This commit replicates commits[1][2] from the openssh package. Closes [1] https://salsa.debian.org/ssh-team/openssh/-/commit/ca7f6f719ad5f168b25165caaff658f21c784c4e [2] https://salsa.debian.org/ssh-team/openssh/-/commit/dc461e571bcc56f8d95e83c731007636d8e79da5
Closes: #1068378
---
 debian/rules | 10 +++++++++-
 debian/xdm.pam | 19 -------------------
 debian/xdm.pam.in | 20 ++++++++++++++++++++
 3 files changed, 29 insertions(+), 20 deletions(-)
 delete mode 100644 debian/xdm.pam
 create mode 100644 debian/xdm.pam.in
diff --git a/debian/rules b/debian/rules
index 5d2dbd3..ab9f5d4 100755
--- a/debian/rules
+++ b/debian/rules
@@ -38,6 +38,7 @@ ifneq (,$(filter parallel=%,$(DEB_BUILD_OPTIONS)))
 endif
 DEB_HOST_ARCH ?= $(shell dpkg-architecture -qDEB_HOST_ARCH)
+DEB_HOST_ARCH_OS ?= $(shell dpkg-architecture -qDEB_HOST_ARCH_OS)
 DEB_HOST_GNU_TYPE ?= $(shell dpkg-architecture -qDEB_HOST_GNU_TYPE)
 DEB_BUILD_ARCH_OS ?= $(shell dpkg-architecture -qDEB_BUILD_ARCH_OS)
 DEB_BUILD_GNU_TYPE ?= $(shell dpkg-architecture -qDEB_BUILD_GNU_TYPE)
@@ -58,6 +59,13 @@ endif
 BUILD_DIR := build
+debian/xdm.pam: debian/xdm.pam.in
+ifeq ($(DEB_HOST_ARCH_OS),linux)
+ sed 's/^@IF_KEYINIT@//' $< > $@
+else
+ sed '/^@IF_KEYINIT@/d' $< > $@
+endif
+
 stampdir_targets+=config
 config: $(STAMP_DIR)/config
 $(STAMP_DIR)/config: $(STAMP_DIR)/patch
@@ -121,7 +129,7 @@ clean: xsfclean
 dh_clean
 # Build architecture-dependent files here.
-binary-arch: $(STAMP_DIR)/install
+binary-arch: $(STAMP_DIR)/install debian/xdm.pam
 dh_testdir
 dh_testroot
diff --git a/debian/xdm.pam b/debian/xdm.pam
deleted file mode 100644
index 1108a71..0000000
--- a/debian/xdm.pam
+++ /dev/null
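Review bot: In the new `debian/xdm.pam` rule (hunk `@@ -58,6 +59,13 @@`), both `sed ... > $@` recipes write straight into the target, so a failed or interrupted sed leaves a truncated file that make treats as up to date and that could then be packaged as xdm's PAM stack. Writing to a temporary name and renaming avoids that, e.g. `sed 's/^@IF_KEYINIT@//' $< > $@.tmp && mv -f $@.tmp $@` (same for the `/d` branch), or declare `.DELETE_ON_ERROR:` if the file does not already do so outside this hunk. Because the pattern is anchored with `^`, a marker that is ever indented or moved mid-line would pass through unchanged; a follow-up recipe line such as `! grep -q '@IF_KEYINIT@' $@` would fail the build rather than ship a PAM file containing the literal token.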
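Review bot: `debian/xdm.pam` is now a generated file, but nothing in the visible part of the `clean` target (`clean: xsfclean` / `dh_clean`, hunk `@@ -121,7 +129,7 @@`) removes it, and dh_clean only removes files it has been told about. The rest of the clean recipe lies outside the hunk; if it does not handle the file either, a copy generated for one host OS survives `clean`, is newer than `debian/xdm.pam.in`, and would presumably be reused unchanged by a later build for a different `DEB_HOST_ARCH_OS`. Adding `rm -f debian/xdm.pam` to the clean recipe, or listing `debian/xdm.pam` in `debian/clean`, keeps the source tree and the shipped PAM configuration consistent with the template.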
@@ -1,19 +0,0 @@
-auth requisite pam_nologin.so
-auth required pam_env.so
-auth required pam_env.so envfile=/etc/default/locale
-
-# SELinux needs to be the first session rule. This ensures that any
-# lingering context has been cleared. Without this it is possible
-# that a module could execute code in the wrong domain.
-session [success=ok ignore=ignore module_unknown=ignore default=bad] pam_selinux.so close
-session required pam_loginuid.so
-# SELinux needs to intervene at login time to ensure that the process
-# starts in the proper default security context. Only sessions which are
-# intended to run in the user's context should be run after this.
-session [success=ok ignore=ignore module_unknown=ignore default=bad] pam_selinux.so open
-session required pam_limits.so
-
-@include common-auth
-@include common-account
-@include common-session
-@include common-password
diff --git a/debian/xdm.pam.in b/debian/xdm.pam.in
new file mode 100644
index 0000000..92c46b7
--- /dev/null
+++ b/debian/xdm.pam.in
@@ -0,0 +1,20 @@
+auth requisite pam_nologin.so
+auth required pam_env.so
+auth required pam_env.so envfile=/etc/default/locale
+
+# SELinux needs to be the first session rule. This ensures that any
+# lingering context has been cleared. Without this it is possible
+# that a module could execute code in the wrong domain.
+session [success=ok ignore=ignore module_unknown=ignore default=bad] pam_selinux.so close
+session required pam_loginuid.so
+@IF_KEYINIT@session optional pam_keyinit.so force revoke
+# SELinux needs to intervene at login time to ensure that the process
+# starts in the proper default security context. Only sessions which are
+# intended to run in the user's context should be run after this.
+session [success=ok ignore=ignore module_unknown=ignore default=bad] pam_selinux.so open
+session required pam_limits.so
+
+@include common-auth
+@include common-account
+@include common-session
+@include common-password
--
2.39.2
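Review bot: The added `@IF_KEYINIT@session optional pam_keyinit.so force revoke` line is the only session rule in this file without an explanatory comment, and the `@IF_KEYINIT@` prefix is meaningful only to the sed rule in debian/rules. I would put a comment directly above it, e.g. `# Set up a fresh session keyring for the login session (Linux only; removed at build time elsewhere, see debian/rules).`, so that someone auditing the generated PAM file can tell why the module is there. The comment itself must not begin with `@IF_KEYINIT@` unless it is meant to disappear on non-Linux builds as well. Since the rule is `optional`, a missing or failing pam_keyinit does not block the session; that looks intentional, but it means a build where the line was dropped by mistake gives no visible login-time symptom, so it is worth checking the generated file in the package.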