- add postlogin common PAM configuration file (#665059)

pam.spec

@@ -3,7 +3,7 @@
 Summary: An extensible library which provides authentication for applications
 Name: pam
 Version: 1.1.3
-Release: 6%{?dist}
+Release: 7%{?dist}
 # The library is BSD licensed with option to relicense as GPLv2+ - this option is redundant
 # as the BSD license allows that anyway. pam_timestamp and pam_console modules are GPLv2+,
 License: BSD and GPLv2+
@@ -22,6 +22,8 @@ Source12: system-auth.5
 Source13: config-util.5
 Source14: 90-nproc.conf
 Source15: pamtmp.conf
+Source16: postlogin.pamd
+Source17: postlogin.5
 Patch1:  pam-1.0.90-redhat-modules.patch
 Patch2:  pam-1.0.91-std-noclose.patch
 Patch4:  pam-1.1.0-console-nochmod.patch
@@ -159,6 +161,7 @@ install -m 644 %{SOURCE7} $RPM_BUILD_ROOT%{_pamconfdir}/password-auth
 install -m 644 %{SOURCE8} $RPM_BUILD_ROOT%{_pamconfdir}/fingerprint-auth
 install -m 644 %{SOURCE9} $RPM_BUILD_ROOT%{_pamconfdir}/smartcard-auth
 install -m 644 %{SOURCE10} $RPM_BUILD_ROOT%{_pamconfdir}/config-util
+install -m 644 %{SOURCE16} $RPM_BUILD_ROOT%{_pamconfdir}/postlogin
 install -m 644 %{SOURCE14} $RPM_BUILD_ROOT%{_secconfdir}/limits.d/90-nproc.conf
 install -m 600 /dev/null $RPM_BUILD_ROOT%{_secconfdir}/opasswd
 install -d -m 755 $RPM_BUILD_ROOT/var/log
@@ -166,7 +169,11 @@ install -m 600 /dev/null $RPM_BUILD_ROOT/var/log/tallylog
 install -d -m 755 $RPM_BUILD_ROOT/var/run/faillock
 
 # Install man pages.
-install -m 644 %{SOURCE12} %{SOURCE13} $RPM_BUILD_ROOT%{_mandir}/man5/
+install -m 644 %{SOURCE12} %{SOURCE13} %{SOURCE17} $RPM_BUILD_ROOT%{_mandir}/man5/
+ln -sf system-auth.5 $RPM_BUILD_ROOT%{_mandir}/man5/password-auth.5
+ln -sf system-auth.5 $RPM_BUILD_ROOT%{_mandir}/man5/fingerprint-auth.5
+ln -sf system-auth.5 $RPM_BUILD_ROOT%{_mandir}/man5/smartcard-auth.5
+
 
 for phase in auth acct passwd session ; do
 	ln -sf pam_unix.so $RPM_BUILD_ROOT%{_moduledir}/pam_unix_${phase}.so 
@@ -245,6 +252,7 @@ fi
 %config(noreplace) %{_pamconfdir}/fingerprint-auth
 %config(noreplace) %{_pamconfdir}/smartcard-auth
 %config(noreplace) %{_pamconfdir}/config-util
+%config(noreplace) %{_pamconfdir}/postlogin
 %doc Copyright
 %doc doc/txts
 %doc doc/sag/*.txt doc/sag/html
@@ -359,6 +367,9 @@ fi
 %doc doc/adg/*.txt doc/adg/html
 
 %changelog
+* Wed Dec 22 2010 Tomas Mraz <tmraz@redhat.com> 1.1.3-7
+- add postlogin common PAM configuration file (#665059)
+
 * Tue Dec 14 2010 Tomas Mraz <tmraz@redhat.com> 1.1.3-6
 - include patches recently submitted and applied to upstream CVS
 

postlogin.5

@@ -0,0 +1,46 @@
+.TH POSTLOGIN 5 "2010 Dec 22" "Red Hat" "Linux-PAM Manual"
+.SH NAME
+
+postlogin \- Common configuration file for PAMified services
+
+.SH SYNOPSIS
+.B /etc/pam.d/postlogin
+.sp 2
+.SH DESCRIPTION
+
+The purpose of this PAM configuration file is to provide a common
+place for all PAM modules which should be called after the stack
+configured in
+.BR system-auth
+or the other common PAM configuration files.
+
+.sp
+The
+.BR postlogin
+configuration file is included from all individual service configuration
+files that provide login service with shell or file access.
+
+.SH NOTES
+The modules in the postlogin configuration file are executed regardless
+of the success or failure of the modules in the
+.BR system-auth
+configuration file.
+
+.SH BUGS
+.sp 2
+Sometimes it would be useful to be able to skip the postlogin modules in
+case the substack of the
+.BR system-auth
+modules failed. Unfortunately the current Linux-PAM library does not
+provide any way how to achieve this.
+
+.SH "SEE ALSO"
+pam(8), config-util(5), system-auth(5)
+
+The three
+.BR Linux-PAM
+Guides, for
+.BR "system administrators" ", "
+.BR "module developers" ", "
+and
+.BR "application developers" ". "

postlogin.pamd

@@ -0,0 +1,3 @@
+#%PAM-1.0
+# This file is auto-generated.
+# User changes will be destroyed the next time authconfig is run.

system-auth.5

@@ -1,4 +1,4 @@
-.TH SYSTEM-AUTH 5 "2009 Apr 10" "Red Hat" "Linux-PAM Manual"
+.TH SYSTEM-AUTH 5 "2010 Dec 22" "Red Hat" "Linux-PAM Manual"
 .SH NAME
 
 system-auth \- Common configuration file for PAMified services
@@ -20,7 +20,7 @@ The
 .BR system-auth
 configuration file is included from nearly all individual service configuration
 files with the help of the
-.BR include
+.BR substack
 directive.
 
 .sp
@@ -33,36 +33,21 @@ different types of devices via simultaneously running individual conversations
 instead of one aggregate conversation.
 
 .SH NOTES
-There should be no
-.BR sufficient
-modules in the
-.BR session
-part of
-.BR system-auth
-file because individual services may add session modules after
-.BR include
+Previously these common configuration files were included with the help
 of the
-.BR system-auth
-file. Execution of these modules would be skipped if there were sufficient
-modules in
-.BR system-auth
-file.
-
-.sp
-Conversely there should not be any modules after
 .BR include
-directive in the individual service files in
-.BR auth account
-and
-.BR password
-sections otherwise they could be bypassed.
+directive. This limited the use of the different action types of modules.
+With the use of
+.BR substack
+directive to include these common configuration files this limitation
+no longer applies.
 
 .SH BUGS
 .sp 2
 None known.
 
 .SH "SEE ALSO"
-pam(8), config-util(5)
+pam(8), config-util(5), postlogin(5)
 
 The three
 .BR Linux-PAM