author | Stephen Hemminger <stephen.hemminger@vyatta.com> | 2009-12-18 11:18:48 -0800 |
---|---|---|
committer | Stephen Hemminger <stephen.hemminger@vyatta.com> | 2009-12-18 14:55:32 -0800 |
commit | ebf4b7422e1a58978418e11f13bf7859e7ba6318 (patch) | |
tree | 6e9492314fb3341cbb45d63df92dcfbd05a970e3 /debian/vyatta-cfg-system.postinst.in | |
parent | 42144158c9036f4801289905a316de4a2b7a772e (diff) | |
Block passwd command for non-root user
The vyatta administrator needs to use Vyatta tools to change account
password. Bug 4927
Diffstat (limited to 'debian/vyatta-cfg-system.postinst.in')
-rw-r--r-- | debian/vyatta-cfg-system.postinst.in | 8 |
1 files changed, 7 insertions, 1 deletions
diff --git a/debian/vyatta-cfg-system.postinst.in b/debian/vyatta-cfg-system.postinst.in index d1e834f3..5cb03651 100644 --- a/debian/vyatta-cfg-system.postinst.in +++ b/debian/vyatta-cfg-system.postinst.in @@ -129,7 +129,6 @@ EOF # Install pamradius config (should come with radius client eventually) cp $sysconfdir/pam_radius.cfg /usr/share/pam-configs/radius - fi if [ "$sysconfdir" != "/opt/vyatta/etc" ]; then @@ -170,6 +169,13 @@ sed -i -e ':^DSHELL:s:/bin/bash:/bin/vbash:' /etc/adduser.conf # Do not allow users to change full name field (controlled by Vyatta config) sed -i -e 's/^CHFN_RESTRICT/#&/' /etc/login.defs +# Only allow root to use passwd command +if ! grep -q 'pam_succeed_if.so' /etc/pam.d/passwd ; then + sed -i -e '/^@include/i \ +password requisite pam_succeed_if.so user = root +' /etc/pam.d/passwd +fi + # Block pc speaker driver to keep system quiet [ grep "blacklist.*snd-pcsp" >&/dev/null ] || echo "blacklist snd-pcsp" >>/etc/modprobe.d/blacklist |
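
Review bot: In the first hunk (@@ -129,7 +129,6 @@), the only change appears to be the removal of an empty line between the `cp $sysconfdir/pam_radius.cfg ...` line and `fi`, which is unrelated to blocking `passwd`. Consider moving it to a separate cleanup commit so this security-relevant change stays minimal and easy to audit or revert.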
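
Review bot: In the second hunk (@@ -170,6 +169,13 @@), the guard and the insertion are both looser than the rule they protect. `grep -q 'pam_succeed_if.so'` is satisfied by any line mentioning the module, including a commented-out or unrelated one, so the restriction can be skipped silently. The `/^@include/i` address inserts the rule before every `@include` line, and inserts nothing if the file has none. Suggest matching the full rule text in the guard (for example `grep -q '^password.*requisite.*pam_succeed_if.so.*user = root'`), inserting before the first `@include` only, and checking afterwards that the rule is present so the postinst fails visibly if it is not. Separately, the comment says "Only allow root to use passwd command", but `user = root` tests the account PAM is handling rather than the caller, unless `use_uid` is given. A one-line comment stating which of the two is intended would help future readers. Given the commit message, restricting by target account may be deliberate.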