From 7f86fc57b21157db71e31ed6cf224b483c82a7aa Mon Sep 17 00:00:00 2001
From: Stephen Hemminger
Date: Fri, 4 Dec 2009 15:03:00 -0800
Subject: Block user from changing name or password

Bug 4927 This blocks user from changing fields in password file. Note: adding removing users is not allowed unless user is root, but then all bets are off anyway.
---
 debian/vyatta-cfg-system.postinst.in | 12 ++++++++++++
 1 file changed, 12 insertions(+)
(limited to 'debian')
diff --git a/debian/vyatta-cfg-system.postinst.in b/debian/vyatta-cfg-system.postinst.in
index 646028f3..679475f1 100644
--- a/debian/vyatta-cfg-system.postinst.in
+++ b/debian/vyatta-cfg-system.postinst.in
@@ -161,7 +161,19 @@ update-rc.d -f ssh remove >/dev/null
 # for password
 sed -i 's/requisite[ \t][ \t]*pam_securetty.so/required pam_securetty.so/' $rootfsdir/etc/pam.d/login
+# Change default shell for new accounts
+sed -i -e ':^DSHELL:s:/bin/bash:/bin/vbash:' /etc/adduser.conf
+# Do not allow users to change full name field (controlled by Vyatta config)
+sed -i -e 's/^CHFN_RESTRICT/#&/' /etc/login.defs
+
+# Do not allow users to change password (controlled from Vyatta config)
+sed -i -e '/^@include common-password/c \
+password required pam_echo.so Password blocked by Vyatta CLI\
+password requiste pam_deny.so
+' /etc/pam.d/passwd
+
+# Block pc speaker driver to keep system quiet
 [ grep "blacklist.*snd-pcsp" >&/dev/null ] || echo "blacklist snd-pcsp" >>/etc/modprobe.d/blacklist
 #
-- 
cgit v1.2.3
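Review bot: The control flag on the added `pam_deny.so` line is misspelled (`requiste`), so whether `passwd` is actually blocked depends on how the PAM library treats an unrecognised control token rather than on the intended rule; it should read `password requisite pam_deny.so`. The added adduser.conf command has a related problem: a sed script that begins with `:` defines a label, so `':^DSHELL:s:/bin/bash:/bin/vbash:'` most likely performs no substitution, and `'/^DSHELL/s:/bin/bash:/bin/vbash:'` (or a leading `\:` for the custom address delimiter) would do what the comment says. The new commands also edit `/etc/adduser.conf`, `/etc/login.defs` and `/etc/pam.d/passwd` directly, while the context line above them goes through `$rootfsdir`, so it is worth confirming that the difference is intended. Since only `/etc/pam.d/passwd` is rewritten, a short comment such as `# only the passwd service is blocked here; other PAM services are untouched` would help the next reader judge how far the restriction reaches.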