From 162bd85be84ed0c23fe4a9102faf11774ea88ebd Mon Sep 17 00:00:00 2001 From: mhoellein Date: Tue, 23 Oct 2018 23:03:15 +0200 Subject: [PATCH] committing changes in /etc after apt run Package changes: +liblightdm-gobject-1-0 1.18.3-0ubuntu1.1 amd64 +lightdm 1.18.3-0ubuntu1.1 amd64 +lightdm-settings 1.1.4 all +slick-greeter 1.1.2+sylvia amd64 --- .etckeeper | 13 ++ X11/default-display-manager | 2 +- apparmor.d/abstractions/lightdm | 113 ++++++++++++++++++ .../abstractions/lightdm_chromium-browser | 74 ++++++++++++ apparmor.d/lightdm-guest-session | 24 ++++ .../org.freedesktop.DisplayManager.conf | 21 ++++ group | 1 + group- | 1 + gshadow | 1 + gshadow- | 1 + init.d/lightdm | 112 +++++++++++++++++ init/lightdm.conf | 63 ++++++++++ lightdm/users.conf | 14 +++ logrotate.d/lightdm | 9 ++ pam.d/lightdm | 19 +++ pam.d/lightdm-autologin | 12 ++ pam.d/lightdm-greeter | 15 +++ passwd | 1 + passwd- | 3 +- rc0.d/K01lightdm | 1 + rc1.d/K01lightdm | 1 + rc2.d/S05lightdm | 1 + rc3.d/S05lightdm | 1 + rc4.d/S05lightdm | 1 + rc5.d/S05lightdm | 1 + rc6.d/K01lightdm | 1 + shadow | 1 + shadow- | 1 + systemd/system/display-manager.service | 2 +- 29 files changed, 507 insertions(+), 3 deletions(-) create mode 100644 apparmor.d/abstractions/lightdm create mode 100644 apparmor.d/abstractions/lightdm_chromium-browser create mode 100644 apparmor.d/lightdm-guest-session create mode 100644 dbus-1/system.d/org.freedesktop.DisplayManager.conf create mode 100755 init.d/lightdm create mode 100644 init/lightdm.conf create mode 100644 lightdm/users.conf create mode 100644 logrotate.d/lightdm create mode 100644 pam.d/lightdm create mode 100644 pam.d/lightdm-autologin create mode 100644 pam.d/lightdm-greeter create mode 120000 rc0.d/K01lightdm create mode 120000 rc1.d/K01lightdm create mode 120000 rc2.d/S05lightdm create mode 120000 rc3.d/S05lightdm create mode 120000 rc4.d/S05lightdm create mode 120000 rc5.d/S05lightdm create mode 120000 rc6.d/K01lightdm 
diff --git a/.etckeeper b/.etckeeper index cee09d1f..64c3df69 100755 --- a/.etckeeper +++ b/.etckeeper @@ -24,6 +24,7 @@ mkdir -p './dbus-1/session.d' mkdir -p './dhcp/ddns-keys' mkdir -p './fail2ban/fail2ban.d' mkdir -p './fail2ban/jail.d' +mkdir -p './guest-session' mkdir -p './icinga/modules' mkdir -p './initramfs-tools/conf.d' mkdir -p './initramfs-tools/scripts/init-bottom' @@ -488,6 +489,8 @@ maybe chmod 0644 'apparmor.d/abstractions/kde' maybe chmod 0644 'apparmor.d/abstractions/kerberosclient' maybe chmod 0644 'apparmor.d/abstractions/launchpad-integration' maybe chmod 0644 'apparmor.d/abstractions/ldapclient' +maybe chmod 0644 'apparmor.d/abstractions/lightdm' +maybe chmod 0644 'apparmor.d/abstractions/lightdm_chromium-browser' maybe chmod 0644 'apparmor.d/abstractions/likewise' maybe chmod 0644 'apparmor.d/abstractions/mdns' maybe chmod 0644 'apparmor.d/abstractions/mir' @@ -551,6 +554,7 @@ maybe chmod 0644 'apparmor.d/abstractions/xdg-desktop' maybe chmod 0755 'apparmor.d/cache' maybe chmod 0755 'apparmor.d/disable' maybe chmod 0755 'apparmor.d/force-complain' +maybe chmod 0644 'apparmor.d/lightdm-guest-session' maybe chmod 0755 'apparmor.d/local' maybe chmod 0644 'apparmor.d/local/README' maybe chmod 0644 'apparmor.d/local/sbin.dhclient' @@ -2018,6 +2022,7 @@ maybe chmod 0644 'dbus-1/system.d/org.debian.AptXapianIndex.conf' maybe chmod 0644 'dbus-1/system.d/org.debian.apt.conf' maybe chmod 0644 'dbus-1/system.d/org.freedesktop.Accounts.conf' maybe chmod 0644 'dbus-1/system.d/org.freedesktop.ColorManager.conf' +maybe chmod 0644 'dbus-1/system.d/org.freedesktop.DisplayManager.conf' maybe chmod 0644 'dbus-1/system.d/org.freedesktop.Flatpak.SystemHelper.conf' maybe chmod 0644 'dbus-1/system.d/org.freedesktop.ModemManager1.conf' maybe chmod 0644 'dbus-1/system.d/org.freedesktop.NetworkManager.conf' 
@@ -2603,6 +2608,7 @@ maybe chmod 0644 'gtk-2.0/im-multipress.conf' maybe chmod 0755 'gtk-3.0' maybe chmod 0644 'gtk-3.0/im-multipress.conf' maybe chmod 0755 'gtk-3.0/settings.ini' +maybe chmod 0755 'guest-session' maybe chmod 0644 'hddtemp.db' maybe chmod 0644 'hdparm.conf' maybe chmod 0644 'host.conf' @@ -2714,6 +2720,7 @@ maybe chmod 0755 'init.d/kerneloops' maybe chmod 0755 'init.d/keyboard-setup' maybe chmod 0755 'init.d/killprocs' maybe chmod 0755 'init.d/kmod' +maybe chmod 0755 'init.d/lightdm' maybe chmod 0755 'init.d/lm-sensors' maybe chmod 0755 'init.d/loadcpufreq' maybe chmod 0755 'init.d/lvm2' @@ -2831,6 +2838,7 @@ maybe chmod 0644 'init/irqbalance.conf' maybe chmod 0644 'init/isc-dhcp-server.conf' maybe chmod 0644 'init/isc-dhcp-server6.conf' maybe chmod 0644 'init/kmod.conf' +maybe chmod 0644 'init/lightdm.conf' maybe chmod 0644 'init/mdm.conf' maybe chmod 0644 'init/modemmanager.conf' maybe chmod 0644 'init/mosquitto.conf' @@ -3259,6 +3267,7 @@ maybe chmod 0755 'lightdm/lightdm-gtk-greeter.conf.d' maybe chmod 0644 'lightdm/lightdm-gtk-greeter.conf.d/99_linuxmint.conf' maybe chmod 0755 'lightdm/lightdm.conf.d' maybe chmod 0644 'lightdm/lightdm.conf.d/70-linuxmint.conf' +maybe chmod 0644 'lightdm/users.conf' maybe chmod 0755 'lighttpd' maybe chmod 0755 'lighttpd/conf-available' maybe chmod 0644 'lighttpd/conf-available/90-javascript-alias.conf' @@ -3325,6 +3334,7 @@ maybe chmod 0644 'logrotate.d/dbconfig-common' maybe chmod 0644 'logrotate.d/dpkg' maybe chmod 0644 'logrotate.d/homematic' maybe chmod 0644 'logrotate.d/iptraf' +maybe chmod 0644 'logrotate.d/lightdm' maybe chmod 0644 'logrotate.d/mosquitto' maybe chmod 0644 'logrotate.d/mysql-server' maybe chmod 0644 'logrotate.d/oscam' 
@@ -3678,6 +3688,9 @@ maybe chmod 0644 'pam.d/common-session-noninteractive' maybe chmod 0644 'pam.d/cron' maybe chmod 0644 'pam.d/cups' maybe chmod 0644 'pam.d/dovecot' +maybe chmod 0644 'pam.d/lightdm' +maybe chmod 0644 'pam.d/lightdm-autologin' +maybe chmod 0644 'pam.d/lightdm-greeter' maybe chmod 0644 'pam.d/login' maybe chmod 0644 'pam.d/mdm' maybe chmod 0644 'pam.d/mdm-autologin' diff --git a/X11/default-display-manager b/X11/default-display-manager index cdf0809d..7d4e29bb 100644 --- a/X11/default-display-manager +++ b/X11/default-display-manager @@ -1 +1 @@ -/usr/sbin/mdm +/usr/sbin/lightdm diff --git a/apparmor.d/abstractions/lightdm b/apparmor.d/abstractions/lightdm new file mode 100644 index 00000000..5289a927 --- /dev/null +++ b/apparmor.d/abstractions/lightdm 
@@ -0,0 +1,113 @@ +# vim:syntax=apparmor +# Profile for restricting lightdm guest session +# Author: Martin Pitt + +# This abstraction provides the majority of the confinement for guest sessions. +# It is in its own abstraction so we can have a centralized place for +# confinement for the various lightdm sessions (guest, freerdp, uccsconfigure, +# etc). Note that this profile intentionally omits chromium-browser. + +# Requires apparmor 2.9 + + #include + #include + #include + #include + #include + #include + #include + + # bug in compiz https://launchpad.net/bugs/697678 + /etc/compizconfig/config rw, + /etc/compizconfig/unity.ini rw, + + / r, + /bin/ rmix, + /bin/fusermount Px, + /bin/** rmix, + /cdrom/ rmix, + /cdrom/** rmix, + /dev/ r, + /dev/** rmw, # audio devices etc. + owner /dev/shm/** rmw, + /etc/ r, + /etc/** rmk, + /etc/gdm/Xsession ix, + /etc/X11/xdm/** ix, # needed for openSUSE's default session-wrapper + /etc/X11/xinit/** ix, # needed for openSUSE's default session-wrapper + /lib/ r, + /lib/** rmixk, + /lib32/ r, + /lib32/** rmixk, + /lib64/ r, + /lib64/** rmixk, + owner /{,run/}media/ r, + owner /{,run/}media/** rmwlixk, # we want access to USB sticks and the like + /opt/ r, + /opt/** rmixk, + @{PROC}/ r, + @{PROC}/* rm, + @{PROC}/[0-9]*/net/ r, + @{PROC}/[0-9]*/net/dev r, + @{PROC}/asound rm, + @{PROC}/asound/** rm, + @{PROC}/ati rm, + @{PROC}/ati/** rm, + @{PROC}/sys/vm/overcommit_memory r, + owner @{PROC}/** rm, + # needed for gnome-keyring-daemon + @{PROC}/*/status r, + # needed for bamfdaemon and utilities such as ps and killall + @{PROC}/*/stat r, + /sbin/ r, + /sbin/** rmixk, + /sys/ r, + /sys/** rm, + # needed for confined trusted helpers, such as dbus-daemon + /sys/kernel/security/apparmor/.access rw, + /tmp/ rw, + owner /tmp/** rwlkmix, + /usr/ r, + /usr/** rmixk, + /var/ r, + /var/** rmixk, + /var/guest-data/** rw, # allow to store files permanently + /var/tmp/ rw, + owner /var/tmp/** rwlkm, + /{,var/}run/ r, + # necessary for writing to 
sockets, etc. + /{,var/}run/** rmkix, + /{,var/}run/screen/** wl, + /{,var/}run/shm/** wl, + /{,var/}run/uuidd/request w, + # libpam-xdg-support/logind + owner /{,var/}run/user/*/** rw, + + capability ipc_lock, + + # allow processes in the guest session to signal and ptrace each other + signal peer=@{profile_name}, + ptrace peer=@{profile_name}, + # needed when logging out of the guest session + signal (receive) peer=unconfined, + + unix peer=(label=@{profile_name}), + unix (receive) peer=(label=unconfined), + unix (create), + unix (getattr, getopt, setopt, shutdown), + unix (bind, listen) type=stream addr="@/com/ubuntu/upstart-session/**", + unix (bind, listen) type=stream addr="@/tmp/dbus-*", + unix (bind, listen) type=stream addr="@/tmp/.ICE-unix/[0-9]*", + unix (bind, listen) type=stream addr="@/dbus-vfs-daemon/*", + unix (bind, listen) type=stream addr="@guest*", + unix (connect, receive, send) type=stream peer=(addr="@/tmp/dbus-*"), + unix (connect, receive, send) type=stream peer=(addr="@/tmp/.X11-unix/X[0-9]*"), + unix (connect, receive, send) type=stream peer=(addr="@/dbus-vfs-daemon/*"), + unix (connect, receive, send) type=stream peer=(addr="@guest*"), + + # silence warnings for stuff that we really don't want to grant + deny capability dac_override, + deny capability dac_read_search, + #deny /etc/** w, # re-enable once LP#697678 is fixed + deny /usr/** w, + deny /var/crash/ w, diff --git a/apparmor.d/abstractions/lightdm_chromium-browser b/apparmor.d/abstractions/lightdm_chromium-browser new file mode 100644 index 00000000..930c87e7 --- /dev/null +++ b/apparmor.d/abstractions/lightdm_chromium-browser 
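Review bot: In apparmor.d/abstractions/lightdm the rules `/etc/** rmk`, `/var/** rmixk` and `/dev/** rmw` carry no `owner` qualifier, so for those trees the guest session is limited only by ordinary file modes. This /etc is tracked with etckeeper and the repository also carries `shadow` and `gshadow`, so the mode of `/etc/.git` is presumably the only barrier between a guest user and that history; confirm it is root-owned and 0700. A comment above the `/etc/** rmk` line would record the assumption, e.g. `# read access here is bounded by file modes only; keep secrets under /etc non-world-readable`.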
@@ -0,0 +1,74 @@ +# vim:syntax=apparmor +# Profile abstraction for restricting chromium in the lightdm guest session +# Author: Jamie Strandboge + +# The abstraction provides the additional accesses required to launch +# chromium based browsers from within an lightdm session. Because AppArmor +# cannot yet merge profiles and because we want to utilize the access rules +# provided in abstractions/lightdm, this abstraction must be separate from +# abstractions/lightdm. + +# Requires apparmor 2.9 + + /usr/lib/chromium-browser/chromium-browser Cx -> chromium, + /usr/bin/webapp-container Cx -> chromium, + /usr/bin/webbrowser-app Cx -> chromium, + /usr/bin/ubuntu-html5-app-launcher Cx -> chromium, + /opt/google/chrome-stable/google-chrome-stable Cx -> chromium, + /opt/google/chrome-beta/google-chrome-beta Cx -> chromium, + /opt/google/chrome-unstable/google-chrome-unstable Cx -> chromium, + /opt/google/chrome/google-chrome Cx -> chromium, + + # Allow ptracing processes in the chromium child profile + ptrace peer=/usr/lib/lightdm/lightdm-guest-session//chromium, + + # Allow receiving and sending signals to processes in the chromium child profile + signal (receive, send) peer=/usr/lib/lightdm/lightdm-guest-session//chromium, + + # Allow communications with chromium child profile via unix sockets + unix peer=(label=/usr/lib/lightdm/lightdm-guest-session//chromium), + + profile chromium { + # Allow all the same accesses as other applications in the guest session + #include + + # but also allow a few things because of chromium-browser's sandboxing that + # are not appropriate to other guest session applications. 
+ owner @{PROC}/[0-9]*/oom_{,score_}adj w, + @{PROC}/sys/kernel/shmmax r, + capability sys_admin, # for sandbox to change namespaces + capability sys_chroot, # fod sandbox to chroot to a safe directory + capability setgid, # for sandbox to drop privileges + capability setuid, # for sandbox to drop privileges + capability sys_ptrace, # chromium needs this to keep track of itself + @{PROC}/sys/kernel/yama/ptrace_scope r, + + # Allow ptrace reads of processes in the lightdm-guest-session + ptrace (read) peer=/usr/lib/lightdm/lightdm-guest-session, + # Allow other guest session processes to read and trace us + ptrace (readby, tracedby) peer=/usr/lib/lightdm/lightdm-guest-session, + ptrace (readby, tracedby) peer=@{profile_name}, + + # Allow us to receive and send signals from processes in the + # lightdm-guest-session + signal (receive, send) set=("exists", "term") peer=/usr/lib/lightdm/lightdm-guest-session, + + # Allow us to receive and send on unix sockets from processes in the + # lightdm-guest-session + unix (receive, send) peer=(label=/usr/lib/lightdm/lightdm-guest-session), + + @{PROC}/[0-9]*/ r, # sandbox wants these + @{PROC}/[0-9]*/fd/ r, # sandbox wants these + @{PROC}/[0-9]*/statm r, # sandbox wants these + @{PROC}/[0-9]*/task/[0-9]*/stat r, # sandbox wants these + + owner @{PROC}/@{pid}/setgroups w, + owner @{PROC}/@{pid}/uid_map w, + owner @{PROC}/@{pid}/gid_map w, + + /selinux/ r, + + /usr/lib/chromium-browser/chromium-browser-sandbox ix, + /usr/lib/@{multiarch}/oxide-qt/chrome-sandbox ix, + /opt/google/chrome-*/chrome-sandbox ix, + } diff --git a/apparmor.d/lightdm-guest-session b/apparmor.d/lightdm-guest-session new file mode 100644 index 00000000..cc7aa17d --- /dev/null +++ b/apparmor.d/lightdm-guest-session 
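Review bot: In apparmor.d/abstractions/lightdm_chromium-browser the comment on `capability sys_chroot` reads `# fod sandbox to chroot to a safe directory`; `fod` should be `for`. The `profile chromium` block would also benefit from one line explaining that its `capability` rules hand out no privilege by themselves: AppArmor only stops masking capabilities the process already holds, here presumably through the sandbox helpers matched by the `ix` rules at the end of the block. Without that, `capability sys_admin` and `capability sys_ptrace` read as a much larger grant than they are. Suggested wording: `# capability rules only permit what the sandbox helper already holds; they grant nothing to an unprivileged guest process`.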
@@ -0,0 +1,24 @@ +# vim:syntax=apparmor +# Profile for restricting lightdm guest session + +#include + +/usr/lib/lightdm/lightdm-guest-session { + # Most applications are confined via the main abstraction + #include + + # chromium-browser needs special confinement due to its sandboxing + #include + + # fcitx and friends needs special treatment due to C/S design + /usr/bin/fcitx ix, + /tmp/fcitx-socket-* rwl, + /dev/shm/* rwl, + /usr/bin/fcitx-qimpanel ix, + /usr/bin/sogou-qimpanel-watchdog ix, + /usr/bin/sogou-sys-notify ix, + /tmp/sogou-qimpanel:* rwl, + + # mozc_server needs special treatment due to C/S design + unix (bind, listen) type=stream addr="@tmp/.mozc.*", +} diff --git a/dbus-1/system.d/org.freedesktop.DisplayManager.conf b/dbus-1/system.d/org.freedesktop.DisplayManager.conf new file mode 100644 index 00000000..66d9f240 --- /dev/null +++ b/dbus-1/system.d/org.freedesktop.DisplayManager.conf @@ -0,0 +1,21 @@ + + + + + + + + + + + + + + + + + + + diff --git a/group b/group index 86a11388..ba53cd13 100644 --- a/group +++ b/group @@ -98,3 +98,4 @@ systemd-bus-proxy:x:151: uuidd:x:101: input:x:152: mosquitto:x:153: +lightdm:x:154: diff --git a/group- b/group- index 2ad07ec7..86a11388 100644 --- a/group- +++ b/group- @@ -97,3 +97,4 @@ systemd-resolve:x:150: systemd-bus-proxy:x:151: uuidd:x:101: input:x:152: +mosquitto:x:153: diff --git a/gshadow b/gshadow index bc24f083..5b8a8414 100644 --- a/gshadow +++ b/gshadow @@ -98,3 +98,4 @@ systemd-bus-proxy:!:: uuidd:!:: input:!:: mosquitto:!:: +lightdm:!:: diff --git a/gshadow- b/gshadow- index 2044b026..bc24f083 100644 --- a/gshadow- +++ b/gshadow- @@ -97,3 +97,4 @@ systemd-resolve:!:: systemd-bus-proxy:!:: uuidd:!:: input:!:: +mosquitto:!:: diff --git a/init.d/lightdm b/init.d/lightdm new file mode 100755 index 00000000..74f8c0aa --- /dev/null +++ b/init.d/lightdm 
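Review bot: In apparmor.d/lightdm-guest-session the fcitx rules `/dev/shm/* rwl,` and `/tmp/fcitx-socket-* rwl,` are not `owner`-qualified, whereas the included abstraction restricts the same areas with `owner /dev/shm/** rmw` and `owner /tmp/** rwlkmix`. As written, the guest session may write and hard-link any file directly under /dev/shm that file modes allow, including world-writable objects created by other users' sessions. Unless fcitx needs to reach another user's objects (not evident from this hunk), `owner /dev/shm/* rwl,` and `owner /tmp/fcitx-socket-* rwl,` would keep the input-method exception in line with the rest of the profile.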
@@ -0,0 +1,112 @@ +#!/bin/sh + +# Largely adapted from xdm's init script: +# Copyright 1998-2002, 2004, 2005 Branden Robinson . +# Copyright 2006 Eugene Konev +# +# This is free software; you may redistribute it and/or modify +# it under the terms of the GNU General Public License as +# published by the Free Software Foundation; either version 2, +# or (at your option) any later version. +# +# This is distributed in the hope that it will be useful, but +# WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License with +# the Debian operating system, in /usr/share/common-licenses/GPL; if +# not, write to the Free Software Foundation, Inc., 51 Franklin Street, +# Fifth Floor, Boston, MA 02110-1301, USA. + +### BEGIN INIT INFO +# Provides: lightdm +# Required-Start: $local_fs $remote_fs dbus +# Required-Stop: $local_fs $remote_fs dbus +# Should-Start: $named +# Should-Stop: $named +# Default-Start: 2 3 4 5 +# Default-Stop: 0 1 6 +# Short-Description: Start lightdm +### END INIT INFO + +set -e + +HEED_DEFAULT_DISPLAY_MANAGER= +# To start lightdm even if it is not the default display manager, change +# HEED_DEFAULT_DISPLAY_MANAGER to "false." +# Also overridable from command line like: +# HEED_DEFAULT_DISPLAY_MANAGER=false /etc/init.d/lightdm start +[ -z "$HEED_DEFAULT_DISPLAY_MANAGER" ] && HEED_DEFAULT_DISPLAY_MANAGER=true + +DEFAULT_DISPLAY_MANAGER_FILE=/etc/X11/default-display-manager + +PATH=/bin:/usr/bin:/sbin:/usr/sbin +DAEMON=/usr/sbin/lightdm +PIDFILE=/var/run/lightdm.pid + +if [ -r /etc/default/locale ]; then + . /etc/default/locale + export LANG LANGUAGE +fi + +test -x $DAEMON || exit 0 + +. 
/lib/lsb/init-functions + +SSD_START_ARGS="--pidfile $PIDFILE --name $(basename $DAEMON) --startas $DAEMON -- -d" +SSD_STOP_ARGS="--pidfile $PIDFILE --name $(basename $DAEMON) --retry TERM/5/TERM/5" + +case "$1" in + start) + if [ "$HEED_DEFAULT_DISPLAY_MANAGER" = "true" ] && + [ -e $DEFAULT_DISPLAY_MANAGER_FILE ] && + [ "$(cat $DEFAULT_DISPLAY_MANAGER_FILE)" != "/usr/bin/lightdm" -a "$(cat $DEFAULT_DISPLAY_MANAGER_FILE)" != "/usr/sbin/lightdm" ]; then + echo "Not starting X display manager (lightdm); it is not the default" \ + "display manager." + else + log_daemon_msg "Starting X display manager" "lightdm" + start-stop-daemon --start --quiet $SSD_START_ARGS \ + || log_progress_msg "already running" + log_end_msg 0 + fi + ;; + + restart) + [ -f $PIDFILE ] && /etc/init.d/lightdm stop + [ -f $PIDFILE ] && exit 1 + /etc/init.d/lightdm start + ;; + + stop) + log_daemon_msg "Stopping X display manager" "lightdm" + if ! [ -f $PIDFILE ]; then + log_progress_msg "not running ($PIDFILE not found)" + else + start-stop-daemon --stop --quiet $SSD_STOP_ARGS + SSD_RES=$? + if [ $SSD_RES -eq 1 ]; then + log_progress_msg "not running" + fi + if [ $SSD_RES -eq 2 ]; then + log_progress_msg "not responding to TERM signals" + else + if [ -f $PIDFILE ]; then + log_progress_msg "(removing stale $PIDFILE)" + rm $PIDFILE + fi + fi + fi + log_end_msg 0 + ;; + force-reload) + /etc/init.d/lightdm restart + ;; + + *) + echo "Usage: /etc/init.d/lightdm {start|stop|restart|force-reload}" + exit 1 + ;; +esac + +exit 0 diff --git a/init/lightdm.conf b/init/lightdm.conf new file mode 100644 index 00000000..f861dfaf --- /dev/null +++ b/init/lightdm.conf 
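Review bot: In the `stop)` branch of init.d/lightdm, `SSD_RES=$?` can never observe a failure: the script runs under `set -e`, so a non-zero exit from `start-stop-daemon --stop` ends the script on that line (unless /lib/lsb/init-functions turns errexit off, which is not visible here). The `not running` and `not responding to TERM signals` messages and the stale-pidfile removal are therefore unreachable after a failed stop, and the script exits without `log_end_msg`. Capturing the status inside an or-list avoids this: `SSD_RES=0` followed by `start-stop-daemon --stop --quiet $SSD_STOP_ARGS || SSD_RES=$?`. Separately, `$PIDFILE` and `$DAEMON` are expanded unquoted throughout (`rm $PIDFILE`, `test -x $DAEMON`); this is harmless with the constants assigned at the top, but quoting them is cheap insurance.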
@@ -0,0 +1,63 @@
+# LightDM - light Display Manager
+#
+# The display manager service manages the X servers running on the
+# system, providing login and auto-login services
+#
+# based on gdm upstart script
+
+description "LightDM Display Manager"
+author "Robert Ancell "
+
+start on ((filesystem
+ and runlevel [!06]
+ and started dbus
+ and plymouth-ready)
+ or runlevel PREVLEVEL=S)
+
+stop on runlevel [016]
+
+respawn
+respawn limit 2 15
+
+emits login-session-start
+emits desktop-session-start
+emits desktop-shutdown
+
+script
+ if [ -n "$UPSTART_EVENTS" ]
+ then
+ # Check kernel command-line for inhibitors, unless we are being called
+ # manually
+ for ARG in $(cat /proc/cmdline); do
+ if [ "$ARG" = "text" ]; then
+ plymouth quit || :
+ stop
+ exit 0
+ fi
+ done
+
+ [ ! -f /etc/X11/default-display-manager -o "$(cat /etc/X11/default-display-manager 2>/dev/null)" = "/usr/bin/lightdm" -o "$(cat /etc/X11/default-display-manager 2>/dev/null)" = "/usr/sbin/lightdm" ] || { stop; exit 0; }
+
+ if [ "$RUNLEVEL" = S -o "$RUNLEVEL" = 1 ]
+ then
+ # Single-user mode
+ plymouth quit || :
+ exit 0
+ fi
+ fi
+
+ exec lightdm
+end script
+
+post-start script
+ sleep 5
+ clear > /dev/tty7
+end script
+
+post-stop script
+ clear > /dev/tty7
+ sleep 1
+ if [ "$UPSTART_STOP_EVENTS" = runlevel ]; then
+ initctl emit desktop-shutdown
+ fi
+end script
diff --git a/lightdm/users.conf b/lightdm/users.conf
new file mode 100644
index 00000000..e4948a62
--- /dev/null
+++ b/lightdm/users.conf
@@ -0,0 +1,14 @@
+#
+# User accounts configuration
+#
+# NOTE: If you have AccountsService installed on your system, then LightDM will
+# use this instead and these settings will be ignored
+#
+# minimum-uid = Minimum UID required to be shown in greeter
+# hidden-users = Users that are not shown to the user
+# hidden-shells = Shells that indicate a user cannot login
+#
+[UserList]
+minimum-uid=500
+hidden-users=nobody nobody4 noaccess
+hidden-shells=/bin/false /usr/sbin/nologin
diff --git a/logrotate.d/lightdm b/logrotate.d/lightdm
new file mode 100644
index 00000000..fed4a02b
--- /dev/null
+++ b/logrotate.d/lightdm
@@ -0,0 +1,9 @@
+/var/log/lightdm/*.log {
+ daily
+ missingok
+ rotate 7
+ compress
+ notifempty
+ maxsize 10M
+ copytruncate
+}
diff --git a/pam.d/lightdm b/pam.d/lightdm
new file mode 100644
index 00000000..123ef3b1
--- /dev/null
+++ b/pam.d/lightdm
@@ -0,0 +1,19 @@
+#%PAM-1.0
+auth requisite pam_nologin.so
+auth sufficient pam_succeed_if.so user ingroup nopasswdlogin
+@include common-auth
+auth optional pam_gnome_keyring.so
+auth optional pam_kwallet.so
+auth optional pam_kwallet5.so
+@include common-account
+session [success=ok ignore=ignore module_unknown=ignore default=bad] pam_selinux.so close
+#session required pam_loginuid.so
+session required pam_limits.so
+@include common-session
+session [success=ok ignore=ignore module_unknown=ignore default=bad] pam_selinux.so open
+session optional pam_gnome_keyring.so auto_start
+session optional pam_kwallet.so auto_start
+session optional pam_kwallet5.so auto_start
+session required pam_env.so readenv=1
+session required pam_env.so readenv=1 user_readenv=1 envfile=/etc/default/locale
+@include common-password
diff --git a/pam.d/lightdm-autologin b/pam.d/lightdm-autologin
new file mode 100644
index 00000000..5053ebde
--- /dev/null
+++ b/pam.d/lightdm-autologin
@@ -0,0 +1,12 @@
+#%PAM-1.0
+auth requisite pam_nologin.so
+auth required pam_permit.so
+@include common-account
+session [success=ok ignore=ignore module_unknown=ignore default=bad] pam_selinux.so close
+#session required pam_loginuid.so
+session required pam_limits.so
+@include common-session
+session [success=ok ignore=ignore module_unknown=ignore default=bad] pam_selinux.so open
+session required pam_env.so readenv=1
+session required pam_env.so readenv=1 user_readenv=1 envfile=/etc/default/locale
+@include common-password
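Review bot: In pam.d/lightdm, `auth sufficient pam_succeed_if.so user ingroup nopasswdlogin` sits before `@include common-auth`, so any account in the `nopasswdlogin` group is authenticated at the greeter without a password. The `group` hunk in this commit does not show that group, so its membership cannot be checked from here and should be audited as part of the display-manager switch. Both this file and pam.d/lightdm-autologin also leave `#session required pam_loginuid.so` commented out, which presumably leaves graphical logins without an audit login UID unless something in `common-session` sets it. If auditd is in use, a line such as `# pam_loginuid disabled: <reason>` next to it would document why.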
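Review bot: pam.d/lightdm-autologin authenticates with `auth required pam_permit.so`, so the only gate on this service is whether LightDM is configured to use it. The `autologin-user` settings live in lightdm.conf / lightdm.conf.d, which this commit does not touch, and are worth checking after the switch from mdm. The last `pam_env.so` line here (and in pam.d/lightdm and pam.d/lightdm-greeter) sets `user_readenv=1`, which lets a file in the user's home directory set session environment variables; newer Linux-PAM releases deprecate that option. A comment above the `pam_permit.so` line would record the intent, e.g. `# autologin: no authentication is performed; enable only through an explicit autologin-user setting`.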
diff --git a/pam.d/lightdm-greeter b/pam.d/lightdm-greeter new file mode 100644 index 00000000..35736d32 --- /dev/null +++ b/pam.d/lightdm-greeter @@ -0,0 +1,15 @@ +#%PAM-1.0 +auth required pam_permit.so +auth optional pam_gnome_keyring.so +auth optional pam_kwallet.so +auth optional pam_kwallet5.so +@include common-account +session [success=ok ignore=ignore module_unknown=ignore default=bad] pam_selinux.so close +session required pam_limits.so +@include common-session +session [success=ok ignore=ignore module_unknown=ignore default=bad] pam_selinux.so open +session optional pam_gnome_keyring.so auto_start +session optional pam_kwallet.so auto_start +session optional pam_kwallet5.so auto_start +session required pam_env.so readenv=1 +session required pam_env.so readenv=1 user_readenv=1 envfile=/etc/default/locale diff --git a/passwd b/passwd index c6a9e5d5..61e7f44d 100644 --- a/passwd +++ b/passwd @@ -71,3 +71,4 @@ systemd-resolve:x:144:150:systemd Resolver,,,:/run/systemd/resolve:/bin/false systemd-bus-proxy:x:145:151:systemd Bus Proxy,,,:/run/systemd:/bin/false uuidd:x:100:101::/run/uuidd:/bin/false _apt:x:146:65534::/nonexistent:/bin/false +lightdm:x:147:154:Light Display Manager:/var/lib/lightdm:/bin/false diff --git a/passwd- b/passwd- index 8693a039..46d851c9 100644 --- a/passwd- +++ b/passwd- @@ -28,7 +28,7 @@ pulse:x:109:119:PulseAudio daemon,,,:/var/run/pulse:/bin/false hplip:x:110:7:HPLIP system user,,,:/var/run/hplip:/bin/false mdm:x:111:121:MDM Display Manager:/var/lib/mdm:/bin/false rtkit:x:112:123:RealtimeKit,,,:/proc:/bin/false -saned:x:113:124::/home/saned:/bin/false +saned:x:113:124::/var/lib/saned:/bin/false speech-dispatcher:x:114:29:Speech Dispatcher,,,:/var/run/speech-dispatcher:/bin/sh statd:x:115:65534::/var/lib/nfs:/bin/false mhoellein:x:1000:1000:Mario Höllein,,,:/home/mhoellein:/bin/bash 
@@ -71,3 +71,4 @@ systemd-resolve:x:144:150:systemd Resolver,,,:/run/systemd/resolve:/bin/false systemd-bus-proxy:x:145:151:systemd Bus Proxy,,,:/run/systemd:/bin/false uuidd:x:100:101::/run/uuidd:/bin/false _apt:x:146:65534::/nonexistent:/bin/false +lightdm:x:147:154::/var/lib/lightdm:/bin/false diff --git a/rc0.d/K01lightdm b/rc0.d/K01lightdm new file mode 120000 index 00000000..ae17aebd --- /dev/null +++ b/rc0.d/K01lightdm @@ -0,0 +1 @@ +../init.d/lightdm \ No newline at end of file diff --git a/rc1.d/K01lightdm b/rc1.d/K01lightdm new file mode 120000 index 00000000..ae17aebd --- /dev/null +++ b/rc1.d/K01lightdm @@ -0,0 +1 @@ +../init.d/lightdm \ No newline at end of file diff --git a/rc2.d/S05lightdm b/rc2.d/S05lightdm new file mode 120000 index 00000000..ae17aebd --- /dev/null +++ b/rc2.d/S05lightdm @@ -0,0 +1 @@ +../init.d/lightdm \ No newline at end of file diff --git a/rc3.d/S05lightdm b/rc3.d/S05lightdm new file mode 120000 index 00000000..ae17aebd --- /dev/null +++ b/rc3.d/S05lightdm @@ -0,0 +1 @@ +../init.d/lightdm \ No newline at end of file diff --git a/rc4.d/S05lightdm b/rc4.d/S05lightdm new file mode 120000 index 00000000..ae17aebd --- /dev/null +++ b/rc4.d/S05lightdm @@ -0,0 +1 @@ +../init.d/lightdm \ No newline at end of file diff --git a/rc5.d/S05lightdm b/rc5.d/S05lightdm new file mode 120000 index 00000000..ae17aebd --- /dev/null +++ b/rc5.d/S05lightdm @@ -0,0 +1 @@ +../init.d/lightdm \ No newline at end of file diff --git a/rc6.d/K01lightdm b/rc6.d/K01lightdm new file mode 120000 index 00000000..ae17aebd --- /dev/null +++ b/rc6.d/K01lightdm @@ -0,0 +1 @@ +../init.d/lightdm \ No newline at end of file diff --git a/shadow b/shadow index 578b0b13..5a8afd5c 100644 --- a/shadow +++ b/shadow @@ -71,3 +71,4 @@ systemd-resolve:*:17827:0:99999:7::: systemd-bus-proxy:*:17827:0:99999:7::: uuidd:!:16637:0:99999:7::: _apt:*:17827:0:99999:7::: +lightdm:*:17827:0:99999:7::: diff --git a/shadow- b/shadow- index 578b0b13..5a8afd5c 100644 --- a/shadow- 
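Review bot: Versioning `shadow` in this etckeeper repository (together with `shadow-`, `gshadow` and `gshadow-`, which this commit also touches) keeps every password hash that has ever been in those files in git history. The `lightdm:*:…` entry added here is a locked account and reveals nothing by itself, but this commit has evidently been exported as a patch, so the history does leave the host in some form. Any remote or mailbox that receives it needs the same protection as /etc/shadow itself. Otherwise the files should be excluded with `shadow*` and `gshadow*` lines in `/etc/.gitignore` and purged from existing history.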
+++ b/shadow- @@ -71,3 +71,4 @@ systemd-resolve:*:17827:0:99999:7::: systemd-bus-proxy:*:17827:0:99999:7::: uuidd:!:16637:0:99999:7::: _apt:*:17827:0:99999:7::: +lightdm:*:17827:0:99999:7::: diff --git a/systemd/system/display-manager.service b/systemd/system/display-manager.service index 20ec54b0..88631e2d 120000 --- a/systemd/system/display-manager.service +++ b/systemd/system/display-manager.service @@ -1 +1 @@ -/lib/systemd/system/mdm.service \ No newline at end of file +/lib/systemd/system/lightdm.service \ No newline at end of file -- 2.43.0