libpam: deny all services for the OTHER entries

To be secure, change behavior of the OTHER entries to warn and deny
access to everything by stating pam_deny.so on all services.

(From OE-Core rev: 4ca0af699b5b4b3cf95b3e76482651949fd922ac)

Signed-off-by: Ming Liu <ming.liu@windriver.com>
Signed-off-by: Saul Wold <sgw@linux.intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>

1 files changed, 6 insertions, 9 deletions

diff --git a/meta/recipes-extended/pam/libpam/pam.d/other b/meta/recipes-extended/pam/libpam/pam.d/other
index 6e40cd0c02..ec970ecbe0 100644
--- a/meta/recipes-extended/pam/libpam/pam.d/other
+++ b/meta/recipes-extended/pam/libpam/pam.d/other
@@ -6,22 +6,19 @@
 #pam_open_session, the session module out of /etc/pam.d/other is
 #used.  
 
-#If you really want nothing to happen then use pam_permit.so or
-#pam_deny.so as appropriate.
-
 # We use pam_warn.so to generate syslog notes that the 'other'
 #fallback rules are being used (as a hint to suggest you should setup
-#specific PAM rules for the service and aid to debugging). We then 
-#fall back to the system default in /etc/pam.d/common-*
+#specific PAM rules for the service and aid to debugging). Then to be
+#secure, deny access to all services by default. 
 
 auth       required     pam_warn.so
-auth       include      common-auth
+auth       required     pam_deny.so
 
 account    required     pam_warn.so
-account    include      common-account
+account    required     pam_deny.so
 
 password   required     pam_warn.so
-password   include      common-password
+password   required     pam_deny.so
 
 session    required     pam_warn.so
-session    include      common-session
+session    required     pam_deny.so