usermngr: Vendor extension for Security Hardening parameters

usermngr/Config.in

@@ -5,4 +5,17 @@ config USERMNGR_SECURITY_HARDENING
 	default y
 	help
 	   Enable this option to use PAM based faillock, passwdqc, faildelay for security hardening.
+
+config USERMNGR_ENABLE_AUTH_VENDOR_EXT
+	depends on USERMNGR_SECURITY_HARDENING
+	bool "Exposes vendor datamodel extensions for AuthenticationPolicy"
+	default y
+	help
+	   Enable this option to expose TR181 vendor extensions for AuthenticationPolicy.
+
+config USERMNGR_VENDOR_PREFIX
+	depends on USERMNGR_ENABLE_AUTH_VENDOR_EXT
+	string "Package specific datamodel Vendor Prefix for TR181 extensions"
+	default ""
+
 endif

usermngr/Makefile

@@ -5,13 +5,13 @@
 include $(TOPDIR)/rules.mk
 
 PKG_NAME:=usermngr
-PKG_VERSION:=1.4.3
+PKG_VERSION:=1.4.4
 
 LOCAL_DEV:=0
 ifneq ($(LOCAL_DEV),1)
 PKG_SOURCE_PROTO:=git
 PKG_SOURCE_URL:=https://dev.iopsys.eu/bbf/usermngr.git
-PKG_SOURCE_VERSION:=ca6a6d03dd7c7e3b6ff0b2810ef63762d93c2bd1
+PKG_SOURCE_VERSION:=6e1a8d6ef9691f616a6f0d629f3db4ae359e0dcf
 PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION)-$(PKG_SOURCE_VERSION).tar.gz
 PKG_MIRROR_HASH:=skip
 endif
@@ -57,6 +57,18 @@ ifeq ($(CONFIG_USERMNGR_SECURITY_HARDENING),y)
 MAKE_FLAGS += USERMNGR_SECURITY_HARDENING=y
 endif
 
+ifeq ($(CONFIG_USERMNGR_ENABLE_AUTH_VENDOR_EXT),y)
+MAKE_FLAGS += USERMNGR_ENABLE_AUTH_VENDOR_EXT=y
+endif
+
+ifeq ($(CONFIG_USERMNGR_VENDOR_PREFIX),"")
+VENDOR_PREFIX = $(CONFIG_BBF_VENDOR_PREFIX)
+else
+VENDOR_PREFIX = $(CONFIG_USERMNGR_VENDOR_PREFIX)
+endif
+
+TARGET_CFLAGS += -DBBF_VENDOR_PREFIX=\\\"$(VENDOR_PREFIX)\\\"
+
 define Package/usermngr/install
 	$(INSTALL_DIR) $(1)/etc/init.d
 	$(INSTALL_DIR) $(1)/etc/config
@@ -68,6 +80,9 @@ define Package/usermngr/install
 ifeq ($(CONFIG_USERMNGR_SECURITY_HARDENING),y)
 	$(INSTALL_BIN) ./files/etc/uci-defaults/91-security-hardening $(1)/etc/uci-defaults/
 	$(INSTALL_BIN) ./files/etc/uci-defaults/91-set-ssh-pam $(1)/etc/uci-defaults/
+else
+	$(INSTALL_BIN) ./files/etc/uci-defaults/91-disabled-security $(1)/etc/uci-defaults/
+	$(INSTALL_BIN) ./files/etc/uci-defaults/91-unset-ssh-pam $(1)/etc/uci-defaults/
 endif
 	$(INSTALL_BIN) ./files/etc/init.d/users $(1)/etc/init.d/users
 	$(INSTALL_BIN) ./files/etc/config/users $(1)/etc/config/users

usermngr/files/etc/config/users

@@ -1,17 +1,3 @@
-config security_policy 'security_policy'
-	option enabled '1'
-	option fail_delay '3'
-	option faillock_attempts '6'
-	option faillock_lockout_time '300'
-
-config passwdqc 'passwdqc'
-	option enabled '1'
-	option min 'disabled,disabled,disabled,8,8'
-	option max '20'
-	option passphrase '0'
-	option retry '3'
-	option enforce 'everyone'
-
 config users 'users'
 	option enabled '1'
 	option loglevel '3'

usermngr/files/etc/init.d/users

@@ -51,17 +51,31 @@ update_auth() {
 	tmp_file="/tmp/common-auth"
 	pam_file="/etc/pam.d/common-auth"
 
+	local auth_enabled="${1}"
+	local enabled="${2}"
+
+	local faildelay="$(uci -q get users.authentication_policy.fail_delay)"
+	local faillock_lockout_time="$(uci -q get users.authentication_policy.faillock_lockout_time)"
+	local faillock_attempts="$(uci -q get users.authentication_policy.faillock_attempts)"
+
+	[ -n "$faildelay" ] || faildelay=3
+	[ -n "$faillock_attempts" ] || faillock_attempts=6
+	[ -n "$faillock_lockout_time" ] || faillock_lockout_time=300
+
+	# Convert seconds to microseconds for pam_faildelay
+	local faildelay_usec=$((faildelay * 1000000))
+
 	rm -f "$tmp_file"
 	touch "$tmp_file"
 
-	if [ "$enabled" != "0" ]; then
+	if [ "${auth_enabled}" -eq 1 ] && [ "${enabled}" -eq 1 ]; then
 		write_line "$tmp_file" "auth	optional	pam_faildelay.so delay=$faildelay_usec"
 		write_line "$tmp_file" "auth	required	pam_faillock.so preauth deny=$faillock_attempts even_deny_root unlock_time=$faillock_lockout_time"
 	fi
 
 	write_line "$tmp_file" "auth	sufficient	pam_unix.so nullok_secure"
 
-	if [ "$enabled" != "0" ]; then
+	if [ "${auth_enabled}" -eq 1 ] && [ "${enabled}" -eq 1 ]; then
 		write_line "$tmp_file" "auth	[default=die]	pam_faillock.so authfail audit deny=$faillock_attempts even_deny_root unlock_time=$faillock_lockout_time"
 		write_line "$tmp_file" ""
 	fi
@@ -103,7 +117,8 @@ update_password() {
 	local tmp_file pam_file enabled line
 	tmp_file="/tmp/common-password"
 	pam_file="/etc/pam.d/common-password"
-	enabled=1
+
+	local auth_enabled="${1}"
 
 	rm -f "$tmp_file"
 	touch "$tmp_file"
@@ -112,7 +127,7 @@ update_password() {
 	if uci -q get users.passwdqc >/dev/null 2>&1; then
 		# if enabled is not present it is assumed to be 0
 		enabled=$(uci -q get users.passwdqc.enabled || echo "0")
-		if [ "$enabled" != "0" ]; then
+		if [ "${auth_enabled}" -eq 1 ] && [ "${enabled}" -eq 1 ]; then
 			line="$(build_pam_passwdqc_line)"
 			write_line "$tmp_file" "$line"
 		fi
@@ -132,10 +147,13 @@ update_account() {
 	tmp_file="/tmp/common-account"
 	pam_file="/etc/pam.d/common-account"
 
+	local auth_enabled="${1}"
+	local enabled="${2}"
+
 	rm -f "$tmp_file"
 	touch "$tmp_file"
 
-	if [ "$enabled" != "0" ]; then
+	if [ "${auth_enabled}" -eq 1 ] && [ "${enabled}" -eq 1 ]; then
 		write_line "$tmp_file" "account 	required       		pam_faillock.so"
 	fi
 
@@ -148,28 +166,20 @@ update_account() {
 }
 
 handle_security_policy() {
-	local enabled faildelay faillock_lockout_time faillock_attempts faildelay_usec
+	local auth_enabled enabled
 
 	# Read UCI values
-	enabled="$(uci -q get users.security_policy.enabled)"
+	auth_enabled="$(uci -q get users.users.auth_policy_enable || echo 0)"
-	faildelay="$(uci -q get users.security_policy.fail_delay)"
+	enabled="$(uci -q get users.authentication_policy.enabled || echo 0)"
-	faillock_lockout_time="$(uci -q get users.security_policy.faillock_lockout_time)"
-	faillock_attempts="$(uci -q get users.security_policy.faillock_attempts)"
 
 	# if any .so files are missing, then we cannot setup security
 	if ! check_required_modules; then
 		return
 	fi
 
-	[ -n "$faildelay" ] || faildelay=3
+	update_auth "${auth_enabled}" "${enabled}"
-	[ -n "$faillock_attempts" ] || faillock_attempts=6
+	update_account "${auth_enabled}" "${enabled}"
-	[ -n "$faillock_lockout_time" ] || faillock_lockout_time=300
+	update_password "${auth_enabled}"
-	# Convert seconds to microseconds for pam_faildelay
-	faildelay_usec=$((faildelay * 1000000))
-
-	update_auth
-	update_account
-	update_password
 }
 
 start_service() {
@@ -196,6 +206,7 @@ reload_service() {
 		stop
 		start
 	else
+		handle_security_policy
 		ubus send usermngr.reload
 	fi
 

usermngr/files/etc/uci-defaults/91-disabled-security

@@ -0,0 +1,16 @@
+#!/bin/sh
+
+# Remove auth_policy_enable from global
+if uci -q get users.users; then
+	uci -q set users.users.auth_policy_enable=''
+else
+	uci -q set users.users='users'
+fi
+
+# Remove authentication_policy section
+uci -q del users.authentication_policy
+
+# Remove passwdqc section
+uci -q del users.passwdqc
+
+exit 0

usermngr/files/etc/uci-defaults/91-security-hardening

@@ -1,12 +1,19 @@
 #!/bin/sh
 
-# Create default security_policy section if missing
+# Create global section
-if ! uci -q get users.security_policy; then
+if ! uci -q get users.users; then
-	uci -q set users.security_policy='security_policy'
+	uci -q set users.users='users'
-	uci -q set users.security_policy.enabled='1'
+fi
-	uci -q set users.security_policy.fail_delay='3'
+
-	uci -q set users.security_policy.faillock_attempts='6'
+uci -q set users.users.auth_policy_enable='1'
-	uci -q set users.security_policy.faillock_lockout_time='300'
+
+# Create default authentication_policy section if missing
+if ! uci -q get users.authentication_policy; then
+	uci -q set users.authentication_policy='authentication_policy'
+	uci -q set users.authentication_policy.enabled='1'
+	uci -q set users.authentication_policy.fail_delay='3'
+	uci -q set users.authentication_policy.faillock_attempts='6'
+	uci -q set users.authentication_policy.faillock_lockout_time='300'
 fi
 
 # Create default passwdqc section if missing

usermngr/files/etc/uci-defaults/91-unset-ssh-pam

@@ -0,0 +1,8 @@
+#!/bin/sh
+
+if [ -f /etc/config/sshd ]; then
+	uci -q set sshd.@sshd[0].UsePAM=0
+fi
+
+exit 0
+