From bfd3e49328a30c359dc1adc351fab82ce6251a46 Mon Sep 17 00:00:00 2001 
From: =?UTF-8?q?Adrian=20Schr=C3=B6ter?= Date: Tue, 13 Feb 2024 13:47:20 +0100 Subject: [PATCH] Sync from SUSE:ALP:Source:Standard:1.0 pam revision 0bf4344e447551fd37662b147ec12ea4 --- .gitattributes | 23 + Linux-PAM-1.6.0.tar.xz | 3 + Linux-PAM-1.6.0.tar.xz.asc | 16 + _multibuild | 3 + baselibs.conf | 6 + common-account.pamd | 9 + common-auth.pamd | 11 + common-password.pamd | 11 + common-session-nonlogin.pamd | 14 + common-session.pamd | 13 + macros.pam | 8 + other.pamd | 10 + pam-limit-nproc.patch | 11 + pam-login_defs-check.sh | 46 + pam.changes | 2316 +++++++++++++++++++ pam.spec | 585 +++++ pam.tmpfiles | 4 + pam_env-fix-enable-vendordir-fallback.patch | 51 + pam_env-fix_vendordir.patch | 51 + pam_env-remove-escaped-newlines.patch | 54 + pam_unix-fix-password-aging-disabled.patch | 27 + postlogin-account.pamd | 10 + postlogin-auth.pamd | 10 + postlogin-password.pamd | 10 + postlogin-session.pamd | 10 + unix2_chkpwd.8 | 79 + unix2_chkpwd.c | 337 +++ 27 files changed, 3728 insertions(+) create mode 100644 .gitattributes create mode 100644 Linux-PAM-1.6.0.tar.xz create mode 100644 Linux-PAM-1.6.0.tar.xz.asc create mode 100644 _multibuild create mode 100644 baselibs.conf create mode 100644 common-account.pamd create mode 100644 common-auth.pamd create mode 100644 common-password.pamd create mode 100644 common-session-nonlogin.pamd create mode 100644 common-session.pamd create mode 100644 macros.pam create mode 100644 other.pamd create mode 100644 pam-limit-nproc.patch create mode 100644 pam-login_defs-check.sh create mode 100644 pam.changes create mode 100644 pam.spec create mode 100644 pam.tmpfiles create mode 100644 pam_env-fix-enable-vendordir-fallback.patch create mode 100644 pam_env-fix_vendordir.patch create mode 100644 pam_env-remove-escaped-newlines.patch create mode 100644 pam_unix-fix-password-aging-disabled.patch create mode 100644 postlogin-account.pamd create mode 100644 postlogin-auth.pamd create mode 100644 postlogin-password.pamd create mode 
100644 postlogin-session.pamd create mode 100644 unix2_chkpwd.8 create mode 100644 unix2_chkpwd.c
diff --git a/.gitattributes b/.gitattributes
new file mode 100644
index 0000000..fecc750
--- /dev/null
+++ b/.gitattributes
@@ -0,0 +1,23 @@
+## Default LFS
+*.7z filter=lfs diff=lfs merge=lfs -text
+*.bsp filter=lfs diff=lfs merge=lfs -text
+*.bz2 filter=lfs diff=lfs merge=lfs -text
+*.gem filter=lfs diff=lfs merge=lfs -text
+*.gz filter=lfs diff=lfs merge=lfs -text
+*.jar filter=lfs diff=lfs merge=lfs -text
+*.lz filter=lfs diff=lfs merge=lfs -text
+*.lzma filter=lfs diff=lfs merge=lfs -text
+*.obscpio filter=lfs diff=lfs merge=lfs -text
+*.oxt filter=lfs diff=lfs merge=lfs -text
+*.pdf filter=lfs diff=lfs merge=lfs -text
+*.png filter=lfs diff=lfs merge=lfs -text
+*.rpm filter=lfs diff=lfs merge=lfs -text
+*.tbz filter=lfs diff=lfs merge=lfs -text
+*.tbz2 filter=lfs diff=lfs merge=lfs -text
+*.tgz filter=lfs diff=lfs merge=lfs -text
+*.ttf filter=lfs diff=lfs merge=lfs -text
+*.txz filter=lfs diff=lfs merge=lfs -text
+*.whl filter=lfs diff=lfs merge=lfs -text
+*.xz filter=lfs diff=lfs merge=lfs -text
+*.zip filter=lfs diff=lfs merge=lfs -text
+*.zst filter=lfs diff=lfs merge=lfs -text
diff --git a/Linux-PAM-1.6.0.tar.xz b/Linux-PAM-1.6.0.tar.xz
new file mode 100644
index 0000000..48b0111
--- /dev/null
+++ b/Linux-PAM-1.6.0.tar.xz
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:fff4a34e5bbee77e2e8f1992f27631e2329bcbf8a0563ddeb5c3389b4e3169ad
+size 1048296
diff --git a/Linux-PAM-1.6.0.tar.xz.asc b/Linux-PAM-1.6.0.tar.xz.asc
new file mode 100644
index 0000000..61163a8
--- /dev/null
+++ b/Linux-PAM-1.6.0.tar.xz.asc
@@ -0,0 +1,16 @@ +-----BEGIN PGP SIGNATURE----- + +iQIcBAABCgAGBQJlp6wnAAoJEKgEH6g54W42MiEP/A9ZznPwFC64SbhbvFYOt6dI +n7NMhzBK4NNw4FLuqeTtIDibNVZ5PkrPHTVaaUuZ2etIkAtUzQLJfB6AyIUY80Gm +NrURXs3LTGZT413A5hH21wUiMLFXIi8GGcz2THV9FJX4KruOkvxXVTxUH6ntlsHY +U+NpNbQXtbq7whzdb7A2W7Ofyg4/gG/QJuLil1cS0rlGg2GhGqxQKBpzvag3fFM3 +XQClfUTF0ALhR6RH0HzolwEsOSp/C1US0mHHfBsvMlbkHrba5VrlQyvdximtzXxw +6+vNaYVd0SX40e3QCLFQ3yAwqAVK6g0lVlgohSCZbjDJgdcoklShE2x7GtVyzwMi +Vic7nkzANQPb0EH14Bo+SMQEOGtZ99tVUt4jX4Rt6f0P/pBCiF6ugJj/IJ67Ouu2 +gp1aRVFrrhFetucdeZhnXb7IJ8h4FDtklRcOS8OgsPGJofLjZmVICrwt6sxpU30n +b/csdoJ1xrMuvo1RGAeSi58sz4KiyKxnTDJL1+7owoK6oNMkN2HR6pE4NH0Atm4n +NcQykgvavC6GZwUsMqrGQypG30LdkKiRScPqCerNYzi01iL7Zxw5BK/plFBwCqJQ +LQH1FUUKEUMA13dt/bUOMSUNmkyIC3PtE69g6XeLRL1M00gRwGgjn8azcYDzOWox +zxDFnUsJ/JgmJm3y47J2 +=wzV/ +-----END PGP SIGNATURE----- diff --git a/_multibuild b/_multibuild new file mode 100644 index 0000000..6cf83f2 --- /dev/null +++ b/_multibuild @@ -0,0 +1,3 @@ + + full + diff --git a/baselibs.conf b/baselibs.conf new file mode 100644 index 0000000..af148bb --- /dev/null +++ b/baselibs.conf @@ -0,0 +1,6 @@ +pam + requires "(systemd- if systemd)" + obsoletes "pam_unix-" + obsoletes "pam_unix-nis-" +pam-extra +pam-devel diff --git a/common-account.pamd b/common-account.pamd new file mode 100644 index 0000000..5e724e8 --- /dev/null +++ b/common-account.pamd @@ -0,0 +1,9 @@ +# +# /etc/pam.d/common-account - account settings common to all services +# +# This file is included from other service-specific PAM config files, +# and should contain a list of the account modules that define +# the central access policy for use on the system. The default is to +# only deny service to users whose accounts are expired. +# +account required pam_unix.so try_first_pass diff --git a/common-auth.pamd b/common-auth.pamd new file mode 100644 index 0000000..4fa5eea --- /dev/null +++ b/common-auth.pamd 
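Review bot: The detached signature `Linux-PAM-1.6.0.tar.xz.asc` is added without the key needed to check it: none of the 27 files in the diffstat is a keyring. As far as this commit shows, the tarball can therefore be compared only against the LFS `oid sha256:` pointer, which the same commit supplies. Shipping the upstream release key next to the signature (by the usual packaging convention `pam.keyring`) and having the build verify the tarball against it would make the signature effective. pam.spec is outside this view, so confirm it does not already obtain and check a key another way.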
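Review bot: `try_first_pass` on the `account required pam_unix.so try_first_pass` line of common-account.pamd has no effect, because as far as pam_unix(8) documents it the option only controls how a password is obtained in the auth and password stacks. The same applies to the `session required pam_unix.so try_first_pass` lines in common-session-nonlogin.pamd and common-session.pamd. Options that do nothing in a policy file invite misreading during an audit, so I would reduce these lines to `account required pam_unix.so` and `session required pam_unix.so`.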
@@ -0,0 +1,11 @@
+#
+# /etc/pam.d/common-auth - authentication settings common to all services
+#
+# This file is included from other service-specific PAM config files,
+# and should contain a list of the authentication modules that define
+# the central authentication scheme for use on the system
+# (e.g., /etc/shadow, LDAP, Kerberos, etc.). The default is to use the
+# traditional Unix authentication mechanisms.
+#
+auth required pam_env.so
+auth required pam_unix.so try_first_pass
diff --git a/common-password.pamd b/common-password.pamd
new file mode 100644
index 0000000..269b4c6
--- /dev/null
+++ b/common-password.pamd
@@ -0,0 +1,11 @@
+#
+# /etc/pam.d/common-password - password-related modules common to all services
+#
+# This file is included from other service-specific PAM config files,
+# and should contain a list of modules that define the services to be
+# used to change user passwords.
+#
+# The "nullok" option allows users to change an empty password, else
+# empty passwords are treated as locked accounts.
+#
+password required pam_unix.so nullok
diff --git a/common-session-nonlogin.pamd b/common-session-nonlogin.pamd
new file mode 100644
index 0000000..9830c96
--- /dev/null
+++ b/common-session-nonlogin.pamd
@@ -0,0 +1,14 @@
+#
+# /etc/pam.d/common-session-nonlogin - session-related modules common
+# to services not doing a real login
+#
+# This file is included from other service-specific PAM config files,
+# and should contain a list of modules that define tasks to be performed
+# at the start and end of sessions of *any* kind (both interactive and
+# non-interactive), but not if they don't create a new login session
+# (e.g. like cron, chfn, chsh, ...)
+#
+session required pam_limits.so
+session required pam_unix.so try_first_pass
+session optional pam_umask.so
+session optional pam_env.so
diff --git a/common-session.pamd b/common-session.pamd
new file mode 100644
index 0000000..8446c6b
--- /dev/null
+++ b/common-session.pamd
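Review bot: The header comment of common-auth.pamd does not say that this default stack has no failed-attempt lockout: the two `auth` lines go from pam_env.so straight to pam_unix.so, so repeated wrong guesses are slowed only by whatever delay pam_unix applies. The changelog in this same commit records pam_faillock as enabled in the build, which makes it easy to assume it is active. I would add a header line such as `# No account lockout is configured here; add pam_faillock.so where policy requires it (see pam_faillock(8)).`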
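Review bot: With `password required pam_unix.so nullok` as the only line in common-password.pamd, a password change passes through no separate strength check. The changelog in this commit notes that pam_cracklib was removed from common-password as deprecated, and nothing replaces it here. If that is intentional for the packaged default, the header should say so, for example `# No password quality module is configured by default; add one (e.g. pam_pwquality.so) ahead of pam_unix.so if policy requires it.`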
@@ -0,0 +1,13 @@
+#
+# /etc/pam.d/common-session - session-related modules common to all services
+#
+# This file is included from other service-specific PAM config files,
+# and should contain a list of modules that define tasks to be performed
+# at the start and end of sessions of *any* kind (both interactive and
+# non-interactive).
+#
+session optional pam_systemd.so
+session required pam_limits.so
+session required pam_unix.so try_first_pass
+session optional pam_umask.so
+session optional pam_env.so
diff --git a/macros.pam b/macros.pam
new file mode 100644
index 0000000..f89d9f5
--- /dev/null
+++ b/macros.pam
@@ -0,0 +1,8 @@
+%_pam_libdir %{_libdir}
+%_pam_moduledir %{_libdir}/security
+%_pam_secconfdir %{_sysconfdir}/security
+%_pam_secdistconfdir %{_distconfdir}/security
+%_pam_confdir %{_sysconfdir}/pam.d
+%_pam_vendordir %{_prefix}/lib/pam.d
+# legacy, to be retired
+%_pamdir %{_pam_moduledir}
diff --git a/other.pamd b/other.pamd
new file mode 100644
index 0000000..840eb77
--- /dev/null
+++ b/other.pamd
@@ -0,0 +1,10 @@
+#%PAM-1.0
+auth required pam_warn.so
+auth required pam_deny.so
+account required pam_warn.so
+account required pam_deny.so
+password required pam_warn.so
+password required pam_deny.so
+session required pam_warn.so
+session required pam_deny.so
+
diff --git a/pam-limit-nproc.patch b/pam-limit-nproc.patch
new file mode 100644
index 0000000..f7a85a2
--- /dev/null
+++ b/pam-limit-nproc.patch
@@ -0,0 +1,11 @@
+Index: Linux-PAM-1.3.1/modules/pam_limits/limits.conf
+===================================================================
+--- Linux-PAM-1.3.1.orig/modules/pam_limits/limits.conf
++++ Linux-PAM-1.3.1/modules/pam_limits/limits.conf
+@@ -47,4 +47,6 @@
+ #ftp hard nproc 0
+ #@student - maxlogins 4
+
++# No limits for nproc, use systemd configuration instead
++
+ # End of file
diff --git a/pam-login_defs-check.sh b/pam-login_defs-check.sh
new file mode 100644
index 0000000..b6520aa
--- /dev/null
+++ b/pam-login_defs-check.sh
@@ -0,0 +1,46 @@ +#!/bin/bash + +# Extract list of variables supported by su/runuser. +# +# If you edit this file, you will probably need to edit +# shadow-login_defs-check.sh from shadow sources in a similar way. + +set -o errexit + +echo -n "Checking login.defs variables in pam... " >&2 +grep -rh LOGIN_DEFS . | + sed -n 's/CRYPTO_KEY/\"HMAC_CRYPTO_ALGO\"/g;s/^.*search_key *([A-Za-z_]*, *[A-Z_]*LOGIN_DEFS, *"\([A-Z0-9_]*\)").*$/\1/p' | + LC_ALL=C sort -u >pam-login_defs-vars.lst + +if test $(sha1sum pam-login_defs-vars.lst | sed 's/ .*$//') != 8521c47f55dff97fac980d52395b763590cd3f07 ; then + + echo "does not match!" >&2 + echo "Checksum is: $(sha1sum pam-login_defs-vars.lst | sed 's/ .*$//')" >&2 + +cat >&2 <&2 +fi diff --git a/pam.changes b/pam.changes new file mode 100644 index 0000000..934cb8b --- /dev/null +++ b/pam.changes 
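Review bot: The command substitution in `if test $(sha1sum pam-login_defs-vars.lst | sed 's/ .*$//') != 8521c47f55dff97fac980d52395b763590cd3f07 ; then` is unquoted, so if it ever expands to nothing (for instance sha1sum missing from the build root) `test` receives a malformed expression and returns an error status. `if` treats that as false, and `set -o errexit` does not apply inside an `if` condition, so the mismatch branch is skipped instead of the check failing. Quoting it keeps the comparison well-formed and makes an empty result count as a mismatch: `if test "$(sha1sum pam-login_defs-vars.lst | sed 's/ .*$//')" != 8521c47f55dff97fac980d52395b763590cd3f07 ; then`. The here-document body after `cat >&2` is not visible on this page, so the rest of that branch is not reviewed here.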
@@ -0,0 +1,2316 @@ +------------------------------------------------------------------- +Wed Feb 7 13:11:15 UTC 2024 - Thorsten Kukuk + +- pam.tmpfiles: Make sure the content of the /run directories get + removed in case of a soft-reboot + +------------------------------------------------------------------- +Tue Jan 30 15:17:57 UTC 2024 - Thorsten Kukuk + +- Enable pam_canonicalize_user.so + +------------------------------------------------------------------- +Fri Jan 19 09:11:30 UTC 2024 - Thorsten Kukuk + +- Add post 1.6.0 release fixes for pam_env and pam_unix: + - pam_env-fix-enable-vendordir-fallback.patch + - pam_env-fix_vendordir.patch + - pam_env-remove-escaped-newlines.patch + - pam_unix-fix-password-aging-disabled.patch +- Update to version 1.6.0 + - Added support of configuration files with arbitrarily long lines. + - build: fixed build outside of the source tree. + - libpam: added use of getrandom(2) as a source of randomness if available. + - libpam: fixed calculation of fail delay with very long delays. + - libpam: fixed potential infinite recursion with includes. + - libpam: implemented string to number conversions validation when parsing + controls in configuration. + - pam_access: added quiet_log option. + - pam_access: fixed truncation of very long group names. + - pam_canonicalize_user: new module to canonicalize user name. + - pam_echo: fixed file handling to prevent overflows and short reads. + - pam_env: added support of '\' character in environment variable values. + - pam_exec: allowed expose_authtok for password PAM_TYPE. + - pam_exec: fixed stack overflow with binary output of programs. + - pam_faildelay: implemented parameter ranges validation. + - pam_listfile: changed to treat \r and \n exactly the same in configuration. + - pam_mkhomedir: hardened directory creation against timing attacks. + - Please note that using *at functions leads to more open file handles + during creation. 
+ - pam_namespace: fixed potential local DoS (CVE-2024-22365). + - pam_nologin: fixed file handling to prevent short reads. + - pam_pwhistory: helper binary is now built only if SELinux support is + enabled. + - pam_pwhistory: implemented reliable usernames handling when remembering + passwords. + - pam_shells: changed to allow shell entries with absolute paths only. + - pam_succeed_if: fixed treating empty strings as numerical value 0. + - pam_unix: added support of disabled password aging. + - pam_unix: synchronized password aging with shadow. + - pam_unix: implemented string to number conversions validation. + - pam_unix: fixed truncation of very long user names. + - pam_unix: corrected rounds retrieval for configured encryption method. + - pam_unix: implemented reliable usernames handling when remembering + passwords. + - pam_unix: changed to always run the helper to obtain shadow password + entries. + - pam_unix: unix_update helper binary is now built only if SELinux support + is enabled. + - pam_unix: added audit support to unix_update helper. + - pam_userdb: added gdbm support. + - Multiple minor bug fixes, portability fixes, documentation improvements, + and translation updates. +- The following patches are obsolete with the update: + - pam_access-doc-IPv6-link-local.patch + - pam_access-hostname-debug.patch + - pam_shells-fix-econf-memory-leak.patch + - pam_shells-fix-econf-memory-leak.patch + - disable-examples.patch +- pam-login_defs-check.sh: adjust checksum, SHA_CRYPT_MAX_ROUNDS + is no longer used. 
+ +------------------------------------------------------------------- +Wed Aug 23 09:20:06 UTC 2023 - Thorsten Kukuk + +- Fix building without SELinux + +------------------------------------------------------------------- +Mon Aug 7 09:41:27 UTC 2023 - Thorsten Kukuk + +- pam_access backports from upstream: + - pam_access-doc-IPv6-link-local.patch: + Document only partial supported IPv6 link local addresses + - pam_access-hostname-debug.patch: + Don't print error if we cannot resolve a hostname, does not + need to be a hostname + - pam_shells-fix-econf-memory-leak.patch: + Free econf keys variable + - disable-examples.patch: + Don't build examples + +------------------------------------------------------------------- +Tue May 9 12:14:48 UTC 2023 - Thorsten Kukuk + +- Update to final 1.5.3 release: + - configure: added --enable-logind option to use logind instead of utmp + in pam_issue and pam_timestamp. + - pam_modutil_getlogin: changed to use getlogin() from libc instead of + parsing utmp. + - Added libeconf support to pam_env and pam_shells. + - Added vendor directory support to pam_access, pam_env, pam_group, + pam_faillock, pam_limits, pam_namespace, pam_pwhistory, pam_sepermit, + pam_shells, and pam_time. + - pam_limits: changed to not fail on missing config files. + - pam_pwhistory: added conf= option to specify config file location. + - pam_pwhistory: added file= option to specify password history file + location. + - pam_shells: added shells.d support when libeconf and vendordir are enabled. + - Deprecated pam_lastlog: this module is no longer built by default because + it uses utmp, wtmp, btmp and lastlog, but none of them are Y2038 safe, + even on 64bit architectures. + pam_lastlog will be removed in one of the next releases, consider using + pam_lastlog2 (from https://github.com/thkukuk/lastlog2) and/or + pam_wtmpdb (from https://github.com/thkukuk/wtmpdb) instead. 
+ - Deprecated _pam_overwrite(), _pam_overwrite_n(), and _pam_drop_reply() + macros provided by _pam_macros.h; the memory override performed by these + macros can be optimized out by the compiler and therefore can no longer + be relied upon. + +------------------------------------------------------------------- +Thu Apr 20 09:40:50 UTC 2023 - Thorsten Kukuk + +- pam-extra: add split provide + +------------------------------------------------------------------- +Wed Apr 12 11:28:48 UTC 2023 - Thorsten Kukuk + +- pam-userdb: add split provide + +------------------------------------------------------------------- +Tue Apr 11 07:53:44 UTC 2023 - Thorsten Kukuk + +- Drop pam-xauth_ownership.patch, got fixed in sudo itself +- Drop pam-bsc1177858-dont-free-environment-string.patch, was a + fix for above patch + +------------------------------------------------------------------- +Thu Apr 6 12:11:30 UTC 2023 - Thorsten Kukuk + +- Use bcond selinux to disable SELinux +- Remove old pam_unix_* compat symlinks +- Move pam_userdb to own pam-userdb sub-package +- pam-extra contains now modules having extended dependencies like + libsystemd +- Update to 1.5.3.90 git snapshot +- Drop merged patches: + - pam-git.diff + - docbook5.patch + - pam_pwhistory-docu.patch + - pam_xauth_data.3.xml.patch +- Drop Linux-PAM-1.5.2.90.tar.xz as we have to rebuild all + documentation anyways and don't use the prebuild versions +- Move all devel manual pages to pam-manpages, too. Fixes the + problem that adjusted defaults not shown correct. + +------------------------------------------------------------------- +Mon Mar 20 10:12:41 UTC 2023 - Thorsten Kukuk + +- Add common-session-nonlogin and postlogin-* pam.d config files + for https://github.com/SUSE/pam-config/pull/16, pam_lastlog2 + and upcoming pam_wtmpdb. + +------------------------------------------------------------------- +Fri Mar 10 18:27:09 UTC 2023 - Giuliano Belinassi + +- Enable livepatching support on x86_64. 
+ +------------------------------------------------------------------- +Tue Jan 24 08:38:04 UTC 2023 - Valentin Lefebvre + +- Use rpm macros for pam dist conf dir (/usr/etc/security) + +------------------------------------------------------------------- +Wed Jan 18 09:33:37 UTC 2023 - Stefan Schubert + +- Moved following files/dirs in /etc/security to vendor directory: + access.conf, limits.d, sepermit.conf, time.conf, namespace.conf, + namespace.d, namespace.init + +------------------------------------------------------------------- +Sat Dec 24 13:31:33 UTC 2022 - Dominique Leuenberger + +- Also obsolete pam_unix-32bit to have clean upgrade path. + +------------------------------------------------------------------- +Fri Dec 16 09:37:15 UTC 2022 - Thorsten Kukuk + +- Merge pam_unix back into pam, seperate package not needed anymore + +------------------------------------------------------------------- +Thu Dec 15 12:47:53 UTC 2022 - Thorsten Kukuk + +- Update pam-git.diff to current upstream + - pam_env: Use vendor specific pam_env.conf and environment as fallback + - pam_shells: Use the vendor directory + obsoletes pam_env_econf.patch +- Refresh docbook5.patch + +------------------------------------------------------------------- +Tue Dec 6 16:43:49 UTC 2022 - Thorsten Kukuk + +- pam_pwhistory-docu.patch, docbook5.patch: convert docu to + docbook5 + +------------------------------------------------------------------- +Thu Dec 1 13:51:35 UTC 2022 - Thorsten Kukuk + +- pam-git.diff: update to current git + - obsoletes pam-hostnames-in-access_conf.patch + - obsoletes tst-pam_env-retval.c +- pam_env_econf.patch refresh + +------------------------------------------------------------------- +Tue Nov 22 15:24:12 UTC 2022 - Thorsten Kukuk + +- Move pam_env config files below /usr/etc + +------------------------------------------------------------------- +Tue Oct 11 14:44:56 UTC 2022 - Stefan Schubert + +- pam_env: Using libeconf for reading configuration and environment 
+ files. (Patch: pam_env_econf.patch; Testcase: tst-pam_env-retval.c) + +------------------------------------------------------------------- +Fri Jun 17 15:26:20 UTC 2022 - Thorsten Kukuk + +- Keep old directory in filelist for migration + +------------------------------------------------------------------- +Wed Jun 1 11:43:22 UTC 2022 - Thorsten Kukuk + +- Move PAM config files from /usr/etc/pam.d to /usr/lib/pam.d + +------------------------------------------------------------------- +Fri Mar 11 11:25:35 UTC 2022 - Thorsten Kukuk + +- pam-hostnames-in-access_conf.patch: update with upstream + submission. Fixes several bugs including memory leaks. + +------------------------------------------------------------------- +Wed Feb 9 14:05:01 UTC 2022 - Thorsten Kukuk + +- Move group.conf and faillock.conf to /usr/etc/security + +------------------------------------------------------------------- +Mon Feb 7 09:46:16 UTC 2022 - Thorsten Kukuk + +- Update to current git for enhanced vendordir support (pam-git.diff) + Obsoletes: + - 0001-Include-pam_xauth_data.3.xml-in-source-archive-400.patch + - 0002-Only-include-vendordir-in-manual-page-if-set-401.patch + - 0003-Use-vendor-specific-limits.conf-as-fallback-402.patch + +------------------------------------------------------------------- +Mon Dec 13 13:06:47 UTC 2021 - Thorsten Kukuk + +- Drop pam_umask-usergroups-login_defs.patch, does more harm + than helps. If not explizit specified as module option, we + use UMASK from login.defs unmodified. 
+ +------------------------------------------------------------------- +Thu Nov 25 10:12:20 UTC 2021 - Thorsten Kukuk + +- Don't define doc/manpages packages in main build + +------------------------------------------------------------------- +Wed Nov 24 13:45:22 UTC 2021 - Thorsten Kukuk + +- Add missing recommends and split provides + +------------------------------------------------------------------- +Wed Nov 24 13:39:45 UTC 2021 - Thorsten Kukuk + +- Use multibuild to build docu with correct paths and available + features. + +------------------------------------------------------------------- +Mon Nov 22 13:12:09 UTC 2021 - Thorsten Kukuk + +- common-session: move pam_systemd to first position as if the + file would have been generated with pam-config +- Add vendordir fixes and enhancements from upstream: + - pam_xauth_data.3.xml.patch + - 0001-Include-pam_xauth_data.3.xml-in-source-archive-400.patch + - 0002-Only-include-vendordir-in-manual-page-if-set-401.patch + - 0003-Use-vendor-specific-limits.conf-as-fallback-402.patch +- For buggy bot: Makefile-pam_unix-nis.diff belonged to the other + spec file. + +------------------------------------------------------------------- +Wed Nov 17 04:14:18 UTC 2021 - Stanislav Brabec + +- Update pam-login_defs-check.sh regexp and + login_defs-support-for-pam symbol to version 1.5.2 + (new variable HMAC_CRYPTO_ALGO). + +------------------------------------------------------------------- +Tue Nov 2 20:32:04 UTC 2021 - Callum Farmer + +- Add /run/pam_timestamp to pam.tmpfiles + +------------------------------------------------------------------- +Tue Oct 12 13:49:53 UTC 2021 - Josef Möllers + +- Corrected macro definition of %_pam_moduledir: + %_pam_moduledir %{_libdir}/security + [macros.pam] + +------------------------------------------------------------------- +Wed Oct 6 09:14:11 UTC 2021 - Josef Möllers + +- Prepend a slash to the expansion of %{_lib} in macros.pam as + this are defined without a leading slash! 
+ +------------------------------------------------------------------- +Wed Sep 15 13:34:52 UTC 2021 - Thorsten Kukuk + +- Rename motd.tmpfiles to pam.tmpfiles + - Add /run/faillock directory + +------------------------------------------------------------------- +Fri Sep 10 10:08:28 UTC 2021 - Thorsten Kukuk + +- pam-login_defs-check.sh: adjust for new login.defs variable usages + +------------------------------------------------------------------- +Mon Sep 6 11:51:30 UTC 2021 - Josef Möllers + +- Update to 1.5.2 + Noteworthy changes in Linux-PAM 1.5.2: + + * pam_exec: implemented quiet_log option. + * pam_mkhomedir: added support of HOME_MODE and UMASK from + /etc/login.defs. + * pam_timestamp: changed hmac algorithm to call openssl instead + of the bundled sha1 implementation if selected, added option + to select the hash algorithm to use with HMAC. + * Added pkgconfig files for provided libraries. + * Added --with-systemdunitdir configure option to specify systemd + unit directory. + * Added --with-misc-conv-bufsize configure option to specify the + buffer size in libpam_misc's misc_conv() function, raised the + default value for this parameter from 512 to 4096. + * Multiple minor bug fixes, portability fixes, documentation + improvements, and translation updates. + + pam_tally2 has been removed upstream, remove pam_tally2-removal.patch + + pam_cracklib has been removed from the upstream sources. This + obsoletes pam-pam_cracklib-add-usersubstr.patch and + pam_cracklib-removal.patch. 
+ The following patches have been accepted upstream and, so, + are obsolete: + - pam-bsc1181443-make-nofile-unlimited-mean-nr_open.patch + - pam_securetty-don-t-complain-about-missing-config.patch + - bsc1184358-prevent-LOCAL-from-being-resolved.patch + - revert-check_shadow_expiry.diff + + [Linux-PAM-1.5.2-docs.tar.xz, Linux-PAM-1.5.2-docs.tar.xz.asc, + Linux-PAM-1.5.2.tar.xz, Linux-PAM-1.5.2.tar.xz.asc, + pam-pam_cracklib-add-usersubstr.patch, pam_cracklib-removal.patch, + pam-bsc1181443-make-nofile-unlimited-mean-nr_open.patch, + pam_securetty-don-t-complain-about-missing-config.patch, + bsc1184358-prevent-LOCAL-from-being-resolved.patch, + revert-check_shadow_expiry.diff] + +------------------------------------------------------------------- +Thu Aug 12 14:42:54 UTC 2021 - Thorsten Kukuk + +- pam_umask-usergroups-login_defs.patch: Deprecate pam_umask + explicit "usergroups" option and instead read it from login.def's + "USERGROUP_ENAB" option if umask is only defined there. + [bsc#1189139] + +------------------------------------------------------------------- +Tue Aug 3 09:26:00 UTC 2021 - pgajdos@suse.com + +- package man5/motd.5 as a man-pages link to man8/pam_motd.8 + [bsc#1188724] + +------------------------------------------------------------------- +Tue Jul 13 13:40:00 UTC 2021 - Thorsten Kukuk + +- revert-check_shadow_expiry.diff: revert wrong + CRYPT_SALT_METHOD_LEGACY check. 
+ +------------------------------------------------------------------- +Fri Jun 25 08:07:04 UTC 2021 - Callum Farmer + +- Create /run/motd.d + +------------------------------------------------------------------- +Wed Jun 9 14:01:19 UTC 2021 - Ludwig Nussel + +- Remove legacy pre-usrmerge compat code (removed pam-usrmerge.diff) +- Backport patch to not install /usr/etc/securetty (boo#1033626) ie + no distro defaults and don't complain about it missing + (pam_securetty-don-t-complain-about-missing-config.patch) +- add debug bcond to be able to build pam with debug output easily +- add macros file to allow other packages to stop hardcoding + directory names. Compatible with Fedora. + +------------------------------------------------------------------- +Mon May 10 14:22:01 UTC 2021 - Josef Möllers + +- In the 32-bit compatibility package for 64-bit architectures, + require "systemd-32bit" to be also installed as it contains + pam_systemd.so for 32 bit applications. + [bsc#1185562, baselibs.conf] + +------------------------------------------------------------------- +Wed Apr 7 12:20:40 UTC 2021 - Josef Möllers + +- If "LOCAL" is configured in access.conf, and a login attempt from + a remote host is made, pam_access tries to resolve "LOCAL" as + a hostname and logs a failure. + Checking explicitly for "LOCAL" and rejecting access in this case + resolves this issue. + [bsc#1184358, bsc1184358-prevent-LOCAL-from-being-resolved.patch] + +------------------------------------------------------------------- +Wed Mar 31 11:43:17 UTC 2021 - Josef Möllers + +- pam_limits: "unlimited" is not a legitimate value for "nofile" + (see setrlimit(2)). So, when "nofile" is set to one of the + "unlimited" values, it is set to the contents of + "/proc/sys/fs/nr_open" instead. + Also changed the manpage of pam_limits to express this. 
+ [bsc#1181443, pam-bsc1181443-make-nofile-unlimited-mean-nr_open.patch] + +------------------------------------------------------------------- +Thu Feb 18 22:16:43 UTC 2021 - Thorsten Kukuk + +- Add missing conflicts for pam_unix-nis + +------------------------------------------------------------------- +Tue Feb 16 10:27:04 UTC 2021 - Thorsten Kukuk + +- Split out pam_unix module and build without NIS support + +------------------------------------------------------------------- +Fri Nov 27 09:10:28 UTC 2020 - Thorsten Kukuk + +- Update to 1.5.1 + - pam_unix: fixed CVE-2020-27780 - authentication bypass when a user + doesn't exist and root password is blank [bsc#1179166] + - pam_faillock: added nodelay option to not set pam_fail_delay + - pam_wheel: use pam_modutil_user_in_group to check for the group membership + with getgrouplist where it is available + +------------------------------------------------------------------- +Thu Nov 26 13:31:52 UTC 2020 - Ludwig Nussel + +- add macros.pam to abstract directory for pam modules + +------------------------------------------------------------------- +Thu Nov 19 15:43:33 UTC 2020 - Thorsten Kukuk + +- Update to 1.5.0 + - obsoletes pam-bsc1178727-initialize-daysleft.patch + - Multiple minor bug fixes, portability fixes, and documentation improvements. + - Extended libpam API with pam_modutil_check_user_in_passwd function. + - pam_faillock: changed /run/faillock/$USER permissions from 0600 to 0660. + - pam_motd: read motd files with target user credentials skipping unreadable ones. + - pam_pwhistory: added a SELinux helper executable. + - pam_unix, pam_usertype: implemented avoidance of certain timing attacks. + - pam_wheel: implemented PAM_RUSER fallback for the case when getlogin fails. + - pam_env: Reading of the user environment is deprecated and will be removed + at some point in the future. 
+ - libpam: pam_modutil_drop_priv() now correctly sets the target user's + supplementary groups, allowing pam_motd to filter messages accordingly +- Refresh pam-xauth_ownership.patch +- pam_tally2-removal.patch: Re-add pam_tally2 for deprecated sub-package +- pam_cracklib-removal.patch: Re-add pam_cracklib for deprecated sub-package + +------------------------------------------------------------------- +Wed Nov 18 13:02:15 UTC 2020 - Josef Möllers + +- pam_cracklib: added code to check whether the password contains + a substring of of the user's name of at least characters length + in some form. + This is enabled by the new parameter "usersubstr=" + See https://github.com/libpwquality/libpwquality/commit/bfef79dbe6aa525e9557bf4b0a61e6dde12749c4 + [jsc#SLE-16719, jsc#SLE-16720, pam-pam_cracklib-add-usersubstr.patch] + +------------------------------------------------------------------- +Wed Nov 18 10:02:32 UTC 2020 - Josef Möllers + +- pam_xauth.c: do not free() a string which has been (successfully) + passed to putenv(). + [bsc#1177858, pam-bsc1177858-dont-free-environment-string.patch] + +------------------------------------------------------------------- +Fri Nov 13 09:13:18 UTC 2020 - Josef Möllers + +- Initialize pam_unix pam_sm_acct_mgmt() local variable "daysleft" + to avoid spurious (and misleading) + Warning: your password will expire in ... days. 
+ fixed upstream with commit db6b293046a + [bsc#1178727, pam-bsc1178727-initialize-daysleft.patch] + +------------------------------------------------------------------- +Tue Nov 10 11:09:39 UTC 2020 - Thorsten Kukuk + +- Enable pam_faillock [bnc#1171562] + +------------------------------------------------------------------- +Thu Oct 29 10:10:23 UTC 2020 - Ludwig Nussel + +- prepare usrmerge (boo#1029961, pam-usrmerge.diff) + +------------------------------------------------------------------- +Wed Oct 8 13:31:39 UTC 2020 - Josef Möllers + +- /usr/bin/xauth chokes on the old user's $HOME being on an NFS + file system. Run /usr/bin/xauth using the old user's uid/gid + Patch courtesy of Dr. Werner Fink. + [bsc#1174593, pam-xauth_ownership.patch] + +------------------------------------------------------------------- +Thu Oct 8 02:33:16 UTC 2020 - Stanislav Brabec + +- pam-login_defs-check.sh: Fix the regexp to get a real variable + list (boo#1164274). + +------------------------------------------------------------------- +Wed Jun 24 13:06:33 UTC 2020 - Josef Möllers + +- Revert the previous change [SR#815713]. + The group is not necessary for PAM functionality but used only + during testing. The test system should therefore create this group. + [bsc#1171016, pam.spec] + +------------------------------------------------------------------- +Mon Jun 15 15:05:18 UTC 2020 - Josef Möllers + +- Add requirement for group "wheel" to spec file. + [bsc#1171016, pam.spec] + +------------------------------------------------------------------- +Mon Jun 8 13:19:12 UTC 2020 - Thorsten Kukuk + +- Update to final 1.4.0 release + - includes pam-check-user-home-dir.patch + - obsoletes fix-man-links.dif + +------------------------------------------------------------------- +Mon Jun 8 07:59:58 UTC 2020 - Thorsten Kukuk + +- common-password: remove pam_cracklib, as that is deprecated. 
+
+-------------------------------------------------------------------
+Thu May 28 12:36:33 UTC 2020 - Josef Möllers
+
+- pam_setquota.so:
+ When setting quota, don't apply any quota if the user's $HOME is
+ a mountpoint (ie the user has a partition of his/her own).
+ [bsc#1171721, pam-check-user-home-dir.patch]
+
+-------------------------------------------------------------------
+Wed May 27 09:27:32 UTC 2020 - Thorsten Kukuk
+
+- Update to current Linux-PAM snapshot
+ - pam_tally* and pam_cracklib got deprecated
+- Disable pam_faillock and pam_setquota until they are whitelisted
+
+-------------------------------------------------------------------
+Tue May 12 11:44:19 UTC 2020 - Josef Möllers
+
+- Adapted patch pam-hostnames-in-access_conf.patch for new version
+ New version obsoleted patch use-correct-IP-address.patch
+ [pam-hostnames-in-access_conf.patch,
+ use-correct-IP-address.patch]
+
+-------------------------------------------------------------------
+Tue May 12 11:30:27 UTC 2020 - Thorsten Kukuk
+
+- Update to current Linux-PAM snapshot
+ - Obsoletes pam_namespace-systemd.diff
+
+-------------------------------------------------------------------
+Tue May 12 09:24:46 UTC 2020 - Thorsten Kukuk
+
+- Update to current Linux-PAM snapshot
+ - Add pam_faillock
+ - Multiple minor bug fixes and documentation improvements
+ - Fixed grammar of messages printed via pam_prompt
+ - Added support for a vendor directory and libeconf
+ - configure: Allowed disabling documentation through --disable-doc
+ - pam_get_authtok_verify: Avoid duplicate password verification
+ - pam_env: Changed the default to not read the user .pam_environment file
+ - pam_group, pam_time: Fixed logical error with multiple !
operators
+ - pam_keyinit: In pam_sm_setcred do the same as in pam_sm_open_session
+ - pam_lastlog: Do not log info about failed login if the session was opened
+ with PAM_SILENT flag
+ - pam_lastlog: Limit lastlog file use by LASTLOG_UID_MAX option in login.defs
+ - pam_lastlog: With 'unlimited' option prevent SIGXFSZ due to reduced 'fsize'
+ limit
+ - pam_motd: Export MOTD_SHOWN=pam after showing MOTD
+ - pam_motd: Support multiple motd paths specified, with filename overrides
+ - pam_namespace: Added a systemd service, which creates the namespaced
+ instance parent directories during boot
+ - pam_namespace: Support for noexec, nosuid and nodev flags for tmpfs mounts
+ - pam_shells: Recognize /bin/sh as the default shell
+ - pam_succeed_if: Support lists in group membership checks
+ - pam_tty_audit: If kernel audit is disabled return PAM_IGNORE
+ - pam_umask: Added new 'nousergroups' module argument and allowed specifying
+ the default for usergroups at build-time
+ - pam_unix: Added 'nullresetok' option to allow resetting blank passwords
+ - pam_unix: Report unusable hashes found by checksalt to syslog
+ - pam_unix: Support for (gost-)yescrypt hashing methods
+ - pam_unix: Use bcrypt b-variant when it bcrypt is chosen
+ - pam_usertype: New module to tell if uid is in login.defs ranges
+ - Added new API call pam_start_confdir() for special applications that
+ cannot use the system-default PAM configuration paths and need to
+ explicitly specify another path
+- pam_namespace-systemd.diff: fix path of pam_namespace.services
+
+-------------------------------------------------------------------
+Thu Apr 2 09:51:31 UTC 2020 - Ludwig Nussel
+
+- own /usr/lib/motd.d/ so other packages can add files there
+
+-------------------------------------------------------------------
+Tue Mar 24 07:09:55 UTC 2020 - Josef Möllers
+
+- Listed all manual pages seperately as pam_userdb.8 has been moved
+ to pam-extra.
+ Also %exclude %{_defaultdocdir}/pam as the docs are in a separate
+ package.
+ [pam.spec]
+
+-------------------------------------------------------------------
+Mon Mar 16 13:26:27 UTC 2020 - Josef Möllers
+
+- pam_userdb moved to a new package pam-extra as pam-modules
+ is obsolete and not part of SLE.
+ [bsc#1166510, pam.spec]
+
+-------------------------------------------------------------------
+Thu Mar 12 16:01:46 UTC 2020 - Josef Möllers
+
+- Removed pam_userdb from this package and moved to pam-modules.
+ This removed the requirement for libdb.
+ Also made "xz" required for all releases.
+ Remove limits for nproc from /etc/security/limits.conf
+ [bsc#1164562, bsc#1166510, bsc#1110700, pam.spec]
+
+-------------------------------------------------------------------
+Wed Feb 19 10:04:09 CET 2020 - kukuk@suse.de
+
+- Recommend login.defs only (no hard requirement)
+
+-------------------------------------------------------------------
+Tue Sep 24 11:15:19 UTC 2019 - kukuk@suse.com
+
+- Update to version 1.3.1+git20190923.ea78d67:
+ * Fixed missing quotes in configure script
+ * Add support for a vendor directory and libeconf (#136)
+ * pam_lastlog: document the 'unlimited' option
+ * pam_lastlog: prevent crash due to reduced 'fsize' limit
+ * pam_unix_sess.c add uid for opening session
+ * Fix the man page for "pam_fail_delay()"
+ * Fix a typo
+ * Update a function comment
+- drop usr-etc-support.patch (accepted upstream)
+
+-------------------------------------------------------------------
+Thu Sep 5 10:09:05 CEST 2019 - kukuk@suse.de
+
+- Add migration support from /etc to /usr/etc during upgrade
+
+-------------------------------------------------------------------
+Wed Sep 04 19:06:01 UTC 2019 - kukuk@suse.com
+
+- Update to version 1.3.1+git20190902.9de67ee:
+ * pwhistory: fix read of uninitialized data and memory leak when modifying opasswd
+
+-------------------------------------------------------------------
+Tue Aug 27 18:41:10 UTC 2019 -
kukuk@suse.com
+
+- Update to version 1.3.1+git20190826.1b087ed:
+ * libpam/pam_modutil_sanitize.c: optimize the way to close fds
+
+-------------------------------------------------------------------
+Thu Aug 22 20:29:24 UTC 2019 - Jan Engelhardt
+
+- Replace old $RPM_* shell vars by macros.
+- Avoid unnecessary invocation of subshells.
+- Shorten recipe for constructing securetty contents on s390.
+
+-------------------------------------------------------------------
+Mon Aug 19 14:45:43 CEST 2019 - kukuk@suse.de
+
+- usr-etc-support.patch: Add support for /usr/etc/pam.d
+
+-------------------------------------------------------------------
+Mon Aug 19 13:33:49 CEST 2019 - kukuk@suse.de
+
+- encryption_method_nis.diff: obsolete, NIS clients shouldn't
+ require DES anymore.
+- etc.environment: removed, the sources contain the same
+
+-------------------------------------------------------------------
+Mon Aug 19 11:28:31 UTC 2019 - kukuk@suse.com
+
+- Update to version 1.3.1+git20190807.e31dd6c:
+ * pam_tty_audit: Manual page clarification about password logging
+ * pam_get_authtok_verify: Avoid duplicate password verification
+ * Mention that ./autogen.sh is needeed to be run if you check out the sources from git
+ * pam_unix: Correct MAXPASS define name in the previous two commits.
+ * Restrict password length when changing password
+ * Trim password at PAM_MAX_RESP_SIZE chars
+ * pam_succeed_if: Request user data only when needed
+ * pam_tally2: Remove unnecessary fsync()
+ * Fixed a grammer mistake
+ * Fix documentation for pam_wheel
+ * Fix a typo in the documentation
+ * pam_lastlog: Improve silent option documentation
+ * pam_lastlog: Respect PAM_SILENT flag
+ * Fix regressions from the last commits.
+ * Replace strndupa with strncpy
+ * build: ignore pam_lastlog when logwtmp is not available.
+ * build: ignore pam_rhosts if neither ruserok nor ruserok_af is available.
+ * pam_motd: Cleanup the code and avoid unnecessary logging
+ * pam_lastlog: Limit lastlog file use by LASTLOG_UID_MAX option in login.defs.
+ * Move the duplicated search_key function to pam_modutil.
+ * pam_unix: Use pam_syslog instead of helper_log_err.
+ * pam_unix: Report unusable hashes found by checksalt to syslog.
+ * Revert "pam_unix: Add crypt_default method, if supported."
+ * pam_unix: Add crypt_default method, if supported.
+ * Revert part of the commit 4da9febc
+ * pam_unix: Add support for (gost-)yescrypt hashing methods.
+ * pam_unix: Fix closing curly brace. (#77)
+ * pam_unix: Add support for crypt_checksalt, if libcrypt supports it.
+ * pam_unix: Prefer a gensalt function, that supports auto entropy.
+ * pam_motd: Fix segmentation fault when no motd_dir specified (#76)
+ * pam_motd: Support multiple motd paths specified, with filename overrides (#69)
+ * pam_unix: Use bcrypt b-variant for computing new hashes.
+ * pam_tally, pam_tally2: fix grammar and spelling (#54)
+ * Fix grammar of messages printed via pam_prompt
+ * pam_stress: do not mark messages for translation
+ * pam_unix: remove obsolete _UNIX_AUTHTOK, _UNIX_OLD_AUTHTOK, and _UNIX_NEW_AUTHTOK macros
+ * pam_unix: remove obsolete _unix_read_password prototype
+
+-------------------------------------------------------------------
+Thu May 2 23:55:30 CEST 2019 - sbrabec@suse.com
+
+- Add virtual symbols for login.defs compatibility (bsc#1121197).
+- Add login.defs safety check pam-login_defs-check.sh
+ (bsc#1121197).
+
+-------------------------------------------------------------------
+Thu Nov 15 15:41:08 UTC 2018 - josef.moellers@suse.com
+
+- When comparing an incoming IP address with an entry in
+ access.conf that only specified a single host (ie no netmask),
+ the incoming IP address was used rather than the IP address from
+ access.conf, effectively comparing the incoming address with
+ itself.
(Also fixed a small typo while I was at it)
+ {bsc#1115640, use-correct-IP-address.patch, CVE-2018-17953]
+
+-------------------------------------------------------------------
+Mon Oct 22 07:42:19 UTC 2018 - josef.moellers@suse.com
+
+- Upgrade to 1.3.1
+ * pam_motd: add support for a motd.d directory
+ * pam_umask: Fix documentation to align with order of loading umask
+ * pam_get_user.3: Fix missing word in documentation
+ * pam_tally2 --reset: avoid creating a missing tallylog file
+ * pam_mkhomedir: Allow creating parent of homedir under /
+ * access.conf.5: Add note about spaces around ':'
+ * pam.8: Workaround formatting problem
+ * pam_unix: Check return value of malloc used for setcred data
+ * pam_cracklib: Drop unused prompt macros
+ * pam_tty_audit: Support matching users by uid range
+ * pam_access: support parsing files in /etc/security/access.d/*.conf
+ * pam_localuser: Correct documentation
+ * pam_issue: Fix no prompting in parse escape codes mode
+ * Unification and cleanup of syslog log levels
+ Also: removed nproc limit, referred to systemd instead.
+ Patch5 (pam-fix-config-order-in-manpage.patch) not needed any more.
+ [bsc#1112508, pam-fix-config-order-in-manpage.patch]
+
+-------------------------------------------------------------------
+Fri Aug 24 09:35:18 UTC 2018 - psimons@suse.com
+
+- Add libdb as build-time dependency to enable pam_userdb module.
+ This module is useful for implementing virtual user support for
+ vsftpd and possibly other daemons, too. [bsc#929711, fate#322538]
+
+-------------------------------------------------------------------
+Fri Jul 13 15:48:58 CEST 2018 - sbrabec@suse.com
+
+- Install empty directory /etc/security/namespace.d for
+ pam_namespace.so iscript.
+
+-------------------------------------------------------------------
+Thu May 3 07:08:50 UTC 2018 - josef.moellers@suse.com
+
+- pam_umask.8 needed to be patched as well.
+ [bsc#1089884, pam-fix-config-order-in-manpage.patch]
+
+-------------------------------------------------------------------
+Wed May 2 12:32:40 UTC 2018 - josef.moellers@suse.com
+
+- Changed order of configuration files to reflect actual code.
+ [bsc#1089884, pam-fix-config-order-in-manpage.patch]
+
+-------------------------------------------------------------------
+Thu Feb 22 15:10:42 UTC 2018 - fvogt@suse.com
+
+- Use %license (boo#1082318)
+
+-------------------------------------------------------------------
+Thu Oct 12 08:55:29 UTC 2017 - schwab@suse.de
+
+- Prerequire group(shadow), user(root)
+
+-------------------------------------------------------------------
+Fri Jan 27 10:35:29 UTC 2017 - josef.moellers@suse.com
+
+- Allow symbolic hostnames in access.conf file.
+ [pam-hostnames-in-access_conf.patch, boo#1019866]
+
+-------------------------------------------------------------------
+Thu Dec 8 12:41:05 UTC 2016 - josef.moellers@suse.com
+
+- Increased nproc limits for non-privileged users to 4069/16384.
+ Removed limits for "root".
+ [pam-limit-nproc.patch, bsc#1012494, bsc#1013706]
+
+-------------------------------------------------------------------
+Sun Jul 31 11:08:19 UTC 2016 - develop7@develop7.info
+
+- pam-limit-nproc.patch: increased process limit to help
+ Chrome/Chromuim users with really lots of tabs. New limit gets
+ closer to UserTasksMax parameter in logind.conf
+
+-------------------------------------------------------------------
+Thu Jul 28 14:29:09 CEST 2016 - kukuk@suse.de
+
+- Add doc directory to filelist.
+
+-------------------------------------------------------------------
+Mon May 2 10:44:38 CEST 2016 - kukuk@suse.de
+
+- Remove obsolete README.pam_tally [bsc#977973]
+
+-------------------------------------------------------------------
+Thu Apr 28 13:51:59 CEST 2016 - kukuk@suse.de
+
+- Update Linux-PAM to version 1.3.0
+- Rediff encryption_method_nis.diff
+- Link pam_unix against libtirpc and external libnsl to enable
+ IPv6 support.
+
+-------------------------------------------------------------------
+Thu Apr 14 14:06:18 CEST 2016 - kukuk@suse.de
+
+- Add /sbin/unix2_chkpwd (moved from pam-modules)
+
+-------------------------------------------------------------------
+Mon Apr 11 15:09:04 CEST 2016 - kukuk@suse.de
+
+- Remove (since accepted upstream):
+ - 0001-Remove-YP-dependencies-from-pam_access-they-were-nev.patch
+ - 0002-Remove-enable-static-modules-option-and-support-from.patch
+ - 0003-fix-nis-checks.patch
+ - 0004-PAM_EXTERN-isn-t-needed-anymore-but-don-t-remove-it-.patch
+ - 0005-Use-TI-RPC-functions-if-we-compile-and-link-against-.patch
+
+-------------------------------------------------------------------
+Fri Apr 1 15:32:37 CEST 2016 - kukuk@suse.de
+
+- Add 0005-Use-TI-RPC-functions-if-we-compile-and-link-against-.patch
+ - Replace IPv4 only functions
+
+-------------------------------------------------------------------
+Fri Apr 1 10:37:58 CEST 2016 - kukuk@suse.de
+
+- Fix typo in common-account.pamd [bnc#959439]
+
+-------------------------------------------------------------------
+Tue Mar 29 14:25:02 CEST 2016 - kukuk@suse.de
+
+- Add 0004-PAM_EXTERN-isn-t-needed-anymore-but-don-t-remove-it-.patch
+ - readd PAM_EXTERN for external PAM modules
+
+-------------------------------------------------------------------
+Wed Mar 23 11:21:16 CET 2016 - kukuk@suse.de
+
+- Add 0001-Remove-YP-dependencies-from-pam_access-they-were-nev.patch
+- Add 0002-Remove-enable-static-modules-option-and-support-from.patch
+- Add 0003-fix-nis-checks.patch
+
+-------------------------------------------------------------------
+Sat Jul 25 16:03:33 UTC 2015 - joschibrauchle@gmx.de
+
+- Add folder /etc/security/limits.d as mentioned in 'man pam_limits'
+
+-------------------------------------------------------------------
+Fri Jun 26 09:39:42 CEST 2015 - kukuk@suse.de
+
+- Update to version 1.2.1
+ - security update for CVE-2015-3238
+
+-------------------------------------------------------------------
+Mon Apr 27 17:14:40 CEST 2015 - kukuk@suse.de
+
+- Update to version 1.2.0
+ - obsoletes Linux-PAM-git-20150109.diff
+
+-------------------------------------------------------------------
+Fri Jan 9 15:37:28 CET 2015 - kukuk@suse.de
+
+- Re-add lost patch encryption_method_nis.diff [bnc#906660]
+
+-------------------------------------------------------------------
+Fri Jan 9 14:53:50 CET 2015 - kukuk@suse.de
+
+- Update to current git:
+ - Linux-PAM-git-20150109.diff replaces Linux-PAM-git-20140127.diff
+ - obsoletes pam_loginuid-log_write_errors.diff
+ - obsoletes pam_xauth-sigpipe.diff
+ - obsoletes bug-870433_pam_timestamp-fix-directory-traversal.patch
+
+-------------------------------------------------------------------
+Fri Jan 9 11:10:45 UTC 2015 - bwiedemann@suse.com
+
+- increase process limit to 1200 to help chromium users with many tabs
+
+-------------------------------------------------------------------
+Tue May 6 14:31:36 UTC 2014 - bwiedemann@suse.com
+
+- limit number of processes to 700 to harden against fork-bombs
+ Add pam-limit-nproc.patch
+
+-------------------------------------------------------------------
+Wed Apr 9 16:02:17 UTC 2014 - ckornacker@suse.com
+
+- Fix CVE-2014-2583: pam_timestamp path injection (bnc#870433)
+ bug-870433_pam_timestamp-fix-directory-traversal.patch
+
+-------------------------------------------------------------------
+Tue Apr 1 15:35:56 UTC 2014 - ckornacker@suse.com
+
+- adding sclp_line0/ttysclp0 to /etc/securetty on s390 (bnc#869664)
+
+-------------------------------------------------------------------
+Mon Jan 27 17:05:11 CET 2014 - kukuk@suse.de
+
+- Add pam_loginuid-log_write_errors.diff: log significant loginuid
+ write errors
+- pam_xauth-sigpipe.diff: avoid potential SIGPIPE when writing to
+ xauth process
+
+-------------------------------------------------------------------
+Mon Jan 27 15:14:34 CET 2014 - kukuk@suse.de
+
+- Update to current git (Linux-PAM-git-20140127.diff), which
+ obsoletes pam_loginuid-part1.diff, pam_loginuid-part2.diff and
+ Linux-PAM-git-20140109.diff.
+ - Fix gratuitous use of strdup and x_strdup
+ - pam_xauth: log fatal errors preventing xauth process execution
+ - pam_loginuid: cleanup loginuid buffer initialization
+ - libpam_misc: fix an inconsistency in handling memory allocation errors
+ - pam_limits: fix utmp->ut_user handling
+ - pam_mkhomedir: check and create home directory for the same user
+ - pam_limits: detect and ignore stale utmp entries
+- Disable pam_userdb (remove db-devel from build requires)
+
+-------------------------------------------------------------------
+Fri Jan 10 10:56:24 UTC 2014 - kukuk@suse.com
+
+- Add pam_loginuid-part1.diff: Ignore missing /proc/self/loginuid
+- Add pam_loginuid-part2.diff: Workaround to run pam_loginuid inside lxc
+
+-------------------------------------------------------------------
+Thu Jan 9 17:31:27 CET 2014 - kukuk@suse.de
+
+- Update to current git (Linux-PAM-git-20140109.diff, which
+ replaces pam_unix.diff and encryption_method_nis.diff)
+ - pam_access: fix debug level logging
+ - pam_warn: log flags passed to the module
+ - pam_securetty: check return value of fgets
+ - pam_lastlog: fix format string
+ - pam_loginuid: If the correct loginuid is already set, skip writing it
+
+-------------------------------------------------------------------
+Fri Nov 29 20:25:32 UTC 2013 - schwab@linux-m68k.org
+
+- common-session.pamd: add missing newline
+
+-------------------------------------------------------------------
+Thu Nov 28 12:00:09 CET 2013 - kukuk@suse.de
+
+- Remove libtrpc support to solve dependency/build cycles, plain
+ glibc is enough for now.
+
+-------------------------------------------------------------------
+Tue Nov 12 13:08:44 CET 2013 - kukuk@suse.de
+
+- Add encryption_method_nis.diff:
+ - implement pam_unix2 functionality to use another hash for
+ NIS passwords.
+
+-------------------------------------------------------------------
+Fri Nov 8 16:01:35 CET 2013 - kukuk@suse.de
+
+- Add pam_unix.diff:
+ - fix if /etc/login.defs uses DES
+ - ask always for old password if a NIS password will be changed
+
+-------------------------------------------------------------------
+Sat Sep 28 09:26:21 UTC 2013 - mc@suse.com
+
+- fix manpages links (bnc#842872) [fix-man-links.dif]
+
+-------------------------------------------------------------------
+Fri Sep 20 21:42:54 UTC 2013 - hrvoje.senjan@gmail.com
+
+- Explicitly add pam_systemd.so to list of modules in
+ common-session.pamd (bnc#812462)
+
+-------------------------------------------------------------------
+Fri Sep 20 09:43:38 CEST 2013 - kukuk@suse.de
+
+- Update to official release 1.1.8 (1.1.7 + git-20130916.diff)
+- Remove needless pam_tally-deprecated.diff patch
+
+-------------------------------------------------------------------
+Mon Sep 16 11:54:15 CEST 2013 - kukuk@suse.de
+
+- Replace fix-compiler-warnings.diff with current git snapshot
+ (git-20130916.diff) for pam_unix.so:
+ - fix glibc warnings
+ - fix syntax error in SELinux code
+ - fix crash at login
+
+-------------------------------------------------------------------
+Thu Sep 12 10:05:53 CEST 2013 - kukuk@suse.de
+
+- Remove pam_unix-login.defs.diff, not needed anymore
+
+-------------------------------------------------------------------
+Thu Sep 12 09:47:52 CEST 2013 - kukuk@suse.de
+
+- Update to version 1.1.7 (bugfix release)
+ - Drop missing-DESTDIR.diff and
pam-fix-includes.patch
+ - fix-compiler-warnings.diff: fix unchecked setuid return code
+
+-------------------------------------------------------------------
+Tue Aug 6 10:30:13 CEST 2013 - mc@suse.de
+
+- adding hvc0-hvc7 to /etc/securetty on s390 (bnc#718516)
+
+-------------------------------------------------------------------
+Mon May 27 12:26:53 CEST 2013 - kukuk@suse.de
+
+- Fix typo in common-password [bnc#821526]
+
+-------------------------------------------------------------------
+Fri Apr 26 10:25:06 UTC 2013 - mmeister@suse.com
+
+- Added libtool as BuildRequire, and autoreconf -i option to fix
+ build with new automake
+
+-------------------------------------------------------------------
+Tue Feb 5 17:28:25 CET 2013 - kukuk@suse.de
+
+- Update pam_unix-login.defs.diff patch to the final upstream
+ version.
+
+-------------------------------------------------------------------
+Tue Feb 5 14:09:06 CET 2013 - kukuk@suse.de
+
+- Adjust URL
+- Add set_permission macro and PreReq
+- Read default encryption method from /etc/login.defs
+ (pam_unix-login.defs.diff)
+
+-------------------------------------------------------------------
+Fri Jan 25 13:49:36 UTC 2013 - kukuk@suse.com
+
+- Remove deprecated pam_tally.so module, it's too buggy and can
+ destroy config and log files.
+
+-------------------------------------------------------------------
+Mon Nov 12 14:42:53 CET 2012 - kukuk@suse.de
+
+- Sync common-*.pamd config with pam-config (use pam_unix.so as
+ default).
+
+-------------------------------------------------------------------
+Wed Sep 19 14:20:54 CEST 2012 - kukuk@suse.de
+
+- Fix building in Factory (add patch missing-DESTDIR.diff)
+
+-------------------------------------------------------------------
+Fri Sep 14 10:55:31 CEST 2012 - kukuk@suse.de
+
+- Update to Linux-PAM 1.1.6
+ - Update translations
+ - pam_cracklib: Add more checks for weak passwords
+ - pam_lastlog: Never lock out root
+ - Lot of bug fixes and smaller enhancements
+
+-------------------------------------------------------------------
+Thu Jun 21 11:59:52 UTC 2012 - aj@suse.de
+
+- Include correct headers for getrlimit (add patch pam-fix-includes.patch).
+
+-------------------------------------------------------------------
+Mon Apr 23 15:30:02 UTC 2012 - jengelh@medozas.de
+
+- Update homepage URL in specfile
+
+-------------------------------------------------------------------
+Sat Mar 3 15:16:42 UTC 2012 - jengelh@medozas.de
+
+- Update to new upstream release 1.1.5
+* pam_env: Fix CVE-2011-3148: correctly count leading whitespace
+ when parsing environment file in pam_env
+* Fix CVE-2011-3149: when overflowing, exit with PAM_BUF_ERR in
+ pam_env
+* pam_access: Add hostname resolution cache
+
+-------------------------------------------------------------------
+Tue Oct 25 14:24:27 CEST 2011 - mc@suse.de
+
+- pam_tally2: remove invalid options from manpage (bnc#726071)
+- fix possible overflow and DOS in pam_env (bnc#724480)
+ CVE-2011-3148, CVE-2011-3149
+
+-------------------------------------------------------------------
+Mon Jun 27 15:29:11 CEST 2011 - kukuk@suse.de
+
+- Update to version 1.1.4
+ * pam_securetty: Honour console= kernel option, add noconsole option
+ * pam_limits: Add %group syntax, drop change_uid option, add set_all option
+ * Lot of small bug fixes
+ * Add support for libtirpc
+- Build against libtirpc
+
+-------------------------------------------------------------------
+Thu May 26 09:37:34 UTC 2011 -
cfarrell@novell.com
+
+- license update: GPL-2.0+ or BSD-3-Clause
+ Updating to spdx.org/licenses syntax as legal-auto for some reason did
+ not accept the previous spec file license
+
+-------------------------------------------------------------------
+Wed May 25 16:15:30 CEST 2011 - kukuk@suse.de
+
+- Remove libxcrypt-devel from BuildRequires
+
+-------------------------------------------------------------------
+Wed Feb 23 12:45:03 UTC 2011 - vcizek@novell.com
+
+- bnc#673826 rework
+ * manpage is left intact, as it was
+ * correct parsing of "quiet" option
+
+-------------------------------------------------------------------
+
+Wed Feb 23 10:00:22 UTC 2011 - vcizek@novell.com
+
+- fix for bnc#673826 (pam_listfile)
+ * removed unnecessary logging when listfile is missing and quiet
+option is specified
+ * manpage is also updated, to reflect that all option
+require values
+
+-------------------------------------------------------------------
+Thu Oct 28 16:23:49 CEST 2010 - kukuk@suse.de
+
+- Update to Linux-PAM 1.1.3
+ - fixes CVE-2010-3853, CVE-2010-3431, CVE-2010-3430
+ - pam_unix: Add minlen option, change default from 6 to 0
+
+-------------------------------------------------------------------
+Tue Aug 31 13:38:23 CEST 2010 - kukuk@suse.de
+
+- Update to Linux-PAM 1.1.2
+
+-------------------------------------------------------------------
+Mon Jun 28 06:38:35 UTC 2010 - jengelh@medozas.de
+
+- use %_smp_mflags
+
+-------------------------------------------------------------------
+Mon May 10 14:22:18 CEST 2010 - kukuk@suse.de
+
+- Update to current CVS version (pam_rootok: Add support for
+ chauthtok and acct_mgmt, [bnc#533249])
+
+-------------------------------------------------------------------
+Thu Mar 11 13:25:46 CET 2010 - kukuk@suse.de
+
+- Install correct documentation
+
+-------------------------------------------------------------------
+Wed Dec 16 15:22:39 CET 2009 - kukuk@suse.de
+
+- Update to Linux-PAM 1.1.1 (bug fix release)
+
+-------------------------------------------------------------------
+Sat Dec 12 18:36:43 CET 2009 - jengelh@medozas.de
+
+- add baselibs.conf as a source
+
+-------------------------------------------------------------------
+Wed Dec 9 10:50:22 CET 2009 - jengelh@medozas.de
+
+- enable parallel building
+
+-------------------------------------------------------------------
+Fri Jun 26 14:46:21 CEST 2009 - kukuk@suse.de
+
+- Add fixes from CVS
+
+-------------------------------------------------------------------
+Wed Jun 24 09:52:29 CEST 2009 - kukuk@suse.de
+
+- Update to final version 1.1.0 (spelling fixes)
+
+-------------------------------------------------------------------
+Tue May 5 16:07:00 CEST 2009 - kukuk@suse.de
+
+- Update to version 1.0.92:
+ * Update translations
+ * pam_succeed_if: Use provided username
+ * pam_mkhomedir: Fix handling of options
+
+-------------------------------------------------------------------
+Fri Apr 3 21:43:48 CEST 2009 - rguenther@suse.de
+
+- Remove cracklib-dict-full and pwdutils BuildRequires again.
+
+-------------------------------------------------------------------
+Fri Mar 27 11:41:23 CET 2009 - kukuk@suse.de
+
+- Update to version 1.0.91 aka 1.1 Beta2:
+ * Changes in the behavior of the password stack. Results of
+ PRELIM_CHECK are not used for the final run.
+ * Redefine LOCAL keyword of pam_access configuration file
+ * Add support for try_first_pass and use_first_pass to
+ pam_cracklib
+ * New password quality tests in pam_cracklib
+ * Add support for passing PAM_AUTHTOK to stdin of helpers from
+ pam_exec
+ * New options for pam_lastlog to show last failed login attempt and
+ to disable lastlog update
+ * New pam_pwhistory module to store last used passwords
+ * New pam_tally2 module similar to pam_tally with wordsize independent
+ tally data format, obsoletes pam_tally
+ * Make libpam not log missing module if its type is prepended with '-'
+ * New pam_timestamp module for authentication based on recent successful
+ login.
+ * Add blowfish support to pam_unix.
+ * Add support for user specific environment file to pam_env.
+ * Add pam_get_authtok to libpam as Linux-PAM extension.
+
+-------------------------------------------------------------------
+Wed Feb 11 01:20:15 CET 2009 - ro@suse.de
+
+- use sr@latin instead of sr@Latn
+
+-------------------------------------------------------------------
+Thu Feb 5 17:01:56 CET 2009 - kukuk@suse.de
+
+- Log failures of setrlimit in pam_limits [bnc#448314]
+- Fix using of requisite in password stack [bnc#470337]
+
+-------------------------------------------------------------------
+Tue Jan 20 12:21:08 CET 2009 - kukuk@suse.de
+
+- Regenerate documentation [bnc#448314]
+
+-------------------------------------------------------------------
+Wed Dec 10 12:34:56 CET 2008 - olh@suse.de
+
+- use Obsoletes: -XXbit only for ppc64 to help solver during distupgrade
+ (bnc#437293)
+
+-------------------------------------------------------------------
+Thu Dec 4 12:34:56 CET 2008 - olh@suse.de
+
+- obsolete old -XXbit packages (bnc#437293)
+
+-------------------------------------------------------------------
+Thu Nov 27 15:56:51 CET 2008 - mc@suse.de
+
+- enhance the man page for limits.conf (bnc#448314)
+
+-------------------------------------------------------------------
+Mon Nov
24 17:21:19 CET 2008 - kukuk@suse.de
+
+- pam_time: fix parsing if '|' is used [bdo#326407]
+
+-------------------------------------------------------------------
+Wed Nov 19 11:13:31 CET 2008 - kukuk@suse.de
+
+- pam_xauth: update last patch
+- pam_pwhistory: add missing type option
+
+-------------------------------------------------------------------
+Tue Nov 4 13:42:03 CET 2008 - mc@suse.de
+
+- pam_xauth: put XAUTHLOCALHOSTNAME into new enviroment
+ (bnc#441314)
+
+-------------------------------------------------------------------
+Fri Oct 17 14:02:31 CEST 2008 - kukuk@suse.de
+
+- Add pam_tally2
+- Regenerate Documentation
+
+-------------------------------------------------------------------
+Sat Oct 11 17:06:49 CEST 2008 - kukuk@suse.de
+
+- Enhance pam_lastlog with status output
+- Add pam_pwhistory as tech preview
+
+-------------------------------------------------------------------
+Fri Sep 26 13:44:21 CEST 2008 - kukuk@suse.de
+
+- pam_tally: fix fd leak
+- pam_mail: fix "quiet" option
+
+-------------------------------------------------------------------
+Fri Aug 29 15:17:50 CEST 2008 - kukuk@suse.de
+
+- Update to version 1.0.2 (fix SELinux regression)
+- enhance pam_tally [FATE#303753]
+- Backport fixes from CVS
+
+-------------------------------------------------------------------
+Wed Aug 20 14:59:30 CEST 2008 - prusnak@suse.cz
+
+- enabled SELinux support [Fate#303662]
+
+-------------------------------------------------------------------
+Wed Apr 16 13:24:22 CEST 2008 - kukuk@suse.de
+
+- Update to version 1.0.1:
+ - Fixes regression in pam_set_item().
+
+-------------------------------------------------------------------
+Thu Apr 10 12:54:45 CEST 2008 - ro@suse.de
+
+- added baselibs.conf file to build xxbit packages
+ for multilib support
+
+-------------------------------------------------------------------
+Fri Apr 4 14:41:44 CEST 2008 - kukuk@suse.de
+
+- Remove devfs lines from securetty [bnc#372241]
+
+-------------------------------------------------------------------
+Thu Apr 3 15:18:11 CEST 2008 - kukuk@suse.de
+
+- Update to version 1.0.0:
+ - Official first "stable" release
+ - bug fixes
+ - translation updates
+
+-------------------------------------------------------------------
+Fri Feb 15 10:55:26 CET 2008 - kukuk@suse.de
+
+- Update to version 0.99.10.0:
+ - New substack directive in config file syntax
+ - New module pam_tty_audit.so for enabling and disabling tty
+ auditing
+ - New PAM items PAM_XDISPLAY and PAM_XAUTHDATA
+ - Improved functionality of pam_namespace.so module (method flags,
+ namespace.d configuration directory, new options).
+ - Finaly removed deprecated pam_rhosts_auth module.
+
+-------------------------------------------------------------------
+Wed Oct 10 15:13:33 CEST 2007 - kukuk@suse.de
+
+- Update to version 0.99.9.0:
+ - misc_conv no longer blocks SIGINT; applications that don't want
+ user-interruptable prompts should block SIGINT themselves
+ - Merge fixes from Debian
+ - Fix parser for pam_group and pam_time
+
+-------------------------------------------------------------------
+Wed Jul 18 12:00:07 CEST 2007 - kukuk@suse.de
+
+- Update to version 0.99.8.1:
+ - Fix regression in pam_audit
+
+-------------------------------------------------------------------
+Fri Jul 6 11:38:42 CEST 2007 - kukuk@suse.de
+
+- Update to version 0.99.8.0:
+ - Add translations for ar, ca, da, ru, sv and zu.
+ - Update hungarian translation.
+ - Add support for limits.d directory to pam_limits.
+ - Add minclass option to pam_cracklib
+ - Add new group syntax to pam_access
+
+-------------------------------------------------------------------
+Thu Apr 19 15:30:46 CEST 2007 - mc@suse.de
+
+- move the documentation into a seperate package (pam-doc)
+ [partly fixes Bug #265733]
+
+-------------------------------------------------------------------
+Mon Mar 26 15:48:13 CEST 2007 - rguenther@suse.de
+
+- add flex and bison BuildRequires
+
+-------------------------------------------------------------------
+Wed Jan 24 11:27:16 CET 2007 - mc@suse.de
+
+- add %verify_permissions for /sbin/unix_chkpwd
+ [#237625]
+
+-------------------------------------------------------------------
+Tue Jan 23 13:19:51 CET 2007 - kukuk@suse.de
+
+- Update to Version 0.99.7.1 (security fix)
+
+-------------------------------------------------------------------
+Wed Jan 17 14:13:14 CET 2007 - kukuk@suse.de
+
+- Update to Version 0.99.7.0
+ * Add manual page for pam_unix.so.
+ * Add pam_faildelay module to set pam_fail_delay() value.
+ * Fix possible seg.fault in libpam/pam_set_data().
+ * Cleanup of configure options.
+ * Update hungarian translation, fix german translation.
+
+-------------------------------------------------------------------
+Wed Jan 17 14:00:03 CET 2007 - lnussel@suse.de
+
+- install unix_chkpwd setuid root instead of setgid shadow (#216816)
+
+-------------------------------------------------------------------
+Tue Oct 24 14:26:51 CEST 2006 - kukuk@suse.de
+
+- pam_unix.so/unix_chkpwd: teach about blowfish [#213929]
+- pam_namespace.so: Fix two possible buffer overflow
+- link against libxcrypt
+
+-------------------------------------------------------------------
+Sat Oct 7 11:46:56 CEST 2006 - kukuk@suse.de
+
+- Update hungarian translation [#210091]
+
+-------------------------------------------------------------------
+Tue Sep 19 18:25:25 CEST 2006 - kukuk@suse.de
+
+- Don't remove pam_unix.so
+- Use cracklib again (goes lost with one of the last cleanups)
+
+-------------------------------------------------------------------
+Thu Sep 14 16:11:36 CEST 2006 - kukuk@suse.de
+
+- Add pam_umask.so to common-session [Fate#3621]
+
+-------------------------------------------------------------------
+Wed Sep 6 16:37:33 CEST 2006 - kukuk@suse.de
+
+- Update to Linux-PAM 0.99.6.3 (merges all patches)
+
+-------------------------------------------------------------------
+Wed Aug 30 17:14:22 CEST 2006 - kukuk@suse.de
+
+- Update to Linux-PAM 0.99.6.2 (incorporate last change)
+- Add pam_loginuid and fixes from CVS [Fate#300486]
+
+-------------------------------------------------------------------
+Wed Aug 23 19:11:41 CEST 2006 - kukuk@suse.de
+
+- Fix seg.fault in pam_cracklib if retyped password is empty
+
+-------------------------------------------------------------------
+Tue Aug 22 21:53:40 CEST 2006 - kukuk@suse.de
+
+- Remove use_first_pass from pam_unix2.so in password section
+
+-------------------------------------------------------------------
+Fri Aug 11 03:26:56 CEST 2006 - kukuk@suse.de
+
+- Update to Linux-PAM 0.99.6.1 (big documentation update)
+
+-------------------------------------------------------------------
+Fri Jul 28 11:30:28 CEST 2006 - kukuk@suse.de
+
+- Add missing namespace.init script
+
+-------------------------------------------------------------------
+Thu Jul 27 17:12:24 CEST 2006 - kukuk@suse.de
+
+- Reenable audit subsystem [Fate#300486]
+
+-------------------------------------------------------------------
+Wed Jun 28 13:07:15 CEST 2006 - kukuk@suse.de
+
+- Update to Linux-PAM 0.99.5.0 (more manual pages, three new PAM
+ modules: pam_keyinit, pam_namespace, pam_rhosts)
+
+-------------------------------------------------------------------
+Mon Jun 12 11:49:20 CEST 2006 - kukuk@suse.de
+
+- Update to current CVS (lot of new manual pages and docu)
+
+-------------------------------------------------------------------
+Tue May 30 15:28:21 CEST 2006 - kukuk@suse.de
+
+- Update to Linux-PAM 0.99.4.0 (merge all patches and translations)
+
+-------------------------------------------------------------------
+Wed May 24 10:54:25 CEST 2006 - kukuk@suse.de
+
+- Fix problems found by Coverity
+
+-------------------------------------------------------------------
+Wed May 17 14:46:04 CEST 2006 - schwab@suse.de
+
+- Don't strip binaries.
+
+-------------------------------------------------------------------
+Fri May 5 15:16:29 CEST 2006 - kukuk@suse.de
+
+- Fix pam_tally LFS support [#172492]
+
+-------------------------------------------------------------------
+Fri Apr 21 13:48:17 CEST 2006 - kukuk@suse.de
+
+- Update fr.po and pl.po
+
+-------------------------------------------------------------------
+Tue Apr 11 14:56:37 CEST 2006 - kukuk@suse.de
+
+- Update km.po
+
+-------------------------------------------------------------------
+Tue Apr 4 14:24:11 CEST 2006 - kukuk@suse.de
+
+- Remove obsolete pam-laus from the system
+
+-------------------------------------------------------------------
+Mon Mar 27 14:20:56 CEST 2006 - kukuk@suse.de
+
+- Update translations for pt, pl, fr, fi and cs
+- Add translation for uk
+
+-------------------------------------------------------------------
+Tue Mar 21 14:06:00 CET 2006 - kukuk@suse.de
+
+- Update hu.po
+
+-------------------------------------------------------------------
+Tue Mar 21 12:40:11 CET 2006 - kukuk@suse.de
+
+- Add translation for tr
+
+-------------------------------------------------------------------
+Mon Mar 13 11:47:07 CET 2006 - kukuk@suse.de
+
+- Fix order of NULL checks in pam_get_user
+- Fix comment in pam_lastlog for translators to be visible in
+ pot file
+- Docu update, remove pam_selinux docu
+
+-------------------------------------------------------------------
+Thu Mar 2 16:49:10 CET 2006 - kukuk@suse.de
+
+- Update km translation
+
+-------------------------------------------------------------------
+Thu Feb 23 13:21:22 CET 2006 - kukuk@suse.de
+
+- pam_lastlog:
+ - Initialize correct struct member [SF#1427401]
+ - Mark strftime fmt string for translation [SF#1428269]
+
+-------------------------------------------------------------------
+Sun Feb 19 09:15:42 CET 2006 - kukuk@suse.de
+
+- Update more manual pages
+
+-------------------------------------------------------------------
+Sat Feb 18 12:45:19 CET 2006 - 
ro@suse.de
+
+- really disable audit if header file not present
+
+-------------------------------------------------------------------
+Tue Feb 14 13:29:42 CET 2006 - kukuk@suse.de
+
+- Update fi.po
+- Add km.po
+- Update pl.po
+
+-------------------------------------------------------------------
+Mon Feb 13 09:38:56 CET 2006 - kukuk@suse.de
+
+- Update with better manual pages
+
+-------------------------------------------------------------------
+Thu Feb 9 16:07:27 CET 2006 - kukuk@suse.de
+
+- Add translation for nl, update pt translation
+
+-------------------------------------------------------------------
+Fri Jan 27 14:03:06 CET 2006 - kukuk@suse.de
+
+- Move devel manual pages to -devel package
+- Mark PAM config files as noreplace
+- Mark /etc/securetty as noreplace
+- Run ldconfig
+- Fix libdb/ndbm compat detection with gdbm
+- Adjust german translation
+- Add all services to pam_listfile
+
+-------------------------------------------------------------------
+Wed Jan 25 21:30:44 CET 2006 - mls@suse.de
+
+- converted neededforbuild to BuildRequires
+
+-------------------------------------------------------------------
+Fri Jan 13 22:34:02 CET 2006 - kukuk@suse.de
+
+- Update to Linux-PAM 0.99.3.0 release candiate tar balls
+ (new translations)
+
+-------------------------------------------------------------------
+Mon Jan 9 18:04:53 CET 2006 - kukuk@suse.de
+
+- Fix NULL handling for LSB-pam test suite [#141240]
+
+-------------------------------------------------------------------
+Sun Jan 8 13:04:19 CET 2006 - kukuk@suse.de
+
+- Fix usage of PAM_AUTHTOK_RECOVER_ERR vs. 
PAM_AUTHTOK_RECOVERY_ERR
+
+-------------------------------------------------------------------
+Fri Jan 6 12:34:57 CET 2006 - kukuk@suse.de
+
+- NULL is allowed as thirs argument for pam_get_item [#141240]
+
+-------------------------------------------------------------------
+Wed Dec 21 10:29:02 CET 2005 - kukuk@suse.de
+
+- Add fixes from CVS
+
+-------------------------------------------------------------------
+Thu Dec 15 17:18:35 CET 2005 - kukuk@suse.de
+
+- Fix pam_lastlog: don't report error on first login
+
+-------------------------------------------------------------------
+Tue Dec 13 09:19:12 CET 2005 - kukuk@suse.de
+
+- Update to 0.99.2.1
+
+-------------------------------------------------------------------
+Fri Dec 9 09:41:05 CET 2005 - kukuk@suse.de
+
+- Add /etc/environment to avoid warnings in syslog
+
+-------------------------------------------------------------------
+Mon Dec 5 12:36:47 CET 2005 - kukuk@suse.de
+
+- disable SELinux
+
+-------------------------------------------------------------------
+Wed Nov 23 17:42:10 CET 2005 - kukuk@suse.de
+
+- Update getlogin() fix to final one
+
+-------------------------------------------------------------------
+Mon Nov 21 18:15:05 CET 2005 - kukuk@suse.de
+
+- Fix PAM getlogin() implementation
+
+-------------------------------------------------------------------
+Mon Nov 21 16:37:57 CET 2005 - kukuk@suse.de
+
+- Update to official 0.99.2.0 release
+
+-------------------------------------------------------------------
+Tue Nov 8 08:49:30 CET 2005 - kukuk@suse.de
+
+- Update to new snapshot
+
+-------------------------------------------------------------------
+Mon Oct 10 18:15:20 CEST 2005 - kukuk@suse.de
+
+- Enable original pam_wheel module
+
+-------------------------------------------------------------------
+Tue Sep 27 10:56:58 CEST 2005 - kukuk@suse.de
+
+- Update to current CVS
+- Compile libpam_misc with -fno-strict-aliasing
+
+-------------------------------------------------------------------
+Mon Sep 19 15:31:34 CEST 2005 - kukuk@suse.de
+
+- Update to current CVS
+- Fix compiling of pammodutil with -fPIC
+
+-------------------------------------------------------------------
+Sun Sep 18 15:29:37 CEST 2005 - kukuk@suse.de
+
+- Update to current CVS
+
+-------------------------------------------------------------------
+Tue Aug 23 16:27:50 CEST 2005 - kukuk@suse.de
+
+- Update to new snapshot (Major version is back to 0)
+
+-------------------------------------------------------------------
+Fri Aug 19 16:24:54 CEST 2005 - kukuk@suse.de
+
+- Update to Linux-PAM 0.99.0.3 snapshot
+
+-------------------------------------------------------------------
+Mon Jul 11 15:48:19 CEST 2005 - kukuk@suse.de
+
+- Add pam_umask
+
+-------------------------------------------------------------------
+Mon Jul 4 11:13:21 CEST 2005 - kukuk@suse.de
+
+- Update to current CVS snapshot
+
+-------------------------------------------------------------------
+Thu Jun 23 10:28:43 CEST 2005 - kukuk@suse.de
+
+- Update to current CVS snapshot
+- Add pam_loginuid
+
+-------------------------------------------------------------------
+Thu Jun 9 12:01:49 CEST 2005 - kukuk@suse.de
+
+- Update to current CVS snapshot
+
+-------------------------------------------------------------------
+Mon Jun 6 17:55:33 CEST 2005 - kukuk@suse.de
+
+- Don't reset priority [#81690]
+- Fix creating of symlinks
+
+-------------------------------------------------------------------
+Fri May 20 13:18:43 CEST 2005 - kukuk@suse.de
+
+- Update to current CVS snapshot
+- Real fix for [#82687] (don't include kernel header files)
+
+-------------------------------------------------------------------
+Thu May 12 16:37:07 CEST 2005 - schubi@suse.de
+
+- Bug 82687 - pam_client.h redefines __u8 and __u32
+
+-------------------------------------------------------------------
+Fri Apr 29 11:18:16 CEST 2005 - kukuk@suse.de
+
+- Apply lot of fixes from 
CVS (including SELinux support)
+
+-------------------------------------------------------------------
+Fri Apr 1 09:41:16 CEST 2005 - kukuk@suse.de
+
+- Update to final 0.79 release
+
+-------------------------------------------------------------------
+Mon Mar 14 10:01:07 CET 2005 - kukuk@suse.de
+
+- Apply patch for pam_xauth to preserve DISPLAY variable [#66885]
+
+-------------------------------------------------------------------
+Mon Jan 24 16:02:11 CET 2005 - kukuk@suse.de
+
+- Compile with large file support
+
+-------------------------------------------------------------------
+Mon Jan 24 11:30:27 CET 2005 - schubi@suse.de
+
+- Made patch of latest CVS tree
+- Removed patch pam_handler.diff ( included in CVS now )
+- moved Linux-PAM-0.78.dif to pam_group_time.diff
+
+-------------------------------------------------------------------
+Wed Jan 5 13:09:18 CET 2005 - kukuk@suse.de
+
+- Fix seg.fault, if a PAM config line is incomplete
+
+-------------------------------------------------------------------
+Thu Nov 18 14:58:43 CET 2004 - kukuk@suse.de
+
+- Update to final 0.78
+
+-------------------------------------------------------------------
+Mon Nov 8 17:09:53 CET 2004 - kukuk@suse.de
+
+- Add pam_env.so to common-auth
+- Add pam_limit.so to common-session
+
+-------------------------------------------------------------------
+Wed Oct 13 15:11:59 CEST 2004 - kukuk@suse.de
+
+- Update to 0.78-Beta1
+
+-------------------------------------------------------------------
+Wed Sep 22 16:40:26 CEST 2004 - kukuk@suse.de
+
+- Create pam.d/common-{auth,account,password,session} and include
+ them in pam.d/other
+- Update to current CVS version of upcoming 0.78 release
+
+-------------------------------------------------------------------
+Mon Aug 23 16:44:40 CEST 2004 - kukuk@suse.de
+
+- Update "code cleanup" patch
+- Disable reading of /etc/environment in pam_env.so per default
+
+-------------------------------------------------------------------
+Thu Aug 19 
16:55:24 CEST 2004 - kukuk@suse.de
+
+- Reenable a "fixed" version of "code cleanup" patch
+- Use pam_wheel from pam-modules package
+
+-------------------------------------------------------------------
+Wed Aug 18 17:06:33 CEST 2004 - kukuk@suse.de
+
+- Disable "code cleanup" patch (no more comments about security
+ fixes)
+
+-------------------------------------------------------------------
+Fri Aug 13 15:40:31 CEST 2004 - kukuk@suse.de
+
+- Apply big "code cleanup" patch [Bug #39673]
+
+-------------------------------------------------------------------
+Fri Mar 12 14:32:27 CET 2004 - kukuk@suse.de
+
+- pam_wheel: Use original getlogin again, PAM internal does not
+ work without application help [Bug #35682]
+
+-------------------------------------------------------------------
+Sun Jan 18 12:11:37 CET 2004 - meissner@suse.de
+
+- We no longer have pam in the buildsystem, so we
+ need some buildroot magic flags for the dlopen tests.
+
+-------------------------------------------------------------------
+Thu Jan 15 23:19:55 CET 2004 - kukuk@suse.de
+
+- Cleanup neededforbuild
+
+-------------------------------------------------------------------
+Fri Dec 5 11:32:57 CET 2003 - kukuk@suse.de
+
+- Add manual pages from SLES8
+
+-------------------------------------------------------------------
+Fri Nov 28 09:21:01 CET 2003 - kukuk@suse.de
+
+- Fix installing manual pages of modules
+- Remove pthread check (db is now linked against pthread)
+
+-------------------------------------------------------------------
+Thu Nov 27 09:13:46 CET 2003 - kukuk@suse.de
+
+- Merge with current CVS
+- Apply bug fixes from bugtracking system
+- Build as normal user
+
+-------------------------------------------------------------------
+Fri Nov 21 14:41:41 CET 2003 - kukuk@suse.de
+
+- Compile with noexecstack
+
+-------------------------------------------------------------------
+Thu Nov 6 12:12:15 CET 2003 - kukuk@suse.de
+
+- Fix pam_securetty CVS patch
+
+-------------------------------------------------------------------
+Wed Oct 29 13:47:02 CET 2003 - kukuk@suse.de
+
+- Sync with current CVS version
+
+-------------------------------------------------------------------
+Thu Oct 2 18:37:19 CEST 2003 - kukuk@suse.de
+
+- Add patch to implement "include" statement in pamd files
+
+-------------------------------------------------------------------
+Wed Sep 10 14:36:51 CEST 2003 - uli@suse.de
+
+- added ttyS1 (VT220) to securetty on s390* (bug #29239)
+
+-------------------------------------------------------------------
+Mon Jul 28 15:35:32 CEST 2003 - kukuk@suse.de
+
+- Apply lot of fixes for various problems
+
+-------------------------------------------------------------------
+Tue Jun 10 12:08:56 CEST 2003 - kukuk@suse.de
+
+- Fix getlogin handling in pam_wheel.so
+
+-------------------------------------------------------------------
+Tue May 27 16:26:00 CEST 2003 - ro@suse.de
+
+- added cracklib-devel to neededforbuild
+
+-------------------------------------------------------------------
+Thu Feb 13 14:56:05 CET 2003 - kukuk@suse.de
+
+- Update pam_localuser and pam_xauth.
+
+-------------------------------------------------------------------
+Wed Nov 13 14:51:23 CET 2002 - kukuk@suse.de
+
+- Update to Linux-PAM 0.77 (minor bug fixes and enhancemants)
+
+-------------------------------------------------------------------
+Mon Nov 11 11:26:13 CET 2002 - ro@suse.de
+
+- changed neededforbuild to
+
+-------------------------------------------------------------------
+Sat Sep 14 18:12:49 CEST 2002 - ro@suse.de
+
+- changed securetty / use extra file
+
+-------------------------------------------------------------------
+Fri Sep 13 18:21:35 CEST 2002 - bk@suse.de
+
+- 390: standard console (4,64)/ttyS0 ->only ttyS0 in /etc/securetty
+
+-------------------------------------------------------------------
+Tue Aug 27 17:23:30 CEST 2002 - kukuk@suse.de
+
+- Call password checking helper from pam_unix.so whenever the
+ passwd field is invalid.
+
+-------------------------------------------------------------------
+Sat Aug 24 14:41:43 CEST 2002 - kukuk@suse.de
+
+- Don't build ps and pdf documentation
+
+-------------------------------------------------------------------
+Fri Aug 9 10:26:37 CEST 2002 - kukuk@suse.de
+
+- pam-devel requires pam [Bug #17543]
+
+-------------------------------------------------------------------
+Wed Jul 17 21:48:22 CEST 2002 - kukuk@suse.de
+
+- Remove explicit requires
+
+-------------------------------------------------------------------
+Wed Jul 10 10:14:17 CEST 2002 - kukuk@suse.de
+
+- Update to Linux-PAM 0.76
+- Remove reentrant patch for original PAM modules (needs to be
+ rewritten for new PAM version)
+- Add docu in PDF format
+
+-------------------------------------------------------------------
+Thu Jul 4 11:07:23 CEST 2002 - kukuk@suse.de
+
+- Fix build on different partitions
+
+-------------------------------------------------------------------
+Tue Apr 16 14:50:19 CEST 2002 - mmj@suse.de
+
+- Fix to not own /usr/shar/man/man3
+
+-------------------------------------------------------------------
+Wed Mar 13 10:44:20 CET 2002 - kukuk@suse.de
+
+- Add /usr/include/security to pam-devel filelist
+
+-------------------------------------------------------------------
+Mon Feb 11 22:46:43 CET 2002 - ro@suse.de
+
+- tar option for bz2 is "j"
+
+-------------------------------------------------------------------
+Fri Jan 25 18:55:26 CET 2002 - kukuk@suse.de
+
+- Fix last pam_securetty patch
+
+-------------------------------------------------------------------
+Thu Jan 24 20:11:37 CET 2002 - kukuk@suse.de
+
+- Use reentrant getpwnam functions for most modules
+- Fix unresolved symbols in pam_access and pam_userdb
+
+-------------------------------------------------------------------
+Sun Jan 20 22:06:39 CET 2002 - kukuk@suse.de
+
+- libpam_misc: Don't handle Ctrl-D as error.
+
+-------------------------------------------------------------------
+Wed Jan 16 12:21:30 CET 2002 - kukuk@suse.de
+
+- Remove SuSEconfig.pam
+- Update pam_localuser and pam_xauth
+- Add new READMEs about blowfish and cracklib
+
+-------------------------------------------------------------------
+Mon Nov 12 13:33:09 CET 2001 - kukuk@suse.de
+
+- Remove pam_unix.so (is part of pam-modules)
+
+-------------------------------------------------------------------
+Fri Nov 9 10:42:02 CET 2001 - kukuk@suse.de
+
+- Move extra PAM modules to separate package
+- Require pam-modules package
+
+-------------------------------------------------------------------
+Fri Aug 24 14:55:04 CEST 2001 - kukuk@suse.de
+
+- Move susehelp config file to susehelp package
+
+-------------------------------------------------------------------
+Mon Aug 13 15:51:57 CEST 2001 - ro@suse.de
+
+- changed neededforbuild to
+
+-------------------------------------------------------------------
+Tue Aug 7 17:48:40 CEST 2001 - kukuk@suse.de
+
+- Fixes wrong symlink handling of pam_homecheck [Bug #3905]
+
+-------------------------------------------------------------------
+Wed Jul 11 18:10:11 CEST 2001 - kukuk@suse.de
+
+- Sync 
pam_homecheck and pam_unix2 fixes from 7.2
+- Always ask for the old password if it is expired
+
+-------------------------------------------------------------------
+Sat May 5 20:18:35 CEST 2001 - kukuk@suse.de
+
+- Cleanup Patches, make tar archive from extra pam modules
+
+-------------------------------------------------------------------
+Fri May 4 16:51:07 CEST 2001 - kukuk@suse.de
+
+- Use LOG_NOTICE for trace option [Bug #7673]
+
+-------------------------------------------------------------------
+Thu Apr 12 17:45:55 CEST 2001 - kukuk@suse.de
+
+- Linux-PAM: link pam_access against libnsl
+- Add pam.conf for susehelp/pam html docu
+
+-------------------------------------------------------------------
+Tue Apr 10 17:39:50 CEST 2001 - kukuk@suse.de
+
+- Linux-PAM: Update to version 0.75
+
+-------------------------------------------------------------------
+Tue Apr 3 15:08:27 CEST 2001 - kukuk@suse.de
+
+- Linux-PAM: link libpam_misc against libpam [Bug #6890]
+
+-------------------------------------------------------------------
+Thu Mar 8 15:38:22 CET 2001 - kukuk@suse.de
+
+- Linux-PAM: Fix manual pages (.so reference)
+- pam_pwcheck: fix Makefile
+
+-------------------------------------------------------------------
+Tue Mar 6 12:16:58 CET 2001 - kukuk@suse.de
+
+- Update for Linux-PAM 0.74
+- Drop pwdb subpackage
+
+-------------------------------------------------------------------
+Tue Feb 13 14:17:13 CET 2001 - kukuk@suse.de
+
+- pam_unix2: Create temp files with permission 0600
+
+-------------------------------------------------------------------
+Tue Feb 6 01:34:06 CET 2001 - ro@suse.de
+
+- pam_issue.c: include time.h to make it compile
+
+-------------------------------------------------------------------
+Fri Jan 5 22:51:44 CET 2001 - kukuk@suse.de
+
+- Don't print error message about failed initialization from
+ pam_limits with kernel 2.2 [Bug #5198]
+
+-------------------------------------------------------------------
+Thu Jan 4 17:15:44 CET 
2001 - kukuk@suse.de
+
+- Adjust docu for pam_limits
+
+-------------------------------------------------------------------
+Sun Dec 17 13:22:11 CET 2000 - kukuk@suse.de
+
+- Adjust docu for pam_pwcheck
+
+-------------------------------------------------------------------
+Thu Dec 7 15:23:37 CET 2000 - kukuk@suse.de
+
+- Add fix for pam_limits from 0.73
+
+-------------------------------------------------------------------
+Thu Oct 26 16:36:09 CEST 2000 - kukuk@suse.de
+
+- Add db-devel to need for build
+
+-------------------------------------------------------------------
+Fri Oct 20 12:03:07 CEST 2000 - kukuk@suse.de
+
+- Don't link PAM modules against old libpam library
+
+-------------------------------------------------------------------
+Wed Oct 18 11:53:34 CEST 2000 - kukuk@suse.de
+
+- Create new "devel" subpackage
+
+-------------------------------------------------------------------
+Thu Oct 12 15:16:55 CEST 2000 - kukuk@suse.de
+
+- Add SuSEconfig.pam
+
+-------------------------------------------------------------------
+Tue Oct 3 15:05:00 CEST 2000 - kukuk@suse.de
+
+- Fix problems with new gcc and glibc 2.2 header files
+
+-------------------------------------------------------------------
+Wed Sep 13 13:12:08 CEST 2000 - kukuk@suse.de
+
+- Fix problem with passwords longer then PASS_MAX_LEN
+
+-------------------------------------------------------------------
+Wed Sep 6 16:01:50 CEST 2000 - kukuk@suse.de
+
+- Add missing PAM modules to filelist
+- Fix seg.fault in pam_pwcheck [BUG #3894]
+- Clean spec file
+
+-------------------------------------------------------------------
+Fri Jun 23 12:40:40 CEST 2000 - kukuk@suse.de
+
+- Lot of bug fixes in pam_unix2 and pam_pwcheck
+- compress postscript docu
+
+-------------------------------------------------------------------
+Mon May 15 10:57:16 CEST 2000 - kukuk@suse.de
+
+- Move docu to /usr/share/doc/pam
+- Fix some bugs in pam_unix2 and pam_pwcheck
+
+-------------------------------------------------------------------
+Tue Apr 25 16:32:56 CEST 2000 - kukuk@suse.de
+
+- Add pam_homecheck Module
+
+-------------------------------------------------------------------
+Tue Apr 25 14:17:10 CEST 2000 - kukuk@suse.de
+
+- Add devfs devices to /etc/securetty
+
+-------------------------------------------------------------------
+Wed Mar 1 17:35:27 CET 2000 - kukuk@suse.de
+
+- Fix handling of changing passwords to empty one
+
+-------------------------------------------------------------------
+Tue Feb 22 18:00:48 CET 2000 - kukuk@suse.de
+
+- Set correct attr for unix_chkpwd and pwdb_chkpwd
+
+-------------------------------------------------------------------
+Tue Feb 15 17:47:50 CET 2000 - kukuk@suse.de
+
+- Update pam_pwcheck
+- Update pam_unix2
+
+-------------------------------------------------------------------
+Mon Feb 7 17:55:42 CET 2000 - kukuk@suse.de
+
+- pwdb: Update to 0.61
+
+-------------------------------------------------------------------
+Thu Jan 27 16:54:03 CET 2000 - kukuk@suse.de
+
+- Add config files and README for md5 passwords
+- Update pam_pwcheck
+- Update pam_unix2
+
+-------------------------------------------------------------------
+Thu Jan 13 18:22:10 CET 2000 - kukuk@suse.de
+
+- Update pam_unix2
+- New: pam_pwcheck
+- Update to Linux-PAM 0.72
+
+-------------------------------------------------------------------
+Wed Oct 13 16:48:51 MEST 1999 - kukuk@suse.de
+
+- pam_pwdb: Add security fixes from RedHat
+
+-------------------------------------------------------------------
+Mon Oct 11 20:34:18 MEST 1999 - kukuk@suse.de
+
+- Update to Linux-PAM 0.70
+- Update to pwdb-0.60
+- Fix more pam_unix2 shadow bugs
+
+-------------------------------------------------------------------
+Fri Oct 8 17:20:11 MEST 1999 - kukuk@suse.de
+
+- Add more PAM fixes
+- Implement Password changing request (sp_lstchg == 0)
+
+-------------------------------------------------------------------
+Mon Sep 13 
17:23:57 CEST 1999 - bs@suse.de
+
+- ran old prepare_spec on spec file to switch to new prepare_spec.
+
+-------------------------------------------------------------------
+Sat Sep 11 17:38:50 MEST 1999 - kukuk@suse.de
+
+- Add pam_wheel to file list
+- pam_wheel: Minor fixes
+- pam_unix2: root is allowed to change passwords with wrong
+ password aging information
+
+-------------------------------------------------------------------
+Mon Aug 30 10:16:43 MEST 1999 - kukuk@suse.de
+
+- pam_unix2: Fix typo
+
+-------------------------------------------------------------------
+Thu Aug 19 16:05:09 MEST 1999 - kukuk@suse.de
+
+- Linux-PAM: Update to version 0.69
+
+-------------------------------------------------------------------
+Fri Jul 16 12:35:14 MEST 1999 - kukuk@suse.de
+
+- pam_unix2: Root is allowed to use the old password again.
+
+-------------------------------------------------------------------
+Tue Jul 13 11:09:41 MEST 1999 - kukuk@suse.de
+
+- pam_unix2: Allow root to set an empty password.
+
+-------------------------------------------------------------------
+Sat Jul 10 18:41:00 MEST 1999 - kukuk@suse.de
+
+- Add HP-UX password aging to pam_unix2.
+
+-------------------------------------------------------------------
+Wed Jul 7 17:45:04 MEST 1999 - kukuk@suse.de
+
+- Don't install .cvsignore files
+- Make sure, /etc/shadow has the correct rights
+
+-------------------------------------------------------------------
+Tue Jul 6 10:14:08 MEST 1999 - kukuk@suse.de
+
+- Update to Linux-PAM 0.68
+
+-------------------------------------------------------------------
+Wed Jun 30 18:46:26 MEST 1999 - kukuk@suse.de
+
+- pam_unix2: more bug fixes
+
+-------------------------------------------------------------------
+Tue Jun 29 10:57:18 MEST 1999 - kukuk@suse.de
+
+- pam_unix2: Fix "inactive" password
+
+-------------------------------------------------------------------
+Mon Jun 28 13:59:18 MEST 1999 - kukuk@suse.de
+
+- pam_warn: Add missing functions
+- other.pamd: Update
+- Add more doku
+
+-------------------------------------------------------------------
+Thu Jun 24 14:24:54 MEST 1999 - kukuk@suse.de
+
+- Add securetty config file
+- Fix Debian pam_env patch
+
+-------------------------------------------------------------------
+Mon Jun 21 10:10:35 MEST 1999 - kukuk@suse.de
+
+- Update to Linux-PAM 0.67
+- Add Debian pam_env patch
+
+-------------------------------------------------------------------
+Thu Jun 17 15:59:30 MEST 1999 - kukuk@suse.de
+
+- pam_ftp malloc (core dump) fix
+
+-------------------------------------------------------------------
+Tue Jun 15 18:57:03 MEST 1999 - kukuk@suse.de
+
+- pam_unix2 fixes
+
+-------------------------------------------------------------------
+Mon Jun 7 11:34:48 MEST 1999 - kukuk@suse.de
+
+- First PAM package: pam 0.66, pwdb 0.57 and pam_unix2
diff --git a/pam.spec b/pam.spec
new file mode 100644
index 0000000..9ba38c4
--- /dev/null
+++ b/pam.spec
@@ -0,0 +1,585 @@
+#
+# spec file for package pam
+#
+# Copyright (c) 2020 SUSE LLC
+#
+# All modifications and additions to the file contributed by third parties
+# remain the property of their copyright owners, unless otherwise agreed
+# upon. The license for this file, and modifications and additions to the
+# file, is the same license as for the pristine package itself (unless the
+# license for the pristine package is not an Open Source License, in which
+# case the license is the MIT License). An "Open Source License" is a
+# license that conforms to the Open Source Definition (Version 1.9)
+# published by the Open Source Initiative.
+
+# Please submit bugfixes or comments via https://bugs.opensuse.org/
+#
+
+%if 0%{?sle_version} >= 150400 || 0%{?suse_version} >= 1550
+# Enable livepatching support for SLE15-SP4 onwards. It requires
+# compiler support introduced there.
+%define livepatchable 1
+
+# Set variables for livepatching.
+%define _other %{_topdir}/OTHER
+%define tar_basename pam-livepatch-%{version}-%{release}
+%define tar_package_name %{tar_basename}.%{_arch}.tar.xz
+%define clones_dest_dir %{tar_basename}/%{_arch}
+%else
+# Unsupported operating system.
+%define livepatchable 0
+%endif
+
+%ifnarch x86_64
+# Unsupported architectures must have livepatch disabled.
+%define livepatchable 0
+%endif
+
+%bcond_without selinux
+%bcond_with debug
+
+%define flavor @BUILD_FLAVOR@%{nil}
+
+%define config_files pam.d/other pam.d/common-account pam.d/common-auth pam.d/common-password pam.d/common-session \\\
+ security/faillock.conf security/group.conf security/limits.conf security/pam_env.conf security/access.conf \\\
+ security/namespace.conf security/namespace.init security/sepermit.conf
+
+%if "%{flavor}" == "full"
+%define build_main 0
+%define build_doc 1
+%define build_extra 1
+%define build_userdb 1
+%define name_suffix -%{flavor}-src
+%else
+%define build_main 1
+%define build_doc 0
+%define build_extra 0
+%define build_userdb 0
+%define name_suffix %{nil}
+%endif
+
+#
+%define libpam_so_version 0.85.1
+%define libpam_misc_so_version 0.82.1
+%define libpamc_so_version 0.82.1
+%if ! %{defined _distconfdir}
+ %define _distconfdir %{_sysconfdir}
+ %define config_noreplace 1
+%endif
+#
+%{load:%{_sourcedir}/macros.pam}
+#
+Name: pam%{name_suffix}
+#
+Version: 1.6.0
+Release: 0
+Summary: A Security Tool that Provides Authentication for Applications
+License: GPL-2.0-or-later OR BSD-3-Clause
+Group: System/Libraries
+URL: https://github.com/linux-pam/linux-pam
+Source: Linux-PAM-%{version}.tar.xz
+Source1: Linux-PAM-%{version}.tar.xz.asc
+Source2: macros.pam
+Source3: other.pamd
+Source4: common-auth.pamd
+Source5: common-account.pamd
+Source6: common-password.pamd
+Source7: common-session.pamd
+Source9: baselibs.conf
+Source10: unix2_chkpwd.c
+Source11: unix2_chkpwd.8
+Source12: pam-login_defs-check.sh
+Source13: pam.tmpfiles
+Source20: common-session-nonlogin.pamd
+Source21: postlogin-auth.pamd
+Source22: postlogin-account.pamd
+Source23: postlogin-password.pamd
+Source24: postlogin-session.pamd
+Patch1: pam-limit-nproc.patch
+# https://github.com/linux-pam/linux-pam/pull/739
+Patch2: pam_env-fix_vendordir.patch
+# https://github.com/linux-pam/linux-pam/pull/740
+Patch3: pam_env-fix-enable-vendordir-fallback.patch
+#
https://github.com/linux-pam/linux-pam/pull/741
+Patch4: pam_env-remove-escaped-newlines.patch
+# https://github.com/linux-pam/linux-pam/pull/744
+Patch5: pam_unix-fix-password-aging-disabled.patch
+BuildRequires: audit-devel
+BuildRequires: bison
+BuildRequires: flex
+BuildRequires: libtool
+BuildRequires: xz
+Requires(post): permissions
+# All login.defs variables require support from shadow side.
+# Upgrade this symbol version only if new variables appear!
+# Verify by shadow-login_defs-check.sh from shadow source package.
+Recommends: login_defs-support-for-pam >= 1.5.2
+BuildRequires: pkgconfig(libeconf)
+%if %{with selinux}
+BuildRequires: libselinux-devel
+%endif
+Obsoletes: pam_unix
+Obsoletes: pam_unix-nis
+Recommends: pam-manpages
+Requires(pre): group(shadow)
+Requires(pre): user(root)
+
+%description
+PAM (Pluggable Authentication Modules) is a system security tool that
+allows system administrators to set authentication policies without
+having to recompile programs that do authentication.
+
+%if %{build_userdb}
+%package -n pam-userdb
+Summary: PAM module to authenticate against a separate database
+Group: System/Libraries
+Provides: pam-extra:%{_pam_moduledir}/pam_userdb.so
+BuildRequires: libdb-4_8-devel
+BuildRequires: pam-devel
+
+%description -n pam-userdb
+PAM (Pluggable Authentication Modules) is a system security tool that
+allows system administrators to set authentication policies without
+having to recompile programs that do authentication.
+
+This package contains pam_userdb which is used to verify a
+username/password pair against values stored in a Berkeley DB database.
+%endif
+
+
+%if %{build_extra}
+%package -n pam-extra
+Summary: PAM module with extended dependencies
+Group: System/Libraries
+#BuildRequires: pkgconfig(systemd)
+# The systemd-mini package does not pass configure checks
+BuildRequires: systemd-devel >= 254
+BuildRequires: pam-devel
+Provides: pam:%{_sbindir}/pam_timestamp_check
+
+%description -n pam-extra
+PAM (Pluggable Authentication Modules) is a system security tool that
+allows system administrators to set authentication policies without
+having to recompile programs that do authentication.
+
+This package contains extra modules eg pam_issue and pam_timestamp which
+can have extended dependencies.
+%endif
+
+%if %{build_doc}
+
+%package -n pam-doc
+Summary: Documentation for Pluggable Authentication Modules
+Group: Documentation/HTML
+BuildArch: noarch
+
+%description -n pam-doc
+PAM (Pluggable Authentication Modules) is a system security tool that
+allows system administrators to set authentication policies without
+having to recompile programs that do authentication.
+
+This package contains the documentation.
+
+%package -n pam-manpages
+Summary: Manualpages for Pluggable Authentication Modules
+Group: Documentation/HTML
+Provides: pam:/%{_mandir}/man8/PAM.8.gz
+BuildArch: noarch
+BuildRequires: docbook5-xsl-stylesheets
+BuildRequires: elinks
+BuildRequires: xmlgraphics-fop
+
+%description -n pam-manpages
+PAM (Pluggable Authentication Modules) is a system security tool that
+allows system administrators to set authentication policies without
+having to recompile programs that do authentication.
+
+This package contains the manual pages.
+
+%endif
+
+%package devel
+Summary: Include Files and Libraries for PAM Development
+Group: Development/Libraries/C and C++
+Requires: glibc-devel
+Requires: pam = %{version}
+
+%description devel
+PAM (Pluggable Authentication Modules) is a system security tool which
+allows system administrators to set authentication policy without
+having to recompile programs which do authentication.
+
+This package contains header files and static libraries used for
+building both PAM-aware applications and modules for use with PAM.
+
+%prep
+%setup -q -n Linux-PAM-%{version}
+cp -a %{SOURCE12} .
+%patch1 -p1
+%patch2 -p1
+%patch3 -p1
+%patch4 -p1
+%patch5 -p1
+
+%build
+bash ./pam-login_defs-check.sh
+export CFLAGS="%{optflags}"
+%if !%{with debug}
+CFLAGS="$CFLAGS -DNDEBUG"
+%endif
+%if %{livepatchable}
+CFLAGS="$CFLAGS -fpatchable-function-entry=16,14 -fdump-ipa-clones"
+%endif
+autoreconf
+%configure \
+ --includedir=%{_includedir}/security \
+ --docdir=%{_docdir}/pam \
+ --htmldir=%{_docdir}/pam/html \
+ --pdfdir=%{_docdir}/pam/pdf \
+ --enable-isadir=../..%{_pam_moduledir} \
+ --enable-securedir=%{_pam_moduledir} \
+ --enable-vendordir=%{_prefix}/etc \
+%if "%{flavor}" == "full"
+ --enable-logind \
+%endif
+ --disable-examples \
+ --disable-nis \
+%if %{with debug}
+ --enable-debug
+%endif
+
+%make_build
+
+%if %{livepatchable}
+
+# Ipa-clones are files generated by gcc which logs changes made across
+# functions, and we need to know such changes to build livepatches
+# correctly. These files are intended to be used by the livepatch
+# developers and may be retrieved by using `osc getbinaries`.
+#
+# Create list of ipa-clones.
+find . -name "*.ipa-clones" ! -empty | sed 's/^\.\///g' | sort > ipa-clones.list
+
+# Create ipa-clones destination folder and move clones there.
+mkdir -p ipa-clones/%{clones_dest_dir}
+while read f; do
+ _dest=ipa-clones/%{clones_dest_dir}/$f
+ mkdir -p ${_dest%/*}
+ cp $f $_dest
+done < ipa-clones.list
+
+# Create tar package with the clone files.
+tar cfJ %{tar_package_name} -C ipa-clones %{tar_basename}
+
+# Copy tar package to the OTHERS folder
+cp %{tar_package_name} %{_other}
+
+%endif # livepatchable
+
+gcc -fwhole-program -fpie -pie -D_FILE_OFFSET_BITS=64 -D_GNU_SOURCE %{optflags} -I%{_builddir}/Linux-PAM-%{version}/libpam/include %{SOURCE10} -o %{_builddir}/unix2_chkpwd -L%{_builddir}/Linux-PAM-%{version}/libpam/.libs -lpam
+
+%if %{build_main}
+%check
+%make_build check
+%endif
+
+%install
+mkdir -p %{buildroot}%{_pam_confdir}
+mkdir -p %{buildroot}%{_pam_vendordir}
+mkdir -p %{buildroot}%{_includedir}/security
+mkdir -p %{buildroot}%{_pam_moduledir}
+mkdir -p %{buildroot}/sbin
+mkdir -p -m 755 %{buildroot}%{_libdir}
+# For compat reasons
+mkdir -p %{buildroot}%{_distconfdir}/pam.d
+
+%make_install
+/sbin/ldconfig -n %{buildroot}%{_libdir}
+# Install documentation
+%make_install -C doc
+# install /etc/security/namespace.d used by pam_namespace.so for namespace.conf iscript
+install -d %{buildroot}%{_pam_secconfdir}/namespace.d
+# install other.pamd and common-*.pamd
+install -m 644 %{SOURCE3} %{buildroot}%{_pam_vendordir}/other
+install -m 644 %{SOURCE4} %{buildroot}%{_pam_vendordir}/common-auth
+install -m 644 %{SOURCE5} %{buildroot}%{_pam_vendordir}/common-account
+install -m 644 %{SOURCE6} %{buildroot}%{_pam_vendordir}/common-password
+install -m 644 %{SOURCE7} %{buildroot}%{_pam_vendordir}/common-session
+install -m 644 %{SOURCE20} %{buildroot}%{_pam_vendordir}/common-session-nonlogin
+install -m 644 %{SOURCE21} %{buildroot}%{_pam_vendordir}/postlogin-auth
+install -m 644 %{SOURCE22} %{buildroot}%{_pam_vendordir}/postlogin-account
+install -m 644 %{SOURCE23} %{buildroot}%{_pam_vendordir}/postlogin-password
+install -m 644 %{SOURCE24} %{buildroot}%{_pam_vendordir}/postlogin-session
+mkdir -p
%{buildroot}%{_prefix}/lib/motd.d
+#
+# Remove crap
+#
+find %{buildroot} -type f -name "*.la" -delete -print
+#
+# Install READMEs of PAM modules
+#
+DOC=%{buildroot}%{_defaultdocdir}/pam
+mkdir -p $DOC/modules
+pushd modules
+for i in pam_*/README; do
+ cp -fpv "$i" "$DOC/modules/README.${i%/*}"
+done
+popd
+# Install unix2_chkpwd
+install -m 755 %{_builddir}/unix2_chkpwd %{buildroot}%{_sbindir}
+
+# rpm macros
+install -D -m 644 %{SOURCE2} %{buildroot}%{_rpmmacrodir}/macros.pam
+# /run/motd.d
+install -Dm0644 %{SOURCE13} %{buildroot}%{_tmpfilesdir}/pam.conf
+
+mkdir -p %{buildroot}%{_pam_secdistconfdir}/{limits.d,namespace.d}
+mv %{buildroot}%{_sysconfdir}/environment %{buildroot}%{_distconfdir}/environment
+
+# Remove manual pages for main package
+%if !%{build_doc}
+rm -rf %{buildroot}%{_mandir}/man?/*
+%else
+install -m 644 %{_sourcedir}/unix2_chkpwd.8 %{buildroot}/%{_mandir}/man8/
+# bsc#1188724
+echo '.so man8/pam_motd.8' > %{buildroot}%{_mandir}/man5/motd.5
+%endif
+
+%if !%{build_main}
+rm -rf %{buildroot}{%{_sysconfdir},%{_distconfdir},%{_sbindir}/{f*,m*,pam_n*,pw*,u*},%{_pam_secconfdir},%{_pam_confdir},%{_datadir}/locale}
+rm -rf %{buildroot}{%{_includedir},%{_libdir}/{libpam*,pkgconfig},%{_pam_vendordir},%{_rpmmacrodir},%{_tmpfilesdir},%{_unitdir}/pam_namespace.service}
+rm -rf %{buildroot}%{_pam_moduledir}/pam_{a,b,c,d,e,f,g,h,j,k,l,m,n,o,p,q,r,s,v,w,x,y,z,time.,tt,um,un,usertype}*
+%else
+# Delete files for extra package
+rm -rf %{buildroot}{%{_pam_moduledir}/pam_issue.so,%{_pam_moduledir}/pam_timestamp.so,%{_sbindir}/pam_timestamp_check}
+
+# Create filelist with translations
+%find_lang Linux-PAM
+
+%endif
+
+%if %{build_main}
+
+%verifyscript
+%verify_permissions -e %{_sbindir}/unix_chkpwd
+%verify_permissions -e %{_sbindir}/unix2_chkpwd
+
+%post
+/sbin/ldconfig
+%set_permissions %{_sbindir}/unix_chkpwd
+%set_permissions %{_sbindir}/unix2_chkpwd
+%tmpfiles_create %{_tmpfilesdir}/pam.conf
+
+%postun -p /sbin/ldconfig
+%pre
+for i in securetty
%{config_files} ; do
+ test -f %{_sysconfdir}/${i}.rpmsave && mv -v %{_sysconfdir}/${i}.rpmsave %{_sysconfdir}/${i}.rpmsave.old ||:
+done
+
+%posttrans
+# Migration to /usr/etc.
+for i in securetty %{config_files} ; do
+ test -f %{_sysconfdir}/${i}.rpmsave && mv -v %{_sysconfdir}/${i}.rpmsave %{_sysconfdir}/${i} ||:
+done
+
+%files -f Linux-PAM.lang
+%doc NEWS
+%license COPYING
+%exclude %{_defaultdocdir}/pam/html
+%exclude %{_defaultdocdir}/pam/modules
+%exclude %{_defaultdocdir}/pam/pdf
+%exclude %{_defaultdocdir}/pam/*.txt
+%dir %{_pam_confdir}
+%dir %{_pam_vendordir}
+%dir %{_pam_secconfdir}
+%dir %{_pam_secdistconfdir}
+%dir %{_pam_secdistconfdir}/limits.d
+# /usr/etc/pam.d is for compat reasons
+%dir %{_distconfdir}/pam.d
+%dir %{_prefix}/lib/motd.d
+%if %{defined config_noreplace}
+%config(noreplace) %{_pam_confdir}/other
+%config(noreplace) %{_pam_confdir}/common-*
+%else
+%{_pam_vendordir}/other
+%{_pam_vendordir}/common-*
+%{_pam_vendordir}/postlogin-*
+%endif
+%{_distconfdir}/environment
+%{_pam_secdistconfdir}/access.conf
+%{_pam_secdistconfdir}/group.conf
+%{_pam_secdistconfdir}/faillock.conf
+%{_pam_secdistconfdir}/limits.conf
+%{_pam_secdistconfdir}/pam_env.conf
+%if %{with selinux}
+%{_pam_secdistconfdir}/sepermit.conf
+%endif
+%{_pam_secdistconfdir}/time.conf
+%{_pam_secdistconfdir}/namespace.conf
+%{_pam_secdistconfdir}/namespace.init
+%{_pam_secdistconfdir}/pwhistory.conf
+%dir %{_pam_secdistconfdir}/namespace.d
+%{_libdir}/libpam.so.0
+%{_libdir}/libpam.so.%{libpam_so_version}
+%{_libdir}/libpamc.so.0
+%{_libdir}/libpamc.so.%{libpamc_so_version}
+%{_libdir}/libpam_misc.so.0
+%{_libdir}/libpam_misc.so.%{libpam_misc_so_version}
+%dir %{_pam_moduledir}
+%{_pam_moduledir}/pam_access.so
+%{_pam_moduledir}/pam_canonicalize_user.so
+%{_pam_moduledir}/pam_debug.so
+%{_pam_moduledir}/pam_deny.so
+%{_pam_moduledir}/pam_echo.so
+%{_pam_moduledir}/pam_env.so
+%{_pam_moduledir}/pam_exec.so
+%{_pam_moduledir}/pam_faildelay.so
+%{_pam_moduledir}/pam_faillock.so
+%{_pam_moduledir}/pam_filter.so
+%dir %{_pam_moduledir}/pam_filter
+%{_pam_moduledir}//pam_filter/upperLOWER
+%{_pam_moduledir}/pam_ftp.so
+%{_pam_moduledir}/pam_group.so
+%{_pam_moduledir}/pam_keyinit.so
+%{_pam_moduledir}/pam_limits.so
+%{_pam_moduledir}/pam_listfile.so
+%{_pam_moduledir}/pam_localuser.so
+%{_pam_moduledir}/pam_loginuid.so
+%{_pam_moduledir}/pam_mail.so
+%{_pam_moduledir}/pam_mkhomedir.so
+%{_pam_moduledir}/pam_motd.so
+%{_pam_moduledir}/pam_namespace.so
+%{_pam_moduledir}/pam_nologin.so
+%{_pam_moduledir}/pam_permit.so
+%{_pam_moduledir}/pam_pwhistory.so
+%{_pam_moduledir}/pam_rhosts.so
+%{_pam_moduledir}/pam_rootok.so
+%{_pam_moduledir}/pam_securetty.so
+%if %{with selinux}
+%{_pam_moduledir}/pam_selinux.so
+%{_pam_moduledir}/pam_sepermit.so
+%endif
+%{_pam_moduledir}/pam_setquota.so
+%{_pam_moduledir}/pam_shells.so
+%{_pam_moduledir}/pam_stress.so
+%{_pam_moduledir}/pam_succeed_if.so
+%{_pam_moduledir}/pam_time.so
+%{_pam_moduledir}/pam_tty_audit.so
+%{_pam_moduledir}/pam_umask.so
+%{_pam_moduledir}/pam_unix.so
+%{_pam_moduledir}/pam_usertype.so
+%{_pam_moduledir}/pam_warn.so
+%{_pam_moduledir}/pam_wheel.so
+%{_pam_moduledir}/pam_xauth.so
+%{_sbindir}/faillock
+%{_sbindir}/mkhomedir_helper
+%{_sbindir}/pam_namespace_helper
+%{_sbindir}/pwhistory_helper
+%verify(not mode) %attr(4755,root,shadow) %{_sbindir}/unix_chkpwd
+%verify(not mode) %attr(4755,root,shadow) %{_sbindir}/unix2_chkpwd
+%attr(0700,root,root) %{_sbindir}/unix_update
+%{_unitdir}/pam_namespace.service
+%{_tmpfilesdir}/pam.conf
+
+%files devel
+%defattr(644,root,root,755)
+%dir %{_includedir}/security
+%{_includedir}/security/*.h
+%{_libdir}/libpam.so
+%{_libdir}/libpamc.so
+%{_libdir}/libpam_misc.so
+%{_rpmmacrodir}/macros.pam
+%{_libdir}/pkgconfig/pam*.pc
+%endif
+
+%if %{build_userdb}
+%files -n pam-userdb
+%defattr(-,root,root,755)
+%{_pam_moduledir}/pam_userdb.so
+%{_mandir}/man8/pam_userdb.8%{?ext_man}
+%endif
+
+%if %{build_extra}
+%files
-n pam-extra
+%defattr(-,root,root,755)
+%{_pam_moduledir}/pam_issue.so
+%{_pam_moduledir}/pam_timestamp.so
+%{_sbindir}/pam_timestamp_check
+%endif
+
+%if %{build_doc}
+
+%files -n pam-doc
+%defattr(644,root,root,755)
+%dir %{_defaultdocdir}/pam
+%doc %{_defaultdocdir}/pam/html
+%doc %{_defaultdocdir}/pam/modules
+%doc %{_defaultdocdir}/pam/pdf
+%doc %{_defaultdocdir}/pam/*.txt
+
+%files -n pam-manpages
+%{_mandir}/man3/pam*.3%{?ext_man}
+%{_mandir}/man3/misc_conv.3%{?ext_man}
+%{_mandir}/man5/environment.5%{?ext_man}
+%{_mandir}/man5/*.conf.5%{?ext_man}
+%{_mandir}/man5/pam.d.5%{?ext_man}
+%{_mandir}/man5/motd.5%{?ext_man}
+%{_mandir}/man8/PAM.8%{?ext_man}
+%{_mandir}/man8/faillock.8%{?ext_man}
+%{_mandir}/man8/mkhomedir_helper.8%{?ext_man}
+%{_mandir}/man8/pam.8%{?ext_man}
+%{_mandir}/man8/pam_access.8%{?ext_man}
+%{_mandir}/man8/pam_canonicalize_user.8%{?ext_man}
+%{_mandir}/man8/pam_debug.8%{?ext_man}
+%{_mandir}/man8/pam_deny.8%{?ext_man}
+%{_mandir}/man8/pam_echo.8%{?ext_man}
+%{_mandir}/man8/pam_env.8%{?ext_man}
+%{_mandir}/man8/pam_exec.8%{?ext_man}
+%{_mandir}/man8/pam_faildelay.8%{?ext_man}
+%{_mandir}/man8/pam_faillock.8%{?ext_man}
+%{_mandir}/man8/pam_filter.8%{?ext_man}
+%{_mandir}/man8/pam_ftp.8%{?ext_man}
+%{_mandir}/man8/pam_group.8%{?ext_man}
+%{_mandir}/man8/pam_issue.8%{?ext_man}
+%{_mandir}/man8/pam_keyinit.8%{?ext_man}
+%{_mandir}/man8/pam_limits.8%{?ext_man}
+%{_mandir}/man8/pam_listfile.8%{?ext_man}
+%{_mandir}/man8/pam_localuser.8%{?ext_man}
+%{_mandir}/man8/pam_loginuid.8%{?ext_man}
+%{_mandir}/man8/pam_mail.8%{?ext_man}
+%{_mandir}/man8/pam_mkhomedir.8%{?ext_man}
+%{_mandir}/man8/pam_motd.8%{?ext_man}
+%{_mandir}/man8/pam_namespace.8%{?ext_man}
+%{_mandir}/man8/pam_namespace_helper.8%{?ext_man}
+%{_mandir}/man8/pam_nologin.8%{?ext_man}
+%{_mandir}/man8/pam_permit.8%{?ext_man}
+%{_mandir}/man8/pam_pwhistory.8%{?ext_man}
+%{_mandir}/man8/pam_rhosts.8%{?ext_man}
+%{_mandir}/man8/pam_rootok.8%{?ext_man}
+%{_mandir}/man8/pam_securetty.8%{?ext_man}
+%if %{with selinux}
+%{_mandir}/man8/pam_selinux.8%{?ext_man}
+%{_mandir}/man8/pam_sepermit.8%{?ext_man}
+%endif
+%{_mandir}/man8/pam_setquota.8%{?ext_man}
+%{_mandir}/man8/pam_shells.8%{?ext_man}
+%{_mandir}/man8/pam_stress.8%{?ext_man}
+%{_mandir}/man8/pam_succeed_if.8%{?ext_man}
+%{_mandir}/man8/pam_time.8%{?ext_man}
+%{_mandir}/man8/pam_timestamp.8%{?ext_man}
+%{_mandir}/man8/pam_timestamp_check.8%{?ext_man}
+%{_mandir}/man8/pam_tty_audit.8%{?ext_man}
+%{_mandir}/man8/pam_umask.8%{?ext_man}
+%{_mandir}/man8/pam_unix.8%{?ext_man}
+%{_mandir}/man8/pam_usertype.8%{?ext_man}
+%{_mandir}/man8/pam_warn.8%{?ext_man}
+%{_mandir}/man8/pam_wheel.8%{?ext_man}
+%{_mandir}/man8/pam_xauth.8%{?ext_man}
+%{_mandir}/man8/pwhistory_helper.8%{?ext_man}
+%{_mandir}/man8/unix2_chkpwd.8%{?ext_man}
+%{_mandir}/man8/unix_chkpwd.8%{?ext_man}
+%{_mandir}/man8/unix_update.8%{?ext_man}
+
+%endif
+
+%changelog
diff --git a/pam.tmpfiles b/pam.tmpfiles
new file mode 100644
index 0000000..c41b85b
--- /dev/null
+++ b/pam.tmpfiles
@@ -0,0 +1,4 @@
+#Type Path Mode User Group Age Argument
+D /run/faillock 0755 root root - -
+D /run/motd.d 0755 root root - -
+D /run/pam_timestamp 0755 root root - -
diff --git a/pam_env-fix-enable-vendordir-fallback.patch b/pam_env-fix-enable-vendordir-fallback.patch
new file mode 100644
index 0000000..aaaf96e
--- /dev/null
+++ b/pam_env-fix-enable-vendordir-fallback.patch
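Review bot: `Source1` lists the detached signature `Linux-PAM-%{version}.tar.xz.asc`, but no keyring appears among the `Source` entries and `%prep` goes straight from `%setup` to the patches, so nothing in this spec ties the tarball to the upstream signing key. This package installs `unix_chkpwd` and `unix2_chkpwd` with `%attr(4755,root,shadow)`, so the provenance of the sources deserves an explicit check. I would add the upstream key as a source, e.g. `SourceNN: <upstream-signing-key>.keyring` (placeholder name), so the signature can be validated at build or submit time; if that validation already happens outside the spec, a comment next to `Source1` saying where would be enough.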
@@ -0,0 +1,51 @@
+From 28894b319488e8302899ee569b6e0911905f374e Mon Sep 17 00:00:00 2001
+From: "Dmitry V. Levin"
+Date: Thu, 18 Jan 2024 17:00:00 +0000
+Subject: [PATCH] pam_env: fix --enable-vendordir fallback logic
+
+* modules/pam_env/pam_env.c (_parse_config_file) [!USE_ECONF &&
+VENDOR_DEFAULT_CONF_FILE]: Do not fallback to vendor pam_env.conf file
+if the config file is specified via module arguments.
+
+Link: https://github.com/linux-pam/linux-pam/issues/738
+Fixes: v1.5.3~69 ("pam_env: Use vendor specific pam_env.conf and environment as fallback")
+---
+ modules/pam_env/pam_env.c | 22 +++++++++++-----------
+ 1 file changed, 11 insertions(+), 11 deletions(-)
+
+diff --git a/modules/pam_env/pam_env.c b/modules/pam_env/pam_env.c
+index a0b812fff..8b40b6a5a 100644
+--- a/modules/pam_env/pam_env.c
++++ b/modules/pam_env/pam_env.c
+@@ -850,20 +850,20 @@ _parse_config_file(pam_handle_t *pamh, int ctrl, const char *file)
+ #ifdef USE_ECONF
+ /* If "file" is not NULL, only this file will be parsed. */
+ retval = econf_read_file(pamh, file, " \t", PAM_ENV, ".conf", "security", &conf_list);
+-#else
++#else /* !USE_ECONF */
+ /* Only one file will be parsed. So, file has to be set. */
+- if (file == NULL) /* No filename has been set via argv. */
++ if (file == NULL) { /* No filename has been set via argv. */
+ file = DEFAULT_CONF_FILE;
+-#ifdef VENDOR_DEFAULT_CONF_FILE
+- /*
+- * Check whether file is available.
+- * If it does not exist, fall back to VENDOR_DEFAULT_CONF_FILE file.
+- */
+- struct stat stat_buffer;
+- if (stat(file, &stat_buffer) != 0 && errno == ENOENT) {
+- file = VENDOR_DEFAULT_CONF_FILE;
++# ifdef VENDOR_DEFAULT_CONF_FILE
++ /*
++ * Check whether DEFAULT_CONF_FILE file is available.
++ * If it does not exist, fall back to VENDOR_DEFAULT_CONF_FILE file.
++ */
++ struct stat stat_buffer;
++ if (stat(file, &stat_buffer) != 0 && errno == ENOENT)
++ file = VENDOR_DEFAULT_CONF_FILE;
++# endif
+ }
+-#endif
+ retval = read_file(pamh, file, &conf_list);
+ #endif
+
diff --git a/pam_env-fix_vendordir.patch b/pam_env-fix_vendordir.patch
new file mode 100644
index 0000000..38b69bd
--- /dev/null
+++ b/pam_env-fix_vendordir.patch
@@ -0,0 +1,51 @@
+From 0703453bec6ac54ad31d7245be4529796a3ef764 Mon Sep 17 00:00:00 2001
+From: Tobias Stoeckmann
+Date: Thu, 18 Jan 2024 18:08:05 +0100
+Subject: [PATCH] pam_env: check VENDORDIR after config.h inclusion
+
+The VENDORDIR define has to be checked after config.h
+inclusion, otherwise the ifdef test always yields false.
+
+Fixes: 6135c45347b6 ("pam_env: Use vendor specific pam_env.conf and environment as fallback")
+
+Signed-off-by: Tobias Stoeckmann
+---
+ modules/pam_env/pam_env.c | 18 +++++++++---------
+ 1 file changed, 9 insertions(+), 9 deletions(-)
+
+diff --git a/modules/pam_env/pam_env.c b/modules/pam_env/pam_env.c
+index 59adc942c..a0b812fff 100644
+--- a/modules/pam_env/pam_env.c
++++ b/modules/pam_env/pam_env.c
+@@ -6,15 +6,6 @@
+ * template for this file (via pam_mail)
+ */
+
+-#define DEFAULT_ETC_ENVFILE "/etc/environment"
+-#ifdef VENDORDIR
+-#define VENDOR_DEFAULT_ETC_ENVFILE (VENDORDIR "/environment")
+-#endif
+-#define DEFAULT_READ_ENVFILE 1
+-
+-#define DEFAULT_USER_ENVFILE ".pam_environment"
+-#define DEFAULT_USER_READ_ENVFILE 0
+-
+ #include "config.h"
+
+ #include
+@@ -52,6 +43,15 @@ typedef struct var {
+ char *override;
+ } VAR;
+
++#define DEFAULT_ETC_ENVFILE "/etc/environment"
++#ifdef VENDORDIR
++#define VENDOR_DEFAULT_ETC_ENVFILE (VENDORDIR "/environment")
++#endif
++#define DEFAULT_READ_ENVFILE 1
++
++#define DEFAULT_USER_ENVFILE ".pam_environment"
++#define DEFAULT_USER_READ_ENVFILE 0
++
+ #define DEFAULT_CONF_FILE (SCONFIGDIR "/pam_env.conf")
+ #ifdef VENDOR_SCONFIGDIR
+ #define VENDOR_DEFAULT_CONF_FILE (VENDOR_SCONFIGDIR "/pam_env.conf")
diff --git a/pam_env-remove-escaped-newlines.patch b/pam_env-remove-escaped-newlines.patch
new file mode 100644
index 0000000..74aeb93
--- /dev/null
+++ b/pam_env-remove-escaped-newlines.patch
@@ -0,0 +1,54 @@
+From ef51c51523b4c6ce6275b2863a0de1a3a6dff1e5 Mon Sep 17 00:00:00 2001
+From: Tobias Stoeckmann
+Date: Thu, 18 Jan 2024 20:25:20 +0100
+Subject: [PATCH] pam_env: remove escaped newlines from econf lines
+
+The libeconf routines do not remove escaped newlines the way we want to
+process them later on. Manually remove them from values.
+
+Signed-off-by: Tobias Stoeckmann
+---
+ modules/pam_env/pam_env.c | 23 +++++++++++++++++++++++
+ 1 file changed, 23 insertions(+)
+
+diff --git a/modules/pam_env/pam_env.c b/modules/pam_env/pam_env.c
+index a0b812fff..5f53fbb10 100644
+--- a/modules/pam_env/pam_env.c
++++ b/modules/pam_env/pam_env.c
+@@ -160,6 +160,28 @@ isDirectory(const char *path) {
+ return S_ISDIR(statbuf.st_mode);
+ }
+
++/*
++ * Remove escaped newline from string.
++ *
++ * All occurrences of "\\n" will be removed from string.
++ */
++static void
++econf_unescnl(char *val)
++{
++ char *dest, *p;
++
++ dest = p = val;
++
++ while (*p != '\0') {
++ if (p[0] == '\\' && p[1] == '\n') {
++ p += 2;
++ } else {
++ *dest++ = *p++;
++ }
++ }
++ *dest = '\0';
++}
++
+ static int
+ econf_read_file(const pam_handle_t *pamh, const char *filename, const char *delim,
+ const char *name, const char *suffix, const char *subpath,
+@@ -270,6 +292,7 @@ econf_read_file(const pam_handle_t *pamh, const char *filename, const char *deli
+ keys[i],
+ econf_errString(error));
+ } else {
++ econf_unescnl(val);
+ if (asprintf(&(*lines)[i],"%s%c%s", keys[i], delim[0], val) < 0) {
+ pam_syslog(pamh, LOG_ERR, "Cannot allocate memory.");
+ econf_free(keys);
diff --git a/pam_unix-fix-password-aging-disabled.patch b/pam_unix-fix-password-aging-disabled.patch
new file mode 100644
index 0000000..f11b5a6
--- /dev/null
+++ b/pam_unix-fix-password-aging-disabled.patch
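Review bot: `econf_unescnl()` dereferences `val` on its first loop test, and the call added in `econf_read_file()` passes `val` straight in; the assignment of `val` lies outside this hunk, so whether it can be NULL on the success branch cannot be confirmed from here. Before this change the only consumer was `asprintf(... "%s" ...)`, which glibc tolerates with a NULL argument, so a NULL value would turn from an odd line into a crash inside the PAM stack. A guard at the top of the helper, `if (val == NULL) return;`, costs nothing. The header comment would also read better as `All occurrences of a backslash followed by a newline character are removed.`, since `"\\n"` can be taken for the two-character sequence backslash-n, which the code leaves alone. `econf_read_file()` starts and ends outside the hunk.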
@@ -0,0 +1,27 @@
+From 9d40f55216b2de60ccb9b617c79b9280b9f29ead Mon Sep 17 00:00:00 2001
+From: Tobias Stoeckmann
+Date: Fri, 19 Jan 2024 10:09:00 +0100
+Subject: [PATCH] pam_unix: do not warn if password aging disabled
+
+Later checks will print a warning if daysleft is 0. If password
+aging is disabled, leave daysleft at -1.
+
+Fixes 9ebc14085a3ba253598cfaa0d3f0d76ea5ee8ccb.
+
+Signed-off-by: Tobias Stoeckmann
+---
+ modules/pam_unix/passverify.c | 1 -
+ 1 file changed, 1 deletion(-)
+
+diff --git a/modules/pam_unix/passverify.c b/modules/pam_unix/passverify.c
+index 5c4f862e7..1bc98fa25 100644
+--- a/modules/pam_unix/passverify.c
++++ b/modules/pam_unix/passverify.c
+@@ -314,7 +314,6 @@ PAMH_ARG_DECL(int check_shadow_expiry,
+ }
+ if (spent->sp_lstchg < 0) {
+ D(("password aging disabled"));
+- *daysleft = 0;
+ return PAM_SUCCESS;
+ }
+ if (curdays < spent->sp_lstchg) {
diff --git a/postlogin-account.pamd b/postlogin-account.pamd
new file mode 100644
index 0000000..68f6395
--- /dev/null
+++ b/postlogin-account.pamd
@@ -0,0 +1,10 @@
+#
+# /etc/pam.d/postlogin-account - account settings common to login services
+#
+# This file is included from login service-specific PAM config files,
+# and contains the PAM modules which should be called after
+# the modules of "common-account".
+#
+# This file should only be included from services doing real logins,
+# so like "login", "xdm" or "sshd", but not "chsh" or "cron".
+#
diff --git a/postlogin-auth.pamd b/postlogin-auth.pamd
new file mode 100644
index 0000000..fc72201
--- /dev/null
+++ b/postlogin-auth.pamd
@@ -0,0 +1,10 @@
+#
+# /etc/pam.d/postlogin-auth - authentication settings common to login services
+#
+# This file is included from login service-specific PAM config files,
+# and contains the PAM modules which should be called after
+# the modules of "common-auth".
+#
+# This file should only be included from services doing real logins,
+# so like "login", "xdm" or "sshd", but not "chsh" or "cron".
+#
diff --git a/postlogin-password.pamd b/postlogin-password.pamd
new file mode 100644
index 0000000..9f1bd7c
--- /dev/null
+++ b/postlogin-password.pamd
@@ -0,0 +1,10 @@
+#
+# /etc/pam.d/postlogin-password - password settings common to login services
+#
+# This file is included from login service-specific PAM config files,
+# and contains the PAM modules which should be called after
+# the modules of "common-password".
+#
+# This file should only be included from services doing real logins,
+# so like "login", "xdm" or "sshd", but not "chsh" or "cron".
+#
diff --git a/postlogin-session.pamd b/postlogin-session.pamd
new file mode 100644
index 0000000..c94ceb5
--- /dev/null
+++ b/postlogin-session.pamd
@@ -0,0 +1,10 @@
+#
+# /etc/pam.d/postlogin-session - session settings common to login services
+#
+# This file is included from login service-specific PAM config files,
+# and contains the PAM modules which should be called after
+# the modules of "common-session".
+#
+# This file should only be included from services doing real logins,
+# so like "login", "xdm" or "sshd", but not "chsh" or "cron".
+#
diff --git a/unix2_chkpwd.8 b/unix2_chkpwd.8
new file mode 100644
index 0000000..f072b0f
--- /dev/null
+++ b/unix2_chkpwd.8
@@ -0,0 +1,79 @@
+.\" Copyright (C) 2003 International Business Machines Corporation
+.\" This file is distributed according to the GNU General Public License.
+.\" See the file COPYING in the top level source directory for details.
+.\"
+.de Sh \" Subsection
+.br
+.if t .Sp
+.ne 5
+.PP
+\fB\\$1\fR
+.PP
+..
+.de Sp \" Vertical space (when we can't use .PP)
+.if t .sp .5v
+.if n .sp
+..
+.de Ip \" List item
+.br
+.ie \\n(.$>=3 .ne \\$3
+.el .ne 3
+.IP "\\$1" \\$2
+..
+.TH "UNIX2_CHKPWD" 8 "2003-03-21" "Linux-PAM 0.76" "Linux-PAM Manual"
+.SH NAME
+unix2_chkpwd \- helper binary that verifies the password of the current user
+.SH "SYNOPSIS"
+.ad l
+.hy 0
+
+/sbin/unix2_chkpwd \fIservicename\fR \fIusername\fR
+.sp
+.ad
+.hy
+.SH "DESCRIPTION"
+.PP
+\fBunix2_chkpwd\fR is a helper program for applications that verifies
+the password of the current user. It is not intended to be run directly from
+the command line and logs a security violation if done so.
+
+It is typically installed setuid root or setgid shadow and called by
+applications, which only wishes to do an user authentification and
+nothing more.
+
+.SH "OPTIONS"
+.PP
+unix2_chkpwd requires the following arguments:
+.TP
+\fIpam_service\fR
+The name of the service using unix2_chkpwd. This is required to be one of
+the services in /etc/pam.d
+.TP
+\fIusername\fR
+The name of the user whose password you want to verify.
+
+.SH "INPUTS"
+.PP
+unix2_chkpwd expects the password via stdin.
+
+.SH "RETURN CODES"
+.PP
+\fBunix2_chkpwd\fR has the following return codes:
+.TP
+1
+unix2_chkpwd was inappropriately called from the command line or the password is incorrect.
+
+.TP
+0
+The password is correct.
+
+.SH "HISTORY"
+Written by Olaf Kirch loosely based on unix_chkpwd by Andrew Morgan
+
+.SH "SEE ALSO"
+
+.PP
+\fBpam\fR(8)
+
+.SH AUTHOR
+Emily Ratliff.
diff --git a/unix2_chkpwd.c b/unix2_chkpwd.c
new file mode 100644
index 0000000..f33cf5f
--- /dev/null
+++ b/unix2_chkpwd.c
@@ -0,0 +1,337 @@
+/*
+ * Set*id helper program for PAM authentication.
+ *
+ * It is supposed to be called from pam_unix2's
+ * pam_sm_authenticate function if the function notices
+ * that it's unable to get the password from the shadow file
+ * because it doesn't have sufficient permissions.
+ *
+ * Copyright (C) 2002 SuSE Linux AG
+ *
+ * Written by okir@suse.de, loosely based on unix_chkpwd
+ * by Andrew Morgan.
+ */
+
+#include
+#include
+
+#include
+#include
+#include
+#include
+#include
+#include
+#include
+#include
+#include
+#include
+#include
+#include
+
+#define BUFLEN 1024
+#ifndef LOGINDEFS
+#define LOGINDEFS "/etc/login.defs"
+#endif
+#define LOGINDEFS_FAIL_DELAY_KEY "FAIL_DELAY"
+#define DEFAULT_FAIL_DELAY_S 10
+
+#define PASSWD_CRACKER_DELAY_MS 100
+
+enum {
+ UNIX_PASSED = 0,
+ UNIX_FAILED = 1
+};
+
+static char * program_name;
+static char pass[64];
+static int npass = -1;
+
+/*
+ * Log error messages
+ */
+static void
+_log_err(int err, const char *format,...)
+{
+ va_list args;
+
+ va_start(args, format);
+ openlog(program_name, LOG_CONS | LOG_PID, LOG_AUTH);
+ vsyslog(err, format, args);
+ va_end(args);
+ closelog();
+}
+
+static void
+su_sighandler(int sig)
+{
+ if (sig > 0) {
+ _log_err(LOG_NOTICE, "caught signal %d.", sig);
+ exit(sig);
+ }
+}
+
+/*
+ * Setup signal handlers
+ */
+static void
+setup_signals(void)
+{
+ struct sigaction action;
+
+ memset((void *) &action, 0, sizeof(action));
+ action.sa_handler = su_sighandler;
+ action.sa_flags = SA_RESETHAND;
+ sigaction(SIGILL, &action, NULL);
+ sigaction(SIGTRAP, &action, NULL);
+ sigaction(SIGBUS, &action, NULL);
+ sigaction(SIGSEGV, &action, NULL);
+ action.sa_handler = SIG_IGN;
+ action.sa_flags = 0;
+ sigaction(SIGTERM, &action, NULL);
+ sigaction(SIGHUP, &action, NULL);
+ sigaction(SIGINT, &action, NULL);
+ sigaction(SIGQUIT, &action, NULL);
+ sigaction(SIGALRM, &action, NULL);
+}
+
+static int
+_converse(int num_msg, const struct pam_message **msg,
+ struct pam_response **resp,
void *appdata_ptr) +{ + struct pam_response *reply; + int num; + + if (!(reply = malloc(sizeof(*reply) * num_msg))) + return PAM_CONV_ERR; + + for (num = 0; num < num_msg; num++) { + reply[num].resp_retcode = PAM_SUCCESS; + reply[num].resp = NULL; + switch (msg[num]->msg_style) { + case PAM_PROMPT_ECHO_ON: + return PAM_CONV_ERR; + case PAM_PROMPT_ECHO_OFF: + /* read the password from stdin */ + if (npass < 0) { + npass = read(STDIN_FILENO, pass, sizeof(pass)-1); + if (npass < 0) { + _log_err(LOG_DEBUG, "error reading password"); + return UNIX_FAILED; + } + pass[npass] = '\0'; + } + reply[num].resp = strdup(pass); + break; + case PAM_TEXT_INFO: + case PAM_ERROR_MSG: + /* ignored */ + break; + default: + /* Must be an error of some sort... */ + return PAM_CONV_ERR; + } + } + + *resp = reply; + return PAM_SUCCESS; +} + +static int +_authenticate(const char *service, const char *user) +{ + struct pam_conv conv = { _converse, NULL }; + pam_handle_t *pamh; + int err; + + err = pam_start(service, user, &conv, &pamh); + if (err != PAM_SUCCESS) { + _log_err(LOG_ERR, "pam_start(%s, %s) failed (errno %d)", + service, user, err); + return UNIX_FAILED; + } + + err = pam_authenticate(pamh, 0); + if (err != PAM_SUCCESS) + _log_err(LOG_ERR, "pam_authenticate(%s, %s): %s", + service, user, + pam_strerror(pamh, err)); + + if (err == PAM_SUCCESS) + { + err = pam_acct_mgmt(pamh, 0); + if (err == PAM_SUCCESS) + { + int err2 = pam_setcred(pamh, PAM_REFRESH_CRED); + if (err2 != PAM_SUCCESS) + _log_err(LOG_ERR, "pam_setcred(%s, %s): %s", + service, user, + pam_strerror(pamh, err2)); + /* + * ignore errors on refresh credentials. + * If this did not work we use the old once. 
+ */ + } else { + _log_err(LOG_ERR, "pam_acct_mgmt(%s, %s): %s", + service, user, + pam_strerror(pamh, err)); + } + } + + pam_end(pamh, err); + + if (err != PAM_SUCCESS) + return UNIX_FAILED; + return UNIX_PASSED; +} + +static char * +getuidname(uid_t uid) +{ + struct passwd *pw; + static char username[32]; + + pw = getpwuid(uid); + if (pw == NULL) + return NULL; + + strncpy(username, pw->pw_name, sizeof(username)); + username[sizeof(username) - 1] = '\0'; + + endpwent(); + return username; +} + +static int +sane_pam_service(const char *name) +{ + const char *sp; + char path[128]; + + if (strlen(name) > 32) + return 0; + for (sp = name; *sp; sp++) { + if (!isalnum(*sp) && *sp != '_' && *sp != '-') + return 0; + } + + snprintf(path, sizeof(path), "/etc/pam.d/%s", name); + return access(path, R_OK) == 0; +} + +static int +get_system_fail_delay (void) +{ + FILE *fs; + char buf[BUFLEN]; + long int delay = -1; + char *s; + int l; + + fs = fopen(LOGINDEFS, "r"); + if (NULL == fs) { + goto bail_out; + } + + while ((NULL != fgets(buf, BUFLEN, fs)) && (-1 == delay)) { + if (!strstr(buf, LOGINDEFS_FAIL_DELAY_KEY)) { + continue; + } + s = buf + strspn(buf, " \t"); + l = strcspn(s, " \t"); + if (strncmp(LOGINDEFS_FAIL_DELAY_KEY, s, l)) { + continue; + } + s += l; + s += strspn(s, " \t"); + errno = 0; + delay = strtol(s, NULL, 10); + if (errno) { + delay = -1; + } + break; + } + fclose (fs); +bail_out: + delay = (delay < 0) ? DEFAULT_FAIL_DELAY_S : delay; + return (int)delay; +} + +int +main(int argc, char *argv[]) +{ + const char *program_name; + char *service, *user; + int fd; + int result = UNIX_FAILED; + uid_t uid; + + uid = getuid(); + + /* + * Make sure standard file descriptors are connected. 
+ */ + while ((fd = open("/dev/null", O_RDWR)) <= 2) + ; + close(fd); + + /* + * Get the program name + */ + if (argc == 0) + program_name = "unix2_chkpwd"; + else if ((program_name = strrchr(argv[0], '/')) != NULL) + program_name++; + else + program_name = argv[0]; + + /* + * Catch or ignore as many signal as possible. + */ + setup_signals(); + + /* + * Check argument list + */ + if (argc < 2 || argc > 3) { + _log_err(LOG_NOTICE, "Bad number of arguments (%d)", argc); + return UNIX_FAILED; + } + + /* + * Get the service name and do some sanity checks on it + */ + service = argv[1]; + if (!sane_pam_service(service)) { + _log_err(LOG_ERR, "Illegal service name '%s'", service); + return UNIX_FAILED; + } + + /* + * Discourage users messing around (fat chance) + */ + if (isatty(STDIN_FILENO) && uid != 0) { + _log_err(LOG_NOTICE, + "Inappropriate use of Unix helper binary [UID=%d]", + uid); + fprintf(stderr, + "This binary is not designed for running in this way\n" + "-- the system administrator has been informed\n"); + sleep(10); /* this should discourage/annoy the user */ + return UNIX_FAILED; + } + + /* + * determine the caller's user name + */ + user = getuidname(uid); + if (argc == 3 && strcmp(user, argv[2])) { + user = argv[2]; + } + result = _authenticate(service, user); + /* Discourage use of this program as a + * password cracker */ + usleep(PASSWD_CRACKER_DELAY_MS * 1000); + if (result != UNIX_PASSED && uid != 0) + sleep(get_system_fail_delay()); + return result; +}
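Review bot: In `main`, the result of `getuidname(uid)` is used without a null check, although `getuidname` returns NULL when its `getpwuid` lookup fails; with `argc == 3` that NULL goes straight into `strcmp(user, argv[2])`, and with `argc == 2` it is handed on to `pam_start` through `_authenticate`. A set*id helper should fail closed with a log entry here rather than dereference a null pointer, so I would change the test to `if (argc == 3 && (user == NULL || strcmp(user, argv[2]) != 0))` and add `if (user == NULL) return UNIX_FAILED;` before the `_authenticate` call. The same block lets `argv[2]` replace the caller's own name for any calling UID, while the manual page added in this commit describes verifying the password of the current user; a comment at that `if` should state which behaviour is intended so that the page and the code agree.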