From 09dc58a4efebc18c8e78235fa3c1df972e284078492e826252b0dae1673d138a Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Adrian=20Schr=C3=B6ter?=
Date: Fri, 8 Nov 2024 17:24:11 +0100
Subject: [PATCH] Sync from SUSE:SLFO:Main pam revision c30bf434b5f4bbbb90649d92c346dbac
---
Linux-PAM-1.6.1.tar.xz | 3 -
Linux-PAM-1.6.1.tar.xz.asc | 16 -----
Linux-PAM-1.7.0.tar.xz | 3 +
Linux-PAM-1.7.0.tar.xz.asc | 16 +++++
baselibs.conf | 1 +
common-session-nonlogin.pamd | 1 -
common-session.pamd | 1 -
pam-bsc1194818-cursor-escape.patch | 36 ----------
pam.changes | 37 ++++++++++
pam.spec | 106 +++++++++--------------------
10 files changed, 90 insertions(+), 130 deletions(-)
delete mode 100644 Linux-PAM-1.6.1.tar.xz
delete mode 100644 Linux-PAM-1.6.1.tar.xz.asc
create mode 100644 Linux-PAM-1.7.0.tar.xz
create mode 100644 Linux-PAM-1.7.0.tar.xz.asc
delete mode 100644 pam-bsc1194818-cursor-escape.patch
diff --git a/Linux-PAM-1.6.1.tar.xz b/Linux-PAM-1.6.1.tar.xz
deleted file mode 100644
index 95fe0a8..0000000
--- a/Linux-PAM-1.6.1.tar.xz
+++ /dev/null
@@ -1,3 +0,0 @@
-version https://git-lfs.github.com/spec/v1
-oid sha256:f8923c740159052d719dbfc2a2f81942d68dd34fcaf61c706a02c9b80feeef8e
-size 1054152
diff --git a/Linux-PAM-1.6.1.tar.xz.asc b/Linux-PAM-1.6.1.tar.xz.asc
deleted file mode 100644
index 8cbfcb4..0000000
--- a/Linux-PAM-1.6.1.tar.xz.asc
+++ /dev/null
@@ -1,16 +0,0 @@
------BEGIN PGP SIGNATURE-----
-
-iQIcBAABCgAGBQJmFWt/AAoJEKgEH6g54W42NCwP/iWl8igdScTreVF6zV79Dqu1
-sl+ZjBr/dL+DOTcotsRnoAZUOy4ug3iktMZr1t0BMpWUorNmUofH4SZuhsX0CgRq
-47t5mVqCakwn4JLq8J9cLOciMno6ips5ZT4RbMgzRYd1WcBurCAxQSNLP3aQGgub
-RFObkqw5814ksz9Ge6QVhJ4l9P0wUoKfcpkzHj2Vq+cy0EzlBtnBGCHrMDgrz5aT
-mXqGVvWTPO+lR2S+7wOLUtPoRv0uvN6h97ZszaoGoJ6wa6yYwOYz12/AiIsVQhet
-cnr29ymuwPDqlrYGD1Hb0+ZUQExjVDQY90hdJ/ZntUlK7CY/2SotpDGB9kR8dTYJ
-fpIVmR6GEZ+xSjBqa7RaiL8ieZCgT3TIvsMqteiFkqI+2lhlSGHX3g3oNSd3sbqd
-PLok6W4L+xWDp89aMyYDDs/ISjBt5sSNK4NOOTZIMK4oeScGJJvrDL3S5DOSk1ku
-o3l9N62WStD7fk0LYnyUGZORg/ccK6Yy2fV22zBMm/76PoyA1yHfFxCW+HwwmcqR
-0riaFjA8cesZ3Dj79q24U3FRVdW5fTF9gS/5mK/Yj51KMMzTkUmbjksEC/AEBKzB
-9laXxPdIeKUwNlGs7Heo/NE87u4OZfyihwpzLaTcOzbpN3zDyH6aH5poDs1FSaQ2
-UoUkHsbCWJU/ksn/9BIQ
-=Dbz2
------END PGP SIGNATURE-----
diff --git a/Linux-PAM-1.7.0.tar.xz b/Linux-PAM-1.7.0.tar.xz
new file mode 100644
index 0000000..69dc2e3
--- /dev/null
+++ b/Linux-PAM-1.7.0.tar.xz
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:57dcd7a6b966ecd5bbd95e1d11173734691e16b68692fa59661cdae9b13b1697
+size 507824
diff --git a/Linux-PAM-1.7.0.tar.xz.asc b/Linux-PAM-1.7.0.tar.xz.asc
new file mode 100644
index 0000000..5fbbdaa
--- /dev/null
+++ b/Linux-PAM-1.7.0.tar.xz.asc
@@ -0,0 +1,16 @@ +-----BEGIN PGP SIGNATURE----- + +iQIcBAABCgAGBQJnGiIVAAoJEKgEH6g54W42kSsP/jsmwl1WMrtPlze2jtRZ1ZVD +HvJPJMYNCeXKpXxSCL4rt97TeZKp+8WbrmrbG+zG8okIFDKl4rHuU9PpJocIpwDd ++zAD1GQOqeUz0AyPPXBmsMshmQ3z+l8W9ykR1WCFrceXRAswSgNEDEavluVP9EHG +epFA/+t1BR8G3GV6LH9LhRkTOOsE8O30hTEHZp1vCrR+xKJo41ZTq+VVvU8KFUrC +lPGH9pX1ioe5rlLfvKNJthUKVoaNyDXED2la9sJPdTmc5hDBGLIo5hnBpvOn8Zfp +cfMoB3lFBy6MHF7tb4ZfDxgG44D/xIwXd7Zddc6HenJl/SUjucXFq1OXHcK+MhqO +63zFAci8k7ywwPPoGBpHMYZ2czZx3jo++It80b2CBMYKzi9YMVmaq/toEtMyI+Og +W3gh4EfHkN98GQz4XC9yO4fjIno1J/Bwni6HNXBaumbg6xIPRwvxcOCdXZBUjKrx +mDljxQetZJGzURidA+2cdJsAu1o0PDtzPguabno4aW2GMV9tUF3Q3aF+NClg18uZ ++eXlGd/fsrLOIGfhYOpbFyIEE5h/dZq3vIj/NOVfKCsU0yajs6d3Zj2Y+2sxs7ob +z9begFsadFZ6atqA77FL7i4781U2bTtqp8qsj9UXb+gJabqnQZ2k+qBXg4XtAWrn +iJaal6uBXWOJG9BG5l8G +=CVaC +-----END PGP SIGNATURE----- diff --git a/baselibs.conf b/baselibs.conf index aae13c0..af91018 100644 --- a/baselibs.conf +++ b/baselibs.conf @@ -4,3 +4,4 @@ pam obsoletes "pam_unix-nis-" pam-extra pam-devel +pam-userdb diff --git a/common-session-nonlogin.pamd b/common-session-nonlogin.pamd index 665a150..827283b 100644 --- a/common-session-nonlogin.pamd +++ b/common-session-nonlogin.pamd @@ -8,7 +8,6 @@ # non-interactive), but not if they don't create a new login session # (e.g. like cron, chfn, chsh, ...) # -session required pam_limits.so session required pam_unix.so try_first_pass session optional pam_umask.so session optional pam_env.so diff --git a/common-session.pamd b/common-session.pamd index f20e8c2..c57304c 100644 --- a/common-session.pamd +++ b/common-session.pamd @@ -7,7 +7,6 @@ # non-interactive). # session optional pam_systemd.so -session required pam_limits.so session required pam_unix.so try_first_pass session optional pam_umask.so session optional pam_env.so diff --git a/pam-bsc1194818-cursor-escape.patch b/pam-bsc1194818-cursor-escape.patch deleted file mode 100644 index fbd27de..0000000 --- a/pam-bsc1194818-cursor-escape.patch +++ /dev/null 
@@ -1,36 +0,0 @@
-From 8ae228fa76ff9ef1d8d6b2199582d9206f1830c6 Mon Sep 17 00:00:00 2001
-From: Stanislav Brabec
-Date: Mon, 22 Jul 2024 23:18:16 +0200
-Subject: [PATCH] libpam_misc: Use ECHOCTL in the terminal input
-
-Use the canonical terminal mode (line mode) and set ECHOCTL to prevent
-cursor escape from the login prompt using arrows or escape sequences.
-
-ICANON is the default in most cases anyway. ECHOCTL is default on tty, but
-for example not on pty, allowing cursor to escape.
-
-Stanislav Brabec
----
- libpam_misc/misc_conv.c | 5 +++--
- 1 file changed, 3 insertions(+), 2 deletions(-)
-
-diff --git a/libpam_misc/misc_conv.c b/libpam_misc/misc_conv.c
-index 7410e929..6b839b48 100644
---- a/libpam_misc/misc_conv.c
-+++ b/libpam_misc/misc_conv.c
-@@ -145,9 +145,10 @@ static int read_string(int echo, const char *prompt, char **retstr)
- return -1;
- }
- memcpy(&term_tmp, &term_before, sizeof(term_tmp));
-- if (!echo) {
-+ if (echo)
-+ term_tmp.c_lflag |= ICANON | ECHOCTL;
-+ else
- term_tmp.c_lflag &= ~(ECHO);
-- }
- have_term = 1;
-
- /*
---
-2.45.2
-
diff --git a/pam.changes b/pam.changes
index 2ed849d..0aaf97d 100644
--- a/pam.changes
+++ b/pam.changes
@@ -1,3 +1,40 @@ +------------------------------------------------------------------- +Thu Oct 24 11:57:20 UTC 2024 - Thorsten Kukuk + +- Update to version 1.7.0 + - build: changed build system from autotools to meson. + - libpam_misc: use ECHOCTL in the terminal input + - pam_access: support UID and GID in access.conf + - pam_env: install environment file in vendordir if vendordir is enabled + - pam_issue: only count class user if logind support is enabled + - pam_limits: use systemd-logind instead of utmp if logind support is enabled + - pam_unix: compare password hashes in constant time + - Multiple minor bug fixes, build fixes, portability fixes, + documentation improvements, and translation updates. +- Drop upstream patches: + - pam-bsc1194818-cursor-escape.patch + - pam_limits-systemd.patch + - pam_issue-systemd.patch + +------------------------------------------------------------------- +Thu Sep 12 07:50:55 UTC 2024 - Thorsten Kukuk + +- baselibs.conf: add pam-userdb + +------------------------------------------------------------------- +Tue Sep 10 08:22:02 UTC 2024 - Thorsten Kukuk + +- pam_limits-systemd.patch: update to final PR + +------------------------------------------------------------------- +Fri Sep 6 08:13:22 UTC 2024 - Thorsten Kukuk + +- Add systemd-logind support to pam_limits (pam_limits-systemd.patch) +- Remove /usr/etc/pam.d, everything should be migrated +- Remove pam_limits from default common-sessions* files. pam_limits + is now part of pam-extra and not in our default generated config. +- pam_issue-systemd.patch: only count class user sessions + ------------------------------------------------------------------- Wed Aug 7 14:44:56 UTC 2024 - Stanislav Brabec diff --git a/pam.spec b/pam.spec index 652fd7b..51fefdb 100644 --- a/pam.spec +++ b/pam.spec 
@@ -36,10 +36,10 @@ %endif %bcond_without selinux -%bcond_with debug %define flavor @BUILD_FLAVOR@%{nil} +# List of config files for migration to /usr/etc %define config_files pam.d/other pam.d/common-account pam.d/common-auth pam.d/common-password pam.d/common-session \\\ security/faillock.conf security/group.conf security/limits.conf security/pam_env.conf security/access.conf \\\ security/namespace.conf security/namespace.init security/sepermit.conf @@ -64,14 +64,13 @@ %define libpamc_so_version 0.82.1 %if ! %{defined _distconfdir} %define _distconfdir %{_sysconfdir} - %define config_noreplace 1 %endif # %{load:%{_sourcedir}/macros.pam} # Name: pam%{name_suffix} # -Version: 1.6.1 +Version: 1.7.0 Release: 0 Summary: A Security Tool that Provides Authentication for Applications License: GPL-2.0-or-later OR BSD-3-Clause @@ -96,11 +95,10 @@ Source22: postlogin-account.pamd Source23: postlogin-password.pamd Source24: postlogin-session.pamd Patch1: pam-limit-nproc.patch -Patch2: pam-bsc1194818-cursor-escape.patch BuildRequires: audit-devel BuildRequires: bison BuildRequires: flex -BuildRequires: libtool +BuildRequires: meson >= 0.62.0 BuildRequires: xz Requires(post): permissions # All login.defs variables require support from shadow side. @@ -144,11 +142,10 @@ username/password pair against values stored in a Berkeley DB database. %package -n pam-extra Summary: PAM module with extended dependencies Group: System/Libraries -#BuildRequires: pkgconfig(systemd) -# The systemd-mini package does not pass configure checks -BuildRequires: systemd-devel >= 254 +BuildRequires: pkgconfig(libsystemd) >= 254 BuildRequires: pam-devel Provides: pam:%{_sbindir}/pam_timestamp_check +Provides: pam:%{_pam_moduledir}/pam_limits.so %description -n pam-extra PAM (Pluggable Authentication Modules) is a system security tool that 
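Review bot: The `Provides: pam:%{_pam_moduledir}/pam_limits.so` added to pam-extra in the last hunk on this line has no comment saying it exists for the package split, yet it appears to be what lets the solver pull in pam-extra on hosts whose local PAM stacks still list `session required pam_limits.so`. With the module moved out of the main package (the `%files` hunks at the end of pam.spec and the common-session*.pamd hunks belong to the same move), a stack that names a required module which is not installed fails session setup. Hosts that rely on limits.conf for resource caps also stop getting them from the default configuration. I would put a comment above the line, for example `# pam_limits.so moved from pam to pam-extra; split-provides so updates install pam-extra`. It is also worth confirming that the still-applied `Patch1: pam-limit-nproc.patch` is wanted in the main flavor, since that flavor no longer ships limits.conf.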
@@ -211,32 +208,23 @@ cp -a %{SOURCE12} . %build bash ./pam-login_defs-check.sh -export CFLAGS="%{optflags}" -%if !%{with debug} -CFLAGS="$CFLAGS -DNDEBUG" -%endif %if %{livepatchable} CFLAGS="$CFLAGS -fpatchable-function-entry=16,14 -fdump-ipa-clones" %endif -autoreconf -%configure \ - --includedir=%{_includedir}/security \ - --docdir=%{_docdir}/pam \ - --htmldir=%{_docdir}/pam/html \ - --pdfdir=%{_docdir}/pam/pdf \ - --enable-isadir=../..%{_pam_moduledir} \ - --enable-securedir=%{_pam_moduledir} \ - --enable-vendordir=%{_prefix}/etc \ -%if "%{flavor}" == "full" - --enable-logind \ -%endif - --disable-examples \ - --disable-nis \ -%if %{with debug} - --enable-debug -%endif -%make_build +%meson -Dvendordir=%{_distconfdir} \ + -Ddocdir=%{_docdir}/pam \ + -Dhtmldir=%{_docdir}/pam/html \ + -Dpdfdir=%{_docdir}/pam/pdf \ + -Dsecuredir=%{_pam_moduledir} \ +%if "%{flavor}" != "full" + -Dlogind=disabled \ + -Dpam_userdb=disabled \ + -Ddocs=disabled \ +%endif + -Dexamples=false \ + -Dnis=disabled +%meson_build %if %{livepatchable} 
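Review bot: The livepatchable branch still appends to `$CFLAGS` (`CFLAGS="$CFLAGS -fpatchable-function-entry=16,14 -fdump-ipa-clones"`), but this hunk removes the `export CFLAGS="%{optflags}"` that seeded the variable. The `%meson` definition is not visible here; if it only falls back to `%{optflags}` when CFLAGS is unset or empty, as such macros are commonly written, livepatchable builds would compile libpam and its modules without the distribution's hardening flags. Seeding the variable inside the conditional avoids depending on that: `export CFLAGS="%{optflags} -fpatchable-function-entry=16,14 -fdump-ipa-clones"`. The dropped `-DNDEBUG` likewise deserves an explicit decision, because it determines whether `assert()` calls stay compiled into an authentication library. The `%build` section continues outside this hunk.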
@@ -264,29 +252,19 @@ cp %{tar_package_name} %{_other} %endif # livepatchable -gcc -fwhole-program -fpie -pie -D_FILE_OFFSET_BITS=64 -D_GNU_SOURCE %{optflags} -I%{_builddir}/Linux-PAM-%{version}/libpam/include %{SOURCE10} -o %{_builddir}/unix2_chkpwd -L%{_builddir}/Linux-PAM-%{version}/libpam/.libs -lpam +gcc -fwhole-program -fpie -pie -D_FILE_OFFSET_BITS=64 -D_GNU_SOURCE %{optflags} -I%{_builddir}/Linux-PAM-%{version}/libpam/include %{SOURCE10} -o %{_builddir}/unix2_chkpwd -L%{_builddir}/Linux-PAM-%{version}/%{_target_platform}/libpam -lpam %if %{build_main} %check -%make_build check +%meson_test %endif %install +%meson_install + mkdir -p %{buildroot}%{_pam_confdir} mkdir -p %{buildroot}%{_pam_vendordir} -mkdir -p %{buildroot}%{_includedir}/security -mkdir -p %{buildroot}%{_pam_moduledir} -mkdir -p %{buildroot}/sbin -mkdir -p -m 755 %{buildroot}%{_libdir} -# For compat reasons -mkdir -p %{buildroot}%{_distconfdir}/pam.d -%make_install -/sbin/ldconfig -n %{buildroot}%{_libdir} -# Install documentation -%make_install -C doc -# install /etc/security/namespace.d used by pam_namespace.so for namespace.conf iscript -install -d %{buildroot}%{_pam_secconfdir}/namespace.d # install other.pamd and common-*.pamd install -m 644 %{SOURCE3} %{buildroot}%{_pam_vendordir}/other install -m 644 %{SOURCE4} %{buildroot}%{_pam_vendordir}/common-auth 
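Review bot: The `unix2_chkpwd` link line hard-codes the meson build directory as `%{_target_platform}` in `-L%{_builddir}/Linux-PAM-%{version}/%{_target_platform}/libpam`, while the README copy later in this commit locates the same tree through `%{_vpath_builddir}`. If the two ever differ, the `-L` path points at nothing and the helper either fails to link or, when a libpam is already present in the build root, may link against that older copy instead of the one just built. Using the same macro in both places removes the ambiguity: `-L%{_builddir}/Linux-PAM-%{version}/%{_vpath_builddir}/libpam -lpam`. The `%install` section continues outside this hunk.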
@@ -298,21 +276,14 @@ install -m 644 %{SOURCE21} %{buildroot}%{_pam_vendordir}/postlogin-auth install -m 644 %{SOURCE22} %{buildroot}%{_pam_vendordir}/postlogin-account install -m 644 %{SOURCE23} %{buildroot}%{_pam_vendordir}/postlogin-password install -m 644 %{SOURCE24} %{buildroot}%{_pam_vendordir}/postlogin-session -mkdir -p %{buildroot}%{_prefix}/lib/motd.d -# -# Remove crap -# -find %{buildroot} -type f -name "*.la" -delete -print # # Install READMEs of PAM modules # DOC=%{buildroot}%{_defaultdocdir}/pam +%if "%{flavor}" == "full" mkdir -p $DOC/modules -pushd modules -for i in pam_*/README; do - cp -fpv "$i" "$DOC/modules/README.${i%/*}" -done -popd +cp -fpv %{_vpath_builddir}/modules/pam_*/pam_*.txt "$DOC/modules/" +%endif # Install unix2_chkpwd install -m 755 %{_builddir}/unix2_chkpwd %{buildroot}%{_sbindir} @@ -322,7 +293,6 @@ install -D -m 644 %{SOURCE2} %{buildroot}%{_rpmmacrodir}/macros.pam install -Dm0644 %{SOURCE13} %{buildroot}%{_tmpfilesdir}/pam.conf mkdir -p %{buildroot}%{_pam_secdistconfdir}/{limits.d,namespace.d} -mv %{buildroot}%{_sysconfdir}/environment %{buildroot}%{_distconfdir}/environment # Remove manual pages for main package %if !%{build_doc} 
@@ -334,12 +304,13 @@ echo '.so man8/pam_motd.8' > %{buildroot}%{_mandir}/man5/motd.5 %endif %if !%{build_main} -rm -rf %{buildroot}{%{_sysconfdir},%{_distconfdir},%{_sbindir}/{f*,m*,pam_n*,pw*,u*},%{_pam_secconfdir},%{_pam_confdir},%{_datadir}/locale} +rm -rf %{buildroot}{%{_distconfdir}/environment,%{_pam_secdistconfdir}/{a,f,g,n,p,s,t}*} +rm -rf %{buildroot}{%{_sysconfdir},%{_sbindir}/{f*,m*,pam_n*,pw*,u*},%{_pam_secconfdir},%{_pam_confdir},%{_datadir}/locale} rm -rf %{buildroot}{%{_includedir},%{_libdir}/{libpam*,pkgconfig},%{_pam_vendordir},%{_rpmmacrodir},%{_tmpfilesdir},%{_unitdir}/pam_namespace.service} -rm -rf %{buildroot}%{_pam_moduledir}/pam_{a,b,c,d,e,f,g,h,j,k,l,m,n,o,p,q,r,s,v,w,x,y,z,time.,tt,um,un,usertype}* +rm -rf %{buildroot}%{_pam_moduledir}/pam_{a,b,c,d,e,f,g,h,j,k,la,lis,lo,m,n,o,p,q,r,s,v,w,x,y,z,time.,tt,um,un,usertype}* %else # Delete files for extra package -rm -rf %{buildroot}{%{_pam_moduledir}/pam_issue.so,%{_pam_moduledir}/pam_timestamp.so,%{_sbindir}/pam_timestamp_check} +rm -rf %{buildroot}{%{_pam_moduledir}/pam_limits.so,%{_pam_secdistconfdir}/limits.conf,%{_pam_moduledir}/pam_issue.so,%{_pam_moduledir}/pam_timestamp.so,%{_sbindir}/pam_timestamp_check} # Create filelist with translations %find_lang Linux-PAM 
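Review bot: The prefix globs in the `%if !%{build_main}` branch act as an implicit allow-list with no comment saying what they are meant to keep. `pam_{a,b,c,d,e,f,g,h,j,k,la,lis,lo,m,...,time.,tt,um,un,usertype}*` leaves behind anything starting with `pam_i`, `pam_lim`, `pam_times` or `pam_us`, and `{a,f,g,n,p,s,t}*` under `%{_pam_secdistconfdir}` leaves anything starting with `l`, so a future upstream module or config file with one of those prefixes would stay in the buildroot of the non-main flavors unnoticed by a reader. I would document the intent next to each `rm -rf`, for example `# keep only pam_issue, pam_limits, pam_timestamp and pam_userdb; all other modules belong to the main package` and `# keep limits.conf and limits.d for pam-extra`. If the list has to change again, an explicit keep-list with `find ... ! -name` would be easier to audit than extending the brace expression.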
@@ -373,31 +344,17 @@ done %files -f Linux-PAM.lang %doc NEWS %license COPYING -%exclude %{_defaultdocdir}/pam/html -%exclude %{_defaultdocdir}/pam/modules -%exclude %{_defaultdocdir}/pam/pdf -%exclude %{_defaultdocdir}/pam/*.txt %dir %{_pam_confdir} %dir %{_pam_vendordir} %dir %{_pam_secconfdir} %dir %{_pam_secdistconfdir} -%dir %{_pam_secdistconfdir}/limits.d -# /usr/etc/pam.d is for compat reasons -%dir %{_distconfdir}/pam.d -%dir %{_prefix}/lib/motd.d -%if %{defined config_noreplace} -%config(noreplace) %{_pam_confdir}/other -%config(noreplace) %{_pam_confdir}/common-* -%else %{_pam_vendordir}/other %{_pam_vendordir}/common-* %{_pam_vendordir}/postlogin-* -%endif %{_distconfdir}/environment %{_pam_secdistconfdir}/access.conf %{_pam_secdistconfdir}/group.conf %{_pam_secdistconfdir}/faillock.conf -%{_pam_secdistconfdir}/limits.conf %{_pam_secdistconfdir}/pam_env.conf %if %{with selinux} %{_pam_secdistconfdir}/sepermit.conf @@ -429,7 +386,6 @@ done %{_pam_moduledir}/pam_ftp.so %{_pam_moduledir}/pam_group.so %{_pam_moduledir}/pam_keyinit.so -%{_pam_moduledir}/pam_limits.so %{_pam_moduledir}/pam_listfile.so %{_pam_moduledir}/pam_localuser.so %{_pam_moduledir}/pam_loginuid.so @@ -490,6 +446,10 @@ done %if %{build_extra} %files -n pam-extra %defattr(-,root,root,755) +%dir %{_pam_secdistconfdir} +%dir %{_pam_secdistconfdir}/limits.d +%{_pam_secdistconfdir}/limits.conf +%{_pam_moduledir}/pam_limits.so %{_pam_moduledir}/pam_issue.so %{_pam_moduledir}/pam_timestamp.so %{_sbindir}/pam_timestamp_check