Sync from SUSE:SLFO:Main pam revision c30bf434b5f4bbbb90649d92c346dbac

2024-11-08 17:24:11 +01:00 · 2024-11-08 17:24:11 +01:00 · 09dc58a4ef
commit 09dc58a4ef
parent 8a72f7369a
10 changed files with 90 additions and 130 deletions
--- a/Linux-PAM-1.6.1.tar.xz
+++ b/Linux-PAM-1.6.1.tar.xz
--- a/Linux-PAM-1.6.1.tar.xz.asc
+++ b/Linux-PAM-1.6.1.tar.xz.asc
@ -1,16 +0,0 @@
-----BEGIN PGP SIGNATURE-----
-
-iQIcBAABCgAGBQJmFWt/AAoJEKgEH6g54W42NCwP/iWl8igdScTreVF6zV79Dqu1
-sl+ZjBr/dL+DOTcotsRnoAZUOy4ug3iktMZr1t0BMpWUorNmUofH4SZuhsX0CgRq
-47t5mVqCakwn4JLq8J9cLOciMno6ips5ZT4RbMgzRYd1WcBurCAxQSNLP3aQGgub
-RFObkqw5814ksz9Ge6QVhJ4l9P0wUoKfcpkzHj2Vq+cy0EzlBtnBGCHrMDgrz5aT
-mXqGVvWTPO+lR2S+7wOLUtPoRv0uvN6h97ZszaoGoJ6wa6yYwOYz12/AiIsVQhet
-cnr29ymuwPDqlrYGD1Hb0+ZUQExjVDQY90hdJ/ZntUlK7CY/2SotpDGB9kR8dTYJ
-fpIVmR6GEZ+xSjBqa7RaiL8ieZCgT3TIvsMqteiFkqI+2lhlSGHX3g3oNSd3sbqd
-PLok6W4L+xWDp89aMyYDDs/ISjBt5sSNK4NOOTZIMK4oeScGJJvrDL3S5DOSk1ku
-o3l9N62WStD7fk0LYnyUGZORg/ccK6Yy2fV22zBMm/76PoyA1yHfFxCW+HwwmcqR
-0riaFjA8cesZ3Dj79q24U3FRVdW5fTF9gS/5mK/Yj51KMMzTkUmbjksEC/AEBKzB
-9laXxPdIeKUwNlGs7Heo/NE87u4OZfyihwpzLaTcOzbpN3zDyH6aH5poDs1FSaQ2
-UoUkHsbCWJU/ksn/9BIQ
-=Dbz2
-----END PGP SIGNATURE-----
--- a/Linux-PAM-1.7.0.tar.xz
+++ b/Linux-PAM-1.7.0.tar.xz
--- a/Linux-PAM-1.7.0.tar.xz.asc
+++ b/Linux-PAM-1.7.0.tar.xz.asc
@ -0,0 +1,16 @@
+-----BEGIN PGP SIGNATURE-----
+
+iQIcBAABCgAGBQJnGiIVAAoJEKgEH6g54W42kSsP/jsmwl1WMrtPlze2jtRZ1ZVD
+HvJPJMYNCeXKpXxSCL4rt97TeZKp+8WbrmrbG+zG8okIFDKl4rHuU9PpJocIpwDd
+zAD1GQOqeUz0AyPPXBmsMshmQ3z+l8W9ykR1WCFrceXRAswSgNEDEavluVP9EHG
+epFA/+t1BR8G3GV6LH9LhRkTOOsE8O30hTEHZp1vCrR+xKJo41ZTq+VVvU8KFUrC
+lPGH9pX1ioe5rlLfvKNJthUKVoaNyDXED2la9sJPdTmc5hDBGLIo5hnBpvOn8Zfp
+cfMoB3lFBy6MHF7tb4ZfDxgG44D/xIwXd7Zddc6HenJl/SUjucXFq1OXHcK+MhqO
+63zFAci8k7ywwPPoGBpHMYZ2czZx3jo++It80b2CBMYKzi9YMVmaq/toEtMyI+Og
+W3gh4EfHkN98GQz4XC9yO4fjIno1J/Bwni6HNXBaumbg6xIPRwvxcOCdXZBUjKrx
+mDljxQetZJGzURidA+2cdJsAu1o0PDtzPguabno4aW2GMV9tUF3Q3aF+NClg18uZ
+eXlGd/fsrLOIGfhYOpbFyIEE5h/dZq3vIj/NOVfKCsU0yajs6d3Zj2Y+2sxs7ob
+z9begFsadFZ6atqA77FL7i4781U2bTtqp8qsj9UXb+gJabqnQZ2k+qBXg4XtAWrn
+iJaal6uBXWOJG9BG5l8G
+=CVaC
+-----END PGP SIGNATURE-----
--- a/baselibs.conf
+++ b/baselibs.conf
@ -4,3 +4,4 @@ pam
 	obsoletes "pam_unix-nis-<targettype>"
 pam-extra
 pam-devel
+pam-userdb
--- a/common-session-nonlogin.pamd
+++ b/common-session-nonlogin.pamd
@ -8,7 +8,6 @@
 # non-interactive), but not if they don't create a new login session
 # (e.g. like cron, chfn, chsh, ...)
 #
-session	required	pam_limits.so
 session	required	pam_unix.so	try_first_pass
 session optional	pam_umask.so
 session optional	pam_env.so
--- a/common-session.pamd
+++ b/common-session.pamd
@ -7,7 +7,6 @@
 # non-interactive).
 #
 session optional	pam_systemd.so
-session	required	pam_limits.so
 session	required	pam_unix.so	try_first_pass
 session optional	pam_umask.so
 session optional	pam_env.so
--- a/pam-bsc1194818-cursor-escape.patch
+++ b/pam-bsc1194818-cursor-escape.patch
@ -1,36 +0,0 @@
-From 8ae228fa76ff9ef1d8d6b2199582d9206f1830c6 Mon Sep 17 00:00:00 2001
-From: Stanislav Brabec <sbrabec@suse.cz>
-Date: Mon, 22 Jul 2024 23:18:16 +0200
-Subject: [PATCH] libpam_misc: Use ECHOCTL in the terminal input
-
-Use the canonical terminal mode (line mode) and set ECHOCTL to prevent
-cursor escape from the login prompt using arrows or escape sequences.
-
-ICANON is the default in most cases anyway. ECHOCTL is default on tty, but
-for example not on pty, allowing cursor to escape.
-
-Stanislav Brabec <sbrabec@suse.com>
---
- libpam_misc/misc_conv.c | 5 +++--
- 1 file changed, 3 insertions(+), 2 deletions(-)
-
-diff --git a/libpam_misc/misc_conv.c b/libpam_misc/misc_conv.c
-index 7410e929..6b839b48 100644
--- a/libpam_misc/misc_conv.c
-+++ b/libpam_misc/misc_conv.c
-@@ -145,9 +145,10 @@ static int read_string(int echo, const char *prompt, char **retstr)
- 	    return -1;
- 	}
- 	memcpy(&term_tmp, &term_before, sizeof(term_tmp));
-	if (!echo) {
-+	if (echo)
-+	    term_tmp.c_lflag |= ICANON | ECHOCTL;
-+	else
- 	    term_tmp.c_lflag &= ~(ECHO);
-	}
- 	have_term = 1;
- 
- 	/*
-- 
-2.45.2
-
--- a/pam.changes
+++ b/pam.changes
@ -1,3 +1,40 @@
+-------------------------------------------------------------------
+Thu Oct 24 11:57:20 UTC 2024 - Thorsten Kukuk <kukuk@suse.com>
+
+- Update to version 1.7.0
+  - build: changed build system from autotools to meson.
+  - libpam_misc: use ECHOCTL in the terminal input
+  - pam_access: support UID and GID in access.conf
+  - pam_env: install environment file in vendordir if vendordir is enabled
+  - pam_issue: only count class user if logind support is enabled
+  - pam_limits: use systemd-logind instead of utmp if logind support is enabled
+  - pam_unix: compare password hashes in constant time
+  - Multiple minor bug fixes, build fixes, portability fixes,
+    documentation improvements, and translation updates.
+- Drop upstream patches:
+  - pam-bsc1194818-cursor-escape.patch
+  - pam_limits-systemd.patch
+  - pam_issue-systemd.patch
+
+-------------------------------------------------------------------
+Thu Sep 12 07:50:55 UTC 2024 - Thorsten Kukuk <kukuk@suse.com>
+
+- baselibs.conf: add pam-userdb
+
+-------------------------------------------------------------------
+Tue Sep 10 08:22:02 UTC 2024 - Thorsten Kukuk <kukuk@suse.com>
+
+- pam_limits-systemd.patch: update to final PR
+
+-------------------------------------------------------------------
+Fri Sep  6 08:13:22 UTC 2024 - Thorsten Kukuk <kukuk@suse.com>
+
+- Add systemd-logind support to pam_limits (pam_limits-systemd.patch)
+- Remove /usr/etc/pam.d, everything should be migrated
+- Remove pam_limits from default common-sessions* files. pam_limits
+  is now part of pam-extra and not in our default generated config.
+- pam_issue-systemd.patch: only count class user sessions
+
 -------------------------------------------------------------------
 Wed Aug  7 14:44:56 UTC 2024 - Stanislav Brabec <sbrabec@suse.com>

--- a/pam.spec
+++ b/pam.spec
@ -36,10 +36,10 @@
 %endif

 %bcond_without selinux
-%bcond_with debug

 %define flavor @BUILD_FLAVOR@%{nil}

+# List of config files for migration to /usr/etc
 %define config_files pam.d/other pam.d/common-account pam.d/common-auth pam.d/common-password pam.d/common-session \\\
 	security/faillock.conf security/group.conf security/limits.conf security/pam_env.conf security/access.conf \\\
 	security/namespace.conf security/namespace.init security/sepermit.conf
@ -64,14 +64,13 @@
 %define libpamc_so_version 0.82.1
 %if ! %{defined _distconfdir}
  %define _distconfdir %{_sysconfdir}
-  %define config_noreplace 1
 %endif
 #
 %{load:%{_sourcedir}/macros.pam}
 #
 Name:           pam%{name_suffix}
 #
-Version:        1.6.1
+Version:        1.7.0
 Release:        0
 Summary:        A Security Tool that Provides Authentication for Applications
 License:        GPL-2.0-or-later OR BSD-3-Clause
@ -96,11 +95,10 @@ Source22:       postlogin-account.pamd
 Source23:       postlogin-password.pamd
 Source24:       postlogin-session.pamd
 Patch1:         pam-limit-nproc.patch
-Patch2:         pam-bsc1194818-cursor-escape.patch
 BuildRequires:  audit-devel
 BuildRequires:  bison
 BuildRequires:  flex
-BuildRequires:  libtool
+BuildRequires:  meson >= 0.62.0
 BuildRequires:  xz
 Requires(post): permissions
 # All login.defs variables require support from shadow side.
@ -144,11 +142,10 @@ username/password pair against values stored in a Berkeley DB database.
 %package -n pam-extra
 Summary:        PAM module with extended dependencies
 Group:          System/Libraries
-#BuildRequires:  pkgconfig(systemd) 
-# The systemd-mini package does not pass configure checks
-BuildRequires:  systemd-devel >= 254
+BuildRequires:  pkgconfig(libsystemd) >= 254
 BuildRequires:  pam-devel
 Provides:	pam:%{_sbindir}/pam_timestamp_check
+Provides:       pam:%{_pam_moduledir}/pam_limits.so

 %description -n pam-extra
 PAM (Pluggable Authentication Modules) is a system security tool that
@ -211,32 +208,23 @@ cp -a %{SOURCE12} .

 %build
 bash ./pam-login_defs-check.sh
-export CFLAGS="%{optflags}"
-%if !%{with debug}
-CFLAGS="$CFLAGS -DNDEBUG"
-%endif
 %if %{livepatchable}
 CFLAGS="$CFLAGS -fpatchable-function-entry=16,14 -fdump-ipa-clones"
 %endif
-autoreconf
-%configure \
-	--includedir=%{_includedir}/security \
-	--docdir=%{_docdir}/pam \
-	--htmldir=%{_docdir}/pam/html \
-	--pdfdir=%{_docdir}/pam/pdf \
-	--enable-isadir=../..%{_pam_moduledir} \
-	--enable-securedir=%{_pam_moduledir} \
-	--enable-vendordir=%{_prefix}/etc \
-%if "%{flavor}" == "full"
-	--enable-logind \
-%endif
-        --disable-examples \
-	--disable-nis \
-%if %{with debug}
-	--enable-debug
-%endif

-%make_build
+%meson -Dvendordir=%{_distconfdir} \
+       -Ddocdir=%{_docdir}/pam \
+       -Dhtmldir=%{_docdir}/pam/html \
+       -Dpdfdir=%{_docdir}/pam/pdf \
+       -Dsecuredir=%{_pam_moduledir} \
+%if "%{flavor}" != "full"
+       -Dlogind=disabled \
+       -Dpam_userdb=disabled \
+       -Ddocs=disabled \
+%endif
+       -Dexamples=false \
+       -Dnis=disabled
+%meson_build

 %if %{livepatchable}

@ -264,29 +252,19 @@ cp %{tar_package_name} %{_other}

 %endif # livepatchable

-gcc -fwhole-program -fpie -pie -D_FILE_OFFSET_BITS=64 -D_GNU_SOURCE %{optflags} -I%{_builddir}/Linux-PAM-%{version}/libpam/include %{SOURCE10} -o %{_builddir}/unix2_chkpwd -L%{_builddir}/Linux-PAM-%{version}/libpam/.libs -lpam
+gcc -fwhole-program -fpie -pie -D_FILE_OFFSET_BITS=64 -D_GNU_SOURCE %{optflags} -I%{_builddir}/Linux-PAM-%{version}/libpam/include %{SOURCE10} -o %{_builddir}/unix2_chkpwd -L%{_builddir}/Linux-PAM-%{version}/%{_target_platform}/libpam -lpam

 %if %{build_main}
 %check
-%make_build check
+%meson_test
 %endif

 %install
+%meson_install
+
 mkdir -p %{buildroot}%{_pam_confdir}
 mkdir -p %{buildroot}%{_pam_vendordir}
-mkdir -p %{buildroot}%{_includedir}/security
-mkdir -p %{buildroot}%{_pam_moduledir}
-mkdir -p %{buildroot}/sbin
-mkdir -p -m 755 %{buildroot}%{_libdir}
-# For compat reasons
-mkdir -p %{buildroot}%{_distconfdir}/pam.d

-%make_install
-/sbin/ldconfig -n %{buildroot}%{_libdir}
-# Install documentation
-%make_install -C doc
-# install /etc/security/namespace.d used by pam_namespace.so for namespace.conf iscript
-install -d %{buildroot}%{_pam_secconfdir}/namespace.d
 # install other.pamd and common-*.pamd
 install -m 644 %{SOURCE3} %{buildroot}%{_pam_vendordir}/other
 install -m 644 %{SOURCE4} %{buildroot}%{_pam_vendordir}/common-auth
@ -298,21 +276,14 @@ install -m 644 %{SOURCE21} %{buildroot}%{_pam_vendordir}/postlogin-auth
 install -m 644 %{SOURCE22} %{buildroot}%{_pam_vendordir}/postlogin-account
 install -m 644 %{SOURCE23} %{buildroot}%{_pam_vendordir}/postlogin-password
 install -m 644 %{SOURCE24} %{buildroot}%{_pam_vendordir}/postlogin-session
-mkdir -p %{buildroot}%{_prefix}/lib/motd.d
-#
-# Remove crap
-#
-find %{buildroot} -type f -name "*.la" -delete -print
 #
 # Install READMEs of PAM modules
 #
 DOC=%{buildroot}%{_defaultdocdir}/pam
+%if "%{flavor}" == "full"
 mkdir -p $DOC/modules
-pushd modules
-for i in pam_*/README; do
-	cp -fpv "$i" "$DOC/modules/README.${i%/*}"
-done
-popd
+cp -fpv %{_vpath_builddir}/modules/pam_*/pam_*.txt "$DOC/modules/"
+%endif
 # Install unix2_chkpwd
 install -m 755 %{_builddir}/unix2_chkpwd %{buildroot}%{_sbindir}

@ -322,7 +293,6 @@ install -D -m 644 %{SOURCE2} %{buildroot}%{_rpmmacrodir}/macros.pam
 install -Dm0644 %{SOURCE13} %{buildroot}%{_tmpfilesdir}/pam.conf

 mkdir -p %{buildroot}%{_pam_secdistconfdir}/{limits.d,namespace.d}
-mv %{buildroot}%{_sysconfdir}/environment %{buildroot}%{_distconfdir}/environment

 # Remove manual pages for main package
 %if !%{build_doc}
@ -334,12 +304,13 @@ echo '.so man8/pam_motd.8' > %{buildroot}%{_mandir}/man5/motd.5
 %endif

 %if !%{build_main}
-rm -rf %{buildroot}{%{_sysconfdir},%{_distconfdir},%{_sbindir}/{f*,m*,pam_n*,pw*,u*},%{_pam_secconfdir},%{_pam_confdir},%{_datadir}/locale}
+rm -rf %{buildroot}{%{_distconfdir}/environment,%{_pam_secdistconfdir}/{a,f,g,n,p,s,t}*}
+rm -rf %{buildroot}{%{_sysconfdir},%{_sbindir}/{f*,m*,pam_n*,pw*,u*},%{_pam_secconfdir},%{_pam_confdir},%{_datadir}/locale}
 rm -rf %{buildroot}{%{_includedir},%{_libdir}/{libpam*,pkgconfig},%{_pam_vendordir},%{_rpmmacrodir},%{_tmpfilesdir},%{_unitdir}/pam_namespace.service}
-rm -rf %{buildroot}%{_pam_moduledir}/pam_{a,b,c,d,e,f,g,h,j,k,l,m,n,o,p,q,r,s,v,w,x,y,z,time.,tt,um,un,usertype}*
+rm -rf %{buildroot}%{_pam_moduledir}/pam_{a,b,c,d,e,f,g,h,j,k,la,lis,lo,m,n,o,p,q,r,s,v,w,x,y,z,time.,tt,um,un,usertype}*
 %else
 # Delete files for extra package
-rm -rf  %{buildroot}{%{_pam_moduledir}/pam_issue.so,%{_pam_moduledir}/pam_timestamp.so,%{_sbindir}/pam_timestamp_check}
+rm -rf  %{buildroot}{%{_pam_moduledir}/pam_limits.so,%{_pam_secdistconfdir}/limits.conf,%{_pam_moduledir}/pam_issue.so,%{_pam_moduledir}/pam_timestamp.so,%{_sbindir}/pam_timestamp_check}

 # Create filelist with translations
 %find_lang Linux-PAM
@ -373,31 +344,17 @@ done
 %files -f Linux-PAM.lang
 %doc NEWS
 %license COPYING
-%exclude %{_defaultdocdir}/pam/html
-%exclude %{_defaultdocdir}/pam/modules
-%exclude %{_defaultdocdir}/pam/pdf
-%exclude %{_defaultdocdir}/pam/*.txt
 %dir %{_pam_confdir}
 %dir %{_pam_vendordir}
 %dir %{_pam_secconfdir}
 %dir %{_pam_secdistconfdir}
-%dir %{_pam_secdistconfdir}/limits.d
-# /usr/etc/pam.d is for compat reasons
-%dir %{_distconfdir}/pam.d
-%dir %{_prefix}/lib/motd.d
-%if %{defined config_noreplace}
-%config(noreplace) %{_pam_confdir}/other
-%config(noreplace) %{_pam_confdir}/common-*
-%else
 %{_pam_vendordir}/other
 %{_pam_vendordir}/common-*
 %{_pam_vendordir}/postlogin-*
-%endif
 %{_distconfdir}/environment
 %{_pam_secdistconfdir}/access.conf
 %{_pam_secdistconfdir}/group.conf
 %{_pam_secdistconfdir}/faillock.conf
-%{_pam_secdistconfdir}/limits.conf
 %{_pam_secdistconfdir}/pam_env.conf
 %if %{with selinux}
 %{_pam_secdistconfdir}/sepermit.conf
@ -429,7 +386,6 @@ done
 %{_pam_moduledir}/pam_ftp.so
 %{_pam_moduledir}/pam_group.so
 %{_pam_moduledir}/pam_keyinit.so
-%{_pam_moduledir}/pam_limits.so
 %{_pam_moduledir}/pam_listfile.so
 %{_pam_moduledir}/pam_localuser.so
 %{_pam_moduledir}/pam_loginuid.so
@ -490,6 +446,10 @@ done
 %if %{build_extra}
 %files -n pam-extra
 %defattr(-,root,root,755)
+%dir %{_pam_secdistconfdir}
+%dir %{_pam_secdistconfdir}/limits.d
+%{_pam_secdistconfdir}/limits.conf
+%{_pam_moduledir}/pam_limits.so
 %{_pam_moduledir}/pam_issue.so
 %{_pam_moduledir}/pam_timestamp.so
 %{_sbindir}/pam_timestamp_check