Sync from SUSE:SLFO:Main pam revision 87d53b016a50ec24e701f0298ef63bef

2024-05-31 15:42:57 +02:00 · 2024-05-31 15:42:57 +02:00 · fa11b990ef
commit fa11b990ef
parent 242ad4afd6
10 changed files with 42 additions and 217 deletions
--- a/Linux-PAM-1.6.0.tar.xz
+++ b/Linux-PAM-1.6.0.tar.xz
--- a/Linux-PAM-1.6.0.tar.xz.asc
+++ b/Linux-PAM-1.6.0.tar.xz.asc
@ -1,16 +0,0 @@
 -----BEGIN PGP SIGNATURE-----
 iQIcBAABCgAGBQJlp6wnAAoJEKgEH6g54W42MiEP/A9ZznPwFC64SbhbvFYOt6dI
 n7NMhzBK4NNw4FLuqeTtIDibNVZ5PkrPHTVaaUuZ2etIkAtUzQLJfB6AyIUY80Gm
 NrURXs3LTGZT413A5hH21wUiMLFXIi8GGcz2THV9FJX4KruOkvxXVTxUH6ntlsHY
 U+NpNbQXtbq7whzdb7A2W7Ofyg4/gG/QJuLil1cS0rlGg2GhGqxQKBpzvag3fFM3
 XQClfUTF0ALhR6RH0HzolwEsOSp/C1US0mHHfBsvMlbkHrba5VrlQyvdximtzXxw
 6+vNaYVd0SX40e3QCLFQ3yAwqAVK6g0lVlgohSCZbjDJgdcoklShE2x7GtVyzwMi
 Vic7nkzANQPb0EH14Bo+SMQEOGtZ99tVUt4jX4Rt6f0P/pBCiF6ugJj/IJ67Ouu2
 gp1aRVFrrhFetucdeZhnXb7IJ8h4FDtklRcOS8OgsPGJofLjZmVICrwt6sxpU30n
 b/csdoJ1xrMuvo1RGAeSi58sz4KiyKxnTDJL1+7owoK6oNMkN2HR6pE4NH0Atm4n
 NcQykgvavC6GZwUsMqrGQypG30LdkKiRScPqCerNYzi01iL7Zxw5BK/plFBwCqJQ
 LQH1FUUKEUMA13dt/bUOMSUNmkyIC3PtE69g6XeLRL1M00gRwGgjn8azcYDzOWox
 zxDFnUsJ/JgmJm3y47J2
 =wzV/
 -----END PGP SIGNATURE-----
--- a/Linux-PAM-1.6.1.tar.xz
+++ b/Linux-PAM-1.6.1.tar.xz
--- a/Linux-PAM-1.6.1.tar.xz.asc
+++ b/Linux-PAM-1.6.1.tar.xz.asc
@ -0,0 +1,16 @@
 -----BEGIN PGP SIGNATURE-----
 iQIcBAABCgAGBQJmFWt/AAoJEKgEH6g54W42NCwP/iWl8igdScTreVF6zV79Dqu1
 sl+ZjBr/dL+DOTcotsRnoAZUOy4ug3iktMZr1t0BMpWUorNmUofH4SZuhsX0CgRq
 47t5mVqCakwn4JLq8J9cLOciMno6ips5ZT4RbMgzRYd1WcBurCAxQSNLP3aQGgub
 RFObkqw5814ksz9Ge6QVhJ4l9P0wUoKfcpkzHj2Vq+cy0EzlBtnBGCHrMDgrz5aT
 mXqGVvWTPO+lR2S+7wOLUtPoRv0uvN6h97ZszaoGoJ6wa6yYwOYz12/AiIsVQhet
 cnr29ymuwPDqlrYGD1Hb0+ZUQExjVDQY90hdJ/ZntUlK7CY/2SotpDGB9kR8dTYJ
 fpIVmR6GEZ+xSjBqa7RaiL8ieZCgT3TIvsMqteiFkqI+2lhlSGHX3g3oNSd3sbqd
 PLok6W4L+xWDp89aMyYDDs/ISjBt5sSNK4NOOTZIMK4oeScGJJvrDL3S5DOSk1ku
 o3l9N62WStD7fk0LYnyUGZORg/ccK6Yy2fV22zBMm/76PoyA1yHfFxCW+HwwmcqR
 0riaFjA8cesZ3Dj79q24U3FRVdW5fTF9gS/5mK/Yj51KMMzTkUmbjksEC/AEBKzB
 9laXxPdIeKUwNlGs7Heo/NE87u4OZfyihwpzLaTcOzbpN3zDyH6aH5poDs1FSaQ2
 UoUkHsbCWJU/ksn/9BIQ
 =Dbz2
 -----END PGP SIGNATURE-----
--- a/pam.changes
+++ b/pam.changes
@ -1,3 +1,24 @@
 -------------------------------------------------------------------
 Wed Apr 10 07:12:02 UTC 2024 - Thorsten Kukuk <kukuk@suse.com>
 - Update to version 1.6.1
  - pam_env: fixed --disable-econf --enable-vendordir support.
  - pam_unix: do not warn if password aging is disabled.
  - pam_unix: try to set uid to 0 before unix_chkpwd invocation.
  - pam_unix: allow empty passwords with non-empty hashes.
  - Multiple minor bug fixes, build fixes, portability fixes,
    documentation improvements, and translation updates.
 - Remove backports:
  - pam_env-fix_vendordir.patch
  - pam_env-fix-enable-vendordir-fallback.patch
  - pam_env-remove-escaped-newlines.patch
  - pam_unix-fix-password-aging-disabled.patch
 -------------------------------------------------------------------
 Thu Feb 22 17:30:24 UTC 2024 - Valentin Lefebvre <valentin.lefebvre@suse.com>
 - Use autosetup to prepare for RPM 4.20. 
 -------------------------------------------------------------------
 Wed Feb  7 13:11:15 UTC 2024 - Thorsten Kukuk <kukuk@suse.com>
--- a/pam.spec
+++ b/pam.spec
@ -71,7 +71,7 @@
 #
 Name:           pam%{name_suffix}
 #
-Version:        1.6.0
+Version:        1.6.1
 Release:        0
 Summary:        A Security Tool that Provides Authentication for Applications
 License:        GPL-2.0-or-later OR BSD-3-Clause
@ -96,14 +96,6 @@ Source22:       postlogin-account.pamd
 Source23:       postlogin-password.pamd
 Source24:       postlogin-session.pamd
 Patch1:         pam-limit-nproc.patch
 # https://github.com/linux-pam/linux-pam/pull/739
 Patch2:         pam_env-fix_vendordir.patch
 # https://github.com/linux-pam/linux-pam/pull/740
 Patch3:		pam_env-fix-enable-vendordir-fallback.patch
 # https://github.com/linux-pam/linux-pam/pull/741
 Patch4:         pam_env-remove-escaped-newlines.patch
 # https://github.com/linux-pam/linux-pam/pull/744
 Patch5:         pam_unix-fix-password-aging-disabled.patch
 BuildRequires:  audit-devel
 BuildRequires:  bison
 BuildRequires:  flex
@ -213,13 +205,8 @@ This package contains header files and static libraries used for
 building both PAM-aware applications and modules for use with PAM.
 %prep
-%setup -q -n Linux-PAM-%{version}
+%autosetup -p1 -n Linux-PAM-%{version}
 cp -a %{SOURCE12} .
 %patch1 -p1
 %patch2 -p1
 %patch3 -p1
 %patch4 -p1
 %patch5 -p1
 %build
 bash ./pam-login_defs-check.sh
--- a/pam_env-fix-enable-vendordir-fallback.patch
+++ b/pam_env-fix-enable-vendordir-fallback.patch
@ -1,51 +0,0 @@
 From 28894b319488e8302899ee569b6e0911905f374e Mon Sep 17 00:00:00 2001
 From: "Dmitry V. Levin" <ldv@strace.io>
 Date: Thu, 18 Jan 2024 17:00:00 +0000
 Subject: [PATCH] pam_env: fix --enable-vendordir fallback logic
 * modules/pam_env/pam_env.c (_parse_config_file) [!USE_ECONF &&
 VENDOR_DEFAULT_CONF_FILE]: Do not fallback to vendor pam_env.conf file
 if the config file is specified via module arguments.
 Link: https://github.com/linux-pam/linux-pam/issues/738
 Fixes: v1.5.3~69 ("pam_env: Use vendor specific pam_env.conf and environment as fallback")
 ---
 modules/pam_env/pam_env.c | 22 +++++++++++-----------
 1 file changed, 11 insertions(+), 11 deletions(-)
 diff --git a/modules/pam_env/pam_env.c b/modules/pam_env/pam_env.c
 index a0b812fff..8b40b6a5a 100644
 --- a/modules/pam_env/pam_env.c
 +++ b/modules/pam_env/pam_env.c
@@ -850,20 +850,20 @@ _parse_config_file(pam_handle_t *pamh, int ctrl, const char *file)
 #ifdef USE_ECONF
     /* If "file" is not NULL, only this file will be parsed. */
     retval = econf_read_file(pamh, file, " \t", PAM_ENV, ".conf", "security", &conf_list);
 -#else
 +#else /* !USE_ECONF */
     /* Only one file will be parsed. So, file has to be set. */
 -    if (file == NULL) /* No filename has been set via argv. */
 +    if (file == NULL) { /* No filename has been set via argv. */
       file = DEFAULT_CONF_FILE;
 -#ifdef VENDOR_DEFAULT_CONF_FILE
 -    /*
 -    * Check whether file is available.
 -    * If it does not exist, fall back to VENDOR_DEFAULT_CONF_FILE file.
 -    */
 -    struct stat stat_buffer;
 -    if (stat(file, &stat_buffer) != 0 && errno == ENOENT) {
 -      file = VENDOR_DEFAULT_CONF_FILE;
 +# ifdef VENDOR_DEFAULT_CONF_FILE
 +      /*
 +       * Check whether DEFAULT_CONF_FILE file is available.
 +       * If it does not exist, fall back to VENDOR_DEFAULT_CONF_FILE file.
 +       */
 +      struct stat stat_buffer;
 +      if (stat(file, &stat_buffer) != 0 && errno == ENOENT)
 +        file = VENDOR_DEFAULT_CONF_FILE;
 +# endif
     }
 -#endif
     retval = read_file(pamh, file, &conf_list);
 #endif
--- a/pam_env-fix_vendordir.patch
+++ b/pam_env-fix_vendordir.patch
@ -1,51 +0,0 @@
 From 0703453bec6ac54ad31d7245be4529796a3ef764 Mon Sep 17 00:00:00 2001
 From: Tobias Stoeckmann <tobias@stoeckmann.org>
 Date: Thu, 18 Jan 2024 18:08:05 +0100
 Subject: [PATCH] pam_env: check VENDORDIR after config.h inclusion
 The VENDORDIR define has to be checked after config.h
 inclusion, otherwise the ifdef test always yields false.
 Fixes: 6135c45347b6 ("pam_env: Use vendor specific pam_env.conf and environment as fallback")
 Signed-off-by: Tobias Stoeckmann <tobias@stoeckmann.org>
 ---
 modules/pam_env/pam_env.c | 18 +++++++++---------
 1 file changed, 9 insertions(+), 9 deletions(-)
 diff --git a/modules/pam_env/pam_env.c b/modules/pam_env/pam_env.c
 index 59adc942c..a0b812fff 100644
 --- a/modules/pam_env/pam_env.c
 +++ b/modules/pam_env/pam_env.c
@@ -6,15 +6,6 @@
  * template for this file (via pam_mail)
  */
 -#define DEFAULT_ETC_ENVFILE     "/etc/environment"
 -#ifdef VENDORDIR
 -#define VENDOR_DEFAULT_ETC_ENVFILE (VENDORDIR "/environment")
 -#endif
 -#define DEFAULT_READ_ENVFILE    1
 -
 -#define DEFAULT_USER_ENVFILE    ".pam_environment"
 -#define DEFAULT_USER_READ_ENVFILE 0
 -
 #include "config.h"
 #include <ctype.h>
@@ -52,6 +43,15 @@ typedef struct var {
   char *override;
 } VAR;
 +#define DEFAULT_ETC_ENVFILE     "/etc/environment"
 +#ifdef VENDORDIR
 +#define VENDOR_DEFAULT_ETC_ENVFILE (VENDORDIR "/environment")
 +#endif
 +#define DEFAULT_READ_ENVFILE    1
 +
 +#define DEFAULT_USER_ENVFILE    ".pam_environment"
 +#define DEFAULT_USER_READ_ENVFILE 0
 +
 #define DEFAULT_CONF_FILE	(SCONFIGDIR "/pam_env.conf")
 #ifdef VENDOR_SCONFIGDIR
 #define VENDOR_DEFAULT_CONF_FILE (VENDOR_SCONFIGDIR "/pam_env.conf")
--- a/pam_env-remove-escaped-newlines.patch
+++ b/pam_env-remove-escaped-newlines.patch
@ -1,54 +0,0 @@
 From ef51c51523b4c6ce6275b2863a0de1a3a6dff1e5 Mon Sep 17 00:00:00 2001
 From: Tobias Stoeckmann <tobias@stoeckmann.org>
 Date: Thu, 18 Jan 2024 20:25:20 +0100
 Subject: [PATCH] pam_env: remove escaped newlines from econf lines
 The libeconf routines do not remove escaped newlines the way we want to
 process them later on. Manually remove them from values.
 Signed-off-by: Tobias Stoeckmann <tobias@stoeckmann.org>
 ---
 modules/pam_env/pam_env.c | 23 +++++++++++++++++++++++
 1 file changed, 23 insertions(+)
 diff --git a/modules/pam_env/pam_env.c b/modules/pam_env/pam_env.c
 index a0b812fff..5f53fbb10 100644
 --- a/modules/pam_env/pam_env.c
 +++ b/modules/pam_env/pam_env.c
@@ -160,6 +160,28 @@ isDirectory(const char *path) {
    return S_ISDIR(statbuf.st_mode);
 }
 +/*
 + * Remove escaped newline from string.
 + *
 + * All occurrences of "\\n" will be removed from string.
 + */
 +static void
 +econf_unescnl(char *val)
 +{
 +    char *dest, *p;
 +
 +    dest = p = val;
 +
 +    while (*p != '\0') {
 +      if (p[0] == '\\' && p[1] == '\n') {
 +	p += 2;
 +      } else {
 +	*dest++ = *p++;
 +      }
 +    }
 +    *dest = '\0';
 +}
 +
 static int
 econf_read_file(const pam_handle_t *pamh, const char *filename, const char *delim,
 			   const char *name, const char *suffix, const char *subpath,
@@ -270,6 +292,7 @@ econf_read_file(const pam_handle_t *pamh, const char *filename, const char *deli
 		   keys[i],
 		   econf_errString(error));
       } else {
 +        econf_unescnl(val);
         if (asprintf(&(*lines)[i],"%s%c%s", keys[i], delim[0], val) < 0) {
 	  pam_syslog(pamh, LOG_ERR, "Cannot allocate memory.");
           econf_free(keys);
--- a/pam_unix-fix-password-aging-disabled.patch
+++ b/pam_unix-fix-password-aging-disabled.patch
@ -1,27 +0,0 @@
 From 9d40f55216b2de60ccb9b617c79b9280b9f29ead Mon Sep 17 00:00:00 2001
 From: Tobias Stoeckmann <tobias@stoeckmann.org>
 Date: Fri, 19 Jan 2024 10:09:00 +0100
 Subject: [PATCH] pam_unix: do not warn if password aging disabled
 Later checks will print a warning if daysleft is 0. If password
 aging is disabled, leave daysleft at -1.
 Fixes 9ebc14085a3ba253598cfaa0d3f0d76ea5ee8ccb.
 Signed-off-by: Tobias Stoeckmann <tobias@stoeckmann.org>
 ---
 modules/pam_unix/passverify.c | 1 -
 1 file changed, 1 deletion(-)
 diff --git a/modules/pam_unix/passverify.c b/modules/pam_unix/passverify.c
 index 5c4f862e7..1bc98fa25 100644
 --- a/modules/pam_unix/passverify.c
 +++ b/modules/pam_unix/passverify.c
@@ -314,7 +314,6 @@ PAMH_ARG_DECL(int check_shadow_expiry,
 	}
 	if (spent->sp_lstchg < 0) {
 		D(("password aging disabled"));
 -		*daysleft = 0;
 		return PAM_SUCCESS;
 	}
 	if (curdays < spent->sp_lstchg) {