pool/pam
SHA256
2
0
Fork 2
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Accepting request 903070 from home:lnussel:usrmove

Browse Source 
- Remove legacy pre-usrmerge compat code (removed pam-usrmerge.diff)
- Backport patch to not install /usr/etc/securetty (boo#1033626) ie
  no distro defaults and don't complain about it missing
  (pam_securetty-don-t-complain-about-missing-config.patch)
- add debug bcond to be able to build pam with debug output easily
- add macros file to allow other packages to stop hardcoding
  directory names. Compatible with Fedora.

- Remove usrmerged conditional as it's now the default

OBS-URL: https://build.opensuse.org/request/show/903070
OBS-URL: https://build.opensuse.org/package/show/Linux-PAM/pam?expand=0&rev=241
This commit is contained in:
Thorsten Kukuk 2021-07-09 12:12:20 +00:00 committed by Git OBS Bridge
parent dd0389449b
commit 089ed3e485
8 changed files with 192 additions and 200 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

7
macros.pam Normal file
View File

@ -0,0 +1,7 @@
%_pam_libdir %{_libdir}
%_pam_moduledir %{_libdir}/security
%_pam_secconfdir %{_sysconfdir}/security
%_pam_confdir %{_sysconfdir}/pam.d
%_pam_vendordir %{_distconfdir}/pam.d
# legacy, to be retired
%_pamdir %{_pam_moduledir}

16
pam-usrmerge.diff
View File

@ -1,16 +0,0 @@
Index: Linux-PAM-1.4.0/libpam/pam_handlers.c
===================================================================
--- Linux-PAM-1.4.0.orig/libpam/pam_handlers.c
+++ Linux-PAM-1.4.0/libpam/pam_handlers.c
@@ -801,6 +801,11 @@ int _pam_add_handler(pam_handle_t *pamh
} else if (asprintf(&mod_full_path, "%s%s",
DEFAULT_MODULE_PATH, mod_path) >= 0) {
mod = _pam_load_module(pamh, mod_full_path, handler_type);
+ /* for usrmerge transition, the the path in / also */
+ if (mod == NULL && !strncmp(DEFAULT_MODULE_PATH, "/usr/", 5) &&
+ access(mod_full_path+4, F_OK)) {
+ mod = _pam_load_module(pamh, mod_full_path+4, handler_type);
+ }
_pam_drop(mod_full_path);
} else {
pam_syslog(pamh, LOG_CRIT, "cannot malloc full mod path");

11
pam.changes
View File

@ -3,6 +3,17 @@ Fri Jun 25 08:07:04 UTC 2021 - Callum Farmer <gmbr3@opensuse.org>
- Create /run/motd.d - Create /run/motd.d
-------------------------------------------------------------------
Wed Jun 9 14:01:19 UTC 2021 - Ludwig Nussel <lnussel@suse.de>
- Remove legacy pre-usrmerge compat code (removed pam-usrmerge.diff)
- Backport patch to not install /usr/etc/securetty (boo#1033626) ie
no distro defaults and don't complain about it missing
(pam_securetty-don-t-complain-about-missing-config.patch)
- add debug bcond to be able to build pam with debug output easily
- add macros file to allow other packages to stop hardcoding
directory names. Compatible with Fedora.
------------------------------------------------------------------- -------------------------------------------------------------------
Mon May 10 14:22:01 UTC 2021 - Josef Möllers <josef.moellers@suse.com> Mon May 10 14:22:01 UTC 2021 - Josef Möllers <josef.moellers@suse.com>

266
pam.spec
View File

@ -15,19 +15,7 @@
# Please submit bugfixes or comments via https://bugs.opensuse.org/ # Please submit bugfixes or comments via https://bugs.opensuse.org/
# #
%bcond_with debug
%if !0%{?usrmerged}
%define libdir /%{_lib}
%define sbindir /sbin
%define pamdir /%{_lib}/security
%else
%define libdir %{_libdir}
%define sbindir %{_sbindir}
# moving this to /usr needs fixing
# several packages short of
# https://github.com/linux-pam/linux-pam/issues/256
%define pamdir %{_libdir}/security
%endif
# #
%define enable_selinux 1 %define enable_selinux 1
@ -38,6 +26,9 @@
%define _distconfdir %{_sysconfdir} %define _distconfdir %{_sysconfdir}
%define config_noreplace 1 %define config_noreplace 1
%endif %endif
#
%{load:%{_sourcedir}/macros.pam}
#
Name: pam Name: pam
# #
Version: 1.5.1 Version: 1.5.1
@ -48,12 +39,12 @@ Group: System/Libraries
URL: http://www.linux-pam.org/ URL: http://www.linux-pam.org/
Source: Linux-PAM-%{version}.tar.xz Source: Linux-PAM-%{version}.tar.xz
Source1: Linux-PAM-%{version}-docs.tar.xz Source1: Linux-PAM-%{version}-docs.tar.xz
Source2: macros.pam
Source3: other.pamd Source3: other.pamd
Source4: common-auth.pamd Source4: common-auth.pamd
Source5: common-account.pamd Source5: common-account.pamd
Source6: common-password.pamd Source6: common-password.pamd
Source7: common-session.pamd Source7: common-session.pamd
Source8: securetty
Source9: baselibs.conf Source9: baselibs.conf
Source10: unix2_chkpwd.c Source10: unix2_chkpwd.c
Source11: unix2_chkpwd.8 Source11: unix2_chkpwd.8
@ -68,15 +59,14 @@ Patch8: pam-bsc1177858-dont-free-environment-string.patch
Patch9: pam-pam_cracklib-add-usersubstr.patch Patch9: pam-pam_cracklib-add-usersubstr.patch
Patch10: pam-bsc1181443-make-nofile-unlimited-mean-nr_open.patch Patch10: pam-bsc1181443-make-nofile-unlimited-mean-nr_open.patch
Patch11: bsc1184358-prevent-LOCAL-from-being-resolved.patch Patch11: bsc1184358-prevent-LOCAL-from-being-resolved.patch
# https://github.com/linux-pam/linux-pam/commit/e842a5fc075002f46672ebcd8e896624f1ec8068
Patch100: pam_securetty-don-t-complain-about-missing-config.patch
BuildRequires: audit-devel BuildRequires: audit-devel
BuildRequires: bison BuildRequires: bison
BuildRequires: cracklib-devel BuildRequires: cracklib-devel
BuildRequires: flex BuildRequires: flex
BuildRequires: libtool BuildRequires: libtool
BuildRequires: xz BuildRequires: xz
# this is only needed in the transition phase to make sure modules
# are also loaded from /lib/security as fallback
Patch99: pam-usrmerge.diff
Requires(post): permissions Requires(post): permissions
# All login.defs variables require support from shadow side. # All login.defs variables require support from shadow side.
# Upgrade this symbol version only if new variables appear! # Upgrade this symbol version only if new variables appear!
@ -181,25 +171,25 @@ cp -a %{SOURCE12} .
%patch9 -p1 %patch9 -p1
%patch10 -p1 %patch10 -p1
%patch11 -p1 %patch11 -p1
%if 0%{?usrmerged} %patch100 -p1
%patch99 -p1
%endif
%build %build
bash ./pam-login_defs-check.sh bash ./pam-login_defs-check.sh
export CFLAGS="%{optflags} -DNDEBUG" export CFLAGS="%{optflags}"
%if !%{with debug}
CFLAGS="$CFLAGS -DNDEBUG"
%endif
%configure \ %configure \
--includedir=%{_includedir}/security \ --includedir=%{_includedir}/security \
--docdir=%{_docdir}/pam \ --docdir=%{_docdir}/pam \
--htmldir=%{_docdir}/pam/html \ --htmldir=%{_docdir}/pam/html \
--pdfdir=%{_docdir}/pam/pdf \ --pdfdir=%{_docdir}/pam/pdf \
%if !0%{?usrmerged} --enable-isadir=../..%{_pam_moduledir} \
--sbindir=/sbin \ --enable-securedir=%{_pam_moduledir} \
--libdir=/%{_lib} \
%endif
--enable-isadir=../..%{pamdir} \
--enable-securedir=%{pamdir} \
--enable-vendordir=%{_distconfdir} \ --enable-vendordir=%{_distconfdir} \
%if %{with debug}
--enable-debug \
%endif
--enable-tally2 --enable-cracklib --enable-tally2 --enable-cracklib
make %{?_smp_mflags} make %{?_smp_mflags}
gcc -fwhole-program -fpie -pie -D_FILE_OFFSET_BITS=64 -D_GNU_SOURCE %{optflags} -I%{_builddir}/Linux-PAM-%{version}/libpam/include %{SOURCE10} -o %{_builddir}/unix2_chkpwd -L%{_builddir}/Linux-PAM-%{version}/libpam/.libs -lpam gcc -fwhole-program -fpie -pie -D_FILE_OFFSET_BITS=64 -D_GNU_SOURCE %{optflags} -I%{_builddir}/Linux-PAM-%{version}/libpam/include %{SOURCE10} -o %{_builddir}/unix2_chkpwd -L%{_builddir}/Linux-PAM-%{version}/libpam/.libs -lpam
@ -208,46 +198,31 @@ gcc -fwhole-program -fpie -pie -D_FILE_OFFSET_BITS=64 -D_GNU_SOURCE %{optflags}
%make_build check %make_build check
%install %install
mkdir -p %{buildroot}%{_sysconfdir}/pam.d mkdir -p %{buildroot}%{_pam_confdir}
mkdir -p %{buildroot}%{_distconfdir}/pam.d mkdir -p %{buildroot}%{_pam_vendordir}
mkdir -p %{buildroot}%{_includedir}/security mkdir -p %{buildroot}%{_includedir}/security
mkdir -p %{buildroot}%{pamdir} mkdir -p %{buildroot}%{_pam_moduledir}
mkdir -p %{buildroot}/sbin mkdir -p %{buildroot}/sbin
mkdir -p -m 755 %{buildroot}%{_libdir} mkdir -p -m 755 %{buildroot}%{_libdir}
%make_install %make_install
/sbin/ldconfig -n %{buildroot}%{libdir} /sbin/ldconfig -n %{buildroot}%{libdir}
# Install documentation # Install documentation
%make_install -C doc %make_install -C doc
# install securetty
install -m 644 %{SOURCE8} %{buildroot}%{_distconfdir}
%ifarch s390 s390x
for i in ttyS0 ttyS1 hvc0 hvc1 hvc2 hvc3 hvc4 hvc5 hvc6 hvc7 sclp_line0 ttysclp0; do
echo "$i" >>%{buildroot}/%{_distconfdir}/securetty
done
%endif
# install /etc/security/namespace.d used by pam_namespace.so for namespace.conf iscript # install /etc/security/namespace.d used by pam_namespace.so for namespace.conf iscript
install -d %{buildroot}%{_sysconfdir}/security/namespace.d install -d %{buildroot}%{_pam_secconfdir}/namespace.d
# install other.pamd and common-*.pamd # install other.pamd and common-*.pamd
install -m 644 %{SOURCE3} %{buildroot}%{_distconfdir}/pam.d/other install -m 644 %{SOURCE3} %{buildroot}%{_pam_vendordir}/other
install -m 644 %{SOURCE4} %{buildroot}%{_distconfdir}/pam.d/common-auth install -m 644 %{SOURCE4} %{buildroot}%{_pam_vendordir}/common-auth
install -m 644 %{SOURCE5} %{buildroot}%{_distconfdir}/pam.d/common-account install -m 644 %{SOURCE5} %{buildroot}%{_pam_vendordir}/common-account
install -m 644 %{SOURCE6} %{buildroot}%{_distconfdir}/pam.d/common-password install -m 644 %{SOURCE6} %{buildroot}%{_pam_vendordir}/common-password
install -m 644 %{SOURCE7} %{buildroot}%{_distconfdir}/pam.d/common-session install -m 644 %{SOURCE7} %{buildroot}%{_pam_vendordir}/common-session
%if !0%{?usrmerged}
rm %{buildroot}/%{_lib}/libpam.so
ln -sf ../../%{_lib}/libpam.so.%{libpam_so_version} %{buildroot}%{_libdir}/libpam.so
rm %{buildroot}/%{_lib}/libpamc.so
ln -sf ../../%{_lib}/libpamc.so.%{libpamc_so_version} %{buildroot}%{_libdir}/libpamc.so
rm %{buildroot}/%{_lib}/libpam_misc.so
ln -sf ../../%{_lib}/libpam_misc.so.%{libpam_misc_so_version} %{buildroot}%{_libdir}/libpam_misc.so
%endif
mkdir -p %{buildroot}%{_prefix}/lib/motd.d mkdir -p %{buildroot}%{_prefix}/lib/motd.d
# #
# Remove crap # Remove crap
# #
find %{buildroot} -type f -name "*.la" -delete -print find %{buildroot} -type f -name "*.la" -delete -print
for x in pam_unix_auth pam_unix_acct pam_unix_passwd pam_unix_session; do for x in pam_unix_auth pam_unix_acct pam_unix_passwd pam_unix_session; do
ln -f %{buildroot}%{pamdir}/pam_unix.so %{buildroot}%{pamdir}/$x.so ln -f %{buildroot}%{_pam_moduledir}/pam_unix.so %{buildroot}%{_pam_moduledir}/$x.so
done done
# #
# Install READMEs of PAM modules # Install READMEs of PAM modules
@ -260,24 +235,23 @@ for i in pam_*/README; do
done done
popd popd
# Install unix2_chkpwd # Install unix2_chkpwd
install -m 755 %{_builddir}/unix2_chkpwd %{buildroot}%{sbindir} install -m 755 %{_builddir}/unix2_chkpwd %{buildroot}%{_sbindir}
install -m 644 %{_sourcedir}/unix2_chkpwd.8 %{buildroot}/%{_mandir}/man8/ install -m 644 %{_sourcedir}/unix2_chkpwd.8 %{buildroot}/%{_mandir}/man8/
# rpm macros # rpm macros
mkdir -p %{buildroot}/usr/lib/rpm/macros.d install -D -m 644 %{SOURCE2} %{buildroot}%{_prefix}/lib/rpm/macros.d/macros.pam
echo "%%_pamdir %pamdir" > %{buildroot}%{_prefix}/lib/rpm/macros.d/macros.pam
# /run/motd.d # /run/motd.d
install -Dm0644 %{SOURCE13} %{buildroot}%{_tmpfilesdir}/motd.conf install -Dm0644 %{SOURCE13} %{buildroot}%{_tmpfilesdir}/motd.conf
# Create filelist with translations # Create filelist with translations
%find_lang Linux-PAM %find_lang Linux-PAM
%verifyscript %verifyscript
%verify_permissions -e %{sbindir}/unix_chkpwd %verify_permissions -e %{_sbindir}/unix_chkpwd
%verify_permissions -e %{sbindir}/unix2_chkpwd %verify_permissions -e %{_sbindir}/unix2_chkpwd
%post %post
/sbin/ldconfig /sbin/ldconfig
%set_permissions %{sbindir}/unix_chkpwd %set_permissions %{_sbindir}/unix_chkpwd
%set_permissions %{sbindir}/unix2_chkpwd %set_permissions %{_sbindir}/unix2_chkpwd
%tmpfiles_create %{_tmpfilesdir}/motd.conf %tmpfiles_create %{_tmpfilesdir}/motd.conf
%postun -p /sbin/ldconfig %postun -p /sbin/ldconfig
@ -294,34 +268,32 @@ done
%files -f Linux-PAM.lang %files -f Linux-PAM.lang
%exclude %{_defaultdocdir}/pam %exclude %{_defaultdocdir}/pam
%dir %{_sysconfdir}/pam.d %dir %{_pam_confdir}
%dir %{_distconfdir}/pam.d %dir %{_pam_vendordir}
%dir %{_sysconfdir}/security %dir %{_pam_secconfdir}
%dir %{_sysconfdir}/security/limits.d %dir %{_pam_secconfdir}/limits.d
%dir %{_prefix}/lib/motd.d %dir %{_prefix}/lib/motd.d
%ghost %dir %{_rundir}/motd.d %ghost %dir %{_rundir}/motd.d
%if %{defined config_noreplace} %if %{defined config_noreplace}
%config(noreplace) %{_sysconfdir}/pam.d/other %config(noreplace) %{_pam_confdir}/other
%config(noreplace) %{_sysconfdir}/pam.d/common-* %config(noreplace) %{_pam_confdir}/common-*
%config(noreplace) %{_sysconfdir}/securetty
%else %else
%{_distconfdir}/pam.d/other %{_pam_vendordir}/other
%{_distconfdir}/pam.d/common-* %{_pam_vendordir}/common-*
%{_distconfdir}/securetty
%endif %endif
%config(noreplace) %{_sysconfdir}/environment %config(noreplace) %{_sysconfdir}/environment
%config(noreplace) %{_sysconfdir}/security/access.conf %config(noreplace) %{_pam_secconfdir}/access.conf
%config(noreplace) %{_sysconfdir}/security/group.conf %config(noreplace) %{_pam_secconfdir}/group.conf
%config(noreplace) %{_sysconfdir}/security/faillock.conf %config(noreplace) %{_pam_secconfdir}/faillock.conf
%config(noreplace) %{_sysconfdir}/security/limits.conf %config(noreplace) %{_pam_secconfdir}/limits.conf
%config(noreplace) %{_sysconfdir}/security/pam_env.conf %config(noreplace) %{_pam_secconfdir}/pam_env.conf
%if %{enable_selinux} %if %{enable_selinux}
%config(noreplace) %{_sysconfdir}/security/sepermit.conf %config(noreplace) %{_pam_secconfdir}/sepermit.conf
%endif %endif
%config(noreplace) %{_sysconfdir}/security/time.conf %config(noreplace) %{_pam_secconfdir}/time.conf
%config(noreplace) %{_sysconfdir}/security/namespace.conf %config(noreplace) %{_pam_secconfdir}/namespace.conf
%config(noreplace) %{_sysconfdir}/security/namespace.init %config(noreplace) %{_pam_secconfdir}/namespace.init
%dir %{_sysconfdir}/security/namespace.d %dir %{_pam_secconfdir}/namespace.d
%doc NEWS %doc NEWS
%license COPYING %license COPYING
%{_mandir}/man5/environment.5%{?ext_man} %{_mandir}/man5/environment.5%{?ext_man}
@ -380,88 +352,88 @@ done
%{_mandir}/man8/unix2_chkpwd.8%{?ext_man} %{_mandir}/man8/unix2_chkpwd.8%{?ext_man}
%{_mandir}/man8/unix_chkpwd.8%{?ext_man} %{_mandir}/man8/unix_chkpwd.8%{?ext_man}
%{_mandir}/man8/unix_update.8%{?ext_man} %{_mandir}/man8/unix_update.8%{?ext_man}
%{libdir}/libpam.so.0 %{_libdir}/libpam.so.0
%{libdir}/libpam.so.%{libpam_so_version} %{_libdir}/libpam.so.%{libpam_so_version}
%{libdir}/libpamc.so.0 %{_libdir}/libpamc.so.0
%{libdir}/libpamc.so.%{libpamc_so_version} %{_libdir}/libpamc.so.%{libpamc_so_version}
%{libdir}/libpam_misc.so.0 %{_libdir}/libpam_misc.so.0
%{libdir}/libpam_misc.so.%{libpam_misc_so_version} %{_libdir}/libpam_misc.so.%{libpam_misc_so_version}
%dir %{pamdir} %dir %{_pam_moduledir}
%{pamdir}/pam_access.so %{_pam_moduledir}/pam_access.so
%{pamdir}/pam_debug.so %{_pam_moduledir}/pam_debug.so
%{pamdir}/pam_deny.so %{_pam_moduledir}/pam_deny.so
%{pamdir}/pam_echo.so %{_pam_moduledir}/pam_echo.so
%{pamdir}/pam_env.so %{_pam_moduledir}/pam_env.so
%{pamdir}/pam_exec.so %{_pam_moduledir}/pam_exec.so
%{pamdir}/pam_faildelay.so %{_pam_moduledir}/pam_faildelay.so
%{pamdir}/pam_faillock.so %{_pam_moduledir}/pam_faillock.so
%{pamdir}/pam_filter.so %{_pam_moduledir}/pam_filter.so
%dir %{pamdir}/pam_filter %dir %{_pam_moduledir}/pam_filter
%{pamdir}//pam_filter/upperLOWER %{_pam_moduledir}//pam_filter/upperLOWER
%{pamdir}/pam_ftp.so %{_pam_moduledir}/pam_ftp.so
%{pamdir}/pam_group.so %{_pam_moduledir}/pam_group.so
%{pamdir}/pam_issue.so %{_pam_moduledir}/pam_issue.so
%{pamdir}/pam_keyinit.so %{_pam_moduledir}/pam_keyinit.so
%{pamdir}/pam_lastlog.so %{_pam_moduledir}/pam_lastlog.so
%{pamdir}/pam_limits.so %{_pam_moduledir}/pam_limits.so
%{pamdir}/pam_listfile.so %{_pam_moduledir}/pam_listfile.so
%{pamdir}/pam_localuser.so %{_pam_moduledir}/pam_localuser.so
%{pamdir}/pam_loginuid.so %{_pam_moduledir}/pam_loginuid.so
%{pamdir}/pam_mail.so %{_pam_moduledir}/pam_mail.so
%{pamdir}/pam_mkhomedir.so %{_pam_moduledir}/pam_mkhomedir.so
%{pamdir}/pam_motd.so %{_pam_moduledir}/pam_motd.so
%{pamdir}/pam_namespace.so %{_pam_moduledir}/pam_namespace.so
%{pamdir}/pam_nologin.so %{_pam_moduledir}/pam_nologin.so
%{pamdir}/pam_permit.so %{_pam_moduledir}/pam_permit.so
%{pamdir}/pam_pwhistory.so %{_pam_moduledir}/pam_pwhistory.so
%{pamdir}/pam_rhosts.so %{_pam_moduledir}/pam_rhosts.so
%{pamdir}/pam_rootok.so %{_pam_moduledir}/pam_rootok.so
%{pamdir}/pam_securetty.so %{_pam_moduledir}/pam_securetty.so
%if %{enable_selinux} %if %{enable_selinux}
%{pamdir}/pam_selinux.so %{_pam_moduledir}/pam_selinux.so
%{pamdir}/pam_sepermit.so %{_pam_moduledir}/pam_sepermit.so
%endif %endif
%{pamdir}/pam_setquota.so %{_pam_moduledir}/pam_setquota.so
%{pamdir}/pam_shells.so %{_pam_moduledir}/pam_shells.so
%{pamdir}/pam_stress.so %{_pam_moduledir}/pam_stress.so
%{pamdir}/pam_succeed_if.so %{_pam_moduledir}/pam_succeed_if.so
%{pamdir}/pam_time.so %{_pam_moduledir}/pam_time.so
%{pamdir}/pam_timestamp.so %{_pam_moduledir}/pam_timestamp.so
%{pamdir}/pam_tty_audit.so %{_pam_moduledir}/pam_tty_audit.so
%{pamdir}/pam_umask.so %{_pam_moduledir}/pam_umask.so
%{pamdir}/pam_usertype.so %{_pam_moduledir}/pam_usertype.so
%{pamdir}/pam_warn.so %{_pam_moduledir}/pam_warn.so
%{pamdir}/pam_wheel.so %{_pam_moduledir}/pam_wheel.so
%{pamdir}/pam_xauth.so %{_pam_moduledir}/pam_xauth.so
%{sbindir}/faillock %{_sbindir}/faillock
%{sbindir}/mkhomedir_helper %{_sbindir}/mkhomedir_helper
%{sbindir}/pam_namespace_helper %{_sbindir}/pam_namespace_helper
%{sbindir}/pam_timestamp_check %{_sbindir}/pam_timestamp_check
%{sbindir}/pwhistory_helper %{_sbindir}/pwhistory_helper
%verify(not mode) %attr(4755,root,shadow) %{sbindir}/unix_chkpwd %verify(not mode) %attr(4755,root,shadow) %{_sbindir}/unix_chkpwd
%verify(not mode) %attr(4755,root,shadow) %{sbindir}/unix2_chkpwd %verify(not mode) %attr(4755,root,shadow) %{_sbindir}/unix2_chkpwd
%attr(0700,root,root) %{sbindir}/unix_update %attr(0700,root,root) %{_sbindir}/unix_update
%{_unitdir}/pam_namespace.service %{_unitdir}/pam_namespace.service
%{_tmpfilesdir}/motd.conf %{_tmpfilesdir}/motd.conf
%files -n pam_unix %files -n pam_unix
%defattr(-,root,root,755) %defattr(-,root,root,755)
%{pamdir}/pam_unix.so %{_pam_moduledir}/pam_unix.so
%{pamdir}/pam_unix_acct.so %{_pam_moduledir}/pam_unix_acct.so
%{pamdir}/pam_unix_auth.so %{_pam_moduledir}/pam_unix_auth.so
%{pamdir}/pam_unix_passwd.so %{_pam_moduledir}/pam_unix_passwd.so
%{pamdir}/pam_unix_session.so %{_pam_moduledir}/pam_unix_session.so
%files extra %files extra
%defattr(-,root,root,755) %defattr(-,root,root,755)
%{pamdir}/pam_userdb.so %{_pam_moduledir}/pam_userdb.so
%{_mandir}/man8/pam_userdb.8%{?ext_man} %{_mandir}/man8/pam_userdb.8%{?ext_man}
%files deprecated %files deprecated
%defattr(-,root,root,755) %defattr(-,root,root,755)
%{pamdir}/pam_cracklib.so %{_pam_moduledir}/pam_cracklib.so
%{pamdir}/pam_tally2.so %{_pam_moduledir}/pam_tally2.so
%{sbindir}/pam_tally2 %{_sbindir}/pam_tally2
%files doc %files doc
%defattr(644,root,root,755) %defattr(644,root,root,755)

40
pam_securetty-don-t-complain-about-missing-config.patch Normal file
View File

@ -0,0 +1,40 @@
From e842a5fc075002f46672ebcd8e896624f1ec8068 Mon Sep 17 00:00:00 2001
From: Ludwig Nussel <ludwig.nussel@suse.de>
Date: Tue, 26 Jan 2021 13:07:20 +0100
Subject: [PATCH] pam_securetty: don't complain about missing config
Not shipping a config file should be perfectly valid for distros while
still having eg login pre-configured to honor securetty when present.
PAM itself doesn't ship any template either. So avoid spamming the log
file if /etc/securetty wasn't found.
---
modules/pam_securetty/pam_securetty.c | 6 ++++--
1 file changed, 4 insertions(+), 2 deletions(-)
diff --git a/modules/pam_securetty/pam_securetty.c b/modules/pam_securetty/pam_securetty.c
index b4d71751..47a5cd9f 100644
--- a/modules/pam_securetty/pam_securetty.c
+++ b/modules/pam_securetty/pam_securetty.c
@@ -111,7 +111,8 @@ securetty_perform_check (pam_handle_t *pamh, int ctrl,
#ifdef VENDORDIR
if (errno == ENOENT) {
if (stat(SECURETTY2_FILE, &ttyfileinfo)) {
- pam_syslog(pamh, LOG_NOTICE,
+ if (ctrl & PAM_DEBUG_ARG)
+ pam_syslog(pamh, LOG_DEBUG,
"Couldn't open %s: %m", SECURETTY2_FILE);
return PAM_SUCCESS; /* for compatibility with old securetty handling,
this needs to succeed. But we still log the
@@ -120,7 +121,8 @@ securetty_perform_check (pam_handle_t *pamh, int ctrl,
securettyfile = SECURETTY2_FILE;
} else {
#endif
- pam_syslog(pamh, LOG_NOTICE, "Couldn't open %s: %m", SECURETTY_FILE);
+ if (ctrl & PAM_DEBUG_ARG)
+ pam_syslog(pamh, LOG_DEBUG, "Couldn't open %s: %m", SECURETTY_FILE);
return PAM_SUCCESS; /* for compatibility with old securetty handling,
this needs to succeed. But we still log the
error. */
--
2.26.2

5
pam_unix-nis.changes
View File

@ -1,3 +1,8 @@
-------------------------------------------------------------------
Wed Jun 9 14:02:02 UTC 2021 - Ludwig Nussel <lnussel@suse.de>
- Remove usrmerged conditional as it's now the default
------------------------------------------------------------------- -------------------------------------------------------------------
Thu Feb 18 22:16:58 UTC 2021 - Thorsten Kukuk <kukuk@suse.com> Thu Feb 18 22:16:58 UTC 2021 - Thorsten Kukuk <kukuk@suse.com>

37
pam_unix-nis.spec
View File

@ -16,19 +16,6 @@
# #
%if !0%{?usrmerged}
%define libdir /%{_lib}
%define sbindir /sbin
%define pamdir /%{_lib}/security
%else
%define libdir %{_libdir}
%define sbindir %{_sbindir}
# moving this to /usr needs fixing
# several packages short of
# https://github.com/linux-pam/linux-pam/issues/256
%define pamdir %{_libdir}/security
%endif
# #
%define enable_selinux 1 %define enable_selinux 1
%define libpam_so_version 0.85.1 %define libpam_so_version 0.85.1
@ -78,29 +65,25 @@ export CFLAGS="%{optflags} -DNDEBUG"
--docdir=%{_docdir}/pam \ --docdir=%{_docdir}/pam \
--htmldir=%{_docdir}/pam/html \ --htmldir=%{_docdir}/pam/html \
--pdfdir=%{_docdir}/pam/pdf \ --pdfdir=%{_docdir}/pam/pdf \
%if !0%{?usrmerged} --enable-isadir=../..%{_pam_moduledir} \
--sbindir=/sbin \ --enable-securedir=%{_pam_moduledir} \
--libdir=/%{_lib} \
%endif
--enable-isadir=../..%{pamdir} \
--enable-securedir=%{pamdir} \
--enable-vendordir=%{_distconfdir} \ --enable-vendordir=%{_distconfdir} \
--enable-tally2 --enable-cracklib --enable-tally2 --enable-cracklib
make -C modules/pam_unix make -C modules/pam_unix
%install %install
mkdir -p %{buildroot}%{pamdir} mkdir -p %{buildroot}%{_pam_moduledir}
install -m 755 modules/pam_unix/.libs/pam_unix.so %{buildroot}%{pamdir}/ install -m 755 modules/pam_unix/.libs/pam_unix.so %{buildroot}%{_pam_moduledir}/
for x in pam_unix_auth pam_unix_acct pam_unix_passwd pam_unix_session; do for x in pam_unix_auth pam_unix_acct pam_unix_passwd pam_unix_session; do
ln -f %{buildroot}%{pamdir}/pam_unix.so %{buildroot}%{pamdir}/$x.so ln -f %{buildroot}%{_pam_moduledir}/pam_unix.so %{buildroot}%{_pam_moduledir}/$x.so
done done
%files %files
%license COPYING %license COPYING
%{pamdir}/pam_unix.so %{_pam_moduledir}/pam_unix.so
%{pamdir}/pam_unix_acct.so %{_pam_moduledir}/pam_unix_acct.so
%{pamdir}/pam_unix_auth.so %{_pam_moduledir}/pam_unix_auth.so
%{pamdir}/pam_unix_passwd.so %{_pam_moduledir}/pam_unix_passwd.so
%{pamdir}/pam_unix_session.so %{_pam_moduledir}/pam_unix_session.so
%changelog %changelog

10
securetty
View File

@ -1,10 +0,0 @@
#
# This file contains the device names of tty lines (one per line,
# without leading /dev/) on which root is allowed to login.
#
tty1
tty2
tty3
tty4
tty5
tty6