Accepting request 919240 from Linux-PAM

- Rename motd.tmpfiles to pam.tmpfiles
  - Add /run/faillock directory

- pam-login_defs-check.sh: adjust for new login.defs variable usages

- Update to 1.5.2
  Noteworthy changes in Linux-PAM 1.5.2:
  * pam_exec: implemented quiet_log option.
  * pam_mkhomedir: added support of HOME_MODE and UMASK from
    /etc/login.defs.
  * pam_timestamp: changed hmac algorithm to call openssl instead
    of the bundled sha1 implementation if selected, added option
    to select the hash algorithm to use with HMAC.
  * Added pkgconfig files for provided libraries.
  * Added --with-systemdunitdir configure option to specify systemd
    unit directory.
  * Added --with-misc-conv-bufsize configure option to specify the
    buffer size in libpam_misc's misc_conv() function, raised the
    default value for this parameter from 512 to 4096.
  * Multiple minor bug fixes, portability fixes, documentation
    improvements, and translation updates.
  pam_tally2 has been removed upstream, remove pam_tally2-removal.patch
  pam_cracklib has been removed from the upstream sources. This
  obsoletes pam-pam_cracklib-add-usersubstr.patch and
  pam_cracklib-removal.patch.
  The following patches have been accepted upstream and are therefore
  obsolete:
  - pam-bsc1181443-make-nofile-unlimited-mean-nr_open.patch
  - pam_securetty-don-t-complain-about-missing-config.patch
  - bsc1184358-prevent-LOCAL-from-being-resolved.patch

OBS-URL: https://build.opensuse.org/request/show/919240
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/pam?expand=0&rev=116
Dominique Leuenberger 2021-09-20 21:31:43 +00:00 committed by Git OBS Bridge
commit 34a306b1ac
22 changed files with 193 additions and 4207 deletions


@ -1,3 +0,0 @@
version https://git-lfs.github.com/spec/v1
oid sha256:d0fc4ef466d0050f46b0ccd2f73373c60c47454da55f6fb2fd04b0701c73c134
size 441632


@ -1,3 +0,0 @@
version https://git-lfs.github.com/spec/v1
oid sha256:201d40730b1135b1b3cdea09f2c28ac634d73181ccd0172ceddee3649c5792fc
size 972964


@ -0,0 +1,3 @@
version https://git-lfs.github.com/spec/v1
oid sha256:bd75b3474dfbed60dff728721c48a6dd88bfea901b607c469bbe5fa5ccc535e4
size 443276


@ -0,0 +1,16 @@
-----BEGIN PGP SIGNATURE-----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=ijjK
-----END PGP SIGNATURE-----

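--- /dev/null
+++ b/Linux-PAM-1.5.2.tar.xz
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:e4ec7131a91da44512574268f493c6d8ca105c87091691b8e9b56ca685d4f94d
+size 988784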


@ -0,0 +1,16 @@
-----BEGIN PGP SIGNATURE-----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=KMIz
-----END PGP SIGNATURE-----


@ -1,7 +1,6 @@
pam
requires "(systemd-<targettype> if systemd)"
pam-extra
pam-deprecated
pam-devel
pam_unix
conflicts "pam_unix-nis-<targettype>"


@ -1,90 +0,0 @@
From c4dbba499f335ad88536244254d2d444b8e1c17c Mon Sep 17 00:00:00 2001
From: Tomas Mraz <tmraz@fedoraproject.org>
Date: Tue, 6 Apr 2021 12:27:38 +0200
Subject: [PATCH] pam_access: clean up the remote host matching code
* modules/pam_access/pam_access.c (from_match): Split out remote_match()
function and avoid calling it when matching against LOCAL keyword.
There is also no point in doing domain match against TTY or SERVICE.
---
modules/pam_access/pam_access.c | 42 +++++++++++++++++++++------------
1 file changed, 27 insertions(+), 15 deletions(-)
diff --git a/modules/pam_access/pam_access.c b/modules/pam_access/pam_access.c
index 98848c54..b493c7bd 100644
--- a/modules/pam_access/pam_access.c
+++ b/modules/pam_access/pam_access.c
@@ -160,6 +160,7 @@ static int list_match (pam_handle_t *, char *, char *, struct login_info *,
static int user_match (pam_handle_t *, char *, struct login_info *);
static int group_match (pam_handle_t *, const char *, const char *, int);
static int from_match (pam_handle_t *, char *, struct login_info *);
+static int remote_match (pam_handle_t *, char *, struct login_info *);
static int string_match (pam_handle_t *, const char *, const char *, int);
static int network_netmask_match (pam_handle_t *, const char *, const char *, struct login_info *);
@@ -589,11 +590,9 @@ group_match (pam_handle_t *pamh, const char *tok, const char* usr,
/* from_match - match a host or tty against a list of tokens */
static int
-from_match (pam_handle_t *pamh UNUSED, char *tok, struct login_info *item)
+from_match (pam_handle_t *pamh, char *tok, struct login_info *item)
{
const char *string = item->from;
- int tok_len;
- int str_len;
int rv;
if (item->debug)
@@ -616,13 +615,28 @@ from_match (pam_handle_t *pamh UNUSED, char *tok, struct login_info *item)
} else if ((rv = string_match(pamh, tok, string, item->debug)) != NO) {
/* ALL or exact match */
return rv;
- } else if (tok[0] == '.') { /* domain: match last fields */
- if ((str_len = strlen(string)) > (tok_len = strlen(tok))
- && strcasecmp(tok, string + str_len - tok_len) == 0)
- return (YES);
- } else if (item->from_remote_host == 0) { /* local: no PAM_RHOSTS */
- if (strcasecmp(tok, "LOCAL") == 0)
- return (YES);
+ } else if (strcasecmp(tok, "LOCAL") == 0) {
+ /* LOCAL matches only local accesses */
+ if (!item->from_remote_host)
+ return YES;
+ return NO;
+ } else if (item->from_remote_host) {
+ return remote_match(pamh, tok, item);
+ }
+ return NO;
+}
+
+static int
+remote_match (pam_handle_t *pamh, char *tok, struct login_info *item)
+{
+ const char *string = item->from;
+ size_t tok_len = strlen(tok);
+ size_t str_len;
+
+ if (tok[0] == '.') { /* domain: match last fields */
+ if ((str_len = strlen(string)) > tok_len
+ && strcasecmp(tok, string + str_len - tok_len) == 0)
+ return YES;
} else if (tok[(tok_len = strlen(tok)) - 1] == '.') {
struct addrinfo hint;
@@ -661,13 +675,11 @@ from_match (pam_handle_t *pamh UNUSED, char *tok, struct login_info *item)
runp = runp->ai_next;
}
}
- } else {
- /* Assume network/netmask with a IP of a host. */
- if (network_netmask_match(pamh, tok, string, item))
- return YES;
+ return NO;
}
- return NO;
+ /* Assume network/netmask with an IP of a host. */
+ return network_netmask_match(pamh, tok, string, item);
}
/* string_match - match a string against one token */


@ -1,2 +0,0 @@
#Type Path Mode User Group Age Argument
d /run/motd.d 0755 root root - -


@ -1,755 +0,0 @@
Index: Linux-PAM-1.5.1/doc/sag/Linux-PAM_SAG.txt
===================================================================
--- Linux-PAM-1.5.1.orig/doc/sag/Linux-PAM_SAG.txt
+++ Linux-PAM-1.5.1/doc/sag/Linux-PAM_SAG.txt
@@ -2171,6 +2171,9 @@ The fields listed above should be filled
All items support the values -1, unlimited or infinity indicating no limit,
except for priority, nice, and nonewprivs.
+If nofile is to be set to one of these values,
+it will be set to the contents of /proc/sys/fs/nr_open instead (see setrlimit(3)).
+
If a hard limit or soft limit of a resource is set to a valid value, but
outside of the supported range of the local system, the system may reject the
new limit or unexpected behavior may occur. If the control value required is
Index: Linux-PAM-1.5.1/doc/sag/html/sag-pam_limits.html
===================================================================
--- Linux-PAM-1.5.1.orig/doc/sag/html/sag-pam_limits.html
+++ Linux-PAM-1.5.1/doc/sag/html/sag-pam_limits.html
@@ -104,6 +104,9 @@
<span class="emphasis"><em>unlimited</em></span> or <span class="emphasis"><em>infinity</em></span> indicating no limit,
except for <span class="emphasis"><em>priority</em></span>, <span class="emphasis"><em>nice</em></span>,
and <span class="emphasis"><em>nonewprivs</em></span>.
+ If <span class="emphasis"><em>nofile</em></span> is to be set to one of these values,
+ it will be set to the contents of <em class="replaceable"><code>/proc/sys/fs/nr_open</code></em> instead
+ (see <span class="citerefentry"><span class="refentrytitle">setrlimit</span>(3)</span>).
</p><p>
If a hard limit or soft limit of a resource is set to a valid value,
but outside of the supported range of the local system, the system
Index: Linux-PAM-1.5.1/modules/pam_limits/limits.conf.5
===================================================================
--- Linux-PAM-1.5.1.orig/modules/pam_limits/limits.conf.5
+++ Linux-PAM-1.5.1/modules/pam_limits/limits.conf.5
@@ -290,6 +290,8 @@ indicating no limit, except for
\fBpriority\fR,
\fBnice\fR, and
\fBnonewprivs\fR\&.
+If \fBnofile\fP is to be set to one of these values,
+it will be set to the contents of \fI/proc/sys/fs/nr_open\fP instead (see \fBsetrlimit\fP(3))\&.
.PP
If a hard limit or soft limit of a resource is set to a valid value, but outside of the supported range of the local system, the system may reject the new limit or unexpected behavior may occur\&. If the control value
\fIrequired\fR
Index: Linux-PAM-1.5.1/modules/pam_limits/limits.conf.5.xml
===================================================================
--- Linux-PAM-1.5.1.orig/modules/pam_limits/limits.conf.5.xml
+++ Linux-PAM-1.5.1/modules/pam_limits/limits.conf.5.xml
@@ -283,6 +283,8 @@
<emphasis>unlimited</emphasis> or <emphasis>infinity</emphasis> indicating no limit,
except for <emphasis remap='B'>priority</emphasis>, <emphasis remap='B'>nice</emphasis>,
and <emphasis remap='B'>nonewprivs</emphasis>.
+ If <emphasis remap='B'>nofile</emphasis> is to be set to one of these values,
+ it will be set to the contents of /proc/sys/fs/nr_open instead (see setrlimit(3)).
</para>
<para>
If a hard limit or soft limit of a resource is set to a valid value,
Index: Linux-PAM-1.5.1/modules/pam_limits/pam_limits.c
===================================================================
--- Linux-PAM-1.5.1.orig/modules/pam_limits/pam_limits.c
+++ Linux-PAM-1.5.1/modules/pam_limits/pam_limits.c
@@ -228,21 +228,21 @@ rlimit2str (int i)
/* Counts the number of user logins and check against the limit*/
static int
check_logins (pam_handle_t *pamh, const char *name, int limit, int ctrl,
- struct pam_limit_s *pl)
+ struct pam_limit_s *pl)
{
struct utmp *ut;
int count;
if (ctrl & PAM_DEBUG_ARG) {
- pam_syslog(pamh, LOG_DEBUG,
+ pam_syslog(pamh, LOG_DEBUG,
"checking logins for '%s' (maximum of %d)", name, limit);
}
if (limit < 0)
- return 0; /* no limits imposed */
+ return 0; /* no limits imposed */
if (limit == 0) /* maximum 0 logins ? */ {
- pam_syslog(pamh, LOG_WARNING, "No logins allowed for '%s'", name);
- return LOGIN_ERR;
+ pam_syslog(pamh, LOG_WARNING, "No logins allowed for '%s'", name);
+ return LOGIN_ERR;
}
setutent();
@@ -265,14 +265,14 @@ check_logins (pam_handle_t *pamh, const
while((ut = getutent())) {
#ifdef USER_PROCESS
- if (ut->ut_type != USER_PROCESS) {
- continue;
+ if (ut->ut_type != USER_PROCESS) {
+ continue;
}
#endif
- if (ut->UT_USER[0] == '\0') {
- continue;
+ if (ut->UT_USER[0] == '\0') {
+ continue;
}
- if (!pl->flag_numsyslogins) {
+ if (!pl->flag_numsyslogins) {
char user[sizeof(ut->UT_USER) + 1];
user[0] = '\0';
strncat(user, ut->UT_USER, sizeof(ut->UT_USER));
@@ -281,11 +281,11 @@ check_logins (pam_handle_t *pamh, const
|| (pl->login_limit_def == LIMITS_DEF_GROUP)
|| (pl->login_limit_def == LIMITS_DEF_DEFAULT))
&& strcmp(name, user) != 0) {
- continue;
+ continue;
}
if ((pl->login_limit_def == LIMITS_DEF_ALLGROUP)
&& !pam_modutil_user_in_group_nam_nam(pamh, user, pl->login_group)) {
- continue;
+ continue;
}
if (kill(ut->ut_pid, 0) == -1 && errno == ESRCH) {
/* process does not exist anymore */
@@ -307,50 +307,50 @@ check_logins (pam_handle_t *pamh, const
} else {
pam_syslog(pamh, LOG_NOTICE, "Too many system logins (max %d)", limit);
}
- return LOGIN_ERR;
+ return LOGIN_ERR;
}
return 0;
}
static const char *lnames[RLIM_NLIMITS] = {
- [RLIMIT_CPU] = "Max cpu time",
- [RLIMIT_FSIZE] = "Max file size",
- [RLIMIT_DATA] = "Max data size",
- [RLIMIT_STACK] = "Max stack size",
- [RLIMIT_CORE] = "Max core file size",
- [RLIMIT_RSS] = "Max resident set",
- [RLIMIT_NPROC] = "Max processes",
- [RLIMIT_NOFILE] = "Max open files",
- [RLIMIT_MEMLOCK] = "Max locked memory",
+ [RLIMIT_CPU] = "Max cpu time",
+ [RLIMIT_FSIZE] = "Max file size",
+ [RLIMIT_DATA] = "Max data size",
+ [RLIMIT_STACK] = "Max stack size",
+ [RLIMIT_CORE] = "Max core file size",
+ [RLIMIT_RSS] = "Max resident set",
+ [RLIMIT_NPROC] = "Max processes",
+ [RLIMIT_NOFILE] = "Max open files",
+ [RLIMIT_MEMLOCK] = "Max locked memory",
#ifdef RLIMIT_AS
- [RLIMIT_AS] = "Max address space",
+ [RLIMIT_AS] = "Max address space",
#endif
#ifdef RLIMIT_LOCKS
- [RLIMIT_LOCKS] = "Max file locks",
+ [RLIMIT_LOCKS] = "Max file locks",
#endif
#ifdef RLIMIT_SIGPENDING
- [RLIMIT_SIGPENDING] = "Max pending signals",
+ [RLIMIT_SIGPENDING] = "Max pending signals",
#endif
#ifdef RLIMIT_MSGQUEUE
- [RLIMIT_MSGQUEUE] = "Max msgqueue size",
+ [RLIMIT_MSGQUEUE] = "Max msgqueue size",
#endif
#ifdef RLIMIT_NICE
- [RLIMIT_NICE] = "Max nice priority",
+ [RLIMIT_NICE] = "Max nice priority",
#endif
#ifdef RLIMIT_RTPRIO
- [RLIMIT_RTPRIO] = "Max realtime priority",
+ [RLIMIT_RTPRIO] = "Max realtime priority",
#endif
#ifdef RLIMIT_RTTIME
- [RLIMIT_RTTIME] = "Max realtime timeout",
+ [RLIMIT_RTTIME] = "Max realtime timeout",
#endif
};
static int str2rlimit(char *name) {
int i;
if (!name || *name == '\0')
- return -1;
+ return -1;
for(i = 0; i < RLIM_NLIMITS; i++) {
- if (strcmp(name, lnames[i]) == 0) return i;
+ if (strcmp(name, lnames[i]) == 0) return i;
}
return -1;
}
@@ -360,25 +360,25 @@ static rlim_t str2rlim_t(char *value) {
if (!value) return (rlim_t)rlimit;
if (strcmp(value, "unlimited") == 0) {
- return RLIM_INFINITY;
+ return RLIM_INFINITY;
}
rlimit = strtoull(value, NULL, 10);
return (rlim_t)rlimit;
}
#define LIMITS_SKIP_WHITESPACE { \
- /* step backwards over spaces */ \
- pos--; \
- while (pos && line[pos] == ' ') pos--; \
- if (!pos) continue; \
- line[pos+1] = '\0'; \
+ /* step backwards over spaces */ \
+ pos--; \
+ while (pos && line[pos] == ' ') pos--; \
+ if (!pos) continue; \
+ line[pos+1] = '\0'; \
}
#define LIMITS_MARK_ITEM(item) { \
- /* step backwards over non-spaces */ \
- pos--; \
- while (pos && line[pos] != ' ') pos--; \
- if (!pos) continue; \
- item = line + pos + 1; \
+ /* step backwards over non-spaces */ \
+ pos--; \
+ while (pos && line[pos] != ' ') pos--; \
+ if (!pos) continue; \
+ item = line + pos + 1; \
}
static void parse_kernel_limits(pam_handle_t *pamh, struct pam_limit_s *pl, int ctrl)
@@ -390,54 +390,54 @@ static void parse_kernel_limits(pam_hand
char *hard, *soft, *name;
if (!(limitsfile = fopen(proclimits, "r"))) {
- pam_syslog(pamh, LOG_WARNING, "Could not read %s (%s), using PAM defaults", proclimits, strerror(errno));
- return;
+ pam_syslog(pamh, LOG_WARNING, "Could not read %s (%s), using PAM defaults", proclimits, strerror(errno));
+ return;
}
while (fgets(line, 256, limitsfile)) {
- int pos = strlen(line);
- if (pos < 2) continue;
+ int pos = strlen(line);
+ if (pos < 2) continue;
+
+ /* drop trailing newline */
+ if (line[pos-1] == '\n') {
+ pos--;
+ line[pos] = '\0';
+ }
- /* drop trailing newline */
- if (line[pos-1] == '\n') {
- pos--;
- line[pos] = '\0';
- }
-
- /* determine formatting boundary of limits report */
- if (!maxlen && pam_str_skip_prefix(line, "Limit") != NULL) {
- maxlen = pos;
- continue;
- }
-
- if (pos == maxlen) {
- /* step backwards over "Units" name */
- LIMITS_SKIP_WHITESPACE;
- LIMITS_MARK_ITEM(hard); /* not a typo, units unused */
- }
-
- /* step backwards over "Hard Limit" value */
- LIMITS_SKIP_WHITESPACE;
- LIMITS_MARK_ITEM(hard);
-
- /* step backwards over "Soft Limit" value */
- LIMITS_SKIP_WHITESPACE;
- LIMITS_MARK_ITEM(soft);
-
- /* step backwards over name of limit */
- LIMITS_SKIP_WHITESPACE;
- name = line;
-
- i = str2rlimit(name);
- if (i < 0 || i >= RLIM_NLIMITS) {
- if (ctrl & PAM_DEBUG_ARG)
- pam_syslog(pamh, LOG_DEBUG, "Unknown kernel rlimit '%s' ignored", name);
- continue;
- }
- pl->limits[i].limit.rlim_cur = str2rlim_t(soft);
- pl->limits[i].limit.rlim_max = str2rlim_t(hard);
- pl->limits[i].src_soft = LIMITS_DEF_KERNEL;
- pl->limits[i].src_hard = LIMITS_DEF_KERNEL;
+ /* determine formatting boundary of limits report */
+ if (!maxlen && pam_str_skip_prefix(line, "Limit") != NULL) {
+ maxlen = pos;
+ continue;
+ }
+
+ if (pos == maxlen) {
+ /* step backwards over "Units" name */
+ LIMITS_SKIP_WHITESPACE;
+ LIMITS_MARK_ITEM(hard); /* not a typo, units unused */
+ }
+
+ /* step backwards over "Hard Limit" value */
+ LIMITS_SKIP_WHITESPACE;
+ LIMITS_MARK_ITEM(hard);
+
+ /* step backwards over "Soft Limit" value */
+ LIMITS_SKIP_WHITESPACE;
+ LIMITS_MARK_ITEM(soft);
+
+ /* step backwards over name of limit */
+ LIMITS_SKIP_WHITESPACE;
+ name = line;
+
+ i = str2rlimit(name);
+ if (i < 0 || i >= RLIM_NLIMITS) {
+ if (ctrl & PAM_DEBUG_ARG)
+ pam_syslog(pamh, LOG_DEBUG, "Unknown kernel rlimit '%s' ignored", name);
+ continue;
+ }
+ pl->limits[i].limit.rlim_cur = str2rlim_t(soft);
+ pl->limits[i].limit.rlim_max = str2rlim_t(hard);
+ pl->limits[i].src_soft = LIMITS_DEF_KERNEL;
+ pl->limits[i].src_hard = LIMITS_DEF_KERNEL;
}
fclose(limitsfile);
}
@@ -486,6 +486,54 @@ static int init_limits(pam_handle_t *pam
return retval;
}
+/*
+ * Read the contents of /proc/sys/fs/<name>
+ * return 1 if conversion succeeds, result is in *valuep
+ * return 0 if conversion fails.
+ */
+static int
+value_from_proc_sys_fs(const pam_handle_t *pamh, const char *name, rlim_t *valuep)
+{
+ char pathname[128];
+ char buf[128];
+ FILE *fp;
+ int retval;
+
+ retval = 0;
+
+ snprintf(pathname, sizeof(pathname), "/proc/sys/fs/%s", name);
+
+ if ((fp = fopen(pathname, "r")) != NULL) {
+ if (fgets(buf, sizeof(buf), fp) != NULL) {
+ char *endptr;
+
+#ifdef __USE_FILE_OFFSET64
+ *valuep = strtoull(buf, &endptr, 10);
+#else
+ *valuep = strtoul(buf, &endptr, 10);
+#endif
+
+ retval = (endptr != buf);
+ }
+
+ fclose(fp);
+ }
+
+ return retval;
+}
+
+/*
+ * Check if the string passed as the argument corresponds to
+ * "unlimited"
+ */
+static inline int
+is_unlimited(const char *lim_value)
+{
+ return strcmp(lim_value, "-1") == 0
+ || strcmp(lim_value, "-") == 0
+ || strcmp(lim_value, "unlimited") == 0
+ || strcmp(lim_value, "infinity") == 0;
+}
static void
process_limit (const pam_handle_t *pamh, int source, const char *lim_type,
@@ -505,9 +553,9 @@ process_limit (const pam_handle_t *pamh,
limits_def_names[source]);
if (strcmp(lim_item, "cpu") == 0)
- limit_item = RLIMIT_CPU;
+ limit_item = RLIMIT_CPU;
else if (strcmp(lim_item, "fsize") == 0)
- limit_item = RLIMIT_FSIZE;
+ limit_item = RLIMIT_FSIZE;
else if (strcmp(lim_item, "data") == 0)
limit_item = RLIMIT_DATA;
else if (strcmp(lim_item, "stack") == 0)
@@ -557,8 +605,8 @@ process_limit (const pam_handle_t *pamh,
} else if (strcmp(lim_item, "nonewprivs") == 0) {
limit_item = LIMIT_NONEWPRIVS;
} else {
- pam_syslog(pamh, LOG_DEBUG, "unknown limit item '%s'", lim_item);
- return;
+ pam_syslog(pamh, LOG_DEBUG, "unknown limit item '%s'", lim_item);
+ return;
}
if (strcmp(lim_type,"soft")==0)
@@ -569,9 +617,10 @@ process_limit (const pam_handle_t *pamh,
limit_type=LIMIT_SOFT | LIMIT_HARD;
else if (limit_item != LIMIT_LOGIN && limit_item != LIMIT_NUMSYSLOGINS
&& limit_item != LIMIT_NONEWPRIVS) {
- pam_syslog(pamh, LOG_DEBUG, "unknown limit type '%s'", lim_type);
- return;
+ pam_syslog(pamh, LOG_DEBUG, "unknown limit type '%s'", lim_type);
+ return;
}
+
if (limit_item == LIMIT_NONEWPRIVS) {
/* just require a bool-style 0 or 1 */
if (strcmp(lim_value, "0") == 0) {
@@ -587,9 +636,7 @@ process_limit (const pam_handle_t *pamh,
#ifdef RLIMIT_NICE
&& limit_item != RLIMIT_NICE
#endif
- && (strcmp(lim_value, "-1") == 0
- || strcmp(lim_value, "-") == 0 || strcmp(lim_value, "unlimited") == 0
- || strcmp(lim_value, "infinity") == 0)) {
+ && is_unlimited(lim_value)) {
int_value = -1;
rlimit_value = RLIM_INFINITY;
} else if (limit_item == LIMIT_PRI || limit_item == LIMIT_LOGIN ||
@@ -605,7 +652,7 @@ process_limit (const pam_handle_t *pamh,
pam_syslog(pamh, LOG_DEBUG,
"wrong limit value '%s' for limit type '%s'",
lim_value, lim_type);
- return;
+ return;
}
} else {
#ifdef __USE_FILE_OFFSET64
@@ -631,7 +678,7 @@ process_limit (const pam_handle_t *pamh,
}
switch(limit_item) {
- case RLIMIT_CPU:
+ case RLIMIT_CPU:
if (rlimit_value != RLIM_INFINITY)
{
if (rlimit_value >= RLIM_INFINITY/60)
@@ -639,17 +686,17 @@ process_limit (const pam_handle_t *pamh,
else
rlimit_value *= 60;
}
- break;
- case RLIMIT_FSIZE:
- case RLIMIT_DATA:
- case RLIMIT_STACK:
- case RLIMIT_CORE:
- case RLIMIT_RSS:
- case RLIMIT_MEMLOCK:
+ break;
+ case RLIMIT_FSIZE:
+ case RLIMIT_DATA:
+ case RLIMIT_STACK:
+ case RLIMIT_CORE:
+ case RLIMIT_RSS:
+ case RLIMIT_MEMLOCK:
#ifdef RLIMIT_AS
- case RLIMIT_AS:
+ case RLIMIT_AS:
#endif
- if (rlimit_value != RLIM_INFINITY)
+ if (rlimit_value != RLIM_INFINITY)
{
if (rlimit_value >= RLIM_INFINITY/1024)
rlimit_value = RLIM_INFINITY;
@@ -664,29 +711,42 @@ process_limit (const pam_handle_t *pamh,
if (int_value < -20)
int_value = -20;
rlimit_value = 20 - int_value;
- break;
+ break;
#endif
+ case RLIMIT_NOFILE:
+ /*
+ * If nofile is to be set to "unlimited", try to set it to
+ * the value in /proc/sys/fs/nr_open instead.
+ */
+ if (rlimit_value == RLIM_INFINITY) {
+ if (!value_from_proc_sys_fs(pamh, "nr_open", &rlimit_value))
+ pam_syslog(pamh, LOG_DEBUG,
+ "Cannot set \"nofile\" to a sensible value");
+ else
+ pam_syslog(pamh, LOG_WARNING, "Setting \"nofile\" limit to %lu", (long unsigned) rlimit_value);
+ }
+ break;
}
if ( (limit_item != LIMIT_LOGIN)
&& (limit_item != LIMIT_NUMSYSLOGINS)
&& (limit_item != LIMIT_PRI)
&& (limit_item != LIMIT_NONEWPRIVS) ) {
- if (limit_type & LIMIT_SOFT) {
+ if (limit_type & LIMIT_SOFT) {
if (pl->limits[limit_item].src_soft < source) {
- return;
+ return;
} else {
- pl->limits[limit_item].limit.rlim_cur = rlimit_value;
- pl->limits[limit_item].src_soft = source;
- }
+ pl->limits[limit_item].limit.rlim_cur = rlimit_value;
+ pl->limits[limit_item].src_soft = source;
+ }
}
- if (limit_type & LIMIT_HARD) {
+ if (limit_type & LIMIT_HARD) {
if (pl->limits[limit_item].src_hard < source) {
- return;
- } else {
- pl->limits[limit_item].limit.rlim_max = rlimit_value;
- pl->limits[limit_item].src_hard = source;
- }
+ return;
+ } else {
+ pl->limits[limit_item].limit.rlim_max = rlimit_value;
+ pl->limits[limit_item].src_hard = source;
+ }
}
} else {
/* recent kernels support negative priority limits (=raise priority) */
@@ -764,42 +824,42 @@ parse_config_file(pam_handle_t *pamh, co
/* check for the LIMITS_FILE */
if (ctrl & PAM_DEBUG_ARG)
- pam_syslog(pamh, LOG_DEBUG, "reading settings from '%s'", CONF_FILE);
+ pam_syslog(pamh, LOG_DEBUG, "reading settings from '%s'", CONF_FILE);
fil = fopen(CONF_FILE, "r");
if (fil == NULL) {
- pam_syslog (pamh, LOG_WARNING,
+ pam_syslog (pamh, LOG_WARNING,
"cannot read settings from %s: %m", CONF_FILE);
- return PAM_SERVICE_ERR;
+ return PAM_SERVICE_ERR;
}
/* start the show */
while (fgets(buf, LINE_LENGTH, fil) != NULL) {
- char domain[LINE_LENGTH];
- char ltype[LINE_LENGTH];
- char item[LINE_LENGTH];
- char value[LINE_LENGTH];
- int i;
- int rngtype;
- size_t j;
- char *tptr,*line;
- uid_t min_uid = (uid_t)-1, max_uid = (uid_t)-1;
-
- line = buf;
- /* skip the leading white space */
- while (*line && isspace(*line))
- line++;
-
- /* Rip off the comments */
- tptr = strchr(line,'#');
- if (tptr)
- *tptr = '\0';
- /* Rip off the newline char */
- tptr = strchr(line,'\n');
- if (tptr)
- *tptr = '\0';
- /* Anything left ? */
- if (!strlen(line))
- continue;
+ char domain[LINE_LENGTH];
+ char ltype[LINE_LENGTH];
+ char item[LINE_LENGTH];
+ char value[LINE_LENGTH];
+ int i;
+ int rngtype;
+ size_t j;
+ char *tptr,*line;
+ uid_t min_uid = (uid_t)-1, max_uid = (uid_t)-1;
+
+ line = buf;
+ /* skip the leading white space */
+ while (*line && isspace(*line))
+ line++;
+
+ /* Rip off the comments */
+ tptr = strchr(line,'#');
+ if (tptr)
+ *tptr = '\0';
+ /* Rip off the newline char */
+ tptr = strchr(line,'\n');
+ if (tptr)
+ *tptr = '\0';
+ /* Anything left ? */
+ if (!strlen(line))
+ continue;
domain[0] = ltype[0] = item[0] = value[0] = '\0';
@@ -807,23 +867,23 @@ parse_config_file(pam_handle_t *pamh, co
D(("scanned line[%d]: domain[%s], ltype[%s], item[%s], value[%s]",
i, domain, ltype, item, value));
- for(j=0; j < strlen(ltype); j++)
- ltype[j]=tolower(ltype[j]);
+ for(j=0; j < strlen(ltype); j++)
+ ltype[j]=tolower(ltype[j]);
if ((rngtype=parse_uid_range(pamh, domain, &min_uid, &max_uid)) < 0) {
pam_syslog(pamh, LOG_WARNING, "invalid uid range '%s' - skipped", domain);
continue;
}
- if (i == 4) { /* a complete line */
+ if (i == 4) { /* a complete line */
for(j=0; j < strlen(item); j++)
item[j]=tolower(item[j]);
for(j=0; j < strlen(value); j++)
value[j]=tolower(value[j]);
- if (strcmp(uname, domain) == 0) /* this user have a limit */
- process_limit(pamh, LIMITS_DEF_USER, ltype, item, value, ctrl, pl);
- else if (domain[0]=='@') {
+ if (strcmp(uname, domain) == 0) /* this user have a limit */
+ process_limit(pamh, LIMITS_DEF_USER, ltype, item, value, ctrl, pl);
+ else if (domain[0]=='@') {
if (ctrl & PAM_DEBUG_ARG) {
pam_syslog(pamh, LOG_DEBUG,
"checking if %s is in group %s",
@@ -849,7 +909,7 @@ parse_config_file(pam_handle_t *pamh, co
process_limit(pamh, LIMITS_DEF_GROUP, ltype, item, value, ctrl,
pl);
}
- } else if (domain[0]=='%') {
+ } else if (domain[0]=='%') {
if (ctrl & PAM_DEBUG_ARG) {
pam_syslog(pamh, LOG_DEBUG,
"checking if %s is in group %s",
@@ -880,7 +940,7 @@ parse_config_file(pam_handle_t *pamh, co
case LIMIT_RANGE_MM:
pam_syslog(pamh, LOG_WARNING, "range unsupported for %%group matching - ignored");
}
- } else {
+ } else {
switch(rngtype) {
case LIMIT_RANGE_NONE:
if (strcmp(domain, "*") == 0)
@@ -951,8 +1011,8 @@ parse_config_file(pam_handle_t *pamh, co
}
fclose(fil);
return PAM_IGNORE;
- } else {
- pam_syslog(pamh, LOG_WARNING, "invalid line '%s' - skipped", line);
+ } else {
+ pam_syslog(pamh, LOG_WARNING, "invalid line '%s' - skipped", line);
}
}
fclose(fil);
@@ -979,8 +1039,8 @@ static int setup_limits(pam_handle_t *pa
/* skip it if its not initialized */
continue;
}
- if (pl->limits[i].limit.rlim_cur > pl->limits[i].limit.rlim_max)
- pl->limits[i].limit.rlim_cur = pl->limits[i].limit.rlim_max;
+ if (pl->limits[i].limit.rlim_cur > pl->limits[i].limit.rlim_max)
+ pl->limits[i].limit.rlim_cur = pl->limits[i].limit.rlim_max;
res = setrlimit(i, &pl->limits[i].limit);
if (res != 0)
pam_syslog(pamh, LOG_ERR, "Could not set limit for '%s': %m",
@@ -989,30 +1049,30 @@ static int setup_limits(pam_handle_t *pa
}
if (status) {
- retval = LIMIT_ERR;
+ retval = LIMIT_ERR;
}
status = setpriority(PRIO_PROCESS, 0, pl->priority);
if (status != 0) {
- pam_syslog(pamh, LOG_ERR, "Could not set limit for PRIO_PROCESS: %m");
- retval = LIMIT_ERR;
+ pam_syslog(pamh, LOG_ERR, "Could not set limit for PRIO_PROCESS: %m");
+ retval = LIMIT_ERR;
}
if (uid == 0) {
D(("skip login limit check for uid=0"));
} else if (pl->login_limit > 0) {
- if (check_logins(pamh, uname, pl->login_limit, ctrl, pl) == LOGIN_ERR) {
+ if (check_logins(pamh, uname, pl->login_limit, ctrl, pl) == LOGIN_ERR) {
#ifdef HAVE_LIBAUDIT
if (!(ctrl & PAM_NO_AUDIT)) {
pam_modutil_audit_write(pamh, AUDIT_ANOM_LOGIN_SESSIONS,
"pam_limits", PAM_PERM_DENIED);
/* ignore return value as we fail anyway */
- }
+ }
#endif
- retval |= LOGIN_ERR;
+ retval |= LOGIN_ERR;
}
} else if (pl->login_limit == 0) {
- retval |= LOGIN_ERR;
+ retval |= LOGIN_ERR;
}
if (pl->nonewprivs) {
@@ -1049,22 +1109,22 @@ pam_sm_open_session (pam_handle_t *pamh,
ctrl = _pam_parse(pamh, argc, argv, pl);
retval = pam_get_item( pamh, PAM_USER, (void*) &user_name );
if ( user_name == NULL || retval != PAM_SUCCESS ) {
- pam_syslog(pamh, LOG_ERR, "open_session - error recovering username");
- return PAM_SESSION_ERR;
+ pam_syslog(pamh, LOG_ERR, "open_session - error recovering username");
+ return PAM_SESSION_ERR;
}
pwd = pam_modutil_getpwnam(pamh, user_name);
if (!pwd) {
- if (ctrl & PAM_DEBUG_ARG)
- pam_syslog(pamh, LOG_WARNING,
+ if (ctrl & PAM_DEBUG_ARG)
+ pam_syslog(pamh, LOG_WARNING,
"open_session username '%s' does not exist", user_name);
- return PAM_USER_UNKNOWN;
+ return PAM_USER_UNKNOWN;
}
retval = init_limits(pamh, pl, ctrl);
if (retval != PAM_SUCCESS) {
- pam_syslog(pamh, LOG_ERR, "cannot initialize");
- return PAM_ABORT;
+ pam_syslog(pamh, LOG_ERR, "cannot initialize");
+ return PAM_ABORT;
}
retval = parse_config_file(pamh, pwd->pw_name, pwd->pw_uid, pwd->pw_gid, ctrl, pl);
@@ -1099,7 +1159,7 @@ pam_sm_open_session (pam_handle_t *pamh,
}
if (retval != PAM_SUCCESS)
goto out;
- }
+ }
}
out:
@@ -1115,7 +1175,7 @@ out:
pam_error(pamh, _("There were too many logins for '%s'."),
pwd->pw_name);
if (retval != LIMITED_OK) {
- return PAM_PERM_DENIED;
+ return PAM_PERM_DENIED;
}
return PAM_SUCCESS;


@ -12,7 +12,7 @@ grep -rh LOGIN_DEFS . |
sed -n 's/^.*search_key *([A-Za-z_]*, *[A-Z_]*LOGIN_DEFS, *"\([A-Z0-9_]*\)").*$/\1/p' |
LC_ALL=C sort -u >pam-login_defs-vars.lst
if test $(sha1sum pam-login_defs-vars.lst | sed 's/ .*$//') != 3c6e0020c31609690b69ef391654df930b74151d ; then
if test $(sha1sum pam-login_defs-vars.lst | sed 's/ .*$//') != e9750fd874b9b55fc151d424ae048050e3858d57 ; then
echo "does not match!" >&2
echo "Checksum is: $(sha1sum pam-login_defs-vars.lst | sed 's/ .*$//')" >&2
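Review bot: The updated digest comparison `if test $(sha1sum pam-login_defs-vars.lst | sed 's/ .*$//') != e9750fd874b9b55fc151d424ae048050e3858d57 ; then` leaves the command substitution unquoted, so if pam-login_defs-vars.lst is missing or sha1sum fails, `test` is left with a missing operand and the script aborts with a confusing "unary operator expected" style error rather than reporting the mismatch cleanly. Quoting it, `if test "$(sha1sum pam-login_defs-vars.lst | sed 's/ .*$//')" != e9750fd874b9b55fc151d424ae048050e3858d57 ; then`, makes that failure mode take the explicit "does not match!" path. The old and new digest lines are printed one after the other on this page without markers; the second appears to be the new value, which I have assumed here. The enclosing if block continues past the end of this section.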


@ -1,81 +0,0 @@
Index: Linux-PAM-1.4.0/modules/pam_cracklib/pam_cracklib.c
===================================================================
--- Linux-PAM-1.4.0.orig/modules/pam_cracklib/pam_cracklib.c
+++ Linux-PAM-1.4.0/modules/pam_cracklib/pam_cracklib.c
@@ -88,6 +88,7 @@ struct cracklib_options {
int reject_user;
int gecos_check;
int enforce_for_root;
+ int user_substr;
const char *cracklib_dictpath;
};
@@ -185,6 +186,10 @@ _pam_parse (pam_handle_t *pamh, struct c
if (!*(opt->cracklib_dictpath)) {
opt->cracklib_dictpath = CRACKLIB_DICTS;
}
+ } else if ((str = pam_str_skip_prefix(*argv, "usersubstr=")) != NULL) {
+ opt->user_substr = strtol(str, &ep, 10);
+ if (ep == str)
+ opt->user_substr = 0;
} else {
pam_syslog(pamh,LOG_ERR,"pam_parse: unknown option; %s",*argv);
}
@@ -525,13 +530,54 @@ static int wordcheck(const char *new, ch
return 0;
}
+/*
+ * RETURNS: True if the password is unacceptable, else false
+ */
+static int usersubstr(int len, const char *new, char *user)
+{
+ int i, userlen;
+ int bad = 0; // Assume it's OK unless proven otherwise
+ char *subuser = calloc(len+1, sizeof(char));
+
+ if (subuser == NULL) {
+ return 1;
+ }
+
+ userlen = strlen(user);
+
+ if (len >= CO_MIN_WORD_LENGTH &&
+ userlen > len) {
+ for(i = 0; !bad && (i <= userlen - len); i++) {
+ strncpy(subuser, user+i, len+1);
+ subuser[len] = '\0';
+ bad = wordcheck(new, subuser);
+ }
+ } else {
+ // if we already tested substrings, there's no need to test
+ // the whole username; all substrings would've been found :)
+ if (!bad)
+ bad = wordcheck(new, user);
+ }
+
+ free(subuser);
+
+ return bad;
+}
+
+/*
+ * RETURNS: True if the password is unacceptable, else false
+ */
static int usercheck(struct cracklib_options *opt, const char *new,
char *user)
{
- if (!opt->reject_user)
- return 0;
+ int bad = 0;
+
+ if (opt->reject_user)
+ bad = wordcheck(new, user);
+ if (!bad && opt->user_substr != 0)
+ bad = usersubstr(opt->user_substr, new, user);
- return wordcheck(new, user);
+ return bad;
}
static char * str_lower(char *string)


@ -1,3 +1,55 @@
-------------------------------------------------------------------
Wed Sep 15 13:34:52 UTC 2021 - Thorsten Kukuk <kukuk@suse.com>
- Rename motd.tmpfiles to pam.tmpfiles
- Add /run/faillock directory
-------------------------------------------------------------------
Fri Sep 10 10:08:28 UTC 2021 - Thorsten Kukuk <kukuk@suse.com>
- pam-login_defs-check.sh: adjust for new login.defs variable usages
-------------------------------------------------------------------
Mon Sep 6 11:51:30 UTC 2021 - Josef Möllers <josef.moellers@suse.com>
- Update to 1.5.2
Noteworthy changes in Linux-PAM 1.5.2:
* pam_exec: implemented quiet_log option.
* pam_mkhomedir: added support of HOME_MODE and UMASK from
/etc/login.defs.
* pam_timestamp: changed hmac algorithm to call openssl instead
of the bundled sha1 implementation if selected, added option
to select the hash algorithm to use with HMAC.
* Added pkgconfig files for provided libraries.
* Added --with-systemdunitdir configure option to specify systemd
unit directory.
* Added --with-misc-conv-bufsize configure option to specify the
buffer size in libpam_misc's misc_conv() function, raised the
default value for this parameter from 512 to 4096.
* Multiple minor bug fixes, portability fixes, documentation
improvements, and translation updates.
pam_tally2 has been removed upstream, remove pam_tally2-removal.patch
pam_cracklib has been removed from the upstream sources. This
obsoletes pam-pam_cracklib-add-usersubstr.patch and
pam_cracklib-removal.patch.
The following patches have been accepted upstream and, so,
are obsolete:
- pam-bsc1181443-make-nofile-unlimited-mean-nr_open.patch
- pam_securetty-don-t-complain-about-missing-config.patch
- bsc1184358-prevent-LOCAL-from-being-resolved.patch
- revert-check_shadow_expiry.diff
[Linux-PAM-1.5.2-docs.tar.xz, Linux-PAM-1.5.2-docs.tar.xz.asc,
Linux-PAM-1.5.2.tar.xz, Linux-PAM-1.5.2.tar.xz.asc,
pam-pam_cracklib-add-usersubstr.patch, pam_cracklib-removal.patch,
pam-bsc1181443-make-nofile-unlimited-mean-nr_open.patch,
pam_securetty-don-t-complain-about-missing-config.patch,
bsc1184358-prevent-LOCAL-from-being-resolved.patch,
revert-check_shadow_expiry.diff]
-------------------------------------------------------------------
Thu Aug 12 14:42:54 UTC 2021 - Thorsten Kukuk <kukuk@suse.com>


@ -31,7 +31,7 @@
#
Name: pam
#
Version: 1.5.1
Version: 1.5.2
Release: 0
Summary: A Security Tool that Provides Authentication for Applications
License: GPL-2.0-or-later OR BSD-3-Clause
@ -49,23 +49,16 @@ Source9: baselibs.conf
Source10: unix2_chkpwd.c
Source11: unix2_chkpwd.8
Source12: pam-login_defs-check.sh
Source13: motd.tmpfiles
Source13: pam.tmpfiles
Source14: Linux-PAM-%{version}-docs.tar.xz.asc
Source15: Linux-PAM-%{version}.tar.xz.asc
Patch2: pam-limit-nproc.patch
Patch4: pam-hostnames-in-access_conf.patch
Patch5: pam-xauth_ownership.patch
Patch6: pam_cracklib-removal.patch
Patch7: pam_tally2-removal.patch
Patch8: pam-bsc1177858-dont-free-environment-string.patch
Patch9: pam-pam_cracklib-add-usersubstr.patch
Patch10: pam-bsc1181443-make-nofile-unlimited-mean-nr_open.patch
Patch11: bsc1184358-prevent-LOCAL-from-being-resolved.patch
Patch12: pam_umask-usergroups-login_defs.patch
# https://github.com/linux-pam/linux-pam/commit/e842a5fc075002f46672ebcd8e896624f1ec8068
Patch100: pam_securetty-don-t-complain-about-missing-config.patch
Patch101: revert-check_shadow_expiry.diff
BuildRequires: audit-devel
BuildRequires: bison
BuildRequires: cracklib-devel
BuildRequires: flex
BuildRequires: libtool
BuildRequires: xz
@ -121,9 +114,7 @@ a Berkeley DB database.
%package doc
Summary: Documentation for Pluggable Authentication Modules
Group: Documentation/HTML
%if 0%{?suse_version} >= 1140
BuildArch: noarch
%endif
%description doc
PAM (Pluggable Authentication Modules) is a system security tool that
@ -146,36 +137,14 @@ having to recompile programs which do authentication.
This package contains header files and static libraries used for
building both PAM-aware applications and modules for use with PAM.
%package deprecated
Summary: Deprecated PAM Modules
Group: System/Libraries
Provides: pam:/%{_lib}/security/pam_cracklib.so
Provides: pam:/%{_lib}/security/pam_tally2.so
%description deprecated
PAM (Pluggable Authentication Modules) is a system security tool that
allows system administrators to set authentication policies without
having to recompile programs that do authentication.
This package contains deprecated extra modules like pam_cracklib and
pam_tally2, which are no longer supported upstream and will be completly
removed with one of the next releases.
%prep
%setup -q -n Linux-PAM-%{version} -b 1
cp -a %{SOURCE12} .
%patch2 -p1
%patch4 -p1
%patch5 -p1
%patch6 -R -p1
%patch7 -R -p1
%patch8 -p1
%patch9 -p1
%patch10 -p1
%patch11 -p1
%patch12 -p1
%patch100 -p1
%patch101 -p1
%build
bash ./pam-login_defs-check.sh
@ -192,9 +161,9 @@ CFLAGS="$CFLAGS -DNDEBUG"
--enable-securedir=%{_pam_moduledir} \
--enable-vendordir=%{_distconfdir} \
%if %{with debug}
--enable-debug \
--enable-debug
%endif
--enable-tally2 --enable-cracklib
%make_build
gcc -fwhole-program -fpie -pie -D_FILE_OFFSET_BITS=64 -D_GNU_SOURCE %{optflags} -I%{_builddir}/Linux-PAM-%{version}/libpam/include %{SOURCE10} -o %{_builddir}/unix2_chkpwd -L%{_builddir}/Linux-PAM-%{version}/libpam/.libs -lpam
@ -246,7 +215,7 @@ echo '.so man8/pam_motd.8' > %{buildroot}%{_mandir}/man5/motd.5
# rpm macros
install -D -m 644 %{SOURCE2} %{buildroot}%{_rpmmacrodir}/macros.pam
# /run/motd.d
install -Dm0644 %{SOURCE13} %{buildroot}%{_tmpfilesdir}/motd.conf
install -Dm0644 %{SOURCE13} %{buildroot}%{_tmpfilesdir}/pam.conf
# Create filelist with translations
%find_lang Linux-PAM
@ -258,7 +227,7 @@ install -Dm0644 %{SOURCE13} %{buildroot}%{_tmpfilesdir}/motd.conf
/sbin/ldconfig
%set_permissions %{_sbindir}/unix_chkpwd
%set_permissions %{_sbindir}/unix2_chkpwd
%tmpfiles_create %{_tmpfilesdir}/motd.conf
%tmpfiles_create %{_tmpfilesdir}/pam.conf
%postun -p /sbin/ldconfig
%pre
@ -279,7 +248,6 @@ done
%dir %{_pam_secconfdir}
%dir %{_pam_secconfdir}/limits.d
%dir %{_prefix}/lib/motd.d
%ghost %dir %{_rundir}/motd.d
%if %{defined config_noreplace}
%config(noreplace) %{_pam_confdir}/other
%config(noreplace) %{_pam_confdir}/common-*
@ -421,7 +389,7 @@ done
%verify(not mode) %attr(4755,root,shadow) %{_sbindir}/unix2_chkpwd
%attr(0700,root,root) %{_sbindir}/unix_update
%{_unitdir}/pam_namespace.service
%{_tmpfilesdir}/motd.conf
%{_tmpfilesdir}/pam.conf
%files -n pam_unix
%defattr(-,root,root,755)
@ -436,12 +404,6 @@ done
%{_pam_moduledir}/pam_userdb.so
%{_mandir}/man8/pam_userdb.8%{?ext_man}
%files deprecated
%defattr(-,root,root,755)
%{_pam_moduledir}/pam_cracklib.so
%{_pam_moduledir}/pam_tally2.so
%{_sbindir}/pam_tally2
%files doc
%defattr(644,root,root,755)
%dir %{_defaultdocdir}/pam
@ -460,5 +422,6 @@ done
%{_libdir}/libpamc.so
%{_libdir}/libpam_misc.so
%{_rpmmacrodir}/macros.pam
%{_libdir}/pkgconfig/pam*.pc
%changelog
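Review bot: The `# /run/motd.d` comment above `install -Dm0644 %{SOURCE13} %{buildroot}%{_tmpfilesdir}/pam.conf` is now stale, because the renamed pam.tmpfiles also declares /run/faillock; I'd change it to `# tmpfiles.d entries for /run/motd.d and /run/faillock (pam.tmpfiles)`. The -279,7 +248,6 hunk of the %files list appears to drop `%ghost %dir %{_rundir}/motd.d` without adding a counterpart for /run/faillock, so neither runtime directory is recorded as package-owned any more; the rendered view loses the old/new markers, so this is inferred from the hunk counts rather than certain. If that is intentional because tmpfiles.d now owns both directories, a one-line comment next to the `%tmpfiles_create %{_tmpfilesdir}/pam.conf` call saying so would spare the next reader the question.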

3
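--- /dev/null
+++ b/pam.tmpfiles
@@ -0,0 +1,3 @@
+#Type Path Mode User Group Age Argument
+d /run/faillock 0755 root root - -
+d /run/motd.d 0755 root root - -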
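Review bot: The new `d /run/faillock 0755 root root - -` entry carries no comment tying it to its consumer, and the changelog only says "Add /run/faillock directory"; since pam_faillock(8) documents /var/run/faillock as its default tally directory, I'd add `# /run/faillock: default tally directory of pam_faillock, created at boot so the first failed login can be recorded` above it. I have not verified whether 1.5.2's pam_faillock creates the directory itself when missing, so the second half of that comment should be confirmed against the module before it goes in. Mode 0755 lets every local user list the directory, and the entries in it are named after users with recorded failures, which is worth a note of its own if that is the intended trade-off; do not tighten it without checking, because applications that run the auth stack without root privileges may need to read the tally files from this directory.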



@ -1,40 +0,0 @@
From e842a5fc075002f46672ebcd8e896624f1ec8068 Mon Sep 17 00:00:00 2001
From: Ludwig Nussel <ludwig.nussel@suse.de>
Date: Tue, 26 Jan 2021 13:07:20 +0100
Subject: [PATCH] pam_securetty: don't complain about missing config
Not shipping a config file should be perfectly valid for distros while
still having eg login pre-configured to honor securetty when present.
PAM itself doesn't ship any template either. So avoid spamming the log
file if /etc/securetty wasn't found.
---
modules/pam_securetty/pam_securetty.c | 6 ++++--
1 file changed, 4 insertions(+), 2 deletions(-)
diff --git a/modules/pam_securetty/pam_securetty.c b/modules/pam_securetty/pam_securetty.c
index b4d71751..47a5cd9f 100644
--- a/modules/pam_securetty/pam_securetty.c
+++ b/modules/pam_securetty/pam_securetty.c
@@ -111,7 +111,8 @@ securetty_perform_check (pam_handle_t *pamh, int ctrl,
#ifdef VENDORDIR
if (errno == ENOENT) {
if (stat(SECURETTY2_FILE, &ttyfileinfo)) {
- pam_syslog(pamh, LOG_NOTICE,
+ if (ctrl & PAM_DEBUG_ARG)
+ pam_syslog(pamh, LOG_DEBUG,
"Couldn't open %s: %m", SECURETTY2_FILE);
return PAM_SUCCESS; /* for compatibility with old securetty handling,
this needs to succeed. But we still log the
@@ -120,7 +121,8 @@ securetty_perform_check (pam_handle_t *pamh, int ctrl,
securettyfile = SECURETTY2_FILE;
} else {
#endif
- pam_syslog(pamh, LOG_NOTICE, "Couldn't open %s: %m", SECURETTY_FILE);
+ if (ctrl & PAM_DEBUG_ARG)
+ pam_syslog(pamh, LOG_DEBUG, "Couldn't open %s: %m", SECURETTY_FILE);
return PAM_SUCCESS; /* for compatibility with old securetty handling,
this needs to succeed. But we still log the
error. */
--
2.26.2



@ -4,9 +4,72 @@ Deprecate pam_umask explicit "usergroups" option and instead read it from /etc/l
Original Author: Martin Pitt <martin.pitt@ubuntu.com>
Bug-Debian: http://bugs.debian.org/583958
diff -urN Linux-PAM-1.5.1.pre/modules/pam_umask/pam_umask.8.xml Linux-PAM-1.5.1/modules/pam_umask/pam_umask.8.xml
--- Linux-PAM-1.5.1.pre/modules/pam_umask/pam_umask.8.xml 2020-11-25 17:57:02.000000000 +0100
+++ Linux-PAM-1.5.1/modules/pam_umask/pam_umask.8.xml 2021-08-12 16:02:56.108249895 +0200
Index: Linux-PAM-1.5.2/modules/pam_umask/README
===================================================================
--- Linux-PAM-1.5.2.orig/modules/pam_umask/README
+++ Linux-PAM-1.5.2/modules/pam_umask/README
@@ -15,7 +15,7 @@ following order:
• umask= argument
- • UMASK entry from /etc/login.defs
+ • UMASK entry from /etc/login.defs (influenced by USERGROUPS_ENAB)
• UMASK= entry from /etc/default/login
@@ -38,7 +38,10 @@ usergroups
If the user is not root and the username is the same as primary group name,
the umask group bits are set to be the same as owner bits (examples: 022 ->
- 002, 077 -> 007).
+ 002, 077 -> 007). Note that using this option explicitly is discouraged.
+ pam_umask enables this functionality by default if /etc/login.defs enables
+ USERGROUPS_ENAB, and the umask is not set explicitly in other places than /
+ etc/login.defs.
nousergroups
Index: Linux-PAM-1.5.2/modules/pam_umask/pam_umask.8
===================================================================
--- Linux-PAM-1.5.2.orig/modules/pam_umask/pam_umask.8
+++ Linux-PAM-1.5.2/modules/pam_umask/pam_umask.8
@@ -68,7 +68,9 @@ umask= argument
.sp -1
.IP \(bu 2.3
.\}
-UMASK entry from /etc/login\&.defs
+UMASK entry from
+/etc/login\&.defs
+(influenced by USERGROUPS_ENAB)
.RE
.sp
.RS 4
@@ -79,7 +81,8 @@ UMASK entry from /etc/login\&.defs
.sp -1
.IP \(bu 2.3
.\}
-UMASK= entry from /etc/default/login
+UMASK= entry from
+/etc/default/login
.RE
.PP
The GECOS field is split on comma \*(Aq,\*(Aq characters\&. The module also in addition to the umask= entry recognizes pri= entry, which sets the nice priority value for the session, and ulimit= entry, which sets the maximum size of files the processes in the session can create\&.
@@ -98,7 +101,10 @@ Don\*(Aqt print informative messages\&.
.PP
\fBusergroups\fR
.RS 4
-If the user is not root and the username is the same as primary group name, the umask group bits are set to be the same as owner bits (examples: 022 \-> 002, 077 \-> 007)\&.
+If the user is not root and the username is the same as primary group name, the umask group bits are set to be the same as owner bits (examples: 022 \-> 002, 077 \-> 007)\&. Note that using this option explicitly is discouraged\&. pam_umask enables this functionality by default if
+/etc/login\&.defs
+enables USERGROUPS_ENAB, and the umask is not set explicitly in other places than
+/etc/login\&.defs\&.
.RE
.PP
\fBnousergroups\fR
Index: Linux-PAM-1.5.2/modules/pam_umask/pam_umask.8.xml
===================================================================
--- Linux-PAM-1.5.2.orig/modules/pam_umask/pam_umask.8.xml
+++ Linux-PAM-1.5.2/modules/pam_umask/pam_umask.8.xml
@@ -61,12 +61,13 @@
</listitem>
<listitem>
@ -35,14 +98,15 @@ diff -urN Linux-PAM-1.5.1.pre/modules/pam_umask/pam_umask.8.xml Linux-PAM-1.5.1/
</para>
</listitem>
</varlistentry>
diff -urN Linux-PAM-1.5.1.pre/modules/pam_umask/pam_umask.c Linux-PAM-1.5.1/modules/pam_umask/pam_umask.c
--- Linux-PAM-1.5.1.pre/modules/pam_umask/pam_umask.c 2020-11-25 17:57:02.000000000 +0100
+++ Linux-PAM-1.5.1/modules/pam_umask/pam_umask.c 2021-08-12 16:14:40.505589328 +0200
@@ -103,7 +103,23 @@
Index: Linux-PAM-1.5.2/modules/pam_umask/pam_umask.c
===================================================================
--- Linux-PAM-1.5.2.orig/modules/pam_umask/pam_umask.c
+++ Linux-PAM-1.5.2/modules/pam_umask/pam_umask.c
@@ -104,7 +104,23 @@ get_options (pam_handle_t *pamh, options
parse_option (pamh, *argv, options);
if (options->umask == NULL)
- options->umask = pam_modutil_search_key (pamh, LOGIN_DEFS, "UMASK");
if (options->umask == NULL) {
- options->login_umask = pam_modutil_search_key (pamh, LOGIN_DEFS, "UMASK");
+ {
+ options->umask = pam_modutil_search_key (pamh, LOGIN_DEFS, "UMASK");
+ /* login.defs' USERGROUPS_ENAB will modify the UMASK setting there by way
@ -51,73 +115,15 @@ diff -urN Linux-PAM-1.5.1.pre/modules/pam_umask/pam_umask.c Linux-PAM-1.5.1/modu
+ */
+ if (options->umask != NULL)
+ {
+ char *result = pam_modutil_search_key (pamh, LOGIN_DEFS,
+ char *result = pam_modutil_search_key (pamh, LOGIN_DEFS,
+ "USERGROUPS_ENAB");
+ if (result != NULL)
+ {
+ options->usergroups = (strcasecmp (result, "yes") == 0);
+ free (result);
+ }
+ if (result != NULL)
+ {
+ options->usergroups = (strcasecmp (result, "yes") == 0);
+ free (result);
+ }
+ }
+ }
if (options->umask == NULL)
options->umask = pam_modutil_search_key (pamh, LOGIN_CONF, "UMASK");
--- Linux-PAM-1.5.1.pre/modules/pam_umask/pam_umask.8 2021-08-12 16:34:08.314505891 +0200
+++ Linux-PAM-1.5.1/modules/pam_umask/pam_umask.8 2021-08-12 16:14:43.969615764 +0200
@@ -68,7 +68,9 @@
.sp -1
.IP \(bu 2.3
.\}
-UMASK entry from /etc/login\&.defs
+UMASK entry from
+/etc/login\&.defs
+(influenced by USERGROUPS_ENAB)
.RE
.sp
.RS 4
@@ -79,7 +81,8 @@
.sp -1
.IP \(bu 2.3
.\}
-UMASK= entry from /etc/default/login
+UMASK= entry from
+/etc/default/login
.RE
.PP
The GECOS field is split on comma \*(Aq,\*(Aq characters\&. The module also in addition to the umask= entry recognizes pri= entry, which sets the nice priority value for the session, and ulimit= entry, which sets the maximum size of files the processes in the session can create\&.
@@ -98,7 +101,10 @@
.PP
\fBusergroups\fR
.RS 4
-If the user is not root and the username is the same as primary group name, the umask group bits are set to be the same as owner bits (examples: 022 \-> 002, 077 \-> 007)\&.
+If the user is not root and the username is the same as primary group name, the umask group bits are set to be the same as owner bits (examples: 022 \-> 002, 077 \-> 007)\&. Note that using this option explicitly is discouraged\&. pam_umask enables this functionality by default if
+/etc/login\&.defs
+enables USERGROUPS_ENAB, and the umask is not set explicitly in other places than
+/etc/login\&.defs\&.
.RE
.PP
\fBnousergroups\fR
--- Linux-PAM-1.5.1.pre/modules/pam_umask/README 2021-08-12 16:34:08.638508373 +0200
+++ Linux-PAM-1.5.1/modules/pam_umask/README 2021-08-12 16:14:44.241617840 +0200
@@ -15,7 +15,7 @@
• umask= argument
- • UMASK entry from /etc/login.defs
+ • UMASK entry from /etc/login.defs (influenced by USERGROUPS_ENAB)
• UMASK= entry from /etc/default/login
@@ -38,7 +38,10 @@
If the user is not root and the username is the same as primary group name,
the umask group bits are set to be the same as owner bits (examples: 022 ->
- 002, 077 -> 007).
+ 002, 077 -> 007). Note that using this option explicitly is discouraged.
+ pam_umask enables this functionality by default if /etc/login.defs enables
+ USERGROUPS_ENAB, and the umask is not set explicitly in other places than /
+ etc/login.defs.
nousergroups
if (options->login_umask == NULL)
options->login_umask = pam_modutil_search_key (pamh, LOGIN_CONF, "UMASK");
options->umask = options->login_umask;
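Review bot: In the rebased pam_umask.c hunk the new block stores the /etc/login.defs value in `options->umask`, yet the trailing context of the 1.5.2 hunk still ends with `options->umask = options->login_umask;`, and on the new side `login_umask` is only ever assigned from LOGIN_CONF. If that reading of the rendered hunk is right, a UMASK found in login.defs is overwritten by the /etc/default/login value (or by NULL) and the first string is leaked, even though the USERGROUPS_ENAB decision was already derived from it; the 1.5.1 version of the patch did not have this problem because it assigned `options->umask` throughout. The smallest fix is to assign the variable the surrounding code expects, `options->login_umask = pam_modutil_search_key (pamh, LOGIN_DEFS, "UMASK");`, and to guard the USERGROUPS_ENAB lookup with `if (options->login_umask != NULL)`. get_options begins outside the hunk and the rendered page has lost the old/new markers, so please confirm against the rebased file before changing it.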


@ -1,3 +1,8 @@
-------------------------------------------------------------------
Fri Sep 10 10:23:13 UTC 2021 - Thorsten Kukuk <kukuk@suse.com>
- Update to version 1.5.2
-------------------------------------------------------------------
Tue Jul 13 13:40:54 UTC 2021 - Thorsten Kukuk <kukuk@suse.com>


@ -27,7 +27,7 @@
%endif
Name: pam_unix-nis
#
Version: 1.5.1
Version: 1.5.2
Release: 0
Summary: PAM module for standard UNIX and NIS authentication
License: GPL-2.0-or-later OR BSD-3-Clause
@ -36,7 +36,6 @@ URL: http://www.linux-pam.org/
Source: Linux-PAM-%{version}.tar.xz
Source9: baselibs.conf
Patch: Makefile-pam_unix-nis.diff
Patch1: revert-check_shadow_expiry.diff
BuildRequires: pam-devel
%if 0%{?suse_version} > 1320
BuildRequires: pkgconfig(libeconf)
@ -58,7 +57,6 @@ module has NIS support.
%prep
%setup -q -n Linux-PAM-%{version}
%patch -p1
%patch1 -p1
%build
export CFLAGS="%{optflags} -DNDEBUG"
@ -69,8 +67,7 @@ export CFLAGS="%{optflags} -DNDEBUG"
--pdfdir=%{_docdir}/pam/pdf \
--enable-isadir=../..%{_pam_moduledir} \
--enable-securedir=%{_pam_moduledir} \
--enable-vendordir=%{_distconfdir} \
--enable-tally2 --enable-cracklib
--enable-vendordir=%{_distconfdir}
make -C modules/pam_unix
%install


@ -1,31 +0,0 @@
pam_unix: do not use crypt_checksalt when checking for password expiration
According to Zack Weinberg, the intended meaning of
CRYPT_SALT_METHOD_LEGACY is "passwd(1) should not use this hashing
method", it is not supposed to mean "force a password change on next
login for any user with an existing stored hash using this method".
This reverts commit 4da9feb.
* modules/pam_unix/passverify.c (check_shadow_expiry)
[CRYPT_CHECKSALT_AVAILABLE]: Remove.
diff --git a/modules/pam_unix/passverify.c b/modules/pam_unix/passverify.c
index f6132f805..5a19ed856 100644
--- a/modules/pam_unix/passverify.c
+++ b/modules/pam_unix/passverify.c
@@ -289,13 +289,7 @@ PAMH_ARG_DECL(int check_shadow_expiry,
D(("account expired"));
return PAM_ACCT_EXPIRED;
}
-#if defined(CRYPT_CHECKSALT_AVAILABLE) && CRYPT_CHECKSALT_AVAILABLE
- if (spent->sp_lstchg == 0 ||
- crypt_checksalt(spent->sp_pwdp) == CRYPT_SALT_METHOD_LEGACY ||
- crypt_checksalt(spent->sp_pwdp) == CRYPT_SALT_TOO_CHEAP) {
-#else
if (spent->sp_lstchg == 0) {
-#endif
D(("need a new password"));
*daysleft = 0;
return PAM_NEW_AUTHTOK_REQD;