Accepting request 849468 from Linux-PAM
- Update to 1.5.0
- obsoletes pam-bsc1178727-initialize-daysleft.patch
- Multiple minor bug fixes, portability fixes, and documentation improvements.
- Extended libpam API with pam_modutil_check_user_in_passwd function.
- pam_faillock: changed /run/faillock/$USER permissions from 0600 to 0660.
- pam_motd: read motd files with target user credentials skipping unreadable ones.
- pam_pwhistory: added a SELinux helper executable.
- pam_unix, pam_usertype: implemented avoidance of certain timing attacks.
- pam_wheel: implemented PAM_RUSER fallback for the case when getlogin fails.
- pam_env: Reading of the user environment is deprecated and will be removed
at some point in the future.
- libpam: pam_modutil_drop_priv() now correctly sets the target user's
supplementary groups, allowing pam_motd to filter messages accordingly
- Refresh pam-xauth_ownership.patch
- pam_tally2-removal.patch: Re-add pam_tally2 for deprecated sub-package
- pam_cracklib-removal.patch: Re-add pam_cracklib for deprecated sub-package
- pam_cracklib: added code to check whether the password contains
a substring of the user's name of at least <N> characters length
in some form.
This is enabled by the new parameter "usersubstr=<N>"
See bfef79dbe6
[jsc#SLE-16719, jsc#SLE-16720, pam-pam_cracklib-add-usersubstr.patch]
- pam_xauth.c: do not free() a string which has been (successfully)
passed to putenv().
[bsc#1177858, pam-bsc1177858-dont-free-environment-string.patch]
- Initialize pam_unix pam_sm_acct_mgmt() local variable "daysleft"
to avoid spurious (and misleading)
OBS-URL: https://build.opensuse.org/request/show/849468
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/pam?expand=0&rev=107
commit
5048cec3be
@ -1,3 +0,0 @@
|
|||||||
version https://git-lfs.github.com/spec/v1
|
|
||||||
oid sha256:351764a0643052564a4b840320744c7e402112a2a57d2ac04511a6d22dc52e04
|
|
||||||
size 477712
|
|
@ -1,3 +0,0 @@
|
|||||||
version https://git-lfs.github.com/spec/v1
|
|
||||||
oid sha256:cd6d928c51e64139be3bdb38692c68183a509b83d4f2c221024ccd4bcddfd034
|
|
||||||
size 988908
|
|
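--- a/Linux-PAM-1.5.0-docs.tar.xz
+++ b/Linux-PAM-1.5.0-docs.tar.xz
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:75fefd2a601c76d5e289aa8c36234ec2ac398395f4a48caf5ef638c1131019a9
+size 441644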
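--- a/Linux-PAM-1.5.0.tar.xz
+++ b/Linux-PAM-1.5.0.tar.xz
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:02d39854b508fae9dc713f7733bbcdadbe17b50de965aedddd65bcb6cc7852c8
+size 972228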
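--- a/pam-bsc1177858-dont-free-environment-string.patch
+++ b/pam-bsc1177858-dont-free-environment-string.patch
@@ -0,0 +1,26 @@
+Index: Linux-PAM-1.4.0/modules/pam_xauth/pam_xauth.c
+===================================================================
+--- Linux-PAM-1.4.0.orig/modules/pam_xauth/pam_xauth.c
++++ Linux-PAM-1.4.0/modules/pam_xauth/pam_xauth.c
+@@ -701,8 +701,9 @@ pam_sm_open_session (pam_handle_t *pamh,
+pam_syslog(pamh, LOG_ERR,
+"can't set environment variable '%s'",
+xauthority);
+- putenv (xauthority); /* The environment owns this string now. */
+- /* Don't free environment variables nor set them to NULL. */
++ if (putenv (xauthority) == 0) /* The environment owns this string now. */
++ xauthority = NULL;
++ /* Don't free environment variables. */
+
+/* set $DISPLAY in pam handle to make su - work */
+{
+@@ -765,7 +766,8 @@ cleanup:
+unsetenv (XAUTHENV);
+free(cookiefile);
+free(cookie);
+- free(xauthority);
++ if (xauthority != NULL) /* If it hasn't been successfully passed to putenv() ... */
++ free(xauthority);
+return retval;
+}
+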
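Review bot: A failing putenv() in the first hunk is silent: the new `if (putenv (xauthority) == 0)` only clears the pointer on success, and nothing records that the variable was not exported to the process environment, whereas the pam_syslog() call in the context lines just above reports the pam_putenv() failure. An `else pam_syslog(pamh, LOG_ERR, "can't set environment variable '%s'", xauthority);` branch would keep the two paths consistent. In the cleanup hunk the `if (xauthority != NULL)` test is redundant because free(NULL) is a no-op; `free(xauthority); /* NULL once putenv() owns the string */` says the same with less code. Both hunks show only part of pam_sm_open_session().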
@ -9,10 +9,10 @@ set -o errexit
|
|||||||
|
|
||||||
echo -n "Checking login.defs variables in pam... " >&2
|
echo -n "Checking login.defs variables in pam... " >&2
|
||||||
grep -rh LOGIN_DEFS . |
|
grep -rh LOGIN_DEFS . |
|
||||||
sed -n 's/^.*search_key *("\([A-Z0-9_]*\)", *LOGIN_DEFS).*$/\1/p' |
|
sed -n 's/^.*search_key *([A-Za-z_]*, *[A-Z_]*LOGIN_DEFS, *"\([A-Z0-9_]*\)").*$/\1/p' |
|
||||||
LC_ALL=C sort -u >pam-login_defs-vars.lst
|
LC_ALL=C sort -u >pam-login_defs-vars.lst
|
||||||
|
|
||||||
if test $(sha1sum pam-login_defs-vars.lst | sed 's/ .*$//') != da39a3ee5e6b4b0d3255bfef95601890afd80709 ; then
|
if test $(sha1sum pam-login_defs-vars.lst | sed 's/ .*$//') != 3c6e0020c31609690b69ef391654df930b74151d ; then
|
||||||
|
|
||||||
echo "does not match!" >&2
|
echo "does not match!" >&2
|
||||||
echo "Checksum is: $(sha1sum pam-login_defs-vars.lst | sed 's/ .*$//')" >&2
|
echo "Checksum is: $(sha1sum pam-login_defs-vars.lst | sed 's/ .*$//')" >&2
|
||||||
|
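Review bot: Nothing in this hunk fails the build when the grep/sed pipeline extracts no variables at all; the replaced checksum `da39a3ee5e6b4b0d3255bfef95601890afd80709` is the SHA-1 of empty input, so the previous regexp had been matching nothing and the check still passed. A guard such as `test -s pam-login_defs-vars.lst || { echo "no variables found" >&2; exit 1; }` before the comparison would catch the next upstream change to the shape of the `search_key` call. The `$(sha1sum ...)` substitution inside `test` is also unquoted; writing it as `"$(...)"` avoids a confusing `test` syntax error if the command prints nothing. The rest of the script is outside the hunk.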
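--- a/pam-pam_cracklib-add-usersubstr.patch
+++ b/pam-pam_cracklib-add-usersubstr.patch
@@ -0,0 +1,81 @@
+Index: Linux-PAM-1.4.0/modules/pam_cracklib/pam_cracklib.c
+===================================================================
+--- Linux-PAM-1.4.0.orig/modules/pam_cracklib/pam_cracklib.c
++++ Linux-PAM-1.4.0/modules/pam_cracklib/pam_cracklib.c
+@@ -88,6 +88,7 @@ struct cracklib_options {
+int reject_user;
+int gecos_check;
+int enforce_for_root;
++ int user_substr;
+const char *cracklib_dictpath;
+};
+
+@@ -185,6 +186,10 @@ _pam_parse (pam_handle_t *pamh, struct c
+if (!*(opt->cracklib_dictpath)) {
+opt->cracklib_dictpath = CRACKLIB_DICTS;
+}
++ } else if ((str = pam_str_skip_prefix(*argv, "usersubstr=")) != NULL) {
++ opt->user_substr = strtol(str, &ep, 10);
++ if (ep == str)
++ opt->user_substr = 0;
+} else {
+pam_syslog(pamh,LOG_ERR,"pam_parse: unknown option; %s",*argv);
+}
+@@ -525,13 +530,54 @@ static int wordcheck(const char *new, ch
+return 0;
+}
+
++/*
++ * RETURNS: True if the password is unacceptable, else false
++ */
++static int usersubstr(int len, const char *new, char *user)
++{
++ int i, userlen;
++ int bad = 0; // Assume it's OK unless proven otherwise
++ char *subuser = calloc(len+1, sizeof(char));
++
++ if (subuser == NULL) {
++ return 1;
++ }
++
++ userlen = strlen(user);
++
++ if (len >= CO_MIN_WORD_LENGTH &&
++ userlen > len) {
++ for(i = 0; !bad && (i <= userlen - len); i++) {
++ strncpy(subuser, user+i, len+1);
++ subuser[len] = '\0';
++ bad = wordcheck(new, subuser);
++ }
++ } else {
++ // if we already tested substrings, there's no need to test
++ // the whole username; all substrings would've been found :)
++ if (!bad)
++ bad = wordcheck(new, user);
++ }
++
++ free(subuser);
++
++ return bad;
++}
++
++/*
++ * RETURNS: True if the password is unacceptable, else false
++ */
+static int usercheck(struct cracklib_options *opt, const char *new,
+char *user)
+{
+- if (!opt->reject_user)
+- return 0;
++ int bad = 0;
++
++ if (opt->reject_user)
++ bad = wordcheck(new, user);
++ if (!bad && opt->user_substr != 0)
++ bad = usersubstr(opt->user_substr, new, user);
+
+- return wordcheck(new, user);
++ return bad;
+}
+
+static char * str_lower(char *string)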
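Review bot: The `usersubstr=` value is stored in `_pam_parse` without a range check, and `usersubstr()` then uses it in `calloc(len+1, sizeof(char))`. A negative setting turns into a huge or zero allocation size; when calloc fails the function returns 1, so a mistyped option would make every new password unacceptable, and `len+1` overflows for INT_MAX. `strtol` also accepts trailing junk here and its `long` result is narrowed to `int` silently. I would tighten the parse to `if (ep == str || *ep != '\0' || opt->user_substr < 0) opt->user_substr = 0;` (better still, parse into a `long` and bound it before storing) and log the rejected option the way the `unknown option` branch does. The `if (!bad)` test in the `else` branch of `usersubstr()` is always true at that point and can be dropped.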
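--- a/pam-xauth_ownership.patch
+++ b/pam-xauth_ownership.patch
@@ -0,0 +1,105 @@
+diff -urN Linux-PAM-1.5.0/modules/pam_xauth/pam_xauth.c Linux-PAM-1.5.0.xauth/modules/pam_xauth/pam_xauth.c
+--- Linux-PAM-1.5.0/modules/pam_xauth/pam_xauth.c 2020-11-10 16:46:13.000000000 +0100
++++ Linux-PAM-1.5.0.xauth/modules/pam_xauth/pam_xauth.c 2020-11-19 11:50:54.176925556 +0100
+@@ -355,11 +355,13 @@
+char *cookiefile = NULL, *xauthority = NULL,
+*cookie = NULL, *display = NULL, *tmp = NULL,
+*xauthlocalhostname = NULL;
+- const char *user, *xauth = NULL;
++ const char *user, *xauth = NULL, *login_name;
+struct passwd *tpwd, *rpwd;
+int fd, i, debug = 0;
+int retval = PAM_SUCCESS;
+- uid_t systemuser = 499, targetuser = 0;
++ uid_t systemuser = 499, targetuser = 0, uid;
++ gid_t gid;
++ struct stat st;
+
+/* Parse arguments. We don't understand many, so no sense in breaking
+* this into a separate function. */
+@@ -429,7 +431,16 @@
+retval = PAM_SESSION_ERR;
+goto cleanup;
+}
+- rpwd = pam_modutil_getpwuid(pamh, getuid());
++
++ login_name = pam_modutil_getlogin(pamh);
++ if (login_name == NULL) {
++ login_name = "";
++ }
++ if (*login_name)
++ rpwd = pam_modutil_getpwnam(pamh, login_name);
++ else
++ rpwd = pam_modutil_getpwuid(pamh, getuid());
++
+if (rpwd == NULL) {
+pam_syslog(pamh, LOG_ERR,
+"error determining invoking user's name");
+@@ -518,18 +529,26 @@
+cookiefile);
+}
+
++ /* Get owner and group of the cookiefile */
++ uid = getuid();
++ gid = getgid();
++ if (stat(cookiefile, &st) == 0) {
++ uid = st.st_uid;
++ gid = st.st_gid;
++ }
++
+/* Read the user's .Xauthority file. Because the current UID is
+* the original user's UID, this will only fail if something has
+* gone wrong, or we have no cookies. */
+if (debug) {
+pam_syslog(pamh, LOG_DEBUG,
+- "running \"%s %s %s %s %s\" as %lu/%lu",
+- xauth, "-f", cookiefile, "nlist", display,
+- (unsigned long) getuid(), (unsigned long) getgid());
++ "running \"%s %s %s %s %s %s\" as %lu/%lu",
++ xauth, "-i", "-f", cookiefile, "nlist", display,
++ (unsigned long) uid, (unsigned long) gid);
+}
+if (run_coprocess(pamh, NULL, &cookie,
+- getuid(), getgid(),
+- xauth, "-f", cookiefile, "nlist", display,
++ uid, gid,
++ xauth, "-i", "-f", cookiefile, "nlist", display,
+NULL) == 0) {
+#ifdef WITH_SELINUX
+char *context_raw = NULL;
+@@ -583,12 +602,12 @@
+cookiefile,
+"nlist",
+t,
+- (unsigned long) getuid(),
+- (unsigned long) getgid());
++ (unsigned long) uid,
++ (unsigned long) gid);
+}
+run_coprocess(pamh, NULL, &cookie,
+- getuid(), getgid(),
+- xauth, "-f", cookiefile,
++ uid, gid,
++ xauth, "-i", "-f", cookiefile,
+"nlist", t, NULL);
+}
+free(t);
+@@ -673,13 +692,17 @@
+goto cleanup;
+}
+
++ if (debug) {
++ pam_syslog(pamh, LOG_DEBUG, "set environment variable '%s'",
++ xauthority);
++ }
+/* Set the new variable in the environment. */
+if (pam_putenv (pamh, xauthority) != PAM_SUCCESS)
+pam_syslog(pamh, LOG_ERR,
+"can't set environment variable '%s'",
+xauthority);
+putenv (xauthority); /* The environment owns this string now. */
+- xauthority = NULL; /* Don't free environment variables. */
++ /* Don't free environment variables nor set them to NULL. */
+
+/* set $DISPLAY in pam handle to make su - work */
+{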
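Review bot: The third hunk takes the identity for the xauth coprocess from `stat(cookiefile, &st)` without checking who owns the file: `uid = st.st_uid; gid = st.st_gid;` is applied to whatever the path resolves to (stat() follows symbolic links), and the file can change between this call and xauth opening it. I would accept the stat result only when it names the user already resolved into `rpwd`, e.g. `if (stat(cookiefile, &st) == 0 && st.st_uid == rpwd->pw_uid)`, and otherwise keep getuid()/getgid(); that still appears to cover the NFS case described in the changelog. In the last hunk, dropping `xauthority = NULL;` leaves the pointer set after putenv(); the cleanup code is not part of this patch, but pam-bsc1177858-dont-free-environment-string.patch in the same commit shows it calls `free(xauthority)`, so this patch is only safe with that follow-up applied after it. Every hunk here is a fragment of a function whose start and end are not shown.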
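--- a/pam.changes
+++ b/pam.changes
@@ -1,3 +1,82 @@
+-------------------------------------------------------------------
+Thu Nov 19 15:43:33 UTC 2020 - Thorsten Kukuk <kukuk@suse.com>
+
+- Update to 1.5.0
+- obsoletes pam-bsc1178727-initialize-daysleft.patch
+- Multiple minor bug fixes, portability fixes, and documentation improvements.
+- Extended libpam API with pam_modutil_check_user_in_passwd function.
+- pam_faillock: changed /run/faillock/$USER permissions from 0600 to 0660.
+- pam_motd: read motd files with target user credentials skipping unreadable ones.
+- pam_pwhistory: added a SELinux helper executable.
+- pam_unix, pam_usertype: implemented avoidance of certain timing attacks.
+- pam_wheel: implemented PAM_RUSER fallback for the case when getlogin fails.
+- pam_env: Reading of the user environment is deprecated and will be removed
+at some point in the future.
+- libpam: pam_modutil_drop_priv() now correctly sets the target user's
+supplementary groups, allowing pam_motd to filter messages accordingly
+- Refresh pam-xauth_ownership.patch
+- pam_tally2-removal.patch: Re-add pam_tally2 for deprecated sub-package
+- pam_cracklib-removal.patch: Re-add pam_cracklib for deprecated sub-package
+
+-------------------------------------------------------------------
+Wed Nov 18 13:02:15 UTC 2020 - Josef Möllers <josef.moellers@suse.com>
+
+- pam_cracklib: added code to check whether the password contains
+a substring of of the user's name of at least <N> characters length
+in some form.
+This is enabled by the new parameter "usersubstr=<N>"
+See https://github.com/libpwquality/libpwquality/commit/bfef79dbe6aa525e9557bf4b0a61e6dde12749c4
+[jsc#SLE-16719, jsc#SLE-16720, pam-pam_cracklib-add-usersubstr.patch]
+
+-------------------------------------------------------------------
+Wed Nov 18 10:02:32 UTC 2020 - Josef Möllers <josef.moellers@suse.com>
+
+- pam_xauth.c: do not free() a string which has been (successfully)
+passed to putenv().
+[bsc#1177858, pam-bsc1177858-dont-free-environment-string.patch]
+
+-------------------------------------------------------------------
+Fri Nov 13 09:13:18 UTC 2020 - Josef Möllers <josef.moellers@suse.com>
+
+- Initialize pam_unix pam_sm_acct_mgmt() local variable "daysleft"
+to avoid spurious (and misleading)
+Warning: your password will expire in ... days.
+fixed upstream with commit db6b293046a
+[bsc#1178727, pam-bsc1178727-initialize-daysleft.patch]
+
+-------------------------------------------------------------------
+Tue Nov 10 11:09:39 UTC 2020 - Thorsten Kukuk <kukuk@suse.com>
+
+- Enable pam_faillock [bnc#1171562]
+
+-------------------------------------------------------------------
+Wed Oct 8 13:31:39 UTC 2020 - Josef Möllers <josef.moellers@suse.com>
+
+- /usr/bin/xauth chokes on the old user's $HOME being on an NFS
+file system. Run /usr/bin/xauth using the old user's uid/gid
+Patch courtesy of Dr. Werner Fink.
+[bsc#1174593, pam-xauth_ownership.patch]
+
+-------------------------------------------------------------------
+Thu Oct 8 02:33:16 UTC 2020 - Stanislav Brabec <sbrabec@suse.com>
+
+- pam-login_defs-check.sh: Fix the regexp to get a real variable
+list (boo#1164274).
+
+-------------------------------------------------------------------
+Wed Jun 24 13:06:33 UTC 2020 - Josef Möllers <josef.moellers@suse.com>
+
+- Revert the previous change [SR#815713].
+The group is not necessary for PAM functionality but used only
+during testing. The test system should therefore create this group.
+[bsc#1171016, pam.spec]
+
+-------------------------------------------------------------------
+Mon Jun 15 15:05:18 UTC 2020 - Josef Möllers <josef.moellers@suse.com>
+
+- Add requirement for group "wheel" to spec file.
+[bsc#1171016, pam.spec]
+
 -------------------------------------------------------------------
 Mon Jun 8 13:19:12 UTC 2020 - Thorsten Kukuk <kukuk@suse.com>
 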
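--- a/pam.spec
+++ b/pam.spec
@@ -27,7 +27,7 @@
 %endif
 Name: pam
 #
-Version: 1.4.0
+Version: 1.5.0
 Release: 0
 Summary: A Security Tool that Provides Authentication for Applications
 License: GPL-2.0-or-later OR BSD-3-Clause
@@ -47,6 +47,11 @@ Source11: unix2_chkpwd.8
 Source12: pam-login_defs-check.sh
 Patch2: pam-limit-nproc.patch
 Patch4: pam-hostnames-in-access_conf.patch
+Patch5: pam-xauth_ownership.patch
+Patch6: pam_cracklib-removal.patch
+Patch7: pam_tally2-removal.patch
+Patch8: pam-bsc1177858-dont-free-environment-string.patch
+Patch9: pam-pam_cracklib-add-usersubstr.patch
 BuildRequires: audit-devel
 BuildRequires: bison
 BuildRequires: cracklib-devel
@@ -139,6 +144,11 @@ removed with one of the next releases.
 cp -a %{SOURCE12} .
 %patch2 -p1
 %patch4 -p1
+%patch5 -p1
+%patch6 -R -p1
+%patch7 -R -p1
+%patch8 -p1
+%patch9 -p1
 
 %build
 bash ./pam-login_defs-check.sh
@@ -210,8 +220,6 @@ for i in pam_*/README; do
 cp -fpv "$i" "$DOC/modules/README.${i%/*}"
 done
 popd
-# XXX Remove until whitelisted
-rm %{buildroot}/%{_lib}/security/pam_faillock.so
 # Install unix2_chkpwd
 install -m 755 %{_builddir}/unix2_chkpwd %{buildroot}/sbin/
 install -m 644 %{_sourcedir}/unix2_chkpwd.8 %{buildroot}/%{_mandir}/man8/
@@ -310,6 +318,7 @@ done
 %{_mandir}/man8/pam_sepermit.8%{?ext_man}
 %{_mandir}/man8/pam_setquota.8%{?ext_man}
 %{_mandir}/man8/pam_shells.8%{?ext_man}
+%{_mandir}/man8/pam_stress.8%{?ext_man}
 %{_mandir}/man8/pam_succeed_if.8%{?ext_man}
 %{_mandir}/man8/pam_time.8%{?ext_man}
 %{_mandir}/man8/pam_timestamp.8%{?ext_man}
@@ -321,6 +330,7 @@ done
 %{_mandir}/man8/pam_warn.8%{?ext_man}
 %{_mandir}/man8/pam_wheel.8%{?ext_man}
 %{_mandir}/man8/pam_xauth.8%{?ext_man}
+%{_mandir}/man8/pwhistory_helper.8%{?ext_man}
 %{_mandir}/man8/unix2_chkpwd.8%{?ext_man}
 %{_mandir}/man8/unix_chkpwd.8%{?ext_man}
 %{_mandir}/man8/unix_update.8%{?ext_man}
@@ -338,7 +348,7 @@ done
 /%{_lib}/security/pam_env.so
 /%{_lib}/security/pam_exec.so
 /%{_lib}/security/pam_faildelay.so
-#/%{_lib}/security/pam_faillock.so
+/%{_lib}/security/pam_faillock.so
 /%{_lib}/security/pam_filter.so
 %dir /%{_lib}/security/pam_filter
 /%{_lib}/security//pam_filter/upperLOWER
@@ -386,6 +396,7 @@ done
 /sbin/mkhomedir_helper
 /sbin/pam_namespace_helper
 /sbin/pam_timestamp_check
+/sbin/pwhistory_helper
 %verify(not mode) %attr(4755,root,shadow) /sbin/unix_chkpwd
 %verify(not mode) %attr(4755,root,shadow) /sbin/unix2_chkpwd
 %attr(0700,root,root) /sbin/unix_update
@@ -401,8 +412,6 @@ done
 /%{_lib}/security/pam_cracklib.so
 /%{_lib}/security/pam_tally2.so
 /sbin/pam_tally2
-%{_mandir}/man8/pam_cracklib.8%{?ext_man}
-%{_mandir}/man8/pam_tally2.8%{?ext_man}
 
 %files doc
 %defattr(644,root,root,755)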
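Review bot: The new `%patch` lines carry ordering dependencies that the spec does not document: `%patch6 -R -p1` and `%patch7 -R -p1` reverse-apply removal patches to bring pam_cracklib and pam_tally2 back, `%patch9` edits pam_cracklib.c and so only applies after `%patch6 -R`, and `%patch8` expects the comment text that `%patch5` introduces. A short comment above them, for example `# Patch6/7 are removal patches applied in reverse (-R) to re-add the deprecated modules; Patch9 needs Patch6, Patch8 needs Patch5`, would keep the next maintainer from reordering them. Separately, this change starts shipping `pam_faillock.so` by deleting the `# XXX Remove until whitelisted` lines; the changelog in the same commit notes that 1.5.0 relaxes `/run/faillock/$USER` from 0600 to 0660, so it is worth confirming that the whitelisting review covered that mode.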
1740
pam_cracklib-removal.patch
Normal file
1740
pam_cracklib-removal.patch
Normal file
File diff suppressed because it is too large
1332
pam_tally2-removal.patch
Normal file
1332
pam_tally2-removal.patch
Normal file
File diff suppressed because it is too large