Accepting request 724569 from home:kukuk:branches:Linux-PAM

- encryption_method_nis.diff: obsolete, NIS clients shouldn't
  require DES anymore.
- etc.environment: removed, the sources contain the same

- Update to version 1.3.1+git20190807.e31dd6c:
  * pam_tty_audit: Manual page clarification about password logging
  * pam_get_authtok_verify: Avoid duplicate password verification
  * Mention that ./autogen.sh is needeed to be run if you check out the sources from git
  * pam_unix: Correct MAXPASS define name in the previous two commits.
  * Restrict password length when changing password
  * Trim password at PAM_MAX_RESP_SIZE chars
  * pam_succeed_if: Request user data only when needed
  * pam_tally2: Remove unnecessary fsync()
  * Fixed a grammer mistake
  * Fix documentation for pam_wheel
  * Fix a typo in the documentation
  * pam_lastlog: Improve silent option documentation
  * pam_lastlog: Respect PAM_SILENT flag
  * Fix regressions from the last commits.
  * Replace strndupa with strncpy
  * build: ignore pam_lastlog when logwtmp is not available.
  * build: ignore pam_rhosts if neither ruserok nor ruserok_af is available.
  * pam_motd: Cleanup the code and avoid unnecessary logging
  * pam_lastlog: Limit lastlog file use by LASTLOG_UID_MAX option in login.defs.
  * Move the duplicated search_key function to pam_modutil.
  * pam_unix: Use pam_syslog instead of helper_log_err.
  * pam_unix: Report unusable hashes found by checksalt to syslog.
  * Revert "pam_unix: Add crypt_default method, if supported."
  * pam_unix: Add crypt_default method, if supported.
  * Revert part of the commit 4da9febc

OBS-URL: https://build.opensuse.org/request/show/724569
OBS-URL: https://build.opensuse.org/package/show/Linux-PAM/pam?expand=0&rev=191

Linux-PAM-1.3.1.tar.xz

@@ -1,3 +0,0 @@
-version https://git-lfs.github.com/spec/v1
-oid sha256:eff47a4ecd833fbf18de9686632a70ee8d0794b79aecb217ebd0ce11db4cd0db
-size 912332

_service

@@ -0,0 +1,14 @@
+<services>
+  <service name="tar_scm" mode="disabled">
+    <param name="version">1.3.1</param>
+    <param name="versionformat">1.3.1+git%cd.%h</param>
+    <param name="url">git://github.com/linux-pam/linux-pam.git</param>
+    <param name="scm">git</param>
+    <param name="changesgenerate">enable</param>
+  </service>
+  <service name="recompress" mode="disabled">
+    <param name="compression">xz</param>
+    <param name="file">*.tar</param>
+  </service>
+  <service name="set_version" mode="disabled"/>
+</services>

_servicedata

@@ -0,0 +1,6 @@
+<servicedata>
+  <service name="tar_scm">
+    <param name="url">git://github.com/linux-pam/linux-pam.git</param>
+    <param name="changesrevision">e31dd6c7d0faa7a06d3ebd50a0b6957b9f822d15</param>
+ </service>
+</servicedata>

encryption_method_nis.diff

@@ -1,71 +0,0 @@
---- modules/pam_unix/pam_unix_passwd.c
-+++ modules/pam_unix/pam_unix_passwd.c	2016/04/11 13:49:32
-@@ -840,6 +840,29 @@
- 		 * rebuild the password database file.
- 		 */
- 
-+
-+		/* if it is a NIS account, check for special hash algo */
-+		if (on(UNIX_NIS, ctrl) && _unix_comesfromsource(pamh, user, 0, 1)) {
-+		  /* preset encryption method with value from /etc/login.defs */
-+		  int j;
-+		  char *val = _unix_search_key ("ENCRYPT_METHOD_NIS", LOGIN_DEFS);
-+		  if (val) {
-+		    for (j = 0; j < UNIX_CTRLS_; ++j) {
-+		      if (unix_args[j].token && unix_args[j].is_hash_algo
-+			  && !strncasecmp(val, unix_args[j].token, strlen(unix_args[j].token))) {
-+			break;
-+		      }
-+		    }
-+		    if (j >= UNIX_CTRLS_) {
-+		      pam_syslog(pamh, LOG_WARNING, "unrecognized ENCRYPT_METHOD_NIS value [%s]", val);
-+		    } else {
-+		      ctrl &= unix_args[j].mask;  /* for turning things off */
-+		      ctrl |= unix_args[j].flag;  /* for turning things on  */
-+		    }
-+		    free (val);
-+		  }
-+		}
-+
- 		/*
- 		 * First we encrypt the new password.
- 		 */
---- modules/pam_unix/support.c
-+++ modules/pam_unix/support.c	2016/04/11 13:49:32
-@@ -31,8 +31,8 @@
- #include "support.h"
- #include "passverify.h"
- 
--static char *
--search_key (const char *key, const char *filename)
-+char *
-+_unix_search_key (const char *key, const char *filename)
- {
-   FILE *fp;
-   char *buf = NULL;
-@@ -153,7 +153,7 @@
- 	}
- 
- 	/* preset encryption method with value from /etc/login.defs */
--	val = search_key ("ENCRYPT_METHOD", LOGIN_DEFS);
-+	val = _unix_search_key ("ENCRYPT_METHOD", LOGIN_DEFS);
- 	if (val) {
- 	  for (j = 0; j < UNIX_CTRLS_; ++j) {
- 	    if (unix_args[j].token && unix_args[j].is_hash_algo
-@@ -171,7 +171,7 @@
- 
- 	  /* read number of rounds for crypt algo */
- 	  if (rounds && (on(UNIX_SHA256_PASS, ctrl) || on(UNIX_SHA512_PASS, ctrl))) {
--	    val=search_key ("SHA_CRYPT_MAX_ROUNDS", LOGIN_DEFS);
-+	    val=_unix_search_key ("SHA_CRYPT_MAX_ROUNDS", LOGIN_DEFS);
- 
- 	    if (val) {
- 	      *rounds = strtol(val, NULL, 10);
---- modules/pam_unix/support.h
-+++ modules/pam_unix/support.h	2016/04/11 13:49:32
-@@ -174,4 +174,5 @@
- 
- extern int _unix_run_verify_binary(pam_handle_t *pamh,
- 			unsigned int ctrl, const char *user, int *daysleft);
-+extern char *_unix_search_key(const char *key, const char *filename);
- #endif /* _PAM_UNIX_SUPPORT_H */

etc.environment

@@ -1,5 +0,0 @@
-#
-# This file is parsed by pam_env module
-#
-# Syntax: simple "KEY=VAL" pairs on seperate lines
-#

linux-pam-1.3.1+git20190807.e31dd6c.tar.xz

@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:5203477a4c8ea91e038e08f18efeb3836aa7b395de8b518f405eb3f43ea7fdbf
+size 530264

linux-pam-man-pages-1.3.1+git20190807.e31dd6c.tar.xz

@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:89397d7cb52e6a331b766d6219c6aaf3e3cc57c384ef8223f10c1f0ff4217bac
+size 64012

pam-login_defs-check.sh

@@ -12,7 +12,7 @@ grep -rh LOGIN_DEFS . |
 	sed -n 's/^.*search_key *("\([A-Z0-9_]*\)", *LOGIN_DEFS).*$/\1/p' |
 	LC_ALL=C sort -u >pam-login_defs-vars.lst
 
-if test $(sha1sum pam-login_defs-vars.lst | sed 's/ .*$//') != 3e1ae01b1e928c53c828f64ab412be6267eb1018 ; then
+if test $(sha1sum pam-login_defs-vars.lst | sed 's/ .*$//') != da39a3ee5e6b4b0d3255bfef95601890afd80709 ; then
 
 	echo "does not match!" >&2
 	echo "Checksum is: $(sha1sum pam-login_defs-vars.lst | sed 's/ .*$//')" >&2

pam.changes

@@ -1,3 +1,52 @@
+-------------------------------------------------------------------
+Mon Aug 19 13:33:49 CEST 2019 - kukuk@suse.de
+
+- encryption_method_nis.diff: obsolete, NIS clients shouldn't
+  require DES anymore.
+- etc.environment: removed, the sources contain the same
+
+-------------------------------------------------------------------
+Mon Aug 19 11:28:31 UTC 2019 - kukuk@suse.com
+
+- Update to version 1.3.1+git20190807.e31dd6c:
+  * pam_tty_audit: Manual page clarification about password logging
+  * pam_get_authtok_verify: Avoid duplicate password verification
+  * Mention that ./autogen.sh is needeed to be run if you check out the sources from git
+  * pam_unix: Correct MAXPASS define name in the previous two commits.
+  * Restrict password length when changing password
+  * Trim password at PAM_MAX_RESP_SIZE chars
+  * pam_succeed_if: Request user data only when needed
+  * pam_tally2: Remove unnecessary fsync()
+  * Fixed a grammer mistake
+  * Fix documentation for pam_wheel
+  * Fix a typo in the documentation
+  * pam_lastlog: Improve silent option documentation
+  * pam_lastlog: Respect PAM_SILENT flag
+  * Fix regressions from the last commits.
+  * Replace strndupa with strncpy
+  * build: ignore pam_lastlog when logwtmp is not available.
+  * build: ignore pam_rhosts if neither ruserok nor ruserok_af is available.
+  * pam_motd: Cleanup the code and avoid unnecessary logging
+  * pam_lastlog: Limit lastlog file use by LASTLOG_UID_MAX option in login.defs.
+  * Move the duplicated search_key function to pam_modutil.
+  * pam_unix: Use pam_syslog instead of helper_log_err.
+  * pam_unix: Report unusable hashes found by checksalt to syslog.
+  * Revert "pam_unix: Add crypt_default method, if supported."
+  * pam_unix: Add crypt_default method, if supported.
+  * Revert part of the commit 4da9febc
+  * pam_unix: Add support for (gost-)yescrypt hashing methods.
+  * pam_unix: Fix closing curly brace. (#77)
+  * pam_unix: Add support for crypt_checksalt, if libcrypt supports it.
+  * pam_unix: Prefer a gensalt function, that supports auto entropy.
+  * pam_motd: Fix segmentation fault when no motd_dir specified (#76)
+  * pam_motd: Support multiple motd paths specified, with filename overrides (#69)
+  * pam_unix: Use bcrypt b-variant for computing new hashes.
+  * pam_tally, pam_tally2: fix grammar and spelling (#54)
+  * Fix grammar of messages printed via pam_prompt
+  * pam_stress: do not mark messages for translation
+  * pam_unix: remove obsolete _UNIX_AUTHTOK, _UNIX_OLD_AUTHTOK, and _UNIX_NEW_AUTHTOK macros
+  * pam_unix: remove obsolete _unix_read_password prototype
+
 -------------------------------------------------------------------
 Thu May  2 23:55:30 CEST 2019 - sbrabec@suse.com
 

pam.spec

@@ -38,7 +38,7 @@ BuildRequires:  libselinux-devel
 %define libpam_misc_so_version 0.82.1
 %define libpamc_so_version 0.82.1
 #
-Version:        1.3.1
+Version:        1.3.1+git20190807.e31dd6c
 Release:        0
 Summary:        A Security Tool that Provides Authentication for Applications
 License:        GPL-2.0-or-later OR BSD-3-Clause
@@ -55,22 +55,21 @@ Requires(pre):  user(root)
 Requires:       login_defs-support-for-pam >= 1.3.1
 
 #DL-URL:	https://fedorahosted.org/releases/l/i/linux-pam/
-Source:         Linux-PAM-%{version}.tar.xz
-Source1:        Linux-PAM-%{version}-docs.tar.xz
-Source2:        securetty
+Source:         linux-pam-%{version}.tar.xz
+Source1:        Linux-PAM-1.3.1-docs.tar.xz
+Source2:        linux-pam-man-pages-1.3.1+git20190807.e31dd6c.tar.xz
 Source3:        other.pamd
 Source4:        common-auth.pamd
 Source5:        common-account.pamd
 Source6:        common-password.pamd
 Source7:        common-session.pamd
-Source8:        etc.environment
+Source8:        securetty
 Source9:        baselibs.conf
 Source10:       unix2_chkpwd.c
 Source11:       unix2_chkpwd.8
 Source12:       pam-login_defs-check.sh
 Patch0:         fix-man-links.dif
 Patch2:         pam-limit-nproc.patch
-Patch3:         encryption_method_nis.diff
 Patch4:         pam-hostnames-in-access_conf.patch
 Patch5:         use-correct-IP-address.patch
 BuildRoot:      %{_tmppath}/%{name}-%{version}-build
@@ -120,17 +119,17 @@ building both PAM-aware applications and modules for use with PAM.
 
 
 %prep
-%setup -q -n Linux-PAM-%{version} -b 1
+%setup -q -n linux-pam-%{version} -b 1 -a 2
+cp -av ../Linux-PAM-1.3.1/* . 
 cp -a %{S:12} .
 %patch0 -p1
 %patch2 -p1
-%patch3 -p0
 %patch4 -p0
 %patch5 -p1
 
 %build
 bash ./pam-login_defs-check.sh
-autoreconf -fiv
+./autogen.sh
 export CFLAGS="%optflags -DNDEBUG"
 %configure \
 	--sbindir=/sbin \
@@ -142,7 +141,7 @@ export CFLAGS="%optflags -DNDEBUG"
 	--enable-isadir=../../%{_lib}/security \
         --enable-securedir=/%{_lib}/security
 make %{?_smp_mflags}
-%__cc -fwhole-program -fpie -pie -D_FILE_OFFSET_BITS=64 -D_GNU_SOURCE %{optflags} -I$RPM_BUILD_DIR/Linux-PAM-%{version}/libpam/include %{SOURCE10} -o $RPM_BUILD_DIR/unix2_chkpwd -L$RPM_BUILD_DIR/Linux-PAM-%{version}/libpam/.libs/ -lpam
+%__cc -fwhole-program -fpie -pie -D_FILE_OFFSET_BITS=64 -D_GNU_SOURCE %{optflags} -I$RPM_BUILD_DIR/linux-pam-%{version}/libpam/include %{SOURCE10} -o $RPM_BUILD_DIR/unix2_chkpwd -L$RPM_BUILD_DIR/linux-pam-%{version}/libpam/.libs/ -lpam
 
 %check
 make %{?_smp_mflags} check
@@ -157,10 +156,8 @@ make DESTDIR=$RPM_BUILD_ROOT install
 /sbin/ldconfig -n $RPM_BUILD_ROOT/%{_lib}
 # Install documentation
 make -C doc install DESTDIR=$RPM_BUILD_ROOT
-# install /etc/environment
-install -m 644 %{SOURCE8} $RPM_BUILD_ROOT/etc/environment
 # install securetty
-install -m 644 %{SOURCE2} $RPM_BUILD_ROOT/etc
+install -m 644 %{SOURCE8} $RPM_BUILD_ROOT/etc
 %ifarch s390 s390x
 echo "ttyS0" >> $RPM_BUILD_ROOT/etc/securetty
 echo "ttyS1" >> $RPM_BUILD_ROOT/etc/securetty