- Remove obsolete README.pam_tally [bsc#977973]

- Update Linux-PAM to version 1.3.0
- Rediff encryption_method_nis.diff

- Add /sbin/unix2_chkpwd (moved from pam-modules)

- Remove (since accepted upstream):
  - 0001-Remove-YP-dependencies-from-pam_access-they-were-nev.patch
  - 0002-Remove-enable-static-modules-option-and-support-from.patch
  - 0003-fix-nis-checks.patch
  - 0004-PAM_EXTERN-isn-t-needed-anymore-but-don-t-remove-it-.patch
  - 0005-Use-TI-RPC-functions-if-we-compile-and-link-against-.patch

OBS-URL: https://build.opensuse.org/package/show/Linux-PAM/pam?expand=0&rev=159
Thorsten Kukuk 2016-05-02 08:45:43 +00:00 committed by Git OBS Bridge
parent dff8159e4f
commit 8722ee21ea
14 changed files with 483 additions and 3626 deletions


@ -1,71 +0,0 @@
From a64de52d1621ac3d3dd03f66742b48bef0101043 Mon Sep 17 00:00:00 2001
From: Thorsten Kukuk <kukuk@thkukuk.de>
Date: Wed, 23 Mar 2016 11:16:55 +0100
Subject: [PATCH] Remove YP dependencies from pam_access, they were never used
and such not needed.
* modules/pam_access/Makefile.am: Remove NIS_CFLAGS and NIS_LIBS
* modules/pam_access/pam_access.c: Remove yp_get_default_domain case,
it will never be used.
---
modules/pam_access/Makefile.am | 4 ++--
modules/pam_access/pam_access.c | 8 --------
2 files changed, 2 insertions(+), 10 deletions(-)
diff --git a/modules/pam_access/Makefile.am b/modules/pam_access/Makefile.am
index 0527674..6c0f738 100644
--- a/modules/pam_access/Makefile.am
+++ b/modules/pam_access/Makefile.am
@@ -15,14 +15,14 @@ securelibdir = $(SECUREDIR)
secureconfdir = $(SCONFIGDIR)
AM_CFLAGS = -I$(top_srcdir)/libpam/include -I$(top_srcdir)/libpamc/include \
- -DPAM_ACCESS_CONFIG=\"$(SCONFIGDIR)/access.conf\" $(NIS_CFLAGS)
+ -DPAM_ACCESS_CONFIG=\"$(SCONFIGDIR)/access.conf\"
AM_LDFLAGS = -no-undefined -avoid-version -module
if HAVE_VERSIONING
AM_LDFLAGS += -Wl,--version-script=$(srcdir)/../modules.map
endif
securelib_LTLIBRARIES = pam_access.la
-pam_access_la_LIBADD = $(top_builddir)/libpam/libpam.la $(NIS_LIBS)
+pam_access_la_LIBADD = $(top_builddir)/libpam/libpam.la
secureconf_DATA = access.conf
diff --git a/modules/pam_access/pam_access.c b/modules/pam_access/pam_access.c
index b32a966..d4c847a 100644
--- a/modules/pam_access/pam_access.c
+++ b/modules/pam_access/pam_access.c
@@ -44,9 +44,6 @@
#include <arpa/inet.h>
#include <netdb.h>
#include <sys/socket.h>
-#ifdef HAVE_RPCSVC_YPCLNT_H
-#include <rpcsvc/ypclnt.h>
-#endif
#ifdef HAVE_LIBAUDIT
#include <libaudit.h>
#endif
@@ -470,8 +467,6 @@ netgroup_match (pam_handle_t *pamh, const char *netgroup,
{
int retval;
char *mydomain = NULL;
-
-#if defined(HAVE_GETDOMAINNAME)
char domainname_res[256];
if (getdomainname (domainname_res, sizeof (domainname_res)) == 0)
@@ -481,9 +476,6 @@ netgroup_match (pam_handle_t *pamh, const char *netgroup,
mydomain = domainname_res;
}
}
-#elif defined(HAVE_YP_GET_DEFAULT_DOMAIN)
- yp_get_default_domain(&mydomain);
-#endif
#ifdef HAVE_INNETGR
retval = innetgr (netgroup, machine, user, mydomain);
--
1.8.5.6



@ -1,70 +0,0 @@
diff --git a/configure.ac b/configure.ac
index d5cc644..534194d 100644
--- a/configure.ac
+++ b/configure.ac
@@ -447,22 +447,26 @@ AC_SUBST(LIBDB)
AM_CONDITIONAL([HAVE_LIBDB], [test ! -z "$LIBDB"])
AC_ARG_ENABLE([nis],
- AS_HELP_STRING([--disable-nis], [Disable building NIS/YP support in pam_unix and pam_access]))
+ AS_HELP_STRING([--disable-nis], [Disable building NIS/YP support in pam_unix]))
AS_IF([test "x$enable_nis" != "xno"], [
- CFLAGS=$old_CFLAGS
- LIBS=$old_LIBS
+ old_CFLAGS=$CFLAGS
+ old_LIBS=$LIBS
dnl if there's libtirpc available, prefer that over the system
dnl implementation.
- PKG_CHECK_MODULES([libtirpc], [libtirpc], [
- CFLAGS="$CFLAGS $libtirpc_CFLAGS"
- LIBS="$LIBS $libtirpc_LIBS"
+ PKG_CHECK_MODULES([TIRPC], [libtirpc], [
+ CFLAGS="$CFLAGS $TIRPC_CFLAGS"
+ LIBS="$LIBS $TIRPC_LIBS"
], [:;])
- AC_SEARCH_LIBS([yp_get_default_domain], [nsl])
+ PKG_CHECK_MODULES([NSL], [libnsl], [],
+ [AC_CHECK_LIB([nsl],[yp_match],[NSL_LIBS="-lnsl"],[NSL_LIBS=""])])
+ CFLAGS="$CFLAGS $NSL_CFLAGS"
+ LIBS="$LIBS $NSL_LIBS"
AC_CHECK_FUNCS([yp_get_default_domain yperr_string yp_master yp_bind yp_match yp_unbind])
+ AC_CHECK_FUNCS([getrpcport rpcb_getaddr])
AC_CHECK_HEADERS([rpc/rpc.h rpcsvc/ypclnt.h rpcsvc/yp_prot.h])
AC_CHECK_DECLS([getrpcport], , , [
#if HAVE_RPC_RPC_H
@@ -470,9 +474,6 @@ AS_IF([test "x$enable_nis" != "xno"], [
#endif
])
- NIS_CFLAGS="${CFLAGS%${old_CFLAGS}}"
- NIS_LIBS="${LIBS%${old_LIBS}}"
-
CFLAGS="$old_CFLAGS"
LIBS="$old_LIBS"
])
diff --git a/modules/pam_unix/Makefile.am b/modules/pam_unix/Makefile.am
index ab0d55a..56df178 100644
--- a/modules/pam_unix/Makefile.am
+++ b/modules/pam_unix/Makefile.am
@@ -19,7 +19,7 @@ secureconfdir = $(SCONFIGDIR)
AM_CFLAGS = -I$(top_srcdir)/libpam/include -I$(top_srcdir)/libpamc/include \
-DCHKPWD_HELPER=\"$(sbindir)/unix_chkpwd\" \
-DUPDATE_HELPER=\"$(sbindir)/unix_update\" \
- $(NIS_CFLAGS)
+ @TIRPC_CFLAGS@ @NSL_CFLAGS@
if HAVE_LIBSELINUX
AM_CFLAGS += -D"WITH_SELINUX"
@@ -30,7 +30,7 @@ if HAVE_VERSIONING
pam_unix_la_LDFLAGS += -Wl,--version-script=$(srcdir)/../modules.map
endif
pam_unix_la_LIBADD = $(top_builddir)/libpam/libpam.la \
- @LIBCRYPT@ @LIBSELINUX@ $(NIS_LIBS)
+ @LIBCRYPT@ @LIBSELINUX@ @TIRPC_LIBS@ @NSL_LIBS@
securelib_LTLIBRARIES = pam_unix.la


@ -1,28 +0,0 @@
From 6b12a20c527cb6ced5b8911ea0f1dcdfc6e6f30c Mon Sep 17 00:00:00 2001
From: Thorsten Kukuk <kukuk@thkukuk.de>
Date: Tue, 29 Mar 2016 14:17:34 +0200
Subject: [PATCH 2/2] PAM_EXTERN isn't needed anymore, but don't remove it to
not break lot of external code using it.
* libpam/include/security/pam_modules.h: Readd PAM_EXTERN for compatibility
---
libpam/include/security/pam_modules.h | 3 +++
1 file changed, 3 insertions(+)
diff --git a/libpam/include/security/pam_modules.h b/libpam/include/security/pam_modules.h
index 37568e9..ec65e3e 100644
--- a/libpam/include/security/pam_modules.h
+++ b/libpam/include/security/pam_modules.h
@@ -75,6 +75,9 @@ int pam_sm_chauthtok(pam_handle_t *pamh, int flags,
#define PAM_DATA_REPLACE 0x20000000 /* used when replacing a data item */
+/* PAM_EXTERN isn't needed anymore, but don't remove it to not break
+ lot of external code using it. */
+#define PAM_EXTERN extern
/* take care of any compatibility issues */
#include <security/_pam_compat.h>
--
1.8.5.6


@ -1,155 +0,0 @@
From 549aef483c9f1852e1fbefabc4ebbbe72e00c243 Mon Sep 17 00:00:00 2001
From: Thorsten Kukuk <kukuk@thkukuk.de>
Date: Fri, 1 Apr 2016 15:28:09 +0200
Subject: [PATCH] Use TI-RPC functions if we compile and link against libtirpc.
The old SunRPC functions don't work with IPv6.
* configure.ac: Set and restore CPPFLAGS
* modules/pam_unix/pam_unix_passwd.c: Replace getrpcport with
rpcb_getaddr if available.
---
configure.ac | 4 +++
modules/pam_unix/pam_unix_passwd.c | 73 +++++++++++++++++++++++++++++++++++++-
2 files changed, 76 insertions(+), 1 deletion(-)
diff --git a/configure.ac b/configure.ac
index 534194d..20f6ba3 100644
--- a/configure.ac
+++ b/configure.ac
@@ -451,18 +451,21 @@ AC_ARG_ENABLE([nis],
AS_IF([test "x$enable_nis" != "xno"], [
old_CFLAGS=$CFLAGS
+ old_CPPFLAGS=$CPPFLAGS
old_LIBS=$LIBS
dnl if there's libtirpc available, prefer that over the system
dnl implementation.
PKG_CHECK_MODULES([TIRPC], [libtirpc], [
CFLAGS="$CFLAGS $TIRPC_CFLAGS"
+ CPPFLAGS="$CPPFLAGS $TIRPC_CFLAGS"
LIBS="$LIBS $TIRPC_LIBS"
], [:;])
PKG_CHECK_MODULES([NSL], [libnsl], [],
[AC_CHECK_LIB([nsl],[yp_match],[NSL_LIBS="-lnsl"],[NSL_LIBS=""])])
CFLAGS="$CFLAGS $NSL_CFLAGS"
+ CPPFLAGS="$CPPFLAGS $NSL_CFLAGS"
LIBS="$LIBS $NSL_LIBS"
AC_CHECK_FUNCS([yp_get_default_domain yperr_string yp_master yp_bind yp_match yp_unbind])
@@ -475,6 +478,7 @@ AS_IF([test "x$enable_nis" != "xno"], [
])
CFLAGS="$old_CFLAGS"
+ CPPFLAGS="$old_CPPFLAGS"
LIBS="$old_LIBS"
])
diff --git a/modules/pam_unix/pam_unix_passwd.c b/modules/pam_unix/pam_unix_passwd.c
index e3d3209..fa29327 100644
--- a/modules/pam_unix/pam_unix_passwd.c
+++ b/modules/pam_unix/pam_unix_passwd.c
@@ -92,7 +92,7 @@
# include "yppasswd.h"
-# if !HAVE_DECL_GETRPCPORT
+# if !HAVE_DECL_GETRPCPORT &&!HAVE_RPCB_GETADDR
extern int getrpcport(const char *host, unsigned long prognum,
unsigned long versnum, unsigned int proto);
# endif /* GNU libc 2.1 */
@@ -114,11 +114,48 @@ extern int getrpcport(const char *host, unsigned long prognum,
#define MAX_PASSWD_TRIES 3
#ifdef HAVE_NIS
+#ifdef HAVE_RPCB_GETADDR
+static unsigned short
+__taddr2port (const struct netconfig *nconf, const struct netbuf *nbuf)
+{
+ unsigned short port = 0;
+ struct __rpc_sockinfo si;
+ struct sockaddr_in *sin;
+ struct sockaddr_in6 *sin6;
+ if (!__rpc_nconf2sockinfo(nconf, &si))
+ return 0;
+
+ switch (si.si_af)
+ {
+ case AF_INET:
+ sin = nbuf->buf;
+ port = sin->sin_port;
+ break;
+ case AF_INET6:
+ sin6 = nbuf->buf;
+ port = sin6->sin6_port;
+ break;
+ default:
+ break;
+ }
+
+ return htons (port);
+}
+#endif
+
static char *getNISserver(pam_handle_t *pamh, unsigned int ctrl)
{
char *master;
char *domainname;
int port, err;
+#if defined(HAVE_RPCB_GETADDR)
+ struct netconfig *nconf;
+ struct netbuf svcaddr;
+ char addrbuf[INET6_ADDRSTRLEN];
+ void *handle;
+ int found;
+#endif
+
#ifdef HAVE_YP_GET_DEFAULT_DOMAIN
if ((err = yp_get_default_domain(&domainname)) != 0) {
@@ -146,7 +183,41 @@ static char *getNISserver(pam_handle_t *pamh, unsigned int ctrl)
yperr_string(err));
return NULL;
}
+#ifdef HAVE_RPCB_GETADDR
+ svcaddr.len = 0;
+ svcaddr.maxlen = sizeof (addrbuf);
+ svcaddr.buf = addrbuf;
+ port = 0;
+ found = 0;
+
+ handle = setnetconfig();
+ while ((nconf = getnetconfig(handle)) != NULL) {
+ if (!strcmp(nconf->nc_proto, "udp")) {
+ if (rpcb_getaddr(YPPASSWDPROG, YPPASSWDPROC_UPDATE,
+ nconf, &svcaddr, master)) {
+ port = __taddr2port (nconf, &svcaddr);
+ endnetconfig (handle);
+ found=1;
+ break;
+ }
+
+ if (rpc_createerr.cf_stat != RPC_UNKNOWNHOST) {
+ clnt_pcreateerror (master);
+ pam_syslog (pamh, LOG_ERR,
+ "rpcb_getaddr (%s) failed!", master);
+ return NULL;
+ }
+ }
+ }
+
+ if (!found) {
+ pam_syslog (pamh, LOG_ERR,
+ "Cannot find suitable transport for protocol 'udp'");
+ return NULL;
+ }
+#else
port = getrpcport(master, YPPASSWDPROG, YPPASSWDPROC_UPDATE, IPPROTO_UDP);
+#endif
if (port == 0) {
pam_syslog(pamh, LOG_WARNING,
"yppasswdd not running on NIS master host");
--
1.8.5.6


@ -1,3 +0,0 @@
version https://git-lfs.github.com/spec/v1
oid sha256:1f8860544d935f744546a4bb15167e3e42736c4e37756534117bdfaa822e6b25
size 491551


@ -1,3 +0,0 @@
version https://git-lfs.github.com/spec/v1
oid sha256:342b1211c0d3b203a7df2540a5b03a428a087bd8a48c17e49ae268f992b334d9
size 1279523


@ -0,0 +1,3 @@
version https://git-lfs.github.com/spec/v1
oid sha256:8610b48703f036f6755c1d2bd8bcdeaddd9d99a1631f2d7668ec69b444d972a0
size 492805

3
Linux-PAM-1.3.0.tar.bz2 Normal file

@ -0,0 +1,3 @@
version https://git-lfs.github.com/spec/v1
oid sha256:241aed1ef522f66ed672719ecf2205ec513fd0075ed80cda8e086a5b1a01d1bb
size 1302820


@ -1,8 +1,6 @@
diff --git a/modules/pam_unix/pam_unix_passwd.c b/modules/pam_unix/pam_unix_passwd.c
index 0cfc0f4..2239206 100644
--- a/modules/pam_unix/pam_unix_passwd.c
+++ b/modules/pam_unix/pam_unix_passwd.c
@@ -796,6 +796,29 @@ pam_sm_chauthtok(pam_handle_t *pamh, int flags, int argc, const char **argv)
--- modules/pam_unix/pam_unix_passwd.c
+++ modules/pam_unix/pam_unix_passwd.c 2016/04/11 13:49:32
@@ -840,6 +840,29 @@
* rebuild the password database file.
*/
@ -32,13 +30,11 @@ index 0cfc0f4..2239206 100644
/*
* First we encrypt the new password.
*/
diff --git a/modules/pam_unix/support.c b/modules/pam_unix/support.c
index 19d72e6..dafa9f0 100644
--- a/modules/pam_unix/support.c
+++ b/modules/pam_unix/support.c
@@ -37,8 +37,8 @@
#define SELINUX_ENABLED 0
#endif
--- modules/pam_unix/support.c
+++ modules/pam_unix/support.c 2016/04/11 13:49:32
@@ -31,8 +31,8 @@
#include "support.h"
#include "passverify.h"
-static char *
-search_key (const char *key, const char *filename)
@ -47,7 +43,7 @@ index 19d72e6..dafa9f0 100644
{
FILE *fp;
char *buf = NULL;
@@ -159,7 +159,7 @@ int _set_ctrl(pam_handle_t *pamh, int flags, int *remember, int *rounds,
@@ -153,7 +153,7 @@
}
/* preset encryption method with value from /etc/login.defs */
@ -56,7 +52,7 @@ index 19d72e6..dafa9f0 100644
if (val) {
for (j = 0; j < UNIX_CTRLS_; ++j) {
if (unix_args[j].token && unix_args[j].is_hash_algo
@@ -177,7 +177,7 @@ int _set_ctrl(pam_handle_t *pamh, int flags, int *remember, int *rounds,
@@ -171,7 +171,7 @@
/* read number of rounds for crypt algo */
if (rounds && (on(UNIX_SHA256_PASS, ctrl) || on(UNIX_SHA512_PASS, ctrl))) {
@ -65,11 +61,9 @@ index 19d72e6..dafa9f0 100644
if (val) {
*rounds = strtol(val, NULL, 10);
diff --git a/modules/pam_unix/support.h b/modules/pam_unix/support.h
index 6f5b2eb..a35a8a8 100644
--- a/modules/pam_unix/support.h
+++ b/modules/pam_unix/support.h
@@ -174,4 +174,5 @@ extern int _unix_read_password(pam_handle_t * pamh
--- modules/pam_unix/support.h
+++ modules/pam_unix/support.h 2016/04/11 13:49:32
@@ -174,4 +174,5 @@
extern int _unix_run_verify_binary(pam_handle_t *pamh,
unsigned int ctrl, const char *user, int *daysleft);


@ -1,3 +1,29 @@
-------------------------------------------------------------------
Mon May 2 10:44:38 CEST 2016 - kukuk@suse.de
- Remove obsolete README.pam_tally [bsc#977973]
-------------------------------------------------------------------
Thu Apr 28 13:51:59 CEST 2016 - kukuk@suse.de
- Update Linux-PAM to version 1.3.0
- Rediff encryption_method_nis.diff
-------------------------------------------------------------------
Thu Apr 14 14:06:18 CEST 2016 - kukuk@suse.de
- Add /sbin/unix2_chkpwd (moved from pam-modules)
-------------------------------------------------------------------
Mon Apr 11 15:09:04 CEST 2016 - kukuk@suse.de
- Remove (since accepted upstream):
- 0001-Remove-YP-dependencies-from-pam_access-they-were-nev.patch
- 0002-Remove-enable-static-modules-option-and-support-from.patch
- 0003-fix-nis-checks.patch
- 0004-PAM_EXTERN-isn-t-needed-anymore-but-don-t-remove-it-.patch
- 0005-Use-TI-RPC-functions-if-we-compile-and-link-against-.patch
-------------------------------------------------------------------
Fri Apr 1 15:32:37 CEST 2016 - kukuk@suse.de


@ -30,11 +30,11 @@ BuildRequires: pkgconfig(libtirpc)
%if %{enable_selinux}
BuildRequires: libselinux-devel
%endif
%define libpam_so_version 0.84.1
%define libpam_so_version 0.84.2
%define libpam_misc_so_version 0.82.1
%define libpamc_so_version 0.82.1
#
Version: 1.2.1
Version: 1.3.0
Release: 0
Summary: A Security Tool that Provides Authentication for Applications
License: GPL-2.0+ or BSD-3-Clause
@ -52,14 +52,11 @@ Source6: common-password.pamd
Source7: common-session.pamd
Source8: etc.environment
Source9: baselibs.conf
Source10: unix2_chkpwd.c
Source11: unix2_chkpwd.8
Patch0: fix-man-links.dif
Patch2: pam-limit-nproc.patch
Patch3: encryption_method_nis.diff
Patch4: 0001-Remove-YP-dependencies-from-pam_access-they-were-nev.patch
Patch5: 0002-Remove-enable-static-modules-option-and-support-from.patch
Patch6: 0003-fix-nis-checks.patch
Patch7: 0004-PAM_EXTERN-isn-t-needed-anymore-but-don-t-remove-it-.patch
Patch8: 0005-Use-TI-RPC-functions-if-we-compile-and-link-against-.patch
BuildRoot: %{_tmppath}/%{name}-%{version}-build
# Remove with next version update:
BuildRequires: autoconf
@ -109,12 +106,7 @@ building both PAM-aware applications and modules for use with PAM.
%setup -q -n Linux-PAM-%{version} -b 1
%patch0 -p1
%patch2 -p1
%patch3 -p1
%patch4 -p1
%patch5 -p1
%patch6 -p1
%patch7 -p1
%patch8 -p1
%patch3 -p0
%build
autoreconf -fiv
@ -128,7 +120,8 @@ export CFLAGS="%optflags -DNDEBUG"
--libdir=/%{_lib} \
--enable-isadir=../../%{_lib}/security \
--enable-securedir=/%{_lib}/security
make %{?_smp_mflags};
make %{?_smp_mflags}
%__cc -fwhole-program -fpie -pie -D_FILE_OFFSET_BITS=64 -D_GNU_SOURCE %{optflags} -I$RPM_BUILD_DIR/Linux-PAM-%{version}/libpam/include %{SOURCE10} -o $RPM_BUILD_DIR/unix2_chkpwd -L$RPM_BUILD_DIR/Linux-PAM-%{version}/libpam/.libs/ -lpam
%check
make %{?_smp_mflags} check
@ -181,12 +174,6 @@ for x in pam_unix_auth pam_unix_acct pam_unix_passwd pam_unix_session; do
ln -f $RPM_BUILD_ROOT/%{_lib}/security/pam_unix.so $RPM_BUILD_ROOT/%{_lib}/security/$x.so
done
#
# pam_tally is deprecated since ages
#
rm -f $RPM_BUILD_ROOT/%{_lib}/security/pam_tally.so
rm -f $RPM_BUILD_ROOT/sbin/pam_tally
rm -f $RPM_BUILD_ROOT%{_mandir}/man8/pam_tally.8*
#
# Install READMEs of PAM modules
#
DOC=$RPM_BUILD_ROOT%{_defaultdocdir}/pam
@ -198,18 +185,30 @@ mkdir -p $DOC/modules
done
)
#
# Install misc docu and md5.config
# pam_tally is deprecated since ages
#
rm -f $RPM_BUILD_ROOT/%{_lib}/security/pam_tally.so
rm -f $RPM_BUILD_ROOT/sbin/pam_tally
rm -f $RPM_BUILD_ROOT%{_mandir}/man8/pam_tally.8*
rm -f $RPM_BUILD_ROOT%{_defaultdocdir}/pam/modules/README.pam_tally
#
# Install misc docu
#
install -m 644 NEWS COPYING $DOC
# Install unix2_chkpwd
install -m 755 $RPM_BUILD_DIR/unix2_chkpwd $RPM_BUILD_ROOT/sbin/
install -m 644 $RPM_SOURCE_DIR/unix2_chkpwd.8 $RPM_BUILD_ROOT%{_mandir}/man8/
# Create filelist with translatins
%{find_lang} Linux-PAM
%verifyscript
%verify_permissions -e /sbin/unix_chkpwd
%verify_permissions -e /sbin/unix2_chkpwd
%post
/sbin/ldconfig
%set_permissions /sbin/unix_chkpwd
%set_permissions /sbin/unix2_chkpwd
%postun -p /sbin/ldconfig
@ -234,6 +233,7 @@ install -m 644 NEWS COPYING $DOC
%config(noreplace) %{_sysconfdir}/security/namespace.init
%doc %{_defaultdocdir}/pam/NEWS
%doc %{_defaultdocdir}/pam/COPYING
%doc %{_mandir}/man5/environment.5*
%doc %{_mandir}/man5/*.conf.5*
%doc %{_mandir}/man5/pam.d.5*
%doc %{_mandir}/man8/*
@ -299,6 +299,7 @@ install -m 644 NEWS COPYING $DOC
/sbin/pam_tally2
/sbin/pam_timestamp_check
%verify(not mode) %attr(4755,root,shadow) /sbin/unix_chkpwd
%verify(not mode) %attr(4755,root,shadow) /sbin/unix2_chkpwd
%attr(0700,root,root) /sbin/unix_update
%files doc
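Review bot: The hand-written `%__cc -fwhole-program -fpie -pie … %{SOURCE10} -o $RPM_BUILD_DIR/unix2_chkpwd … -lpam` line in %build produces the binary that %files installs as `%verify(not mode) %attr(4755,root,shadow) /sbin/unix2_chkpwd`, i.e. setuid root, and it bypasses the automake build so only `%{optflags}` and `-pie` reach it. Unless `%{optflags}` already carries link hardening (not visible here), pass `-Wl,-z,relro -Wl,-z,now` on that line so the setuid helper gets full RELRO like the rest of the package would through configure. The `-L$RPM_BUILD_DIR/…/libpam/.libs/` link against the just-built libpam is fine for the build but means the helper is not covered by the `make check` run that follows; a smoke test of the installed binary in %check would catch a broken link before the 4755 file ships.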

79
unix2_chkpwd.8 Normal file

@ -0,0 +1,79 @@
.\" Copyright (C) 2003 International Business Machines Corporation
.\" This file is distributed according to the GNU General Public License.
.\" See the file COPYING in the top level source directory for details.
.\"
.de Sh \" Subsection
.br
.if t .Sp
.ne 5
.PP
\fB\\$1\fR
.PP
..
.de Sp \" Vertical space (when we can't use .PP)
.if t .sp .5v
.if n .sp
..
.de Ip \" List item
.br
.ie \\n(.$>=3 .ne \\$3
.el .ne 3
.IP "\\$1" \\$2
..
.TH "UNIX2_CHKPWD" 8 "2003-03-21" "Linux-PAM 0.76" "Linux-PAM Manual"
.SH NAME
unix2_chkpwd \- helper binary that verifies the password of the current user
.SH "SYNOPSIS"
.ad l
.hy 0
/sbin/unix2_chkpwd \fIservicename\fR \fIusername\fR
.sp
.ad
.hy
.SH "DESCRIPTION"
.PP
\fBunix2_chkpwd\fR is a helper program for applications that verifies
the password of the current user. It is not intended to be run directly from
the command line and logs a security violation if done so.
It is typically installed setuid root or setgid shadow and called by
applications, which only wishes to do an user authentification and
nothing more.
.SH "OPTIONS"
.PP
unix2_chkpwd requires the following arguments:
.TP
\fIpam_service\fR
The name of the service using unix2_chkpwd. This is required to be one of
the services in /etc/pam.d
.TP
\fIusername\fR
The name of the user whose password you want to verify.
.SH "INPUTS"
.PP
unix2_chkpwd expects the password via stdin.
.SH "RETURN CODES"
.PP
\fBunix2_chkpwd\fR has the following return codes:
.TP
1
unix2_chkpwd was inappropriately called from the command line or the password is incorrect.
.TP
0
The password is correct.
.SH "HISTORY"
Written by Olaf Kirch loosely based on unix_chkpwd by Andrew Morgan
.SH "SEE ALSO"
.PP
\fBpam\fR(8)
.SH AUTHOR
Emily Ratliff.

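--- /dev/null
+++ b/unix2_chkpwd.c
@@ -0,0 +1,337 @@
+/*
+* Set*id helper program for PAM authentication.
+*
+* It is supposed to be called from pam_unix2's
+* pam_sm_authenticate function if the function notices
+* that it's unable to get the password from the shadow file
+* because it doesn't have sufficient permissions.
+*
+* Copyright (C) 2002 SuSE Linux AG
+*
+* Written by okir@suse.de, loosely based on unix_chkpwd
+* by Andrew Morgan.
+*/
+#include <security/pam_appl.h>
+#include <security/_pam_macros.h>
+#include <sys/types.h>
+#include <stdarg.h>
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <syslog.h>
+#include <unistd.h>
+#include <pwd.h>
+#include <signal.h>
+#include <fcntl.h>
+#include <ctype.h>
+#include <errno.h>
+#define BUFLEN 1024
+#ifndef LOGINDEFS
+#define LOGINDEFS "/etc/login.defs"
+#endif
+#define LOGINDEFS_FAIL_DELAY_KEY "FAIL_DELAY"
+#define DEFAULT_FAIL_DELAY_S 10
+#define PASSWD_CRACKER_DELAY_MS 100
+enum {
+UNIX_PASSED = 0,
+UNIX_FAILED = 1
+};
+static char * program_name;
+static char pass[64];
+static int npass = -1;
+/*
+* Log error messages
+*/
+static void
+_log_err(int err, const char *format,...)
+{
+va_list args;
+va_start(args, format);
+openlog(program_name, LOG_CONS | LOG_PID, LOG_AUTH);
+vsyslog(err, format, args);
+va_end(args);
+closelog();
+}
+static void
+su_sighandler(int sig)
+{
+if (sig > 0) {
+_log_err(LOG_NOTICE, "caught signal %d.", sig);
+exit(sig);
+}
+}
+/*
+* Setup signal handlers
+*/
+static void
+setup_signals(void)
+{
+struct sigaction action;
+memset((void *) &action, 0, sizeof(action));
+action.sa_handler = su_sighandler;
+action.sa_flags = SA_RESETHAND;
+sigaction(SIGILL, &action, NULL);
+sigaction(SIGTRAP, &action, NULL);
+sigaction(SIGBUS, &action, NULL);
+sigaction(SIGSEGV, &action, NULL);
+action.sa_handler = SIG_IGN;
+action.sa_flags = 0;
+sigaction(SIGTERM, &action, NULL);
+sigaction(SIGHUP, &action, NULL);
+sigaction(SIGINT, &action, NULL);
+sigaction(SIGQUIT, &action, NULL);
+sigaction(SIGALRM, &action, NULL);
+}
+static int
+_converse(int num_msg, const struct pam_message **msg,
+struct pam_response **resp, void *appdata_ptr)
+{
+struct pam_response *reply;
+int num;
+if (!(reply = malloc(sizeof(*reply) * num_msg)))
+return PAM_CONV_ERR;
+for (num = 0; num < num_msg; num++) {
+reply[num].resp_retcode = PAM_SUCCESS;
+reply[num].resp = NULL;
+switch (msg[num]->msg_style) {
+case PAM_PROMPT_ECHO_ON:
+return PAM_CONV_ERR;
+case PAM_PROMPT_ECHO_OFF:
+/* read the password from stdin */
+if (npass < 0) {
+npass = read(STDIN_FILENO, pass, sizeof(pass)-1);
+if (npass < 0) {
+_log_err(LOG_DEBUG, "error reading password");
+return UNIX_FAILED;
+}
+pass[npass] = '\0';
+}
+reply[num].resp = strdup(pass);
+break;
+case PAM_TEXT_INFO:
+case PAM_ERROR_MSG:
+/* ignored */
+break;
+default:
+/* Must be an error of some sort... */
+return PAM_CONV_ERR;
+}
+}
+*resp = reply;
+return PAM_SUCCESS;
+}
+static int
+_authenticate(const char *service, const char *user)
+{
+struct pam_conv conv = { _converse, NULL };
+pam_handle_t *pamh;
+int err;
+err = pam_start(service, user, &conv, &pamh);
+if (err != PAM_SUCCESS) {
+_log_err(LOG_ERR, "pam_start(%s, %s) failed (errno %d)",
+service, user, err);
+return UNIX_FAILED;
+}
+err = pam_authenticate(pamh, 0);
+if (err != PAM_SUCCESS)
+_log_err(LOG_ERR, "pam_authenticate(%s, %s): %s",
+service, user,
+pam_strerror(pamh, err));
+if (err == PAM_SUCCESS)
+{
+err = pam_acct_mgmt(pamh, 0);
+if (err == PAM_SUCCESS)
+{
+int err2 = pam_setcred(pamh, PAM_REFRESH_CRED);
+if (err2 != PAM_SUCCESS)
+_log_err(LOG_ERR, "pam_setcred(%s, %s): %s",
+service, user,
+pam_strerror(pamh, err2));
+/*
+* ignore errors on refresh credentials.
+* If this did not work we use the old once.
+*/
+} else {
+_log_err(LOG_ERR, "pam_acct_mgmt(%s, %s): %s",
+service, user,
+pam_strerror(pamh, err));
+}
+}
+pam_end(pamh, err);
+if (err != PAM_SUCCESS)
+return UNIX_FAILED;
+return UNIX_PASSED;
+}
+static char *
+getuidname(uid_t uid)
+{
+struct passwd *pw;
+static char username[32];
+pw = getpwuid(uid);
+if (pw == NULL)
+return NULL;
+strncpy(username, pw->pw_name, sizeof(username));
+username[sizeof(username) - 1] = '\0';
+endpwent();
+return username;
+}
+static int
+sane_pam_service(const char *name)
+{
+const char *sp;
+char path[128];
+if (strlen(name) > 32)
+return 0;
+for (sp = name; *sp; sp++) {
+if (!isalnum(*sp) && *sp != '_' && *sp != '-')
+return 0;
+}
+snprintf(path, sizeof(path), "/etc/pam.d/%s", name);
+return access(path, R_OK) == 0;
+}
+static int
+get_system_fail_delay (void)
+{
+FILE *fs;
+char buf[BUFLEN];
+long int delay = -1;
+char *s;
+int l;
+fs = fopen(LOGINDEFS, "r");
+if (NULL == fs) {
+goto bail_out;
+}
+while ((NULL != fgets(buf, BUFLEN, fs)) && (-1 == delay)) {
+if (!strstr(buf, LOGINDEFS_FAIL_DELAY_KEY)) {
+continue;
+}
+s = buf + strspn(buf, " \t");
+l = strcspn(s, " \t");
+if (strncmp(LOGINDEFS_FAIL_DELAY_KEY, s, l)) {
+continue;
+}
+s += l;
+s += strspn(s, " \t");
+errno = 0;
+delay = strtol(s, NULL, 10);
+if (errno) {
+delay = -1;
+}
+break;
+}
+fclose (fs);
+bail_out:
+delay = (delay < 0) ? DEFAULT_FAIL_DELAY_S : delay;
+return (int)delay;
+}
+int
+main(int argc, char *argv[])
+{
+const char *program_name;
+char *service, *user;
+int fd;
+int result = UNIX_FAILED;
+uid_t uid;
+uid = getuid();
+/*
+* Make sure standard file descriptors are connected.
+*/
+while ((fd = open("/dev/null", O_RDWR)) <= 2)
+;
+close(fd);
+/*
+* Get the program name
+*/
+if (argc == 0)
+program_name = "unix2_chkpwd";
+else if ((program_name = strrchr(argv[0], '/')) != NULL)
+program_name++;
+else
+program_name = argv[0];
+/*
+* Catch or ignore as many signal as possible.
+*/
+setup_signals();
+/*
+* Check argument list
+*/
+if (argc < 2 || argc > 3) {
+_log_err(LOG_NOTICE, "Bad number of arguments (%d)", argc);
+return UNIX_FAILED;
+}
+/*
+* Get the service name and do some sanity checks on it
+*/
+service = argv[1];
+if (!sane_pam_service(service)) {
+_log_err(LOG_ERR, "Illegal service name '%s'", service);
+return UNIX_FAILED;
+}
+/*
+* Discourage users messing around (fat chance)
+*/
+if (isatty(STDIN_FILENO) && uid != 0) {
+_log_err(LOG_NOTICE,
+"Inappropriate use of Unix helper binary [UID=%d]",
+uid);
+fprintf(stderr,
+"This binary is not designed for running in this way\n"
+"-- the system administrator has been informed\n");
+sleep(10); /* this should discourage/annoy the user */
+return UNIX_FAILED;
+}
+/*
+* determine the caller's user name
+*/
+user = getuidname(uid);
+if (argc == 3 && strcmp(user, argv[2])) {
+user = argv[2];
+}
+result = _authenticate(service, user);
+/* Discourage use of this program as a
+* password cracker */
+usleep(PASSWD_CRACKER_DELAY_MS * 1000);
+if (result != UNIX_PASSED && uid != 0)
+sleep(get_system_fail_delay());
+return result;
+}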