From 78441ed37bd6f5f265c397b5d3ce344d423bd125e9975f9ac59e8383195258ab Mon Sep 17 00:00:00 2001 
From: =?UTF-8?q?Josef=20M=C3=B6llers?= Date: Mon, 19 Aug 2019 12:43:33 +0000 Subject: [PATCH 1/3] Accepting request 724569 from home:kukuk:branches:Linux-PAM - encryption_method_nis.diff: obsolete, NIS clients shouldn't require DES anymore. - etc.environment: removed, the sources contain the same - Update to version 1.3.1+git20190807.e31dd6c: * pam_tty_audit: Manual page clarification about password logging * pam_get_authtok_verify: Avoid duplicate password verification * Mention that ./autogen.sh is needeed to be run if you check out the sources from git * pam_unix: Correct MAXPASS define name in the previous two commits. * Restrict password length when changing password * Trim password at PAM_MAX_RESP_SIZE chars * pam_succeed_if: Request user data only when needed * pam_tally2: Remove unnecessary fsync() * Fixed a grammer mistake * Fix documentation for pam_wheel * Fix a typo in the documentation * pam_lastlog: Improve silent option documentation * pam_lastlog: Respect PAM_SILENT flag * Fix regressions from the last commits. * Replace strndupa with strncpy * build: ignore pam_lastlog when logwtmp is not available. * build: ignore pam_rhosts if neither ruserok nor ruserok_af is available. * pam_motd: Cleanup the code and avoid unnecessary logging * pam_lastlog: Limit lastlog file use by LASTLOG_UID_MAX option in login.defs. * Move the duplicated search_key function to pam_modutil. * pam_unix: Use pam_syslog instead of helper_log_err. * pam_unix: Report unusable hashes found by checksalt to syslog. * Revert "pam_unix: Add crypt_default method, if supported." * pam_unix: Add crypt_default method, if supported. 
* Revert part of the commit 4da9febc OBS-URL: https://build.opensuse.org/request/show/724569 OBS-URL: https://build.opensuse.org/package/show/Linux-PAM/pam?expand=0&rev=191 --- Linux-PAM-1.3.1.tar.xz | 3 - _service | 14 ++++ _servicedata | 6 ++ encryption_method_nis.diff | 71 ------------------- etc.environment | 5 -- linux-pam-1.3.1+git20190807.e31dd6c.tar.xz | 3 + ...man-pages-1.3.1+git20190807.e31dd6c.tar.xz | 3 + pam-login_defs-check.sh | 2 +- pam.changes | 49 +++++++++++++ pam.spec | 23 +++--- 10 files changed, 86 insertions(+), 93 deletions(-) delete mode 100644 Linux-PAM-1.3.1.tar.xz create mode 100644 _service create mode 100644 _servicedata delete mode 100644 encryption_method_nis.diff delete mode 100644 etc.environment create mode 100644 linux-pam-1.3.1+git20190807.e31dd6c.tar.xz create mode 100644 linux-pam-man-pages-1.3.1+git20190807.e31dd6c.tar.xz diff --git a/Linux-PAM-1.3.1.tar.xz b/Linux-PAM-1.3.1.tar.xz deleted file mode 100644 index 506f7a9..0000000 --- a/Linux-PAM-1.3.1.tar.xz +++ /dev/null @@ -1,3 +0,0 @@ -version https://git-lfs.github.com/spec/v1 -oid sha256:eff47a4ecd833fbf18de9686632a70ee8d0794b79aecb217ebd0ce11db4cd0db -size 912332 diff --git a/_service b/_service new file mode 100644 index 0000000..b7a310b --- /dev/null +++ b/_service @@ -0,0 +1,14 @@ + + + 1.3.1 + 1.3.1+git%cd.%h + git://github.com/linux-pam/linux-pam.git + git + enable + + + xz + *.tar + + + diff --git a/_servicedata b/_servicedata new file mode 100644 index 0000000..bf2e116 --- /dev/null +++ b/_servicedata @@ -0,0 +1,6 @@ + + + git://github.com/linux-pam/linux-pam.git + e31dd6c7d0faa7a06d3ebd50a0b6957b9f822d15 + + \ No newline at end of file diff --git a/encryption_method_nis.diff b/encryption_method_nis.diff deleted file mode 100644 index f812786..0000000 --- a/encryption_method_nis.diff +++ /dev/null 
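Review bot: The source URL in the new `_service` file uses the unauthenticated `git://` transport, so the checkout that becomes the PAM source tarball gets neither server authentication nor transport integrity. I would use `https://github.com/linux-pam/linux-pam.git` here and in `_servicedata`. No revision parameter is visible in `_service`, although the XML markup is lost on this page, so this is inferred. If none is set, each service run follows the upstream default branch, and setting `revision` to the commit recorded in `_servicedata` (`e31dd6c7d0faa7a06d3ebd50a0b6957b9f822d15`) would make a rebuild reproduce the reviewed tree.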
@@ -1,71 +0,0 @@ ---- modules/pam_unix/pam_unix_passwd.c -+++ modules/pam_unix/pam_unix_passwd.c 2016/04/11 13:49:32 -@@ -840,6 +840,29 @@ - * rebuild the password database file. - */ - -+ -+ /* if it is a NIS account, check for special hash algo */ -+ if (on(UNIX_NIS, ctrl) && _unix_comesfromsource(pamh, user, 0, 1)) { -+ /* preset encryption method with value from /etc/login.defs */ -+ int j; -+ char *val = _unix_search_key ("ENCRYPT_METHOD_NIS", LOGIN_DEFS); -+ if (val) { -+ for (j = 0; j < UNIX_CTRLS_; ++j) { -+ if (unix_args[j].token && unix_args[j].is_hash_algo -+ && !strncasecmp(val, unix_args[j].token, strlen(unix_args[j].token))) { -+ break; -+ } -+ } -+ if (j >= UNIX_CTRLS_) { -+ pam_syslog(pamh, LOG_WARNING, "unrecognized ENCRYPT_METHOD_NIS value [%s]", val); -+ } else { -+ ctrl &= unix_args[j].mask; /* for turning things off */ -+ ctrl |= unix_args[j].flag; /* for turning things on */ -+ } -+ free (val); -+ } -+ } -+ - /* - * First we encrypt the new password. - */ ---- modules/pam_unix/support.c -+++ modules/pam_unix/support.c 2016/04/11 13:49:32 -@@ -31,8 +31,8 @@ - #include "support.h" - #include "passverify.h" - --static char * --search_key (const char *key, const char *filename) -+char * -+_unix_search_key (const char *key, const char *filename) - { - FILE *fp; - char *buf = NULL; -@@ -153,7 +153,7 @@ - } - - /* preset encryption method with value from /etc/login.defs */ -- val = search_key ("ENCRYPT_METHOD", LOGIN_DEFS); -+ val = _unix_search_key ("ENCRYPT_METHOD", LOGIN_DEFS); - if (val) { - for (j = 0; j < UNIX_CTRLS_; ++j) { - if (unix_args[j].token && unix_args[j].is_hash_algo -@@ -171,7 +171,7 @@ - - /* read number of rounds for crypt algo */ - if (rounds && (on(UNIX_SHA256_PASS, ctrl) || on(UNIX_SHA512_PASS, ctrl))) { -- val=search_key ("SHA_CRYPT_MAX_ROUNDS", LOGIN_DEFS); -+ val=_unix_search_key ("SHA_CRYPT_MAX_ROUNDS", LOGIN_DEFS); - - if (val) { - *rounds = strtol(val, NULL, 10); ---- modules/pam_unix/support.h -+++ 
modules/pam_unix/support.h 2016/04/11 13:49:32 -@@ -174,4 +174,5 @@ - - extern int _unix_run_verify_binary(pam_handle_t *pamh, - unsigned int ctrl, const char *user, int *daysleft); -+extern char *_unix_search_key(const char *key, const char *filename); - #endif /* _PAM_UNIX_SUPPORT_H */ diff --git a/etc.environment b/etc.environment deleted file mode 100644 index 09697f5..0000000 --- a/etc.environment +++ /dev/null @@ -1,5 +0,0 @@ -# -# This file is parsed by pam_env module -# -# Syntax: simple "KEY=VAL" pairs on seperate lines -# diff --git a/linux-pam-1.3.1+git20190807.e31dd6c.tar.xz b/linux-pam-1.3.1+git20190807.e31dd6c.tar.xz new file mode 100644 index 0000000..71e65e1 --- /dev/null +++ b/linux-pam-1.3.1+git20190807.e31dd6c.tar.xz @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:5203477a4c8ea91e038e08f18efeb3836aa7b395de8b518f405eb3f43ea7fdbf +size 530264 diff --git a/linux-pam-man-pages-1.3.1+git20190807.e31dd6c.tar.xz b/linux-pam-man-pages-1.3.1+git20190807.e31dd6c.tar.xz new file mode 100644 index 0000000..6e424fe --- /dev/null +++ b/linux-pam-man-pages-1.3.1+git20190807.e31dd6c.tar.xz @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:89397d7cb52e6a331b766d6219c6aaf3e3cc57c384ef8223f10c1f0ff4217bac +size 64012 diff --git a/pam-login_defs-check.sh b/pam-login_defs-check.sh index 80ce8fd..d1f9e38 100644 --- a/pam-login_defs-check.sh +++ b/pam-login_defs-check.sh @@ -12,7 +12,7 @@ grep -rh LOGIN_DEFS . | sed -n 's/^.*search_key *("\([A-Z0-9_]*\)", *LOGIN_DEFS).*$/\1/p' | LC_ALL=C sort -u >pam-login_defs-vars.lst -if test $(sha1sum pam-login_defs-vars.lst | sed 's/ .*$//') != 3e1ae01b1e928c53c828f64ab412be6267eb1018 ; then +if test $(sha1sum pam-login_defs-vars.lst | sed 's/ .*$//') != da39a3ee5e6b4b0d3255bfef95601890afd80709 ; then echo "does not match!" >&2 echo "Checksum is: $(sha1sum pam-login_defs-vars.lst | sed 's/ .*$//')" >&2 diff --git a/pam.changes b/pam.changes index c84e094..0e5b788 100644 
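Review bot: The new expected value `da39a3ee5e6b4b0d3255bfef95601890afd80709` is the SHA-1 of empty input, so the comparison in `pam-login_defs-check.sh` now succeeds exactly when `pam-login_defs-vars.lst` is empty and no longer verifies anything. The likely cause is the upstream move of `search_key` into pam_modutil (listed in the changelog), after which the `sed` pattern `search_key *("…", *LOGIN_DEFS)` appears to match no call. The new call's argument order is not shown here, so the pattern needs adapting against the new sources. As it stands, the set of login.defs variables PAM reads can change without the `login_defs-support-for-pam` requirement being revisited. A guard before the comparison, `test -s pam-login_defs-vars.lst || { echo "no login.defs variables found" >&2; exit 1; }`, would turn this silent pass into a build failure; the script continues outside the hunk.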
--- a/pam.changes +++ b/pam.changes 
@@ -1,3 +1,52 @@ +------------------------------------------------------------------- +Mon Aug 19 13:33:49 CEST 2019 - kukuk@suse.de + +- encryption_method_nis.diff: obsolete, NIS clients shouldn't + require DES anymore. +- etc.environment: removed, the sources contain the same + +------------------------------------------------------------------- +Mon Aug 19 11:28:31 UTC 2019 - kukuk@suse.com + +- Update to version 1.3.1+git20190807.e31dd6c: + * pam_tty_audit: Manual page clarification about password logging + * pam_get_authtok_verify: Avoid duplicate password verification + * Mention that ./autogen.sh is needeed to be run if you check out the sources from git + * pam_unix: Correct MAXPASS define name in the previous two commits. + * Restrict password length when changing password + * Trim password at PAM_MAX_RESP_SIZE chars + * pam_succeed_if: Request user data only when needed + * pam_tally2: Remove unnecessary fsync() + * Fixed a grammer mistake + * Fix documentation for pam_wheel + * Fix a typo in the documentation + * pam_lastlog: Improve silent option documentation + * pam_lastlog: Respect PAM_SILENT flag + * Fix regressions from the last commits. + * Replace strndupa with strncpy + * build: ignore pam_lastlog when logwtmp is not available. + * build: ignore pam_rhosts if neither ruserok nor ruserok_af is available. + * pam_motd: Cleanup the code and avoid unnecessary logging + * pam_lastlog: Limit lastlog file use by LASTLOG_UID_MAX option in login.defs. + * Move the duplicated search_key function to pam_modutil. + * pam_unix: Use pam_syslog instead of helper_log_err. + * pam_unix: Report unusable hashes found by checksalt to syslog. + * Revert "pam_unix: Add crypt_default method, if supported." + * pam_unix: Add crypt_default method, if supported. + * Revert part of the commit 4da9febc + * pam_unix: Add support for (gost-)yescrypt hashing methods. + * pam_unix: Fix closing curly brace. 
(#77) + * pam_unix: Add support for crypt_checksalt, if libcrypt supports it. + * pam_unix: Prefer a gensalt function, that supports auto entropy. + * pam_motd: Fix segmentation fault when no motd_dir specified (#76) + * pam_motd: Support multiple motd paths specified, with filename overrides (#69) + * pam_unix: Use bcrypt b-variant for computing new hashes. + * pam_tally, pam_tally2: fix grammar and spelling (#54) + * Fix grammar of messages printed via pam_prompt + * pam_stress: do not mark messages for translation + * pam_unix: remove obsolete _UNIX_AUTHTOK, _UNIX_OLD_AUTHTOK, and _UNIX_NEW_AUTHTOK macros + * pam_unix: remove obsolete _unix_read_password prototype + ------------------------------------------------------------------- Thu May 2 23:55:30 CEST 2019 - sbrabec@suse.com diff --git a/pam.spec b/pam.spec index 7fec94b..e512b97 100644 --- a/pam.spec +++ b/pam.spec @@ -38,7 +38,7 @@ BuildRequires: libselinux-devel %define libpam_misc_so_version 0.82.1 %define libpamc_so_version 0.82.1 # -Version: 1.3.1 +Version: 1.3.1+git20190807.e31dd6c Release: 0 Summary: A Security Tool that Provides Authentication for Applications License: GPL-2.0-or-later OR BSD-3-Clause 
@@ -55,22 +55,21 @@ Requires(pre): user(root) Requires: login_defs-support-for-pam >= 1.3.1 #DL-URL: https://fedorahosted.org/releases/l/i/linux-pam/ -Source: Linux-PAM-%{version}.tar.xz -Source1: Linux-PAM-%{version}-docs.tar.xz -Source2: securetty +Source: linux-pam-%{version}.tar.xz +Source1: Linux-PAM-1.3.1-docs.tar.xz +Source2: linux-pam-man-pages-1.3.1+git20190807.e31dd6c.tar.xz Source3: other.pamd Source4: common-auth.pamd Source5: common-account.pamd Source6: common-password.pamd Source7: common-session.pamd -Source8: etc.environment +Source8: securetty Source9: baselibs.conf Source10: unix2_chkpwd.c Source11: unix2_chkpwd.8 Source12: pam-login_defs-check.sh Patch0: fix-man-links.dif Patch2: pam-limit-nproc.patch -Patch3: encryption_method_nis.diff Patch4: pam-hostnames-in-access_conf.patch Patch5: use-correct-IP-address.patch BuildRoot: %{_tmppath}/%{name}-%{version}-build @@ -120,17 +119,17 @@ building both PAM-aware applications and modules for use with PAM. %prep -%setup -q -n Linux-PAM-%{version} -b 1 +%setup -q -n linux-pam-%{version} -b 1 -a 2 +cp -av ../Linux-PAM-1.3.1/* . cp -a %{S:12} . %patch0 -p1 %patch2 -p1 -%patch3 -p0 %patch4 -p0 %patch5 -p1 %build bash ./pam-login_defs-check.sh -autoreconf -fiv +./autogen.sh export CFLAGS="%optflags -DNDEBUG" %configure \ --sbindir=/sbin \ @@ -142,7 +141,7 @@ export CFLAGS="%optflags -DNDEBUG" --enable-isadir=../../%{_lib}/security \ --enable-securedir=/%{_lib}/security make %{?_smp_mflags} -%__cc -fwhole-program -fpie -pie -D_FILE_OFFSET_BITS=64 -D_GNU_SOURCE %{optflags} -I$RPM_BUILD_DIR/Linux-PAM-%{version}/libpam/include %{SOURCE10} -o $RPM_BUILD_DIR/unix2_chkpwd -L$RPM_BUILD_DIR/Linux-PAM-%{version}/libpam/.libs/ -lpam +%__cc -fwhole-program -fpie -pie -D_FILE_OFFSET_BITS=64 -D_GNU_SOURCE %{optflags} -I$RPM_BUILD_DIR/linux-pam-%{version}/libpam/include %{SOURCE10} -o $RPM_BUILD_DIR/unix2_chkpwd -L$RPM_BUILD_DIR/linux-pam-%{version}/libpam/.libs/ -lpam %check make %{?_smp_mflags} check 
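Review bot: `Source2` hard-codes `1.3.1+git20190807.e31dd6c` instead of using `%{version}`, and nothing on this page shows how the man-pages tarball is produced, since the `_service` file appears to build only the `linux-pam` tarball. The next snapshot bump can therefore keep shipping man pages from the old commit without any build error. I would write `Source2: linux-pam-man-pages-%{version}.tar.xz` and add a comment above it stating how the tarball is generated from the same commit as `Source`.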
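Review bot: `cp -av ../Linux-PAM-1.3.1/* .` in `%prep` overlays the whole 1.3.1 docs tarball onto the git snapshot, so any path present in both trees is replaced by the 1.3.1 copy without warning before the patches are applied. The contents of the docs tarball are not visible here, so whether the two trees overlap is unknown. `cp -avn ../Linux-PAM-1.3.1/* .` would keep the snapshot's files, or the copy could be limited to the prebuilt documentation files. A comment on that line saying why the 1.3.1 docs are still needed would help the next update.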
@@ -157,10 +156,8 @@ make DESTDIR=$RPM_BUILD_ROOT install /sbin/ldconfig -n $RPM_BUILD_ROOT/%{_lib} # Install documentation make -C doc install DESTDIR=$RPM_BUILD_ROOT -# install /etc/environment -install -m 644 %{SOURCE8} $RPM_BUILD_ROOT/etc/environment # install securetty -install -m 644 %{SOURCE2} $RPM_BUILD_ROOT/etc +install -m 644 %{SOURCE8} $RPM_BUILD_ROOT/etc %ifarch s390 s390x echo "ttyS0" >> $RPM_BUILD_ROOT/etc/securetty echo "ttyS1" >> $RPM_BUILD_ROOT/etc/securetty From 8952f5370e91d787a2c1fbaac28fdac90fd21b4d02309323de75b5fbd39a6109 Mon Sep 17 00:00:00 2001 From: Thorsten Kukuk Date: Wed, 21 Aug 2019 11:20:26 +0000 Subject: [PATCH 2/3] Accepting request 725009 from home:kukuk:etc Add /usr/etc/pam.d directory and read from it. OBS-URL: https://build.opensuse.org/request/show/725009 OBS-URL: https://build.opensuse.org/package/show/Linux-PAM/pam?expand=0&rev=192 --- pam.changes | 5 ++ pam.spec | 180 ++++++++++++++++++++---------------------- usr-etc-support.patch | 81 +++++++++++++++++++ 3 files changed, 172 insertions(+), 94 deletions(-) create mode 100644 usr-etc-support.patch diff --git a/pam.changes b/pam.changes index 0e5b788..75cef9f 100644 --- a/pam.changes +++ b/pam.changes @@ -1,3 +1,8 @@ +------------------------------------------------------------------- +Mon Aug 19 14:45:43 CEST 2019 - kukuk@suse.de + +- usr-etc-support.patch: Add support for /usr/etc/pam.d + ------------------------------------------------------------------- Mon Aug 19 13:33:49 CEST 2019 - kukuk@suse.de diff --git a/pam.spec b/pam.spec index e512b97..2ea747a 100644 --- a/pam.spec +++ b/pam.spec 
@@ -18,43 +18,17 @@ # %define enable_selinux 1 - -Name: pam -Url: http://www.linux-pam.org/ -BuildRequires: audit-devel -BuildRequires: bison -BuildRequires: cracklib-devel -BuildRequires: flex -%if 0%{?suse_version} > 1320 -BuildRequires: libdb-4_8-devel -BuildRequires: xz -BuildRequires: pkgconfig(libnsl) -BuildRequires: pkgconfig(libtirpc) -%endif -%if %{enable_selinux} -BuildRequires: libselinux-devel -%endif %define libpam_so_version 0.84.2 %define libpam_misc_so_version 0.82.1 %define libpamc_so_version 0.82.1 +Name: pam # Version: 1.3.1+git20190807.e31dd6c Release: 0 Summary: A Security Tool that Provides Authentication for Applications License: GPL-2.0-or-later OR BSD-3-Clause Group: System/Libraries -PreReq: permissions -%if 0%{?suse_version} >= 1330 -Requires(pre): group(shadow) -Requires(pre): user(root) -%endif -# All login.defs variables require support from shadow side. -# Upgrade this symbol version only if new variables appear! -# Verify by shadow-login_defs-check.sh from shadow source package. -# Recent symbol includes variable from encryption_method_nis.diff. -Requires: login_defs-support-for-pam >= 1.3.1 - -#DL-URL: https://fedorahosted.org/releases/l/i/linux-pam/ +URL: http://www.linux-pam.org/ Source: linux-pam-%{version}.tar.xz Source1: Linux-PAM-1.3.1-docs.tar.xz Source2: linux-pam-man-pages-1.3.1+git20190807.e31dd6c.tar.xz 
@@ -72,20 +46,40 @@ Patch0: fix-man-links.dif Patch2: pam-limit-nproc.patch Patch4: pam-hostnames-in-access_conf.patch Patch5: use-correct-IP-address.patch -BuildRoot: %{_tmppath}/%{name}-%{version}-build -BuildRequires: libdb-4_8-devel +Patch6: usr-etc-support.patch +BuildRequires: audit-devel # Remove with next version update: BuildRequires: autoconf BuildRequires: automake +BuildRequires: bison +BuildRequires: cracklib-devel +BuildRequires: flex +BuildRequires: libdb-4_8-devel BuildRequires: libtool +# All login.defs variables require support from shadow side. +# Upgrade this symbol version only if new variables appear! +# Verify by shadow-login_defs-check.sh from shadow source package. +Requires: login_defs-support-for-pam >= 1.3.1 +Requires(post): permissions +%if 0%{?suse_version} > 1320 +BuildRequires: libdb-4_8-devel +BuildRequires: xz +BuildRequires: pkgconfig(libnsl) +BuildRequires: pkgconfig(libtirpc) +%endif +%if %{enable_selinux} +BuildRequires: libselinux-devel +%endif +%if 0%{?suse_version} >= 1330 +Requires(pre): group(shadow) +Requires(pre): user(root) +%endif %description PAM (Pluggable Authentication Modules) is a system security tool that allows system administrators to set authentication policies without having to recompile programs that do authentication. - - %package doc Summary: Documentation for Pluggable Authentication Modules Group: Documentation/HTML @@ -100,8 +94,6 @@ having to recompile programs that do authentication. This package contains the documentation. - - %package devel Summary: Include Files and Libraries for PAM-Development Group: Development/Libraries/C and C++ 
@@ -116,24 +108,23 @@ having to recompile programs which do authentication. This package contains header files and static libraries used for building both PAM-aware applications and modules for use with PAM. - - %prep %setup -q -n linux-pam-%{version} -b 1 -a 2 -cp -av ../Linux-PAM-1.3.1/* . -cp -a %{S:12} . +cp -av ../Linux-PAM-1.3.1/* . +cp -a %{SOURCE12} . %patch0 -p1 %patch2 -p1 -%patch4 -p0 +%patch4 %patch5 -p1 +%patch6 %build bash ./pam-login_defs-check.sh ./autogen.sh -export CFLAGS="%optflags -DNDEBUG" +export CFLAGS="%{optflags} -DNDEBUG" %configure \ --sbindir=/sbin \ - --includedir=%_includedir/security \ + --includedir=%{_includedir}/security \ --docdir=%{_docdir}/pam \ --htmldir=%{_docdir}/pam/html \ --pdfdir=%{_docdir}/pam/pdf \ 
@@ -141,62 +132,63 @@ export CFLAGS="%optflags -DNDEBUG" --enable-isadir=../../%{_lib}/security \ --enable-securedir=/%{_lib}/security make %{?_smp_mflags} -%__cc -fwhole-program -fpie -pie -D_FILE_OFFSET_BITS=64 -D_GNU_SOURCE %{optflags} -I$RPM_BUILD_DIR/linux-pam-%{version}/libpam/include %{SOURCE10} -o $RPM_BUILD_DIR/unix2_chkpwd -L$RPM_BUILD_DIR/linux-pam-%{version}/libpam/.libs/ -lpam +gcc -fwhole-program -fpie -pie -D_FILE_OFFSET_BITS=64 -D_GNU_SOURCE %{optflags} -I$RPM_BUILD_DIR/linux-pam-%{version}/libpam/include %{SOURCE10} -o $RPM_BUILD_DIR/unix2_chkpwd -L$RPM_BUILD_DIR/linux-pam-%{version}/libpam/.libs/ -lpam %check make %{?_smp_mflags} check %install -mkdir -p $RPM_BUILD_ROOT/etc/pam.d -mkdir -p $RPM_BUILD_ROOT/usr/include/security -mkdir -p $RPM_BUILD_ROOT/%{_lib}/security -mkdir -p $RPM_BUILD_ROOT/sbin -mkdir -p -m 755 $RPM_BUILD_ROOT%{_libdir} -make DESTDIR=$RPM_BUILD_ROOT install -/sbin/ldconfig -n $RPM_BUILD_ROOT/%{_lib} +mkdir -p %{buildroot}%{_sysconfdir}/pam.d +mkdir -p %{buildroot}%{_prefix}%{_sysconfdir}/pam.d +mkdir -p %{buildroot}%{_includedir}/security +mkdir -p %{buildroot}/%{_lib}/security +mkdir -p %{buildroot}/sbin +mkdir -p -m 755 %{buildroot}%{_libdir} +%make_install +/sbin/ldconfig -n %{buildroot}/%{_lib} # Install documentation -make -C doc install DESTDIR=$RPM_BUILD_ROOT +make -C doc install DESTDIR=%{buildroot} # install securetty -install -m 644 %{SOURCE8} $RPM_BUILD_ROOT/etc +install -m 644 %{SOURCE8} %{buildroot}%{_sysconfdir} %ifarch s390 s390x -echo "ttyS0" >> $RPM_BUILD_ROOT/etc/securetty -echo "ttyS1" >> $RPM_BUILD_ROOT/etc/securetty -echo "hvc0" >> $RPM_BUILD_ROOT/etc/securetty -echo "hvc1" >> $RPM_BUILD_ROOT/etc/securetty -echo "hvc2" >> $RPM_BUILD_ROOT/etc/securetty -echo "hvc3" >> $RPM_BUILD_ROOT/etc/securetty -echo "hvc4" >> $RPM_BUILD_ROOT/etc/securetty -echo "hvc5" >> $RPM_BUILD_ROOT/etc/securetty -echo "hvc6" >> $RPM_BUILD_ROOT/etc/securetty -echo "hvc7" >> $RPM_BUILD_ROOT/etc/securetty -echo "sclp_line0" >> 
$RPM_BUILD_ROOT/etc/securetty -echo "ttysclp0" >> $RPM_BUILD_ROOT/etc/securetty +echo "ttyS0" >> %{buildroot}%{_sysconfdir}/securetty +echo "ttyS1" >> %{buildroot}%{_sysconfdir}/securetty +echo "hvc0" >> %{buildroot}%{_sysconfdir}/securetty +echo "hvc1" >> %{buildroot}%{_sysconfdir}/securetty +echo "hvc2" >> %{buildroot}%{_sysconfdir}/securetty +echo "hvc3" >> %{buildroot}%{_sysconfdir}/securetty +echo "hvc4" >> %{buildroot}%{_sysconfdir}/securetty +echo "hvc5" >> %{buildroot}%{_sysconfdir}/securetty +echo "hvc6" >> %{buildroot}%{_sysconfdir}/securetty +echo "hvc7" >> %{buildroot}%{_sysconfdir}/securetty +echo "sclp_line0" >> %{buildroot}%{_sysconfdir}/securetty +echo "ttysclp0" >> %{buildroot}%{_sysconfdir}/securetty %endif # install /etc/security/namespace.d used by pam_namespace.so for namespace.conf iscript -install -d $RPM_BUILD_ROOT%{_sysconfdir}/security/namespace.d +install -d %{buildroot}%{_sysconfdir}/security/namespace.d # install other.pamd and common-*.pamd -install -m 644 %{SOURCE3} $RPM_BUILD_ROOT/etc/pam.d/other -install -m 644 %{SOURCE4} $RPM_BUILD_ROOT/etc/pam.d/common-auth -install -m 644 %{SOURCE5} $RPM_BUILD_ROOT/etc/pam.d/common-account -install -m 644 %{SOURCE6} $RPM_BUILD_ROOT/etc/pam.d/common-password -install -m 644 %{SOURCE7} $RPM_BUILD_ROOT/etc/pam.d/common-session -rm $RPM_BUILD_ROOT/%{_lib}/libpam.so -ln -sf ../../%{_lib}/libpam.so.%{libpam_so_version} $RPM_BUILD_ROOT%{_libdir}/libpam.so -rm $RPM_BUILD_ROOT/%{_lib}/libpamc.so -ln -sf ../../%{_lib}/libpamc.so.%{libpamc_so_version} $RPM_BUILD_ROOT%{_libdir}/libpamc.so -rm $RPM_BUILD_ROOT/%{_lib}/libpam_misc.so -ln -sf ../../%{_lib}/libpam_misc.so.%{libpam_misc_so_version} $RPM_BUILD_ROOT%{_libdir}/libpam_misc.so +install -m 644 %{SOURCE3} %{buildroot}%{_sysconfdir}/pam.d/other +install -m 644 %{SOURCE4} %{buildroot}%{_sysconfdir}/pam.d/common-auth +install -m 644 %{SOURCE5} %{buildroot}%{_sysconfdir}/pam.d/common-account +install -m 644 %{SOURCE6} 
%{buildroot}%{_sysconfdir}/pam.d/common-password +install -m 644 %{SOURCE7} %{buildroot}%{_sysconfdir}/pam.d/common-session +rm %{buildroot}/%{_lib}/libpam.so +ln -sf ../../%{_lib}/libpam.so.%{libpam_so_version} %{buildroot}%{_libdir}/libpam.so +rm %{buildroot}/%{_lib}/libpamc.so +ln -sf ../../%{_lib}/libpamc.so.%{libpamc_so_version} %{buildroot}%{_libdir}/libpamc.so +rm %{buildroot}/%{_lib}/libpam_misc.so +ln -sf ../../%{_lib}/libpam_misc.so.%{libpam_misc_so_version} %{buildroot}%{_libdir}/libpam_misc.so # # Remove crap # -rm -rf $RPM_BUILD_ROOT/%{_lib}/*.la $RPM_BUILD_ROOT/%{_lib}/security/*.la +find %{buildroot} -type f -name "*.la" -delete -print for x in pam_unix_auth pam_unix_acct pam_unix_passwd pam_unix_session; do - ln -f $RPM_BUILD_ROOT/%{_lib}/security/pam_unix.so $RPM_BUILD_ROOT/%{_lib}/security/$x.so + ln -f %{buildroot}/%{_lib}/security/pam_unix.so %{buildroot}/%{_lib}/security/$x.so done # # Install READMEs of PAM modules # -DOC=$RPM_BUILD_ROOT%{_defaultdocdir}/pam +DOC=%{buildroot}%{_defaultdocdir}/pam mkdir -p $DOC/modules ( cd modules; 
@@ -207,15 +199,15 @@ mkdir -p $DOC/modules # # pam_tally is deprecated since ages # -rm -f $RPM_BUILD_ROOT/%{_lib}/security/pam_tally.so -rm -f $RPM_BUILD_ROOT/sbin/pam_tally -rm -f $RPM_BUILD_ROOT%{_mandir}/man8/pam_tally.8* -rm -f $RPM_BUILD_ROOT%{_defaultdocdir}/pam/modules/README.pam_tally +rm -f %{buildroot}/%{_lib}/security/pam_tally.so +rm -f %{buildroot}/sbin/pam_tally +rm -f %{buildroot}%{_mandir}/man8/pam_tally.8* +rm -f %{buildroot}%{_defaultdocdir}/pam/modules/README.pam_tally # Install unix2_chkpwd -install -m 755 $RPM_BUILD_DIR/unix2_chkpwd $RPM_BUILD_ROOT/sbin/ -install -m 644 $RPM_SOURCE_DIR/unix2_chkpwd.8 $RPM_BUILD_ROOT%{_mandir}/man8/ +install -m 755 $RPM_BUILD_DIR/unix2_chkpwd %{buildroot}/sbin/ +install -m 644 $RPM_SOURCE_DIR/unix2_chkpwd.8 %{buildroot}%{_mandir}/man8/ # Create filelist with translatins -%{find_lang} Linux-PAM +%find_lang Linux-PAM %verifyscript %verify_permissions -e /sbin/unix_chkpwd @@ -229,8 +221,8 @@ install -m 644 $RPM_SOURCE_DIR/unix2_chkpwd.8 $RPM_BUILD_ROOT%{_mandir}/man8/ %postun -p /sbin/ldconfig %files -f Linux-PAM.lang -%defattr(-,root,root) %dir %{_sysconfdir}/pam.d +%dir %{_prefix}%{_sysconfdir}/pam.d %dir %{_sysconfdir}/security %dir %{_sysconfdir}/security/limits.d %dir %{_defaultdocdir}/pam @@ -248,13 +240,13 @@ install -m 644 $RPM_SOURCE_DIR/unix2_chkpwd.8 $RPM_BUILD_ROOT%{_mandir}/man8/ %config(noreplace) %{_sysconfdir}/security/time.conf %config(noreplace) %{_sysconfdir}/security/namespace.conf %config(noreplace) %{_sysconfdir}/security/namespace.init -%dir %{_sysconfdir}/security/namespace.d +%dir %{_sysconfdir}/security/namespace.d %doc NEWS %license COPYING -%doc %{_mandir}/man5/environment.5* -%doc %{_mandir}/man5/*.conf.5* -%doc %{_mandir}/man5/pam.d.5* -%doc %{_mandir}/man8/* +%{_mandir}/man5/environment.5%{?ext_man} +%{_mandir}/man5/*.conf.5%{?ext_man} +%{_mandir}/man5/pam.d.5%{?ext_man} +%{_mandir}/man8/* /%{_lib}/libpam.so.0 /%{_lib}/libpam.so.%{libpam_so_version} /%{_lib}/libpamc.so.0 
@@ -330,9 +322,9 @@ install -m 644 $RPM_SOURCE_DIR/unix2_chkpwd.8 $RPM_BUILD_ROOT%{_mandir}/man8/ %files devel %defattr(644,root,root,755) -%dir /usr/include/security -%doc %{_mandir}/man3/pam* -%doc %{_mandir}/man3/misc_conv.3* +%dir %{_includedir}/security +%{_mandir}/man3/pam* +%{_mandir}/man3/misc_conv.3%{?ext_man} %{_includedir}/security/*.h %{_libdir}/libpam.so %{_libdir}/libpamc.so diff --git a/usr-etc-support.patch b/usr-etc-support.patch new file mode 100644 index 0000000..631b095 --- /dev/null +++ b/usr-etc-support.patch 
@@ -0,0 +1,81 @@ +--- doc/man/pam.8.xml ++++ doc/man/pam.8.xml 2019/08/16 13:37:44 +@@ -53,11 +53,13 @@ + + + Vendor-supplied PAM configuration files might be installed in +- the system directory /usr/lib/pam.d/ instead ++ the system directory /usr/lib/pam.d/ or ++ /usr/etc/pam.d/ instead + of the machine configuration directory /etc/pam.d/. + If no machine configuration file is found, the vendor-supplied file + is used. All files in /etc/pam.d/ override +- files with the same name in /usr/lib/pam.d/. ++ files with the same name in /usr/lib/pam.d/, ++ which override files with the same name in /usr/etc/pam.d/. + + + From the point of view of the system administrator, for whom this +@@ -157,6 +159,16 @@ + + + ++ /usr/etc/pam.d ++ ++ ++ the Linux-PAM vendor configuration ++ directory. Files in /etc/pam.d and ++ /usr/lib/pam.d override files with the same ++ name in this directory. ++ ++ ++ + + + +--- libpam/pam_handlers.c ++++ libpam/pam_handlers.c 2019/08/16 13:35:31 +@@ -329,6 +329,21 @@ + *file = f; + return PAM_SUCCESS; + } ++ ++ /* System Configuration /usr/etc/pam.d/ */ ++ _pam_drop(p); ++ if (asprintf (&p, PAM_CONFIG_DIST2_DF, service) < 0) { ++ pam_syslog(pamh, LOG_CRIT, "asprintf failed"); ++ return PAM_BUF_ERR; ++ } ++ D(("opening %s", p)); ++ f = fopen(p, "r"); ++ if (f != NULL) { ++ *path = p; ++ *file = f; ++ return PAM_SUCCESS; ++ } ++ + _pam_drop(p); + + return PAM_ABORT; +@@ -447,7 +462,8 @@ + + /* Is there a PAM_CONFIG_D directory? 
*/ + if ((stat(PAM_CONFIG_D, &test_d) == 0 && S_ISDIR(test_d.st_mode)) || +- (stat(PAM_CONFIG_DIST_D, &test_d) == 0 && S_ISDIR(test_d.st_mode))) { ++ (stat(PAM_CONFIG_DIST_D, &test_d) == 0 && S_ISDIR(test_d.st_mode)) || ++ (stat(PAM_CONFIG_DIST2_D, &test_d) == 0 && S_ISDIR(test_d.st_mode))) { + char *path = NULL; + int read_something=0; + +--- libpam/pam_private.h ++++ libpam/pam_private.h 2019/08/16 13:33:04 +@@ -29,6 +29,9 @@ + #define PAM_CONFIG_DF "/etc/pam.d/%s" + #define PAM_CONFIG_DIST_D "/usr/lib/pam.d" + #define PAM_CONFIG_DIST_DF "/usr/lib/pam.d/%s" ++#define PAM_CONFIG_DIST2_D "/usr/etc/pam.d" ++#define PAM_CONFIG_DIST2_DF "/usr/etc/pam.d/%s" ++ + + #define PAM_DEFAULT_SERVICE "other" /* lower case */ + From 9b6fc55e330c5759478cca7249f219b8faf92fd1f4869c7d99d6e24c06ab44e1 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Josef=20M=C3=B6llers?= Date: Fri, 23 Aug 2019 12:39:21 +0000 Subject: [PATCH 3/3] Accepting request 725419 from home:jengelh:branches:Linux-PAM - Replace old $RPM_* shell vars by macros. - Avoid unnecessary invocation of subshells. - Shorten recipe for constructing securetty contents on s390. OBS-URL: https://build.opensuse.org/request/show/725419 OBS-URL: https://build.opensuse.org/package/show/Linux-PAM/pam?expand=0&rev=193 --- pam.changes | 7 +++++++ pam.spec | 36 +++++++++++++----------------------- 2 files changed, 20 insertions(+), 23 deletions(-) diff --git a/pam.changes b/pam.changes index 75cef9f..e52b4d2 100644 --- a/pam.changes +++ b/pam.changes @@ -1,3 +1,10 @@ +------------------------------------------------------------------- +Thu Aug 22 20:29:24 UTC 2019 - Jan Engelhardt + +- Replace old $RPM_* shell vars by macros. +- Avoid unnecessary invocation of subshells. +- Shorten recipe for constructing securetty contents on s390. + ------------------------------------------------------------------- Mon Aug 19 14:45:43 CEST 2019 - kukuk@suse.de diff --git a/pam.spec b/pam.spec index 2ea747a..b22d1dd 100644 --- a/pam.spec +++ b/pam.spec 
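Review bot: The added `stat(PAM_CONFIG_DIST2_D, …)` term in the `/* Is there a PAM_CONFIG_D directory? */` test makes the mere existence of `/usr/etc/pam.d` select directory-based configuration, which the pam.8 text added by this patch does not mention. The branch taken when no directory exists is outside the hunk. If it reads a single-file configuration, that file is now ignored whenever `/usr/etc/pam.d` exists, and the spec in this commit always creates that directory. Files there become authentication policy when neither `/etc/pam.d` nor `/usr/lib/pam.d` has a file of the same name. I would extend the comment to `/* Is there a PAM_CONFIG_D, PAM_CONFIG_DIST_D or PAM_CONFIG_DIST2_D directory? */` and state in pam.8 that the directory must be root-owned and not writable by other users.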
@@ -95,7 +95,7 @@ having to recompile programs that do authentication. This package contains the documentation. %package devel -Summary: Include Files and Libraries for PAM-Development +Summary: Include Files and Libraries for PAM Development Group: Development/Libraries/C and C++ Requires: glibc-devel Requires: pam = %{version} @@ -132,7 +132,7 @@ export CFLAGS="%{optflags} -DNDEBUG" --enable-isadir=../../%{_lib}/security \ --enable-securedir=/%{_lib}/security make %{?_smp_mflags} -gcc -fwhole-program -fpie -pie -D_FILE_OFFSET_BITS=64 -D_GNU_SOURCE %{optflags} -I$RPM_BUILD_DIR/linux-pam-%{version}/libpam/include %{SOURCE10} -o $RPM_BUILD_DIR/unix2_chkpwd -L$RPM_BUILD_DIR/linux-pam-%{version}/libpam/.libs/ -lpam +gcc -fwhole-program -fpie -pie -D_FILE_OFFSET_BITS=64 -D_GNU_SOURCE %{optflags} -I%{_builddir}/linux-pam-%{version}/libpam/include %{SOURCE10} -o %{_builddir}/unix2_chkpwd -L%{_builddir}/linux-pam-%{version}/libpam/.libs/ -lpam %check make %{?_smp_mflags} check 
@@ -147,22 +147,13 @@ mkdir -p -m 755 %{buildroot}%{_libdir} %make_install /sbin/ldconfig -n %{buildroot}/%{_lib} # Install documentation -make -C doc install DESTDIR=%{buildroot} +%make_install -C doc # install securetty install -m 644 %{SOURCE8} %{buildroot}%{_sysconfdir} %ifarch s390 s390x -echo "ttyS0" >> %{buildroot}%{_sysconfdir}/securetty -echo "ttyS1" >> %{buildroot}%{_sysconfdir}/securetty -echo "hvc0" >> %{buildroot}%{_sysconfdir}/securetty -echo "hvc1" >> %{buildroot}%{_sysconfdir}/securetty -echo "hvc2" >> %{buildroot}%{_sysconfdir}/securetty -echo "hvc3" >> %{buildroot}%{_sysconfdir}/securetty -echo "hvc4" >> %{buildroot}%{_sysconfdir}/securetty -echo "hvc5" >> %{buildroot}%{_sysconfdir}/securetty -echo "hvc6" >> %{buildroot}%{_sysconfdir}/securetty -echo "hvc7" >> %{buildroot}%{_sysconfdir}/securetty -echo "sclp_line0" >> %{buildroot}%{_sysconfdir}/securetty -echo "ttysclp0" >> %{buildroot}%{_sysconfdir}/securetty +for i in ttyS0 ttyS1 hvc0 hvc1 hvc2 hvc3 hvc4 hvc5 hvc6 hvc7 sclp_line0 ttysclp0; do + echo "$i" >>%{buildroot}/%{_sysconfdir}/securetty +done %endif # install /etc/security/namespace.d used by pam_namespace.so for namespace.conf iscript install -d %{buildroot}%{_sysconfdir}/security/namespace.d @@ -190,12 +181,11 @@ done # DOC=%{buildroot}%{_defaultdocdir}/pam mkdir -p $DOC/modules -( - cd modules; - for i in pam_*/README ; do - cp -fpv ${i} $DOC/modules/README.`dirname ${i}` - done -) +pushd modules +for i in pam_*/README; do + cp -fpv "$i" "$DOC/modules/README.${i%/*}" +done +popd # # pam_tally is deprecated since ages # 
@@ -204,8 +194,8 @@ rm -f %{buildroot}/sbin/pam_tally rm -f %{buildroot}%{_mandir}/man8/pam_tally.8* rm -f %{buildroot}%{_defaultdocdir}/pam/modules/README.pam_tally # Install unix2_chkpwd -install -m 755 $RPM_BUILD_DIR/unix2_chkpwd %{buildroot}/sbin/ -install -m 644 $RPM_SOURCE_DIR/unix2_chkpwd.8 %{buildroot}%{_mandir}/man8/ +install -m 755 %{_builddir}/unix2_chkpwd %{buildroot}/sbin/ +install -m 644 %{_sourcedir}/unix2_chkpwd.8 %{buildroot}/%{_mandir}/man8/ # Create filelist with translatins %find_lang Linux-PAM