- Update to final 1.4.0 release

- includes pam-check-user-home-dir.patch - obsoletes fix-man-links.dif OBS-URL: https://build.opensuse.org/package/show/Linux-PAM/pam?expand=0&rev=216
2020-06-08 13:50:31 +00:00 · 2020-06-08 13:50:31 +00:00 · 8c2c162984
commit 8c2c162984
parent 5a8acbff55
8 changed files with 14 additions and 139 deletions
--- a/Linux-PAM-1.3.92-docs.tar.xz
+++ b/Linux-PAM-1.3.92-docs.tar.xz
@ -1,3 +0,0 @@
-version https://git-lfs.github.com/spec/v1
-oid sha256:58af8e875cdcaffcf5bc2ca2d228dcb2f1589e73448391f2de562dfed186cf8a
-size 464148
--- a/Linux-PAM-1.3.92.tar.xz
+++ b/Linux-PAM-1.3.92.tar.xz
@ -1,3 +0,0 @@
-version https://git-lfs.github.com/spec/v1
-oid sha256:12bb1b2128fa4cffdd3ba5950e2f985602db35f2ff984129709e84b8f5e6225b
-size 982628
--- a/Linux-PAM-1.4.0-docs.tar.xz
+++ b/Linux-PAM-1.4.0-docs.tar.xz
@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:351764a0643052564a4b840320744c7e402112a2a57d2ac04511a6d22dc52e04
+size 477712
--- a/Linux-PAM-1.4.0.tar.xz
+++ b/Linux-PAM-1.4.0.tar.xz
@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:cd6d928c51e64139be3bdb38692c68183a509b83d4f2c221024ccd4bcddfd034
+size 988908
--- a/fix-man-links.dif
+++ b/fix-man-links.dif
@ -1,56 +0,0 @@
-Index: Linux-PAM-1.1.8/doc/man/pam.8
-===================================================================
--- Linux-PAM-1.1.8.orig/doc/man/pam.8
-+++ Linux-PAM-1.1.8/doc/man/pam.8
-@@ -1 +1 @@
-.so PAM.8
-+.so man8/PAM.8
-Index: Linux-PAM-1.1.8/doc/man/pam.d.5
-===================================================================
--- Linux-PAM-1.1.8.orig/doc/man/pam.d.5
-+++ Linux-PAM-1.1.8/doc/man/pam.d.5
-@@ -1 +1 @@
-.so pam.conf.5
-+.so man5/pam.conf.5
-Index: Linux-PAM-1.1.8/doc/man/pam_get_authtok_noverify.3
-===================================================================
--- Linux-PAM-1.1.8.orig/doc/man/pam_get_authtok_noverify.3
-+++ Linux-PAM-1.1.8/doc/man/pam_get_authtok_noverify.3
-@@ -1 +1 @@
-.so pam_get_authtok.3
-+.so man3/pam_get_authtok.3
-Index: Linux-PAM-1.1.8/doc/man/pam_get_authtok_verify.3
-===================================================================
--- Linux-PAM-1.1.8.orig/doc/man/pam_get_authtok_verify.3
-+++ Linux-PAM-1.1.8/doc/man/pam_get_authtok_verify.3
-@@ -1 +1 @@
-.so pam_get_authtok.3
-+.so man3/pam_get_authtok.3
-Index: Linux-PAM-1.1.8/doc/man/pam_verror.3
-===================================================================
--- Linux-PAM-1.1.8.orig/doc/man/pam_verror.3
-+++ Linux-PAM-1.1.8/doc/man/pam_verror.3
-@@ -1 +1 @@
-.so pam_error.3
-+.so man3/pam_error.3
-Index: Linux-PAM-1.1.8/doc/man/pam_vinfo.3
-===================================================================
--- Linux-PAM-1.1.8.orig/doc/man/pam_vinfo.3
-+++ Linux-PAM-1.1.8/doc/man/pam_vinfo.3
-@@ -1 +1 @@
-.so pam_info.3
-+.so man3/pam_info.3
-Index: Linux-PAM-1.1.8/doc/man/pam_vprompt.3
-===================================================================
--- Linux-PAM-1.1.8.orig/doc/man/pam_vprompt.3
-+++ Linux-PAM-1.1.8/doc/man/pam_vprompt.3
-@@ -1 +1 @@
-.so pam_prompt.3
-+.so man3/pam_prompt.3
-Index: Linux-PAM-1.1.8/doc/man/pam_vsyslog.3
-===================================================================
--- Linux-PAM-1.1.8.orig/doc/man/pam_vsyslog.3
-+++ Linux-PAM-1.1.8/doc/man/pam_vsyslog.3
-@@ -1 +1 @@
-.so pam_syslog.3
-+.so man3/pam_syslog.3
--- a/pam-check-user-home-dir.patch
+++ b/pam-check-user-home-dir.patch
@ -1,72 +0,0 @@
-From 27ded8954a1235bb65ffc9c730ae5a50b1dfed61 Mon Sep 17 00:00:00 2001
-From: =?UTF-8?q?Josef=20M=C3=B6llers?= <jmoellers@suse.de>
-Date: Fri, 29 May 2020 14:35:43 +0000
-Subject: [PATCH] pam_setquota: skip mountpoints equal to the user's $HOME
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-Matthias Gerstner found the following issue:
-
-<quote>
-So this pam_setquota module iterates over all mounted file systems using
-`setmntent()` and `getmntent()`.  It tries to find the longest match of
-a file system mounted on /home/$USER or above (except when the
-fs=/some/path parameter is passed to the pam module).
-
-The thing is that /home/$USER is owned by the unprivileged user.  And
-there exist tools like fusermount from libfuse which is by default
-installed setuid-root for everybody.  fusermount allows to mount a FUSE
-file system using an arbitrary "source device name" as the unprivileged
-user.
-
-Thus considering the following use case:
-
-1) there is only the root file system (/) or a file system is mounted on
-   /home, but not on /home/$USER.
-2) the attacker mounts a fake FUSE file system over its own home directory:
-
-  ```
-  user $ export _FUSE_COMMFD=0
-  user $ fusermount $HOME -ononempty,fsname=/dev/sda1
-  ```
-
-  This will result in a mount entry in /proc/mounts looking like this:
-
-  ```
-  /dev/sda1 on /home/$USER type fuse (rw,nosuid,nodev,relatime,user_id=1000,group_id=100)
-  ```
-3) when the attacker now logs in with pam_setquota configured then
-   pam_setquota will identify /dev/sda1 and the file system where
-   to apply the user's quota on.
-
-As a result an unprivileged user has full control over onto which block
-device the quota is applied.
-</quote>
-
-If the user's $HOME is on a separate partition, setting a quota on the
-user's $HOME does not really make sense, so this patch skips mountpoints
-equal to the user's $HOME, preventing the above mentioned bug as
-a side-effect (or vice-versa).
-
-Reported-by: Matthias Gerstner <mgerstner@suse.de>
-Co-authored-by: Tomáš Mráz <tmraz@redhat.com>
-Co-authored-by: Dmitry V. Levin <ldv@altlinux.org>
-Resolves: https://github.com/linux-pam/linux-pam/pull/230
---
- modules/pam_setquota/pam_setquota.c | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/modules/pam_setquota/pam_setquota.c b/modules/pam_setquota/pam_setquota.c
-index 9c05862a..01b05e38 100644
--- a/modules/pam_setquota/pam_setquota.c
-+++ b/modules/pam_setquota/pam_setquota.c
-@@ -275,7 +275,7 @@ pam_sm_open_session(pam_handle_t *pamh, int flags UNUSED,
-        */
-       if ((mnt_len > match_size || (mnt_len == 0 && mnt->mnt_dir[0] == '/')) &&
-          (s = pam_str_skip_prefix_len(pwd->pw_dir, mnt->mnt_dir, mnt_len)) != NULL &&
-         (s[0] == '\0' || s[0] == '/')) {
-+         s[0] == '/') {
-         free(mntdevice);
-         if ((mntdevice = strdup(mnt->mnt_fsname)) == NULL) {
-           pam_syslog(pamh, LOG_CRIT, "Memory allocation error");
--- a/pam.changes
+++ b/pam.changes
@ -1,3 +1,10 @@
+-------------------------------------------------------------------
+Mon Jun  8 13:19:12 UTC 2020 - Thorsten Kukuk <kukuk@suse.com>
+
+- Update to final 1.4.0 release
+  - includes pam-check-user-home-dir.patch
+  - obsoletes fix-man-links.dif
+
 -------------------------------------------------------------------
 Mon Jun  8 07:59:58 UTC 2020 - Thorsten Kukuk <kukuk@suse.com>

--- a/pam.spec
+++ b/pam.spec
@ -27,7 +27,7 @@
 %endif
 Name:           pam
 #
-Version:        1.3.92
+Version:        1.4.0
 Release:        0
 Summary:        A Security Tool that Provides Authentication for Applications
 License:        GPL-2.0-or-later OR BSD-3-Clause
@ -45,10 +45,8 @@ Source9:        baselibs.conf
 Source10:       unix2_chkpwd.c
 Source11:       unix2_chkpwd.8
 Source12:       pam-login_defs-check.sh
-Patch0:         fix-man-links.dif
 Patch2:         pam-limit-nproc.patch
 Patch4:         pam-hostnames-in-access_conf.patch
-Patch5:         pam-check-user-home-dir.patch
 BuildRequires:  audit-devel
 BuildRequires:  bison
 BuildRequires:  cracklib-devel
@ -139,10 +137,8 @@ removed with one of the next releases.
 %prep
 %setup -q -n Linux-PAM-%{version} -b 1
 cp -a %{SOURCE12} .
-%patch0 -p1
 %patch2 -p1
 %patch4 -p1
-%patch5 -p1

 %build
 bash ./pam-login_defs-check.sh