pool/pam
SHA256
3
0
Fork 2
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

- Update to final 1.4.0 release

Browse Source 
- includes pam-check-user-home-dir.patch
  - obsoletes fix-man-links.dif

OBS-URL: https://build.opensuse.org/package/show/Linux-PAM/pam?expand=0&rev=216
This commit is contained in:
Thorsten Kukuk 2020-06-08 13:50:31 +00:00 committed by Git OBS Bridge
parent 5a8acbff55
commit 8c2c162984
8 changed files with 14 additions and 139 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

3
Linux-PAM-1.3.92-docs.tar.xz
View File

@ -1,3 +0,0 @@
version https://git-lfs.github.com/spec/v1
oid sha256:58af8e875cdcaffcf5bc2ca2d228dcb2f1589e73448391f2de562dfed186cf8a
size 464148

3
Linux-PAM-1.3.92.tar.xz
View File

@ -1,3 +0,0 @@
version https://git-lfs.github.com/spec/v1
oid sha256:12bb1b2128fa4cffdd3ba5950e2f985602db35f2ff984129709e84b8f5e6225b
size 982628

3
Linux-PAM-1.4.0-docs.tar.xz Normal file
View File

@ -0,0 +1,3 @@
version https://git-lfs.github.com/spec/v1
oid sha256:351764a0643052564a4b840320744c7e402112a2a57d2ac04511a6d22dc52e04
size 477712

3
Linux-PAM-1.4.0.tar.xz Normal file
View File

@ -0,0 +1,3 @@
version https://git-lfs.github.com/spec/v1
oid sha256:cd6d928c51e64139be3bdb38692c68183a509b83d4f2c221024ccd4bcddfd034
size 988908

56
fix-man-links.dif
View File

@ -1,56 +0,0 @@
Index: Linux-PAM-1.1.8/doc/man/pam.8
===================================================================
--- Linux-PAM-1.1.8.orig/doc/man/pam.8
+++ Linux-PAM-1.1.8/doc/man/pam.8
@@ -1 +1 @@
-.so PAM.8
+.so man8/PAM.8
Index: Linux-PAM-1.1.8/doc/man/pam.d.5
===================================================================
--- Linux-PAM-1.1.8.orig/doc/man/pam.d.5
+++ Linux-PAM-1.1.8/doc/man/pam.d.5
@@ -1 +1 @@
-.so pam.conf.5
+.so man5/pam.conf.5
Index: Linux-PAM-1.1.8/doc/man/pam_get_authtok_noverify.3
===================================================================
--- Linux-PAM-1.1.8.orig/doc/man/pam_get_authtok_noverify.3
+++ Linux-PAM-1.1.8/doc/man/pam_get_authtok_noverify.3
@@ -1 +1 @@
-.so pam_get_authtok.3
+.so man3/pam_get_authtok.3
Index: Linux-PAM-1.1.8/doc/man/pam_get_authtok_verify.3
===================================================================
--- Linux-PAM-1.1.8.orig/doc/man/pam_get_authtok_verify.3
+++ Linux-PAM-1.1.8/doc/man/pam_get_authtok_verify.3
@@ -1 +1 @@
-.so pam_get_authtok.3
+.so man3/pam_get_authtok.3
Index: Linux-PAM-1.1.8/doc/man/pam_verror.3
===================================================================
--- Linux-PAM-1.1.8.orig/doc/man/pam_verror.3
+++ Linux-PAM-1.1.8/doc/man/pam_verror.3
@@ -1 +1 @@
-.so pam_error.3
+.so man3/pam_error.3
Index: Linux-PAM-1.1.8/doc/man/pam_vinfo.3
===================================================================
--- Linux-PAM-1.1.8.orig/doc/man/pam_vinfo.3
+++ Linux-PAM-1.1.8/doc/man/pam_vinfo.3
@@ -1 +1 @@
-.so pam_info.3
+.so man3/pam_info.3
Index: Linux-PAM-1.1.8/doc/man/pam_vprompt.3
===================================================================
--- Linux-PAM-1.1.8.orig/doc/man/pam_vprompt.3
+++ Linux-PAM-1.1.8/doc/man/pam_vprompt.3
@@ -1 +1 @@
-.so pam_prompt.3
+.so man3/pam_prompt.3
Index: Linux-PAM-1.1.8/doc/man/pam_vsyslog.3
===================================================================
--- Linux-PAM-1.1.8.orig/doc/man/pam_vsyslog.3
+++ Linux-PAM-1.1.8/doc/man/pam_vsyslog.3
@@ -1 +1 @@
-.so pam_syslog.3
+.so man3/pam_syslog.3

72
pam-check-user-home-dir.patch
View File

@ -1,72 +0,0 @@
From 27ded8954a1235bb65ffc9c730ae5a50b1dfed61 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Josef=20M=C3=B6llers?= <jmoellers@suse.de>
Date: Fri, 29 May 2020 14:35:43 +0000
Subject: [PATCH] pam_setquota: skip mountpoints equal to the user's $HOME
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Matthias Gerstner found the following issue:
<quote>
So this pam_setquota module iterates over all mounted file systems using
`setmntent()` and `getmntent()`. It tries to find the longest match of
a file system mounted on /home/$USER or above (except when the
fs=/some/path parameter is passed to the pam module).
The thing is that /home/$USER is owned by the unprivileged user. And
there exist tools like fusermount from libfuse which is by default
installed setuid-root for everybody. fusermount allows to mount a FUSE
file system using an arbitrary "source device name" as the unprivileged
user.
Thus considering the following use case:
1) there is only the root file system (/) or a file system is mounted on
/home, but not on /home/$USER.
2) the attacker mounts a fake FUSE file system over its own home directory:
```
user $ export _FUSE_COMMFD=0
user $ fusermount $HOME -ononempty,fsname=/dev/sda1
```
This will result in a mount entry in /proc/mounts looking like this:
```
/dev/sda1 on /home/$USER type fuse (rw,nosuid,nodev,relatime,user_id=1000,group_id=100)
```
3) when the attacker now logs in with pam_setquota configured then
pam_setquota will identify /dev/sda1 and the file system where
to apply the user's quota on.
As a result an unprivileged user has full control over onto which block
device the quota is applied.
</quote>
If the user's $HOME is on a separate partition, setting a quota on the
user's $HOME does not really make sense, so this patch skips mountpoints
equal to the user's $HOME, preventing the above mentioned bug as
a side-effect (or vice-versa).
Reported-by: Matthias Gerstner <mgerstner@suse.de>
Co-authored-by: Tomáš Mráz <tmraz@redhat.com>
Co-authored-by: Dmitry V. Levin <ldv@altlinux.org>
Resolves: https://github.com/linux-pam/linux-pam/pull/230
---
modules/pam_setquota/pam_setquota.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/modules/pam_setquota/pam_setquota.c b/modules/pam_setquota/pam_setquota.c
index 9c05862a..01b05e38 100644
--- a/modules/pam_setquota/pam_setquota.c
+++ b/modules/pam_setquota/pam_setquota.c
@@ -275,7 +275,7 @@ pam_sm_open_session(pam_handle_t *pamh, int flags UNUSED,
*/
if ((mnt_len > match_size || (mnt_len == 0 && mnt->mnt_dir[0] == '/')) &&
(s = pam_str_skip_prefix_len(pwd->pw_dir, mnt->mnt_dir, mnt_len)) != NULL &&
- (s[0] == '\0' || s[0] == '/')) {
+ s[0] == '/') {
free(mntdevice);
if ((mntdevice = strdup(mnt->mnt_fsname)) == NULL) {
pam_syslog(pamh, LOG_CRIT, "Memory allocation error");

7
pam.changes
View File

@ -1,3 +1,10 @@
-------------------------------------------------------------------
Mon Jun 8 13:19:12 UTC 2020 - Thorsten Kukuk <kukuk@suse.com>
- Update to final 1.4.0 release
- includes pam-check-user-home-dir.patch
- obsoletes fix-man-links.dif
------------------------------------------------------------------- -------------------------------------------------------------------
Mon Jun 8 07:59:58 UTC 2020 - Thorsten Kukuk <kukuk@suse.com> Mon Jun 8 07:59:58 UTC 2020 - Thorsten Kukuk <kukuk@suse.com>

6
pam.spec
View File

@ -27,7 +27,7 @@
%endif %endif
Name: pam Name: pam
# #
Version: 1.3.92 Version: 1.4.0
Release: 0 Release: 0
Summary: A Security Tool that Provides Authentication for Applications Summary: A Security Tool that Provides Authentication for Applications
License: GPL-2.0-or-later OR BSD-3-Clause License: GPL-2.0-or-later OR BSD-3-Clause
@ -45,10 +45,8 @@ Source9: baselibs.conf
Source10: unix2_chkpwd.c Source10: unix2_chkpwd.c
Source11: unix2_chkpwd.8 Source11: unix2_chkpwd.8
Source12: pam-login_defs-check.sh Source12: pam-login_defs-check.sh
Patch0: fix-man-links.dif
Patch2: pam-limit-nproc.patch Patch2: pam-limit-nproc.patch
Patch4: pam-hostnames-in-access_conf.patch Patch4: pam-hostnames-in-access_conf.patch
Patch5: pam-check-user-home-dir.patch
BuildRequires: audit-devel BuildRequires: audit-devel
BuildRequires: bison BuildRequires: bison
BuildRequires: cracklib-devel BuildRequires: cracklib-devel
@ -139,10 +137,8 @@ removed with one of the next releases.
%prep %prep
%setup -q -n Linux-PAM-%{version} -b 1 %setup -q -n Linux-PAM-%{version} -b 1
cp -a %{SOURCE12} . cp -a %{SOURCE12} .
%patch0 -p1
%patch2 -p1 %patch2 -p1
%patch4 -p1 %patch4 -p1
%patch5 -p1
%build %build
bash ./pam-login_defs-check.sh bash ./pam-login_defs-check.sh