diff --git a/disable-examples.patch b/disable-examples.patch
new file mode 100644
index 0000000..0ebaaed
--- /dev/null
+++ b/disable-examples.patch
@@ -0,0 +1,51 @@
+From 5fa961fd3b5b8cf5ba1a0cf49b10ebf79e273e96 Mon Sep 17 00:00:00 2001
+From: Pino Toscano
+Date: Mon, 8 May 2023 18:39:36 +0200
+Subject: [PATCH] configure.ac: add --enable-examples option
+
+Allow the user to not build the examples through --disable-examples
+(enabled by default); this can be useful:
+- when cross-compiling, as the examples are not useful
+- in distribution builds, not building stuff that is not used in any
+ way
+---
+ Makefile.am | 5 ++++-
+ configure.ac | 5 +++++
+ 2 files changed, 9 insertions(+), 1 deletion(-)
+
+diff --git a/Makefile.am b/Makefile.am
+index deb252680..2e8fede7b 100644
+--- a/Makefile.am
++++ b/Makefile.am
+@@ -4,11 +4,14 @@
+
+ AUTOMAKE_OPTIONS = 1.9 gnu dist-xz no-dist-gzip check-news
+
+-SUBDIRS = libpam tests libpamc libpam_misc modules po conf examples xtests
++SUBDIRS = libpam tests libpamc libpam_misc modules po conf xtests
+
+ if HAVE_DOC
+ SUBDIRS += doc
+ endif
++if HAVE_EXAMPLES
++SUBDIRS += examples
++endif
+
+ CLEANFILES = *~
+
+diff --git a/configure.ac b/configure.ac
+index b9b0f8392..6666b1b26 100644
+--- a/configure.ac
++++ b/configure.ac
+@@ -224,6 +224,11 @@ AC_ARG_ENABLE([doc],
+ WITH_DOC=$enableval, WITH_DOC=yes)
+ AM_CONDITIONAL([HAVE_DOC], [test "x$WITH_DOC" = "xyes"])
+
++AC_ARG_ENABLE([examples],
++ AS_HELP_STRING([--disable-examples],[Do not build the examples]),
++ WITH_EXAMPLES=$enableval, WITH_EXAMPLES=yes)
++AM_CONDITIONAL([HAVE_EXAMPLES], [test "x$WITH_EXAMPLES" = "xyes"])
++
+ AC_ARG_ENABLE([prelude],
+ AS_HELP_STRING([--disable-prelude],[do not use prelude]),
+ WITH_PRELUDE=$enableval, WITH_PRELUDE=yes)
diff --git a/pam.changes b/pam.changes
index bf4cb8f..6b48ff1 100644
--- a/pam.changes
+++ b/pam.changes
@@ -1,3 +1,17 @@
+-------------------------------------------------------------------
+Mon Aug 7 09:41:27 UTC 2023 - Thorsten Kukuk
+
+- pam_access backports from upstream:
+ - pam_access-doc-IPv6-link-local.patch:
+ Document only partial supported IPv6 link local addresses
+ - pam_access-hostname-debug.patch:
+ Don't print error if we cannot resolve a hostname, does not
+ need to be a hostname
+ - pam_shells-fix-econf-memory-leak.patch:
+ Free econf keys variable
+ - disable-examples.patch:
+ Don't build examples
+
 -------------------------------------------------------------------
 Tue May 9 12:14:48 UTC 2023 - Thorsten Kukuk
diff --git a/pam.spec b/pam.spec
index 45459aa..58a4155 100644
--- a/pam.spec
+++ b/pam.spec
@@ -96,6 +96,14 @@ Source22: postlogin-account.pamd
 Source23: postlogin-password.pamd
 Source24: postlogin-session.pamd
 Patch1: pam-limit-nproc.patch
+# https://github.com/linux-pam/linux-pam/pull/594
+Patch2: pam_access-doc-IPv6-link-local.patch
+# https://github.com/linux-pam/linux-pam/pull/596
+Patch3: pam_access-hostname-debug.patch
+# https://github.com/linux-pam/linux-pam/pull/581
+Patch4: pam_shells-fix-econf-memory-leak.patch
+# https://github.com/linux-pam/linux-pam/pull/574
+Patch5: disable-examples.patch
 BuildRequires: audit-devel
 BuildRequires: bison
 BuildRequires: flex
@@ -206,6 +214,10 @@ building both PAM-aware applications and modules for use with PAM.
 %setup -q -n Linux-PAM-%{version}
 cp -a %{SOURCE12} .
 %patch1 -p1
+%patch2 -p1
+%patch3 -p1
+%patch4 -p1
+%patch5 -p1
 %build
 bash ./pam-login_defs-check.sh
@@ -216,6 +228,7 @@ CFLAGS="$CFLAGS -DNDEBUG"
 %if %{livepatchable}
 CFLAGS="$CFLAGS -fpatchable-function-entry=16,14 -fdump-ipa-clones"
 %endif
+autoreconf
 %configure \
 --includedir=%{_includedir}/security \
 --docdir=%{_docdir}/pam \
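Review bot: The bare `autoreconf` added before `%configure` is what makes disable-examples.patch effective, yet the visible BuildRequires context (audit-devel, bison, flex) does not show autoconf, automake or libtool; the rest of that list is outside the hunk, so this needs confirming. Plain `autoreconf` also only remakes files it considers out of date, and a configure script that was not regenerated would normally treat the `--disable-examples` passed in the following hunk as an unrecognised option and only warn, so the examples would still be built without the build failing. I would write `autoreconf -fi` and declare the autotools packages explicitly as build dependencies. A comment above the call, for example `# regenerate configure: disable-examples.patch touches configure.ac and Makefile.am`, would record why the step exists once the patch is dropped.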
@@ -225,6 +238,7 @@ CFLAGS="$CFLAGS -fpatchable-function-entry=16,14 -fdump-ipa-clones"
 --enable-securedir=%{_pam_moduledir} \
 --enable-vendordir=%{_prefix}/etc \
 --enable-logind \
+ --disable-examples \
 --disable-nis \
 %if %{with debug}
 --enable-debug
diff --git a/pam_access-doc-IPv6-link-local.patch b/pam_access-doc-IPv6-link-local.patch
new file mode 100644
index 0000000..d84a1de
--- /dev/null
+++ b/pam_access-doc-IPv6-link-local.patch
@@ -0,0 +1,63 @@
+From 4ba3105511c3a55fc750a790f7310c6d7ebfdfda Mon Sep 17 00:00:00 2001
+From: Thorsten Kukuk
+Date: Thu, 3 Aug 2023 17:11:32 +0200
+Subject: [PATCH] pam_access: document IPv6 link-local addresses (#582)
+
+* modules/pam_access/access.conf.5.xml: Add example and note for IPv6
+ link-local addresses
+* modules/pam_access/access.conf: Add example for IPv6 link-local
+ addresses
+---
+ modules/pam_access/access.conf | 3 +++
+ modules/pam_access/access.conf.5.xml | 12 +++++++++++-
+ 2 files changed, 14 insertions(+), 1 deletion(-)
+
+diff --git a/modules/pam_access/access.conf b/modules/pam_access/access.conf
+index 47b6b84c1..9c8e21716 100644
+--- a/modules/pam_access/access.conf
++++ b/modules/pam_access/access.conf
+@@ -115,6 +115,9 @@
+ # User "john" should get access from ipv6 host address (same as above)
+ #+:john:2001:4ca0:0:101:0:0:0:1
+ #
++# User "john" should get access from ipv6 local link host address
++#+:john:fe80::de95:818c:1b55:7e42%eth0
++#
+ # User "john" should get access from ipv6 net/mask
+ #+:john:2001:4ca0:0:101::/64
+ #
+diff --git a/modules/pam_access/access.conf.5.xml b/modules/pam_access/access.conf.5.xml
+index ff1cb2237..2dc5d477c 100644
+--- a/modules/pam_access/access.conf.5.xml
++++ b/modules/pam_access/access.conf.5.xml
+@@ -188,6 +188,12 @@
+
+ +:john foo:2001:db8:0:101::1
+
++
++ User john and foo
++ should get access from IPv6 link local host address.
++
++ +:john foo:fe80::de95:818c:1b55:7e42%eth1
++
+
+ User john should get access from IPv6 net/mask.
+
+@@ -222,6 +228,10 @@
+ item and the line will be most probably ignored. For this reason, it is not
+ recommended to put spaces around the ':' characters.
+
++
++ An IPv6 link local host address must contain the interface
++ identifier. IPv6 link local network/netmask is not supported.
++
+
+
+
+@@ -246,4 +256,4 @@
+ introduced by Mike Becher <mike.becher@lrz-muenchen.de>.
+
+
+-
+\ No newline at end of file
++
diff --git a/pam_access-hostname-debug.patch b/pam_access-hostname-debug.patch
new file mode 100644
index 0000000..13168b5
--- /dev/null
+++ b/pam_access-hostname-debug.patch
@@ -0,0 +1,27 @@
+From 741acf4ff707d53b94947736a01eeeda5e2c7e98 Mon Sep 17 00:00:00 2001
+From: Thorsten Kukuk
+Date: Fri, 4 Aug 2023 15:46:16 +0200
+Subject: [PATCH] pam_access: make non-resolveable hostname a debug output
+ (#590)
+
+* modules/pam_access/pam_access.c (network_netmask_match): Don't print
+an error if a string is not resolveable, only a debug message in debug
+mode. We even don't know if that entry is for remote logins or not.
+---
+ modules/pam_access/pam_access.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/modules/pam_access/pam_access.c b/modules/pam_access/pam_access.c
+index f70b7e495..985dc7de2 100644
+--- a/modules/pam_access/pam_access.c
++++ b/modules/pam_access/pam_access.c
+@@ -876,7 +876,8 @@ network_netmask_match (pam_handle_t *pamh,
+ */
+ if (getaddrinfo (tok, NULL, NULL, &ai) != 0)
+ {
+- pam_syslog(pamh, LOG_ERR, "cannot resolve hostname \"%s\"", tok);
++ if (item->debug)
++ pam_syslog(pamh, LOG_DEBUG, "cannot resolve hostname \"%s\"", tok);
+
+ return NO;
+ }
diff --git a/pam_shells-fix-econf-memory-leak.patch b/pam_shells-fix-econf-memory-leak.patch
new file mode 100644
index 0000000..506a1c5
--- /dev/null
+++ b/pam_shells-fix-econf-memory-leak.patch
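Review bot: With the message moved behind `item->debug`, a token that fails `getaddrinfo` in `network_netmask_match` is treated as a non-match (`return NO`) and leaves nothing in the log unless the module runs with debug enabled. For sites that rely on hostname entries in access.conf, a DNS outage or a typo then changes which rule decides a login without any trace at default log levels. I would document this at the check with a comment such as `/* tok may not be a hostname at all; a failed lookup only means this entry does not match, so report it in debug mode only */`, and have the package changelog entry tell administrators to enable the `debug` option or use addresses where host-based rules matter. The function begins and ends outside the hunk, so whether the caller records the final access decision cannot be seen here.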
@@ -0,0 +1,22 @@
+From 1a734af22a9f35a9a09edaea44a4e0767de6343b Mon Sep 17 00:00:00 2001
+From: Tobias Stoeckmann
+Date: Thu, 18 May 2023 17:55:21 +0200
+Subject: [PATCH] pam_shells: Plug econf memory leak
+
+Signed-off-by: Tobias Stoeckmann
+---
+ modules/pam_shells/pam_shells.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/modules/pam_shells/pam_shells.c b/modules/pam_shells/pam_shells.c
+index 05c09c656..276a56dd5 100644
+--- a/modules/pam_shells/pam_shells.c
++++ b/modules/pam_shells/pam_shells.c
+@@ -112,6 +112,7 @@ static int perform_check(pam_handle_t *pamh)
+ if (!retval)
+ break;
+ }
++ econf_free (keys);
+ econf_free (key_file);
+ #else
+ char shellFileLine[256];