diff --git a/Linux-PAM-1.6.1.tar.xz b/Linux-PAM-1.6.1.tar.xz
deleted file mode 100644
index 95fe0a8..0000000
--- a/Linux-PAM-1.6.1.tar.xz
+++ /dev/null
@@ -1,3 +0,0 @@
-version https://git-lfs.github.com/spec/v1
-oid sha256:f8923c740159052d719dbfc2a2f81942d68dd34fcaf61c706a02c9b80feeef8e
-size 1054152
diff --git a/Linux-PAM-1.6.1.tar.xz.asc b/Linux-PAM-1.6.1.tar.xz.asc
deleted file mode 100644
index 8cbfcb4..0000000
--- a/Linux-PAM-1.6.1.tar.xz.asc
+++ /dev/null
@@ -1,16 +0,0 @@
------BEGIN PGP SIGNATURE-----
-
-iQIcBAABCgAGBQJmFWt/AAoJEKgEH6g54W42NCwP/iWl8igdScTreVF6zV79Dqu1
-sl+ZjBr/dL+DOTcotsRnoAZUOy4ug3iktMZr1t0BMpWUorNmUofH4SZuhsX0CgRq
-47t5mVqCakwn4JLq8J9cLOciMno6ips5ZT4RbMgzRYd1WcBurCAxQSNLP3aQGgub
-RFObkqw5814ksz9Ge6QVhJ4l9P0wUoKfcpkzHj2Vq+cy0EzlBtnBGCHrMDgrz5aT
-mXqGVvWTPO+lR2S+7wOLUtPoRv0uvN6h97ZszaoGoJ6wa6yYwOYz12/AiIsVQhet
-cnr29ymuwPDqlrYGD1Hb0+ZUQExjVDQY90hdJ/ZntUlK7CY/2SotpDGB9kR8dTYJ
-fpIVmR6GEZ+xSjBqa7RaiL8ieZCgT3TIvsMqteiFkqI+2lhlSGHX3g3oNSd3sbqd
-PLok6W4L+xWDp89aMyYDDs/ISjBt5sSNK4NOOTZIMK4oeScGJJvrDL3S5DOSk1ku
-o3l9N62WStD7fk0LYnyUGZORg/ccK6Yy2fV22zBMm/76PoyA1yHfFxCW+HwwmcqR
-0riaFjA8cesZ3Dj79q24U3FRVdW5fTF9gS/5mK/Yj51KMMzTkUmbjksEC/AEBKzB
-9laXxPdIeKUwNlGs7Heo/NE87u4OZfyihwpzLaTcOzbpN3zDyH6aH5poDs1FSaQ2
-UoUkHsbCWJU/ksn/9BIQ
-=Dbz2
------END PGP SIGNATURE-----
diff --git a/Linux-PAM-1.7.0.tar.xz b/Linux-PAM-1.7.0.tar.xz
new file mode 100644
index 0000000..69dc2e3
--- /dev/null
+++ b/Linux-PAM-1.7.0.tar.xz
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:57dcd7a6b966ecd5bbd95e1d11173734691e16b68692fa59661cdae9b13b1697
+size 507824
diff --git a/Linux-PAM-1.7.0.tar.xz.asc b/Linux-PAM-1.7.0.tar.xz.asc
new file mode 100644
index 0000000..5fbbdaa
--- /dev/null
+++ b/Linux-PAM-1.7.0.tar.xz.asc
@@ -0,0 +1,16 @@
+-----BEGIN PGP SIGNATURE-----
+
+iQIcBAABCgAGBQJnGiIVAAoJEKgEH6g54W42kSsP/jsmwl1WMrtPlze2jtRZ1ZVD
+HvJPJMYNCeXKpXxSCL4rt97TeZKp+8WbrmrbG+zG8okIFDKl4rHuU9PpJocIpwDd
++zAD1GQOqeUz0AyPPXBmsMshmQ3z+l8W9ykR1WCFrceXRAswSgNEDEavluVP9EHG
+epFA/+t1BR8G3GV6LH9LhRkTOOsE8O30hTEHZp1vCrR+xKJo41ZTq+VVvU8KFUrC
+lPGH9pX1ioe5rlLfvKNJthUKVoaNyDXED2la9sJPdTmc5hDBGLIo5hnBpvOn8Zfp
+cfMoB3lFBy6MHF7tb4ZfDxgG44D/xIwXd7Zddc6HenJl/SUjucXFq1OXHcK+MhqO
+63zFAci8k7ywwPPoGBpHMYZ2czZx3jo++It80b2CBMYKzi9YMVmaq/toEtMyI+Og
+W3gh4EfHkN98GQz4XC9yO4fjIno1J/Bwni6HNXBaumbg6xIPRwvxcOCdXZBUjKrx
+mDljxQetZJGzURidA+2cdJsAu1o0PDtzPguabno4aW2GMV9tUF3Q3aF+NClg18uZ
++eXlGd/fsrLOIGfhYOpbFyIEE5h/dZq3vIj/NOVfKCsU0yajs6d3Zj2Y+2sxs7ob
+z9begFsadFZ6atqA77FL7i4781U2bTtqp8qsj9UXb+gJabqnQZ2k+qBXg4XtAWrn
+iJaal6uBXWOJG9BG5l8G
+=CVaC
+-----END PGP SIGNATURE-----
diff --git a/pam-bsc1194818-cursor-escape.patch b/pam-bsc1194818-cursor-escape.patch
deleted file mode 100644
index fbd27de..0000000
--- a/pam-bsc1194818-cursor-escape.patch
+++ /dev/null
@@ -1,36 +0,0 @@
-From 8ae228fa76ff9ef1d8d6b2199582d9206f1830c6 Mon Sep 17 00:00:00 2001
-From: Stanislav Brabec
-Date: Mon, 22 Jul 2024 23:18:16 +0200
-Subject: [PATCH] libpam_misc: Use ECHOCTL in the terminal input
-
-Use the canonical terminal mode (line mode) and set ECHOCTL to prevent
-cursor escape from the login prompt using arrows or escape sequences.
-
-ICANON is the default in most cases anyway. ECHOCTL is default on tty, but
-for example not on pty, allowing cursor to escape.
-
-Stanislav Brabec
----
- libpam_misc/misc_conv.c | 5 +++--
- 1 file changed, 3 insertions(+), 2 deletions(-)
-
-diff --git a/libpam_misc/misc_conv.c b/libpam_misc/misc_conv.c
-index 7410e929..6b839b48 100644
---- a/libpam_misc/misc_conv.c
-+++ b/libpam_misc/misc_conv.c
-@@ -145,9 +145,10 @@ static int read_string(int echo, const char *prompt, char **retstr)
- return -1;
- }
- memcpy(&term_tmp, &term_before, sizeof(term_tmp));
-- if (!echo) {
-+ if (echo)
-+ term_tmp.c_lflag |= ICANON | ECHOCTL;
-+ else
- term_tmp.c_lflag &= ~(ECHO);
-- }
- have_term = 1;
-
- /*
---
-2.45.2
-
diff --git a/pam.changes b/pam.changes
index c0863c9..0aaf97d 100644
--- a/pam.changes
+++ b/pam.changes
@@ -1,3 +1,21 @@
+-------------------------------------------------------------------
+Thu Oct 24 11:57:20 UTC 2024 - Thorsten Kukuk
+
+- Update to version 1.7.0
+ - build: changed build system from autotools to meson.
+ - libpam_misc: use ECHOCTL in the terminal input
+ - pam_access: support UID and GID in access.conf
+ - pam_env: install environment file in vendordir if vendordir is enabled
+ - pam_issue: only count class user if logind support is enabled
+ - pam_limits: use systemd-logind instead of utmp if logind support is enabled
+ - pam_unix: compare password hashes in constant time
+ - Multiple minor bug fixes, build fixes, portability fixes,
+ documentation improvements, and translation updates.
+- Drop upstream patches:
+ - pam-bsc1194818-cursor-escape.patch
+ - pam_limits-systemd.patch
+ - pam_issue-systemd.patch
+
-------------------------------------------------------------------
Thu Sep 12 07:50:55 UTC 2024 - Thorsten Kukuk
diff --git a/pam.spec b/pam.spec
index ea90976..51fefdb 100644
--- a/pam.spec
+++ b/pam.spec
@@ -36,10 +36,10 @@
%endif
%bcond_without selinux
-%bcond_with debug
%define flavor @BUILD_FLAVOR@%{nil}
+# List of config files for migration to /usr/etc
%define config_files pam.d/other pam.d/common-account pam.d/common-auth pam.d/common-password pam.d/common-session \\\
security/faillock.conf security/group.conf security/limits.conf security/pam_env.conf security/access.conf \\\
security/namespace.conf security/namespace.init security/sepermit.conf
@@ -64,14 +64,13 @@
%define libpamc_so_version 0.82.1
%if ! %{defined _distconfdir}
%define _distconfdir %{_sysconfdir}
- %define config_noreplace 1
%endif
#
%{load:%{_sourcedir}/macros.pam}
#
Name: pam%{name_suffix}
#
-Version: 1.6.1
+Version: 1.7.0
Release: 0
Summary: A Security Tool that Provides Authentication for Applications
License: GPL-2.0-or-later OR BSD-3-Clause
@@ -96,16 +95,10 @@ Source22: postlogin-account.pamd
Source23: postlogin-password.pamd
Source24: postlogin-session.pamd
Patch1: pam-limit-nproc.patch
-# https://github.com/linux-pam/linux-pam/pull/816
-Patch2: pam-bsc1194818-cursor-escape.patch
-# https://github.com/linux-pam/linux-pam/pull/826
-Patch3: pam_limits-systemd.patch
-# https://github.com/linux-pam/linux-pam/pull/825
-Patch4: pam_issue-systemd.patch
BuildRequires: audit-devel
BuildRequires: bison
BuildRequires: flex
-BuildRequires: libtool
+BuildRequires: meson >= 0.62.0
BuildRequires: xz
Requires(post): permissions
# All login.defs variables require support from shadow side.
@@ -149,9 +142,7 @@ username/password pair against values stored in a Berkeley DB database.
%package -n pam-extra
Summary: PAM module with extended dependencies
Group: System/Libraries
-#BuildRequires: pkgconfig(systemd)
-# The systemd-mini package does not pass configure checks
-BuildRequires: systemd-devel >= 254
+BuildRequires: pkgconfig(libsystemd) >= 254
BuildRequires: pam-devel
Provides: pam:%{_sbindir}/pam_timestamp_check
Provides: pam:%{_pam_moduledir}/pam_limits.so
@@ -217,32 +208,23 @@ cp -a %{SOURCE12} .
%build
bash ./pam-login_defs-check.sh
-export CFLAGS="%{optflags}"
-%if !%{with debug}
-CFLAGS="$CFLAGS -DNDEBUG"
-%endif
%if %{livepatchable}
CFLAGS="$CFLAGS -fpatchable-function-entry=16,14 -fdump-ipa-clones"
%endif
-autoreconf
-%configure \
- --includedir=%{_includedir}/security \
- --docdir=%{_docdir}/pam \
- --htmldir=%{_docdir}/pam/html \
- --pdfdir=%{_docdir}/pam/pdf \
- --enable-isadir=../..%{_pam_moduledir} \
- --enable-securedir=%{_pam_moduledir} \
- --enable-vendordir=%{_prefix}/etc \
-%if "%{flavor}" == "full"
- --enable-logind \
-%endif
- --disable-examples \
- --disable-nis \
-%if %{with debug}
- --enable-debug
-%endif
-%make_build
+%meson -Dvendordir=%{_distconfdir} \
+ -Ddocdir=%{_docdir}/pam \
+ -Dhtmldir=%{_docdir}/pam/html \
+ -Dpdfdir=%{_docdir}/pam/pdf \
+ -Dsecuredir=%{_pam_moduledir} \
+%if "%{flavor}" != "full"
+ -Dlogind=disabled \
+ -Dpam_userdb=disabled \
+ -Ddocs=disabled \
+%endif
+ -Dexamples=false \
+ -Dnis=disabled
+%meson_build
%if %{livepatchable}
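Review bot: The livepatchable branch now starts from an empty `$CFLAGS`: with `export CFLAGS="%{optflags}"` removed at the top of this hunk, `CFLAGS="$CFLAGS -fpatchable-function-entry=16,14 -fdump-ipa-clones"` assigns an unexported shell variable that no longer carries the distribution hardening flags, so depending on how `%meson` picks CFLAGS up that flavor is compiled either without `%{optflags}` or without the patchable-function-entry flags it relies on — either way the two are no longer combined as before. Making it explicit keeps both: `export CFLAGS="%{optflags} -fpatchable-function-entry=16,14 -fdump-ipa-clones"`. The dropped `-DNDEBUG` likewise has no counterpart among the new `%meson` options; if asserts are meant to stay compiled out of release builds, `-Db_ndebug=true` would restore that unless the `%meson` macro already sets it. The %build section continues past the end of the hunk.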
@@ -270,29 +252,19 @@ cp %{tar_package_name} %{_other}
%endif # livepatchable
-gcc -fwhole-program -fpie -pie -D_FILE_OFFSET_BITS=64 -D_GNU_SOURCE %{optflags} -I%{_builddir}/Linux-PAM-%{version}/libpam/include %{SOURCE10} -o %{_builddir}/unix2_chkpwd -L%{_builddir}/Linux-PAM-%{version}/libpam/.libs -lpam
+gcc -fwhole-program -fpie -pie -D_FILE_OFFSET_BITS=64 -D_GNU_SOURCE %{optflags} -I%{_builddir}/Linux-PAM-%{version}/libpam/include %{SOURCE10} -o %{_builddir}/unix2_chkpwd -L%{_builddir}/Linux-PAM-%{version}/%{_target_platform}/libpam -lpam
%if %{build_main}
%check
-%make_build check
+%meson_test
%endif
%install
+%meson_install
+
mkdir -p %{buildroot}%{_pam_confdir}
mkdir -p %{buildroot}%{_pam_vendordir}
-mkdir -p %{buildroot}%{_includedir}/security
-mkdir -p %{buildroot}%{_pam_moduledir}
-mkdir -p %{buildroot}/sbin
-mkdir -p -m 755 %{buildroot}%{_libdir}
-# For compat reasons
-mkdir -p %{buildroot}%{_distconfdir}/pam.d
-%make_install
-/sbin/ldconfig -n %{buildroot}%{_libdir}
-# Install documentation
-%make_install -C doc
-# install /etc/security/namespace.d used by pam_namespace.so for namespace.conf iscript
-install -d %{buildroot}%{_pam_secconfdir}/namespace.d
# install other.pamd and common-*.pamd
install -m 644 %{SOURCE3} %{buildroot}%{_pam_vendordir}/other
install -m 644 %{SOURCE4} %{buildroot}%{_pam_vendordir}/common-auth
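Review bot: The `-L` path in the new `gcc` line for unix2_chkpwd hard-codes `%{_target_platform}` as the meson build directory, while the README copy in the next hunk refers to the same directory as `%{_vpath_builddir}`; if the two macros ever differ, the nonexistent `-L` directory is silently ignored and `-lpam` would most likely resolve to the installed system libpam instead of the freshly built one. Use the same macro in both places: `-L%{_builddir}/Linux-PAM-%{version}/%{_vpath_builddir}/libpam -lpam`. As far as I can tell `%meson` itself builds in `%{_vpath_builddir}`, so that is the value to key on.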
@@ -304,21 +276,14 @@ install -m 644 %{SOURCE21} %{buildroot}%{_pam_vendordir}/postlogin-auth
install -m 644 %{SOURCE22} %{buildroot}%{_pam_vendordir}/postlogin-account
install -m 644 %{SOURCE23} %{buildroot}%{_pam_vendordir}/postlogin-password
install -m 644 %{SOURCE24} %{buildroot}%{_pam_vendordir}/postlogin-session
-mkdir -p %{buildroot}%{_prefix}/lib/motd.d
-#
-# Remove crap
-#
-find %{buildroot} -type f -name "*.la" -delete -print
#
# Install READMEs of PAM modules
#
DOC=%{buildroot}%{_defaultdocdir}/pam
+%if "%{flavor}" == "full"
mkdir -p $DOC/modules
-pushd modules
-for i in pam_*/README; do
- cp -fpv "$i" "$DOC/modules/README.${i%/*}"
-done
-popd
+cp -fpv %{_vpath_builddir}/modules/pam_*/pam_*.txt "$DOC/modules/"
+%endif
# Install unix2_chkpwd
install -m 755 %{_builddir}/unix2_chkpwd %{buildroot}%{_sbindir}
@@ -328,7 +293,6 @@ install -D -m 644 %{SOURCE2} %{buildroot}%{_rpmmacrodir}/macros.pam
install -Dm0644 %{SOURCE13} %{buildroot}%{_tmpfilesdir}/pam.conf
mkdir -p %{buildroot}%{_pam_secdistconfdir}/{limits.d,namespace.d}
-mv %{buildroot}%{_sysconfdir}/environment %{buildroot}%{_distconfdir}/environment
# Remove manual pages for main package
%if !%{build_doc}
@@ -380,23 +344,13 @@ done
%files -f Linux-PAM.lang
%doc NEWS
%license COPYING
-%exclude %{_defaultdocdir}/pam/html
-%exclude %{_defaultdocdir}/pam/modules
-%exclude %{_defaultdocdir}/pam/pdf
-%exclude %{_defaultdocdir}/pam/*.txt
%dir %{_pam_confdir}
%dir %{_pam_vendordir}
%dir %{_pam_secconfdir}
%dir %{_pam_secdistconfdir}
-%dir %{_prefix}/lib/motd.d
-%if %{defined config_noreplace}
-%config(noreplace) %{_pam_confdir}/other
-%config(noreplace) %{_pam_confdir}/common-*
-%else
%{_pam_vendordir}/other
%{_pam_vendordir}/common-*
%{_pam_vendordir}/postlogin-*
-%endif
%{_distconfdir}/environment
%{_pam_secdistconfdir}/access.conf
%{_pam_secdistconfdir}/group.conf
diff --git a/pam_issue-systemd.patch b/pam_issue-systemd.patch
deleted file mode 100644
index 40e3bfb..0000000
--- a/pam_issue-systemd.patch
+++ /dev/null
@@ -1,51 +0,0 @@
-From 8401cef10cd5f62849c5fcfef4c82db92712296c Mon Sep 17 00:00:00 2001
-From: Thorsten Kukuk
-Date: Wed, 4 Sep 2024 16:07:56 +0200
-Subject: [PATCH] pam_issue: only count class user
-
-Since systemd added new types of classes (e.g. manager*), we cannot
-use the count of all sessions anymore, but have to check which class
-this is.
-
-This is backward compatible, systemd v209 or newer is required.
----
- modules/pam_issue/pam_issue.c | 20 +++++++++++++++++++-
- 1 file changed, 19 insertions(+), 1 deletion(-)
-
-diff --git a/modules/pam_issue/pam_issue.c b/modules/pam_issue/pam_issue.c
-index aade642ec5..e2c555c405 100644
---- a/modules/pam_issue/pam_issue.c
-+++ b/modules/pam_issue/pam_issue.c
-@@ -165,13 +165,31 @@ read_issue_quoted(pam_handle_t *pamh, FILE *fp, char **prompt)
- {
- unsigned int users = 0;
- #ifdef USE_LOGIND
-- int sessions = sd_get_sessions(NULL);
-+ char **sessions_list;
-+ int sessions = sd_get_sessions(&sessions_list);
-
- if (sessions < 0) {
- pam_syslog(pamh, LOG_ERR, "logind error: %s",
- strerror(-sessions));
- _pam_drop(issue);
- return PAM_SERVICE_ERR;
-+ } else if (sessions > 0 && sessions_list != NULL) {
-+ int i;
-+
-+ for (i = 0; i < sessions; i++) {
-+ char *class;
-+
-+ if (sd_session_get_class(sessions_list[i], &class) < 0 || class == NULL)
-+ continue;
-+
-+ if (strncmp(class, "user", 4) == 0) // user, user-early, user-incomplete
-+ users++;
-+ free(class);
-+ }
-+
-+ for (i = 0; i < sessions; i++)
-+ free(sessions_list[i]);
-+ free(sessions_list);
- } else {
- users = sessions;
- }
diff --git a/pam_limits-systemd.patch b/pam_limits-systemd.patch
deleted file mode 100644
index 3934ba9..0000000
--- a/pam_limits-systemd.patch
+++ /dev/null
@@ -1,157 +0,0 @@
-From 12bb33b56dee6d6b05200d4b776c7e6de3d0df91 Mon Sep 17 00:00:00 2001
-From: Thorsten Kukuk
-Date: Fri, 6 Sep 2024 11:55:46 +0200
-Subject: [PATCH] pam_limits: use systemd-logind instead of utmp (#822)
-
-The utmp database is unreliable for counting logged in users, since
-there is no standard which defines who should create an entry at which
-time for which reason. And it has a Y2038 problem with glibc/x86-64.
-Query systemd-logind for the number of user sessions instead.
----
- modules/pam_limits/Makefile.am | 4 +-
- modules/pam_limits/pam_limits.c | 81 +++++++++++++++++++++++++++++++--
- 2 files changed, 80 insertions(+), 5 deletions(-)
-
-diff --git a/modules/pam_limits/Makefile.am b/modules/pam_limits/Makefile.am
-index ab3cf33ed..3f64d79bb 100644
---- a/modules/pam_limits/Makefile.am
-+++ b/modules/pam_limits/Makefile.am
-@@ -24,7 +24,7 @@ limits_conf_dir = $(SCONFIGDIR)/limits.d
-
- AM_CFLAGS = -I$(top_srcdir)/libpam/include \
- -DLIMITS_FILE_DIR=\"$(limits_conf_dir)\" \
-- $(WARN_CFLAGS)
-+ $(LOGIND_CFLAGS) $(WARN_CFLAGS)
- AM_LDFLAGS = -no-undefined -avoid-version -module
- if HAVE_VERSIONING
- AM_LDFLAGS += -Wl,--version-script=$(srcdir)/../modules.map
-@@ -32,7 +32,7 @@ endif
-
- securelib_LTLIBRARIES = pam_limits.la
- pam_limits_la_LIBADD = $(top_builddir)/libpam_internal/libpam_internal.la \
-- $(top_builddir)/libpam/libpam.la
-+ $(top_builddir)/libpam/libpam.la $(SYSTEMD_LIBS)
-
- dist_secureconf_DATA = limits.conf
-
-diff --git a/modules/pam_limits/pam_limits.c b/modules/pam_limits/pam_limits.c
-index 75c584fca..1e4dfa3d0 100644
---- a/modules/pam_limits/pam_limits.c
-+++ b/modules/pam_limits/pam_limits.c
-@@ -36,7 +36,12 @@
- #include
- #include
- #include
-+#ifdef USE_LOGIND
-+#include
-+#else
- #include
-+#endif
-+
- #ifndef UT_USER /* some systems have ut_name instead of ut_user */
- #define UT_USER ut_user
- #endif
-@@ -240,7 +245,6 @@ static int
- check_logins (pam_handle_t *pamh, const char *name, int limit, int ctrl,
struct pam_limit_s *pl)
- {
-- struct utmp *ut;
- int count;
-
- if (ctrl & PAM_DEBUG_ARG) {
-@@ -255,8 +259,6 @@ check_logins (pam_handle_t *pamh, const char *name, int limit, int ctrl,
- return LOGIN_ERR;
- }
-
-- setutent();
--
- /* Because there is no definition about when an application
- actually adds a utmp entry, some applications bizarrely do the
- utmp call before the have PAM authenticate them to the system:
-@@ -273,6 +275,78 @@ check_logins (pam_handle_t *pamh, const char *name, int limit, int ctrl,
- count = 1;
- }
-
-+#ifdef USE_LOGIND
-+ char **sessions_list;
-+ int sessions = sd_get_sessions(&sessions_list);
-+
-+ /* maxlogins needs to be 2 with systemd-logind because
-+ of the systemd --user process started with first login by
-+ pam_systemd.
-+ Which is also calling pam_limits, but in this very first special
-+ case the session does already exist and is counted twice.
-+ With start of the second session, session manager is already running
-+ and no longer counted. */
-+ if (limit == 1) {
-+ pam_syslog(pamh, LOG_WARNING, "Maxlogin limit needs to be 2 or higher with systemd-logind");
-+ return LIMIT_ERR;
-+ }
-+
-+ if (sessions < 0) {
-+ pam_syslog(pamh, LOG_ERR, "logind error getting session list: %s",
-+ strerror(-sessions));
-+ return LIMIT_ERR;
-+ } else if (sessions > 0 && sessions_list != NULL && !pl->flag_numsyslogins) {
-+ int i;
-+
-+ for (i = 0; i < sessions; i++) {
-+ char *user = NULL;
-+ char *class = NULL;
-+
-+ if (sd_session_get_class(sessions_list[i], &class) < 0 || class == NULL)
-+ continue;
-+
-+ if (strncmp(class, "user", 4) != 0) { /* user, user-early, user-incomplete */
-+ free (class);
-+ continue;
-+ }
-+ free (class);
-+
-+ if (sd_session_get_username(sessions_list[i], &user) < 0 || user == NULL) {
-+ pam_syslog(pamh, LOG_ERR, "logind error getting username: %s",
-+ strerror(-sessions));
-+ return LIMIT_ERR;
-+ }
-+
-+ if (((pl->login_limit_def == LIMITS_DEF_USER)
-+ || (pl->login_limit_def == LIMITS_DEF_GROUP)
-+ ||
(pl->login_limit_def == LIMITS_DEF_DEFAULT))
-+ && strcmp(name, user) != 0) {
-+ free(user);
-+ continue;
-+ }
-+ if ((pl->login_limit_def == LIMITS_DEF_ALLGROUP)
-+ && pl->login_group != NULL
-+ && !pam_modutil_user_in_group_nam_nam(pamh, user, pl->login_group)) {
-+ free(user);
-+ continue;
-+ }
-+ free(user);
-+
-+ if (++count > limit) {
-+ break;
-+ }
-+ }
-+ for (i = 0; i < sessions; i++)
-+ free(sessions_list[i]);
-+ free(sessions_list);
-+ } else {
-+ count = sessions;
-+ }
-+#else
-+ struct utmp *ut;
-+
-+ setutent();
-+
- while((ut = getutent())) {
- #ifdef USER_PROCESS
- if (ut->ut_type != USER_PROCESS) {
-@@ -311,6 +385,7 @@ check_logins (pam_handle_t *pamh, const char *name, int limit, int ctrl,
- }
- }
- endutent();
-+#endif
- if (count > limit) {
- if (name) {
- pam_syslog(pamh, LOG_NOTICE,