diff --git a/pam.changes b/pam.changes index 3e620d5..9e67946 100644 --- a/pam.changes +++ b/pam.changes @@ -1,3 +1,11 @@ +------------------------------------------------------------------- +Tue Feb 5 14:09:06 CET 2013 - kukuk@suse.de + +- Adjust URL +- Add set_permission macro and PreReq +- Read default encryption method from /etc/login.defs + (pam_unix-login.defs.diff) + ------------------------------------------------------------------- Fri Jan 25 13:49:36 UTC 2013 - kukuk@suse.com diff --git a/pam.spec b/pam.spec index ba9c688..805c238 100644 --- a/pam.spec +++ b/pam.spec @@ -20,7 +20,7 @@ %define enable_selinux 1 Name: pam -Url: http://fedorahosted.org/linux-pam/ +Url: http://www.linux-pam.org/ BuildRequires: audit-devel BuildRequires: bison BuildRequires: cracklib-devel @@ -35,18 +35,14 @@ BuildRequires: automake %define libpam_so_version 0.83.1 %define libpam_misc_so_version 0.82.0 %define libpamc_so_version 0.82.1 -# bug437293 -%ifarch ppc64 -Obsoletes: pam-64bit -%endif -# + Version: 1.1.6 Release: 0 Summary: A Security Tool that Provides Authentication for Applications License: GPL-2.0+ or BSD-3-Clause Group: System/Libraries +PreReq: permissions -###DL-URL: http://www.kernel.org/pub/linux/libs/pam/library/ #DL-URL: https://fedorahosted.org/releases/l/i/linux-pam/ Source: Linux-PAM-%{version}.tar.bz2 Source1: Linux-PAM-%{version}-docs.tar.bz2 @@ -61,6 +57,7 @@ Source9: baselibs.conf Patch0: pam_tally-deprecated.diff Patch1: pam-fix-includes.patch Patch2: missing-DESTDIR.diff +Patch3: pam_unix-login.defs.diff BuildRoot: %{_tmppath}/%{name}-%{version}-build %description @@ -91,11 +88,6 @@ Summary: Include Files and Libraries for PAM-Development Group: Development/Libraries/C and C++ Requires: glibc-devel Requires: pam = %{version} -# bug437293 -%ifarch ppc64 -Obsoletes: pam-devel-64bit -%endif -# %description devel PAM (Pluggable Authentication Modules) is a system security tool which @@ -112,6 +104,7 @@ building both PAM-aware applications and modules for use with PAM. %patch0 -p0 %patch1 -p0 %patch2 -p1 +%patch3 -p0 %build autoreconf @@ -194,7 +187,9 @@ install -m 644 NEWS COPYING $DOC %verifyscript %verify_permissions -e /sbin/unix_chkpwd -%post -p /sbin/ldconfig +%post +/sbin/ldconfig +%set_permissions /sbin/unix_chkpwd %postun -p /sbin/ldconfig diff --git a/pam_unix-login.defs.diff b/pam_unix-login.defs.diff new file mode 100644 index 0000000..b13e1ab --- /dev/null +++ b/pam_unix-login.defs.diff @@ -0,0 +1,164 @@ +2013-02-05 Thorsten Kukuk + +Use hash from /etc/login.defs as default if no +other one is specified as argument. + +* modules/pam_unix/support.c: Add search_key, call from __set_ctrl +* modules/pam_unix/support.h: Add define for /etc/login.defs +* modules/pam_unix/pam_unix.8.xml: Document new behavior. + +--- modules/pam_unix/support.c ++++ modules/pam_unix/support.c +@@ -37,6 +37,76 @@ + #define SELINUX_ENABLED 0 + #endif + ++static char * ++search_key (const char *filename) ++{ ++ FILE *fp; ++ char *buf = NULL; ++ size_t buflen = 0; ++ char *retval = NULL; ++ ++ fp = fopen (filename, "r"); ++ if (NULL == fp) ++ return NULL; ++ ++ while (!feof (fp)) ++ { ++ char *tmp, *cp; ++#if defined(HAVE_GETLINE) ++ ssize_t n = getline (&buf, &buflen, fp); ++#elif defined (HAVE_GETDELIM) ++ ssize_t n = getdelim (&buf, &buflen, '\n', fp); ++#else ++ ssize_t n; ++ ++ if (buf == NULL) ++ { ++ buflen = BUF_SIZE; ++ buf = malloc (buflen); ++ } ++ buf[0] = '\0'; ++ if (fgets (buf, buflen - 1, fp) == NULL) ++ break; ++ else if (buf != NULL) ++ n = strlen (buf); ++ else ++ n = 0; ++#endif /* HAVE_GETLINE / HAVE_GETDELIM */ ++ cp = buf; ++ ++ if (n < 1) ++ break; ++ ++ tmp = strchr (cp, '#'); /* remove comments */ ++ if (tmp) ++ *tmp = '\0'; ++ while (isspace ((int)*cp)) /* remove spaces and tabs */ ++ ++cp; ++ if (*cp == '\0') /* ignore empty lines */ ++ continue; ++ ++ if (cp[strlen (cp) - 1] == '\n') ++ cp[strlen (cp) - 1] = '\0'; ++ ++ tmp = strsep (&cp, " \t="); ++ if (cp != NULL) ++ while (isspace ((int)*cp) || *cp == '=') ++ ++cp; ++ ++ if (strcasecmp (tmp, "ENCRYPT_METHOD") == 0) ++ { ++ retval = strdup (cp); ++ break; ++ } ++ } ++ fclose (fp); ++ ++ free (buf); ++ ++ return retval; ++} ++ ++ + /* this is a front-end for module-application conversations */ + + int _make_remark(pam_handle_t * pamh, unsigned int ctrl, +@@ -58,6 +128,8 @@ int _set_ctrl(pam_handle_t *pamh, int flags, int *remember, int *rounds, + int *pass_min_len, int argc, const char **argv) + { + unsigned int ctrl; ++ char *val; ++ int j; + + D(("called.")); + +@@ -81,10 +153,27 @@ int _set_ctrl(pam_handle_t *pamh, int flags, int *remember, int *rounds, + D(("SILENT")); + set(UNIX__QUIET, ctrl); + } ++ ++ /* preset encryption method with value from /etc/login.defs */ ++ val = search_key (LOGIN_DEFS); ++ if (val) { ++ for (j = 0; j < UNIX_CTRLS_; ++j) { ++ if (unix_args[j].token ++ && !strncasecmp(val, unix_args[j].token, strlen(unix_args[j].token))) { ++ break; ++ } ++ } ++ if (j >= UNIX_CTRLS_) { ++ pam_syslog(pamh, LOG_WARNING, "unrecognized ENCRYPTION_METHOD value [%s]", val); ++ } else { ++ ctrl &= unix_args[j].mask; /* for turning things off */ ++ ctrl |= unix_args[j].flag; /* for turning things on */ ++ } ++ } ++ + /* now parse the arguments to this module */ + + for (; argc-- > 0; ++argv) { +- int j; + + D(("pam_unix arg: %s", *argv)); + +--- modules/pam_unix/support.h ++++ modules/pam_unix/support.h +@@ -8,6 +8,12 @@ + #include + + /* ++ * File to read value of ENCRYPT_METHOD from. ++ */ ++#define LOGIN_DEFS "/etc/login.defs" ++ ++ ++/* + * here is the string to inform the user that the new passwords they + * typed were not the same. + */ +--- modules/pam_unix/pam_unix.8.xml ++++ modules/pam_unix/pam_unix.8.xml +@@ -81,7 +81,9 @@ + + + The password component of this module performs the task of updating +- the user's password. ++ the user's password. The default encryption hash is taken from the ++ ENCYPTION_METHOD variable from ++ /etc/login.defs + + + +@@ -393,6 +395,9 @@ session required pam_unix.so + SEE ALSO + + ++ login.defs5 ++ , ++ + pam.conf5 + , +