diff --git a/Linux-PAM-1.1.6-docs.tar.bz2 b/Linux-PAM-1.1.6-docs.tar.bz2
deleted file mode 100644
index e8d827a..0000000
--- a/Linux-PAM-1.1.6-docs.tar.bz2
+++ /dev/null
@@ -1,3 +0,0 @@
-version https://git-lfs.github.com/spec/v1
-oid sha256:0244321b1c4b8a71064d984880566890cc809b1c77bdd0550f121fa7d8450497
-size 147359
diff --git a/Linux-PAM-1.1.6.tar.bz2 b/Linux-PAM-1.1.6.tar.bz2
deleted file mode 100644
index 0b4e759..0000000
--- a/Linux-PAM-1.1.6.tar.bz2
+++ /dev/null
@@ -1,3 +0,0 @@
-version https://git-lfs.github.com/spec/v1
-oid sha256:bab887d6280f47fc3963df3b95735a27a16f0f663636163ddf3acab5f1149fc2
-size 1147538
diff --git a/Linux-PAM-1.1.7-docs.tar.bz2 b/Linux-PAM-1.1.7-docs.tar.bz2
new file mode 100644
index 0000000..411e830
--- /dev/null
+++ b/Linux-PAM-1.1.7-docs.tar.bz2
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:4b0d4824888c509214a216487caa636ee8a456268b3a51f7ba7920175e9ac24d
+size 147833
diff --git a/Linux-PAM-1.1.7.tar.bz2 b/Linux-PAM-1.1.7.tar.bz2
new file mode 100644
index 0000000..19330d7
--- /dev/null
+++ b/Linux-PAM-1.1.7.tar.bz2
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:7fef52d86f16f8b39b13211dc3092b8eeb5bc2890e64e64cb7731629c6438e63
+size 1149359
diff --git a/fix-compiler-warnings.diff b/fix-compiler-warnings.diff
new file mode 100644
index 0000000..7c817de
--- /dev/null
+++ b/fix-compiler-warnings.diff
@@ -0,0 +1,41 @@
+--- modules/pam_unix/pam_unix_acct.c
++++ modules/pam_unix/pam_unix_acct.c 2013/09/12 07:19:05
+@@ -121,7 +121,12 @@
+ if (geteuid() == 0) {
+ /* must set the real uid to 0 so the helper will not error
+ out if pam is called from setuid binary (su, sudo...) */
+- setuid(0);
++ if (setuid(0) == -1) {
++ pam_syslog(pamh, LOG_ERR, "setuid failed: %m");
++ printf("-1\n");
++ fflush(stdout);
++ _exit(PAM_AUTHINFO_UNAVAIL);
++ }
+ }
+
+ /* exec binary helper */
+--- modules/pam_unix/pam_unix_passwd.c
++++ modules/pam_unix/pam_unix_passwd.c 2013/09/12 07:24:40
+@@ -255,7 +255,7 @@
+ close(fds[0]); /* close here to avoid possible SIGPIPE above */
+ close(fds[1]);
+ /* wait for helper to complete: */
+- while ((rc=waitpid(child, &retval, 0) < 0 && errno == EINTR);
++ while ((rc=waitpid(child, &retval, 0) < 0) && errno == EINTR);
+ if (rc<0) {
+ pam_syslog(pamh, LOG_ERR, "unix_update waitpid failed: %m");
+ retval = PAM_AUTHTOK_ERR;
+--- modules/pam_unix/support.c
++++ modules/pam_unix/support.c 2013/09/12 07:20:51
+@@ -586,7 +586,10 @@
+ if (geteuid() == 0) {
+ /* must set the real uid to 0 so the helper will not error
+ out if pam is called from setuid binary (su, sudo...) */
+- setuid(0);
++ if (setuid(0) == -1) {
++ D(("setuid failed"));
++ _exit(PAM_AUTHINFO_UNAVAIL);
++ }
+ }
+
+ /* exec binary helper */
diff --git a/missing-DESTDIR.diff b/missing-DESTDIR.diff
deleted file mode 100644
index 4ec7bf4..0000000
--- a/missing-DESTDIR.diff
+++ /dev/null
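Review bot: In the pam_unix_passwd.c part of this added patch the rewritten loop still assigns the comparison to `rc`: in `(rc=waitpid(child, &retval, 0) < 0)` the `<` binds before `=`, so `rc` is only ever 0 or 1 and the `if (rc<0)` branch that logs the failure and sets `PAM_AUTHTOK_ERR` cannot run. A failed wait on the unix_update helper would then fall through with whatever `retval` holds. The assignment should be parenthesised on its own, `while ((rc = waitpid(child, &retval, 0)) < 0 && errno == EINTR);`. Separately, the support.c part reports a failed `setuid(0)` only through `D((...))`, which presumably compiles to nothing in non-debug builds; if `pamh` is in scope there, `pam_syslog(pamh, LOG_ERR, "setuid failed: %m");` as in pam_unix_acct.c would leave a trace in the logs. All three enclosing functions start and end outside the quoted hunks.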
@@ -1,38 +0,0 @@
-From d7e6b921cd34f7ad8fc4d05065c75d13ba330896 Mon Sep 17 00:00:00 2001
-From: Tomas Mraz
-Date: Fri, 17 Aug 2012 12:46:40 +0000
-Subject: Add missing $(DESTDIR) when making directories on install.
-
-modules/pam_namespace/Makefile.am: Add missing $(DESTDIR) when making
-$(namespaceddir) on install.
-modules/pam_sepermit/Makefile.am: Add missing $(DESTDIR) when making
-$(sepermitlockdir) on install.
----
-diff --git a/modules/pam_namespace/Makefile.am b/modules/pam_namespace/Makefile.am
-index a28f196..ebb00f3 100644
---- a/modules/pam_namespace/Makefile.am
-+++ b/modules/pam_namespace/Makefile.am
-@@ -40,7 +40,7 @@ if HAVE_UNSHARE
- secureconf_SCRIPTS = namespace.init
-
- install-data-local:
-- mkdir -p $(namespaceddir)
-+ mkdir -p $(DESTDIR)$(namespaceddir)
- endif
-
-
-diff --git a/modules/pam_sepermit/Makefile.am b/modules/pam_sepermit/Makefile.am
-index cfc5594..bc82275 100644
---- a/modules/pam_sepermit/Makefile.am
-+++ b/modules/pam_sepermit/Makefile.am
-@@ -35,7 +35,7 @@ if HAVE_LIBSELINUX
- securelib_LTLIBRARIES = pam_sepermit.la
-
- install-data-local:
-- mkdir -p $(sepermitlockdir)
-+ mkdir -p $(DESTDIR)$(sepermitlockdir)
- endif
- if ENABLE_REGENERATE_MAN
- noinst_DATA = README pam_sepermit.8 sepermit.conf.5
---
-cgit v0.9.0.2
diff --git a/pam-fix-includes.patch b/pam-fix-includes.patch
deleted file mode 100644
index 9cc771e..0000000
--- a/pam-fix-includes.patch
+++ /dev/null
@@ -1,10 +0,0 @@
---- modules/pam_unix/pam_unix_passwd.c
-+++ modules/pam_unix/pam_unix_passwd.c
-@@ -54,6 +54,7 @@
- #include
- #include
- #include
-+#include
-
- #include
- #include
diff --git a/pam.changes b/pam.changes
index bb5fd56..d01ccbe 100644
--- a/pam.changes
+++ b/pam.changes
@@ -1,3 +1,15 @@ +------------------------------------------------------------------- +Thu Sep 12 10:05:53 CEST 2013 - kukuk@suse.de + +- Remove pam_unix-login.defs.diff, not needed anymore + +------------------------------------------------------------------- +Thu Sep 12 09:47:52 CEST 2013 - kukuk@suse.de + +- Update to version 1.1.7 (bugfix release) + - Drop missing-DESTDIR.diff and pam-fix-includes.patch + - fix-compiler-warnings.diff: fix unchecked setuid return code + ------------------------------------------------------------------- Tue Aug 6 10:30:13 CEST 2013 - mc@suse.de diff --git a/pam.spec b/pam.spec index 2b24df7..23ea606 100644 --- a/pam.spec +++ b/pam.spec @@ -30,14 +30,11 @@ BuildRequires: pkgconfig(libtirpc) %if %{enable_selinux} BuildRequires: libselinux-devel %endif -BuildRequires: autoconf -BuildRequires: automake -BuildRequires: libtool %define libpam_so_version 0.83.1 %define libpam_misc_so_version 0.82.0 %define libpamc_so_version 0.82.1 - -Version: 1.1.6 +# +Version: 1.1.7 Release: 0 Summary: A Security Tool that Provides Authentication for Applications License: GPL-2.0+ or BSD-3-Clause @@ -56,9 +53,7 @@ Source7: common-session.pamd Source8: etc.environment Source9: baselibs.conf Patch0: pam_tally-deprecated.diff -Patch1: pam-fix-includes.patch -Patch2: missing-DESTDIR.diff -Patch3: pam_unix-login.defs.diff +Patch1: fix-compiler-warnings.diff BuildRoot: %{_tmppath}/%{name}-%{version}-build %description @@ -104,11 +99,8 @@ building both PAM-aware applications and modules for use with PAM. %setup -q -n Linux-PAM-%{version} -b 1 %patch0 -p0 %patch1 -p0 -%patch2 -p1 -%patch3 -p1 %build -autoreconf -i export CFLAGS="%optflags -DNDEBUG" %configure \ --sbindir=/sbin \ diff --git a/pam_unix-login.defs.diff b/pam_unix-login.defs.diff deleted file mode 100644 index 613683a..0000000 --- a/pam_unix-login.defs.diff +++ /dev/null 
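Review bot: Dropping `Patch3: pam_unix-login.defs.diff` and its `%patch3 -p1` in pam.spec removes the code that preset pam_unix's password hash from `ENCRYPT_METHOD` in /etc/login.defs, and nothing visible in this commit shows that 1.1.7 carries an equivalent. The changelog entry says only "not needed anymore"; if upstream does not read that key, new passwords would presumably be hashed with the module's built-in default unless the shipped PAM configuration names an algorithm explicitly. It is worth confirming this against the 1.1.7 sources and recording the reason in pam.changes, for example `- Remove pam_unix-login.defs.diff, included upstream`.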
@@ -1,196 +0,0 @@ -Use hash from /etc/login.defs as default if no -other one is specified as argument. - -* modules/pam_unix/support.c: Add search_key, call from __set_ctrl -* modules/pam_unix/support.h: Add define for /etc/login.defs -* modules/pam_unix/pam_unix.8.xml: Document new behavior. -* modules/pam_umask/pam_umask.c: Add missing NULL pointer check - -diff --git a/modules/pam_umask/pam_umask.c b/modules/pam_umask/pam_umask.c -index 6d2ec1a..863f038 100644 ---- a/modules/pam_umask/pam_umask.c -+++ b/modules/pam_umask/pam_umask.c -@@ -1,5 +1,5 @@ - /* -- * Copyright (c) 2005, 2006, 2007, 2010 Thorsten Kukuk -+ * Copyright (c) 2005, 2006, 2007, 2010, 2013 Thorsten Kukuk - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions -@@ -112,6 +112,10 @@ search_key (const char *filename) - { - buflen = BUF_SIZE; - buf = malloc (buflen); -+ if (buf == NULL) { -+ fclose (fp); -+ return NULL; -+ } - } - buf[0] = '\0'; - if (fgets (buf, buflen - 1, fp) == NULL) -diff --git a/modules/pam_unix/pam_unix.8.xml b/modules/pam_unix/pam_unix.8.xml -index 0a42d7a..9ce084e 100644 ---- a/modules/pam_unix/pam_unix.8.xml -+++ b/modules/pam_unix/pam_unix.8.xml -@@ -81,7 +81,9 @@ - - - The password component of this module performs the task of updating -- the user's password. -+ the user's password. 
The default encryption hash is taken from the -+ ENCRYPT_METHOD variable from -+ /etc/login.defs - - - -@@ -393,6 +395,9 @@ session required pam_unix.so - SEE ALSO - - -+ login.defs5 -+ , -+ - pam.conf5 - , - -diff --git a/modules/pam_unix/support.c b/modules/pam_unix/support.c -index ab04535..527c380 100644 ---- a/modules/pam_unix/support.c -+++ b/modules/pam_unix/support.c -@@ -37,6 +37,80 @@ - #define SELINUX_ENABLED 0 - #endif - -+static char * -+search_key (const char *filename) -+{ -+ FILE *fp; -+ char *buf = NULL; -+ size_t buflen = 0; -+ char *retval = NULL; -+ -+ fp = fopen (filename, "r"); -+ if (NULL == fp) -+ return NULL; -+ -+ while (!feof (fp)) -+ { -+ char *tmp, *cp; -+#if defined(HAVE_GETLINE) -+ ssize_t n = getline (&buf, &buflen, fp); -+#elif defined (HAVE_GETDELIM) -+ ssize_t n = getdelim (&buf, &buflen, '\n', fp); -+#else -+ ssize_t n; -+ -+ if (buf == NULL) -+ { -+ buflen = BUF_SIZE; -+ buf = malloc (buflen); -+ if (buf == NULL) { -+ fclose (fp); -+ return NULL; -+ } -+ } -+ buf[0] = '\0'; -+ if (fgets (buf, buflen - 1, fp) == NULL) -+ break; -+ else if (buf != NULL) -+ n = strlen (buf); -+ else -+ n = 0; -+#endif /* HAVE_GETLINE / HAVE_GETDELIM */ -+ cp = buf; -+ -+ if (n < 1) -+ break; -+ -+ tmp = strchr (cp, '#'); /* remove comments */ -+ if (tmp) -+ *tmp = '\0'; -+ while (isspace ((int)*cp)) /* remove spaces and tabs */ -+ ++cp; -+ if (*cp == '\0') /* ignore empty lines */ -+ continue; -+ -+ if (cp[strlen (cp) - 1] == '\n') -+ cp[strlen (cp) - 1] = '\0'; -+ -+ tmp = strsep (&cp, " \t="); -+ if (cp != NULL) -+ while (isspace ((int)*cp) || *cp == '=') -+ ++cp; -+ -+ if (strcasecmp (tmp, "ENCRYPT_METHOD") == 0) -+ { -+ retval = strdup (cp); -+ break; -+ } -+ } -+ fclose (fp); -+ -+ free (buf); -+ -+ return retval; -+} -+ -+ - /* this is a front-end for module-application conversations */ - - int _make_remark(pam_handle_t * pamh, unsigned int ctrl, -@@ -58,6 +132,8 @@ int _set_ctrl(pam_handle_t *pamh, int flags, int *remember, int *rounds, - 
int *pass_min_len, int argc, const char **argv) - { - unsigned int ctrl; -+ char *val; -+ int j; - - D(("called.")); - -@@ -81,10 +157,28 @@ int _set_ctrl(pam_handle_t *pamh, int flags, int *remember, int *rounds, - D(("SILENT")); - set(UNIX__QUIET, ctrl); - } -+ -+ /* preset encryption method with value from /etc/login.defs */ -+ val = search_key (LOGIN_DEFS); -+ if (val) { -+ for (j = 0; j < UNIX_CTRLS_; ++j) { -+ if (unix_args[j].token -+ && !strncasecmp(val, unix_args[j].token, strlen(unix_args[j].token))) { -+ break; -+ } -+ } -+ if (j >= UNIX_CTRLS_) { -+ pam_syslog(pamh, LOG_WARNING, "unrecognized ENCRYPT_METHOD value [%s]", val); -+ } else { -+ ctrl &= unix_args[j].mask; /* for turning things off */ -+ ctrl |= unix_args[j].flag; /* for turning things on */ -+ } -+ free (val); -+ } -+ - /* now parse the arguments to this module */ - - for (; argc-- > 0; ++argv) { -- int j; - - D(("pam_unix arg: %s", *argv)); - -diff --git a/modules/pam_unix/support.h b/modules/pam_unix/support.h -index db4cd95..d21e349 100644 ---- a/modules/pam_unix/support.h -+++ b/modules/pam_unix/support.h -@@ -8,6 +8,12 @@ - #include - - /* -+ * File to read value of ENCRYPT_METHOD from. -+ */ -+#define LOGIN_DEFS "/etc/login.defs" -+ -+ -+/* - * here is the string to inform the user that the new passwords they - * typed were not the same. - */