From db3a5fbd692fdc96e9e341a58a83cf89da6466cf368e905a06897481da725408 Mon Sep 17 00:00:00 2001 
From: Thorsten Kukuk Date: Tue, 12 May 2020 09:30:59 +0000 Subject: [PATCH 1/9] - Update to current Linux-PAM snapshot - Multiple minor bug fixes and documentation improvements - Fixed grammar of messages printed via pam_prompt - Added support for a vendor directory and libeconf - configure: Allowed disabling documentation through --disable-doc - pam_get_authtok_verify: Avoid duplicate password verification - pam_env: Changed the default to not read the user .pam_environment file - pam_group, pam_time: Fixed logical error with multiple ! operators - pam_keyinit: In pam_sm_setcred do the same as in pam_sm_open_session - pam_lastlog: Do not log info about failed login if the session was opened with PAM_SILENT flag - pam_lastlog: Limit lastlog file use by LASTLOG_UID_MAX option in login.defs - pam_lastlog: With 'unlimited' option prevent SIGXFSZ due to reduced 'fsize' limit - pam_motd: Export MOTD_SHOWN=pam after showing MOTD - pam_motd: Support multiple motd paths specified, with filename overrides - pam_namespace: Added a systemd service, which creates the namespaced instance parent directories during boot - pam_namespace: Support for noexec, nosuid and nodev flags for tmpfs mounts - pam_shells: Recognize /bin/sh as the default shell - pam_succeed_if: Support lists in group membership checks - pam_tty_audit: If kernel audit is disabled return PAM_IGNORE - pam_umask: Added new 'nousergroups' module argument and allowed specifying the default for usergroups at build-time - pam_unix: Added 'nullresetok' option to allow resetting blank passwords - pam_unix: Report unusable hashes found by checksalt to syslog - pam_unix: Support for (gost-)yescrypt hashing methods - pam_unix: Use bcrypt b-variant when it bcrypt is chosen - pam_usertype: New module to tell if uid is in login.defs ranges - Added new API call pam_start_confdir() for special applications that OBS-URL: https://build.opensuse.org/package/show/Linux-PAM/pam?expand=0&rev=208 --- Linux-PAM-1.3.1-docs.tar.xz | 3 
-- Linux-PAM-1.3.90-docs.tar.xz | 3 ++ Linux-PAM-1.3.90.tar.xz | 3 ++ linux-pam-1.3.1+git20190923.ea78d67.tar.xz | 3 -- pam.changes | 37 ++++++++++++++++++++++ pam.spec | 37 +++++++++++++++------- pam_namespace-systemd.diff | 13 ++++++++ 7 files changed, 82 insertions(+), 17 deletions(-) delete mode 100644 Linux-PAM-1.3.1-docs.tar.xz create mode 100644 Linux-PAM-1.3.90-docs.tar.xz create mode 100644 Linux-PAM-1.3.90.tar.xz delete mode 100644 linux-pam-1.3.1+git20190923.ea78d67.tar.xz create mode 100644 pam_namespace-systemd.diff
diff --git a/Linux-PAM-1.3.1-docs.tar.xz b/Linux-PAM-1.3.1-docs.tar.xz
deleted file mode 100644
index 6317d16..0000000
--- a/Linux-PAM-1.3.1-docs.tar.xz
+++ /dev/null
@@ -1,3 +0,0 @@
-version https://git-lfs.github.com/spec/v1
-oid sha256:3bb80257cc61f23956d8df43ea31cadeeb3b4cdb69d46006a70b377c139e37ca
-size 459552
diff --git a/Linux-PAM-1.3.90-docs.tar.xz b/Linux-PAM-1.3.90-docs.tar.xz
new file mode 100644
index 0000000..f1574da
--- /dev/null
+++ b/Linux-PAM-1.3.90-docs.tar.xz
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:3c36209714f41cb58379be9330bf990e28affc0b51d89eab976a8b02ec5a9529
+size 464040
diff --git a/Linux-PAM-1.3.90.tar.xz b/Linux-PAM-1.3.90.tar.xz
new file mode 100644
index 0000000..9eb944c
--- /dev/null
+++ b/Linux-PAM-1.3.90.tar.xz
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:b1f6ade473809f6c2b284426cee67f3d2162ce791f7b26c56c2f8928e9be9f8c
+size 975768
diff --git a/linux-pam-1.3.1+git20190923.ea78d67.tar.xz b/linux-pam-1.3.1+git20190923.ea78d67.tar.xz
deleted file mode 100644
index bb14cc8..0000000
--- a/linux-pam-1.3.1+git20190923.ea78d67.tar.xz
+++ /dev/null
@@ -1,3 +0,0 @@
-version https://git-lfs.github.com/spec/v1
-oid sha256:a56e27836c298e46b09e14d6d3aaa78d1e9e02dee8785818141ea73fa4e4622f
-size 970564
diff --git a/pam.changes b/pam.changes
index 58e0c2a..2803b39 100644
--- a/pam.changes
+++ b/pam.changes
@@ -1,3 +1,40 @@ +------------------------------------------------------------------- +Tue May 12 09:24:46 UTC 2020 - Thorsten Kukuk + +- Update to current Linux-PAM snapshot + - Multiple minor bug fixes and documentation improvements + - Fixed grammar of messages printed via pam_prompt + - Added support for a vendor directory and libeconf + - configure: Allowed disabling documentation through --disable-doc + - pam_get_authtok_verify: Avoid duplicate password verification + - pam_env: Changed the default to not read the user .pam_environment file + - pam_group, pam_time: Fixed logical error with multiple ! operators + - pam_keyinit: In pam_sm_setcred do the same as in pam_sm_open_session + - pam_lastlog: Do not log info about failed login if the session was opened + with PAM_SILENT flag + - pam_lastlog: Limit lastlog file use by LASTLOG_UID_MAX option in login.defs + - pam_lastlog: With 'unlimited' option prevent SIGXFSZ due to reduced 'fsize' + limit + - pam_motd: Export MOTD_SHOWN=pam after showing MOTD + - pam_motd: Support multiple motd paths specified, with filename overrides + - pam_namespace: Added a systemd service, which creates the namespaced + instance parent directories during boot + - pam_namespace: Support for noexec, nosuid and nodev flags for tmpfs mounts + - pam_shells: Recognize /bin/sh as the default shell + - pam_succeed_if: Support lists in group membership checks + - pam_tty_audit: If kernel audit is disabled return PAM_IGNORE + - pam_umask: Added new 'nousergroups' module argument and allowed specifying + the default for usergroups at build-time + - pam_unix: Added 'nullresetok' option to allow resetting blank passwords + - pam_unix: Report unusable hashes found by checksalt to syslog + - pam_unix: Support for (gost-)yescrypt hashing methods + - pam_unix: Use bcrypt b-variant when it bcrypt is chosen + - pam_usertype: New module to tell if uid is in login.defs ranges + - Added new API call pam_start_confdir() for special applications that + 
cannot use the system-default PAM configuration paths and need to + explicitly specify another path +- pam_namespace-systemd.diff: fix path of pam_namespace.services + ------------------------------------------------------------------- Thu Apr 2 09:51:31 UTC 2020 - Ludwig Nussel diff --git a/pam.spec b/pam.spec index 4c676d8..fa784bf 100644 --- a/pam.spec +++ b/pam.spec @@ -23,19 +23,19 @@ # %define enable_selinux 1 -%define libpam_so_version 0.84.2 +%define libpam_so_version 0.85.1 %define libpam_misc_so_version 0.82.1 %define libpamc_so_version 0.82.1 Name: pam # -Version: 1.3.1+git20190923.ea78d67 +Version: 1.3.90 Release: 0 Summary: A Security Tool that Provides Authentication for Applications License: GPL-2.0-or-later OR BSD-3-Clause Group: System/Libraries URL: http://www.linux-pam.org/ -Source: linux-pam-%{version}.tar.xz -Source1: Linux-PAM-1.3.1-docs.tar.xz +Source: Linux-PAM-%{version}.tar.xz +Source1: Linux-PAM-%{version}-docs.tar.xz Source3: other.pamd Source4: common-auth.pamd Source5: common-account.pamd @@ -50,6 +50,7 @@ Patch0: fix-man-links.dif Patch2: pam-limit-nproc.patch Patch4: pam-hostnames-in-access_conf.patch Patch5: use-correct-IP-address.patch +Patch6: pam_namespace-systemd.diff BuildRequires: audit-devel # Remove with next version update: BuildRequires: autoconf @@ -76,6 +77,8 @@ BuildRequires: libselinux-devel Requires(pre): group(shadow) Requires(pre): user(root) %endif +BuildRequires: autoconf +BuildRequires: automake %description PAM (Pluggable Authentication Modules) is a system security tool that 
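Review bot: `BuildRequires: autoconf` is added a second time in the `@@ -76,6 +77,8 @@` hunk although the `@@ -50,6 +50,7 @@` hunk's context already carries it under `# Remove with next version update:`, and the new pair lands after `%endif` between the `Requires(pre)` lines instead of with the other build dependencies. Keep a single `BuildRequires: autoconf` / `BuildRequires: automake` pair next to the existing one and extend that comment to say they exist only because `%build` now runs `autoreconf -fiv` on the snapshot. If the pair is meant to be temporary, the comment should name the condition for removing it rather than "next version update".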
@@ -126,17 +129,17 @@ This package contains header files and static libraries used for building both PAM-aware applications and modules for use with PAM. %prep -%setup -q -n linux-pam-%{version} -b 1 -cp -av ../Linux-PAM-1.3.1/* . +%setup -q -n Linux-PAM-%{version} -b 1 cp -a %{SOURCE12} . %patch0 -p1 %patch2 -p1 -%patch4 -%patch5 -p1 +#%patch4 +#%patch5 -p1 +%patch6 -p1 %build bash ./pam-login_defs-check.sh -./autogen.sh +autoreconf -fiv export CFLAGS="%{optflags} -DNDEBUG" %configure \ --sbindir=/sbin \ @@ -258,6 +261,7 @@ done %config(noreplace) %{_sysconfdir}/environment %config(noreplace) %{_sysconfdir}/security/access.conf %config(noreplace) %{_sysconfdir}/security/group.conf +%config(noreplace) %{_sysconfdir}/security/faillock.conf %config(noreplace) %{_sysconfdir}/security/limits.conf %config(noreplace) %{_sysconfdir}/security/pam_env.conf %if %{enable_selinux} @@ -272,9 +276,10 @@ done %{_mandir}/man5/environment.5%{?ext_man} %{_mandir}/man5/*.conf.5%{?ext_man} %{_mandir}/man5/pam.d.5%{?ext_man} +%{_mandir}/man8/PAM.8.gz +%{_mandir}/man8/faillock.8.gz %{_mandir}/man8/mkhomedir_helper.8.gz %{_mandir}/man8/pam.8.gz -%{_mandir}/man8/PAM.8.gz %{_mandir}/man8/pam_access.8.gz %{_mandir}/man8/pam_cracklib.8.gz %{_mandir}/man8/pam_debug.8.gz @@ -283,6 +288,7 @@ done %{_mandir}/man8/pam_env.8.gz %{_mandir}/man8/pam_exec.8.gz %{_mandir}/man8/pam_faildelay.8.gz +%{_mandir}/man8/pam_faillock.8.gz %{_mandir}/man8/pam_filter.8.gz %{_mandir}/man8/pam_ftp.8.gz %{_mandir}/man8/pam_group.8.gz @@ -297,6 +303,7 @@ done %{_mandir}/man8/pam_mkhomedir.8.gz %{_mandir}/man8/pam_motd.8.gz %{_mandir}/man8/pam_namespace.8.gz +%{_mandir}/man8/pam_namespace_helper.8.gz %{_mandir}/man8/pam_nologin.8.gz %{_mandir}/man8/pam_permit.8.gz %{_mandir}/man8/pam_pwhistory.8.gz 
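Review bot: The `%prep` hunk turns `%patch4` and `%patch5 -p1` into `#%patch4` / `#%patch5 -p1` while `Patch4: pam-hostnames-in-access_conf.patch` and `Patch5: use-correct-IP-address.patch` stay declared in the preceding hunk, so the pam_access hostname and IP handling fixes silently stop being applied to the 1.3.90 build and neither the commit message nor the pam.changes entry says so. rpm expands macros inside `#` comment lines as well (rpmbuild reports "Macro expanded in comment"), so a commented-out `%patch` is not a safe way to park a patch; write `#%%patch4` and `#%%patch5 -p1`, or remove the `Patch4`/`Patch5` declarations until the patches are rebased. The same commented-out lines are still visible as context in the second commit of this series and are only restored by the fourth, so a one-line `# pam_access patches need rebasing for 1.3.90` comment would have made the gap visible to the next packager.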
@@ -305,6 +312,7 @@ done %{_mandir}/man8/pam_securetty.8.gz %{_mandir}/man8/pam_selinux.8.gz %{_mandir}/man8/pam_sepermit.8.gz +%{_mandir}/man8/pam_setquota.8.gz %{_mandir}/man8/pam_shells.8.gz %{_mandir}/man8/pam_succeed_if.8.gz %{_mandir}/man8/pam_tally2.8.gz @@ -314,11 +322,12 @@ done %{_mandir}/man8/pam_tty_audit.8.gz %{_mandir}/man8/pam_umask.8.gz %{_mandir}/man8/pam_unix.8.gz +%{_mandir}/man8/pam_usertype.8.gz %{_mandir}/man8/pam_warn.8.gz %{_mandir}/man8/pam_wheel.8.gz %{_mandir}/man8/pam_xauth.8.gz -%{_mandir}/man8/unix_chkpwd.8.gz %{_mandir}/man8/unix2_chkpwd.8.gz +%{_mandir}/man8/unix_chkpwd.8.gz %{_mandir}/man8/unix_update.8.gz /%{_lib}/libpam.so.0 /%{_lib}/libpam.so.%{libpam_so_version} @@ -335,6 +344,7 @@ done /%{_lib}/security/pam_env.so /%{_lib}/security/pam_exec.so /%{_lib}/security/pam_faildelay.so +/%{_lib}/security/pam_faillock.so /%{_lib}/security/pam_filter.so %dir /%{_lib}/security/pam_filter /%{_lib}/security//pam_filter/upperLOWER @@ -361,6 +371,7 @@ done /%{_lib}/security/pam_selinux.so /%{_lib}/security/pam_sepermit.so %endif +/%{_lib}/security/pam_setquota.so /%{_lib}/security/pam_shells.so /%{_lib}/security/pam_stress.so /%{_lib}/security/pam_succeed_if.so @@ -374,15 +385,19 @@ done /%{_lib}/security/pam_unix_auth.so /%{_lib}/security/pam_unix_passwd.so /%{_lib}/security/pam_unix_session.so +/%{_lib}/security/pam_usertype.so /%{_lib}/security/pam_warn.so /%{_lib}/security/pam_wheel.so /%{_lib}/security/pam_xauth.so +/sbin/faillock /sbin/mkhomedir_helper +/sbin/pam_namespace_helper /sbin/pam_tally2 /sbin/pam_timestamp_check %verify(not mode) %attr(4755,root,shadow) /sbin/unix_chkpwd %verify(not mode) %attr(4755,root,shadow) /sbin/unix2_chkpwd %attr(0700,root,root) /sbin/unix_update +%{_unitdir}/pam_namespace.service %files extra %defattr(-,root,root,755) diff --git a/pam_namespace-systemd.diff b/pam_namespace-systemd.diff new file mode 100644 index 0000000..33c6a39 --- /dev/null +++ b/pam_namespace-systemd.diff 
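Review bot: `%{_unitdir}/pam_namespace.service` is packaged in the last `%files` hunk, but no `%{?systemd_ordering}` or `%service_add_pre`/`%service_add_post` handling for the unit appears anywhere in this commit; the scriptlet section is outside these hunks, so this may already be covered and is worth confirming. The same hunk ships three new modules (`pam_faillock.so`, `pam_setquota.so`, `pam_usertype.so`) plus `/sbin/faillock`, `faillock.conf` and the new helper `/sbin/pam_namespace_helper` in the base package, yet the long pam.changes entry in this commit says nothing about the lockout tool and its config now being installed (a later commit in the series adds only `- Add pam_faillock`). A changelog line naming the new binaries and the new config file helps administrators auditing what a PAM update places under `/%{_lib}/security` and `/sbin`.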
@@ -0,0 +1,13 @@
+diff --git a/modules/pam_namespace/Makefile.am b/modules/pam_namespace/Makefile.am
+index eacd5201..21e1b33a 100644
+--- a/modules/pam_namespace/Makefile.am
++++ b/modules/pam_namespace/Makefile.am
+@@ -18,7 +18,7 @@ TESTS = $(dist_check_SCRIPTS)
+ securelibdir = $(SECUREDIR)
+ secureconfdir = $(SCONFIGDIR)
+ namespaceddir = $(SCONFIGDIR)/namespace.d
+-servicedir = $(prefix)/lib/systemd
++servicedir = $(prefix)/lib/systemd/system
+
+ AM_CFLAGS = -I$(top_srcdir)/libpam/include -I$(top_srcdir)/libpamc/include \
+ -DSECURECONF_DIR=\"$(SCONFIGDIR)/\" $(WARN_CFLAGS)
From 868d149bc4d88a20bcb1aca5fd8ab9151ff9c179d5708bd5149f1e590b613d0d Mon Sep 17 00:00:00 2001 From: Thorsten Kukuk Date: Tue, 12 May 2020 11:32:07 +0000 Subject: [PATCH 2/9] - Update to current Linux-PAM snapshot - Obsoletes pam_namespace-systemd.diff OBS-URL: https://build.opensuse.org/package/show/Linux-PAM/pam?expand=0&rev=209 --- Linux-PAM-1.3.90-docs.tar.xz | 3 --- Linux-PAM-1.3.90.tar.xz | 3 --- Linux-PAM-1.3.91-docs.tar.xz | 3 +++ Linux-PAM-1.3.91.tar.xz | 3 +++ pam.changes | 6 ++++++ pam.spec | 10 +--------- pam_namespace-systemd.diff | 13 ------------- 7 files changed, 13 insertions(+), 28 deletions(-) delete mode 100644 Linux-PAM-1.3.90-docs.tar.xz delete mode 100644 Linux-PAM-1.3.90.tar.xz create mode 100644 Linux-PAM-1.3.91-docs.tar.xz create mode 100644 Linux-PAM-1.3.91.tar.xz delete mode 100644 pam_namespace-systemd.diff
diff --git a/Linux-PAM-1.3.90-docs.tar.xz b/Linux-PAM-1.3.90-docs.tar.xz
deleted file mode 100644
index f1574da..0000000
--- a/Linux-PAM-1.3.90-docs.tar.xz
+++ /dev/null
@@ -1,3 +0,0 @@
-version https://git-lfs.github.com/spec/v1
-oid sha256:3c36209714f41cb58379be9330bf990e28affc0b51d89eab976a8b02ec5a9529
-size 464040
diff --git a/Linux-PAM-1.3.90.tar.xz b/Linux-PAM-1.3.90.tar.xz
deleted file mode 100644
index 9eb944c..0000000
--- a/Linux-PAM-1.3.90.tar.xz
+++ /dev/null
@@ -1,3 +0,0 @@ -version https://git-lfs.github.com/spec/v1 -oid sha256:b1f6ade473809f6c2b284426cee67f3d2162ce791f7b26c56c2f8928e9be9f8c -size 975768 diff --git a/Linux-PAM-1.3.91-docs.tar.xz b/Linux-PAM-1.3.91-docs.tar.xz new file mode 100644 index 0000000..550647a --- /dev/null +++ b/Linux-PAM-1.3.91-docs.tar.xz @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:45c03e0c2b34263fbb0038c3045650dbc1d2a0e520e8c0283c3baef9d95bd7f0 +size 464208 diff --git a/Linux-PAM-1.3.91.tar.xz b/Linux-PAM-1.3.91.tar.xz new file mode 100644 index 0000000..8785288 --- /dev/null +++ b/Linux-PAM-1.3.91.tar.xz @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:fa94b9495c0a7346a442528e6db1f8768fb224085f378eb40f1c08ec36f39fcc +size 976108 diff --git a/pam.changes b/pam.changes index 2803b39..ea7632d 100644 --- a/pam.changes +++ b/pam.changes @@ -1,3 +1,9 @@ +------------------------------------------------------------------- +Tue May 12 11:30:27 UTC 2020 - Thorsten Kukuk + +- Update to current Linux-PAM snapshot + - Obsoletes pam_namespace-systemd.diff + ------------------------------------------------------------------- Tue May 12 09:24:46 UTC 2020 - Thorsten Kukuk diff --git a/pam.spec b/pam.spec index fa784bf..e59f5eb 100644 --- a/pam.spec +++ b/pam.spec @@ -28,7 +28,7 @@ %define libpamc_so_version 0.82.1 Name: pam # -Version: 1.3.90 +Version: 1.3.91 Release: 0 Summary: A Security Tool that Provides Authentication for Applications License: GPL-2.0-or-later OR BSD-3-Clause @@ -50,11 +50,7 @@ Patch0: fix-man-links.dif Patch2: pam-limit-nproc.patch Patch4: pam-hostnames-in-access_conf.patch Patch5: use-correct-IP-address.patch -Patch6: pam_namespace-systemd.diff BuildRequires: audit-devel -# Remove with next version update: -BuildRequires: autoconf -BuildRequires: automake BuildRequires: bison BuildRequires: cracklib-devel BuildRequires: flex 
@@ -77,8 +73,6 @@ BuildRequires: libselinux-devel Requires(pre): group(shadow) Requires(pre): user(root) %endif -BuildRequires: autoconf -BuildRequires: automake %description PAM (Pluggable Authentication Modules) is a system security tool that @@ -135,11 +129,9 @@ cp -a %{SOURCE12} . %patch2 -p1 #%patch4 #%patch5 -p1 -%patch6 -p1 %build bash ./pam-login_defs-check.sh -autoreconf -fiv export CFLAGS="%{optflags} -DNDEBUG" %configure \ --sbindir=/sbin \ diff --git a/pam_namespace-systemd.diff b/pam_namespace-systemd.diff deleted file mode 100644 index 33c6a39..0000000 --- a/pam_namespace-systemd.diff +++ /dev/null @@ -1,13 +0,0 @@ -diff --git a/modules/pam_namespace/Makefile.am b/modules/pam_namespace/Makefile.am -index eacd5201..21e1b33a 100644 ---- a/modules/pam_namespace/Makefile.am -+++ b/modules/pam_namespace/Makefile.am -@@ -18,7 +18,7 @@ TESTS = $(dist_check_SCRIPTS) - securelibdir = $(SECUREDIR) - secureconfdir = $(SCONFIGDIR) - namespaceddir = $(SCONFIGDIR)/namespace.d --servicedir = $(prefix)/lib/systemd -+servicedir = $(prefix)/lib/systemd/system - - AM_CFLAGS = -I$(top_srcdir)/libpam/include -I$(top_srcdir)/libpamc/include \ - -DSECURECONF_DIR=\"$(SCONFIGDIR)/\" $(WARN_CFLAGS) From a3260b7eb86f880c587d27b6505f0f1b1d6d5770d2147dd6d5f48038848e980d Mon Sep 17 00:00:00 2001 From: Thorsten Kukuk Date: Tue, 12 May 2020 12:09:42 +0000 Subject: [PATCH 3/9] OBS-URL: https://build.opensuse.org/package/show/Linux-PAM/pam?expand=0&rev=210 --- Linux-PAM-1.3.91-docs.tar.xz | 4 ++-- Linux-PAM-1.3.91.tar.xz | 4 ++-- 2 files changed, 4 insertions(+), 4 deletions(-) diff --git a/Linux-PAM-1.3.91-docs.tar.xz b/Linux-PAM-1.3.91-docs.tar.xz index 550647a..f4919b6 100644 --- a/Linux-PAM-1.3.91-docs.tar.xz +++ b/Linux-PAM-1.3.91-docs.tar.xz @@ -1,3 +1,3 @@ version https://git-lfs.github.com/spec/v1 -oid sha256:45c03e0c2b34263fbb0038c3045650dbc1d2a0e520e8c0283c3baef9d95bd7f0 -size 464208 +oid sha256:3bf5336ef11158dd52d22c7919eb24ac7e381a60d8937179a87f09f77e74fe99 +size 464136 
diff --git a/Linux-PAM-1.3.91.tar.xz b/Linux-PAM-1.3.91.tar.xz
index 8785288..c3fa0da 100644
--- a/Linux-PAM-1.3.91.tar.xz
+++ b/Linux-PAM-1.3.91.tar.xz
@@ -1,3 +1,3 @@
 version https://git-lfs.github.com/spec/v1
-oid sha256:fa94b9495c0a7346a442528e6db1f8768fb224085f378eb40f1c08ec36f39fcc
-size 976108
+oid sha256:426895651da97d3c0f139ddcd878067962eb0809ddc17e1138081249c51ac2b8
+size 975112
From d205252584149ed261672066f076566dadad741ca78e9b4c0226018342c4a2eb Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Josef=20M=C3=B6llers?= Date: Tue, 12 May 2020 12:19:16 +0000 Subject: [PATCH 4/9] Accepting request 802957 from home:jmoellers:branches:Linux-PAM OBS-URL: https://build.opensuse.org/request/show/802957 OBS-URL: https://build.opensuse.org/package/show/Linux-PAM/pam?expand=0&rev=211 --- pam-hostnames-in-access_conf.patch | 58 +++++++++++++++--------------- pam.changes | 8 +++++ pam.spec | 4 +-- use-correct-IP-address.patch | 34 ------------------ 4 files changed, 39 insertions(+), 65 deletions(-) delete mode 100644 use-correct-IP-address.patch
diff --git a/pam-hostnames-in-access_conf.patch b/pam-hostnames-in-access_conf.patch
index 7650754..3f2c1f9 100644
--- a/pam-hostnames-in-access_conf.patch
+++ b/pam-hostnames-in-access_conf.patch
@@ -1,8 +1,8 @@
-Index: modules/pam_access/pam_access.c
+Index: Linux-PAM-1.3.91/modules/pam_access/pam_access.c
 ===================================================================
---- modules/pam_access/pam_access.c.orig
-+++ modules/pam_access/pam_access.c
-@@ -692,10 +692,10 @@ string_match (pam_handle_t *pamh, const
+--- Linux-PAM-1.3.91.orig/modules/pam_access/pam_access.c
++++ Linux-PAM-1.3.91/modules/pam_access/pam_access.c
+@@ -699,10 +699,10 @@ string_match (pam_handle_t *pamh, const
 return (NO);
 }
 
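Review bot: The `Linux-PAM-1.3.91.tar.xz` pointer gets a new `oid sha256:` and `size` while `Version: 1.3.91` in pam.spec is unchanged and this commit carries no subject text and no pam.changes entry, so two different source archives now map to the same version string. For the package that provides the system authentication stack, a reviewer would expect the reason for regenerating the snapshot archive (and the upstream commit it was cut from) recorded in pam.changes so that the version-to-checksum mapping stays auditable. The docs tarball hunk just above this one has the same gap.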
@@ -15,7 +15,7 @@ Index: modules/pam_access/pam_access.c */ static int network_netmask_match (pam_handle_t *pamh, -@@ -704,10 +704,14 @@ network_netmask_match (pam_handle_t *pam +@@ -711,10 +711,14 @@ network_netmask_match (pam_handle_t *pam char *netmask_ptr; char netmask_string[MAXHOSTNAMELEN + 1]; int addr_type; @@ -31,7 +31,7 @@ Index: modules/pam_access/pam_access.c /* OK, check if tok is of type addr/mask */ if ((netmask_ptr = strchr(tok, '/')) != NULL) { -@@ -717,7 +721,7 @@ network_netmask_match (pam_handle_t *pam +@@ -724,7 +728,7 @@ network_netmask_match (pam_handle_t *pam *netmask_ptr = 0; netmask_ptr++; @@ -40,7 +40,7 @@ Index: modules/pam_access/pam_access.c { /* no netaddr */ return NO; } -@@ -739,19 +743,47 @@ network_netmask_match (pam_handle_t *pam +@@ -748,19 +752,47 @@ network_netmask_match (pam_handle_t *pam netmask_ptr = number_to_netmask(netmask, addr_type, netmask_string, MAXHOSTNAMELEN); } @@ -93,7 +93,7 @@ Index: modules/pam_access/pam_access.c memset (&hint, '\0', sizeof (hint)); hint.ai_flags = AI_CANONNAME; hint.ai_family = AF_UNSPEC; -@@ -764,27 +796,52 @@ network_netmask_match (pam_handle_t *pam +@@ -773,29 +805,54 @@ network_netmask_match (pam_handle_t *pam else { struct addrinfo *runp = item->res; 
@@ -103,29 +103,31 @@ Index: modules/pam_access/pam_access.c { char buf[INET6_ADDRSTRLEN]; + DIAG_PUSH_IGNORE_CAST_ALIGN; - inet_ntop (runp->ai_family, - runp->ai_family == AF_INET - ? (void *) &((struct sockaddr_in *) runp->ai_addr)->sin_addr - : (void *) &((struct sockaddr_in6 *) runp->ai_addr)->sin6_addr, - buf, sizeof (buf)); + (void) getnameinfo (runp->ai_addr, runp->ai_addrlen, buf, sizeof (buf), NULL, 0, NI_NUMERICHOST); + DIAG_POP_IGNORE_CAST_ALIGN; - if (are_addresses_equal(buf, tok, netmask_ptr)) + for (runp1 = ai; runp1 != NULL; runp1 = runp1->ai_next) { - return YES; -+ char buf1[INET6_ADDRSTRLEN]; ++ char buf1[INET6_ADDRSTRLEN]; + -+ if (runp->ai_family != runp1->ai_family) -+ continue; ++ if (runp->ai_family != runp1->ai_family) ++ continue; + -+ (void) getnameinfo (runp1->ai_addr, runp1->ai_addrlen, buf1, sizeof (buf1), NULL, 0, NI_NUMERICHOST); ++ (void) getnameinfo (runp1->ai_addr, runp1->ai_addrlen, buf1, sizeof (buf1), NULL, 0, NI_NUMERICHOST); + -+ if (are_addresses_equal (buf, buf1, netmask_ptr)) -+ { -+ freeaddrinfo(ai); -+ return YES; -+ } ++ if (are_addresses_equal (buf, buf1, netmask_ptr)) ++ { ++ freeaddrinfo(ai); ++ return YES; ++ } } runp = runp->ai_next; } 
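Review bot: The return value of `getnameinfo()` is discarded with `(void)` on both the `buf` call and the `buf1` call in the inner loop, so when name conversion fails an uninitialised `INET6_ADDRSTRLEN` buffer is passed to `are_addresses_equal()` and an access.conf decision is taken on indeterminate data. In an access-control path both conversions should fail closed, e.g. `if (getnameinfo (runp1->ai_addr, runp1->ai_addrlen, buf1, sizeof (buf1), NULL, 0, NI_NUMERICHOST) != 0) continue;` for the inner loop and the equivalent skip for the outer `runp` entry. The `@@ -134,20 +136,20 @@` hunk below repeats the pattern on its own `buf1` call and needs the same guard. The enclosing `network_netmask_match()` starts and ends outside this hunk, so whether every early `return NO` after a successful `getaddrinfo()` also calls `freeaddrinfo(ai)` cannot be checked here; worth confirming, since only the `return YES` paths in view release it.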
@@ -134,20 +136,20 @@ Index: modules/pam_access/pam_access.c else - return (are_addresses_equal(string, tok, netmask_ptr)); + { -+ struct addrinfo *runp1; ++ struct addrinfo *runp1; + -+ for (runp1 = ai; runp1 != NULL; runp1 = runp1->ai_next) -+ { -+ char buf1[INET6_ADDRSTRLEN]; ++ for (runp1 = ai; runp1 != NULL; runp1 = runp1->ai_next) ++ { ++ char buf1[INET6_ADDRSTRLEN]; + -+ (void) getnameinfo (runp1->ai_addr, runp1->ai_addrlen, buf1, sizeof (buf1), NULL, 0, NI_NUMERICHOST); ++ (void) getnameinfo (runp1->ai_addr, runp1->ai_addrlen, buf1, sizeof (buf1), NULL, 0, NI_NUMERICHOST); + -+ if (are_addresses_equal(string, buf1, netmask_ptr)) -+ { -+ freeaddrinfo(ai); -+ return YES; -+ } -+ } ++ if (are_addresses_equal(string, buf1, netmask_ptr)) ++ { ++ freeaddrinfo(ai); ++ return YES; ++ } ++ } + } + + freeaddrinfo(ai); diff --git a/pam.changes b/pam.changes index ea7632d..c0268c9 100644 --- a/pam.changes +++ b/pam.changes @@ -1,3 +1,11 @@ +------------------------------------------------------------------- +Tue May 12 11:44:19 UTC 2020 - Josef Möllers + +- Adapted patch pam-hostnames-in-access_conf.patch for new version + New version obsoleted patch use-correct-IP-address.patch + [pam-hostnames-in-access_conf.patch, + use-correct-IP-address.patch] + ------------------------------------------------------------------- Tue May 12 11:30:27 UTC 2020 - Thorsten Kukuk diff --git a/pam.spec b/pam.spec index e59f5eb..e3037f9 100644 --- a/pam.spec +++ b/pam.spec @@ -49,7 +49,6 @@ Source12: pam-login_defs-check.sh Patch0: fix-man-links.dif Patch2: pam-limit-nproc.patch Patch4: pam-hostnames-in-access_conf.patch -Patch5: use-correct-IP-address.patch BuildRequires: audit-devel BuildRequires: bison BuildRequires: cracklib-devel @@ -127,8 +126,7 @@ building both PAM-aware applications and modules for use with PAM. cp -a %{SOURCE12} . %patch0 -p1 %patch2 -p1 -#%patch4 -#%patch5 -p1 +%patch4 -p1 %build bash ./pam-login_defs-check.sh 
diff --git a/use-correct-IP-address.patch b/use-correct-IP-address.patch
deleted file mode 100644
index 105a16c..0000000
--- a/use-correct-IP-address.patch
+++ /dev/null
@@ -1,34 +0,0 @@
-Index: Linux-PAM-1.3.1/modules/pam_access/pam_access.c
-===================================================================
---- Linux-PAM-1.3.1.orig/modules/pam_access/pam_access.c
-+++ Linux-PAM-1.3.1/modules/pam_access/pam_access.c
-@@ -716,7 +716,7 @@ network_netmask_match (pam_handle_t *pam
-
- if (item->debug)
- pam_syslog (pamh, LOG_DEBUG,
-- "network_netmask_match: tok=%s, item=%s", tok, string);
-+ "network_netmask_match: tok=%s, string=%s", tok, string);
-
- /* OK, check if tok is of type addr/mask */
- if ((netmask_ptr = strchr(tok, '/')) != NULL)
-@@ -734,7 +734,7 @@ network_netmask_match (pam_handle_t *pam
-
- /* check netmask */
- if (isipaddr(netmask_ptr, NULL, NULL) == NO)
-- { /* netmask as integre value */
-+ { /* netmask as integer value */
- char *endptr = NULL;
- netmask = strtol(netmask_ptr, &endptr, 0);
- if ((endptr == netmask_ptr) || (*endptr != '\0'))
-@@ -778,9 +778,9 @@ network_netmask_match (pam_handle_t *pam
-
- ai = NULL; /* just to be on the safe side */
-
-- if (getaddrinfo (string, NULL, &hint, &ai) != 0)
-+ if (getaddrinfo (tok, NULL, &hint, &ai) != 0)
- {
-- pam_syslog(pamh, LOG_ERR, "cannot resolve hostname \"%s\"", string);
-+ pam_syslog(pamh, LOG_ERR, "cannot resolve hostname \"%s\"", tok);
-
- return NO;
- }
From a9deb79ba930296dbf4dfea870534890993c462001097df2acd25c01245d283c Mon Sep 17 00:00:00 2001 From: Thorsten Kukuk Date: Tue, 12 May 2020 12:36:23 +0000 Subject: [PATCH 5/9] - Add pam_faillock OBS-URL: https://build.opensuse.org/package/show/Linux-PAM/pam?expand=0&rev=212 --- pam.changes | 1 + 1 file changed, 1 insertion(+)
diff --git a/pam.changes b/pam.changes
index c0268c9..3cfc512 100644
--- a/pam.changes
+++ b/pam.changes
@@ -16,6 +16,7 @@ Tue May 12 11:30:27 UTC 2020 - Thorsten Kukuk
 Tue May 12 09:24:46 UTC 2020 - Thorsten Kukuk
 
 - Update to current Linux-PAM snapshot
+ - Add pam_faillock
 - Multiple minor bug fixes and documentation improvements
 - Fixed grammar of messages printed via pam_prompt
 - Added support for a vendor directory and libeconf
From 00f1294879e27e3a8f86ef04bcb799d2c6832f4da79766a2dd2099b2f797eca0 Mon Sep 17 00:00:00 2001 From: Thorsten Kukuk Date: Wed, 27 May 2020 09:48:06 +0000 Subject: [PATCH 6/9] - Update to current Linux-PAM snapshot - pam_tally* and pam_cracklib got deprecated - Disable pam_faillock and pam_setquota until they are whitelisted OBS-URL: https://build.opensuse.org/package/show/Linux-PAM/pam?expand=0&rev=213 --- Linux-PAM-1.3.91-docs.tar.xz | 3 - Linux-PAM-1.3.91.tar.xz | 3 - Linux-PAM-1.3.92-docs.tar.xz | 3 + Linux-PAM-1.3.92.tar.xz | 3 + baselibs.conf | 2 + pam.changes | 7 ++ pam.spec | 177 +++++++++++++++++++---------------- 7 files changed, 110 insertions(+), 88 deletions(-) delete mode 100644 Linux-PAM-1.3.91-docs.tar.xz delete mode 100644 Linux-PAM-1.3.91.tar.xz create mode 100644 Linux-PAM-1.3.92-docs.tar.xz create mode 100644 Linux-PAM-1.3.92.tar.xz
diff --git a/Linux-PAM-1.3.91-docs.tar.xz b/Linux-PAM-1.3.91-docs.tar.xz
deleted file mode 100644
index f4919b6..0000000
--- a/Linux-PAM-1.3.91-docs.tar.xz
+++ /dev/null
@@ -1,3 +0,0 @@
-version https://git-lfs.github.com/spec/v1
-oid sha256:3bf5336ef11158dd52d22c7919eb24ac7e381a60d8937179a87f09f77e74fe99
-size 464136
diff --git a/Linux-PAM-1.3.91.tar.xz b/Linux-PAM-1.3.91.tar.xz
deleted file mode 100644
index c3fa0da..0000000
--- a/Linux-PAM-1.3.91.tar.xz
+++ /dev/null
@@ -1,3 +0,0 @@
-version https://git-lfs.github.com/spec/v1
-oid sha256:426895651da97d3c0f139ddcd878067962eb0809ddc17e1138081249c51ac2b8
-size 975112
diff --git a/Linux-PAM-1.3.92-docs.tar.xz b/Linux-PAM-1.3.92-docs.tar.xz
new file mode 100644
index 0000000..cef9c1b
--- /dev/null
+++ b/Linux-PAM-1.3.92-docs.tar.xz
@@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:58af8e875cdcaffcf5bc2ca2d228dcb2f1589e73448391f2de562dfed186cf8a +size 464148 diff --git a/Linux-PAM-1.3.92.tar.xz b/Linux-PAM-1.3.92.tar.xz new file mode 100644 index 0000000..bfd8bbf --- /dev/null +++ b/Linux-PAM-1.3.92.tar.xz @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:12bb1b2128fa4cffdd3ba5950e2f985602db35f2ff984129709e84b8f5e6225b +size 982628 diff --git a/baselibs.conf b/baselibs.conf index 4cd0578..aa1a812 100644 --- a/baselibs.conf +++ b/baselibs.conf @@ -1,2 +1,4 @@ pam +pam-extra +pam-deprecated pam-devel diff --git a/pam.changes b/pam.changes index 3cfc512..ecbc36b 100644 --- a/pam.changes +++ b/pam.changes @@ -1,3 +1,10 @@ +------------------------------------------------------------------- +Wed May 27 09:27:32 UTC 2020 - Thorsten Kukuk + +- Update to current Linux-PAM snapshot + - pam_tally* and pam_cracklib got deprecated +- Disable pam_faillock and pam_setquota until they are whitelisted + ------------------------------------------------------------------- Tue May 12 11:44:19 UTC 2020 - Josef Möllers diff --git a/pam.spec b/pam.spec index e3037f9..82bb5fd 100644 --- a/pam.spec +++ b/pam.spec @@ -16,19 +16,18 @@ # -%if ! %{defined _distconfdir} - %define _distconfdir %{_sysconfdir} - %define config_noreplace 1 -%endif - # %define enable_selinux 1 %define libpam_so_version 0.85.1 %define libpam_misc_so_version 0.82.1 %define libpamc_so_version 0.82.1 +%if ! %{defined _distconfdir} + %define _distconfdir %{_sysconfdir} + %define config_noreplace 1 +%endif Name: pam # -Version: 1.3.91 +Version: 1.3.92 Release: 0 Summary: A Security Tool that Provides Authentication for Applications License: GPL-2.0-or-later OR BSD-3-Clause 
@@ -54,12 +53,12 @@ BuildRequires: bison BuildRequires: cracklib-devel BuildRequires: flex BuildRequires: libtool +BuildRequires: xz +Requires(post): permissions # All login.defs variables require support from shadow side. # Upgrade this symbol version only if new variables appear! # Verify by shadow-login_defs-check.sh from shadow source package. Recommends: login_defs-support-for-pam >= 1.3.1 -Requires(post): permissions -BuildRequires: xz %if 0%{?suse_version} > 1320 BuildRequires: pkgconfig(libeconf) BuildRequires: pkgconfig(libnsl) @@ -80,7 +79,7 @@ having to recompile programs that do authentication. %package extra Summary: PAM module to authenticate against a separate database -Group: System/Libraries%description +Group: System/Libraries BuildRequires: libdb-4_8-devel BuildRequires: pam-devel @@ -121,6 +120,21 @@ having to recompile programs which do authentication. This package contains header files and static libraries used for building both PAM-aware applications and modules for use with PAM. +%package deprecated +Summary: Deprecated PAM Modules +Group: System/Libraries +Provides: pam:/%{_lib}/security/pam_cracklib.so +Provides: pam:/%{_lib}/security/pam_tally2.so + +%description deprecated +PAM (Pluggable Authentication Modules) is a system security tool that +allows system administrators to set authentication policies without +having to recompile programs that do authentication. + +This package contains deprecated extra modules like pam_cracklib and +pam_tally2, which are no longer supported upstream and will be completly +removed with one of the next releases. + %prep %setup -q -n Linux-PAM-%{version} -b 1 cp -a %{SOURCE12} . 
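Review bot: The `%description deprecated` text in the `@@ -121,6 +120,21 @@` hunk has a typo, `completly` → `completely`, and `removed with one of the next releases` reads better as `removed in one of the next releases`. The new subpackage only declares `Provides: pam:/%{_lib}/security/pam_cracklib.so` and `pam_tally2.so`; whether it also pins itself to the matching base package (`Requires: pam = %{version}-%{release}`) is not visible in this hunk, and it matters because these modules are loaded into the same `libpam.so` whose soname version this spec tracks. Moving `Requires(post): permissions` and `BuildRequires: xz` above the login.defs comment in the first hunk is a pure reorder and fine.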
@@ -140,12 +154,13 @@ export CFLAGS="%{optflags} -DNDEBUG" --libdir=/%{_lib} \ --enable-isadir=../../%{_lib}/security \ --enable-securedir=/%{_lib}/security \ - --enable-vendordir=%{_distconfdir} + --enable-vendordir=%{_distconfdir} \ + --enable-tally2 --enable-cracklib make %{?_smp_mflags} -gcc -fwhole-program -fpie -pie -D_FILE_OFFSET_BITS=64 -D_GNU_SOURCE %{optflags} -I%{_builddir}/linux-pam-%{version}/libpam/include %{SOURCE10} -o %{_builddir}/unix2_chkpwd -L%{_builddir}/linux-pam-%{version}/libpam/.libs/ -lpam +gcc -fwhole-program -fpie -pie -D_FILE_OFFSET_BITS=64 -D_GNU_SOURCE %{optflags} -I%{_builddir}/Linux-PAM-%{version}/libpam/include %{SOURCE10} -o %{_builddir}/unix2_chkpwd -L%{_builddir}/Linux-PAM-%{version}/libpam/.libs -lpam %check -make %{?_smp_mflags} check +%make_build check %install mkdir -p %{buildroot}%{_sysconfdir}/pam.d @@ -197,13 +212,9 @@ for i in pam_*/README; do cp -fpv "$i" "$DOC/modules/README.${i%/*}" done popd -# -# pam_tally is deprecated since ages -# -rm -f %{buildroot}/%{_lib}/security/pam_tally.so -rm -f %{buildroot}/sbin/pam_tally -rm -f %{buildroot}%{_mandir}/man8/pam_tally.8* -rm -f %{buildroot}%{_defaultdocdir}/pam/modules/README.pam_tally +# XXX Remove until whitelisted +rm %{buildroot}/%{_lib}/security/pam_setquota.so +rm %{buildroot}/%{_lib}/security/pam_faillock.so # Install unix2_chkpwd install -m 755 %{_builddir}/unix2_chkpwd %{buildroot}/sbin/ install -m 644 %{_sourcedir}/unix2_chkpwd.8 %{buildroot}/%{_mandir}/man8/ 
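Review bot: The hand-written `gcc` link line for `unix2_chkpwd`, which the `%files` list installs `%attr(4755,root,shadow)`, passes `-fpie -pie` and `%{optflags}` but no `-Wl,-z,relro,-z,now`, so unless the toolchain defaults already add them the setuid helper ends up with weaker link-time hardening than the libtool-built `unix_chkpwd`. Consider appending `-Wl,-z,relro,-z,now` to that line, or better, building the helper through the same automake rules so it inherits upstream's flags. The rename of the source directory from `linux-pam-%{version}` to `Linux-PAM-%{version}` and `%make_build check` replacing `make %{?_smp_mflags} check` look correct.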
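Review bot: `rm %{buildroot}/%{_lib}/security/pam_setquota.so` and `rm %{buildroot}/%{_lib}/security/pam_faillock.so` remove only the modules, while `/sbin/faillock`, `faillock.conf` and the `faillock(8)` / `pam_faillock(8)` / `pam_setquota(8)` man pages were added to `%files` earlier in this series and `faillock.8` is still listed in the `%files` hunk below; that list is cut off at the end of the page, so confirm the tool, config and man pages are dropped together with the modules, otherwise the package ships a lockout tool and config whose module is absent. The `# XXX Remove until whitelisted` comment should reference the whitelist request so the temporary removal does not outlive its reason, e.g. `# XXX Remove until whitelisted, see boo#<PLACEHOLDER-BUG-ID>` (placeholder, not on the page). Dropping the old `pam_tally` cleanup block is consistent with the module now living in the deprecated subpackage.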
@@ -220,16 +231,15 @@ install -m 644 %{_sourcedir}/unix2_chkpwd.8 %{buildroot}/%{_mandir}/man8/
 %set_permissions /sbin/unix2_chkpwd
 %postun -p /sbin/ldconfig
-
 %pre
 for i in securetty pam.d/other pam.d/common-account pam.d/common-auth pam.d/common-password pam.d/common-session ; do
- test -f /etc/${i}.rpmsave && mv -v /etc/${i}.rpmsave /etc/${i}.rpmsave.old ||:
+ test -f %{_sysconfdir}/${i}.rpmsave && mv -v %{_sysconfdir}/${i}.rpmsave %{_sysconfdir}/${i}.rpmsave.old ||:
 done
 %posttrans
 # Migration to /usr/etc.
 for i in securetty pam.d/other pam.d/common-account pam.d/common-auth pam.d/common-password pam.d/common-session ; do
- test -f /etc/${i}.rpmsave && mv -v /etc/${i}.rpmsave /etc/${i} ||:
+ test -f %{_sysconfdir}/${i}.rpmsave && mv -v %{_sysconfdir}/${i}.rpmsave %{_sysconfdir}/${i} ||:
 done
 %files -f Linux-PAM.lang
@@ -266,59 +276,57 @@ done
 %{_mandir}/man5/environment.5%{?ext_man}
 %{_mandir}/man5/*.conf.5%{?ext_man}
 %{_mandir}/man5/pam.d.5%{?ext_man}
-%{_mandir}/man8/PAM.8.gz
-%{_mandir}/man8/faillock.8.gz
-%{_mandir}/man8/mkhomedir_helper.8.gz
-%{_mandir}/man8/pam.8.gz
-%{_mandir}/man8/pam_access.8.gz
-%{_mandir}/man8/pam_cracklib.8.gz
-%{_mandir}/man8/pam_debug.8.gz
-%{_mandir}/man8/pam_deny.8.gz
-%{_mandir}/man8/pam_echo.8.gz
-%{_mandir}/man8/pam_env.8.gz
-%{_mandir}/man8/pam_exec.8.gz
-%{_mandir}/man8/pam_faildelay.8.gz
-%{_mandir}/man8/pam_faillock.8.gz
-%{_mandir}/man8/pam_filter.8.gz
-%{_mandir}/man8/pam_ftp.8.gz
-%{_mandir}/man8/pam_group.8.gz
-%{_mandir}/man8/pam_issue.8.gz
-%{_mandir}/man8/pam_keyinit.8.gz
-%{_mandir}/man8/pam_lastlog.8.gz
-%{_mandir}/man8/pam_limits.8.gz
-%{_mandir}/man8/pam_listfile.8.gz
-%{_mandir}/man8/pam_localuser.8.gz
-%{_mandir}/man8/pam_loginuid.8.gz
-%{_mandir}/man8/pam_mail.8.gz
-%{_mandir}/man8/pam_mkhomedir.8.gz
-%{_mandir}/man8/pam_motd.8.gz
-%{_mandir}/man8/pam_namespace.8.gz
-%{_mandir}/man8/pam_namespace_helper.8.gz
-%{_mandir}/man8/pam_nologin.8.gz
-%{_mandir}/man8/pam_permit.8.gz
-%{_mandir}/man8/pam_pwhistory.8.gz
-%{_mandir}/man8/pam_rhosts.8.gz
-%{_mandir}/man8/pam_rootok.8.gz
-%{_mandir}/man8/pam_securetty.8.gz
-%{_mandir}/man8/pam_selinux.8.gz
-%{_mandir}/man8/pam_sepermit.8.gz
-%{_mandir}/man8/pam_setquota.8.gz
-%{_mandir}/man8/pam_shells.8.gz
-%{_mandir}/man8/pam_succeed_if.8.gz
-%{_mandir}/man8/pam_tally2.8.gz
-%{_mandir}/man8/pam_time.8.gz
-%{_mandir}/man8/pam_timestamp.8.gz
-%{_mandir}/man8/pam_timestamp_check.8.gz
-%{_mandir}/man8/pam_tty_audit.8.gz
-%{_mandir}/man8/pam_umask.8.gz
-%{_mandir}/man8/pam_unix.8.gz
-%{_mandir}/man8/pam_usertype.8.gz
-%{_mandir}/man8/pam_warn.8.gz
-%{_mandir}/man8/pam_wheel.8.gz
-%{_mandir}/man8/pam_xauth.8.gz
-%{_mandir}/man8/unix2_chkpwd.8.gz
-%{_mandir}/man8/unix_chkpwd.8.gz
-%{_mandir}/man8/unix_update.8.gz
+%{_mandir}/man8/PAM.8%{?ext_man}
+%{_mandir}/man8/faillock.8%{?ext_man}
+%{_mandir}/man8/mkhomedir_helper.8%{?ext_man}
+%{_mandir}/man8/pam.8%{?ext_man}
+%{_mandir}/man8/pam_access.8%{?ext_man}
+%{_mandir}/man8/pam_debug.8%{?ext_man}
+%{_mandir}/man8/pam_deny.8%{?ext_man}
+%{_mandir}/man8/pam_echo.8%{?ext_man}
+%{_mandir}/man8/pam_env.8%{?ext_man}
+%{_mandir}/man8/pam_exec.8%{?ext_man}
+%{_mandir}/man8/pam_faildelay.8%{?ext_man}
+%{_mandir}/man8/pam_faillock.8%{?ext_man}
+%{_mandir}/man8/pam_filter.8%{?ext_man}
+%{_mandir}/man8/pam_ftp.8%{?ext_man}
+%{_mandir}/man8/pam_group.8%{?ext_man}
+%{_mandir}/man8/pam_issue.8%{?ext_man}
+%{_mandir}/man8/pam_keyinit.8%{?ext_man}
+%{_mandir}/man8/pam_lastlog.8%{?ext_man}
+%{_mandir}/man8/pam_limits.8%{?ext_man}
+%{_mandir}/man8/pam_listfile.8%{?ext_man}
+%{_mandir}/man8/pam_localuser.8%{?ext_man}
+%{_mandir}/man8/pam_loginuid.8%{?ext_man}
+%{_mandir}/man8/pam_mail.8%{?ext_man}
+%{_mandir}/man8/pam_mkhomedir.8%{?ext_man}
+%{_mandir}/man8/pam_motd.8%{?ext_man}
+%{_mandir}/man8/pam_namespace.8%{?ext_man}
+%{_mandir}/man8/pam_namespace_helper.8%{?ext_man}
+%{_mandir}/man8/pam_nologin.8%{?ext_man}
+%{_mandir}/man8/pam_permit.8%{?ext_man}
+%{_mandir}/man8/pam_pwhistory.8%{?ext_man}
+%{_mandir}/man8/pam_rhosts.8%{?ext_man}
+%{_mandir}/man8/pam_rootok.8%{?ext_man}
+%{_mandir}/man8/pam_securetty.8%{?ext_man}
+%{_mandir}/man8/pam_selinux.8%{?ext_man}
+%{_mandir}/man8/pam_sepermit.8%{?ext_man}
+%{_mandir}/man8/pam_setquota.8%{?ext_man}
+%{_mandir}/man8/pam_shells.8%{?ext_man}
+%{_mandir}/man8/pam_succeed_if.8%{?ext_man}
+%{_mandir}/man8/pam_time.8%{?ext_man}
+%{_mandir}/man8/pam_timestamp.8%{?ext_man}
+%{_mandir}/man8/pam_timestamp_check.8%{?ext_man}
+%{_mandir}/man8/pam_tty_audit.8%{?ext_man}
+%{_mandir}/man8/pam_umask.8%{?ext_man}
+%{_mandir}/man8/pam_unix.8%{?ext_man}
+%{_mandir}/man8/pam_usertype.8%{?ext_man}
+%{_mandir}/man8/pam_warn.8%{?ext_man}
+%{_mandir}/man8/pam_wheel.8%{?ext_man}
+%{_mandir}/man8/pam_xauth.8%{?ext_man}
+%{_mandir}/man8/unix2_chkpwd.8%{?ext_man}
+%{_mandir}/man8/unix_chkpwd.8%{?ext_man}
+%{_mandir}/man8/unix_update.8%{?ext_man}
 /%{_lib}/libpam.so.0
 /%{_lib}/libpam.so.%{libpam_so_version}
 /%{_lib}/libpamc.so.0
@@ -327,14 +335,13 @@ done
 /%{_lib}/libpam_misc.so.%{libpam_misc_so_version}
 %dir /%{_lib}/security
 /%{_lib}/security/pam_access.so
-/%{_lib}/security/pam_cracklib.so
 /%{_lib}/security/pam_debug.so
 /%{_lib}/security/pam_deny.so
 /%{_lib}/security/pam_echo.so
 /%{_lib}/security/pam_env.so
 /%{_lib}/security/pam_exec.so
 /%{_lib}/security/pam_faildelay.so
-/%{_lib}/security/pam_faillock.so
+#/%{_lib}/security/pam_faillock.so
 /%{_lib}/security/pam_filter.so
 %dir /%{_lib}/security/pam_filter
 /%{_lib}/security//pam_filter/upperLOWER
@@ -361,11 +368,10 @@ done
 /%{_lib}/security/pam_selinux.so
 /%{_lib}/security/pam_sepermit.so
 %endif
-/%{_lib}/security/pam_setquota.so
+#/%{_lib}/security/pam_setquota.so
 /%{_lib}/security/pam_shells.so
 /%{_lib}/security/pam_stress.so
 /%{_lib}/security/pam_succeed_if.so
-/%{_lib}/security/pam_tally2.so
 /%{_lib}/security/pam_time.so
 /%{_lib}/security/pam_timestamp.so
 /%{_lib}/security/pam_tty_audit.so
@@ -382,7 +388,6 @@ done
 /sbin/faillock
 /sbin/mkhomedir_helper
 /sbin/pam_namespace_helper
-/sbin/pam_tally2
 /sbin/pam_timestamp_check
 %verify(not mode) %attr(4755,root,shadow) /sbin/unix_chkpwd
 %verify(not mode) %attr(4755,root,shadow) /sbin/unix2_chkpwd
@@ -391,8 +396,16 @@ done
 %files extra
 %defattr(-,root,root,755)
-%attr(755,root,root) /%{_lib}/security/pam_userdb.so
-%attr(644,root,root) %doc %{_mandir}/man8/pam_userdb.8.gz
+/%{_lib}/security/pam_userdb.so
+%{_mandir}/man8/pam_userdb.8%{?ext_man}
+
+%files deprecated
+%defattr(-,root,root,755)
+/%{_lib}/security/pam_cracklib.so
+/%{_lib}/security/pam_tally2.so
+/sbin/pam_tally2
+%{_mandir}/man8/pam_cracklib.8%{?ext_man}
+%{_mandir}/man8/pam_tally2.8%{?ext_man}
 %files doc
 %defattr(644,root,root,755)
From 3c370e0e45c414bd29000da4f438d4beec3ab0938c0b35ac3b5497e49cbe01d4 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Josef=20M=C3=B6llers?=
Date: Mon, 8 Jun 2020 06:48:10 +0000
Subject: [PATCH 7/9] Accepting request 811145 from home:jmoellers:branches:Linux-PAM
OBS-URL: https://build.opensuse.org/request/show/811145
OBS-URL: https://build.opensuse.org/package/show/Linux-PAM/pam?expand=0&rev=214
---
 pam-check-user-home-dir.patch | 72 +++++++++++++++++++++++++++++++++++
 pam.changes | 8 ++++
 pam.spec | 5 ++-
 3 files changed, 83 insertions(+), 2 deletions(-)
 create mode 100644 pam-check-user-home-dir.patch
diff --git a/pam-check-user-home-dir.patch b/pam-check-user-home-dir.patch
new file mode 100644
index 0000000..e3a98e7
--- /dev/null
+++ b/pam-check-user-home-dir.patch
@@ -0,0 +1,72 @@
+From 27ded8954a1235bb65ffc9c730ae5a50b1dfed61 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Josef=20M=C3=B6llers?=
+Date: Fri, 29 May 2020 14:35:43 +0000
+Subject: [PATCH] pam_setquota: skip mountpoints equal to the user's $HOME
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Matthias Gerstner found the following issue:
+
+
+So this pam_setquota module iterates over all mounted file systems using
+`setmntent()` and `getmntent()`. It tries to find the longest match of
+a file system mounted on /home/$USER or above (except when the
+fs=/some/path parameter is passed to the pam module).
+
+The thing is that /home/$USER is owned by the unprivileged user. And
+there exist tools like fusermount from libfuse which is by default
+installed setuid-root for everybody. fusermount allows to mount a FUSE
+file system using an arbitrary "source device name" as the unprivileged
+user.
+
+Thus considering the following use case:
+
+1) there is only the root file system (/) or a file system is mounted on
+ /home, but not on /home/$USER.
+2) the attacker mounts a fake FUSE file system over its own home directory:
+
+ ```
+ user $ export _FUSE_COMMFD=0
+ user $ fusermount $HOME -ononempty,fsname=/dev/sda1
+ ```
+
+ This will result in a mount entry in /proc/mounts looking like this:
+
+ ```
+ /dev/sda1 on /home/$USER type fuse (rw,nosuid,nodev,relatime,user_id=1000,group_id=100)
+ ```
+3) when the attacker now logs in with pam_setquota configured then
+ pam_setquota will identify /dev/sda1 and the file system where
+ to apply the user's quota on.
+
+As a result an unprivileged user has full control over onto which block
+device the quota is applied.
+
+
+If the user's $HOME is on a separate partition, setting a quota on the
+user's $HOME does not really make sense, so this patch skips mountpoints
+equal to the user's $HOME, preventing the above mentioned bug as
+a side-effect (or vice-versa).
+
+Reported-by: Matthias Gerstner
+Co-authored-by: Tomáš Mráz
+Co-authored-by: Dmitry V. Levin
+Resolves: https://github.com/linux-pam/linux-pam/pull/230
+---
+ modules/pam_setquota/pam_setquota.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/modules/pam_setquota/pam_setquota.c b/modules/pam_setquota/pam_setquota.c
+index 9c05862a..01b05e38 100644
+--- a/modules/pam_setquota/pam_setquota.c
++++ b/modules/pam_setquota/pam_setquota.c
+@@ -275,7 +275,7 @@ pam_sm_open_session(pam_handle_t *pamh, int flags UNUSED,
+ */
+ if ((mnt_len > match_size || (mnt_len == 0 && mnt->mnt_dir[0] == '/')) &&
+ (s = pam_str_skip_prefix_len(pwd->pw_dir, mnt->mnt_dir, mnt_len)) != NULL &&
+- (s[0] == '\0' || s[0] == '/')) {
++ s[0] == '/') {
+ free(mntdevice);
+ if ((mntdevice = strdup(mnt->mnt_fsname)) == NULL) {
+ pam_syslog(pamh, LOG_CRIT, "Memory allocation error");
diff --git a/pam.changes b/pam.changes
index ecbc36b..8085123 100644
--- a/pam.changes
+++ b/pam.changes
@@ -1,3 +1,11 @@
+-------------------------------------------------------------------
+Thu May 28 12:36:33 UTC 2020 - Josef Möllers
+
+- pam_setquota.so:
+ When setting quota, don't apply any quota if the user's $HOME is
+ a mountpoint (ie the user has a partition of his/her own).
+ [bsc#1171721, pam-check-user-home-dir.patch]
+
 -------------------------------------------------------------------
 Wed May 27 09:27:32 UTC 2020 - Thorsten Kukuk
diff --git a/pam.spec b/pam.spec
index 82bb5fd..e95797a 100644
--- a/pam.spec
+++ b/pam.spec
@@ -48,6 +48,7 @@ Source12: pam-login_defs-check.sh
 Patch0: fix-man-links.dif
 Patch2: pam-limit-nproc.patch
 Patch4: pam-hostnames-in-access_conf.patch
+Patch5: pam-check-user-home-dir.patch
 BuildRequires: audit-devel
 BuildRequires: bison
 BuildRequires: cracklib-devel
@@ -141,6 +142,7 @@ cp -a %{SOURCE12} .
 %patch0 -p1
 %patch2 -p1
 %patch4 -p1
+%patch5 -p1
 %build
 bash ./pam-login_defs-check.sh
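Review bot: The changed condition `s[0] == '/'` only skips the mount whose mnt_dir equals pw_dir; the loop then keeps the next-longest enclosing mount (e.g. /home or /), so a quota is still applied to that filesystem rather than none — this matches the upstream subject line but not the pam.changes wording "don't apply any quota if the user's $HOME is a mountpoint", which should be reworded to "apply the quota to the enclosing filesystem instead". The comment that ends with `*/` just above the `if` is outside the hunk and presumably still describes the old exact-match behaviour; it should state that an exact match is deliberately skipped because an unprivileged user can place a mount at $HOME and choose its mnt_fsname. pam_sm_open_session starts and ends outside the hunk.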
@@ -213,7 +215,6 @@ for i in pam_*/README; do
 done
 popd
 # XXX Remove until whitelisted
-rm %{buildroot}/%{_lib}/security/pam_setquota.so
 rm %{buildroot}/%{_lib}/security/pam_faillock.so
 # Install unix2_chkpwd
 install -m 755 %{_builddir}/unix2_chkpwd %{buildroot}/sbin/
@@ -368,7 +369,7 @@ done
 /%{_lib}/security/pam_selinux.so
 /%{_lib}/security/pam_sepermit.so
 %endif
-#/%{_lib}/security/pam_setquota.so
+/%{_lib}/security/pam_setquota.so
 /%{_lib}/security/pam_shells.so
 /%{_lib}/security/pam_stress.so
 /%{_lib}/security/pam_succeed_if.so
From 5a8acbff55b6e4fe76f555b94c07e9e6745c353f35c7d67fa0613da7a1784214 Mon Sep 17 00:00:00 2001
From: Thorsten Kukuk
Date: Mon, 8 Jun 2020 08:00:42 +0000
Subject: [PATCH 8/9] - common-password: remove pam_cracklib, as that is deprecated.
OBS-URL: https://build.opensuse.org/package/show/Linux-PAM/pam?expand=0&rev=215
---
 common-password.pamd | 3 +--
 pam.changes | 5 +++++
 2 files changed, 6 insertions(+), 2 deletions(-)
diff --git a/common-password.pamd b/common-password.pamd
index 1baf490..83e9109 100644
--- a/common-password.pamd
+++ b/common-password.pamd
@@ -8,5 +8,4 @@
 # The "nullok" option allows users to change an empty password, else
 # empty passwords are treated as locked accounts.
 #
-password requisite pam_cracklib.so
-password required pam_unix.so use_authtok nullok try_first_pass
+password required pam_unix.so nullok
diff --git a/pam.changes b/pam.changes
index 8085123..8b5264c 100644
--- a/pam.changes
+++ b/pam.changes
@@ -1,3 +1,8 @@
+-------------------------------------------------------------------
+Mon Jun 8 07:59:58 UTC 2020 - Thorsten Kukuk
+
+- common-password: remove pam_cracklib, as that is deprecated.
+
 -------------------------------------------------------------------
 Thu May 28 12:36:33 UTC 2020 - Josef Möllers
From 8c2c16298451d536df2d81e8609c1846c3176811a228ad66e96c2cea975173b3 Mon Sep 17 00:00:00 2001
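Review bot: Dropping `pam_cracklib.so` without a successor removes all password-quality enforcement from the default common-password stack, so `password required pam_unix.so nullok` now accepts whatever new password the user proposes; deprecation of the module is a reason to replace it, not to leave the stack with no check at all. Until a replacement such as pam_pwquality (not visible in this spec) is wired in, consider at least pam_unix's own options, e.g. `password required pam_unix.so nullok obscure minlen=8`, and record the loss of strength checking in the pam.changes entry, which currently notes only the removal. Dropping `use_authtok` and `try_first_pass` is correct now that pam_unix is the first module in the stack.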
From: Thorsten Kukuk Date: Mon, 8 Jun 2020 13:50:31 +0000 Subject: [PATCH 9/9] - Update to final 1.4.0 release - includes pam-check-user-home-dir.patch - obsoletes fix-man-links.dif OBS-URL: https://build.opensuse.org/package/show/Linux-PAM/pam?expand=0&rev=216 --- Linux-PAM-1.3.92-docs.tar.xz | 3 -- Linux-PAM-1.3.92.tar.xz | 3 -- Linux-PAM-1.4.0-docs.tar.xz | 3 ++ Linux-PAM-1.4.0.tar.xz | 3 ++ fix-man-links.dif | 56 --------------------------- pam-check-user-home-dir.patch | 72 ----------------------------------- pam.changes | 7 ++++ pam.spec | 6 +-- 8 files changed, 14 insertions(+), 139 deletions(-) delete mode 100644 Linux-PAM-1.3.92-docs.tar.xz delete mode 100644 Linux-PAM-1.3.92.tar.xz create mode 100644 Linux-PAM-1.4.0-docs.tar.xz create mode 100644 Linux-PAM-1.4.0.tar.xz delete mode 100644 fix-man-links.dif delete mode 100644 pam-check-user-home-dir.patch diff --git a/Linux-PAM-1.3.92-docs.tar.xz b/Linux-PAM-1.3.92-docs.tar.xz deleted file mode 100644 index cef9c1b..0000000 --- a/Linux-PAM-1.3.92-docs.tar.xz +++ /dev/null @@ -1,3 +0,0 @@ -version https://git-lfs.github.com/spec/v1 -oid sha256:58af8e875cdcaffcf5bc2ca2d228dcb2f1589e73448391f2de562dfed186cf8a -size 464148 diff --git a/Linux-PAM-1.3.92.tar.xz b/Linux-PAM-1.3.92.tar.xz deleted file mode 100644 index bfd8bbf..0000000 --- a/Linux-PAM-1.3.92.tar.xz +++ /dev/null @@ -1,3 +0,0 @@ -version https://git-lfs.github.com/spec/v1 -oid sha256:12bb1b2128fa4cffdd3ba5950e2f985602db35f2ff984129709e84b8f5e6225b -size 982628 diff --git a/Linux-PAM-1.4.0-docs.tar.xz b/Linux-PAM-1.4.0-docs.tar.xz new file mode 100644 index 0000000..273819e --- /dev/null +++ b/Linux-PAM-1.4.0-docs.tar.xz @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:351764a0643052564a4b840320744c7e402112a2a57d2ac04511a6d22dc52e04 +size 477712 diff --git a/Linux-PAM-1.4.0.tar.xz b/Linux-PAM-1.4.0.tar.xz new file mode 100644 index 0000000..fedf45f --- /dev/null +++ b/Linux-PAM-1.4.0.tar.xz 
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:cd6d928c51e64139be3bdb38692c68183a509b83d4f2c221024ccd4bcddfd034
+size 988908
diff --git a/fix-man-links.dif b/fix-man-links.dif
deleted file mode 100644
index 04fe917..0000000
--- a/fix-man-links.dif
+++ /dev/null
@@ -1,56 +0,0 @@ -Index: Linux-PAM-1.1.8/doc/man/pam.8 -=================================================================== ---- Linux-PAM-1.1.8.orig/doc/man/pam.8 -+++ Linux-PAM-1.1.8/doc/man/pam.8 -@@ -1 +1 @@ --.so PAM.8 -+.so man8/PAM.8 -Index: Linux-PAM-1.1.8/doc/man/pam.d.5 -=================================================================== ---- Linux-PAM-1.1.8.orig/doc/man/pam.d.5 -+++ Linux-PAM-1.1.8/doc/man/pam.d.5 -@@ -1 +1 @@ --.so pam.conf.5 -+.so man5/pam.conf.5 -Index: Linux-PAM-1.1.8/doc/man/pam_get_authtok_noverify.3 -=================================================================== ---- Linux-PAM-1.1.8.orig/doc/man/pam_get_authtok_noverify.3 -+++ Linux-PAM-1.1.8/doc/man/pam_get_authtok_noverify.3 -@@ -1 +1 @@ --.so pam_get_authtok.3 -+.so man3/pam_get_authtok.3 -Index: Linux-PAM-1.1.8/doc/man/pam_get_authtok_verify.3 -=================================================================== ---- Linux-PAM-1.1.8.orig/doc/man/pam_get_authtok_verify.3 -+++ Linux-PAM-1.1.8/doc/man/pam_get_authtok_verify.3 -@@ -1 +1 @@ --.so pam_get_authtok.3 -+.so man3/pam_get_authtok.3 -Index: Linux-PAM-1.1.8/doc/man/pam_verror.3 -=================================================================== ---- Linux-PAM-1.1.8.orig/doc/man/pam_verror.3 -+++ Linux-PAM-1.1.8/doc/man/pam_verror.3 -@@ -1 +1 @@ --.so pam_error.3 -+.so man3/pam_error.3 -Index: Linux-PAM-1.1.8/doc/man/pam_vinfo.3 -=================================================================== ---- Linux-PAM-1.1.8.orig/doc/man/pam_vinfo.3 -+++ Linux-PAM-1.1.8/doc/man/pam_vinfo.3 -@@ -1 +1 @@ --.so pam_info.3 -+.so man3/pam_info.3 -Index: Linux-PAM-1.1.8/doc/man/pam_vprompt.3 -=================================================================== ---- Linux-PAM-1.1.8.orig/doc/man/pam_vprompt.3 -+++ Linux-PAM-1.1.8/doc/man/pam_vprompt.3 -@@ -1 +1 @@ --.so pam_prompt.3 -+.so man3/pam_prompt.3 -Index: Linux-PAM-1.1.8/doc/man/pam_vsyslog.3 -=================================================================== ---- 
Linux-PAM-1.1.8.orig/doc/man/pam_vsyslog.3 -+++ Linux-PAM-1.1.8/doc/man/pam_vsyslog.3 -@@ -1 +1 @@ --.so pam_syslog.3 -+.so man3/pam_syslog.3 diff --git a/pam-check-user-home-dir.patch b/pam-check-user-home-dir.patch deleted file mode 100644 index e3a98e7..0000000 --- a/pam-check-user-home-dir.patch +++ /dev/null 
@@ -1,72 +0,0 @@ -From 27ded8954a1235bb65ffc9c730ae5a50b1dfed61 Mon Sep 17 00:00:00 2001 -From: =?UTF-8?q?Josef=20M=C3=B6llers?= -Date: Fri, 29 May 2020 14:35:43 +0000 -Subject: [PATCH] pam_setquota: skip mountpoints equal to the user's $HOME -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -Matthias Gerstner found the following issue: - - -So this pam_setquota module iterates over all mounted file systems using -`setmntent()` and `getmntent()`. It tries to find the longest match of -a file system mounted on /home/$USER or above (except when the -fs=/some/path parameter is passed to the pam module). - -The thing is that /home/$USER is owned by the unprivileged user. And -there exist tools like fusermount from libfuse which is by default -installed setuid-root for everybody. fusermount allows to mount a FUSE -file system using an arbitrary "source device name" as the unprivileged -user. - -Thus considering the following use case: - -1) there is only the root file system (/) or a file system is mounted on - /home, but not on /home/$USER. -2) the attacker mounts a fake FUSE file system over its own home directory: - - ``` - user $ export _FUSE_COMMFD=0 - user $ fusermount $HOME -ononempty,fsname=/dev/sda1 - ``` - - This will result in a mount entry in /proc/mounts looking like this: - - ``` - /dev/sda1 on /home/$USER type fuse (rw,nosuid,nodev,relatime,user_id=1000,group_id=100) - ``` -3) when the attacker now logs in with pam_setquota configured then - pam_setquota will identify /dev/sda1 and the file system where - to apply the user's quota on. - -As a result an unprivileged user has full control over onto which block -device the quota is applied. - - -If the user's $HOME is on a separate partition, setting a quota on the -user's $HOME does not really make sense, so this patch skips mountpoints -equal to the user's $HOME, preventing the above mentioned bug as -a side-effect (or vice-versa). 
- -Reported-by: Matthias Gerstner -Co-authored-by: Tomáš Mráz -Co-authored-by: Dmitry V. Levin -Resolves: https://github.com/linux-pam/linux-pam/pull/230 ---- - modules/pam_setquota/pam_setquota.c | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/modules/pam_setquota/pam_setquota.c b/modules/pam_setquota/pam_setquota.c -index 9c05862a..01b05e38 100644 ---- a/modules/pam_setquota/pam_setquota.c -+++ b/modules/pam_setquota/pam_setquota.c -@@ -275,7 +275,7 @@ pam_sm_open_session(pam_handle_t *pamh, int flags UNUSED, - */ - if ((mnt_len > match_size || (mnt_len == 0 && mnt->mnt_dir[0] == '/')) && - (s = pam_str_skip_prefix_len(pwd->pw_dir, mnt->mnt_dir, mnt_len)) != NULL && -- (s[0] == '\0' || s[0] == '/')) { -+ s[0] == '/') { - free(mntdevice); - if ((mntdevice = strdup(mnt->mnt_fsname)) == NULL) { - pam_syslog(pamh, LOG_CRIT, "Memory allocation error"); diff --git a/pam.changes b/pam.changes index 8b5264c..f2c199e 100644 --- a/pam.changes +++ b/pam.changes @@ -1,3 +1,10 @@ +------------------------------------------------------------------- +Mon Jun 8 13:19:12 UTC 2020 - Thorsten Kukuk + +- Update to final 1.4.0 release + - includes pam-check-user-home-dir.patch + - obsoletes fix-man-links.dif + ------------------------------------------------------------------- Mon Jun 8 07:59:58 UTC 2020 - Thorsten Kukuk diff --git a/pam.spec b/pam.spec index e95797a..cff51f0 100644 --- a/pam.spec +++ b/pam.spec @@ -27,7 +27,7 @@ %endif Name: pam # -Version: 1.3.92 +Version: 1.4.0 Release: 0 Summary: A Security Tool that Provides Authentication for Applications License: GPL-2.0-or-later OR BSD-3-Clause @@ -45,10 +45,8 @@ Source9: baselibs.conf Source10: unix2_chkpwd.c Source11: unix2_chkpwd.8 Source12: pam-login_defs-check.sh -Patch0: fix-man-links.dif Patch2: pam-limit-nproc.patch Patch4: pam-hostnames-in-access_conf.patch -Patch5: pam-check-user-home-dir.patch BuildRequires: audit-devel BuildRequires: bison BuildRequires: cracklib-devel 
@@ -139,10 +137,8 @@ removed with one of the next releases.
 %prep
 %setup -q -n Linux-PAM-%{version} -b 1
 cp -a %{SOURCE12} .
-%patch0 -p1
 %patch2 -p1
 %patch4 -p1
-%patch5 -p1
 %build
 bash ./pam-login_defs-check.sh