pool/pam
SHA256
2
0
Fork 1
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Accepting request 1139944 from Linux-PAM

Browse Source 
- Add post 1.6.0 release fixes for pam_env and pam_unix:
  - pam_env-fix-enable-vendordir-fallback.patch
  - pam_env-fix_vendordir.patch
  - pam_env-remove-escaped-newlines.patch
  - pam_unix-fix-password-aging-disabled.patch
- Update to version 1.6.0
  - Added support of configuration files with arbitrarily long lines.
  - build: fixed build outside of the source tree.
  - libpam: added use of getrandom(2) as a source of randomness if available.
  - libpam: fixed calculation of fail delay with very long delays.
  - libpam: fixed potential infinite recursion with includes.
  - libpam: implemented string to number conversions validation when parsing
    controls in configuration.
  - pam_access: added quiet_log option.
  - pam_access: fixed truncation of very long group names.
  - pam_canonicalize_user: new module to canonicalize user name.
  - pam_echo: fixed file handling to prevent overflows and short reads.
  - pam_env: added support of '\' character in environment variable values.
  - pam_exec: allowed expose_authtok for password PAM_TYPE.
  - pam_exec: fixed stack overflow with binary output of programs.
  - pam_faildelay: implemented parameter ranges validation.
  - pam_listfile: changed to treat \r and \n exactly the same in configuration.
  - pam_mkhomedir: hardened directory creation against timing attacks.
  - Please note that using *at functions leads to more open file handles
    during creation.
  - pam_namespace: fixed potential local DoS (CVE-2024-22365).
  - pam_nologin: fixed file handling to prevent short reads.
  - pam_pwhistory: helper binary is now built only if SELinux support is
    enabled.
  - pam_pwhistory: implemented reliable usernames handling when remembering

OBS-URL: https://build.opensuse.org/request/show/1139944
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/pam?expand=0&rev=134
This commit is contained in:
Ana Guerrero 2024-01-23 21:55:08 +00:00 committed by Git OBS Bridge
commit daf3dbbb29
15 changed files with 283 additions and 195 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

BIN
Linux-PAM-1.5.3.tar.xz (Stored with Git LFS)
View File

Binary file not shown.

16
Linux-PAM-1.5.3.tar.xz.asc
View File

@ -1,16 +0,0 @@
-----BEGIN PGP SIGNATURE-----
iQIcBAABCgAGBQJkWBFQAAoJEKgEH6g54W42OoMP/R1O9dvpncrR4DfD3yJViTPw
To3isPszsdHhw/uZUzCBEUMxhJgUgefzHGAng1EbTyX2eTLk/cnLY8pZLXr3pzC0
5CfacxAqgjK8B/7CbchsZQCDal84E5jR8qyzVCM3IPxZQfpiR3HJzXVjhg/gnBcY
L6v7FbLpcdM2keHHT1C/hyQfTnzyIdmwyzRdE1DF3ERbe3/1VlNmANNOacZ1H2T9
Hs5dVIFiXwOO11Xku42oOo99LCqXyIsRnEogBFCORHNjD7B88lCdJAHssBdvWq5t
/CJnoGtJrVCXs11JVPSNyW0rm24rZH9YCC6yVRIuMq6jjMBawFUlMAqamLoSA3hK
4BPuPqQjHYk/D5H+m0HF2qRDpz76Bj1zdmYofqspeJf4QJOyOpMSXFY3pgsohuKW
P8YQ44cAkmMswFqMSKGi9EVnf6SVXWQFoHJhtlbUgi7ef/4IICrbtgSSE96OGdlg
Sdoplu3n+1HClaYqlHbjkd/m0Hc8QvOjovctb0Zoclnlup+u2JH4rDNqjxFUvkWB
8CeILjebgBrNRqAFDx7fKBEQyHs5FLOtUU1SwBLXXSyMCHuMhr/tKBHcbDgMhpVP
IiIyYGyEGUoIR/er5AgIX9e6/zcQbc8OvY+gTu9t+tw+HIt8hGvUUkuYX8LB1k6r
zf06e/iTT4GL6AhJtbh3
=2hyW
-----END PGP SIGNATURE-----

BIN
Linux-PAM-1.6.0.tar.xz (Stored with Git LFS) Normal file
View File

Binary file not shown.

16
Linux-PAM-1.6.0.tar.xz.asc Normal file
View File

@ -0,0 +1,16 @@
-----BEGIN PGP SIGNATURE-----
iQIcBAABCgAGBQJlp6wnAAoJEKgEH6g54W42MiEP/A9ZznPwFC64SbhbvFYOt6dI
n7NMhzBK4NNw4FLuqeTtIDibNVZ5PkrPHTVaaUuZ2etIkAtUzQLJfB6AyIUY80Gm
NrURXs3LTGZT413A5hH21wUiMLFXIi8GGcz2THV9FJX4KruOkvxXVTxUH6ntlsHY
U+NpNbQXtbq7whzdb7A2W7Ofyg4/gG/QJuLil1cS0rlGg2GhGqxQKBpzvag3fFM3
XQClfUTF0ALhR6RH0HzolwEsOSp/C1US0mHHfBsvMlbkHrba5VrlQyvdximtzXxw
6+vNaYVd0SX40e3QCLFQ3yAwqAVK6g0lVlgohSCZbjDJgdcoklShE2x7GtVyzwMi
Vic7nkzANQPb0EH14Bo+SMQEOGtZ99tVUt4jX4Rt6f0P/pBCiF6ugJj/IJ67Ouu2
gp1aRVFrrhFetucdeZhnXb7IJ8h4FDtklRcOS8OgsPGJofLjZmVICrwt6sxpU30n
b/csdoJ1xrMuvo1RGAeSi58sz4KiyKxnTDJL1+7owoK6oNMkN2HR6pE4NH0Atm4n
NcQykgvavC6GZwUsMqrGQypG30LdkKiRScPqCerNYzi01iL7Zxw5BK/plFBwCqJQ
LQH1FUUKEUMA13dt/bUOMSUNmkyIC3PtE69g6XeLRL1M00gRwGgjn8azcYDzOWox
zxDFnUsJ/JgmJm3y47J2
=wzV/
-----END PGP SIGNATURE-----

51
disable-examples.patch
View File

@ -1,51 +0,0 @@
From 5fa961fd3b5b8cf5ba1a0cf49b10ebf79e273e96 Mon Sep 17 00:00:00 2001
From: Pino Toscano <toscano.pino@tiscali.it>
Date: Mon, 8 May 2023 18:39:36 +0200
Subject: [PATCH] configure.ac: add --enable-examples option
Allow the user to not build the examples through --disable-examples
(enabled by default); this can be useful:
- when cross-compiling, as the examples are not useful
- in distribution builds, not building stuff that is not used in any
way
---
Makefile.am | 5 ++++-
configure.ac | 5 +++++
2 files changed, 9 insertions(+), 1 deletion(-)
diff --git a/Makefile.am b/Makefile.am
index deb252680..2e8fede7b 100644
--- a/Makefile.am
+++ b/Makefile.am
@@ -4,11 +4,14 @@
AUTOMAKE_OPTIONS = 1.9 gnu dist-xz no-dist-gzip check-news
-SUBDIRS = libpam tests libpamc libpam_misc modules po conf examples xtests
+SUBDIRS = libpam tests libpamc libpam_misc modules po conf xtests
if HAVE_DOC
SUBDIRS += doc
endif
+if HAVE_EXAMPLES
+SUBDIRS += examples
+endif
CLEANFILES = *~
diff --git a/configure.ac b/configure.ac
index b9b0f8392..6666b1b26 100644
--- a/configure.ac
+++ b/configure.ac
@@ -224,6 +224,11 @@ AC_ARG_ENABLE([doc],
WITH_DOC=$enableval, WITH_DOC=yes)
AM_CONDITIONAL([HAVE_DOC], [test "x$WITH_DOC" = "xyes"])
+AC_ARG_ENABLE([examples],
+ AS_HELP_STRING([--disable-examples],[Do not build the examples]),
+ WITH_EXAMPLES=$enableval, WITH_EXAMPLES=yes)
+AM_CONDITIONAL([HAVE_EXAMPLES], [test "x$WITH_EXAMPLES" = "xyes"])
+
AC_ARG_ENABLE([prelude],
AS_HELP_STRING([--disable-prelude],[do not use prelude]),
WITH_PRELUDE=$enableval, WITH_PRELUDE=yes)

2
pam-login_defs-check.sh
View File

@ -12,7 +12,7 @@ grep -rh LOGIN_DEFS . |
sed -n 's/CRYPTO_KEY/\"HMAC_CRYPTO_ALGO\"/g;s/^.*search_key *([A-Za-z_]*, *[A-Z_]*LOGIN_DEFS, *"\([A-Z0-9_]*\)").*$/\1/p' |
LC_ALL=C sort -u >pam-login_defs-vars.lst
if test $(sha1sum pam-login_defs-vars.lst | sed 's/ .*$//') != cda62ec4158236270a5a30ba1875fa2795926f23 ; then
if test $(sha1sum pam-login_defs-vars.lst | sed 's/ .*$//') != 8521c47f55dff97fac980d52395b763590cd3f07 ; then
echo "does not match!" >&2
echo "Checksum is: $(sha1sum pam-login_defs-vars.lst | sed 's/ .*$//')" >&2

60
pam.changes
View File

@ -1,3 +1,63 @@
-------------------------------------------------------------------
Fri Jan 19 09:11:30 UTC 2024 - Thorsten Kukuk <kukuk@suse.com>
- Add post 1.6.0 release fixes for pam_env and pam_unix:
- pam_env-fix-enable-vendordir-fallback.patch
- pam_env-fix_vendordir.patch
- pam_env-remove-escaped-newlines.patch
- pam_unix-fix-password-aging-disabled.patch
- Update to version 1.6.0
- Added support of configuration files with arbitrarily long lines.
- build: fixed build outside of the source tree.
- libpam: added use of getrandom(2) as a source of randomness if available.
- libpam: fixed calculation of fail delay with very long delays.
- libpam: fixed potential infinite recursion with includes.
- libpam: implemented string to number conversions validation when parsing
controls in configuration.
- pam_access: added quiet_log option.
- pam_access: fixed truncation of very long group names.
- pam_canonicalize_user: new module to canonicalize user name.
- pam_echo: fixed file handling to prevent overflows and short reads.
- pam_env: added support of '\' character in environment variable values.
- pam_exec: allowed expose_authtok for password PAM_TYPE.
- pam_exec: fixed stack overflow with binary output of programs.
- pam_faildelay: implemented parameter ranges validation.
- pam_listfile: changed to treat \r and \n exactly the same in configuration.
- pam_mkhomedir: hardened directory creation against timing attacks.
- Please note that using *at functions leads to more open file handles
during creation.
- pam_namespace: fixed potential local DoS (CVE-2024-22365).
- pam_nologin: fixed file handling to prevent short reads.
- pam_pwhistory: helper binary is now built only if SELinux support is
enabled.
- pam_pwhistory: implemented reliable usernames handling when remembering
passwords.
- pam_shells: changed to allow shell entries with absolute paths only.
- pam_succeed_if: fixed treating empty strings as numerical value 0.
- pam_unix: added support of disabled password aging.
- pam_unix: synchronized password aging with shadow.
- pam_unix: implemented string to number conversions validation.
- pam_unix: fixed truncation of very long user names.
- pam_unix: corrected rounds retrieval for configured encryption method.
- pam_unix: implemented reliable usernames handling when remembering
passwords.
- pam_unix: changed to always run the helper to obtain shadow password
entries.
- pam_unix: unix_update helper binary is now built only if SELinux support
is enabled.
- pam_unix: added audit support to unix_update helper.
- pam_userdb: added gdbm support.
- Multiple minor bug fixes, portability fixes, documentation improvements,
and translation updates.
- The following patches are obsolete with the update:
- pam_access-doc-IPv6-link-local.patch
- pam_access-hostname-debug.patch
- pam_shells-fix-econf-memory-leak.patch
- pam_shells-fix-econf-memory-leak.patch
- disable-examples.patch
- pam-login_defs-check.sh: adjust checksum, SHA_CRYPT_MAX_ROUNDS
is no longer used.
-------------------------------------------------------------------
Wed Aug 23 09:20:06 UTC 2023 - Thorsten Kukuk <kukuk@suse.com>

32
pam.spec
View File

@ -71,7 +71,7 @@
#
Name: pam%{name_suffix}
#
Version: 1.5.3
Version: 1.6.0
Release: 0
Summary: A Security Tool that Provides Authentication for Applications
License: GPL-2.0-or-later OR BSD-3-Clause
@ -96,14 +96,14 @@ Source22: postlogin-account.pamd
Source23: postlogin-password.pamd
Source24: postlogin-session.pamd
Patch1: pam-limit-nproc.patch
# https://github.com/linux-pam/linux-pam/pull/594
Patch2: pam_access-doc-IPv6-link-local.patch
# https://github.com/linux-pam/linux-pam/pull/596
Patch3: pam_access-hostname-debug.patch
# https://github.com/linux-pam/linux-pam/pull/581
Patch4: pam_shells-fix-econf-memory-leak.patch
# https://github.com/linux-pam/linux-pam/pull/574
Patch5: disable-examples.patch
# https://github.com/linux-pam/linux-pam/pull/739
Patch2: pam_env-fix_vendordir.patch
# https://github.com/linux-pam/linux-pam/pull/740
Patch3: pam_env-fix-enable-vendordir-fallback.patch
# https://github.com/linux-pam/linux-pam/pull/741
Patch4: pam_env-remove-escaped-newlines.patch
# https://github.com/linux-pam/linux-pam/pull/744
Patch5: pam_unix-fix-password-aging-disabled.patch
BuildRequires: audit-devel
BuildRequires: bison
BuildRequires: flex
@ -151,7 +151,9 @@ username/password pair against values stored in a Berkeley DB database.
%package -n pam-extra
Summary: PAM module with extended dependencies
Group: System/Libraries
BuildRequires: pkgconfig(systemd)
#BuildRequires: pkgconfig(systemd)
# The systemd-mini package does not pass configure checks
BuildRequires: systemd-devel >= 254
BuildRequires: pam-devel
Provides: pam:%{_sbindir}/pam_timestamp_check
@ -237,7 +239,9 @@ autoreconf
--enable-isadir=../..%{_pam_moduledir} \
--enable-securedir=%{_pam_moduledir} \
--enable-vendordir=%{_prefix}/etc \
%if "%{flavor}" == "full"
--enable-logind \
%endif
--disable-examples \
--disable-nis \
%if %{with debug}
@ -290,9 +294,13 @@ mkdir -p -m 755 %{buildroot}%{_libdir}
mkdir -p %{buildroot}%{_distconfdir}/pam.d
%make_install
/sbin/ldconfig -n %{buildroot}%{libdir}
# XXX remove for now until we have a security review of the new module
rm -f %{buildroot}%{_libdir}/security/pam_canonicalize_user.so
/sbin/ldconfig -n %{buildroot}%{_libdir}
# Install documentation
%make_install -C doc
# XXX remove for now until we have a security review, see above
rm -f %{buildroot}%{_mandir}/man8/pam_canonicalize_user.8*
# install /etc/security/namespace.d used by pam_namespace.so for namespace.conf iscript
install -d %{buildroot}%{_pam_secconfdir}/namespace.d
# install other.pamd and common-*.pamd
@ -343,7 +351,7 @@ echo '.so man8/pam_motd.8' > %{buildroot}%{_mandir}/man5/motd.5
%if !%{build_main}
rm -rf %{buildroot}{%{_sysconfdir},%{_distconfdir},%{_sbindir}/{f*,m*,pam_n*,pw*,u*},%{_pam_secconfdir},%{_pam_confdir},%{_datadir}/locale}
rm -rf %{buildroot}{%{_includedir},%{_libdir}/{libpam*,pkgconfig},%{_pam_vendordir},%{_rpmmacrodir},%{_tmpfilesdir}}
rm -rf %{buildroot}{%{_includedir},%{_libdir}/{libpam*,pkgconfig},%{_pam_vendordir},%{_rpmmacrodir},%{_tmpfilesdir},%{_unitdir}/pam_namespace.service}
rm -rf %{buildroot}%{_pam_moduledir}/pam_{a,b,c,d,e,f,g,h,j,k,l,m,n,o,p,q,r,s,v,w,x,y,z,time.,tt,um,un,usertype}*
%else
# Delete files for extra package

63
pam_access-doc-IPv6-link-local.patch
View File

@ -1,63 +0,0 @@
From 4ba3105511c3a55fc750a790f7310c6d7ebfdfda Mon Sep 17 00:00:00 2001
From: Thorsten Kukuk <kukuk@suse.com>
Date: Thu, 3 Aug 2023 17:11:32 +0200
Subject: [PATCH] pam_access: document IPv6 link-local addresses (#582)
* modules/pam_access/access.conf.5.xml: Add example and note for IPv6
link-local addresses
* modules/pam_access/access.conf: Add example for IPv6 link-local
addresses
---
modules/pam_access/access.conf | 3 +++
modules/pam_access/access.conf.5.xml | 12 +++++++++++-
2 files changed, 14 insertions(+), 1 deletion(-)
diff --git a/modules/pam_access/access.conf b/modules/pam_access/access.conf
index 47b6b84c1..9c8e21716 100644
--- a/modules/pam_access/access.conf
+++ b/modules/pam_access/access.conf
@@ -115,6 +115,9 @@
# User "john" should get access from ipv6 host address (same as above)
#+:john:2001:4ca0:0:101:0:0:0:1
#
+# User "john" should get access from ipv6 local link host address
+#+:john:fe80::de95:818c:1b55:7e42%eth0
+#
# User "john" should get access from ipv6 net/mask
#+:john:2001:4ca0:0:101::/64
#
diff --git a/modules/pam_access/access.conf.5.xml b/modules/pam_access/access.conf.5.xml
index ff1cb2237..2dc5d477c 100644
--- a/modules/pam_access/access.conf.5.xml
+++ b/modules/pam_access/access.conf.5.xml
@@ -188,6 +188,12 @@
</para>
<para>+:john foo:2001:db8:0:101::1</para>
+ <para>
+ User <emphasis>john</emphasis> and <emphasis>foo</emphasis>
+ should get access from IPv6 link local host address.
+ </para>
+ <para>+:john foo:fe80::de95:818c:1b55:7e42%eth1</para>
+
<para>
User <emphasis>john</emphasis> should get access from IPv6 net/mask.
</para>
@@ -222,6 +228,10 @@
item and the line will be most probably ignored. For this reason, it is not
recommended to put spaces around the ':' characters.
</para>
+ <para>
+ An IPv6 link local host address must contain the interface
+ identifier. IPv6 link local network/netmask is not supported.
+ </para>
</refsect1>
<refsect1 xml:id="access.conf-see_also">
@@ -246,4 +256,4 @@
introduced by Mike Becher &lt;mike.becher@lrz-muenchen.de&gt;.
</para>
</refsect1>
-</refentry>
\ No newline at end of file
+</refentry>

27
pam_access-hostname-debug.patch
View File

@ -1,27 +0,0 @@
From 741acf4ff707d53b94947736a01eeeda5e2c7e98 Mon Sep 17 00:00:00 2001
From: Thorsten Kukuk <kukuk@suse.com>
Date: Fri, 4 Aug 2023 15:46:16 +0200
Subject: [PATCH] pam_access: make non-resolveable hostname a debug output
(#590)
* modules/pam_access/pam_access.c (network_netmask_match): Don't print
an error if a string is not resolveable, only a debug message in debug
mode. We even don't know if that entry is for remote logins or not.
---
modules/pam_access/pam_access.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/modules/pam_access/pam_access.c b/modules/pam_access/pam_access.c
index f70b7e495..985dc7de2 100644
--- a/modules/pam_access/pam_access.c
+++ b/modules/pam_access/pam_access.c
@@ -876,7 +876,8 @@ network_netmask_match (pam_handle_t *pamh,
*/
if (getaddrinfo (tok, NULL, NULL, &ai) != 0)
{
- pam_syslog(pamh, LOG_ERR, "cannot resolve hostname \"%s\"", tok);
+ if (item->debug)
+ pam_syslog(pamh, LOG_DEBUG, "cannot resolve hostname \"%s\"", tok);
return NO;
}

51
pam_env-fix-enable-vendordir-fallback.patch Normal file
View File

@ -0,0 +1,51 @@
From 28894b319488e8302899ee569b6e0911905f374e Mon Sep 17 00:00:00 2001
From: "Dmitry V. Levin" <ldv@strace.io>
Date: Thu, 18 Jan 2024 17:00:00 +0000
Subject: [PATCH] pam_env: fix --enable-vendordir fallback logic
* modules/pam_env/pam_env.c (_parse_config_file) [!USE_ECONF &&
VENDOR_DEFAULT_CONF_FILE]: Do not fallback to vendor pam_env.conf file
if the config file is specified via module arguments.
Link: https://github.com/linux-pam/linux-pam/issues/738
Fixes: v1.5.3~69 ("pam_env: Use vendor specific pam_env.conf and environment as fallback")
---
modules/pam_env/pam_env.c | 22 +++++++++++-----------
1 file changed, 11 insertions(+), 11 deletions(-)
diff --git a/modules/pam_env/pam_env.c b/modules/pam_env/pam_env.c
index a0b812fff..8b40b6a5a 100644
--- a/modules/pam_env/pam_env.c
+++ b/modules/pam_env/pam_env.c
@@ -850,20 +850,20 @@ _parse_config_file(pam_handle_t *pamh, int ctrl, const char *file)
#ifdef USE_ECONF
/* If "file" is not NULL, only this file will be parsed. */
retval = econf_read_file(pamh, file, " \t", PAM_ENV, ".conf", "security", &conf_list);
-#else
+#else /* !USE_ECONF */
/* Only one file will be parsed. So, file has to be set. */
- if (file == NULL) /* No filename has been set via argv. */
+ if (file == NULL) { /* No filename has been set via argv. */
file = DEFAULT_CONF_FILE;
-#ifdef VENDOR_DEFAULT_CONF_FILE
- /*
- * Check whether file is available.
- * If it does not exist, fall back to VENDOR_DEFAULT_CONF_FILE file.
- */
- struct stat stat_buffer;
- if (stat(file, &stat_buffer) != 0 && errno == ENOENT) {
- file = VENDOR_DEFAULT_CONF_FILE;
+# ifdef VENDOR_DEFAULT_CONF_FILE
+ /*
+ * Check whether DEFAULT_CONF_FILE file is available.
+ * If it does not exist, fall back to VENDOR_DEFAULT_CONF_FILE file.
+ */
+ struct stat stat_buffer;
+ if (stat(file, &stat_buffer) != 0 && errno == ENOENT)
+ file = VENDOR_DEFAULT_CONF_FILE;
+# endif
}
-#endif
retval = read_file(pamh, file, &conf_list);
#endif

51
pam_env-fix_vendordir.patch Normal file
View File

@ -0,0 +1,51 @@
From 0703453bec6ac54ad31d7245be4529796a3ef764 Mon Sep 17 00:00:00 2001
From: Tobias Stoeckmann <tobias@stoeckmann.org>
Date: Thu, 18 Jan 2024 18:08:05 +0100
Subject: [PATCH] pam_env: check VENDORDIR after config.h inclusion
The VENDORDIR define has to be checked after config.h
inclusion, otherwise the ifdef test always yields false.
Fixes: 6135c45347b6 ("pam_env: Use vendor specific pam_env.conf and environment as fallback")
Signed-off-by: Tobias Stoeckmann <tobias@stoeckmann.org>
---
modules/pam_env/pam_env.c | 18 +++++++++---------
1 file changed, 9 insertions(+), 9 deletions(-)
diff --git a/modules/pam_env/pam_env.c b/modules/pam_env/pam_env.c
index 59adc942c..a0b812fff 100644
--- a/modules/pam_env/pam_env.c
+++ b/modules/pam_env/pam_env.c
@@ -6,15 +6,6 @@
* template for this file (via pam_mail)
*/
-#define DEFAULT_ETC_ENVFILE "/etc/environment"
-#ifdef VENDORDIR
-#define VENDOR_DEFAULT_ETC_ENVFILE (VENDORDIR "/environment")
-#endif
-#define DEFAULT_READ_ENVFILE 1
-
-#define DEFAULT_USER_ENVFILE ".pam_environment"
-#define DEFAULT_USER_READ_ENVFILE 0
-
#include "config.h"
#include <ctype.h>
@@ -52,6 +43,15 @@ typedef struct var {
char *override;
} VAR;
+#define DEFAULT_ETC_ENVFILE "/etc/environment"
+#ifdef VENDORDIR
+#define VENDOR_DEFAULT_ETC_ENVFILE (VENDORDIR "/environment")
+#endif
+#define DEFAULT_READ_ENVFILE 1
+
+#define DEFAULT_USER_ENVFILE ".pam_environment"
+#define DEFAULT_USER_READ_ENVFILE 0
+
#define DEFAULT_CONF_FILE (SCONFIGDIR "/pam_env.conf")
#ifdef VENDOR_SCONFIGDIR
#define VENDOR_DEFAULT_CONF_FILE (VENDOR_SCONFIGDIR "/pam_env.conf")

54
pam_env-remove-escaped-newlines.patch Normal file
View File

@ -0,0 +1,54 @@
From ef51c51523b4c6ce6275b2863a0de1a3a6dff1e5 Mon Sep 17 00:00:00 2001
From: Tobias Stoeckmann <tobias@stoeckmann.org>
Date: Thu, 18 Jan 2024 20:25:20 +0100
Subject: [PATCH] pam_env: remove escaped newlines from econf lines
The libeconf routines do not remove escaped newlines the way we want to
process them later on. Manually remove them from values.
Signed-off-by: Tobias Stoeckmann <tobias@stoeckmann.org>
---
modules/pam_env/pam_env.c | 23 +++++++++++++++++++++++
1 file changed, 23 insertions(+)
diff --git a/modules/pam_env/pam_env.c b/modules/pam_env/pam_env.c
index a0b812fff..5f53fbb10 100644
--- a/modules/pam_env/pam_env.c
+++ b/modules/pam_env/pam_env.c
@@ -160,6 +160,28 @@ isDirectory(const char *path) {
return S_ISDIR(statbuf.st_mode);
}
+/*
+ * Remove escaped newline from string.
+ *
+ * All occurrences of "\\n" will be removed from string.
+ */
+static void
+econf_unescnl(char *val)
+{
+ char *dest, *p;
+
+ dest = p = val;
+
+ while (*p != '\0') {
+ if (p[0] == '\\' && p[1] == '\n') {
+ p += 2;
+ } else {
+ *dest++ = *p++;
+ }
+ }
+ *dest = '\0';
+}
+
static int
econf_read_file(const pam_handle_t *pamh, const char *filename, const char *delim,
const char *name, const char *suffix, const char *subpath,
@@ -270,6 +292,7 @@ econf_read_file(const pam_handle_t *pamh, const char *filename, const char *deli
keys[i],
econf_errString(error));
} else {
+ econf_unescnl(val);
if (asprintf(&(*lines)[i],"%s%c%s", keys[i], delim[0], val) < 0) {
pam_syslog(pamh, LOG_ERR, "Cannot allocate memory.");
econf_free(keys);

22
pam_shells-fix-econf-memory-leak.patch
View File

@ -1,22 +0,0 @@
From 1a734af22a9f35a9a09edaea44a4e0767de6343b Mon Sep 17 00:00:00 2001
From: Tobias Stoeckmann <tobias@stoeckmann.org>
Date: Thu, 18 May 2023 17:55:21 +0200
Subject: [PATCH] pam_shells: Plug econf memory leak
Signed-off-by: Tobias Stoeckmann <tobias@stoeckmann.org>
---
modules/pam_shells/pam_shells.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/modules/pam_shells/pam_shells.c b/modules/pam_shells/pam_shells.c
index 05c09c656..276a56dd5 100644
--- a/modules/pam_shells/pam_shells.c
+++ b/modules/pam_shells/pam_shells.c
@@ -112,6 +112,7 @@ static int perform_check(pam_handle_t *pamh)
if (!retval)
break;
}
+ econf_free (keys);
econf_free (key_file);
#else
char shellFileLine[256];

27
pam_unix-fix-password-aging-disabled.patch Normal file
View File

@ -0,0 +1,27 @@
From 9d40f55216b2de60ccb9b617c79b9280b9f29ead Mon Sep 17 00:00:00 2001
From: Tobias Stoeckmann <tobias@stoeckmann.org>
Date: Fri, 19 Jan 2024 10:09:00 +0100
Subject: [PATCH] pam_unix: do not warn if password aging disabled
Later checks will print a warning if daysleft is 0. If password
aging is disabled, leave daysleft at -1.
Fixes 9ebc14085a3ba253598cfaa0d3f0d76ea5ee8ccb.
Signed-off-by: Tobias Stoeckmann <tobias@stoeckmann.org>
---
modules/pam_unix/passverify.c | 1 -
1 file changed, 1 deletion(-)
diff --git a/modules/pam_unix/passverify.c b/modules/pam_unix/passverify.c
index 5c4f862e7..1bc98fa25 100644
--- a/modules/pam_unix/passverify.c
+++ b/modules/pam_unix/passverify.c
@@ -314,7 +314,6 @@ PAMH_ARG_DECL(int check_shadow_expiry,
}
if (spent->sp_lstchg < 0) {
D(("password aging disabled"));
- *daysleft = 0;
return PAM_SUCCESS;
}
if (curdays < spent->sp_lstchg) {