From e352b2c6616d02ede5738b678d95dff435a7127ba6a0bd8b2d537bf6f9cb8ed2 Mon Sep 17 00:00:00 2001 
From: Thorsten Kukuk Date: Thu, 18 Jan 2024 09:18:10 +0000 Subject: [PATCH 01/13] - Update to version 1.6.0 - Added support of configuration files with arbitrarily long lines. - build: fixed build outside of the source tree. - libpam: added use of getrandom(2) as a source of randomness if available. - libpam: fixed calculation of fail delay with very long delays. - libpam: fixed potential infinite recursion with includes. - libpam: implemented string to number conversions validation when parsing controls in configuration. - pam_access: added quiet_log option. - pam_access: fixed truncation of very long group names. - pam_canonicalize_user: new module to canonicalize user name. - pam_echo: fixed file handling to prevent overflows and short reads. - pam_env: added support of '\' character in environment variable values. - pam_exec: allowed expose_authtok for password PAM_TYPE. - pam_exec: fixed stack overflow with binary output of programs. - pam_faildelay: implemented parameter ranges validation. - pam_listfile: changed to treat \r and \n exactly the same in configuration. - pam_mkhomedir: hardened directory creation against timing attacks. - Please note that using *at functions leads to more open file handles during creation. - pam_namespace: fixed potential local DoS (CVE-2024-22365). - pam_nologin: fixed file handling to prevent short reads. - pam_pwhistory: helper binary is now built only if SELinux support is enabled. - pam_pwhistory: implemented reliable usernames handling when remembering passwords. - pam_shells: changed to allow shell entries with absolute paths only. - pam_succeed_if: fixed treating empty strings as numerical value 0. - pam_unix: added support of disabled password aging. - pam_unix: synchronized password aging with shadow. 
OBS-URL: https://build.opensuse.org/package/show/Linux-PAM/pam?expand=0&rev=280 --- Linux-PAM-1.5.3.tar.xz | 3 -- Linux-PAM-1.5.3.tar.xz.asc | 16 ------- Linux-PAM-1.6.0.tar.xz | 3 ++ Linux-PAM-1.6.0.tar.xz.asc | 16 +++++++ disable-examples.patch | 51 --------------------- pam-login_defs-check.sh | 2 +- pam.changes | 54 ++++++++++++++++++++++ pam.spec | 16 ++----- pam_access-doc-IPv6-link-local.patch | 63 -------------------------- pam_access-hostname-debug.patch | 27 ----------- pam_shells-fix-econf-memory-leak.patch | 22 --------- 11 files changed, 77 insertions(+), 196 deletions(-) delete mode 100644 Linux-PAM-1.5.3.tar.xz delete mode 100644 Linux-PAM-1.5.3.tar.xz.asc create mode 100644 Linux-PAM-1.6.0.tar.xz create mode 100644 Linux-PAM-1.6.0.tar.xz.asc delete mode 100644 disable-examples.patch delete mode 100644 pam_access-doc-IPv6-link-local.patch delete mode 100644 pam_access-hostname-debug.patch delete mode 100644 pam_shells-fix-econf-memory-leak.patch diff --git a/Linux-PAM-1.5.3.tar.xz b/Linux-PAM-1.5.3.tar.xz deleted file mode 100644 index d1b6d47..0000000 --- a/Linux-PAM-1.5.3.tar.xz +++ /dev/null @@ -1,3 +0,0 @@ -version https://git-lfs.github.com/spec/v1 -oid sha256:7ac4b50feee004a9fa88f1dfd2d2fa738a82896763050cd773b3c54b0a818283 -size 1020076 diff --git a/Linux-PAM-1.5.3.tar.xz.asc b/Linux-PAM-1.5.3.tar.xz.asc deleted file mode 100644 index 8817c44..0000000 --- a/Linux-PAM-1.5.3.tar.xz.asc +++ /dev/null 
@@ -1,16 +0,0 @@ ------BEGIN PGP SIGNATURE----- - -iQIcBAABCgAGBQJkWBFQAAoJEKgEH6g54W42OoMP/R1O9dvpncrR4DfD3yJViTPw -To3isPszsdHhw/uZUzCBEUMxhJgUgefzHGAng1EbTyX2eTLk/cnLY8pZLXr3pzC0 -5CfacxAqgjK8B/7CbchsZQCDal84E5jR8qyzVCM3IPxZQfpiR3HJzXVjhg/gnBcY -L6v7FbLpcdM2keHHT1C/hyQfTnzyIdmwyzRdE1DF3ERbe3/1VlNmANNOacZ1H2T9 -Hs5dVIFiXwOO11Xku42oOo99LCqXyIsRnEogBFCORHNjD7B88lCdJAHssBdvWq5t -/CJnoGtJrVCXs11JVPSNyW0rm24rZH9YCC6yVRIuMq6jjMBawFUlMAqamLoSA3hK -4BPuPqQjHYk/D5H+m0HF2qRDpz76Bj1zdmYofqspeJf4QJOyOpMSXFY3pgsohuKW -P8YQ44cAkmMswFqMSKGi9EVnf6SVXWQFoHJhtlbUgi7ef/4IICrbtgSSE96OGdlg -Sdoplu3n+1HClaYqlHbjkd/m0Hc8QvOjovctb0Zoclnlup+u2JH4rDNqjxFUvkWB -8CeILjebgBrNRqAFDx7fKBEQyHs5FLOtUU1SwBLXXSyMCHuMhr/tKBHcbDgMhpVP -IiIyYGyEGUoIR/er5AgIX9e6/zcQbc8OvY+gTu9t+tw+HIt8hGvUUkuYX8LB1k6r -zf06e/iTT4GL6AhJtbh3 -=2hyW ------END PGP SIGNATURE----- diff --git a/Linux-PAM-1.6.0.tar.xz b/Linux-PAM-1.6.0.tar.xz new file mode 100644 index 0000000..e3aa8ba --- /dev/null +++ b/Linux-PAM-1.6.0.tar.xz @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:fff4a34e5bbee77e2e8f1992f27631e2329bcbf8a0563ddeb5c3389b4e3169ad +size 1048296 diff --git a/Linux-PAM-1.6.0.tar.xz.asc b/Linux-PAM-1.6.0.tar.xz.asc new file mode 100644 index 0000000..d0ed0be --- /dev/null +++ b/Linux-PAM-1.6.0.tar.xz.asc 
@@ -0,0 +1,16 @@ +-----BEGIN PGP SIGNATURE----- + +iQIcBAABCgAGBQJlp6wnAAoJEKgEH6g54W42MiEP/A9ZznPwFC64SbhbvFYOt6dI +n7NMhzBK4NNw4FLuqeTtIDibNVZ5PkrPHTVaaUuZ2etIkAtUzQLJfB6AyIUY80Gm +NrURXs3LTGZT413A5hH21wUiMLFXIi8GGcz2THV9FJX4KruOkvxXVTxUH6ntlsHY +U+NpNbQXtbq7whzdb7A2W7Ofyg4/gG/QJuLil1cS0rlGg2GhGqxQKBpzvag3fFM3 +XQClfUTF0ALhR6RH0HzolwEsOSp/C1US0mHHfBsvMlbkHrba5VrlQyvdximtzXxw +6+vNaYVd0SX40e3QCLFQ3yAwqAVK6g0lVlgohSCZbjDJgdcoklShE2x7GtVyzwMi +Vic7nkzANQPb0EH14Bo+SMQEOGtZ99tVUt4jX4Rt6f0P/pBCiF6ugJj/IJ67Ouu2 +gp1aRVFrrhFetucdeZhnXb7IJ8h4FDtklRcOS8OgsPGJofLjZmVICrwt6sxpU30n +b/csdoJ1xrMuvo1RGAeSi58sz4KiyKxnTDJL1+7owoK6oNMkN2HR6pE4NH0Atm4n +NcQykgvavC6GZwUsMqrGQypG30LdkKiRScPqCerNYzi01iL7Zxw5BK/plFBwCqJQ +LQH1FUUKEUMA13dt/bUOMSUNmkyIC3PtE69g6XeLRL1M00gRwGgjn8azcYDzOWox +zxDFnUsJ/JgmJm3y47J2 +=wzV/ +-----END PGP SIGNATURE----- diff --git a/disable-examples.patch b/disable-examples.patch deleted file mode 100644 index 0ebaaed..0000000 --- a/disable-examples.patch +++ /dev/null 
@@ -1,51 +0,0 @@ -From 5fa961fd3b5b8cf5ba1a0cf49b10ebf79e273e96 Mon Sep 17 00:00:00 2001 -From: Pino Toscano -Date: Mon, 8 May 2023 18:39:36 +0200 -Subject: [PATCH] configure.ac: add --enable-examples option - -Allow the user to not build the examples through --disable-examples -(enabled by default); this can be useful: -- when cross-compiling, as the examples are not useful -- in distribution builds, not building stuff that is not used in any - way ---- - Makefile.am | 5 ++++- - configure.ac | 5 +++++ - 2 files changed, 9 insertions(+), 1 deletion(-) - -diff --git a/Makefile.am b/Makefile.am -index deb252680..2e8fede7b 100644 ---- a/Makefile.am -+++ b/Makefile.am -@@ -4,11 +4,14 @@ - - AUTOMAKE_OPTIONS = 1.9 gnu dist-xz no-dist-gzip check-news - --SUBDIRS = libpam tests libpamc libpam_misc modules po conf examples xtests -+SUBDIRS = libpam tests libpamc libpam_misc modules po conf xtests - - if HAVE_DOC - SUBDIRS += doc - endif -+if HAVE_EXAMPLES -+SUBDIRS += examples -+endif - - CLEANFILES = *~ - -diff --git a/configure.ac b/configure.ac -index b9b0f8392..6666b1b26 100644 ---- a/configure.ac -+++ b/configure.ac -@@ -224,6 +224,11 @@ AC_ARG_ENABLE([doc], - WITH_DOC=$enableval, WITH_DOC=yes) - AM_CONDITIONAL([HAVE_DOC], [test "x$WITH_DOC" = "xyes"]) - -+AC_ARG_ENABLE([examples], -+ AS_HELP_STRING([--disable-examples],[Do not build the examples]), -+ WITH_EXAMPLES=$enableval, WITH_EXAMPLES=yes) -+AM_CONDITIONAL([HAVE_EXAMPLES], [test "x$WITH_EXAMPLES" = "xyes"]) -+ - AC_ARG_ENABLE([prelude], - AS_HELP_STRING([--disable-prelude],[do not use prelude]), - WITH_PRELUDE=$enableval, WITH_PRELUDE=yes) diff --git a/pam-login_defs-check.sh b/pam-login_defs-check.sh index 50190eb..6b9b498 100644 --- a/pam-login_defs-check.sh +++ b/pam-login_defs-check.sh 
@@ -12,7 +12,7 @@ grep -rh LOGIN_DEFS . | sed -n 's/CRYPTO_KEY/\"HMAC_CRYPTO_ALGO\"/g;s/^.*search_key *([A-Za-z_]*, *[A-Z_]*LOGIN_DEFS, *"\([A-Z0-9_]*\)").*$/\1/p' | LC_ALL=C sort -u >pam-login_defs-vars.lst -if test $(sha1sum pam-login_defs-vars.lst | sed 's/ .*$//') != cda62ec4158236270a5a30ba1875fa2795926f23 ; then +if test $(sha1sum pam-login_defs-vars.lst | sed 's/ .*$//') != 8521c47f55dff97fac980d52395b763590cd3f07 ; then echo "does not match!" >&2 echo "Checksum is: $(sha1sum pam-login_defs-vars.lst | sed 's/ .*$//')" >&2 diff --git a/pam.changes b/pam.changes index d5bc85e..da9abb7 100644 --- a/pam.changes +++ b/pam.changes 
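Review bot: The command substitution on the changed line is still unquoted, so if `sha1sum pam-login_defs-vars.lst` fails (for instance because the `.lst` file was not produced by the pipeline above) `test` is invoked as `test != 8521c47f…` with no left operand, which bash reports as an error with a non-zero status; the `then` branch that prints "does not match!" is therefore skipped and the build continues as if the checksum had matched. Only the expected digest was updated here, not the comparison. Quoting the expansion, `if test "$(sha1sum pam-login_defs-vars.lst | sed 's/ .*$//')" != 8521c47f55dff97fac980d52395b763590cd3f07 ; then`, makes an empty result compare unequal and report the problem. Computing the digest once into a variable would also remove the second `sha1sum` call in the message line below. The `if` block continues past the end of the hunk.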
@@ -1,3 +1,57 @@ +------------------------------------------------------------------- +Thu Jan 18 08:28:14 UTC 2024 - Thorsten Kukuk + +- Update to version 1.6.0 + - Added support of configuration files with arbitrarily long lines. + - build: fixed build outside of the source tree. + - libpam: added use of getrandom(2) as a source of randomness if available. + - libpam: fixed calculation of fail delay with very long delays. + - libpam: fixed potential infinite recursion with includes. + - libpam: implemented string to number conversions validation when parsing + controls in configuration. + - pam_access: added quiet_log option. + - pam_access: fixed truncation of very long group names. + - pam_canonicalize_user: new module to canonicalize user name. + - pam_echo: fixed file handling to prevent overflows and short reads. + - pam_env: added support of '\' character in environment variable values. + - pam_exec: allowed expose_authtok for password PAM_TYPE. + - pam_exec: fixed stack overflow with binary output of programs. + - pam_faildelay: implemented parameter ranges validation. + - pam_listfile: changed to treat \r and \n exactly the same in configuration. + - pam_mkhomedir: hardened directory creation against timing attacks. + - Please note that using *at functions leads to more open file handles + during creation. + - pam_namespace: fixed potential local DoS (CVE-2024-22365). + - pam_nologin: fixed file handling to prevent short reads. + - pam_pwhistory: helper binary is now built only if SELinux support is + enabled. + - pam_pwhistory: implemented reliable usernames handling when remembering + passwords. + - pam_shells: changed to allow shell entries with absolute paths only. + - pam_succeed_if: fixed treating empty strings as numerical value 0. + - pam_unix: added support of disabled password aging. + - pam_unix: synchronized password aging with shadow. + - pam_unix: implemented string to number conversions validation. 
+ - pam_unix: fixed truncation of very long user names. + - pam_unix: corrected rounds retrieval for configured encryption method. + - pam_unix: implemented reliable usernames handling when remembering + passwords. + - pam_unix: changed to always run the helper to obtain shadow password + entries. + - pam_unix: unix_update helper binary is now built only if SELinux support + is enabled. + - pam_unix: added audit support to unix_update helper. + - pam_userdb: added gdbm support. + - Multiple minor bug fixes, portability fixes, documentation improvements, + and translation updates. +- The following patches are obsolete with the update: + - pam_access-doc-IPv6-link-local.patch + - pam_access-hostname-debug.patch + - pam_shells-fix-econf-memory-leak.patch + - pam_shells-fix-econf-memory-leak.patch +- pam-login_defs-check.sh: adjust checksum, SHA_CRYPT_MAX_ROUNDS + is no longer used. + ------------------------------------------------------------------- Wed Aug 23 09:20:06 UTC 2023 - Thorsten Kukuk diff --git a/pam.spec b/pam.spec index 0d05b92..8b9a6e3 100644 --- a/pam.spec +++ b/pam.spec @@ -71,7 +71,7 @@ # Name: pam%{name_suffix} # -Version: 1.5.3 +Version: 1.6.0 Release: 0 Summary: A Security Tool that Provides Authentication for Applications License: GPL-2.0-or-later OR BSD-3-Clause @@ -96,14 +96,6 @@ Source22: postlogin-account.pamd Source23: postlogin-password.pamd Source24: postlogin-session.pamd Patch1: pam-limit-nproc.patch -# https://github.com/linux-pam/linux-pam/pull/594 -Patch2: pam_access-doc-IPv6-link-local.patch -# https://github.com/linux-pam/linux-pam/pull/596 -Patch3: pam_access-hostname-debug.patch -# https://github.com/linux-pam/linux-pam/pull/581 -Patch4: pam_shells-fix-econf-memory-leak.patch -# https://github.com/linux-pam/linux-pam/pull/574 -Patch5: disable-examples.patch BuildRequires: audit-devel BuildRequires: bison BuildRequires: flex 
@@ -214,10 +206,6 @@ building both PAM-aware applications and modules for use with PAM. %setup -q -n Linux-PAM-%{version} cp -a %{SOURCE12} . %patch1 -p1 -%patch2 -p1 -%patch3 -p1 -%patch4 -p1 -%patch5 -p1 %build bash ./pam-login_defs-check.sh @@ -237,7 +225,9 @@ autoreconf --enable-isadir=../..%{_pam_moduledir} \ --enable-securedir=%{_pam_moduledir} \ --enable-vendordir=%{_prefix}/etc \ +%if "%{flavor}" == "full" --enable-logind \ +%endif --disable-examples \ --disable-nis \ %if %{with debug} diff --git a/pam_access-doc-IPv6-link-local.patch b/pam_access-doc-IPv6-link-local.patch deleted file mode 100644 index d84a1de..0000000 --- a/pam_access-doc-IPv6-link-local.patch +++ /dev/null 
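Review bot: `--disable-examples` is still passed to configure in the `@@ -237` hunk while disable-examples.patch, the local patch that introduced that option (the dropped Patch5 comment pointed at upstream PR 574), is removed by this commit; that is only correct if 1.6.0 carries the option natively, which is likely but worth confirming, because autoconf merely warns about an unrecognised `--disable-*` flag and the examples would then be built silently. A short comment next to the flag, e.g. `# --disable-examples is provided by upstream since 1.6.0`, would record that. The new `%if "%{flavor}" == "full"` guard around `--enable-logind` does not say why the other flavors build without logind support; a one-line comment there would help the next maintainer. Separately, the accompanying pam.changes entry lists pam_shells-fix-econf-memory-leak.patch twice and does not mention disable-examples.patch among the obsoleted patches.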
@@ -1,63 +0,0 @@ -From 4ba3105511c3a55fc750a790f7310c6d7ebfdfda Mon Sep 17 00:00:00 2001 -From: Thorsten Kukuk -Date: Thu, 3 Aug 2023 17:11:32 +0200 -Subject: [PATCH] pam_access: document IPv6 link-local addresses (#582) - -* modules/pam_access/access.conf.5.xml: Add example and note for IPv6 - link-local addresses -* modules/pam_access/access.conf: Add example for IPv6 link-local - addresses ---- - modules/pam_access/access.conf | 3 +++ - modules/pam_access/access.conf.5.xml | 12 +++++++++++- - 2 files changed, 14 insertions(+), 1 deletion(-) - -diff --git a/modules/pam_access/access.conf b/modules/pam_access/access.conf -index 47b6b84c1..9c8e21716 100644 ---- a/modules/pam_access/access.conf -+++ b/modules/pam_access/access.conf -@@ -115,6 +115,9 @@ - # User "john" should get access from ipv6 host address (same as above) - #+:john:2001:4ca0:0:101:0:0:0:1 - # -+# User "john" should get access from ipv6 local link host address -+#+:john:fe80::de95:818c:1b55:7e42%eth0 -+# - # User "john" should get access from ipv6 net/mask - #+:john:2001:4ca0:0:101::/64 - # -diff --git a/modules/pam_access/access.conf.5.xml b/modules/pam_access/access.conf.5.xml -index ff1cb2237..2dc5d477c 100644 ---- a/modules/pam_access/access.conf.5.xml -+++ b/modules/pam_access/access.conf.5.xml -@@ -188,6 +188,12 @@ - - +:john foo:2001:db8:0:101::1 - -+ -+ User john and foo -+ should get access from IPv6 link local host address. -+ -+ +:john foo:fe80::de95:818c:1b55:7e42%eth1 -+ - - User john should get access from IPv6 net/mask. - -@@ -222,6 +228,10 @@ - item and the line will be most probably ignored. For this reason, it is not - recommended to put spaces around the ':' characters. - -+ -+ An IPv6 link local host address must contain the interface -+ identifier. IPv6 link local network/netmask is not supported. -+ - - - -@@ -246,4 +256,4 @@ - introduced by Mike Becher <mike.becher@lrz-muenchen.de>. - - -- -\ No newline at end of file -+ 
diff --git a/pam_access-hostname-debug.patch b/pam_access-hostname-debug.patch deleted file mode 100644 index 13168b5..0000000 --- a/pam_access-hostname-debug.patch +++ /dev/null @@ -1,27 +0,0 @@ -From 741acf4ff707d53b94947736a01eeeda5e2c7e98 Mon Sep 17 00:00:00 2001 -From: Thorsten Kukuk -Date: Fri, 4 Aug 2023 15:46:16 +0200 -Subject: [PATCH] pam_access: make non-resolveable hostname a debug output - (#590) - -* modules/pam_access/pam_access.c (network_netmask_match): Don't print -an error if a string is not resolveable, only a debug message in debug -mode. We even don't know if that entry is for remote logins or not. ---- - modules/pam_access/pam_access.c | 3 ++- - 1 file changed, 2 insertions(+), 1 deletion(-) - -diff --git a/modules/pam_access/pam_access.c b/modules/pam_access/pam_access.c -index f70b7e495..985dc7de2 100644 ---- a/modules/pam_access/pam_access.c -+++ b/modules/pam_access/pam_access.c -@@ -876,7 +876,8 @@ network_netmask_match (pam_handle_t *pamh, - */ - if (getaddrinfo (tok, NULL, NULL, &ai) != 0) - { -- pam_syslog(pamh, LOG_ERR, "cannot resolve hostname \"%s\"", tok); -+ if (item->debug) -+ pam_syslog(pamh, LOG_DEBUG, "cannot resolve hostname \"%s\"", tok); - - return NO; - } diff --git a/pam_shells-fix-econf-memory-leak.patch b/pam_shells-fix-econf-memory-leak.patch deleted file mode 100644 index 506a1c5..0000000 --- a/pam_shells-fix-econf-memory-leak.patch +++ /dev/null 
@@ -1,22 +0,0 @@ -From 1a734af22a9f35a9a09edaea44a4e0767de6343b Mon Sep 17 00:00:00 2001 -From: Tobias Stoeckmann -Date: Thu, 18 May 2023 17:55:21 +0200 -Subject: [PATCH] pam_shells: Plug econf memory leak - -Signed-off-by: Tobias Stoeckmann ---- - modules/pam_shells/pam_shells.c | 1 + - 1 file changed, 1 insertion(+) - -diff --git a/modules/pam_shells/pam_shells.c b/modules/pam_shells/pam_shells.c -index 05c09c656..276a56dd5 100644 ---- a/modules/pam_shells/pam_shells.c -+++ b/modules/pam_shells/pam_shells.c -@@ -112,6 +112,7 @@ static int perform_check(pam_handle_t *pamh) - if (!retval) - break; - } -+ econf_free (keys); - econf_free (key_file); - #else - char shellFileLine[256]; From 182f702c5975cd8d156abcfd92c1c58e11d8e116356036438c4ca1f92973ef73 Mon Sep 17 00:00:00 2001 From: Thorsten Kukuk Date: Thu, 18 Jan 2024 16:09:06 +0000 Subject: [PATCH 02/13] - disable-pam_env-test.patch: disable tst-pam_env-retval.c as it is broken OBS-URL: https://build.opensuse.org/package/show/Linux-PAM/pam?expand=0&rev=281 --- disable-pam_env-test.patch | 11 +++++++++++ pam.changes | 6 ++++++ pam.spec | 6 +++++- 3 files changed, 22 insertions(+), 1 deletion(-) create mode 100644 disable-pam_env-test.patch diff --git a/disable-pam_env-test.patch b/disable-pam_env-test.patch new file mode 100644 index 0000000..6093897 --- /dev/null +++ b/disable-pam_env-test.patch @@ -0,0 +1,11 @@ +--- Linux-PAM-1.6.0/modules/pam_env/Makefile.am.old 2024-01-17 11:29:36.000000000 +0100 ++++ Linux-PAM-1.6.0/modules/pam_env/Makefile.am 2024-01-18 16:45:11.923011145 +0100 +@@ -12,7 +12,7 @@ + endif + XMLS = README.xml pam_env.conf.5.xml pam_env.8.xml + dist_check_SCRIPTS = tst-pam_env +-TESTS = $(dist_check_SCRIPTS) $(check_PROGRAMS) ++TESTS = $(dist_check_SCRIPTS) + + securelibdir = $(SECUREDIR) + if HAVE_VENDORDIR diff --git a/pam.changes b/pam.changes index da9abb7..4147492 100644 --- a/pam.changes +++ b/pam.changes 
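Review bot: `TESTS = $(dist_check_SCRIPTS)` in the new disable-pam_env-test.patch drops every program in `$(check_PROGRAMS)` from the pam_env test run, not only the tst-pam_env-retval test named in the changelog; whether other check programs exist for pam_env cannot be told from this hunk, but if they do they silently stop running as well. Listing the remaining check programs explicitly in `TESTS` instead of removing the whole variable would keep that coverage while the one broken test is excluded. The patch file has no header explaining why the test is broken or which upstream issue tracks it; a two-line description at the top of the patch would make it easier to drop once the fix lands.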
@@ -1,3 +1,9 @@ +------------------------------------------------------------------- +Thu Jan 18 15:45:53 UTC 2024 - Thorsten Kukuk + +- disable-pam_env-test.patch: disable tst-pam_env-retval.c as it is + broken + ------------------------------------------------------------------- Thu Jan 18 08:28:14 UTC 2024 - Thorsten Kukuk diff --git a/pam.spec b/pam.spec index 8b9a6e3..65fef55 100644 --- a/pam.spec +++ b/pam.spec @@ -96,6 +96,7 @@ Source22: postlogin-account.pamd Source23: postlogin-password.pamd Source24: postlogin-session.pamd Patch1: pam-limit-nproc.patch +Patch2: disable-pam_env-test.patch BuildRequires: audit-devel BuildRequires: bison BuildRequires: flex @@ -206,6 +207,7 @@ building both PAM-aware applications and modules for use with PAM. %setup -q -n Linux-PAM-%{version} cp -a %{SOURCE12} . %patch1 -p1 +%patch2 -p1 %build bash ./pam-login_defs-check.sh @@ -280,7 +282,9 @@ mkdir -p -m 755 %{buildroot}%{_libdir} mkdir -p %{buildroot}%{_distconfdir}/pam.d %make_install -/sbin/ldconfig -n %{buildroot}%{libdir} +# XXX remove for now until we have a security review of the new module +rm -f %{buildroot}%{_libdir}/security/pam_canonicalize_user.so +/sbin/ldconfig -n %{buildroot}%{_libdir} # Install documentation %make_install -C doc # install /etc/security/namespace.d used by pam_namespace.so for namespace.conf iscript From 089f3fa0f4f47a1e634a1e339c8af6250b4da04501ece36fef8c76edee275561 Mon Sep 17 00:00:00 2001 From: Thorsten Kukuk Date: Thu, 18 Jan 2024 16:22:56 +0000 Subject: [PATCH 03/13] OBS-URL: https://build.opensuse.org/package/show/Linux-PAM/pam?expand=0&rev=282 --- pam.spec | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/pam.spec b/pam.spec index 65fef55..16b1120 100644 --- a/pam.spec +++ b/pam.spec 
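Review bot: The `@@ -280` hunk changes the ldconfig call from `%{buildroot}%{libdir}` to `%{buildroot}%{_libdir}`, which is a fix of a misspelt macro unrelated to the pam_env test patch this commit is about, and it is not mentioned in the pam.changes entry; a separate changelog line for it would keep the history honest. The added `rm -f %{buildroot}%{_libdir}/security/pam_canonicalize_user.so` removes only the module binary, so its documentation is still installed from `%make_install -C doc` on the following lines and the unreviewed module remains described in the package; the man page should be removed at the same point. Because `rm -f` succeeds even when the file is absent, an upstream rename of the module would reinstate it without any build failure; excluding the file in `%files` instead, or dropping `-f`, would fail loudly. The `%files` sections are outside the visible hunks.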
@@ -144,7 +144,8 @@ username/password pair against values stored in a Berkeley DB database. %package -n pam-extra Summary: PAM module with extended dependencies Group: System/Libraries -BuildRequires: pkgconfig(systemd) +#BuildRequires: pkgconfig(systemd) +BuildRequires: systemd-devel >= 254 BuildRequires: pam-devel Provides: pam:%{_sbindir}/pam_timestamp_check From 37a6bd3211c7914ea13682885b77101be0c030149ada4923a051fb1ce35238c2 Mon Sep 17 00:00:00 2001 From: Thorsten Kukuk Date: Thu, 18 Jan 2024 16:36:00 +0000 Subject: [PATCH 04/13] OBS-URL: https://build.opensuse.org/package/show/Linux-PAM/pam?expand=0&rev=283 --- pam.spec | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/pam.spec b/pam.spec index 16b1120..05479fb 100644 --- a/pam.spec +++ b/pam.spec @@ -144,8 +144,7 @@ username/password pair against values stored in a Berkeley DB database. %package -n pam-extra Summary: PAM module with extended dependencies Group: System/Libraries -#BuildRequires: pkgconfig(systemd) -BuildRequires: systemd-devel >= 254 +BuildRequires: pkgconfig(systemd) BuildRequires: pam-devel Provides: pam:%{_sbindir}/pam_timestamp_check From e2402ccf1b87cfbe8228f9b601621c9360c2b8314b86c2ce41ce67bdebd5c611 Mon Sep 17 00:00:00 2001 From: Thorsten Kukuk Date: Thu, 18 Jan 2024 17:01:37 +0000 Subject: [PATCH 05/13] OBS-URL: https://build.opensuse.org/package/show/Linux-PAM/pam?expand=0&rev=284 --- pam.spec | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/pam.spec b/pam.spec index 05479fb..316680a 100644 --- a/pam.spec +++ b/pam.spec @@ -144,7 +144,9 @@ username/password pair against values stored in a Berkeley DB database. %package -n pam-extra Summary: PAM module with extended dependencies Group: System/Libraries -BuildRequires: pkgconfig(systemd) +#BuildRequires: pkgconfig(systemd) +# The systemd-mini package does not pass configure checks +BuildRequires: systemd-devel >= 254 BuildRequires: pam-devel Provides: pam:%{_sbindir}/pam_timestamp_check 
@@ -287,6 +289,8 @@ rm -f %{buildroot}%{_libdir}/security/pam_canonicalize_user.so /sbin/ldconfig -n %{buildroot}%{_libdir} # Install documentation %make_install -C doc +# XXX remove for now until we have a security review, see above +rm -f %{buildroot}%{_mandir}/man8/pam_canonicalize_user.8* # install /etc/security/namespace.d used by pam_namespace.so for namespace.conf iscript install -d %{buildroot}%{_pam_secconfdir}/namespace.d # install other.pamd and common-*.pamd From f0eb90949bbd71042d09d585dbc6b60a49638185b1d5cd8473353ce7de850d2d Mon Sep 17 00:00:00 2001 From: Thorsten Kukuk Date: Fri, 19 Jan 2024 09:33:12 +0000 Subject: [PATCH 06/13] - Add post 1.6.0 release fixes for pam_env: - pam_env-fix-enable-vendordir-fallback.patch - pam_env-fix_vendordir.patch - pam_env-remove-escaped-newlines.patch OBS-URL: https://build.opensuse.org/package/show/Linux-PAM/pam?expand=0&rev=285 --- Linux-PAM-1.5.3.tar.xz | 3 ++ disable-pam_env-test.patch | 11 ----- pam.changes | 12 ++--- pam.spec | 9 +++- pam_env-fix-enable-vendordir-fallback.patch | 51 +++++++++++++++++++ pam_env-fix_vendordir.patch | 51 +++++++++++++++++++ pam_env-remove-escaped-newlines.patch | 54 +++++++++++++++++++++ 7 files changed, 172 insertions(+), 19 deletions(-) create mode 100644 Linux-PAM-1.5.3.tar.xz delete mode 100644 disable-pam_env-test.patch create mode 100644 pam_env-fix-enable-vendordir-fallback.patch create mode 100644 pam_env-fix_vendordir.patch create mode 100644 pam_env-remove-escaped-newlines.patch diff --git a/Linux-PAM-1.5.3.tar.xz b/Linux-PAM-1.5.3.tar.xz new file mode 100644 index 0000000..d1b6d47 --- /dev/null +++ b/Linux-PAM-1.5.3.tar.xz @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:7ac4b50feee004a9fa88f1dfd2d2fa738a82896763050cd773b3c54b0a818283 +size 1020076 diff --git a/disable-pam_env-test.patch b/disable-pam_env-test.patch deleted file mode 100644 index 6093897..0000000 --- a/disable-pam_env-test.patch +++ /dev/null 
@@ -1,11 +0,0 @@ ---- Linux-PAM-1.6.0/modules/pam_env/Makefile.am.old 2024-01-17 11:29:36.000000000 +0100 -+++ Linux-PAM-1.6.0/modules/pam_env/Makefile.am 2024-01-18 16:45:11.923011145 +0100 -@@ -12,7 +12,7 @@ - endif - XMLS = README.xml pam_env.conf.5.xml pam_env.8.xml - dist_check_SCRIPTS = tst-pam_env --TESTS = $(dist_check_SCRIPTS) $(check_PROGRAMS) -+TESTS = $(dist_check_SCRIPTS) - - securelibdir = $(SECUREDIR) - if HAVE_VENDORDIR diff --git a/pam.changes b/pam.changes index 4147492..4f8e09a 100644 --- a/pam.changes +++ b/pam.changes @@ -1,12 +1,10 @@ ------------------------------------------------------------------- -Thu Jan 18 15:45:53 UTC 2024 - Thorsten Kukuk - -- disable-pam_env-test.patch: disable tst-pam_env-retval.c as it is - broken - -------------------------------------------------------------------- -Thu Jan 18 08:28:14 UTC 2024 - Thorsten Kukuk +Fri Jan 19 09:11:30 UTC 2024 - Thorsten Kukuk +- Add post 1.6.0 release fixes for pam_env: + - pam_env-fix-enable-vendordir-fallback.patch + - pam_env-fix_vendordir.patch + - pam_env-remove-escaped-newlines.patch - Update to version 1.6.0 - Added support of configuration files with arbitrarily long lines. - build: fixed build outside of the source tree. diff --git a/pam.spec b/pam.spec index 316680a..fa47dab 100644 --- a/pam.spec +++ b/pam.spec @@ -96,7 +96,12 @@ Source22: postlogin-account.pamd Source23: postlogin-password.pamd Source24: postlogin-session.pamd Patch1: pam-limit-nproc.patch -Patch2: disable-pam_env-test.patch +# https://github.com/linux-pam/linux-pam/pull/739 +Patch2: pam_env-fix_vendordir.patch +# https://github.com/linux-pam/linux-pam/pull/740 +Patch3: pam_env-fix-enable-vendordir-fallback.patch +# https://github.com/linux-pam/linux-pam/pull/741 +Patch4: pam_env-remove-escaped-newlines.patch BuildRequires: audit-devel BuildRequires: bison BuildRequires: flex 
@@ -210,6 +215,8 @@ building both PAM-aware applications and modules for use with PAM. cp -a %{SOURCE12} . %patch1 -p1 %patch2 -p1 +%patch3 -p1 +%patch4 -p1 %build bash ./pam-login_defs-check.sh diff --git a/pam_env-fix-enable-vendordir-fallback.patch b/pam_env-fix-enable-vendordir-fallback.patch new file mode 100644 index 0000000..52c895d --- /dev/null +++ b/pam_env-fix-enable-vendordir-fallback.patch 
@@ -0,0 +1,51 @@ +From 28894b319488e8302899ee569b6e0911905f374e Mon Sep 17 00:00:00 2001 +From: "Dmitry V. Levin" +Date: Thu, 18 Jan 2024 17:00:00 +0000 +Subject: [PATCH] pam_env: fix --enable-vendordir fallback logic + +* modules/pam_env/pam_env.c (_parse_config_file) [!USE_ECONF && +VENDOR_DEFAULT_CONF_FILE]: Do not fallback to vendor pam_env.conf file +if the config file is specified via module arguments. + +Link: https://github.com/linux-pam/linux-pam/issues/738 +Fixes: v1.5.3~69 ("pam_env: Use vendor specific pam_env.conf and environment as fallback") +--- + modules/pam_env/pam_env.c | 22 +++++++++++----------- + 1 file changed, 11 insertions(+), 11 deletions(-) + +diff --git a/modules/pam_env/pam_env.c b/modules/pam_env/pam_env.c +index a0b812fff..8b40b6a5a 100644 +--- a/modules/pam_env/pam_env.c ++++ b/modules/pam_env/pam_env.c +@@ -850,20 +850,20 @@ _parse_config_file(pam_handle_t *pamh, int ctrl, const char *file) + #ifdef USE_ECONF + /* If "file" is not NULL, only this file will be parsed. */ + retval = econf_read_file(pamh, file, " \t", PAM_ENV, ".conf", "security", &conf_list); +-#else ++#else /* !USE_ECONF */ + /* Only one file will be parsed. So, file has to be set. */ +- if (file == NULL) /* No filename has been set via argv. */ ++ if (file == NULL) { /* No filename has been set via argv. */ + file = DEFAULT_CONF_FILE; +-#ifdef VENDOR_DEFAULT_CONF_FILE +- /* +- * Check whether file is available. +- * If it does not exist, fall back to VENDOR_DEFAULT_CONF_FILE file. +- */ +- struct stat stat_buffer; +- if (stat(file, &stat_buffer) != 0 && errno == ENOENT) { +- file = VENDOR_DEFAULT_CONF_FILE; ++# ifdef VENDOR_DEFAULT_CONF_FILE ++ /* ++ * Check whether DEFAULT_CONF_FILE file is available. ++ * If it does not exist, fall back to VENDOR_DEFAULT_CONF_FILE file. 
++ */ ++ struct stat stat_buffer; ++ if (stat(file, &stat_buffer) != 0 && errno == ENOENT) ++ file = VENDOR_DEFAULT_CONF_FILE; ++# endif + } +-#endif + retval = read_file(pamh, file, &conf_list); + #endif + diff --git a/pam_env-fix_vendordir.patch b/pam_env-fix_vendordir.patch new file mode 100644 index 0000000..862b6b6 --- /dev/null +++ b/pam_env-fix_vendordir.patch @@ -0,0 +1,51 @@ +From 0703453bec6ac54ad31d7245be4529796a3ef764 Mon Sep 17 00:00:00 2001 +From: Tobias Stoeckmann +Date: Thu, 18 Jan 2024 18:08:05 +0100 +Subject: [PATCH] pam_env: check VENDORDIR after config.h inclusion + +The VENDORDIR define has to be checked after config.h +inclusion, otherwise the ifdef test always yields false. + +Fixes: 6135c45347b6 ("pam_env: Use vendor specific pam_env.conf and environment as fallback") + +Signed-off-by: Tobias Stoeckmann +--- + modules/pam_env/pam_env.c | 18 +++++++++--------- + 1 file changed, 9 insertions(+), 9 deletions(-) + +diff --git a/modules/pam_env/pam_env.c b/modules/pam_env/pam_env.c +index 59adc942c..a0b812fff 100644 +--- a/modules/pam_env/pam_env.c ++++ b/modules/pam_env/pam_env.c +@@ -6,15 +6,6 @@ + * template for this file (via pam_mail) + */ + +-#define DEFAULT_ETC_ENVFILE "/etc/environment" +-#ifdef VENDORDIR +-#define VENDOR_DEFAULT_ETC_ENVFILE (VENDORDIR "/environment") +-#endif +-#define DEFAULT_READ_ENVFILE 1 +- +-#define DEFAULT_USER_ENVFILE ".pam_environment" +-#define DEFAULT_USER_READ_ENVFILE 0 +- + #include "config.h" + + #include +@@ -52,6 +43,15 @@ typedef struct var { + char *override; + } VAR; + ++#define DEFAULT_ETC_ENVFILE "/etc/environment" ++#ifdef VENDORDIR ++#define VENDOR_DEFAULT_ETC_ENVFILE (VENDORDIR "/environment") ++#endif ++#define DEFAULT_READ_ENVFILE 1 ++ ++#define DEFAULT_USER_ENVFILE ".pam_environment" ++#define DEFAULT_USER_READ_ENVFILE 0 ++ + #define DEFAULT_CONF_FILE (SCONFIGDIR "/pam_env.conf") + #ifdef VENDOR_SCONFIGDIR + #define VENDOR_DEFAULT_CONF_FILE (VENDOR_SCONFIGDIR "/pam_env.conf") 
diff --git a/pam_env-remove-escaped-newlines.patch b/pam_env-remove-escaped-newlines.patch new file mode 100644 index 0000000..3085571 --- /dev/null +++ b/pam_env-remove-escaped-newlines.patch @@ -0,0 +1,54 @@ +From ef51c51523b4c6ce6275b2863a0de1a3a6dff1e5 Mon Sep 17 00:00:00 2001 +From: Tobias Stoeckmann +Date: Thu, 18 Jan 2024 20:25:20 +0100 +Subject: [PATCH] pam_env: remove escaped newlines from econf lines + +The libeconf routines do not remove escaped newlines the way we want to +process them later on. Manually remove them from values. + +Signed-off-by: Tobias Stoeckmann +--- + modules/pam_env/pam_env.c | 23 +++++++++++++++++++++++ + 1 file changed, 23 insertions(+) + +diff --git a/modules/pam_env/pam_env.c b/modules/pam_env/pam_env.c +index a0b812fff..5f53fbb10 100644 +--- a/modules/pam_env/pam_env.c ++++ b/modules/pam_env/pam_env.c +@@ -160,6 +160,28 @@ isDirectory(const char *path) { + return S_ISDIR(statbuf.st_mode); + } + ++/* ++ * Remove escaped newline from string. ++ * ++ * All occurrences of "\\n" will be removed from string. ++ */ ++static void ++econf_unescnl(char *val) ++{ ++ char *dest, *p; ++ ++ dest = p = val; ++ ++ while (*p != '\0') { ++ if (p[0] == '\\' && p[1] == '\n') { ++ p += 2; ++ } else { ++ *dest++ = *p++; ++ } ++ } ++ *dest = '\0'; ++} ++ + static int + econf_read_file(const pam_handle_t *pamh, const char *filename, const char *delim, + const char *name, const char *suffix, const char *subpath, +@@ -270,6 +292,7 @@ econf_read_file(const pam_handle_t *pamh, const char *filename, const char *deli + keys[i], + econf_errString(error)); + } else { ++ econf_unescnl(val); + if (asprintf(&(*lines)[i],"%s%c%s", keys[i], delim[0], val) < 0) { + pam_syslog(pamh, LOG_ERR, "Cannot allocate memory."); + econf_free(keys); From bafc2117536bb43e5694539f12e44fa1a3c9c68dafc3eccb0083f9a89dae2873 Mon Sep 17 00:00:00 2001 
From: Thorsten Kukuk Date: Fri, 19 Jan 2024 09:34:45 +0000 Subject: [PATCH 07/13] OBS-URL: https://build.opensuse.org/package/show/Linux-PAM/pam?expand=0&rev=286 --- Linux-PAM-1.5.3.tar.xz | 3 --- 1 file changed, 3 deletions(-) delete mode 100644 Linux-PAM-1.5.3.tar.xz diff --git a/Linux-PAM-1.5.3.tar.xz b/Linux-PAM-1.5.3.tar.xz deleted file mode 100644 index d1b6d47..0000000 --- a/Linux-PAM-1.5.3.tar.xz +++ /dev/null @@ -1,3 +0,0 @@ -version https://git-lfs.github.com/spec/v1 -oid sha256:7ac4b50feee004a9fa88f1dfd2d2fa738a82896763050cd773b3c54b0a818283 -size 1020076 From 538371760fa150b0d099124ce6a4b9466d8bbffc2ca9ef5c943e6b16593876a7 Mon Sep 17 00:00:00 2001 From: Thorsten Kukuk Date: Fri, 19 Jan 2024 09:49:30 +0000 Subject: [PATCH 08/13] - Add post 1.6.0 release fixes for pam_env and pam_unix: - pam_unix-fix-password-aging-disabled.patch OBS-URL: https://build.opensuse.org/package/show/Linux-PAM/pam?expand=0&rev=287 --- pam.changes | 3 ++- pam.spec | 3 +++ pam_unix-fix-password-aging-disabled.patch | 27 ++++++++++++++++++++++ 3 files changed, 32 insertions(+), 1 deletion(-) create mode 100644 pam_unix-fix-password-aging-disabled.patch diff --git a/pam.changes b/pam.changes index 4f8e09a..7dd6086 100644 --- a/pam.changes +++ b/pam.changes @@ -1,10 +1,11 @@ ------------------------------------------------------------------- Fri Jan 19 09:11:30 UTC 2024 - Thorsten Kukuk -- Add post 1.6.0 release fixes for pam_env: +- Add post 1.6.0 release fixes for pam_env and pam_unix: - pam_env-fix-enable-vendordir-fallback.patch - pam_env-fix_vendordir.patch - pam_env-remove-escaped-newlines.patch + - pam_unix-fix-password-aging-disabled.patch - Update to version 1.6.0 - Added support of configuration files with arbitrarily long lines. - build: fixed build outside of the source tree. diff --git a/pam.spec b/pam.spec index fa47dab..a0249b5 100644 --- a/pam.spec +++ b/pam.spec 
@@ -102,6 +102,8 @@ Patch2: pam_env-fix_vendordir.patch Patch3: pam_env-fix-enable-vendordir-fallback.patch # https://github.com/linux-pam/linux-pam/pull/741 Patch4: pam_env-remove-escaped-newlines.patch +# https://github.com/linux-pam/linux-pam/pull/744 +Patch5: pam_unix-fix-password-aging-disabled.patch BuildRequires: audit-devel BuildRequires: bison BuildRequires: flex @@ -217,6 +219,7 @@ cp -a %{SOURCE12} . %patch2 -p1 %patch3 -p1 %patch4 -p1 +%patch5 -p1 %build bash ./pam-login_defs-check.sh diff --git a/pam_unix-fix-password-aging-disabled.patch b/pam_unix-fix-password-aging-disabled.patch new file mode 100644 index 0000000..53f2793 --- /dev/null +++ b/pam_unix-fix-password-aging-disabled.patch @@ -0,0 +1,27 @@ +From 9d40f55216b2de60ccb9b617c79b9280b9f29ead Mon Sep 17 00:00:00 2001 +From: Tobias Stoeckmann +Date: Fri, 19 Jan 2024 10:09:00 +0100 +Subject: [PATCH] pam_unix: do not warn if password aging disabled + +Later checks will print a warning if daysleft is 0. If password +aging is disabled, leave daysleft at -1. + +Fixes 9ebc14085a3ba253598cfaa0d3f0d76ea5ee8ccb. + +Signed-off-by: Tobias Stoeckmann +--- + modules/pam_unix/passverify.c | 1 - + 1 file changed, 1 deletion(-) + +diff --git a/modules/pam_unix/passverify.c b/modules/pam_unix/passverify.c +index 5c4f862e7..1bc98fa25 100644 +--- a/modules/pam_unix/passverify.c ++++ b/modules/pam_unix/passverify.c +@@ -314,7 +314,6 @@ PAMH_ARG_DECL(int check_shadow_expiry, + } + if (spent->sp_lstchg < 0) { + D(("password aging disabled")); +- *daysleft = 0; + return PAM_SUCCESS; + } + if (curdays < spent->sp_lstchg) { From 3b382a88845e3619652ca4449f512afa66e0ec3139dff30d2e71f3b04d7fe1f3 Mon Sep 17 00:00:00 2001 
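Review bot: Dropping `*daysleft = 0;` leaves the out-parameter at whatever the caller initialised it to, and the patch description says that is -1, but nothing in the hunk shows that initialisation, so the "no expiry warning" behaviour now rests on an implied contract; I would make it explicit at the return site with `/* keep *daysleft at its initial value (-1): aging disabled, no expiry warning */`. check_shadow_expiry's body starts and ends outside the hunk, so neither the initialisation nor the later `daysleft == 0` check can be confirmed here. If any caller passes an uninitialised daysleft, this path now propagates an indeterminate value where it previously wrote 0 — worth a grep of the callers before merging.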
From: Thorsten Kukuk Date: Fri, 19 Jan 2024 11:13:37 +0000 Subject: [PATCH 09/13] - Move pam_namespace to pam-extra due to systemd dependencies OBS-URL: https://build.opensuse.org/package/show/Linux-PAM/pam?expand=0&rev=288 --- pam.changes | 5 +++++ pam.spec | 23 +++++++++++------------ 2 files changed, 16 insertions(+), 12 deletions(-) diff --git a/pam.changes b/pam.changes index 7dd6086..536aae7 100644 --- a/pam.changes +++ b/pam.changes @@ -1,3 +1,8 @@ +------------------------------------------------------------------- +Fri Jan 19 11:11:47 UTC 2024 - Thorsten Kukuk + +- Move pam_namespace to pam-extra due to systemd dependencies + ------------------------------------------------------------------- Fri Jan 19 09:11:30 UTC 2024 - Thorsten Kukuk diff --git a/pam.spec b/pam.spec index a0249b5..23bbc86 100644 --- a/pam.spec +++ b/pam.spec @@ -151,11 +151,12 @@ username/password pair against values stored in a Berkeley DB database. %package -n pam-extra Summary: PAM module with extended dependencies Group: System/Libraries -#BuildRequires: pkgconfig(systemd) +#BuildRequires: pkgconfig(systemd) # The systemd-mini package does not pass configure checks BuildRequires: systemd-devel >= 254 BuildRequires: pam-devel Provides: pam:%{_sbindir}/pam_timestamp_check +Provides: pam:%{_sbindir}/pam_namespace_helper %description -n pam-extra PAM (Pluggable Authentication Modules) is a system security tool that @@ -301,8 +302,6 @@ rm -f %{buildroot}%{_libdir}/security/pam_canonicalize_user.so %make_install -C doc # XXX remove for now until we have a security review, see above rm -f %{buildroot}%{_mandir}/man8/pam_canonicalize_user.8* -# install /etc/security/namespace.d used by pam_namespace.so for namespace.conf iscript -install -d %{buildroot}%{_pam_secconfdir}/namespace.d # install other.pamd and common-*.pamd install -m 644 %{SOURCE3} %{buildroot}%{_pam_vendordir}/other install -m 644 %{SOURCE4} %{buildroot}%{_pam_vendordir}/common-auth 
@@ -337,7 +336,7 @@ install -D -m 644 %{SOURCE2} %{buildroot}%{_rpmmacrodir}/macros.pam # /run/motd.d install -Dm0644 %{SOURCE13} %{buildroot}%{_tmpfilesdir}/pam.conf -mkdir -p %{buildroot}%{_pam_secdistconfdir}/{limits.d,namespace.d} +mkdir -p %{buildroot}%{_pam_secdistconfdir}/limits.d mv %{buildroot}%{_sysconfdir}/environment %{buildroot}%{_distconfdir}/environment # Remove manual pages for main package @@ -350,9 +349,10 @@ echo '.so man8/pam_motd.8' > %{buildroot}%{_mandir}/man5/motd.5 %endif %if !%{build_main} -rm -rf %{buildroot}{%{_sysconfdir},%{_distconfdir},%{_sbindir}/{f*,m*,pam_n*,pw*,u*},%{_pam_secconfdir},%{_pam_confdir},%{_datadir}/locale} +rm -rf %{buildroot}{%{_sysconfdir},%{_distconfdir}/{environment,pam.d},%{_sbindir}/{f*,m*,pw*,u*}} +rm -rf %{buildroot}{%{_pam_secdistconfdir}/{a,f,g,l,p,s,t}*.conf,%{_pam_secconfdir},%{_pam_confdir},%{_datadir}/locale} rm -rf %{buildroot}{%{_includedir},%{_libdir}/{libpam*,pkgconfig},%{_pam_vendordir},%{_rpmmacrodir},%{_tmpfilesdir}} -rm -rf %{buildroot}%{_pam_moduledir}/pam_{a,b,c,d,e,f,g,h,j,k,l,m,n,o,p,q,r,s,v,w,x,y,z,time.,tt,um,un,usertype}* +rm -rf %{buildroot}%{_pam_moduledir}/pam_{a,b,c,d,e,f,g,h,j,k,l,m,no,o,p,q,r,s,v,w,x,y,z,time.,tt,um,un,usertype}* %else # Delete files for extra package rm -rf %{buildroot}{%{_pam_moduledir}/pam_issue.so,%{_pam_moduledir}/pam_timestamp.so,%{_sbindir}/pam_timestamp_check} @@ -419,10 +419,7 @@ done %{_pam_secdistconfdir}/sepermit.conf %endif %{_pam_secdistconfdir}/time.conf -%{_pam_secdistconfdir}/namespace.conf -%{_pam_secdistconfdir}/namespace.init %{_pam_secdistconfdir}/pwhistory.conf -%dir %{_pam_secdistconfdir}/namespace.d %{_libdir}/libpam.so.0 %{_libdir}/libpam.so.%{libpam_so_version} %{_libdir}/libpamc.so.0 @@ -451,7 +448,6 @@ done %{_pam_moduledir}/pam_mail.so %{_pam_moduledir}/pam_mkhomedir.so %{_pam_moduledir}/pam_motd.so -%{_pam_moduledir}/pam_namespace.so %{_pam_moduledir}/pam_nologin.so %{_pam_moduledir}/pam_permit.so %{_pam_moduledir}/pam_pwhistory.so 
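Review bot: The extra-package pruning in the `%if !%{build_main}` branch relies on a letter-prefix list, `pam_{a,b,...,m,no,o,...}*`, and the only thing keeping pam_namespace here is narrowing `n` to `no`; any future module whose name starts with one of those letters is silently deleted, and any new initial letter is silently shipped in pam-extra. A positive list is safer and self-documenting: `find %{buildroot}%{_pam_moduledir} -name 'pam_*.so' ! -name pam_issue.so ! -name pam_namespace.so ! -name pam_timestamp.so -delete`. The same fragility applies to the `%{_sbindir}/{f*,m*,pw*,u*}` and `%{_pam_secdistconfdir}/{a,f,g,l,p,s,t}*.conf` lists in the same hunk. PATCH 11 later in this series reverts the hunk, so the concern is with the prefix-list approach as a whole.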
@@ -476,12 +472,10 @@ done %{_pam_moduledir}/pam_xauth.so %{_sbindir}/faillock %{_sbindir}/mkhomedir_helper -%{_sbindir}/pam_namespace_helper %{_sbindir}/pwhistory_helper %verify(not mode) %attr(4755,root,shadow) %{_sbindir}/unix_chkpwd %verify(not mode) %attr(4755,root,shadow) %{_sbindir}/unix2_chkpwd %attr(0700,root,root) %{_sbindir}/unix_update -%{_unitdir}/pam_namespace.service %{_tmpfilesdir}/pam.conf %files devel @@ -506,8 +500,13 @@ done %files -n pam-extra %defattr(-,root,root,755) %{_pam_moduledir}/pam_issue.so +%{_pam_moduledir}/pam_namespace.so %{_pam_moduledir}/pam_timestamp.so +%{_sbindir}/pam_namespace_helper %{_sbindir}/pam_timestamp_check +%{_pam_secdistconfdir}/namespace.conf +%{_pam_secdistconfdir}/namespace.init +%{_unitdir}/pam_namespace.service %endif %if %{build_doc} From 5f4342b7e38a9b24b11ca43c4cc6d017d2604ea29e1631309a12995adf0e6a09 Mon Sep 17 00:00:00 2001 From: Thorsten Kukuk Date: Fri, 19 Jan 2024 11:23:06 +0000 Subject: [PATCH 10/13] OBS-URL: https://build.opensuse.org/package/show/Linux-PAM/pam?expand=0&rev=289 --- pam.changes | 5 ----- 1 file changed, 5 deletions(-) diff --git a/pam.changes b/pam.changes index 536aae7..7dd6086 100644 --- a/pam.changes +++ b/pam.changes @@ -1,8 +1,3 @@ -------------------------------------------------------------------- -Fri Jan 19 11:11:47 UTC 2024 - Thorsten Kukuk - -- Move pam_namespace to pam-extra due to systemd dependencies - ------------------------------------------------------------------- Fri Jan 19 09:11:30 UTC 2024 - Thorsten Kukuk From 488d867f619a7ddf6ad4d1f224fd50f52ba3d5e17bc125ea9ac0769e231febe7 Mon Sep 17 00:00:00 2001 From: Thorsten Kukuk Date: Fri, 19 Jan 2024 11:24:46 +0000 Subject: [PATCH 11/13] OBS-URL: https://build.opensuse.org/package/show/Linux-PAM/pam?expand=0&rev=290 --- pam.spec | 23 ++++++++++++----------- 1 file changed, 12 insertions(+), 11 deletions(-) diff --git a/pam.spec b/pam.spec index 23bbc86..a0249b5 100644 --- a/pam.spec +++ b/pam.spec 
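Review bot: The `%files -n pam-extra` list adds namespace.conf, namespace.init, the helper and the unit, but nothing owns the drop-in directory: the same patch removes `%dir %{_pam_secdistconfdir}/namespace.d` from the main package, drops `namespace.d` from the `mkdir -p` in `%install`, and deletes `install -d %{buildroot}%{_pam_secconfdir}/namespace.d`, whose removed comment says pam_namespace.so reads it for namespace.conf includes. Unless pam_namespace tolerates a missing directory (not visible here), the moved module ends up without its drop-in location; I would keep both directory creations and add `%dir %{_pam_secdistconfdir}/namespace.d` under `%files -n pam-extra`. PATCH 11 in this series reverts the move, so this only matters if it is re-attempted.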
@@ -151,12 +151,11 @@ username/password pair against values stored in a Berkeley DB database. %package -n pam-extra Summary: PAM module with extended dependencies Group: System/Libraries -#BuildRequires: pkgconfig(systemd) +#BuildRequires: pkgconfig(systemd) # The systemd-mini package does not pass configure checks BuildRequires: systemd-devel >= 254 BuildRequires: pam-devel Provides: pam:%{_sbindir}/pam_timestamp_check -Provides: pam:%{_sbindir}/pam_namespace_helper %description -n pam-extra PAM (Pluggable Authentication Modules) is a system security tool that @@ -302,6 +301,8 @@ rm -f %{buildroot}%{_libdir}/security/pam_canonicalize_user.so %make_install -C doc # XXX remove for now until we have a security review, see above rm -f %{buildroot}%{_mandir}/man8/pam_canonicalize_user.8* +# install /etc/security/namespace.d used by pam_namespace.so for namespace.conf iscript +install -d %{buildroot}%{_pam_secconfdir}/namespace.d # install other.pamd and common-*.pamd install -m 644 %{SOURCE3} %{buildroot}%{_pam_vendordir}/other install -m 644 %{SOURCE4} %{buildroot}%{_pam_vendordir}/common-auth @@ -336,7 +337,7 @@ install -D -m 644 %{SOURCE2} %{buildroot}%{_rpmmacrodir}/macros.pam # /run/motd.d install -Dm0644 %{SOURCE13} %{buildroot}%{_tmpfilesdir}/pam.conf -mkdir -p %{buildroot}%{_pam_secdistconfdir}/limits.d +mkdir -p %{buildroot}%{_pam_secdistconfdir}/{limits.d,namespace.d} mv %{buildroot}%{_sysconfdir}/environment %{buildroot}%{_distconfdir}/environment # Remove manual pages for main package 
@@ -349,10 +350,9 @@ echo '.so man8/pam_motd.8' > %{buildroot}%{_mandir}/man5/motd.5 %endif %if !%{build_main} -rm -rf %{buildroot}{%{_sysconfdir},%{_distconfdir}/{environment,pam.d},%{_sbindir}/{f*,m*,pw*,u*}} -rm -rf %{buildroot}{%{_pam_secdistconfdir}/{a,f,g,l,p,s,t}*.conf,%{_pam_secconfdir},%{_pam_confdir},%{_datadir}/locale} +rm -rf %{buildroot}{%{_sysconfdir},%{_distconfdir},%{_sbindir}/{f*,m*,pam_n*,pw*,u*},%{_pam_secconfdir},%{_pam_confdir},%{_datadir}/locale} rm -rf %{buildroot}{%{_includedir},%{_libdir}/{libpam*,pkgconfig},%{_pam_vendordir},%{_rpmmacrodir},%{_tmpfilesdir}} -rm -rf %{buildroot}%{_pam_moduledir}/pam_{a,b,c,d,e,f,g,h,j,k,l,m,no,o,p,q,r,s,v,w,x,y,z,time.,tt,um,un,usertype}* +rm -rf %{buildroot}%{_pam_moduledir}/pam_{a,b,c,d,e,f,g,h,j,k,l,m,n,o,p,q,r,s,v,w,x,y,z,time.,tt,um,un,usertype}* %else # Delete files for extra package rm -rf %{buildroot}{%{_pam_moduledir}/pam_issue.so,%{_pam_moduledir}/pam_timestamp.so,%{_sbindir}/pam_timestamp_check} @@ -419,7 +419,10 @@ done %{_pam_secdistconfdir}/sepermit.conf %endif %{_pam_secdistconfdir}/time.conf +%{_pam_secdistconfdir}/namespace.conf +%{_pam_secdistconfdir}/namespace.init %{_pam_secdistconfdir}/pwhistory.conf +%dir %{_pam_secdistconfdir}/namespace.d %{_libdir}/libpam.so.0 %{_libdir}/libpam.so.%{libpam_so_version} %{_libdir}/libpamc.so.0 @@ -448,6 +451,7 @@ done %{_pam_moduledir}/pam_mail.so %{_pam_moduledir}/pam_mkhomedir.so %{_pam_moduledir}/pam_motd.so +%{_pam_moduledir}/pam_namespace.so %{_pam_moduledir}/pam_nologin.so %{_pam_moduledir}/pam_permit.so %{_pam_moduledir}/pam_pwhistory.so 
@@ -472,10 +476,12 @@ done %{_pam_moduledir}/pam_xauth.so %{_sbindir}/faillock %{_sbindir}/mkhomedir_helper +%{_sbindir}/pam_namespace_helper %{_sbindir}/pwhistory_helper %verify(not mode) %attr(4755,root,shadow) %{_sbindir}/unix_chkpwd %verify(not mode) %attr(4755,root,shadow) %{_sbindir}/unix2_chkpwd %attr(0700,root,root) %{_sbindir}/unix_update +%{_unitdir}/pam_namespace.service %{_tmpfilesdir}/pam.conf %files devel @@ -500,13 +506,8 @@ done %files -n pam-extra %defattr(-,root,root,755) %{_pam_moduledir}/pam_issue.so -%{_pam_moduledir}/pam_namespace.so %{_pam_moduledir}/pam_timestamp.so -%{_sbindir}/pam_namespace_helper %{_sbindir}/pam_timestamp_check -%{_pam_secdistconfdir}/namespace.conf -%{_pam_secdistconfdir}/namespace.init -%{_unitdir}/pam_namespace.service %endif %if %{build_doc} From 2563154862bbcd1ae4bf72a1733ebe7f28803a4fb82a133193d02eb113ce3232 Mon Sep 17 00:00:00 2001 From: Thorsten Kukuk Date: Fri, 19 Jan 2024 11:30:53 +0000 Subject: [PATCH 12/13] OBS-URL: https://build.opensuse.org/package/show/Linux-PAM/pam?expand=0&rev=291 --- pam.spec | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/pam.spec b/pam.spec index a0249b5..423401a 100644 --- a/pam.spec +++ b/pam.spec @@ -351,7 +351,7 @@ echo '.so man8/pam_motd.8' > %{buildroot}%{_mandir}/man5/motd.5 %if !%{build_main} rm -rf %{buildroot}{%{_sysconfdir},%{_distconfdir},%{_sbindir}/{f*,m*,pam_n*,pw*,u*},%{_pam_secconfdir},%{_pam_confdir},%{_datadir}/locale} -rm -rf %{buildroot}{%{_includedir},%{_libdir}/{libpam*,pkgconfig},%{_pam_vendordir},%{_rpmmacrodir},%{_tmpfilesdir}} +rm -rf %{buildroot}{%{_includedir},%{_libdir}/{libpam*,pkgconfig},%{_pam_vendordir},%{_rpmmacrodir},%{_tmpfilesdir},%{_unitdir}/pam_namespace.service} rm -rf %{buildroot}%{_pam_moduledir}/pam_{a,b,c,d,e,f,g,h,j,k,l,m,n,o,p,q,r,s,v,w,x,y,z,time.,tt,um,un,usertype}* %else # Delete files for extra package From 4352831aa4a65a4ed046cce820dafa33f6e45523ce090dee16f76eb8e8337434 Mon Sep 17 00:00:00 2001 
From: Thorsten Kukuk Date: Fri, 19 Jan 2024 13:04:11 +0000 Subject: [PATCH 13/13] - disable-examples.patch OBS-URL: https://build.opensuse.org/package/show/Linux-PAM/pam?expand=0&rev=292 --- pam.changes | 1 + 1 file changed, 1 insertion(+) diff --git a/pam.changes b/pam.changes index 7dd6086..96b4404 100644 --- a/pam.changes +++ b/pam.changes @@ -54,6 +54,7 @@ Fri Jan 19 09:11:30 UTC 2024 - Thorsten Kukuk - pam_access-hostname-debug.patch - pam_shells-fix-econf-memory-leak.patch - pam_shells-fix-econf-memory-leak.patch + - disable-examples.patch - pam-login_defs-check.sh: adjust checksum, SHA_CRYPT_MAX_ROUNDS is no longer used.