Accepting request 917897 from home:jmoellers:branches:Linux-PAM
OBS-URL: https://build.opensuse.org/request/show/917897 OBS-URL: https://build.opensuse.org/package/show/Linux-PAM/pam?expand=0&rev=246
parent
c6cae773e2
commit
dc65a6a40a
@ -1,3 +0,0 @@
|
|||||||
version https://git-lfs.github.com/spec/v1
|
|
||||||
oid sha256:d0fc4ef466d0050f46b0ccd2f73373c60c47454da55f6fb2fd04b0701c73c134
|
|
||||||
size 441632
|
|
@ -1,3 +0,0 @@
|
|||||||
version https://git-lfs.github.com/spec/v1
|
|
||||||
oid sha256:201d40730b1135b1b3cdea09f2c28ac634d73181ccd0172ceddee3649c5792fc
|
|
||||||
size 972964
|
|
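--- /dev/null
+++ b/Linux-PAM-1.5.2-docs.tar.xz
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:bd75b3474dfbed60dff728721c48a6dd88bfea901b607c469bbe5fa5ccc535e4
+size 443276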
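--- /dev/null
+++ b/Linux-PAM-1.5.2-docs.tar.xz.asc
@@ -0,0 +1,16 @@
+-----BEGIN PGP SIGNATURE-----
+
+iQIcBAABCgAGBQJhMg78AAoJEKgEH6g54W429wIP/1FdfjVSygdVkmCSbMl0Dvbp
+7/DOYkDb1W3KSzD4Y0pE76HXAxC5fL32781oioP3vx4YKLfP7VMxHM42ugFhKBcZ
+cdXZGwCHxvbfNesjm++Lg5I0w16Qh9BoJ5UNbcLoIur+bpadmhPorj2SutPY/U9j
+klKESN5AQtdnqUivTWbm4z8CrmZs3NoQTCfkv+ABW33olrj2gJtZucuMjfwDMQFS
+oDikxPUErpz7tUDuWEM5Gp26B9iuz4mX/2pUmta18r0Y6RGSl6QtmjEhTlGR2n5R
+XEDIZX4vLAYzWum63bzJH/xiyoRMur0lO55GSPtpLnLYPdaot8fWYzdpvRdfg7DR
+rristlSYNtRhs3ORbMvvxqgkdzVKa6CLm9WuJiTHPY2dxNP6q8TYdHxyPtrscyz0
+ijhvxAYGHvJ47JESvV16pLaQhTKdVp95aM+pC8A2WfCMZf8WfKM8ZpT9JtZ6tjwC
+wc79KWEX9SARoiqk0ZuqITu1pR9gzzDS5WBehwvJkTFm95PkaxQyPNCYwbUIouUf
+c+mg5u2xaXrR4NWLMZZid0HRivwYb3/nK8hqUqRaUEri2KoSl6N5f8KlNiyLQiUN
+JYB/GRWFueCkGPzuhCREyxdQ0Pxh3H1Us6TLgFHYv/ZdJjYY9GpqLXx7PuoKhZUU
+kfOtmSc7D8FhaXULOtvi
+=ijjK
+-----END PGP SIGNATURE-----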
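--- /dev/null
+++ b/Linux-PAM-1.5.2.tar.xz
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:e4ec7131a91da44512574268f493c6d8ca105c87091691b8e9b56ca685d4f94d
+size 988784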
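--- /dev/null
+++ b/Linux-PAM-1.5.2.tar.xz.asc
@@ -0,0 +1,16 @@
+-----BEGIN PGP SIGNATURE-----
+
+iQIcBAABCgAGBQJhMg48AAoJEKgEH6g54W42TUgP/0feavEYuZpjTWche32Ug2nu
+h6TGQbqkAasDexkHf6S2p+LYbt/6Nl+EpzOtELY/F3qRq8aYgTlHpJETSSBcZ++t
+tIhoaPAhEt+N5vb4YfTQcYIGihdgAzQCj0LViEuG/1PgSUjPdbW8RyvfJTw6I3Ch
+XUulrEwyudPCZHDpdW06DMv2we/7oTzrWHVDEmY/TTFKCvDSuAixLrxZrLO/MRK4
+huhXhe3oGv+TtLCqPcr0nJDTl44XNQOTbP/Dl+EI/5tXlDLXLH+IiPEMvnDRbsdd
+ngqdwM6wsOenEtlcA27YkDID/FRwgGJILKNaaUKSIa/uk8Tzy+Lx0j1wKEmE8P4T
+JI+24IIP5Gw8Sxd+NB8lSjtHXlyJF8psAFRWnTb67mgVTXruDXo771Mhqqy2Vu74
+sjf03w6jYrcGGKHlr7Q08jncghmMHFdW6jAcOG02oNO1oNrSu67MjAIqFox36Byu
+FmCajrGBwCR6bWmHCFRGT9qESWg9zRjPL7vkVBmAQg4J4og8FExUi8wBqt1zFH8W
+vGTgCDB/Oue3nYTws27hNKEeYumA8emOHyCG4n80vyA6DbRp+7nrtcDnJQir0lzf
+8UfWxooIJNqFH9ohnAqMTqJbKJkjLswLnTVpuyJvgzDwGl4sdSvIToxTo/2jp2W+
+q1y3BpSxAA1wOd9/mTM+
+=KMIz
+-----END PGP SIGNATURE-----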
@ -1,90 +0,0 @@
|
|||||||
From c4dbba499f335ad88536244254d2d444b8e1c17c Mon Sep 17 00:00:00 2001
|
|
||||||
From: Tomas Mraz <tmraz@fedoraproject.org>
|
|
||||||
Date: Tue, 6 Apr 2021 12:27:38 +0200
|
|
||||||
Subject: [PATCH] pam_access: clean up the remote host matching code
|
|
||||||
|
|
||||||
* modules/pam_access/pam_access.c (from_match): Split out remote_match()
|
|
||||||
function and avoid calling it when matching against LOCAL keyword.
|
|
||||||
There is also no point in doing domain match against TTY or SERVICE.
|
|
||||||
---
|
|
||||||
modules/pam_access/pam_access.c | 42 +++++++++++++++++++++------------
|
|
||||||
1 file changed, 27 insertions(+), 15 deletions(-)
|
|
||||||
|
|
||||||
diff --git a/modules/pam_access/pam_access.c b/modules/pam_access/pam_access.c
|
|
||||||
index 98848c54..b493c7bd 100644
|
|
||||||
--- a/modules/pam_access/pam_access.c
|
|
||||||
+++ b/modules/pam_access/pam_access.c
|
|
||||||
@@ -160,6 +160,7 @@ static int list_match (pam_handle_t *, char *, char *, struct login_info *,
|
|
||||||
static int user_match (pam_handle_t *, char *, struct login_info *);
|
|
||||||
static int group_match (pam_handle_t *, const char *, const char *, int);
|
|
||||||
static int from_match (pam_handle_t *, char *, struct login_info *);
|
|
||||||
+static int remote_match (pam_handle_t *, char *, struct login_info *);
|
|
||||||
static int string_match (pam_handle_t *, const char *, const char *, int);
|
|
||||||
static int network_netmask_match (pam_handle_t *, const char *, const char *, struct login_info *);
|
|
||||||
|
|
||||||
@@ -589,11 +590,9 @@ group_match (pam_handle_t *pamh, const char *tok, const char* usr,
|
|
||||||
/* from_match - match a host or tty against a list of tokens */
|
|
||||||
|
|
||||||
static int
|
|
||||||
-from_match (pam_handle_t *pamh UNUSED, char *tok, struct login_info *item)
|
|
||||||
+from_match (pam_handle_t *pamh, char *tok, struct login_info *item)
|
|
||||||
{
|
|
||||||
const char *string = item->from;
|
|
||||||
- int tok_len;
|
|
||||||
- int str_len;
|
|
||||||
int rv;
|
|
||||||
|
|
||||||
if (item->debug)
|
|
||||||
@@ -616,13 +615,28 @@ from_match (pam_handle_t *pamh UNUSED, char *tok, struct login_info *item)
|
|
||||||
} else if ((rv = string_match(pamh, tok, string, item->debug)) != NO) {
|
|
||||||
/* ALL or exact match */
|
|
||||||
return rv;
|
|
||||||
- } else if (tok[0] == '.') { /* domain: match last fields */
|
|
||||||
- if ((str_len = strlen(string)) > (tok_len = strlen(tok))
|
|
||||||
- && strcasecmp(tok, string + str_len - tok_len) == 0)
|
|
||||||
- return (YES);
|
|
||||||
- } else if (item->from_remote_host == 0) { /* local: no PAM_RHOSTS */
|
|
||||||
- if (strcasecmp(tok, "LOCAL") == 0)
|
|
||||||
- return (YES);
|
|
||||||
+ } else if (strcasecmp(tok, "LOCAL") == 0) {
|
|
||||||
+ /* LOCAL matches only local accesses */
|
|
||||||
+ if (!item->from_remote_host)
|
|
||||||
+ return YES;
|
|
||||||
+ return NO;
|
|
||||||
+ } else if (item->from_remote_host) {
|
|
||||||
+ return remote_match(pamh, tok, item);
|
|
||||||
+ }
|
|
||||||
+ return NO;
|
|
||||||
+}
|
|
||||||
+
|
|
||||||
+static int
|
|
||||||
+remote_match (pam_handle_t *pamh, char *tok, struct login_info *item)
|
|
||||||
+{
|
|
||||||
+ const char *string = item->from;
|
|
||||||
+ size_t tok_len = strlen(tok);
|
|
||||||
+ size_t str_len;
|
|
||||||
+
|
|
||||||
+ if (tok[0] == '.') { /* domain: match last fields */
|
|
||||||
+ if ((str_len = strlen(string)) > tok_len
|
|
||||||
+ && strcasecmp(tok, string + str_len - tok_len) == 0)
|
|
||||||
+ return YES;
|
|
||||||
} else if (tok[(tok_len = strlen(tok)) - 1] == '.') {
|
|
||||||
struct addrinfo hint;
|
|
||||||
|
|
||||||
@@ -661,13 +675,11 @@ from_match (pam_handle_t *pamh UNUSED, char *tok, struct login_info *item)
|
|
||||||
runp = runp->ai_next;
|
|
||||||
}
|
|
||||||
}
|
|
||||||
- } else {
|
|
||||||
- /* Assume network/netmask with a IP of a host. */
|
|
||||||
- if (network_netmask_match(pamh, tok, string, item))
|
|
||||||
- return YES;
|
|
||||||
+ return NO;
|
|
||||||
}
|
|
||||||
|
|
||||||
- return NO;
|
|
||||||
+ /* Assume network/netmask with an IP of a host. */
|
|
||||||
+ return network_netmask_match(pamh, tok, string, item);
|
|
||||||
}
|
|
||||||
|
|
||||||
/* string_match - match a string against one token */
|
|
4980
openSUSE_Tumbleweed-x86_64.bl
Normal file
@ -1,755 +0,0 @@
|
|||||||
Index: Linux-PAM-1.5.1/doc/sag/Linux-PAM_SAG.txt
|
|
||||||
===================================================================
|
|
||||||
--- Linux-PAM-1.5.1.orig/doc/sag/Linux-PAM_SAG.txt
|
|
||||||
+++ Linux-PAM-1.5.1/doc/sag/Linux-PAM_SAG.txt
|
|
||||||
@@ -2171,6 +2171,9 @@ The fields listed above should be filled
|
|
||||||
All items support the values -1, unlimited or infinity indicating no limit,
|
|
||||||
except for priority, nice, and nonewprivs.
|
|
||||||
|
|
||||||
+If nofile is to be set to one of these values,
|
|
||||||
+it will be set to the contents of /proc/sys/fs/nr_open instead (see setrlimit(3)).
|
|
||||||
+
|
|
||||||
If a hard limit or soft limit of a resource is set to a valid value, but
|
|
||||||
outside of the supported range of the local system, the system may reject the
|
|
||||||
new limit or unexpected behavior may occur. If the control value required is
|
|
||||||
Index: Linux-PAM-1.5.1/doc/sag/html/sag-pam_limits.html
|
|
||||||
===================================================================
|
|
||||||
--- Linux-PAM-1.5.1.orig/doc/sag/html/sag-pam_limits.html
|
|
||||||
+++ Linux-PAM-1.5.1/doc/sag/html/sag-pam_limits.html
|
|
||||||
@@ -104,6 +104,9 @@
|
|
||||||
<span class="emphasis"><em>unlimited</em></span> or <span class="emphasis"><em>infinity</em></span> indicating no limit,
|
|
||||||
except for <span class="emphasis"><em>priority</em></span>, <span class="emphasis"><em>nice</em></span>,
|
|
||||||
and <span class="emphasis"><em>nonewprivs</em></span>.
|
|
||||||
+ If <span class="emphasis"><em>nofile</em></span> is to be set to one of these values,
|
|
||||||
+ it will be set to the contents of <em class="replaceable"><code>/proc/sys/fs/nr_open</code></em> instead
|
|
||||||
+ (see <span class="citerefentry"><span class="refentrytitle">setrlimit</span>(3)</span>).
|
|
||||||
</p><p>
|
|
||||||
If a hard limit or soft limit of a resource is set to a valid value,
|
|
||||||
but outside of the supported range of the local system, the system
|
|
||||||
Index: Linux-PAM-1.5.1/modules/pam_limits/limits.conf.5
|
|
||||||
===================================================================
|
|
||||||
--- Linux-PAM-1.5.1.orig/modules/pam_limits/limits.conf.5
|
|
||||||
+++ Linux-PAM-1.5.1/modules/pam_limits/limits.conf.5
|
|
||||||
@@ -290,6 +290,8 @@ indicating no limit, except for
|
|
||||||
\fBpriority\fR,
|
|
||||||
\fBnice\fR, and
|
|
||||||
\fBnonewprivs\fR\&.
|
|
||||||
+If \fBnofile\fP is to be set to one of these values,
|
|
||||||
+it will be set to the contents of \fI/proc/sys/fs/nr_open\fP instead (see \fBsetrlimit\fP(3))\&.
|
|
||||||
.PP
|
|
||||||
If a hard limit or soft limit of a resource is set to a valid value, but outside of the supported range of the local system, the system may reject the new limit or unexpected behavior may occur\&. If the control value
|
|
||||||
\fIrequired\fR
|
|
||||||
Index: Linux-PAM-1.5.1/modules/pam_limits/limits.conf.5.xml
|
|
||||||
===================================================================
|
|
||||||
--- Linux-PAM-1.5.1.orig/modules/pam_limits/limits.conf.5.xml
|
|
||||||
+++ Linux-PAM-1.5.1/modules/pam_limits/limits.conf.5.xml
|
|
||||||
@@ -283,6 +283,8 @@
|
|
||||||
<emphasis>unlimited</emphasis> or <emphasis>infinity</emphasis> indicating no limit,
|
|
||||||
except for <emphasis remap='B'>priority</emphasis>, <emphasis remap='B'>nice</emphasis>,
|
|
||||||
and <emphasis remap='B'>nonewprivs</emphasis>.
|
|
||||||
+ If <emphasis remap='B'>nofile</emphasis> is to be set to one of these values,
|
|
||||||
+ it will be set to the contents of /proc/sys/fs/nr_open instead (see setrlimit(3)).
|
|
||||||
</para>
|
|
||||||
<para>
|
|
||||||
If a hard limit or soft limit of a resource is set to a valid value,
|
|
||||||
Index: Linux-PAM-1.5.1/modules/pam_limits/pam_limits.c
|
|
||||||
===================================================================
|
|
||||||
--- Linux-PAM-1.5.1.orig/modules/pam_limits/pam_limits.c
|
|
||||||
+++ Linux-PAM-1.5.1/modules/pam_limits/pam_limits.c
|
|
||||||
@@ -228,21 +228,21 @@ rlimit2str (int i)
|
|
||||||
/* Counts the number of user logins and check against the limit*/
|
|
||||||
static int
|
|
||||||
check_logins (pam_handle_t *pamh, const char *name, int limit, int ctrl,
|
|
||||||
- struct pam_limit_s *pl)
|
|
||||||
+ struct pam_limit_s *pl)
|
|
||||||
{
|
|
||||||
struct utmp *ut;
|
|
||||||
int count;
|
|
||||||
|
|
||||||
if (ctrl & PAM_DEBUG_ARG) {
|
|
||||||
- pam_syslog(pamh, LOG_DEBUG,
|
|
||||||
+ pam_syslog(pamh, LOG_DEBUG,
|
|
||||||
"checking logins for '%s' (maximum of %d)", name, limit);
|
|
||||||
}
|
|
||||||
|
|
||||||
if (limit < 0)
|
|
||||||
- return 0; /* no limits imposed */
|
|
||||||
+ return 0; /* no limits imposed */
|
|
||||||
if (limit == 0) /* maximum 0 logins ? */ {
|
|
||||||
- pam_syslog(pamh, LOG_WARNING, "No logins allowed for '%s'", name);
|
|
||||||
- return LOGIN_ERR;
|
|
||||||
+ pam_syslog(pamh, LOG_WARNING, "No logins allowed for '%s'", name);
|
|
||||||
+ return LOGIN_ERR;
|
|
||||||
}
|
|
||||||
|
|
||||||
setutent();
|
|
||||||
@@ -265,14 +265,14 @@ check_logins (pam_handle_t *pamh, const
|
|
||||||
|
|
||||||
while((ut = getutent())) {
|
|
||||||
#ifdef USER_PROCESS
|
|
||||||
- if (ut->ut_type != USER_PROCESS) {
|
|
||||||
- continue;
|
|
||||||
+ if (ut->ut_type != USER_PROCESS) {
|
|
||||||
+ continue;
|
|
||||||
}
|
|
||||||
#endif
|
|
||||||
- if (ut->UT_USER[0] == '\0') {
|
|
||||||
- continue;
|
|
||||||
+ if (ut->UT_USER[0] == '\0') {
|
|
||||||
+ continue;
|
|
||||||
}
|
|
||||||
- if (!pl->flag_numsyslogins) {
|
|
||||||
+ if (!pl->flag_numsyslogins) {
|
|
||||||
char user[sizeof(ut->UT_USER) + 1];
|
|
||||||
user[0] = '\0';
|
|
||||||
strncat(user, ut->UT_USER, sizeof(ut->UT_USER));
|
|
||||||
@@ -281,11 +281,11 @@ check_logins (pam_handle_t *pamh, const
|
|
||||||
|| (pl->login_limit_def == LIMITS_DEF_GROUP)
|
|
||||||
|| (pl->login_limit_def == LIMITS_DEF_DEFAULT))
|
|
||||||
&& strcmp(name, user) != 0) {
|
|
||||||
- continue;
|
|
||||||
+ continue;
|
|
||||||
}
|
|
||||||
if ((pl->login_limit_def == LIMITS_DEF_ALLGROUP)
|
|
||||||
&& !pam_modutil_user_in_group_nam_nam(pamh, user, pl->login_group)) {
|
|
||||||
- continue;
|
|
||||||
+ continue;
|
|
||||||
}
|
|
||||||
if (kill(ut->ut_pid, 0) == -1 && errno == ESRCH) {
|
|
||||||
/* process does not exist anymore */
|
|
||||||
@@ -307,50 +307,50 @@ check_logins (pam_handle_t *pamh, const
|
|
||||||
} else {
|
|
||||||
pam_syslog(pamh, LOG_NOTICE, "Too many system logins (max %d)", limit);
|
|
||||||
}
|
|
||||||
- return LOGIN_ERR;
|
|
||||||
+ return LOGIN_ERR;
|
|
||||||
}
|
|
||||||
return 0;
|
|
||||||
}
|
|
||||||
|
|
||||||
static const char *lnames[RLIM_NLIMITS] = {
|
|
||||||
- [RLIMIT_CPU] = "Max cpu time",
|
|
||||||
- [RLIMIT_FSIZE] = "Max file size",
|
|
||||||
- [RLIMIT_DATA] = "Max data size",
|
|
||||||
- [RLIMIT_STACK] = "Max stack size",
|
|
||||||
- [RLIMIT_CORE] = "Max core file size",
|
|
||||||
- [RLIMIT_RSS] = "Max resident set",
|
|
||||||
- [RLIMIT_NPROC] = "Max processes",
|
|
||||||
- [RLIMIT_NOFILE] = "Max open files",
|
|
||||||
- [RLIMIT_MEMLOCK] = "Max locked memory",
|
|
||||||
+ [RLIMIT_CPU] = "Max cpu time",
|
|
||||||
+ [RLIMIT_FSIZE] = "Max file size",
|
|
||||||
+ [RLIMIT_DATA] = "Max data size",
|
|
||||||
+ [RLIMIT_STACK] = "Max stack size",
|
|
||||||
+ [RLIMIT_CORE] = "Max core file size",
|
|
||||||
+ [RLIMIT_RSS] = "Max resident set",
|
|
||||||
+ [RLIMIT_NPROC] = "Max processes",
|
|
||||||
+ [RLIMIT_NOFILE] = "Max open files",
|
|
||||||
+ [RLIMIT_MEMLOCK] = "Max locked memory",
|
|
||||||
#ifdef RLIMIT_AS
|
|
||||||
- [RLIMIT_AS] = "Max address space",
|
|
||||||
+ [RLIMIT_AS] = "Max address space",
|
|
||||||
#endif
|
|
||||||
#ifdef RLIMIT_LOCKS
|
|
||||||
- [RLIMIT_LOCKS] = "Max file locks",
|
|
||||||
+ [RLIMIT_LOCKS] = "Max file locks",
|
|
||||||
#endif
|
|
||||||
#ifdef RLIMIT_SIGPENDING
|
|
||||||
- [RLIMIT_SIGPENDING] = "Max pending signals",
|
|
||||||
+ [RLIMIT_SIGPENDING] = "Max pending signals",
|
|
||||||
#endif
|
|
||||||
#ifdef RLIMIT_MSGQUEUE
|
|
||||||
- [RLIMIT_MSGQUEUE] = "Max msgqueue size",
|
|
||||||
+ [RLIMIT_MSGQUEUE] = "Max msgqueue size",
|
|
||||||
#endif
|
|
||||||
#ifdef RLIMIT_NICE
|
|
||||||
- [RLIMIT_NICE] = "Max nice priority",
|
|
||||||
+ [RLIMIT_NICE] = "Max nice priority",
|
|
||||||
#endif
|
|
||||||
#ifdef RLIMIT_RTPRIO
|
|
||||||
- [RLIMIT_RTPRIO] = "Max realtime priority",
|
|
||||||
+ [RLIMIT_RTPRIO] = "Max realtime priority",
|
|
||||||
#endif
|
|
||||||
#ifdef RLIMIT_RTTIME
|
|
||||||
- [RLIMIT_RTTIME] = "Max realtime timeout",
|
|
||||||
+ [RLIMIT_RTTIME] = "Max realtime timeout",
|
|
||||||
#endif
|
|
||||||
};
|
|
||||||
|
|
||||||
static int str2rlimit(char *name) {
|
|
||||||
int i;
|
|
||||||
if (!name || *name == '\0')
|
|
||||||
- return -1;
|
|
||||||
+ return -1;
|
|
||||||
for(i = 0; i < RLIM_NLIMITS; i++) {
|
|
||||||
- if (strcmp(name, lnames[i]) == 0) return i;
|
|
||||||
+ if (strcmp(name, lnames[i]) == 0) return i;
|
|
||||||
}
|
|
||||||
return -1;
|
|
||||||
}
|
|
||||||
@@ -360,25 +360,25 @@ static rlim_t str2rlim_t(char *value) {
|
|
||||||
|
|
||||||
if (!value) return (rlim_t)rlimit;
|
|
||||||
if (strcmp(value, "unlimited") == 0) {
|
|
||||||
- return RLIM_INFINITY;
|
|
||||||
+ return RLIM_INFINITY;
|
|
||||||
}
|
|
||||||
rlimit = strtoull(value, NULL, 10);
|
|
||||||
return (rlim_t)rlimit;
|
|
||||||
}
|
|
||||||
|
|
||||||
#define LIMITS_SKIP_WHITESPACE { \
|
|
||||||
- /* step backwards over spaces */ \
|
|
||||||
- pos--; \
|
|
||||||
- while (pos && line[pos] == ' ') pos--; \
|
|
||||||
- if (!pos) continue; \
|
|
||||||
- line[pos+1] = '\0'; \
|
|
||||||
+ /* step backwards over spaces */ \
|
|
||||||
+ pos--; \
|
|
||||||
+ while (pos && line[pos] == ' ') pos--; \
|
|
||||||
+ if (!pos) continue; \
|
|
||||||
+ line[pos+1] = '\0'; \
|
|
||||||
}
|
|
||||||
#define LIMITS_MARK_ITEM(item) { \
|
|
||||||
- /* step backwards over non-spaces */ \
|
|
||||||
- pos--; \
|
|
||||||
- while (pos && line[pos] != ' ') pos--; \
|
|
||||||
- if (!pos) continue; \
|
|
||||||
- item = line + pos + 1; \
|
|
||||||
+ /* step backwards over non-spaces */ \
|
|
||||||
+ pos--; \
|
|
||||||
+ while (pos && line[pos] != ' ') pos--; \
|
|
||||||
+ if (!pos) continue; \
|
|
||||||
+ item = line + pos + 1; \
|
|
||||||
}
|
|
||||||
|
|
||||||
static void parse_kernel_limits(pam_handle_t *pamh, struct pam_limit_s *pl, int ctrl)
|
|
||||||
@@ -390,54 +390,54 @@ static void parse_kernel_limits(pam_hand
|
|
||||||
char *hard, *soft, *name;
|
|
||||||
|
|
||||||
if (!(limitsfile = fopen(proclimits, "r"))) {
|
|
||||||
- pam_syslog(pamh, LOG_WARNING, "Could not read %s (%s), using PAM defaults", proclimits, strerror(errno));
|
|
||||||
- return;
|
|
||||||
+ pam_syslog(pamh, LOG_WARNING, "Could not read %s (%s), using PAM defaults", proclimits, strerror(errno));
|
|
||||||
+ return;
|
|
||||||
}
|
|
||||||
|
|
||||||
while (fgets(line, 256, limitsfile)) {
|
|
||||||
- int pos = strlen(line);
|
|
||||||
- if (pos < 2) continue;
|
|
||||||
+ int pos = strlen(line);
|
|
||||||
+ if (pos < 2) continue;
|
|
||||||
+
|
|
||||||
+ /* drop trailing newline */
|
|
||||||
+ if (line[pos-1] == '\n') {
|
|
||||||
+ pos--;
|
|
||||||
+ line[pos] = '\0';
|
|
||||||
+ }
|
|
||||||
|
|
||||||
- /* drop trailing newline */
|
|
||||||
- if (line[pos-1] == '\n') {
|
|
||||||
- pos--;
|
|
||||||
- line[pos] = '\0';
|
|
||||||
- }
|
|
||||||
-
|
|
||||||
- /* determine formatting boundary of limits report */
|
|
||||||
- if (!maxlen && pam_str_skip_prefix(line, "Limit") != NULL) {
|
|
||||||
- maxlen = pos;
|
|
||||||
- continue;
|
|
||||||
- }
|
|
||||||
-
|
|
||||||
- if (pos == maxlen) {
|
|
||||||
- /* step backwards over "Units" name */
|
|
||||||
- LIMITS_SKIP_WHITESPACE;
|
|
||||||
- LIMITS_MARK_ITEM(hard); /* not a typo, units unused */
|
|
||||||
- }
|
|
||||||
-
|
|
||||||
- /* step backwards over "Hard Limit" value */
|
|
||||||
- LIMITS_SKIP_WHITESPACE;
|
|
||||||
- LIMITS_MARK_ITEM(hard);
|
|
||||||
-
|
|
||||||
- /* step backwards over "Soft Limit" value */
|
|
||||||
- LIMITS_SKIP_WHITESPACE;
|
|
||||||
- LIMITS_MARK_ITEM(soft);
|
|
||||||
-
|
|
||||||
- /* step backwards over name of limit */
|
|
||||||
- LIMITS_SKIP_WHITESPACE;
|
|
||||||
- name = line;
|
|
||||||
-
|
|
||||||
- i = str2rlimit(name);
|
|
||||||
- if (i < 0 || i >= RLIM_NLIMITS) {
|
|
||||||
- if (ctrl & PAM_DEBUG_ARG)
|
|
||||||
- pam_syslog(pamh, LOG_DEBUG, "Unknown kernel rlimit '%s' ignored", name);
|
|
||||||
- continue;
|
|
||||||
- }
|
|
||||||
- pl->limits[i].limit.rlim_cur = str2rlim_t(soft);
|
|
||||||
- pl->limits[i].limit.rlim_max = str2rlim_t(hard);
|
|
||||||
- pl->limits[i].src_soft = LIMITS_DEF_KERNEL;
|
|
||||||
- pl->limits[i].src_hard = LIMITS_DEF_KERNEL;
|
|
||||||
+ /* determine formatting boundary of limits report */
|
|
||||||
+ if (!maxlen && pam_str_skip_prefix(line, "Limit") != NULL) {
|
|
||||||
+ maxlen = pos;
|
|
||||||
+ continue;
|
|
||||||
+ }
|
|
||||||
+
|
|
||||||
+ if (pos == maxlen) {
|
|
||||||
+ /* step backwards over "Units" name */
|
|
||||||
+ LIMITS_SKIP_WHITESPACE;
|
|
||||||
+ LIMITS_MARK_ITEM(hard); /* not a typo, units unused */
|
|
||||||
+ }
|
|
||||||
+
|
|
||||||
+ /* step backwards over "Hard Limit" value */
|
|
||||||
+ LIMITS_SKIP_WHITESPACE;
|
|
||||||
+ LIMITS_MARK_ITEM(hard);
|
|
||||||
+
|
|
||||||
+ /* step backwards over "Soft Limit" value */
|
|
||||||
+ LIMITS_SKIP_WHITESPACE;
|
|
||||||
+ LIMITS_MARK_ITEM(soft);
|
|
||||||
+
|
|
||||||
+ /* step backwards over name of limit */
|
|
||||||
+ LIMITS_SKIP_WHITESPACE;
|
|
||||||
+ name = line;
|
|
||||||
+
|
|
||||||
+ i = str2rlimit(name);
|
|
||||||
+ if (i < 0 || i >= RLIM_NLIMITS) {
|
|
||||||
+ if (ctrl & PAM_DEBUG_ARG)
|
|
||||||
+ pam_syslog(pamh, LOG_DEBUG, "Unknown kernel rlimit '%s' ignored", name);
|
|
||||||
+ continue;
|
|
||||||
+ }
|
|
||||||
+ pl->limits[i].limit.rlim_cur = str2rlim_t(soft);
|
|
||||||
+ pl->limits[i].limit.rlim_max = str2rlim_t(hard);
|
|
||||||
+ pl->limits[i].src_soft = LIMITS_DEF_KERNEL;
|
|
||||||
+ pl->limits[i].src_hard = LIMITS_DEF_KERNEL;
|
|
||||||
}
|
|
||||||
fclose(limitsfile);
|
|
||||||
}
|
|
||||||
@@ -486,6 +486,54 @@ static int init_limits(pam_handle_t *pam
|
|
||||||
|
|
||||||
return retval;
|
|
||||||
}
|
|
||||||
+/*
|
|
||||||
+ * Read the contents of /proc/sys/fs/<name>
|
|
||||||
+ * return 1 if conversion succeeds, result is in *valuep
|
|
||||||
+ * return 0 if conversion fails.
|
|
||||||
+ */
|
|
||||||
+static int
|
|
||||||
+value_from_proc_sys_fs(const pam_handle_t *pamh, const char *name, rlim_t *valuep)
|
|
||||||
+{
|
|
||||||
+ char pathname[128];
|
|
||||||
+ char buf[128];
|
|
||||||
+ FILE *fp;
|
|
||||||
+ int retval;
|
|
||||||
+
|
|
||||||
+ retval = 0;
|
|
||||||
+
|
|
||||||
+ snprintf(pathname, sizeof(pathname), "/proc/sys/fs/%s", name);
|
|
||||||
+
|
|
||||||
+ if ((fp = fopen(pathname, "r")) != NULL) {
|
|
||||||
+ if (fgets(buf, sizeof(buf), fp) != NULL) {
|
|
||||||
+ char *endptr;
|
|
||||||
+
|
|
||||||
+#ifdef __USE_FILE_OFFSET64
|
|
||||||
+ *valuep = strtoull(buf, &endptr, 10);
|
|
||||||
+#else
|
|
||||||
+ *valuep = strtoul(buf, &endptr, 10);
|
|
||||||
+#endif
|
|
||||||
+
|
|
||||||
+ retval = (endptr != buf);
|
|
||||||
+ }
|
|
||||||
+
|
|
||||||
+ fclose(fp);
|
|
||||||
+ }
|
|
||||||
+
|
|
||||||
+ return retval;
|
|
||||||
+}
|
|
||||||
+
|
|
||||||
+/*
|
|
||||||
+ * Check if the string passed as the argument corresponds to
|
|
||||||
+ * "unlimited"
|
|
||||||
+ */
|
|
||||||
+static inline int
|
|
||||||
+is_unlimited(const char *lim_value)
|
|
||||||
+{
|
|
||||||
+ return strcmp(lim_value, "-1") == 0
|
|
||||||
+ || strcmp(lim_value, "-") == 0
|
|
||||||
+ || strcmp(lim_value, "unlimited") == 0
|
|
||||||
+ || strcmp(lim_value, "infinity") == 0;
|
|
||||||
+}
|
|
||||||
|
|
||||||
static void
|
|
||||||
process_limit (const pam_handle_t *pamh, int source, const char *lim_type,
|
|
||||||
@@ -505,9 +553,9 @@ process_limit (const pam_handle_t *pamh,
|
|
||||||
limits_def_names[source]);
|
|
||||||
|
|
||||||
if (strcmp(lim_item, "cpu") == 0)
|
|
||||||
- limit_item = RLIMIT_CPU;
|
|
||||||
+ limit_item = RLIMIT_CPU;
|
|
||||||
else if (strcmp(lim_item, "fsize") == 0)
|
|
||||||
- limit_item = RLIMIT_FSIZE;
|
|
||||||
+ limit_item = RLIMIT_FSIZE;
|
|
||||||
else if (strcmp(lim_item, "data") == 0)
|
|
||||||
limit_item = RLIMIT_DATA;
|
|
||||||
else if (strcmp(lim_item, "stack") == 0)
|
|
||||||
@@ -557,8 +605,8 @@ process_limit (const pam_handle_t *pamh,
|
|
||||||
} else if (strcmp(lim_item, "nonewprivs") == 0) {
|
|
||||||
limit_item = LIMIT_NONEWPRIVS;
|
|
||||||
} else {
|
|
||||||
- pam_syslog(pamh, LOG_DEBUG, "unknown limit item '%s'", lim_item);
|
|
||||||
- return;
|
|
||||||
+ pam_syslog(pamh, LOG_DEBUG, "unknown limit item '%s'", lim_item);
|
|
||||||
+ return;
|
|
||||||
}
|
|
||||||
|
|
||||||
if (strcmp(lim_type,"soft")==0)
|
|
||||||
@@ -569,9 +617,10 @@ process_limit (const pam_handle_t *pamh,
|
|
||||||
limit_type=LIMIT_SOFT | LIMIT_HARD;
|
|
||||||
else if (limit_item != LIMIT_LOGIN && limit_item != LIMIT_NUMSYSLOGINS
|
|
||||||
&& limit_item != LIMIT_NONEWPRIVS) {
|
|
||||||
- pam_syslog(pamh, LOG_DEBUG, "unknown limit type '%s'", lim_type);
|
|
||||||
- return;
|
|
||||||
+ pam_syslog(pamh, LOG_DEBUG, "unknown limit type '%s'", lim_type);
|
|
||||||
+ return;
|
|
||||||
}
|
|
||||||
+
|
|
||||||
if (limit_item == LIMIT_NONEWPRIVS) {
|
|
||||||
/* just require a bool-style 0 or 1 */
|
|
||||||
if (strcmp(lim_value, "0") == 0) {
|
|
||||||
@@ -587,9 +636,7 @@ process_limit (const pam_handle_t *pamh,
|
|
||||||
#ifdef RLIMIT_NICE
|
|
||||||
&& limit_item != RLIMIT_NICE
|
|
||||||
#endif
|
|
||||||
- && (strcmp(lim_value, "-1") == 0
|
|
||||||
- || strcmp(lim_value, "-") == 0 || strcmp(lim_value, "unlimited") == 0
|
|
||||||
- || strcmp(lim_value, "infinity") == 0)) {
|
|
||||||
+ && is_unlimited(lim_value)) {
|
|
||||||
int_value = -1;
|
|
||||||
rlimit_value = RLIM_INFINITY;
|
|
||||||
} else if (limit_item == LIMIT_PRI || limit_item == LIMIT_LOGIN ||
|
|
||||||
@@ -605,7 +652,7 @@ process_limit (const pam_handle_t *pamh,
|
|
||||||
pam_syslog(pamh, LOG_DEBUG,
|
|
||||||
"wrong limit value '%s' for limit type '%s'",
|
|
||||||
lim_value, lim_type);
|
|
||||||
- return;
|
|
||||||
+ return;
|
|
||||||
}
|
|
||||||
} else {
|
|
||||||
#ifdef __USE_FILE_OFFSET64
|
|
||||||
@@ -631,7 +678,7 @@ process_limit (const pam_handle_t *pamh,
|
|
||||||
}
|
|
||||||
|
|
||||||
switch(limit_item) {
|
|
||||||
- case RLIMIT_CPU:
|
|
||||||
+ case RLIMIT_CPU:
|
|
||||||
if (rlimit_value != RLIM_INFINITY)
|
|
||||||
{
|
|
||||||
if (rlimit_value >= RLIM_INFINITY/60)
|
|
||||||
@@ -639,17 +686,17 @@ process_limit (const pam_handle_t *pamh,
|
|
||||||
else
|
|
||||||
rlimit_value *= 60;
|
|
||||||
}
|
|
||||||
- break;
|
|
||||||
- case RLIMIT_FSIZE:
|
|
||||||
- case RLIMIT_DATA:
|
|
||||||
- case RLIMIT_STACK:
|
|
||||||
- case RLIMIT_CORE:
|
|
||||||
- case RLIMIT_RSS:
|
|
||||||
- case RLIMIT_MEMLOCK:
|
|
||||||
+ break;
|
|
||||||
+ case RLIMIT_FSIZE:
|
|
||||||
+ case RLIMIT_DATA:
|
|
||||||
+ case RLIMIT_STACK:
|
|
||||||
+ case RLIMIT_CORE:
|
|
||||||
+ case RLIMIT_RSS:
|
|
||||||
+ case RLIMIT_MEMLOCK:
|
|
||||||
#ifdef RLIMIT_AS
|
|
||||||
- case RLIMIT_AS:
|
|
||||||
+ case RLIMIT_AS:
|
|
||||||
#endif
|
|
||||||
- if (rlimit_value != RLIM_INFINITY)
|
|
||||||
+ if (rlimit_value != RLIM_INFINITY)
|
|
||||||
{
|
|
||||||
if (rlimit_value >= RLIM_INFINITY/1024)
|
|
||||||
rlimit_value = RLIM_INFINITY;
|
|
||||||
@@ -664,29 +711,42 @@ process_limit (const pam_handle_t *pamh,
|
|
||||||
if (int_value < -20)
|
|
||||||
int_value = -20;
|
|
||||||
rlimit_value = 20 - int_value;
|
|
||||||
- break;
|
|
||||||
+ break;
|
|
||||||
#endif
|
|
||||||
+ case RLIMIT_NOFILE:
|
|
||||||
+ /*
|
|
||||||
+ * If nofile is to be set to "unlimited", try to set it to
|
|
||||||
+ * the value in /proc/sys/fs/nr_open instead.
|
|
||||||
+ */
|
|
||||||
+ if (rlimit_value == RLIM_INFINITY) {
|
|
||||||
+ if (!value_from_proc_sys_fs(pamh, "nr_open", &rlimit_value))
|
|
||||||
+ pam_syslog(pamh, LOG_DEBUG,
|
|
||||||
+ "Cannot set \"nofile\" to a sensible value");
|
|
||||||
+ else
|
|
||||||
+ pam_syslog(pamh, LOG_WARNING, "Setting \"nofile\" limit to %lu", (long unsigned) rlimit_value);
|
|
||||||
+ }
|
|
||||||
+ break;
|
|
||||||
}
|
|
||||||
|
|
||||||
if ( (limit_item != LIMIT_LOGIN)
|
|
||||||
&& (limit_item != LIMIT_NUMSYSLOGINS)
|
|
||||||
&& (limit_item != LIMIT_PRI)
|
|
||||||
&& (limit_item != LIMIT_NONEWPRIVS) ) {
|
|
||||||
- if (limit_type & LIMIT_SOFT) {
|
|
||||||
+ if (limit_type & LIMIT_SOFT) {
|
|
||||||
if (pl->limits[limit_item].src_soft < source) {
|
|
||||||
- return;
|
|
||||||
+ return;
|
|
||||||
} else {
|
|
||||||
- pl->limits[limit_item].limit.rlim_cur = rlimit_value;
|
|
||||||
- pl->limits[limit_item].src_soft = source;
|
|
||||||
- }
|
|
||||||
+ pl->limits[limit_item].limit.rlim_cur = rlimit_value;
|
|
||||||
+ pl->limits[limit_item].src_soft = source;
|
|
||||||
+ }
|
|
||||||
}
|
|
||||||
- if (limit_type & LIMIT_HARD) {
|
|
||||||
+ if (limit_type & LIMIT_HARD) {
|
|
||||||
if (pl->limits[limit_item].src_hard < source) {
|
|
||||||
- return;
|
|
||||||
- } else {
|
|
||||||
- pl->limits[limit_item].limit.rlim_max = rlimit_value;
|
|
||||||
- pl->limits[limit_item].src_hard = source;
|
|
||||||
- }
|
|
||||||
+ return;
|
|
||||||
+ } else {
|
|
||||||
+ pl->limits[limit_item].limit.rlim_max = rlimit_value;
|
|
||||||
+ pl->limits[limit_item].src_hard = source;
|
|
||||||
+ }
|
|
||||||
}
|
|
||||||
} else {
|
|
||||||
/* recent kernels support negative priority limits (=raise priority) */
|
|
||||||
@@ -764,42 +824,42 @@ parse_config_file(pam_handle_t *pamh, co
|
|
||||||
|
|
||||||
/* check for the LIMITS_FILE */
|
|
||||||
if (ctrl & PAM_DEBUG_ARG)
|
|
||||||
- pam_syslog(pamh, LOG_DEBUG, "reading settings from '%s'", CONF_FILE);
|
|
||||||
+ pam_syslog(pamh, LOG_DEBUG, "reading settings from '%s'", CONF_FILE);
|
|
||||||
fil = fopen(CONF_FILE, "r");
|
|
||||||
if (fil == NULL) {
|
|
||||||
- pam_syslog (pamh, LOG_WARNING,
|
|
||||||
+ pam_syslog (pamh, LOG_WARNING,
|
|
||||||
"cannot read settings from %s: %m", CONF_FILE);
|
|
||||||
- return PAM_SERVICE_ERR;
|
|
||||||
+ return PAM_SERVICE_ERR;
|
|
||||||
}
|
|
||||||
|
|
||||||
/* start the show */
|
|
||||||
while (fgets(buf, LINE_LENGTH, fil) != NULL) {
|
|
||||||
- char domain[LINE_LENGTH];
|
|
||||||
- char ltype[LINE_LENGTH];
|
|
||||||
- char item[LINE_LENGTH];
|
|
||||||
- char value[LINE_LENGTH];
|
|
||||||
- int i;
|
|
||||||
- int rngtype;
|
|
||||||
- size_t j;
|
|
||||||
- char *tptr,*line;
|
|
||||||
- uid_t min_uid = (uid_t)-1, max_uid = (uid_t)-1;
|
|
||||||
-
|
|
||||||
- line = buf;
|
|
||||||
- /* skip the leading white space */
|
|
||||||
- while (*line && isspace(*line))
|
|
||||||
- line++;
|
|
||||||
-
|
|
||||||
- /* Rip off the comments */
|
|
||||||
- tptr = strchr(line,'#');
|
|
||||||
- if (tptr)
|
|
||||||
- *tptr = '\0';
|
|
||||||
- /* Rip off the newline char */
|
|
||||||
- tptr = strchr(line,'\n');
|
|
||||||
- if (tptr)
|
|
||||||
- *tptr = '\0';
|
|
||||||
- /* Anything left ? */
|
|
||||||
- if (!strlen(line))
|
|
||||||
- continue;
|
|
||||||
+ char domain[LINE_LENGTH];
|
|
||||||
+ char ltype[LINE_LENGTH];
|
|
||||||
+ char item[LINE_LENGTH];
|
|
||||||
+ char value[LINE_LENGTH];
|
|
||||||
+ int i;
|
|
||||||
+ int rngtype;
|
|
||||||
+ size_t j;
|
|
||||||
+ char *tptr,*line;
|
|
||||||
+ uid_t min_uid = (uid_t)-1, max_uid = (uid_t)-1;
|
|
||||||
+
|
|
||||||
+ line = buf;
|
|
||||||
+ /* skip the leading white space */
|
|
||||||
+ while (*line && isspace(*line))
|
|
||||||
+ line++;
|
|
||||||
+
|
|
||||||
+ /* Rip off the comments */
|
|
||||||
+ tptr = strchr(line,'#');
|
|
||||||
+ if (tptr)
|
|
||||||
+ *tptr = '\0';
|
|
||||||
+ /* Rip off the newline char */
|
|
||||||
+ tptr = strchr(line,'\n');
|
|
||||||
+ if (tptr)
|
|
||||||
+ *tptr = '\0';
|
|
||||||
+ /* Anything left ? */
|
|
||||||
+ if (!strlen(line))
|
|
||||||
+ continue;
|
|
||||||
|
|
||||||
domain[0] = ltype[0] = item[0] = value[0] = '\0';
|
|
||||||
|
|
||||||
@@ -807,23 +867,23 @@ parse_config_file(pam_handle_t *pamh, co
|
|
||||||
D(("scanned line[%d]: domain[%s], ltype[%s], item[%s], value[%s]",
|
|
||||||
i, domain, ltype, item, value));
|
|
||||||
|
|
||||||
- for(j=0; j < strlen(ltype); j++)
|
|
||||||
- ltype[j]=tolower(ltype[j]);
|
|
||||||
+ for(j=0; j < strlen(ltype); j++)
|
|
||||||
+ ltype[j]=tolower(ltype[j]);
|
|
||||||
|
|
||||||
if ((rngtype=parse_uid_range(pamh, domain, &min_uid, &max_uid)) < 0) {
|
|
||||||
pam_syslog(pamh, LOG_WARNING, "invalid uid range '%s' - skipped", domain);
|
|
||||||
continue;
|
|
||||||
}
|
|
||||||
|
|
||||||
- if (i == 4) { /* a complete line */
|
|
||||||
+ if (i == 4) { /* a complete line */
|
|
||||||
for(j=0; j < strlen(item); j++)
|
|
||||||
item[j]=tolower(item[j]);
|
|
||||||
for(j=0; j < strlen(value); j++)
|
|
||||||
value[j]=tolower(value[j]);
|
|
||||||
|
|
||||||
- if (strcmp(uname, domain) == 0) /* this user have a limit */
|
|
||||||
- process_limit(pamh, LIMITS_DEF_USER, ltype, item, value, ctrl, pl);
|
|
||||||
- else if (domain[0]=='@') {
|
|
||||||
+ if (strcmp(uname, domain) == 0) /* this user have a limit */
|
|
||||||
+ process_limit(pamh, LIMITS_DEF_USER, ltype, item, value, ctrl, pl);
|
|
||||||
+ else if (domain[0]=='@') {
|
|
||||||
if (ctrl & PAM_DEBUG_ARG) {
|
|
||||||
pam_syslog(pamh, LOG_DEBUG,
|
|
||||||
"checking if %s is in group %s",
|
|
||||||
@@ -849,7 +909,7 @@ parse_config_file(pam_handle_t *pamh, co
|
|
||||||
process_limit(pamh, LIMITS_DEF_GROUP, ltype, item, value, ctrl,
|
|
||||||
pl);
|
|
||||||
}
|
|
||||||
- } else if (domain[0]=='%') {
|
|
||||||
+ } else if (domain[0]=='%') {
|
|
||||||
if (ctrl & PAM_DEBUG_ARG) {
|
|
||||||
pam_syslog(pamh, LOG_DEBUG,
|
|
||||||
"checking if %s is in group %s",
|
|
||||||
@@ -880,7 +940,7 @@ parse_config_file(pam_handle_t *pamh, co
|
|
||||||
case LIMIT_RANGE_MM:
|
|
||||||
pam_syslog(pamh, LOG_WARNING, "range unsupported for %%group matching - ignored");
|
|
||||||
}
|
|
||||||
- } else {
|
|
||||||
+ } else {
|
|
||||||
switch(rngtype) {
|
|
||||||
case LIMIT_RANGE_NONE:
|
|
||||||
if (strcmp(domain, "*") == 0)
|
|
||||||
@@ -951,8 +1011,8 @@ parse_config_file(pam_handle_t *pamh, co
|
|
||||||
}
|
|
||||||
fclose(fil);
|
|
||||||
return PAM_IGNORE;
|
|
||||||
- } else {
|
|
||||||
- pam_syslog(pamh, LOG_WARNING, "invalid line '%s' - skipped", line);
|
|
||||||
+ } else {
|
|
||||||
+ pam_syslog(pamh, LOG_WARNING, "invalid line '%s' - skipped", line);
|
|
||||||
}
|
|
||||||
}
|
|
||||||
fclose(fil);
|
|
||||||
@@ -979,8 +1039,8 @@ static int setup_limits(pam_handle_t *pa
|
|
||||||
/* skip it if its not initialized */
|
|
||||||
continue;
|
|
||||||
}
|
|
||||||
- if (pl->limits[i].limit.rlim_cur > pl->limits[i].limit.rlim_max)
|
|
||||||
- pl->limits[i].limit.rlim_cur = pl->limits[i].limit.rlim_max;
|
|
||||||
+ if (pl->limits[i].limit.rlim_cur > pl->limits[i].limit.rlim_max)
|
|
||||||
+ pl->limits[i].limit.rlim_cur = pl->limits[i].limit.rlim_max;
|
|
||||||
res = setrlimit(i, &pl->limits[i].limit);
|
|
||||||
if (res != 0)
|
|
||||||
pam_syslog(pamh, LOG_ERR, "Could not set limit for '%s': %m",
|
|
||||||
@@ -989,30 +1049,30 @@ static int setup_limits(pam_handle_t *pa
|
|
||||||
}
|
|
||||||
|
|
||||||
if (status) {
|
|
||||||
- retval = LIMIT_ERR;
|
|
||||||
+ retval = LIMIT_ERR;
|
|
||||||
}
|
|
||||||
|
|
||||||
status = setpriority(PRIO_PROCESS, 0, pl->priority);
|
|
||||||
if (status != 0) {
|
|
||||||
- pam_syslog(pamh, LOG_ERR, "Could not set limit for PRIO_PROCESS: %m");
|
|
||||||
- retval = LIMIT_ERR;
|
|
||||||
+ pam_syslog(pamh, LOG_ERR, "Could not set limit for PRIO_PROCESS: %m");
|
|
||||||
+ retval = LIMIT_ERR;
|
|
||||||
}
|
|
||||||
|
|
||||||
if (uid == 0) {
|
|
||||||
D(("skip login limit check for uid=0"));
|
|
||||||
} else if (pl->login_limit > 0) {
|
|
||||||
- if (check_logins(pamh, uname, pl->login_limit, ctrl, pl) == LOGIN_ERR) {
|
|
||||||
+ if (check_logins(pamh, uname, pl->login_limit, ctrl, pl) == LOGIN_ERR) {
|
|
||||||
#ifdef HAVE_LIBAUDIT
|
|
||||||
if (!(ctrl & PAM_NO_AUDIT)) {
|
|
||||||
pam_modutil_audit_write(pamh, AUDIT_ANOM_LOGIN_SESSIONS,
|
|
||||||
"pam_limits", PAM_PERM_DENIED);
|
|
||||||
/* ignore return value as we fail anyway */
|
|
||||||
- }
|
|
||||||
+ }
|
|
||||||
#endif
|
|
||||||
- retval |= LOGIN_ERR;
|
|
||||||
+ retval |= LOGIN_ERR;
|
|
||||||
}
|
|
||||||
} else if (pl->login_limit == 0) {
|
|
||||||
- retval |= LOGIN_ERR;
|
|
||||||
+ retval |= LOGIN_ERR;
|
|
||||||
}
|
|
||||||
|
|
||||||
if (pl->nonewprivs) {
|
|
||||||
@@ -1049,22 +1109,22 @@ pam_sm_open_session (pam_handle_t *pamh,
|
|
||||||
ctrl = _pam_parse(pamh, argc, argv, pl);
|
|
||||||
retval = pam_get_item( pamh, PAM_USER, (void*) &user_name );
|
|
||||||
if ( user_name == NULL || retval != PAM_SUCCESS ) {
|
|
||||||
- pam_syslog(pamh, LOG_ERR, "open_session - error recovering username");
|
|
||||||
- return PAM_SESSION_ERR;
|
|
||||||
+ pam_syslog(pamh, LOG_ERR, "open_session - error recovering username");
|
|
||||||
+ return PAM_SESSION_ERR;
|
|
||||||
}
|
|
||||||
|
|
||||||
pwd = pam_modutil_getpwnam(pamh, user_name);
|
|
||||||
if (!pwd) {
|
|
||||||
- if (ctrl & PAM_DEBUG_ARG)
|
|
||||||
- pam_syslog(pamh, LOG_WARNING,
|
|
||||||
+ if (ctrl & PAM_DEBUG_ARG)
|
|
||||||
+ pam_syslog(pamh, LOG_WARNING,
|
|
||||||
"open_session username '%s' does not exist", user_name);
|
|
||||||
- return PAM_USER_UNKNOWN;
|
|
||||||
+ return PAM_USER_UNKNOWN;
|
|
||||||
}
|
|
||||||
|
|
||||||
retval = init_limits(pamh, pl, ctrl);
|
|
||||||
if (retval != PAM_SUCCESS) {
|
|
||||||
- pam_syslog(pamh, LOG_ERR, "cannot initialize");
|
|
||||||
- return PAM_ABORT;
|
|
||||||
+ pam_syslog(pamh, LOG_ERR, "cannot initialize");
|
|
||||||
+ return PAM_ABORT;
|
|
||||||
}
|
|
||||||
|
|
||||||
retval = parse_config_file(pamh, pwd->pw_name, pwd->pw_uid, pwd->pw_gid, ctrl, pl);
|
|
||||||
@@ -1099,7 +1159,7 @@ pam_sm_open_session (pam_handle_t *pamh,
|
|
||||||
}
|
|
||||||
if (retval != PAM_SUCCESS)
|
|
||||||
goto out;
|
|
||||||
- }
|
|
||||||
+ }
|
|
||||||
}
|
|
||||||
|
|
||||||
out:
|
|
||||||
@@ -1115,7 +1175,7 @@ out:
|
|
||||||
pam_error(pamh, _("There were too many logins for '%s'."),
|
|
||||||
pwd->pw_name);
|
|
||||||
if (retval != LIMITED_OK) {
|
|
||||||
- return PAM_PERM_DENIED;
|
|
||||||
+ return PAM_PERM_DENIED;
|
|
||||||
}
|
|
||||||
|
|
||||||
return PAM_SUCCESS;
|
|
@ -1,81 +0,0 @@
|
|||||||
Index: Linux-PAM-1.4.0/modules/pam_cracklib/pam_cracklib.c
|
|
||||||
===================================================================
|
|
||||||
--- Linux-PAM-1.4.0.orig/modules/pam_cracklib/pam_cracklib.c
|
|
||||||
+++ Linux-PAM-1.4.0/modules/pam_cracklib/pam_cracklib.c
|
|
||||||
@@ -88,6 +88,7 @@ struct cracklib_options {
|
|
||||||
int reject_user;
|
|
||||||
int gecos_check;
|
|
||||||
int enforce_for_root;
|
|
||||||
+ int user_substr;
|
|
||||||
const char *cracklib_dictpath;
|
|
||||||
};
|
|
||||||
|
|
||||||
@@ -185,6 +186,10 @@ _pam_parse (pam_handle_t *pamh, struct c
|
|
||||||
if (!*(opt->cracklib_dictpath)) {
|
|
||||||
opt->cracklib_dictpath = CRACKLIB_DICTS;
|
|
||||||
}
|
|
||||||
+ } else if ((str = pam_str_skip_prefix(*argv, "usersubstr=")) != NULL) {
|
|
||||||
+ opt->user_substr = strtol(str, &ep, 10);
|
|
||||||
+ if (ep == str)
|
|
||||||
+ opt->user_substr = 0;
|
|
||||||
} else {
|
|
||||||
pam_syslog(pamh,LOG_ERR,"pam_parse: unknown option; %s",*argv);
|
|
||||||
}
|
|
||||||
@@ -525,13 +530,54 @@ static int wordcheck(const char *new, ch
|
|
||||||
return 0;
|
|
||||||
}
|
|
||||||
|
|
||||||
+/*
|
|
||||||
+ * RETURNS: True if the password is unacceptable, else false
|
|
||||||
+ */
|
|
||||||
+static int usersubstr(int len, const char *new, char *user)
|
|
||||||
+{
|
|
||||||
+ int i, userlen;
|
|
||||||
+ int bad = 0; // Assume it's OK unless proven otherwise
|
|
||||||
+ char *subuser = calloc(len+1, sizeof(char));
|
|
||||||
+
|
|
||||||
+ if (subuser == NULL) {
|
|
||||||
+ return 1;
|
|
||||||
+ }
|
|
||||||
+
|
|
||||||
+ userlen = strlen(user);
|
|
||||||
+
|
|
||||||
+ if (len >= CO_MIN_WORD_LENGTH &&
|
|
||||||
+ userlen > len) {
|
|
||||||
+ for(i = 0; !bad && (i <= userlen - len); i++) {
|
|
||||||
+ strncpy(subuser, user+i, len+1);
|
|
||||||
+ subuser[len] = '\0';
|
|
||||||
+ bad = wordcheck(new, subuser);
|
|
||||||
+ }
|
|
||||||
+ } else {
|
|
||||||
+ // if we already tested substrings, there's no need to test
|
|
||||||
+ // the whole username; all substrings would've been found :)
|
|
||||||
+ if (!bad)
|
|
||||||
+ bad = wordcheck(new, user);
|
|
||||||
+ }
|
|
||||||
+
|
|
||||||
+ free(subuser);
|
|
||||||
+
|
|
||||||
+ return bad;
|
|
||||||
+}
|
|
||||||
+
|
|
||||||
+/*
|
|
||||||
+ * RETURNS: True if the password is unacceptable, else false
|
|
||||||
+ */
|
|
||||||
static int usercheck(struct cracklib_options *opt, const char *new,
|
|
||||||
char *user)
|
|
||||||
{
|
|
||||||
- if (!opt->reject_user)
|
|
||||||
- return 0;
|
|
||||||
+ int bad = 0;
|
|
||||||
+
|
|
||||||
+ if (opt->reject_user)
|
|
||||||
+ bad = wordcheck(new, user);
|
|
||||||
+ if (!bad && opt->user_substr != 0)
|
|
||||||
+ bad = usersubstr(opt->user_substr, new, user);
|
|
||||||
|
|
||||||
- return wordcheck(new, user);
|
|
||||||
+ return bad;
|
|
||||||
}
|
|
||||||
|
|
||||||
static char * str_lower(char *string)
|
|
39
pam.changes
@ -1,3 +1,42 @@
|
|||||||
|
-------------------------------------------------------------------
|
||||||
|
Mon Sep 6 11:51:30 UTC 2021 - Josef Möllers <josef.moellers@suse.com>
|
||||||
|
|
||||||
|
- Update to 1.5.2
|
||||||
|
Noteworthy changes in Linux-PAM 1.5.2:
|
||||||
|
|
||||||
|
* pam_exec: implemented quiet_log option.
|
||||||
|
* pam_mkhomedir: added support of HOME_MODE and UMASK from
|
||||||
|
/etc/login.defs.
|
||||||
|
* pam_timestamp: changed hmac algorithm to call openssl instead
|
||||||
|
of the bundled sha1 implementation if selected, added option
|
||||||
|
to select the hash algorithm to use with HMAC.
|
||||||
|
* Added pkgconfig files for provided libraries.
|
||||||
|
* Added --with-systemdunitdir configure option to specify systemd
|
||||||
|
unit directory.
|
||||||
|
* Added --with-misc-conv-bufsize configure option to specify the
|
||||||
|
buffer size in libpam_misc's misc_conv() function, raised the
|
||||||
|
default value for this parameter from 512 to 4096.
|
||||||
|
* Multiple minor bug fixes, portability fixes, documentation
|
||||||
|
improvements, and translation updates.
|
||||||
|
|
||||||
|
pam_cracklib has been removed from the upstream sources. This
|
||||||
|
obsoletes pam-pam_cracklib-add-usersubstr.patch and
|
||||||
|
pam_cracklib-removal.patch.
|
||||||
|
The following patches have been accepted upstream and, so,
|
||||||
|
are obsolete:
|
||||||
|
- pam-bsc1181443-make-nofile-unlimited-mean-nr_open.patch
|
||||||
|
- pam_securetty-don-t-complain-about-missing-config.patch
|
||||||
|
- bsc1184358-prevent-LOCAL-from-being-resolved.patch
|
||||||
|
- revert-check_shadow_expiry.diff
|
||||||
|
|
||||||
|
[Linux-PAM-1.5.2-docs.tar.xz, Linux-PAM-1.5.2-docs.tar.xz.asc,
|
||||||
|
Linux-PAM-1.5.2.tar.xz, Linux-PAM-1.5.2.tar.xz.asc,
|
||||||
|
pam-pam_cracklib-add-usersubstr.patch, pam_cracklib-removal.patch,
|
||||||
|
pam-bsc1181443-make-nofile-unlimited-mean-nr_open.patch,
|
||||||
|
pam_securetty-don-t-complain-about-missing-config.patch,
|
||||||
|
bsc1184358-prevent-LOCAL-from-being-resolved.patch,
|
||||||
|
revert-check_shadow_expiry.diff]
|
||||||
|
|
||||||
-------------------------------------------------------------------
|
-------------------------------------------------------------------
|
||||||
Thu Aug 12 14:42:54 UTC 2021 - Thorsten Kukuk <kukuk@suse.com>
|
Thu Aug 12 14:42:54 UTC 2021 - Thorsten Kukuk <kukuk@suse.com>
|
||||||
|
|
||||||
|
49
pam.spec
@ -31,7 +31,7 @@
|
|||||||
#
|
#
|
||||||
Name: pam
|
Name: pam
|
||||||
#
|
#
|
||||||
Version: 1.5.1
|
Version: 1.5.2
|
||||||
Release: 0
|
Release: 0
|
||||||
Summary: A Security Tool that Provides Authentication for Applications
|
Summary: A Security Tool that Provides Authentication for Applications
|
||||||
License: GPL-2.0-or-later OR BSD-3-Clause
|
License: GPL-2.0-or-later OR BSD-3-Clause
|
||||||
@ -50,22 +50,17 @@ Source10: unix2_chkpwd.c
|
|||||||
Source11: unix2_chkpwd.8
|
Source11: unix2_chkpwd.8
|
||||||
Source12: pam-login_defs-check.sh
|
Source12: pam-login_defs-check.sh
|
||||||
Source13: motd.tmpfiles
|
Source13: motd.tmpfiles
|
||||||
|
Source14: Linux-PAM-%{version}-docs.tar.xz.asc
|
||||||
|
Source15: Linux-PAM-%{version}.tar.xz.asc
|
||||||
Patch2: pam-limit-nproc.patch
|
Patch2: pam-limit-nproc.patch
|
||||||
Patch4: pam-hostnames-in-access_conf.patch
|
Patch4: pam-hostnames-in-access_conf.patch
|
||||||
Patch5: pam-xauth_ownership.patch
|
Patch5: pam-xauth_ownership.patch
|
||||||
Patch6: pam_cracklib-removal.patch
|
|
||||||
Patch7: pam_tally2-removal.patch
|
|
||||||
Patch8: pam-bsc1177858-dont-free-environment-string.patch
|
Patch8: pam-bsc1177858-dont-free-environment-string.patch
|
||||||
Patch9: pam-pam_cracklib-add-usersubstr.patch
|
|
||||||
Patch10: pam-bsc1181443-make-nofile-unlimited-mean-nr_open.patch
|
|
||||||
Patch11: bsc1184358-prevent-LOCAL-from-being-resolved.patch
|
|
||||||
Patch12: pam_umask-usergroups-login_defs.patch
|
Patch12: pam_umask-usergroups-login_defs.patch
|
||||||
# https://github.com/linux-pam/linux-pam/commit/e842a5fc075002f46672ebcd8e896624f1ec8068
|
# https://github.com/linux-pam/linux-pam/commit/e842a5fc075002f46672ebcd8e896624f1ec8068
|
||||||
Patch100: pam_securetty-don-t-complain-about-missing-config.patch
|
# Patch101: revert-check_shadow_expiry.diff
|
||||||
Patch101: revert-check_shadow_expiry.diff
|
|
||||||
BuildRequires: audit-devel
|
BuildRequires: audit-devel
|
||||||
BuildRequires: bison
|
BuildRequires: bison
|
||||||
BuildRequires: cracklib-devel
|
|
||||||
BuildRequires: flex
|
BuildRequires: flex
|
||||||
BuildRequires: libtool
|
BuildRequires: libtool
|
||||||
BuildRequires: xz
|
BuildRequires: xz
|
||||||
@ -146,39 +141,18 @@ having to recompile programs which do authentication.
|
|||||||
This package contains header files and static libraries used for
|
This package contains header files and static libraries used for
|
||||||
building both PAM-aware applications and modules for use with PAM.
|
building both PAM-aware applications and modules for use with PAM.
|
||||||
|
|
||||||
%package deprecated
|
|
||||||
Summary: Deprecated PAM Modules
|
|
||||||
Group: System/Libraries
|
|
||||||
Provides: pam:/%{_lib}/security/pam_cracklib.so
|
|
||||||
Provides: pam:/%{_lib}/security/pam_tally2.so
|
|
||||||
|
|
||||||
%description deprecated
|
|
||||||
PAM (Pluggable Authentication Modules) is a system security tool that
|
|
||||||
allows system administrators to set authentication policies without
|
|
||||||
having to recompile programs that do authentication.
|
|
||||||
|
|
||||||
This package contains deprecated extra modules like pam_cracklib and
|
|
||||||
pam_tally2, which are no longer supported upstream and will be completly
|
|
||||||
removed with one of the next releases.
|
|
||||||
|
|
||||||
%prep
|
%prep
|
||||||
%setup -q -n Linux-PAM-%{version} -b 1
|
%setup -q -n Linux-PAM-%{version} -b 1
|
||||||
cp -a %{SOURCE12} .
|
cp -a %{SOURCE12} .
|
||||||
%patch2 -p1
|
%patch2 -p1
|
||||||
%patch4 -p1
|
%patch4 -p1
|
||||||
%patch5 -p1
|
%patch5 -p1
|
||||||
%patch6 -R -p1
|
|
||||||
%patch7 -R -p1
|
|
||||||
%patch8 -p1
|
%patch8 -p1
|
||||||
%patch9 -p1
|
|
||||||
%patch10 -p1
|
|
||||||
%patch11 -p1
|
|
||||||
%patch12 -p1
|
%patch12 -p1
|
||||||
%patch100 -p1
|
# %%patch101 -p1
|
||||||
%patch101 -p1
|
|
||||||
|
|
||||||
%build
|
%build
|
||||||
bash ./pam-login_defs-check.sh
|
# bash ./pam-login_defs-check.sh
|
||||||
export CFLAGS="%{optflags}"
|
export CFLAGS="%{optflags}"
|
||||||
%if !%{with debug}
|
%if !%{with debug}
|
||||||
CFLAGS="$CFLAGS -DNDEBUG"
|
CFLAGS="$CFLAGS -DNDEBUG"
|
||||||
@ -192,9 +166,9 @@ CFLAGS="$CFLAGS -DNDEBUG"
|
|||||||
--enable-securedir=%{_pam_moduledir} \
|
--enable-securedir=%{_pam_moduledir} \
|
||||||
--enable-vendordir=%{_distconfdir} \
|
--enable-vendordir=%{_distconfdir} \
|
||||||
%if %{with debug}
|
%if %{with debug}
|
||||||
--enable-debug \
|
--enable-debug
|
||||||
%endif
|
%endif
|
||||||
--enable-tally2 --enable-cracklib
|
|
||||||
%make_build
|
%make_build
|
||||||
gcc -fwhole-program -fpie -pie -D_FILE_OFFSET_BITS=64 -D_GNU_SOURCE %{optflags} -I%{_builddir}/Linux-PAM-%{version}/libpam/include %{SOURCE10} -o %{_builddir}/unix2_chkpwd -L%{_builddir}/Linux-PAM-%{version}/libpam/.libs -lpam
|
gcc -fwhole-program -fpie -pie -D_FILE_OFFSET_BITS=64 -D_GNU_SOURCE %{optflags} -I%{_builddir}/Linux-PAM-%{version}/libpam/include %{SOURCE10} -o %{_builddir}/unix2_chkpwd -L%{_builddir}/Linux-PAM-%{version}/libpam/.libs -lpam
|
||||||
|
|
||||||
@ -436,12 +410,6 @@ done
|
|||||||
%{_pam_moduledir}/pam_userdb.so
|
%{_pam_moduledir}/pam_userdb.so
|
||||||
%{_mandir}/man8/pam_userdb.8%{?ext_man}
|
%{_mandir}/man8/pam_userdb.8%{?ext_man}
|
||||||
|
|
||||||
%files deprecated
|
|
||||||
%defattr(-,root,root,755)
|
|
||||||
%{_pam_moduledir}/pam_cracklib.so
|
|
||||||
%{_pam_moduledir}/pam_tally2.so
|
|
||||||
%{_sbindir}/pam_tally2
|
|
||||||
|
|
||||||
%files doc
|
%files doc
|
||||||
%defattr(644,root,root,755)
|
%defattr(644,root,root,755)
|
||||||
%dir %{_defaultdocdir}/pam
|
%dir %{_defaultdocdir}/pam
|
||||||
@ -460,5 +428,6 @@ done
|
|||||||
%{_libdir}/libpamc.so
|
%{_libdir}/libpamc.so
|
||||||
%{_libdir}/libpam_misc.so
|
%{_libdir}/libpam_misc.so
|
||||||
%{_rpmmacrodir}/macros.pam
|
%{_rpmmacrodir}/macros.pam
|
||||||
|
%{_libdir}/pkgconfig/pam*.pc
|
||||||
|
|
||||||
%changelog
|
%changelog
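Review bot: The `%package deprecated` subpackage and its `%files deprecated` list (pam_cracklib.so, pam_tally2.so, %{_sbindir}/pam_tally2) are removed without any `Obsoletes:`/`Provides:` for pam-deprecated visible in this diff, and pam.changes only mentions the obsoleted patches, so an upgraded system whose PAM stack still lists pam_tally2 or pam_cracklib will find the module missing — with `required`/`requisite` that means hard login or password-change failures, with `optional` it silently drops account lockout or password-strength checks. Consider `Obsoletes: pam-deprecated < %{version}-%{release}` on the main package plus a changelog note pointing administrators at pam_faillock/pam_pwquality. In %build, `bash ./pam-login_defs-check.sh` is commented out while `cp -a %{SOURCE12} .` in %prep still copies the script, so the login.defs consistency check is silently disabled; either delete both lines or add a one-line reason next to the commented call. The dead `# Patch101: revert-check_shadow_expiry.diff` and `# %%patch101 -p1` lines refer to a file this same commit deletes and should go as well. The new Source14/Source15 `.asc` signatures are only checked if a matching `pam.keyring` is shipped for the OBS source validator; no keyring change is visible here, so please confirm one exists.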
|
||||||
|
@ -1,40 +0,0 @@
|
|||||||
From e842a5fc075002f46672ebcd8e896624f1ec8068 Mon Sep 17 00:00:00 2001
|
|
||||||
From: Ludwig Nussel <ludwig.nussel@suse.de>
|
|
||||||
Date: Tue, 26 Jan 2021 13:07:20 +0100
|
|
||||||
Subject: [PATCH] pam_securetty: don't complain about missing config
|
|
||||||
|
|
||||||
Not shipping a config file should be perfectly valid for distros while
|
|
||||||
still having eg login pre-configured to honor securetty when present.
|
|
||||||
PAM itself doesn't ship any template either. So avoid spamming the log
|
|
||||||
file if /etc/securetty wasn't found.
|
|
||||||
---
|
|
||||||
modules/pam_securetty/pam_securetty.c | 6 ++++--
|
|
||||||
1 file changed, 4 insertions(+), 2 deletions(-)
|
|
||||||
|
|
||||||
diff --git a/modules/pam_securetty/pam_securetty.c b/modules/pam_securetty/pam_securetty.c
|
|
||||||
index b4d71751..47a5cd9f 100644
|
|
||||||
--- a/modules/pam_securetty/pam_securetty.c
|
|
||||||
+++ b/modules/pam_securetty/pam_securetty.c
|
|
||||||
@@ -111,7 +111,8 @@ securetty_perform_check (pam_handle_t *pamh, int ctrl,
|
|
||||||
#ifdef VENDORDIR
|
|
||||||
if (errno == ENOENT) {
|
|
||||||
if (stat(SECURETTY2_FILE, &ttyfileinfo)) {
|
|
||||||
- pam_syslog(pamh, LOG_NOTICE,
|
|
||||||
+ if (ctrl & PAM_DEBUG_ARG)
|
|
||||||
+ pam_syslog(pamh, LOG_DEBUG,
|
|
||||||
"Couldn't open %s: %m", SECURETTY2_FILE);
|
|
||||||
return PAM_SUCCESS; /* for compatibility with old securetty handling,
|
|
||||||
this needs to succeed. But we still log the
|
|
||||||
@@ -120,7 +121,8 @@ securetty_perform_check (pam_handle_t *pamh, int ctrl,
|
|
||||||
securettyfile = SECURETTY2_FILE;
|
|
||||||
} else {
|
|
||||||
#endif
|
|
||||||
- pam_syslog(pamh, LOG_NOTICE, "Couldn't open %s: %m", SECURETTY_FILE);
|
|
||||||
+ if (ctrl & PAM_DEBUG_ARG)
|
|
||||||
+ pam_syslog(pamh, LOG_DEBUG, "Couldn't open %s: %m", SECURETTY_FILE);
|
|
||||||
return PAM_SUCCESS; /* for compatibility with old securetty handling,
|
|
||||||
this needs to succeed. But we still log the
|
|
||||||
error. */
|
|
||||||
--
|
|
||||||
2.26.2
|
|
||||||
|
|
@ -4,9 +4,72 @@ Deprecate pam_umask explicit "usergroups" option and instead read it from /etc/l
|
|||||||
Original Author: Martin Pitt <martin.pitt@ubuntu.com>
|
Original Author: Martin Pitt <martin.pitt@ubuntu.com>
|
||||||
Bug-Debian: http://bugs.debian.org/583958
|
Bug-Debian: http://bugs.debian.org/583958
|
||||||
|
|
||||||
diff -urN Linux-PAM-1.5.1.pre/modules/pam_umask/pam_umask.8.xml Linux-PAM-1.5.1/modules/pam_umask/pam_umask.8.xml
|
Index: Linux-PAM-1.5.2/modules/pam_umask/README
|
||||||
--- Linux-PAM-1.5.1.pre/modules/pam_umask/pam_umask.8.xml 2020-11-25 17:57:02.000000000 +0100
|
===================================================================
|
||||||
+++ Linux-PAM-1.5.1/modules/pam_umask/pam_umask.8.xml 2021-08-12 16:02:56.108249895 +0200
|
--- Linux-PAM-1.5.2.orig/modules/pam_umask/README
|
||||||
|
+++ Linux-PAM-1.5.2/modules/pam_umask/README
|
||||||
|
@@ -15,7 +15,7 @@ following order:
|
||||||
|
|
||||||
|
• umask= argument
|
||||||
|
|
||||||
|
- • UMASK entry from /etc/login.defs
|
||||||
|
+ • UMASK entry from /etc/login.defs (influenced by USERGROUPS_ENAB)
|
||||||
|
|
||||||
|
• UMASK= entry from /etc/default/login
|
||||||
|
|
||||||
|
@@ -38,7 +38,10 @@ usergroups
|
||||||
|
|
||||||
|
If the user is not root and the username is the same as primary group name,
|
||||||
|
the umask group bits are set to be the same as owner bits (examples: 022 ->
|
||||||
|
- 002, 077 -> 007).
|
||||||
|
+ 002, 077 -> 007). Note that using this option explicitly is discouraged.
|
||||||
|
+ pam_umask enables this functionality by default if /etc/login.defs enables
|
||||||
|
+ USERGROUPS_ENAB, and the umask is not set explicitly in other places than /
|
||||||
|
+ etc/login.defs.
|
||||||
|
|
||||||
|
nousergroups
|
||||||
|
|
||||||
|
Index: Linux-PAM-1.5.2/modules/pam_umask/pam_umask.8
|
||||||
|
===================================================================
|
||||||
|
--- Linux-PAM-1.5.2.orig/modules/pam_umask/pam_umask.8
|
||||||
|
+++ Linux-PAM-1.5.2/modules/pam_umask/pam_umask.8
|
||||||
|
@@ -68,7 +68,9 @@ umask= argument
|
||||||
|
.sp -1
|
||||||
|
.IP \(bu 2.3
|
||||||
|
.\}
|
||||||
|
-UMASK entry from /etc/login\&.defs
|
||||||
|
+UMASK entry from
|
||||||
|
+/etc/login\&.defs
|
||||||
|
+(influenced by USERGROUPS_ENAB)
|
||||||
|
.RE
|
||||||
|
.sp
|
||||||
|
.RS 4
|
||||||
|
@@ -79,7 +81,8 @@ UMASK entry from /etc/login\&.defs
|
||||||
|
.sp -1
|
||||||
|
.IP \(bu 2.3
|
||||||
|
.\}
|
||||||
|
-UMASK= entry from /etc/default/login
|
||||||
|
+UMASK= entry from
|
||||||
|
+/etc/default/login
|
||||||
|
.RE
|
||||||
|
.PP
|
||||||
|
The GECOS field is split on comma \*(Aq,\*(Aq characters\&. The module also in addition to the umask= entry recognizes pri= entry, which sets the nice priority value for the session, and ulimit= entry, which sets the maximum size of files the processes in the session can create\&.
|
||||||
|
@@ -98,7 +101,10 @@ Don\*(Aqt print informative messages\&.
|
||||||
|
.PP
|
||||||
|
\fBusergroups\fR
|
||||||
|
.RS 4
|
||||||
|
-If the user is not root and the username is the same as primary group name, the umask group bits are set to be the same as owner bits (examples: 022 \-> 002, 077 \-> 007)\&.
|
||||||
|
+If the user is not root and the username is the same as primary group name, the umask group bits are set to be the same as owner bits (examples: 022 \-> 002, 077 \-> 007)\&. Note that using this option explicitly is discouraged\&. pam_umask enables this functionality by default if
|
||||||
|
+/etc/login\&.defs
|
||||||
|
+enables USERGROUPS_ENAB, and the umask is not set explicitly in other places than
|
||||||
|
+/etc/login\&.defs\&.
|
||||||
|
.RE
|
||||||
|
.PP
|
||||||
|
\fBnousergroups\fR
|
||||||
|
Index: Linux-PAM-1.5.2/modules/pam_umask/pam_umask.8.xml
|
||||||
|
===================================================================
|
||||||
|
--- Linux-PAM-1.5.2.orig/modules/pam_umask/pam_umask.8.xml
|
||||||
|
+++ Linux-PAM-1.5.2/modules/pam_umask/pam_umask.8.xml
|
||||||
@@ -61,12 +61,13 @@
|
@@ -61,12 +61,13 @@
|
||||||
</listitem>
|
</listitem>
|
||||||
<listitem>
|
<listitem>
|
||||||
@ -35,14 +98,15 @@ diff -urN Linux-PAM-1.5.1.pre/modules/pam_umask/pam_umask.8.xml Linux-PAM-1.5.1/
|
|||||||
</para>
|
</para>
|
||||||
</listitem>
|
</listitem>
|
||||||
</varlistentry>
|
</varlistentry>
|
||||||
diff -urN Linux-PAM-1.5.1.pre/modules/pam_umask/pam_umask.c Linux-PAM-1.5.1/modules/pam_umask/pam_umask.c
|
Index: Linux-PAM-1.5.2/modules/pam_umask/pam_umask.c
|
||||||
--- Linux-PAM-1.5.1.pre/modules/pam_umask/pam_umask.c 2020-11-25 17:57:02.000000000 +0100
|
===================================================================
|
||||||
+++ Linux-PAM-1.5.1/modules/pam_umask/pam_umask.c 2021-08-12 16:14:40.505589328 +0200
|
--- Linux-PAM-1.5.2.orig/modules/pam_umask/pam_umask.c
|
||||||
@@ -103,7 +103,23 @@
|
+++ Linux-PAM-1.5.2/modules/pam_umask/pam_umask.c
|
||||||
|
@@ -104,7 +104,23 @@ get_options (pam_handle_t *pamh, options
|
||||||
parse_option (pamh, *argv, options);
|
parse_option (pamh, *argv, options);
|
||||||
|
|
||||||
if (options->umask == NULL)
|
if (options->umask == NULL) {
|
||||||
- options->umask = pam_modutil_search_key (pamh, LOGIN_DEFS, "UMASK");
|
- options->login_umask = pam_modutil_search_key (pamh, LOGIN_DEFS, "UMASK");
|
||||||
+ {
|
+ {
|
||||||
+ options->umask = pam_modutil_search_key (pamh, LOGIN_DEFS, "UMASK");
|
+ options->umask = pam_modutil_search_key (pamh, LOGIN_DEFS, "UMASK");
|
||||||
+ /* login.defs' USERGROUPS_ENAB will modify the UMASK setting there by way
|
+ /* login.defs' USERGROUPS_ENAB will modify the UMASK setting there by way
|
||||||
@ -60,64 +124,6 @@ diff -urN Linux-PAM-1.5.1.pre/modules/pam_umask/pam_umask.c Linux-PAM-1.5.1/modu
|
|||||||
+ }
|
+ }
|
||||||
+ }
|
+ }
|
||||||
+ }
|
+ }
|
||||||
if (options->umask == NULL)
|
if (options->login_umask == NULL)
|
||||||
options->umask = pam_modutil_search_key (pamh, LOGIN_CONF, "UMASK");
|
options->login_umask = pam_modutil_search_key (pamh, LOGIN_CONF, "UMASK");
|
||||||
|
options->umask = options->login_umask;
|
||||||
--- Linux-PAM-1.5.1.pre/modules/pam_umask/pam_umask.8 2021-08-12 16:34:08.314505891 +0200
|
|
||||||
+++ Linux-PAM-1.5.1/modules/pam_umask/pam_umask.8 2021-08-12 16:14:43.969615764 +0200
|
|
||||||
@@ -68,7 +68,9 @@
|
|
||||||
.sp -1
|
|
||||||
.IP \(bu 2.3
|
|
||||||
.\}
|
|
||||||
-UMASK entry from /etc/login\&.defs
|
|
||||||
+UMASK entry from
|
|
||||||
+/etc/login\&.defs
|
|
||||||
+(influenced by USERGROUPS_ENAB)
|
|
||||||
.RE
|
|
||||||
.sp
|
|
||||||
.RS 4
|
|
||||||
@@ -79,7 +81,8 @@
|
|
||||||
.sp -1
|
|
||||||
.IP \(bu 2.3
|
|
||||||
.\}
|
|
||||||
-UMASK= entry from /etc/default/login
|
|
||||||
+UMASK= entry from
|
|
||||||
+/etc/default/login
|
|
||||||
.RE
|
|
||||||
.PP
|
|
||||||
The GECOS field is split on comma \*(Aq,\*(Aq characters\&. The module also in addition to the umask= entry recognizes pri= entry, which sets the nice priority value for the session, and ulimit= entry, which sets the maximum size of files the processes in the session can create\&.
|
|
||||||
@@ -98,7 +101,10 @@
|
|
||||||
.PP
|
|
||||||
\fBusergroups\fR
|
|
||||||
.RS 4
|
|
||||||
-If the user is not root and the username is the same as primary group name, the umask group bits are set to be the same as owner bits (examples: 022 \-> 002, 077 \-> 007)\&.
|
|
||||||
+If the user is not root and the username is the same as primary group name, the umask group bits are set to be the same as owner bits (examples: 022 \-> 002, 077 \-> 007)\&. Note that using this option explicitly is discouraged\&. pam_umask enables this functionality by default if
|
|
||||||
+/etc/login\&.defs
|
|
||||||
+enables USERGROUPS_ENAB, and the umask is not set explicitly in other places than
|
|
||||||
+/etc/login\&.defs\&.
|
|
||||||
.RE
|
|
||||||
.PP
|
|
||||||
\fBnousergroups\fR
|
|
||||||
--- Linux-PAM-1.5.1.pre/modules/pam_umask/README 2021-08-12 16:34:08.638508373 +0200
|
|
||||||
+++ Linux-PAM-1.5.1/modules/pam_umask/README 2021-08-12 16:14:44.241617840 +0200
|
|
||||||
@@ -15,7 +15,7 @@
|
|
||||||
|
|
||||||
• umask= argument
|
|
||||||
|
|
||||||
- • UMASK entry from /etc/login.defs
|
|
||||||
+ • UMASK entry from /etc/login.defs (influenced by USERGROUPS_ENAB)
|
|
||||||
|
|
||||||
• UMASK= entry from /etc/default/login
|
|
||||||
|
|
||||||
@@ -38,7 +38,10 @@
|
|
||||||
|
|
||||||
If the user is not root and the username is the same as primary group name,
|
|
||||||
the umask group bits are set to be the same as owner bits (examples: 022 ->
|
|
||||||
- 002, 077 -> 007).
|
|
||||||
+ 002, 077 -> 007). Note that using this option explicitly is discouraged.
|
|
||||||
+ pam_umask enables this functionality by default if /etc/login.defs enables
|
|
||||||
+ USERGROUPS_ENAB, and the umask is not set explicitly in other places than /
|
|
||||||
+ etc/login.defs.
|
|
||||||
|
|
||||||
nousergroups
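Review bot: In the pam_umask.c hunk the rebased block still writes the /etc/login.defs lookup to `options->umask` (`options->umask = pam_modutil_search_key (pamh, LOGIN_DEFS, "UMASK");`), but the 1.5.2 context lines that follow test `options->login_umask`, fall back to `pam_modutil_search_key (pamh, LOGIN_CONF, "UMASK")`, and then unconditionally do `options->umask = options->login_umask;`. Unless the lines elided between the two outer hunks assign `login_umask`, the login.defs value — including the USERGROUPS_ENAB adjustment this patch exists for — is overwritten by the /etc/default/login value or by NULL, and the session silently falls back to the module's default umask, which is a permission-relaxing failure mode. The added block should store its result in `options->login_umask` (or the trailing assignment should be guarded with `if (options->umask == NULL)`) so the upstream fallback chain keeps the login.defs result. The enclosing get_options() begins and ends outside the hunk, so the full control flow could not be verified here.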
|
|
||||||
|
|
||||||
|
@ -70,7 +70,7 @@ export CFLAGS="%{optflags} -DNDEBUG"
|
|||||||
--enable-isadir=../..%{_pam_moduledir} \
|
--enable-isadir=../..%{_pam_moduledir} \
|
||||||
--enable-securedir=%{_pam_moduledir} \
|
--enable-securedir=%{_pam_moduledir} \
|
||||||
--enable-vendordir=%{_distconfdir} \
|
--enable-vendordir=%{_distconfdir} \
|
||||||
--enable-tally2 --enable-cracklib
|
--enable-tally2
|
||||||
make -C modules/pam_unix
|
make -C modules/pam_unix
|
||||||
|
|
||||||
%install
|
%install
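Review bot: `--enable-tally2` survives in this configure invocation while the same commit drops pam_tally2-removal.patch and the pam-deprecated subpackage from pam.spec, so if this spec builds from the same Linux-PAM 1.5.2 sources the flag now names a module those sources no longer carry; configure only warns about an unrecognised `--enable` option, but leaving it suggests pam_tally2 is still built here. Drop the line and remove the trailing backslash from `--enable-vendordir=%{_distconfdir} \` so the two spec files stay consistent. This file's header is not visible in the rendered page, so the above assumes it is a sibling spec of pam.spec.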
|
||||||
|
@ -1,31 +0,0 @@
|
|||||||
pam_unix: do not use crypt_checksalt when checking for password expiration
|
|
||||||
|
|
||||||
According to Zack Weinberg, the intended meaning of
|
|
||||||
CRYPT_SALT_METHOD_LEGACY is "passwd(1) should not use this hashing
|
|
||||||
method", it is not supposed to mean "force a password change on next
|
|
||||||
login for any user with an existing stored hash using this method".
|
|
||||||
|
|
||||||
This reverts commit 4da9feb.
|
|
||||||
|
|
||||||
* modules/pam_unix/passverify.c (check_shadow_expiry)
|
|
||||||
[CRYPT_CHECKSALT_AVAILABLE]: Remove.
|
|
||||||
|
|
||||||
|
|
||||||
diff --git a/modules/pam_unix/passverify.c b/modules/pam_unix/passverify.c
|
|
||||||
index f6132f805..5a19ed856 100644
|
|
||||||
--- a/modules/pam_unix/passverify.c
|
|
||||||
+++ b/modules/pam_unix/passverify.c
|
|
||||||
@@ -289,13 +289,7 @@ PAMH_ARG_DECL(int check_shadow_expiry,
|
|
||||||
D(("account expired"));
|
|
||||||
return PAM_ACCT_EXPIRED;
|
|
||||||
}
|
|
||||||
-#if defined(CRYPT_CHECKSALT_AVAILABLE) && CRYPT_CHECKSALT_AVAILABLE
|
|
||||||
- if (spent->sp_lstchg == 0 ||
|
|
||||||
- crypt_checksalt(spent->sp_pwdp) == CRYPT_SALT_METHOD_LEGACY ||
|
|
||||||
- crypt_checksalt(spent->sp_pwdp) == CRYPT_SALT_TOO_CHEAP) {
|
|
||||||
-#else
|
|
||||||
if (spent->sp_lstchg == 0) {
|
|
||||||
-#endif
|
|
||||||
D(("need a new password"));
|
|
||||||
*daysleft = 0;
|
|
||||||
return PAM_NEW_AUTHTOK_REQD;
|
|