diff --git a/Linux-PAM-1.5.3.tar.xz b/Linux-PAM-1.5.3.tar.xz
new file mode 100644
index 0000000..d1b6d47
--- /dev/null
+++ b/Linux-PAM-1.5.3.tar.xz
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:7ac4b50feee004a9fa88f1dfd2d2fa738a82896763050cd773b3c54b0a818283
+size 1020076
diff --git a/disable-pam_env-test.patch b/disable-pam_env-test.patch
deleted file mode 100644
index 6093897..0000000
--- a/disable-pam_env-test.patch
+++ /dev/null
@@ -1,11 +0,0 @@
---- Linux-PAM-1.6.0/modules/pam_env/Makefile.am.old 2024-01-17 11:29:36.000000000 +0100
-+++ Linux-PAM-1.6.0/modules/pam_env/Makefile.am 2024-01-18 16:45:11.923011145 +0100
-@@ -12,7 +12,7 @@
- endif
- XMLS = README.xml pam_env.conf.5.xml pam_env.8.xml
- dist_check_SCRIPTS = tst-pam_env
--TESTS = $(dist_check_SCRIPTS) $(check_PROGRAMS)
-+TESTS = $(dist_check_SCRIPTS)
-
- securelibdir = $(SECUREDIR)
- if HAVE_VENDORDIR
diff --git a/pam.changes b/pam.changes
index 4147492..4f8e09a 100644
--- a/pam.changes
+++ b/pam.changes
@@ -1,12 +1,10 @@
 -------------------------------------------------------------------
-Thu Jan 18 15:45:53 UTC 2024 - Thorsten Kukuk
-
-- disable-pam_env-test.patch: disable tst-pam_env-retval.c as it is
- broken
-
--------------------------------------------------------------------
-Thu Jan 18 08:28:14 UTC 2024 - Thorsten Kukuk
+Fri Jan 19 09:11:30 UTC 2024 - Thorsten Kukuk
+- Add post 1.6.0 release fixes for pam_env:
+ - pam_env-fix-enable-vendordir-fallback.patch
+ - pam_env-fix_vendordir.patch
+ - pam_env-remove-escaped-newlines.patch
 - Update to version 1.6.0
 - Added support of configuration files with arbitrarily long lines.
 - build: fixed build outside of the source tree.
diff --git a/pam.spec b/pam.spec
index 316680a..fa47dab 100644
--- a/pam.spec
+++ b/pam.spec
@@ -96,7 +96,12 @@ Source22: postlogin-account.pamd
 Source23: postlogin-password.pamd
 Source24: postlogin-session.pamd
 Patch1: pam-limit-nproc.patch
-Patch2: disable-pam_env-test.patch
+# https://github.com/linux-pam/linux-pam/pull/739
+Patch2: pam_env-fix_vendordir.patch
+# https://github.com/linux-pam/linux-pam/pull/740
+Patch3: pam_env-fix-enable-vendordir-fallback.patch
+# https://github.com/linux-pam/linux-pam/pull/741
+Patch4: pam_env-remove-escaped-newlines.patch
 BuildRequires: audit-devel
 BuildRequires: bison
 BuildRequires: flex
@@ -210,6 +215,8 @@ building both PAM-aware applications and modules for use with PAM.
 cp -a %{SOURCE12} .
 %patch1 -p1
 %patch2 -p1
+%patch3 -p1
+%patch4 -p1
 %build
 bash ./pam-login_defs-check.sh
diff --git a/pam_env-fix-enable-vendordir-fallback.patch b/pam_env-fix-enable-vendordir-fallback.patch
new file mode 100644
index 0000000..52c895d
--- /dev/null
+++ b/pam_env-fix-enable-vendordir-fallback.patch
@@ -0,0 +1,51 @@
+From 28894b319488e8302899ee569b6e0911905f374e Mon Sep 17 00:00:00 2001
+From: "Dmitry V. Levin"
+Date: Thu, 18 Jan 2024 17:00:00 +0000
+Subject: [PATCH] pam_env: fix --enable-vendordir fallback logic
+
+* modules/pam_env/pam_env.c (_parse_config_file) [!USE_ECONF &&
+VENDOR_DEFAULT_CONF_FILE]: Do not fallback to vendor pam_env.conf file
+if the config file is specified via module arguments.
+
+Link: https://github.com/linux-pam/linux-pam/issues/738
+Fixes: v1.5.3~69 ("pam_env: Use vendor specific pam_env.conf and environment as fallback")
+---
+ modules/pam_env/pam_env.c | 22 +++++++++++-----------
+ 1 file changed, 11 insertions(+), 11 deletions(-)
+
+diff --git a/modules/pam_env/pam_env.c b/modules/pam_env/pam_env.c
+index a0b812fff..8b40b6a5a 100644
+--- a/modules/pam_env/pam_env.c
++++ b/modules/pam_env/pam_env.c
+@@ -850,20 +850,20 @@ _parse_config_file(pam_handle_t *pamh, int ctrl, const char *file)
+ #ifdef USE_ECONF
+ /* If "file" is not NULL, only this file will be parsed. */
+ retval = econf_read_file(pamh, file, " \t", PAM_ENV, ".conf", "security", &conf_list);
+-#else
++#else /* !USE_ECONF */
+ /* Only one file will be parsed. So, file has to be set. */
+- if (file == NULL) /* No filename has been set via argv. */
++ if (file == NULL) { /* No filename has been set via argv. */
+ file = DEFAULT_CONF_FILE;
+-#ifdef VENDOR_DEFAULT_CONF_FILE
+- /*
+- * Check whether file is available.
+- * If it does not exist, fall back to VENDOR_DEFAULT_CONF_FILE file.
+- */
+- struct stat stat_buffer;
+- if (stat(file, &stat_buffer) != 0 && errno == ENOENT) {
+- file = VENDOR_DEFAULT_CONF_FILE;
++# ifdef VENDOR_DEFAULT_CONF_FILE
++ /*
++ * Check whether DEFAULT_CONF_FILE file is available.
++ * If it does not exist, fall back to VENDOR_DEFAULT_CONF_FILE file.
++ */
++ struct stat stat_buffer;
++ if (stat(file, &stat_buffer) != 0 && errno == ENOENT)
++ file = VENDOR_DEFAULT_CONF_FILE;
++# endif
+ }
+-#endif
+ retval = read_file(pamh, file, &conf_list);
+ #endif
+
diff --git a/pam_env-fix_vendordir.patch b/pam_env-fix_vendordir.patch
new file mode 100644
index 0000000..862b6b6
--- /dev/null
+++ b/pam_env-fix_vendordir.patch
@@ -0,0 +1,51 @@
+From 0703453bec6ac54ad31d7245be4529796a3ef764 Mon Sep 17 00:00:00 2001
+From: Tobias Stoeckmann
+Date: Thu, 18 Jan 2024 18:08:05 +0100
+Subject: [PATCH] pam_env: check VENDORDIR after config.h inclusion
+
+The VENDORDIR define has to be checked after config.h
+inclusion, otherwise the ifdef test always yields false.
+
+Fixes: 6135c45347b6 ("pam_env: Use vendor specific pam_env.conf and environment as fallback")
+
+Signed-off-by: Tobias Stoeckmann
+---
+ modules/pam_env/pam_env.c | 18 +++++++++---------
+ 1 file changed, 9 insertions(+), 9 deletions(-)
+
+diff --git a/modules/pam_env/pam_env.c b/modules/pam_env/pam_env.c
+index 59adc942c..a0b812fff 100644
+--- a/modules/pam_env/pam_env.c
++++ b/modules/pam_env/pam_env.c
+@@ -6,15 +6,6 @@
+ * template for this file (via pam_mail)
+ */
+
+-#define DEFAULT_ETC_ENVFILE "/etc/environment"
+-#ifdef VENDORDIR
+-#define VENDOR_DEFAULT_ETC_ENVFILE (VENDORDIR "/environment")
+-#endif
+-#define DEFAULT_READ_ENVFILE 1
+-
+-#define DEFAULT_USER_ENVFILE ".pam_environment"
+-#define DEFAULT_USER_READ_ENVFILE 0
+-
+ #include "config.h"
+
+ #include
+@@ -52,6 +43,15 @@ typedef struct var {
+ char *override;
+ } VAR;
+
++#define DEFAULT_ETC_ENVFILE "/etc/environment"
++#ifdef VENDORDIR
++#define VENDOR_DEFAULT_ETC_ENVFILE (VENDORDIR "/environment")
++#endif
++#define DEFAULT_READ_ENVFILE 1
++
++#define DEFAULT_USER_ENVFILE ".pam_environment"
++#define DEFAULT_USER_READ_ENVFILE 0
++
+ #define DEFAULT_CONF_FILE (SCONFIGDIR "/pam_env.conf")
+ #ifdef VENDOR_SCONFIGDIR
+ #define VENDOR_DEFAULT_CONF_FILE (VENDOR_SCONFIGDIR "/pam_env.conf")
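Review bot: In pam_env-fix-enable-vendordir-fallback.patch, the rewritten `if (file == NULL)` branch of `_parse_config_file` switches to VENDOR_DEFAULT_CONF_FILE silently, so nothing in the log tells an administrator which pam_env.conf actually supplied the session environment. With braces restored on the inner `if`, a debug-level `pam_syslog(pamh, LOG_DEBUG, "using vendor configuration %s", file);` after the assignment would make the selection auditable. The fallback is taken only for `errno == ENOENT`; a short comment saying that other stat() failures deliberately keep DEFAULT_CONF_FILE (presumably so that read_file() fails on it rather than masking a permission problem) would document that choice. The function body starts and ends outside the inner hunk.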
diff --git a/pam_env-remove-escaped-newlines.patch b/pam_env-remove-escaped-newlines.patch
new file mode 100644
index 0000000..3085571
--- /dev/null
+++ b/pam_env-remove-escaped-newlines.patch
@@ -0,0 +1,54 @@
+From ef51c51523b4c6ce6275b2863a0de1a3a6dff1e5 Mon Sep 17 00:00:00 2001
+From: Tobias Stoeckmann
+Date: Thu, 18 Jan 2024 20:25:20 +0100
+Subject: [PATCH] pam_env: remove escaped newlines from econf lines
+
+The libeconf routines do not remove escaped newlines the way we want to
+process them later on. Manually remove them from values.
+
+Signed-off-by: Tobias Stoeckmann
+---
+ modules/pam_env/pam_env.c | 23 +++++++++++++++++++++++
+ 1 file changed, 23 insertions(+)
+
+diff --git a/modules/pam_env/pam_env.c b/modules/pam_env/pam_env.c
+index a0b812fff..5f53fbb10 100644
+--- a/modules/pam_env/pam_env.c
++++ b/modules/pam_env/pam_env.c
+@@ -160,6 +160,28 @@ isDirectory(const char *path) {
+ return S_ISDIR(statbuf.st_mode);
+ }
+
++/*
++ * Remove escaped newline from string.
++ *
++ * All occurrences of "\\n" will be removed from string.
++ */
++static void
++econf_unescnl(char *val)
++{
++ char *dest, *p;
++
++ dest = p = val;
++
++ while (*p != '\0') {
++ if (p[0] == '\\' && p[1] == '\n') {
++ p += 2;
++ } else {
++ *dest++ = *p++;
++ }
++ }
++ *dest = '\0';
++}
++
+ static int
+ econf_read_file(const pam_handle_t *pamh, const char *filename, const char *delim,
+ const char *name, const char *suffix, const char *subpath,
+@@ -270,6 +292,7 @@ econf_read_file(const pam_handle_t *pamh, const char *filename, const char *deli
+ keys[i],
+ econf_errString(error));
+ } else {
++ econf_unescnl(val);
+ if (asprintf(&(*lines)[i],"%s%c%s", keys[i], delim[0], val) < 0) {
+ pam_syslog(pamh, LOG_ERR, "Cannot allocate memory.");
+ econf_free(keys);
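Review bot: `econf_unescnl()` dereferences `val` immediately, and the call added in the `else` branch of `econf_read_file` passes `val` with no NULL check visible in the hunk; if libeconf can report success while leaving the value NULL (worth confirming, the lookup is outside the hunk), that is a NULL dereference in the application calling into the module. A guard such as `if (val == NULL) return;` at the top of the helper would close that off. The header comment is also ambiguous: `"\\n"` reads as a backslash followed by the letter n, while the code removes a backslash followed by a newline character, so I would word it `All occurrences of a backslash immediately followed by a newline are removed, in place.` The in-place copy itself stays in bounds, since `p[1]` is read only when `p[0]` is not the terminator and `dest` never overtakes `p`. econf_read_file starts and ends outside the inner hunks.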