pam/pam.spec
Thorsten Kukuk a01288951c - pam_access: rework resolving of tokens as hostname
- separate resolving of IP addresses from hostnames. Don't resolve TTYs or
    display variables as hostname.
  - Add "nodns" option to disallow resolving of tokens as hostname.
  - [pam_access-rework-resolving-of-tokens-as-hostname.patch, bsc#1233078, CVE-2024-10963]

OBS-URL: https://build.opensuse.org/package/show/Linux-PAM/pam?expand=0&rev=305
2024-12-06 09:32:46 +00:00

536 lines
17 KiB
RPMSpec

#
# spec file for package pam
#
# Copyright (c) 2020 SUSE LLC
#
# All modifications and additions to the file contributed by third parties
# remain the property of their copyright owners, unless otherwise agreed
# upon. The license for this file, and modifications and additions to the
# file, is the same license as for the pristine package itself (unless the
# license for the pristine package is not an Open Source License, in which
# case the license is the MIT License). An "Open Source License" is a
# license that conforms to the Open Source Definition (Version 1.9)
# published by the Open Source Initiative.
# Please submit bugfixes or comments via https://bugs.opensuse.org/
#
%if 0%{?sle_version} >= 150400 || 0%{?suse_version} >= 1550
# Enable livepatching support for SLE15-SP4 onwards. It requires
# compiler support introduced there.
%define livepatchable 1
# Set variables for livepatching.
%define _other %{_topdir}/OTHER
%define tar_basename pam-livepatch-%{version}-%{release}
%define tar_package_name %{tar_basename}.%{_arch}.tar.xz
%define clones_dest_dir %{tar_basename}/%{_arch}
%else
# Unsupported operating system.
%define livepatchable 0
%endif
%ifnarch x86_64
# Unsupported architectures must have livepatch disabled.
%define livepatchable 0
%endif
%bcond_without selinux
%define flavor @BUILD_FLAVOR@%{nil}
# List of config files for migration to /usr/etc
%define config_files pam.d/other pam.d/common-account pam.d/common-auth pam.d/common-password pam.d/common-session \\\
security/faillock.conf security/group.conf security/limits.conf security/pam_env.conf security/access.conf \\\
security/namespace.conf security/namespace.init security/sepermit.conf
%if "%{flavor}" == "full"
%define build_main 0
%define build_doc 1
%define build_extra 1
%define build_userdb 1
%define name_suffix -%{flavor}-src
%else
%define build_main 1
%define build_doc 0
%define build_extra 0
%define build_userdb 0
%define name_suffix %{nil}
%endif
#
%define libpam_so_version 0.85.1
%define libpam_misc_so_version 0.82.1
%define libpamc_so_version 0.82.1
%if ! %{defined _distconfdir}
%define _distconfdir %{_sysconfdir}
%endif
#
%{load:%{_sourcedir}/macros.pam}
#
Name: pam%{name_suffix}
#
Version: 1.7.0
Release: 0
Summary: A Security Tool that Provides Authentication for Applications
License: GPL-2.0-or-later OR BSD-3-Clause
Group: System/Libraries
URL: https://github.com/linux-pam/linux-pam
Source: Linux-PAM-%{version}.tar.xz
Source1: Linux-PAM-%{version}.tar.xz.asc
Source2: macros.pam
Source3: other.pamd
Source4: common-auth.pamd
Source5: common-account.pamd
Source6: common-password.pamd
Source7: common-session.pamd
Source9: baselibs.conf
Source10: unix2_chkpwd.c
Source11: unix2_chkpwd.8
Source12: pam-login_defs-check.sh
Source13: pam.tmpfiles
Source20: common-session-nonlogin.pamd
Source21: postlogin-auth.pamd
Source22: postlogin-account.pamd
Source23: postlogin-password.pamd
Source24: postlogin-session.pamd
Patch1: pam-limit-nproc.patch
# PATCH-FIX-UPSTREAM: CVE-2024-10963
Patch2: pam_access-rework-resolving-of-tokens-as-hostname.patch
BuildRequires: audit-devel
BuildRequires: bison
BuildRequires: flex
BuildRequires: meson >= 0.62.0
BuildRequires: xz
Requires(post): permissions
# All login.defs variables require support from shadow side.
# Upgrade this symbol version only if new variables appear!
# Verify by shadow-login_defs-check.sh from shadow source package.
Recommends: login_defs-support-for-pam >= 1.5.2
BuildRequires: pkgconfig(libeconf)
%if %{with selinux}
BuildRequires: libselinux-devel
%endif
Obsoletes: pam_unix
Obsoletes: pam_unix-nis
Recommends: pam-manpages
Requires(pre): group(shadow)
Requires(pre): user(root)
%description
PAM (Pluggable Authentication Modules) is a system security tool that
allows system administrators to set authentication policies without
having to recompile programs that do authentication.
%if %{build_userdb}
%package -n pam-userdb
Summary: PAM module to authenticate against a separate database
Group: System/Libraries
Provides: pam-extra:%{_pam_moduledir}/pam_userdb.so
BuildRequires: libdb-4_8-devel
BuildRequires: pam-devel
%description -n pam-userdb
PAM (Pluggable Authentication Modules) is a system security tool that
allows system administrators to set authentication policies without
having to recompile programs that do authentication.
This package contains pam_userdb which is used to verify a
username/password pair against values stored in a Berkeley DB database.
%endif
%if %{build_extra}
%package -n pam-extra
Summary: PAM module with extended dependencies
Group: System/Libraries
BuildRequires: pkgconfig(libsystemd) >= 254
BuildRequires: pam-devel
Provides: pam:%{_sbindir}/pam_timestamp_check
Provides: pam:%{_pam_moduledir}/pam_limits.so
%description -n pam-extra
PAM (Pluggable Authentication Modules) is a system security tool that
allows system administrators to set authentication policies without
having to recompile programs that do authentication.
This package contains extra modules eg pam_issue and pam_timestamp which
can have extended dependencies.
%endif
%if %{build_doc}
%package -n pam-doc
Summary: Documentation for Pluggable Authentication Modules
Group: Documentation/HTML
BuildArch: noarch
%description -n pam-doc
PAM (Pluggable Authentication Modules) is a system security tool that
allows system administrators to set authentication policies without
having to recompile programs that do authentication.
This package contains the documentation.
%package -n pam-manpages
Summary: Manualpages for Pluggable Authentication Modules
Group: Documentation/HTML
Provides: pam:/%{_mandir}/man8/PAM.8.gz
BuildArch: noarch
BuildRequires: docbook5-xsl-stylesheets
BuildRequires: elinks
BuildRequires: xmlgraphics-fop
%description -n pam-manpages
PAM (Pluggable Authentication Modules) is a system security tool that
allows system administrators to set authentication policies without
having to recompile programs that do authentication.
This package contains the manual pages.
%endif
%package devel
Summary: Include Files and Libraries for PAM Development
Group: Development/Libraries/C and C++
Requires: glibc-devel
Requires: pam = %{version}
%description devel
PAM (Pluggable Authentication Modules) is a system security tool which
allows system administrators to set authentication policy without
having to recompile programs which do authentication.
This package contains header files and static libraries used for
building both PAM-aware applications and modules for use with PAM.
%prep
%autosetup -p1 -n Linux-PAM-%{version}
cp -a %{SOURCE12} .
%build
bash ./pam-login_defs-check.sh
%if %{livepatchable}
CFLAGS="$CFLAGS -fpatchable-function-entry=16,14 -fdump-ipa-clones"
%endif
%meson -Dvendordir=%{_distconfdir} \
-Ddocdir=%{_docdir}/pam \
-Dhtmldir=%{_docdir}/pam/html \
-Dpdfdir=%{_docdir}/pam/pdf \
-Dsecuredir=%{_pam_moduledir} \
%if "%{flavor}" != "full"
-Dlogind=disabled \
-Dpam_userdb=disabled \
-Ddocs=disabled \
%endif
-Dexamples=false \
-Dnis=disabled
%meson_build
%if %{livepatchable}
# Ipa-clones are files generated by gcc which logs changes made across
# functions, and we need to know such changes to build livepatches
# correctly. These files are intended to be used by the livepatch
# developers and may be retrieved by using `osc getbinaries`.
#
# Create list of ipa-clones.
find . -name "*.ipa-clones" ! -empty | sed 's/^\.\///g' | sort > ipa-clones.list
# Create ipa-clones destination folder and move clones there.
mkdir -p ipa-clones/%{clones_dest_dir}
while read f; do
_dest=ipa-clones/%{clones_dest_dir}/$f
mkdir -p ${_dest%/*}
cp $f $_dest
done < ipa-clones.list
# Create tar package with the clone files.
tar cfJ %{tar_package_name} -C ipa-clones %{tar_basename}
# Copy tar package to the OTHERS folder
cp %{tar_package_name} %{_other}
%endif # livepatchable
gcc -fwhole-program -fpie -pie -D_FILE_OFFSET_BITS=64 -D_GNU_SOURCE %{optflags} -I%{_builddir}/Linux-PAM-%{version}/libpam/include %{SOURCE10} -o %{_builddir}/unix2_chkpwd -L%{_builddir}/Linux-PAM-%{version}/%{_target_platform}/libpam -lpam
%if %{build_main}
%check
%meson_test
%endif
%install
%meson_install
mkdir -p %{buildroot}%{_pam_confdir}
mkdir -p %{buildroot}%{_pam_vendordir}
# install other.pamd and common-*.pamd
install -m 644 %{SOURCE3} %{buildroot}%{_pam_vendordir}/other
install -m 644 %{SOURCE4} %{buildroot}%{_pam_vendordir}/common-auth
install -m 644 %{SOURCE5} %{buildroot}%{_pam_vendordir}/common-account
install -m 644 %{SOURCE6} %{buildroot}%{_pam_vendordir}/common-password
install -m 644 %{SOURCE7} %{buildroot}%{_pam_vendordir}/common-session
install -m 644 %{SOURCE20} %{buildroot}%{_pam_vendordir}/common-session-nonlogin
install -m 644 %{SOURCE21} %{buildroot}%{_pam_vendordir}/postlogin-auth
install -m 644 %{SOURCE22} %{buildroot}%{_pam_vendordir}/postlogin-account
install -m 644 %{SOURCE23} %{buildroot}%{_pam_vendordir}/postlogin-password
install -m 644 %{SOURCE24} %{buildroot}%{_pam_vendordir}/postlogin-session
#
# Install READMEs of PAM modules
#
DOC=%{buildroot}%{_defaultdocdir}/pam
%if "%{flavor}" == "full"
mkdir -p $DOC/modules
cp -fpv %{_vpath_builddir}/modules/pam_*/pam_*.txt "$DOC/modules/"
%endif
# Install unix2_chkpwd
install -m 755 %{_builddir}/unix2_chkpwd %{buildroot}%{_sbindir}
# rpm macros
install -D -m 644 %{SOURCE2} %{buildroot}%{_rpmmacrodir}/macros.pam
# /run/motd.d
install -Dm0644 %{SOURCE13} %{buildroot}%{_tmpfilesdir}/pam.conf
mkdir -p %{buildroot}%{_pam_secdistconfdir}/{limits.d,namespace.d}
# Remove manual pages for main package
%if !%{build_doc}
rm -rf %{buildroot}%{_mandir}/man?/*
%else
install -m 644 %{_sourcedir}/unix2_chkpwd.8 %{buildroot}/%{_mandir}/man8/
# bsc#1188724
echo '.so man8/pam_motd.8' > %{buildroot}%{_mandir}/man5/motd.5
%endif
%if !%{build_main}
rm -rf %{buildroot}{%{_distconfdir}/environment,%{_pam_secdistconfdir}/{a,f,g,n,p,s,t}*}
rm -rf %{buildroot}{%{_sysconfdir},%{_sbindir}/{f*,m*,pam_n*,pw*,u*},%{_pam_secconfdir},%{_pam_confdir},%{_datadir}/locale}
rm -rf %{buildroot}{%{_includedir},%{_libdir}/{libpam*,pkgconfig},%{_pam_vendordir},%{_rpmmacrodir},%{_tmpfilesdir},%{_unitdir}/pam_namespace.service}
rm -rf %{buildroot}%{_pam_moduledir}/pam_{a,b,c,d,e,f,g,h,j,k,la,lis,lo,m,n,o,p,q,r,s,v,w,x,y,z,time.,tt,um,un,usertype}*
%else
# Delete files for extra package
rm -rf %{buildroot}{%{_pam_moduledir}/pam_limits.so,%{_pam_secdistconfdir}/limits.conf,%{_pam_moduledir}/pam_issue.so,%{_pam_moduledir}/pam_timestamp.so,%{_sbindir}/pam_timestamp_check}
# Create filelist with translations
%find_lang Linux-PAM
%endif
%if %{build_main}
%verifyscript
%verify_permissions -e %{_sbindir}/unix_chkpwd
%verify_permissions -e %{_sbindir}/unix2_chkpwd
%post
/sbin/ldconfig
%set_permissions %{_sbindir}/unix_chkpwd
%set_permissions %{_sbindir}/unix2_chkpwd
%tmpfiles_create %{_tmpfilesdir}/pam.conf
%postun -p /sbin/ldconfig
%pre
for i in securetty %{config_files} ; do
test -f %{_sysconfdir}/${i}.rpmsave && mv -v %{_sysconfdir}/${i}.rpmsave %{_sysconfdir}/${i}.rpmsave.old ||:
done
%posttrans
# Migration to /usr/etc.
for i in securetty %{config_files} ; do
test -f %{_sysconfdir}/${i}.rpmsave && mv -v %{_sysconfdir}/${i}.rpmsave %{_sysconfdir}/${i} ||:
done
%files -f Linux-PAM.lang
%doc NEWS
%license COPYING
%dir %{_pam_confdir}
%dir %{_pam_vendordir}
%dir %{_pam_secconfdir}
%dir %{_pam_secdistconfdir}
%{_pam_vendordir}/other
%{_pam_vendordir}/common-*
%{_pam_vendordir}/postlogin-*
%{_distconfdir}/environment
%{_pam_secdistconfdir}/access.conf
%{_pam_secdistconfdir}/group.conf
%{_pam_secdistconfdir}/faillock.conf
%{_pam_secdistconfdir}/pam_env.conf
%if %{with selinux}
%{_pam_secdistconfdir}/sepermit.conf
%endif
%{_pam_secdistconfdir}/time.conf
%{_pam_secdistconfdir}/namespace.conf
%{_pam_secdistconfdir}/namespace.init
%{_pam_secdistconfdir}/pwhistory.conf
%dir %{_pam_secdistconfdir}/namespace.d
%{_libdir}/libpam.so.0
%{_libdir}/libpam.so.%{libpam_so_version}
%{_libdir}/libpamc.so.0
%{_libdir}/libpamc.so.%{libpamc_so_version}
%{_libdir}/libpam_misc.so.0
%{_libdir}/libpam_misc.so.%{libpam_misc_so_version}
%dir %{_pam_moduledir}
%{_pam_moduledir}/pam_access.so
%{_pam_moduledir}/pam_canonicalize_user.so
%{_pam_moduledir}/pam_debug.so
%{_pam_moduledir}/pam_deny.so
%{_pam_moduledir}/pam_echo.so
%{_pam_moduledir}/pam_env.so
%{_pam_moduledir}/pam_exec.so
%{_pam_moduledir}/pam_faildelay.so
%{_pam_moduledir}/pam_faillock.so
%{_pam_moduledir}/pam_filter.so
%dir %{_pam_moduledir}/pam_filter
%{_pam_moduledir}//pam_filter/upperLOWER
%{_pam_moduledir}/pam_ftp.so
%{_pam_moduledir}/pam_group.so
%{_pam_moduledir}/pam_keyinit.so
%{_pam_moduledir}/pam_listfile.so
%{_pam_moduledir}/pam_localuser.so
%{_pam_moduledir}/pam_loginuid.so
%{_pam_moduledir}/pam_mail.so
%{_pam_moduledir}/pam_mkhomedir.so
%{_pam_moduledir}/pam_motd.so
%{_pam_moduledir}/pam_namespace.so
%{_pam_moduledir}/pam_nologin.so
%{_pam_moduledir}/pam_permit.so
%{_pam_moduledir}/pam_pwhistory.so
%{_pam_moduledir}/pam_rhosts.so
%{_pam_moduledir}/pam_rootok.so
%{_pam_moduledir}/pam_securetty.so
%if %{with selinux}
%{_pam_moduledir}/pam_selinux.so
%{_pam_moduledir}/pam_sepermit.so
%endif
%{_pam_moduledir}/pam_setquota.so
%{_pam_moduledir}/pam_shells.so
%{_pam_moduledir}/pam_stress.so
%{_pam_moduledir}/pam_succeed_if.so
%{_pam_moduledir}/pam_time.so
%{_pam_moduledir}/pam_tty_audit.so
%{_pam_moduledir}/pam_umask.so
%{_pam_moduledir}/pam_unix.so
%{_pam_moduledir}/pam_usertype.so
%{_pam_moduledir}/pam_warn.so
%{_pam_moduledir}/pam_wheel.so
%{_pam_moduledir}/pam_xauth.so
%{_sbindir}/faillock
%{_sbindir}/mkhomedir_helper
%{_sbindir}/pam_namespace_helper
%{_sbindir}/pwhistory_helper
%verify(not mode) %attr(4755,root,shadow) %{_sbindir}/unix_chkpwd
%verify(not mode) %attr(4755,root,shadow) %{_sbindir}/unix2_chkpwd
%attr(0700,root,root) %{_sbindir}/unix_update
%{_unitdir}/pam_namespace.service
%{_tmpfilesdir}/pam.conf
%files devel
%defattr(644,root,root,755)
%dir %{_includedir}/security
%{_includedir}/security/*.h
%{_libdir}/libpam.so
%{_libdir}/libpamc.so
%{_libdir}/libpam_misc.so
%{_rpmmacrodir}/macros.pam
%{_libdir}/pkgconfig/pam*.pc
%endif
%if %{build_userdb}
%files -n pam-userdb
%defattr(-,root,root,755)
%{_pam_moduledir}/pam_userdb.so
%{_mandir}/man8/pam_userdb.8%{?ext_man}
%endif
%if %{build_extra}
%files -n pam-extra
%defattr(-,root,root,755)
%dir %{_pam_secdistconfdir}
%dir %{_pam_secdistconfdir}/limits.d
%{_pam_secdistconfdir}/limits.conf
%{_pam_moduledir}/pam_limits.so
%{_pam_moduledir}/pam_issue.so
%{_pam_moduledir}/pam_timestamp.so
%{_sbindir}/pam_timestamp_check
%endif
%if %{build_doc}
%files -n pam-doc
%defattr(644,root,root,755)
%dir %{_defaultdocdir}/pam
%doc %{_defaultdocdir}/pam/html
%doc %{_defaultdocdir}/pam/modules
%doc %{_defaultdocdir}/pam/pdf
%doc %{_defaultdocdir}/pam/*.txt
%files -n pam-manpages
%{_mandir}/man3/pam*.3%{?ext_man}
%{_mandir}/man3/misc_conv.3%{?ext_man}
%{_mandir}/man5/environment.5%{?ext_man}
%{_mandir}/man5/*.conf.5%{?ext_man}
%{_mandir}/man5/pam.d.5%{?ext_man}
%{_mandir}/man5/motd.5%{?ext_man}
%{_mandir}/man8/PAM.8%{?ext_man}
%{_mandir}/man8/faillock.8%{?ext_man}
%{_mandir}/man8/mkhomedir_helper.8%{?ext_man}
%{_mandir}/man8/pam.8%{?ext_man}
%{_mandir}/man8/pam_access.8%{?ext_man}
%{_mandir}/man8/pam_canonicalize_user.8%{?ext_man}
%{_mandir}/man8/pam_debug.8%{?ext_man}
%{_mandir}/man8/pam_deny.8%{?ext_man}
%{_mandir}/man8/pam_echo.8%{?ext_man}
%{_mandir}/man8/pam_env.8%{?ext_man}
%{_mandir}/man8/pam_exec.8%{?ext_man}
%{_mandir}/man8/pam_faildelay.8%{?ext_man}
%{_mandir}/man8/pam_faillock.8%{?ext_man}
%{_mandir}/man8/pam_filter.8%{?ext_man}
%{_mandir}/man8/pam_ftp.8%{?ext_man}
%{_mandir}/man8/pam_group.8%{?ext_man}
%{_mandir}/man8/pam_issue.8%{?ext_man}
%{_mandir}/man8/pam_keyinit.8%{?ext_man}
%{_mandir}/man8/pam_limits.8%{?ext_man}
%{_mandir}/man8/pam_listfile.8%{?ext_man}
%{_mandir}/man8/pam_localuser.8%{?ext_man}
%{_mandir}/man8/pam_loginuid.8%{?ext_man}
%{_mandir}/man8/pam_mail.8%{?ext_man}
%{_mandir}/man8/pam_mkhomedir.8%{?ext_man}
%{_mandir}/man8/pam_motd.8%{?ext_man}
%{_mandir}/man8/pam_namespace.8%{?ext_man}
%{_mandir}/man8/pam_namespace_helper.8%{?ext_man}
%{_mandir}/man8/pam_nologin.8%{?ext_man}
%{_mandir}/man8/pam_permit.8%{?ext_man}
%{_mandir}/man8/pam_pwhistory.8%{?ext_man}
%{_mandir}/man8/pam_rhosts.8%{?ext_man}
%{_mandir}/man8/pam_rootok.8%{?ext_man}
%{_mandir}/man8/pam_securetty.8%{?ext_man}
%if %{with selinux}
%{_mandir}/man8/pam_selinux.8%{?ext_man}
%{_mandir}/man8/pam_sepermit.8%{?ext_man}
%endif
%{_mandir}/man8/pam_setquota.8%{?ext_man}
%{_mandir}/man8/pam_shells.8%{?ext_man}
%{_mandir}/man8/pam_stress.8%{?ext_man}
%{_mandir}/man8/pam_succeed_if.8%{?ext_man}
%{_mandir}/man8/pam_time.8%{?ext_man}
%{_mandir}/man8/pam_timestamp.8%{?ext_man}
%{_mandir}/man8/pam_timestamp_check.8%{?ext_man}
%{_mandir}/man8/pam_tty_audit.8%{?ext_man}
%{_mandir}/man8/pam_umask.8%{?ext_man}
%{_mandir}/man8/pam_unix.8%{?ext_man}
%{_mandir}/man8/pam_usertype.8%{?ext_man}
%{_mandir}/man8/pam_warn.8%{?ext_man}
%{_mandir}/man8/pam_wheel.8%{?ext_man}
%{_mandir}/man8/pam_xauth.8%{?ext_man}
%{_mandir}/man8/pwhistory_helper.8%{?ext_man}
%{_mandir}/man8/unix2_chkpwd.8%{?ext_man}
%{_mandir}/man8/unix_chkpwd.8%{?ext_man}
%{_mandir}/man8/unix_update.8%{?ext_man}
%endif
%changelog