e352b2c661
- Added support of configuration files with arbitrarily long lines.
- build: fixed build outside of the source tree.
- libpam: added use of getrandom(2) as a source of randomness if available.
- libpam: fixed calculation of fail delay with very long delays.
- libpam: fixed potential infinite recursion with includes.
- libpam: implemented string to number conversions validation when parsing
controls in configuration.
- pam_access: added quiet_log option.
- pam_access: fixed truncation of very long group names.
- pam_canonicalize_user: new module to canonicalize user name.
- pam_echo: fixed file handling to prevent overflows and short reads.
- pam_env: added support of '\' character in environment variable values.
- pam_exec: allowed expose_authtok for password PAM_TYPE.
- pam_exec: fixed stack overflow with binary output of programs.
- pam_faildelay: implemented parameter ranges validation.
- pam_listfile: changed to treat \r and \n exactly the same in configuration.
- pam_mkhomedir: hardened directory creation against timing attacks.
- Please note that using *at functions leads to more open file handles
during creation.
- pam_namespace: fixed potential local DoS (CVE-2024-22365).
- pam_nologin: fixed file handling to prevent short reads.
- pam_pwhistory: helper binary is now built only if SELinux support is
enabled.
- pam_pwhistory: implemented reliable usernames handling when remembering
passwords.
- pam_shells: changed to allow shell entries with absolute paths only.
- pam_succeed_if: fixed treating empty strings as numerical value 0.
- pam_unix: added support of disabled password aging.
- pam_unix: synchronized password aging with shadow.
OBS-URL: https://build.opensuse.org/package/show/Linux-PAM/pam?expand=0&rev=280
47 lines
1.4 KiB
Bash
47 lines
1.4 KiB
Bash
#!/bin/bash
|
|
|
|
# Extract list of variables supported by su/runuser.
|
|
#
|
|
# If you edit this file, you will probably need to edit
|
|
# shadow-login_defs-check.sh from shadow sources in a similar way.
|
|
|
|
set -o errexit
|
|
|
|
echo -n "Checking login.defs variables in pam... " >&2
|
|
grep -rh LOGIN_DEFS . |
|
|
sed -n 's/CRYPTO_KEY/\"HMAC_CRYPTO_ALGO\"/g;s/^.*search_key *([A-Za-z_]*, *[A-Z_]*LOGIN_DEFS, *"\([A-Z0-9_]*\)").*$/\1/p' |
|
|
LC_ALL=C sort -u >pam-login_defs-vars.lst
|
|
|
|
if test $(sha1sum pam-login_defs-vars.lst | sed 's/ .*$//') != 8521c47f55dff97fac980d52395b763590cd3f07 ; then
|
|
|
|
echo "does not match!" >&2
|
|
echo "Checksum is: $(sha1sum pam-login_defs-vars.lst | sed 's/ .*$//')" >&2
|
|
|
|
cat >&2 <<EOF
|
|
|
|
You have to perform following steps:
|
|
|
|
Check whether the error is false positive (script failed to extract
|
|
variables) or true positive (variable list changed).
|
|
|
|
If it is false positive:
|
|
- Fix this script.
|
|
- The same fix is needed in shadow package in shadow-login_defs-check.sh.
|
|
|
|
If it is true positive:
|
|
- Check-out shadow package and call shadow-login_defs-check.sh.
|
|
- Compare its output shadow-login_defs-check-pam.lst with
|
|
pam-login_defs-vars.lst in the pam build directory.
|
|
- Update shadow encryption_method_nis.patch, if needed.
|
|
- If encryption_method_nis.patch was updated, update
|
|
login_defs-support-for-pam symbol version in both shadow and
|
|
pam spec files accordingly.
|
|
- Update checksum in this script.
|
|
|
|
EOF
|
|
|
|
exit 1
|
|
else
|
|
echo "OK" >&2
|
|
fi
|