Accepting request 755047 from Linux-PAM

OBS-URL: https://build.opensuse.org/request/show/755047
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/pam_mount?expand=0&rev=67

bsc1153630-prevent-systemd-from-calling-pam_mount.patch

@@ -0,0 +1,34 @@
+Index: pam_mount-2.16/doc/pam_mount.8.in
+===================================================================
+--- pam_mount-2.16.orig/doc/pam_mount.8.in
++++ pam_mount-2.16/doc/pam_mount.8.in
+@@ -51,7 +51,7 @@ volumes are not allowed by the example p
+ pam_mount.
+ .SH PAM configuration
+ .PP
+-In addition, you must include two entries in the system's applicable
++In addition, you must include three entries in the system's applicable
+ /etc/pam.d/\fIservice\fP config files, as the following example shows:
+ .IP
+ .nf
+@@ -64,9 +64,12 @@ In addition, you must include two entrie
+     password required  pam_pwdb.so shadow nullok use_authtok
+     session  required  pam_pwdb.so
+     session  optional  pam_console.so
+++++ session [success=1 default=ignore] pam_succeed_if.so service = systemd-user
+ +++ session  optional  pam_mount.so
+ .fi
+ .PP
++The two lines marked "session" must be kept together!
++.PP
+ When "sufficient" is used in the second column, you must make sure that
+ pam_mount is added before this entry. Otherwise pam_mount will not get executed
+ should a previous PAM module succeed. Also be aware of the "include"
+@@ -84,6 +87,7 @@ account sufficient  pam_ldap.so
+ auth    required    pam_mount.so
+ auth    sufficient  pam_ldap.so use_first_pass
+ auth    required    pam_unix.so use_first_pass
++session [success=1 default=ignore] pam_succeed_if.so service = systemd-user
+ session optional    pam_mount.so
+ \(bu\(bu\(bu
+ .fi

pam_mount.changes

@@ -1,3 +1,13 @@
+-------------------------------------------------------------------
+Mon Nov 25 08:24:18 UTC 2019 - Josef Möllers <josef.moellers@suse.com>
+
+- Systemd-user must be prevented from invoking pam_mount.so in the
+  "session" management group eg by invoking pam_succeed_if.so to
+  skip the pam_mount entry when systemd-user is calling
+  pam_{open,close}_session.
+  [bsc#1153630,
+   bsc1153630-prevent-systemd-from-calling-pam_mount.patch]
+
 -------------------------------------------------------------------
 Sat Nov 17 09:18:54 UTC 2018 - Matthias Fehring <buschmann23@opensuse.org>
 

pam_mount.spec

@@ -12,7 +12,7 @@
 # license that conforms to the Open Source Definition (Version 1.9)
 # published by the Open Source Initiative.
 
-# Please submit bugfixes or comments via http://bugs.opensuse.org/
+# Please submit bugfixes or comments via https://bugs.opensuse.org/
 #
 
 
@@ -34,6 +34,7 @@ Source5:        baselibs.conf
 Source6:        %{name}.keyring
 Patch1:         pam_mount-0.47-enable-logout-kill.dif
 Patch2:         pam_mount-2.16-fix-luks2-mount.patch
+Patch3:         bsc1153630-prevent-systemd-from-calling-pam_mount.patch
 BuildRoot:      %{_tmppath}/%{name}-%{version}-build
 BuildRequires:  fdupes
 BuildRequires:  libtool
@@ -101,6 +102,7 @@ and transparent use of the OS's crypto layer.
 %setup -q
 %patch -P 1 -p1
 %patch -P 2 -p1
+%patch -P 3 -p1
 
 %build
 %configure --disable-static --with-slibdir="/%_lib" \