From 419f083e6103dd3195c2ed93f595ff3d0ed5c55acefcf5ca63df7e0870f0d03d Mon Sep 17 00:00:00 2001
From: Jan Engelhardt
Date: Sun, 8 Dec 2019 09:33:54 +0000
Subject: [PATCH] Accepting request 750685 from home:jmoellers:branches:Linux-PAM
OBS-URL: https://build.opensuse.org/request/show/750685
OBS-URL: https://build.opensuse.org/package/show/Linux-PAM/pam_mount?expand=0&rev=62
---
...event-systemd-from-calling-pam_mount.patch | 34 +++++++++++++++++++
pam_mount.changes | 10 ++++++
pam_mount.spec | 4 ++-
3 files changed, 47 insertions(+), 1 deletion(-)
create mode 100644 bsc1153630-prevent-systemd-from-calling-pam_mount.patch
diff --git a/bsc1153630-prevent-systemd-from-calling-pam_mount.patch b/bsc1153630-prevent-systemd-from-calling-pam_mount.patch
new file mode 100644
index 0000000..8512b56
--- /dev/null
+++ b/bsc1153630-prevent-systemd-from-calling-pam_mount.patch
@@ -0,0 +1,34 @@
+Index: pam_mount-2.16/doc/pam_mount.8.in
+===================================================================
+--- pam_mount-2.16.orig/doc/pam_mount.8.in
++++ pam_mount-2.16/doc/pam_mount.8.in
+@@ -51,7 +51,7 @@ volumes are not allowed by the example p
+ pam_mount.
+ .SH PAM configuration
+ .PP
+-In addition, you must include two entries in the system's applicable
++In addition, you must include three entries in the system's applicable
+ /etc/pam.d/\fIservice\fP config files, as the following example shows:
+ .IP
+ .nf
+@@ -64,9 +64,12 @@ In addition, you must include two entrie
+ password required pam_pwdb.so shadow nullok use_authtok
+ session required pam_pwdb.so
+ session optional pam_console.so
+++++ session [success=1 default=ignore] pam_succeed_if.so service = systemd-user
+ +++ session optional pam_mount.so
+ .fi
+ .PP
++The two lines marked "session" must be kept together!
++.PP
+ When "sufficient" is used in the second column, you must make sure that
+ pam_mount is added before this entry. Otherwise pam_mount will not get executed
+ should a previous PAM module succeed. Also be aware of the "include"
+@@ -84,6 +87,7 @@ account sufficient pam_ldap.so
+ auth required pam_mount.so
+ auth sufficient pam_ldap.so use_first_pass
+ auth required pam_unix.so use_first_pass
++session [success=1 default=ignore] pam_succeed_if.so service = systemd-user
+ session optional pam_mount.so
+ \(bu\(bu\(bu
+ .fi
diff --git a/pam_mount.changes b/pam_mount.changes
index 7f43028..d883070 100644
--- a/pam_mount.changes
+++ b/pam_mount.changes
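Review bot: The added sentence `The two lines marked "session" must be kept together!` in the second inner hunk (@@ -64,9 +64,12 @@) is ambiguous, because the example has four session entries and only the pam_succeed_if.so / pam_mount.so pair is coupled. `[success=1 default=ignore]` skips exactly the one module that follows, so if an administrator inserts another module between the two lines, that module is skipped for systemd-user instead and pam_mount.so runs for it again. I would word it as `The pam_succeed_if.so line must be placed immediately before the pam_mount.so session line; success=1 skips only the next module.` and repeat it after the LDAP example in the third inner hunk (@@ -84,6 +87,7 @@), which gets the same pair with no warning. As far as this patch shows, only doc/pam_mount.8.in changes, so PAM stacks already deployed under /etc/pam.d keep calling pam_mount.so for systemd-user until they are edited by hand; the pam_mount.changes entry could say so.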
@@ -1,3 +1,13 @@ +------------------------------------------------------------------- +Mon Nov 25 08:24:18 UTC 2019 - Josef Möllers + +- Systemd-user must be prevented from invoking pam_mount.so in the + "session" management group eg by invoking pam_succeed_if.so to + skip the pam_mount entry when systemd-user is calling + pam_{open,close}_session. + [bsc#1153630, + bsc1153630-prevent-systemd-from-calling-pam_mount.patch] + ------------------------------------------------------------------- Sat Nov 17 09:18:54 UTC 2018 - Matthias Fehring diff --git a/pam_mount.spec b/pam_mount.spec index 30cba17..f3831cf 100644 --- a/pam_mount.spec +++ b/pam_mount.spec @@ -12,7 +12,7 @@ # license that conforms to the Open Source Definition (Version 1.9) # published by the Open Source Initiative. -# Please submit bugfixes or comments via http://bugs.opensuse.org/ +# Please submit bugfixes or comments via https://bugs.opensuse.org/ # @@ -34,6 +34,7 @@ Source5: baselibs.conf Source6: %{name}.keyring Patch1: pam_mount-0.47-enable-logout-kill.dif Patch2: pam_mount-2.16-fix-luks2-mount.patch +Patch3: bsc1153630-prevent-systemd-from-calling-pam_mount.patch BuildRoot: %{_tmppath}/%{name}-%{version}-build BuildRequires: fdupes BuildRequires: libtool @@ -101,6 +102,7 @@ and transparent use of the OS's crypto layer. %setup -q %patch -P 1 -p1 %patch -P 2 -p1 +%patch -P 3 -p1 %build %configure --disable-static --with-slibdir="/%_lib" \