From 0fc7ab76cc6e06e1cadaa090878e44fadd4d5a5655caf10f7c88cbc9c37e55a3 Mon Sep 17 00:00:00 2001 From: Thorsten Kukuk Date: Tue, 13 Jul 2021 13:43:07 +0000 Subject: [PATCH] - revert-check_shadow_expiry.diff: revert wrong CRYPT_SALT_METHOD_LEGACY check. - revert-check_shadow_expiry.diff: revert wrong CRYPT_SALT_METHOD_LEGACY check. OBS-URL: https://build.opensuse.org/package/show/Linux-PAM/pam?expand=0&rev=242 --- pam.changes | 6 ++++++ pam.spec | 4 +++- pam_unix-nis.changes | 6 ++++++ pam_unix-nis.spec | 2 ++ revert-check_shadow_expiry.diff | 31 +++++++++++++++++++++++++++++++ 5 files changed, 48 insertions(+), 1 deletion(-) create mode 100644 revert-check_shadow_expiry.diff diff --git a/pam.changes b/pam.changes index 7ba0097..038c58d 100644 --- a/pam.changes +++ b/pam.changes @@ -1,3 +1,9 @@ +------------------------------------------------------------------- +Tue Jul 13 13:40:00 UTC 2021 - Thorsten Kukuk + +- revert-check_shadow_expiry.diff: revert wrong + CRYPT_SALT_METHOD_LEGACY check. + ------------------------------------------------------------------- Fri Jun 25 08:07:04 UTC 2021 - Callum Farmer diff --git a/pam.spec b/pam.spec index 82c75e2..763c0ca 100644 --- a/pam.spec +++ b/pam.spec @@ -61,6 +61,7 @@ Patch10: pam-bsc1181443-make-nofile-unlimited-mean-nr_open.patch Patch11: bsc1184358-prevent-LOCAL-from-being-resolved.patch # https://github.com/linux-pam/linux-pam/commit/e842a5fc075002f46672ebcd8e896624f1ec8068 Patch100: pam_securetty-don-t-complain-about-missing-config.patch +Patch101: revert-check_shadow_expiry.diff BuildRequires: audit-devel BuildRequires: bison BuildRequires: cracklib-devel @@ -172,6 +173,7 @@ cp -a %{SOURCE12} . %patch10 -p1 %patch11 -p1 %patch100 -p1 +%patch101 -p1 %build bash ./pam-login_defs-check.sh 
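Review bot: `Patch101: revert-check_shadow_expiry.diff` is added to pam.spec without a provenance comment, while `Patch100` directly above it carries its upstream commit URL. The patch header only says it reverts commit 4da9feb, so a reader of the spec cannot tell which upstream change this tracks or when the patch can be dropped. Add a comment line above it such as `# <upstream commit URL> (reverts 4da9feb)`; the same applies to `Patch1: revert-check_shadow_expiry.diff` in pam_unix-nis.spec.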
@@ -191,7 +193,7 @@ CFLAGS="$CFLAGS -DNDEBUG" --enable-debug \ %endif --enable-tally2 --enable-cracklib -make %{?_smp_mflags} +%make_build gcc -fwhole-program -fpie -pie -D_FILE_OFFSET_BITS=64 -D_GNU_SOURCE %{optflags} -I%{_builddir}/Linux-PAM-%{version}/libpam/include %{SOURCE10} -o %{_builddir}/unix2_chkpwd -L%{_builddir}/Linux-PAM-%{version}/libpam/.libs -lpam %check diff --git a/pam_unix-nis.changes b/pam_unix-nis.changes index 75b5e39..ebba241 100644 --- a/pam_unix-nis.changes +++ b/pam_unix-nis.changes @@ -1,3 +1,9 @@ +------------------------------------------------------------------- +Tue Jul 13 13:40:54 UTC 2021 - Thorsten Kukuk + +- revert-check_shadow_expiry.diff: revert wrong + CRYPT_SALT_METHOD_LEGACY check. + ------------------------------------------------------------------- Wed Jun 9 14:02:02 UTC 2021 - Ludwig Nussel diff --git a/pam_unix-nis.spec b/pam_unix-nis.spec index 2b5db09..dd8a6c1 100644 --- a/pam_unix-nis.spec +++ b/pam_unix-nis.spec @@ -36,6 +36,7 @@ URL: http://www.linux-pam.org/ Source: Linux-PAM-%{version}.tar.xz Source9: baselibs.conf Patch: Makefile-pam_unix-nis.diff +Patch1: revert-check_shadow_expiry.diff BuildRequires: pam-devel %if 0%{?suse_version} > 1320 BuildRequires: pkgconfig(libeconf) @@ -57,6 +58,7 @@ module has NIS support. %prep %setup -q -n Linux-PAM-%{version} %patch -p1 +%patch1 -p1 %build export CFLAGS="%{optflags} -DNDEBUG" diff --git a/revert-check_shadow_expiry.diff b/revert-check_shadow_expiry.diff new file mode 100644 index 0000000..ef87ed9 --- /dev/null +++ b/revert-check_shadow_expiry.diff 
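Review bot: The build step changes from `make %{?_smp_mflags}` to `%make_build` in this hunk, but neither the commit message nor the new pam.changes entry mentions it. In an authentication package every build change should be traceable to a changelog line. Either add an entry such as `- Use %make_build macro` to pam.changes or move the macro change into its own commit.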
@@ -0,0 +1,31 @@
+pam_unix: do not use crypt_checksalt when checking for password expiration
+
+According to Zack Weinberg, the intended meaning of
+CRYPT_SALT_METHOD_LEGACY is "passwd(1) should not use this hashing
+method", it is not supposed to mean "force a password change on next
+login for any user with an existing stored hash using this method".
+
+This reverts commit 4da9feb.
+
+* modules/pam_unix/passverify.c (check_shadow_expiry)
+[CRYPT_CHECKSALT_AVAILABLE]: Remove.
+
+
+diff --git a/modules/pam_unix/passverify.c b/modules/pam_unix/passverify.c
+index f6132f805..5a19ed856 100644
+--- a/modules/pam_unix/passverify.c
++++ b/modules/pam_unix/passverify.c
+@@ -289,13 +289,7 @@ PAMH_ARG_DECL(int check_shadow_expiry,
+ D(("account expired"));
+ return PAM_ACCT_EXPIRED;
+ }
+-#if defined(CRYPT_CHECKSALT_AVAILABLE) && CRYPT_CHECKSALT_AVAILABLE
+- if (spent->sp_lstchg == 0 ||
+- crypt_checksalt(spent->sp_pwdp) == CRYPT_SALT_METHOD_LEGACY ||
+- crypt_checksalt(spent->sp_pwdp) == CRYPT_SALT_TOO_CHEAP) {
+-#else
+ if (spent->sp_lstchg == 0) {
+-#endif
+ D(("need a new password"));
+ *daysleft = 0;
+ return PAM_NEW_AUTHTOK_REQD;
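Review bot: The embedded patch removes the `CRYPT_SALT_TOO_CHEAP` comparison together with the `CRYPT_SALT_METHOD_LEGACY` one, but its header justifies only the LEGACY case. With the new side, this branch of `check_shadow_expiry` returns `PAM_NEW_AUTHTOK_REQD` only for `sp_lstchg == 0`, so stored hashes that `crypt_checksalt` would flag no longer trigger a forced change here; presumably migrating them becomes an administrative task. State in the patch header that dropping the TOO_CHEAP check is intended. A comment above the remaining test, `/* hash strength (crypt_checksalt) is deliberately not consulted here */`, would also help. The function body starts and ends outside the inner hunk.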