Accepting request 961066 from Linux-PAM

OBS-URL: https://build.opensuse.org/request/show/961066 OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/pam?expand=0&rev=121
2022-03-14 18:33:58 +00:00 · 2022-03-14 18:33:58 +00:00 · 18053db418
commit 18053db418
parent e11a0c3af1 656f9b5474
7 changed files with 1781 additions and 194 deletions
--- a/0001-Include-pam_xauth_data.3.xml-in-source-archive-400.patch
+++ b/0001-Include-pam_xauth_data.3.xml-in-source-archive-400.patch
@ -1,25 +0,0 @@
-From 00a46bcead2857002ed720f22b558b6f6d349fc8 Mon Sep 17 00:00:00 2001
-From: Thorsten Kukuk <5908016+thkukuk@users.noreply.github.com>
-Date: Tue, 2 Nov 2021 11:45:59 +0100
-Subject: [PATCH 1/3] Include pam_xauth_data.3.xml in source archive (#400)
-
---
- doc/man/Makefile.am | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/doc/man/Makefile.am b/doc/man/Makefile.am
-index 78c891df..c6fd73db 100644
--- a/doc/man/Makefile.am
-+++ b/doc/man/Makefile.am
-@@ -43,7 +43,7 @@ XMLS = pam.3.xml pam.8.xml \
- 	pam_item_types_std.inc.xml pam_item_types_ext.inc.xml \
- 	pam.conf-desc.xml pam.conf-dir.xml pam.conf-syntax.xml \
- 	misc_conv.3.xml pam_misc_paste_env.3.xml pam_misc_drop_env.3.xml \
-	pam_misc_setenv.3.xml
-+	pam_misc_setenv.3.xml pam_xauth_data.3.xml
- 
- if ENABLE_REGENERATE_MAN
- PAM.8: pam.8
-- 
-2.31.1
-
--- a/0002-Only-include-vendordir-in-manual-page-if-set-401.patch
+++ b/0002-Only-include-vendordir-in-manual-page-if-set-401.patch
@ -1,51 +0,0 @@
-From 04109c25a7dbd11404f7f23a9a405b9b9d6b7246 Mon Sep 17 00:00:00 2001
-From: Thorsten Kukuk <5908016+thkukuk@users.noreply.github.com>
-Date: Tue, 2 Nov 2021 11:46:24 +0100
-Subject: [PATCH 2/3] Only include vendordir in manual page if set (#401)
-
---
- configure.ac      | 4 ++--
- doc/man/pam.8.xml | 5 ++---
- 2 files changed, 4 insertions(+), 5 deletions(-)
-
-diff --git a/configure.ac b/configure.ac
-index c06bc7dd..eb98d69a 100644
--- a/configure.ac
-+++ b/configure.ac
-@@ -507,9 +507,9 @@ AC_ARG_ENABLE([vendordir],
- if test -n "$enable_vendordir"; then
-   AC_DEFINE_UNQUOTED([VENDORDIR], ["$enable_vendordir"],
- 		     [Directory for distribution provided configuration files])
-  STRINGPARAM_VENDORDIR="--stringparam vendordir '$enable_vendordir'"
-+  STRINGPARAM_VENDORDIR="--stringparam vendordir '$enable_vendordir' --stringparam profile.condition 'with_vendordir'"
- else
-  STRINGPARAM_VENDORDIR="--stringparam vendordir '<vendordir>'"
-+  STRINGPARAM_VENDORDIR="--stringparam profile.condition 'without_vendordir'"
- fi
- AC_SUBST([STRINGPARAM_VENDORDIR])
- 
-diff --git a/doc/man/pam.8.xml b/doc/man/pam.8.xml
-index 464af0e5..8eef665a 100644
--- a/doc/man/pam.8.xml
-+++ b/doc/man/pam.8.xml
-@@ -158,15 +158,14 @@ closing hook for modules to affect the services available to a user.</para>
-           </para>
-         </listitem>
-       </varlistentry>
-      <varlistentry>
-+      <varlistentry condition="with_vendordir">
-         <term><filename>%vendordir%/pam.d</filename></term>
-         <listitem>
-           <para>
-             the <emphasis remap='B'>Linux-PAM</emphasis> vendor configuration
- 	    directory. Files in <filename>/etc/pam.d</filename> and
- 	    <filename>/usr/lib/pam.d</filename> override files with the same
-	    name in this directory. Only available if Linux-PAM was compiled
-	    with vendordir enabled.
-+	    name in this directory.
-           </para>
-         </listitem>
-       </varlistentry>
-- 
-2.31.1
-
--- a/0003-Use-vendor-specific-limits.conf-as-fallback-402.patch
+++ b/0003-Use-vendor-specific-limits.conf-as-fallback-402.patch
@ -1,61 +0,0 @@
-From 5deaac423159103d02b146afa753a8ebb7fddf09 Mon Sep 17 00:00:00 2001
-From: Thorsten Kukuk <5908016+thkukuk@users.noreply.github.com>
-Date: Wed, 3 Nov 2021 09:02:40 +0100
-Subject: [PATCH 3/3] Use vendor specific limits.conf as fallback (#402)
-
-* Use vendor specific limits.conf as fallback
---
- modules/pam_limits/pam_limits.8.xml |  6 ++++++
- modules/pam_limits/pam_limits.c     | 19 ++++++++++++++++---
- 2 files changed, 22 insertions(+), 3 deletions(-)
-
-diff --git a/modules/pam_limits/pam_limits.8.xml b/modules/pam_limits/pam_limits.8.xml
-index bc46cbf4..c1c10eca 100644
--- a/modules/pam_limits/pam_limits.8.xml
-+++ b/modules/pam_limits/pam_limits.8.xml
-@@ -57,6 +57,12 @@
-       If a config file is explicitly specified with a module option then the
-       files in the above directory are not parsed.
-     </para>
-+    <para condition="with_vendordir">
-+      If there is no explicitly specified configuration file and
-+      <filename>/etc/security/limits.conf</filename> does not exist,
-+      <filename>%vendordir%/security/limits.conf</filename> is used.
-+      If this file does not exist, too, an error is thrown.
-+    </para>
-     <para>
-       The module must not be called by a multithreaded application.
-     </para>
-diff --git a/modules/pam_limits/pam_limits.c b/modules/pam_limits/pam_limits.c
-index 7cc45d77..53188965 100644
--- a/modules/pam_limits/pam_limits.c
-+++ b/modules/pam_limits/pam_limits.c
-@@ -816,9 +816,22 @@ parse_config_file(pam_handle_t *pamh, const char *uname, uid_t uid, gid_t gid,
-         pam_syslog(pamh, LOG_DEBUG, "reading settings from '%s'", CONF_FILE);
-     fil = fopen(CONF_FILE, "r");
-     if (fil == NULL) {
-        pam_syslog (pamh, LOG_WARNING,
-		    "cannot read settings from %s: %m", CONF_FILE);
-        return PAM_SERVICE_ERR;
-+      int err = errno;
-+
-+#ifdef VENDORDIR
-+      /* if the specified file does not exist, and it is not provided by
-+         the user, try the vendor file as fallback. */
-+      if (pl->conf_file == NULL && err == ENOENT)
-+        fil = fopen(VENDORDIR"/security/limits.conf", "r");
-+
-+      if (fil == NULL)
-+#endif
-+        {
-+          pam_syslog (pamh, LOG_WARNING,
-+                      "cannot read settings from %s: %s", CONF_FILE,
-+                      strerror(err));
-+          return PAM_SERVICE_ERR;
-+        }
-     }
- 
-     /* start the show */
-- 
-2.31.1
-
--- a/pam-git.diff
+++ b/pam-git.diff
--- a/pam-hostnames-in-access_conf.patch
+++ b/pam-hostnames-in-access_conf.patch
@ -1,12 +1,52 @@
-Index: Linux-PAM-1.3.91/modules/pam_access/pam_access.c
-===================================================================
--- Linux-PAM-1.3.91.orig/modules/pam_access/pam_access.c
-+++ Linux-PAM-1.3.91/modules/pam_access/pam_access.c
-@@ -699,10 +699,10 @@ string_match (pam_handle_t *pamh, const
-     return (NO);
+From d275f22cf28da287e93b5e5a1fdb8a68b2815982 Mon Sep 17 00:00:00 2001
+From: Thorsten Kukuk <kukuk@suse.com>
+Date: Thu, 24 Feb 2022 10:37:32 +0100
+Subject: [PATCH] pam_access: handle hostnames in access.conf
+
+According to the manual page, the following entry is valid but does not
+work:
+-:root:ALL EXCEPT localhost
+
+See https://bugzilla.suse.com/show_bug.cgi?id=1019866
+
+Patched is based on PR#226 from Josef Moellers
+---
+ modules/pam_access/pam_access.c | 95 ++++++++++++++++++++++++++-------
+ 1 file changed, 76 insertions(+), 19 deletions(-)
+
+diff --git a/modules/pam_access/pam_access.c b/modules/pam_access/pam_access.c
+index 0d033aa20..3cec542be 100644
+--- a/modules/pam_access/pam_access.c
+++ b/modules/pam_access/pam_access.c
+@@ -640,7 +640,7 @@ remote_match (pam_handle_t *pamh, char *tok, struct login_info *item)
+       if ((str_len = strlen(string)) > tok_len
+ 	  && strcasecmp(tok, string + str_len - tok_len) == 0)
+ 	return YES;
+-    } else if (tok[tok_len - 1] == '.') {
+    } else if (tok[tok_len - 1] == '.') {       /* internet network numbers (end with ".") */
+       struct addrinfo hint;
+ 
+       memset (&hint, '\0', sizeof (hint));
+@@ -681,7 +681,7 @@ remote_match (pam_handle_t *pamh, char *tok, struct login_info *item)
+       return NO;
+     }
+ 
+-    /* Assume network/netmask with an IP of a host.  */
+    /* Assume network/netmask, IP address or hostname.  */
+     return network_netmask_match(pamh, tok, string, item);
 }
 
-
+@@ -699,7 +699,7 @@ string_match (pam_handle_t *pamh, const char *tok, const char *string,
+     /*
+      * If the token has the magic value "ALL" the match always succeeds.
+      * Otherwise, return YES if the token fully matches the string.
+-	 * "NONE" token matches NULL string.
+     * "NONE" token matches NULL string.
+      */
+ 
+     if (strcasecmp(tok, "ALL") == 0) {		/* all: always matches */
+@@ -717,7 +717,8 @@ string_match (pam_handle_t *pamh, const char *tok, const char *string,
+ 
 /* network_netmask_match - match a string against one token
  * where string is a hostname or ip (v4,v6) address and tok
 - * represents either a single ip (v4,v6) address or a network/netmask
@ -15,13 +55,11 @@ Index: Linux-PAM-1.3.91/modules/pam_access/pam_access.c
  */
 static int
 network_netmask_match (pam_handle_t *pamh,
-@@ -711,10 +711,14 @@ network_netmask_match (pam_handle_t *pam
+@@ -726,10 +727,12 @@ network_netmask_match (pam_handle_t *pamh,
     char *netmask_ptr;
     char netmask_string[MAXHOSTNAMELEN + 1];
     int addr_type;
-+    struct addrinfo *ai;
-+    struct sockaddr_storage tok_addr;
-+    struct addrinfo hint;
+    struct addrinfo *ai = NULL;
 
     if (item->debug)
 -    pam_syslog (pamh, LOG_DEBUG,
@ -31,33 +69,17 @@ Index: Linux-PAM-1.3.91/modules/pam_access/pam_access.c
     /* OK, check if tok is of type addr/mask */
     if ((netmask_ptr = strchr(tok, '/')) != NULL)
       {
-@@ -724,7 +728,7 @@ network_netmask_match (pam_handle_t *pam
- 	*netmask_ptr = 0;
- 	netmask_ptr++;
- 
-	if (isipaddr(tok, &addr_type, NULL) == NO)
-+	if (isipaddr(tok, &addr_type, &tok_addr) == NO)
- 	  { /* no netaddr */
- 	    return NO;
- 	  }
-@@ -748,19 +752,47 @@ network_netmask_match (pam_handle_t *pam
+@@ -763,54 +766,108 @@ network_netmask_match (pam_handle_t *pamh,
 	    netmask_ptr = number_to_netmask(netmask, addr_type,
 		netmask_string, MAXHOSTNAMELEN);
 	  }
 -	}
 +
-+	/*
-+	 * Although isipaddr() has already converted the IP address,
-+	 * we call getaddrinfo here to properly construct an addrinfo list
-+	 */
-+	memset (&hint, '\0', sizeof (hint));
-+	hint.ai_flags = 0;
-+	hint.ai_family = AF_UNSPEC;
-+
-+	ai = NULL;	/* just to be on the safe side */
-+
-+	/* The following should not fail ... */
-+	if (getaddrinfo (tok, NULL, &hint, &ai) != 0)
+        /*
+         * Construct an addrinfo list from the IP address.
+         * This should not fail as the input is a correct IP address...
+         */
+	if (getaddrinfo (tok, NULL, NULL, &ai) != 0)
 +	  {
 +	    return NO;
 +	  }
@ -70,15 +92,9 @@ Index: Linux-PAM-1.3.91/modules/pam_access/pam_access.c
 +	 * It is either an IP address or a hostname.
 +	 * Let getaddrinfo sort everything out
 +	 */
-+	memset (&hint, '\0', sizeof (hint));
-+	hint.ai_flags = 0;
-+	hint.ai_family = AF_UNSPEC;
-+
-+	ai = NULL;	/* just to be on the safe side */
-+
-+	if (getaddrinfo (string, NULL, &hint, &ai) != 0)
+	if (getaddrinfo (tok, NULL, NULL, &ai) != 0)
 	  {
-+	    pam_syslog(pamh, LOG_ERR, "cannot resolve hostname \"%s\"", string);
+	    pam_syslog(pamh, LOG_ERR, "cannot resolve hostname \"%s\"", tok);
 +
 	    return NO;
 	  }
@ -87,13 +103,25 @@ Index: Linux-PAM-1.3.91/modules/pam_access/pam_access.c
 
     if (isipaddr(string, NULL, NULL) != YES)
       {
- 	/* Assume network/netmask with a name of a host.  */
-	struct addrinfo hint;
-
+-	/* Assume network/netmask with a name of a host.  */
+ 	struct addrinfo hint;
+ 
+	/* Assume network/netmask with a name of a host.  */
 	memset (&hint, '\0', sizeof (hint));
 	hint.ai_flags = AI_CANONNAME;
 	hint.ai_family = AF_UNSPEC;
-@@ -773,29 +805,54 @@ network_netmask_match (pam_handle_t *pam
+ 
+ 	if (item->gai_rv != 0)
+	  {
+	    freeaddrinfo(ai);
+ 	    return NO;
+	  }
+ 	else if (!item->res &&
+ 		(item->gai_rv = getaddrinfo (string, NULL, &hint, &item->res)) != 0)
+	  {
+	    freeaddrinfo(ai);
+ 	    return NO;
+	  }
         else
 	  {
 	    struct addrinfo *runp = item->res;
@ -103,14 +131,18 @@ Index: Linux-PAM-1.3.91/modules/pam_access/pam_access.c
 	      {
 		char buf[INET6_ADDRSTRLEN];
 
- 		DIAG_PUSH_IGNORE_CAST_ALIGN;
+-		DIAG_PUSH_IGNORE_CAST_ALIGN;
 -		inet_ntop (runp->ai_family,
 -			runp->ai_family == AF_INET
 -			? (void *) &((struct sockaddr_in *) runp->ai_addr)->sin_addr
 -			: (void *) &((struct sockaddr_in6 *) runp->ai_addr)->sin6_addr,
 -			buf, sizeof (buf));
-+		(void) getnameinfo (runp->ai_addr, runp->ai_addrlen, buf, sizeof (buf), NULL, 0, NI_NUMERICHOST);
- 		DIAG_POP_IGNORE_CAST_ALIGN;
+-		DIAG_POP_IGNORE_CAST_ALIGN;
+		if (getnameinfo (runp->ai_addr, runp->ai_addrlen, buf, sizeof (buf), NULL, 0, NI_NUMERICHOST) != 0)
+		  {
+		    freeaddrinfo(ai);
+		    return NO;
+		  }
 
 -		if (are_addresses_equal(buf, tok, netmask_ptr))
 +		for (runp1 = ai; runp1 != NULL; runp1 = runp1->ai_next)
@ -121,7 +153,11 @@ Index: Linux-PAM-1.3.91/modules/pam_access/pam_access.c
 +                    if (runp->ai_family != runp1->ai_family)
 +                      continue;
 +
-+                    (void) getnameinfo (runp1->ai_addr, runp1->ai_addrlen, buf1, sizeof (buf1), NULL, 0, NI_NUMERICHOST);
+                    if (getnameinfo (runp1->ai_addr, runp1->ai_addrlen, buf1, sizeof (buf1), NULL, 0, NI_NUMERICHOST) != 0)
+		      {
+			freeaddrinfo(ai);
+			return NO;
+		      }
 +
 +                    if (are_addresses_equal (buf, buf1, netmask_ptr))
 +                      {
--- a/pam.changes
+++ b/pam.changes
@ -1,3 +1,23 @@
+-------------------------------------------------------------------
+Fri Mar 11 11:25:35 UTC 2022 - Thorsten Kukuk <kukuk@suse.com>
+
+- pam-hostnames-in-access_conf.patch: update with upstream
+  submission. Fixes several bugs including memory leaks.
+
+-------------------------------------------------------------------
+Wed Feb  9 14:05:01 UTC 2022 - Thorsten Kukuk <kukuk@suse.com>
+
+- Move group.conf and faillock.conf to /usr/etc/security
+
+-------------------------------------------------------------------
+Mon Feb  7 09:46:16 UTC 2022 - Thorsten Kukuk <kukuk@suse.com>
+
+- Update to current git for enhanced vendordir support (pam-git.diff)
+  Obsoletes:
+  - 0001-Include-pam_xauth_data.3.xml-in-source-archive-400.patch
+  - 0002-Only-include-vendordir-in-manual-page-if-set-401.patch
+  - 0003-Use-vendor-specific-limits.conf-as-fallback-402.patch
+
 -------------------------------------------------------------------
 Mon Dec 13 13:06:47 UTC 2021 - Thorsten Kukuk <kukuk@suse.com>

--- a/pam.spec
+++ b/pam.spec
@ -69,9 +69,7 @@ Patch2:         pam-hostnames-in-access_conf.patch
 Patch3:         pam-xauth_ownership.patch
 Patch4:         pam-bsc1177858-dont-free-environment-string.patch
 Patch10:        pam_xauth_data.3.xml.patch
-Patch11:        0001-Include-pam_xauth_data.3.xml-in-source-archive-400.patch
-Patch12:        0002-Only-include-vendordir-in-manual-page-if-set-401.patch
-Patch13:        0003-Use-vendor-specific-limits.conf-as-fallback-402.patch
+Patch11:        pam-git.diff
 BuildRequires:  audit-devel
 BuildRequires:  bison
 BuildRequires:  flex
@ -183,8 +181,6 @@ cp -a %{SOURCE12} .
 %patch4 -p1
 %patch10 -p1
 %patch11 -p1
-%patch12 -p1
-%patch13 -p1

 %build
 bash ./pam-login_defs-check.sh
@ -258,7 +254,7 @@ install -D -m 644 %{SOURCE2} %{buildroot}%{_rpmmacrodir}/macros.pam
 install -Dm0644 %{SOURCE13} %{buildroot}%{_tmpfilesdir}/pam.conf

 mkdir %{buildroot}%{_distconfdir}/security
-mv %{buildroot}%{_sysconfdir}/security/limits.conf %{buildroot}%{_distconfdir}/security/limits.conf
+mv %{buildroot}%{_sysconfdir}/security/{limits.conf,faillock.conf,group.conf} %{buildroot}%{_distconfdir}/security/

 # Remove manual pages for main package
 %if !%{build_doc}
@ -328,8 +324,8 @@ done
 %endif
 %config(noreplace) %{_sysconfdir}/environment
 %config(noreplace) %{_pam_secconfdir}/access.conf
-%config(noreplace) %{_pam_secconfdir}/group.conf
-%config(noreplace) %{_pam_secconfdir}/faillock.conf
+%{_distconfdir}/security/group.conf
+%{_distconfdir}/security/faillock.conf
 %{_distconfdir}/security/limits.conf
 %config(noreplace) %{_pam_secconfdir}/pam_env.conf
 %if %{enable_selinux}