
Accepting request 961066 from Linux-PAM

OBS-URL: https://build.opensuse.org/request/show/961066
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/pam?expand=0&rev=121
Dominique Leuenberger 2022-03-14 18:33:58 +00:00 committed by Git OBS Bridge
commit 18053db418
7 changed files with 1781 additions and 194 deletions


@ -1,25 +0,0 @@
From 00a46bcead2857002ed720f22b558b6f6d349fc8 Mon Sep 17 00:00:00 2001
From: Thorsten Kukuk <5908016+thkukuk@users.noreply.github.com>
Date: Tue, 2 Nov 2021 11:45:59 +0100
Subject: [PATCH 1/3] Include pam_xauth_data.3.xml in source archive (#400)
---
doc/man/Makefile.am | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/doc/man/Makefile.am b/doc/man/Makefile.am
index 78c891df..c6fd73db 100644
--- a/doc/man/Makefile.am
+++ b/doc/man/Makefile.am
@@ -43,7 +43,7 @@ XMLS = pam.3.xml pam.8.xml \
pam_item_types_std.inc.xml pam_item_types_ext.inc.xml \
pam.conf-desc.xml pam.conf-dir.xml pam.conf-syntax.xml \
misc_conv.3.xml pam_misc_paste_env.3.xml pam_misc_drop_env.3.xml \
- pam_misc_setenv.3.xml
+ pam_misc_setenv.3.xml pam_xauth_data.3.xml
if ENABLE_REGENERATE_MAN
PAM.8: pam.8
--
2.31.1


@ -1,51 +0,0 @@
From 04109c25a7dbd11404f7f23a9a405b9b9d6b7246 Mon Sep 17 00:00:00 2001
From: Thorsten Kukuk <5908016+thkukuk@users.noreply.github.com>
Date: Tue, 2 Nov 2021 11:46:24 +0100
Subject: [PATCH 2/3] Only include vendordir in manual page if set (#401)
---
configure.ac | 4 ++--
doc/man/pam.8.xml | 5 ++---
2 files changed, 4 insertions(+), 5 deletions(-)
diff --git a/configure.ac b/configure.ac
index c06bc7dd..eb98d69a 100644
--- a/configure.ac
+++ b/configure.ac
@@ -507,9 +507,9 @@ AC_ARG_ENABLE([vendordir],
if test -n "$enable_vendordir"; then
AC_DEFINE_UNQUOTED([VENDORDIR], ["$enable_vendordir"],
[Directory for distribution provided configuration files])
- STRINGPARAM_VENDORDIR="--stringparam vendordir '$enable_vendordir'"
+ STRINGPARAM_VENDORDIR="--stringparam vendordir '$enable_vendordir' --stringparam profile.condition 'with_vendordir'"
else
- STRINGPARAM_VENDORDIR="--stringparam vendordir '<vendordir>'"
+ STRINGPARAM_VENDORDIR="--stringparam profile.condition 'without_vendordir'"
fi
AC_SUBST([STRINGPARAM_VENDORDIR])
diff --git a/doc/man/pam.8.xml b/doc/man/pam.8.xml
index 464af0e5..8eef665a 100644
--- a/doc/man/pam.8.xml
+++ b/doc/man/pam.8.xml
@@ -158,15 +158,14 @@ closing hook for modules to affect the services available to a user.</para>
</para>
</listitem>
</varlistentry>
- <varlistentry>
+ <varlistentry condition="with_vendordir">
<term><filename>%vendordir%/pam.d</filename></term>
<listitem>
<para>
the <emphasis remap='B'>Linux-PAM</emphasis> vendor configuration
directory. Files in <filename>/etc/pam.d</filename> and
<filename>/usr/lib/pam.d</filename> override files with the same
- name in this directory. Only available if Linux-PAM was compiled
- with vendordir enabled.
+ name in this directory.
</para>
</listitem>
</varlistentry>
--
2.31.1


@ -1,61 +0,0 @@
From 5deaac423159103d02b146afa753a8ebb7fddf09 Mon Sep 17 00:00:00 2001
From: Thorsten Kukuk <5908016+thkukuk@users.noreply.github.com>
Date: Wed, 3 Nov 2021 09:02:40 +0100
Subject: [PATCH 3/3] Use vendor specific limits.conf as fallback (#402)
* Use vendor specific limits.conf as fallback
---
modules/pam_limits/pam_limits.8.xml | 6 ++++++
modules/pam_limits/pam_limits.c | 19 ++++++++++++++++---
2 files changed, 22 insertions(+), 3 deletions(-)
diff --git a/modules/pam_limits/pam_limits.8.xml b/modules/pam_limits/pam_limits.8.xml
index bc46cbf4..c1c10eca 100644
--- a/modules/pam_limits/pam_limits.8.xml
+++ b/modules/pam_limits/pam_limits.8.xml
@@ -57,6 +57,12 @@
If a config file is explicitly specified with a module option then the
files in the above directory are not parsed.
</para>
+ <para condition="with_vendordir">
+ If there is no explicitly specified configuration file and
+ <filename>/etc/security/limits.conf</filename> does not exist,
+ <filename>%vendordir%/security/limits.conf</filename> is used.
+ If this file does not exist, too, an error is thrown.
+ </para>
<para>
The module must not be called by a multithreaded application.
</para>
diff --git a/modules/pam_limits/pam_limits.c b/modules/pam_limits/pam_limits.c
index 7cc45d77..53188965 100644
--- a/modules/pam_limits/pam_limits.c
+++ b/modules/pam_limits/pam_limits.c
@@ -816,9 +816,22 @@ parse_config_file(pam_handle_t *pamh, const char *uname, uid_t uid, gid_t gid,
pam_syslog(pamh, LOG_DEBUG, "reading settings from '%s'", CONF_FILE);
fil = fopen(CONF_FILE, "r");
if (fil == NULL) {
- pam_syslog (pamh, LOG_WARNING,
- "cannot read settings from %s: %m", CONF_FILE);
- return PAM_SERVICE_ERR;
+ int err = errno;
+
+#ifdef VENDORDIR
+ /* if the specified file does not exist, and it is not provided by
+ the user, try the vendor file as fallback. */
+ if (pl->conf_file == NULL && err == ENOENT)
+ fil = fopen(VENDORDIR"/security/limits.conf", "r");
+
+ if (fil == NULL)
+#endif
+ {
+ pam_syslog (pamh, LOG_WARNING,
+ "cannot read settings from %s: %s", CONF_FILE,
+ strerror(err));
+ return PAM_SERVICE_ERR;
+ }
}
/* start the show */
--
2.31.1

1672
pam-git.diff Normal file



@ -1,12 +1,52 @@
Index: Linux-PAM-1.3.91/modules/pam_access/pam_access.c From d275f22cf28da287e93b5e5a1fdb8a68b2815982 Mon Sep 17 00:00:00 2001
=================================================================== From: Thorsten Kukuk <kukuk@suse.com>
--- Linux-PAM-1.3.91.orig/modules/pam_access/pam_access.c Date: Thu, 24 Feb 2022 10:37:32 +0100
+++ Linux-PAM-1.3.91/modules/pam_access/pam_access.c Subject: [PATCH] pam_access: handle hostnames in access.conf
@@ -699,10 +699,10 @@ string_match (pam_handle_t *pamh, const
return (NO); According to the manual page, the following entry is valid but does not
work:
-:root:ALL EXCEPT localhost
See https://bugzilla.suse.com/show_bug.cgi?id=1019866
Patched is based on PR#226 from Josef Moellers
---
modules/pam_access/pam_access.c | 95 ++++++++++++++++++++++++++-------
1 file changed, 76 insertions(+), 19 deletions(-)
diff --git a/modules/pam_access/pam_access.c b/modules/pam_access/pam_access.c
index 0d033aa20..3cec542be 100644
--- a/modules/pam_access/pam_access.c
+++ b/modules/pam_access/pam_access.c
@@ -640,7 +640,7 @@ remote_match (pam_handle_t *pamh, char *tok, struct login_info *item)
if ((str_len = strlen(string)) > tok_len
&& strcasecmp(tok, string + str_len - tok_len) == 0)
return YES;
- } else if (tok[tok_len - 1] == '.') {
+ } else if (tok[tok_len - 1] == '.') { /* internet network numbers (end with ".") */
struct addrinfo hint;
memset (&hint, '\0', sizeof (hint));
@@ -681,7 +681,7 @@ remote_match (pam_handle_t *pamh, char *tok, struct login_info *item)
return NO;
}
- /* Assume network/netmask with an IP of a host. */
+ /* Assume network/netmask, IP address or hostname. */
return network_netmask_match(pamh, tok, string, item);
} }
- @@ -699,7 +699,7 @@ string_match (pam_handle_t *pamh, const char *tok, const char *string,
/*
* If the token has the magic value "ALL" the match always succeeds.
* Otherwise, return YES if the token fully matches the string.
- * "NONE" token matches NULL string.
+ * "NONE" token matches NULL string.
*/
if (strcasecmp(tok, "ALL") == 0) { /* all: always matches */
@@ -717,7 +717,8 @@ string_match (pam_handle_t *pamh, const char *tok, const char *string,
/* network_netmask_match - match a string against one token /* network_netmask_match - match a string against one token
* where string is a hostname or ip (v4,v6) address and tok * where string is a hostname or ip (v4,v6) address and tok
- * represents either a single ip (v4,v6) address or a network/netmask - * represents either a single ip (v4,v6) address or a network/netmask
@ -15,13 +55,11 @@ Index: Linux-PAM-1.3.91/modules/pam_access/pam_access.c
*/ */
static int static int
network_netmask_match (pam_handle_t *pamh, network_netmask_match (pam_handle_t *pamh,
@@ -711,10 +711,14 @@ network_netmask_match (pam_handle_t *pam @@ -726,10 +727,12 @@ network_netmask_match (pam_handle_t *pamh,
char *netmask_ptr; char *netmask_ptr;
char netmask_string[MAXHOSTNAMELEN + 1]; char netmask_string[MAXHOSTNAMELEN + 1];
int addr_type; int addr_type;
+ struct addrinfo *ai; + struct addrinfo *ai = NULL;
+ struct sockaddr_storage tok_addr;
+ struct addrinfo hint;
if (item->debug) if (item->debug)
- pam_syslog (pamh, LOG_DEBUG, - pam_syslog (pamh, LOG_DEBUG,
@ -31,33 +69,17 @@ Index: Linux-PAM-1.3.91/modules/pam_access/pam_access.c
/* OK, check if tok is of type addr/mask */ /* OK, check if tok is of type addr/mask */
if ((netmask_ptr = strchr(tok, '/')) != NULL) if ((netmask_ptr = strchr(tok, '/')) != NULL)
{ {
@@ -724,7 +728,7 @@ network_netmask_match (pam_handle_t *pam @@ -763,54 +766,108 @@ network_netmask_match (pam_handle_t *pamh,
*netmask_ptr = 0;
netmask_ptr++;
- if (isipaddr(tok, &addr_type, NULL) == NO)
+ if (isipaddr(tok, &addr_type, &tok_addr) == NO)
{ /* no netaddr */
return NO;
}
@@ -748,19 +752,47 @@ network_netmask_match (pam_handle_t *pam
netmask_ptr = number_to_netmask(netmask, addr_type, netmask_ptr = number_to_netmask(netmask, addr_type,
netmask_string, MAXHOSTNAMELEN); netmask_string, MAXHOSTNAMELEN);
} }
- } - }
+ +
+ /* + /*
+ * Although isipaddr() has already converted the IP address, + * Construct an addrinfo list from the IP address.
+ * we call getaddrinfo here to properly construct an addrinfo list + * This should not fail as the input is a correct IP address...
+ */ + */
+ memset (&hint, '\0', sizeof (hint)); + if (getaddrinfo (tok, NULL, NULL, &ai) != 0)
+ hint.ai_flags = 0;
+ hint.ai_family = AF_UNSPEC;
+
+ ai = NULL; /* just to be on the safe side */
+
+ /* The following should not fail ... */
+ if (getaddrinfo (tok, NULL, &hint, &ai) != 0)
+ { + {
+ return NO; + return NO;
+ } + }
@ -70,15 +92,9 @@ Index: Linux-PAM-1.3.91/modules/pam_access/pam_access.c
+ * It is either an IP address or a hostname. + * It is either an IP address or a hostname.
+ * Let getaddrinfo sort everything out + * Let getaddrinfo sort everything out
+ */ + */
+ memset (&hint, '\0', sizeof (hint)); + if (getaddrinfo (tok, NULL, NULL, &ai) != 0)
+ hint.ai_flags = 0;
+ hint.ai_family = AF_UNSPEC;
+
+ ai = NULL; /* just to be on the safe side */
+
+ if (getaddrinfo (string, NULL, &hint, &ai) != 0)
{ {
+ pam_syslog(pamh, LOG_ERR, "cannot resolve hostname \"%s\"", string); + pam_syslog(pamh, LOG_ERR, "cannot resolve hostname \"%s\"", tok);
+ +
return NO; return NO;
} }
@ -87,13 +103,25 @@ Index: Linux-PAM-1.3.91/modules/pam_access/pam_access.c
if (isipaddr(string, NULL, NULL) != YES) if (isipaddr(string, NULL, NULL) != YES)
{ {
/* Assume network/netmask with a name of a host. */ - /* Assume network/netmask with a name of a host. */
- struct addrinfo hint; struct addrinfo hint;
-
+ /* Assume network/netmask with a name of a host. */
memset (&hint, '\0', sizeof (hint)); memset (&hint, '\0', sizeof (hint));
hint.ai_flags = AI_CANONNAME; hint.ai_flags = AI_CANONNAME;
hint.ai_family = AF_UNSPEC; hint.ai_family = AF_UNSPEC;
@@ -773,29 +805,54 @@ network_netmask_match (pam_handle_t *pam
if (item->gai_rv != 0)
+ {
+ freeaddrinfo(ai);
return NO;
+ }
else if (!item->res &&
(item->gai_rv = getaddrinfo (string, NULL, &hint, &item->res)) != 0)
+ {
+ freeaddrinfo(ai);
return NO;
+ }
else else
{ {
struct addrinfo *runp = item->res; struct addrinfo *runp = item->res;
@ -103,14 +131,18 @@ Index: Linux-PAM-1.3.91/modules/pam_access/pam_access.c
{ {
char buf[INET6_ADDRSTRLEN]; char buf[INET6_ADDRSTRLEN];
DIAG_PUSH_IGNORE_CAST_ALIGN; - DIAG_PUSH_IGNORE_CAST_ALIGN;
- inet_ntop (runp->ai_family, - inet_ntop (runp->ai_family,
- runp->ai_family == AF_INET - runp->ai_family == AF_INET
- ? (void *) &((struct sockaddr_in *) runp->ai_addr)->sin_addr - ? (void *) &((struct sockaddr_in *) runp->ai_addr)->sin_addr
- : (void *) &((struct sockaddr_in6 *) runp->ai_addr)->sin6_addr, - : (void *) &((struct sockaddr_in6 *) runp->ai_addr)->sin6_addr,
- buf, sizeof (buf)); - buf, sizeof (buf));
+ (void) getnameinfo (runp->ai_addr, runp->ai_addrlen, buf, sizeof (buf), NULL, 0, NI_NUMERICHOST); - DIAG_POP_IGNORE_CAST_ALIGN;
DIAG_POP_IGNORE_CAST_ALIGN; + if (getnameinfo (runp->ai_addr, runp->ai_addrlen, buf, sizeof (buf), NULL, 0, NI_NUMERICHOST) != 0)
+ {
+ freeaddrinfo(ai);
+ return NO;
+ }
- if (are_addresses_equal(buf, tok, netmask_ptr)) - if (are_addresses_equal(buf, tok, netmask_ptr))
+ for (runp1 = ai; runp1 != NULL; runp1 = runp1->ai_next) + for (runp1 = ai; runp1 != NULL; runp1 = runp1->ai_next)
@ -121,7 +153,11 @@ Index: Linux-PAM-1.3.91/modules/pam_access/pam_access.c
+ if (runp->ai_family != runp1->ai_family) + if (runp->ai_family != runp1->ai_family)
+ continue; + continue;
+ +
+ (void) getnameinfo (runp1->ai_addr, runp1->ai_addrlen, buf1, sizeof (buf1), NULL, 0, NI_NUMERICHOST); + if (getnameinfo (runp1->ai_addr, runp1->ai_addrlen, buf1, sizeof (buf1), NULL, 0, NI_NUMERICHOST) != 0)
+ {
+ freeaddrinfo(ai);
+ return NO;
+ }
+ +
+ if (are_addresses_equal (buf, buf1, netmask_ptr)) + if (are_addresses_equal (buf, buf1, netmask_ptr))
+ { + {
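Review bot: The `getaddrinfo (tok, NULL, NULL, &ai)` call that follows the "Construct an addrinfo list from the IP address" comment runs on a tok that isipaddr() has already accepted as numeric, yet the NULL hints leave ai_socktype at 0 and omit AI_NUMERICHOST, so the call relies on the implementation recognising the numeric form rather than guaranteeing no name lookup, and on glibc it returns one entry per socket type for the same address, which the later runp1 loop then compares repeatedly. Passing explicit hints, `struct addrinfo hint = { .ai_flags = AI_NUMERICHOST, .ai_family = AF_UNSPEC, .ai_socktype = SOCK_STREAM };` and `if (getaddrinfo (tok, NULL, &hint, &ai) != 0)`, keeps that branch free of resolver traffic during authentication and yields one entry per address; the hostname branch's call (the one that logs "cannot resolve hostname") should at least restrict ai_socktype the same way. The comment on the numeric branch says the call "should not fail", but its failure path returns NO silently while the hostname branch logs at LOG_ERR; a matching pam_syslog here would turn an unexplained denial into a visible resolver or configuration problem. Whether ai is released on the success path after the comparison loop cannot be checked here, since network_netmask_match continues past the end of this section.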


@ -1,3 +1,23 @@
-------------------------------------------------------------------
Fri Mar 11 11:25:35 UTC 2022 - Thorsten Kukuk <kukuk@suse.com>
- pam-hostnames-in-access_conf.patch: update with upstream
submission. Fixes several bugs including memory leaks.
-------------------------------------------------------------------
Wed Feb 9 14:05:01 UTC 2022 - Thorsten Kukuk <kukuk@suse.com>
- Move group.conf and faillock.conf to /usr/etc/security
-------------------------------------------------------------------
Mon Feb 7 09:46:16 UTC 2022 - Thorsten Kukuk <kukuk@suse.com>
- Update to current git for enhanced vendordir support (pam-git.diff)
Obsoletes:
- 0001-Include-pam_xauth_data.3.xml-in-source-archive-400.patch
- 0002-Only-include-vendordir-in-manual-page-if-set-401.patch
- 0003-Use-vendor-specific-limits.conf-as-fallback-402.patch
------------------------------------------------------------------- -------------------------------------------------------------------
Mon Dec 13 13:06:47 UTC 2021 - Thorsten Kukuk <kukuk@suse.com> Mon Dec 13 13:06:47 UTC 2021 - Thorsten Kukuk <kukuk@suse.com>


@ -69,9 +69,7 @@ Patch2: pam-hostnames-in-access_conf.patch
Patch3: pam-xauth_ownership.patch Patch3: pam-xauth_ownership.patch
Patch4: pam-bsc1177858-dont-free-environment-string.patch Patch4: pam-bsc1177858-dont-free-environment-string.patch
Patch10: pam_xauth_data.3.xml.patch Patch10: pam_xauth_data.3.xml.patch
Patch11: 0001-Include-pam_xauth_data.3.xml-in-source-archive-400.patch Patch11: pam-git.diff
Patch12: 0002-Only-include-vendordir-in-manual-page-if-set-401.patch
Patch13: 0003-Use-vendor-specific-limits.conf-as-fallback-402.patch
BuildRequires: audit-devel BuildRequires: audit-devel
BuildRequires: bison BuildRequires: bison
BuildRequires: flex BuildRequires: flex
@ -183,8 +181,6 @@ cp -a %{SOURCE12} .
%patch4 -p1 %patch4 -p1
%patch10 -p1 %patch10 -p1
%patch11 -p1 %patch11 -p1
%patch12 -p1
%patch13 -p1
%build %build
bash ./pam-login_defs-check.sh bash ./pam-login_defs-check.sh
@ -258,7 +254,7 @@ install -D -m 644 %{SOURCE2} %{buildroot}%{_rpmmacrodir}/macros.pam
install -Dm0644 %{SOURCE13} %{buildroot}%{_tmpfilesdir}/pam.conf install -Dm0644 %{SOURCE13} %{buildroot}%{_tmpfilesdir}/pam.conf
mkdir %{buildroot}%{_distconfdir}/security mkdir %{buildroot}%{_distconfdir}/security
mv %{buildroot}%{_sysconfdir}/security/limits.conf %{buildroot}%{_distconfdir}/security/limits.conf mv %{buildroot}%{_sysconfdir}/security/{limits.conf,faillock.conf,group.conf} %{buildroot}%{_distconfdir}/security/
# Remove manual pages for main package # Remove manual pages for main package
%if !%{build_doc} %if !%{build_doc}
@ -328,8 +324,8 @@ done
%endif %endif
%config(noreplace) %{_sysconfdir}/environment %config(noreplace) %{_sysconfdir}/environment
%config(noreplace) %{_pam_secconfdir}/access.conf %config(noreplace) %{_pam_secconfdir}/access.conf
%config(noreplace) %{_pam_secconfdir}/group.conf %{_distconfdir}/security/group.conf
%config(noreplace) %{_pam_secconfdir}/faillock.conf %{_distconfdir}/security/faillock.conf
%{_distconfdir}/security/limits.conf %{_distconfdir}/security/limits.conf
%config(noreplace) %{_pam_secconfdir}/pam_env.conf %config(noreplace) %{_pam_secconfdir}/pam_env.conf
%if %{enable_selinux} %if %{enable_selinux}