Accepting request 849468 from Linux-PAM

- Update to 1.5.0
  - obsoletes pam-bsc1178727-initialize-daysleft.patch
  - Multiple minor bug fixes, portability fixes, and documentation improvements.
  - Extended libpam API with pam_modutil_check_user_in_passwd function.
  - pam_faillock: changed /run/faillock/$USER permissions from 0600 to 0660.
  - pam_motd: read motd files with target user credentials skipping unreadable ones.
  - pam_pwhistory: added a SELinux helper executable.
  - pam_unix, pam_usertype: implemented avoidance of certain timing attacks.
  - pam_wheel: implemented PAM_RUSER fallback for the case when getlogin fails.
  - pam_env: Reading of the user environment is deprecated and will be removed
             at some point in the future.
  - libpam: pam_modutil_drop_priv() now correctly sets the target user's
    supplementary groups, allowing pam_motd to filter messages accordingly
- Refresh pam-xauth_ownership.patch
- pam_tally2-removal.patch: Re-add pam_tally2 for deprecated sub-package
- pam_cracklib-removal.patch: Re-add pam_cracklib for deprecated sub-package

- pam_cracklib: added code to check whether the password contains
  a substring of of the user's name of at least <N> characters length
  in some form.
  This is enabled by the new parameter "usersubstr=<N>"
  See bfef79dbe6
  [jsc#SLE-16719, jsc#SLE-16720, pam-pam_cracklib-add-usersubstr.patch]

- pam_xauth.c: do not free() a string which has been (successfully)
  passed to putenv().
  [bsc#1177858, pam-bsc1177858-dont-free-environment-string.patch]

- Initialize pam_unix pam_sm_acct_mgmt() local variable "daysleft"
  to avoid spurious (and misleading)

OBS-URL: https://build.opensuse.org/request/show/849468
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/pam?expand=0&rev=107

Linux-PAM-1.4.0-docs.tar.xz

@@ -1,3 +0,0 @@
-version https://git-lfs.github.com/spec/v1
-oid sha256:351764a0643052564a4b840320744c7e402112a2a57d2ac04511a6d22dc52e04
-size 477712

Linux-PAM-1.4.0.tar.xz

@@ -1,3 +0,0 @@
-version https://git-lfs.github.com/spec/v1
-oid sha256:cd6d928c51e64139be3bdb38692c68183a509b83d4f2c221024ccd4bcddfd034
-size 988908

Linux-PAM-1.5.0-docs.tar.xz

@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:75fefd2a601c76d5e289aa8c36234ec2ac398395f4a48caf5ef638c1131019a9
+size 441644

Linux-PAM-1.5.0.tar.xz

@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:02d39854b508fae9dc713f7733bbcdadbe17b50de965aedddd65bcb6cc7852c8
+size 972228

pam-bsc1177858-dont-free-environment-string.patch

@@ -0,0 +1,26 @@
+Index: Linux-PAM-1.4.0/modules/pam_xauth/pam_xauth.c
+===================================================================
+--- Linux-PAM-1.4.0.orig/modules/pam_xauth/pam_xauth.c
++++ Linux-PAM-1.4.0/modules/pam_xauth/pam_xauth.c
+@@ -701,8 +701,9 @@ pam_sm_open_session (pam_handle_t *pamh,
+ 			pam_syslog(pamh, LOG_ERR,
+ 				   "can't set environment variable '%s'",
+ 				   xauthority);
+-		putenv (xauthority); /* The environment owns this string now. */
+-		/* Don't free environment variables nor set them to NULL. */
++		if (putenv (xauthority) == 0) /* The environment owns this string now. */
++		    xauthority = NULL;
++		/* Don't free environment variables. */
+ 
+ 		/* set $DISPLAY in pam handle to make su - work */
+ 		{
+@@ -765,7 +766,8 @@ cleanup:
+ 		unsetenv (XAUTHENV);
+ 	free(cookiefile);
+ 	free(cookie);
+-	free(xauthority);
++	if (xauthority != NULL)	/* If it hasn't been successfully passed to putenv() ... */
++	    free(xauthority);
+ 	return retval;
+ }
+ 

pam-login_defs-check.sh

@@ -9,10 +9,10 @@ set -o errexit
 
 echo -n "Checking login.defs variables in pam... " >&2
 grep -rh LOGIN_DEFS . |
-	sed -n 's/^.*search_key *("\([A-Z0-9_]*\)", *LOGIN_DEFS).*$/\1/p' |
+	sed -n 's/^.*search_key *([A-Za-z_]*, *[A-Z_]*LOGIN_DEFS, *"\([A-Z0-9_]*\)").*$/\1/p' |
 	LC_ALL=C sort -u >pam-login_defs-vars.lst
 
-if test $(sha1sum pam-login_defs-vars.lst | sed 's/ .*$//') != da39a3ee5e6b4b0d3255bfef95601890afd80709 ; then
+if test $(sha1sum pam-login_defs-vars.lst | sed 's/ .*$//') != 3c6e0020c31609690b69ef391654df930b74151d ; then
 
 	echo "does not match!" >&2
 	echo "Checksum is: $(sha1sum pam-login_defs-vars.lst | sed 's/ .*$//')" >&2

pam-pam_cracklib-add-usersubstr.patch

@@ -0,0 +1,81 @@
+Index: Linux-PAM-1.4.0/modules/pam_cracklib/pam_cracklib.c
+===================================================================
+--- Linux-PAM-1.4.0.orig/modules/pam_cracklib/pam_cracklib.c
++++ Linux-PAM-1.4.0/modules/pam_cracklib/pam_cracklib.c
+@@ -88,6 +88,7 @@ struct cracklib_options {
+ 	int reject_user;
+         int gecos_check;
+         int enforce_for_root;
++	int user_substr;
+         const char *cracklib_dictpath;
+ };
+ 
+@@ -185,6 +186,10 @@ _pam_parse (pam_handle_t *pamh, struct c
+ 	     if (!*(opt->cracklib_dictpath)) {
+ 		 opt->cracklib_dictpath = CRACKLIB_DICTS;
+ 	     }
++	 } else if ((str = pam_str_skip_prefix(*argv, "usersubstr=")) != NULL) {
++	     opt->user_substr = strtol(str, &ep, 10);
++	     if (ep == str)
++	         opt->user_substr = 0;
+ 	 } else {
+ 	     pam_syslog(pamh,LOG_ERR,"pam_parse: unknown option; %s",*argv);
+ 	 }
+@@ -525,13 +530,54 @@ static int wordcheck(const char *new, ch
+     return 0;
+ }
+ 
++/*
++ * RETURNS: True if the password is unacceptable, else false
++ */
++static int usersubstr(int len, const char *new, char *user)
++{
++    int i, userlen;
++    int bad = 0;       // Assume it's OK unless proven otherwise
++    char *subuser = calloc(len+1, sizeof(char));
++
++    if (subuser == NULL) {
++       return 1;
++    }
++
++    userlen = strlen(user);
++
++    if (len >= CO_MIN_WORD_LENGTH &&
++	   userlen > len) {
++       for(i = 0; !bad && (i <= userlen - len); i++) {
++	   strncpy(subuser, user+i, len+1);
++	   subuser[len] = '\0';
++	   bad = wordcheck(new, subuser);
++       }
++    } else {
++       // if we already tested substrings, there's no need to test
++       // the whole username; all substrings would've been found :)
++       if (!bad)
++	   bad = wordcheck(new, user);
++    }
++
++    free(subuser);
++
++    return bad;
++}
++
++/*
++ * RETURNS: True if the password is unacceptable, else false
++ */
+ static int usercheck(struct cracklib_options *opt, const char *new,
+ 		     char *user)
+ {
+-    if (!opt->reject_user)
+-        return 0;
++    int bad = 0;
++
++    if (opt->reject_user)
++	bad = wordcheck(new, user);
++    if (!bad && opt->user_substr != 0)
++	bad = usersubstr(opt->user_substr, new, user);
+ 
+-    return wordcheck(new, user);
++    return bad;
+ }
+ 
+ static char * str_lower(char *string)

pam-xauth_ownership.patch

@@ -0,0 +1,105 @@
+diff -urN Linux-PAM-1.5.0/modules/pam_xauth/pam_xauth.c Linux-PAM-1.5.0.xauth/modules/pam_xauth/pam_xauth.c
+--- Linux-PAM-1.5.0/modules/pam_xauth/pam_xauth.c	2020-11-10 16:46:13.000000000 +0100
++++ Linux-PAM-1.5.0.xauth/modules/pam_xauth/pam_xauth.c	2020-11-19 11:50:54.176925556 +0100
+@@ -355,11 +355,13 @@
+ 	char *cookiefile = NULL, *xauthority = NULL,
+ 	     *cookie = NULL, *display = NULL, *tmp = NULL,
+ 	     *xauthlocalhostname = NULL;
+-	const char *user, *xauth = NULL;
++	const char *user, *xauth = NULL, *login_name;
+ 	struct passwd *tpwd, *rpwd;
+ 	int fd, i, debug = 0;
+ 	int retval = PAM_SUCCESS;
+-	uid_t systemuser = 499, targetuser = 0;
++	uid_t systemuser = 499, targetuser = 0, uid;
++	gid_t gid;
++	struct stat st;
+ 
+ 	/* Parse arguments.  We don't understand many, so no sense in breaking
+ 	 * this into a separate function. */
+@@ -429,7 +431,16 @@
+ 		retval = PAM_SESSION_ERR;
+ 		goto cleanup;
+ 	}
+-	rpwd = pam_modutil_getpwuid(pamh, getuid());
++
++	login_name = pam_modutil_getlogin(pamh);
++	if (login_name == NULL) {
++		login_name = "";
++	}
++	if (*login_name)
++		rpwd = pam_modutil_getpwnam(pamh, login_name);
++	else
++		rpwd = pam_modutil_getpwuid(pamh, getuid());
++
+ 	if (rpwd == NULL) {
+ 		pam_syslog(pamh, LOG_ERR,
+ 			   "error determining invoking user's name");
+@@ -518,18 +529,26 @@
+ 			   cookiefile);
+ 	}
+ 
++	/* Get owner and group of the cookiefile */
++	uid = getuid();
++	gid = getgid();
++	if (stat(cookiefile, &st) == 0) {
++		uid = st.st_uid;
++		gid = st.st_gid;
++	}
++
+ 	/* Read the user's .Xauthority file.  Because the current UID is
+ 	 * the original user's UID, this will only fail if something has
+ 	 * gone wrong, or we have no cookies. */
+ 	if (debug) {
+ 		pam_syslog(pamh, LOG_DEBUG,
+-			   "running \"%s %s %s %s %s\" as %lu/%lu",
+-			   xauth, "-f", cookiefile, "nlist", display,
+-			   (unsigned long) getuid(), (unsigned long) getgid());
++			   "running \"%s %s %s %s %s %s\" as %lu/%lu",
++			   xauth, "-i", "-f", cookiefile, "nlist", display,
++			   (unsigned long) uid, (unsigned long) gid);
+ 	}
+ 	if (run_coprocess(pamh, NULL, &cookie,
+-			  getuid(), getgid(),
+-			  xauth, "-f", cookiefile, "nlist", display,
++			  uid, gid,
++			  xauth, "-i", "-f", cookiefile, "nlist", display,
+ 			  NULL) == 0) {
+ #ifdef WITH_SELINUX
+ 		char *context_raw = NULL;
+@@ -583,12 +602,12 @@
+ 						       cookiefile,
+ 						       "nlist",
+ 						       t,
+-						       (unsigned long) getuid(),
+-						       (unsigned long) getgid());
++						       (unsigned long) uid,
++						       (unsigned long) gid);
+ 					}
+ 					run_coprocess(pamh, NULL, &cookie,
+-						      getuid(), getgid(),
+-						      xauth, "-f", cookiefile,
++						      uid, gid,
++						      xauth, "-i", "-f", cookiefile,
+ 						      "nlist", t, NULL);
+ 				}
+ 				free(t);
+@@ -673,13 +692,17 @@
+ 			goto cleanup;
+ 		}
+ 
++		if (debug) {
++			pam_syslog(pamh, LOG_DEBUG, "set environment variable '%s'",
++				   xauthority);
++		}
+ 		/* Set the new variable in the environment. */
+ 		if (pam_putenv (pamh, xauthority) != PAM_SUCCESS)
+ 			pam_syslog(pamh, LOG_ERR,
+ 				   "can't set environment variable '%s'",
+ 				   xauthority);
+ 		putenv (xauthority); /* The environment owns this string now. */
+-		xauthority = NULL; /* Don't free environment variables. */
++		/* Don't free environment variables nor set them to NULL. */
+ 
+ 		/* set $DISPLAY in pam handle to make su - work */
+ 		{

pam.changes

@@ -1,3 +1,82 @@
+-------------------------------------------------------------------
+Thu Nov 19 15:43:33 UTC 2020 - Thorsten Kukuk <kukuk@suse.com>
+
+- Update to 1.5.0
+  - obsoletes pam-bsc1178727-initialize-daysleft.patch
+  - Multiple minor bug fixes, portability fixes, and documentation improvements.
+  - Extended libpam API with pam_modutil_check_user_in_passwd function.
+  - pam_faillock: changed /run/faillock/$USER permissions from 0600 to 0660.
+  - pam_motd: read motd files with target user credentials skipping unreadable ones.
+  - pam_pwhistory: added a SELinux helper executable.
+  - pam_unix, pam_usertype: implemented avoidance of certain timing attacks.
+  - pam_wheel: implemented PAM_RUSER fallback for the case when getlogin fails.
+  - pam_env: Reading of the user environment is deprecated and will be removed
+             at some point in the future.
+  - libpam: pam_modutil_drop_priv() now correctly sets the target user's
+    supplementary groups, allowing pam_motd to filter messages accordingly
+- Refresh pam-xauth_ownership.patch
+- pam_tally2-removal.patch: Re-add pam_tally2 for deprecated sub-package
+- pam_cracklib-removal.patch: Re-add pam_cracklib for deprecated sub-package
+
+-------------------------------------------------------------------
+Wed Nov 18 13:02:15 UTC 2020 - Josef Möllers <josef.moellers@suse.com>
+
+- pam_cracklib: added code to check whether the password contains
+  a substring of of the user's name of at least <N> characters length
+  in some form.
+  This is enabled by the new parameter "usersubstr=<N>"
+  See https://github.com/libpwquality/libpwquality/commit/bfef79dbe6aa525e9557bf4b0a61e6dde12749c4
+  [jsc#SLE-16719, jsc#SLE-16720, pam-pam_cracklib-add-usersubstr.patch]
+
+-------------------------------------------------------------------
+Wed Nov 18 10:02:32 UTC 2020 - Josef Möllers <josef.moellers@suse.com>
+
+- pam_xauth.c: do not free() a string which has been (successfully)
+  passed to putenv().
+  [bsc#1177858, pam-bsc1177858-dont-free-environment-string.patch]
+
+-------------------------------------------------------------------
+Fri Nov 13 09:13:18 UTC 2020 - Josef Möllers <josef.moellers@suse.com>
+
+- Initialize pam_unix pam_sm_acct_mgmt() local variable "daysleft"
+  to avoid spurious (and misleading)
+      Warning: your password will expire in ... days.
+  fixed upstream with commit db6b293046a
+  [bsc#1178727, pam-bsc1178727-initialize-daysleft.patch]
+
+-------------------------------------------------------------------
+Tue Nov 10 11:09:39 UTC 2020 - Thorsten Kukuk <kukuk@suse.com>
+
+- Enable pam_faillock [bnc#1171562]
+
+-------------------------------------------------------------------
+Wed Oct  8 13:31:39 UTC 2020 - Josef Möllers <josef.moellers@suse.com>
+
+- /usr/bin/xauth chokes on the old user's $HOME being on an NFS
+  file system. Run /usr/bin/xauth using the old user's uid/gid
+  Patch courtesy of Dr. Werner Fink.
+  [bsc#1174593, pam-xauth_ownership.patch]
+
+-------------------------------------------------------------------
+Thu Oct  8 02:33:16 UTC 2020 - Stanislav Brabec <sbrabec@suse.com>
+
+- pam-login_defs-check.sh: Fix the regexp to get a real variable
+  list (boo#1164274).
+
+-------------------------------------------------------------------
+Wed Jun 24 13:06:33 UTC 2020 - Josef Möllers <josef.moellers@suse.com>
+
+- Revert the previous change [SR#815713].
+  The group is not necessary for PAM functionality but used only
+  during testing. The test system should therefore create this group.
+  [bsc#1171016, pam.spec]
+
+-------------------------------------------------------------------
+Mon Jun 15 15:05:18 UTC 2020 - Josef Möllers <josef.moellers@suse.com>
+
+- Add requirement for group "wheel" to spec file.
+  [bsc#1171016, pam.spec]
+
 -------------------------------------------------------------------
 Mon Jun  8 13:19:12 UTC 2020 - Thorsten Kukuk <kukuk@suse.com>
 

pam.spec

@@ -27,7 +27,7 @@
 %endif
 Name:           pam
 #
-Version:        1.4.0
+Version:        1.5.0
 Release:        0
 Summary:        A Security Tool that Provides Authentication for Applications
 License:        GPL-2.0-or-later OR BSD-3-Clause
@@ -47,6 +47,11 @@ Source11:       unix2_chkpwd.8
 Source12:       pam-login_defs-check.sh
 Patch2:         pam-limit-nproc.patch
 Patch4:         pam-hostnames-in-access_conf.patch
+Patch5:         pam-xauth_ownership.patch
+Patch6:         pam_cracklib-removal.patch
+Patch7:         pam_tally2-removal.patch
+Patch8:         pam-bsc1177858-dont-free-environment-string.patch
+Patch9:         pam-pam_cracklib-add-usersubstr.patch
 BuildRequires:  audit-devel
 BuildRequires:  bison
 BuildRequires:  cracklib-devel
@@ -139,6 +144,11 @@ removed with one of the next releases.
 cp -a %{SOURCE12} .
 %patch2 -p1
 %patch4 -p1
+%patch5 -p1
+%patch6 -R -p1
+%patch7 -R -p1
+%patch8 -p1
+%patch9 -p1
 
 %build
 bash ./pam-login_defs-check.sh
@@ -210,8 +220,6 @@ for i in pam_*/README; do
 	cp -fpv "$i" "$DOC/modules/README.${i%/*}"
 done
 popd
-# XXX Remove until whitelisted
-rm %{buildroot}/%{_lib}/security/pam_faillock.so
 # Install unix2_chkpwd
 install -m 755 %{_builddir}/unix2_chkpwd %{buildroot}/sbin/
 install -m 644 %{_sourcedir}/unix2_chkpwd.8 %{buildroot}/%{_mandir}/man8/
@@ -310,6 +318,7 @@ done
 %{_mandir}/man8/pam_sepermit.8%{?ext_man}
 %{_mandir}/man8/pam_setquota.8%{?ext_man}
 %{_mandir}/man8/pam_shells.8%{?ext_man}
+%{_mandir}/man8/pam_stress.8%{?ext_man}
 %{_mandir}/man8/pam_succeed_if.8%{?ext_man}
 %{_mandir}/man8/pam_time.8%{?ext_man}
 %{_mandir}/man8/pam_timestamp.8%{?ext_man}
@@ -321,6 +330,7 @@ done
 %{_mandir}/man8/pam_warn.8%{?ext_man}
 %{_mandir}/man8/pam_wheel.8%{?ext_man}
 %{_mandir}/man8/pam_xauth.8%{?ext_man}
+%{_mandir}/man8/pwhistory_helper.8%{?ext_man}
 %{_mandir}/man8/unix2_chkpwd.8%{?ext_man}
 %{_mandir}/man8/unix_chkpwd.8%{?ext_man}
 %{_mandir}/man8/unix_update.8%{?ext_man}
@@ -338,7 +348,7 @@ done
 /%{_lib}/security/pam_env.so
 /%{_lib}/security/pam_exec.so
 /%{_lib}/security/pam_faildelay.so
-#/%{_lib}/security/pam_faillock.so
+/%{_lib}/security/pam_faillock.so
 /%{_lib}/security/pam_filter.so
 %dir /%{_lib}/security/pam_filter
 /%{_lib}/security//pam_filter/upperLOWER
@@ -386,6 +396,7 @@ done
 /sbin/mkhomedir_helper
 /sbin/pam_namespace_helper
 /sbin/pam_timestamp_check
+/sbin/pwhistory_helper
 %verify(not mode) %attr(4755,root,shadow) /sbin/unix_chkpwd
 %verify(not mode) %attr(4755,root,shadow) /sbin/unix2_chkpwd
 %attr(0700,root,root) /sbin/unix_update
@@ -401,8 +412,6 @@ done
 /%{_lib}/security/pam_cracklib.so
 /%{_lib}/security/pam_tally2.so
 /sbin/pam_tally2
-%{_mandir}/man8/pam_cracklib.8%{?ext_man}
-%{_mandir}/man8/pam_tally2.8%{?ext_man}
 
 %files doc
 %defattr(644,root,root,755)