- Update to 1.5.0

- obsoletes pam-bsc1178727-initialize-daysleft.patch - Multiple minor bug fixes, portability fixes, and documentation improvements. - Extended libpam API with pam_modutil_check_user_in_passwd function. - pam_faillock: changed /run/faillock/$USER permissions from 0600 to 0660. - pam_motd: read motd files with target user credentials skipping unreadable ones. - pam_pwhistory: added a SELinux helper executable. - pam_unix, pam_usertype: implemented avoidance of certain timing attacks. - pam_wheel: implemented PAM_RUSER fallback for the case when getlogin fails. - pam_env: Reading of the user environment is deprecated and will be removed at some point in the future. - libpam: pam_modutil_drop_priv() now correctly sets the target user's supplementary groups, allowing pam_motd to filter messages accordingly - Refresh pam-xauth_ownership.patch - pam_tally2-removal.patch: Re-add pam_tally2 for deprecated sub-package - pam_cracklib-removal.patch: Re-add pam_cracklib for deprecated sub-package OBS-URL: https://build.opensuse.org/package/show/Linux-PAM/pam?expand=0&rev=228
2020-11-19 15:52:27 +00:00 · 2020-11-19 15:52:27 +00:00 · c4daf63ae5
commit c4daf63ae5
parent 6c61940629
11 changed files with 3115 additions and 138 deletions
--- a/Linux-PAM-1.4.0-docs.tar.xz
+++ b/Linux-PAM-1.4.0-docs.tar.xz
@ -1,3 +0,0 @@
-version https://git-lfs.github.com/spec/v1
-oid sha256:351764a0643052564a4b840320744c7e402112a2a57d2ac04511a6d22dc52e04
-size 477712
--- a/Linux-PAM-1.4.0.tar.xz
+++ b/Linux-PAM-1.4.0.tar.xz
@ -1,3 +0,0 @@
-version https://git-lfs.github.com/spec/v1
-oid sha256:cd6d928c51e64139be3bdb38692c68183a509b83d4f2c221024ccd4bcddfd034
-size 988908
--- a/Linux-PAM-1.5.0-docs.tar.xz
+++ b/Linux-PAM-1.5.0-docs.tar.xz
@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:75fefd2a601c76d5e289aa8c36234ec2ac398395f4a48caf5ef638c1131019a9
+size 441644
--- a/Linux-PAM-1.5.0.tar.xz
+++ b/Linux-PAM-1.5.0.tar.xz
@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:02d39854b508fae9dc713f7733bbcdadbe17b50de965aedddd65bcb6cc7852c8
+size 972228
--- a/pam-bsc1178727-initialize-daysleft.patch
+++ b/pam-bsc1178727-initialize-daysleft.patch
@ -1,13 +0,0 @@
-Index: Linux-PAM-1.4.0/modules/pam_unix/pam_unix_acct.c
-===================================================================
--- Linux-PAM-1.4.0.orig/modules/pam_unix/pam_unix_acct.c
-+++ Linux-PAM-1.4.0/modules/pam_unix/pam_unix_acct.c
-@@ -189,7 +189,7 @@ pam_sm_acct_mgmt(pam_handle_t *pamh, int
- 	unsigned long long ctrl;
- 	const void *void_uname;
- 	const char *uname;
-	int retval, daysleft;
-+	int retval, daysleft = -1;
- 	char buf[256];
- 
- 	D(("called."));
--- a/pam-pam_cracklib-add-usersubstr.patch
+++ b/pam-pam_cracklib-add-usersubstr.patch
@ -1,107 +1,3 @@
-Index: Linux-PAM-1.4.0/doc/sag/Linux-PAM_SAG.txt
-===================================================================
--- Linux-PAM-1.4.0.orig/doc/sag/Linux-PAM_SAG.txt
-+++ Linux-PAM-1.4.0/doc/sag/Linux-PAM_SAG.txt
-@@ -1003,6 +1003,14 @@ reject_username
-     Check whether the name of the user in straight or reversed form is
-     contained in the new password. If it is found the new password is rejected.
- 
-+usersubstr=N
-+
-+    Reject passwords which contain any substring of N or more consecutive
-+    characters of the user's name straight or in reverse order.
-+    N must be at least 4 for this to be applicable.
-+    Also, usernames shorter than N are not checked.
-+    If such a substring is found, the password is rejected.
-+
- gecoscheck
- 
-     Check whether the words from the GECOS field (usually full name of the
-Index: Linux-PAM-1.4.0/doc/sag/html/sag-pam_cracklib.html
-===================================================================
--- Linux-PAM-1.4.0.orig/doc/sag/html/sag-pam_cracklib.html
-+++ Linux-PAM-1.4.0/doc/sag/html/sag-pam_cracklib.html
-@@ -198,6 +198,15 @@
-               form is contained in the new password. If it is found the
-               new password is rejected.
-             </p></dd><dt><span class="term">
-+            <code class="option">usersubstr=<em class="replaceable"><code>N</code></em></code>
-+          </span></dt><dd><p>
-+             Reject passwords which contain any substring of N or more
-+             consecutive characters of the user's name straight or in
-+             reverse order.
-+             N must be at least 4 for this to be applicable.
-+             Also, usernames shorter than N are not checked.
-+             If such a substring is found, the password is rejected.
-+            </p></dd><dt><span class="term">
-             <code class="option">gecoscheck</code>
-           </span></dt><dd><p>
-               Check whether the words from the GECOS field (usually full name
-Index: Linux-PAM-1.4.0/modules/pam_cracklib/README
-===================================================================
--- Linux-PAM-1.4.0.orig/modules/pam_cracklib/README
-+++ Linux-PAM-1.4.0/modules/pam_cracklib/README
-@@ -179,6 +179,14 @@ reject_username
-     Check whether the name of the user in straight or reversed form is
-     contained in the new password. If it is found the new password is rejected.
- 
-+usersubstr=N
-+
-+    Reject passwords which contain any substring of N or more consecutive
-+    characters of the user's name straight or in reverse order.
-+    N must be at least 4 for this to be applicable.
-+    Also, usernames shorter than N are not checked.
-+    If such a substring is found, the password is rejected.
-+
- gecoscheck
- 
-     Check whether the words from the GECOS field (usually full name of the
-Index: Linux-PAM-1.4.0/modules/pam_cracklib/pam_cracklib.8
-===================================================================
--- Linux-PAM-1.4.0.orig/modules/pam_cracklib/pam_cracklib.8
-+++ Linux-PAM-1.4.0/modules/pam_cracklib/pam_cracklib.8
-@@ -232,6 +232,15 @@ Reject passwords which contain more than
- Check whether the name of the user in straight or reversed form is contained in the new password\&. If it is found the new password is rejected\&.
- .RE
- .PP
-+\fBusersubstr=\fR\fB\fIN\fR\fR
-+.RS 4
-+Reject passwords which contain any substring of N or more consecutive characters of the user\*(Aqs name straight or in
-+reverse order\&.
-+N must be at least 4 for this to be applicable\&.
-+Also, usernames shorter than N are not checked\&.
-+If such a substring is found, the password is rejected\&.
-+.RE
-+.PP
- \fBgecoscheck\fR
- .RS 4
- Check whether the words from the GECOS field (usually full name of the user) longer than 3 characters in straight or reversed form are contained in the new password\&. If any such word is found the new password is rejected\&.
-Index: Linux-PAM-1.4.0/modules/pam_cracklib/pam_cracklib.8.xml
-===================================================================
--- Linux-PAM-1.4.0.orig/modules/pam_cracklib/pam_cracklib.8.xml
-+++ Linux-PAM-1.4.0/modules/pam_cracklib/pam_cracklib.8.xml
-@@ -396,6 +396,21 @@
-           </listitem>
-         </varlistentry>
- 
-+       <varlistentry>
-+         <term>
-+           <option>usersubstr=<replaceable>N</replaceable></option>
-+         </term>
-+         <listitem>
-+           <para>
-+             Reject passwords which contain any substring of N or more
-+             consecutive characters of the user's name straight or in
-+             reverse order. N must be at least 4 for this to be applicable.
-+             Also, usernames shorter than N are not checked.
-+             If such a substring is found, the password is rejected.
-+           </para>
-+          </listitem>
-+       </varlistentry>
-+
-         <varlistentry>
-           <term>
-             <option>gecoscheck</option>
 Index: Linux-PAM-1.4.0/modules/pam_cracklib/pam_cracklib.c
 ===================================================================
 --- Linux-PAM-1.4.0.orig/modules/pam_cracklib/pam_cracklib.c
--- a/pam-xauth_ownership.patch
+++ b/pam-xauth_ownership.patch
@ -1,8 +1,7 @@
-Index: Linux-PAM-1.4.0/modules/pam_xauth/pam_xauth.c
-===================================================================
--- Linux-PAM-1.4.0.orig/modules/pam_xauth/pam_xauth.c
-+++ Linux-PAM-1.4.0/modules/pam_xauth/pam_xauth.c
-@@ -355,11 +355,13 @@ pam_sm_open_session (pam_handle_t *pamh,
+diff -urN Linux-PAM-1.5.0/modules/pam_xauth/pam_xauth.c Linux-PAM-1.5.0.xauth/modules/pam_xauth/pam_xauth.c
+--- Linux-PAM-1.5.0/modules/pam_xauth/pam_xauth.c	2020-11-10 16:46:13.000000000 +0100
+++ Linux-PAM-1.5.0.xauth/modules/pam_xauth/pam_xauth.c	2020-11-19 11:50:54.176925556 +0100
+@@ -355,11 +355,13 @@
 	char *cookiefile = NULL, *xauthority = NULL,
 	     *cookie = NULL, *display = NULL, *tmp = NULL,
 	     *xauthlocalhostname = NULL;
@ -18,7 +17,7 @@ Index: Linux-PAM-1.4.0/modules/pam_xauth/pam_xauth.c
 
 	/* Parse arguments.  We don't understand many, so no sense in breaking
 	 * this into a separate function. */
-@@ -429,7 +431,16 @@ pam_sm_open_session (pam_handle_t *pamh,
+@@ -429,7 +431,16 @@
 		retval = PAM_SESSION_ERR;
 		goto cleanup;
 	}
@ -36,7 +35,7 @@ Index: Linux-PAM-1.4.0/modules/pam_xauth/pam_xauth.c
 	if (rpwd == NULL) {
 		pam_syslog(pamh, LOG_ERR,
 			   "error determining invoking user's name");
-@@ -518,18 +529,26 @@ pam_sm_open_session (pam_handle_t *pamh,
+@@ -518,18 +529,26 @@
 			   cookiefile);
 	}
 
@ -67,8 +66,8 @@ Index: Linux-PAM-1.4.0/modules/pam_xauth/pam_xauth.c
 +			  xauth, "-i", "-f", cookiefile, "nlist", display,
 			  NULL) == 0) {
 #ifdef WITH_SELINUX
- 		security_context_t context = NULL;
-@@ -583,12 +602,12 @@ pam_sm_open_session (pam_handle_t *pamh,
+ 		char *context_raw = NULL;
+@@ -583,12 +602,12 @@
 						       cookiefile,
 						       "nlist",
 						       t,
@ -85,7 +84,7 @@ Index: Linux-PAM-1.4.0/modules/pam_xauth/pam_xauth.c
 						      "nlist", t, NULL);
 				}
 				free(t);
-@@ -673,13 +692,17 @@ pam_sm_open_session (pam_handle_t *pamh,
+@@ -673,13 +692,17 @@
 			goto cleanup;
 		}
 
--- a/pam.changes
+++ b/pam.changes
@ -1,3 +1,23 @@
+-------------------------------------------------------------------
+Thu Nov 19 15:43:33 UTC 2020 - Thorsten Kukuk <kukuk@suse.com>
+
+- Update to 1.5.0
+  - obsoletes pam-bsc1178727-initialize-daysleft.patch
+  - Multiple minor bug fixes, portability fixes, and documentation improvements.
+  - Extended libpam API with pam_modutil_check_user_in_passwd function.
+  - pam_faillock: changed /run/faillock/$USER permissions from 0600 to 0660.
+  - pam_motd: read motd files with target user credentials skipping unreadable ones.
+  - pam_pwhistory: added a SELinux helper executable.
+  - pam_unix, pam_usertype: implemented avoidance of certain timing attacks.
+  - pam_wheel: implemented PAM_RUSER fallback for the case when getlogin fails.
+  - pam_env: Reading of the user environment is deprecated and will be removed
+             at some point in the future.
+  - libpam: pam_modutil_drop_priv() now correctly sets the target user's
+    supplementary groups, allowing pam_motd to filter messages accordingly
+- Refresh pam-xauth_ownership.patch
+- pam_tally2-removal.patch: Re-add pam_tally2 for deprecated sub-package
+- pam_cracklib-removal.patch: Re-add pam_cracklib for deprecated sub-package
+
 -------------------------------------------------------------------
 Wed Nov 18 13:02:15 UTC 2020 - Josef Möllers <josef.moellers@suse.com>

--- a/pam.spec
+++ b/pam.spec
@ -27,7 +27,7 @@
 %endif
 Name:           pam
 #
-Version:        1.4.0
+Version:        1.5.0
 Release:        0
 Summary:        A Security Tool that Provides Authentication for Applications
 License:        GPL-2.0-or-later OR BSD-3-Clause
@ -48,7 +48,8 @@ Source12:       pam-login_defs-check.sh
 Patch2:         pam-limit-nproc.patch
 Patch4:         pam-hostnames-in-access_conf.patch
 Patch5:         pam-xauth_ownership.patch
-Patch6:         pam-bsc1178727-initialize-daysleft.patch
+Patch6:         pam_cracklib-removal.patch
+Patch7:         pam_tally2-removal.patch
 Patch8:         pam-bsc1177858-dont-free-environment-string.patch
 Patch9:         pam-pam_cracklib-add-usersubstr.patch
 BuildRequires:  audit-devel
@ -144,7 +145,8 @@ cp -a %{SOURCE12} .
 %patch2 -p1
 %patch4 -p1
 %patch5 -p1
-%patch6 -p1
+%patch6 -R -p1
+%patch7 -R -p1
 %patch8 -p1
 %patch9 -p1

@ -316,6 +318,7 @@ done
 %{_mandir}/man8/pam_sepermit.8%{?ext_man}
 %{_mandir}/man8/pam_setquota.8%{?ext_man}
 %{_mandir}/man8/pam_shells.8%{?ext_man}
+%{_mandir}/man8/pam_stress.8%{?ext_man}
 %{_mandir}/man8/pam_succeed_if.8%{?ext_man}
 %{_mandir}/man8/pam_time.8%{?ext_man}
 %{_mandir}/man8/pam_timestamp.8%{?ext_man}
@ -327,6 +330,7 @@ done
 %{_mandir}/man8/pam_warn.8%{?ext_man}
 %{_mandir}/man8/pam_wheel.8%{?ext_man}
 %{_mandir}/man8/pam_xauth.8%{?ext_man}
+%{_mandir}/man8/pwhistory_helper.8%{?ext_man}
 %{_mandir}/man8/unix2_chkpwd.8%{?ext_man}
 %{_mandir}/man8/unix_chkpwd.8%{?ext_man}
 %{_mandir}/man8/unix_update.8%{?ext_man}
@ -392,6 +396,7 @@ done
 /sbin/mkhomedir_helper
 /sbin/pam_namespace_helper
 /sbin/pam_timestamp_check
+/sbin/pwhistory_helper
 %verify(not mode) %attr(4755,root,shadow) /sbin/unix_chkpwd
 %verify(not mode) %attr(4755,root,shadow) /sbin/unix2_chkpwd
 %attr(0700,root,root) /sbin/unix_update
@ -407,8 +412,6 @@ done
 /%{_lib}/security/pam_cracklib.so
 /%{_lib}/security/pam_tally2.so
 /sbin/pam_tally2
-%{_mandir}/man8/pam_cracklib.8%{?ext_man}
-%{_mandir}/man8/pam_tally2.8%{?ext_man}

 %files doc
 %defattr(644,root,root,755)
--- a/pam_cracklib-removal.patch
+++ b/pam_cracklib-removal.patch
--- a/pam_tally2-removal.patch
+++ b/pam_tally2-removal.patch