diff --git a/pam.changes b/pam.changes
index d8bcdc5..37d3691 100644
--- a/pam.changes
+++ b/pam.changes
@@ -1,3 +1,11 @@
+-------------------------------------------------------------------
+Thu Aug 12 14:42:54 UTC 2021 - Thorsten Kukuk
+
+- pam_umask-usergroups-login_defs.patch: Deprecate pam_umask
+ explicit "usergroups" option and instead read it from login.def's
+ "USERGROUP_ENAB" option if umask is only defined there.
+ [bsc#1189139]
+
 -------------------------------------------------------------------
 Tue Aug 3 09:26:00 UTC 2021 - pgajdos@suse.com
diff --git a/pam.spec b/pam.spec
index 3f7be43..67dd4c8 100644
--- a/pam.spec
+++ b/pam.spec
@@ -59,6 +59,7 @@ Patch8: pam-bsc1177858-dont-free-environment-string.patch
 Patch9: pam-pam_cracklib-add-usersubstr.patch
 Patch10: pam-bsc1181443-make-nofile-unlimited-mean-nr_open.patch
 Patch11: bsc1184358-prevent-LOCAL-from-being-resolved.patch
+Patch12: pam_umask-usergroups-login_defs.patch
 # https://github.com/linux-pam/linux-pam/commit/e842a5fc075002f46672ebcd8e896624f1ec8068
 Patch100: pam_securetty-don-t-complain-about-missing-config.patch
 Patch101: revert-check_shadow_expiry.diff
@@ -172,6 +173,7 @@ cp -a %{SOURCE12} .
 %patch9 -p1
 %patch10 -p1
 %patch11 -p1
+%patch12 -p1
 %patch100 -p1
 %patch101 -p1
diff --git a/pam_umask-usergroups-login_defs.patch b/pam_umask-usergroups-login_defs.patch
new file mode 100644
index 0000000..cb3b2c2
--- /dev/null
+++ b/pam_umask-usergroups-login_defs.patch
@@ -0,0 +1,123 @@
+Description:
+Deprecate pam_umask explicit "usergroups" option and instead read it from /etc/login.def's
+"USERGROUP_ENAB" option if umask is only defined there.
+Original Author: Martin Pitt
+Bug-Debian: http://bugs.debian.org/583958
+
+diff -urN Linux-PAM-1.5.1.pre/modules/pam_umask/pam_umask.8.xml Linux-PAM-1.5.1/modules/pam_umask/pam_umask.8.xml
+--- Linux-PAM-1.5.1.pre/modules/pam_umask/pam_umask.8.xml 2020-11-25 17:57:02.000000000 +0100
++++ Linux-PAM-1.5.1/modules/pam_umask/pam_umask.8.xml 2021-08-12 16:02:56.108249895 +0200
+@@ -61,12 +61,13 @@
+
+
+
+- UMASK entry from /etc/login.defs
++ UMASK entry from /etc/login.defs
++ (influenced by USERGROUPS_ENAB)
+
+
+
+
+- UMASK= entry from /etc/default/login
++ UMASK= entry from /etc/default/login
+
+
+
+@@ -118,6 +119,11 @@
+ If the user is not root and the username is the same as
+ primary group name, the umask group bits are set to be the
+ same as owner bits (examples: 022 -> 002, 077 -> 007).
++ Note that using this option explicitly is discouraged. pam_umask
++ enables this functionality by default if
++ /etc/login.defs enables
++ USERGROUPS_ENAB, and the umask is not set explicitly in other
++ places than /etc/login.defs.
+
+
+
+diff -urN Linux-PAM-1.5.1.pre/modules/pam_umask/pam_umask.c Linux-PAM-1.5.1/modules/pam_umask/pam_umask.c
+--- Linux-PAM-1.5.1.pre/modules/pam_umask/pam_umask.c 2020-11-25 17:57:02.000000000 +0100
++++ Linux-PAM-1.5.1/modules/pam_umask/pam_umask.c 2021-08-12 16:14:40.505589328 +0200
+@@ -103,7 +103,23 @@
+ parse_option (pamh, *argv, options);
+
+ if (options->umask == NULL)
+- options->umask = pam_modutil_search_key (pamh, LOGIN_DEFS, "UMASK");
++ {
++ options->umask = pam_modutil_search_key (pamh, LOGIN_DEFS, "UMASK");
++ /* login.defs' USERGROUPS_ENAB will modify the UMASK setting there by way
++ * of usergroups; but we don't want it to influence umask definitions
++ * from other places (like GECOS).
++ */
++ if (options->umask != NULL)
++ {
++ char *result = pam_modutil_search_key (pamh, LOGIN_DEFS,
++ "USERGROUPS_ENAB");
++ if (result != NULL)
++ {
++ options->usergroups = (strcasecmp (result, "yes") == 0);
++ free (result);
++ }
++ }
++ }
+ if (options->umask == NULL)
+ options->umask = pam_modutil_search_key (pamh, LOGIN_CONF, "UMASK");
+
+--- Linux-PAM-1.5.1.pre/modules/pam_umask/pam_umask.8 2021-08-12 16:34:08.314505891 +0200
++++ Linux-PAM-1.5.1/modules/pam_umask/pam_umask.8 2021-08-12 16:14:43.969615764 +0200
+@@ -68,7 +68,9 @@
+ .sp -1
+ .IP \(bu 2.3
+ .\}
+-UMASK entry from /etc/login\&.defs
++UMASK entry from
++/etc/login\&.defs
++(influenced by USERGROUPS_ENAB)
+ .RE
+ .sp
+ .RS 4
+@@ -79,7 +81,8 @@
+ .sp -1
+ .IP \(bu 2.3
+ .\}
+-UMASK= entry from /etc/default/login
++UMASK= entry from
++/etc/default/login
+ .RE
+ .PP
+ The GECOS field is split on comma \*(Aq,\*(Aq characters\&. The module also in addition to the umask= entry recognizes pri= entry, which sets the nice priority value for the session, and ulimit= entry, which sets the maximum size of files the processes in the session can create\&.
+@@ -98,7 +101,10 @@
+ .PP
+ \fBusergroups\fR
+ .RS 4
+-If the user is not root and the username is the same as primary group name, the umask group bits are set to be the same as owner bits (examples: 022 \-> 002, 077 \-> 007)\&.
++If the user is not root and the username is the same as primary group name, the umask group bits are set to be the same as owner bits (examples: 022 \-> 002, 077 \-> 007)\&. Note that using this option explicitly is discouraged\&. pam_umask enables this functionality by default if
++/etc/login\&.defs
++enables USERGROUPS_ENAB, and the umask is not set explicitly in other places than
++/etc/login\&.defs\&.
+ .RE
+ .PP
+ \fBnousergroups\fR
+--- Linux-PAM-1.5.1.pre/modules/pam_umask/README 2021-08-12 16:34:08.638508373 +0200
++++ Linux-PAM-1.5.1/modules/pam_umask/README 2021-08-12 16:14:44.241617840 +0200
+@@ -15,7 +15,7 @@
+
+ • umask= argument
+
+- • UMASK entry from /etc/login.defs
++ • UMASK entry from /etc/login.defs (influenced by USERGROUPS_ENAB)
+
+ • UMASK= entry from /etc/default/login
+
+@@ -38,7 +38,10 @@
+
+ If the user is not root and the username is the same as primary group name,
+ the umask group bits are set to be the same as owner bits (examples: 022 ->
+- 002, 077 -> 007).
++ 002, 077 -> 007). Note that using this option explicitly is discouraged.
++ pam_umask enables this functionality by default if /etc/login.defs enables
++ USERGROUPS_ENAB, and the umask is not set explicitly in other places than /
++ etc/login.defs.
+
+ nousergroups
+
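Review bot: In the pam_umask.c hunk, `options->usergroups = (strcasecmp (result, "yes") == 0);` runs after the `parse_option` call, so whenever UMASK is taken from login.defs it appears to overwrite an explicit `usergroups` or `nousergroups` module argument (assuming `parse_option`, whose body is not shown, is what sets that field). With USERGROUPS_ENAB set to yes this silently relaxes the group bits (the documented 077 -> 007 case) even where an administrator passed `nousergroups`, which matters when a same-named primary group has other members. I would record whether an explicit argument was seen and skip the login.defs lookup in that case, or at minimum state the precedence in a comment such as `/* USERGROUPS_ENAB from login.defs overrides the usergroups/nousergroups arguments here */`. The patch Description and the pam.changes entry also spell the key `USERGROUP_ENAB` and the file `login.def`, while the code and man page use `USERGROUPS_ENAB` and `login.defs`. The enclosing function begins and ends outside the hunk.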