- pam_umask-usergroups-login_defs.patch: Deprecate pam_umask

explicit "usergroups" option and instead read it from login.def's "USERGROUP_ENAB" option if umask is only defined there. [bsc#1189139] OBS-URL: https://build.opensuse.org/package/show/Linux-PAM/pam?expand=0&rev=245
2021-08-12 14:45:10 +00:00 · 2021-08-12 14:45:10 +00:00 · c6cae773e2
commit c6cae773e2
parent 39b8fe8e87
3 changed files with 133 additions and 0 deletions
--- a/pam.changes
+++ b/pam.changes
@ -1,3 +1,11 @@
+-------------------------------------------------------------------
+Thu Aug 12 14:42:54 UTC 2021 - Thorsten Kukuk <kukuk@suse.com>
+
+- pam_umask-usergroups-login_defs.patch: Deprecate pam_umask
+  explicit "usergroups" option and instead read it from login.def's
+  "USERGROUP_ENAB" option if umask is only defined there.
+  [bsc#1189139]
+
 -------------------------------------------------------------------
 Tue Aug  3 09:26:00 UTC 2021 - pgajdos@suse.com

--- a/pam.spec
+++ b/pam.spec
@ -59,6 +59,7 @@ Patch8:         pam-bsc1177858-dont-free-environment-string.patch
 Patch9:         pam-pam_cracklib-add-usersubstr.patch
 Patch10:        pam-bsc1181443-make-nofile-unlimited-mean-nr_open.patch
 Patch11:        bsc1184358-prevent-LOCAL-from-being-resolved.patch
+Patch12:        pam_umask-usergroups-login_defs.patch
 # https://github.com/linux-pam/linux-pam/commit/e842a5fc075002f46672ebcd8e896624f1ec8068
 Patch100:       pam_securetty-don-t-complain-about-missing-config.patch
 Patch101:       revert-check_shadow_expiry.diff
@ -172,6 +173,7 @@ cp -a %{SOURCE12} .
 %patch9 -p1
 %patch10 -p1
 %patch11 -p1
+%patch12 -p1
 %patch100 -p1
 %patch101 -p1

--- a/pam_umask-usergroups-login_defs.patch
+++ b/pam_umask-usergroups-login_defs.patch
@ -0,0 +1,123 @@
+Description:
+Deprecate pam_umask explicit "usergroups" option and instead read it from /etc/login.def's
+"USERGROUP_ENAB" option if umask is only defined there.
+Original Author: Martin Pitt <martin.pitt@ubuntu.com>
+Bug-Debian: http://bugs.debian.org/583958
+
+diff -urN Linux-PAM-1.5.1.pre/modules/pam_umask/pam_umask.8.xml Linux-PAM-1.5.1/modules/pam_umask/pam_umask.8.xml
+--- Linux-PAM-1.5.1.pre/modules/pam_umask/pam_umask.8.xml	2020-11-25 17:57:02.000000000 +0100
+++ Linux-PAM-1.5.1/modules/pam_umask/pam_umask.8.xml	2021-08-12 16:02:56.108249895 +0200
+@@ -61,12 +61,13 @@
+         </listitem>
+         <listitem>
+           <para>
+-            UMASK entry from /etc/login.defs
+            UMASK entry from <filename>/etc/login.defs</filename>
+	    (influenced by USERGROUPS_ENAB)
+           </para>
+         </listitem>
+         <listitem>
+           <para>
+-            UMASK= entry from /etc/default/login
+            UMASK= entry from <filename>/etc/default/login</filename>
+           </para>
+         </listitem>
+       </itemizedlist>
+@@ -118,6 +119,11 @@
+               If the user is not root and the username is the same as
+               primary group name, the umask group bits are set to be the
+               same as owner bits (examples: 022 -> 002, 077 -> 007).
+	      Note that using this option explicitly is discouraged. pam_umask
+	      enables this functionality by default if
+	      <filename>/etc/login.defs</filename> enables
+	      USERGROUPS_ENAB, and the umask is not set explicitly in other
+	      places than <filename>/etc/login.defs</filename>.
+             </para>
+           </listitem>
+         </varlistentry>
+diff -urN Linux-PAM-1.5.1.pre/modules/pam_umask/pam_umask.c Linux-PAM-1.5.1/modules/pam_umask/pam_umask.c
+--- Linux-PAM-1.5.1.pre/modules/pam_umask/pam_umask.c	2020-11-25 17:57:02.000000000 +0100
+++ Linux-PAM-1.5.1/modules/pam_umask/pam_umask.c	2021-08-12 16:14:40.505589328 +0200
+@@ -103,7 +103,23 @@
+     parse_option (pamh, *argv, options);
+ 
+   if (options->umask == NULL)
+-    options->umask = pam_modutil_search_key (pamh, LOGIN_DEFS, "UMASK");
+    {
+      options->umask = pam_modutil_search_key (pamh, LOGIN_DEFS, "UMASK");
+      /* login.defs' USERGROUPS_ENAB will modify the UMASK setting there by way
+       * of usergroups; but we don't want it to influence umask definitions
+       * from other places (like GECOS).
+       */
+      if (options->umask != NULL)
+       {
+         char *result = pam_modutil_search_key (pamh, LOGIN_DEFS,
+						"USERGROUPS_ENAB");
+         if (result != NULL)
+           {
+             options->usergroups = (strcasecmp (result, "yes") == 0);
+             free (result);
+           }
+       }
+    }
+   if (options->umask == NULL)
+     options->umask = pam_modutil_search_key (pamh, LOGIN_CONF, "UMASK");
+ 
+--- Linux-PAM-1.5.1.pre/modules/pam_umask/pam_umask.8	2021-08-12 16:34:08.314505891 +0200
+++ Linux-PAM-1.5.1/modules/pam_umask/pam_umask.8	2021-08-12 16:14:43.969615764 +0200
+@@ -68,7 +68,9 @@
+ .sp -1
+ .IP \(bu 2.3
+ .\}
+-UMASK entry from /etc/login\&.defs
+UMASK entry from
+/etc/login\&.defs
+(influenced by USERGROUPS_ENAB)
+ .RE
+ .sp
+ .RS 4
+@@ -79,7 +81,8 @@
+ .sp -1
+ .IP \(bu 2.3
+ .\}
+-UMASK= entry from /etc/default/login
+UMASK= entry from
+/etc/default/login
+ .RE
+ .PP
+ The GECOS field is split on comma \*(Aq,\*(Aq characters\&. The module also in addition to the umask= entry recognizes pri= entry, which sets the nice priority value for the session, and ulimit= entry, which sets the maximum size of files the processes in the session can create\&.
+@@ -98,7 +101,10 @@
+ .PP
+ \fBusergroups\fR
+ .RS 4
+-If the user is not root and the username is the same as primary group name, the umask group bits are set to be the same as owner bits (examples: 022 \-> 002, 077 \-> 007)\&.
+If the user is not root and the username is the same as primary group name, the umask group bits are set to be the same as owner bits (examples: 022 \-> 002, 077 \-> 007)\&. Note that using this option explicitly is discouraged\&. pam_umask enables this functionality by default if
+/etc/login\&.defs
+enables USERGROUPS_ENAB, and the umask is not set explicitly in other places than
+/etc/login\&.defs\&.
+ .RE
+ .PP
+ \fBnousergroups\fR
+--- Linux-PAM-1.5.1.pre/modules/pam_umask/README	2021-08-12 16:34:08.638508373 +0200
+++ Linux-PAM-1.5.1/modules/pam_umask/README	2021-08-12 16:14:44.241617840 +0200
+@@ -15,7 +15,7 @@
+ 
+   • umask= argument
+ 
+-  • UMASK entry from /etc/login.defs
+  • UMASK entry from /etc/login.defs (influenced by USERGROUPS_ENAB)
+ 
+   • UMASK= entry from /etc/default/login
+ 
+@@ -38,7 +38,10 @@
+ 
+     If the user is not root and the username is the same as primary group name,
+     the umask group bits are set to be the same as owner bits (examples: 022 ->
+-    002, 077 -> 007).
+    002, 077 -> 007). Note that using this option explicitly is discouraged.
+    pam_umask enables this functionality by default if /etc/login.defs enables
+    USERGROUPS_ENAB, and the umask is not set explicitly in other places than /
+    etc/login.defs.
+ 
+ nousergroups
+