Accepting request 1139944 from Linux-PAM
- Add post 1.6.0 release fixes for pam_env and pam_unix: - pam_env-fix-enable-vendordir-fallback.patch - pam_env-fix_vendordir.patch - pam_env-remove-escaped-newlines.patch - pam_unix-fix-password-aging-disabled.patch - Update to version 1.6.0 - Added support of configuration files with arbitrarily long lines. - build: fixed build outside of the source tree. - libpam: added use of getrandom(2) as a source of randomness if available. - libpam: fixed calculation of fail delay with very long delays. - libpam: fixed potential infinite recursion with includes. - libpam: implemented string to number conversions validation when parsing controls in configuration. - pam_access: added quiet_log option. - pam_access: fixed truncation of very long group names. - pam_canonicalize_user: new module to canonicalize user name. - pam_echo: fixed file handling to prevent overflows and short reads. - pam_env: added support of '\' character in environment variable values. - pam_exec: allowed expose_authtok for password PAM_TYPE. - pam_exec: fixed stack overflow with binary output of programs. - pam_faildelay: implemented parameter ranges validation. - pam_listfile: changed to treat \r and \n exactly the same in configuration. - pam_mkhomedir: hardened directory creation against timing attacks. - Please note that using *at functions leads to more open file handles during creation. - pam_namespace: fixed potential local DoS (CVE-2024-22365). - pam_nologin: fixed file handling to prevent short reads. - pam_pwhistory: helper binary is now built only if SELinux support is enabled. - pam_pwhistory: implemented reliable usernames handling when remembering OBS-URL: https://build.opensuse.org/request/show/1139944 OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/pam?expand=0&rev=134
This commit is contained in:
commit
daf3dbbb29
BIN
Linux-PAM-1.5.3.tar.xz
(Stored with Git LFS)
BIN
Linux-PAM-1.5.3.tar.xz
(Stored with Git LFS)
Binary file not shown.
@ -1,16 +0,0 @@
|
||||
-----BEGIN PGP SIGNATURE-----
|
||||
|
||||
iQIcBAABCgAGBQJkWBFQAAoJEKgEH6g54W42OoMP/R1O9dvpncrR4DfD3yJViTPw
|
||||
To3isPszsdHhw/uZUzCBEUMxhJgUgefzHGAng1EbTyX2eTLk/cnLY8pZLXr3pzC0
|
||||
5CfacxAqgjK8B/7CbchsZQCDal84E5jR8qyzVCM3IPxZQfpiR3HJzXVjhg/gnBcY
|
||||
L6v7FbLpcdM2keHHT1C/hyQfTnzyIdmwyzRdE1DF3ERbe3/1VlNmANNOacZ1H2T9
|
||||
Hs5dVIFiXwOO11Xku42oOo99LCqXyIsRnEogBFCORHNjD7B88lCdJAHssBdvWq5t
|
||||
/CJnoGtJrVCXs11JVPSNyW0rm24rZH9YCC6yVRIuMq6jjMBawFUlMAqamLoSA3hK
|
||||
4BPuPqQjHYk/D5H+m0HF2qRDpz76Bj1zdmYofqspeJf4QJOyOpMSXFY3pgsohuKW
|
||||
P8YQ44cAkmMswFqMSKGi9EVnf6SVXWQFoHJhtlbUgi7ef/4IICrbtgSSE96OGdlg
|
||||
Sdoplu3n+1HClaYqlHbjkd/m0Hc8QvOjovctb0Zoclnlup+u2JH4rDNqjxFUvkWB
|
||||
8CeILjebgBrNRqAFDx7fKBEQyHs5FLOtUU1SwBLXXSyMCHuMhr/tKBHcbDgMhpVP
|
||||
IiIyYGyEGUoIR/er5AgIX9e6/zcQbc8OvY+gTu9t+tw+HIt8hGvUUkuYX8LB1k6r
|
||||
zf06e/iTT4GL6AhJtbh3
|
||||
=2hyW
|
||||
-----END PGP SIGNATURE-----
|
BIN
Linux-PAM-1.6.0.tar.xz
(Stored with Git LFS)
Normal file
BIN
Linux-PAM-1.6.0.tar.xz
(Stored with Git LFS)
Normal file
Binary file not shown.
16
Linux-PAM-1.6.0.tar.xz.asc
Normal file
16
Linux-PAM-1.6.0.tar.xz.asc
Normal file
@ -0,0 +1,16 @@
|
||||
-----BEGIN PGP SIGNATURE-----
|
||||
|
||||
iQIcBAABCgAGBQJlp6wnAAoJEKgEH6g54W42MiEP/A9ZznPwFC64SbhbvFYOt6dI
|
||||
n7NMhzBK4NNw4FLuqeTtIDibNVZ5PkrPHTVaaUuZ2etIkAtUzQLJfB6AyIUY80Gm
|
||||
NrURXs3LTGZT413A5hH21wUiMLFXIi8GGcz2THV9FJX4KruOkvxXVTxUH6ntlsHY
|
||||
U+NpNbQXtbq7whzdb7A2W7Ofyg4/gG/QJuLil1cS0rlGg2GhGqxQKBpzvag3fFM3
|
||||
XQClfUTF0ALhR6RH0HzolwEsOSp/C1US0mHHfBsvMlbkHrba5VrlQyvdximtzXxw
|
||||
6+vNaYVd0SX40e3QCLFQ3yAwqAVK6g0lVlgohSCZbjDJgdcoklShE2x7GtVyzwMi
|
||||
Vic7nkzANQPb0EH14Bo+SMQEOGtZ99tVUt4jX4Rt6f0P/pBCiF6ugJj/IJ67Ouu2
|
||||
gp1aRVFrrhFetucdeZhnXb7IJ8h4FDtklRcOS8OgsPGJofLjZmVICrwt6sxpU30n
|
||||
b/csdoJ1xrMuvo1RGAeSi58sz4KiyKxnTDJL1+7owoK6oNMkN2HR6pE4NH0Atm4n
|
||||
NcQykgvavC6GZwUsMqrGQypG30LdkKiRScPqCerNYzi01iL7Zxw5BK/plFBwCqJQ
|
||||
LQH1FUUKEUMA13dt/bUOMSUNmkyIC3PtE69g6XeLRL1M00gRwGgjn8azcYDzOWox
|
||||
zxDFnUsJ/JgmJm3y47J2
|
||||
=wzV/
|
||||
-----END PGP SIGNATURE-----
|
@ -1,51 +0,0 @@
|
||||
From 5fa961fd3b5b8cf5ba1a0cf49b10ebf79e273e96 Mon Sep 17 00:00:00 2001
|
||||
From: Pino Toscano <toscano.pino@tiscali.it>
|
||||
Date: Mon, 8 May 2023 18:39:36 +0200
|
||||
Subject: [PATCH] configure.ac: add --enable-examples option
|
||||
|
||||
Allow the user to not build the examples through --disable-examples
|
||||
(enabled by default); this can be useful:
|
||||
- when cross-compiling, as the examples are not useful
|
||||
- in distribution builds, not building stuff that is not used in any
|
||||
way
|
||||
---
|
||||
Makefile.am | 5 ++++-
|
||||
configure.ac | 5 +++++
|
||||
2 files changed, 9 insertions(+), 1 deletion(-)
|
||||
|
||||
diff --git a/Makefile.am b/Makefile.am
|
||||
index deb252680..2e8fede7b 100644
|
||||
--- a/Makefile.am
|
||||
+++ b/Makefile.am
|
||||
@@ -4,11 +4,14 @@
|
||||
|
||||
AUTOMAKE_OPTIONS = 1.9 gnu dist-xz no-dist-gzip check-news
|
||||
|
||||
-SUBDIRS = libpam tests libpamc libpam_misc modules po conf examples xtests
|
||||
+SUBDIRS = libpam tests libpamc libpam_misc modules po conf xtests
|
||||
|
||||
if HAVE_DOC
|
||||
SUBDIRS += doc
|
||||
endif
|
||||
+if HAVE_EXAMPLES
|
||||
+SUBDIRS += examples
|
||||
+endif
|
||||
|
||||
CLEANFILES = *~
|
||||
|
||||
diff --git a/configure.ac b/configure.ac
|
||||
index b9b0f8392..6666b1b26 100644
|
||||
--- a/configure.ac
|
||||
+++ b/configure.ac
|
||||
@@ -224,6 +224,11 @@ AC_ARG_ENABLE([doc],
|
||||
WITH_DOC=$enableval, WITH_DOC=yes)
|
||||
AM_CONDITIONAL([HAVE_DOC], [test "x$WITH_DOC" = "xyes"])
|
||||
|
||||
+AC_ARG_ENABLE([examples],
|
||||
+ AS_HELP_STRING([--disable-examples],[Do not build the examples]),
|
||||
+ WITH_EXAMPLES=$enableval, WITH_EXAMPLES=yes)
|
||||
+AM_CONDITIONAL([HAVE_EXAMPLES], [test "x$WITH_EXAMPLES" = "xyes"])
|
||||
+
|
||||
AC_ARG_ENABLE([prelude],
|
||||
AS_HELP_STRING([--disable-prelude],[do not use prelude]),
|
||||
WITH_PRELUDE=$enableval, WITH_PRELUDE=yes)
|
@ -12,7 +12,7 @@ grep -rh LOGIN_DEFS . |
|
||||
sed -n 's/CRYPTO_KEY/\"HMAC_CRYPTO_ALGO\"/g;s/^.*search_key *([A-Za-z_]*, *[A-Z_]*LOGIN_DEFS, *"\([A-Z0-9_]*\)").*$/\1/p' |
|
||||
LC_ALL=C sort -u >pam-login_defs-vars.lst
|
||||
|
||||
if test $(sha1sum pam-login_defs-vars.lst | sed 's/ .*$//') != cda62ec4158236270a5a30ba1875fa2795926f23 ; then
|
||||
if test $(sha1sum pam-login_defs-vars.lst | sed 's/ .*$//') != 8521c47f55dff97fac980d52395b763590cd3f07 ; then
|
||||
|
||||
echo "does not match!" >&2
|
||||
echo "Checksum is: $(sha1sum pam-login_defs-vars.lst | sed 's/ .*$//')" >&2
|
||||
|
60
pam.changes
60
pam.changes
@ -1,3 +1,63 @@
|
||||
-------------------------------------------------------------------
|
||||
Fri Jan 19 09:11:30 UTC 2024 - Thorsten Kukuk <kukuk@suse.com>
|
||||
|
||||
- Add post 1.6.0 release fixes for pam_env and pam_unix:
|
||||
- pam_env-fix-enable-vendordir-fallback.patch
|
||||
- pam_env-fix_vendordir.patch
|
||||
- pam_env-remove-escaped-newlines.patch
|
||||
- pam_unix-fix-password-aging-disabled.patch
|
||||
- Update to version 1.6.0
|
||||
- Added support of configuration files with arbitrarily long lines.
|
||||
- build: fixed build outside of the source tree.
|
||||
- libpam: added use of getrandom(2) as a source of randomness if available.
|
||||
- libpam: fixed calculation of fail delay with very long delays.
|
||||
- libpam: fixed potential infinite recursion with includes.
|
||||
- libpam: implemented string to number conversions validation when parsing
|
||||
controls in configuration.
|
||||
- pam_access: added quiet_log option.
|
||||
- pam_access: fixed truncation of very long group names.
|
||||
- pam_canonicalize_user: new module to canonicalize user name.
|
||||
- pam_echo: fixed file handling to prevent overflows and short reads.
|
||||
- pam_env: added support of '\' character in environment variable values.
|
||||
- pam_exec: allowed expose_authtok for password PAM_TYPE.
|
||||
- pam_exec: fixed stack overflow with binary output of programs.
|
||||
- pam_faildelay: implemented parameter ranges validation.
|
||||
- pam_listfile: changed to treat \r and \n exactly the same in configuration.
|
||||
- pam_mkhomedir: hardened directory creation against timing attacks.
|
||||
- Please note that using *at functions leads to more open file handles
|
||||
during creation.
|
||||
- pam_namespace: fixed potential local DoS (CVE-2024-22365).
|
||||
- pam_nologin: fixed file handling to prevent short reads.
|
||||
- pam_pwhistory: helper binary is now built only if SELinux support is
|
||||
enabled.
|
||||
- pam_pwhistory: implemented reliable usernames handling when remembering
|
||||
passwords.
|
||||
- pam_shells: changed to allow shell entries with absolute paths only.
|
||||
- pam_succeed_if: fixed treating empty strings as numerical value 0.
|
||||
- pam_unix: added support of disabled password aging.
|
||||
- pam_unix: synchronized password aging with shadow.
|
||||
- pam_unix: implemented string to number conversions validation.
|
||||
- pam_unix: fixed truncation of very long user names.
|
||||
- pam_unix: corrected rounds retrieval for configured encryption method.
|
||||
- pam_unix: implemented reliable usernames handling when remembering
|
||||
passwords.
|
||||
- pam_unix: changed to always run the helper to obtain shadow password
|
||||
entries.
|
||||
- pam_unix: unix_update helper binary is now built only if SELinux support
|
||||
is enabled.
|
||||
- pam_unix: added audit support to unix_update helper.
|
||||
- pam_userdb: added gdbm support.
|
||||
- Multiple minor bug fixes, portability fixes, documentation improvements,
|
||||
and translation updates.
|
||||
- The following patches are obsolete with the update:
|
||||
- pam_access-doc-IPv6-link-local.patch
|
||||
- pam_access-hostname-debug.patch
|
||||
- pam_shells-fix-econf-memory-leak.patch
|
||||
- pam_shells-fix-econf-memory-leak.patch
|
||||
- disable-examples.patch
|
||||
- pam-login_defs-check.sh: adjust checksum, SHA_CRYPT_MAX_ROUNDS
|
||||
is no longer used.
|
||||
|
||||
-------------------------------------------------------------------
|
||||
Wed Aug 23 09:20:06 UTC 2023 - Thorsten Kukuk <kukuk@suse.com>
|
||||
|
||||
|
32
pam.spec
32
pam.spec
@ -71,7 +71,7 @@
|
||||
#
|
||||
Name: pam%{name_suffix}
|
||||
#
|
||||
Version: 1.5.3
|
||||
Version: 1.6.0
|
||||
Release: 0
|
||||
Summary: A Security Tool that Provides Authentication for Applications
|
||||
License: GPL-2.0-or-later OR BSD-3-Clause
|
||||
@ -96,14 +96,14 @@ Source22: postlogin-account.pamd
|
||||
Source23: postlogin-password.pamd
|
||||
Source24: postlogin-session.pamd
|
||||
Patch1: pam-limit-nproc.patch
|
||||
# https://github.com/linux-pam/linux-pam/pull/594
|
||||
Patch2: pam_access-doc-IPv6-link-local.patch
|
||||
# https://github.com/linux-pam/linux-pam/pull/596
|
||||
Patch3: pam_access-hostname-debug.patch
|
||||
# https://github.com/linux-pam/linux-pam/pull/581
|
||||
Patch4: pam_shells-fix-econf-memory-leak.patch
|
||||
# https://github.com/linux-pam/linux-pam/pull/574
|
||||
Patch5: disable-examples.patch
|
||||
# https://github.com/linux-pam/linux-pam/pull/739
|
||||
Patch2: pam_env-fix_vendordir.patch
|
||||
# https://github.com/linux-pam/linux-pam/pull/740
|
||||
Patch3: pam_env-fix-enable-vendordir-fallback.patch
|
||||
# https://github.com/linux-pam/linux-pam/pull/741
|
||||
Patch4: pam_env-remove-escaped-newlines.patch
|
||||
# https://github.com/linux-pam/linux-pam/pull/744
|
||||
Patch5: pam_unix-fix-password-aging-disabled.patch
|
||||
BuildRequires: audit-devel
|
||||
BuildRequires: bison
|
||||
BuildRequires: flex
|
||||
@ -151,7 +151,9 @@ username/password pair against values stored in a Berkeley DB database.
|
||||
%package -n pam-extra
|
||||
Summary: PAM module with extended dependencies
|
||||
Group: System/Libraries
|
||||
BuildRequires: pkgconfig(systemd)
|
||||
#BuildRequires: pkgconfig(systemd)
|
||||
# The systemd-mini package does not pass configure checks
|
||||
BuildRequires: systemd-devel >= 254
|
||||
BuildRequires: pam-devel
|
||||
Provides: pam:%{_sbindir}/pam_timestamp_check
|
||||
|
||||
@ -237,7 +239,9 @@ autoreconf
|
||||
--enable-isadir=../..%{_pam_moduledir} \
|
||||
--enable-securedir=%{_pam_moduledir} \
|
||||
--enable-vendordir=%{_prefix}/etc \
|
||||
%if "%{flavor}" == "full"
|
||||
--enable-logind \
|
||||
%endif
|
||||
--disable-examples \
|
||||
--disable-nis \
|
||||
%if %{with debug}
|
||||
@ -290,9 +294,13 @@ mkdir -p -m 755 %{buildroot}%{_libdir}
|
||||
mkdir -p %{buildroot}%{_distconfdir}/pam.d
|
||||
|
||||
%make_install
|
||||
/sbin/ldconfig -n %{buildroot}%{libdir}
|
||||
# XXX remove for now until we have a security review of the new module
|
||||
rm -f %{buildroot}%{_libdir}/security/pam_canonicalize_user.so
|
||||
/sbin/ldconfig -n %{buildroot}%{_libdir}
|
||||
# Install documentation
|
||||
%make_install -C doc
|
||||
# XXX remove for now until we have a security review, see above
|
||||
rm -f %{buildroot}%{_mandir}/man8/pam_canonicalize_user.8*
|
||||
# install /etc/security/namespace.d used by pam_namespace.so for namespace.conf iscript
|
||||
install -d %{buildroot}%{_pam_secconfdir}/namespace.d
|
||||
# install other.pamd and common-*.pamd
|
||||
@ -343,7 +351,7 @@ echo '.so man8/pam_motd.8' > %{buildroot}%{_mandir}/man5/motd.5
|
||||
|
||||
%if !%{build_main}
|
||||
rm -rf %{buildroot}{%{_sysconfdir},%{_distconfdir},%{_sbindir}/{f*,m*,pam_n*,pw*,u*},%{_pam_secconfdir},%{_pam_confdir},%{_datadir}/locale}
|
||||
rm -rf %{buildroot}{%{_includedir},%{_libdir}/{libpam*,pkgconfig},%{_pam_vendordir},%{_rpmmacrodir},%{_tmpfilesdir}}
|
||||
rm -rf %{buildroot}{%{_includedir},%{_libdir}/{libpam*,pkgconfig},%{_pam_vendordir},%{_rpmmacrodir},%{_tmpfilesdir},%{_unitdir}/pam_namespace.service}
|
||||
rm -rf %{buildroot}%{_pam_moduledir}/pam_{a,b,c,d,e,f,g,h,j,k,l,m,n,o,p,q,r,s,v,w,x,y,z,time.,tt,um,un,usertype}*
|
||||
%else
|
||||
# Delete files for extra package
|
||||
|
@ -1,63 +0,0 @@
|
||||
From 4ba3105511c3a55fc750a790f7310c6d7ebfdfda Mon Sep 17 00:00:00 2001
|
||||
From: Thorsten Kukuk <kukuk@suse.com>
|
||||
Date: Thu, 3 Aug 2023 17:11:32 +0200
|
||||
Subject: [PATCH] pam_access: document IPv6 link-local addresses (#582)
|
||||
|
||||
* modules/pam_access/access.conf.5.xml: Add example and note for IPv6
|
||||
link-local addresses
|
||||
* modules/pam_access/access.conf: Add example for IPv6 link-local
|
||||
addresses
|
||||
---
|
||||
modules/pam_access/access.conf | 3 +++
|
||||
modules/pam_access/access.conf.5.xml | 12 +++++++++++-
|
||||
2 files changed, 14 insertions(+), 1 deletion(-)
|
||||
|
||||
diff --git a/modules/pam_access/access.conf b/modules/pam_access/access.conf
|
||||
index 47b6b84c1..9c8e21716 100644
|
||||
--- a/modules/pam_access/access.conf
|
||||
+++ b/modules/pam_access/access.conf
|
||||
@@ -115,6 +115,9 @@
|
||||
# User "john" should get access from ipv6 host address (same as above)
|
||||
#+:john:2001:4ca0:0:101:0:0:0:1
|
||||
#
|
||||
+# User "john" should get access from ipv6 local link host address
|
||||
+#+:john:fe80::de95:818c:1b55:7e42%eth0
|
||||
+#
|
||||
# User "john" should get access from ipv6 net/mask
|
||||
#+:john:2001:4ca0:0:101::/64
|
||||
#
|
||||
diff --git a/modules/pam_access/access.conf.5.xml b/modules/pam_access/access.conf.5.xml
|
||||
index ff1cb2237..2dc5d477c 100644
|
||||
--- a/modules/pam_access/access.conf.5.xml
|
||||
+++ b/modules/pam_access/access.conf.5.xml
|
||||
@@ -188,6 +188,12 @@
|
||||
</para>
|
||||
<para>+:john foo:2001:db8:0:101::1</para>
|
||||
|
||||
+ <para>
|
||||
+ User <emphasis>john</emphasis> and <emphasis>foo</emphasis>
|
||||
+ should get access from IPv6 link local host address.
|
||||
+ </para>
|
||||
+ <para>+:john foo:fe80::de95:818c:1b55:7e42%eth1</para>
|
||||
+
|
||||
<para>
|
||||
User <emphasis>john</emphasis> should get access from IPv6 net/mask.
|
||||
</para>
|
||||
@@ -222,6 +228,10 @@
|
||||
item and the line will be most probably ignored. For this reason, it is not
|
||||
recommended to put spaces around the ':' characters.
|
||||
</para>
|
||||
+ <para>
|
||||
+ An IPv6 link local host address must contain the interface
|
||||
+ identifier. IPv6 link local network/netmask is not supported.
|
||||
+ </para>
|
||||
</refsect1>
|
||||
|
||||
<refsect1 xml:id="access.conf-see_also">
|
||||
@@ -246,4 +256,4 @@
|
||||
introduced by Mike Becher <mike.becher@lrz-muenchen.de>.
|
||||
</para>
|
||||
</refsect1>
|
||||
-</refentry>
|
||||
\ No newline at end of file
|
||||
+</refentry>
|
@ -1,27 +0,0 @@
|
||||
From 741acf4ff707d53b94947736a01eeeda5e2c7e98 Mon Sep 17 00:00:00 2001
|
||||
From: Thorsten Kukuk <kukuk@suse.com>
|
||||
Date: Fri, 4 Aug 2023 15:46:16 +0200
|
||||
Subject: [PATCH] pam_access: make non-resolveable hostname a debug output
|
||||
(#590)
|
||||
|
||||
* modules/pam_access/pam_access.c (network_netmask_match): Don't print
|
||||
an error if a string is not resolveable, only a debug message in debug
|
||||
mode. We even don't know if that entry is for remote logins or not.
|
||||
---
|
||||
modules/pam_access/pam_access.c | 3 ++-
|
||||
1 file changed, 2 insertions(+), 1 deletion(-)
|
||||
|
||||
diff --git a/modules/pam_access/pam_access.c b/modules/pam_access/pam_access.c
|
||||
index f70b7e495..985dc7de2 100644
|
||||
--- a/modules/pam_access/pam_access.c
|
||||
+++ b/modules/pam_access/pam_access.c
|
||||
@@ -876,7 +876,8 @@ network_netmask_match (pam_handle_t *pamh,
|
||||
*/
|
||||
if (getaddrinfo (tok, NULL, NULL, &ai) != 0)
|
||||
{
|
||||
- pam_syslog(pamh, LOG_ERR, "cannot resolve hostname \"%s\"", tok);
|
||||
+ if (item->debug)
|
||||
+ pam_syslog(pamh, LOG_DEBUG, "cannot resolve hostname \"%s\"", tok);
|
||||
|
||||
return NO;
|
||||
}
|
51
pam_env-fix-enable-vendordir-fallback.patch
Normal file
51
pam_env-fix-enable-vendordir-fallback.patch
Normal file
@ -0,0 +1,51 @@
|
||||
From 28894b319488e8302899ee569b6e0911905f374e Mon Sep 17 00:00:00 2001
|
||||
From: "Dmitry V. Levin" <ldv@strace.io>
|
||||
Date: Thu, 18 Jan 2024 17:00:00 +0000
|
||||
Subject: [PATCH] pam_env: fix --enable-vendordir fallback logic
|
||||
|
||||
* modules/pam_env/pam_env.c (_parse_config_file) [!USE_ECONF &&
|
||||
VENDOR_DEFAULT_CONF_FILE]: Do not fallback to vendor pam_env.conf file
|
||||
if the config file is specified via module arguments.
|
||||
|
||||
Link: https://github.com/linux-pam/linux-pam/issues/738
|
||||
Fixes: v1.5.3~69 ("pam_env: Use vendor specific pam_env.conf and environment as fallback")
|
||||
---
|
||||
modules/pam_env/pam_env.c | 22 +++++++++++-----------
|
||||
1 file changed, 11 insertions(+), 11 deletions(-)
|
||||
|
||||
diff --git a/modules/pam_env/pam_env.c b/modules/pam_env/pam_env.c
|
||||
index a0b812fff..8b40b6a5a 100644
|
||||
--- a/modules/pam_env/pam_env.c
|
||||
+++ b/modules/pam_env/pam_env.c
|
||||
@@ -850,20 +850,20 @@ _parse_config_file(pam_handle_t *pamh, int ctrl, const char *file)
|
||||
#ifdef USE_ECONF
|
||||
/* If "file" is not NULL, only this file will be parsed. */
|
||||
retval = econf_read_file(pamh, file, " \t", PAM_ENV, ".conf", "security", &conf_list);
|
||||
-#else
|
||||
+#else /* !USE_ECONF */
|
||||
/* Only one file will be parsed. So, file has to be set. */
|
||||
- if (file == NULL) /* No filename has been set via argv. */
|
||||
+ if (file == NULL) { /* No filename has been set via argv. */
|
||||
file = DEFAULT_CONF_FILE;
|
||||
-#ifdef VENDOR_DEFAULT_CONF_FILE
|
||||
- /*
|
||||
- * Check whether file is available.
|
||||
- * If it does not exist, fall back to VENDOR_DEFAULT_CONF_FILE file.
|
||||
- */
|
||||
- struct stat stat_buffer;
|
||||
- if (stat(file, &stat_buffer) != 0 && errno == ENOENT) {
|
||||
- file = VENDOR_DEFAULT_CONF_FILE;
|
||||
+# ifdef VENDOR_DEFAULT_CONF_FILE
|
||||
+ /*
|
||||
+ * Check whether DEFAULT_CONF_FILE file is available.
|
||||
+ * If it does not exist, fall back to VENDOR_DEFAULT_CONF_FILE file.
|
||||
+ */
|
||||
+ struct stat stat_buffer;
|
||||
+ if (stat(file, &stat_buffer) != 0 && errno == ENOENT)
|
||||
+ file = VENDOR_DEFAULT_CONF_FILE;
|
||||
+# endif
|
||||
}
|
||||
-#endif
|
||||
retval = read_file(pamh, file, &conf_list);
|
||||
#endif
|
||||
|
51
pam_env-fix_vendordir.patch
Normal file
51
pam_env-fix_vendordir.patch
Normal file
@ -0,0 +1,51 @@
|
||||
From 0703453bec6ac54ad31d7245be4529796a3ef764 Mon Sep 17 00:00:00 2001
|
||||
From: Tobias Stoeckmann <tobias@stoeckmann.org>
|
||||
Date: Thu, 18 Jan 2024 18:08:05 +0100
|
||||
Subject: [PATCH] pam_env: check VENDORDIR after config.h inclusion
|
||||
|
||||
The VENDORDIR define has to be checked after config.h
|
||||
inclusion, otherwise the ifdef test always yields false.
|
||||
|
||||
Fixes: 6135c45347b6 ("pam_env: Use vendor specific pam_env.conf and environment as fallback")
|
||||
|
||||
Signed-off-by: Tobias Stoeckmann <tobias@stoeckmann.org>
|
||||
---
|
||||
modules/pam_env/pam_env.c | 18 +++++++++---------
|
||||
1 file changed, 9 insertions(+), 9 deletions(-)
|
||||
|
||||
diff --git a/modules/pam_env/pam_env.c b/modules/pam_env/pam_env.c
|
||||
index 59adc942c..a0b812fff 100644
|
||||
--- a/modules/pam_env/pam_env.c
|
||||
+++ b/modules/pam_env/pam_env.c
|
||||
@@ -6,15 +6,6 @@
|
||||
* template for this file (via pam_mail)
|
||||
*/
|
||||
|
||||
-#define DEFAULT_ETC_ENVFILE "/etc/environment"
|
||||
-#ifdef VENDORDIR
|
||||
-#define VENDOR_DEFAULT_ETC_ENVFILE (VENDORDIR "/environment")
|
||||
-#endif
|
||||
-#define DEFAULT_READ_ENVFILE 1
|
||||
-
|
||||
-#define DEFAULT_USER_ENVFILE ".pam_environment"
|
||||
-#define DEFAULT_USER_READ_ENVFILE 0
|
||||
-
|
||||
#include "config.h"
|
||||
|
||||
#include <ctype.h>
|
||||
@@ -52,6 +43,15 @@ typedef struct var {
|
||||
char *override;
|
||||
} VAR;
|
||||
|
||||
+#define DEFAULT_ETC_ENVFILE "/etc/environment"
|
||||
+#ifdef VENDORDIR
|
||||
+#define VENDOR_DEFAULT_ETC_ENVFILE (VENDORDIR "/environment")
|
||||
+#endif
|
||||
+#define DEFAULT_READ_ENVFILE 1
|
||||
+
|
||||
+#define DEFAULT_USER_ENVFILE ".pam_environment"
|
||||
+#define DEFAULT_USER_READ_ENVFILE 0
|
||||
+
|
||||
#define DEFAULT_CONF_FILE (SCONFIGDIR "/pam_env.conf")
|
||||
#ifdef VENDOR_SCONFIGDIR
|
||||
#define VENDOR_DEFAULT_CONF_FILE (VENDOR_SCONFIGDIR "/pam_env.conf")
|
54
pam_env-remove-escaped-newlines.patch
Normal file
54
pam_env-remove-escaped-newlines.patch
Normal file
@ -0,0 +1,54 @@
|
||||
From ef51c51523b4c6ce6275b2863a0de1a3a6dff1e5 Mon Sep 17 00:00:00 2001
|
||||
From: Tobias Stoeckmann <tobias@stoeckmann.org>
|
||||
Date: Thu, 18 Jan 2024 20:25:20 +0100
|
||||
Subject: [PATCH] pam_env: remove escaped newlines from econf lines
|
||||
|
||||
The libeconf routines do not remove escaped newlines the way we want to
|
||||
process them later on. Manually remove them from values.
|
||||
|
||||
Signed-off-by: Tobias Stoeckmann <tobias@stoeckmann.org>
|
||||
---
|
||||
modules/pam_env/pam_env.c | 23 +++++++++++++++++++++++
|
||||
1 file changed, 23 insertions(+)
|
||||
|
||||
diff --git a/modules/pam_env/pam_env.c b/modules/pam_env/pam_env.c
|
||||
index a0b812fff..5f53fbb10 100644
|
||||
--- a/modules/pam_env/pam_env.c
|
||||
+++ b/modules/pam_env/pam_env.c
|
||||
@@ -160,6 +160,28 @@ isDirectory(const char *path) {
|
||||
return S_ISDIR(statbuf.st_mode);
|
||||
}
|
||||
|
||||
+/*
|
||||
+ * Remove escaped newline from string.
|
||||
+ *
|
||||
+ * All occurrences of "\\n" will be removed from string.
|
||||
+ */
|
||||
+static void
|
||||
+econf_unescnl(char *val)
|
||||
+{
|
||||
+ char *dest, *p;
|
||||
+
|
||||
+ dest = p = val;
|
||||
+
|
||||
+ while (*p != '\0') {
|
||||
+ if (p[0] == '\\' && p[1] == '\n') {
|
||||
+ p += 2;
|
||||
+ } else {
|
||||
+ *dest++ = *p++;
|
||||
+ }
|
||||
+ }
|
||||
+ *dest = '\0';
|
||||
+}
|
||||
+
|
||||
static int
|
||||
econf_read_file(const pam_handle_t *pamh, const char *filename, const char *delim,
|
||||
const char *name, const char *suffix, const char *subpath,
|
||||
@@ -270,6 +292,7 @@ econf_read_file(const pam_handle_t *pamh, const char *filename, const char *deli
|
||||
keys[i],
|
||||
econf_errString(error));
|
||||
} else {
|
||||
+ econf_unescnl(val);
|
||||
if (asprintf(&(*lines)[i],"%s%c%s", keys[i], delim[0], val) < 0) {
|
||||
pam_syslog(pamh, LOG_ERR, "Cannot allocate memory.");
|
||||
econf_free(keys);
|
@ -1,22 +0,0 @@
|
||||
From 1a734af22a9f35a9a09edaea44a4e0767de6343b Mon Sep 17 00:00:00 2001
|
||||
From: Tobias Stoeckmann <tobias@stoeckmann.org>
|
||||
Date: Thu, 18 May 2023 17:55:21 +0200
|
||||
Subject: [PATCH] pam_shells: Plug econf memory leak
|
||||
|
||||
Signed-off-by: Tobias Stoeckmann <tobias@stoeckmann.org>
|
||||
---
|
||||
modules/pam_shells/pam_shells.c | 1 +
|
||||
1 file changed, 1 insertion(+)
|
||||
|
||||
diff --git a/modules/pam_shells/pam_shells.c b/modules/pam_shells/pam_shells.c
|
||||
index 05c09c656..276a56dd5 100644
|
||||
--- a/modules/pam_shells/pam_shells.c
|
||||
+++ b/modules/pam_shells/pam_shells.c
|
||||
@@ -112,6 +112,7 @@ static int perform_check(pam_handle_t *pamh)
|
||||
if (!retval)
|
||||
break;
|
||||
}
|
||||
+ econf_free (keys);
|
||||
econf_free (key_file);
|
||||
#else
|
||||
char shellFileLine[256];
|
27
pam_unix-fix-password-aging-disabled.patch
Normal file
27
pam_unix-fix-password-aging-disabled.patch
Normal file
@ -0,0 +1,27 @@
|
||||
From 9d40f55216b2de60ccb9b617c79b9280b9f29ead Mon Sep 17 00:00:00 2001
|
||||
From: Tobias Stoeckmann <tobias@stoeckmann.org>
|
||||
Date: Fri, 19 Jan 2024 10:09:00 +0100
|
||||
Subject: [PATCH] pam_unix: do not warn if password aging disabled
|
||||
|
||||
Later checks will print a warning if daysleft is 0. If password
|
||||
aging is disabled, leave daysleft at -1.
|
||||
|
||||
Fixes 9ebc14085a3ba253598cfaa0d3f0d76ea5ee8ccb.
|
||||
|
||||
Signed-off-by: Tobias Stoeckmann <tobias@stoeckmann.org>
|
||||
---
|
||||
modules/pam_unix/passverify.c | 1 -
|
||||
1 file changed, 1 deletion(-)
|
||||
|
||||
diff --git a/modules/pam_unix/passverify.c b/modules/pam_unix/passverify.c
|
||||
index 5c4f862e7..1bc98fa25 100644
|
||||
--- a/modules/pam_unix/passverify.c
|
||||
+++ b/modules/pam_unix/passverify.c
|
||||
@@ -314,7 +314,6 @@ PAMH_ARG_DECL(int check_shadow_expiry,
|
||||
}
|
||||
if (spent->sp_lstchg < 0) {
|
||||
D(("password aging disabled"));
|
||||
- *daysleft = 0;
|
||||
return PAM_SUCCESS;
|
||||
}
|
||||
if (curdays < spent->sp_lstchg) {
|
Loading…
Reference in New Issue
Block a user