From 7ecc0544d0c6ae20ca94608552d51350a36932d7ae071196d8400fd97e3231d2 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Josef=20M=C3=B6llers?= Date: Mon, 22 Jun 2020 13:29:55 +0000 Subject: [PATCH 1/4] Accepting request 815713 from home:jmoellers:branches:Linux-PAM OBS-URL: https://build.opensuse.org/request/show/815713 OBS-URL: https://build.opensuse.org/package/show/Linux-PAM/pam?expand=0&rev=218 --- pam.changes | 6 ++++++ pam.spec | 1 + 2 files changed, 7 insertions(+) diff --git a/pam.changes b/pam.changes index f2c199e..d5e2e36 100644 --- a/pam.changes +++ b/pam.changes @@ -1,3 +1,9 @@ +------------------------------------------------------------------- +Mon Jun 15 15:05:18 UTC 2020 - Josef Möllers + +- Add requirement for group "wheel" to spec file. + [bsc#1171016, pam.spec] + ------------------------------------------------------------------- Mon Jun 8 13:19:12 UTC 2020 - Thorsten Kukuk diff --git a/pam.spec b/pam.spec index cff51f0..f5d9e2e 100644 --- a/pam.spec +++ b/pam.spec @@ -53,6 +53,7 @@ BuildRequires: cracklib-devel BuildRequires: flex BuildRequires: libtool BuildRequires: xz +Requires: group(wheel) Requires(post): permissions # All login.defs variables require support from shadow side. # Upgrade this symbol version only if new variables appear! From daeda00e6c80636049f511cce3e65964a9e9c9aba53dae782f933582a1e74338 Mon Sep 17 00:00:00 2001 From: Thorsten Kukuk Date: Mon, 29 Jun 2020 14:11:14 +0000 Subject: [PATCH 2/4] Accepting request 817074 from home:jmoellers:branches:Linux-PAM OBS-URL: https://build.opensuse.org/request/show/817074 OBS-URL: https://build.opensuse.org/package/show/Linux-PAM/pam?expand=0&rev=219 --- pam.changes | 8 ++++++++ pam.spec | 1 - 2 files changed, 8 insertions(+), 1 deletion(-) diff --git a/pam.changes b/pam.changes index d5e2e36..6a13b9b 100644 --- a/pam.changes +++ b/pam.changes 
@@ -1,3 +1,11 @@ +------------------------------------------------------------------- +Wed Jun 24 13:06:33 UTC 2020 - Josef Möllers + +- Revert the previous change [SR#815713]. + The group is not necessary for PAM functionality but used only + during testing. The test system should therefore create this group. + [bsc#1171016, pam.spec] + ------------------------------------------------------------------- Mon Jun 15 15:05:18 UTC 2020 - Josef Möllers diff --git a/pam.spec b/pam.spec index f5d9e2e..cff51f0 100644 --- a/pam.spec +++ b/pam.spec @@ -53,7 +53,6 @@ BuildRequires: cracklib-devel BuildRequires: flex BuildRequires: libtool BuildRequires: xz -Requires: group(wheel) Requires(post): permissions # All login.defs variables require support from shadow side. # Upgrade this symbol version only if new variables appear! From ca72e1f704f4c62b22a824196bc9e8469d484ae715241daa18a4e74bec024df5 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Josef=20M=C3=B6llers?= Date: Thu, 8 Oct 2020 08:51:25 +0000 Subject: [PATCH 3/4] Accepting request 840140 from home:sbrabec:branches:util-linux-multibuild - pam-login_defs-check.sh: Fix the regexp to get a real variable list (boo#1164274). OBS-URL: https://build.opensuse.org/request/show/840140 OBS-URL: https://build.opensuse.org/package/show/Linux-PAM/pam?expand=0&rev=220 --- pam-login_defs-check.sh | 4 ++-- pam.changes | 6 ++++++ 2 files changed, 8 insertions(+), 2 deletions(-) diff --git a/pam-login_defs-check.sh b/pam-login_defs-check.sh index d1f9e38..b559d79 100644 --- a/pam-login_defs-check.sh +++ b/pam-login_defs-check.sh 
@@ -9,10 +9,10 @@ set -o errexit echo -n "Checking login.defs variables in pam... " >&2 grep -rh LOGIN_DEFS . | - sed -n 's/^.*search_key *("\([A-Z0-9_]*\)", *LOGIN_DEFS).*$/\1/p' | + sed -n 's/^.*search_key *([A-Za-z_]*, *[A-Z_]*LOGIN_DEFS, *"\([A-Z0-9_]*\)").*$/\1/p' | LC_ALL=C sort -u >pam-login_defs-vars.lst -if test $(sha1sum pam-login_defs-vars.lst | sed 's/ .*$//') != da39a3ee5e6b4b0d3255bfef95601890afd80709 ; then +if test $(sha1sum pam-login_defs-vars.lst | sed 's/ .*$//') != 3c6e0020c31609690b69ef391654df930b74151d ; then echo "does not match!" >&2 echo "Checksum is: $(sha1sum pam-login_defs-vars.lst | sed 's/ .*$//')" >&2 diff --git a/pam.changes b/pam.changes index 6a13b9b..a7a0279 100644 --- a/pam.changes +++ b/pam.changes @@ -1,3 +1,9 @@ +------------------------------------------------------------------- +Thu Oct 8 02:33:16 UTC 2020 - Stanislav Brabec + +- pam-login_defs-check.sh: Fix the regexp to get a real variable + list (boo#1164274). + ------------------------------------------------------------------- Wed Jun 24 13:06:33 UTC 2020 - Josef Möllers From 51190216f3a0b7e06e8826ed46a770ea83ad660b399599f861c9bf64ec289fe7 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Josef=20M=C3=B6llers?= Date: Thu, 8 Oct 2020 09:10:15 +0000 Subject: [PATCH 4/4] Accepting request 840209 from home:jmoellers:branches:Linux-PAM OBS-URL: https://build.opensuse.org/request/show/840209 OBS-URL: https://build.opensuse.org/package/show/Linux-PAM/pam?expand=0&rev=221 --- pam-xauth_ownership.patch | 106 ++++++++++++++++++++++++++++++++++++++ pam.changes | 8 +++ pam.spec | 2 + 3 files changed, 116 insertions(+) create mode 100644 pam-xauth_ownership.patch diff --git a/pam-xauth_ownership.patch b/pam-xauth_ownership.patch new file mode 100644 index 0000000..737af6f --- /dev/null +++ b/pam-xauth_ownership.patch 
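Review bot: The comparison in `if test $(sha1sum pam-login_defs-vars.lst | sed 's/ .*$//') != 3c6e0020c31609690b69ef391654df930b74151d` leaves the command substitution unquoted, so if it ever expands to nothing (for instance if sha1sum is missing from the build root) `test` errors out, the `if` takes its false branch, and the check passes silently despite `set -o errexit`. Quoting it makes that case a mismatch: `if test "$(sha1sum pam-login_defs-vars.lst | sed 's/ .*$//')" != 3c6e0020c31609690b69ef391654df930b74151d ; then`. The replaced value da39a3ee5e6b4b0d3255bfef95601890afd80709 is the SHA-1 of empty input, so the check had been pinned to an empty variable list. A guard such as `test -s pam-login_defs-vars.lst || { echo "no login.defs variables extracted" >&2; exit 1; }` before the comparison would report a future regexp regression as such, not as a checksum change. The body of the `if` continues outside the hunk.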
@@ -0,0 +1,106 @@ +Index: Linux-PAM-1.4.0/modules/pam_xauth/pam_xauth.c +=================================================================== +--- Linux-PAM-1.4.0.orig/modules/pam_xauth/pam_xauth.c ++++ Linux-PAM-1.4.0/modules/pam_xauth/pam_xauth.c +@@ -355,11 +355,13 @@ pam_sm_open_session (pam_handle_t *pamh, + char *cookiefile = NULL, *xauthority = NULL, + *cookie = NULL, *display = NULL, *tmp = NULL, + *xauthlocalhostname = NULL; +- const char *user, *xauth = NULL; ++ const char *user, *xauth = NULL, *login_name; + struct passwd *tpwd, *rpwd; + int fd, i, debug = 0; + int retval = PAM_SUCCESS; +- uid_t systemuser = 499, targetuser = 0; ++ uid_t systemuser = 499, targetuser = 0, uid; ++ gid_t gid; ++ struct stat st; + + /* Parse arguments. We don't understand many, so no sense in breaking + * this into a separate function. */ +@@ -429,7 +431,16 @@ pam_sm_open_session (pam_handle_t *pamh, + retval = PAM_SESSION_ERR; + goto cleanup; + } +- rpwd = pam_modutil_getpwuid(pamh, getuid()); ++ ++ login_name = pam_modutil_getlogin(pamh); ++ if (login_name == NULL) { ++ login_name = ""; ++ } ++ if (*login_name) ++ rpwd = pam_modutil_getpwnam(pamh, login_name); ++ else ++ rpwd = pam_modutil_getpwuid(pamh, getuid()); ++ + if (rpwd == NULL) { + pam_syslog(pamh, LOG_ERR, + "error determining invoking user's name"); +@@ -518,18 +529,26 @@ pam_sm_open_session (pam_handle_t *pamh, + cookiefile); + } + ++ /* Get owner and group of the cookiefile */ ++ uid = getuid(); ++ gid = getgid(); ++ if (stat(cookiefile, &st) == 0) { ++ uid = st.st_uid; ++ gid = st.st_gid; ++ } ++ + /* Read the user's .Xauthority file. Because the current UID is + * the original user's UID, this will only fail if something has + * gone wrong, or we have no cookies. 
*/ + if (debug) { + pam_syslog(pamh, LOG_DEBUG, +- "running \"%s %s %s %s %s\" as %lu/%lu", +- xauth, "-f", cookiefile, "nlist", display, +- (unsigned long) getuid(), (unsigned long) getgid()); ++ "running \"%s %s %s %s %s %s\" as %lu/%lu", ++ xauth, "-i", "-f", cookiefile, "nlist", display, ++ (unsigned long) uid, (unsigned long) gid); + } + if (run_coprocess(pamh, NULL, &cookie, +- getuid(), getgid(), +- xauth, "-f", cookiefile, "nlist", display, ++ uid, gid, ++ xauth, "-i", "-f", cookiefile, "nlist", display, + NULL) == 0) { + #ifdef WITH_SELINUX + security_context_t context = NULL; +@@ -583,12 +602,12 @@ pam_sm_open_session (pam_handle_t *pamh, + cookiefile, + "nlist", + t, +- (unsigned long) getuid(), +- (unsigned long) getgid()); ++ (unsigned long) uid, ++ (unsigned long) gid); + } + run_coprocess(pamh, NULL, &cookie, +- getuid(), getgid(), +- xauth, "-f", cookiefile, ++ uid, gid, ++ xauth, "-i", "-f", cookiefile, + "nlist", t, NULL); + } + free(t); +@@ -673,13 +692,17 @@ pam_sm_open_session (pam_handle_t *pamh, + goto cleanup; + } + ++ if (debug) { ++ pam_syslog(pamh, LOG_DEBUG, "set environment variable '%s'", ++ xauthority); ++ } + /* Set the new variable in the environment. */ + if (pam_putenv (pamh, xauthority) != PAM_SUCCESS) + pam_syslog(pamh, LOG_ERR, + "can't set environment variable '%s'", + xauthority); + putenv (xauthority); /* The environment owns this string now. */ +- xauthority = NULL; /* Don't free environment variables. */ ++ /* Don't free environment variables nor set them to NULL. */ + + /* set $DISPLAY in pam handle to make su - work */ + { diff --git a/pam.changes b/pam.changes index a7a0279..f8ad70f 100644 --- a/pam.changes +++ b/pam.changes 
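Review bot: The uid/gid handed to run_coprocess() now come from whatever `stat(cookiefile, &st)` reports, so the identity xauth runs under is decided by a path, not by the caller. How cookiefile is derived is outside the hunk, but if it can come from the invoking user's environment, stat() follows symlinks and the reported owner may be a different account than the invoking user. Accepting the owner only when it matches the looked-up invoking user keeps the NFS fix while bounding the identity: `if (stat(cookiefile, &st) == 0 && S_ISREG(st.st_mode) && st.st_uid == rpwd->pw_uid) { uid = st.st_uid; gid = st.st_gid; }`. Separately, the last embedded hunk drops `xauthority = NULL;` after `putenv (xauthority)`; if the cleanup label (not visible here) frees xauthority, the environment is left pointing at freed memory, so that assignment should stay. pam_sm_open_session starts and ends outside the embedded hunks.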
@@ -1,3 +1,11 @@ +------------------------------------------------------------------- +Wed Oct 8 13:31:39 UTC 2020 - Josef Möllers + +- /usr/bin/xauth chokes on the old user's $HOME being on an NFS + file system. Run /usr/bin/xauth using the old user's uid/gid + Patch courtesy of Dr. Werner Fink. + [bsc#1174593, pam-xauth_ownership.patch] + ------------------------------------------------------------------- Thu Oct 8 02:33:16 UTC 2020 - Stanislav Brabec diff --git a/pam.spec b/pam.spec index cff51f0..6fc5819 100644 --- a/pam.spec +++ b/pam.spec @@ -47,6 +47,7 @@ Source11: unix2_chkpwd.8 Source12: pam-login_defs-check.sh Patch2: pam-limit-nproc.patch Patch4: pam-hostnames-in-access_conf.patch +Patch5: pam-xauth_ownership.patch BuildRequires: audit-devel BuildRequires: bison BuildRequires: cracklib-devel @@ -139,6 +140,7 @@ removed with one of the next releases. cp -a %{SOURCE12} . %patch2 -p1 %patch4 -p1 +%patch5 -p1 %build bash ./pam-login_defs-check.sh