rpm/pam
SHA256
1
0
Fork 0
forked from pool/pam
Code Pull Requests Activity

- Update to version 1.6.0

Browse Source 
- Added support of configuration files with arbitrarily long lines.
  - build: fixed build outside of the source tree.
  - libpam: added use of getrandom(2) as a source of randomness if available.
  - libpam: fixed calculation of fail delay with very long delays.
  - libpam: fixed potential infinite recursion with includes.
  - libpam: implemented string to number conversions validation when parsing
    controls in configuration.
  - pam_access: added quiet_log option.
  - pam_access: fixed truncation of very long group names.
  - pam_canonicalize_user: new module to canonicalize user name.
  - pam_echo: fixed file handling to prevent overflows and short reads.
  - pam_env: added support of '\' character in environment variable values.
  - pam_exec: allowed expose_authtok for password PAM_TYPE.
  - pam_exec: fixed stack overflow with binary output of programs.
  - pam_faildelay: implemented parameter ranges validation.
  - pam_listfile: changed to treat \r and \n exactly the same in configuration.
  - pam_mkhomedir: hardened directory creation against timing attacks.
  - Please note that using *at functions leads to more open file handles
    during creation.
  - pam_namespace: fixed potential local DoS (CVE-2024-22365).
  - pam_nologin: fixed file handling to prevent short reads.
  - pam_pwhistory: helper binary is now built only if SELinux support is
    enabled.
  - pam_pwhistory: implemented reliable usernames handling when remembering
    passwords.
  - pam_shells: changed to allow shell entries with absolute paths only.
  - pam_succeed_if: fixed treating empty strings as numerical value 0.
  - pam_unix: added support of disabled password aging.
  - pam_unix: synchronized password aging with shadow.

OBS-URL: https://build.opensuse.org/package/show/Linux-PAM/pam?expand=0&rev=280
This commit is contained in:
Thorsten Kukuk 2024-01-18 09:18:10 +00:00 committed by Git OBS Bridge
parent add873f61e
commit e352b2c661
11 changed files with 77 additions and 196 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

BIN
Linux-PAM-1.5.3.tar.xz (Stored with Git LFS)
View File

Binary file not shown.

16
Linux-PAM-1.5.3.tar.xz.asc
View File

@ -1,16 +0,0 @@
-----BEGIN PGP SIGNATURE-----
iQIcBAABCgAGBQJkWBFQAAoJEKgEH6g54W42OoMP/R1O9dvpncrR4DfD3yJViTPw
To3isPszsdHhw/uZUzCBEUMxhJgUgefzHGAng1EbTyX2eTLk/cnLY8pZLXr3pzC0
5CfacxAqgjK8B/7CbchsZQCDal84E5jR8qyzVCM3IPxZQfpiR3HJzXVjhg/gnBcY
L6v7FbLpcdM2keHHT1C/hyQfTnzyIdmwyzRdE1DF3ERbe3/1VlNmANNOacZ1H2T9
Hs5dVIFiXwOO11Xku42oOo99LCqXyIsRnEogBFCORHNjD7B88lCdJAHssBdvWq5t
/CJnoGtJrVCXs11JVPSNyW0rm24rZH9YCC6yVRIuMq6jjMBawFUlMAqamLoSA3hK
4BPuPqQjHYk/D5H+m0HF2qRDpz76Bj1zdmYofqspeJf4QJOyOpMSXFY3pgsohuKW
P8YQ44cAkmMswFqMSKGi9EVnf6SVXWQFoHJhtlbUgi7ef/4IICrbtgSSE96OGdlg
Sdoplu3n+1HClaYqlHbjkd/m0Hc8QvOjovctb0Zoclnlup+u2JH4rDNqjxFUvkWB
8CeILjebgBrNRqAFDx7fKBEQyHs5FLOtUU1SwBLXXSyMCHuMhr/tKBHcbDgMhpVP
IiIyYGyEGUoIR/er5AgIX9e6/zcQbc8OvY+gTu9t+tw+HIt8hGvUUkuYX8LB1k6r
zf06e/iTT4GL6AhJtbh3
=2hyW
-----END PGP SIGNATURE-----

BIN
Linux-PAM-1.6.0.tar.xz (Stored with Git LFS) Normal file
View File

Binary file not shown.

16
Linux-PAM-1.6.0.tar.xz.asc Normal file
View File

@ -0,0 +1,16 @@
-----BEGIN PGP SIGNATURE-----
iQIcBAABCgAGBQJlp6wnAAoJEKgEH6g54W42MiEP/A9ZznPwFC64SbhbvFYOt6dI
n7NMhzBK4NNw4FLuqeTtIDibNVZ5PkrPHTVaaUuZ2etIkAtUzQLJfB6AyIUY80Gm
NrURXs3LTGZT413A5hH21wUiMLFXIi8GGcz2THV9FJX4KruOkvxXVTxUH6ntlsHY
U+NpNbQXtbq7whzdb7A2W7Ofyg4/gG/QJuLil1cS0rlGg2GhGqxQKBpzvag3fFM3
XQClfUTF0ALhR6RH0HzolwEsOSp/C1US0mHHfBsvMlbkHrba5VrlQyvdximtzXxw
6+vNaYVd0SX40e3QCLFQ3yAwqAVK6g0lVlgohSCZbjDJgdcoklShE2x7GtVyzwMi
Vic7nkzANQPb0EH14Bo+SMQEOGtZ99tVUt4jX4Rt6f0P/pBCiF6ugJj/IJ67Ouu2
gp1aRVFrrhFetucdeZhnXb7IJ8h4FDtklRcOS8OgsPGJofLjZmVICrwt6sxpU30n
b/csdoJ1xrMuvo1RGAeSi58sz4KiyKxnTDJL1+7owoK6oNMkN2HR6pE4NH0Atm4n
NcQykgvavC6GZwUsMqrGQypG30LdkKiRScPqCerNYzi01iL7Zxw5BK/plFBwCqJQ
LQH1FUUKEUMA13dt/bUOMSUNmkyIC3PtE69g6XeLRL1M00gRwGgjn8azcYDzOWox
zxDFnUsJ/JgmJm3y47J2
=wzV/
-----END PGP SIGNATURE-----

51
disable-examples.patch
View File

@ -1,51 +0,0 @@
From 5fa961fd3b5b8cf5ba1a0cf49b10ebf79e273e96 Mon Sep 17 00:00:00 2001
From: Pino Toscano <toscano.pino@tiscali.it>
Date: Mon, 8 May 2023 18:39:36 +0200
Subject: [PATCH] configure.ac: add --enable-examples option
Allow the user to not build the examples through --disable-examples
(enabled by default); this can be useful:
- when cross-compiling, as the examples are not useful
- in distribution builds, not building stuff that is not used in any
way
---
Makefile.am | 5 ++++-
configure.ac | 5 +++++
2 files changed, 9 insertions(+), 1 deletion(-)
diff --git a/Makefile.am b/Makefile.am
index deb252680..2e8fede7b 100644
--- a/Makefile.am
+++ b/Makefile.am
@@ -4,11 +4,14 @@
AUTOMAKE_OPTIONS = 1.9 gnu dist-xz no-dist-gzip check-news
-SUBDIRS = libpam tests libpamc libpam_misc modules po conf examples xtests
+SUBDIRS = libpam tests libpamc libpam_misc modules po conf xtests
if HAVE_DOC
SUBDIRS += doc
endif
+if HAVE_EXAMPLES
+SUBDIRS += examples
+endif
CLEANFILES = *~
diff --git a/configure.ac b/configure.ac
index b9b0f8392..6666b1b26 100644
--- a/configure.ac
+++ b/configure.ac
@@ -224,6 +224,11 @@ AC_ARG_ENABLE([doc],
WITH_DOC=$enableval, WITH_DOC=yes)
AM_CONDITIONAL([HAVE_DOC], [test "x$WITH_DOC" = "xyes"])
+AC_ARG_ENABLE([examples],
+ AS_HELP_STRING([--disable-examples],[Do not build the examples]),
+ WITH_EXAMPLES=$enableval, WITH_EXAMPLES=yes)
+AM_CONDITIONAL([HAVE_EXAMPLES], [test "x$WITH_EXAMPLES" = "xyes"])
+
AC_ARG_ENABLE([prelude],
AS_HELP_STRING([--disable-prelude],[do not use prelude]),
WITH_PRELUDE=$enableval, WITH_PRELUDE=yes)

2
pam-login_defs-check.sh
View File

@ -12,7 +12,7 @@ grep -rh LOGIN_DEFS . |
sed -n 's/CRYPTO_KEY/\"HMAC_CRYPTO_ALGO\"/g;s/^.*search_key *([A-Za-z_]*, *[A-Z_]*LOGIN_DEFS, *"\([A-Z0-9_]*\)").*$/\1/p' | sed -n 's/CRYPTO_KEY/\"HMAC_CRYPTO_ALGO\"/g;s/^.*search_key *([A-Za-z_]*, *[A-Z_]*LOGIN_DEFS, *"\([A-Z0-9_]*\)").*$/\1/p' |
LC_ALL=C sort -u >pam-login_defs-vars.lst LC_ALL=C sort -u >pam-login_defs-vars.lst
if test $(sha1sum pam-login_defs-vars.lst | sed 's/ .*$//') != cda62ec4158236270a5a30ba1875fa2795926f23 ; then if test $(sha1sum pam-login_defs-vars.lst | sed 's/ .*$//') != 8521c47f55dff97fac980d52395b763590cd3f07 ; then
echo "does not match!" >&2 echo "does not match!" >&2
echo "Checksum is: $(sha1sum pam-login_defs-vars.lst | sed 's/ .*$//')" >&2 echo "Checksum is: $(sha1sum pam-login_defs-vars.lst | sed 's/ .*$//')" >&2

54
pam.changes
View File

@ -1,3 +1,57 @@
-------------------------------------------------------------------
Thu Jan 18 08:28:14 UTC 2024 - Thorsten Kukuk <kukuk@suse.com>
- Update to version 1.6.0
- Added support of configuration files with arbitrarily long lines.
- build: fixed build outside of the source tree.
- libpam: added use of getrandom(2) as a source of randomness if available.
- libpam: fixed calculation of fail delay with very long delays.
- libpam: fixed potential infinite recursion with includes.
- libpam: implemented string to number conversions validation when parsing
controls in configuration.
- pam_access: added quiet_log option.
- pam_access: fixed truncation of very long group names.
- pam_canonicalize_user: new module to canonicalize user name.
- pam_echo: fixed file handling to prevent overflows and short reads.
- pam_env: added support of '\' character in environment variable values.
- pam_exec: allowed expose_authtok for password PAM_TYPE.
- pam_exec: fixed stack overflow with binary output of programs.
- pam_faildelay: implemented parameter ranges validation.
- pam_listfile: changed to treat \r and \n exactly the same in configuration.
- pam_mkhomedir: hardened directory creation against timing attacks.
- Please note that using *at functions leads to more open file handles
during creation.
- pam_namespace: fixed potential local DoS (CVE-2024-22365).
- pam_nologin: fixed file handling to prevent short reads.
- pam_pwhistory: helper binary is now built only if SELinux support is
enabled.
- pam_pwhistory: implemented reliable usernames handling when remembering
passwords.
- pam_shells: changed to allow shell entries with absolute paths only.
- pam_succeed_if: fixed treating empty strings as numerical value 0.
- pam_unix: added support of disabled password aging.
- pam_unix: synchronized password aging with shadow.
- pam_unix: implemented string to number conversions validation.
- pam_unix: fixed truncation of very long user names.
- pam_unix: corrected rounds retrieval for configured encryption method.
- pam_unix: implemented reliable usernames handling when remembering
passwords.
- pam_unix: changed to always run the helper to obtain shadow password
entries.
- pam_unix: unix_update helper binary is now built only if SELinux support
is enabled.
- pam_unix: added audit support to unix_update helper.
- pam_userdb: added gdbm support.
- Multiple minor bug fixes, portability fixes, documentation improvements,
and translation updates.
- The following patches are obsolete with the update:
- pam_access-doc-IPv6-link-local.patch
- pam_access-hostname-debug.patch
- pam_shells-fix-econf-memory-leak.patch
- pam_shells-fix-econf-memory-leak.patch
- pam-login_defs-check.sh: adjust checksum, SHA_CRYPT_MAX_ROUNDS
is no longer used.
------------------------------------------------------------------- -------------------------------------------------------------------
Wed Aug 23 09:20:06 UTC 2023 - Thorsten Kukuk <kukuk@suse.com> Wed Aug 23 09:20:06 UTC 2023 - Thorsten Kukuk <kukuk@suse.com>

16
pam.spec
View File

@ -71,7 +71,7 @@
# #
Name: pam%{name_suffix} Name: pam%{name_suffix}
# #
Version: 1.5.3 Version: 1.6.0
Release: 0 Release: 0
Summary: A Security Tool that Provides Authentication for Applications Summary: A Security Tool that Provides Authentication for Applications
License: GPL-2.0-or-later OR BSD-3-Clause License: GPL-2.0-or-later OR BSD-3-Clause
@ -96,14 +96,6 @@ Source22: postlogin-account.pamd
Source23: postlogin-password.pamd Source23: postlogin-password.pamd
Source24: postlogin-session.pamd Source24: postlogin-session.pamd
Patch1: pam-limit-nproc.patch Patch1: pam-limit-nproc.patch
# https://github.com/linux-pam/linux-pam/pull/594
Patch2: pam_access-doc-IPv6-link-local.patch
# https://github.com/linux-pam/linux-pam/pull/596
Patch3: pam_access-hostname-debug.patch
# https://github.com/linux-pam/linux-pam/pull/581
Patch4: pam_shells-fix-econf-memory-leak.patch
# https://github.com/linux-pam/linux-pam/pull/574
Patch5: disable-examples.patch
BuildRequires: audit-devel BuildRequires: audit-devel
BuildRequires: bison BuildRequires: bison
BuildRequires: flex BuildRequires: flex
@ -214,10 +206,6 @@ building both PAM-aware applications and modules for use with PAM.
%setup -q -n Linux-PAM-%{version} %setup -q -n Linux-PAM-%{version}
cp -a %{SOURCE12} . cp -a %{SOURCE12} .
%patch1 -p1 %patch1 -p1
%patch2 -p1
%patch3 -p1
%patch4 -p1
%patch5 -p1
%build %build
bash ./pam-login_defs-check.sh bash ./pam-login_defs-check.sh
@ -237,7 +225,9 @@ autoreconf
--enable-isadir=../..%{_pam_moduledir} \ --enable-isadir=../..%{_pam_moduledir} \
--enable-securedir=%{_pam_moduledir} \ --enable-securedir=%{_pam_moduledir} \
--enable-vendordir=%{_prefix}/etc \ --enable-vendordir=%{_prefix}/etc \
%if "%{flavor}" == "full"
--enable-logind \ --enable-logind \
%endif
--disable-examples \ --disable-examples \
--disable-nis \ --disable-nis \
%if %{with debug} %if %{with debug}

63
pam_access-doc-IPv6-link-local.patch
View File

@ -1,63 +0,0 @@
From 4ba3105511c3a55fc750a790f7310c6d7ebfdfda Mon Sep 17 00:00:00 2001
From: Thorsten Kukuk <kukuk@suse.com>
Date: Thu, 3 Aug 2023 17:11:32 +0200
Subject: [PATCH] pam_access: document IPv6 link-local addresses (#582)
* modules/pam_access/access.conf.5.xml: Add example and note for IPv6
link-local addresses
* modules/pam_access/access.conf: Add example for IPv6 link-local
addresses
---
modules/pam_access/access.conf | 3 +++
modules/pam_access/access.conf.5.xml | 12 +++++++++++-
2 files changed, 14 insertions(+), 1 deletion(-)
diff --git a/modules/pam_access/access.conf b/modules/pam_access/access.conf
index 47b6b84c1..9c8e21716 100644
--- a/modules/pam_access/access.conf
+++ b/modules/pam_access/access.conf
@@ -115,6 +115,9 @@
# User "john" should get access from ipv6 host address (same as above)
#+:john:2001:4ca0:0:101:0:0:0:1
#
+# User "john" should get access from ipv6 local link host address
+#+:john:fe80::de95:818c:1b55:7e42%eth0
+#
# User "john" should get access from ipv6 net/mask
#+:john:2001:4ca0:0:101::/64
#
diff --git a/modules/pam_access/access.conf.5.xml b/modules/pam_access/access.conf.5.xml
index ff1cb2237..2dc5d477c 100644
--- a/modules/pam_access/access.conf.5.xml
+++ b/modules/pam_access/access.conf.5.xml
@@ -188,6 +188,12 @@
</para>
<para>+:john foo:2001:db8:0:101::1</para>
+ <para>
+ User <emphasis>john</emphasis> and <emphasis>foo</emphasis>
+ should get access from IPv6 link local host address.
+ </para>
+ <para>+:john foo:fe80::de95:818c:1b55:7e42%eth1</para>
+
<para>
User <emphasis>john</emphasis> should get access from IPv6 net/mask.
</para>
@@ -222,6 +228,10 @@
item and the line will be most probably ignored. For this reason, it is not
recommended to put spaces around the ':' characters.
</para>
+ <para>
+ An IPv6 link local host address must contain the interface
+ identifier. IPv6 link local network/netmask is not supported.
+ </para>
</refsect1>
<refsect1 xml:id="access.conf-see_also">
@@ -246,4 +256,4 @@
introduced by Mike Becher &lt;mike.becher@lrz-muenchen.de&gt;.
</para>
</refsect1>
-</refentry>
\ No newline at end of file
+</refentry>

27
pam_access-hostname-debug.patch
View File

@ -1,27 +0,0 @@
From 741acf4ff707d53b94947736a01eeeda5e2c7e98 Mon Sep 17 00:00:00 2001
From: Thorsten Kukuk <kukuk@suse.com>
Date: Fri, 4 Aug 2023 15:46:16 +0200
Subject: [PATCH] pam_access: make non-resolveable hostname a debug output
(#590)
* modules/pam_access/pam_access.c (network_netmask_match): Don't print
an error if a string is not resolveable, only a debug message in debug
mode. We even don't know if that entry is for remote logins or not.
---
modules/pam_access/pam_access.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/modules/pam_access/pam_access.c b/modules/pam_access/pam_access.c
index f70b7e495..985dc7de2 100644
--- a/modules/pam_access/pam_access.c
+++ b/modules/pam_access/pam_access.c
@@ -876,7 +876,8 @@ network_netmask_match (pam_handle_t *pamh,
*/
if (getaddrinfo (tok, NULL, NULL, &ai) != 0)
{
- pam_syslog(pamh, LOG_ERR, "cannot resolve hostname \"%s\"", tok);
+ if (item->debug)
+ pam_syslog(pamh, LOG_DEBUG, "cannot resolve hostname \"%s\"", tok);
return NO;
}

22
pam_shells-fix-econf-memory-leak.patch
View File

@ -1,22 +0,0 @@
From 1a734af22a9f35a9a09edaea44a4e0767de6343b Mon Sep 17 00:00:00 2001
From: Tobias Stoeckmann <tobias@stoeckmann.org>
Date: Thu, 18 May 2023 17:55:21 +0200
Subject: [PATCH] pam_shells: Plug econf memory leak
Signed-off-by: Tobias Stoeckmann <tobias@stoeckmann.org>
---
modules/pam_shells/pam_shells.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/modules/pam_shells/pam_shells.c b/modules/pam_shells/pam_shells.c
index 05c09c656..276a56dd5 100644
--- a/modules/pam_shells/pam_shells.c
+++ b/modules/pam_shells/pam_shells.c
@@ -112,6 +112,7 @@ static int perform_check(pam_handle_t *pamh)
if (!retval)
break;
}
+ econf_free (keys);
econf_free (key_file);
#else
char shellFileLine[256];