rpm/pam
SHA256
1
0
Fork 0
forked from pool/pam
Code Pull Requests Activity

Accepting request 1102711 from Linux-PAM

Browse Source 
Backport of upstream fixes for ALP

OBS-URL: https://build.opensuse.org/request/show/1102711
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/pam?expand=0&rev=132
This commit is contained in:
Dominique Leuenberger 2023-08-09 15:23:52 +00:00 committed by Git OBS Bridge
commit f7d843d9b6
6 changed files with 191 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

51
disable-examples.patch Normal file
View File

@ -0,0 +1,51 @@
From 5fa961fd3b5b8cf5ba1a0cf49b10ebf79e273e96 Mon Sep 17 00:00:00 2001
From: Pino Toscano <toscano.pino@tiscali.it>
Date: Mon, 8 May 2023 18:39:36 +0200
Subject: [PATCH] configure.ac: add --enable-examples option
Allow the user to not build the examples through --disable-examples
(enabled by default); this can be useful:
- when cross-compiling, as the examples are not useful
- in distribution builds, not building stuff that is not used in any
way
---
Makefile.am | 5 ++++-
configure.ac | 5 +++++
2 files changed, 9 insertions(+), 1 deletion(-)
diff --git a/Makefile.am b/Makefile.am
index deb252680..2e8fede7b 100644
--- a/Makefile.am
+++ b/Makefile.am
@@ -4,11 +4,14 @@
AUTOMAKE_OPTIONS = 1.9 gnu dist-xz no-dist-gzip check-news
-SUBDIRS = libpam tests libpamc libpam_misc modules po conf examples xtests
+SUBDIRS = libpam tests libpamc libpam_misc modules po conf xtests
if HAVE_DOC
SUBDIRS += doc
endif
+if HAVE_EXAMPLES
+SUBDIRS += examples
+endif
CLEANFILES = *~
diff --git a/configure.ac b/configure.ac
index b9b0f8392..6666b1b26 100644
--- a/configure.ac
+++ b/configure.ac
@@ -224,6 +224,11 @@ AC_ARG_ENABLE([doc],
WITH_DOC=$enableval, WITH_DOC=yes)
AM_CONDITIONAL([HAVE_DOC], [test "x$WITH_DOC" = "xyes"])
+AC_ARG_ENABLE([examples],
+ AS_HELP_STRING([--disable-examples],[Do not build the examples]),
+ WITH_EXAMPLES=$enableval, WITH_EXAMPLES=yes)
+AM_CONDITIONAL([HAVE_EXAMPLES], [test "x$WITH_EXAMPLES" = "xyes"])
+
AC_ARG_ENABLE([prelude],
AS_HELP_STRING([--disable-prelude],[do not use prelude]),
WITH_PRELUDE=$enableval, WITH_PRELUDE=yes)

14
pam.changes
View File

@ -1,3 +1,17 @@
-------------------------------------------------------------------
Mon Aug 7 09:41:27 UTC 2023 - Thorsten Kukuk <kukuk@suse.com>
- pam_access backports from upstream:
- pam_access-doc-IPv6-link-local.patch:
Document only partial supported IPv6 link local addresses
- pam_access-hostname-debug.patch:
Don't print error if we cannot resolve a hostname, does not
need to be a hostname
- pam_shells-fix-econf-memory-leak.patch:
Free econf keys variable
- disable-examples.patch:
Don't build examples
------------------------------------------------------------------- -------------------------------------------------------------------
Tue May 9 12:14:48 UTC 2023 - Thorsten Kukuk <kukuk@suse.com> Tue May 9 12:14:48 UTC 2023 - Thorsten Kukuk <kukuk@suse.com>

14
pam.spec
View File

@ -96,6 +96,14 @@ Source22: postlogin-account.pamd
Source23: postlogin-password.pamd Source23: postlogin-password.pamd
Source24: postlogin-session.pamd Source24: postlogin-session.pamd
Patch1: pam-limit-nproc.patch Patch1: pam-limit-nproc.patch
# https://github.com/linux-pam/linux-pam/pull/594
Patch2: pam_access-doc-IPv6-link-local.patch
# https://github.com/linux-pam/linux-pam/pull/596
Patch3: pam_access-hostname-debug.patch
# https://github.com/linux-pam/linux-pam/pull/581
Patch4: pam_shells-fix-econf-memory-leak.patch
# https://github.com/linux-pam/linux-pam/pull/574
Patch5: disable-examples.patch
BuildRequires: audit-devel BuildRequires: audit-devel
BuildRequires: bison BuildRequires: bison
BuildRequires: flex BuildRequires: flex
@ -206,6 +214,10 @@ building both PAM-aware applications and modules for use with PAM.
%setup -q -n Linux-PAM-%{version} %setup -q -n Linux-PAM-%{version}
cp -a %{SOURCE12} . cp -a %{SOURCE12} .
%patch1 -p1 %patch1 -p1
%patch2 -p1
%patch3 -p1
%patch4 -p1
%patch5 -p1
%build %build
bash ./pam-login_defs-check.sh bash ./pam-login_defs-check.sh
@ -216,6 +228,7 @@ CFLAGS="$CFLAGS -DNDEBUG"
%if %{livepatchable} %if %{livepatchable}
CFLAGS="$CFLAGS -fpatchable-function-entry=16,14 -fdump-ipa-clones" CFLAGS="$CFLAGS -fpatchable-function-entry=16,14 -fdump-ipa-clones"
%endif %endif
autoreconf
%configure \ %configure \
--includedir=%{_includedir}/security \ --includedir=%{_includedir}/security \
--docdir=%{_docdir}/pam \ --docdir=%{_docdir}/pam \
@ -225,6 +238,7 @@ CFLAGS="$CFLAGS -fpatchable-function-entry=16,14 -fdump-ipa-clones"
--enable-securedir=%{_pam_moduledir} \ --enable-securedir=%{_pam_moduledir} \
--enable-vendordir=%{_prefix}/etc \ --enable-vendordir=%{_prefix}/etc \
--enable-logind \ --enable-logind \
--disable-examples \
--disable-nis \ --disable-nis \
%if %{with debug} %if %{with debug}
--enable-debug --enable-debug

63
pam_access-doc-IPv6-link-local.patch Normal file
View File

@ -0,0 +1,63 @@
From 4ba3105511c3a55fc750a790f7310c6d7ebfdfda Mon Sep 17 00:00:00 2001
From: Thorsten Kukuk <kukuk@suse.com>
Date: Thu, 3 Aug 2023 17:11:32 +0200
Subject: [PATCH] pam_access: document IPv6 link-local addresses (#582)
* modules/pam_access/access.conf.5.xml: Add example and note for IPv6
link-local addresses
* modules/pam_access/access.conf: Add example for IPv6 link-local
addresses
---
modules/pam_access/access.conf | 3 +++
modules/pam_access/access.conf.5.xml | 12 +++++++++++-
2 files changed, 14 insertions(+), 1 deletion(-)
diff --git a/modules/pam_access/access.conf b/modules/pam_access/access.conf
index 47b6b84c1..9c8e21716 100644
--- a/modules/pam_access/access.conf
+++ b/modules/pam_access/access.conf
@@ -115,6 +115,9 @@
# User "john" should get access from ipv6 host address (same as above)
#+:john:2001:4ca0:0:101:0:0:0:1
#
+# User "john" should get access from ipv6 local link host address
+#+:john:fe80::de95:818c:1b55:7e42%eth0
+#
# User "john" should get access from ipv6 net/mask
#+:john:2001:4ca0:0:101::/64
#
diff --git a/modules/pam_access/access.conf.5.xml b/modules/pam_access/access.conf.5.xml
index ff1cb2237..2dc5d477c 100644
--- a/modules/pam_access/access.conf.5.xml
+++ b/modules/pam_access/access.conf.5.xml
@@ -188,6 +188,12 @@
</para>
<para>+:john foo:2001:db8:0:101::1</para>
+ <para>
+ User <emphasis>john</emphasis> and <emphasis>foo</emphasis>
+ should get access from IPv6 link local host address.
+ </para>
+ <para>+:john foo:fe80::de95:818c:1b55:7e42%eth1</para>
+
<para>
User <emphasis>john</emphasis> should get access from IPv6 net/mask.
</para>
@@ -222,6 +228,10 @@
item and the line will be most probably ignored. For this reason, it is not
recommended to put spaces around the ':' characters.
</para>
+ <para>
+ An IPv6 link local host address must contain the interface
+ identifier. IPv6 link local network/netmask is not supported.
+ </para>
</refsect1>
<refsect1 xml:id="access.conf-see_also">
@@ -246,4 +256,4 @@
introduced by Mike Becher &lt;mike.becher@lrz-muenchen.de&gt;.
</para>
</refsect1>
-</refentry>
\ No newline at end of file
+</refentry>

27
pam_access-hostname-debug.patch Normal file
View File

@ -0,0 +1,27 @@
From 741acf4ff707d53b94947736a01eeeda5e2c7e98 Mon Sep 17 00:00:00 2001
From: Thorsten Kukuk <kukuk@suse.com>
Date: Fri, 4 Aug 2023 15:46:16 +0200
Subject: [PATCH] pam_access: make non-resolveable hostname a debug output
(#590)
* modules/pam_access/pam_access.c (network_netmask_match): Don't print
an error if a string is not resolveable, only a debug message in debug
mode. We even don't know if that entry is for remote logins or not.
---
modules/pam_access/pam_access.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/modules/pam_access/pam_access.c b/modules/pam_access/pam_access.c
index f70b7e495..985dc7de2 100644
--- a/modules/pam_access/pam_access.c
+++ b/modules/pam_access/pam_access.c
@@ -876,7 +876,8 @@ network_netmask_match (pam_handle_t *pamh,
*/
if (getaddrinfo (tok, NULL, NULL, &ai) != 0)
{
- pam_syslog(pamh, LOG_ERR, "cannot resolve hostname \"%s\"", tok);
+ if (item->debug)
+ pam_syslog(pamh, LOG_DEBUG, "cannot resolve hostname \"%s\"", tok);
return NO;
}

22
pam_shells-fix-econf-memory-leak.patch Normal file
View File

@ -0,0 +1,22 @@
From 1a734af22a9f35a9a09edaea44a4e0767de6343b Mon Sep 17 00:00:00 2001
From: Tobias Stoeckmann <tobias@stoeckmann.org>
Date: Thu, 18 May 2023 17:55:21 +0200
Subject: [PATCH] pam_shells: Plug econf memory leak
Signed-off-by: Tobias Stoeckmann <tobias@stoeckmann.org>
---
modules/pam_shells/pam_shells.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/modules/pam_shells/pam_shells.c b/modules/pam_shells/pam_shells.c
index 05c09c656..276a56dd5 100644
--- a/modules/pam_shells/pam_shells.c
+++ b/modules/pam_shells/pam_shells.c
@@ -112,6 +112,7 @@ static int perform_check(pam_handle_t *pamh)
if (!retval)
break;
}
+ econf_free (keys);
econf_free (key_file);
#else
char shellFileLine[256];