Accepting request 1286682 from Linux-PAM

- hardcode disabling elogind, meson detection is unreliable in OBS - Update to version 1.7.1 - pam_access: do not resolve ttys or display variables as hostnames. - pam_access: added "nodns" option to disallow resolving of tokens as hostnames (CVE-2024-10963). - pam_limits: added support for rttime (RLIMIT_RTTIME). - pam_namespace: fixed potential privilege escalation (CVE-2025-6020). - meson: added support of elogind as a logind provider. - Multiple minor bug fixes, build fixes, portability fixes, documentation improvements, and translation updates. - pam_access-rework-resolving-of-tokens-as-hostname.patch got obsoleted OBS-URL: https://build.opensuse.org/request/show/1286682 OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/pam?expand=0&rev=145
- hardcode disabling elogind, meson detection is unreliable in OBS
2025-06-20 14:48:00 +00:00 · 2025-06-18 12:02:48 +00:00 · 2025-06-18 06:22:26 +00:00 · 2025-06-18 05:59:17 +00:00 · 2025-03-31 09:36:53 +00:00 · 2025-03-24 17:44:02 +00:00
12 changed files with 126 additions and 558 deletions
--- a/Linux-PAM-1.6.1.tar.xz
+++ b/Linux-PAM-1.6.1.tar.xz
--- a/Linux-PAM-1.6.1.tar.xz.asc
+++ b/Linux-PAM-1.6.1.tar.xz.asc
@@ -1,16 +0,0 @@
 -----BEGIN PGP SIGNATURE-----
 iQIcBAABCgAGBQJmFWt/AAoJEKgEH6g54W42NCwP/iWl8igdScTreVF6zV79Dqu1
 sl+ZjBr/dL+DOTcotsRnoAZUOy4ug3iktMZr1t0BMpWUorNmUofH4SZuhsX0CgRq
 47t5mVqCakwn4JLq8J9cLOciMno6ips5ZT4RbMgzRYd1WcBurCAxQSNLP3aQGgub
 RFObkqw5814ksz9Ge6QVhJ4l9P0wUoKfcpkzHj2Vq+cy0EzlBtnBGCHrMDgrz5aT
 mXqGVvWTPO+lR2S+7wOLUtPoRv0uvN6h97ZszaoGoJ6wa6yYwOYz12/AiIsVQhet
 cnr29ymuwPDqlrYGD1Hb0+ZUQExjVDQY90hdJ/ZntUlK7CY/2SotpDGB9kR8dTYJ
 fpIVmR6GEZ+xSjBqa7RaiL8ieZCgT3TIvsMqteiFkqI+2lhlSGHX3g3oNSd3sbqd
 PLok6W4L+xWDp89aMyYDDs/ISjBt5sSNK4NOOTZIMK4oeScGJJvrDL3S5DOSk1ku
 o3l9N62WStD7fk0LYnyUGZORg/ccK6Yy2fV22zBMm/76PoyA1yHfFxCW+HwwmcqR
 0riaFjA8cesZ3Dj79q24U3FRVdW5fTF9gS/5mK/Yj51KMMzTkUmbjksEC/AEBKzB
 9laXxPdIeKUwNlGs7Heo/NE87u4OZfyihwpzLaTcOzbpN3zDyH6aH5poDs1FSaQ2
 UoUkHsbCWJU/ksn/9BIQ
 =Dbz2
 -----END PGP SIGNATURE-----
--- a/Linux-PAM-1.7.1.tar.xz
+++ b/Linux-PAM-1.7.1.tar.xz
--- a/Linux-PAM-1.7.1.tar.xz.asc
+++ b/Linux-PAM-1.7.1.tar.xz.asc
@@ -0,0 +1,16 @@
 -----BEGIN PGP SIGNATURE-----
 iQIcBAABCgAGBQJoUTDGAAoJEKgEH6g54W42RDQQAIKq+ltEn0g/lB0g+xU9SArO
 ItMiZDp6RaLDIRgOxbl1hnQyXvXcW5LYBT36u+e5PLKrtMzc8/S3kDtn2FRsS5KW
 aZaKmZI6UlEQVErMfX2F8/uPvcMRNmqHL7h3+BW8aIWp+WTBO3TIOZxVqNoDFbxj
 L/9G3KYTgcuKjb6XoDlicS68ImcLJC2BPjcaisaoqKRyK504jgYK6Wl6AFo7Fu8r
 PS134LM6gUUxMzdYCpISmO5tZh+uOqtCfbdeOY3bwBeupe2J4D6v7uASF7RqEXPX
 /imsmUkmqLmOOolvLflGDsiz1HaY05LW7CcJngXOV6WKU+HqBg9E5Xclnr0RyvBD
 tmFPeWlgPw+zg+BVUhGAUeLoFCknbtY/7TEB4Jh0Z/Tm+pOUVoQbhrUCI0rAgapN
 dA9i5DCUuEBXRul2YvG7EZGuYs77fzpf/J++b9XKB9kH1Bc3vaaZoaO+lbN8g6Ei
 CbZCmD0ct0UhUTX+FEUG9SkMTomyd9ihz6kuHcuo4eCVbVuDJpF+vEUjVb7no9Aw
 KlZ6/I45GRRjIYYk/vxpgNX05D8xeMxDkXEMcKAHsI/q4oOe7Hsuess47WioiVXL
 xNl6AHjJ4VMcz1xLPR8COA8L3uaZNtxuIGhazZFeJbrfJct5gsf9iv04pdAA73/B
 NtgHrE6GjGSmw+/xX22z
 =RQhR
 -----END PGP SIGNATURE-----
--- a/baselibs.conf
+++ b/baselibs.conf
@@ -4,3 +4,4 @@ pam
 	obsoletes "pam_unix-nis-<targettype>"
 pam-extra
 pam-devel
 pam-userdb
--- a/common-session-nonlogin.pamd
+++ b/common-session-nonlogin.pamd
@@ -8,7 +8,6 @@
 # non-interactive), but not if they don't create a new login session
 # (e.g. like cron, chfn, chsh, ...)
 #
 session	required	pam_limits.so
 session	required	pam_unix.so	try_first_pass
 session optional	pam_umask.so
 session optional	pam_env.so
--- a/common-session.pamd
+++ b/common-session.pamd
@@ -7,7 +7,6 @@
 # non-interactive).
 #
 session optional	pam_systemd.so
 session	required	pam_limits.so
 session	required	pam_unix.so	try_first_pass
 session optional	pam_umask.so
 session optional	pam_env.so
--- a/pam-bsc1194818-cursor-escape.patch
+++ b/pam-bsc1194818-cursor-escape.patch
@@ -1,36 +0,0 @@
 From 8ae228fa76ff9ef1d8d6b2199582d9206f1830c6 Mon Sep 17 00:00:00 2001
 From: Stanislav Brabec <sbrabec@suse.cz>
 Date: Mon, 22 Jul 2024 23:18:16 +0200
 Subject: [PATCH] libpam_misc: Use ECHOCTL in the terminal input
 Use the canonical terminal mode (line mode) and set ECHOCTL to prevent
 cursor escape from the login prompt using arrows or escape sequences.
 ICANON is the default in most cases anyway. ECHOCTL is default on tty, but
 for example not on pty, allowing cursor to escape.
 Stanislav Brabec <sbrabec@suse.com>
 ---
 libpam_misc/misc_conv.c | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)
 diff --git a/libpam_misc/misc_conv.c b/libpam_misc/misc_conv.c
 index 7410e929..6b839b48 100644
 --- a/libpam_misc/misc_conv.c
 +++ b/libpam_misc/misc_conv.c
@@ -145,9 +145,10 @@ static int read_string(int echo, const char *prompt, char **retstr)
 	    return -1;
 	}
 	memcpy(&term_tmp, &term_before, sizeof(term_tmp));
 -	if (!echo) {
 +	if (echo)
 +	    term_tmp.c_lflag |= ICANON | ECHOCTL;
 +	else
 	    term_tmp.c_lflag &= ~(ECHO);
 -	}
 	have_term = 1;
 	/*
 -- 
 2.45.2
--- a/pam.changes
+++ b/pam.changes
@@ -1,3 +1,74 @@
 -------------------------------------------------------------------
 Wed Jun 18 12:01:57 UTC 2025 - Thorsten Kukuk <kukuk@suse.com>
 - hardcode disabling elogind, meson detection is unreliable in OBS
 -------------------------------------------------------------------
 Wed Jun 18 05:38:35 UTC 2025 - Thorsten Kukuk <kukuk@suse.com>
 - Update to version 1.7.1
  - pam_access: do not resolve ttys or display variables as hostnames.
  - pam_access: added "nodns" option to disallow resolving of tokens
    as hostnames (CVE-2024-10963).
  - pam_limits: added support for rttime (RLIMIT_RTTIME).
  - pam_namespace: fixed potential privilege escalation (CVE-2025-6020).
  - meson: added support of elogind as a logind provider.
  - Multiple minor bug fixes, build fixes, portability fixes,
    documentation improvements, and translation updates.
 - pam_access-rework-resolving-of-tokens-as-hostname.patch got obsoleted
 -------------------------------------------------------------------
 Mon Mar 24 17:41:34 UTC 2025 - Thorsten Kukuk <kukuk@suse.com>
 - Remove unix2_chkpwd, no consumer left
 -------------------------------------------------------------------
 Thu Dec  5 12:44:33 UTC 2024 - Valentin Lefebvre <valentin.lefebvre@suse.com>
 - pam_access: rework resolving of tokens as hostname
  - separate resolving of IP addresses from hostnames. Don't resolve TTYs or
    display variables as hostname.
  - Add "nodns" option to disallow resolving of tokens as hostname.
  - [pam_access-rework-resolving-of-tokens-as-hostname.patch, bsc#1233078,
   CVE-2024-10963]
 -------------------------------------------------------------------
 Thu Oct 24 11:57:20 UTC 2024 - Thorsten Kukuk <kukuk@suse.com>
 - Update to version 1.7.0
  - build: changed build system from autotools to meson.
  - libpam_misc: use ECHOCTL in the terminal input
  - pam_access: support UID and GID in access.conf
  - pam_env: install environment file in vendordir if vendordir is enabled
  - pam_issue: only count class user if logind support is enabled
  - pam_limits: use systemd-logind instead of utmp if logind support is enabled
  - pam_unix: compare password hashes in constant time
  - Multiple minor bug fixes, build fixes, portability fixes,
    documentation improvements, and translation updates.
 - Drop upstream patches:
  - pam-bsc1194818-cursor-escape.patch
  - pam_limits-systemd.patch
  - pam_issue-systemd.patch
 -------------------------------------------------------------------
 Thu Sep 12 07:50:55 UTC 2024 - Thorsten Kukuk <kukuk@suse.com>
 - baselibs.conf: add pam-userdb
 -------------------------------------------------------------------
 Tue Sep 10 08:22:02 UTC 2024 - Thorsten Kukuk <kukuk@suse.com>
 - pam_limits-systemd.patch: update to final PR
 -------------------------------------------------------------------
 Fri Sep  6 08:13:22 UTC 2024 - Thorsten Kukuk <kukuk@suse.com>
 - Add systemd-logind support to pam_limits (pam_limits-systemd.patch)
 - Remove /usr/etc/pam.d, everything should be migrated
 - Remove pam_limits from default common-sessions* files. pam_limits
  is now part of pam-extra and not in our default generated config.
 - pam_issue-systemd.patch: only count class user sessions
 -------------------------------------------------------------------
 Wed Aug  7 14:44:56 UTC 2024 - Stanislav Brabec <sbrabec@suse.com>
@@ -1189,7 +1260,6 @@ Wed Feb 23 12:45:03 UTC 2011 - vcizek@novell.com
  * correct parsing of "quiet" option
 -------------------------------------------------------------------
 Wed Feb 23 10:00:22 UTC 2011 - vcizek@novell.com
 - fix for bnc#673826 (pam_listfile)
--- a/pam.spec
+++ b/pam.spec
@@ -36,10 +36,10 @@
 %endif
 %bcond_without selinux
 %bcond_with debug
 %define flavor @BUILD_FLAVOR@%{nil}
 # List of config files for migration to /usr/etc
 %define config_files pam.d/other pam.d/common-account pam.d/common-auth pam.d/common-password pam.d/common-session \\\
 	security/faillock.conf security/group.conf security/limits.conf security/pam_env.conf security/access.conf \\\
 	security/namespace.conf security/namespace.init security/sepermit.conf
@@ -64,14 +64,13 @@
 %define libpamc_so_version 0.82.1
 %if ! %{defined _distconfdir}
  %define _distconfdir %{_sysconfdir}
  %define config_noreplace 1
 %endif
 #
 %{load:%{_sourcedir}/macros.pam}
 #
 Name:           pam%{name_suffix}
 #
-Version:        1.6.1
+Version:        1.7.1
 Release:        0
 Summary:        A Security Tool that Provides Authentication for Applications
 License:        GPL-2.0-or-later OR BSD-3-Clause
@@ -86,8 +85,6 @@ Source5:        common-account.pamd
 Source6:        common-password.pamd
 Source7:        common-session.pamd
 Source9:        baselibs.conf
 Source10:       unix2_chkpwd.c
 Source11:       unix2_chkpwd.8
 Source12:       pam-login_defs-check.sh
 Source13:       pam.tmpfiles
 Source20:       common-session-nonlogin.pamd
@@ -96,12 +93,10 @@ Source22:       postlogin-account.pamd
 Source23:       postlogin-password.pamd
 Source24:       postlogin-session.pamd
 Patch1:         pam-limit-nproc.patch
 # https://github.com/linux-pam/linux-pam/pull/816
 Patch2:         pam-bsc1194818-cursor-escape.patch
 BuildRequires:  audit-devel
 BuildRequires:  bison
 BuildRequires:  flex
-BuildRequires:  libtool
+BuildRequires:  meson >= 0.62.0
 BuildRequires:  xz
 Requires(post): permissions
 # All login.defs variables require support from shadow side.
@@ -145,11 +140,10 @@ username/password pair against values stored in a Berkeley DB database.
 %package -n pam-extra
 Summary:        PAM module with extended dependencies
 Group:          System/Libraries
-#BuildRequires:  pkgconfig(systemd) 
+BuildRequires:  pkgconfig(libsystemd) >= 254
 # The systemd-mini package does not pass configure checks
 BuildRequires:  systemd-devel >= 254
 BuildRequires:  pam-devel
 Provides:	pam:%{_sbindir}/pam_timestamp_check
 Provides:       pam:%{_pam_moduledir}/pam_limits.so
 %description -n pam-extra
 PAM (Pluggable Authentication Modules) is a system security tool that
@@ -212,32 +206,26 @@ cp -a %{SOURCE12} .
 %build
 bash ./pam-login_defs-check.sh
 export CFLAGS="%{optflags}"
 %if !%{with debug}
 CFLAGS="$CFLAGS -DNDEBUG"
 %endif
 %if %{livepatchable}
 CFLAGS="$CFLAGS -fpatchable-function-entry=16,14 -fdump-ipa-clones"
 %endif
 autoreconf
 %configure \
 	--includedir=%{_includedir}/security \
 	--docdir=%{_docdir}/pam \
 	--htmldir=%{_docdir}/pam/html \
 	--pdfdir=%{_docdir}/pam/pdf \
 	--enable-isadir=../..%{_pam_moduledir} \
 	--enable-securedir=%{_pam_moduledir} \
 	--enable-vendordir=%{_prefix}/etc \
 %if "%{flavor}" == "full"
 	--enable-logind \
 %endif
        --disable-examples \
 	--disable-nis \
 %if %{with debug}
 	--enable-debug
 %endif
-%make_build
+%meson -Dvendordir=%{_distconfdir} \
       -Ddocdir=%{_docdir}/pam \
       -Dhtmldir=%{_docdir}/pam/html \
       -Dpdfdir=%{_docdir}/pam/pdf \
       -Dsecuredir=%{_pam_moduledir} \
 %if "%{flavor}" != "full"
       -Dlogind=disabled \
       -Dpam_userdb=disabled \
       -Ddocs=disabled \
 %else
       -Dlogind=enabled \
 %endif
       -Delogind=disabled \
       -Dexamples=false \
       -Dnis=disabled
 %meson_build
 %if %{livepatchable}
@@ -265,29 +253,17 @@ cp %{tar_package_name} %{_other}
 %endif # livepatchable
 gcc -fwhole-program -fpie -pie -D_FILE_OFFSET_BITS=64 -D_GNU_SOURCE %{optflags} -I%{_builddir}/Linux-PAM-%{version}/libpam/include %{SOURCE10} -o %{_builddir}/unix2_chkpwd -L%{_builddir}/Linux-PAM-%{version}/libpam/.libs -lpam
 %if %{build_main}
 %check
-%make_build check
+%meson_test
 %endif
 %install
 %meson_install
 mkdir -p %{buildroot}%{_pam_confdir}
 mkdir -p %{buildroot}%{_pam_vendordir}
 mkdir -p %{buildroot}%{_includedir}/security
 mkdir -p %{buildroot}%{_pam_moduledir}
 mkdir -p %{buildroot}/sbin
 mkdir -p -m 755 %{buildroot}%{_libdir}
 # For compat reasons
 mkdir -p %{buildroot}%{_distconfdir}/pam.d
 %make_install
 /sbin/ldconfig -n %{buildroot}%{_libdir}
 # Install documentation
 %make_install -C doc
 # install /etc/security/namespace.d used by pam_namespace.so for namespace.conf iscript
 install -d %{buildroot}%{_pam_secconfdir}/namespace.d
 # install other.pamd and common-*.pamd
 install -m 644 %{SOURCE3} %{buildroot}%{_pam_vendordir}/other
 install -m 644 %{SOURCE4} %{buildroot}%{_pam_vendordir}/common-auth
@@ -299,23 +275,14 @@ install -m 644 %{SOURCE21} %{buildroot}%{_pam_vendordir}/postlogin-auth
 install -m 644 %{SOURCE22} %{buildroot}%{_pam_vendordir}/postlogin-account
 install -m 644 %{SOURCE23} %{buildroot}%{_pam_vendordir}/postlogin-password
 install -m 644 %{SOURCE24} %{buildroot}%{_pam_vendordir}/postlogin-session
 mkdir -p %{buildroot}%{_prefix}/lib/motd.d
 #
 # Remove crap
 #
 find %{buildroot} -type f -name "*.la" -delete -print
 #
 # Install READMEs of PAM modules
 #
 DOC=%{buildroot}%{_defaultdocdir}/pam
 %if "%{flavor}" == "full"
 mkdir -p $DOC/modules
-pushd modules
+cp -fpv %{_vpath_builddir}/modules/pam_*/pam_*.txt "$DOC/modules/"
-for i in pam_*/README; do
+%endif
 	cp -fpv "$i" "$DOC/modules/README.${i%/*}"
 done
 popd
 # Install unix2_chkpwd
 install -m 755 %{_builddir}/unix2_chkpwd %{buildroot}%{_sbindir}
 # rpm macros
 install -D -m 644 %{SOURCE2} %{buildroot}%{_rpmmacrodir}/macros.pam
@@ -323,24 +290,23 @@ install -D -m 644 %{SOURCE2} %{buildroot}%{_rpmmacrodir}/macros.pam
 install -Dm0644 %{SOURCE13} %{buildroot}%{_tmpfilesdir}/pam.conf
 mkdir -p %{buildroot}%{_pam_secdistconfdir}/{limits.d,namespace.d}
 mv %{buildroot}%{_sysconfdir}/environment %{buildroot}%{_distconfdir}/environment
 # Remove manual pages for main package
 %if !%{build_doc}
 rm -rf %{buildroot}%{_mandir}/man?/*
 %else
 install -m 644 %{_sourcedir}/unix2_chkpwd.8 %{buildroot}/%{_mandir}/man8/
 # bsc#1188724
 echo '.so man8/pam_motd.8' > %{buildroot}%{_mandir}/man5/motd.5
 %endif
 %if !%{build_main}
-rm -rf %{buildroot}{%{_sysconfdir},%{_distconfdir},%{_sbindir}/{f*,m*,pam_n*,pw*,u*},%{_pam_secconfdir},%{_pam_confdir},%{_datadir}/locale}
+rm -rf %{buildroot}{%{_distconfdir}/environment,%{_pam_secdistconfdir}/{a,f,g,n,p,s,t}*}
 rm -rf %{buildroot}{%{_sysconfdir},%{_sbindir}/{f*,m*,pam_n*,pw*,u*},%{_pam_secconfdir},%{_pam_confdir},%{_datadir}/locale}
 rm -rf %{buildroot}{%{_includedir},%{_libdir}/{libpam*,pkgconfig},%{_pam_vendordir},%{_rpmmacrodir},%{_tmpfilesdir},%{_unitdir}/pam_namespace.service}
-rm -rf %{buildroot}%{_pam_moduledir}/pam_{a,b,c,d,e,f,g,h,j,k,l,m,n,o,p,q,r,s,v,w,x,y,z,time.,tt,um,un,usertype}*
+rm -rf %{buildroot}%{_pam_moduledir}/pam_{a,b,c,d,e,f,g,h,j,k,la,lis,lo,m,n,o,p,q,r,s,v,w,x,y,z,time.,tt,um,un,usertype}*
 %else
 # Delete files for extra package
-rm -rf  %{buildroot}{%{_pam_moduledir}/pam_issue.so,%{_pam_moduledir}/pam_timestamp.so,%{_sbindir}/pam_timestamp_check}
+rm -rf  %{buildroot}{%{_pam_moduledir}/pam_limits.so,%{_pam_secdistconfdir}/limits.conf,%{_pam_moduledir}/pam_issue.so,%{_pam_moduledir}/pam_timestamp.so,%{_sbindir}/pam_timestamp_check}
 # Create filelist with translations
 %find_lang Linux-PAM
@@ -351,12 +317,10 @@ rm -rf  %{buildroot}{%{_pam_moduledir}/pam_issue.so,%{_pam_moduledir}/pam_timest
 %verifyscript
 %verify_permissions -e %{_sbindir}/unix_chkpwd
 %verify_permissions -e %{_sbindir}/unix2_chkpwd
 %post
 /sbin/ldconfig
 %set_permissions %{_sbindir}/unix_chkpwd
 %set_permissions %{_sbindir}/unix2_chkpwd
 %tmpfiles_create %{_tmpfilesdir}/pam.conf
 %postun -p /sbin/ldconfig
@@ -374,31 +338,17 @@ done
 %files -f Linux-PAM.lang
 %doc NEWS
 %license COPYING
 %exclude %{_defaultdocdir}/pam/html
 %exclude %{_defaultdocdir}/pam/modules
 %exclude %{_defaultdocdir}/pam/pdf
 %exclude %{_defaultdocdir}/pam/*.txt
 %dir %{_pam_confdir}
 %dir %{_pam_vendordir}
 %dir %{_pam_secconfdir}
 %dir %{_pam_secdistconfdir}
 %dir %{_pam_secdistconfdir}/limits.d
 # /usr/etc/pam.d is for compat reasons
 %dir %{_distconfdir}/pam.d
 %dir %{_prefix}/lib/motd.d
 %if %{defined config_noreplace}
 %config(noreplace) %{_pam_confdir}/other
 %config(noreplace) %{_pam_confdir}/common-*
 %else
 %{_pam_vendordir}/other
 %{_pam_vendordir}/common-*
 %{_pam_vendordir}/postlogin-*
 %endif
 %{_distconfdir}/environment
 %{_pam_secdistconfdir}/access.conf
 %{_pam_secdistconfdir}/group.conf
 %{_pam_secdistconfdir}/faillock.conf
 %{_pam_secdistconfdir}/limits.conf
 %{_pam_secdistconfdir}/pam_env.conf
 %if %{with selinux}
 %{_pam_secdistconfdir}/sepermit.conf
@@ -430,7 +380,6 @@ done
 %{_pam_moduledir}/pam_ftp.so
 %{_pam_moduledir}/pam_group.so
 %{_pam_moduledir}/pam_keyinit.so
 %{_pam_moduledir}/pam_limits.so
 %{_pam_moduledir}/pam_listfile.so
 %{_pam_moduledir}/pam_localuser.so
 %{_pam_moduledir}/pam_loginuid.so
@@ -465,7 +414,6 @@ done
 %{_sbindir}/pam_namespace_helper
 %{_sbindir}/pwhistory_helper
 %verify(not mode) %attr(4755,root,shadow) %{_sbindir}/unix_chkpwd
 %verify(not mode) %attr(4755,root,shadow) %{_sbindir}/unix2_chkpwd
 %attr(0700,root,root) %{_sbindir}/unix_update
 %{_unitdir}/pam_namespace.service
 %{_tmpfilesdir}/pam.conf
@@ -491,6 +439,10 @@ done
 %if %{build_extra}
 %files -n pam-extra
 %defattr(-,root,root,755)
 %dir %{_pam_secdistconfdir}
 %dir %{_pam_secdistconfdir}/limits.d
 %{_pam_secdistconfdir}/limits.conf
 %{_pam_moduledir}/pam_limits.so
 %{_pam_moduledir}/pam_issue.so
 %{_pam_moduledir}/pam_timestamp.so
 %{_sbindir}/pam_timestamp_check
@@ -565,7 +517,6 @@ done
 %{_mandir}/man8/pam_wheel.8%{?ext_man}
 %{_mandir}/man8/pam_xauth.8%{?ext_man}
 %{_mandir}/man8/pwhistory_helper.8%{?ext_man}
 %{_mandir}/man8/unix2_chkpwd.8%{?ext_man}
 %{_mandir}/man8/unix_chkpwd.8%{?ext_man}
 %{_mandir}/man8/unix_update.8%{?ext_man}
--- a/unix2_chkpwd.8
+++ b/unix2_chkpwd.8
@@ -1,79 +0,0 @@
 .\" Copyright (C) 2003 International Business Machines Corporation
 .\" This file is distributed according to the GNU General Public License.
 .\" See the file COPYING in the top level source directory for details.
 .\"
 .de Sh \" Subsection
 .br
 .if t .Sp
 .ne 5
 .PP
 \fB\\$1\fR
 .PP
 ..
 .de Sp \" Vertical space (when we can't use .PP)
 .if t .sp .5v
 .if n .sp
 ..
 .de Ip \" List item
 .br
 .ie \\n(.$>=3 .ne \\$3
 .el .ne 3
 .IP "\\$1" \\$2
 ..
 .TH "UNIX2_CHKPWD" 8 "2003-03-21" "Linux-PAM 0.76" "Linux-PAM Manual"
 .SH NAME
 unix2_chkpwd \- helper binary that verifies the password of the current user
 .SH "SYNOPSIS"
 .ad l
 .hy 0
 /sbin/unix2_chkpwd \fIservicename\fR \fIusername\fR
 .sp
 .ad
 .hy
 .SH "DESCRIPTION"
 .PP
 \fBunix2_chkpwd\fR is a helper program for applications that verifies 
 the password of the current user.  It is not intended to be run directly from 
 the command line and logs a security violation if done so. 
 It is typically installed setuid root or setgid shadow and called by
 applications, which only wishes to do an user authentification and
 nothing more.
 .SH "OPTIONS"
 .PP
 unix2_chkpwd requires the following arguments:
 .TP
 \fIpam_service\fR
 The name of the service using unix2_chkpwd. This is required to be one of
 the services in /etc/pam.d
 .TP
 \fIusername\fR
 The name of the user whose password you want to verify.
 .SH "INPUTS"
 .PP
 unix2_chkpwd expects the password via stdin.
 .SH "RETURN CODES"
 .PP
 \fBunix2_chkpwd\fR has the following return codes:
 .TP
 1
 unix2_chkpwd was inappropriately called from the command line or the password is incorrect.
 .TP
 0
 The password is correct.
 .SH "HISTORY"
 Written by Olaf Kirch loosely based on unix_chkpwd by Andrew Morgan
 .SH "SEE ALSO"
 .PP
 \fBpam\fR(8)
 .SH AUTHOR
 Emily Ratliff.
--- a/unix2_chkpwd.c
+++ b/unix2_chkpwd.c
@@ -1,337 +0,0 @@
 /*
 * Set*id helper program for PAM authentication.
 *
 * It is supposed to be called from pam_unix2's
 * pam_sm_authenticate function if the function notices
 * that it's unable to get the password from the shadow file
 * because it doesn't have sufficient permissions.
 *
 * Copyright (C) 2002 SuSE Linux AG
 *
 * Written by okir@suse.de, loosely based on unix_chkpwd
 * by Andrew Morgan.
 */
 #include <security/pam_appl.h>
 #include <security/_pam_macros.h>
 #include <sys/types.h>
 #include <stdarg.h>
 #include <stdio.h>
 #include <stdlib.h>
 #include <string.h>
 #include <syslog.h>
 #include <unistd.h>
 #include <pwd.h>
 #include <signal.h>
 #include <fcntl.h>
 #include <ctype.h>
 #include <errno.h>
 #define BUFLEN	1024
 #ifndef LOGINDEFS
 #define LOGINDEFS	"/etc/login.defs"
 #endif
 #define LOGINDEFS_FAIL_DELAY_KEY	"FAIL_DELAY"
 #define DEFAULT_FAIL_DELAY_S	10
 #define PASSWD_CRACKER_DELAY_MS	100
 enum {
 	UNIX_PASSED = 0,
 	UNIX_FAILED = 1
 };
 static char *	program_name;
 static char	pass[64];
 static int	npass = -1;
 /*
 * Log error messages
 */
 static void
 _log_err(int err, const char *format,...)
 {
 	va_list args;
 	va_start(args, format);
 	openlog(program_name, LOG_CONS | LOG_PID, LOG_AUTH);
 	vsyslog(err, format, args);
 	va_end(args);
 	closelog();
 }
 static void
 su_sighandler(int sig)
 {
 	if (sig > 0) {
 		_log_err(LOG_NOTICE, "caught signal %d.", sig);
 		exit(sig);
 	}
 }
 /*
 * Setup signal handlers
 */
 static void
 setup_signals(void)
 {
 	struct sigaction action;
 	memset((void *) &action, 0, sizeof(action));
 	action.sa_handler = su_sighandler;
 	action.sa_flags = SA_RESETHAND;
 	sigaction(SIGILL, &action, NULL);
 	sigaction(SIGTRAP, &action, NULL);
 	sigaction(SIGBUS, &action, NULL);
 	sigaction(SIGSEGV, &action, NULL);
 	action.sa_handler = SIG_IGN;
 	action.sa_flags = 0;
 	sigaction(SIGTERM, &action, NULL);
 	sigaction(SIGHUP, &action, NULL);
 	sigaction(SIGINT, &action, NULL);
 	sigaction(SIGQUIT, &action, NULL);
 	sigaction(SIGALRM, &action, NULL);
 }
 static int
 _converse(int num_msg, const struct pam_message **msg,
 		struct pam_response **resp, void *appdata_ptr)
 {
 	struct	pam_response *reply;
 	int	num;
 	if (!(reply = malloc(sizeof(*reply) * num_msg)))
 		return PAM_CONV_ERR;
 	for (num = 0; num < num_msg; num++) {
 		reply[num].resp_retcode = PAM_SUCCESS;
 		reply[num].resp = NULL;
 		switch (msg[num]->msg_style) {
 		case PAM_PROMPT_ECHO_ON:
 			return PAM_CONV_ERR;
 		case PAM_PROMPT_ECHO_OFF:
 			/* read the password from stdin */
 			if (npass < 0) {
 				npass = read(STDIN_FILENO, pass, sizeof(pass)-1);
 				if (npass < 0) {
 					_log_err(LOG_DEBUG, "error reading password");
 					return UNIX_FAILED;
 				}
 				pass[npass] = '\0';
 			}
 			reply[num].resp = strdup(pass);
 			break;
 		case PAM_TEXT_INFO:
 		case PAM_ERROR_MSG:
 			/* ignored */
 			break;
 		default:
 			/* Must be an error of some sort... */
 			return PAM_CONV_ERR;
 		}
 	}
 	*resp = reply;
 	return PAM_SUCCESS;
 }
 static int
 _authenticate(const char *service, const char *user)
 {
 	struct pam_conv conv = { _converse, NULL };
 	pam_handle_t	*pamh;
 	int		err;
 	err = pam_start(service, user, &conv, &pamh);
 	if (err != PAM_SUCCESS) {
 		_log_err(LOG_ERR, "pam_start(%s, %s) failed (errno %d)",
 				service, user, err);
 		return UNIX_FAILED;
 	}
 	err = pam_authenticate(pamh, 0);
 	if (err != PAM_SUCCESS)
 		_log_err(LOG_ERR, "pam_authenticate(%s, %s): %s",
 				service, user,
 				pam_strerror(pamh, err));
 	if (err == PAM_SUCCESS)
 	{
 		err = pam_acct_mgmt(pamh, 0);
 		if (err == PAM_SUCCESS)
 		{
 			int err2 = pam_setcred(pamh, PAM_REFRESH_CRED);
 			if (err2 != PAM_SUCCESS)
 				_log_err(LOG_ERR, "pam_setcred(%s, %s): %s",
 					service, user,
 					pam_strerror(pamh, err2));
 				/*
 				 * ignore errors on refresh credentials.
 				 * If this did not work we use the old once.
 				 */
 		} else {
 			_log_err(LOG_ERR, "pam_acct_mgmt(%s, %s): %s",
 				service, user,
 				pam_strerror(pamh, err));
 		}
 	}
 	pam_end(pamh, err);
 	if (err != PAM_SUCCESS)
 		return UNIX_FAILED;
 	return UNIX_PASSED;
 }
 static char *
 getuidname(uid_t uid)
 {
 	struct passwd *pw;
 	static char username[32];
 	pw = getpwuid(uid);
 	if (pw == NULL)
 		return NULL;
 	strncpy(username, pw->pw_name, sizeof(username));
 	username[sizeof(username) - 1] = '\0';
 	endpwent();
 	return username;
 }
 static int
 sane_pam_service(const char *name)
 {
 	const char *sp;
 	char	path[128];
 	if (strlen(name) > 32)
 		return 0;
 	for (sp = name; *sp; sp++) {
 		if (!isalnum(*sp) && *sp != '_' && *sp != '-')
 			return 0;
 	}
 	snprintf(path, sizeof(path), "/etc/pam.d/%s", name);
 	return access(path, R_OK) == 0;
 }
 static int
 get_system_fail_delay (void)
 {
 	FILE *fs;
 	char buf[BUFLEN];
 	long int delay = -1;
 	char *s;
 	int l;
 	fs = fopen(LOGINDEFS, "r");
 	if (NULL == fs) {
 		goto bail_out;
 	}
 	while ((NULL != fgets(buf, BUFLEN, fs)) && (-1 == delay)) {
 		if  (!strstr(buf, LOGINDEFS_FAIL_DELAY_KEY)) {
 			continue;
 		}
 		s = buf + strspn(buf, " \t");
 		l = strcspn(s, " \t");
 		if (strncmp(LOGINDEFS_FAIL_DELAY_KEY, s, l)) {
 			continue;
 		}
 		s += l;
 		s += strspn(s, " \t");
 		errno = 0;
 		delay = strtol(s, NULL, 10);
 		if (errno) {
 			delay = -1;
 		}
 		break;
 	}
 	fclose (fs);
 bail_out:
 	delay = (delay < 0) ? DEFAULT_FAIL_DELAY_S : delay;
 	return (int)delay;
 }
 int
 main(int argc, char *argv[])
 {
 	const char *program_name;
 	char	*service, *user;
 	int	fd;
 	int result = UNIX_FAILED;
 	uid_t	uid;
 	uid = getuid();
 	/*
 	 * Make sure standard file descriptors are connected.
 	 */
 	while ((fd = open("/dev/null", O_RDWR)) <= 2)
 		;
 	close(fd);
 	/*
 	 * Get the program name
 	 */
 	if (argc == 0)
 		program_name = "unix2_chkpwd";
 	else if ((program_name = strrchr(argv[0], '/')) != NULL)
 		program_name++;
 	else
 		program_name = argv[0];
 	/*
 	 * Catch or ignore as many signal as possible.
 	 */
 	setup_signals();
 	/*
 	 * Check argument list
 	 */
 	if (argc < 2 || argc > 3) {
 		_log_err(LOG_NOTICE, "Bad number of arguments (%d)", argc);
 		return UNIX_FAILED;
 	}
 	/*
 	 * Get the service name and do some sanity checks on it
 	 */
 	service = argv[1];
 	if (!sane_pam_service(service)) {
 		_log_err(LOG_ERR, "Illegal service name '%s'", service);
 		return UNIX_FAILED;
 	}
 	/*
 	 * Discourage users messing around (fat chance)
 	 */
 	if (isatty(STDIN_FILENO) && uid != 0) {
 		_log_err(LOG_NOTICE,
 			"Inappropriate use of Unix helper binary [UID=%d]",
 			 uid);
 		fprintf(stderr,
 			"This binary is not designed for running in this way\n"
 			"-- the system administrator has been informed\n");
 		sleep(10);	/* this should discourage/annoy the user */
 		return UNIX_FAILED;
 	}
 	/*
 	 * determine the caller's user name
 	 */
 	user = getuidname(uid);
 	if (argc == 3 && strcmp(user, argv[2])) {
 		user = argv[2];
 	}
 	result = _authenticate(service, user);
 	/* Discourage use of this program as a
 	 * password cracker */
 	usleep(PASSWD_CRACKER_DELAY_MS * 1000);
 	if (result != UNIX_PASSED && uid != 0)
 		sleep(get_system_fail_delay());
 	return result;
 }
Author	SHA256	Message	Date
Ana Guerrero	bae1b1a6c9	Accepting request 1286682 from Linux-PAM - hardcode disabling elogind, meson detection is unreliable in OBS - Update to version 1.7.1 - pam_access: do not resolve ttys or display variables as hostnames. - pam_access: added "nodns" option to disallow resolving of tokens as hostnames (CVE-2024-10963). - pam_limits: added support for rttime (RLIMIT_RTTIME). - pam_namespace: fixed potential privilege escalation (CVE-2025-6020). - meson: added support of elogind as a logind provider. - Multiple minor bug fixes, build fixes, portability fixes, documentation improvements, and translation updates. - pam_access-rework-resolving-of-tokens-as-hostname.patch got obsoleted OBS-URL: https://build.opensuse.org/request/show/1286682 OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/pam?expand=0&rev=145	2025-06-20 14:48:00 +00:00
Thorsten Kukuk	12d827a80e	- hardcode disabling elogind, meson detection is unreliable in OBS OBS-URL: https://build.opensuse.org/package/show/Linux-PAM/pam?expand=0&rev=309	2025-06-18 12:02:48 +00:00
Thorsten Kukuk	a7cbf492ab	OBS-URL: https://build.opensuse.org/package/show/Linux-PAM/pam?expand=0&rev=308	2025-06-18 06:22:26 +00:00
Thorsten Kukuk	d181fd6fc7	- Update to version 1.7.1 - pam_access: do not resolve ttys or display variables as hostnames. - pam_access: added "nodns" option to disallow resolving of tokens as hostnames (CVE-2024-10963). - pam_limits: added support for rttime (RLIMIT_RTTIME). - pam_namespace: fixed potential privilege escalation (CVE-2025-6020). - meson: added support of elogind as a logind provider. - Multiple minor bug fixes, build fixes, portability fixes, documentation improvements, and translation updates. - pam_access-rework-resolving-of-tokens-as-hostname.patch got obsoleted OBS-URL: https://build.opensuse.org/package/show/Linux-PAM/pam?expand=0&rev=307	2025-06-18 05:59:17 +00:00
Ana Guerrero	8b74d4167f	Accepting request 1255709 from Linux-PAM - Remove unix2_chkpwd, no consumer left OBS-URL: https://build.opensuse.org/request/show/1255709 OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/pam?expand=0&rev=144	2025-03-31 09:36:53 +00:00
Thorsten Kukuk	137ec2595f	- Remove unix2_chkpwd, no consumer left OBS-URL: https://build.opensuse.org/package/show/Linux-PAM/pam?expand=0&rev=306	2025-03-24 17:44:02 +00:00
Ana Guerrero	035f728da8	Accepting request 1228723 from Linux-PAM OBS-URL: https://build.opensuse.org/request/show/1228723 OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/pam?expand=0&rev=143	2024-12-08 10:36:05 +00:00
Thorsten Kukuk	a01288951c	- pam_access: rework resolving of tokens as hostname - separate resolving of IP addresses from hostnames. Don't resolve TTYs or display variables as hostname. - Add "nodns" option to disallow resolving of tokens as hostname. - [pam_access-rework-resolving-of-tokens-as-hostname.patch, bsc#1233078, CVE-2024-10963] OBS-URL: https://build.opensuse.org/package/show/Linux-PAM/pam?expand=0&rev=305	2024-12-06 09:32:46 +00:00
Ana Guerrero	95ff3dbfc4	Accepting request 1218188 from Linux-PAM Update OBS-URL: https://build.opensuse.org/request/show/1218188 OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/pam?expand=0&rev=142	2024-10-27 10:24:03 +00:00
Thorsten Kukuk	a28cd8540f	OBS-URL: https://build.opensuse.org/package/show/Linux-PAM/pam?expand=0&rev=304	2024-10-25 06:36:02 +00:00
Thorsten Kukuk	ed4a5b0650	OBS-URL: https://build.opensuse.org/package/show/Linux-PAM/pam?expand=0&rev=303	2024-10-24 12:26:52 +00:00
Thorsten Kukuk	8f4235636c	- Update to version 1.7.0 - build: changed build system from autotools to meson. - libpam_misc: use ECHOCTL in the terminal input - pam_access: support UID and GID in access.conf - pam_env: install environment file in vendordir if vendordir is enabled - pam_issue: only count class user if logind support is enabled - pam_limits: use systemd-logind instead of utmp if logind support is enabled - pam_unix: compare password hashes in constant time - Multiple minor bug fixes, build fixes, portability fixes, documentation improvements, and translation updates. - Drop upstream patches: - pam-bsc1194818-cursor-escape.patch - pam_limits-systemd.patch - pam_issue-systemd.patch OBS-URL: https://build.opensuse.org/package/show/Linux-PAM/pam?expand=0&rev=302	2024-10-24 12:22:19 +00:00
Ana Guerrero	57200379e7	Accepting request 1200265 from Linux-PAM - baselibs.conf: add pam-userdb - pam_limits-systemd.patch: update to final PR - Add systemd-logind support to pam_limits (pam_limits-systemd.patch) - Remove /usr/etc/pam.d, everything should be migrated - Remove pam_limits from default common-sessions* files. pam_limits is now part of pam-extra and not in our default generated config. - pam_issue-systemd.patch: only count class user sessions OBS-URL: https://build.opensuse.org/request/show/1200265 OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/pam?expand=0&rev=141	2024-09-18 13:26:01 +00:00
Thorsten Kukuk	51c24506c1	- baselibs.conf: add pam-userdb OBS-URL: https://build.opensuse.org/package/show/Linux-PAM/pam?expand=0&rev=301	2024-09-12 07:58:58 +00:00
Thorsten Kukuk	af312c25cf	- pam_limits-systemd.patch: update to final PR OBS-URL: https://build.opensuse.org/package/show/Linux-PAM/pam?expand=0&rev=300	2024-09-10 08:22:27 +00:00
Thorsten Kukuk	0f70ad3ce6	- Add systemd-logind support to pam_limits (pam_limits-systemd.patch) - Remove /usr/etc/pam.d, everything should be migrated - Remove pam_limits from default common-sessions* files. pam_limits is now part of pam-extra and not in our default generated config. - pam_issue-systemd.patch: only count class user sessions OBS-URL: https://build.opensuse.org/package/show/Linux-PAM/pam?expand=0&rev=299	2024-09-09 08:32:13 +00:00