Accepting request 1286682 from Linux-PAM

- hardcode disabling elogind, meson detection is unreliable in OBS

- Update to version 1.7.1
  - pam_access: do not resolve ttys or display variables as hostnames.
  - pam_access: added "nodns" option to disallow resolving of tokens
    as hostnames (CVE-2024-10963).
  - pam_limits: added support for rttime (RLIMIT_RTTIME).
  - pam_namespace: fixed potential privilege escalation (CVE-2025-6020).
  - meson: added support of elogind as a logind provider.
  - Multiple minor bug fixes, build fixes, portability fixes,
    documentation improvements, and translation updates.
- pam_access-rework-resolving-of-tokens-as-hostname.patch got obsoleted

OBS-URL: https://build.opensuse.org/request/show/1286682
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/pam?expand=0&rev=145

Linux-PAM-1.6.1.tar.xz.asc

@@ -1,16 +0,0 @@
------BEGIN PGP SIGNATURE-----
-
-iQIcBAABCgAGBQJmFWt/AAoJEKgEH6g54W42NCwP/iWl8igdScTreVF6zV79Dqu1
-sl+ZjBr/dL+DOTcotsRnoAZUOy4ug3iktMZr1t0BMpWUorNmUofH4SZuhsX0CgRq
-47t5mVqCakwn4JLq8J9cLOciMno6ips5ZT4RbMgzRYd1WcBurCAxQSNLP3aQGgub
-RFObkqw5814ksz9Ge6QVhJ4l9P0wUoKfcpkzHj2Vq+cy0EzlBtnBGCHrMDgrz5aT
-mXqGVvWTPO+lR2S+7wOLUtPoRv0uvN6h97ZszaoGoJ6wa6yYwOYz12/AiIsVQhet
-cnr29ymuwPDqlrYGD1Hb0+ZUQExjVDQY90hdJ/ZntUlK7CY/2SotpDGB9kR8dTYJ
-fpIVmR6GEZ+xSjBqa7RaiL8ieZCgT3TIvsMqteiFkqI+2lhlSGHX3g3oNSd3sbqd
-PLok6W4L+xWDp89aMyYDDs/ISjBt5sSNK4NOOTZIMK4oeScGJJvrDL3S5DOSk1ku
-o3l9N62WStD7fk0LYnyUGZORg/ccK6Yy2fV22zBMm/76PoyA1yHfFxCW+HwwmcqR
-0riaFjA8cesZ3Dj79q24U3FRVdW5fTF9gS/5mK/Yj51KMMzTkUmbjksEC/AEBKzB
-9laXxPdIeKUwNlGs7Heo/NE87u4OZfyihwpzLaTcOzbpN3zDyH6aH5poDs1FSaQ2
-UoUkHsbCWJU/ksn/9BIQ
-=Dbz2
------END PGP SIGNATURE-----

Linux-PAM-1.7.1.tar.xz.asc

@@ -0,0 +1,16 @@
+-----BEGIN PGP SIGNATURE-----
+
+iQIcBAABCgAGBQJoUTDGAAoJEKgEH6g54W42RDQQAIKq+ltEn0g/lB0g+xU9SArO
+ItMiZDp6RaLDIRgOxbl1hnQyXvXcW5LYBT36u+e5PLKrtMzc8/S3kDtn2FRsS5KW
+aZaKmZI6UlEQVErMfX2F8/uPvcMRNmqHL7h3+BW8aIWp+WTBO3TIOZxVqNoDFbxj
+L/9G3KYTgcuKjb6XoDlicS68ImcLJC2BPjcaisaoqKRyK504jgYK6Wl6AFo7Fu8r
+PS134LM6gUUxMzdYCpISmO5tZh+uOqtCfbdeOY3bwBeupe2J4D6v7uASF7RqEXPX
+/imsmUkmqLmOOolvLflGDsiz1HaY05LW7CcJngXOV6WKU+HqBg9E5Xclnr0RyvBD
+tmFPeWlgPw+zg+BVUhGAUeLoFCknbtY/7TEB4Jh0Z/Tm+pOUVoQbhrUCI0rAgapN
+dA9i5DCUuEBXRul2YvG7EZGuYs77fzpf/J++b9XKB9kH1Bc3vaaZoaO+lbN8g6Ei
+CbZCmD0ct0UhUTX+FEUG9SkMTomyd9ihz6kuHcuo4eCVbVuDJpF+vEUjVb7no9Aw
+KlZ6/I45GRRjIYYk/vxpgNX05D8xeMxDkXEMcKAHsI/q4oOe7Hsuess47WioiVXL
+xNl6AHjJ4VMcz1xLPR8COA8L3uaZNtxuIGhazZFeJbrfJct5gsf9iv04pdAA73/B
+NtgHrE6GjGSmw+/xX22z
+=RQhR
+-----END PGP SIGNATURE-----

baselibs.conf

@@ -4,3 +4,4 @@ pam
 	obsoletes "pam_unix-nis-<targettype>"
 pam-extra
 pam-devel
+pam-userdb

common-session-nonlogin.pamd

@@ -8,7 +8,6 @@
 # non-interactive), but not if they don't create a new login session
 # (e.g. like cron, chfn, chsh, ...)
 #
-session	required	pam_limits.so
 session	required	pam_unix.so	try_first_pass
 session optional	pam_umask.so
 session optional	pam_env.so

common-session.pamd

@@ -7,7 +7,6 @@
 # non-interactive).
 #
 session optional	pam_systemd.so
-session	required	pam_limits.so
 session	required	pam_unix.so	try_first_pass
 session optional	pam_umask.so
 session optional	pam_env.so

pam-bsc1194818-cursor-escape.patch

@@ -1,36 +0,0 @@
-From 8ae228fa76ff9ef1d8d6b2199582d9206f1830c6 Mon Sep 17 00:00:00 2001
-From: Stanislav Brabec <sbrabec@suse.cz>
-Date: Mon, 22 Jul 2024 23:18:16 +0200
-Subject: [PATCH] libpam_misc: Use ECHOCTL in the terminal input
-
-Use the canonical terminal mode (line mode) and set ECHOCTL to prevent
-cursor escape from the login prompt using arrows or escape sequences.
-
-ICANON is the default in most cases anyway. ECHOCTL is default on tty, but
-for example not on pty, allowing cursor to escape.
-
-Stanislav Brabec <sbrabec@suse.com>
----
- libpam_misc/misc_conv.c | 5 +++--
- 1 file changed, 3 insertions(+), 2 deletions(-)
-
-diff --git a/libpam_misc/misc_conv.c b/libpam_misc/misc_conv.c
-index 7410e929..6b839b48 100644
---- a/libpam_misc/misc_conv.c
-+++ b/libpam_misc/misc_conv.c
-@@ -145,9 +145,10 @@ static int read_string(int echo, const char *prompt, char **retstr)
- 	    return -1;
- 	}
- 	memcpy(&term_tmp, &term_before, sizeof(term_tmp));
--	if (!echo) {
-+	if (echo)
-+	    term_tmp.c_lflag |= ICANON | ECHOCTL;
-+	else
- 	    term_tmp.c_lflag &= ~(ECHO);
--	}
- 	have_term = 1;
- 
- 	/*
--- 
-2.45.2
-

pam.changes

@@ -1,3 +1,74 @@
+-------------------------------------------------------------------
+Wed Jun 18 12:01:57 UTC 2025 - Thorsten Kukuk <kukuk@suse.com>
+
+- hardcode disabling elogind, meson detection is unreliable in OBS
+
+-------------------------------------------------------------------
+Wed Jun 18 05:38:35 UTC 2025 - Thorsten Kukuk <kukuk@suse.com>
+
+- Update to version 1.7.1
+  - pam_access: do not resolve ttys or display variables as hostnames.
+  - pam_access: added "nodns" option to disallow resolving of tokens
+    as hostnames (CVE-2024-10963).
+  - pam_limits: added support for rttime (RLIMIT_RTTIME).
+  - pam_namespace: fixed potential privilege escalation (CVE-2025-6020).
+  - meson: added support of elogind as a logind provider.
+  - Multiple minor bug fixes, build fixes, portability fixes,
+    documentation improvements, and translation updates.
+- pam_access-rework-resolving-of-tokens-as-hostname.patch got obsoleted
+
+-------------------------------------------------------------------
+Mon Mar 24 17:41:34 UTC 2025 - Thorsten Kukuk <kukuk@suse.com>
+
+- Remove unix2_chkpwd, no consumer left
+
+-------------------------------------------------------------------
+Thu Dec  5 12:44:33 UTC 2024 - Valentin Lefebvre <valentin.lefebvre@suse.com>
+
+- pam_access: rework resolving of tokens as hostname
+  - separate resolving of IP addresses from hostnames. Don't resolve TTYs or
+    display variables as hostname.
+  - Add "nodns" option to disallow resolving of tokens as hostname.
+  - [pam_access-rework-resolving-of-tokens-as-hostname.patch, bsc#1233078,
+   CVE-2024-10963]
+
+-------------------------------------------------------------------
+Thu Oct 24 11:57:20 UTC 2024 - Thorsten Kukuk <kukuk@suse.com>
+
+- Update to version 1.7.0
+  - build: changed build system from autotools to meson.
+  - libpam_misc: use ECHOCTL in the terminal input
+  - pam_access: support UID and GID in access.conf
+  - pam_env: install environment file in vendordir if vendordir is enabled
+  - pam_issue: only count class user if logind support is enabled
+  - pam_limits: use systemd-logind instead of utmp if logind support is enabled
+  - pam_unix: compare password hashes in constant time
+  - Multiple minor bug fixes, build fixes, portability fixes,
+    documentation improvements, and translation updates.
+- Drop upstream patches:
+  - pam-bsc1194818-cursor-escape.patch
+  - pam_limits-systemd.patch
+  - pam_issue-systemd.patch
+
+-------------------------------------------------------------------
+Thu Sep 12 07:50:55 UTC 2024 - Thorsten Kukuk <kukuk@suse.com>
+
+- baselibs.conf: add pam-userdb
+
+-------------------------------------------------------------------
+Tue Sep 10 08:22:02 UTC 2024 - Thorsten Kukuk <kukuk@suse.com>
+
+- pam_limits-systemd.patch: update to final PR
+
+-------------------------------------------------------------------
+Fri Sep  6 08:13:22 UTC 2024 - Thorsten Kukuk <kukuk@suse.com>
+
+- Add systemd-logind support to pam_limits (pam_limits-systemd.patch)
+- Remove /usr/etc/pam.d, everything should be migrated
+- Remove pam_limits from default common-sessions* files. pam_limits
+  is now part of pam-extra and not in our default generated config.
+- pam_issue-systemd.patch: only count class user sessions
+
 -------------------------------------------------------------------
 Wed Aug  7 14:44:56 UTC 2024 - Stanislav Brabec <sbrabec@suse.com>
 
@@ -1189,7 +1260,6 @@ Wed Feb 23 12:45:03 UTC 2011 - vcizek@novell.com
   * correct parsing of "quiet" option
 
 -------------------------------------------------------------------
-
 Wed Feb 23 10:00:22 UTC 2011 - vcizek@novell.com
 
 - fix for bnc#673826 (pam_listfile)

pam.spec

@@ -36,10 +36,10 @@
 %endif
 
 %bcond_without selinux
-%bcond_with debug
 
 %define flavor @BUILD_FLAVOR@%{nil}
 
+# List of config files for migration to /usr/etc
 %define config_files pam.d/other pam.d/common-account pam.d/common-auth pam.d/common-password pam.d/common-session \\\
 	security/faillock.conf security/group.conf security/limits.conf security/pam_env.conf security/access.conf \\\
 	security/namespace.conf security/namespace.init security/sepermit.conf
@@ -64,14 +64,13 @@
 %define libpamc_so_version 0.82.1
 %if ! %{defined _distconfdir}
   %define _distconfdir %{_sysconfdir}
-  %define config_noreplace 1
 %endif
 #
 %{load:%{_sourcedir}/macros.pam}
 #
 Name:           pam%{name_suffix}
 #
-Version:        1.6.1
+Version:        1.7.1
 Release:        0
 Summary:        A Security Tool that Provides Authentication for Applications
 License:        GPL-2.0-or-later OR BSD-3-Clause
@@ -86,8 +85,6 @@ Source5:        common-account.pamd
 Source6:        common-password.pamd
 Source7:        common-session.pamd
 Source9:        baselibs.conf
-Source10:       unix2_chkpwd.c
-Source11:       unix2_chkpwd.8
 Source12:       pam-login_defs-check.sh
 Source13:       pam.tmpfiles
 Source20:       common-session-nonlogin.pamd
@@ -96,12 +93,10 @@ Source22:       postlogin-account.pamd
 Source23:       postlogin-password.pamd
 Source24:       postlogin-session.pamd
 Patch1:         pam-limit-nproc.patch
-# https://github.com/linux-pam/linux-pam/pull/816
-Patch2:         pam-bsc1194818-cursor-escape.patch
 BuildRequires:  audit-devel
 BuildRequires:  bison
 BuildRequires:  flex
-BuildRequires:  libtool
+BuildRequires:  meson >= 0.62.0
 BuildRequires:  xz
 Requires(post): permissions
 # All login.defs variables require support from shadow side.
@@ -145,11 +140,10 @@ username/password pair against values stored in a Berkeley DB database.
 %package -n pam-extra
 Summary:        PAM module with extended dependencies
 Group:          System/Libraries
-#BuildRequires:  pkgconfig(systemd) 
-# The systemd-mini package does not pass configure checks
-BuildRequires:  systemd-devel >= 254
+BuildRequires:  pkgconfig(libsystemd) >= 254
 BuildRequires:  pam-devel
 Provides:	pam:%{_sbindir}/pam_timestamp_check
+Provides:       pam:%{_pam_moduledir}/pam_limits.so
 
 %description -n pam-extra
 PAM (Pluggable Authentication Modules) is a system security tool that
@@ -212,32 +206,26 @@ cp -a %{SOURCE12} .
 
 %build
 bash ./pam-login_defs-check.sh
-export CFLAGS="%{optflags}"
-%if !%{with debug}
-CFLAGS="$CFLAGS -DNDEBUG"
-%endif
 %if %{livepatchable}
 CFLAGS="$CFLAGS -fpatchable-function-entry=16,14 -fdump-ipa-clones"
 %endif
-autoreconf
-%configure \
-	--includedir=%{_includedir}/security \
-	--docdir=%{_docdir}/pam \
-	--htmldir=%{_docdir}/pam/html \
-	--pdfdir=%{_docdir}/pam/pdf \
-	--enable-isadir=../..%{_pam_moduledir} \
-	--enable-securedir=%{_pam_moduledir} \
-	--enable-vendordir=%{_prefix}/etc \
-%if "%{flavor}" == "full"
-	--enable-logind \
-%endif
-        --disable-examples \
-	--disable-nis \
-%if %{with debug}
-	--enable-debug
-%endif
 
-%make_build
+%meson -Dvendordir=%{_distconfdir} \
+       -Ddocdir=%{_docdir}/pam \
+       -Dhtmldir=%{_docdir}/pam/html \
+       -Dpdfdir=%{_docdir}/pam/pdf \
+       -Dsecuredir=%{_pam_moduledir} \
+%if "%{flavor}" != "full"
+       -Dlogind=disabled \
+       -Dpam_userdb=disabled \
+       -Ddocs=disabled \
+%else
+       -Dlogind=enabled \
+%endif
+       -Delogind=disabled \
+       -Dexamples=false \
+       -Dnis=disabled
+%meson_build
 
 %if %{livepatchable}
 
@@ -265,29 +253,17 @@ cp %{tar_package_name} %{_other}
 
 %endif # livepatchable
 
-gcc -fwhole-program -fpie -pie -D_FILE_OFFSET_BITS=64 -D_GNU_SOURCE %{optflags} -I%{_builddir}/Linux-PAM-%{version}/libpam/include %{SOURCE10} -o %{_builddir}/unix2_chkpwd -L%{_builddir}/Linux-PAM-%{version}/libpam/.libs -lpam
-
 %if %{build_main}
 %check
-%make_build check
+%meson_test
 %endif
 
 %install
+%meson_install
+
 mkdir -p %{buildroot}%{_pam_confdir}
 mkdir -p %{buildroot}%{_pam_vendordir}
-mkdir -p %{buildroot}%{_includedir}/security
-mkdir -p %{buildroot}%{_pam_moduledir}
-mkdir -p %{buildroot}/sbin
-mkdir -p -m 755 %{buildroot}%{_libdir}
-# For compat reasons
-mkdir -p %{buildroot}%{_distconfdir}/pam.d
 
-%make_install
-/sbin/ldconfig -n %{buildroot}%{_libdir}
-# Install documentation
-%make_install -C doc
-# install /etc/security/namespace.d used by pam_namespace.so for namespace.conf iscript
-install -d %{buildroot}%{_pam_secconfdir}/namespace.d
 # install other.pamd and common-*.pamd
 install -m 644 %{SOURCE3} %{buildroot}%{_pam_vendordir}/other
 install -m 644 %{SOURCE4} %{buildroot}%{_pam_vendordir}/common-auth
@@ -299,23 +275,14 @@ install -m 644 %{SOURCE21} %{buildroot}%{_pam_vendordir}/postlogin-auth
 install -m 644 %{SOURCE22} %{buildroot}%{_pam_vendordir}/postlogin-account
 install -m 644 %{SOURCE23} %{buildroot}%{_pam_vendordir}/postlogin-password
 install -m 644 %{SOURCE24} %{buildroot}%{_pam_vendordir}/postlogin-session
-mkdir -p %{buildroot}%{_prefix}/lib/motd.d
-#
-# Remove crap
-#
-find %{buildroot} -type f -name "*.la" -delete -print
 #
 # Install READMEs of PAM modules
 #
 DOC=%{buildroot}%{_defaultdocdir}/pam
+%if "%{flavor}" == "full"
 mkdir -p $DOC/modules
-pushd modules
-for i in pam_*/README; do
-	cp -fpv "$i" "$DOC/modules/README.${i%/*}"
-done
-popd
-# Install unix2_chkpwd
-install -m 755 %{_builddir}/unix2_chkpwd %{buildroot}%{_sbindir}
+cp -fpv %{_vpath_builddir}/modules/pam_*/pam_*.txt "$DOC/modules/"
+%endif
 
 # rpm macros
 install -D -m 644 %{SOURCE2} %{buildroot}%{_rpmmacrodir}/macros.pam
@@ -323,24 +290,23 @@ install -D -m 644 %{SOURCE2} %{buildroot}%{_rpmmacrodir}/macros.pam
 install -Dm0644 %{SOURCE13} %{buildroot}%{_tmpfilesdir}/pam.conf
 
 mkdir -p %{buildroot}%{_pam_secdistconfdir}/{limits.d,namespace.d}
-mv %{buildroot}%{_sysconfdir}/environment %{buildroot}%{_distconfdir}/environment
 
 # Remove manual pages for main package
 %if !%{build_doc}
 rm -rf %{buildroot}%{_mandir}/man?/*
 %else
-install -m 644 %{_sourcedir}/unix2_chkpwd.8 %{buildroot}/%{_mandir}/man8/
 # bsc#1188724
 echo '.so man8/pam_motd.8' > %{buildroot}%{_mandir}/man5/motd.5
 %endif
 
 %if !%{build_main}
-rm -rf %{buildroot}{%{_sysconfdir},%{_distconfdir},%{_sbindir}/{f*,m*,pam_n*,pw*,u*},%{_pam_secconfdir},%{_pam_confdir},%{_datadir}/locale}
+rm -rf %{buildroot}{%{_distconfdir}/environment,%{_pam_secdistconfdir}/{a,f,g,n,p,s,t}*}
+rm -rf %{buildroot}{%{_sysconfdir},%{_sbindir}/{f*,m*,pam_n*,pw*,u*},%{_pam_secconfdir},%{_pam_confdir},%{_datadir}/locale}
 rm -rf %{buildroot}{%{_includedir},%{_libdir}/{libpam*,pkgconfig},%{_pam_vendordir},%{_rpmmacrodir},%{_tmpfilesdir},%{_unitdir}/pam_namespace.service}
-rm -rf %{buildroot}%{_pam_moduledir}/pam_{a,b,c,d,e,f,g,h,j,k,l,m,n,o,p,q,r,s,v,w,x,y,z,time.,tt,um,un,usertype}*
+rm -rf %{buildroot}%{_pam_moduledir}/pam_{a,b,c,d,e,f,g,h,j,k,la,lis,lo,m,n,o,p,q,r,s,v,w,x,y,z,time.,tt,um,un,usertype}*
 %else
 # Delete files for extra package
-rm -rf  %{buildroot}{%{_pam_moduledir}/pam_issue.so,%{_pam_moduledir}/pam_timestamp.so,%{_sbindir}/pam_timestamp_check}
+rm -rf  %{buildroot}{%{_pam_moduledir}/pam_limits.so,%{_pam_secdistconfdir}/limits.conf,%{_pam_moduledir}/pam_issue.so,%{_pam_moduledir}/pam_timestamp.so,%{_sbindir}/pam_timestamp_check}
 
 # Create filelist with translations
 %find_lang Linux-PAM
@@ -351,12 +317,10 @@ rm -rf  %{buildroot}{%{_pam_moduledir}/pam_issue.so,%{_pam_moduledir}/pam_timest
 
 %verifyscript
 %verify_permissions -e %{_sbindir}/unix_chkpwd
-%verify_permissions -e %{_sbindir}/unix2_chkpwd
 
 %post
 /sbin/ldconfig
 %set_permissions %{_sbindir}/unix_chkpwd
-%set_permissions %{_sbindir}/unix2_chkpwd
 %tmpfiles_create %{_tmpfilesdir}/pam.conf
 
 %postun -p /sbin/ldconfig
@@ -374,31 +338,17 @@ done
 %files -f Linux-PAM.lang
 %doc NEWS
 %license COPYING
-%exclude %{_defaultdocdir}/pam/html
-%exclude %{_defaultdocdir}/pam/modules
-%exclude %{_defaultdocdir}/pam/pdf
-%exclude %{_defaultdocdir}/pam/*.txt
 %dir %{_pam_confdir}
 %dir %{_pam_vendordir}
 %dir %{_pam_secconfdir}
 %dir %{_pam_secdistconfdir}
-%dir %{_pam_secdistconfdir}/limits.d
-# /usr/etc/pam.d is for compat reasons
-%dir %{_distconfdir}/pam.d
-%dir %{_prefix}/lib/motd.d
-%if %{defined config_noreplace}
-%config(noreplace) %{_pam_confdir}/other
-%config(noreplace) %{_pam_confdir}/common-*
-%else
 %{_pam_vendordir}/other
 %{_pam_vendordir}/common-*
 %{_pam_vendordir}/postlogin-*
-%endif
 %{_distconfdir}/environment
 %{_pam_secdistconfdir}/access.conf
 %{_pam_secdistconfdir}/group.conf
 %{_pam_secdistconfdir}/faillock.conf
-%{_pam_secdistconfdir}/limits.conf
 %{_pam_secdistconfdir}/pam_env.conf
 %if %{with selinux}
 %{_pam_secdistconfdir}/sepermit.conf
@@ -430,7 +380,6 @@ done
 %{_pam_moduledir}/pam_ftp.so
 %{_pam_moduledir}/pam_group.so
 %{_pam_moduledir}/pam_keyinit.so
-%{_pam_moduledir}/pam_limits.so
 %{_pam_moduledir}/pam_listfile.so
 %{_pam_moduledir}/pam_localuser.so
 %{_pam_moduledir}/pam_loginuid.so
@@ -465,7 +414,6 @@ done
 %{_sbindir}/pam_namespace_helper
 %{_sbindir}/pwhistory_helper
 %verify(not mode) %attr(4755,root,shadow) %{_sbindir}/unix_chkpwd
-%verify(not mode) %attr(4755,root,shadow) %{_sbindir}/unix2_chkpwd
 %attr(0700,root,root) %{_sbindir}/unix_update
 %{_unitdir}/pam_namespace.service
 %{_tmpfilesdir}/pam.conf
@@ -491,6 +439,10 @@ done
 %if %{build_extra}
 %files -n pam-extra
 %defattr(-,root,root,755)
+%dir %{_pam_secdistconfdir}
+%dir %{_pam_secdistconfdir}/limits.d
+%{_pam_secdistconfdir}/limits.conf
+%{_pam_moduledir}/pam_limits.so
 %{_pam_moduledir}/pam_issue.so
 %{_pam_moduledir}/pam_timestamp.so
 %{_sbindir}/pam_timestamp_check
@@ -565,7 +517,6 @@ done
 %{_mandir}/man8/pam_wheel.8%{?ext_man}
 %{_mandir}/man8/pam_xauth.8%{?ext_man}
 %{_mandir}/man8/pwhistory_helper.8%{?ext_man}
-%{_mandir}/man8/unix2_chkpwd.8%{?ext_man}
 %{_mandir}/man8/unix_chkpwd.8%{?ext_man}
 %{_mandir}/man8/unix_update.8%{?ext_man}
 

unix2_chkpwd.8

@@ -1,79 +0,0 @@
-.\" Copyright (C) 2003 International Business Machines Corporation
-.\" This file is distributed according to the GNU General Public License.
-.\" See the file COPYING in the top level source directory for details.
-.\"
-.de Sh \" Subsection
-.br
-.if t .Sp
-.ne 5
-.PP
-\fB\\$1\fR
-.PP
-..
-.de Sp \" Vertical space (when we can't use .PP)
-.if t .sp .5v
-.if n .sp
-..
-.de Ip \" List item
-.br
-.ie \\n(.$>=3 .ne \\$3
-.el .ne 3
-.IP "\\$1" \\$2
-..
-.TH "UNIX2_CHKPWD" 8 "2003-03-21" "Linux-PAM 0.76" "Linux-PAM Manual"
-.SH NAME
-unix2_chkpwd \- helper binary that verifies the password of the current user
-.SH "SYNOPSIS"
-.ad l
-.hy 0
-
-/sbin/unix2_chkpwd \fIservicename\fR \fIusername\fR
-.sp
-.ad
-.hy
-.SH "DESCRIPTION"
-.PP
-\fBunix2_chkpwd\fR is a helper program for applications that verifies 
-the password of the current user.  It is not intended to be run directly from 
-the command line and logs a security violation if done so. 
-
-It is typically installed setuid root or setgid shadow and called by
-applications, which only wishes to do an user authentification and
-nothing more.
-
-.SH "OPTIONS"
-.PP
-unix2_chkpwd requires the following arguments:
-.TP
-\fIpam_service\fR
-The name of the service using unix2_chkpwd. This is required to be one of
-the services in /etc/pam.d
-.TP
-\fIusername\fR
-The name of the user whose password you want to verify.
-
-.SH "INPUTS"
-.PP
-unix2_chkpwd expects the password via stdin.
-
-.SH "RETURN CODES"
-.PP
-\fBunix2_chkpwd\fR has the following return codes:
-.TP
-1
-unix2_chkpwd was inappropriately called from the command line or the password is incorrect.
-
-.TP
-0
-The password is correct.
-
-.SH "HISTORY"
-Written by Olaf Kirch loosely based on unix_chkpwd by Andrew Morgan
-
-.SH "SEE ALSO"
-
-.PP
-\fBpam\fR(8)
-
-.SH AUTHOR
-Emily Ratliff.

unix2_chkpwd.c

@@ -1,337 +0,0 @@
-/*
- * Set*id helper program for PAM authentication.
- *
- * It is supposed to be called from pam_unix2's
- * pam_sm_authenticate function if the function notices
- * that it's unable to get the password from the shadow file
- * because it doesn't have sufficient permissions.
- *
- * Copyright (C) 2002 SuSE Linux AG
- *
- * Written by okir@suse.de, loosely based on unix_chkpwd
- * by Andrew Morgan.
- */
-
-#include <security/pam_appl.h>
-#include <security/_pam_macros.h>
-
-#include <sys/types.h>
-#include <stdarg.h>
-#include <stdio.h>
-#include <stdlib.h>
-#include <string.h>
-#include <syslog.h>
-#include <unistd.h>
-#include <pwd.h>
-#include <signal.h>
-#include <fcntl.h>
-#include <ctype.h>
-#include <errno.h>
-
-#define BUFLEN	1024
-#ifndef LOGINDEFS
-#define LOGINDEFS	"/etc/login.defs"
-#endif
-#define LOGINDEFS_FAIL_DELAY_KEY	"FAIL_DELAY"
-#define DEFAULT_FAIL_DELAY_S	10
-
-#define PASSWD_CRACKER_DELAY_MS	100
-
-enum {
-	UNIX_PASSED = 0,
-	UNIX_FAILED = 1
-};
-
-static char *	program_name;
-static char	pass[64];
-static int	npass = -1;
-
-/*
- * Log error messages
- */
-static void
-_log_err(int err, const char *format,...)
-{
-	va_list args;
-
-	va_start(args, format);
-	openlog(program_name, LOG_CONS | LOG_PID, LOG_AUTH);
-	vsyslog(err, format, args);
-	va_end(args);
-	closelog();
-}
-
-static void
-su_sighandler(int sig)
-{
-	if (sig > 0) {
-		_log_err(LOG_NOTICE, "caught signal %d.", sig);
-		exit(sig);
-	}
-}
-
-/*
- * Setup signal handlers
- */
-static void
-setup_signals(void)
-{
-	struct sigaction action;
-
-	memset((void *) &action, 0, sizeof(action));
-	action.sa_handler = su_sighandler;
-	action.sa_flags = SA_RESETHAND;
-	sigaction(SIGILL, &action, NULL);
-	sigaction(SIGTRAP, &action, NULL);
-	sigaction(SIGBUS, &action, NULL);
-	sigaction(SIGSEGV, &action, NULL);
-	action.sa_handler = SIG_IGN;
-	action.sa_flags = 0;
-	sigaction(SIGTERM, &action, NULL);
-	sigaction(SIGHUP, &action, NULL);
-	sigaction(SIGINT, &action, NULL);
-	sigaction(SIGQUIT, &action, NULL);
-	sigaction(SIGALRM, &action, NULL);
-}
-
-static int
-_converse(int num_msg, const struct pam_message **msg,
-		struct pam_response **resp, void *appdata_ptr)
-{
-	struct	pam_response *reply;
-	int	num;
-
-	if (!(reply = malloc(sizeof(*reply) * num_msg)))
-		return PAM_CONV_ERR;
-
-	for (num = 0; num < num_msg; num++) {
-		reply[num].resp_retcode = PAM_SUCCESS;
-		reply[num].resp = NULL;
-		switch (msg[num]->msg_style) {
-		case PAM_PROMPT_ECHO_ON:
-			return PAM_CONV_ERR;
-		case PAM_PROMPT_ECHO_OFF:
-			/* read the password from stdin */
-			if (npass < 0) {
-				npass = read(STDIN_FILENO, pass, sizeof(pass)-1);
-				if (npass < 0) {
-					_log_err(LOG_DEBUG, "error reading password");
-					return UNIX_FAILED;
-				}
-				pass[npass] = '\0';
-			}
-			reply[num].resp = strdup(pass);
-			break;
-		case PAM_TEXT_INFO:
-		case PAM_ERROR_MSG:
-			/* ignored */
-			break;
-		default:
-			/* Must be an error of some sort... */
-			return PAM_CONV_ERR;
-		}
-	}
-
-	*resp = reply;
-	return PAM_SUCCESS;
-}
-
-static int
-_authenticate(const char *service, const char *user)
-{
-	struct pam_conv conv = { _converse, NULL };
-	pam_handle_t	*pamh;
-	int		err;
-
-	err = pam_start(service, user, &conv, &pamh);
-	if (err != PAM_SUCCESS) {
-		_log_err(LOG_ERR, "pam_start(%s, %s) failed (errno %d)",
-				service, user, err);
-		return UNIX_FAILED;
-	}
-	
-	err = pam_authenticate(pamh, 0);
-	if (err != PAM_SUCCESS)
-		_log_err(LOG_ERR, "pam_authenticate(%s, %s): %s",
-				service, user,
-				pam_strerror(pamh, err));
-
-	if (err == PAM_SUCCESS)
-	{
-		err = pam_acct_mgmt(pamh, 0);
-		if (err == PAM_SUCCESS)
- 		{
-			int err2 = pam_setcred(pamh, PAM_REFRESH_CRED);
-			if (err2 != PAM_SUCCESS)
-				_log_err(LOG_ERR, "pam_setcred(%s, %s): %s",
-					service, user,
-					pam_strerror(pamh, err2));
-				/*
-				 * ignore errors on refresh credentials.
-				 * If this did not work we use the old once.
-				 */
-		} else {
-			_log_err(LOG_ERR, "pam_acct_mgmt(%s, %s): %s",
-				service, user,
-				pam_strerror(pamh, err));
-		}
-	}
-	
-	pam_end(pamh, err);
-
-	if (err != PAM_SUCCESS)
-		return UNIX_FAILED;
-	return UNIX_PASSED;
-}
-
-static char *
-getuidname(uid_t uid)
-{
-	struct passwd *pw;
-	static char username[32];
-
-	pw = getpwuid(uid);
-	if (pw == NULL)
-		return NULL;
-
-	strncpy(username, pw->pw_name, sizeof(username));
-	username[sizeof(username) - 1] = '\0';
-	
-	endpwent();
-	return username;
-}
-
-static int
-sane_pam_service(const char *name)
-{
-	const char *sp;
-	char	path[128];
-
-	if (strlen(name) > 32)
-		return 0;
-	for (sp = name; *sp; sp++) {
-		if (!isalnum(*sp) && *sp != '_' && *sp != '-')
-			return 0;
-	}
-
-	snprintf(path, sizeof(path), "/etc/pam.d/%s", name);
-	return access(path, R_OK) == 0;
-}
-
-static int
-get_system_fail_delay (void)
-{
-	FILE *fs;
-	char buf[BUFLEN];
-	long int delay = -1;
-	char *s;
-	int l;
-
-	fs = fopen(LOGINDEFS, "r");
-	if (NULL == fs) {
-		goto bail_out;
-	}
-
-	while ((NULL != fgets(buf, BUFLEN, fs)) && (-1 == delay)) {
-		if  (!strstr(buf, LOGINDEFS_FAIL_DELAY_KEY)) {
-			continue;
-		}
-		s = buf + strspn(buf, " \t");
-		l = strcspn(s, " \t");
-		if (strncmp(LOGINDEFS_FAIL_DELAY_KEY, s, l)) {
-			continue;
-		}
-		s += l;
-		s += strspn(s, " \t");
-		errno = 0;
-		delay = strtol(s, NULL, 10);
-		if (errno) {
-			delay = -1;
-		}
-		break;
-	}
-	fclose (fs);
-bail_out:
-	delay = (delay < 0) ? DEFAULT_FAIL_DELAY_S : delay;
-	return (int)delay;
-}
-
-int
-main(int argc, char *argv[])
-{
-	const char *program_name;
-	char	*service, *user;
-	int	fd;
-	int result = UNIX_FAILED;
-	uid_t	uid;
-
-	uid = getuid();
-
-	/*
-	 * Make sure standard file descriptors are connected.
-	 */
-	while ((fd = open("/dev/null", O_RDWR)) <= 2)
-		;
-	close(fd);
-
-	/*
-	 * Get the program name
-	 */
-	if (argc == 0)
-		program_name = "unix2_chkpwd";
-	else if ((program_name = strrchr(argv[0], '/')) != NULL)
-		program_name++;
-	else
-		program_name = argv[0];
-
-	/*
-	 * Catch or ignore as many signal as possible.
-	 */
-	setup_signals();
-
-	/*
-	 * Check argument list
-	 */
-	if (argc < 2 || argc > 3) {
-		_log_err(LOG_NOTICE, "Bad number of arguments (%d)", argc);
-		return UNIX_FAILED;
-	}
-
-	/*
-	 * Get the service name and do some sanity checks on it
-	 */
-	service = argv[1];
-	if (!sane_pam_service(service)) {
-		_log_err(LOG_ERR, "Illegal service name '%s'", service);
-		return UNIX_FAILED;
-	}
-
-	/*
-	 * Discourage users messing around (fat chance)
-	 */
-	if (isatty(STDIN_FILENO) && uid != 0) {
-		_log_err(LOG_NOTICE,
-			"Inappropriate use of Unix helper binary [UID=%d]",
-			 uid);
-		fprintf(stderr,
-			"This binary is not designed for running in this way\n"
-			"-- the system administrator has been informed\n");
-		sleep(10);	/* this should discourage/annoy the user */
-		return UNIX_FAILED;
-	}
-
-	/*
-	 * determine the caller's user name
-	 */
-	user = getuidname(uid);
-	if (argc == 3 && strcmp(user, argv[2])) {
-		user = argv[2];
-	}
-	result = _authenticate(service, user);
-	/* Discourage use of this program as a
-	 * password cracker */
-	usleep(PASSWD_CRACKER_DELAY_MS * 1000);
-	if (result != UNIX_PASSED && uid != 0)
-		sleep(get_system_fail_delay());
-	return result;
-}