From 3ee029c9957516408b1a057874761ace7fe2bb0710033fb21f419e1743ec89cf Mon Sep 17 00:00:00 2001
From: Fabian Vogt
Date: Wed, 2 Aug 2017 08:48:56 +0000
Subject: [PATCH 1/8] - Split into pam_kwallet and pam_kwallet common to allow -32bit pkg necessary for pam-config integration - Add baselibs.conf for -32bit pkg
OBS-URL: https://build.opensuse.org/package/show/KDE:Frameworks5/pam_kwallet?expand=0&rev=32
---
 baselibs.conf | 4 ++++
 pam_kwallet.changes | 7 +++++++
 pam_kwallet.spec | 23 ++++++++++++++++++-----
 3 files changed, 29 insertions(+), 5 deletions(-)
 create mode 100644 baselibs.conf
diff --git a/baselibs.conf b/baselibs.conf
new file mode 100644
index 0000000..c229a20
--- /dev/null
+++ b/baselibs.conf
@@ -0,0 +1,4 @@
+pam_kwallet
+ requires "pam_kwallet = "
+ supplements "packageand(pam_kwallet:pam-)"
+
diff --git a/pam_kwallet.changes b/pam_kwallet.changes
index a7e493e..b3d7506 100644
--- a/pam_kwallet.changes
+++ b/pam_kwallet.changes
@@ -1,3 +1,10 @@
+-------------------------------------------------------------------
+Wed Aug 2 08:48:28 UTC 2017 - fabian@ritter-vogt.de
+
+- Split into pam_kwallet and pam_kwallet common to allow -32bit pkg
+ necessary for pam-config integration
+- Add baselibs.conf for -32bit pkg
+
 -------------------------------------------------------------------
 Tue Jul 18 16:14:48 CEST 2017 - fabian@ritter-vogt.de
diff --git a/pam_kwallet.spec b/pam_kwallet.spec
index 88ce53f..e8d4122 100644
--- a/pam_kwallet.spec
+++ b/pam_kwallet.spec
@@ -19,7 +19,7 @@
 Name: pam_kwallet
 Version: 5.10.4
 Release: 0
-Summary: A PAM Module for kwallet signing
+Summary: A PAM Module for KWallet signing
 License: LGPL-2.1 and GPL-2.0+ and GPL-3.0
 Group: System/GUI/KDE
 Url: http://www.kde.org/
@@ -30,13 +30,22 @@ BuildRequires: libgcrypt-devel >= 1.5.0
 BuildRequires: pam-devel
 BuildRequires: socat
 BuildRequires: xz
-Requires: kwalletd5
-Requires: socat
+Requires: %{name}-common = %{version}
 %description
 This PAM module allows you to automatically open your kwallet
 when signing into your account.
+%package common
+Summary: Support files for the KWallet PAM module
+Group: System/GUI/KDE
+Requires: kwalletd5
+Requires: socat
+
+%description common
+This package contains support files used by the KWallet PAM
+module.
+
 %prep
 %setup -q -n kwallet-pam-%{version}
@@ -50,8 +59,12 @@ when signing into your account.
 %files
 %defattr(-,root,root)
 %doc COPYING*
-%config %{_kf5_configdir}/autostart/pam_kwallet_init.desktop
-%{_kf5_libexecdir}/pam_kwallet_init
 /%{_lib}/security/pam_kwallet5.so
+%files common
+%defattr(-,root,root)
+%doc COPYING*
+%config %{_kf5_configdir}/autostart/pam_kwallet_init.desktop
+%{_kf5_libexecdir}/pam_kwallet_init
+
 %changelog
From d3c7676b1e12b9c3455d61b0eceab1716cebd9cc53ea051457a6d1994a470928 Mon Sep 17 00:00:00 2001
From: Fabian Vogt
Date: Wed, 2 Aug 2017 08:49:23 +0000
Subject: [PATCH 2/8] Mention baselibs.conf in .spec
OBS-URL: https://build.opensuse.org/package/show/KDE:Frameworks5/pam_kwallet?expand=0&rev=33
---
 pam_kwallet.spec | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/pam_kwallet.spec b/pam_kwallet.spec
index e8d4122..a63bdc6 100644
--- a/pam_kwallet.spec
+++ b/pam_kwallet.spec
@@ -23,7 +23,8 @@ Summary: A PAM Module for KWallet signing
 License: LGPL-2.1 and GPL-2.0+ and GPL-3.0
 Group: System/GUI/KDE
 Url: http://www.kde.org/
-Source: http://download.kde.org/stable/plasma/%{version}/kwallet-pam-%{version}.tar.xz
+Source0: http://download.kde.org/stable/plasma/%{version}/kwallet-pam-%{version}.tar.xz
+Source1: baselibs.conf
 BuildRequires: extra-cmake-modules >= 1.2.0
 BuildRequires: kf5-filesystem
 BuildRequires: libgcrypt-devel >= 1.5.0
From d90f30f862aa5db224a77a043b03f07dd6f4515c8fdb307edb9678561234d626 Mon Sep 17 00:00:00 2001
From: Fabian Vogt
Date: Wed, 2 Aug 2017 09:11:37 +0000
Subject: [PATCH 3/8] Add scriptlets for pam-config
OBS-URL: https://build.opensuse.org/package/show/KDE:Frameworks5/pam_kwallet?expand=0&rev=34
---
 baselibs.conf | 2 +-
 pam_kwallet.spec | 11 +++++++++++
 2 files changed, 12 insertions(+), 1 deletion(-)
diff --git a/baselibs.conf b/baselibs.conf
index c229a20..1f9893a 100644
--- a/baselibs.conf
+++ b/baselibs.conf
@@ -1,4 +1,4 @@
 pam_kwallet
 requires "pam_kwallet = "
 supplements "packageand(pam_kwallet:pam-)"
-
+ post "%{_sbindir}/pam-config -a --kwallet5 || :"
diff --git a/pam_kwallet.spec b/pam_kwallet.spec
index a63bdc6..00b3647 100644
--- a/pam_kwallet.spec
+++ b/pam_kwallet.spec
@@ -32,6 +32,7 @@ BuildRequires: pam-devel
 BuildRequires: socat
 BuildRequires: xz
 Requires: %{name}-common = %{version}
+Requires(postun): coreutils pam pam-config
 %description
 This PAM module allows you to automatically open your kwallet
@@ -57,6 +58,16 @@ module.
 %install
 %kf5_makeinstall -C build
+# Due to boo#728586 it is necessary to duplicate this in the 32bit variant.
+# So you need to edit baselibs.conf if you change this.
+%post
+ %{_sbindir}/pam-config -a --kwallet5 || :
+
+%postun
+ if [ "$1" = "0" ]; then
+ %{_sbindir}/pam-config -d --kwallet5 || :
+ fi
+
 %files
 %defattr(-,root,root)
 %doc COPYING*
From 2442481fd33edbf397a11ff78c61fe6b098e8ce9d4a14b8dac9312dab02e0863 Mon Sep 17 00:00:00 2001
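Review bot: The `%post` scriptlet added to pam_kwallet.spec runs `%{_sbindir}/pam-config -a --kwallet5 || :`, but the only scriptlet dependency declared is `Requires(postun): coreutils pam pam-config`, so nothing guarantees that pam-config is installed before `%post` runs. Because of the `|| :`, a missing or failing pam-config is swallowed and the module is silently left out of the PAM stack; the dependency should cover both scriptlets, for example `Requires(post): pam-config` next to the existing `Requires(postun)` line. The `post` line added to baselibs.conf swallows failures the same way, and no matching removal step for the 32bit variant is visible in this patch. Patches 5/8, 6/8 and 8/8 of this series only wrap these lines in `%if` and leave the dependency as it is.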
From: Fabian Vogt
Date: Wed, 2 Aug 2017 09:27:59 +0000
Subject: [PATCH 4/8] - Register with pam-config automatically (boo#1029942)
OBS-URL: https://build.opensuse.org/package/show/KDE:Frameworks5/pam_kwallet?expand=0&rev=35
---
 pam_kwallet.changes | 1 +
 1 file changed, 1 insertion(+)
diff --git a/pam_kwallet.changes b/pam_kwallet.changes
index b3d7506..6180a80 100644
--- a/pam_kwallet.changes
+++ b/pam_kwallet.changes
@@ -4,6 +4,7 @@ Wed Aug 2 08:48:28 UTC 2017 - fabian@ritter-vogt.de
 - Split into pam_kwallet and pam_kwallet common to allow -32bit pkg
 necessary for pam-config integration
 - Add baselibs.conf for -32bit pkg
+- Register with pam-config automatically (boo#1029942)
 -------------------------------------------------------------------
 Tue Jul 18 16:14:48 CEST 2017 - fabian@ritter-vogt.de
From 76487bf872e68e07cb83897ec4d865e79492e90446bd403977f0a0a78b6db15d Mon Sep 17 00:00:00 2001
From: Fabian Vogt
Date: Wed, 2 Aug 2017 17:51:38 +0000
Subject: [PATCH 5/8] - Only use pam-config on TW, where it will be available soon
OBS-URL: https://build.opensuse.org/package/show/KDE:Frameworks5/pam_kwallet?expand=0&rev=36
---
 baselibs.conf | 3 +++
 pam_kwallet.changes | 1 +
 pam_kwallet.spec | 4 ++++
 3 files changed, 8 insertions(+)
diff --git a/baselibs.conf b/baselibs.conf
index 1f9893a..9134c05 100644
--- a/baselibs.conf
+++ b/baselibs.conf
@@ -1,4 +1,7 @@
 pam_kwallet
 requires "pam_kwallet = "
 supplements "packageand(pam_kwallet:pam-)"
+ post "%if 0%{?suse_version} >= 1330"
 post "%{_sbindir}/pam-config -a --kwallet5 || :"
+ post "%endif"
+ post ":"
diff --git a/pam_kwallet.changes b/pam_kwallet.changes
index 6180a80..e21f552 100644
--- a/pam_kwallet.changes
+++ b/pam_kwallet.changes
@@ -5,6 +5,7 @@ Wed Aug 2 08:48:28 UTC 2017 - fabian@ritter-vogt.de
 necessary for pam-config integration
 - Add baselibs.conf for -32bit pkg
 - Register with pam-config automatically (boo#1029942)
+- Only use pam-config on TW, where it will be available soon
 -------------------------------------------------------------------
 Tue Jul 18 16:14:48 CEST 2017 - fabian@ritter-vogt.de
diff --git a/pam_kwallet.spec b/pam_kwallet.spec
index 00b3647..a13e5fc 100644
--- a/pam_kwallet.spec
+++ b/pam_kwallet.spec
@@ -32,7 +32,9 @@ BuildRequires: pam-devel
 BuildRequires: socat
 BuildRequires: xz
 Requires: %{name}-common = %{version}
+%if 0%{?suse_version} >= 1330
 Requires(postun): coreutils pam pam-config
+%endif
 %description
 This PAM module allows you to automatically open your kwallet
@@ -58,6 +60,7 @@ module.
 %install
 %kf5_makeinstall -C build
+%if 0%{?suse_version} >= 1330
 # Due to boo#728586 it is necessary to duplicate this in the 32bit variant.
 # So you need to edit baselibs.conf if you change this.
 %post
@@ -67,6 +70,7 @@ module.
 if [ "$1" = "0" ]; then
 %{_sbindir}/pam-config -d --kwallet5 || :
 fi
+%endif
 %files
 %defattr(-,root,root)
From d1ba8a781950780810b1814208b9a6a2ddd919f3181a546092af3e539c3f6158 Mon Sep 17 00:00:00 2001
From: Fabian Vogt
Date: Wed, 2 Aug 2017 20:17:36 +0000
Subject: [PATCH 6/8] - Disable pam-config for now, kwallet-pam needs some upstream discussions first before it's viable to use...
OBS-URL: https://build.opensuse.org/package/show/KDE:Frameworks5/pam_kwallet?expand=0&rev=37
---
 baselibs.conf | 2 +-
 pam_kwallet.changes | 2 ++
 pam_kwallet.spec | 4 ++--
 3 files changed, 5 insertions(+), 3 deletions(-)
diff --git a/baselibs.conf b/baselibs.conf
index 9134c05..3bed450 100644
--- a/baselibs.conf
+++ b/baselibs.conf
@@ -1,7 +1,7 @@
 pam_kwallet
 requires "pam_kwallet = "
 supplements "packageand(pam_kwallet:pam-)"
- post "%if 0%{?suse_version} >= 1330"
+ post "%if 0 && 0%{?suse_version} >= 1330"
 post "%{_sbindir}/pam-config -a --kwallet5 || :"
 post "%endif"
 post ":"
diff --git a/pam_kwallet.changes b/pam_kwallet.changes
index e21f552..be16e71 100644
--- a/pam_kwallet.changes
+++ b/pam_kwallet.changes
@@ -6,6 +6,8 @@ Wed Aug 2 08:48:28 UTC 2017 - fabian@ritter-vogt.de
 - Add baselibs.conf for -32bit pkg
 - Register with pam-config automatically (boo#1029942)
 - Only use pam-config on TW, where it will be available soon
+- Disable pam-config for now, kwallet-pam needs some upstream
+ discussions first before it's viable to use...
 -------------------------------------------------------------------
 Tue Jul 18 16:14:48 CEST 2017 - fabian@ritter-vogt.de
diff --git a/pam_kwallet.spec b/pam_kwallet.spec
index a13e5fc..b9cf07d 100644
--- a/pam_kwallet.spec
+++ b/pam_kwallet.spec
@@ -32,7 +32,7 @@ BuildRequires: pam-devel
 BuildRequires: socat
 BuildRequires: xz
 Requires: %{name}-common = %{version}
-%if 0%{?suse_version} >= 1330
+%if 0 && 0%{?suse_version} >= 1330
 Requires(postun): coreutils pam pam-config
 %endif
@@ -60,7 +60,7 @@ module.
 %install
 %kf5_makeinstall -C build
-%if 0%{?suse_version} >= 1330
+%if 0 && 0%{?suse_version} >= 1330
 # Due to boo#728586 it is necessary to duplicate this in the 32bit variant.
 # So you need to edit baselibs.conf if you change this.
 %post
From 51db465ce56e2da5bd3b035e85161706f67a6c4f65d13227e8cf431be5eb4c6d Mon Sep 17 00:00:00 2001
From: Fabian Vogt
Date: Wed, 9 Aug 2017 08:40:05 +0000
Subject: [PATCH 7/8] - Add various patches (pending upstream review) to fix several issues: * 0001-Several-cleanups.patch * 0002-Avoid-dropping-privileges-by-initializing-gcrypt-sec.patch * 0003-Check-for-a-graphical-session.patch
OBS-URL: https://build.opensuse.org/package/show/KDE:Frameworks5/pam_kwallet?expand=0&rev=38
---
 0001-Several-cleanups.patch | 162 ++++++++++++++++++
 ...rivileges-by-initializing-gcrypt-sec.patch | 38 ++++
 0003-Check-for-a-graphical-session.patch | 72 ++++++++
 pam_kwallet.changes | 9 +
 pam_kwallet.spec | 9 +
 5 files changed, 290 insertions(+)
 create mode 100644 0001-Several-cleanups.patch
 create mode 100644 0002-Avoid-dropping-privileges-by-initializing-gcrypt-sec.patch
 create mode 100644 0003-Check-for-a-graphical-session.patch
diff --git a/0001-Several-cleanups.patch b/0001-Several-cleanups.patch
new file mode 100644
index 0000000..4bde8e2
--- /dev/null
+++ b/0001-Several-cleanups.patch
@@ -0,0 +1,162 @@ +From a6369519e080b741fea731ab42bb19e84c6e6fdb Mon Sep 17 00:00:00 2001 +From: Fabian Vogt +Date: Thu, 3 Aug 2017 09:02:14 +0200 +Subject: [PATCH 1/3] Several cleanups + +- No cppcheck warnings anymore +- Use snprintf everywhere +- Avoid pointless multiplication with sizeof(char) +- Avoid memory leaks +--- + pam_kwallet.c | 44 ++++++++++++++++++++++++++++++++------------ + 1 file changed, 32 insertions(+), 12 deletions(-) + +diff --git a/pam_kwallet.c b/pam_kwallet.c +index d88c5e0..cba57e7 100644 +--- a/pam_kwallet.c ++++ b/pam_kwallet.c +@@ -151,13 +151,14 @@ static int set_env(pam_handle_t *pamh, const char *name, const char *value) + //We do not return because pam_putenv might work + } + +- char *pamEnv = malloc(strlen(name) + strlen(value) + 2); //2 is for = and \0 ++ size_t pamEnvSize = strlen(name) + strlen(value) + 2; //2 is for = and \0 ++ char *pamEnv = malloc(pamEnvSize); + if (!pamEnv) { + pam_syslog(pamh, LOG_WARNING, "%s: Impossible to allocate memory for pamEnv", logPrefix); + return -1; + } + +- sprintf (pamEnv, "%s=%s", name, value); ++ snprintf (pamEnv, pamEnvSize, "%s=%s", name, value); + int ret = pam_putenv(pamh, pamEnv); + free(pamEnv); + +@@ -240,6 +241,11 @@ cleanup: + return result; + } + ++static void cleanup_free(pam_handle_t *pamh, void *ptr, int error_status) ++{ ++ free(ptr); ++} ++ + PAM_EXTERN int pam_sm_authenticate(pam_handle_t *pamh, int flags, int argc, const char **argv) + { + pam_syslog(pamh, LOG_INFO, "%s: pam_sm_authenticate\n", logPrefix); +@@ -297,14 +303,17 @@ PAM_EXTERN int pam_sm_authenticate(pam_handle_t *pamh, int flags, int argc, cons + return PAM_IGNORE; + } + +- char *key = malloc(sizeof(char) * KWALLET_PAM_KEYSIZE); +- if (kwallet_hash(password, userInfo, key) != 0) { ++ char *key = malloc(KWALLET_PAM_KEYSIZE); ++ if (!key || kwallet_hash(password, userInfo, key) != 0) { ++ free(key); + pam_syslog(pamh, LOG_ERR, "%s: Fail into creating the hash", logPrefix); + return PAM_IGNORE; + } + +- result = 
pam_set_data(pamh, kwalletPamDataKey, key, NULL); ++ result = pam_set_data(pamh, kwalletPamDataKey, key, cleanup_free); ++ + if (result != PAM_SUCCESS) { ++ free(key); + pam_syslog(pamh, LOG_ERR, "%s: Impossible to store the hashed password: %s", logPrefix + , pam_strerror(pamh, result)); + return PAM_IGNORE; +@@ -385,9 +394,8 @@ cleanup: + static int better_write(int fd, const char *buffer, int len) + { + size_t writtenBytes = 0; +- int result; + while(writtenBytes < len) { +- result = write(fd, buffer + writtenBytes, len - writtenBytes); ++ int result = write(fd, buffer + writtenBytes, len - writtenBytes); + if (result < 0) { + if (errno != EAGAIN && errno != EINTR) { + return -1; +@@ -450,6 +458,7 @@ static void start_kwallet(pam_handle_t *pamh, struct passwd *userInfo, const cha + if (result != PAM_SUCCESS) { + pam_syslog(pamh, LOG_ERR, "%s: Impossible to set %s env, %s", + logPrefix, envVar, pam_strerror(pamh, result)); ++ free(fullSocket); + return; + } + +@@ -459,12 +468,15 @@ static void start_kwallet(pam_handle_t *pamh, struct passwd *userInfo, const cha + if (strlen(fullSocket) > sizeof(local.sun_path)) { + pam_syslog(pamh, LOG_ERR, "%s: socket path %s too long to open", + logPrefix, fullSocket); ++ free(fullSocket); + return; + } + strcpy(local.sun_path, fullSocket); ++ free(fullSocket); ++ fullSocket = NULL; + unlink(local.sun_path);//Just in case it exists from a previous login + +- pam_syslog(pamh, LOG_INFO, "%s: final socket path: %s", logPrefix, fullSocket); ++ pam_syslog(pamh, LOG_INFO, "%s: final socket path: %s", logPrefix, local.sun_path); + + size_t len = strlen(local.sun_path) + sizeof(local.sun_family); + if (bind(envSocket, (struct sockaddr *)&local, len) == -1) { +@@ -477,7 +489,7 @@ static void start_kwallet(pam_handle_t *pamh, struct passwd *userInfo, const cha + return; + } + +- if (chown(fullSocket, userInfo->pw_uid, userInfo->pw_gid) == -1) { ++ if (chown(local.sun_path, userInfo->pw_uid, userInfo->pw_gid) == -1) { + pam_syslog(pamh, 
LOG_INFO, "%s: Couldn't change ownership of the socket", logPrefix); + return; + } +@@ -655,7 +667,8 @@ int kwallet_hash(const char *passphrase, struct passwd *userInfo, char *key) + #else + char *fixpath = "share/apps/kwallet/kdewallet.salt"; + #endif +- char *path = (char*) malloc(strlen(userInfo->pw_dir) + strlen(kdehome) + strlen(fixpath) + 3);//3 == / and \0 ++ size_t pathSize = strlen(userInfo->pw_dir) + strlen(kdehome) + strlen(fixpath) + 3;//3 == /, / and \0 ++ char *path = (char*) malloc(pathSize); + sprintf(path, "%s/%s/%s", userInfo->pw_dir, kdehome, fixpath); + + struct stat info; +@@ -666,21 +679,26 @@ int kwallet_hash(const char *passphrase, struct passwd *userInfo, char *key) + FILE *fd = fopen(path, "r"); + if (fd == NULL) { + syslog(LOG_ERR, "%s: Couldn't open file: %s because: %d-%s", logPrefix, path, errno, strerror(errno)); ++ free(path); + return 1; + } +- salt = (char*) malloc(sizeof(char) * KWALLET_PAM_SALTSIZE); ++ salt = (char*) malloc(KWALLET_PAM_SALTSIZE); + memset(salt, '\0', KWALLET_PAM_SALTSIZE); + fread(salt, KWALLET_PAM_SALTSIZE, 1, fd); + fclose(fd); + } ++ free(path); ++ + if (salt == NULL) { + syslog(LOG_ERR, "%s-kwalletd: Couldn't create or read the salt file", logPrefix); + return 1; + } + + gcry_error_t error; ++ + error = gcry_control(GCRYCTL_INIT_SECMEM, 32768, 0); + if (error != 0) { ++ free(salt); + syslog(LOG_ERR, "%s-kwalletd: Can't get secure memory: %d", logPrefix, error); + return 1; + } +@@ -691,5 +709,7 @@ int kwallet_hash(const char *passphrase, struct passwd *userInfo, char *key) + GCRY_KDF_PBKDF2, GCRY_MD_SHA512, + salt, KWALLET_PAM_SALTSIZE, + KWALLET_PAM_ITERATIONS,KWALLET_PAM_KEYSIZE, key); +- return 0; ++ ++ free(salt); ++ return (int) error; // gcry_kdf_derive returns 0 on success + } +-- +2.13.2 + diff --git a/0002-Avoid-dropping-privileges-by-initializing-gcrypt-sec.patch b/0002-Avoid-dropping-privileges-by-initializing-gcrypt-sec.patch new file mode 100644 index 0000000..d77821a --- /dev/null 
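Review bot: In `start_kwallet` the length guard kept as context, `if (strlen(fullSocket) > sizeof(local.sun_path))`, still admits a path of exactly `sizeof(local.sun_path)` bytes, and the `strcpy` just below it then writes the terminating NUL one byte past the array; the comparison should be `>=`. In `kwallet_hash` the new `pathSize` is computed but the following `sprintf(path, ...)` stays unbounded, and `path` is used without a NULL check, as is `salt` before the `memset`. `snprintf(path, pathSize, "%s/%s/%s", userInfo->pw_dir, kdehome, fixpath);` after `if (!path) return 1;` would match the "Use snprintf everywhere" line of the commit message. The derived key is released with a plain `free()` in `cleanup_free` and on both error paths of `pam_sm_authenticate`; clearing its `KWALLET_PAM_KEYSIZE` bytes first (for example with `explicit_bzero`, where the C library provides it) would keep the wallet key from lingering in freed heap memory. All three functions start and end outside the hunks shown.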
+++ b/0002-Avoid-dropping-privileges-by-initializing-gcrypt-sec.patch
@@ -0,0 +1,38 @@
+From a8153375a5006f5ca766b58a1a8f488699314a74 Mon Sep 17 00:00:00 2001
+From: Fabian Vogt
+Date: Thu, 3 Aug 2017 09:27:10 +0200
+Subject: [PATCH 2/3] Avoid dropping privileges by initializing gcrypt secmem
+
+It's a documented side effect that initialization of secure memory in gcrypt
+drops privileges if getuid() != geteuid(). This results in breaking setuid
+callers, like sudo or su.
+---
+ pam_kwallet.c | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+diff --git a/pam_kwallet.c b/pam_kwallet.c
+index cba57e7..dc61115 100644
+--- a/pam_kwallet.c
++++ b/pam_kwallet.c
+@@ -696,12 +696,18 @@ int kwallet_hash(const char *passphrase, struct passwd *userInfo, char *key)
+
+ gcry_error_t error;
+
++ /* We cannot call GCRYCTL_INIT_SECMEM as it drops privileges if getuid() != geteuid().
++ * PAM modules are in many cases executed through setuid binaries, which this call
++ * would break.
++ * It was never effective anyway as neither key nor passphrase are in secure memory,
++ * which is a prerequisite for secure operation...
+ error = gcry_control(GCRYCTL_INIT_SECMEM, 32768, 0);
+ if (error != 0) {
+ free(salt);
+ syslog(LOG_ERR, "%s-kwalletd: Can't get secure memory: %d", logPrefix, error);
+ return 1;
+ }
++ */
+
+ gcry_control (GCRYCTL_INITIALIZATION_FINISHED, 0);
+
+--
+2.13.2
+
diff --git a/0003-Check-for-a-graphical-session.patch b/0003-Check-for-a-graphical-session.patch
new file mode 100644
index 0000000..1a5d015
--- /dev/null
+++ b/0003-Check-for-a-graphical-session.patch
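Review bot: With the `GCRYCTL_INIT_SECMEM` call commented out, `kwallet_hash` goes straight to `gcry_control (GCRYCTL_INITIALIZATION_FINISHED, 0);` without telling libgcrypt that secure memory is not wanted. The initialization sequence the libgcrypt manual gives for that case calls `gcry_check_version` and then `gcry_control(GCRYCTL_DISABLE_SECMEM, 0);`. Without the latter the library may still set up its secure-memory pool on its own when an internal routine asks for secure memory, which would presumably bring back the privilege drop this patch is meant to avoid; that is worth confirming against the libgcrypt version in use. I would add `gcry_control(GCRYCTL_DISABLE_SECMEM, 0);` immediately before the INITIALIZATION_FINISHED call. kwallet_hash starts and ends outside the hunk, so whether `gcry_check_version` is already called elsewhere is not visible here.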
@@ -0,0 +1,72 @@ +From f5f27799e1b6875be7f34edac3a9f98a2b550b2c Mon Sep 17 00:00:00 2001 +From: Fabian Vogt +Date: Thu, 3 Aug 2017 09:50:30 +0200 +Subject: [PATCH 3/3] Check for a graphical session + +Avoid running if it detects a text session. This can be overridden by adding +"force_run" as argument. +--- + pam_kwallet.c | 26 ++++++++++++++++++++++++++ + 1 file changed, 26 insertions(+) + +diff --git a/pam_kwallet.c b/pam_kwallet.c +index dc61115..34bc045 100644 +--- a/pam_kwallet.c ++++ b/pam_kwallet.c +@@ -72,6 +72,7 @@ const static char *kwalletd = NULL; + const static char *socketPath = NULL; + const static char *kwalletPamDataKey = NULL; + const static char *logPrefix = NULL; ++static int force_run = 0; + + #ifdef KWALLET5 + const static char *envVar = "PAM_KWALLET5_LOGIN"; +@@ -98,6 +99,8 @@ static void parseArguments(int argc, const char **argv) + kwalletd = argv[x] + 9; + } else if (strstr(argv[x], "socketPath=") != NULL) { + socketPath= argv[x] + 11; ++ } else if (strcmp(argv[x], "force_run") == 0) { ++ force_run = 1; + } + } + #ifdef KWALLET5 +@@ -241,6 +244,24 @@ cleanup: + return result; + } + ++static int is_graphical_session(pam_handle_t *pamh) ++{ ++ //Detect a graphical session ++ const char *pam_tty = NULL, *pam_xdisplay = NULL, ++ *xdg_session_type = NULL, *display = NULL; ++ ++ pam_get_item(pamh, PAM_TTY, (const void**) &pam_tty); ++#ifdef PAM_XDISPLAY ++ pam_get_item(pamh, PAM_XDISPLAY, (const void**) &pam_xdisplay); ++#endif ++ xdg_session_type = get_env(pamh, "XDG_SESSION_TYPE"); ++ ++ return (pam_xdisplay && strlen(pam_xdisplay) != 0) ++ || (pam_tty && pam_tty[0] == ':') ++ || (xdg_session_type && strcmp(xdg_session_type, "x11") == 0) ++ || (xdg_session_type && strcmp(xdg_session_type, "wayland") == 0); ++} ++ + static void cleanup_free(pam_handle_t *pamh, void *ptr, int error_status) + { + free(ptr); +@@ -537,6 +558,11 @@ PAM_EXTERN int pam_sm_open_session(pam_handle_t *pamh, int flags, int argc, cons + + parseArguments(argc, argv); + ++ 
if (!force_run && !is_graphical_session(pamh)) { ++ pam_syslog(pamh, LOG_INFO, "%s: not a graphical session, skipping. Use force_run parameter to ignore this.", logPrefix); ++ return PAM_IGNORE; ++ } ++ + int result; + result = pam_set_data(pamh, "sm_open_session", "1", NULL); + if (result != PAM_SUCCESS) { +-- +2.13.2 + diff --git a/pam_kwallet.changes b/pam_kwallet.changes index be16e71..dc91559 100644 --- a/pam_kwallet.changes +++ b/pam_kwallet.changes @@ -1,3 +1,12 @@ +------------------------------------------------------------------- +Wed Aug 9 08:39:00 UTC 2017 - fabian@ritter-vogt.de + +- Add various patches (pending upstream review) to fix several + issues: + * 0001-Several-cleanups.patch + * 0002-Avoid-dropping-privileges-by-initializing-gcrypt-sec.patch + * 0003-Check-for-a-graphical-session.patch + ------------------------------------------------------------------- Wed Aug 2 08:48:28 UTC 2017 - fabian@ritter-vogt.de diff --git a/pam_kwallet.spec b/pam_kwallet.spec index b9cf07d..68db0f3 100644 --- a/pam_kwallet.spec +++ b/pam_kwallet.spec @@ -25,6 +25,12 @@ Group: System/GUI/KDE Url: http://www.kde.org/ Source0: http://download.kde.org/stable/plasma/%{version}/kwallet-pam-%{version}.tar.xz Source1: baselibs.conf +# PATCH-FIX-UPSTREAM +Patch1: 0001-Several-cleanups.patch +# PATCH-FIX-UPSTREAM +Patch2: 0002-Avoid-dropping-privileges-by-initializing-gcrypt-sec.patch +# PATCH-FIX-UPSTREAM +Patch3: 0003-Check-for-a-graphical-session.patch BuildRequires: extra-cmake-modules >= 1.2.0 BuildRequires: kf5-filesystem BuildRequires: libgcrypt-devel >= 1.5.0 @@ -52,6 +58,9 @@ module. %prep %setup -q -n kwallet-pam-%{version} +%patch1 -p1 +%patch2 -p1 +%patch3 -p1 %build %cmake_kf5 -d build -- -DLIBEXEC_INSTALL_DIR=%{_kf5_libexecdir} -DCMAKE_INSTALL_PREFIX=/ From 390d25e14117081eee03d36065c19dcf518c04c86d7a9d86655a5783136fc622 Mon Sep 17 00:00:00 2001 
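Review bot: The graphical-session check is added only to `pam_sm_open_session`; as far as this series shows, `pam_sm_authenticate` still derives the wallet key from the password and stores it with `pam_set_data` for text logins, where the session hook then returns `PAM_IGNORE`. Consider running the same `if (!force_run && !is_graphical_session(pamh))` test before the key is hashed in `pam_sm_authenticate`, so that no key material is created for sessions that will never use it; whether PAM_TTY and XDG_SESSION_TYPE are already populated at that stage needs checking. `force_run` is a file-scope static that `parseArguments` only ever sets to 1, so while the module stays loaded the flag may remain set for later calls that omit the argument; a `force_run = 0;` at the start of `parseArguments` would avoid that. The local `display` in `is_graphical_session` is declared but never used.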
From: Luca Beltrame
Date: Tue, 22 Aug 2017 21:15:39 +0000
Subject: [PATCH 8/8] Plasma 5.10.5
OBS-URL: https://build.opensuse.org/package/show/KDE:Frameworks5/pam_kwallet?expand=0&rev=39
---
 baselibs.conf | 2 +-
 kwallet-pam-5.10.4.tar.xz | 3 ---
 kwallet-pam-5.10.5.tar.xz | 3 +++
 pam_kwallet.changes | 11 +++++++++++
 pam_kwallet.spec | 6 +++---
 5 files changed, 18 insertions(+), 7 deletions(-)
 delete mode 100644 kwallet-pam-5.10.4.tar.xz
 create mode 100644 kwallet-pam-5.10.5.tar.xz
diff --git a/baselibs.conf b/baselibs.conf
index 3bed450..9134c05 100644
--- a/baselibs.conf
+++ b/baselibs.conf
@@ -1,7 +1,7 @@
 pam_kwallet
 requires "pam_kwallet = "
 supplements "packageand(pam_kwallet:pam-)"
- post "%if 0 && 0%{?suse_version} >= 1330"
+ post "%if 0%{?suse_version} >= 1330"
 post "%{_sbindir}/pam-config -a --kwallet5 || :"
 post "%endif"
 post ":"
diff --git a/kwallet-pam-5.10.4.tar.xz b/kwallet-pam-5.10.4.tar.xz
deleted file mode 100644
index 92db787..0000000
--- a/kwallet-pam-5.10.4.tar.xz
+++ /dev/null
@@ -1,3 +0,0 @@
-version https://git-lfs.github.com/spec/v1
-oid sha256:0227751c8f68970e184c2e723796bf11966ae045b904e7a6b07d1e4b9e7729ea
-size 17912
diff --git a/kwallet-pam-5.10.5.tar.xz b/kwallet-pam-5.10.5.tar.xz
new file mode 100644
index 0000000..341db15
--- /dev/null
+++ b/kwallet-pam-5.10.5.tar.xz
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:c42e444c9c85dc5bbc60bbd666d20ea72162ddd38dc18254c47c48a0ca404073
+size 17908
diff --git a/pam_kwallet.changes b/pam_kwallet.changes
index dc91559..e196f68 100644
--- a/pam_kwallet.changes
+++ b/pam_kwallet.changes
@@ -1,3 +1,14 @@
+-------------------------------------------------------------------
+Tue Aug 22 19:11:31 CEST 2017 - fabian@ritter-vogt.de
+
+- Update to 5.10.5
+ * New bugfix release
+ * For more details please see:
+ * https://www.kde.org/announcements/plasma-5.10.5.php
+- Changes since 5.10.4:
+ * None
+- Enable pam-config integration on TW
+
 -------------------------------------------------------------------
 Wed Aug 9 08:39:00 UTC 2017 - fabian@ritter-vogt.de
diff --git a/pam_kwallet.spec b/pam_kwallet.spec
index 68db0f3..257b6ae 100644
--- a/pam_kwallet.spec
+++ b/pam_kwallet.spec
@@ -17,7 +17,7 @@
 Name: pam_kwallet
-Version: 5.10.4
+Version: 5.10.5
 Release: 0
 Summary: A PAM Module for KWallet signing
 License: LGPL-2.1 and GPL-2.0+ and GPL-3.0
@@ -38,7 +38,7 @@ BuildRequires: pam-devel
 BuildRequires: socat
 BuildRequires: xz
 Requires: %{name}-common = %{version}
-%if 0 && 0%{?suse_version} >= 1330
+%if 0%{?suse_version} >= 1330
 Requires(postun): coreutils pam pam-config
 %endif
@@ -69,7 +69,7 @@ module.
 %install
 %kf5_makeinstall -C build
-%if 0 && 0%{?suse_version} >= 1330
+%if 0%{?suse_version} >= 1330
 # Due to boo#728586 it is necessary to duplicate this in the 32bit variant.
 # So you need to edit baselibs.conf if you change this.
 %post