- Add systemd-logind support to pam_limits (pam_limits-systemd.patch)

- Remove /usr/etc/pam.d, everything should be migrated - Remove pam_limits from default common-sessions* files. pam_limits is now part of pam-extra and not in our default generated config. - pam_issue-systemd.patch: only count class user sessions OBS-URL: https://build.opensuse.org/package/show/Linux-PAM/pam?expand=0&rev=299
2024-09-09 08:32:13 +00:00 · 2024-09-09 08:32:13 +00:00 · 0f70ad3ce6
commit 0f70ad3ce6
27 changed files with 3817 additions and 0 deletions
--- a/.gitattributes
+++ b/.gitattributes
@ -0,0 +1,23 @@
+## Default LFS
+*.7z filter=lfs diff=lfs merge=lfs -text
+*.bsp filter=lfs diff=lfs merge=lfs -text
+*.bz2 filter=lfs diff=lfs merge=lfs -text
+*.gem filter=lfs diff=lfs merge=lfs -text
+*.gz filter=lfs diff=lfs merge=lfs -text
+*.jar filter=lfs diff=lfs merge=lfs -text
+*.lz filter=lfs diff=lfs merge=lfs -text
+*.lzma filter=lfs diff=lfs merge=lfs -text
+*.obscpio filter=lfs diff=lfs merge=lfs -text
+*.oxt filter=lfs diff=lfs merge=lfs -text
+*.pdf filter=lfs diff=lfs merge=lfs -text
+*.png filter=lfs diff=lfs merge=lfs -text
+*.rpm filter=lfs diff=lfs merge=lfs -text
+*.tbz filter=lfs diff=lfs merge=lfs -text
+*.tbz2 filter=lfs diff=lfs merge=lfs -text
+*.tgz filter=lfs diff=lfs merge=lfs -text
+*.ttf filter=lfs diff=lfs merge=lfs -text
+*.txz filter=lfs diff=lfs merge=lfs -text
+*.whl filter=lfs diff=lfs merge=lfs -text
+*.xz filter=lfs diff=lfs merge=lfs -text
+*.zip filter=lfs diff=lfs merge=lfs -text
+*.zst filter=lfs diff=lfs merge=lfs -text
--- a/.gitignore
+++ b/.gitignore
@ -0,0 +1 @@
+.osc
--- a/Linux-PAM-1.6.1.tar.xz
+++ b/Linux-PAM-1.6.1.tar.xz
--- a/Linux-PAM-1.6.1.tar.xz.asc
+++ b/Linux-PAM-1.6.1.tar.xz.asc
@ -0,0 +1,16 @@
+-----BEGIN PGP SIGNATURE-----
+
+iQIcBAABCgAGBQJmFWt/AAoJEKgEH6g54W42NCwP/iWl8igdScTreVF6zV79Dqu1
+sl+ZjBr/dL+DOTcotsRnoAZUOy4ug3iktMZr1t0BMpWUorNmUofH4SZuhsX0CgRq
+47t5mVqCakwn4JLq8J9cLOciMno6ips5ZT4RbMgzRYd1WcBurCAxQSNLP3aQGgub
+RFObkqw5814ksz9Ge6QVhJ4l9P0wUoKfcpkzHj2Vq+cy0EzlBtnBGCHrMDgrz5aT
+mXqGVvWTPO+lR2S+7wOLUtPoRv0uvN6h97ZszaoGoJ6wa6yYwOYz12/AiIsVQhet
+cnr29ymuwPDqlrYGD1Hb0+ZUQExjVDQY90hdJ/ZntUlK7CY/2SotpDGB9kR8dTYJ
+fpIVmR6GEZ+xSjBqa7RaiL8ieZCgT3TIvsMqteiFkqI+2lhlSGHX3g3oNSd3sbqd
+PLok6W4L+xWDp89aMyYDDs/ISjBt5sSNK4NOOTZIMK4oeScGJJvrDL3S5DOSk1ku
+o3l9N62WStD7fk0LYnyUGZORg/ccK6Yy2fV22zBMm/76PoyA1yHfFxCW+HwwmcqR
+0riaFjA8cesZ3Dj79q24U3FRVdW5fTF9gS/5mK/Yj51KMMzTkUmbjksEC/AEBKzB
+9laXxPdIeKUwNlGs7Heo/NE87u4OZfyihwpzLaTcOzbpN3zDyH6aH5poDs1FSaQ2
+UoUkHsbCWJU/ksn/9BIQ
+=Dbz2
+-----END PGP SIGNATURE-----
--- a/3
+++ b/3
@ -0,0 +1,3 @@
+<multibuild>
+  <flavor>full</flavor>
+</multibuild>
--- a/baselibs.conf
+++ b/baselibs.conf
@ -0,0 +1,6 @@
+pam
+	requires "(systemd-<targettype> if systemd)"
+	obsoletes "pam_unix-<targettype>"
+	obsoletes "pam_unix-nis-<targettype>"
+pam-extra
+pam-devel
--- a/common-account.pamd
+++ b/common-account.pamd
@ -0,0 +1,9 @@
+#
+# /etc/pam.d/common-account - account settings common to all services
+#
+# This file is included from other service-specific PAM config files,
+# and should contain a list of the account modules that define
+# the central access policy for use on the system.  The default is to
+# only deny service to users whose accounts are expired.
+#
+account	required	pam_unix.so	try_first_pass
--- a/common-auth.pamd
+++ b/common-auth.pamd
@ -0,0 +1,11 @@
+#
+# /etc/pam.d/common-auth - authentication settings common to all services
+#
+# This file is included from other service-specific PAM config files,
+# and should contain a list of the authentication modules that define
+# the central authentication scheme for use on the system
+# (e.g., /etc/shadow, LDAP, Kerberos, etc.).  The default is to use the
+# traditional Unix authentication mechanisms.
+#
+auth	required	pam_env.so
+auth	required	pam_unix.so	try_first_pass
--- a/common-password.pamd
+++ b/common-password.pamd
@ -0,0 +1,11 @@
+#
+# /etc/pam.d/common-password - password-related modules common to all services
+#
+# This file is included from other service-specific PAM config files,
+# and should contain a list of modules that define  the services to be
+# used to change user passwords.
+#
+# The "nullok" option allows users to change an empty password, else
+# empty passwords are treated as locked accounts.
+#
+password        required        pam_unix.so     nullok
--- a/common-session-nonlogin.pamd
+++ b/common-session-nonlogin.pamd
@ -0,0 +1,13 @@
+#
+# /etc/pam.d/common-session-nonlogin - session-related modules common
+# to services not doing a real login
+#
+# This file is included from other service-specific PAM config files,
+# and should contain a list of modules that define tasks to be performed
+# at the start and end of sessions of *any* kind (both interactive and
+# non-interactive), but not if they don't create a new login session
+# (e.g. like cron, chfn, chsh, ...)
+#
+session	required	pam_unix.so	try_first_pass
+session optional	pam_umask.so
+session optional	pam_env.so
--- a/common-session.pamd
+++ b/common-session.pamd
@ -0,0 +1,12 @@
+#
+# /etc/pam.d/common-session - session-related modules common to all services
+#
+# This file is included from other service-specific PAM config files,
+# and should contain a list of modules that define tasks to be performed
+# at the start and end of sessions of *any* kind (both interactive and
+# non-interactive).
+#
+session optional	pam_systemd.so
+session	required	pam_unix.so	try_first_pass
+session optional	pam_umask.so
+session optional	pam_env.so
--- a/macros.pam
+++ b/macros.pam
@ -0,0 +1,8 @@
+%_pam_libdir         %{_libdir}
+%_pam_moduledir      %{_libdir}/security
+%_pam_secconfdir     %{_sysconfdir}/security
+%_pam_secdistconfdir %{_distconfdir}/security
+%_pam_confdir        %{_sysconfdir}/pam.d
+%_pam_vendordir      %{_prefix}/lib/pam.d
+# legacy, to be retired
+%_pamdir             %{_pam_moduledir}
--- a/other.pamd
+++ b/other.pamd
@ -0,0 +1,10 @@
+#%PAM-1.0
+auth	 required	pam_warn.so
+auth	 required	pam_deny.so
+account  required	pam_warn.so
+account	 required	pam_deny.so
+password required	pam_warn.so
+password required	pam_deny.so
+session  required       pam_warn.so
+session	 required	pam_deny.so
+
--- a/pam-bsc1194818-cursor-escape.patch
+++ b/pam-bsc1194818-cursor-escape.patch
@ -0,0 +1,36 @@
+From 8ae228fa76ff9ef1d8d6b2199582d9206f1830c6 Mon Sep 17 00:00:00 2001
+From: Stanislav Brabec <sbrabec@suse.cz>
+Date: Mon, 22 Jul 2024 23:18:16 +0200
+Subject: [PATCH] libpam_misc: Use ECHOCTL in the terminal input
+
+Use the canonical terminal mode (line mode) and set ECHOCTL to prevent
+cursor escape from the login prompt using arrows or escape sequences.
+
+ICANON is the default in most cases anyway. ECHOCTL is default on tty, but
+for example not on pty, allowing cursor to escape.
+
+Stanislav Brabec <sbrabec@suse.com>
+---
+ libpam_misc/misc_conv.c | 5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+diff --git a/libpam_misc/misc_conv.c b/libpam_misc/misc_conv.c
+index 7410e929..6b839b48 100644
+--- a/libpam_misc/misc_conv.c
+++ b/libpam_misc/misc_conv.c
+@@ -145,9 +145,10 @@ static int read_string(int echo, const char *prompt, char **retstr)
+ 	    return -1;
+ 	}
+ 	memcpy(&term_tmp, &term_before, sizeof(term_tmp));
+-	if (!echo) {
+	if (echo)
+	    term_tmp.c_lflag |= ICANON | ECHOCTL;
+	else
+ 	    term_tmp.c_lflag &= ~(ECHO);
+-	}
+ 	have_term = 1;
+ 
+ 	/*
+-- 
+2.45.2
+
--- a/pam-limit-nproc.patch
+++ b/pam-limit-nproc.patch
@ -0,0 +1,11 @@
+Index: Linux-PAM-1.3.1/modules/pam_limits/limits.conf
+===================================================================
+--- Linux-PAM-1.3.1.orig/modules/pam_limits/limits.conf
+++ Linux-PAM-1.3.1/modules/pam_limits/limits.conf
+@@ -47,4 +47,6 @@
+ #ftp             hard    nproc           0
+ #@student        -       maxlogins       4
+ 
+# No limits for nproc, use systemd configuration instead
+
+ # End of file
--- a/pam-login_defs-check.sh
+++ b/pam-login_defs-check.sh
@ -0,0 +1,46 @@
+#!/bin/bash
+
+# Extract list of variables supported by su/runuser.
+#
+# If you edit this file, you will probably need to edit
+# shadow-login_defs-check.sh from shadow sources in a similar way.
+
+set -o errexit
+
+echo -n "Checking login.defs variables in pam... " >&2
+grep -rh LOGIN_DEFS . |
+	sed -n 's/CRYPTO_KEY/\"HMAC_CRYPTO_ALGO\"/g;s/^.*search_key *([A-Za-z_]*, *[A-Z_]*LOGIN_DEFS, *"\([A-Z0-9_]*\)").*$/\1/p' |
+	LC_ALL=C sort -u >pam-login_defs-vars.lst
+
+if test $(sha1sum pam-login_defs-vars.lst | sed 's/ .*$//') != 8521c47f55dff97fac980d52395b763590cd3f07 ; then
+
+	echo "does not match!" >&2
+	echo "Checksum is: $(sha1sum pam-login_defs-vars.lst | sed 's/ .*$//')" >&2
+
+cat >&2 <<EOF
+
+You have to perform following steps:
+
+Check whether the error is false positive (script failed to extract
+variables) or true positive (variable list changed).
+
+If it is false positive:
+- Fix this script.
+- The same fix is needed in shadow package in shadow-login_defs-check.sh.
+
+If it is true positive:
+- Check-out shadow package and call shadow-login_defs-check.sh.
+- Compare its output shadow-login_defs-check-pam.lst with
+  pam-login_defs-vars.lst in the pam build directory.
+- Update shadow encryption_method_nis.patch, if needed.
+- If encryption_method_nis.patch was updated, update
+  login_defs-support-for-pam symbol version in both shadow and
+  pam spec files accordingly.
+- Update checksum in this script.
+
+EOF
+
+	exit 1
+else
+	echo "OK" >&2
+fi
--- a/pam.changes
+++ b/pam.changes
--- a/pam.spec
+++ b/pam.spec
@ -0,0 +1,579 @@
+#
+# spec file for package pam
+#
+# Copyright (c) 2020 SUSE LLC
+#
+# All modifications and additions to the file contributed by third parties
+# remain the property of their copyright owners, unless otherwise agreed
+# upon. The license for this file, and modifications and additions to the
+# file, is the same license as for the pristine package itself (unless the
+# license for the pristine package is not an Open Source License, in which
+# case the license is the MIT License). An "Open Source License" is a
+# license that conforms to the Open Source Definition (Version 1.9)
+# published by the Open Source Initiative.
+
+# Please submit bugfixes or comments via https://bugs.opensuse.org/
+#
+
+%if 0%{?sle_version} >= 150400 || 0%{?suse_version} >= 1550
+# Enable livepatching support for SLE15-SP4 onwards. It requires
+# compiler support introduced there.
+%define livepatchable 1
+
+# Set variables for livepatching.
+%define _other %{_topdir}/OTHER
+%define tar_basename pam-livepatch-%{version}-%{release}
+%define tar_package_name %{tar_basename}.%{_arch}.tar.xz
+%define clones_dest_dir %{tar_basename}/%{_arch}
+%else
+# Unsupported operating system.
+%define livepatchable 0
+%endif
+
+%ifnarch x86_64
+# Unsupported architectures must have livepatch disabled.
+%define livepatchable 0
+%endif
+
+%bcond_without selinux
+%bcond_with debug
+
+%define flavor @BUILD_FLAVOR@%{nil}
+
+%define config_files pam.d/other pam.d/common-account pam.d/common-auth pam.d/common-password pam.d/common-session \\\
+	security/faillock.conf security/group.conf security/limits.conf security/pam_env.conf security/access.conf \\\
+	security/namespace.conf security/namespace.init security/sepermit.conf
+
+%if "%{flavor}" == "full"
+%define build_main 0
+%define build_doc 1
+%define build_extra 1
+%define build_userdb 1
+%define name_suffix -%{flavor}-src
+%else
+%define build_main 1
+%define build_doc 0
+%define build_extra 0
+%define build_userdb 0
+%define name_suffix %{nil}
+%endif
+
+#
+%define libpam_so_version 0.85.1
+%define libpam_misc_so_version 0.82.1
+%define libpamc_so_version 0.82.1
+%if ! %{defined _distconfdir}
+  %define _distconfdir %{_sysconfdir}
+  %define config_noreplace 1
+%endif
+#
+%{load:%{_sourcedir}/macros.pam}
+#
+Name:           pam%{name_suffix}
+#
+Version:        1.6.1
+Release:        0
+Summary:        A Security Tool that Provides Authentication for Applications
+License:        GPL-2.0-or-later OR BSD-3-Clause
+Group:          System/Libraries
+URL:            https://github.com/linux-pam/linux-pam
+Source:         Linux-PAM-%{version}.tar.xz
+Source1:        Linux-PAM-%{version}.tar.xz.asc
+Source2:        macros.pam
+Source3:        other.pamd
+Source4:        common-auth.pamd
+Source5:        common-account.pamd
+Source6:        common-password.pamd
+Source7:        common-session.pamd
+Source9:        baselibs.conf
+Source10:       unix2_chkpwd.c
+Source11:       unix2_chkpwd.8
+Source12:       pam-login_defs-check.sh
+Source13:       pam.tmpfiles
+Source20:       common-session-nonlogin.pamd
+Source21:       postlogin-auth.pamd
+Source22:       postlogin-account.pamd
+Source23:       postlogin-password.pamd
+Source24:       postlogin-session.pamd
+Patch1:         pam-limit-nproc.patch
+# https://github.com/linux-pam/linux-pam/pull/816
+Patch2:         pam-bsc1194818-cursor-escape.patch
+# https://github.com/linux-pam/linux-pam/pull/826
+Patch3:         pam_limits-systemd.patch
+# https://github.com/linux-pam/linux-pam/pull/825
+Patch4:         pam_issue-systemd.patch
+BuildRequires:  audit-devel
+BuildRequires:  bison
+BuildRequires:  flex
+BuildRequires:  libtool
+BuildRequires:  xz
+Requires(post): permissions
+# All login.defs variables require support from shadow side.
+# Upgrade this symbol version only if new variables appear!
+# Verify by shadow-login_defs-check.sh from shadow source package.
+Recommends:     login_defs-support-for-pam >= 1.5.2
+BuildRequires:  pkgconfig(libeconf)
+%if %{with selinux}
+BuildRequires:  libselinux-devel
+%endif
+Obsoletes:      pam_unix
+Obsoletes:      pam_unix-nis
+Recommends:     pam-manpages
+Requires(pre):  group(shadow)
+Requires(pre):  user(root)
+
+%description
+PAM (Pluggable Authentication Modules) is a system security tool that
+allows system administrators to set authentication policies without
+having to recompile programs that do authentication.
+
+%if %{build_userdb}
+%package -n pam-userdb
+Summary:        PAM module to authenticate against a separate database
+Group:          System/Libraries
+Provides:       pam-extra:%{_pam_moduledir}/pam_userdb.so
+BuildRequires:  libdb-4_8-devel
+BuildRequires:  pam-devel
+
+%description -n pam-userdb
+PAM (Pluggable Authentication Modules) is a system security tool that
+allows system administrators to set authentication policies without
+having to recompile programs that do authentication.
+
+This package contains pam_userdb which is used to verify a
+username/password pair against values stored in a Berkeley DB database.
+%endif
+
+
+%if %{build_extra}
+%package -n pam-extra
+Summary:        PAM module with extended dependencies
+Group:          System/Libraries
+#BuildRequires:  pkgconfig(systemd) 
+# The systemd-mini package does not pass configure checks
+BuildRequires:  systemd-devel >= 254
+BuildRequires:  pam-devel
+Provides:	pam:%{_sbindir}/pam_timestamp_check
+Provides:       pam:%{_pam_moduledir}/pam_limits.so
+
+%description -n pam-extra
+PAM (Pluggable Authentication Modules) is a system security tool that
+allows system administrators to set authentication policies without
+having to recompile programs that do authentication.
+
+This package contains extra modules eg pam_issue and pam_timestamp which
+can have extended dependencies.
+%endif
+
+%if %{build_doc}
+
+%package -n pam-doc
+Summary:        Documentation for Pluggable Authentication Modules
+Group:          Documentation/HTML
+BuildArch:      noarch
+
+%description -n pam-doc
+PAM (Pluggable Authentication Modules) is a system security tool that
+allows system administrators to set authentication policies without
+having to recompile programs that do authentication.
+
+This package contains the documentation.
+
+%package -n pam-manpages
+Summary:        Manualpages for Pluggable Authentication Modules
+Group:          Documentation/HTML
+Provides:       pam:/%{_mandir}/man8/PAM.8.gz
+BuildArch:      noarch
+BuildRequires:  docbook5-xsl-stylesheets
+BuildRequires:  elinks
+BuildRequires:  xmlgraphics-fop
+
+%description -n pam-manpages
+PAM (Pluggable Authentication Modules) is a system security tool that
+allows system administrators to set authentication policies without
+having to recompile programs that do authentication.
+
+This package contains the manual pages.
+
+%endif
+
+%package devel
+Summary:        Include Files and Libraries for PAM Development
+Group:          Development/Libraries/C and C++
+Requires:       glibc-devel
+Requires:       pam = %{version}
+
+%description devel
+PAM (Pluggable Authentication Modules) is a system security tool which
+allows system administrators to set authentication policy without
+having to recompile programs which do authentication.
+
+This package contains header files and static libraries used for
+building both PAM-aware applications and modules for use with PAM.
+
+%prep
+%autosetup -p1 -n Linux-PAM-%{version}
+cp -a %{SOURCE12} .
+
+%build
+bash ./pam-login_defs-check.sh
+export CFLAGS="%{optflags}"
+%if !%{with debug}
+CFLAGS="$CFLAGS -DNDEBUG"
+%endif
+%if %{livepatchable}
+CFLAGS="$CFLAGS -fpatchable-function-entry=16,14 -fdump-ipa-clones"
+%endif
+autoreconf
+%configure \
+	--includedir=%{_includedir}/security \
+	--docdir=%{_docdir}/pam \
+	--htmldir=%{_docdir}/pam/html \
+	--pdfdir=%{_docdir}/pam/pdf \
+	--enable-isadir=../..%{_pam_moduledir} \
+	--enable-securedir=%{_pam_moduledir} \
+	--enable-vendordir=%{_prefix}/etc \
+%if "%{flavor}" == "full"
+	--enable-logind \
+%endif
+        --disable-examples \
+	--disable-nis \
+%if %{with debug}
+	--enable-debug
+%endif
+
+%make_build
+
+%if %{livepatchable}
+
+# Ipa-clones are files generated by gcc which logs changes made across
+# functions, and we need to know such changes to build livepatches
+# correctly. These files are intended to be used by the livepatch
+# developers and may be retrieved by using `osc getbinaries`.
+#
+# Create list of ipa-clones.
+find . -name "*.ipa-clones" ! -empty | sed 's/^\.\///g' | sort > ipa-clones.list
+
+# Create ipa-clones destination folder and move clones there.
+mkdir -p ipa-clones/%{clones_dest_dir}
+while read f; do
+  _dest=ipa-clones/%{clones_dest_dir}/$f
+  mkdir -p ${_dest%/*}
+  cp $f $_dest
+done < ipa-clones.list
+
+# Create tar package with the clone files.
+tar cfJ %{tar_package_name} -C ipa-clones %{tar_basename}
+
+# Copy tar package to the OTHERS folder
+cp %{tar_package_name} %{_other}
+
+%endif # livepatchable
+
+gcc -fwhole-program -fpie -pie -D_FILE_OFFSET_BITS=64 -D_GNU_SOURCE %{optflags} -I%{_builddir}/Linux-PAM-%{version}/libpam/include %{SOURCE10} -o %{_builddir}/unix2_chkpwd -L%{_builddir}/Linux-PAM-%{version}/libpam/.libs -lpam
+
+%if %{build_main}
+%check
+%make_build check
+%endif
+
+%install
+mkdir -p %{buildroot}%{_pam_confdir}
+mkdir -p %{buildroot}%{_pam_vendordir}
+mkdir -p %{buildroot}%{_includedir}/security
+mkdir -p %{buildroot}%{_pam_moduledir}
+mkdir -p %{buildroot}/sbin
+mkdir -p -m 755 %{buildroot}%{_libdir}
+# For compat reasons
+mkdir -p %{buildroot}%{_distconfdir}/pam.d
+
+%make_install
+/sbin/ldconfig -n %{buildroot}%{_libdir}
+# Install documentation
+%make_install -C doc
+# install /etc/security/namespace.d used by pam_namespace.so for namespace.conf iscript
+install -d %{buildroot}%{_pam_secconfdir}/namespace.d
+# install other.pamd and common-*.pamd
+install -m 644 %{SOURCE3} %{buildroot}%{_pam_vendordir}/other
+install -m 644 %{SOURCE4} %{buildroot}%{_pam_vendordir}/common-auth
+install -m 644 %{SOURCE5} %{buildroot}%{_pam_vendordir}/common-account
+install -m 644 %{SOURCE6} %{buildroot}%{_pam_vendordir}/common-password
+install -m 644 %{SOURCE7} %{buildroot}%{_pam_vendordir}/common-session
+install -m 644 %{SOURCE20} %{buildroot}%{_pam_vendordir}/common-session-nonlogin
+install -m 644 %{SOURCE21} %{buildroot}%{_pam_vendordir}/postlogin-auth
+install -m 644 %{SOURCE22} %{buildroot}%{_pam_vendordir}/postlogin-account
+install -m 644 %{SOURCE23} %{buildroot}%{_pam_vendordir}/postlogin-password
+install -m 644 %{SOURCE24} %{buildroot}%{_pam_vendordir}/postlogin-session
+mkdir -p %{buildroot}%{_prefix}/lib/motd.d
+#
+# Remove crap
+#
+find %{buildroot} -type f -name "*.la" -delete -print
+#
+# Install READMEs of PAM modules
+#
+DOC=%{buildroot}%{_defaultdocdir}/pam
+mkdir -p $DOC/modules
+pushd modules
+for i in pam_*/README; do
+	cp -fpv "$i" "$DOC/modules/README.${i%/*}"
+done
+popd
+# Install unix2_chkpwd
+install -m 755 %{_builddir}/unix2_chkpwd %{buildroot}%{_sbindir}
+
+# rpm macros
+install -D -m 644 %{SOURCE2} %{buildroot}%{_rpmmacrodir}/macros.pam
+# /run/motd.d
+install -Dm0644 %{SOURCE13} %{buildroot}%{_tmpfilesdir}/pam.conf
+
+mkdir -p %{buildroot}%{_pam_secdistconfdir}/{limits.d,namespace.d}
+mv %{buildroot}%{_sysconfdir}/environment %{buildroot}%{_distconfdir}/environment
+
+# Remove manual pages for main package
+%if !%{build_doc}
+rm -rf %{buildroot}%{_mandir}/man?/*
+%else
+install -m 644 %{_sourcedir}/unix2_chkpwd.8 %{buildroot}/%{_mandir}/man8/
+# bsc#1188724
+echo '.so man8/pam_motd.8' > %{buildroot}%{_mandir}/man5/motd.5
+%endif
+
+%if !%{build_main}
+rm -rf %{buildroot}{%{_distconfdir}/environment,%{_pam_secdistconfdir}/{a,f,g,n,p,s,t}*}
+rm -rf %{buildroot}{%{_sysconfdir},%{_sbindir}/{f*,m*,pam_n*,pw*,u*},%{_pam_secconfdir},%{_pam_confdir},%{_datadir}/locale}
+rm -rf %{buildroot}{%{_includedir},%{_libdir}/{libpam*,pkgconfig},%{_pam_vendordir},%{_rpmmacrodir},%{_tmpfilesdir},%{_unitdir}/pam_namespace.service}
+rm -rf %{buildroot}%{_pam_moduledir}/pam_{a,b,c,d,e,f,g,h,j,k,la,lis,lo,m,n,o,p,q,r,s,v,w,x,y,z,time.,tt,um,un,usertype}*
+%else
+# Delete files for extra package
+rm -rf  %{buildroot}{%{_pam_moduledir}/pam_limits.so,%{_pam_secdistconfdir}/limits.conf,%{_pam_moduledir}/pam_issue.so,%{_pam_moduledir}/pam_timestamp.so,%{_sbindir}/pam_timestamp_check}
+
+# Create filelist with translations
+%find_lang Linux-PAM
+
+%endif
+
+%if %{build_main}
+
+%verifyscript
+%verify_permissions -e %{_sbindir}/unix_chkpwd
+%verify_permissions -e %{_sbindir}/unix2_chkpwd
+
+%post
+/sbin/ldconfig
+%set_permissions %{_sbindir}/unix_chkpwd
+%set_permissions %{_sbindir}/unix2_chkpwd
+%tmpfiles_create %{_tmpfilesdir}/pam.conf
+
+%postun -p /sbin/ldconfig
+%pre
+for i in securetty %{config_files} ; do
+  test -f %{_sysconfdir}/${i}.rpmsave && mv -v %{_sysconfdir}/${i}.rpmsave %{_sysconfdir}/${i}.rpmsave.old ||:
+done
+
+%posttrans
+# Migration to /usr/etc.
+for i in securetty %{config_files} ; do
+  test -f %{_sysconfdir}/${i}.rpmsave && mv -v %{_sysconfdir}/${i}.rpmsave %{_sysconfdir}/${i} ||:
+done
+
+%files -f Linux-PAM.lang
+%doc NEWS
+%license COPYING
+%exclude %{_defaultdocdir}/pam/html
+%exclude %{_defaultdocdir}/pam/modules
+%exclude %{_defaultdocdir}/pam/pdf
+%exclude %{_defaultdocdir}/pam/*.txt
+%dir %{_pam_confdir}
+%dir %{_pam_vendordir}
+%dir %{_pam_secconfdir}
+%dir %{_pam_secdistconfdir}
+%dir %{_prefix}/lib/motd.d
+%if %{defined config_noreplace}
+%config(noreplace) %{_pam_confdir}/other
+%config(noreplace) %{_pam_confdir}/common-*
+%else
+%{_pam_vendordir}/other
+%{_pam_vendordir}/common-*
+%{_pam_vendordir}/postlogin-*
+%endif
+%{_distconfdir}/environment
+%{_pam_secdistconfdir}/access.conf
+%{_pam_secdistconfdir}/group.conf
+%{_pam_secdistconfdir}/faillock.conf
+%{_pam_secdistconfdir}/pam_env.conf
+%if %{with selinux}
+%{_pam_secdistconfdir}/sepermit.conf
+%endif
+%{_pam_secdistconfdir}/time.conf
+%{_pam_secdistconfdir}/namespace.conf
+%{_pam_secdistconfdir}/namespace.init
+%{_pam_secdistconfdir}/pwhistory.conf
+%dir %{_pam_secdistconfdir}/namespace.d
+%{_libdir}/libpam.so.0
+%{_libdir}/libpam.so.%{libpam_so_version}
+%{_libdir}/libpamc.so.0
+%{_libdir}/libpamc.so.%{libpamc_so_version}
+%{_libdir}/libpam_misc.so.0
+%{_libdir}/libpam_misc.so.%{libpam_misc_so_version}
+%dir %{_pam_moduledir}
+%{_pam_moduledir}/pam_access.so
+%{_pam_moduledir}/pam_canonicalize_user.so
+%{_pam_moduledir}/pam_debug.so
+%{_pam_moduledir}/pam_deny.so
+%{_pam_moduledir}/pam_echo.so
+%{_pam_moduledir}/pam_env.so
+%{_pam_moduledir}/pam_exec.so
+%{_pam_moduledir}/pam_faildelay.so
+%{_pam_moduledir}/pam_faillock.so
+%{_pam_moduledir}/pam_filter.so
+%dir %{_pam_moduledir}/pam_filter
+%{_pam_moduledir}//pam_filter/upperLOWER
+%{_pam_moduledir}/pam_ftp.so
+%{_pam_moduledir}/pam_group.so
+%{_pam_moduledir}/pam_keyinit.so
+%{_pam_moduledir}/pam_listfile.so
+%{_pam_moduledir}/pam_localuser.so
+%{_pam_moduledir}/pam_loginuid.so
+%{_pam_moduledir}/pam_mail.so
+%{_pam_moduledir}/pam_mkhomedir.so
+%{_pam_moduledir}/pam_motd.so
+%{_pam_moduledir}/pam_namespace.so
+%{_pam_moduledir}/pam_nologin.so
+%{_pam_moduledir}/pam_permit.so
+%{_pam_moduledir}/pam_pwhistory.so
+%{_pam_moduledir}/pam_rhosts.so
+%{_pam_moduledir}/pam_rootok.so
+%{_pam_moduledir}/pam_securetty.so
+%if %{with selinux}
+%{_pam_moduledir}/pam_selinux.so
+%{_pam_moduledir}/pam_sepermit.so
+%endif
+%{_pam_moduledir}/pam_setquota.so
+%{_pam_moduledir}/pam_shells.so
+%{_pam_moduledir}/pam_stress.so
+%{_pam_moduledir}/pam_succeed_if.so
+%{_pam_moduledir}/pam_time.so
+%{_pam_moduledir}/pam_tty_audit.so
+%{_pam_moduledir}/pam_umask.so
+%{_pam_moduledir}/pam_unix.so
+%{_pam_moduledir}/pam_usertype.so
+%{_pam_moduledir}/pam_warn.so
+%{_pam_moduledir}/pam_wheel.so
+%{_pam_moduledir}/pam_xauth.so
+%{_sbindir}/faillock
+%{_sbindir}/mkhomedir_helper
+%{_sbindir}/pam_namespace_helper
+%{_sbindir}/pwhistory_helper
+%verify(not mode) %attr(4755,root,shadow) %{_sbindir}/unix_chkpwd
+%verify(not mode) %attr(4755,root,shadow) %{_sbindir}/unix2_chkpwd
+%attr(0700,root,root) %{_sbindir}/unix_update
+%{_unitdir}/pam_namespace.service
+%{_tmpfilesdir}/pam.conf
+
+%files devel
+%defattr(644,root,root,755)
+%dir %{_includedir}/security
+%{_includedir}/security/*.h
+%{_libdir}/libpam.so
+%{_libdir}/libpamc.so
+%{_libdir}/libpam_misc.so
+%{_rpmmacrodir}/macros.pam
+%{_libdir}/pkgconfig/pam*.pc
+%endif
+
+%if %{build_userdb}
+%files -n pam-userdb
+%defattr(-,root,root,755)
+%{_pam_moduledir}/pam_userdb.so
+%{_mandir}/man8/pam_userdb.8%{?ext_man}
+%endif
+
+%if %{build_extra}
+%files -n pam-extra
+%defattr(-,root,root,755)
+%dir %{_pam_secdistconfdir}
+%dir %{_pam_secdistconfdir}/limits.d
+%{_pam_secdistconfdir}/limits.conf
+%{_pam_moduledir}/pam_limits.so
+%{_pam_moduledir}/pam_issue.so
+%{_pam_moduledir}/pam_timestamp.so
+%{_sbindir}/pam_timestamp_check
+%endif
+
+%if %{build_doc}
+
+%files -n pam-doc
+%defattr(644,root,root,755)
+%dir %{_defaultdocdir}/pam
+%doc %{_defaultdocdir}/pam/html
+%doc %{_defaultdocdir}/pam/modules
+%doc %{_defaultdocdir}/pam/pdf
+%doc %{_defaultdocdir}/pam/*.txt
+
+%files -n pam-manpages
+%{_mandir}/man3/pam*.3%{?ext_man}
+%{_mandir}/man3/misc_conv.3%{?ext_man}
+%{_mandir}/man5/environment.5%{?ext_man}
+%{_mandir}/man5/*.conf.5%{?ext_man}
+%{_mandir}/man5/pam.d.5%{?ext_man}
+%{_mandir}/man5/motd.5%{?ext_man}
+%{_mandir}/man8/PAM.8%{?ext_man}
+%{_mandir}/man8/faillock.8%{?ext_man}
+%{_mandir}/man8/mkhomedir_helper.8%{?ext_man}
+%{_mandir}/man8/pam.8%{?ext_man}
+%{_mandir}/man8/pam_access.8%{?ext_man}
+%{_mandir}/man8/pam_canonicalize_user.8%{?ext_man}
+%{_mandir}/man8/pam_debug.8%{?ext_man}
+%{_mandir}/man8/pam_deny.8%{?ext_man}
+%{_mandir}/man8/pam_echo.8%{?ext_man}
+%{_mandir}/man8/pam_env.8%{?ext_man}
+%{_mandir}/man8/pam_exec.8%{?ext_man}
+%{_mandir}/man8/pam_faildelay.8%{?ext_man}
+%{_mandir}/man8/pam_faillock.8%{?ext_man}
+%{_mandir}/man8/pam_filter.8%{?ext_man}
+%{_mandir}/man8/pam_ftp.8%{?ext_man}
+%{_mandir}/man8/pam_group.8%{?ext_man}
+%{_mandir}/man8/pam_issue.8%{?ext_man}
+%{_mandir}/man8/pam_keyinit.8%{?ext_man}
+%{_mandir}/man8/pam_limits.8%{?ext_man}
+%{_mandir}/man8/pam_listfile.8%{?ext_man}
+%{_mandir}/man8/pam_localuser.8%{?ext_man}
+%{_mandir}/man8/pam_loginuid.8%{?ext_man}
+%{_mandir}/man8/pam_mail.8%{?ext_man}
+%{_mandir}/man8/pam_mkhomedir.8%{?ext_man}
+%{_mandir}/man8/pam_motd.8%{?ext_man}
+%{_mandir}/man8/pam_namespace.8%{?ext_man}
+%{_mandir}/man8/pam_namespace_helper.8%{?ext_man}
+%{_mandir}/man8/pam_nologin.8%{?ext_man}
+%{_mandir}/man8/pam_permit.8%{?ext_man}
+%{_mandir}/man8/pam_pwhistory.8%{?ext_man}
+%{_mandir}/man8/pam_rhosts.8%{?ext_man}
+%{_mandir}/man8/pam_rootok.8%{?ext_man}
+%{_mandir}/man8/pam_securetty.8%{?ext_man}
+%if %{with selinux}
+%{_mandir}/man8/pam_selinux.8%{?ext_man}
+%{_mandir}/man8/pam_sepermit.8%{?ext_man}
+%endif
+%{_mandir}/man8/pam_setquota.8%{?ext_man}
+%{_mandir}/man8/pam_shells.8%{?ext_man}
+%{_mandir}/man8/pam_stress.8%{?ext_man}
+%{_mandir}/man8/pam_succeed_if.8%{?ext_man}
+%{_mandir}/man8/pam_time.8%{?ext_man}
+%{_mandir}/man8/pam_timestamp.8%{?ext_man}
+%{_mandir}/man8/pam_timestamp_check.8%{?ext_man}
+%{_mandir}/man8/pam_tty_audit.8%{?ext_man}
+%{_mandir}/man8/pam_umask.8%{?ext_man}
+%{_mandir}/man8/pam_unix.8%{?ext_man}
+%{_mandir}/man8/pam_usertype.8%{?ext_man}
+%{_mandir}/man8/pam_warn.8%{?ext_man}
+%{_mandir}/man8/pam_wheel.8%{?ext_man}
+%{_mandir}/man8/pam_xauth.8%{?ext_man}
+%{_mandir}/man8/pwhistory_helper.8%{?ext_man}
+%{_mandir}/man8/unix2_chkpwd.8%{?ext_man}
+%{_mandir}/man8/unix_chkpwd.8%{?ext_man}
+%{_mandir}/man8/unix_update.8%{?ext_man}
+
+%endif
+
+%changelog
--- a/pam.tmpfiles
+++ b/pam.tmpfiles
@ -0,0 +1,4 @@
+#Type Path               Mode User Group Age Argument
+D     /run/faillock      0755 root root  -   -
+D     /run/motd.d        0755 root root  -   -
+D     /run/pam_timestamp 0755 root root  -   -
--- a/pam_issue-systemd.patch
+++ b/pam_issue-systemd.patch
@ -0,0 +1,51 @@
+From 8401cef10cd5f62849c5fcfef4c82db92712296c Mon Sep 17 00:00:00 2001
+From: Thorsten Kukuk <kukuk@suse.com>
+Date: Wed, 4 Sep 2024 16:07:56 +0200
+Subject: [PATCH] pam_issue: only count class user
+
+Since systemd added new types of classes (e.g. manager*), we cannot
+use the count of all sessions anymore, but have to check which class
+this is.
+
+This is backward compatible, systemd v209 or newer is required.
+---
+ modules/pam_issue/pam_issue.c | 20 +++++++++++++++++++-
+ 1 file changed, 19 insertions(+), 1 deletion(-)
+
+diff --git a/modules/pam_issue/pam_issue.c b/modules/pam_issue/pam_issue.c
+index aade642ec5..e2c555c405 100644
+--- a/modules/pam_issue/pam_issue.c
+++ b/modules/pam_issue/pam_issue.c
+@@ -165,13 +165,31 @@ read_issue_quoted(pam_handle_t *pamh, FILE *fp, char **prompt)
+ 		{
+ 		    unsigned int users = 0;
+ #ifdef USE_LOGIND
+-		    int sessions = sd_get_sessions(NULL);
+		    char **sessions_list;
+		    int sessions = sd_get_sessions(&sessions_list);
+ 
+ 		    if (sessions < 0) {
+ 		      pam_syslog(pamh, LOG_ERR, "logind error: %s",
+ 				 strerror(-sessions));
+ 		      _pam_drop(issue);
+ 		      return PAM_SERVICE_ERR;
+		    } else if (sessions > 0 && sessions_list != NULL) {
+		      int i;
+
+		      for (i = 0; i < sessions; i++) {
+			char *class;
+
+			if (sd_session_get_class(sessions_list[i], &class) < 0 || class == NULL)
+			  continue;
+
+			if (strncmp(class, "user", 4) == 0) // user, user-early, user-incomplete
+			  users++;
+			free(class);
+		      }
+
+		      for (i = 0; i < sessions; i++)
+			free(sessions_list[i]);
+		      free(sessions_list);
+ 		    } else {
+ 		      users = sessions;
+ 		    }
--- a/pam_limits-systemd.patch
+++ b/pam_limits-systemd.patch
@ -0,0 +1,156 @@
+From 62368315c0479657742f34074822b1f9b8608c65 Mon Sep 17 00:00:00 2001
+From: Thorsten Kukuk <kukuk@suse.com>
+Date: Fri, 6 Sep 2024 11:55:46 +0200
+Subject: [PATCH] pam_limits: use systemd-logind instead of utmp (#822)
+
+The utmp database is unreliable for counting logged in users, since
+there is no standard which defines who should create an entry at which
+time for which reason. And it has a Y2038 problem with glibc/x86-64.
+Query systemd-logind for the number of user sessions instead.
+---
+ modules/pam_limits/Makefile.am  |  4 +-
+ modules/pam_limits/pam_limits.c | 80 +++++++++++++++++++++++++++++++--
+ 2 files changed, 79 insertions(+), 5 deletions(-)
+
+diff --git a/modules/pam_limits/Makefile.am b/modules/pam_limits/Makefile.am
+index ab3cf33ed..3f64d79bb 100644
+--- a/modules/pam_limits/Makefile.am
+++ b/modules/pam_limits/Makefile.am
+@@ -24,7 +24,7 @@ limits_conf_dir = $(SCONFIGDIR)/limits.d
+ 
+ AM_CFLAGS = -I$(top_srcdir)/libpam/include \
+ 	    -DLIMITS_FILE_DIR=\"$(limits_conf_dir)\" \
+-	    $(WARN_CFLAGS)
+	    $(LOGIND_CFLAGS) $(WARN_CFLAGS)
+ AM_LDFLAGS = -no-undefined -avoid-version -module
+ if HAVE_VERSIONING
+   AM_LDFLAGS += -Wl,--version-script=$(srcdir)/../modules.map
+@@ -32,7 +32,7 @@ endif
+ 
+ securelib_LTLIBRARIES = pam_limits.la
+ pam_limits_la_LIBADD = $(top_builddir)/libpam_internal/libpam_internal.la \
+-		       $(top_builddir)/libpam/libpam.la
+		       $(top_builddir)/libpam/libpam.la $(SYSTEMD_LIBS)
+ 
+ dist_secureconf_DATA = limits.conf
+ 
+diff --git a/modules/pam_limits/pam_limits.c b/modules/pam_limits/pam_limits.c
+index 75c584fca..4b4a45f18 100644
+--- a/modules/pam_limits/pam_limits.c
+++ b/modules/pam_limits/pam_limits.c
+@@ -36,7 +36,12 @@
+ #include <sys/resource.h>
+ #include <limits.h>
+ #include <glob.h>
+#ifdef USE_LOGIND
+#include <systemd/sd-login.h>
+#else
+ #include <utmp.h>
+#endif
+
+ #ifndef UT_USER  /* some systems have ut_name instead of ut_user */
+ #define UT_USER ut_user
+ #endif
+@@ -240,7 +245,6 @@ static int
+ check_logins (pam_handle_t *pamh, const char *name, int limit, int ctrl,
+               struct pam_limit_s *pl)
+ {
+-    struct utmp *ut;
+     int count;
+ 
+     if (ctrl & PAM_DEBUG_ARG) {
+@@ -255,8 +259,6 @@ check_logins (pam_handle_t *pamh, const char *name, int limit, int ctrl,
+         return LOGIN_ERR;
+     }
+ 
+-    setutent();
+-
+     /* Because there is no definition about when an application
+        actually adds a utmp entry, some applications bizarrely do the
+        utmp call before the have PAM authenticate them to the system:
+@@ -273,6 +275,77 @@ check_logins (pam_handle_t *pamh, const char *name, int limit, int ctrl,
+ 	count = 1;
+     }
+ 
+#ifdef USE_LOGIND
+    char **sessions_list;
+    int sessions = sd_get_sessions(&sessions_list);
+
+    /* maxlogins needs to be 2 with systemd-logind because
+       of the systemd --user process started with first login by
+       pam_systemd.
+       Which is also calling pam_limits, but in this very first special
+       case the session does already exist and is counted twice.
+       With start of the second session, session manager is already running
+       and no longer counted. */
+    if (limit == 1) {
+        pam_syslog(pamh, LOG_WARNING, "Maxlogin limit needs to be 2 or higher with systemd-logind");
+        return LIMIT_ERR;
+    }
+
+    if (sessions < 0) {
+      pam_syslog(pamh, LOG_ERR, "logind error getting session list: %s",
+		 strerror(-sessions));
+      return LIMIT_ERR;
+    } else if (sessions > 0 && sessions_list != NULL && !pl->flag_numsyslogins) {
+      int i;
+
+      for (i = 0; i < sessions; i++) {
+	char *user = NULL;
+	char *class = NULL;
+
+	if (sd_session_get_class(sessions_list[i], &class) < 0 || class == NULL)
+	  continue;
+
+	if (strncmp(class, "user", 4) != 0)  { /* user, user-early, user-incomplete */
+	  free (class);
+	  continue;
+	}
+
+	if (sd_session_get_username(sessions_list[i], &user) < 0 || user == NULL) {
+	  pam_syslog(pamh, LOG_ERR, "logind error getting username: %s",
+		     strerror(-sessions));
+	  return LIMIT_ERR;
+	}
+
+	if (((pl->login_limit_def == LIMITS_DEF_USER)
+	     || (pl->login_limit_def == LIMITS_DEF_GROUP)
+	     || (pl->login_limit_def == LIMITS_DEF_DEFAULT))
+	    && strcmp(name, user) != 0) {
+	  free(user);
+	  continue;
+	}
+	if ((pl->login_limit_def == LIMITS_DEF_ALLGROUP)
+	    && pl->login_group != NULL
+	    && !pam_modutil_user_in_group_nam_nam(pamh, user, pl->login_group)) {
+	  free(user);
+	  continue;
+	}
+	free(user);
+
+	if (++count > limit) {
+	  break;
+	}
+      }
+      for (i = 0; i < sessions; i++)
+	free(sessions_list[i]);
+      free(sessions_list);
+    } else {
+      count = sessions;
+    }
+#else
+    struct utmp *ut;
+
+    setutent();
+
+     while((ut = getutent())) {
+ #ifdef USER_PROCESS
+         if (ut->ut_type != USER_PROCESS) {
+@@ -311,6 +384,7 @@ check_logins (pam_handle_t *pamh, const char *name, int limit, int ctrl,
+ 	}
+     }
+     endutent();
+#endif
+     if (count > limit) {
+ 	if (name) {
+ 	    pam_syslog(pamh, LOG_NOTICE,
--- a/postlogin-account.pamd
+++ b/postlogin-account.pamd
@ -0,0 +1,10 @@
+#
+# /etc/pam.d/postlogin-account - account settings common to login services
+#
+# This file is included from login service-specific PAM config files,
+# and contains the PAM modules which should be called after
+# the modules of "common-account".
+#
+# This file should only be included from services doing real logins,
+# so like "login", "xdm" or "sshd", but not "chsh" or "cron".
+#
--- a/postlogin-auth.pamd
+++ b/postlogin-auth.pamd
@ -0,0 +1,10 @@
+#
+# /etc/pam.d/postlogin-auth - authentication settings common to login services
+#
+# This file is included from login service-specific PAM config files,
+# and contains the PAM modules which should be called after
+# the modules of "common-auth".
+#
+# This file should only be included from services doing real logins,
+# so like "login", "xdm" or "sshd", but not "chsh" or "cron".
+#
--- a/postlogin-password.pamd
+++ b/postlogin-password.pamd
@ -0,0 +1,10 @@
+#
+# /etc/pam.d/postlogin-password - password settings common to login services
+#
+# This file is included from login service-specific PAM config files,
+# and contains the PAM modules which should be called after
+# the modules of "common-password".
+#
+# This file should only be included from services doing real logins,
+# so like "login", "xdm" or "sshd", but not "chsh" or "cron".
+#
--- a/postlogin-session.pamd
+++ b/postlogin-session.pamd
@ -0,0 +1,10 @@
+#
+# /etc/pam.d/postlogin-session - session settings common to login services
+#
+# This file is included from login service-specific PAM config files,
+# and contains the PAM modules which should be called after
+# the modules of "common-session".
+#
+# This file should only be included from services doing real logins,
+# so like "login", "xdm" or "sshd", but not "chsh" or "cron".
+#
--- a/unix2_chkpwd.8
+++ b/unix2_chkpwd.8
@ -0,0 +1,79 @@
+.\" Copyright (C) 2003 International Business Machines Corporation
+.\" This file is distributed according to the GNU General Public License.
+.\" See the file COPYING in the top level source directory for details.
+.\"
+.de Sh \" Subsection
+.br
+.if t .Sp
+.ne 5
+.PP
+\fB\\$1\fR
+.PP
+..
+.de Sp \" Vertical space (when we can't use .PP)
+.if t .sp .5v
+.if n .sp
+..
+.de Ip \" List item
+.br
+.ie \\n(.$>=3 .ne \\$3
+.el .ne 3
+.IP "\\$1" \\$2
+..
+.TH "UNIX2_CHKPWD" 8 "2003-03-21" "Linux-PAM 0.76" "Linux-PAM Manual"
+.SH NAME
+unix2_chkpwd \- helper binary that verifies the password of the current user
+.SH "SYNOPSIS"
+.ad l
+.hy 0
+
+/sbin/unix2_chkpwd \fIservicename\fR \fIusername\fR
+.sp
+.ad
+.hy
+.SH "DESCRIPTION"
+.PP
+\fBunix2_chkpwd\fR is a helper program for applications that verifies 
+the password of the current user.  It is not intended to be run directly from 
+the command line and logs a security violation if done so. 
+
+It is typically installed setuid root or setgid shadow and called by
+applications, which only wishes to do an user authentification and
+nothing more.
+
+.SH "OPTIONS"
+.PP
+unix2_chkpwd requires the following arguments:
+.TP
+\fIpam_service\fR
+The name of the service using unix2_chkpwd. This is required to be one of
+the services in /etc/pam.d
+.TP
+\fIusername\fR
+The name of the user whose password you want to verify.
+
+.SH "INPUTS"
+.PP
+unix2_chkpwd expects the password via stdin.
+
+.SH "RETURN CODES"
+.PP
+\fBunix2_chkpwd\fR has the following return codes:
+.TP
+1
+unix2_chkpwd was inappropriately called from the command line or the password is incorrect.
+
+.TP
+0
+The password is correct.
+
+.SH "HISTORY"
+Written by Olaf Kirch loosely based on unix_chkpwd by Andrew Morgan
+
+.SH "SEE ALSO"
+
+.PP
+\fBpam\fR(8)
+
+.SH AUTHOR
+Emily Ratliff.
--- a/unix2_chkpwd.c
+++ b/unix2_chkpwd.c
@ -0,0 +1,337 @@
+/*
+ * Set*id helper program for PAM authentication.
+ *
+ * It is supposed to be called from pam_unix2's
+ * pam_sm_authenticate function if the function notices
+ * that it's unable to get the password from the shadow file
+ * because it doesn't have sufficient permissions.
+ *
+ * Copyright (C) 2002 SuSE Linux AG
+ *
+ * Written by okir@suse.de, loosely based on unix_chkpwd
+ * by Andrew Morgan.
+ */
+
+#include <security/pam_appl.h>
+#include <security/_pam_macros.h>
+
+#include <sys/types.h>
+#include <stdarg.h>
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <syslog.h>
+#include <unistd.h>
+#include <pwd.h>
+#include <signal.h>
+#include <fcntl.h>
+#include <ctype.h>
+#include <errno.h>
+
+#define BUFLEN	1024
+#ifndef LOGINDEFS
+#define LOGINDEFS	"/etc/login.defs"
+#endif
+#define LOGINDEFS_FAIL_DELAY_KEY	"FAIL_DELAY"
+#define DEFAULT_FAIL_DELAY_S	10
+
+#define PASSWD_CRACKER_DELAY_MS	100
+
+enum {
+	UNIX_PASSED = 0,
+	UNIX_FAILED = 1
+};
+
+static char *	program_name;
+static char	pass[64];
+static int	npass = -1;
+
+/*
+ * Log error messages
+ */
+static void
+_log_err(int err, const char *format,...)
+{
+	va_list args;
+
+	va_start(args, format);
+	openlog(program_name, LOG_CONS | LOG_PID, LOG_AUTH);
+	vsyslog(err, format, args);
+	va_end(args);
+	closelog();
+}
+
+static void
+su_sighandler(int sig)
+{
+	if (sig > 0) {
+		_log_err(LOG_NOTICE, "caught signal %d.", sig);
+		exit(sig);
+	}
+}
+
+/*
+ * Setup signal handlers
+ */
+static void
+setup_signals(void)
+{
+	struct sigaction action;
+
+	memset((void *) &action, 0, sizeof(action));
+	action.sa_handler = su_sighandler;
+	action.sa_flags = SA_RESETHAND;
+	sigaction(SIGILL, &action, NULL);
+	sigaction(SIGTRAP, &action, NULL);
+	sigaction(SIGBUS, &action, NULL);
+	sigaction(SIGSEGV, &action, NULL);
+	action.sa_handler = SIG_IGN;
+	action.sa_flags = 0;
+	sigaction(SIGTERM, &action, NULL);
+	sigaction(SIGHUP, &action, NULL);
+	sigaction(SIGINT, &action, NULL);
+	sigaction(SIGQUIT, &action, NULL);
+	sigaction(SIGALRM, &action, NULL);
+}
+
+static int
+_converse(int num_msg, const struct pam_message **msg,
+		struct pam_response **resp, void *appdata_ptr)
+{
+	struct	pam_response *reply;
+	int	num;
+
+	if (!(reply = malloc(sizeof(*reply) * num_msg)))
+		return PAM_CONV_ERR;
+
+	for (num = 0; num < num_msg; num++) {
+		reply[num].resp_retcode = PAM_SUCCESS;
+		reply[num].resp = NULL;
+		switch (msg[num]->msg_style) {
+		case PAM_PROMPT_ECHO_ON:
+			return PAM_CONV_ERR;
+		case PAM_PROMPT_ECHO_OFF:
+			/* read the password from stdin */
+			if (npass < 0) {
+				npass = read(STDIN_FILENO, pass, sizeof(pass)-1);
+				if (npass < 0) {
+					_log_err(LOG_DEBUG, "error reading password");
+					return UNIX_FAILED;
+				}
+				pass[npass] = '\0';
+			}
+			reply[num].resp = strdup(pass);
+			break;
+		case PAM_TEXT_INFO:
+		case PAM_ERROR_MSG:
+			/* ignored */
+			break;
+		default:
+			/* Must be an error of some sort... */
+			return PAM_CONV_ERR;
+		}
+	}
+
+	*resp = reply;
+	return PAM_SUCCESS;
+}
+
+static int
+_authenticate(const char *service, const char *user)
+{
+	struct pam_conv conv = { _converse, NULL };
+	pam_handle_t	*pamh;
+	int		err;
+
+	err = pam_start(service, user, &conv, &pamh);
+	if (err != PAM_SUCCESS) {
+		_log_err(LOG_ERR, "pam_start(%s, %s) failed (errno %d)",
+				service, user, err);
+		return UNIX_FAILED;
+	}
+	
+	err = pam_authenticate(pamh, 0);
+	if (err != PAM_SUCCESS)
+		_log_err(LOG_ERR, "pam_authenticate(%s, %s): %s",
+				service, user,
+				pam_strerror(pamh, err));
+
+	if (err == PAM_SUCCESS)
+	{
+		err = pam_acct_mgmt(pamh, 0);
+		if (err == PAM_SUCCESS)
+ 		{
+			int err2 = pam_setcred(pamh, PAM_REFRESH_CRED);
+			if (err2 != PAM_SUCCESS)
+				_log_err(LOG_ERR, "pam_setcred(%s, %s): %s",
+					service, user,
+					pam_strerror(pamh, err2));
+				/*
+				 * ignore errors on refresh credentials.
+				 * If this did not work we use the old once.
+				 */
+		} else {
+			_log_err(LOG_ERR, "pam_acct_mgmt(%s, %s): %s",
+				service, user,
+				pam_strerror(pamh, err));
+		}
+	}
+	
+	pam_end(pamh, err);
+
+	if (err != PAM_SUCCESS)
+		return UNIX_FAILED;
+	return UNIX_PASSED;
+}
+
+static char *
+getuidname(uid_t uid)
+{
+	struct passwd *pw;
+	static char username[32];
+
+	pw = getpwuid(uid);
+	if (pw == NULL)
+		return NULL;
+
+	strncpy(username, pw->pw_name, sizeof(username));
+	username[sizeof(username) - 1] = '\0';
+	
+	endpwent();
+	return username;
+}
+
+static int
+sane_pam_service(const char *name)
+{
+	const char *sp;
+	char	path[128];
+
+	if (strlen(name) > 32)
+		return 0;
+	for (sp = name; *sp; sp++) {
+		if (!isalnum(*sp) && *sp != '_' && *sp != '-')
+			return 0;
+	}
+
+	snprintf(path, sizeof(path), "/etc/pam.d/%s", name);
+	return access(path, R_OK) == 0;
+}
+
+static int
+get_system_fail_delay (void)
+{
+	FILE *fs;
+	char buf[BUFLEN];
+	long int delay = -1;
+	char *s;
+	int l;
+
+	fs = fopen(LOGINDEFS, "r");
+	if (NULL == fs) {
+		goto bail_out;
+	}
+
+	while ((NULL != fgets(buf, BUFLEN, fs)) && (-1 == delay)) {
+		if  (!strstr(buf, LOGINDEFS_FAIL_DELAY_KEY)) {
+			continue;
+		}
+		s = buf + strspn(buf, " \t");
+		l = strcspn(s, " \t");
+		if (strncmp(LOGINDEFS_FAIL_DELAY_KEY, s, l)) {
+			continue;
+		}
+		s += l;
+		s += strspn(s, " \t");
+		errno = 0;
+		delay = strtol(s, NULL, 10);
+		if (errno) {
+			delay = -1;
+		}
+		break;
+	}
+	fclose (fs);
+bail_out:
+	delay = (delay < 0) ? DEFAULT_FAIL_DELAY_S : delay;
+	return (int)delay;
+}
+
+int
+main(int argc, char *argv[])
+{
+	const char *program_name;
+	char	*service, *user;
+	int	fd;
+	int result = UNIX_FAILED;
+	uid_t	uid;
+
+	uid = getuid();
+
+	/*
+	 * Make sure standard file descriptors are connected.
+	 */
+	while ((fd = open("/dev/null", O_RDWR)) <= 2)
+		;
+	close(fd);
+
+	/*
+	 * Get the program name
+	 */
+	if (argc == 0)
+		program_name = "unix2_chkpwd";
+	else if ((program_name = strrchr(argv[0], '/')) != NULL)
+		program_name++;
+	else
+		program_name = argv[0];
+
+	/*
+	 * Catch or ignore as many signal as possible.
+	 */
+	setup_signals();
+
+	/*
+	 * Check argument list
+	 */
+	if (argc < 2 || argc > 3) {
+		_log_err(LOG_NOTICE, "Bad number of arguments (%d)", argc);
+		return UNIX_FAILED;
+	}
+
+	/*
+	 * Get the service name and do some sanity checks on it
+	 */
+	service = argv[1];
+	if (!sane_pam_service(service)) {
+		_log_err(LOG_ERR, "Illegal service name '%s'", service);
+		return UNIX_FAILED;
+	}
+
+	/*
+	 * Discourage users messing around (fat chance)
+	 */
+	if (isatty(STDIN_FILENO) && uid != 0) {
+		_log_err(LOG_NOTICE,
+			"Inappropriate use of Unix helper binary [UID=%d]",
+			 uid);
+		fprintf(stderr,
+			"This binary is not designed for running in this way\n"
+			"-- the system administrator has been informed\n");
+		sleep(10);	/* this should discourage/annoy the user */
+		return UNIX_FAILED;
+	}
+
+	/*
+	 * determine the caller's user name
+	 */
+	user = getuidname(uid);
+	if (argc == 3 && strcmp(user, argv[2])) {
+		user = argv[2];
+	}
+	result = _authenticate(service, user);
+	/* Discourage use of this program as a
+	 * password cracker */
+	usleep(PASSWD_CRACKER_DELAY_MS * 1000);
+	if (result != UNIX_PASSED && uid != 0)
+		sleep(get_system_fail_delay());
+	return result;
+}