diff --git a/macros.pam b/macros.pam
new file mode 100644
index 0000000..774327a
--- /dev/null
+++ b/macros.pam
@@ -0,0 +1,5 @@
+%_pam_libdir %{_libdir}
+%_pam_moduledir %{_libdir}/security
+%_pam_secconfdir %{_sysconfdir}/security
+%_pam_confdir %{_sysconfdir}/pam.d
+%_pam_vendordir %{_datadir}/pam.d
diff --git a/pam.spec b/pam.spec
index c6edf8f..b5f148a 100644
--- a/pam.spec
+++ b/pam.spec
@@ -3,7 +3,7 @@
 Summary: An extensible library which provides authentication for applications
 Name: pam
 Version: 1.5.1
-Release: 8%{?dist}
+Release: 9%{?dist}
 # The library is BSD licensed with option to relicense as GPLv2+
 # - this option is redundant as the BSD license allows that anyway.
 # pam_timestamp, pam_loginuid, and pam_console modules are GPLv2+.
@@ -11,6 +11,7 @@ License: BSD and GPLv2+
 Source0: https://github.com/linux-pam/linux-pam/releases/download/v%{version}/Linux-PAM-%{version}.tar.xz
 Source1: https://github.com/linux-pam/linux-pam/releases/download/v%{version}/Linux-PAM-%{version}.tar.xz.asc
 Source2: https://releases.pagure.org/pam-redhat/pam-redhat-%{pam_redhat_version}.tar.bz2
+Source3: macros.%{name}
 Source5: other.pamd
 Source6: system-auth.pamd
 Source7: password-auth.pamd
@@ -32,13 +33,7 @@ Patch4: https://github.com/linux-pam/linux-pam/pull/368.patch#/pam-1.5.1-no_cryp
 # https://github.com/linux-pam/linux-pam/commit/ec0e724fe53188c5c762c34ca9db6681c0de01b8
 Patch5: pam-1.5.1-pam_filter_close_file_after_controlling_tty.patch
-
-%global _pamlibdir %{_libdir}
-%global _moduledir %{_libdir}/security
-%global _secconfdir %{_sysconfdir}/security
-%global _pamconfdir %{_sysconfdir}/pam.d
-%global _pamvendordir %{_datadir}/pam.d
-%global _systemdlibdir /usr/lib/systemd/system
+%{load:%{SOURCE3}}
 %if %{?WITH_SELINUX:0}%{!?WITH_SELINUX:1}
 %global WITH_SELINUX 1
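Review bot: macros.pam ships without a comment header, and `%_pam_libdir` and `%_pam_moduledir` are defined through `%{_libdir}`, which rpm expands in the package that uses the macro rather than when pam is built. A consumer built as noarch would presumably get its own `%{_libdir}` value, which may differ from the directory libpam loads modules from on the target, so a module or symlink could be installed where PAM never looks. Suggested header: `# Directory macros for packages that ship PAM modules or configuration.` followed by `# %_pam_libdir and %_pam_moduledir follow the consumer's %{_libdir}; use them only from arch-specific packages.`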
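Review bot: `%{load:%{SOURCE3}}` at the end of the preamble has no comment saying why the macros are read from the source file rather than from an installed copy. If a pam package that already ships macros.pam is present in the build root, a reader cannot tell from the spec which definition of `%_pam_moduledir` is in effect; a one-line comment settles it: `# Load the macros from the copy in this SRPM so the build does not depend on an already installed pam.` The same hunk drops `%global _systemdlibdir`; its one user is switched to `%{_unitdir}` in the %files hunk at -265,85.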
@@ -72,6 +67,7 @@ BuildRequires: libdb-devel
 BuildRequires: linuxdoc-tools, elinks, libxslt
 BuildRequires: docbook-style-xsl, docbook-dtds
 BuildRequires: gcc
+BuildRequires: systemd
 URL: http://www.linux-pam.org/
@@ -123,7 +119,7 @@ autoreconf -i
 %build
 %configure \
 --disable-rpath \
- --libdir=%{_pamlibdir} \
+ --libdir=%{_pam_libdir} \
 --includedir=%{_includedir}/security \
 --enable-vendordir=%{_datadir} \
 %if ! %{WITH_SELINUX}
@@ -144,12 +140,15 @@ for readme in modules/pam_*/README ; do
 cp -f ${readme} doc/txts/README.`dirname ${readme} | sed -e 's|^modules/||'`
 done
+# Install the macros file
+install -D -m 644 %{SOURCE3} %{buildroot}%{_rpmconfigdir}/macros.d/macros.%{name}
+
 # Install the binaries, libraries, and modules.
 make install DESTDIR=$RPM_BUILD_ROOT LDCONFIG=:
 %if %{WITH_SELINUX}
 # Temporary compat link
-ln -sf pam_sepermit.so $RPM_BUILD_ROOT%{_moduledir}/pam_selinux_permit.so
+ln -sf pam_sepermit.so $RPM_BUILD_ROOT%{_pam_moduledir}/pam_selinux_permit.so
 %endif
 # RPM uses docs from source tree
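Review bot: `BuildRequires: systemd` pulls the whole systemd package into the build root, apparently only so that `%{_unitdir}` resolves in %files (hunk at -265,85). Where the distribution splits the macros out, `BuildRequires: systemd-rpm-macros` provides `%{_unitdir}` with a smaller set of build-time dependencies. A short comment above the line, e.g. `# for %%{_unitdir}`, would also record why the dependency exists.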
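Review bot: The added install line spells the macro directory as `%{_rpmconfigdir}/macros.d` and uses `%{buildroot}`, while the other %install lines visible in this hunk use `$RPM_BUILD_ROOT`. rpm defines `%{_rpmmacrodir}` for that directory, so `install -D -m 644 %{SOURCE3} $RPM_BUILD_ROOT%{_rpmmacrodir}/macros.%{name}` would read like its neighbours; the matching %files entry in the hunk at -242,21 would become `%{_rpmmacrodir}/macros.%{name}`. %install starts and ends outside the hunk.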
@@ -158,16 +157,16 @@ rm -rf $RPM_BUILD_ROOT%{_datadir}/doc/Linux-PAM
 rm -f $RPM_BUILD_ROOT%{_sysconfdir}/environment
 # Install default configuration files.
-install -d -m 755 $RPM_BUILD_ROOT%{_pamconfdir}
-install -d -m 755 $RPM_BUILD_ROOT%{_pamvendordir}
-install -m 644 %{SOURCE5} $RPM_BUILD_ROOT%{_pamconfdir}/other
-install -m 644 %{SOURCE6} $RPM_BUILD_ROOT%{_pamconfdir}/system-auth
-install -m 644 %{SOURCE7} $RPM_BUILD_ROOT%{_pamconfdir}/password-auth
-install -m 644 %{SOURCE8} $RPM_BUILD_ROOT%{_pamconfdir}/fingerprint-auth
-install -m 644 %{SOURCE9} $RPM_BUILD_ROOT%{_pamconfdir}/smartcard-auth
-install -m 644 %{SOURCE10} $RPM_BUILD_ROOT%{_pamconfdir}/config-util
-install -m 644 %{SOURCE16} $RPM_BUILD_ROOT%{_pamconfdir}/postlogin
-install -m 600 /dev/null $RPM_BUILD_ROOT%{_secconfdir}/opasswd
+install -d -m 755 $RPM_BUILD_ROOT%{_pam_confdir}
+install -d -m 755 $RPM_BUILD_ROOT%{_pam_vendordir}
+install -m 644 %{SOURCE5} $RPM_BUILD_ROOT%{_pam_confdir}/other
+install -m 644 %{SOURCE6} $RPM_BUILD_ROOT%{_pam_confdir}/system-auth
+install -m 644 %{SOURCE7} $RPM_BUILD_ROOT%{_pam_confdir}/password-auth
+install -m 644 %{SOURCE8} $RPM_BUILD_ROOT%{_pam_confdir}/fingerprint-auth
+install -m 644 %{SOURCE9} $RPM_BUILD_ROOT%{_pam_confdir}/smartcard-auth
+install -m 644 %{SOURCE10} $RPM_BUILD_ROOT%{_pam_confdir}/config-util
+install -m 644 %{SOURCE16} $RPM_BUILD_ROOT%{_pam_confdir}/postlogin
+install -m 600 /dev/null $RPM_BUILD_ROOT%{_pam_secconfdir}/opasswd
 install -d -m 755 $RPM_BUILD_ROOT/var/log
 install -d -m 755 $RPM_BUILD_ROOT/var/run/faillock
 install -d -m 755 $RPM_BUILD_ROOT%{_sysconfdir}/motd.d
@@ -182,23 +181,23 @@ ln -sf system-auth.5 $RPM_BUILD_ROOT%{_mandir}/man5/smartcard-auth.5
 for phase in auth acct passwd session ; do
- ln -sf pam_unix.so $RPM_BUILD_ROOT%{_moduledir}/pam_unix_${phase}.so
+ ln -sf pam_unix.so $RPM_BUILD_ROOT%{_pam_moduledir}/pam_unix_${phase}.so
 done
 # Remove .la files and make new .so links -- this depends on the value
 # of _libdir not changing, and *not* being /usr/lib.
 for lib in libpam libpamc libpam_misc ; do
-rm -f $RPM_BUILD_ROOT%{_pamlibdir}/${lib}.la
+rm -f $RPM_BUILD_ROOT%{_pam_libdir}/${lib}.la
 done
-rm -f $RPM_BUILD_ROOT%{_moduledir}/*.la
+rm -f $RPM_BUILD_ROOT%{_pam_moduledir}/*.la
-%if "%{_pamlibdir}" != "%{_libdir}"
+%if "%{_pam_libdir}" != "%{_libdir}"
 install -d -m 755 $RPM_BUILD_ROOT%{_libdir}
 for lib in libpam libpamc libpam_misc ; do
 pushd $RPM_BUILD_ROOT%{_libdir}
-ln -sf %{_pamlibdir}/${lib}.so.*.* ${lib}.so
+ln -sf %{_pam_libdir}/${lib}.so.*.* ${lib}.so
 popd
-rm -f $RPM_BUILD_ROOT%{_pamlibdir}/${lib}.so
+rm -f $RPM_BUILD_ROOT%{_pam_libdir}/${lib}.so
 done
 %endif
@@ -221,7 +220,7 @@ if [ -d ${dir} ] ; then
 %if ! %{WITH_AUDIT}
 [ ${dir} = "modules/pam_tty_audit" ] && continue
 %endif
- if ! ls -1 $RPM_BUILD_ROOT%{_moduledir}/`basename ${dir}`*.so ; then
+ if ! ls -1 $RPM_BUILD_ROOT%{_pam_moduledir}/`basename ${dir}`*.so ; then
 echo ERROR `basename ${dir}` did not build a module.
 exit 1
 fi
@@ -230,9 +229,9 @@ done
 # Check for module problems. Specifically, check that every module we just
 # installed can actually be loaded by a minimal PAM-aware application.
-/sbin/ldconfig -n $RPM_BUILD_ROOT%{_pamlibdir}
-for module in $RPM_BUILD_ROOT%{_moduledir}/pam*.so ; do
- if ! env LD_LIBRARY_PATH=$RPM_BUILD_ROOT%{_pamlibdir} \
+/sbin/ldconfig -n $RPM_BUILD_ROOT%{_pam_libdir}
+for module in $RPM_BUILD_ROOT%{_pam_moduledir}/pam*.so ; do
+ if ! env LD_LIBRARY_PATH=$RPM_BUILD_ROOT%{_pam_libdir} \
 %{SOURCE11} -ldl -lpam -L$RPM_BUILD_ROOT%{_libdir} ${module} ; then
 echo ERROR module: ${module} cannot be loaded.
 exit 1
@@ -242,21 +241,22 @@ done
 %ldconfig_scriptlets
 %files -f Linux-PAM.lang
-%dir %{_pamconfdir}
-%dir %{_pamvendordir}
-%config(noreplace) %{_pamconfdir}/other
-%config(noreplace) %{_pamconfdir}/system-auth
-%config(noreplace) %{_pamconfdir}/password-auth
-%config(noreplace) %{_pamconfdir}/fingerprint-auth
-%config(noreplace) %{_pamconfdir}/smartcard-auth
-%config(noreplace) %{_pamconfdir}/config-util
-%config(noreplace) %{_pamconfdir}/postlogin
+%dir %{_pam_confdir}
+%dir %{_pam_vendordir}
+%config(noreplace) %{_pam_confdir}/other
+%config(noreplace) %{_pam_confdir}/system-auth
+%config(noreplace) %{_pam_confdir}/password-auth
+%config(noreplace) %{_pam_confdir}/fingerprint-auth
+%config(noreplace) %{_pam_confdir}/smartcard-auth
+%config(noreplace) %{_pam_confdir}/config-util
+%config(noreplace) %{_pam_confdir}/postlogin
+%{_rpmconfigdir}/macros.d/macros.%{name}
 %{!?_licensedir:%global license %%doc}
 %license Copyright
 %license gpl-2.0.txt
-%{_pamlibdir}/libpam.so.*
-%{_pamlibdir}/libpamc.so.*
-%{_pamlibdir}/libpam_misc.so.*
+%{_pam_libdir}/libpam.so.*
+%{_pam_libdir}/libpamc.so.*
+%{_pam_libdir}/libpam_misc.so.*
 %{_sbindir}/pam_console_apply
 %{_sbindir}/pam_namespace_helper
 %{_sbindir}/faillock
@@ -265,85 +265,85 @@ done
 %attr(0700,root,root) %{_sbindir}/unix_update
 %attr(0755,root,root) %{_sbindir}/mkhomedir_helper
 %attr(0755,root,root) %{_sbindir}/pwhistory_helper
-%dir %{_moduledir}
-%{_moduledir}/pam_access.so
-%{_moduledir}/pam_chroot.so
-%{_moduledir}/pam_console.so
-%{_moduledir}/pam_debug.so
-%{_moduledir}/pam_deny.so
-%{_moduledir}/pam_echo.so
-%{_moduledir}/pam_env.so
-%{_moduledir}/pam_exec.so
-%{_moduledir}/pam_faildelay.so
-%{_moduledir}/pam_faillock.so
-%{_moduledir}/pam_filter.so
-%{_moduledir}/pam_ftp.so
-%{_moduledir}/pam_group.so
-%{_moduledir}/pam_issue.so
-%{_moduledir}/pam_keyinit.so
-%{_moduledir}/pam_lastlog.so
-%{_moduledir}/pam_limits.so
-%{_moduledir}/pam_listfile.so
-%{_moduledir}/pam_localuser.so
-%{_moduledir}/pam_loginuid.so
-%{_moduledir}/pam_mail.so
-%{_moduledir}/pam_mkhomedir.so
-%{_moduledir}/pam_motd.so
-%{_moduledir}/pam_namespace.so
-%{_moduledir}/pam_nologin.so
-%{_moduledir}/pam_permit.so
-%{_moduledir}/pam_postgresok.so
-%{_moduledir}/pam_pwhistory.so
-%{_moduledir}/pam_rhosts.so
-%{_moduledir}/pam_rootok.so
+%dir %{_pam_moduledir}
+%{_pam_moduledir}/pam_access.so
+%{_pam_moduledir}/pam_chroot.so
+%{_pam_moduledir}/pam_console.so
+%{_pam_moduledir}/pam_debug.so
+%{_pam_moduledir}/pam_deny.so
+%{_pam_moduledir}/pam_echo.so
+%{_pam_moduledir}/pam_env.so
+%{_pam_moduledir}/pam_exec.so
+%{_pam_moduledir}/pam_faildelay.so
+%{_pam_moduledir}/pam_faillock.so
+%{_pam_moduledir}/pam_filter.so
+%{_pam_moduledir}/pam_ftp.so
+%{_pam_moduledir}/pam_group.so
+%{_pam_moduledir}/pam_issue.so
+%{_pam_moduledir}/pam_keyinit.so
+%{_pam_moduledir}/pam_lastlog.so
+%{_pam_moduledir}/pam_limits.so
+%{_pam_moduledir}/pam_listfile.so
+%{_pam_moduledir}/pam_localuser.so
+%{_pam_moduledir}/pam_loginuid.so
+%{_pam_moduledir}/pam_mail.so
+%{_pam_moduledir}/pam_mkhomedir.so
+%{_pam_moduledir}/pam_motd.so
+%{_pam_moduledir}/pam_namespace.so
+%{_pam_moduledir}/pam_nologin.so
+%{_pam_moduledir}/pam_permit.so
+%{_pam_moduledir}/pam_postgresok.so
+%{_pam_moduledir}/pam_pwhistory.so
+%{_pam_moduledir}/pam_rhosts.so
+%{_pam_moduledir}/pam_rootok.so
 %if %{WITH_SELINUX}
-%{_moduledir}/pam_selinux.so
-%{_moduledir}/pam_selinux_permit.so
-%{_moduledir}/pam_sepermit.so
+%{_pam_moduledir}/pam_selinux.so
+%{_pam_moduledir}/pam_selinux_permit.so
+%{_pam_moduledir}/pam_sepermit.so
 %endif
-%{_moduledir}/pam_securetty.so
-%{_moduledir}/pam_setquota.so
-%{_moduledir}/pam_shells.so
-%{_moduledir}/pam_stress.so
-%{_moduledir}/pam_succeed_if.so
-%{_moduledir}/pam_time.so
-%{_moduledir}/pam_timestamp.so
+%{_pam_moduledir}/pam_securetty.so
+%{_pam_moduledir}/pam_setquota.so
+%{_pam_moduledir}/pam_shells.so
+%{_pam_moduledir}/pam_stress.so
+%{_pam_moduledir}/pam_succeed_if.so
+%{_pam_moduledir}/pam_time.so
+%{_pam_moduledir}/pam_timestamp.so
 %if %{WITH_AUDIT}
-%{_moduledir}/pam_tty_audit.so
+%{_pam_moduledir}/pam_tty_audit.so
 %endif
-%{_moduledir}/pam_umask.so
-%{_moduledir}/pam_unix.so
-%{_moduledir}/pam_unix_acct.so
-%{_moduledir}/pam_unix_auth.so
-%{_moduledir}/pam_unix_passwd.so
-%{_moduledir}/pam_unix_session.so
-%{_moduledir}/pam_userdb.so
-%{_moduledir}/pam_usertype.so
-%{_moduledir}/pam_warn.so
-%{_moduledir}/pam_wheel.so
-%{_moduledir}/pam_xauth.so
-%{_moduledir}/pam_filter
-%{_systemdlibdir}/pam_namespace.service
-%dir %{_secconfdir}
-%config(noreplace) %{_secconfdir}/access.conf
-%config(noreplace) %{_secconfdir}/chroot.conf
-%config %{_secconfdir}/console.perms
-%config(noreplace) %{_secconfdir}/console.handlers
-%config(noreplace) %{_secconfdir}/faillock.conf
-%config(noreplace) %{_secconfdir}/group.conf
-%config(noreplace) %{_secconfdir}/limits.conf
-%dir %{_secconfdir}/limits.d
-%config(noreplace) %{_secconfdir}/namespace.conf
-%dir %{_secconfdir}/namespace.d
-%attr(755,root,root) %config(noreplace) %{_secconfdir}/namespace.init
-%config(noreplace) %{_secconfdir}/pam_env.conf
-%config(noreplace) %{_secconfdir}/time.conf
-%config(noreplace) %{_secconfdir}/opasswd
-%dir %{_secconfdir}/console.apps
-%dir %{_secconfdir}/console.perms.d
+%{_pam_moduledir}/pam_umask.so
+%{_pam_moduledir}/pam_unix.so
+%{_pam_moduledir}/pam_unix_acct.so
+%{_pam_moduledir}/pam_unix_auth.so
+%{_pam_moduledir}/pam_unix_passwd.so
+%{_pam_moduledir}/pam_unix_session.so
+%{_pam_moduledir}/pam_userdb.so
+%{_pam_moduledir}/pam_usertype.so
+%{_pam_moduledir}/pam_warn.so
+%{_pam_moduledir}/pam_wheel.so
+%{_pam_moduledir}/pam_xauth.so
+%{_pam_moduledir}/pam_filter
+%{_unitdir}/pam_namespace.service
+%dir %{_pam_secconfdir}
+%config(noreplace) %{_pam_secconfdir}/access.conf
+%config(noreplace) %{_pam_secconfdir}/chroot.conf
+%config %{_pam_secconfdir}/console.perms
+%config(noreplace) %{_pam_secconfdir}/console.handlers
+%config(noreplace) %{_pam_secconfdir}/faillock.conf
+%config(noreplace) %{_pam_secconfdir}/group.conf
+%config(noreplace) %{_pam_secconfdir}/limits.conf
+%dir %{_pam_secconfdir}/limits.d
+%config(noreplace) %{_pam_secconfdir}/namespace.conf
+%dir %{_pam_secconfdir}/namespace.d
+%attr(755,root,root) %config(noreplace) %{_pam_secconfdir}/namespace.init
+%config(noreplace) %{_pam_secconfdir}/pam_env.conf
+%config(noreplace) %{_pam_secconfdir}/time.conf
+%config(noreplace) %{_pam_secconfdir}/opasswd
+%dir %{_pam_secconfdir}/console.apps
+%dir %{_pam_secconfdir}/console.perms.d
 %dir /var/run/console
 %if %{WITH_SELINUX}
-%config(noreplace) %{_secconfdir}/sepermit.conf
+%config(noreplace) %{_pam_secconfdir}/sepermit.conf
 %dir /var/run/sepermit
 %endif
 %dir /var/run/faillock
@@ -384,6 +384,9 @@ test "$FILE" != %{_sysconfdir}/authselect/fingerprint-auth && \
 exit 0
 %changelog
+* Thu Jul 22 2021 Iker Pedrosa - 1.5.1-9
+- Add macros file to allow other packages to stop hardcoding directory names
+
 * Fri Jul 9 2021 Iker Pedrosa - 1.5.1-8
 - Fix issues detected by covscan tool