From bcd73c678e2247f96db66d05037478e8fbe593e6 Mon Sep 17 00:00:00 2001 From: ipedrosa Date: Wed, 11 Nov 2020 15:18:15 +0100 Subject: [PATCH] - Rebase to release 1.5.0 - Rebase to pam-redhat-1.1.4 - Remove pam_cracklib, pam_tally and pam_tally2 - spec file cleanup --- .gitignore | 2 + pam-1.1.6-limits-user.patch | 20 - pam-1.1.8-audit-user-mgmt.patch | 31 - ...3.1-faillock-change-file-permissions.patch | 50 -- pam-1.4.0-coverity.patch | 131 --- pam-1.4.0-determine-user-exists.patch | 123 --- pam-1.4.0-full-relro.patch | 67 -- pam-1.4.0-libpam-start-leak.patch | 84 -- pam-1.4.0-motd-filter-files.patch | 186 ---- pam-1.4.0-motd-privilege-message.patch | 27 - pam-1.4.0-noflex.patch | 24 - pam-1.4.0-nouserenv.patch | 15 - pam-1.4.0-pwhistory-helper.patch | 808 ------------------ pam-1.4.0-redhat-modules.patch | 25 - pam-1.4.0-unix-init-daysleft.patch | 32 - pam-1.5.0-noflex.patch | 24 + pam-1.5.0-redhat-modules.patch | 25 + pam.spec | 69 +- sources | 6 +- 19 files changed, 68 insertions(+), 1681 deletions(-) delete mode 100644 pam-1.1.6-limits-user.patch delete mode 100644 pam-1.1.8-audit-user-mgmt.patch delete mode 100644 pam-1.3.1-faillock-change-file-permissions.patch delete mode 100644 pam-1.4.0-coverity.patch delete mode 100644 pam-1.4.0-determine-user-exists.patch delete mode 100644 pam-1.4.0-full-relro.patch delete mode 100644 pam-1.4.0-libpam-start-leak.patch delete mode 100644 pam-1.4.0-motd-filter-files.patch delete mode 100644 pam-1.4.0-motd-privilege-message.patch delete mode 100644 pam-1.4.0-noflex.patch delete mode 100644 pam-1.4.0-nouserenv.patch delete mode 100644 pam-1.4.0-pwhistory-helper.patch delete mode 100644 pam-1.4.0-redhat-modules.patch delete mode 100644 pam-1.4.0-unix-init-daysleft.patch create mode 100644 pam-1.5.0-noflex.patch create mode 100644 pam-1.5.0-redhat-modules.patch diff --git a/.gitignore b/.gitignore index 6a92d94..6feb1e9 100644 --- a/.gitignore +++ b/.gitignore 
@@ -4,3 +4,5 @@
 /Linux-PAM-1.3.1.tar.xz.asc
 /Linux-PAM-1.4.0.tar.xz
 /Linux-PAM-1.4.0.tar.xz.asc
+/Linux-PAM-1.5.0.tar.xz
+/Linux-PAM-1.5.0.tar.xz.asc
diff --git a/pam-1.1.6-limits-user.patch b/pam-1.1.6-limits-user.patch
deleted file mode 100644
index 3c17b78..0000000
--- a/pam-1.1.6-limits-user.patch
+++ /dev/null
@@ -1,20 +0,0 @@
-diff -up Linux-PAM-1.1.6/modules/pam_limits/limits.conf.limits Linux-PAM-1.1.6/modules/pam_limits/limits.conf
---- Linux-PAM-1.1.6/modules/pam_limits/limits.conf.limits 2012-08-15 13:08:43.000000000 +0200
-+++ Linux-PAM-1.1.6/modules/pam_limits/limits.conf 2013-03-14 16:43:37.615087671 +0100
-@@ -1,5 +1,16 @@
- # /etc/security/limits.conf
- #
-+#This file sets the resource limits for the users logged in via PAM.
-+#It does not affect resource limits of the system services.
-+#
-+#Also note that configuration files in /etc/security/limits.d directory,
-+#which are read in alphabetical order, override the settings in this
-+#file in case the domain is the same or more specific.
-+#That means for example that setting a limit for wildcard domain here
-+#can be overriden with a wildcard setting in a config file in the
-+#subdirectory, but a user specific setting here can be overriden only
-+#with a user specific setting in the subdirectory.
-+#
- #Each line describes a limit for a user in the form:
- #
- #
diff --git a/pam-1.1.8-audit-user-mgmt.patch b/pam-1.1.8-audit-user-mgmt.patch
deleted file mode 100644
index 277a569..0000000
--- a/pam-1.1.8-audit-user-mgmt.patch
+++ /dev/null
@@ -1,31 +0,0 @@
-diff -up Linux-PAM-1.1.8/modules/pam_tally2/pam_tally2.c.audit-user-mgmt Linux-PAM-1.1.8/modules/pam_tally2/pam_tally2.c
---- Linux-PAM-1.1.8/modules/pam_tally2/pam_tally2.c.audit-user-mgmt 2013-06-18 16:11:21.000000000 +0200
-+++ Linux-PAM-1.1.8/modules/pam_tally2/pam_tally2.c 2014-10-17 12:09:12.965490940 +0200
-@@ -997,9 +997,9 @@ main( int argc UNUSED, char **argv )
- #ifdef HAVE_LIBAUDIT
- char buf[64];
- int audit_fd = audit_open();
-- snprintf(buf, sizeof(buf), "pam_tally2 uid=%u reset=%hu", uid, cline_reset);
-- audit_log_user_message(audit_fd, AUDIT_USER_ACCT,
-- buf, NULL, NULL, ttyname(STDIN_FILENO), 1);
-+ snprintf(buf, sizeof(buf), "pam_tally2 reset=%hu", cline_reset);
-+ audit_log_acct_message(audit_fd, AUDIT_USER_MGMT, NULL,
-+ buf, NULL, uid, NULL, NULL, ttyname(STDIN_FILENO), 1);
- if (audit_fd >=0)
- close(audit_fd);
- #endif
-@@ -1040,11 +1040,10 @@ main( int argc UNUSED, char **argv )
- }
- else if ( !cline_reset ) {
- #ifdef HAVE_LIBAUDIT
-- char buf[64];
- int audit_fd = audit_open();
-- snprintf(buf, sizeof(buf), "pam_tally2 uid=all reset=0");
-- audit_log_user_message(audit_fd, AUDIT_USER_ACCT,
-- buf, NULL, NULL, ttyname(STDIN_FILENO), 1);
-+ audit_log_acct_message(audit_fd, AUDIT_USER_MGMT, NULL,
-+ "pam_tally2-reset-all-accts reset=0", "*", -1,
-+ NULL, NULL, ttyname(STDIN_FILENO), 1);
- if (audit_fd >=0)
- close(audit_fd);
- #endif
diff --git a/pam-1.3.1-faillock-change-file-permissions.patch b/pam-1.3.1-faillock-change-file-permissions.patch
deleted file mode 100644
index f9d777d..0000000
--- a/pam-1.3.1-faillock-change-file-permissions.patch
+++ /dev/null
@@ -1,50 +0,0 @@
-From 395915dae1571e10e2766c999974de864655ea3a Mon Sep 17 00:00:00 2001
-From: ikerexxe
-Date: Mon, 15 Jun 2020 09:52:11 +0200
-Subject: [PATCH] pam_faillock: change /run/faillock/$USER permissions to 0660
-
-Nowadays, /run/faillock/$USER files have user:root ownership and 0600
-permissions. This forces the process that writes to these files to have
-CAP_DAC_OVERRIDE capabilites. Just by changing the permissions to 0660
-the capability can be removed, which leads to a more secure system.
-
-Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=1661822
----
- modules/pam_faillock/faillock.c | 14 +++++++++++++-
- 1 file changed, 13 insertions(+), 1 deletion(-)
-
-diff --git a/modules/pam_faillock/faillock.c b/modules/pam_faillock/faillock.c
-index e492f5f9..4ea94cbe 100644
---- a/modules/pam_faillock/faillock.c
-+++ b/modules/pam_faillock/faillock.c
-@@ -76,7 +76,7 @@ open_tally (const char *dir, const char *user, uid_t uid, int create)
- flags |= O_CREAT;
- }
- 
-- fd = open(path, flags, 0600);
-+ fd = open(path, flags, 0660);
- 
- free(path);
- 
-@@ -88,6 +88,18 @@ open_tally (const char *dir, const char *user, uid_t uid, int create)
- if (st.st_uid != uid) {
- ignore_return(fchown(fd, uid, -1));
- }
-+
-+ /*
-+ * If umask is set to 022, as will probably in most systems, then the
-+ * group will not be able to write to the file. So, change the file
-+ * permissions just in case.
-+ * Note: owners of this file are user:root, so if the permissions are
-+ * not changed the root process writing to this file will require
-+ * CAP_DAC_OVERRIDE.
-+ */
-+ if (!(st.st_mode & S_IWGRP)) {
-+ ignore_return(fchmod(fd, 0660));
-+ }
- }
- }
- 
--- 
-2.26.2
-
diff --git a/pam-1.4.0-coverity.patch b/pam-1.4.0-coverity.patch
deleted file mode 100644
index 99351fe..0000000
--- a/pam-1.4.0-coverity.patch
+++ /dev/null
@@ -1,131 +0,0 @@ -diff -up Linux-PAM-1.4.0/libpam_misc/misc_conv.c.coverity Linux-PAM-1.4.0/libpam_misc/misc_conv.c ---- Linux-PAM-1.4.0/libpam_misc/misc_conv.c.coverity 2020-06-08 12:17:27.000000000 +0200 -+++ Linux-PAM-1.4.0/libpam_misc/misc_conv.c 2020-06-23 10:19:32.999827223 +0200 -@@ -211,7 +211,7 @@ static int read_string(int echo, const c - line[nc] = '\0'; - } - *retstr = strdup(line); -- _pam_overwrite(line); -+ _pam_overwrite_n(line, sizeof(line)); - if (!*retstr) { - D(("no memory for response string")); - nc = -1; -@@ -244,7 +244,7 @@ static int read_string(int echo, const c - D(("the timer appears to have expired")); - - *retstr = NULL; -- _pam_overwrite(line); -+ _pam_overwrite_n(line, sizeof(line)); - - cleanexit: - -diff -up Linux-PAM-1.4.0/libpam/pam_handlers.c.coverity Linux-PAM-1.4.0/libpam/pam_handlers.c -diff -up Linux-PAM-1.4.0/modules/pam_access/pam_access.c.coverity Linux-PAM-1.4.0/modules/pam_access/pam_access.c ---- Linux-PAM-1.4.0/modules/pam_access/pam_access.c.coverity 2020-06-23 10:19:32.999827223 +0200 -+++ Linux-PAM-1.4.0/modules/pam_access/pam_access.c 2020-06-23 10:21:17.113398827 +0200 -@@ -811,7 +811,7 @@ pam_sm_authenticate (pam_handle_t *pamh, - const char *user=NULL; - const void *void_from=NULL; - const char *from; -- const char *default_config = PAM_ACCESS_CONFIG; -+ const char * const default_config = PAM_ACCESS_CONFIG; - struct passwd *user_pw; - char hostname[MAXHOSTNAMELEN + 1]; - int rv; -diff -up Linux-PAM-1.4.0/modules/pam_limits/pam_limits.c.coverity Linux-PAM-1.4.0/modules/pam_limits/pam_limits.c ---- Linux-PAM-1.4.0/modules/pam_limits/pam_limits.c.coverity 2020-06-08 12:17:27.000000000 +0200 -+++ Linux-PAM-1.4.0/modules/pam_limits/pam_limits.c 2020-06-23 10:22:40.357855843 +0200 -@@ -342,7 +342,7 @@ static const char *lnames[RLIM_NLIMITS] - #endif - }; - --static int str2rlimit(char *name) { -+static int str2rlimit(const char *name) { - int i; - if (!name || *name == '\0') - return -1; -@@ -352,7 +352,7 @@ static 
int str2rlimit(char *name) { - return -1; - } - --static rlim_t str2rlim_t(char *value) { -+static rlim_t str2rlim_t(const char *value) { - unsigned long long rlimit = 0; - - if (!value) return (rlim_t)rlimit; -@@ -384,7 +384,7 @@ static void parse_kernel_limits(pam_hand - FILE *limitsfile; - const char *proclimits = "/proc/1/limits"; - char line[256]; -- char *hard, *soft, *name; -+ const char *hard, *soft, *name; - - if (!(limitsfile = fopen(proclimits, "r"))) { - pam_syslog(pamh, LOG_WARNING, "Could not read %s (%s), using PAM defaults", proclimits, strerror(errno)); -diff -up Linux-PAM-1.4.0/modules/pam_loginuid/pam_loginuid.c.coverity Linux-PAM-1.4.0/modules/pam_loginuid/pam_loginuid.c ---- Linux-PAM-1.4.0/modules/pam_loginuid/pam_loginuid.c.coverity 2020-06-08 12:17:27.000000000 +0200 -+++ Linux-PAM-1.4.0/modules/pam_loginuid/pam_loginuid.c 2020-06-23 10:19:32.999827223 +0200 -@@ -65,7 +65,7 @@ static int set_loginuid(pam_handle_t *pa - fd = open("/proc/self/uid_map", O_RDONLY); - if (fd >= 0) { - count = pam_modutil_read(fd, uid_map, sizeof(uid_map)); -- if (strncmp(uid_map, host_uid_map, count) != 0) -+ if (count <= 0 || strncmp(uid_map, host_uid_map, count) != 0) - rc = PAM_IGNORE; - close(fd); - } -diff -up Linux-PAM-1.4.0/modules/pam_mkhomedir/mkhomedir_helper.c.coverity Linux-PAM-1.4.0/modules/pam_mkhomedir/mkhomedir_helper.c ---- Linux-PAM-1.4.0/modules/pam_mkhomedir/mkhomedir_helper.c.coverity 2020-06-08 12:17:27.000000000 +0200 -+++ Linux-PAM-1.4.0/modules/pam_mkhomedir/mkhomedir_helper.c 2020-06-23 10:19:33.000827228 +0200 -@@ -232,6 +232,8 @@ create_homedir(const struct passwd *pwd, - { - pam_syslog(NULL, LOG_DEBUG, - "unable to open or stat src file %s: %m", newsource); -+ if (srcfd >= 0) -+ close(srcfd); - closedir(d); - - #ifndef PATH_MAX -diff -up Linux-PAM-1.4.0/modules/pam_namespace/pam_namespace.c.coverity Linux-PAM-1.4.0/modules/pam_namespace/pam_namespace.c ---- Linux-PAM-1.4.0/modules/pam_namespace/pam_namespace.c.coverity 2020-06-08 
12:17:27.000000000 +0200 -+++ Linux-PAM-1.4.0/modules/pam_namespace/pam_namespace.c 2020-06-23 10:19:33.000827228 +0200 -@@ -1488,6 +1488,7 @@ static int create_instance(struct polydi - if (fstat(fd, &newstatbuf) < 0) { - pam_syslog(idata->pamh, LOG_ERR, "Error stating %s, %m", - ipath); -+ close(fd); - rmdir(ipath); - return PAM_SESSION_ERR; - } -diff -up Linux-PAM-1.4.0/modules/pam_rootok/pam_rootok.c.coverity Linux-PAM-1.4.0/modules/pam_rootok/pam_rootok.c ---- Linux-PAM-1.4.0/modules/pam_rootok/pam_rootok.c.coverity 2020-06-08 12:17:27.000000000 +0200 -+++ Linux-PAM-1.4.0/modules/pam_rootok/pam_rootok.c 2020-06-23 10:26:21.405069413 +0200 -@@ -55,15 +55,17 @@ log_callback (int type UNUSED, const cha - int audit_fd; - va_list ap; - -- va_start(ap, fmt); - #ifdef HAVE_LIBAUDIT - audit_fd = audit_open(); - - if (audit_fd >= 0) { - char *buf; -+ int ret; - -- if (vasprintf (&buf, fmt, ap) < 0) { -- va_end(ap); -+ va_start(ap, fmt); -+ ret = vasprintf (&buf, fmt, ap); -+ va_end(ap); -+ if (ret < 0) { - return 0; - } - audit_log_user_avc_message(audit_fd, AUDIT_USER_AVC, buf, NULL, NULL, -@@ -75,6 +77,7 @@ log_callback (int type UNUSED, const cha - } - - #endif -+ va_start(ap, fmt); - vsyslog (LOG_USER | LOG_INFO, fmt, ap); - va_end(ap); - return 0; diff --git a/pam-1.4.0-determine-user-exists.patch b/pam-1.4.0-determine-user-exists.patch deleted file mode 100644 index 3e08b93..0000000 --- a/pam-1.4.0-determine-user-exists.patch +++ /dev/null 
@@ -1,123 +0,0 @@ -From af0faf666c5008e54dfe43684f210e3581ff1bca Mon Sep 17 00:00:00 2001 -From: ikerexxe -Date: Tue, 16 Jun 2020 14:32:36 +0200 -Subject: [PATCH 1/2] pam_unix: avoid determining if user exists - -Taking a look at the time for the password prompt to appear it was -possible to determine if a user existed in a system. Solved it by -matching the runtime until the password prompt was shown by always -checking the password hash for an existing and a non-existing user. - -Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=1629598 ---- - modules/pam_unix/passverify.c | 6 ++++++ - modules/pam_unix/support.c | 33 ++++++++++++++++++++++++++------- - 2 files changed, 32 insertions(+), 7 deletions(-) - -diff --git a/modules/pam_unix/passverify.c b/modules/pam_unix/passverify.c -index a571b4f7..7455eae6 100644 ---- a/modules/pam_unix/passverify.c -+++ b/modules/pam_unix/passverify.c -@@ -1096,6 +1096,12 @@ helper_verify_password(const char *name, const char *p, int nullok) - if (pwd == NULL || hash == NULL) { - helper_log_err(LOG_NOTICE, "check pass; user unknown"); - retval = PAM_USER_UNKNOWN; -+ } else if (p[0] == '\0' && nullok) { -+ if (hash[0] == '\0') { -+ retval = PAM_SUCCESS; -+ } else { -+ retval = PAM_AUTH_ERR; -+ } - } else { - retval = verify_pwd_hash(p, hash, nullok); - } -diff --git a/modules/pam_unix/support.c b/modules/pam_unix/support.c -index 41db1f04..dc67238c 100644 ---- a/modules/pam_unix/support.c -+++ b/modules/pam_unix/support.c -@@ -601,6 +601,8 @@ _unix_blankpasswd (pam_handle_t *pamh, unsigned long long ctrl, const char *name - char *salt = NULL; - int daysleft; - int retval; -+ int execloop = 1; -+ int nonexistent = 1; - - D(("called")); - -@@ -624,14 +626,31 @@ _unix_blankpasswd (pam_handle_t *pamh, unsigned long long ctrl, const char *name - - /* UNIX passwords area */ - -- retval = get_pwd_hash(pamh, name, &pwd, &salt); -+ /* -+ * Execute this loop twice: one checking the password hash of an existing -+ * user and another one 
for a non-existing user. This way the runtimes -+ * are equal, making it more difficult to differentiate existing from -+ * non-existing users. -+ */ -+ while (execloop) { -+ retval = get_pwd_hash(pamh, name, &pwd, &salt); - -- if (retval == PAM_UNIX_RUN_HELPER) { -- /* salt will not be set here so we can return immediately */ -- if (_unix_run_helper_binary(pamh, NULL, ctrl, name) == PAM_SUCCESS) -- return 1; -- else -- return 0; -+ if (retval == PAM_UNIX_RUN_HELPER) { -+ execloop = 0; -+ if(nonexistent) { -+ get_pwd_hash(pamh, "pam_unix_non_existent:", &pwd, &salt); -+ } -+ /* salt will not be set here so we can return immediately */ -+ if (_unix_run_helper_binary(pamh, NULL, ctrl, name) == PAM_SUCCESS) -+ return 1; -+ else -+ return 0; -+ } else if (retval == PAM_USER_UNKNOWN) { -+ name = "root"; -+ nonexistent = 0; -+ } else { -+ execloop = 0; -+ } - } - - /* Does this user have a password? */ --- -2.26.2 - - -From 0e9b286afe1224b91ff00936058b084ad4b776e4 Mon Sep 17 00:00:00 2001 -From: ikerexxe -Date: Tue, 16 Jun 2020 14:44:04 +0200 -Subject: [PATCH 2/2] pam_usertype: avoid determining if user exists - -Taking a look at the time for the password prompt to appear it was -possible to determine if a user existed in a system. Solved it by -matching the runtime until the password prompt was shown by always -checking the password hash for an existing and a non-existing user. 
- -Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=1629598 ---- - modules/pam_usertype/pam_usertype.c | 3 +++ - 1 file changed, 3 insertions(+) - -diff --git a/modules/pam_usertype/pam_usertype.c b/modules/pam_usertype/pam_usertype.c -index 2807c306..d03b73b5 100644 ---- a/modules/pam_usertype/pam_usertype.c -+++ b/modules/pam_usertype/pam_usertype.c -@@ -139,8 +139,11 @@ pam_usertype_get_uid(struct pam_usertype_opts *opts, - "error retrieving information about user %s", username); - } - -+ pam_modutil_getpwnam(pamh, "root"); -+ - return PAM_USER_UNKNOWN; - } -+ pam_modutil_getpwnam(pamh, "pam_usertype_non_existent:"); - - *_uid = pwd->pw_uid; - --- -2.26.2 - diff --git a/pam-1.4.0-full-relro.patch b/pam-1.4.0-full-relro.patch deleted file mode 100644 index 3f0d211..0000000 --- a/pam-1.4.0-full-relro.patch +++ /dev/null 
@@ -1,67 +0,0 @@ -diff -up Linux-PAM-1.4.0/modules/pam_filter/upperLOWER/Makefile.am.relro Linux-PAM-1.4.0/modules/pam_filter/upperLOWER/Makefile.am ---- Linux-PAM-1.4.0/modules/pam_filter/upperLOWER/Makefile.am.relro 2020-06-22 13:06:45.397887922 +0200 -+++ Linux-PAM-1.4.0/modules/pam_filter/upperLOWER/Makefile.am 2020-06-22 13:11:50.898150263 +0200 -@@ -9,7 +9,7 @@ securelibfilterdir = $(SECUREDIR)/pam_fi - - AM_CFLAGS = -I$(top_srcdir)/libpam/include -I$(top_srcdir)/libpamc/include \ - -I$(srcdir)/.. @PIE_CFLAGS@ $(WARN_CFLAGS) --AM_LDFLAGS = @PIE_LDFLAGS@ -+AM_LDFLAGS = -Wl,-z,now @PIE_LDFLAGS@ - LDADD = $(top_builddir)/libpam/libpam.la - - securelibfilter_PROGRAMS = upperLOWER -diff -up Linux-PAM-1.4.0/modules/pam_mkhomedir/Makefile.am.relro Linux-PAM-1.4.0/modules/pam_mkhomedir/Makefile.am ---- Linux-PAM-1.4.0/modules/pam_mkhomedir/Makefile.am.relro 2020-06-22 13:06:45.397887922 +0200 -+++ Linux-PAM-1.4.0/modules/pam_mkhomedir/Makefile.am 2020-06-22 13:11:57.015235608 +0200 -@@ -31,6 +31,8 @@ endif - - sbin_PROGRAMS = mkhomedir_helper - mkhomedir_helper_SOURCES = mkhomedir_helper.c -+mkhomedir_helper_CFLAGS = $(AM_CFLAGS) @PIE_CFLAGS@ -+mkhomedir_helper_LDFLAGS = -Wl,-z,now @PIE_LDFLAGS@ - mkhomedir_helper_LDADD = $(top_builddir)/libpam/libpam.la - - check_PROGRAMS = tst-pam_mkhomedir-retval -diff -up Linux-PAM-1.4.0/modules/pam_tally2/Makefile.am.relro Linux-PAM-1.4.0/modules/pam_tally2/Makefile.am ---- Linux-PAM-1.4.0/modules/pam_tally2/Makefile.am.relro 2020-06-08 12:17:27.000000000 +0200 -+++ Linux-PAM-1.4.0/modules/pam_tally2/Makefile.am 2020-06-22 13:06:45.398887936 +0200 -@@ -29,6 +29,8 @@ if HAVE_VERSIONING - pam_tally2_la_LDFLAGS += -Wl,--version-script=$(srcdir)/../modules.map - endif - -+pam_tally2_CFLAGS = $(AM_CFLAGS) @PIE_CFLAGS@ -+pam_tally2_LDFLAGS = -Wl,-z,now @PIE_LDFLAGS@ - pam_tally2_LDADD = $(top_builddir)/libpam/libpam.la $(LIBAUDIT) - - securelib_LTLIBRARIES = pam_tally2.la -diff -up 
Linux-PAM-1.4.0/modules/pam_timestamp/Makefile.am.relro Linux-PAM-1.4.0/modules/pam_timestamp/Makefile.am ---- Linux-PAM-1.4.0/modules/pam_timestamp/Makefile.am.relro 2020-06-08 12:17:27.000000000 +0200 -+++ Linux-PAM-1.4.0/modules/pam_timestamp/Makefile.am 2020-06-22 13:06:45.398887936 +0200 -@@ -38,7 +38,7 @@ pam_timestamp_la_CFLAGS = $(AM_CFLAGS) - pam_timestamp_check_SOURCES = pam_timestamp_check.c - pam_timestamp_check_CFLAGS = $(AM_CFLAGS) @PIE_CFLAGS@ - pam_timestamp_check_LDADD = $(top_builddir)/libpam/libpam.la --pam_timestamp_check_LDFLAGS = @PIE_LDFLAGS@ -+pam_timestamp_check_LDFLAGS = -Wl,-z,now @PIE_LDFLAGS@ - - hmacfile_SOURCES = hmacfile.c hmacsha1.c sha1.c - hmacfile_LDADD = $(top_builddir)/libpam/libpam.la -diff -up Linux-PAM-1.4.0/modules/pam_unix/Makefile.am.relro Linux-PAM-1.4.0/modules/pam_unix/Makefile.am ---- Linux-PAM-1.4.0/modules/pam_unix/Makefile.am.relro 2020-06-08 12:17:27.000000000 +0200 -+++ Linux-PAM-1.4.0/modules/pam_unix/Makefile.am 2020-06-22 13:06:45.398887936 +0200 -@@ -48,13 +48,13 @@ bigcrypt_LDADD = @LIBCRYPT@ - unix_chkpwd_SOURCES = unix_chkpwd.c md5_good.c md5_broken.c bigcrypt.c \ - passverify.c - unix_chkpwd_CFLAGS = $(AM_CFLAGS) @PIE_CFLAGS@ -DHELPER_COMPILE=\"unix_chkpwd\" --unix_chkpwd_LDFLAGS = @PIE_LDFLAGS@ -+unix_chkpwd_LDFLAGS = -Wl,-z,now @PIE_LDFLAGS@ - unix_chkpwd_LDADD = @LIBCRYPT@ @LIBSELINUX@ @LIBAUDIT@ - - unix_update_SOURCES = unix_update.c md5_good.c md5_broken.c bigcrypt.c \ - passverify.c - unix_update_CFLAGS = $(AM_CFLAGS) @PIE_CFLAGS@ -DHELPER_COMPILE=\"unix_update\" --unix_update_LDFLAGS = @PIE_LDFLAGS@ -+unix_update_LDFLAGS = -Wl,-z,now @PIE_LDFLAGS@ - unix_update_LDADD = @LIBCRYPT@ @LIBSELINUX@ - - if ENABLE_REGENERATE_MAN diff --git a/pam-1.4.0-libpam-start-leak.patch b/pam-1.4.0-libpam-start-leak.patch deleted file mode 100644 index 2733b56..0000000 --- a/pam-1.4.0-libpam-start-leak.patch +++ /dev/null 
@@ -1,84 +0,0 @@ -From 50ab1eda259ff039922b2774895f09bf0a57e078 Mon Sep 17 00:00:00 2001 -From: Andreas Schneider -Date: Wed, 4 Nov 2020 17:21:47 +0100 -Subject: [PATCH 1/2] libpam: Fix memory leak with pam_start_confdir() - -Found with AddressSanitzer in pam_wrapper tests. - -==985738== 44 bytes in 4 blocks are definitely lost in loss record 18 of 18 -==985738== at 0x4839809: malloc (vg_replace_malloc.c:307) -==985738== by 0x48957E1: _pam_strdup (pam_misc.c:129) -==985738== by 0x489851B: _pam_start_internal (pam_start.c:85) -==985738== by 0x4849C8C: libpam_pam_start_confdir (pam_wrapper.c:418) -==985738== by 0x484AF94: pwrap_pam_start (pam_wrapper.c:1461) -==985738== by 0x484AFEE: pam_start (pam_wrapper.c:1483) -==985738== by 0x401723: setup_noconv (test_pam_wrapper.c:189) -==985738== by 0x4889E82: ??? (in /usr/lib64/libcmocka.so.0.7.0) -==985738== by 0x488A444: _cmocka_run_group_tests (in /usr/lib64/libcmocka.so.0.7.0) -==985738== by 0x403EE5: main (test_pam_wrapper.c:1059) - -Signed-off-by: Andreas Schneider ---- - libpam/pam_end.c | 3 +++ - 1 file changed, 3 insertions(+) - -diff --git a/libpam/pam_end.c b/libpam/pam_end.c -index 942253d8..406b1478 100644 ---- a/libpam/pam_end.c -+++ b/libpam/pam_end.c -@@ -56,6 +56,9 @@ int pam_end(pam_handle_t *pamh, int pam_status) - _pam_overwrite(pamh->user); - _pam_drop(pamh->user); - -+ _pam_overwrite(pamh->confdir); -+ _pam_drop(pamh->confdir); -+ - _pam_overwrite(pamh->prompt); - _pam_drop(pamh->prompt); /* prompt for pam_get_user() */ - --- -2.26.2 - - -From 51318fd423a8ab4456a278ef0aff6ad449aab916 Mon Sep 17 00:00:00 2001 -From: Andreas Schneider -Date: Wed, 4 Nov 2020 17:23:09 +0100 -Subject: [PATCH 2/2] libpam: Fix memory leak on error path in - _pam_start_internal() - -Signed-off-by: Andreas Schneider ---- - libpam/pam_start.c | 3 +++ - 1 file changed, 3 insertions(+) - -diff --git a/libpam/pam_start.c b/libpam/pam_start.c -index 59d06224..99dd0389 100644 ---- a/libpam/pam_start.c -+++ b/libpam/pam_start.c -@@ 
-115,6 +115,7 @@ static int _pam_start_internal ( - pam_syslog(*pamh, LOG_CRIT, "pam_start: malloc failed for pam_conv"); - _pam_drop((*pamh)->service_name); - _pam_drop((*pamh)->user); -+ _pam_drop((*pamh)->confdir); - _pam_drop(*pamh); - return (PAM_BUF_ERR); - } else { -@@ -128,6 +129,7 @@ static int _pam_start_internal ( - _pam_drop((*pamh)->pam_conversation); - _pam_drop((*pamh)->service_name); - _pam_drop((*pamh)->user); -+ _pam_drop((*pamh)->confdir); - _pam_drop(*pamh); - return PAM_ABORT; - } -@@ -145,6 +147,7 @@ static int _pam_start_internal ( - _pam_drop((*pamh)->pam_conversation); - _pam_drop((*pamh)->service_name); - _pam_drop((*pamh)->user); -+ _pam_drop((*pamh)->confdir); - _pam_drop(*pamh); - return PAM_ABORT; - } --- -2.26.2 - diff --git a/pam-1.4.0-motd-filter-files.patch b/pam-1.4.0-motd-filter-files.patch deleted file mode 100644 index 3d1685e..0000000 --- a/pam-1.4.0-motd-filter-files.patch +++ /dev/null 
@@ -1,186 +0,0 @@ -From 16cebfeb30a8bd7c7dc269190a054c25b0f8d044 Mon Sep 17 00:00:00 2001 -From: ikerexxe -Date: Tue, 15 Sep 2020 15:54:10 +0200 -Subject: [PATCH 1/2] pam_motd: filter motd by user and group - -modules/pam_motd/pam_motd.c: filter motd by user and group owning the -proper files. This is achieved by changing the ids of the process -reading the files from root to the target user. - -Resolves: -https://bugzilla.redhat.com/show_bug.cgi?id=1861640 ---- - modules/pam_motd/pam_motd.c | 97 ++++++++++++++++++++++++++++--------- - 1 file changed, 75 insertions(+), 22 deletions(-) - -diff --git a/modules/pam_motd/pam_motd.c b/modules/pam_motd/pam_motd.c -index 46f4fe61..a4fd0e59 100644 ---- a/modules/pam_motd/pam_motd.c -+++ b/modules/pam_motd/pam_motd.c -@@ -282,6 +282,72 @@ static void try_to_display_directories_with_overrides(pam_handle_t *pamh, - _pam_drop(dirscans); - } - -+static int drop_privileges(pam_handle_t *pamh, struct pam_modutil_privs *privs) -+{ -+ struct passwd *pw; -+ const char *username; -+ int retval; -+ -+ retval = pam_get_user(pamh, &username, "key user"); -+ -+ if (retval == PAM_SUCCESS) { -+ pw = pam_modutil_getpwnam (pamh, username); -+ } else { -+ return PAM_SESSION_ERR; -+ } -+ -+ if (pw == NULL || pam_modutil_drop_priv(pamh, privs, pw)) { -+ return PAM_SESSION_ERR; -+ } -+ -+ return PAM_SUCCESS; -+} -+ -+static int try_to_display(pam_handle_t *pamh, char **motd_path_split, -+ unsigned int num_motd_paths, -+ char **motd_dir_path_split, -+ unsigned int num_motd_dir_paths, int report_missing) -+{ -+ PAM_MODUTIL_DEF_PRIVS(privs); -+ -+ if (drop_privileges(pamh, &privs) != PAM_SUCCESS) { -+ pam_syslog(pamh, LOG_ERR, "Unable to drop privileges"); -+ return PAM_SESSION_ERR; -+ } -+ -+ if (motd_path_split != NULL) { -+ unsigned int i; -+ -+ for (i = 0; i < num_motd_paths; i++) { -+ int fd = open(motd_path_split[i], O_RDONLY, 0); -+ -+ if (fd >= 0) { -+ try_to_display_fd(pamh, fd); -+ close(fd); -+ -+ /* We found and displayed a file, -+ * 
move onto next filename. -+ */ -+ break; -+ } -+ } -+ } -+ -+ if (motd_dir_path_split != NULL) { -+ try_to_display_directories_with_overrides(pamh, -+ motd_dir_path_split, -+ num_motd_dir_paths, -+ report_missing); -+ } -+ -+ if (pam_modutil_regain_priv(pamh, &privs)) { -+ pam_syslog(pamh, LOG_ERR, "Unable to regain privileges"); -+ return PAM_SESSION_ERR; -+ } -+ -+ return PAM_SUCCESS; -+} -+ - int pam_sm_open_session(pam_handle_t *pamh, int flags, - int argc, const char **argv) - { -@@ -358,25 +424,9 @@ int pam_sm_open_session(pam_handle_t *pamh, int flags, - } - } - -- if (motd_path_split != NULL) { -- unsigned int i; -- -- for (i = 0; i < num_motd_paths; i++) { -- int fd = open(motd_path_split[i], O_RDONLY, 0); -- -- if (fd >= 0) { -- try_to_display_fd(pamh, fd); -- close(fd); -- -- /* We found and displayed a file, move onto next filename. */ -- break; -- } -- } -- } -- -- if (motd_dir_path_split != NULL) -- try_to_display_directories_with_overrides(pamh, motd_dir_path_split, -- num_motd_dir_paths, report_missing); -+ retval = try_to_display(pamh, motd_path_split, num_motd_paths, -+ motd_dir_path_split, num_motd_dir_paths, -+ report_missing); - - out: - _pam_drop(motd_path_copy); -@@ -384,9 +434,12 @@ int pam_sm_open_session(pam_handle_t *pamh, int flags, - _pam_drop(motd_dir_path_copy); - _pam_drop(motd_dir_path_split); - -- retval = pam_putenv(pamh, "MOTD_SHOWN=pam"); -- -- return retval == PAM_SUCCESS ? PAM_IGNORE : retval; -+ if (retval == PAM_SUCCESS) { -+ retval = pam_putenv(pamh, "MOTD_SHOWN=pam"); -+ return retval == PAM_SUCCESS ? PAM_IGNORE : retval; -+ } else { -+ return retval; -+ } - } - - /* end of module definition */ --- -2.26.2 - - -From ad8b6feaf8ea989368676acaea905998a807986e Mon Sep 17 00:00:00 2001 -From: ikerexxe -Date: Wed, 14 Oct 2020 11:30:00 +0200 -Subject: [PATCH 2/2] pam_motd: document file filtering - -modules/pam_motd/pam_motd.8.xml: document file filtering of motd -messages. -NEWS: annotate change. 
---- - NEWS | 3 +++ - modules/pam_motd/pam_motd.8.xml | 5 +++-- - 2 files changed, 6 insertions(+), 2 deletions(-) - -diff --git a/NEWS b/NEWS -index e8c0de87..c3b338e2 100644 ---- a/NEWS -+++ b/NEWS -@@ -1,5 +1,8 @@ - Linux-PAM NEWS -- history of user-visible changes. - -+Release 1.5.0 -+* pam_motd: read motd files with target user credentials skipping unreadable ones. -+ - Release 1.4.0 - * Multiple minor bug fixes and documentation improvements - * Fixed grammar of messages printed via pam_prompt -diff --git a/modules/pam_motd/pam_motd.8.xml b/modules/pam_motd/pam_motd.8.xml -index b533530b..0afd4c99 100644 ---- a/modules/pam_motd/pam_motd.8.xml -+++ b/modules/pam_motd/pam_motd.8.xml -@@ -64,8 +64,9 @@ - override files with the same name in /usr/lib/motd.d/. - - -- Files the in the directories listed above are displayed in -- lexicographic order by name. -+ Files in the directories listed above are displayed in lexicographic -+ order by name. Moreover, the files are filtered by reading them with the -+ credentials of the target user authenticating on the system. - - - To silence a message, --- -2.26.2 - diff --git a/pam-1.4.0-motd-privilege-message.patch b/pam-1.4.0-motd-privilege-message.patch deleted file mode 100644 index 065e3a0..0000000 --- a/pam-1.4.0-motd-privilege-message.patch +++ /dev/null 
@@ -1,27 +0,0 @@ -From 9f24bbeeb4fe04bc396898cd9825478ad52c5ac7 Mon Sep 17 00:00:00 2001 -From: ikerexxe -Date: Wed, 21 Oct 2020 09:47:20 +0200 -Subject: [PATCH] pam_motd: unset prompt value to drop privileges - -modules/pam_motd/pam_motd.c: set NULL value instead of "key user" for the -prompt when dropping privileges. ---- - modules/pam_motd/pam_motd.c | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/modules/pam_motd/pam_motd.c b/modules/pam_motd/pam_motd.c -index a4fd0e59..6ac8cba2 100644 ---- a/modules/pam_motd/pam_motd.c -+++ b/modules/pam_motd/pam_motd.c -@@ -288,7 +288,7 @@ static int drop_privileges(pam_handle_t *pamh, struct pam_modutil_privs *privs) - const char *username; - int retval; - -- retval = pam_get_user(pamh, &username, "key user"); -+ retval = pam_get_user(pamh, &username, NULL); - - if (retval == PAM_SUCCESS) { - pw = pam_modutil_getpwnam (pamh, username); --- -2.26.2 - diff --git a/pam-1.4.0-noflex.patch b/pam-1.4.0-noflex.patch deleted file mode 100644 index 966864b..0000000 --- a/pam-1.4.0-noflex.patch +++ /dev/null @@ -1,24 +0,0 @@ -diff -up Linux-PAM-1.4.0/doc/Makefile.am.noflex Linux-PAM-1.4.0/doc/Makefile.am ---- Linux-PAM-1.4.0/doc/Makefile.am.noflex 2020-06-08 12:17:27.000000000 +0200 -+++ Linux-PAM-1.4.0/doc/Makefile.am 2020-06-22 12:32:01.994741087 +0200 -@@ -2,7 +2,7 @@ - # Copyright (c) 2005, 2006 Thorsten Kukuk - # - --SUBDIRS = man specs sag adg mwg -+SUBDIRS = man sag adg mwg - - CLEANFILES = *~ - -diff -up Linux-PAM-1.4.0/Makefile.am.noflex Linux-PAM-1.4.0/Makefile.am ---- Linux-PAM-1.4.0/Makefile.am.noflex 2020-06-22 12:32:01.994741087 +0200 -+++ Linux-PAM-1.4.0/Makefile.am 2020-06-22 12:39:36.932129391 +0200 -@@ -4,7 +4,7 @@ - - AUTOMAKE_OPTIONS = 1.9 gnu dist-bzip2 dist-xz check-news - --SUBDIRS = libpam tests libpamc libpam_misc modules po conf examples xtests -+SUBDIRS = libpam tests libpamc libpam_misc modules po doc examples xtests - - if HAVE_DOC - SUBDIRS += doc 
diff --git a/pam-1.4.0-nouserenv.patch b/pam-1.4.0-nouserenv.patch deleted file mode 100644 index 27bb91f..0000000 --- a/pam-1.4.0-nouserenv.patch +++ /dev/null @@ -1,15 +0,0 @@ -diff -up Linux-PAM-1.4.0/modules/pam_env/pam_env.8.xml.nouserenv Linux-PAM-1.4.0/modules/pam_env/pam_env.8.xml ---- Linux-PAM-1.4.0/modules/pam_env/pam_env.8.xml.nouserenv 2020-06-22 13:00:37.480755648 +0200 -+++ Linux-PAM-1.4.0/modules/pam_env/pam_env.8.xml 2020-06-22 13:05:06.038501660 +0200 -@@ -158,7 +158,10 @@ - - - Turns on or off the reading of the user specific environment -- file. 0 is off, 1 is on. By default this option is off. -+ file. 0 is off, 1 is on. By default this option is off as user -+ supplied environment variables in the PAM environment could affect -+ behavior of subsequent modules in the stack without the consent -+ of the system administrator. - - - diff --git a/pam-1.4.0-pwhistory-helper.patch b/pam-1.4.0-pwhistory-helper.patch deleted file mode 100644 index 5301afa..0000000 --- a/pam-1.4.0-pwhistory-helper.patch +++ /dev/null 
@@ -1,808 +0,0 @@ -diff -up Linux-PAM-1.4.0/modules/pam_pwhistory/Makefile.am.pwhhelper Linux-PAM-1.4.0/modules/pam_pwhistory/Makefile.am ---- Linux-PAM-1.4.0/modules/pam_pwhistory/Makefile.am.pwhhelper 2020-06-08 12:17:27.000000000 +0200 -+++ Linux-PAM-1.4.0/modules/pam_pwhistory/Makefile.am 2020-06-22 13:22:13.740840867 +0200 -@@ -1,5 +1,6 @@ - # - # Copyright (c) 2008, 2009 Thorsten Kukuk -+# Copyright (c) 2013 Red Hat, Inc. - # - - CLEANFILES = *~ -@@ -8,9 +9,9 @@ MAINTAINERCLEANFILES = $(MANS) README - EXTRA_DIST = $(XMLS) - - if HAVE_DOC --dist_man_MANS = pam_pwhistory.8 -+dist_man_MANS = pam_pwhistory.8 pwhistory_helper.8 - endif --XMLS = README.xml pam_pwhistory.8.xml -+XMLS = README.xml pam_pwhistory.8.xml pwhistory_helper.8.xml - dist_check_SCRIPTS = tst-pam_pwhistory - TESTS = $(dist_check_SCRIPTS) - -@@ -18,18 +19,26 @@ securelibdir = $(SECUREDIR) - secureconfdir = $(SCONFIGDIR) - - AM_CFLAGS = -I$(top_srcdir)/libpam/include -I$(top_srcdir)/libpamc/include \ -- $(WARN_CFLAGS) --AM_LDFLAGS = -no-undefined -avoid-version -module -+ $(WARN_CFLAGS) -DPWHISTORY_HELPER=\"$(sbindir)/pwhistory_helper\" -+ -+pam_pwhistory_la_LDFLAGS = -no-undefined -avoid-version -module - if HAVE_VERSIONING -- AM_LDFLAGS += -Wl,--version-script=$(srcdir)/../modules.map -+ pam_pwhistory_la_LDFLAGS += -Wl,--version-script=$(srcdir)/../modules.map - endif - - noinst_HEADERS = opasswd.h - - securelib_LTLIBRARIES = pam_pwhistory.la --pam_pwhistory_la_LIBADD = $(top_builddir)/libpam/libpam.la @LIBCRYPT@ -+pam_pwhistory_la_CFLAGS = $(AM_CFLAGS) -+pam_pwhistory_la_LIBADD = $(top_builddir)/libpam/libpam.la @LIBCRYPT@ @LIBSELINUX@ - pam_pwhistory_la_SOURCES = pam_pwhistory.c opasswd.c - -+sbin_PROGRAMS = pwhistory_helper -+pwhistory_helper_CFLAGS = $(AM_CFLAGS) -DHELPER_COMPILE=\"pwhistory_helper\" @PIE_CFLAGS@ -+pwhistory_helper_SOURCES = pwhistory_helper.c opasswd.c -+pwhistory_helper_LDFLAGS = -Wl,-z,now @PIE_LDFLAGS@ -+pwhistory_helper_LDADD = $(top_builddir)/libpam/libpam.la 
@LIBCRYPT@ -+ - if ENABLE_REGENERATE_MAN - dist_noinst_DATA = README - -include $(top_srcdir)/Make.xml.rules -diff -up Linux-PAM-1.4.0/modules/pam_pwhistory/opasswd.c.pwhhelper Linux-PAM-1.4.0/modules/pam_pwhistory/opasswd.c ---- Linux-PAM-1.4.0/modules/pam_pwhistory/opasswd.c.pwhhelper 2020-06-08 12:17:27.000000000 +0200 -+++ Linux-PAM-1.4.0/modules/pam_pwhistory/opasswd.c 2020-06-22 13:24:02.424365617 +0200 -@@ -1,5 +1,6 @@ - /* - * Copyright (c) 2008 Thorsten Kukuk -+ * Copyright (c) 2013 Red Hat, Inc. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions -@@ -38,6 +39,7 @@ - #endif - - #include -+#include - #include - #include - #include -@@ -47,6 +49,7 @@ - #include - #include - #include -+#include - #include - - #if defined HAVE_LIBXCRYPT -@@ -55,7 +58,14 @@ - #include - #endif - -+#ifdef HELPER_COMPILE -+#define pam_modutil_getpwnam(h,n) getpwnam(n) -+#define pam_modutil_getspnam(h,n) getspnam(n) -+#define pam_syslog(h,a,...) helper_log_err(a,__VA_ARGS__) -+#else -+#include - #include -+#endif - #include - - #include "opasswd.h" -@@ -76,6 +86,19 @@ typedef struct { - char *old_passwords; - } opwd; - -+#ifdef HELPER_COMPILE -+void -+helper_log_err(int err, const char *format, ...) -+{ -+ va_list args; -+ -+ va_start(args, format); -+ openlog(HELPER_COMPILE, LOG_CONS | LOG_PID, LOG_AUTHPRIV); -+ vsyslog(err, format, args); -+ va_end(args); -+ closelog(); -+} -+#endif - - static int - parse_entry (char *line, opwd *data) -@@ -117,8 +140,8 @@ compare_password(const char *newpass, co - } - - /* Check, if the new password is already in the opasswd file. 
*/ --int --check_old_pass (pam_handle_t *pamh, const char *user, -+PAMH_ARG_DECL(int -+check_old_pass, const char *user, - const char *newpass, int debug) - { - int retval = PAM_SUCCESS; -@@ -128,6 +151,11 @@ check_old_pass (pam_handle_t *pamh, cons - opwd entry; - int found = 0; - -+#ifndef HELPER_COMPILE -+ if (SELINUX_ENABLED) -+ return PAM_PWHISTORY_RUN_HELPER; -+#endif -+ - if ((oldpf = fopen (OLD_PASSWORDS_FILE, "r")) == NULL) - { - if (errno != ENOENT) -@@ -213,9 +241,9 @@ check_old_pass (pam_handle_t *pamh, cons - return retval; - } - --int --save_old_pass (pam_handle_t *pamh, const char *user, uid_t uid, -- const char *oldpass, int howmany, int debug UNUSED) -+PAMH_ARG_DECL(int -+save_old_pass, const char *user, -+ int howmany, int debug UNUSED) - { - char opasswd_tmp[] = TMP_PASSWORDS_FILE; - struct stat opasswd_stat; -@@ -226,10 +254,35 @@ save_old_pass (pam_handle_t *pamh, const - char *buf = NULL; - size_t buflen = 0; - int found = 0; -+ struct passwd *pwd; -+ const char *oldpass; -+ -+ pwd = pam_modutil_getpwnam (pamh, user); -+ if (pwd == NULL) -+ return PAM_USER_UNKNOWN; - - if (howmany <= 0) - return PAM_SUCCESS; - -+#ifndef HELPER_COMPILE -+ if (SELINUX_ENABLED) -+ return PAM_PWHISTORY_RUN_HELPER; -+#endif -+ -+ if ((strcmp(pwd->pw_passwd, "x") == 0) || -+ ((pwd->pw_passwd[0] == '#') && -+ (pwd->pw_passwd[1] == '#') && -+ (strcmp(pwd->pw_name, pwd->pw_passwd + 2) == 0))) -+ { -+ struct spwd *spw = pam_modutil_getspnam (pamh, user); -+ -+ if (spw == NULL) -+ return PAM_USER_UNKNOWN; -+ oldpass = spw->sp_pwdp; -+ } -+ else -+ oldpass = pwd->pw_passwd; -+ - if (oldpass == NULL || *oldpass == '\0') - return PAM_SUCCESS; - -@@ -452,7 +505,7 @@ save_old_pass (pam_handle_t *pamh, const - { - char *out; - -- if (asprintf (&out, "%s:%d:1:%s\n", user, uid, oldpass) < 0) -+ if (asprintf (&out, "%s:%d:1:%s\n", user, pwd->pw_uid, oldpass) < 0) - { - retval = PAM_AUTHTOK_ERR; - if (oldpf) -diff -up Linux-PAM-1.4.0/modules/pam_pwhistory/opasswd.h.pwhhelper 
Linux-PAM-1.4.0/modules/pam_pwhistory/opasswd.h ---- Linux-PAM-1.4.0/modules/pam_pwhistory/opasswd.h.pwhhelper 2020-06-08 12:17:27.000000000 +0200 -+++ Linux-PAM-1.4.0/modules/pam_pwhistory/opasswd.h 2020-06-22 13:13:23.722445347 +0200 -@@ -1,5 +1,6 @@ - /* - * Copyright (c) 2008 Thorsten Kukuk -+ * Copyright (c) 2013 Red Hat, Inc. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions -@@ -36,10 +37,32 @@ - #ifndef __OPASSWD_H__ - #define __OPASSWD_H__ - --extern int check_old_pass (pam_handle_t *pamh, const char *user, -- const char *newpass, int debug); --extern int save_old_pass (pam_handle_t *pamh, const char *user, -- uid_t uid, const char *oldpass, -- int howmany, int debug); -+#define PAM_PWHISTORY_RUN_HELPER PAM_CRED_INSUFFICIENT -+ -+#ifdef WITH_SELINUX -+#include -+#define SELINUX_ENABLED is_selinux_enabled()>0 -+#else -+#define SELINUX_ENABLED 0 -+#endif -+ -+#ifdef HELPER_COMPILE -+#define PAMH_ARG_DECL(fname, ...) fname(__VA_ARGS__) -+#define PAMH_ARG(...) __VA_ARGS__ -+#else -+#define PAMH_ARG_DECL(fname, ...) fname(pam_handle_t *pamh, __VA_ARGS__) -+#define PAMH_ARG(...) pamh, __VA_ARGS__ -+#endif -+ -+#ifdef HELPER_COMPILE -+void -+helper_log_err(int err, const char *format, ...); -+#endif -+ -+PAMH_ARG_DECL(int -+check_old_pass, const char *user, const char *newpass, int debug); -+ -+PAMH_ARG_DECL(int -+save_old_pass, const char *user, int howmany, int debug); - - #endif /* __OPASSWD_H__ */ -diff -up Linux-PAM-1.4.0/modules/pam_pwhistory/pam_pwhistory.c.pwhhelper Linux-PAM-1.4.0/modules/pam_pwhistory/pam_pwhistory.c ---- Linux-PAM-1.4.0/modules/pam_pwhistory/pam_pwhistory.c.pwhhelper 2020-06-08 12:17:27.000000000 +0200 -+++ Linux-PAM-1.4.0/modules/pam_pwhistory/pam_pwhistory.c 2020-06-22 13:25:23.107497539 +0200 -@@ -3,6 +3,7 @@ - * - * Copyright (c) 2008, 2012 Thorsten Kukuk - * Author: Thorsten Kukuk -+ * Copyright (c) 2013 Red Hat, Inc. 
- * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions -@@ -46,10 +47,14 @@ - #include - #include - #include --#include - #include - #include - #include -+#include -+#include -+#include -+#include -+#include - - #include - #include -@@ -60,6 +65,7 @@ - #include "pam_inline.h" - - #define DEFAULT_BUFLEN 2048 -+#define MAX_FD_NO 20000 - - struct options_t { - int debug; -@@ -105,6 +111,184 @@ parse_option (pam_handle_t *pamh, const - pam_syslog (pamh, LOG_ERR, "pam_pwhistory: unknown option: %s", argv); - } - -+static int -+run_save_helper(pam_handle_t *pamh, const char *user, -+ int howmany, int debug) -+{ -+ int retval, child; -+ struct sigaction newsa, oldsa; -+ -+ memset(&newsa, '\0', sizeof(newsa)); -+ newsa.sa_handler = SIG_DFL; -+ sigaction(SIGCHLD, &newsa, &oldsa); -+ -+ child = fork(); -+ if (child == 0) -+ { -+ int i = 0; -+ struct rlimit rlim; -+ int dummyfds[2]; -+ static char *envp[] = { NULL }; -+ char *args[] = { NULL, NULL, NULL, NULL, NULL, NULL }; -+ -+ /* replace std file descriptors with a dummy pipe */ -+ if (pipe2(dummyfds, O_NONBLOCK) == 0) -+ { -+ dup2(dummyfds[0], STDIN_FILENO); -+ dup2(dummyfds[1], STDOUT_FILENO); -+ dup2(dummyfds[1], STDERR_FILENO); -+ } -+ -+ if (getrlimit(RLIMIT_NOFILE,&rlim) == 0) -+ { -+ if (rlim.rlim_max >= MAX_FD_NO) -+ rlim.rlim_max = MAX_FD_NO; -+ for (i = STDERR_FILENO + 1; i < (int)rlim.rlim_max; i++) -+ { -+ if (i != dummyfds[0]) -+ close(i); -+ } -+ } -+ -+ /* exec binary helper */ -+ args[0] = strdup(PWHISTORY_HELPER); -+ args[1] = strdup("save"); -+ args[2] = x_strdup(user); -+ asprintf(&args[3], "%d", howmany); -+ asprintf(&args[4], "%d", debug); -+ -+ execve(args[0], args, envp); -+ -+ _exit(PAM_SYSTEM_ERR); -+ } -+ else if (child > 0) -+ { -+ /* wait for child */ -+ int rc = 0; -+ rc = waitpid(child, &retval, 0); /* wait for helper to complete */ -+ if (rc < 0) -+ { -+ pam_syslog(pamh, LOG_ERR, "pwhistory_helper save 
waitpid returned %d: %m", rc); -+ retval = PAM_SYSTEM_ERR; -+ } -+ else if (!WIFEXITED(retval)) -+ { -+ pam_syslog(pamh, LOG_ERR, "pwhistory_helper save abnormal exit: %d", retval); -+ retval = PAM_SYSTEM_ERR; -+ } -+ else -+ { -+ retval = WEXITSTATUS(retval); -+ } -+ } -+ else -+ { -+ retval = PAM_SYSTEM_ERR; -+ } -+ -+ sigaction(SIGCHLD, &oldsa, NULL); /* restore old signal handler */ -+ -+ return retval; -+} -+ -+static int -+run_check_helper(pam_handle_t *pamh, const char *user, -+ const char *newpass, int debug) -+{ -+ int retval, child, fds[2]; -+ struct sigaction newsa, oldsa; -+ -+ /* create a pipe for the password */ -+ if (pipe(fds) != 0) -+ return PAM_SYSTEM_ERR; -+ -+ memset(&newsa, '\0', sizeof(newsa)); -+ newsa.sa_handler = SIG_DFL; -+ sigaction(SIGCHLD, &newsa, &oldsa); -+ -+ child = fork(); -+ if (child == 0) -+ { -+ int i = 0; -+ struct rlimit rlim; -+ int dummyfds[2]; -+ static char *envp[] = { NULL }; -+ char *args[] = { NULL, NULL, NULL, NULL, NULL }; -+ -+ /* reopen stdin as pipe */ -+ dup2(fds[0], STDIN_FILENO); -+ -+ /* replace std file descriptors with a dummy pipe */ -+ if (pipe2(dummyfds, O_NONBLOCK) == 0) -+ { -+ dup2(dummyfds[1], STDOUT_FILENO); -+ dup2(dummyfds[1], STDERR_FILENO); -+ } -+ -+ if (getrlimit(RLIMIT_NOFILE,&rlim) == 0) -+ { -+ if (rlim.rlim_max >= MAX_FD_NO) -+ rlim.rlim_max = MAX_FD_NO; -+ for (i = STDERR_FILENO + 1; i < (int)rlim.rlim_max; i++) -+ { -+ if (i != dummyfds[0]) -+ close(i); -+ } -+ } -+ -+ /* exec binary helper */ -+ args[0] = strdup(PWHISTORY_HELPER); -+ args[1] = strdup("check"); -+ args[2] = x_strdup(user); -+ asprintf(&args[3], "%d", debug); -+ -+ execve(args[0], args, envp); -+ -+ _exit(PAM_SYSTEM_ERR); -+ } -+ else if (child > 0) -+ { -+ /* wait for child */ -+ int rc = 0; -+ if (newpass == NULL) -+ newpass = ""; -+ -+ /* send the password to the child */ -+ if (write(fds[1], newpass, strlen(newpass)+1) == -1) -+ { -+ pam_syslog(pamh, LOG_ERR, "Cannot send password to helper: %m"); -+ retval = 
PAM_SYSTEM_ERR; -+ } -+ newpass = NULL; -+ close(fds[0]); /* close here to avoid possible SIGPIPE above */ -+ close(fds[1]); -+ rc = waitpid(child, &retval, 0); /* wait for helper to complete */ -+ if (rc < 0) -+ { -+ pam_syslog(pamh, LOG_ERR, "pwhistory_helper check waitpid returned %d: %m", rc); -+ retval = PAM_SYSTEM_ERR; -+ } -+ else if (!WIFEXITED(retval)) -+ { -+ pam_syslog(pamh, LOG_ERR, "pwhistory_helper check abnormal exit: %d", retval); -+ retval = PAM_SYSTEM_ERR; -+ } -+ else -+ { -+ retval = WEXITSTATUS(retval); -+ } -+ } -+ else -+ { -+ close(fds[0]); -+ close(fds[1]); -+ retval = PAM_SYSTEM_ERR; -+ } -+ -+ sigaction(SIGCHLD, &oldsa, NULL); /* restore old signal handler */ -+ -+ return retval; -+} - - /* This module saves the current crypted password in /etc/security/opasswd - and then compares the new password with all entries in this file. */ -@@ -112,7 +296,6 @@ parse_option (pam_handle_t *pamh, const - int - pam_sm_chauthtok (pam_handle_t *pamh, int flags, int argc, const char **argv) - { -- struct passwd *pwd; - const char *newpass; - const char *user; - int retval, tries; -@@ -148,31 +331,13 @@ pam_sm_chauthtok (pam_handle_t *pamh, in - return PAM_SUCCESS; - } - -- pwd = pam_modutil_getpwnam (pamh, user); -- if (pwd == NULL) -- return PAM_USER_UNKNOWN; -- -- if ((strcmp(pwd->pw_passwd, "x") == 0) || -- ((pwd->pw_passwd[0] == '#') && -- (pwd->pw_passwd[1] == '#') && -- (strcmp(pwd->pw_name, pwd->pw_passwd + 2) == 0))) -- { -- struct spwd *spw = pam_modutil_getspnam (pamh, user); -- if (spw == NULL) -- return PAM_USER_UNKNOWN; -+ retval = save_old_pass (pamh, user, options.remember, options.debug); - -- retval = save_old_pass (pamh, user, pwd->pw_uid, spw->sp_pwdp, -- options.remember, options.debug); -- if (retval != PAM_SUCCESS) -- return retval; -- } -- else -- { -- retval = save_old_pass (pamh, user, pwd->pw_uid, pwd->pw_passwd, -- options.remember, options.debug); -- if (retval != PAM_SUCCESS) -- return retval; -- } -+ if (retval == 
PAM_PWHISTORY_RUN_HELPER) -+ retval = run_save_helper(pamh, user, options.remember, options.debug); -+ -+ if (retval != PAM_SUCCESS) -+ return retval; - - newpass = NULL; - tries = 0; -@@ -201,8 +366,11 @@ pam_sm_chauthtok (pam_handle_t *pamh, in - if (options.debug) - pam_syslog (pamh, LOG_DEBUG, "check against old password file"); - -- if (check_old_pass (pamh, user, newpass, -- options.debug) != PAM_SUCCESS) -+ retval = check_old_pass (pamh, user, newpass, options.debug); -+ if (retval == PAM_PWHISTORY_RUN_HELPER) -+ retval = run_check_helper(pamh, user, newpass, options.debug); -+ -+ if (retval != PAM_SUCCESS) - { - if (getuid() || options.enforce_for_root || - (flags & PAM_CHANGE_EXPIRED_AUTHTOK)) -diff -up Linux-PAM-1.4.0/modules/pam_pwhistory/pwhistory_helper.8.xml.pwhhelper Linux-PAM-1.4.0/modules/pam_pwhistory/pwhistory_helper.8.xml ---- Linux-PAM-1.4.0/modules/pam_pwhistory/pwhistory_helper.8.xml.pwhhelper 2020-06-22 13:13:23.723445361 +0200 -+++ Linux-PAM-1.4.0/modules/pam_pwhistory/pwhistory_helper.8.xml 2020-06-22 13:13:23.723445361 +0200 -@@ -0,0 +1,68 @@ -+ -+ -+ -+ -+ -+ -+ pwhistory_helper -+ 8 -+ Linux-PAM Manual -+ -+ -+ -+ pwhistory_helper -+ Helper binary that transfers password hashes from passwd or shadow to opasswd -+ -+ -+ -+ -+ pwhistory_helper -+ -+ ... -+ -+ -+ -+ -+ -+ -+ DESCRIPTION -+ -+ -+ pwhistory_helper is a helper program for the -+ pam_pwhistory module that transfers password hashes -+ from passwd or shadow file to the opasswd file and checks a password -+ supplied by user against the existing hashes in the opasswd file. -+ -+ -+ -+ The purpose of the helper is to enable tighter confinement of -+ login and password changing services. The helper is thus called only -+ when SELinux is enabled on the system. -+ -+ -+ -+ The interface of the helper - command line options, and input/output -+ data format are internal to the pam_pwhistory -+ module and it should not be called directly from applications. 
-+ -+ -+ -+ -+ SEE ALSO -+ -+ -+ pam_pwhistory8 -+ -+ -+ -+ -+ -+ AUTHOR -+ -+ Written by Tomas Mraz based on the code originally in -+ pam_pwhistory and pam_unix modules. -+ -+ -+ -+ -diff -up Linux-PAM-1.4.0/modules/pam_pwhistory/pwhistory_helper.c.pwhhelper Linux-PAM-1.4.0/modules/pam_pwhistory/pwhistory_helper.c ---- Linux-PAM-1.4.0/modules/pam_pwhistory/pwhistory_helper.c.pwhhelper 2020-06-22 13:13:23.723445361 +0200 -+++ Linux-PAM-1.4.0/modules/pam_pwhistory/pwhistory_helper.c 2020-06-22 13:13:23.723445361 +0200 -@@ -0,0 +1,209 @@ -+/* -+ * Copyright (c) 2013 Red Hat, Inc. -+ * Author: Tomas Mraz -+ * -+ * Redistribution and use in source and binary forms, with or without -+ * modification, are permitted provided that the following conditions -+ * are met: -+ * 1. Redistributions of source code must retain the above copyright -+ * notice, and the entire permission notice in its entirety, -+ * including the disclaimer of warranties. -+ * 2. Redistributions in binary form must reproduce the above copyright -+ * notice, this list of conditions and the following disclaimer in the -+ * documentation and/or other materials provided with the distribution. -+ * 3. The name of the author may not be used to endorse or promote -+ * products derived from this software without specific prior -+ * written permission. -+ * -+ * ALTERNATIVELY, this product may be distributed under the terms of -+ * the GNU Public License, in which case the provisions of the GPL are -+ * required INSTEAD OF the above restrictions. (This clause is -+ * necessary due to a potential bad interaction between the GPL and -+ * the restrictions contained in a BSD-style copyright.) -+ * -+ * THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED -+ * WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES -+ * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE -+ * DISCLAIMED. 
IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, -+ * INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES -+ * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR -+ * SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) -+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, -+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) -+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED -+ * OF THE POSSIBILITY OF SUCH DAMAGE. -+ */ -+ -+#include "config.h" -+ -+#include -+#include -+#include -+#include -+#include -+#include -+#include -+#include -+#include -+#include "opasswd.h" -+ -+#define MAXPASS 200 -+ -+static void -+su_sighandler(int sig) -+{ -+#ifndef SA_RESETHAND -+ /* emulate the behaviour of the SA_RESETHAND flag */ -+ if ( sig == SIGILL || sig == SIGTRAP || sig == SIGBUS || sig = SIGSERV ) { -+ struct sigaction sa; -+ memset(&sa, '\0', sizeof(sa)); -+ sa.sa_handler = SIG_DFL; -+ sigaction(sig, &sa, NULL); -+ } -+#endif -+ if (sig > 0) { -+ _exit(sig); -+ } -+} -+ -+static void -+setup_signals(void) -+{ -+ struct sigaction action; /* posix signal structure */ -+ -+ /* -+ * Setup signal handlers -+ */ -+ (void) memset((void *) &action, 0, sizeof(action)); -+ action.sa_handler = su_sighandler; -+#ifdef SA_RESETHAND -+ action.sa_flags = SA_RESETHAND; -+#endif -+ (void) sigaction(SIGILL, &action, NULL); -+ (void) sigaction(SIGTRAP, &action, NULL); -+ (void) sigaction(SIGBUS, &action, NULL); -+ (void) sigaction(SIGSEGV, &action, NULL); -+ action.sa_handler = SIG_IGN; -+ action.sa_flags = 0; -+ (void) sigaction(SIGTERM, &action, NULL); -+ (void) sigaction(SIGHUP, &action, NULL); -+ (void) sigaction(SIGINT, &action, NULL); -+ (void) sigaction(SIGQUIT, &action, NULL); -+} -+ -+static int -+read_passwords(int fd, int npass, char **passwords) -+{ -+ int rbytes = 0; -+ int offset = 0; -+ int i = 0; -+ char *pptr; -+ while (npass > 0) -+ { -+ rbytes = read(fd, 
passwords[i]+offset, MAXPASS-offset); -+ -+ if (rbytes < 0) -+ { -+ if (errno == EINTR) continue; -+ break; -+ } -+ if (rbytes == 0) -+ break; -+ -+ while (npass > 0 && (pptr=memchr(passwords[i]+offset, '\0', rbytes)) -+ != NULL) -+ { -+ rbytes -= pptr - (passwords[i]+offset) + 1; -+ i++; -+ offset = 0; -+ npass--; -+ if (rbytes > 0) -+ { -+ if (npass > 0) -+ memcpy(passwords[i], pptr+1, rbytes); -+ memset(pptr+1, '\0', rbytes); -+ } -+ } -+ offset += rbytes; -+ } -+ -+ /* clear up */ -+ if (offset > 0 && npass > 0) -+ memset(passwords[i], '\0', offset); -+ -+ return i; -+} -+ -+ -+static int -+check_history(const char *user, const char *debug) -+{ -+ char pass[MAXPASS + 1]; -+ char *passwords[] = { pass }; -+ int npass; -+ int dbg = atoi(debug); /* no need to be too fancy here */ -+ int retval; -+ -+ /* read the password from stdin (a pipe from the pam_pwhistory module) */ -+ npass = read_passwords(STDIN_FILENO, 1, passwords); -+ -+ if (npass != 1) -+ { /* is it a valid password? */ -+ helper_log_err(LOG_DEBUG, "no password supplied"); -+ return PAM_AUTHTOK_ERR; -+ } -+ -+ retval = check_old_pass(user, pass, dbg); -+ -+ memset(pass, '\0', MAXPASS); /* clear memory of the password */ -+ -+ return retval; -+} -+ -+static int -+save_history(const char *user, const char *howmany, const char *debug) -+{ -+ int num = atoi(howmany); -+ int dbg = atoi(debug); /* no need to be too fancy here */ -+ int retval; -+ -+ retval = save_old_pass(user, num, dbg); -+ -+ return retval; -+} -+ -+int -+main(int argc, char *argv[]) -+{ -+ const char *option; -+ const char *user; -+ -+ /* -+ * Catch or ignore as many signal as possible. -+ */ -+ setup_signals(); -+ -+ /* -+ * we establish that this program is running with non-tty stdin. -+ * this is to discourage casual use. 
-+ */ -+ -+ if (isatty(STDIN_FILENO) || argc < 4) -+ { -+ fprintf(stderr, -+ "This binary is not designed for running in this way.\n"); -+ sleep(10); /* this should discourage/annoy the user */ -+ return PAM_SYSTEM_ERR; -+ } -+ -+ option = argv[1]; -+ user = argv[2]; -+ -+ if (strcmp(option, "check") == 0 && argc == 4) -+ return check_history(user, argv[3]); -+ else if (strcmp(option, "save") == 0 && argc == 5) -+ return save_history(user, argv[3], argv[4]); -+ -+ return PAM_SYSTEM_ERR; -+} -+ diff --git a/pam-1.4.0-redhat-modules.patch b/pam-1.4.0-redhat-modules.patch deleted file mode 100644 index 5003173..0000000 --- a/pam-1.4.0-redhat-modules.patch +++ /dev/null @@ -1,25 +0,0 @@ -diff -up Linux-PAM-1.4.0/configure.ac.redhat-modules Linux-PAM-1.4.0/configure.ac ---- Linux-PAM-1.4.0/configure.ac.redhat-modules 2020-06-08 12:17:27.000000000 +0200 -+++ Linux-PAM-1.4.0/configure.ac 2020-06-22 12:55:55.889827909 +0200 -@@ -712,6 +712,8 @@ AC_CONFIG_FILES([Makefile libpam/Makefil - po/Makefile.in \ - Make.xml.rules \ - modules/Makefile \ -+ modules/pam_chroot/Makefile modules/pam_console/Makefile \ -+ modules/pam_postgresok/Makefile \ - modules/pam_access/Makefile modules/pam_cracklib/Makefile \ - modules/pam_debug/Makefile modules/pam_deny/Makefile \ - modules/pam_echo/Makefile modules/pam_env/Makefile \ -diff -up Linux-PAM-1.4.0/modules/Makefile.am.redhat-modules Linux-PAM-1.4.0/modules/Makefile.am ---- Linux-PAM-1.4.0/modules/Makefile.am.redhat-modules 2020-06-22 12:55:55.889827909 +0200 -+++ Linux-PAM-1.4.0/modules/Makefile.am 2020-06-22 12:59:19.718670992 +0200 -@@ -56,6 +56,9 @@ SUBDIRS := \ - pam_debug \ - pam_deny \ - pam_echo \ -+ pam_chroot \ -+ pam_console \ -+ pam_postgresok \ - pam_env \ - pam_exec \ - pam_faildelay \ diff --git a/pam-1.4.0-unix-init-daysleft.patch b/pam-1.4.0-unix-init-daysleft.patch deleted file mode 100644 index 7939f2c..0000000 --- a/pam-1.4.0-unix-init-daysleft.patch +++ /dev/null 
@@ -1,32 +0,0 @@
-From db6b293046aee4735f3aa2d1713742ed4b533219 Mon Sep 17 00:00:00 2001
-From: Tomas Mraz
-Date: Wed, 22 Jul 2020 11:47:55 +0200
-Subject: [PATCH] Fix missing initialization of daysleft
-
-The daysleft otherwise stays uninitialized if there is no shadow entry.
-
-Regression from commit f5adefa.
-
-Fixes #255
-
-* modules/pam_unix/pam_unix_acct.c (pam_sm_acct_mgmt): Initialize daysleft.
----
- modules/pam_unix/pam_unix_acct.c | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/modules/pam_unix/pam_unix_acct.c b/modules/pam_unix/pam_unix_acct.c
-index de8d65c1..f46f2308 100644
---- a/modules/pam_unix/pam_unix_acct.c
-+++ b/modules/pam_unix/pam_unix_acct.c
-@@ -189,7 +189,7 @@ pam_sm_acct_mgmt(pam_handle_t *pamh, int flags, int argc, const char **argv)
- unsigned long long ctrl;
- const void *void_uname;
- const char *uname;
-- int retval, daysleft;
-+ int retval, daysleft = -1;
- char buf[256];
- 
- D(("called."));
----
--2.26.2
-
diff --git a/pam-1.5.0-noflex.patch b/pam-1.5.0-noflex.patch
new file mode 100644
index 0000000..282b482
--- /dev/null
+++ b/pam-1.5.0-noflex.patch
@@ -0,0 +1,24 @@
+diff -up Linux-PAM-1.5.0/doc/Makefile.am.noflex Linux-PAM-1.5.0/doc/Makefile.am
+--- Linux-PAM-1.5.0/doc/Makefile.am.noflex 2020-11-10 16:46:13.000000000 +0100
++++ Linux-PAM-1.5.0/doc/Makefile.am 2020-11-11 11:39:00.980421433 +0100
+@@ -2,7 +2,7 @@
+ # Copyright (c) 2005, 2006 Thorsten Kukuk
+ #
+ 
+-SUBDIRS = man specs sag adg mwg
++SUBDIRS = man sag adg mwg
+ 
+ CLEANFILES = *~
+ 
+diff -up Linux-PAM-1.5.0/Makefile.am.noflex Linux-PAM-1.5.0/Makefile.am
+--- Linux-PAM-1.5.0/Makefile.am.noflex 2020-11-11 11:39:00.980421433 +0100
++++ Linux-PAM-1.5.0/Makefile.am 2020-11-11 11:39:15.887625418 +0100
+@@ -4,7 +4,7 @@
+ 
+ AUTOMAKE_OPTIONS = 1.9 gnu dist-xz no-dist-gzip check-news
+ 
+-SUBDIRS = libpam tests libpamc libpam_misc modules po conf examples xtests
++SUBDIRS = libpam tests libpamc libpam_misc modules po doc examples xtests
+ 
+ if HAVE_DOC
+ SUBDIRS += doc
diff --git a/pam-1.5.0-redhat-modules.patch b/pam-1.5.0-redhat-modules.patch
new file mode 100644
index 0000000..92d04da
--- /dev/null
+++ b/pam-1.5.0-redhat-modules.patch
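Review bot: The rewritten line `SUBDIRS = libpam tests libpamc libpam_misc modules po doc examples xtests` in the second hunk of the new patch adds `doc` to SUBDIRS unconditionally, while the `if HAVE_DOC` / `SUBDIRS += doc` lines kept as context right below it still append it, so `doc` would be listed twice when docs are enabled and would presumably be descended into even when HAVE_DOC is off. If the purpose of the patch is only to stop building `conf` at the top level (and `specs` under doc, per the first hunk), the line should read `SUBDIRS = libpam tests libpamc libpam_misc modules po examples xtests` and the HAVE_DOC block be left to add `doc`. If adding `doc` unconditionally is intended, the HAVE_DOC block should be removed in the same hunk so the two do not disagree.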
@@ -0,0 +1,25 @@
+diff -up Linux-PAM-1.5.0/configure.ac.redhat-modules Linux-PAM-1.5.0/configure.ac
+--- Linux-PAM-1.5.0/configure.ac.redhat-modules 2020-11-11 11:21:21.947857371 +0100
++++ Linux-PAM-1.5.0/configure.ac 2020-11-11 11:22:58.638193747 +0100
+@@ -639,6 +639,8 @@ AC_CONFIG_FILES([Makefile libpam/Makefil
+ po/Makefile.in \
+ Make.xml.rules \
+ modules/Makefile \
++ modules/pam_chroot/Makefile modules/pam_console/Makefile \
++ modules/pam_postgresok/Makefile \
+ modules/pam_access/Makefile \
+ modules/pam_debug/Makefile modules/pam_deny/Makefile \
+ modules/pam_echo/Makefile modules/pam_env/Makefile \
+diff -up Linux-PAM-1.5.0/modules/Makefile.am.redhat-modules Linux-PAM-1.5.0/modules/Makefile.am
+--- Linux-PAM-1.5.0/modules/Makefile.am.redhat-modules 2020-11-10 16:46:13.000000000 +0100
++++ Linux-PAM-1.5.0/modules/Makefile.am 2020-11-11 11:21:21.947857371 +0100
+@@ -47,6 +47,9 @@ SUBDIRS := \
+ pam_debug \
+ pam_deny \
+ pam_echo \
++ pam_chroot \
++ pam_console \
++ pam_postgresok \
+ pam_env \
+ pam_exec \
+ pam_faildelay \
diff --git a/pam.spec b/pam.spec
index a1f7a0c..eb4ed04 100644
--- a/pam.spec
+++ b/pam.spec
@@ -1,9 +1,9 @@
-%global pam_redhat_version 1.1.3
+%global pam_redhat_version 1.1.4
 
 Summary: An extensible library which provides authentication for applications
 Name: pam
-Version: 1.4.0
-Release: 7%{?dist}
+Version: 1.5.0
+Release: 1%{?dist}
 # The library is BSD licensed with option to relicense as GPLv2+
 # - this option is redundant as the BSD license allows that anyway.
 # pam_timestamp, pam_loginuid, and pam_console modules are GPLv2+.
@@ -24,37 +24,9 @@ Source15: pamtmp.conf
 Source16: postlogin.pamd
 Source17: postlogin.5
 Source18: https://www.gnu.org/licenses/old-licenses/gpl-2.0.txt
-Patch1: pam-1.4.0-redhat-modules.patch
-Patch9: pam-1.4.0-noflex.patch
-# https://github.com/linux-pam/linux-pam/commit/cbdef051ab5d4031656d14ac6cdb1f6c2d8d6595
-Patch10: pam-1.4.0-nouserenv.patch
-# https://github.com/linux-pam/linux-pam/commit/adc037167ad293242d9c69c4d427da1001f26706
-Patch13: pam-1.1.6-limits-user.patch
-Patch15: pam-1.4.0-full-relro.patch
-# https://github.com/linux-pam/linux-pam/commit/f787845843da96cc29ea1f864e29fb17379b36b7
-Patch29: pam-1.4.0-pwhistory-helper.patch
-Patch31: pam-1.1.8-audit-user-mgmt.patch
-Patch33: pam-1.3.0-unix-nomsg.patch
-# https://github.com/linux-pam/linux-pam/commit/655b5e3cf32cb2bd6606cb8ab696b8f00f87051e
-# https://github.com/linux-pam/linux-pam/commit/a6a1b9f788a79b2a09827c72a755f471c2e05100
-# https://github.com/linux-pam/linux-pam/commit/2bae5daf16d4466185fac89539d653b269a3ea01
-# https://github.com/linux-pam/linux-pam/commit/276ad5b8e48aa77c24ef25e18d2e97f66c83d68c
-Patch34: pam-1.4.0-coverity.patch
-# https://github.com/linux-pam/linux-pam/commit/af0faf666c5008e54dfe43684f210e3581ff1bca
-# https://github.com/linux-pam/linux-pam/commit/0e9b286afe1224b91ff00936058b084ad4b776e4
-Patch57: pam-1.4.0-determine-user-exists.patch
-# https://github.com/linux-pam/linux-pam/commit/395915dae1571e10e2766c999974de864655ea3a
-Patch58: pam-1.3.1-faillock-change-file-permissions.patch
-# https://github.com/linux-pam/linux-pam/commit/16cebfeb30a8bd7c7dc269190a054c25b0f8d044
-# https://github.com/linux-pam/linux-pam/commit/ad8b6feaf8ea989368676acaea905998a807986e
-Patch59: pam-1.4.0-motd-filter-files.patch
-# https://github.com/linux-pam/linux-pam/commit/db6b293046aee4735f3aa2d1713742ed4b533219
-Patch60: pam-1.4.0-unix-init-daysleft.patch
-# https://github.com/linux-pam/linux-pam/commit/9f24bbeeb4fe04bc396898cd9825478ad52c5ac7
-Patch61: pam-1.4.0-motd-privilege-message.patch
-# https://github.com/linux-pam/linux-pam/commit/50ab1eda259ff039922b2774895f09bf0a57e078
-# https://github.com/linux-pam/linux-pam/commit/51318fd423a8ab4456a278ef0aff6ad449aab916
-Patch62: pam-1.4.0-libpam-start-leak.patch
+Patch1: pam-1.5.0-redhat-modules.patch
+Patch2: pam-1.5.0-noflex.patch
+Patch3: pam-1.3.0-unix-nomsg.patch
 
 %global _pamlibdir %{_libdir}
 %global _moduledir %{_libdir}/security
@@ -135,20 +107,8 @@ mv pam-redhat-%{pam_redhat_version}/* modules
 cp %{SOURCE18} .
 
 %patch1 -p1 -b .redhat-modules
-%patch9 -p1 -b .noflex
-%patch10 -p1 -b .nouserenv
-%patch13 -p1 -b .limits
-%patch15 -p1 -b .relro
-%patch29 -p1 -b .pwhhelper
-%patch31 -p1 -b .audit-user-mgmt
-%patch33 -p1 -b .nomsg
-%patch34 -p1 -b .coverity
-%patch57 -p1 -b .determine-user-exists
-%patch58 -p1 -b .faillock-change-file-permissions
-%patch59 -p1 -b .motd-filter-files
-%patch60 -p1 -b .unix-init-daysleft
-%patch61 -p1 -b .motd-privilege-message
-%patch62 -p1 -b .libpam-start-leak
+%patch2 -p1 -b .noflex
+%patch3 -p1 -b .nomsg
 
 autoreconf -i
 
@@ -176,9 +136,6 @@ for readme in modules/pam_*/README ; do
 cp -f ${readme} doc/txts/README.`dirname ${readme} | sed -e 's|^modules/||'`
 done
 
-rm -rf doc/txts/README.pam_tally*
-rm -rf doc/sag/html/*pam_tally*
-
 # Install the binaries, libraries, and modules.
 make install DESTDIR=$RPM_BUILD_ROOT LDCONFIG=:
 
@@ -256,10 +213,6 @@ if [ -d ${dir} ] ; then
 %if ! %{WITH_AUDIT}
 [ ${dir} = "modules/pam_tty_audit" ] && continue
 %endif
- # pam_tally, pam_tally2 and pam_cracklib have been deprecated and will be removed in next upstream release. So, they have been removed downstream
- [ ${dir} = "modules/pam_tally" ] && continue
- [ ${dir} = "modules/pam_tally2" ] && continue
- [ ${dir} = "modules/pam_cracklib" ] && continue
 if ! ls -1 $RPM_BUILD_ROOT%{_moduledir}/`basename ${dir}`*.so ; then
 echo ERROR `basename ${dir}` did not build a module.
 exit 1
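Review bot: Patch15 (pam-1.4.0-full-relro.patch) and Patch31 (pam-1.1.8-audit-user-mgmt.patch) are dropped from the Patch list without the upstream-commit reference that the other removed patches carry, and neither the commit message nor the new %changelog entry says they were merged into 1.5.0, so the diff alone does not show whether the linker-hardening and audit changes they carried survive the rebase. If they are now part of upstream, a comment such as `# full-relro and audit-user-mgmt changes are in Linux-PAM 1.5.0` above `Patch1:` (or a %changelog bullet) would record that; if they are not, they should be rebased onto 1.5.0 rather than silently dropped, since losing a hardening patch in a rebase is a regression that is easy to miss. The matching `%patch15` and `%patch31` lines removed in the `@@ -135,20 +107,8 @@` hunk are the same point.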
@@ -408,6 +361,12 @@ done
 %doc doc/sag/*.txt doc/sag/html
 
 %changelog
+* Wed Nov 11 2020 Iker Pedrosa - 1.5.0-1
+- Rebase to release 1.5.0
+- Rebase to pam-redhat-1.1.4
+- Remove pam_cracklib, pam_tally and pam_tally2
+- spec file cleanup
+
 * Fri Nov 6 2020 Iker Pedrosa - 1.4.0-7
 - libpam: fix memory leak in pam_start (#1894630)
 
diff --git a/sources b/sources
index d7c666a..908f61d 100644
--- a/sources
+++ b/sources
@@ -1,3 +1,3 @@
-SHA512 (Linux-PAM-1.4.0.tar.xz) = 26eda95c45598a500bc142da4d1abf93d03b3bbb0f2390fa87c72dcbffa208dbfa115c0b411095c31ee9955e36422ccf3e2df3bd486818fafffef8c4310798c4
-SHA512 (Linux-PAM-1.4.0.tar.xz.asc) = df8d35840838854b2cd6fdb5763e6b3a713dda839c1bc36e752243e76ea0414e99351b32691a6e08f2ee07013c6c4142f21e469374ec06be66887384207933b4
-SHA512 (pam-redhat-1.1.3.tar.bz2) = 5f048e55c51342c3eaecc1c150e9643e6b226b413ac3e6f095fc983293ea7a6bd68e27d663a3c90be0d86b8277d15a1565ee5d7831fb49950144f6391091e8f9
+SHA512 (Linux-PAM-1.5.0.tar.xz) = 27be57465371f86c101f93c15f4475e63867c02f8f5af40d3f83b2106bfc8a46b8079302214e17f198ef903dc35b72d00b0e9bdff63ed2ecd8c69543e278f4bf
+SHA512 (Linux-PAM-1.5.0.tar.xz.asc) = be90e6ebcc01933c109cb1715bcb303f29b56cb1e00b684bada804fa9d2390cec09551fefaf3529f3f12ba0f57bc83976021a0c16a42f5a3067d87dec94e5ad0
+SHA512 (pam-redhat-1.1.4.tar.bz2) = ad3b53744505faf7c93b1f0c1ef4434c2567b97e292859963401b0c117e824704713c69f7a661cccd3aecd1208facb39c433703c1f3cdea1dbda2c380006bfc4