Add a patch to not use crypt_checksalt for password expiration

Resolves: #1965345, #1967150

pam-1.4.0-drop-priv-initgroups.patch

@@ -0,0 +1,66 @@
+From 62d826471e87e27b39a36ccbeee58999e2514a92 Mon Sep 17 00:00:00 2001
+From: Allison Karlitskaya <allison.karlitskaya@redhat.com>
+Date: Thu, 5 Nov 2020 14:06:53 +0100
+Subject: [PATCH] libpam: add supplementary groups on priv drop
+
+Replace the setgroups(0, NULL) call in pam_modutil_drop_priv() with a
+call to initgroups().  This makes sure that the user's supplementary
+groups are also configured.  Fall back to setgroups(0, NULL) in case the
+initgroups() call fails.
+
+This fixes the permission check in pam_motd: this feature was intended
+to allow setting permissions on a motd file to prevent it from being
+shown to users who are not a member of a particular group (for example,
+wheel).
+
+Closes #292
+---
+ NEWS                      |  2 ++
+ libpam/pam_modutil_priv.c | 17 +++++++++++++----
+ 2 files changed, 15 insertions(+), 4 deletions(-)
+
+diff --git a/NEWS b/NEWS
+index d0f583e4..5f86660d 100644
+--- a/NEWS
++++ b/NEWS
+@@ -2,6 +2,8 @@
+ 
+ Release 1.5.0
+ * pam_motd: read motd files with target user credentials skipping unreadable ones.
++* libpam: pam_modutil_drop_priv() now correctly sets the target user's
++          supplementary groups, allowing pam_motd to filter messages accordingly
+ 
+ Release 1.4.0
+ * Multiple minor bug fixes and documentation improvements
+diff --git a/libpam/pam_modutil_priv.c b/libpam/pam_modutil_priv.c
+index e22fab1a..a463e06a 100644
+--- a/libpam/pam_modutil_priv.c
++++ b/libpam/pam_modutil_priv.c
+@@ -107,11 +107,20 @@ int pam_modutil_drop_priv(pam_handle_t *pamh,
+ 	 * We should care to leave process credentials in consistent state.
+ 	 * That is, e.g. if change_gid() succeeded but change_uid() failed,
+ 	 * we should try to restore old gid.
++	 *
++	 * We try to add the supplementary groups on a best-effort
++	 * basis.  If it fails, it's not fatal: we fall back to using an
++	 * empty list.
+ 	 */
+-	if (setgroups(0, NULL)) {
+-		pam_syslog(pamh, LOG_ERR,
+-			   "pam_modutil_drop_priv: setgroups failed: %m");
+-		return cleanup(p);
++	if (initgroups(pw->pw_name, pw->pw_gid)) {
++		pam_syslog(pamh, LOG_WARNING,
++			   "pam_modutil_drop_priv: initgroups failed: %m");
++
++		if (setgroups(0, NULL)) {
++			pam_syslog(pamh, LOG_ERR,
++				   "pam_modutil_drop_priv: setgroups failed: %m");
++			return cleanup(p);
++		}
+ 	}
+ 	if (change_gid(pw->pw_gid, &p->old_gid)) {
+ 		pam_syslog(pamh, LOG_ERR,
+-- 
+2.28.0
+

pam-1.4.0-no_crypt_checksalt_for_pw_expiration.patch

@@ -0,0 +1,39 @@
+From 980d90c9232fe5325d1a4deddd42c597cf9e1a54 Mon Sep 17 00:00:00 2001
+From: "Dmitry V. Levin" <ldv@altlinux.org>
+Date: Thu, 10 Jun 2021 14:00:00 +0000
+Subject: [PATCH] pam_unix: do not use crypt_checksalt when checking for
+ password expiration
+
+According to Zack Weinberg, the intended meaning of
+CRYPT_SALT_METHOD_LEGACY is "passwd(1) should not use this hashing
+method", it is not supposed to mean "force a password change on next
+login for any user with an existing stored hash using this method".
+
+This reverts commit 4da9febc39b955892a30686e8396785b96bb8ba5.
+
+* modules/pam_unix/passverify.c (check_shadow_expiry)
+[CRYPT_CHECKSALT_AVAILABLE]: Remove.
+
+Closes: https://github.com/linux-pam/linux-pam/issues/367
+---
+ modules/pam_unix/passverify.c | 6 ------
+ 1 file changed, 6 deletions(-)
+
+diff --git a/modules/pam_unix/passverify.c b/modules/pam_unix/passverify.c
+index f6132f80..5a19ed85 100644
+--- a/modules/pam_unix/passverify.c
++++ b/modules/pam_unix/passverify.c
+@@ -289,13 +289,7 @@ PAMH_ARG_DECL(int check_shadow_expiry,
+ 		D(("account expired"));
+ 		return PAM_ACCT_EXPIRED;
+ 	}
+-#if defined(CRYPT_CHECKSALT_AVAILABLE) && CRYPT_CHECKSALT_AVAILABLE
+-	if (spent->sp_lstchg == 0 ||
+-	    crypt_checksalt(spent->sp_pwdp) == CRYPT_SALT_METHOD_LEGACY ||
+-	    crypt_checksalt(spent->sp_pwdp) == CRYPT_SALT_TOO_CHEAP) {
+-#else
+ 	if (spent->sp_lstchg == 0) {
+-#endif
+ 		D(("need a new password"));
+ 		*daysleft = 0;
+ 		return PAM_NEW_AUTHTOK_REQD;

pam-1.4.0-unix-blank-check-with-root.patch

@@ -0,0 +1,98 @@
+From 30fdfb90d9864bcc254a62760aaa149d373fd4eb Mon Sep 17 00:00:00 2001
+From: Tomas Mraz <tmraz@fedoraproject.org>
+Date: Fri, 20 Nov 2020 13:38:23 +0100
+Subject: [PATCH] Second blank check with root for non-existent users must
+ never return 1
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+The commit af0faf66 ("pam_unix: avoid determining if user exists") introduced
+a regression where the blank check could return 1 if root had an empty
+password hash because in the second case the password hash of root was
+used. We now always return 0 in this case.
+
+The issue was found by Johannes Löthberg.
+
+Fixes #284
+
+* modules/pam_unix/support.c (_unix_blankpasswd): Make the loop
+to cover the complete blank check so both existing and non existing
+cases are identical except for the possible return value.
+---
+ modules/pam_unix/support.c | 39 +++++++++++++-------------------------
+ 1 file changed, 13 insertions(+), 26 deletions(-)
+
+diff --git a/modules/pam_unix/support.c b/modules/pam_unix/support.c
+index d669e951..27ca7127 100644
+--- a/modules/pam_unix/support.c
++++ b/modules/pam_unix/support.c
+@@ -601,8 +601,9 @@ _unix_blankpasswd (pam_handle_t *pamh, unsigned long long ctrl, const char *name
+ 	char *salt = NULL;
+ 	int daysleft;
+ 	int retval;
+-	int execloop = 1;
+-	int nonexistent = 1;
++	int blank = 0;
++	int execloop;
++	int nonexistent_check = 1;
+ 
+ 	D(("called"));
+ 
+@@ -632,43 +633,29 @@ _unix_blankpasswd (pam_handle_t *pamh, unsigned long long ctrl, const char *name
+ 	 * are equal, making it more difficult to differentiate existing from
+ 	 * non-existing users.
+ 	 */
+-	while (execloop) {
++	for (execloop = 0; execloop < 2; ++execloop) {
+ 		retval = get_pwd_hash(pamh, name, &pwd, &salt);
+ 
+ 		if (retval == PAM_UNIX_RUN_HELPER) {
+-			execloop = 0;
+-			if(nonexistent) {
+-				get_pwd_hash(pamh, "pam_unix_non_existent:", &pwd, &salt);
+-			}
+-			/* salt will not be set here so we can return immediately */
+ 			if (_unix_run_helper_binary(pamh, NULL, ctrl, name) == PAM_SUCCESS)
+-				return 1;
+-			else
+-				return 0;
++				blank = nonexistent_check;
+ 		} else if (retval == PAM_USER_UNKNOWN) {
+ 			name = "root";
+-			nonexistent = 0;
+-		} else {
+-			execloop = 0;
++			nonexistent_check = 0;
++			continue;
++		} else if (salt != NULL) {
++			if (strlen(salt) == 0)
++				blank = nonexistent_check;
+ 		}
+-	}
+-
+-	/* Does this user have a password? */
+-	if (salt == NULL) {
+-		retval = 0;
+-	} else {
+-		if (strlen(salt) == 0)
+-			retval = 1;
+-		else
+-			retval = 0;
++		name = "pam_unix_non_existent:";
++		/* non-existent user check will not affect the blank value */
+ 	}
+ 
+ 	/* tidy up */
+-
+ 	if (salt)
+ 		_pam_delete(salt);
+ 
+-	return retval;
++	return blank;
+ }
+ 
+ int _unix_verify_password(pam_handle_t * pamh, const char *name
+-- 
+2.28.0
+

pam.spec

@@ -3,7 +3,7 @@
 Summary: An extensible library which provides authentication for applications
 Name: pam
 Version: 1.4.0
-Release: 7%{?dist}
+Release: 11%{?dist}
 # The library is BSD licensed with option to relicense as GPLv2+
 # - this option is redundant as the BSD license allows that anyway.
 # pam_timestamp, pam_loginuid, and pam_console modules are GPLv2+.
@@ -55,6 +55,12 @@ Patch61: pam-1.4.0-motd-privilege-message.patch
 # https://github.com/linux-pam/linux-pam/commit/50ab1eda259ff039922b2774895f09bf0a57e078
 # https://github.com/linux-pam/linux-pam/commit/51318fd423a8ab4456a278ef0aff6ad449aab916
 Patch62: pam-1.4.0-libpam-start-leak.patch
+# https://github.com/linux-pam/linux-pam/commit/62d826471e87e27b39a36ccbeee58999e2514a92
+Patch63: pam-1.4.0-drop-priv-initgroups.patch
+# https://github.com/linux-pam/linux-pam/commit/30fdfb90d9864bcc254a62760aaa149d373fd4eb
+Patch64: pam-1.4.0-unix-blank-check-with-root.patch
+# https://github.com/linux-pam/linux-pam/pull/368
+Patch65: https://github.com/linux-pam/linux-pam/pull/368.patch#/pam-1.4.0-no_crypt_checksalt_for_pw_expiration.patch
 
 %global _pamlibdir %{_libdir}
 %global _moduledir %{_libdir}/security
@@ -72,6 +78,7 @@ Patch62: pam-1.4.0-libpam-start-leak.patch
 %global _performance_build 1
 
 Requires: libpwquality >= 0.9.9
+BuildRequires: make
 BuildRequires: autoconf >= 2.60
 BuildRequires: automake, libtool
 BuildRequires: bison, flex, sed
@@ -149,6 +156,9 @@ cp %{SOURCE18} .
 %patch60 -p1 -b .unix-init-daysleft
 %patch61 -p1 -b .motd-privilege-message
 %patch62 -p1 -b .libpam-start-leak
+%patch63 -p1 -b .drop-priv-initgroups
+%patch64 -p1 -b .unix-blank-check-with-root
+%patch65 -p1 -b .no_crypt_checksalt_for_pw_expiration
 
 autoreconf -i
 
@@ -408,6 +418,20 @@ done
 %doc doc/sag/*.txt doc/sag/html
 
 %changelog
+* Thu Jun 10 2021 Björn Esser <besser82@fedoraproject.org> - 1.4.0-11
+- Add a patch to not use crypt_checksalt for password expiration
+  Resolves: #1965345, #1967150
+
+* Fri Dec  4 2020 Iker Pedrosa <ipedrosa@redhat.com> - 1.4.0-10
+- Add BuildRequires: make (#1902520)
+
+* Thu Nov 26 2020 Iker Pedrosa <ipedrosa@redhat.com> - 1.4.0-9
+- fix CVE-2020-27780: authentication bypass when the user doesn't exist
+  and root password is blank (#1901173)
+
+* Mon Nov 16 2020 Allison Karlitskaya <allison.karlitskaya@redhat.com> - 1.4.0-8
+- libpam: add supplementary groups on priv drop (#1896452)
+
 * Fri Nov  6 2020 Iker Pedrosa <ipedrosa@redhat.com> - 1.4.0-7
 - libpam: fix memory leak in pam_start (#1894630)