Script 'mail_helper' called by obssrc
Hello community,
here is the log from the commit of package google-guest-oslogin for
openSUSE:Factory checked in at 2024-04-23 18:55:15
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/google-guest-oslogin (Old)
and /work/SRC/openSUSE:Factory/.google-guest-oslogin.new.27645 (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "google-guest-oslogin"
Tue Apr 23 18:55:15 2024 rev:26 rq:1164370 version:20240311.00
Changes:
--------
---
/work/SRC/openSUSE:Factory/google-guest-oslogin/google-guest-oslogin.changes
2024-03-01 23:39:45.166457371 +0100
+++
/work/SRC/openSUSE:Factory/.google-guest-oslogin.new.27645/google-guest-oslogin.changes
2024-04-23 18:55:34.645391570 +0200
@@ -1,0 +2,13 @@
+Wed Apr 3 12:56:40 UTC 2024 - John Paul Adrian Glaubitz
<[email protected]>
+
+- Fix file permissions for google_authorized_principals binary (bsc#1222171)
+
+-------------------------------------------------------------------
+Fri Mar 22 13:20:40 UTC 2024 - John Paul Adrian Glaubitz
<[email protected]>
+
+- Update to version 20240311.00 (bsc#1218548, bsc#1221900, bsc#1221901)
+ * pam: Bring back pam's account management implementation (#133)
+ * Change error messages when checking login policy (#129)
+ * Remove quintonamore from OWNERS (#128)
+
+-------------------------------------------------------------------
Old:
----
google-guest-oslogin-20231116.00.tar.gz
New:
----
google-guest-oslogin-20240311.00.tar.gz
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Other differences:
------------------
++++++ google-guest-oslogin.spec ++++++
--- /var/tmp/diff_new_pack.Lu1jGf/_old 2024-04-23 18:55:35.261413756 +0200
+++ /var/tmp/diff_new_pack.Lu1jGf/_new 2024-04-23 18:55:35.261413756 +0200
@@ -19,7 +19,7 @@
%{!?_pam_moduledir: %define _pam_moduledir %{_pamdir}}
Name: google-guest-oslogin
-Version: 20231116.00
+Version: 20240311.00
Release: 0
Summary: Google Cloud Guest OS Login
License: Apache-2.0
@@ -82,12 +82,12 @@
%license LICENSE
%attr(0755,root,root) %{_bindir}/google_authorized_keys
%attr(0755,root,root) %{_bindir}/google_authorized_keys_sk
+%attr(0755,root,root) %{_bindir}/google_authorized_principals
%attr(0755,root,root) %{_bindir}/google_oslogin_nss_cache
%{_mandir}/man8/*
%{_libdir}/libnss*
%{_pam_moduledir}/*
%{_presetdir}/*
-%{_bindir}/google_authorized_principals
%{_sbindir}/*
%{_unitdir}/*
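Review bot: The unchanged `%{_pam_moduledir}/*` glob in this hunk now silently ships a second PAM module, `pam_oslogin_admin.so`, which the updated upstream Makefile installs next to `pam_oslogin_login.so`; nothing in the spec records that the set of PAM modules changed. Since the hunk already moves the binaries to explicit `%attr` entries, listing the modules explicitly too, `%{_pam_moduledir}/pam_oslogin_login.so` and `%{_pam_moduledir}/pam_oslogin_admin.so`, would turn a dropped or unexpectedly added module into a packaging error instead of a silent change to what lands in a security-sensitive directory.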
++++++ google-guest-oslogin-20231116.00.tar.gz ->
google-guest-oslogin-20240311.00.tar.gz ++++++
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/guest-oslogin-20231116.00/OWNERS
new/guest-oslogin-20240311.00/OWNERS
--- old/guest-oslogin-20231116.00/OWNERS 2023-11-16 01:38:30.000000000
+0100
+++ new/guest-oslogin-20240311.00/OWNERS 2024-03-07 19:57:15.000000000
+0100
@@ -13,5 +13,4 @@
- jjerger
- karnvadaliya
- koln67
- - quintonamore
- zmarano
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore'
old/guest-oslogin-20231116.00/packaging/google-compute-engine-oslogin.spec
new/guest-oslogin-20240311.00/packaging/google-compute-engine-oslogin.spec
--- old/guest-oslogin-20231116.00/packaging/google-compute-engine-oslogin.spec
2023-11-16 01:38:30.000000000 +0100
+++ new/guest-oslogin-20240311.00/packaging/google-compute-engine-oslogin.spec
2024-03-07 19:57:15.000000000 +0100
@@ -67,6 +67,7 @@
/%{_lib}/libnss_cache_oslogin-%{version}.so
/%{_lib}/libnss_oslogin.so.2
/%{_lib}/libnss_cache_oslogin.so.2
+/%{_lib}/security/pam_oslogin_admin.so
/%{_lib}/security/pam_oslogin_login.so
/usr/bin/google_authorized_keys
/usr/bin/google_authorized_keys_sk
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/guest-oslogin-20231116.00/src/Makefile
new/guest-oslogin-20240311.00/src/Makefile
--- old/guest-oslogin-20231116.00/src/Makefile 2023-11-16 01:38:30.000000000
+0100
+++ new/guest-oslogin-20240311.00/src/Makefile 2024-03-07 19:57:15.000000000
+0100
@@ -47,6 +47,7 @@
NSS_OSLOGIN = libnss_oslogin-$(VERSION).so
NSS_CACHE_OSLOGIN = libnss_cache_oslogin-$(VERSION).so
+PAM_ADMIN = pam_oslogin_admin.so
PAM_LOGIN = pam_oslogin_login.so
BINARIES = google_oslogin_nss_cache google_authorized_keys
google_authorized_keys_sk google_authorized_principals
@@ -54,7 +55,7 @@
.PHONY: all clean install
.DEFAULT_GOAL := all
-all: $(NSS_OSLOGIN) $(NSS_CACHE_OSLOGIN) $(PAM_LOGIN) $(BINARIES)
+all: $(NSS_OSLOGIN) $(NSS_CACHE_OSLOGIN) $(PAM_LOGIN) $(PAM_ADMIN) $(BINARIES)
clean:
rm -f $(BINARIES)
@@ -75,6 +76,9 @@
$(PAM_LOGIN): pam/pam_oslogin_login.o oslogin_sshca.o oslogin_utils.o
$(CXX) $(CXXFLAGS) $(CPPFLAGS) -shared $^ -o $@ $(PAMLIBS)
+$(PAM_ADMIN): pam/pam_oslogin_admin.o oslogin_sshca.o oslogin_utils.o
+ $(CXX) $(CXXFLAGS) $(CPPFLAGS) -shared $^ -o $@ $(PAMLIBS)
+
# Utilities.
google_authorized_principals: authorized_principals/authorized_principals.o
oslogin_utils.o oslogin_sshca.o
@@ -100,7 +104,7 @@
ln -sf $(NSS_OSLOGIN) $(DEST_LIBDIR)/$(NSS_OSLOGIN_SONAME)
ln -sf $(NSS_CACHE_OSLOGIN) $(DEST_LIBDIR)/$(NSS_CACHE_OSLOGIN_SONAME)
# PAM modules
- install -m 0644 -t $(DEST_PAMDIR) $(PAM_LOGIN)
+ install -m 0644 -t $(DEST_PAMDIR) $(PAM_LOGIN) $(PAM_ADMIN)
# Binaries
install -m 0755 -t $(DEST_BINDIR) $(BINARIES)
# Manpages
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore'
old/guest-oslogin-20231116.00/src/include/oslogin_utils.h
new/guest-oslogin-20240311.00/src/include/oslogin_utils.h
--- old/guest-oslogin-20231116.00/src/include/oslogin_utils.h 2023-11-16
01:38:30.000000000 +0100
+++ new/guest-oslogin-20240311.00/src/include/oslogin_utils.h 2024-03-07
19:57:15.000000000 +0100
@@ -297,6 +297,11 @@
// AuthoOptions wraps authorization options.
struct AuthOptions {
+ // admin_policy_required determines if a user is only authorized if admin
+ // policy is available for such a user. i.e. AuthorizeUser() should return
+ // false if adminLogin is not available.
+ bool admin_policy_required;
+
// security_key determines if the MDS "/users?..." should use
// the view=securityKey parameter.
bool security_key;
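Review bot: `admin_policy_required` is inserted as the first member of `AuthOptions`, ahead of `security_key`, so any caller that brace-initializes the struct positionally (for example `AuthOptions opts = { true };`) now sets the admin flag instead of `security_key` without any compiler diagnostic. The callers visible in this diff use `opts = { 0 }` and then assign the flag by name, so they are unaffected, but callers outside the diff cannot be checked from here; appending the new member at the end of the struct would keep the existing layout and make the change safe regardless. The struct definition continues past this hunk, and the pre-existing header comment reads `AuthoOptions` where the type is `AuthOptions`.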
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/guest-oslogin-20231116.00/src/oslogin_utils.cc
new/guest-oslogin-20240311.00/src/oslogin_utils.cc
--- old/guest-oslogin-20231116.00/src/oslogin_utils.cc 2023-11-16
01:38:30.000000000 +0100
+++ new/guest-oslogin-20240311.00/src/oslogin_utils.cc 2024-03-07
19:57:15.000000000 +0100
@@ -1279,18 +1279,18 @@
long http_code = 0;
// Invalid user, just leave from here - the principal will not be
allowed/authorized.
if (!HttpGet(url.str(), &response, &http_code)) {
- SysLogErr("Failed to validate organization user %s has login permission.",
user_name);
+ SysLogErr("Failed to validate that OS Login user %s has %s permission.",
user_name, policy);
return false;
}
if (http_code != 200) {
- SysLogErr("Failed to validate organization user %s has login permission, "
- "got HTTP response code: %lu", user_name, http_code);
+ SysLogErr("Failed to validate that OS Login user %s has %s permission; "
+ "got HTTP response code: %lu", user_name, policy, http_code);
return false;
}
if (!ParseJsonToSuccess(response)) {
- SysLogErr("Organization user %s does not have login permission.",
user_name);
+ SysLogErr("OS Login user %s does not have %s permission.", user_name,
policy);
return false;
}
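Review bot: The rewritten `"got HTTP response code: %lu"` line still prints `http_code`, declared `long http_code = 0;` at the top of this hunk, with an unsigned conversion; the mismatch is inherited from the old line, but since the line is being rewritten it should become `%ld` so `-Wformat` is clean and a negative value is not printed as a huge unsigned number. The new `%s` arguments assume `policy` is a C string; if it is a `std::string` in the enclosing function, whose signature starts before this hunk, it needs `.c_str()`.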
@@ -1388,6 +1388,9 @@
}
} else {
remove(sudoers_filename.c_str());
+ if (opts.admin_policy_required) {
+ return false;
+ }
}
return true;
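Review bot: The new `return false` taken when `opts.admin_policy_required` is set denies the user without writing any log line, whereas the denial paths in the policy check earlier in this file each call `SysLogErr` before returning false, so an operator cannot tell from syslog why an admin-only PAM stack rejected a login. Add a message before the return, e.g. `SysLogErr("OS Login user %s does not have admin (loginAdmin) permission.", user_name);`, using whichever variable holds the user name in `AuthorizeUser`, whose head lies outside this hunk. The `remove()` of the sudoers file just above is pre-existing and its result is still unchecked; that is unchanged by this commit.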
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore'
old/guest-oslogin-20231116.00/src/pam/pam_oslogin_admin.cc
new/guest-oslogin-20240311.00/src/pam/pam_oslogin_admin.cc
--- old/guest-oslogin-20231116.00/src/pam/pam_oslogin_admin.cc 1970-01-01
01:00:00.000000000 +0100
+++ new/guest-oslogin-20240311.00/src/pam/pam_oslogin_admin.cc 2024-03-07
19:57:15.000000000 +0100
@@ -0,0 +1,53 @@
+// Copyright 2024 Google Inc. All Rights Reserved.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+#include <security/pam_modules.h>
+
+#include <compat.h>
+#include <oslogin_utils.h>
+
+using std::string;
+
+using oslogin_utils::AuthOptions;
+
+extern "C" {
+
+// pm_sm_acct_mgmt is the account management PAM implementation for admin
users (or users
+// with the proper loginAdmin policy). This account management module is
intended for custom
+// configuration handling only, where users need a way to in their stack
configurations to
+// differentiate a OS Login user. The Google Guest Agent will not manage the
lifecycle of
+// this module, it will not add this to the stack as part of the
standard/default configuration
+// set.
+PAM_EXTERN int
+pam_sm_acct_mgmt(pam_handle_t* pamh, int flags, int argc, const char** argv) {
+ struct AuthOptions opts;
+ const char *user_name;
+ string user_response;
+
+ if (pam_get_user(pamh, &user_name, NULL) != PAM_SUCCESS) {
+ PAM_SYSLOG(pamh, LOG_INFO, "Could not get pam user.");
+ return PAM_PERM_DENIED;
+ }
+
+ opts = { 0 };
+ opts.admin_policy_required = true;
+
+ if (!AuthorizeUser(user_name, opts, &user_response)) {
+ return PAM_PERM_DENIED;
+ }
+
+ return PAM_SUCCESS;
+}
+
+}
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore'
old/guest-oslogin-20231116.00/src/pam/pam_oslogin_login.cc
new/guest-oslogin-20240311.00/src/pam/pam_oslogin_login.cc
--- old/guest-oslogin-20231116.00/src/pam/pam_oslogin_login.cc 2023-11-16
01:38:30.000000000 +0100
+++ new/guest-oslogin-20240311.00/src/pam/pam_oslogin_login.cc 2024-03-07
19:57:15.000000000 +0100
@@ -22,6 +22,7 @@
#include <compat.h>
#include <oslogin_utils.h>
+using oslogin_utils::AuthOptions;
using oslogin_utils::ContinueSession;
using oslogin_utils::GetUser;
using oslogin_utils::ParseJsonToChallenges;
@@ -32,6 +33,32 @@
extern "C" {
+// pm_sm_acct_mgmt is the account management PAM implementation for non-admin
users (or users
+// without the proper loginAdmin policy). This account management module is
intended for custom
+// configuration handling only, where users need a way to in their stack
configurations to
+// differentiate a OS Login user. The Google Guest Agent will not manage the
lifecycle of
+// this module, it will not add this to the stack as part of the
standard/default configuration
+// set.
+PAM_EXTERN int
+pam_sm_acct_mgmt(pam_handle_t* pamh, int flags, int argc, const char** argv) {
+ struct AuthOptions opts;
+ const char *user_name;
+ string user_response;
+
+ if (pam_get_user(pamh, &user_name, NULL) != PAM_SUCCESS) {
+ PAM_SYSLOG(pamh, LOG_INFO, "Could not get pam user.");
+ return PAM_PERM_DENIED;
+ }
+
+ opts = { 0 };
+
+ if (!AuthorizeUser(user_name, opts, &user_response)) {
+ return PAM_PERM_DENIED;
+ }
+
+ return PAM_SUCCESS;
+}
+
PAM_EXTERN int
pam_sm_setcred(pam_handle_t* pamh, int flags, int argc, const char** argv) {
return PAM_SUCCESS;