Hello community,

here is the log from the commit of package pam for openSUSE:Factory checked in at 2020-11-23 15:36:12

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/pam (Old)
 and      /work/SRC/openSUSE:Factory/.pam.new.5913 (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "pam"

Mon Nov 23 15:36:12 2020 rev:107 rq:849468 version:1.5.0

Changes:
--------
--- /work/SRC/openSUSE:Factory/pam/pam.changes	2020-11-17 12:09:51.383773201 +0100
+++ /work/SRC/openSUSE:Factory/.pam.new.5913/pam.changes	2020-11-23 18:53:46.601567431 +0100
@@ -1,0 +2,79 @@ +Thu Nov 19 15:43:33 UTC 2020 - Thorsten Kukuk <ku...@suse.com> + +- Update to 1.5.0 + - obsoletes pam-bsc1178727-initialize-daysleft.patch + - Multiple minor bug fixes, portability fixes, and documentation improvements. + - Extended libpam API with pam_modutil_check_user_in_passwd function. + - pam_faillock: changed /run/faillock/$USER permissions from 0600 to 0660. + - pam_motd: read motd files with target user credentials skipping unreadable ones. + - pam_pwhistory: added a SELinux helper executable. + - pam_unix, pam_usertype: implemented avoidance of certain timing attacks. + - pam_wheel: implemented PAM_RUSER fallback for the case when getlogin fails. + - pam_env: Reading of the user environment is deprecated and will be removed + at some point in the future. + - libpam: pam_modutil_drop_priv() now correctly sets the target user's + supplementary groups, allowing pam_motd to filter messages accordingly +- Refresh pam-xauth_ownership.patch +- pam_tally2-removal.patch: Re-add pam_tally2 for deprecated sub-package +- pam_cracklib-removal.patch: Re-add pam_cracklib for deprecated sub-package + +------------------------------------------------------------------- +Wed Nov 18 13:02:15 UTC 2020 - Josef Möllers <josef.moell...@suse.com> + +- pam_cracklib: added code to check whether the password contains + a substring of of the user's name of at least <N> characters length + in some form. + This is enabled by the new parameter "usersubstr=<N>" + See https://github.com/libpwquality/libpwquality/commit/bfef79dbe6aa525e9557bf4b0a61e6dde12749c4 + [jsc#SLE-16719, jsc#SLE-16720, pam-pam_cracklib-add-usersubstr.patch] + +------------------------------------------------------------------- +Wed Nov 18 10:02:32 UTC 2020 - Josef Möllers <josef.moell...@suse.com> + +- pam_xauth.c: do not free() a string which has been (successfully) + passed to putenv(). 
+ [bsc#1177858, pam-bsc1177858-dont-free-environment-string.patch] + +------------------------------------------------------------------- +Fri Nov 13 09:13:18 UTC 2020 - Josef Möllers <josef.moell...@suse.com> + +- Initialize pam_unix pam_sm_acct_mgmt() local variable "daysleft" + to avoid spurious (and misleading) + Warning: your password will expire in ... days. + fixed upstream with commit db6b293046a + [bsc#1178727, pam-bsc1178727-initialize-daysleft.patch] + +------------------------------------------------------------------- +Tue Nov 10 11:09:39 UTC 2020 - Thorsten Kukuk <ku...@suse.com> + +- Enable pam_faillock [bnc#1171562] + +------------------------------------------------------------------- +Wed Oct 8 13:31:39 UTC 2020 - Josef Möllers <josef.moell...@suse.com> + +- /usr/bin/xauth chokes on the old user's $HOME being on an NFS + file system. Run /usr/bin/xauth using the old user's uid/gid + Patch courtesy of Dr. Werner Fink. + [bsc#1174593, pam-xauth_ownership.patch] + +------------------------------------------------------------------- +Thu Oct 8 02:33:16 UTC 2020 - Stanislav Brabec <sbra...@suse.com> + +- pam-login_defs-check.sh: Fix the regexp to get a real variable + list (boo#1164274). + +------------------------------------------------------------------- +Wed Jun 24 13:06:33 UTC 2020 - Josef Möllers <josef.moell...@suse.com> + +- Revert the previous change [SR#815713]. + The group is not necessary for PAM functionality but used only + during testing. The test system should therefore create this group. + [bsc#1171016, pam.spec] + +------------------------------------------------------------------- +Mon Jun 15 15:05:18 UTC 2020 - Josef Möllers <josef.moell...@suse.com> + +- Add requirement for group "wheel" to spec file. 
+ [bsc#1171016, pam.spec] + +------------------------------------------------------------------- Old: ---- Linux-PAM-1.4.0-docs.tar.xz Linux-PAM-1.4.0.tar.xz New: ---- Linux-PAM-1.5.0-docs.tar.xz Linux-PAM-1.5.0.tar.xz pam-bsc1177858-dont-free-environment-string.patch pam-pam_cracklib-add-usersubstr.patch pam-xauth_ownership.patch pam_cracklib-removal.patch pam_tally2-removal.patch ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ pam.spec ++++++ --- /var/tmp/diff_new_pack.j3lsOX/_old 2020-11-23 18:53:47.353568191 +0100 +++ /var/tmp/diff_new_pack.j3lsOX/_new 2020-11-23 18:53:47.353568191 +0100 @@ -27,7 +27,7 @@ %endif Name: pam # -Version: 1.4.0 +Version: 1.5.0 Release: 0 Summary: A Security Tool that Provides Authentication for Applications License: GPL-2.0-or-later OR BSD-3-Clause @@ -47,6 +47,11 @@ Source12: pam-login_defs-check.sh Patch2: pam-limit-nproc.patch Patch4: pam-hostnames-in-access_conf.patch +Patch5: pam-xauth_ownership.patch +Patch6: pam_cracklib-removal.patch +Patch7: pam_tally2-removal.patch +Patch8: pam-bsc1177858-dont-free-environment-string.patch +Patch9: pam-pam_cracklib-add-usersubstr.patch BuildRequires: audit-devel BuildRequires: bison BuildRequires: cracklib-devel @@ -139,6 +144,11 @@ cp -a %{SOURCE12} . %patch2 -p1 %patch4 -p1 +%patch5 -p1 +%patch6 -R -p1 +%patch7 -R -p1 +%patch8 -p1 +%patch9 -p1 %build bash ./pam-login_defs-check.sh @@ -210,8 +220,6 @@ cp -fpv "$i" "$DOC/modules/README.${i%/*}" done popd -# XXX Remove until whitelisted -rm %{buildroot}/%{_lib}/security/pam_faillock.so # Install unix2_chkpwd install -m 755 %{_builddir}/unix2_chkpwd %{buildroot}/sbin/ install -m 644 %{_sourcedir}/unix2_chkpwd.8 %{buildroot}/%{_mandir}/man8/ 
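Review bot: the order of `%patch5 -p1` and `%patch8 -p1` in the pam.spec hunk @@ -139,6 +144,11 @@ is load-bearing and should get a comment in the spec. pam-bsc1177858-dont-free-environment-string.patch is still written against Linux-PAM-1.4.0 paths (harmless with `-p1`), but the context it removes, `/* Don't free environment variables nor set them to NULL. */`, only exists once pam-xauth_ownership.patch has replaced upstream's `xauthority = NULL;` line, so applying Patch8 before Patch5, or without it, fails on context. Either fold the putenv() fix into the refreshed ownership patch or add a one-line comment above the %patch lines recording the dependency. Reverse-applying the two `*-removal.patch` files with `-R` to bring pam_cracklib and pam_tally2 back for the deprecated sub-package is fine, but it is unusual enough to deserve the same kind of comment.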
@@ -310,6 +318,7 @@ %{_mandir}/man8/pam_sepermit.8%{?ext_man} %{_mandir}/man8/pam_setquota.8%{?ext_man} %{_mandir}/man8/pam_shells.8%{?ext_man} +%{_mandir}/man8/pam_stress.8%{?ext_man} %{_mandir}/man8/pam_succeed_if.8%{?ext_man} %{_mandir}/man8/pam_time.8%{?ext_man} %{_mandir}/man8/pam_timestamp.8%{?ext_man} @@ -321,6 +330,7 @@ %{_mandir}/man8/pam_warn.8%{?ext_man} %{_mandir}/man8/pam_wheel.8%{?ext_man} %{_mandir}/man8/pam_xauth.8%{?ext_man} +%{_mandir}/man8/pwhistory_helper.8%{?ext_man} %{_mandir}/man8/unix2_chkpwd.8%{?ext_man} %{_mandir}/man8/unix_chkpwd.8%{?ext_man} %{_mandir}/man8/unix_update.8%{?ext_man} @@ -338,7 +348,7 @@ /%{_lib}/security/pam_env.so /%{_lib}/security/pam_exec.so /%{_lib}/security/pam_faildelay.so -#/%{_lib}/security/pam_faillock.so +/%{_lib}/security/pam_faillock.so /%{_lib}/security/pam_filter.so %dir /%{_lib}/security/pam_filter /%{_lib}/security//pam_filter/upperLOWER @@ -386,6 +396,7 @@ /sbin/mkhomedir_helper /sbin/pam_namespace_helper /sbin/pam_timestamp_check +/sbin/pwhistory_helper %verify(not mode) %attr(4755,root,shadow) /sbin/unix_chkpwd %verify(not mode) %attr(4755,root,shadow) /sbin/unix2_chkpwd %attr(0700,root,root) /sbin/unix_update @@ -401,8 +412,6 @@ /%{_lib}/security/pam_cracklib.so /%{_lib}/security/pam_tally2.so /sbin/pam_tally2 -%{_mandir}/man8/pam_cracklib.8%{?ext_man} -%{_mandir}/man8/pam_tally2.8%{?ext_man} %files doc %defattr(644,root,root,755) ++++++ Linux-PAM-1.4.0-docs.tar.xz -> Linux-PAM-1.5.0-docs.tar.xz ++++++ ++++ 5573 lines of diff (skipped) ++++++ Linux-PAM-1.4.0-docs.tar.xz -> Linux-PAM-1.5.0.tar.xz ++++++ ++++ 304986 lines of diff (skipped) ++++++ pam-bsc1177858-dont-free-environment-string.patch ++++++ Index: Linux-PAM-1.4.0/modules/pam_xauth/pam_xauth.c =================================================================== --- Linux-PAM-1.4.0.orig/modules/pam_xauth/pam_xauth.c +++ Linux-PAM-1.4.0/modules/pam_xauth/pam_xauth.c 
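Review bot: `/sbin/pwhistory_helper` in the pam.spec hunk @@ -386,6 +396,7 @@ is listed without a `%verify`/`%attr`, while the neighbouring `/sbin/unix_chkpwd` and `/sbin/unix2_chkpwd` entries pin `%attr(4755,root,shadow)` and `/sbin/unix_update` pins `%attr(0700,root,root)`. The changelog describes it as a SELinux helper executable for pam_pwhistory, i.e. a privileged helper of the same kind as unix_chkpwd; whatever mode upstream's `make install` gives it should be stated explicitly in %files (and, if it is setuid root, reviewed like the other setuid helpers) so a future upstream change cannot silently alter the privilege level of a shipped binary.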
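Review bot: the pam.spec hunk @@ -401,8 +412,6 @@ drops `pam_cracklib.8` and `pam_tally2.8` from the deprecated sub-package while `pam_cracklib.so`, `pam_tally2.so` and `/sbin/pam_tally2` stay in it. Unless the reverse-applied removal patches restore those man pages somewhere else, the deprecated modules now ship undocumented, and pam-pam_cracklib-add-usersubstr.patch in this same submission adds a new `usersubstr=<N>` option that has no man page or README hunk at all. Either keep the man pages in the sub-package (and document the new option there) or say in the sub-package description where the documentation went.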
@@ -701,8 +701,9 @@ pam_sm_open_session (pam_handle_t *pamh, pam_syslog(pamh, LOG_ERR, "can't set environment variable '%s'", xauthority); - putenv (xauthority); /* The environment owns this string now. */ - /* Don't free environment variables nor set them to NULL. */ + if (putenv (xauthority) == 0) /* The environment owns this string now. */ + xauthority = NULL; + /* Don't free environment variables. */ /* set $DISPLAY in pam handle to make su - work */ { @@ -765,7 +766,8 @@ cleanup: unsetenv (XAUTHENV); free(cookiefile); free(cookie); - free(xauthority); + if (xauthority != NULL) /* If it hasn't been successfully passed to putenv() ... */ + free(xauthority); return retval; } ++++++ pam-login_defs-check.sh ++++++ --- /var/tmp/diff_new_pack.j3lsOX/_old 2020-11-23 18:53:48.109568956 +0100 +++ /var/tmp/diff_new_pack.j3lsOX/_new 2020-11-23 18:53:48.113568961 +0100 @@ -9,10 +9,10 @@ echo -n "Checking login.defs variables in pam... " >&2 grep -rh LOGIN_DEFS . | - sed -n 's/^.*search_key *("\([A-Z0-9_]*\)", *LOGIN_DEFS).*$/\1/p' | + sed -n 's/^.*search_key *([A-Za-z_]*, *[A-Z_]*LOGIN_DEFS, *"\([A-Z0-9_]*\)").*$/\1/p' | LC_ALL=C sort -u >pam-login_defs-vars.lst -if test $(sha1sum pam-login_defs-vars.lst | sed 's/ .*$//') != da39a3ee5e6b4b0d3255bfef95601890afd80709 ; then +if test $(sha1sum pam-login_defs-vars.lst | sed 's/ .*$//') != 3c6e0020c31609690b69ef391654df930b74151d ; then echo "does not match!" >&2 echo "Checksum is: $(sha1sum pam-login_defs-vars.lst | sed 's/ .*$//')" >&2 ++++++ pam-pam_cracklib-add-usersubstr.patch ++++++ Index: Linux-PAM-1.4.0/modules/pam_cracklib/pam_cracklib.c =================================================================== --- Linux-PAM-1.4.0.orig/modules/pam_cracklib/pam_cracklib.c +++ Linux-PAM-1.4.0/modules/pam_cracklib/pam_cracklib.c @@ -88,6 +88,7 @@ struct cracklib_options { int reject_user; int gecos_check; int enforce_for_root; + int user_substr; const char *cracklib_dictpath; }; 
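Review bot: in pam-bsc1177858-dont-free-environment-string.patch, the `if (xauthority != NULL)` guard added in the @@ -765,7 +766,8 @@ hunk is redundant, since `free(NULL)` is a no-op; a plain `free(xauthority);` with the explanatory comment kept next to the `putenv()` call reads cleaner. The substantive part of the fix is the first hunk, and clearing `xauthority` only when `putenv()` returns 0 is correct: on success the process environment owns the buffer, on failure the caller still does. Note that `pam_putenv()` has already copied the string into the PAM environment by then, so when `putenv()` fails the variable is visible to the stack but not to the xauth child; a `pam_syslog()` on that branch would make later xauth failures easier to diagnose.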
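Review bot: in the pam-login_defs-check.sh hunk @@ -9,10 +9,10 @@, the old checksum `da39a3ee5e6b4b0d3255bfef95601890afd80709` is the SHA-1 of the empty string, which shows the previous sed expression never matched a single `search_key` call and the check has been passing on an empty variable list. The new expression fixes that, but nothing stops the same failure from being "fixed" again by pasting the empty-list hash: add `test -s pam-login_defs-vars.lst || { echo "no login.defs variables found" >&2; exit 1; }` before the checksum comparison so an empty list fails loudly, and consider comparing against a checked-in list of variable names rather than a bare SHA-1 so a failure shows which login.defs variable was added or removed.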
@@ -185,6 +186,10 @@ _pam_parse (pam_handle_t *pamh, struct c if (!*(opt->cracklib_dictpath)) { opt->cracklib_dictpath = CRACKLIB_DICTS; } + } else if ((str = pam_str_skip_prefix(*argv, "usersubstr=")) != NULL) { + opt->user_substr = strtol(str, &ep, 10); + if (ep == str) + opt->user_substr = 0; } else { pam_syslog(pamh,LOG_ERR,"pam_parse: unknown option; %s",*argv); } @@ -525,13 +530,54 @@ static int wordcheck(const char *new, ch return 0; } +/* + * RETURNS: True if the password is unacceptable, else false + */ +static int usersubstr(int len, const char *new, char *user) +{ + int i, userlen; + int bad = 0; // Assume it's OK unless proven otherwise + char *subuser = calloc(len+1, sizeof(char)); + + if (subuser == NULL) { + return 1; + } + + userlen = strlen(user); + + if (len >= CO_MIN_WORD_LENGTH && + userlen > len) { + for(i = 0; !bad && (i <= userlen - len); i++) { + strncpy(subuser, user+i, len+1); + subuser[len] = '\0'; + bad = wordcheck(new, subuser); + } + } else { + // if we already tested substrings, there's no need to test + // the whole username; all substrings would've been found :) + if (!bad) + bad = wordcheck(new, user); + } + + free(subuser); + + return bad; +} + +/* + * RETURNS: True if the password is unacceptable, else false + */ static int usercheck(struct cracklib_options *opt, const char *new, char *user) { - if (!opt->reject_user) - return 0; + int bad = 0; + + if (opt->reject_user) + bad = wordcheck(new, user); + if (!bad && opt->user_substr != 0) + bad = usersubstr(opt->user_substr, new, user); - return wordcheck(new, user); + return bad; } static char * str_lower(char *string) ++++++ pam-xauth_ownership.patch ++++++ diff -urN Linux-PAM-1.5.0/modules/pam_xauth/pam_xauth.c Linux-PAM-1.5.0.xauth/modules/pam_xauth/pam_xauth.c --- Linux-PAM-1.5.0/modules/pam_xauth/pam_xauth.c 2020-11-10 16:46:13.000000000 +0100 +++ Linux-PAM-1.5.0.xauth/modules/pam_xauth/pam_xauth.c 2020-11-19 11:50:54.176925556 +0100 
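Review bot: the `usersubstr=` parser in the @@ -185,6 +186,10 @@ hunk of pam-pam_cracklib-add-usersubstr.patch accepts negative values and trailing junk. `strtol()` returns -5 for `usersubstr=-5`, which reaches `usersubstr()` as `len`; there `calloc(len+1, sizeof(char))` is called with a negative value converted to size_t, the allocation fails, and the function returns 1, so a mis-typed module argument turns into rejecting every password (fail-closed, but with no hint why). `usersubstr=5x` is accepted as 5 because only `ep == str` is checked. Reject `opt->user_substr < 0` and `*ep != '\0'` with a `pam_syslog()` error the way the unknown-option branch below does, and document the valid range of N together with the option.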
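Review bot: in the @@ -525,13 +530,54 @@ hunk of pam-pam_cracklib-add-usersubstr.patch, the `if (!bad)` in the else branch of `usersubstr()` can never be false (`bad` is still 0 there) and the comment above it ("if we already tested substrings, there's no need to test the whole username") describes the other branch; drop the test and reword the comment to say that for `len < CO_MIN_WORD_LENGTH`, or a user name no longer than `len`, the whole name is checked instead. In the loop, `strncpy(subuser, user+i, len+1)` followed by `subuser[len] = '\0'` copies one byte more than needed and relies on the calloc size being exactly len+1; `memcpy(subuser, user + i, len); subuser[len] = '\0';` says what is meant. When both `reject_user` and a small `usersubstr` are set, `usercheck()` now runs `wordcheck(new, user)` on the full name twice, which is harmless but could skip the fallback when `opt->reject_user` already covered it. The `userlen == len` case correctly falls through to the whole-name check and is worth a unit test.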
@@ -355,11 +355,13 @@ char *cookiefile = NULL, *xauthority = NULL, *cookie = NULL, *display = NULL, *tmp = NULL, *xauthlocalhostname = NULL; - const char *user, *xauth = NULL; + const char *user, *xauth = NULL, *login_name; struct passwd *tpwd, *rpwd; int fd, i, debug = 0; int retval = PAM_SUCCESS; - uid_t systemuser = 499, targetuser = 0; + uid_t systemuser = 499, targetuser = 0, uid; + gid_t gid; + struct stat st; /* Parse arguments. We don't understand many, so no sense in breaking * this into a separate function. */ @@ -429,7 +431,16 @@ retval = PAM_SESSION_ERR; goto cleanup; } - rpwd = pam_modutil_getpwuid(pamh, getuid()); + + login_name = pam_modutil_getlogin(pamh); + if (login_name == NULL) { + login_name = ""; + } + if (*login_name) + rpwd = pam_modutil_getpwnam(pamh, login_name); + else + rpwd = pam_modutil_getpwuid(pamh, getuid()); + if (rpwd == NULL) { pam_syslog(pamh, LOG_ERR, "error determining invoking user's name"); @@ -518,18 +529,26 @@ cookiefile); } + /* Get owner and group of the cookiefile */ + uid = getuid(); + gid = getgid(); + if (stat(cookiefile, &st) == 0) { + uid = st.st_uid; + gid = st.st_gid; + } + /* Read the user's .Xauthority file. Because the current UID is * the original user's UID, this will only fail if something has * gone wrong, or we have no cookies. */ if (debug) { pam_syslog(pamh, LOG_DEBUG, - "running \"%s %s %s %s %s\" as %lu/%lu", - xauth, "-f", cookiefile, "nlist", display, - (unsigned long) getuid(), (unsigned long) getgid()); + "running \"%s %s %s %s %s %s\" as %lu/%lu", + xauth, "-i", "-f", cookiefile, "nlist", display, + (unsigned long) uid, (unsigned long) gid); } if (run_coprocess(pamh, NULL, &cookie, - getuid(), getgid(), - xauth, "-f", cookiefile, "nlist", display, + uid, gid, + xauth, "-i", "-f", cookiefile, "nlist", display, NULL) == 0) { #ifdef WITH_SELINUX char *context_raw = NULL; 
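Review bot: the @@ -429,7 +431,16 @@ hunk of pam-xauth_ownership.patch makes `rpwd`, and therefore whose cookie file is read, depend on `pam_modutil_getlogin()` before falling back to `getuid()`. That name comes from the utmp record for the session's tty, which is a hint rather than an authenticated identity, and it can differ from the real uid of the process calling into PAM (for example after `su` to another account and then `su` again). Because the next hunk no longer runs xauth as getuid(), nothing ties the chosen `rpwd` back to the caller any more; at minimum log both the utmp name and the real uid under `debug`, and fall back to `getuid()` whenever the utmp user's uid differs from getuid() unless the caller is root, which is the NFS case the changelog describes.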
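Review bot: the @@ -518,18 +529,26 @@ hunk of pam-xauth_ownership.patch runs `xauth -i -f cookiefile nlist display` as the owner of `cookiefile` (`st.st_uid`/`st.st_gid` from `stat()`) instead of as the invoking user, which removes the only access check on the source cookie file; the comment left in place, "Because the current UID is the original user's UID, this will only fail if something has gone wrong, or we have no cookies", is no longer true. pam_xauth takes `cookiefile` from the invoker's `$XAUTHORITY` when that is set (the module unsets `XAUTHENV` at cleanup for that reason), so a caller can point it at a cookie file they cannot read, such as another user's or root's; `stat()` only needs search permission on the directory, and `run_coprocess()` then reads the file with the owner's credentials and merges the cookie into the target user's Xauthority. The root-squash case from the changelog only needs the switch when the caller is root and the file belongs to someone else, so restrict it to `getuid() == 0`, or check `access(cookiefile, R_OK)` under the real uid before substituting the owner's uid/gid, and apply the same guard to the second `run_coprocess()` call in the @@ -583,12 +602,12 @@ hunk. Update the stale comment either way.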
@@ -583,12 +602,12 @@ cookiefile, "nlist", t, - (unsigned long) getuid(), - (unsigned long) getgid()); + (unsigned long) uid, + (unsigned long) gid); } run_coprocess(pamh, NULL, &cookie, - getuid(), getgid(), - xauth, "-f", cookiefile, + uid, gid, + xauth, "-i", "-f", cookiefile, "nlist", t, NULL); } free(t); @@ -673,13 +692,17 @@ goto cleanup; } + if (debug) { + pam_syslog(pamh, LOG_DEBUG, "set environment variable '%s'", + xauthority); + } /* Set the new variable in the environment. */ if (pam_putenv (pamh, xauthority) != PAM_SUCCESS) pam_syslog(pamh, LOG_ERR, "can't set environment variable '%s'", xauthority); putenv (xauthority); /* The environment owns this string now. */ - xauthority = NULL; /* Don't free environment variables. */ + /* Don't free environment variables nor set them to NULL. */ /* set $DISPLAY in pam handle to make su - work */ { ++++++ pam_cracklib-removal.patch ++++++ ++++ 1740 lines (skipped) ++++++ pam_tally2-removal.patch ++++++ ++++ 1332 lines (skipped) _______________________________________________ openSUSE Commits mailing list -- commit@lists.opensuse.org To unsubscribe, email commit-le...@lists.opensuse.org List Netiquette: https://en.opensuse.org/openSUSE:Mailing_list_netiquette List Archives: https://lists.opensuse.org/archives/list/commit@lists.opensuse.org
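Review bot: the @@ -673,13 +692,17 @@ hunk of pam-xauth_ownership.patch deletes upstream's `xauthority = NULL; /* Don't free environment variables. */` after `putenv(xauthority)` and replaces it with a comment saying not to set it to NULL, but the `cleanup:` label still does `free(xauthority)` (visible in pam-bsc1177858-dont-free-environment-string.patch above), so on its own this hunk frees a buffer the process environment now owns; that is exactly the bug the bsc#1177858 patch then has to repair. Nothing in this patch's stated purpose (running xauth as the cookie file owner) needs the change, so drop this hunk from the refreshed patch and let the bsc#1177858 fix apply against the upstream line, which also removes the ordering dependency between Patch5 and Patch8 in the spec. The added `debug` syslog line before `pam_putenv()` is fine.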