Hello community,

here is the log from the commit of package pam.15082 for openSUSE:Leap:15.2:Update checked in at 2020-11-27 06:23:29

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Leap:15.2:Update/pam.15082 (Old)
 and      /work/SRC/openSUSE:Leap:15.2:Update/.pam.15082.new.5913 (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Package is "pam.15082"

Fri Nov 27 06:23:29 2020 rev:1 rq:850326 version:1.3.0

Changes:
--------
New Changes file:

--- /dev/null	2020-11-18 17:46:03.679371574 +0100
+++ /work/SRC/openSUSE:Leap:15.2:Update/.pam.15082.new.5913/pam.changes	2020-11-27 06:23:29.969082038 +0100
@@ -0,0 +1,1580 @@ +------------------------------------------------------------------- +Wed Nov 18 10:43:23 UTC 2020 - Josef Möllers <[email protected]> + +- pam_xauth.c: do not free() a string which has been (successfully) + passed to putenv(). + [bsc#1177858, pam-bsc1177858-dont-free-environment-string.patch] + +------------------------------------------------------------------- +Fri Nov 13 09:31:35 UTC 2020 - Josef Möllers <[email protected]> + +- Initialize pam_unix pam_sm_acct_mgmt() local variable "daysleft" + to avoid spurious (and misleading) + Warning: your password will expire in ... days. + fixed upstream with commit db6b293046a + [bsc#1178727, pam-bsc1178727-initialize-daysleft.patch] + +------------------------------------------------------------------- +Thu Oct 15 13:51:55 UTC 2020 - Josef Möllers <[email protected]> + +- /usr/bin/xauth chokes on the old user's $HOME being on an NFS + file system. Run /usr/bin/xauth using the old user's uid/gid + Patch courtesy of Dr. Werner Fink. + [bsc#1174593, pam-xauth_ownership.patch] + +------------------------------------------------------------------- +Fri Mar 20 15:52:18 UTC 2020 - Josef Möllers <[email protected]> + +- Moved pam_userdb to a separate package pam-extra. + [bsc#1166510, pam.spec] + +------------------------------------------------------------------- +Fri Mar 13 07:31:35 UTC 2020 - Marcus Meissner <[email protected]> + +- disable libdb usage and pam_userdb again, as this causes some license + conflicts. (bsc#1166510) + +------------------------------------------------------------------- +Fri Feb 21 13:06:51 UTC 2020 - Josef Möllers <[email protected]> + +- Add libdb as build-time dependency to enable pam_userdb module. 
+ Enable pam_userdb.so + [jsc#sle-7258, bsc#1164562, pam.spec] + +------------------------------------------------------------------- +Mon Nov 19 10:07:23 UTC 2018 - [email protected] + +- When comparing an incoming IP address with an entry in + access.conf that only specified a single host (ie no netmask), + the incoming IP address was used rather than the IP address from + access.conf, effectively comparing the incoming address with + itself. (Also fixed a small typo while I was at it) + [bsc#1115640, use-correct-IP-address.patch, CVE-2018-17953] + +------------------------------------------------------------------- +Thu Oct 11 14:40:45 UTC 2018 - [email protected] + +- Remove limits for nproc from /etc/security/limits.conf + ie remove pam-limit-nproc.patch + [bsc#1110700, pam-limit-nproc.patch] + +------------------------------------------------------------------- +Thu May 3 07:08:50 UTC 2018 - [email protected] + +- pam_umask.8 needed to be patched as well. + [bsc#1089884, pam-fix-config-order-in-manpage.patch] + +------------------------------------------------------------------- +Wed May 2 12:32:40 UTC 2018 - [email protected] + +- Changed order of configuration files to reflect actual code. + [bsc#1089884, pam-fix-config-order-in-manpage.patch] + +------------------------------------------------------------------- +Thu Feb 22 15:10:42 UTC 2018 - [email protected] + +- Use %license (boo#1082318) + +------------------------------------------------------------------- +Thu Oct 12 08:55:29 UTC 2017 - [email protected] + +- Prerequire group(shadow), user(root) + +------------------------------------------------------------------- +Fri Jan 27 10:35:29 UTC 2017 - [email protected] + +- Allow symbolic hostnames in access.conf file. + [pam-hostnames-in-access_conf.patch, boo#1019866] + +------------------------------------------------------------------- +Thu Dec 8 12:41:05 UTC 2016 - [email protected] + +- Increased nproc limits for non-privileged users to 4069/16384. 
+ Removed limits for "root". + [pam-limit-nproc.patch, bsc#1012494, bsc#1013706] + +------------------------------------------------------------------- +Sun Jul 31 11:08:19 UTC 2016 - [email protected] + +- pam-limit-nproc.patch: increased process limit to help + Chrome/Chromuim users with really lots of tabs. New limit gets + closer to UserTasksMax parameter in logind.conf + +------------------------------------------------------------------- +Thu Jul 28 14:29:09 CEST 2016 - [email protected] + +- Add doc directory to filelist. + +------------------------------------------------------------------- +Mon May 2 10:44:38 CEST 2016 - [email protected] + +- Remove obsolete README.pam_tally [bsc#977973] + +------------------------------------------------------------------- +Thu Apr 28 13:51:59 CEST 2016 - [email protected] + +- Update Linux-PAM to version 1.3.0 +- Rediff encryption_method_nis.diff +- Link pam_unix against libtirpc and external libnsl to enable + IPv6 support. + +------------------------------------------------------------------- +Thu Apr 14 14:06:18 CEST 2016 - [email protected] + +- Add /sbin/unix2_chkpwd (moved from pam-modules) + +------------------------------------------------------------------- +Mon Apr 11 15:09:04 CEST 2016 - [email protected] + +- Remove (since accepted upstream): + - 0001-Remove-YP-dependencies-from-pam_access-they-were-nev.patch + - 0002-Remove-enable-static-modules-option-and-support-from.patch + - 0003-fix-nis-checks.patch + - 0004-PAM_EXTERN-isn-t-needed-anymore-but-don-t-remove-it-.patch + - 0005-Use-TI-RPC-functions-if-we-compile-and-link-against-.patch + +------------------------------------------------------------------- +Fri Apr 1 15:32:37 CEST 2016 - [email protected] + +- Add 0005-Use-TI-RPC-functions-if-we-compile-and-link-against-.patch + - Replace IPv4 only functions + +------------------------------------------------------------------- +Fri Apr 1 10:37:58 CEST 2016 - [email protected] + +- Fix typo in 
common-account.pamd [bnc#959439] + +------------------------------------------------------------------- +Tue Mar 29 14:25:02 CEST 2016 - [email protected] + +- Add 0004-PAM_EXTERN-isn-t-needed-anymore-but-don-t-remove-it-.patch + - readd PAM_EXTERN for external PAM modules + +------------------------------------------------------------------- +Wed Mar 23 11:21:16 CET 2016 - [email protected] + +- Add 0001-Remove-YP-dependencies-from-pam_access-they-were-nev.patch +- Add 0002-Remove-enable-static-modules-option-and-support-from.patch +- Add 0003-fix-nis-checks.patch + +------------------------------------------------------------------- +Sat Jul 25 16:03:33 UTC 2015 - [email protected] + +- Add folder /etc/security/limits.d as mentioned in 'man pam_limits' + +------------------------------------------------------------------- +Fri Jun 26 09:39:42 CEST 2015 - [email protected] + +- Update to version 1.2.1 + - security update for CVE-2015-3238 + +------------------------------------------------------------------- +Mon Apr 27 17:14:40 CEST 2015 - [email protected] + +- Update to version 1.2.0 + - obsoletes Linux-PAM-git-20150109.diff + +------------------------------------------------------------------- +Fri Jan 9 15:37:28 CET 2015 - [email protected] + +- Re-add lost patch encryption_method_nis.diff [bnc#906660] + +------------------------------------------------------------------- +Fri Jan 9 14:53:50 CET 2015 - [email protected] + +- Update to current git: + - Linux-PAM-git-20150109.diff replaces Linux-PAM-git-20140127.diff + - obsoletes pam_loginuid-log_write_errors.diff + - obsoletes pam_xauth-sigpipe.diff + - obsoletes bug-870433_pam_timestamp-fix-directory-traversal.patch + +------------------------------------------------------------------- +Fri Jan 9 11:10:45 UTC 2015 - [email protected] + +- increase process limit to 1200 to help chromium users with many tabs + +------------------------------------------------------------------- +Tue May 6 14:31:36 UTC 2014 - 
[email protected]
++++ 1383 more lines (skipped)
++++ between /dev/null
++++ and /work/SRC/openSUSE:Leap:15.2:Update/.pam.15082.new.5913/pam.changes

New:
----
  Linux-PAM-1.3.0-docs.tar.bz2
  Linux-PAM-1.3.0.tar.bz2
  baselibs.conf
  common-account.pamd
  common-auth.pamd
  common-password.pamd
  common-session.pamd
  encryption_method_nis.diff
  etc.environment
  fix-man-links.dif
  other.pamd
  pam-bsc1177858-dont-free-environment-string.patch
  pam-bsc1178727-initialize-daysleft.patch
  pam-fix-config-order-in-manpage.patch
  pam-hostnames-in-access_conf.patch
  pam-xauth_ownership.patch
  pam.changes
  pam.spec
  securetty
  unix2_chkpwd.8
  unix2_chkpwd.c
  use-correct-IP-address.patch

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Other differences:
------------------
++++++ pam.spec ++++++
#
# spec file for package pam
#
# Copyright (c) 2018 SUSE LINUX Products GmbH, Nuernberg, Germany.
#
# All modifications and additions to the file contributed by third parties
# remain the property of their copyright owners, unless otherwise agreed
# upon. The license for this file, and modifications and additions to the
# file, is the same license as for the pristine package itself (unless the
# license for the pristine package is not an Open Source License, in which
# case the license is the MIT License). An "Open Source License" is a
# license that conforms to the Open Source Definition (Version 1.9)
# published by the Open Source Initiative.
# Please submit bugfixes or comments via http://bugs.opensuse.org/
#
#

%define enable_selinux 1
Name:           pam
Url:            http://www.linux-pam.org/
BuildRequires:  audit-devel
BuildRequires:  bison
BuildRequires:  cracklib-devel
BuildRequires:  flex
%if 0%{?suse_version} > 1320
BuildRequires:  pkgconfig(libnsl)
BuildRequires:  pkgconfig(libtirpc)
%endif
%if %{enable_selinux}
BuildRequires:  libselinux-devel
%endif
%define libpam_so_version 0.84.2
%define libpam_misc_so_version 0.82.1
%define libpamc_so_version 0.82.1
#
Version:        1.3.0
Release:        0
Summary:        A Security Tool that Provides Authentication for Applications
License:        GPL-2.0+ or BSD-3-Clause
Group:          System/Libraries
PreReq:         permissions
%if 0%{?suse_version} >= 1330
Requires(pre):  group(shadow)
Requires(pre):  user(root)
%endif
#DL-URL:        https://fedorahosted.org/releases/l/i/linux-pam/
Source:         Linux-PAM-%{version}.tar.bz2
Source1:        Linux-PAM-%{version}-docs.tar.bz2
Source2:        securetty
Source3:        other.pamd
Source4:        common-auth.pamd
Source5:        common-account.pamd
Source6:        common-password.pamd
Source7:        common-session.pamd
Source8:        etc.environment
Source9:        baselibs.conf
Source10:       unix2_chkpwd.c
Source11:       unix2_chkpwd.8
Patch0:         fix-man-links.dif
Patch3:         encryption_method_nis.diff
Patch4:         pam-hostnames-in-access_conf.patch
Patch5:         pam-fix-config-order-in-manpage.patch
Patch6:         use-correct-IP-address.patch
Patch8:         pam-xauth_ownership.patch
Patch9:         pam-bsc1178727-initialize-daysleft.patch
Patch10:        pam-bsc1177858-dont-free-environment-string.patch
BuildRoot:      %{_tmppath}/%{name}-%{version}-build
# Remove with next version update:
BuildRequires:  autoconf
BuildRequires:  automake
BuildRequires:  libtool

%description
PAM (Pluggable Authentication Modules) is a system security tool that
allows system administrators to set authentication policies without
having to recompile programs that do authentication.

%package extra
Summary:        PAM module to authenticate against a separate database
Group:          System/Libraries%description
BuildRequires:  libdb-4_8-devel
BuildRequires:  pam-devel

%description extra
PAM (Pluggable Authentication Modules) is a system security tool that
allows system administrators to set authentication policies without
having to recompile programs that do authentication.

This package contains useful extra modules eg pam_userdb which is used
to verify a username/password pair against values stored in a Berkeley
DB database.

%package doc
Summary:        Documentation for Pluggable Authentication Modules
Group:          Documentation/HTML
%if 0%{?suse_version} >= 1140
BuildArch:      noarch
%endif

%description doc
PAM (Pluggable Authentication Modules) is a system security tool that
allows system administrators to set authentication policies without
having to recompile programs that do authentication.

This package contains the documentation.

%package devel
Summary:        Include Files and Libraries for PAM-Development
Group:          Development/Libraries/C and C++
Requires:       glibc-devel
Requires:       pam = %{version}

%description devel
PAM (Pluggable Authentication Modules) is a system security tool which
allows system administrators to set authentication policy without
having to recompile programs which do authentication.

This package contains header files and static libraries used for
building both PAM-aware applications and modules for use with PAM.

%prep
%setup -q -n Linux-PAM-%{version} -b 1
%patch0 -p1
%patch3 -p0
%patch4 -p0
%patch5 -p1
%patch6 -p1
%patch8 -p1
%patch9 -p1
%patch10 -p1

%build
autoreconf -fiv
export CFLAGS="%optflags -DNDEBUG"
%configure \
	--sbindir=/sbin \
	--includedir=%_includedir/security \
	--docdir=%{_docdir}/pam \
	--htmldir=%{_docdir}/pam/html \
	--pdfdir=%{_docdir}/pam/pdf \
	--libdir=/%{_lib} \
	--enable-isadir=../../%{_lib}/security \
	--enable-securedir=/%{_lib}/security
make %{?_smp_mflags}
%__cc -fwhole-program -fpie -pie -D_FILE_OFFSET_BITS=64 -D_GNU_SOURCE %{optflags} -I$RPM_BUILD_DIR/Linux-PAM-%{version}/libpam/include %{SOURCE10} -o $RPM_BUILD_DIR/unix2_chkpwd -L$RPM_BUILD_DIR/Linux-PAM-%{version}/libpam/.libs/ -lpam

%check
make %{?_smp_mflags} check

%install
mkdir -p $RPM_BUILD_ROOT/etc/pam.d
mkdir -p $RPM_BUILD_ROOT/usr/include/security
mkdir -p $RPM_BUILD_ROOT/%{_lib}/security
mkdir -p $RPM_BUILD_ROOT/sbin
mkdir -p -m 755 $RPM_BUILD_ROOT%{_libdir}
make DESTDIR=$RPM_BUILD_ROOT install
/sbin/ldconfig -n $RPM_BUILD_ROOT/%{_lib}
# Install documentation
make -C doc install DESTDIR=$RPM_BUILD_ROOT
# install /etc/environment
install -m 644 %{SOURCE8} $RPM_BUILD_ROOT/etc/environment
# install securetty
install -m 644 %{SOURCE2} $RPM_BUILD_ROOT/etc
%ifarch s390 s390x
echo "ttyS0" >> $RPM_BUILD_ROOT/etc/securetty
echo "ttyS1" >> $RPM_BUILD_ROOT/etc/securetty
echo "hvc0" >> $RPM_BUILD_ROOT/etc/securetty
echo "hvc1" >> $RPM_BUILD_ROOT/etc/securetty
echo "hvc2" >> $RPM_BUILD_ROOT/etc/securetty
echo "hvc3" >> $RPM_BUILD_ROOT/etc/securetty
echo "hvc4" >> $RPM_BUILD_ROOT/etc/securetty
echo "hvc5" >> $RPM_BUILD_ROOT/etc/securetty
echo "hvc6" >> $RPM_BUILD_ROOT/etc/securetty
echo "hvc7" >> $RPM_BUILD_ROOT/etc/securetty
echo "sclp_line0" >> $RPM_BUILD_ROOT/etc/securetty
echo "ttysclp0" >> $RPM_BUILD_ROOT/etc/securetty
%endif
# install other.pamd and common-*.pamd
install -m 644 %{SOURCE3} $RPM_BUILD_ROOT/etc/pam.d/other
install -m 644 %{SOURCE4} $RPM_BUILD_ROOT/etc/pam.d/common-auth
install -m 644 %{SOURCE5} $RPM_BUILD_ROOT/etc/pam.d/common-account
install -m 644 %{SOURCE6} $RPM_BUILD_ROOT/etc/pam.d/common-password
install -m 644 %{SOURCE7} $RPM_BUILD_ROOT/etc/pam.d/common-session
rm $RPM_BUILD_ROOT/%{_lib}/libpam.so
ln -sf ../../%{_lib}/libpam.so.%{libpam_so_version} $RPM_BUILD_ROOT%{_libdir}/libpam.so
rm $RPM_BUILD_ROOT/%{_lib}/libpamc.so
ln -sf ../../%{_lib}/libpamc.so.%{libpamc_so_version} $RPM_BUILD_ROOT%{_libdir}/libpamc.so
rm $RPM_BUILD_ROOT/%{_lib}/libpam_misc.so
ln -sf ../../%{_lib}/libpam_misc.so.%{libpam_misc_so_version} $RPM_BUILD_ROOT%{_libdir}/libpam_misc.so
#
# Remove crap
#
rm -rf $RPM_BUILD_ROOT/%{_lib}/*.la $RPM_BUILD_ROOT/%{_lib}/security/*.la
for x in pam_unix_auth pam_unix_acct pam_unix_passwd pam_unix_session; do
	ln -f $RPM_BUILD_ROOT/%{_lib}/security/pam_unix.so $RPM_BUILD_ROOT/%{_lib}/security/$x.so
done
#
# Install READMEs of PAM modules
#
DOC=$RPM_BUILD_ROOT%{_defaultdocdir}/pam
mkdir -p $DOC/modules
( cd modules; for i in pam_*/README ; do
	cp -fpv ${i} $DOC/modules/README.`dirname ${i}`
done )
#
# pam_tally is deprecated since ages
#
rm -f $RPM_BUILD_ROOT/%{_lib}/security/pam_tally.so
rm -f $RPM_BUILD_ROOT/sbin/pam_tally
rm -f $RPM_BUILD_ROOT%{_mandir}/man8/pam_tally.8*
rm -f $RPM_BUILD_ROOT%{_defaultdocdir}/pam/modules/README.pam_tally
# Install unix2_chkpwd
install -m 755 $RPM_BUILD_DIR/unix2_chkpwd $RPM_BUILD_ROOT/sbin/
install -m 644 $RPM_SOURCE_DIR/unix2_chkpwd.8 $RPM_BUILD_ROOT%{_mandir}/man8/
# Create filelist with translations
%{find_lang} Linux-PAM

%verifyscript
%verify_permissions -e /sbin/unix_chkpwd
%verify_permissions -e /sbin/unix2_chkpwd

%post
/sbin/ldconfig
%set_permissions /sbin/unix_chkpwd
%set_permissions /sbin/unix2_chkpwd

%postun -p /sbin/ldconfig

%files -f Linux-PAM.lang
%defattr(-,root,root)
%dir %{_sysconfdir}/pam.d
%dir %{_sysconfdir}/security
%dir %{_sysconfdir}/security/limits.d
%dir %{_defaultdocdir}/pam
%config(noreplace) %{_sysconfdir}/pam.d/other
%config(noreplace) %{_sysconfdir}/pam.d/common-*
%config(noreplace) %{_sysconfdir}/securetty
%config(noreplace) %{_sysconfdir}/environment
%config(noreplace) %{_sysconfdir}/security/access.conf
%config(noreplace) %{_sysconfdir}/security/group.conf
%config(noreplace) %{_sysconfdir}/security/limits.conf
%config(noreplace) %{_sysconfdir}/security/pam_env.conf
%if %{enable_selinux}
%config(noreplace) %{_sysconfdir}/security/sepermit.conf
%endif
%config(noreplace) %{_sysconfdir}/security/time.conf
%config(noreplace) %{_sysconfdir}/security/namespace.conf
%config(noreplace) %{_sysconfdir}/security/namespace.init
%doc NEWS
%license COPYING
%doc %{_mandir}/man5/environment.5*
%doc %{_mandir}/man5/*.conf.5*
%doc %{_mandir}/man5/pam.d.5*
%dir %{_mandir}/man8
%doc %{_mandir}/man8/pam.8.gz
%doc %{_mandir}/man8/pam_access.8.gz
%doc %{_mandir}/man8/pam_cracklib.8.gz
%doc %{_mandir}/man8/pam_debug.8.gz
%doc %{_mandir}/man8/pam_deny.8.gz
%doc %{_mandir}/man8/pam_echo.8.gz
%doc %{_mandir}/man8/pam_env.8.gz
%doc %{_mandir}/man8/pam_exec.8.gz
%doc %{_mandir}/man8/pam_faildelay.8.gz
%doc %{_mandir}/man8/pam_filter.8.gz
%doc %{_mandir}/man8/pam_ftp.8.gz
%doc %{_mandir}/man8/pam_group.8.gz
%doc %{_mandir}/man8/pam_issue.8.gz
%doc %{_mandir}/man8/pam_keyinit.8.gz
%doc %{_mandir}/man8/pam_lastlog.8.gz
%doc %{_mandir}/man8/pam_limits.8.gz
%doc %{_mandir}/man8/pam_listfile.8.gz
%doc %{_mandir}/man8/pam_localuser.8.gz
%doc %{_mandir}/man8/pam_loginuid.8.gz
%doc %{_mandir}/man8/pam_mail.8.gz
%doc %{_mandir}/man8/pam_mkhomedir.8.gz
%doc %{_mandir}/man8/pam_motd.8.gz
%doc %{_mandir}/man8/pam_namespace.8.gz
%doc %{_mandir}/man8/pam_nologin.8.gz
%doc %{_mandir}/man8/pam_permit.8.gz
%doc %{_mandir}/man8/pam_pwhistory.8.gz
%doc %{_mandir}/man8/pam_rhosts.8.gz
%doc %{_mandir}/man8/pam_rootok.8.gz
%doc %{_mandir}/man8/pam_securetty.8.gz
%doc %{_mandir}/man8/pam_selinux.8.gz
%doc %{_mandir}/man8/pam_sepermit.8.gz
%doc %{_mandir}/man8/pam_shells.8.gz
%doc %{_mandir}/man8/pam_succeed_if.8.gz
%doc %{_mandir}/man8/pam_tally2.8.gz
%doc %{_mandir}/man8/pam_time.8.gz
%doc %{_mandir}/man8/pam_timestamp.8.gz
%doc %{_mandir}/man8/pam_timestamp_check.8.gz
%doc %{_mandir}/man8/pam_tty_audit.8.gz
%doc %{_mandir}/man8/pam_umask.8.gz
%doc %{_mandir}/man8/pam_unix.8.gz
%doc %{_mandir}/man8/pam_warn.8.gz
%doc %{_mandir}/man8/pam_wheel.8.gz
%doc %{_mandir}/man8/pam_xauth.8.gz
%doc %{_mandir}/man8/PAM.8.gz
%doc %{_mandir}/man8/mkhomedir_helper.8.gz
%doc %{_mandir}/man8/unix2_chkpwd.8.gz
%doc %{_mandir}/man8/unix_chkpwd.8.gz
%doc %{_mandir}/man8/unix_update.8.gz
/%{_lib}/libpam.so.0
/%{_lib}/libpam.so.%{libpam_so_version}
/%{_lib}/libpamc.so.0
/%{_lib}/libpamc.so.%{libpamc_so_version}
/%{_lib}/libpam_misc.so.0
/%{_lib}/libpam_misc.so.%{libpam_misc_so_version}
%dir /%{_lib}/security
/%{_lib}/security/pam_access.so
/%{_lib}/security/pam_cracklib.so
/%{_lib}/security/pam_debug.so
/%{_lib}/security/pam_deny.so
/%{_lib}/security/pam_echo.so
/%{_lib}/security/pam_env.so
/%{_lib}/security/pam_exec.so
/%{_lib}/security/pam_faildelay.so
/%{_lib}/security/pam_filter.so
%dir /%{_lib}/security/pam_filter
/%{_lib}/security//pam_filter/upperLOWER
/%{_lib}/security/pam_ftp.so
/%{_lib}/security/pam_group.so
/%{_lib}/security/pam_issue.so
/%{_lib}/security/pam_keyinit.so
/%{_lib}/security/pam_lastlog.so
/%{_lib}/security/pam_limits.so
/%{_lib}/security/pam_listfile.so
/%{_lib}/security/pam_localuser.so
/%{_lib}/security/pam_loginuid.so
/%{_lib}/security/pam_mail.so
/%{_lib}/security/pam_mkhomedir.so
/%{_lib}/security/pam_motd.so
/%{_lib}/security/pam_namespace.so
/%{_lib}/security/pam_nologin.so
/%{_lib}/security/pam_permit.so
/%{_lib}/security/pam_pwhistory.so
/%{_lib}/security/pam_rhosts.so
/%{_lib}/security/pam_rootok.so
/%{_lib}/security/pam_securetty.so
%if %{enable_selinux}
/%{_lib}/security/pam_selinux.so
/%{_lib}/security/pam_sepermit.so
%endif
/%{_lib}/security/pam_shells.so
/%{_lib}/security/pam_stress.so
/%{_lib}/security/pam_succeed_if.so
/%{_lib}/security/pam_tally2.so
/%{_lib}/security/pam_time.so
/%{_lib}/security/pam_timestamp.so
/%{_lib}/security/pam_tty_audit.so
/%{_lib}/security/pam_umask.so
/%{_lib}/security/pam_unix.so
/%{_lib}/security/pam_unix_acct.so
/%{_lib}/security/pam_unix_auth.so
/%{_lib}/security/pam_unix_passwd.so
/%{_lib}/security/pam_unix_session.so
/%{_lib}/security/pam_warn.so
/%{_lib}/security/pam_wheel.so
/%{_lib}/security/pam_xauth.so
/sbin/mkhomedir_helper
/sbin/pam_tally2
/sbin/pam_timestamp_check
%verify(not mode) %attr(4755,root,shadow) /sbin/unix_chkpwd
%verify(not mode) %attr(4755,root,shadow) /sbin/unix2_chkpwd
%attr(0700,root,root) /sbin/unix_update

%files extra
%defattr(-,root,root,755)
%attr(755,root,root) /%{_lib}/security/pam_userdb.so
%attr(644,root,root) %doc %{_mandir}/man8/pam_userdb.8.gz

%files doc
%defattr(644,root,root,755)
%dir %{_defaultdocdir}/pam
%doc %{_defaultdocdir}/pam/html
%doc %{_defaultdocdir}/pam/modules
%doc %{_defaultdocdir}/pam/pdf
%doc %{_defaultdocdir}/pam/*.txt

%files devel
%defattr(644,root,root,755)
%dir /usr/include/security
%doc %{_mandir}/man3/pam*
%doc %{_mandir}/man3/misc_conv.3*
%{_includedir}/security/*.h
%{_libdir}/libpam.so
%{_libdir}/libpamc.so
%{_libdir}/libpam_misc.so

%changelog

++++++ baselibs.conf ++++++
pam
pam-devel
pam-extra

++++++ common-account.pamd ++++++
#
# /etc/pam.d/common-account - account settings common to all services
#
# This file is included from other service-specific PAM config files,
# and should contain a list of the account modules that define
# the central access policy for use on the system. The default is to
# only deny service to users whose accounts are expired.
#
account	required	pam_unix.so	try_first_pass

++++++ common-auth.pamd ++++++
#
# /etc/pam.d/common-auth - authentication settings common to all services
#
# This file is included from other service-specific PAM config files,
# and should contain a list of the authentication modules that define
# the central authentication scheme for use on the system
# (e.g., /etc/shadow, LDAP, Kerberos, etc.). The default is to use the
# traditional Unix authentication mechanisms.
#
auth	required	pam_env.so
auth	required	pam_unix.so	try_first_pass

++++++ common-password.pamd ++++++
#
# /etc/pam.d/common-password - password-related modules common to all services
#
# This file is included from other service-specific PAM config files,
# and should contain a list of modules that define the services to be
# used to change user passwords.
#
# The "nullok" option allows users to change an empty password, else
# empty passwords are treated as locked accounts.
#
password	requisite	pam_cracklib.so
password	required	pam_unix.so	use_authtok nullok try_first_pass

++++++ common-session.pamd ++++++
#
# /etc/pam.d/common-session - session-related modules common to all services
#
# This file is included from other service-specific PAM config files,
# and should contain a list of modules that define tasks to be performed
# at the start and end of sessions of *any* kind (both interactive and
# non-interactive).
#
session	required	pam_limits.so
session	required	pam_unix.so	try_first_pass
session	optional	pam_umask.so
session	optional	pam_env.so
session	optional	pam_systemd.so

++++++ encryption_method_nis.diff ++++++
--- modules/pam_unix/pam_unix_passwd.c
+++ modules/pam_unix/pam_unix_passwd.c 2016/04/11 13:49:32
@@ -840,6 +840,29 @@ * rebuild the password database file. */ + + /* if it is a NIS account, check for special hash algo */ + if (on(UNIX_NIS, ctrl) && _unix_comesfromsource(pamh, user, 0, 1)) { + /* preset encryption method with value from /etc/login.defs */ + int j; + char *val = _unix_search_key ("ENCRYPT_METHOD_NIS", LOGIN_DEFS); + if (val) { + for (j = 0; j < UNIX_CTRLS_; ++j) { + if (unix_args[j].token && unix_args[j].is_hash_algo + && !strncasecmp(val, unix_args[j].token, strlen(unix_args[j].token))) { + break; + } + } + if (j >= UNIX_CTRLS_) { + pam_syslog(pamh, LOG_WARNING, "unrecognized ENCRYPT_METHOD_NIS value [%s]", val); + } else { + ctrl &= unix_args[j].mask; /* for turning things off */ + ctrl |= unix_args[j].flag; /* for turning things on */ + } + free (val); + } + } + /* * First we encrypt the new password. */ --- modules/pam_unix/support.c +++ modules/pam_unix/support.c 2016/04/11 13:49:32 @@ -31,8 +31,8 @@ #include "support.h" #include "passverify.h" -static char * -search_key (const char *key, const char *filename) +char * +_unix_search_key (const char *key, const char *filename) { FILE *fp; char *buf = NULL; @@ -153,7 +153,7 @@ } /* preset encryption method with value from /etc/login.defs */ - val = search_key ("ENCRYPT_METHOD", LOGIN_DEFS); + val = _unix_search_key ("ENCRYPT_METHOD", LOGIN_DEFS); if (val) { for (j = 0; j < UNIX_CTRLS_; ++j) { if (unix_args[j].token && unix_args[j].is_hash_algo @@ -171,7 +171,7 @@ /* read number of rounds for crypt algo */ if (rounds && (on(UNIX_SHA256_PASS, ctrl) || on(UNIX_SHA512_PASS, ctrl))) { - val=search_key ("SHA_CRYPT_MAX_ROUNDS", LOGIN_DEFS); + val=_unix_search_key ("SHA_CRYPT_MAX_ROUNDS", LOGIN_DEFS); if (val) { *rounds = strtol(val, NULL, 10); --- modules/pam_unix/support.h +++ modules/pam_unix/support.h 2016/04/11 13:49:32 
@@ -174,4 +174,5 @@ extern int _unix_run_verify_binary(pam_handle_t *pamh, unsigned int ctrl, const char *user, int *daysleft); +extern char *_unix_search_key(const char *key, const char *filename); #endif /* _PAM_UNIX_SUPPORT_H */ ++++++ etc.environment ++++++ # # This file is parsed by pam_env module # # Syntax: simple "KEY=VAL" pairs on seperate lines # ++++++ fix-man-links.dif ++++++ Index: Linux-PAM-1.1.8/doc/man/pam.8 =================================================================== --- Linux-PAM-1.1.8.orig/doc/man/pam.8 +++ Linux-PAM-1.1.8/doc/man/pam.8 @@ -1 +1 @@ -.so PAM.8 +.so man8/PAM.8 Index: Linux-PAM-1.1.8/doc/man/pam.d.5 =================================================================== --- Linux-PAM-1.1.8.orig/doc/man/pam.d.5 +++ Linux-PAM-1.1.8/doc/man/pam.d.5 @@ -1 +1 @@ -.so pam.conf.5 +.so man5/pam.conf.5 Index: Linux-PAM-1.1.8/doc/man/pam_get_authtok_noverify.3 =================================================================== --- Linux-PAM-1.1.8.orig/doc/man/pam_get_authtok_noverify.3 +++ Linux-PAM-1.1.8/doc/man/pam_get_authtok_noverify.3 @@ -1 +1 @@ -.so pam_get_authtok.3 +.so man3/pam_get_authtok.3 Index: Linux-PAM-1.1.8/doc/man/pam_get_authtok_verify.3 =================================================================== --- Linux-PAM-1.1.8.orig/doc/man/pam_get_authtok_verify.3 +++ Linux-PAM-1.1.8/doc/man/pam_get_authtok_verify.3 @@ -1 +1 @@ -.so pam_get_authtok.3 +.so man3/pam_get_authtok.3 Index: Linux-PAM-1.1.8/doc/man/pam_verror.3 =================================================================== --- Linux-PAM-1.1.8.orig/doc/man/pam_verror.3 +++ Linux-PAM-1.1.8/doc/man/pam_verror.3 @@ -1 +1 @@ -.so pam_error.3 +.so man3/pam_error.3 Index: Linux-PAM-1.1.8/doc/man/pam_vinfo.3 =================================================================== --- Linux-PAM-1.1.8.orig/doc/man/pam_vinfo.3 +++ Linux-PAM-1.1.8/doc/man/pam_vinfo.3 
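Review bot: the pam_unix_passwd.c hunk of encryption_method_nis.diff introduces a new /etc/login.defs key, ENCRYPT_METHOD_NIS, but the patch touches no documentation; the pam_unix(8) page or the package README should state that this key overrides ENCRYPT_METHOD for accounts that pam_unix determines come from NIS. A smaller point on the same hunk: the lookup loop matches with `strncasecmp(val, unix_args[j].token, strlen(unix_args[j].token))`, so a value that merely starts with a known token (a misspelled suffix, for instance) is accepted silently instead of reaching the "unrecognized ENCRYPT_METHOD_NIS value" warning; this mirrors the existing ENCRYPT_METHOD loop in support.c shown in the next hunk, so an exact-length comparison would be best applied to both places at once.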
@@ -1 +1 @@ -.so pam_info.3 +.so man3/pam_info.3 Index: Linux-PAM-1.1.8/doc/man/pam_vprompt.3 =================================================================== --- Linux-PAM-1.1.8.orig/doc/man/pam_vprompt.3 +++ Linux-PAM-1.1.8/doc/man/pam_vprompt.3 @@ -1 +1 @@ -.so pam_prompt.3 +.so man3/pam_prompt.3 Index: Linux-PAM-1.1.8/doc/man/pam_vsyslog.3 =================================================================== --- Linux-PAM-1.1.8.orig/doc/man/pam_vsyslog.3 +++ Linux-PAM-1.1.8/doc/man/pam_vsyslog.3 @@ -1 +1 @@ -.so pam_syslog.3 +.so man3/pam_syslog.3 ++++++ other.pamd ++++++ #%PAM-1.0 auth required pam_warn.so auth required pam_deny.so account required pam_warn.so account required pam_deny.so password required pam_warn.so password required pam_deny.so session required pam_warn.so session required pam_deny.so ++++++ pam-bsc1177858-dont-free-environment-string.patch ++++++ Index: Linux-PAM-1.3.0/modules/pam_xauth/pam_xauth.c =================================================================== --- Linux-PAM-1.3.0.orig/modules/pam_xauth/pam_xauth.c +++ Linux-PAM-1.3.0/modules/pam_xauth/pam_xauth.c @@ -697,8 +697,9 @@ pam_sm_open_session (pam_handle_t *pamh, pam_syslog(pamh, LOG_ERR, "can't set environment variable '%s'", xauthority); - putenv (xauthority); /* The environment owns this string now. */ - /* Don't free environment variables nor set them to NULL. */ + if (putenv (xauthority) == 0) /* The environment owns this string now. */ + xauthority = NULL; + /* Don't free environment variables. */ /* set $DISPLAY in pam handle to make su - work */ { 
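Review bot: fix-man-links.dif still carries Index:/---/+++ headers for Linux-PAM-1.1.8 although this package builds Linux-PAM-1.3.0. It applies because pam.spec uses `%patch0 -p1`, which strips the versioned first path component, but refreshing the headers against the 1.3.0 tree would spare the next updater the check of whether the patch really landed on the intended files.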
@@ -761,7 +762,8 @@ cleanup: unsetenv (XAUTHENV); free(cookiefile); free(cookie); - free(xauthority); + if (xauthority != NULL) /* If it hasn't been successfully passed to putenv() ... */ + free(xauthority); return retval; } ++++++ pam-bsc1178727-initialize-daysleft.patch ++++++ Index: Linux-PAM-1.3.0/modules/pam_unix/pam_unix_acct.c =================================================================== --- Linux-PAM-1.3.0.orig/modules/pam_unix/pam_unix_acct.c +++ Linux-PAM-1.3.0/modules/pam_unix/pam_unix_acct.c @@ -188,7 +188,7 @@ pam_sm_acct_mgmt(pam_handle_t *pamh, int unsigned int ctrl; const void *void_uname; const char *uname; - int retval, daysleft; + int retval, daysleft = -1; struct spwd *spent; struct passwd *pwent; char buf[256]; ++++++ pam-fix-config-order-in-manpage.patch ++++++ Index: Linux-PAM-1.3.0/modules/pam_umask/pam_umask.8.xml =================================================================== --- Linux-PAM-1.3.0.orig/modules/pam_umask/pam_umask.8.xml +++ Linux-PAM-1.3.0/modules/pam_umask/pam_umask.8.xml @@ -48,22 +48,22 @@ <itemizedlist> <listitem> <para> - umask= argument + umask= entry in the user's GECOS field </para> </listitem> <listitem> <para> - umask= entry in the user's GECOS field + umask= argument </para> </listitem> <listitem> <para> - UMASK= entry from /etc/default/login + UMASK= entry from /etc/login.defs </para> </listitem> <listitem> <para> - UMASK entry from /etc/login.defs + UMASK= entry from /etc/default/login </para> </listitem> </itemizedlist> Index: Linux-PAM-1.3.0/modules/pam_umask/pam_umask.8 =================================================================== --- Linux-PAM-1.3.0.orig/modules/pam_umask/pam_umask.8 +++ Linux-PAM-1.3.0/modules/pam_umask/pam_umask.8 @@ -46,7 +46,7 @@ The PAM module tries to get the umask va .sp -1 .IP \(bu 2.3 .\} -umask= argument +umask= entry in the user\*(Aqs GECOS field .RE .sp .RS 4 
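Review bot: in the first pam_xauth.c hunk of pam-bsc1177858-dont-free-environment-string.patch, clearing xauthority after a successful putenv() is the right ownership marker, but it keeps the cleanup path correct only if nothing between this point and the cleanup label still dereferences xauthority; the context shows the "set $DISPLAY in pam handle" block follows immediately and the hunk does not show its body, so please confirm it reads the value from the pam handle rather than from the now-NULL pointer. The comment "The environment owns this string now" now trails the if condition; it reads better on the assignment it explains, e.g. `xauthority = NULL; /* the environment owns the string now */`.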
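Review bot: the `if (xauthority != NULL)` guard in the cleanup hunk of pam-bsc1177858-dont-free-environment-string.patch is redundant, since free(NULL) is defined to do nothing; the comment explaining why the pointer may be NULL is the valuable part, so an unconditional free(xauthority) carrying that comment would be equivalent and shorter. No functional objection either way.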
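Review bot: pam-bsc1178727-initialize-daysleft.patch initialises daysleft to -1 so the variable is no longer read uninitialised, but the hunk shows only the declaration; the fix relies on the branch that prints "your password will expire in ... days" testing daysleft with a sign check (>= 0 or similar) rather than != 0, and on every success path having set it. The changelog says upstream fixed this in commit db6b293046a; naming that commit in the patch header would make the next rebase easier.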
@@ -57,7 +57,7 @@ umask= argument .sp -1 .IP \(bu 2.3 .\} -umask= entry in the user\*(Aqs GECOS field +umask= argument .RE .sp .RS 4 @@ -68,7 +68,7 @@ umask= entry in the user\*(Aqs GECOS fie .sp -1 .IP \(bu 2.3 .\} -UMASK= entry from /etc/default/login +UMASK= entry from /etc/login\&.defs .RE .sp .RS 4 @@ -79,7 +79,7 @@ UMASK= entry from /etc/default/login .sp -1 .IP \(bu 2.3 .\} -UMASK entry from /etc/login\&.defs +UMASK= entry from /etc/default/login .RE .PP The GECOS field is split on comma \*(Aq,\*(Aq characters\&. The module also in addition to the umask= entry recognizes pri= entry, which sets the nice priority value for the session, and ulimit= entry, which sets the maximum size of files the processes in the session can create\&. ++++++ pam-hostnames-in-access_conf.patch ++++++ Index: modules/pam_access/pam_access.c =================================================================== --- modules/pam_access/pam_access.c.orig +++ modules/pam_access/pam_access.c @@ -692,10 +692,10 @@ string_match (pam_handle_t *pamh, const return (NO); } - /* network_netmask_match - match a string against one token * where string is a hostname or ip (v4,v6) address and tok - * represents either a single ip (v4,v6) address or a network/netmask + * represents either a hostname, a single ip (v4,v6) address + * or a network/netmask */ static int network_netmask_match (pam_handle_t *pamh, @@ -704,10 +704,14 @@ network_netmask_match (pam_handle_t *pam char *netmask_ptr; char netmask_string[MAXHOSTNAMELEN + 1]; int addr_type; + struct addrinfo *ai; + struct sockaddr_storage tok_addr; + struct addrinfo hint; if (item->debug) - pam_syslog (pamh, LOG_DEBUG, + pam_syslog (pamh, LOG_DEBUG, "network_netmask_match: tok=%s, item=%s", tok, string); + /* OK, check if tok is of type addr/mask */ if ((netmask_ptr = strchr(tok, '/')) != NULL) { 
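Review bot: pam-fix-config-order-in-manpage.patch edits pam_umask.8.xml and the pre-rendered pam_umask.8 in lock-step, which is required because the build installs the shipped roff page rather than regenerating it from the XML; both must stay in sync if either is touched again. One detail in the XML hunk: the last item changes from "UMASK entry from /etc/login.defs" to "UMASK= entry from /etc/default/login", so the "=" is corrected as part of the reorder; the changelog for bsc#1089884 mentions only the order, and a word in the patch header about the "=" would save a reviewer from wondering whether it is a stray edit.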
@@ -717,7 +721,7 @@ network_netmask_match (pam_handle_t *pam *netmask_ptr = 0; netmask_ptr++; - if (isipaddr(tok, &addr_type, NULL) == NO) + if (isipaddr(tok, &addr_type, &tok_addr) == NO) { /* no netaddr */ return NO; } @@ -739,19 +743,47 @@ network_netmask_match (pam_handle_t *pam netmask_ptr = number_to_netmask(netmask, addr_type, netmask_string, MAXHOSTNAMELEN); } - } + + /* + * Although isipaddr() has already converted the IP address, + * we call getaddrinfo here to properly construct an addrinfo list + */ + memset (&hint, '\0', sizeof (hint)); + hint.ai_flags = 0; + hint.ai_family = AF_UNSPEC; + + ai = NULL; /* just to be on the safe side */ + + /* The following should not fail ... */ + if (getaddrinfo (tok, NULL, &hint, &ai) != 0) + { + return NO; + } + } else - /* NO, then check if it is only an addr */ - if (isipaddr(tok, NULL, NULL) != YES) + { + /* + * It is either an IP address or a hostname. + * Let getaddrinfo sort everything out + */ + memset (&hint, '\0', sizeof (hint)); + hint.ai_flags = 0; + hint.ai_family = AF_UNSPEC; + + ai = NULL; /* just to be on the safe side */ + + if (getaddrinfo (string, NULL, &hint, &ai) != 0) { + pam_syslog(pamh, LOG_ERR, "cannot resolve hostname \"%s\"", string); + return NO; } + netmask_ptr = NULL; + } if (isipaddr(string, NULL, NULL) != YES) { /* Assume network/netmask with a name of a host. */ - struct addrinfo hint; - memset (&hint, '\0', sizeof (hint)); hint.ai_flags = AI_CANONNAME; hint.ai_family = AF_UNSPEC; 
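Review bot: `tok_addr` is now filled by `isipaddr(tok, &addr_type, &tok_addr)` but is never read in any of the visible hunks; if nothing else uses it, keep the `NULL` argument and drop the `struct sockaddr_storage tok_addr;` declaration rather than carrying an unused buffer.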
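Review bot: in the `else` branch of the `@@ -739` hunk, `getaddrinfo (string, NULL, &hint, &ai)` resolves the remote host being checked (`string`) instead of the access.conf entry (`tok`), and the error message names `string` as well. `ai` then holds the client's own addresses, and the comparison that follows in the `@@ -764` hunk is against `item->res`, the client's addresses again, so a resolvable client would match a hostname entry whatever the entry says. It should be `getaddrinfo (tok, ...)` with `tok` in the message; the `use-correct-IP-address.patch` at the end of this log makes that correction, which suggests the two patches belong together, with a regression test using a hostname entry that must not match. Smaller point: the hunk deletes the `struct addrinfo hint; memset (&hint, ...)` in front of `hint.ai_flags = AI_CANONNAME`, relying on the memset done in whichever branch ran above; re-initialising `hint` there is cheap and keeps the block self-contained.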
@@ -764,27 +796,52 @@ network_netmask_match (pam_handle_t *pam else { struct addrinfo *runp = item->res; + struct addrinfo *runp1; while (runp != NULL) { char buf[INET6_ADDRSTRLEN]; - inet_ntop (runp->ai_family, - runp->ai_family == AF_INET - ? (void *) &((struct sockaddr_in *) runp->ai_addr)->sin_addr - : (void *) &((struct sockaddr_in6 *) runp->ai_addr)->sin6_addr, - buf, sizeof (buf)); + (void) getnameinfo (runp->ai_addr, runp->ai_addrlen, buf, sizeof (buf), NULL, 0, NI_NUMERICHOST); - if (are_addresses_equal(buf, tok, netmask_ptr)) + for (runp1 = ai; runp1 != NULL; runp1 = runp1->ai_next) { - return YES; + char buf1[INET6_ADDRSTRLEN]; + + if (runp->ai_family != runp1->ai_family) + continue; + + (void) getnameinfo (runp1->ai_addr, runp1->ai_addrlen, buf1, sizeof (buf1), NULL, 0, NI_NUMERICHOST); + + if (are_addresses_equal (buf, buf1, netmask_ptr)) + { + freeaddrinfo(ai); + return YES; + } } runp = runp->ai_next; } } } else - return (are_addresses_equal(string, tok, netmask_ptr)); + { + struct addrinfo *runp1; + + for (runp1 = ai; runp1 != NULL; runp1 = runp1->ai_next) + { + char buf1[INET6_ADDRSTRLEN]; + + (void) getnameinfo (runp1->ai_addr, runp1->ai_addrlen, buf1, sizeof (buf1), NULL, 0, NI_NUMERICHOST); + + if (are_addresses_equal(string, buf1, netmask_ptr)) + { + freeaddrinfo(ai); + return YES; + } + } + } + + freeaddrinfo(ai); return NO; } ++++++ pam-xauth_ownership.patch ++++++ Index: Linux-PAM-1.4.0/modules/pam_xauth/pam_xauth.c =================================================================== --- Linux-PAM-1.4.0.orig/modules/pam_xauth/pam_xauth.c +++ Linux-PAM-1.4.0/modules/pam_xauth/pam_xauth.c 
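Review bot: both new loops discard the result of `getnameinfo()` with `(void)`; when it fails, `buf` or `buf1` is left uninitialised and is still handed to `are_addresses_equal()`. Test the return value and skip the entry on failure, e.g. `if (getnameinfo (runp1->ai_addr, runp1->ai_addrlen, buf1, sizeof (buf1), NULL, 0, NI_NUMERICHOST) != 0) continue;`. The `freeaddrinfo(ai)` placement is right for every return shown here; the `return NO` paths between the `@@ -739` and `@@ -764` hunks (outside this diff) need the same treatment, since `ai` is already allocated by then.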
@@ -355,11 +355,13 @@ pam_sm_open_session (pam_handle_t *pamh, char *cookiefile = NULL, *xauthority = NULL, *cookie = NULL, *display = NULL, *tmp = NULL, *xauthlocalhostname = NULL; - const char *user, *xauth = NULL; + const char *user, *xauth = NULL, *login_name; struct passwd *tpwd, *rpwd; int fd, i, debug = 0; int retval = PAM_SUCCESS; - uid_t systemuser = 499, targetuser = 0; + uid_t systemuser = 499, targetuser = 0, uid; + gid_t gid; + struct stat st; /* Parse arguments. We don't understand many, so no sense in breaking * this into a separate function. */ @@ -429,7 +431,16 @@ pam_sm_open_session (pam_handle_t *pamh, retval = PAM_SESSION_ERR; goto cleanup; } - rpwd = pam_modutil_getpwuid(pamh, getuid()); + + login_name = pam_modutil_getlogin(pamh); + if (login_name == NULL) { + login_name = ""; + } + if (*login_name) + rpwd = pam_modutil_getpwnam(pamh, login_name); + else + rpwd = pam_modutil_getpwuid(pamh, getuid()); + if (rpwd == NULL) { pam_syslog(pamh, LOG_ERR, "error determining invoking user's name"); 
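Review bot: choosing `rpwd` from the utmp login name changes which account is treated as the invoking user: if `pam_modutil_getlogin()` returns a name whose entry does not belong to `getuid()` (a stale or foreign utmp record for the tty), the rest of `pam_sm_open_session()` acts on a different user than the process runs as, and if `pam_modutil_getpwnam()` returns NULL for that name the code now fails with "error determining invoking user's name" instead of falling back to the uid lookup. Consider falling back to `pam_modutil_getpwuid(pamh, getuid())` when the name lookup fails or when `rpwd->pw_uid != getuid()`, with a debug log of the mismatch.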
@@ -518,18 +529,26 @@ pam_sm_open_session (pam_handle_t *pamh, cookiefile); } + /* Get owner and group of the cookiefile */ + uid = getuid(); + gid = getgid(); + if (stat(cookiefile, &st) == 0) { + uid = st.st_uid; + gid = st.st_gid; + } + /* Read the user's .Xauthority file. Because the current UID is * the original user's UID, this will only fail if something has * gone wrong, or we have no cookies. */ if (debug) { pam_syslog(pamh, LOG_DEBUG, - "running \"%s %s %s %s %s\" as %lu/%lu", - xauth, "-f", cookiefile, "nlist", display, - (unsigned long) getuid(), (unsigned long) getgid()); + "running \"%s %s %s %s %s %s\" as %lu/%lu", + xauth, "-i", "-f", cookiefile, "nlist", display, + (unsigned long) uid, (unsigned long) gid); } if (run_coprocess(pamh, NULL, &cookie, - getuid(), getgid(), - xauth, "-f", cookiefile, "nlist", display, + uid, gid, + xauth, "-i", "-f", cookiefile, "nlist", display, NULL) == 0) { #ifdef WITH_SELINUX security_context_t context = NULL; @@ -583,12 +602,12 @@ pam_sm_open_session (pam_handle_t *pamh, cookiefile, "nlist", t, - (unsigned long) getuid(), - (unsigned long) getgid()); + (unsigned long) uid, + (unsigned long) gid); } run_coprocess(pamh, NULL, &cookie, - getuid(), getgid(), - xauth, "-f", cookiefile, + uid, gid, + xauth, "-i", "-f", cookiefile, "nlist", t, NULL); } free(t); 
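Review bot: the uid/gid that `run_coprocess()` now uses come from `stat(cookiefile, &st)` with no check that the owner is the invoking user. `stat()` follows symbolic links, and `cookiefile` is the invoking user's .Xauthority (per the comment in the hunk), so if it resolves to a file owned by another account xauth would be run as that account. Use `lstat()` (or `open()` plus `fstat()` on the descriptor that is later handed to xauth) and only adopt `st.st_uid`/`st.st_gid` when `st.st_uid == rpwd->pw_uid` (or `getuid()`), otherwise keep the `getuid()/getgid()` default. The newly added `-i` (ignore xauth's lock files) also deserves a comment explaining why it is needed, so it is not mistaken for an unrelated change.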
@@ -673,13 +692,17 @@ pam_sm_open_session (pam_handle_t *pamh, goto cleanup; } + if (debug) { + pam_syslog(pamh, LOG_DEBUG, "set environment variable '%s'", + xauthority); + } /* Set the new variable in the environment. */ if (pam_putenv (pamh, xauthority) != PAM_SUCCESS) pam_syslog(pamh, LOG_ERR, "can't set environment variable '%s'", xauthority); putenv (xauthority); /* The environment owns this string now. */ - xauthority = NULL; /* Don't free environment variables. */ + /* Don't free environment variables nor set them to NULL. */ /* set $DISPLAY in pam handle to make su - work */ {
++++++ securetty ++++++
#
# This file contains the device names of tty lines (one per line,
# without leading /dev/) on which root is allowed to login.
#
tty1
tty2
tty3
tty4
tty5
tty6
++++++ unix2_chkpwd.8 ++++++
.\" Copyright (C) 2003 International Business Machines Corporation
.\" This file is distributed according to the GNU General Public License.
.\" See the file COPYING in the top level source directory for details.
.\"
.de Sh \" Subsection
.br
.if t .Sp
.ne 5
.PP
\fB\\$1\fR
.PP
..
.de Sp \" Vertical space (when we can't use .PP)
.if t .sp .5v
.if n .sp
..
.de Ip \" List item
.br
.ie \\n(.$>=3 .ne \\$3
.el .ne 3
.IP "\\$1" \\$2
..
.TH "UNIX2_CHKPWD" 8 "2003-03-21" "Linux-PAM 0.76" "Linux-PAM Manual"
.SH NAME
unix2_chkpwd \- helper binary that verifies the password of the current user
.SH "SYNOPSIS"
.ad l
.hy 0
/sbin/unix2_chkpwd \fIservicename\fR \fIusername\fR
.sp
.ad
.hy
.SH "DESCRIPTION"
.PP
\fBunix2_chkpwd\fR is a helper program for applications that verifies the
password of the current user. It is not intended to be run directly from the
command line and logs a security violation if done so. It is typically
installed setuid root or setgid shadow and called by applications which only
wish to do a user authentication and nothing more.
.SH "OPTIONS"
.PP
unix2_chkpwd requires the following arguments:
.TP
\fIpam_service\fR
The name of the service using unix2_chkpwd.
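Review bot: dropping `xauthority = NULL;` after `putenv (xauthority)` leaves the pointer live into the `cleanup:` label, where `free(xauthority)` runs (the cleanup hunk at the top of this log), so the very string the environment now owns gets freed; the replacement comment says not to free it, but the code no longer prevents it. Keep clearing the pointer on success, `if (putenv (xauthority) == 0) xauthority = NULL;`, and free it only when `putenv()` failed.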
This is required to be one of the services in /etc/pam.d
.TP
\fIusername\fR
The name of the user whose password you want to verify.
.SH "INPUTS"
.PP
unix2_chkpwd expects the password via stdin.
.SH "RETURN CODES"
.PP
\fBunix2_chkpwd\fR has the following return codes:
.TP
1
unix2_chkpwd was inappropriately called from the command line or the password is incorrect.
.TP
0
The password is correct.
.SH "HISTORY"
Written by Olaf Kirch loosely based on unix_chkpwd by Andrew Morgan
.SH "SEE ALSO"
.PP
\fBpam\fR(8)
.SH AUTHOR
Emily Ratliff.
++++++ unix2_chkpwd.c ++++++
/*
 * Set*id helper program for PAM authentication.
 *
 * It is supposed to be called from pam_unix2's
 * pam_sm_authenticate function if the function notices
 * that it's unable to get the password from the shadow file
 * because it doesn't have sufficient permissions.
 *
 * Copyright (C) 2002 SuSE Linux AG
 *
 * Written by [email protected], loosely based on unix_chkpwd
 * by Andrew Morgan.
 */

#include <security/pam_appl.h>
#include <security/_pam_macros.h>

#include <sys/types.h>
#include <stdarg.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <syslog.h>
#include <unistd.h>
#include <pwd.h>
#include <signal.h>
#include <fcntl.h>
#include <ctype.h>
#include <errno.h>

#define BUFLEN 1024

#ifndef LOGINDEFS
#define LOGINDEFS "/etc/login.defs"
#endif
#define LOGINDEFS_FAIL_DELAY_KEY "FAIL_DELAY"
#define DEFAULT_FAIL_DELAY_S 10
#define PASSWD_CRACKER_DELAY_MS 100

enum {
	UNIX_PASSED = 0,
	UNIX_FAILED = 1
};

/* Set once in main(); used by _log_err() as the syslog identifier. */
static const char *program_name;
/* The password read from stdin, fetched once and reused for every prompt. */
static char pass[64];
static int npass = -1;

/*
 * Log error messages
 */
static void
_log_err(int err, const char *format, ...)
{
	va_list args;

	va_start(args, format);
	openlog(program_name, LOG_CONS | LOG_PID, LOG_AUTH);
	vsyslog(err, format, args);
	va_end(args);
	closelog();
}

static void
su_sighandler(int sig)
{
	if (sig > 0) {
		_log_err(LOG_NOTICE, "caught signal %d.", sig);
		exit(sig);
	}
}

/*
 * Setup signal handlers
 */
static void
setup_signals(void)
{
	struct sigaction action;

	memset((void *) &action, 0, sizeof(action));
	action.sa_handler = su_sighandler;
	action.sa_flags = SA_RESETHAND;
	sigaction(SIGILL, &action, NULL);
	sigaction(SIGTRAP, &action, NULL);
	sigaction(SIGBUS, &action, NULL);
	sigaction(SIGSEGV, &action, NULL);
	action.sa_handler = SIG_IGN;
	action.sa_flags = 0;
	sigaction(SIGTERM, &action, NULL);
	sigaction(SIGHUP, &action, NULL);
	sigaction(SIGINT, &action, NULL);
	sigaction(SIGQUIT, &action, NULL);
	sigaction(SIGALRM, &action, NULL);
}

/*
 * Release a partially built reply array (added: the original leaked
 * it on every error return from _converse()).
 */
static void
free_responses(struct pam_response *reply, int n)
{
	int i;

	for (i = 0; i < n; i++)
		free(reply[i].resp);
	free(reply);
}

static int
_converse(int num_msg, const struct pam_message **msg,
	  struct pam_response **resp, void *appdata_ptr)
{
	struct pam_response *reply;
	int num;

	(void) appdata_ptr;

	if (!(reply = malloc(sizeof(*reply) * num_msg)))
		return PAM_CONV_ERR;

	for (num = 0; num < num_msg; num++) {
		reply[num].resp_retcode = PAM_SUCCESS;
		reply[num].resp = NULL;
		switch (msg[num]->msg_style) {
		case PAM_PROMPT_ECHO_ON:
			/* visible prompts are never answered by this helper */
			free_responses(reply, num + 1);
			return PAM_CONV_ERR;
		case PAM_PROMPT_ECHO_OFF:
			/* read the password from stdin */
			if (npass < 0) {
				npass = read(STDIN_FILENO, pass, sizeof(pass)-1);
				if (npass < 0) {
					_log_err(LOG_DEBUG, "error reading password");
					/* was "return UNIX_FAILED": a conversation
					 * function must return a PAM error code */
					free_responses(reply, num + 1);
					return PAM_CONV_ERR;
				}
				pass[npass] = '\0';
			}
			reply[num].resp = strdup(pass);
			break;
		case PAM_TEXT_INFO:
		case PAM_ERROR_MSG:
			/* ignored */
			break;
		default:
			/* Must be an error of some sort... */
			free_responses(reply, num + 1);
			return PAM_CONV_ERR;
		}
	}
	*resp = reply;
	return PAM_SUCCESS;
}

static int
_authenticate(const char *service, const char *user)
{
	struct pam_conv conv = { _converse, NULL };
	pam_handle_t *pamh;
	int err;

	err = pam_start(service, user, &conv, &pamh);
	if (err != PAM_SUCCESS) {
		_log_err(LOG_ERR, "pam_start(%s, %s) failed (errno %d)",
			 service, user, err);
		return UNIX_FAILED;
	}

	err = pam_authenticate(pamh, 0);
	if (err != PAM_SUCCESS)
		_log_err(LOG_ERR, "pam_authenticate(%s, %s): %s",
			 service, user, pam_strerror(pamh, err));

	if (err == PAM_SUCCESS) {
		err = pam_acct_mgmt(pamh, 0);
		if (err == PAM_SUCCESS) {
			int err2 = pam_setcred(pamh, PAM_REFRESH_CRED);
			if (err2 != PAM_SUCCESS)
				_log_err(LOG_ERR, "pam_setcred(%s, %s): %s",
					 service, user, pam_strerror(pamh, err2));
			/*
			 * ignore errors on refresh credentials.
			 * If this did not work we use the old ones.
			 */
		} else {
			_log_err(LOG_ERR, "pam_acct_mgmt(%s, %s): %s",
				 service, user, pam_strerror(pamh, err));
		}
	}

	pam_end(pamh, err);
	if (err != PAM_SUCCESS)
		return UNIX_FAILED;
	return UNIX_PASSED;
}

static char *
getuidname(uid_t uid)
{
	struct passwd *pw;
	static char username[32];

	pw = getpwuid(uid);
	if (pw == NULL)
		return NULL;

	strncpy(username, pw->pw_name, sizeof(username));
	username[sizeof(username) - 1] = '\0';

	endpwent();
	return username;
}

/*
 * Only short names made of [A-Za-z0-9_-] that exist under /etc/pam.d
 * are accepted, so the service argument can never escape that directory.
 */
static int
sane_pam_service(const char *name)
{
	const char *sp;
	char path[128];

	if (strlen(name) > 32)
		return 0;
	for (sp = name; *sp; sp++) {
		if (!isalnum((unsigned char) *sp) && *sp != '_' && *sp != '-')
			return 0;
	}
	snprintf(path, sizeof(path), "/etc/pam.d/%s", name);
	return access(path, R_OK) == 0;
}

static int
get_system_fail_delay (void)
{
	FILE *fs;
	char buf[BUFLEN];
	long int delay = -1;
	char *s;
	int l;

	fs = fopen(LOGINDEFS, "r");
	if (NULL == fs) {
		goto bail_out;
	}

	while ((NULL != fgets(buf, BUFLEN, fs)) && (-1 == delay)) {
		if (!strstr(buf, LOGINDEFS_FAIL_DELAY_KEY)) {
			continue;
		}
		s = buf + strspn(buf, " \t");
		l = strcspn(s, " \t");
		/* the token must be exactly the key; the original strncmp()
		 * also accepted any shorter prefix of it */
		if (l != (int) strlen(LOGINDEFS_FAIL_DELAY_KEY) ||
		    strncmp(LOGINDEFS_FAIL_DELAY_KEY, s, l)) {
			continue;
		}
		s += l;
		s += strspn(s, " \t");
		errno = 0;
		delay = strtol(s, NULL, 10);
		if (errno) {
			delay = -1;
		}
		break;
	}

	fclose (fs);
bail_out:
	delay = (delay < 0) ? DEFAULT_FAIL_DELAY_S : delay;
	return (int)delay;
}

int
main(int argc, char *argv[])
{
	char *service, *user;
	int fd;
	int result = UNIX_FAILED;
	uid_t uid;

	uid = getuid();

	/*
	 * Make sure standard file descriptors are connected.
	 * (check added: if open() fails the original loops forever on -1)
	 */
	while ((fd = open("/dev/null", O_RDWR)) >= 0 && fd <= 2)
		;
	if (fd < 0)
		return UNIX_FAILED;
	close(fd);

	/*
	 * Get the program name. It goes into the file-scope variable so that
	 * _log_err() can use it; the original declared a second, local
	 * program_name here that shadowed it and left the static one NULL.
	 */
	if (argc == 0)
		program_name = "unix2_chkpwd";
	else if ((program_name = strrchr(argv[0], '/')) != NULL)
		program_name++;
	else
		program_name = argv[0];

	/*
	 * Catch or ignore as many signals as possible.
	 */
	setup_signals();

	/*
	 * Check argument list
	 */
	if (argc < 2 || argc > 3) {
		_log_err(LOG_NOTICE, "Bad number of arguments (%d)", argc);
		return UNIX_FAILED;
	}

	/*
	 * Get the service name and do some sanity checks on it
	 */
	service = argv[1];
	if (!sane_pam_service(service)) {
		_log_err(LOG_ERR, "Illegal service name '%s'", service);
		return UNIX_FAILED;
	}

	/*
	 * Discourage users messing around (fat chance)
	 */
	if (isatty(STDIN_FILENO) && uid != 0) {
		_log_err(LOG_NOTICE,
			 "Inappropriate use of Unix helper binary [UID=%lu]",
			 (unsigned long) uid);
		fprintf(stderr,
			"This binary is not designed for running in this way\n"
			"-- the system administrator has been informed\n");
		sleep(10);	/* this should discourage/annoy the user */
		return UNIX_FAILED;
	}

	/*
	 * determine the caller's user name
	 */
	user = getuidname(uid);
	if (user == NULL) {
		/* check added: getuidname() returns NULL for an unknown uid,
		 * and the strcmp() below would dereference it */
		_log_err(LOG_ERR, "cannot determine user name for uid %lu",
			 (unsigned long) uid);
		return UNIX_FAILED;
	}
	if (argc == 3 && strcmp(user, argv[2])) {
		user = argv[2];
	}

	result = _authenticate(service, user);

	/* Discourage use of this program as a
	 * password cracker */
	usleep(PASSWD_CRACKER_DELAY_MS * 1000);
	if (result != UNIX_PASSED && uid != 0)
		sleep(get_system_fail_delay());

	return result;
}
++++++ use-correct-IP-address.patch ++++++ Index: Linux-PAM-1.3.0/modules/pam_access/pam_access.c =================================================================== --- Linux-PAM-1.3.0.orig/modules/pam_access/pam_access.c +++ 
Linux-PAM-1.3.0/modules/pam_access/pam_access.c @@ -728,7 +728,7 @@ network_netmask_match (pam_handle_t *pam /* check netmask */ if (isipaddr(netmask_ptr, NULL, NULL) == NO) - { /* netmask as integre value */ + { /* netmask as integer value */ char *endptr = NULL; netmask = strtol(netmask_ptr, &endptr, 0); if ((endptr == NULL) || (*endptr != '\0')) @@ -772,9 +772,9 @@ network_netmask_match (pam_handle_t *pam ai = NULL; /* just to be on the safe side */ - if (getaddrinfo (string, NULL, &hint, &ai) != 0) + if (getaddrinfo (tok, NULL, &hint, &ai) != 0) { - pam_syslog(pamh, LOG_ERR, "cannot resolve hostname \"%s\"", string); + pam_syslog(pamh, LOG_ERR, "cannot resolve hostname \"%s\"", tok); return NO; }
_______________________________________________
openSUSE Commits mailing list -- [email protected]
To unsubscribe, email [email protected]
List Netiquette: https://en.opensuse.org/openSUSE:Mailing_list_netiquette
List Archives: https://lists.opensuse.org/archives/list/[email protected]
