Script 'mail_helper' called by obssrc
Hello community,
here is the log from the commit of package pam for openSUSE:Factory checked in
at 2021-04-14 10:09:27
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/pam (Old)
and /work/SRC/openSUSE:Factory/.pam.new.2401 (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "pam"
Wed Apr 14 10:09:27 2021 rev:111 rq:883611 version:1.5.1
Changes:
--------
--- /work/SRC/openSUSE:Factory/pam/pam.changes 2021-02-22 14:22:44.175571460
+0100
+++ /work/SRC/openSUSE:Factory/.pam.new.2401/pam.changes 2021-04-14
10:09:29.401342832 +0200
@@ -1,0 +2,20 @@
+Wed Apr 7 12:20:40 UTC 2021 - Josef M??llers <josef.moell...@suse.com>
+
+- If "LOCAL" is configured in access.conf, and a login attempt from
+ a remote host is made, pam_access tries to resolve "LOCAL" as
+ a hostname and logs a failure.
+ Checking explicitly for "LOCAL" and rejecting access in this case
+ resolves this issue.
+ [bsc#1184358, bsc1184358-prevent-LOCAL-from-being-resolved.patch]
+
+-------------------------------------------------------------------
+Wed Mar 31 11:43:17 UTC 2021 - Josef M??llers <josef.moell...@suse.com>
+
+- pam_limits: "unlimited" is not a legitimate value for "nofile"
+ (see setrlimit(2)). So, when "nofile" is set to one of the
+ "unlimited" values, it is set to the contents of
+ "/proc/sys/fs/nr_open" instead.
+ Also changed the manpage of pam_limits to express this.
+ [bsc#1181443, pam-bsc1181443-make-nofile-unlimited-mean-nr_open.patch]
+
+-------------------------------------------------------------------
New:
----
bsc1184358-prevent-LOCAL-from-being-resolved.patch
pam-bsc1181443-make-nofile-unlimited-mean-nr_open.patch
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Other differences:
------------------
++++++ pam.spec ++++++
--- /var/tmp/diff_new_pack.K3P9nM/_old 2021-04-14 10:09:30.045343918 +0200
+++ /var/tmp/diff_new_pack.K3P9nM/_new 2021-04-14 10:09:30.049343924 +0200
@@ -65,6 +65,8 @@
Patch7: pam_tally2-removal.patch
Patch8: pam-bsc1177858-dont-free-environment-string.patch
Patch9: pam-pam_cracklib-add-usersubstr.patch
+Patch10: pam-bsc1181443-make-nofile-unlimited-mean-nr_open.patch
+Patch11: bsc1184358-prevent-LOCAL-from-being-resolved.patch
BuildRequires: audit-devel
BuildRequires: bison
BuildRequires: cracklib-devel
@@ -176,6 +178,8 @@
%patch7 -R -p1
%patch8 -p1
%patch9 -p1
+%patch10 -p1
+%patch11 -p1
%if 0%{?usrmerged}
%patch99 -p1
%endif
++++++ bsc1184358-prevent-LOCAL-from-being-resolved.patch ++++++
>From c4dbba499f335ad88536244254d2d444b8e1c17c Mon Sep 17 00:00:00 2001
From: Tomas Mraz <tm...@fedoraproject.org>
Date: Tue, 6 Apr 2021 12:27:38 +0200
Subject: [PATCH] pam_access: clean up the remote host matching code
* modules/pam_access/pam_access.c (from_match): Split out remote_match()
function and avoid calling it when matching against LOCAL keyword.
There is also no point in doing domain match against TTY or SERVICE.
---
modules/pam_access/pam_access.c | 42 +++++++++++++++++++++------------
1 file changed, 27 insertions(+), 15 deletions(-)
diff --git a/modules/pam_access/pam_access.c b/modules/pam_access/pam_access.c
index 98848c54..b493c7bd 100644
--- a/modules/pam_access/pam_access.c
+++ b/modules/pam_access/pam_access.c
@@ -160,6 +160,7 @@ static int list_match (pam_handle_t *, char *, char *,
struct login_info *,
static int user_match (pam_handle_t *, char *, struct login_info *);
static int group_match (pam_handle_t *, const char *, const char *, int);
static int from_match (pam_handle_t *, char *, struct login_info *);
+static int remote_match (pam_handle_t *, char *, struct login_info *);
static int string_match (pam_handle_t *, const char *, const char *, int);
static int network_netmask_match (pam_handle_t *, const char *, const char *,
struct login_info *);
@@ -589,11 +590,9 @@ group_match (pam_handle_t *pamh, const char *tok, const
char* usr,
/* from_match - match a host or tty against a list of tokens */
static int
-from_match (pam_handle_t *pamh UNUSED, char *tok, struct login_info *item)
+from_match (pam_handle_t *pamh, char *tok, struct login_info *item)
{
const char *string = item->from;
- int tok_len;
- int str_len;
int rv;
if (item->debug)
@@ -616,13 +615,28 @@ from_match (pam_handle_t *pamh UNUSED, char *tok, struct
login_info *item)
} else if ((rv = string_match(pamh, tok, string, item->debug)) != NO) {
/* ALL or exact match */
return rv;
- } else if (tok[0] == '.') { /* domain: match last
fields */
- if ((str_len = strlen(string)) > (tok_len = strlen(tok))
- && strcasecmp(tok, string + str_len - tok_len) == 0)
- return (YES);
- } else if (item->from_remote_host == 0) { /* local: no PAM_RHOSTS */
- if (strcasecmp(tok, "LOCAL") == 0)
- return (YES);
+ } else if (strcasecmp(tok, "LOCAL") == 0) {
+ /* LOCAL matches only local accesses */
+ if (!item->from_remote_host)
+ return YES;
+ return NO;
+ } else if (item->from_remote_host) {
+ return remote_match(pamh, tok, item);
+ }
+ return NO;
+}
+
+static int
+remote_match (pam_handle_t *pamh, char *tok, struct login_info *item)
+{
+ const char *string = item->from;
+ size_t tok_len = strlen(tok);
+ size_t str_len;
+
+ if (tok[0] == '.') { /* domain: match last fields */
+ if ((str_len = strlen(string)) > tok_len
+ && strcasecmp(tok, string + str_len - tok_len) == 0)
+ return YES;
} else if (tok[(tok_len = strlen(tok)) - 1] == '.') {
struct addrinfo hint;
@@ -661,13 +675,11 @@ from_match (pam_handle_t *pamh UNUSED, char *tok, struct
login_info *item)
runp = runp->ai_next;
}
}
- } else {
- /* Assume network/netmask with a IP of a host. */
- if (network_netmask_match(pamh, tok, string, item))
- return YES;
+ return NO;
}
- return NO;
+ /* Assume network/netmask with an IP of a host. */
+ return network_netmask_match(pamh, tok, string, item);
}
/* string_match - match a string against one token */
++++++ pam-bsc1181443-make-nofile-unlimited-mean-nr_open.patch ++++++
++++ 755 lines (skipped)
