Hello community,

here is the log from the commit of package pam for openSUSE:Factory checked in 
at 2021-09-20 23:31:43
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/pam (Old)
 and      /work/SRC/openSUSE:Factory/.pam.new.1899 (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Package is "pam"

Mon Sep 20 23:31:43 2021 rev:116 rq:919240 version:1.5.2

Changes:
--------
--- /work/SRC/openSUSE:Factory/pam/pam.changes  2021-08-18 08:55:16.723017132 
+0200
+++ /work/SRC/openSUSE:Factory/.pam.new.1899/pam.changes        2021-09-20 
23:31:45.503070189 +0200
@@ -1,0 +2,52 @@
+Wed Sep 15 13:34:52 UTC 2021 - Thorsten Kukuk <ku...@suse.com>
+
+- Rename motd.tmpfiles to pam.tmpfiles
+  - Add /run/faillock directory
+
+-------------------------------------------------------------------
+Fri Sep 10 10:08:28 UTC 2021 - Thorsten Kukuk <ku...@suse.com>
+
+- pam-login_defs-check.sh: adjust for new login.defs variable usages
+
+-------------------------------------------------------------------
+Mon Sep  6 11:51:30 UTC 2021 - Josef M??llers <josef.moell...@suse.com>
+
+- Update to 1.5.2
+  Noteworthy changes in Linux-PAM 1.5.2:
+
+  * pam_exec: implemented quiet_log option.
+  * pam_mkhomedir: added support of HOME_MODE and UMASK from
+    /etc/login.defs.
+  * pam_timestamp: changed hmac algorithm to call openssl instead
+    of the bundled sha1 implementation if selected, added option
+    to select the hash algorithm to use with HMAC.
+  * Added pkgconfig files for provided libraries.
+  * Added --with-systemdunitdir configure option to specify systemd
+    unit directory.
+  * Added --with-misc-conv-bufsize configure option to specify the
+    buffer size in libpam_misc's misc_conv() function, raised the
+    default value for this parameter from 512 to 4096.
+  * Multiple minor bug fixes, portability fixes, documentation
+    improvements, and translation updates.
+
+  pam_tally2 has been removed upstream, remove pam_tally2-removal.patch
+
+  pam_cracklib has been removed from the upstream sources. This
+  obsoletes pam-pam_cracklib-add-usersubstr.patch and
+  pam_cracklib-removal.patch.
+  The following patches have been accepted upstream and, so,
+  are obsolete:
+  - pam-bsc1181443-make-nofile-unlimited-mean-nr_open.patch
+  - pam_securetty-don-t-complain-about-missing-config.patch
+  - bsc1184358-prevent-LOCAL-from-being-resolved.patch
+  - revert-check_shadow_expiry.diff
+
+  [Linux-PAM-1.5.2-docs.tar.xz, Linux-PAM-1.5.2-docs.tar.xz.asc,
+   Linux-PAM-1.5.2.tar.xz, Linux-PAM-1.5.2.tar.xz.asc,
+   pam-pam_cracklib-add-usersubstr.patch, pam_cracklib-removal.patch,
+   pam-bsc1181443-make-nofile-unlimited-mean-nr_open.patch,
+   pam_securetty-don-t-complain-about-missing-config.patch,
+   bsc1184358-prevent-LOCAL-from-being-resolved.patch,
+   revert-check_shadow_expiry.diff]
+
+-------------------------------------------------------------------
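Review bot: the 1.5.2 entry says pam_tally2 and pam_cracklib were removed upstream and lists the dropped patches, but it never states that the pam-deprecated subpackage goes away with them, which is the change administrators will actually notice. Suggest adding a line such as "Remove pam-deprecated subpackage (pam_cracklib, pam_tally2)" and naming the replacements to migrate to (pam_faillock, for which /run/faillock is created two entries up, and pam_pwquality), so that anyone reading the changelog knows to check their PAM stacks before updating.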
--- /work/SRC/openSUSE:Factory/pam/pam_unix-nis.changes 2021-07-17 
23:36:23.662082749 +0200
+++ /work/SRC/openSUSE:Factory/.pam.new.1899/pam_unix-nis.changes       
2021-09-20 23:31:45.551070248 +0200
@@ -1,0 +2,5 @@
+Fri Sep 10 10:23:13 UTC 2021 - Thorsten Kukuk <ku...@suse.com>
+
+- Update to version 1.5.2
+
+-------------------------------------------------------------------

Old:
----
  Linux-PAM-1.5.1-docs.tar.xz
  Linux-PAM-1.5.1.tar.xz
  bsc1184358-prevent-LOCAL-from-being-resolved.patch
  motd.tmpfiles
  pam-bsc1181443-make-nofile-unlimited-mean-nr_open.patch
  pam-pam_cracklib-add-usersubstr.patch
  pam_cracklib-removal.patch
  pam_securetty-don-t-complain-about-missing-config.patch
  pam_tally2-removal.patch
  revert-check_shadow_expiry.diff

New:
----
  Linux-PAM-1.5.2-docs.tar.xz
  Linux-PAM-1.5.2-docs.tar.xz.asc
  Linux-PAM-1.5.2.tar.xz
  Linux-PAM-1.5.2.tar.xz.asc
  pam.tmpfiles

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Other differences:
------------------
++++++ pam.spec ++++++
--- /var/tmp/diff_new_pack.Vx9Sf3/_old  2021-09-20 23:31:46.259071123 +0200
+++ /var/tmp/diff_new_pack.Vx9Sf3/_new  2021-09-20 23:31:46.263071127 +0200
@@ -31,7 +31,7 @@
 #
 Name:           pam
 #
-Version:        1.5.1
+Version:        1.5.2
 Release:        0
 Summary:        A Security Tool that Provides Authentication for Applications
 License:        GPL-2.0-or-later OR BSD-3-Clause
@@ -49,23 +49,16 @@
 Source10:       unix2_chkpwd.c
 Source11:       unix2_chkpwd.8
 Source12:       pam-login_defs-check.sh
-Source13:       motd.tmpfiles
+Source13:       pam.tmpfiles
+Source14:       Linux-PAM-%{version}-docs.tar.xz.asc
+Source15:       Linux-PAM-%{version}.tar.xz.asc
 Patch2:         pam-limit-nproc.patch
 Patch4:         pam-hostnames-in-access_conf.patch
 Patch5:         pam-xauth_ownership.patch
-Patch6:         pam_cracklib-removal.patch
-Patch7:         pam_tally2-removal.patch
 Patch8:         pam-bsc1177858-dont-free-environment-string.patch
-Patch9:         pam-pam_cracklib-add-usersubstr.patch
-Patch10:        pam-bsc1181443-make-nofile-unlimited-mean-nr_open.patch
-Patch11:        bsc1184358-prevent-LOCAL-from-being-resolved.patch
 Patch12:        pam_umask-usergroups-login_defs.patch
-# 
https://github.com/linux-pam/linux-pam/commit/e842a5fc075002f46672ebcd8e896624f1ec8068
-Patch100:       pam_securetty-don-t-complain-about-missing-config.patch
-Patch101:       revert-check_shadow_expiry.diff
 BuildRequires:  audit-devel
 BuildRequires:  bison
-BuildRequires:  cracklib-devel
 BuildRequires:  flex
 BuildRequires:  libtool
 BuildRequires:  xz
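Review bot: Source14 and Source15 add the detached .asc signatures, but no keyring source appears among the Source lines of this hunk or in the "New:" file list above. Without a keyring file shipped next to them the signatures are carried along but never checked against a trusted key. If a keyring is already among the sources outside the visible context, ignore this; otherwise add it as a further Source so the two tarballs are actually verified.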
@@ -121,9 +114,7 @@
 %package doc
 Summary:        Documentation for Pluggable Authentication Modules
 Group:          Documentation/HTML
-%if 0%{?suse_version} >= 1140
 BuildArch:      noarch
-%endif
 
 %description doc
 PAM (Pluggable Authentication Modules) is a system security tool that
@@ -146,36 +137,14 @@
 This package contains header files and static libraries used for
 building both PAM-aware applications and modules for use with PAM.
 
-%package deprecated
-Summary:        Deprecated PAM Modules
-Group:          System/Libraries
-Provides:       pam:/%{_lib}/security/pam_cracklib.so
-Provides:       pam:/%{_lib}/security/pam_tally2.so
-
-%description deprecated
-PAM (Pluggable Authentication Modules) is a system security tool that
-allows system administrators to set authentication policies without
-having to recompile programs that do authentication.
-
-This package contains deprecated extra modules like pam_cracklib and
-pam_tally2, which are no longer supported upstream and will be completly
-removed with one of the next releases.
-
 %prep
 %setup -q -n Linux-PAM-%{version} -b 1
 cp -a %{SOURCE12} .
 %patch2 -p1
 %patch4 -p1
 %patch5 -p1
-%patch6 -R -p1
-%patch7 -R -p1
 %patch8 -p1
-%patch9 -p1
-%patch10 -p1
-%patch11 -p1
 %patch12 -p1
-%patch100 -p1
-%patch101 -p1
 
 %build
 bash ./pam-login_defs-check.sh
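Review bot: the "%package deprecated" block is deleted without a replacement "Obsoletes: pam-deprecated" anywhere in the visible lines, so an installed pam-deprecated is either left behind at the old version or gets in the way of the update. More important for operations: once pam_cracklib.so and pam_tally2.so are gone, any file under the PAM configuration directory that still names them will fail to load the module, and for an auth or password stack that means failed logins or password changes. Suggest adding the Obsoletes and a check (in %pre, or at least a release note) that warns when existing PAM configuration still references either module.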
@@ -192,9 +161,9 @@
        --enable-securedir=%{_pam_moduledir} \
        --enable-vendordir=%{_distconfdir} \
 %if %{with debug}
-       --enable-debug \
+       --enable-debug
 %endif
-       --enable-tally2 --enable-cracklib
+
 %make_build
 gcc -fwhole-program -fpie -pie -D_FILE_OFFSET_BITS=64 -D_GNU_SOURCE 
%{optflags} -I%{_builddir}/Linux-PAM-%{version}/libpam/include %{SOURCE10} -o 
%{_builddir}/unix2_chkpwd -L%{_builddir}/Linux-PAM-%{version}/libpam/.libs -lpam
 
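Review bot: the empty line added after %endif is what terminates the configure command when the debug conditional is off, because "--enable-vendordir=%{_distconfdir} \" still ends in a backslash. If someone later tidies that blank line away, %make_build becomes an argument to configure. Suggest moving the %if/%endif block above --enable-vendordir so the last unconditional argument carries no trailing backslash, or at least adding a comment that the blank line is required.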
@@ -246,7 +215,7 @@
 # rpm macros
 install -D -m 644 %{SOURCE2} %{buildroot}%{_rpmmacrodir}/macros.pam
 # /run/motd.d
-install -Dm0644 %{SOURCE13} %{buildroot}%{_tmpfilesdir}/motd.conf
+install -Dm0644 %{SOURCE13} %{buildroot}%{_tmpfilesdir}/pam.conf
 # Create filelist with translations
 %find_lang Linux-PAM
 
@@ -258,7 +227,7 @@
 /sbin/ldconfig
 %set_permissions %{_sbindir}/unix_chkpwd
 %set_permissions %{_sbindir}/unix2_chkpwd
-%tmpfiles_create %{_tmpfilesdir}/motd.conf
+%tmpfiles_create %{_tmpfilesdir}/pam.conf
 
 %postun -p /sbin/ldconfig
 %pre
@@ -279,7 +248,6 @@
 %dir %{_pam_secconfdir}
 %dir %{_pam_secconfdir}/limits.d
 %dir %{_prefix}/lib/motd.d
-%ghost %dir %{_rundir}/motd.d
 %if %{defined config_noreplace}
 %config(noreplace) %{_pam_confdir}/other
 %config(noreplace) %{_pam_confdir}/common-*
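Review bot: dropping "%ghost %dir %{_rundir}/motd.d" means neither /run/motd.d nor the new /run/faillock from pam.tmpfiles is owned by any package in the visible file lists, so rpm -qf and rpm -V no longer cover their owner and mode. If that is intentional, say so in the changelog; otherwise keep the ghost entry and add a matching one for %{_rundir}/faillock.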
@@ -421,7 +389,7 @@
 %verify(not mode) %attr(4755,root,shadow) %{_sbindir}/unix2_chkpwd
 %attr(0700,root,root) %{_sbindir}/unix_update
 %{_unitdir}/pam_namespace.service
-%{_tmpfilesdir}/motd.conf
+%{_tmpfilesdir}/pam.conf
 
 %files -n pam_unix
 %defattr(-,root,root,755)
@@ -436,12 +404,6 @@
 %{_pam_moduledir}/pam_userdb.so
 %{_mandir}/man8/pam_userdb.8%{?ext_man}
 
-%files deprecated
-%defattr(-,root,root,755)
-%{_pam_moduledir}/pam_cracklib.so
-%{_pam_moduledir}/pam_tally2.so
-%{_sbindir}/pam_tally2
-
 %files doc
 %defattr(644,root,root,755)
 %dir %{_defaultdocdir}/pam
@@ -460,5 +422,6 @@
 %{_libdir}/libpamc.so
 %{_libdir}/libpam_misc.so
 %{_rpmmacrodir}/macros.pam
+%{_libdir}/pkgconfig/pam*.pc
 
 %changelog

++++++ pam_unix-nis.spec ++++++
--- /var/tmp/diff_new_pack.Vx9Sf3/_old  2021-09-20 23:31:46.299071172 +0200
+++ /var/tmp/diff_new_pack.Vx9Sf3/_new  2021-09-20 23:31:46.303071177 +0200
@@ -27,7 +27,7 @@
 %endif
 Name:           pam_unix-nis
 #
-Version:        1.5.1
+Version:        1.5.2
 Release:        0
 Summary:        PAM module for standard UNIX and NIS authentication
 License:        GPL-2.0-or-later OR BSD-3-Clause
@@ -36,7 +36,6 @@
 Source:         Linux-PAM-%{version}.tar.xz
 Source9:        baselibs.conf
 Patch:          Makefile-pam_unix-nis.diff
-Patch1:         revert-check_shadow_expiry.diff
 BuildRequires:  pam-devel
 %if 0%{?suse_version} > 1320
 BuildRequires:  pkgconfig(libeconf)
@@ -58,7 +57,6 @@
 %prep
 %setup -q -n Linux-PAM-%{version}
 %patch -p1
-%patch1 -p1
 
 %build
 export CFLAGS="%{optflags} -DNDEBUG"
@@ -69,8 +67,7 @@
        --pdfdir=%{_docdir}/pam/pdf \
        --enable-isadir=../..%{_pam_moduledir} \
        --enable-securedir=%{_pam_moduledir} \
-       --enable-vendordir=%{_distconfdir} \
-       --enable-tally2 --enable-cracklib
+       --enable-vendordir=%{_distconfdir}
 make -C modules/pam_unix
 
 %install

++++++ Linux-PAM-1.5.1-docs.tar.xz -> Linux-PAM-1.5.2-docs.tar.xz ++++++
Binary files old/Linux-PAM-1.5.1/doc/adg/Linux-PAM_ADG.pdf and 
new/Linux-PAM-1.5.2/doc/adg/Linux-PAM_ADG.pdf differ
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/Linux-PAM-1.5.1/doc/adg/Linux-PAM_ADG.txt 
new/Linux-PAM-1.5.2/doc/adg/Linux-PAM_ADG.txt
--- old/Linux-PAM-1.5.1/doc/adg/Linux-PAM_ADG.txt       2020-11-25 
17:59:21.000000000 +0100
+++ new/Linux-PAM-1.5.2/doc/adg/Linux-PAM_ADG.txt       2021-09-03 
14:02:52.000000000 +0200
@@ -322,9 +322,9 @@
 way the module can be given notification of the pass/fail nature of the
 tear-down process, and perform any last minute tasks that are appropriate to
 the module before it is unlinked. This argument can be logically OR'd with 
-PAM_DATA_SILENT to indicate to indicate that the module should not treat the
-call too seriously. It is generally used to indicate that the current closing
-of the library is in a fork(2)ed process, and that the parent will take care of
+PAM_DATA_SILENT to indicate that the module should not treat the call too
+seriously. It is generally used to indicate that the current closing of the
+library is in a fork(2)ed process, and that the parent will take care of
 cleaning up things that exist outside of the current process space (files
 etc.).
 
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' 
old/Linux-PAM-1.5.1/doc/adg/html/adg-interface-by-app-expected.html 
new/Linux-PAM-1.5.2/doc/adg/html/adg-interface-by-app-expected.html
--- old/Linux-PAM-1.5.1/doc/adg/html/adg-interface-by-app-expected.html 
2020-11-25 17:59:23.000000000 +0100
+++ new/Linux-PAM-1.5.2/doc/adg/html/adg-interface-by-app-expected.html 
2021-09-03 14:02:54.000000000 +0200
@@ -75,7 +75,7 @@
       of the pass/fail nature of the tear-down process, and perform any
       last minute tasks that are appropriate to the module before it is
       unlinked. This argument can be logically OR'd with
-      <span class="emphasis"><em>PAM_DATA_SILENT</em></span> to indicate to 
indicate that
+      <span class="emphasis"><em>PAM_DATA_SILENT</em></span> to indicate that
       the module should not treat the call too seriously. It is generally
       used to indicate that the current closing of the library is in a
       <span class="citerefentry"><span 
class="refentrytitle">fork</span>(2)</span>ed
Binary files old/Linux-PAM-1.5.1/doc/mwg/Linux-PAM_MWG.pdf and 
new/Linux-PAM-1.5.2/doc/mwg/Linux-PAM_MWG.pdf differ
Binary files old/Linux-PAM-1.5.1/doc/sag/Linux-PAM_SAG.pdf and 
new/Linux-PAM-1.5.2/doc/sag/Linux-PAM_SAG.pdf differ
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/Linux-PAM-1.5.1/doc/sag/Linux-PAM_SAG.txt 
new/Linux-PAM-1.5.2/doc/sag/Linux-PAM_SAG.txt
--- old/Linux-PAM-1.5.1/doc/sag/Linux-PAM_SAG.txt       2020-11-25 
17:59:07.000000000 +0100
+++ new/Linux-PAM-1.5.2/doc/sag/Linux-PAM_SAG.txt       2021-09-03 
14:02:34.000000000 +0200
@@ -375,7 +375,8 @@
 
     this action indicates that the return code should be thought of as
     indicative of the module failing. If this module is the first in the stack
-    to fail, its status value will be used for that of the whole stack.
+    to fail, its status value will be used for that of the whole stack. This is
+    the default action for all return codes.
 
 die
 
@@ -394,7 +395,8 @@
 done
 
     equivalent to ok with the side effect of terminating the module stack and
-    PAM immediately returning to the application.
+    PAM immediately returning to the application unless there was a non-ignored
+    module failure before.
 
 N (an unsigned integer)
 
@@ -410,6 +412,9 @@
     clear all memory of the state of the module stack and start again with the
     next stacked module.
 
+If a return code's action is not specifically defined via a valueN token, and
+the default value is not specified, that return code's action defaults to bad.
+
 Each of the four keywords: required; requisite; sufficient; and optional, have
 an equivalent expression in terms of the [...] syntax. They are as follows:
 
@@ -1188,7 +1193,7 @@
       NNTPSERVER     DEFAULT=localhost
       PATH           DEFAULT=${HOME}/bin:/usr/local/bin:/bin\
       :/usr/bin:/usr/local/bin/X11:/usr/bin/X11
-      XDG_DATA_HOME  @{HOME}/share/
+      XDG_DATA_HOME  DEFAULT=@{HOME}/share/
 
 
 Silly examples of escaped variables, just to show how they work.
@@ -1205,8 +1210,8 @@
 
 6.6.??pam_exec - call an external command
 
-pam_exec.so [ debug ] [ expose_authtok ] [ seteuid ] [ quiet ] [ stdout ] [ log
-=file ] [ type=type ] command [ ... ]
+pam_exec.so [ debug ] [ expose_authtok ] [ seteuid ] [ quiet ] [ quiet_log ] [
+stdout ] [ log=file ] [ type=type ] command [ ... ]
 
 6.6.1.??DESCRIPTION
 
@@ -1253,6 +1258,11 @@
     Per default pam_exec.so will echo the exit status of the external command
     if it fails. Specifying this option will suppress the message.
 
+quiet_log
+
+    Per default pam_exec.so will log the exit status of the external command if
+    it fails. Specifying this option will suppress the log message.
+
 seteuid
 
     Per default pam_exec.so will execute the external command with the real
@@ -2169,7 +2179,9 @@
         2.6.12 and higher)
 
 All items support the values -1, unlimited or infinity indicating no limit,
-except for priority, nice, and nonewprivs.
+except for priority, nice, and nonewprivs. If nofile is to be set to one of
+these values, it will be set to the contents of /proc/sys/fs/nr_open instead
+(see setrlimit(3)).
 
 If a hard limit or soft limit of a resource is set to a valid value, but
 outside of the supported range of the local system, the system may reject the
@@ -2660,8 +2672,12 @@
 
 umask=mask
 
-    The user file-creation mask is set to mask. The default value of mask is
-    0022.
+    The file mode creation mask is set to mask. The default value of mask is
+    0022. If this option is not specified, then the permissions of created user
+    home directory is set to the value of HOME_MODE configuration item from /
+    etc/login.defs. If there is no such configuration item then the value is
+    computed from the value of UMASK in the same file. If there is no such
+    configuration option either the default value of 0755 is used for the mode.
 
 skel=/path/to/skel/directory
 
@@ -3938,6 +3954,9 @@
 attempts to authenticate the user, a pam_timestamp will treat a sufficiently
 recent timestamp file as grounds for succeeding.
 
+The default encryption hash is taken from the HMAC_CRYPTO_ALGO variable from /
+etc/login.defs.
+
 6.32.2.??OPTIONS
 
 timestampdir=directory
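Review bot: "default encryption hash" in the added pam_timestamp paragraph is misleading, since HMAC_CRYPTO_ALGO selects the hash used for the HMAC over the timestamp file and nothing is encrypted. Suggest "The default HMAC hash algorithm is taken from the HMAC_CRYPTO_ALGO variable in /etc/login.defs". The paragraph also does not say which algorithm applies when the variable is absent, which is the case an administrator auditing the setup needs to know.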
@@ -4343,7 +4362,8 @@
 
 debug
 
-    Print debug information.
+    Print debug information. Note that password hashes, both from db and
+    computed, will be printed to syslog.
 
 dump
 
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' 
old/Linux-PAM-1.5.1/doc/sag/html/sag-configuration-file.html 
new/Linux-PAM-1.5.2/doc/sag/html/sag-configuration-file.html
--- old/Linux-PAM-1.5.1/doc/sag/html/sag-configuration-file.html        
2020-11-25 17:59:11.000000000 +0100
+++ new/Linux-PAM-1.5.2/doc/sag/html/sag-configuration-file.html        
2021-09-03 14:02:39.000000000 +0200
@@ -162,10 +162,12 @@
              this action indicates that the return code should be thought
              of as indicative of the module failing. If this module is the
              first in the stack to fail, its status value will be used for
-             that of the whole stack.
+             that of the whole stack.  This is the default action for
+             all return codes.
           </p></dd><dt><span class="term">die</span></dt><dd><p>
-             equivalent to bad with the side effect of terminating the
-             module stack and PAM immediately returning to the application.
+             equivalent to <span class="emphasis"><em>bad</em></span> with the 
side effect of
+             terminating the module stack and PAM immediately returning to
+             the application.
           </p></dd><dt><span class="term">ok</span></dt><dd><p>
              this tells PAM that the administrator thinks this return code
              should contribute directly to the return code of the full
@@ -176,8 +178,9 @@
              indicative of a modules failure, this 'ok' value will not be
              used to override that value.
           </p></dd><dt><span class="term">done</span></dt><dd><p>
-             equivalent to ok with the side effect of terminating the module
-             stack and PAM immediately returning to the application.
+             equivalent to <span class="emphasis"><em>ok</em></span> with the 
side effect of
+             terminating the module stack and PAM immediately returning to the
+             application unless there was a non-ignored module failure before.
           </p></dd><dt><span class="term">N (an unsigned 
integer)</span></dt><dd><p>
              jump over the next N modules in the stack.
              Note that N equal to 0 is not allowed,
@@ -196,6 +199,11 @@
              clear all memory of the state of the module stack and
              start again with the next stacked module.
           </p></dd></dl></div><p>
+      If a return code's action is not specifically defined via a
+      <span class="emphasis"><em>valueN</em></span> token, and the
+      <span class="emphasis"><em>default</em></span> value is not specified, 
that return
+      code's action defaults to <span class="emphasis"><em>bad</em></span>.
+    </p><p>
       Each of the four keywords: required; requisite; sufficient; and
       optional, have an equivalent expression in terms of the [...]
       syntax. They are as follows:
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/Linux-PAM-1.5.1/doc/sag/html/sag-pam_env.html 
new/Linux-PAM-1.5.2/doc/sag/html/sag-pam_env.html
--- old/Linux-PAM-1.5.1/doc/sag/html/sag-pam_env.html   2020-11-25 
17:59:11.000000000 +0100
+++ new/Linux-PAM-1.5.2/doc/sag/html/sag-pam_env.html   2021-09-03 
14:02:39.000000000 +0200
@@ -152,7 +152,7 @@
       NNTPSERVER     DEFAULT=localhost
       PATH           DEFAULT=${HOME}/bin:/usr/local/bin:/bin\
       :/usr/bin:/usr/local/bin/X11:/usr/bin/X11
-      XDG_DATA_HOME  @{HOME}/share/
+      XDG_DATA_HOME  DEFAULT=@{HOME}/share/
     </pre><p>
       Silly examples of escaped variables, just to show how they work.
     </p><pre class="programlisting">
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/Linux-PAM-1.5.1/doc/sag/html/sag-pam_exec.html 
new/Linux-PAM-1.5.2/doc/sag/html/sag-pam_exec.html
--- old/Linux-PAM-1.5.1/doc/sag/html/sag-pam_exec.html  2020-11-25 
17:59:11.000000000 +0100
+++ new/Linux-PAM-1.5.2/doc/sag/html/sag-pam_exec.html  2021-09-03 
14:02:39.000000000 +0200
@@ -7,6 +7,8 @@
       ] [
         quiet
       ] [
+        quiet_log
+      ] [
         stdout
       ] [
         log=<em class="replaceable"><code>file</code></em>
@@ -65,6 +67,12 @@
               external command if it fails.
               Specifying this option will suppress the message.
             </p></dd><dt><span class="term">
+            <code class="option">quiet_log</code>
+          </span></dt><dd><p>
+              Per default pam_exec.so will log the exit status of the
+              external command if it fails.
+              Specifying this option will suppress the log message.
+            </p></dd><dt><span class="term">
             <code class="option">seteuid</code>
           </span></dt><dd><p>
               Per default pam_exec.so will execute the external command
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/Linux-PAM-1.5.1/doc/sag/html/sag-pam_limits.html 
new/Linux-PAM-1.5.2/doc/sag/html/sag-pam_limits.html
--- old/Linux-PAM-1.5.1/doc/sag/html/sag-pam_limits.html        2020-11-25 
17:59:11.000000000 +0100
+++ new/Linux-PAM-1.5.2/doc/sag/html/sag-pam_limits.html        2021-09-03 
14:02:39.000000000 +0200
@@ -104,6 +104,8 @@
       <span class="emphasis"><em>unlimited</em></span> or <span 
class="emphasis"><em>infinity</em></span> indicating no limit,
       except for <span class="emphasis"><em>priority</em></span>, <span 
class="emphasis"><em>nice</em></span>,
       and <span class="emphasis"><em>nonewprivs</em></span>.
+      If <span class="emphasis"><em>nofile</em></span> is to be set to one of 
these values,
+      it will be set to the contents of /proc/sys/fs/nr_open instead (see 
setrlimit(3)).
     </p><p>
       If a hard limit or soft limit of a resource is set to a valid value,
       but outside of the supported range of the local system, the system
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/Linux-PAM-1.5.1/doc/sag/html/sag-pam_mkhomedir.html 
new/Linux-PAM-1.5.2/doc/sag/html/sag-pam_mkhomedir.html
--- old/Linux-PAM-1.5.1/doc/sag/html/sag-pam_mkhomedir.html     2020-11-25 
17:59:12.000000000 +0100
+++ new/Linux-PAM-1.5.2/doc/sag/html/sag-pam_mkhomedir.html     2021-09-03 
14:02:39.000000000 +0200
@@ -29,9 +29,16 @@
           </p></dd><dt><span class="term">
           <code class="option">umask=<em 
class="replaceable"><code>mask</code></em></code>
         </span></dt><dd><p>
-            The user file-creation mask is set to
-            <em class="replaceable"><code>mask</code></em>. The default value 
of mask is
-            0022.
+            The file mode creation mask is set to
+            <em class="replaceable"><code>mask</code></em>. The default value 
of mask
+            is 0022. If this option is not specified, then the permissions
+            of created user home directory  is set to the value of
+            <code class="option">HOME_MODE</code> configuration item from
+            <code class="filename">/etc/login.defs</code>. If there is no such
+            configuration item then the value is computed from the
+            value of <code class="option">UMASK</code> in the same file. If
+            there is no such configuration option either the default
+            value of 0755 is used for the mode.
           </p></dd><dt><span class="term">
           <code class="option">skel=<em 
class="replaceable"><code>/path/to/skel/directory</code></em></code>
         </span></dt><dd><p>
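Review bot: the rewritten umask= description states two defaults at once. It keeps "The default value of mask is 0022" and then says that without the option the home directory mode comes from HOME_MODE, then from UMASK, then falls back to 0755. Spell out which value applies to what (the mask used while populating the directory versus the mode of the directory itself), because the difference decides whether new home directories end up world-readable. Minor: "the permissions of created user home directory is set" should read "the permissions of the created home directory are set".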
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/Linux-PAM-1.5.1/doc/sag/html/sag-pam_timestamp.html 
new/Linux-PAM-1.5.2/doc/sag/html/sag-pam_timestamp.html
--- old/Linux-PAM-1.5.1/doc/sag/html/sag-pam_timestamp.html     2020-11-25 
17:59:12.000000000 +0100
+++ new/Linux-PAM-1.5.2/doc/sag/html/sag-pam_timestamp.html     2021-09-03 
14:02:40.000000000 +0200
@@ -17,6 +17,10 @@
 for the user.  When an application attempts to authenticate the user, a
 <span class="emphasis"><em>pam_timestamp</em></span> will treat a sufficiently 
recent timestamp
 file as grounds for succeeding.
+    </p><p>
+      The default encryption hash is taken from the
+      <span class="emphasis"><em>HMAC_CRYPTO_ALGO</em></span> variable from
+      <span class="emphasis"><em>/etc/login.defs</em></span>.
     </p></div><div class="section"><div class="titlepage"><div><div><h3 
class="title"><a 
name="sag-pam_timestamp-options"></a>6.32.2.??OPTIONS</h3></div></div></div><div
 class="variablelist"><dl class="variablelist"><dt><span class="term">
             <code class="option">timestampdir=<em 
class="replaceable"><code>directory</code></em></code>
          </span></dt><dd><p>
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/Linux-PAM-1.5.1/doc/sag/html/sag-pam_userdb.html 
new/Linux-PAM-1.5.2/doc/sag/html/sag-pam_userdb.html
--- old/Linux-PAM-1.5.1/doc/sag/html/sag-pam_userdb.html        2020-11-25 
17:59:12.000000000 +0100
+++ new/Linux-PAM-1.5.2/doc/sag/html/sag-pam_userdb.html        2021-09-03 
14:02:40.000000000 +0200
@@ -40,7 +40,8 @@
           </p></dd><dt><span class="term">
           <code class="option">debug</code>
         </span></dt><dd><p>
-            Print debug information.
+            Print debug information. Note that password hashes, both from db
+            and computed, will be printed to syslog.
           </p></dd><dt><span class="term">
           <code class="option">dump</code>
         </span></dt><dd><p>
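Review bot: the sentence added to the debug option is the only place that tells the reader pam_userdb writes both the stored and the computed password hashes to syslog, and it reads like a side remark. Suggest wording it as a caution that debug must not stay enabled on production systems, since syslog is commonly forwarded off-host or readable by accounts that should never see password hashes.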

++++++ Linux-PAM-1.5.1-docs.tar.xz -> Linux-PAM-1.5.2.tar.xz ++++++
++++ 306451 lines of diff (skipped)

++++++ baselibs.conf ++++++
--- /var/tmp/diff_new_pack.Vx9Sf3/_old  2021-09-20 23:31:46.907071923 +0200
+++ /var/tmp/diff_new_pack.Vx9Sf3/_new  2021-09-20 23:31:46.907071923 +0200
@@ -1,7 +1,6 @@
 pam
        requires "(systemd-<targettype> if systemd)"
 pam-extra
-pam-deprecated
 pam-devel
 pam_unix
        conflicts "pam_unix-nis-<targettype>"

++++++ pam-login_defs-check.sh ++++++
--- /var/tmp/diff_new_pack.Vx9Sf3/_old  2021-09-20 23:31:47.027072072 +0200
+++ /var/tmp/diff_new_pack.Vx9Sf3/_new  2021-09-20 23:31:47.027072072 +0200
@@ -12,7 +12,7 @@
        sed -n 's/^.*search_key *([A-Za-z_]*, *[A-Z_]*LOGIN_DEFS, 
*"\([A-Z0-9_]*\)").*$/\1/p' |
        LC_ALL=C sort -u >pam-login_defs-vars.lst
 
-if test $(sha1sum pam-login_defs-vars.lst | sed 's/ .*$//') != 
3c6e0020c31609690b69ef391654df930b74151d ; then
+if test $(sha1sum pam-login_defs-vars.lst | sed 's/ .*$//') != 
e9750fd874b9b55fc151d424ae048050e3858d57 ; then
 
        echo "does not match!" >&2
        echo "Checksum is: $(sha1sum pam-login_defs-vars.lst | sed 's/ .*$//')" 
>&2
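Review bot: the "$(sha1sum pam-login_defs-vars.lst | sed 's/ .*$//')" substitution in the "if test" line is unquoted. If it ever expands to nothing (sha1sum missing or failing), test is called with two arguments, errors out, and the "does not match!" branch is skipped, so the guard passes silently. Quote the substitution. Separately, this change only swaps one opaque hash for another, so a reviewer cannot see which login.defs variables were added; comparing against a checked-in expected list with diff would make the "new login.defs variable usages" from the changelog visible in the commit.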

++++++ pam.tmpfiles ++++++
#Type Path          Mode User Group Age Argument
d     /run/faillock 0755 root root  -   -
d     /run/motd.d   0755 root root  -   -
++++++ pam_umask-usergroups-login_defs.patch ++++++
--- /var/tmp/diff_new_pack.Vx9Sf3/_old  2021-09-20 23:31:47.059072111 +0200
+++ /var/tmp/diff_new_pack.Vx9Sf3/_new  2021-09-20 23:31:47.059072111 +0200
@@ -4,9 +4,72 @@
 Original Author: Martin Pitt <martin.p...@ubuntu.com>
 Bug-Debian: http://bugs.debian.org/583958
 
-diff -urN Linux-PAM-1.5.1.pre/modules/pam_umask/pam_umask.8.xml 
Linux-PAM-1.5.1/modules/pam_umask/pam_umask.8.xml
---- Linux-PAM-1.5.1.pre/modules/pam_umask/pam_umask.8.xml      2020-11-25 
17:57:02.000000000 +0100
-+++ Linux-PAM-1.5.1/modules/pam_umask/pam_umask.8.xml  2021-08-12 
16:02:56.108249895 +0200
+Index: Linux-PAM-1.5.2/modules/pam_umask/README
+===================================================================
+--- Linux-PAM-1.5.2.orig/modules/pam_umask/README
++++ Linux-PAM-1.5.2/modules/pam_umask/README
+@@ -15,7 +15,7 @@ following order:
+ 
+   ??? umask= argument
+ 
+-  ??? UMASK entry from /etc/login.defs
++  ??? UMASK entry from /etc/login.defs (influenced by USERGROUPS_ENAB)
+ 
+   ??? UMASK= entry from /etc/default/login
+ 
+@@ -38,7 +38,10 @@ usergroups
+ 
+     If the user is not root and the username is the same as primary group 
name,
+     the umask group bits are set to be the same as owner bits (examples: 022 
->
+-    002, 077 -> 007).
++    002, 077 -> 007). Note that using this option explicitly is discouraged.
++    pam_umask enables this functionality by default if /etc/login.defs enables
++    USERGROUPS_ENAB, and the umask is not set explicitly in other places than 
/
++    etc/login.defs.
+ 
+ nousergroups
+ 
+Index: Linux-PAM-1.5.2/modules/pam_umask/pam_umask.8
+===================================================================
+--- Linux-PAM-1.5.2.orig/modules/pam_umask/pam_umask.8
++++ Linux-PAM-1.5.2/modules/pam_umask/pam_umask.8
+@@ -68,7 +68,9 @@ umask= argument
+ .sp -1
+ .IP \(bu 2.3
+ .\}
+-UMASK entry from /etc/login\&.defs
++UMASK entry from
++/etc/login\&.defs
++(influenced by USERGROUPS_ENAB)
+ .RE
+ .sp
+ .RS 4
+@@ -79,7 +81,8 @@ UMASK entry from /etc/login\&.defs
+ .sp -1
+ .IP \(bu 2.3
+ .\}
+-UMASK= entry from /etc/default/login
++UMASK= entry from
++/etc/default/login
+ .RE
+ .PP
+ The GECOS field is split on comma \*(Aq,\*(Aq characters\&. The module also 
in addition to the umask= entry recognizes pri= entry, which sets the nice 
priority value for the session, and ulimit= entry, which sets the maximum size 
of files the processes in the session can create\&.
+@@ -98,7 +101,10 @@ Don\*(Aqt print informative messages\&.
+ .PP
+ \fBusergroups\fR
+ .RS 4
+-If the user is not root and the username is the same as primary group name, 
the umask group bits are set to be the same as owner bits (examples: 022 \-> 
002, 077 \-> 007)\&.
++If the user is not root and the username is the same as primary group name, 
the umask group bits are set to be the same as owner bits (examples: 022 \-> 
002, 077 \-> 007)\&. Note that using this option explicitly is discouraged\&. 
pam_umask enables this functionality by default if
++/etc/login\&.defs
++enables USERGROUPS_ENAB, and the umask is not set explicitly in other places 
than
++/etc/login\&.defs\&.
+ .RE
+ .PP
+ \fBnousergroups\fR
+Index: Linux-PAM-1.5.2/modules/pam_umask/pam_umask.8.xml
+===================================================================
+--- Linux-PAM-1.5.2.orig/modules/pam_umask/pam_umask.8.xml
++++ Linux-PAM-1.5.2/modules/pam_umask/pam_umask.8.xml
 @@ -61,12 +61,13 @@
          </listitem>
          <listitem>
@@ -35,14 +98,15 @@
              </para>
            </listitem>
          </varlistentry>
-diff -urN Linux-PAM-1.5.1.pre/modules/pam_umask/pam_umask.c 
Linux-PAM-1.5.1/modules/pam_umask/pam_umask.c
---- Linux-PAM-1.5.1.pre/modules/pam_umask/pam_umask.c  2020-11-25 
17:57:02.000000000 +0100
-+++ Linux-PAM-1.5.1/modules/pam_umask/pam_umask.c      2021-08-12 
16:14:40.505589328 +0200
-@@ -103,7 +103,23 @@
+Index: Linux-PAM-1.5.2/modules/pam_umask/pam_umask.c
+===================================================================
+--- Linux-PAM-1.5.2.orig/modules/pam_umask/pam_umask.c
++++ Linux-PAM-1.5.2/modules/pam_umask/pam_umask.c
+@@ -104,7 +104,23 @@ get_options (pam_handle_t *pamh, options
      parse_option (pamh, *argv, options);
  
-   if (options->umask == NULL)
--    options->umask = pam_modutil_search_key (pamh, LOGIN_DEFS, "UMASK");
+   if (options->umask == NULL) {
+-    options->login_umask = pam_modutil_search_key (pamh, LOGIN_DEFS, "UMASK");
 +    {
 +      options->umask = pam_modutil_search_key (pamh, LOGIN_DEFS, "UMASK");
 +      /* login.defs' USERGROUPS_ENAB will modify the UMASK setting there by 
way
@@ -51,73 +115,15 @@
 +       */
 +      if (options->umask != NULL)
 +       {
-+         char *result = pam_modutil_search_key (pamh, LOGIN_DEFS,
++       char *result = pam_modutil_search_key (pamh, LOGIN_DEFS,
 +                                              "USERGROUPS_ENAB");
-+         if (result != NULL)
-+           {
-+             options->usergroups = (strcasecmp (result, "yes") == 0);
-+             free (result);
-+           }
++       if (result != NULL)
++         {
++           options->usergroups = (strcasecmp (result, "yes") == 0);
++           free (result);
++         }
 +       }
 +    }
-   if (options->umask == NULL)
-     options->umask = pam_modutil_search_key (pamh, LOGIN_CONF, "UMASK");
- 
---- Linux-PAM-1.5.1.pre/modules/pam_umask/pam_umask.8  2021-08-12 
16:34:08.314505891 +0200
-+++ Linux-PAM-1.5.1/modules/pam_umask/pam_umask.8      2021-08-12 
16:14:43.969615764 +0200
-@@ -68,7 +68,9 @@
- .sp -1
- .IP \(bu 2.3
- .\}
--UMASK entry from /etc/login\&.defs
-+UMASK entry from
-+/etc/login\&.defs
-+(influenced by USERGROUPS_ENAB)
- .RE
- .sp
- .RS 4
-@@ -79,7 +81,8 @@
- .sp -1
- .IP \(bu 2.3
- .\}
--UMASK= entry from /etc/default/login
-+UMASK= entry from
-+/etc/default/login
- .RE
- .PP
- The GECOS field is split on comma \*(Aq,\*(Aq characters\&. The module also 
in addition to the umask= entry recognizes pri= entry, which sets the nice 
priority value for the session, and ulimit= entry, which sets the maximum size 
of files the processes in the session can create\&.
-@@ -98,7 +101,10 @@
- .PP
- \fBusergroups\fR
- .RS 4
--If the user is not root and the username is the same as primary group name, 
the umask group bits are set to be the same as owner bits (examples: 022 \-> 
002, 077 \-> 007)\&.
-+If the user is not root and the username is the same as primary group name, 
the umask group bits are set to be the same as owner bits (examples: 022 \-> 
002, 077 \-> 007)\&. Note that using this option explicitly is discouraged\&. 
pam_umask enables this functionality by default if
-+/etc/login\&.defs
-+enables USERGROUPS_ENAB, and the umask is not set explicitly in other places 
than
-+/etc/login\&.defs\&.
- .RE
- .PP
- \fBnousergroups\fR
---- Linux-PAM-1.5.1.pre/modules/pam_umask/README       2021-08-12 
16:34:08.638508373 +0200
-+++ Linux-PAM-1.5.1/modules/pam_umask/README   2021-08-12 16:14:44.241617840 
+0200
-@@ -15,7 +15,7 @@
- 
-   ??? umask= argument
- 
--  ??? UMASK entry from /etc/login.defs
-+  ??? UMASK entry from /etc/login.defs (influenced by USERGROUPS_ENAB)
- 
-   ??? UMASK= entry from /etc/default/login
- 
-@@ -38,7 +38,10 @@
- 
-     If the user is not root and the username is the same as primary group 
name,
-     the umask group bits are set to be the same as owner bits (examples: 022 
->
--    002, 077 -> 007).
-+    002, 077 -> 007). Note that using this option explicitly is discouraged.
-+    pam_umask enables this functionality by default if /etc/login.defs enables
-+    USERGROUPS_ENAB, and the umask is not set explicitly in other places than 
/
-+    etc/login.defs.
- 
- nousergroups
- 
+     if (options->login_umask == NULL)
+       options->login_umask = pam_modutil_search_key (pamh, LOGIN_CONF, 
"UMASK");
+     options->umask = options->login_umask;
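Review bot: in the refreshed get_options hunk for pam_umask.c, the added block still stores the login.defs value in options->umask, while the 1.5.2 context around it works on options->login_umask and ends with "options->umask = options->login_umask;". As these lines read, the UMASK string fetched from LOGIN_DEFS is overwritten (and its allocation leaked) by login_umask, which is now only ever filled from LOGIN_CONF because the upstream line "options->login_umask = pam_modutil_search_key (pamh, LOGIN_DEFS, "UMASK");" is removed. The USERGROUPS_ENAB lookup still runs, so usergroups can be switched on while the mask itself is dropped, and a restrictive UMASK in /etc/login.defs would silently not apply. Suggest keeping upstream's login_umask assignment and testing options->login_umask != NULL before the USERGROUPS_ENAB lookup. The doubled opening brace ("if (options->umask == NULL) {" followed by a line holding only "{") should be tidied at the same time.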
