[arch-commits] Commit in pam/trunk (4 files)

2020-08-12 Thread Tobias Powalowski via arch-commits
Date: Wednesday, August 12, 2020 @ 19:24:27
  Author: tpowa
Revision: 393557

Prevent determining if user exists through timing, Fix pam_faillock, Backup 
etc/security/faillock.conf, Drop cracklib dependency

Added:
  pam/trunk/0e9b286afe1224b91ff00936058b084ad4b776e4.patch
  pam/trunk/395915dae1571e10e2766c74de864655ea3a.patch
  pam/trunk/af0faf666c5008e54dfe43684f210e3581ff1bca.patch
Modified:
  pam/trunk/PKGBUILD

+
 0e9b286afe1224b91ff00936058b084ad4b776e4.patch |   31 
 395915dae1571e10e2766c74de864655ea3a.patch |   47 
 PKGBUILD   |   26 +--
 af0faf666c5008e54dfe43684f210e3581ff1bca.patch |   85 +++
 4 files changed, 184 insertions(+), 5 deletions(-)

Added: 0e9b286afe1224b91ff00936058b084ad4b776e4.patch
===
--- 0e9b286afe1224b91ff00936058b084ad4b776e4.patch  
(rev 0)
+++ 0e9b286afe1224b91ff00936058b084ad4b776e4.patch  2020-08-12 19:24:27 UTC 
(rev 393557)
@@ -0,0 +1,31 @@
+From 0e9b286afe1224b91ff00936058b084ad4b776e4 Mon Sep 17 00:00:00 2001
+From: ikerexxe 
+Date: Tue, 16 Jun 2020 14:44:04 +0200
+Subject: [PATCH] pam_usertype: avoid determining if user exists
+
+Taking a look at the time for the password prompt to appear it was
+possible to determine if a user existed in a system. Solved it by
+matching the runtime until the password prompt was shown by always
+checking the password hash for an existing and a non-existing user.
+
+Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=1629598
+---
+ modules/pam_usertype/pam_usertype.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/modules/pam_usertype/pam_usertype.c 
b/modules/pam_usertype/pam_usertype.c
+index 2807c306..d03b73b5 100644
+--- a/modules/pam_usertype/pam_usertype.c
 b/modules/pam_usertype/pam_usertype.c
+@@ -139,8 +139,11 @@ pam_usertype_get_uid(struct pam_usertype_opts *opts,
+"error retrieving information about user %s", 
username);
+ }
+ 
++pam_modutil_getpwnam(pamh, "root");
++
+ return PAM_USER_UNKNOWN;
+ }
++pam_modutil_getpwnam(pamh, "pam_usertype_non_existent:");
+ 
+ *_uid = pwd->pw_uid;
+ 
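Review bot: The two added `pam_modutil_getpwnam()` calls discard their result and carry no comment, so a later maintainer is likely to remove them as dead code and silently reintroduce the timing difference the commit message describes. A one-line comment at each call, e.g. `/* dummy lookup: keep the time to reach the prompt equal for existing and non-existing users */`, would protect the intent. The balance also rests on the assumption that looking up `root` in the unknown-user path costs about the same as the successful lookup in the known-user path, which is plausible for local users but may not hold for remote NSS backends; that assumption is worth stating in the same comment. `pam_usertype_get_uid` starts and ends outside the hunk.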

Added: 395915dae1571e10e2766c74de864655ea3a.patch
===
--- 395915dae1571e10e2766c74de864655ea3a.patch  
(rev 0)
+++ 395915dae1571e10e2766c74de864655ea3a.patch  2020-08-12 19:24:27 UTC 
(rev 393557)
@@ -0,0 +1,47 @@
+From 395915dae1571e10e2766c74de864655ea3a Mon Sep 17 00:00:00 2001
+From: ikerexxe 
+Date: Mon, 15 Jun 2020 09:52:11 +0200
+Subject: [PATCH] pam_faillock: change /run/faillock/$USER permissions to 0660
+
+Nowadays, /run/faillock/$USER files have user:root ownership and 0600
+permissions. This forces the process that writes to these files to have
+CAP_DAC_OVERRIDE capabilites. Just by changing the permissions to 0660
+the capability can be removed, which leads to a more secure system.
+
+Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=1661822
+---
+ modules/pam_faillock/faillock.c | 14 +-
+ 1 file changed, 13 insertions(+), 1 deletion(-)
+
+diff --git a/modules/pam_faillock/faillock.c b/modules/pam_faillock/faillock.c
+index e492f5f9..4ea94cbe 100644
+--- a/modules/pam_faillock/faillock.c
 b/modules/pam_faillock/faillock.c
+@@ -76,7 +76,7 @@ open_tally (const char *dir, const char *user, uid_t uid, 
int create)
+   flags |= O_CREAT;
+   }
+ 
+-  fd = open(path, flags, 0600);
++  fd = open(path, flags, 0660);
+ 
+   free(path);
+ 
+@@ -88,6 +88,18 @@ open_tally (const char *dir, const char *user, uid_t uid, 
int create)
+   if (st.st_uid != uid) {
+   ignore_return(fchown(fd, uid, -1));
+   }
++
++  /*
++   * If umask is set to 022, as will probably in most 
systems, then the
++   * group will not be able to write to the file. So, 
change the file
++   * permissions just in case.
++   * Note: owners of this file are user:root, so if the 
permissions are
++   * not changed the root process writing to this file 
will require
++   * CAP_DAC_OVERRIDE.
++   */
++  if (!(st.st_mode & S_IWGRP)) {
++  ignore_return(fchmod(fd, 0660));
++  }
+   }
+   }
+ 
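Review bot: The new `fchmod(fd, 0660)` makes the tally file group-writable without checking which group owns it; the preceding block only corrects `st_uid`, while `st_gid` is normally inherited from the creating process or from a setgid `/run/faillock` directory. The added comment asserts the owners are user:root, but nothing in the code enforces the group half, so a file created under another group would give that group write access to the user's failure tally. A check beside the existing uid fix-up, e.g. `if (st.st_gid != 0) { ignore_return(fchown(fd, -1, 0)); }`, would make the 0660 mode match the stated ownership. The relaxed `open(path, flags, 0660)` in the first inner hunk depends on the same assumption. `open_tally` starts and ends outside the hunk.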

Modified: PKGBUILD
===
--- PKGBUILD2020-08-12 18:48:08 UTC (rev 393556)
+++ PKGBUILD2020-08-12 19:24:27 UTC (rev 393557)
@@ -3,16 +3,20 @@
 
 pkgname=pam
 pkgver=1.4.0
-pkgrel=2
+pkgrel=3
 pkgdesc="PAM (Pluggable Authentication Modules) library"

[arch-commits] Commit in pam/trunk (4 files)

2012-10-12 Thread Tobias Powalowski
Date: Friday, October 12, 2012 @ 05:18:35
  Author: tpowa
Revision: 168470

upgpkg: pam 1.1.6-1

update to 1.1.6, update pam_unix2 2.9.1

Added:
  pam/trunk/pam_namespace-build-1.1.6.patch
  pam/trunk/pam_unix2-glibc216.patch
Modified:
  pam/trunk/PKGBUILD
Deleted:
  pam/trunk/pam-glibc-2.16.patch

-+
 PKGBUILD|   27 ++-
 pam-glibc-2.16.patch|   10 --
 pam_namespace-build-1.1.6.patch |   11 +++
 pam_unix2-glibc216.patch|   20 
 4 files changed, 45 insertions(+), 23 deletions(-)

Modified: PKGBUILD
===
--- PKGBUILD2012-10-12 07:20:49 UTC (rev 168469)
+++ PKGBUILD2012-10-12 09:18:35 UTC (rev 168470)
@@ -3,8 +3,8 @@
 # Contributor: judd jvi...@zeroflux.org
 
 pkgname=pam
-pkgver=1.1.5
-pkgrel=5
+pkgver=1.1.6
+pkgrel=1
 pkgdesc=PAM (Pluggable Authentication Modules) library
 arch=('i686' 'x86_64')
 license=('GPL2')
@@ -14,30 +14,34 @@
 
backup=(etc/security/{access.conf,group.conf,limits.conf,namespace.conf,namespace.init,pam_env.conf,time.conf}
 etc/default/passwd etc/environment)
 
source=(https://fedorahosted.org/releases/l/i/linux-pam/Linux-PAM-$pkgver.tar.bz2
 
#http://www.kernel.org/pub/linux/libs/pam/library/Linux-PAM-$pkgver.tar.bz2
-ftp://ftp.suse.com/pub/people/kukuk/pam/pam_unix2/pam_unix2-2.6.tar.bz2
-   pam-glibc-2.16.patch)
+ftp://ftp.archlinux.org/other/pam_unix2/pam_unix2-2.9.1.tar.bz2
+pam_unix2-glibc216.patch
+pam_namespace-build-1.1.6.patch)
 options=('!libtool' '!emptydirs')
-md5sums=('927ee5585bdec5256c75117e9348aa47'
- 'e2788389a6c59224110a45fcff30e02b')
+md5sums=('7b73e58b7ce79ffa321d408de06db2c4'
+ 'da6a46e5f8cd3eaa7cbc4fc3a7e2b555'
+ 'dac109f68e04a4df37575fda6001ea17'
+ '440a510164ba5eb69bf41e129746ff44')
 
 build() {
   cd $srcdir/Linux-PAM-$pkgver
-  patch -Np1 -i ../pam-glibc-2.16.patch
   ./configure --libdir=/usr/lib
+  patch -Np0 -i ../pam_namespace-build-1.1.6.patch
   make
 
-  cd $srcdir/pam_unix2-2.6
+  cd $srcdir/pam_unix2-2.9.1
+  patch -Np1 -i ../pam_unix2-glibc216.patch
   ./configure --libdir=/usr/lib
   make
 }
 
 package() {
   cd $srcdir/Linux-PAM-$pkgver
-  make DESTDIR=$pkgdir install
+  make DESTDIR=$pkgdir SCONFIGDIR=/etc/security install
 
   # build pam_unix2 module
   # source ftp://ftp.suse.com/pub/people/kukuk/pam/pam_unix2
-  cd $srcdir/pam_unix2-2.6
+  cd $srcdir/pam_unix2-2.9.1
   make DESTDIR=$pkgdir install
 
   # add the realtime permissions for audio users
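Review bot: `patch -Np0 -i ../pam_namespace-build-1.1.6.patch` is placed after `./configure` in `build()`, which reads like an ordering mistake because the other patch in the same function is applied before its configure step. The patch added in this commit targets `modules/pam_namespace/Makefile`, a file produced by configure, so the order is deliberate but undocumented; a comment such as `# patches the configure-generated Makefile, so it must run after ./configure` would stop someone "fixing" it. Separately, the new `pam_unix2` tarball is fetched over plain `ftp://` and pinned only by `md5sums`; the PKGBUILD format also accepts `sha256sums`, which is the stronger pin for an unauthenticated transport.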
@@ -60,6 +64,3 @@
   # set unix_chkpwd uid
   chmod +s $pkgdir/sbin/unix_chkpwd
 }
-md5sums=('927ee5585bdec5256c75117e9348aa47'
- 'e2788389a6c59224110a45fcff30e02b'
- '469023948632df30d2cb2015b77aa0fe')

Deleted: pam-glibc-2.16.patch
===
--- pam-glibc-2.16.patch2012-10-12 07:20:49 UTC (rev 168469)
+++ pam-glibc-2.16.patch2012-10-12 09:18:35 UTC (rev 168470)
@@ -1,10 +0,0 @@
 a/modules/pam_unix/pam_unix_acct.c 2011-06-21 11:04:56.0 +0200
-+++ b/modules/pam_unix/pam_unix_acct.c 2012-07-05 16:04:35.643727485 +0200
-@@ -41,6 +41,7 @@
- #include string.h
- #include unistd.h
- #include sys/types.h
-+#include sys/resource.h
- #include syslog.h
- #include pwd.h
- #include shadow.h

Added: pam_namespace-build-1.1.6.patch
===
--- pam_namespace-build-1.1.6.patch (rev 0)
+++ pam_namespace-build-1.1.6.patch 2012-10-12 09:18:35 UTC (rev 168470)
@@ -0,0 +1,11 @@
+--- modules/pam_namespace/Makefile~2012-10-12 10:59:13.557550706 +0200
 modules/pam_namespace/Makefile 2012-10-12 10:59:13.564217270 +0200
+@@ -869,7 +869,7 @@
+ 
+ 
+ install-data-local:
+-  mkdir -p $(namespaceddir)
++  mkdir -p $(DESTDIR)$(namespaceddir)
+ README: pam_namespace.8.xml namespace.conf.5.xml
+ -include $(top_srcdir)/Make.xml.rules
+ 

Added: pam_unix2-glibc216.patch
===
--- pam_unix2-glibc216.patch(rev 0)
+++ pam_unix2-glibc216.patch2012-10-12 09:18:35 UTC (rev 168470)
@@ -0,0 +1,20 @@
+Index: pam_unix2-2.9.1/src/read-files.c
+===
+--- pam_unix2-2.9.1.orig/src/read-files.c
 pam_unix2-2.9.1/src/read-files.c
+@@ -30,8 +30,14 @@
+ #include errno.h
+ #include fcntl.h
+ #include nss.h
+-#include bits/libc-lock.h
++#include pthread.h
+ #define __libc_lock_t pthread_mutex_t
++#define __libc_lock_define_initialized(CLASS,NAME) \
++  CLASS __libc_lock_t NAME = PTHREAD_MUTEX_INITIALIZER;
++#define __libc_lock_lock(NAME) \
++  pthread_mutex_lock, ((NAME))
++#define __libc_lock_unlock(NAME) \
++  pthread_mutex_unlock, ((NAME))
+ 
+ #include read-files.h
+
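Review bot: As printed, `pthread_mutex_lock, ((NAME))` in the new `__libc_lock_lock` macro is a comma expression rather than a call: the function designator is evaluated and discarded, `(NAME)` is evaluated for nothing, and the mutex is never locked; `__libc_lock_unlock` has the same shape. Because `__libc_lock_define_initialized` defines `NAME` as a `pthread_mutex_t` object, the replacement for the removed `bits/libc-lock.h` macros should be `#define __libc_lock_lock(NAME) pthread_mutex_lock(&(NAME))` and `#define __libc_lock_unlock(NAME) pthread_mutex_unlock(&(NAME))`. The comma form compiles silently, so whatever `read-files.c` serialises through these macros would run unsynchronised with no build-time hint. The mail rendering has dropped characters elsewhere in this hunk (the angle brackets on the `#include` lines), so confirm against the stored patch before assuming the comma is really in the file.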