Rebase to release 1.6.0

Resolves: #2258964

Signed-off-by: Iker Pedrosa <ipedrosa@redhat.com>
Iker Pedrosa 2024-01-24 10:10:36 +01:00
parent ca0f1de7dd
commit 0243c7bff9
8 changed files with 59 additions and 351 deletions


@ -1,26 +0,0 @@
Index: Linux-PAM-1.5.3/doc/Makefile.am
===================================================================
--- Linux-PAM-1.5.3.orig/doc/Makefile.am
+++ Linux-PAM-1.5.3/doc/Makefile.am
@@ -2,7 +2,7 @@
# Copyright (c) 2005, 2006 Thorsten Kukuk <kukuk@suse.de>
#
-SUBDIRS = man specs sag adg mwg
+SUBDIRS = man sag adg mwg
CLEANFILES = *~
Index: Linux-PAM-1.5.3/Makefile.am
===================================================================
--- Linux-PAM-1.5.3.orig/Makefile.am
+++ Linux-PAM-1.5.3/Makefile.am
@@ -4,7 +4,7 @@
AUTOMAKE_OPTIONS = 1.9 gnu dist-xz no-dist-gzip check-news
-SUBDIRS = libpam tests libpamc libpam_misc modules po conf examples xtests
+SUBDIRS = libpam tests libpamc libpam_misc modules po doc examples xtests
if HAVE_DOC
SUBDIRS += doc


@ -1,64 +0,0 @@
From 80dc2d410595b5193d32f965185710df27f3984e Mon Sep 17 00:00:00 2001
From: Md Zain Hasib <hasibm@vmware.com>
Date: Sat, 29 Jul 2023 11:01:35 +0530
Subject: [PATCH] pam_pwhistory: fix passing NULL filename argument to
pwhistory helper
This change fixes a bug when pwhistory_helper is invoked from
pam_pwhistory with an NULL filename, pwhistory_helper receives a short
circuited argc count of 3, ignoring the rest of the arguments passed
due to filename being NULL. To resolve the issue, an empty string is
passed in case the filename is empty, which is later changed back to
NULL in pwhistory_helper so that it can be passed to opasswd to read
the default opasswd file.
* modules/pam_pwhistory/pam_pwhistory.c (run_save_helper,
run_check_helper): Replace NULL filename argument with an empty string.
* modules/pam_pwhistory/pwhistory_helper.c (main): Replace empty string
filename argument with NULL.
Fixes: 11c35109a67f ("pam_pwhistory: Enable alternate location for password history file (#396)")
Signed-off-by: Dmitry V. Levin <ldv@strace.io>
---
modules/pam_pwhistory/pam_pwhistory.c | 4 ++--
modules/pam_pwhistory/pwhistory_helper.c | 2 +-
2 files changed, 3 insertions(+), 3 deletions(-)
diff --git a/modules/pam_pwhistory/pam_pwhistory.c b/modules/pam_pwhistory/pam_pwhistory.c
index 5a7fb811..98ddffce 100644
--- a/modules/pam_pwhistory/pam_pwhistory.c
+++ b/modules/pam_pwhistory/pam_pwhistory.c
@@ -141,7 +141,7 @@ run_save_helper(pam_handle_t *pamh, const char *user,
args[0] = (char *)PWHISTORY_HELPER;
args[1] = (char *)"save";
args[2] = (char *)user;
- args[3] = (char *)filename;
+ args[3] = (char *)((filename != NULL) ? filename : "");
DIAG_POP_IGNORE_CAST_QUAL;
if (asprintf(&args[4], "%d", howmany) < 0 ||
asprintf(&args[5], "%d", debug) < 0)
@@ -228,7 +228,7 @@ run_check_helper(pam_handle_t *pamh, const char *user,
args[0] = (char *)PWHISTORY_HELPER;
args[1] = (char *)"check";
args[2] = (char *)user;
- args[3] = (char *)filename;
+ args[3] = (char *)((filename != NULL) ? filename : "");
DIAG_POP_IGNORE_CAST_QUAL;
if (asprintf(&args[4], "%d", debug) < 0)
{
diff --git a/modules/pam_pwhistory/pwhistory_helper.c b/modules/pam_pwhistory/pwhistory_helper.c
index 469d95fa..fb9a1e31 100644
--- a/modules/pam_pwhistory/pwhistory_helper.c
+++ b/modules/pam_pwhistory/pwhistory_helper.c
@@ -108,7 +108,7 @@ main(int argc, char *argv[])
option = argv[1];
user = argv[2];
- filename = argv[3];
+ filename = (argv[3][0] != '\0') ? argv[3] : NULL;
if (strcmp(option, "check") == 0 && argc == 5)
return check_history(user, filename, argv[4]);
--
2.41.0


@ -1,26 +0,0 @@
Index: Linux-PAM-1.5.3/configure.ac
===================================================================
--- Linux-PAM-1.5.3.orig/configure.ac
+++ Linux-PAM-1.5.3/configure.ac
@@ -754,6 +754,8 @@ AC_CONFIG_FILES([Makefile libpam/Makefil
po/Makefile.in \
Make.xml.rules \
modules/Makefile \
+ modules/pam_chroot/Makefile \
+ modules/pam_postgresok/Makefile \
modules/pam_access/Makefile \
modules/pam_debug/Makefile modules/pam_deny/Makefile \
modules/pam_echo/Makefile modules/pam_env/Makefile \
Index: Linux-PAM-1.5.3/modules/Makefile.am
===================================================================
--- Linux-PAM-1.5.3.orig/modules/Makefile.am
+++ Linux-PAM-1.5.3/modules/Makefile.am
@@ -47,6 +47,8 @@ SUBDIRS := \
pam_debug \
pam_deny \
pam_echo \
+ pam_chroot \
+ pam_postgresok \
pam_env \
pam_exec \
pam_faildelay \


@ -1,225 +0,0 @@
From 45c2c496dcf89f568b90fcf403af9d63b2361fbd Mon Sep 17 00:00:00 2001
From: Iker Pedrosa <ipedrosa@redhat.com>
Date: Mon, 10 Jul 2023 12:45:12 +0200
Subject: [PATCH] pam_userdb: enable GDBM support
* configure.ac: add `gdbm` option to `enable-db`
* modules/pam_userdb/pam_userdb.c: conditionally provide database access
depending on the database technology
Signed-off-by: Iker Pedrosa <ipedrosa@redhat.com>
---
configure.ac | 10 +++-
modules/pam_userdb/pam_userdb.c | 90 ++++++++++++++++++++++++++++-----
2 files changed, 86 insertions(+), 14 deletions(-)
diff --git a/configure.ac b/configure.ac
index 6666b1b2..7565a830 100644
--- a/configure.ac
+++ b/configure.ac
@@ -436,10 +436,10 @@ if test -n "$opt_randomdev"; then
AC_DEFINE_UNQUOTED(PAM_PATH_RANDOMDEV, "$opt_randomdev", [Random device path.])
fi
-dnl check for libdb or libndbm as fallback. Some libndbm compat
+dnl check for libdb or gdbm or libndbm as fallback. Some libndbm compat
dnl libraries are unusable, so try libdb first.
AC_ARG_ENABLE([db],
- AS_HELP_STRING([--enable-db=(db|ndbm|yes|no)],[Default behavior 'yes', which is to check for libdb first, followed by ndbm. Use 'no' to disable db support.]),
+ AS_HELP_STRING([--enable-db=(db|gdbm|ndbm|yes|no)],[Default behavior 'yes', which is to check for libdb first, followed by gdbm and ndbm. Use 'no' to disable db support.]),
WITH_DB=$enableval, WITH_DB=yes)
AC_ARG_WITH([db-uniquename],
AS_HELP_STRING([--with-db-uniquename=extension],[Unique name for db libraries and functions.]))
@@ -451,6 +451,12 @@ if test x"$WITH_DB" != xno ; then
[LIBDB="-ldb$with_db_uniquename"; break])
LIBS=$old_libs
fi
+ if test x"$WITH_DB" = xgdbm ; then
+ AC_CHECK_LIB([gdbm],[gdbm_store], LIBDB="-lgdbm", LIBDB="")
+ if test -n "$LIBDB" ; then
+ AC_CHECK_HEADERS(gdbm.h)
+ fi
+ fi
if test -z "$LIBDB" ; then
AC_CHECK_LIB([ndbm],[dbm_store], LIBDB="-lndbm", LIBDB="")
if test -n "$LIBDB" ; then
diff --git a/modules/pam_userdb/pam_userdb.c b/modules/pam_userdb/pam_userdb.c
index 297403b0..0b5e5965 100644
--- a/modules/pam_userdb/pam_userdb.c
+++ b/modules/pam_userdb/pam_userdb.c
@@ -25,6 +25,8 @@
#ifdef HAVE_NDBM_H
# include <ndbm.h>
+#elif defined(HAVE_GDBM_H)
+# include <gdbm.h>
#else
# ifdef HAVE_DB_H
# define DB_DBM_HSEARCH 1 /* use the dbm interface */
@@ -40,6 +42,12 @@
#include <security/_pam_macros.h>
#include "pam_inline.h"
+#ifndef HAVE_GDBM_H
+# define COND_UNUSED UNUSED
+#else
+# define COND_UNUSED
+#endif /* HAVE_GDBM_H */
+
/*
* Conversation function to obtain the user's password
*/
@@ -129,6 +137,60 @@ _pam_parse (pam_handle_t *pamh, int argc, const char **argv,
return ctrl;
}
+/*
+ * Database abstraction functions
+ */
+static void *
+db_open(const char *database, mode_t file_mode)
+{
+#ifdef HAVE_GDBM_H
+ return gdbm_open(database, 4096, GDBM_READER, file_mode, NULL);
+#else
+ return dbm_open(database, O_RDONLY, file_mode);
+#endif /* HAVE_GDBM_H */
+}
+
+static datum
+db_firstkey(void *dbm)
+{
+#ifdef HAVE_GDBM_H
+ return gdbm_firstkey(dbm);
+#else
+ return dbm_firstkey(dbm);
+#endif /* HAVE_GDBM_H */
+}
+
+static datum
+db_nextkey(void *dbm, datum key COND_UNUSED)
+{
+#ifdef HAVE_GDBM_H
+ return gdbm_nextkey(dbm, key);
+#else
+ return dbm_nextkey(dbm);
+#endif /* HAVE_GDBM_H */
+}
+
+static datum
+db_fetch(void *dbm, datum key)
+{
+#ifdef HAVE_GDBM_H
+ return gdbm_fetch(dbm, key);
+#else
+ return dbm_fetch(dbm, key);
+#endif /* HAVE_GDBM_H */
+}
+
+static int
+db_close(void *dbm)
+{
+#ifdef HAVE_GDBM_H
+ return gdbm_close(dbm);
+#else
+ dbm_close(dbm);
+ return 0;
+#endif /* HAVE_GDBM_H */
+}
+
/*
* Looks up a user name in a database and checks the password
@@ -143,11 +205,15 @@ static int
user_lookup (pam_handle_t *pamh, const char *database, const char *cryptmode,
const char *user, const char *pass, int ctrl)
{
+#ifdef HAVE_GDBM_H
+ GDBM_FILE *dbm;
+#else
DBM *dbm;
+#endif
datum key, data;
/* Open the DB file. */
- dbm = dbm_open(database, O_RDONLY, 0644);
+ dbm = db_open(database, 0644);
if (dbm == NULL) {
pam_syslog(pamh, LOG_ERR,
"user_lookup: could not open database `%s': %m", database);
@@ -157,9 +223,9 @@ user_lookup (pam_handle_t *pamh, const char *database, const char *cryptmode,
/* dump out the database contents for debugging */
if (ctrl & PAM_DUMP_ARG) {
pam_syslog(pamh, LOG_INFO, "Database dump:");
- for (key = dbm_firstkey(dbm); key.dptr != NULL;
- key = dbm_nextkey(dbm)) {
- data = dbm_fetch(dbm, key);
+ for (key = db_firstkey(dbm); key.dptr != NULL;
+ key = db_nextkey(dbm, key)) {
+ data = db_fetch(dbm, key);
pam_syslog(pamh, LOG_INFO,
"key[len=%d] = `%s', data[len=%d] = `%s'",
key.dsize, key.dptr, data.dsize, data.dptr);
@@ -180,7 +246,7 @@ user_lookup (pam_handle_t *pamh, const char *database, const char *cryptmode,
}
if (key.dptr) {
- data = dbm_fetch(dbm, key);
+ data = db_fetch(dbm, key);
pam_overwrite_n(key.dptr, key.dsize);
free(key.dptr);
}
@@ -196,7 +262,7 @@ user_lookup (pam_handle_t *pamh, const char *database, const char *cryptmode,
if (ctrl & PAM_KEY_ONLY_ARG)
{
- dbm_close (dbm);
+ db_close (dbm);
return 0; /* found it, data contents don't matter */
}
@@ -275,7 +341,7 @@ user_lookup (pam_handle_t *pamh, const char *database, const char *cryptmode,
}
- dbm_close(dbm);
+ db_close(dbm);
if (compare == 0)
return 0; /* match */
else
@@ -290,14 +356,14 @@ user_lookup (pam_handle_t *pamh, const char *database, const char *cryptmode,
/* probably we should check dbm_error() here */
if ((ctrl & PAM_KEY_ONLY_ARG) == 0) {
- dbm_close(dbm);
+ db_close(dbm);
return 1; /* not key_only, so no entry => no entry for the user */
}
/* now handle the key_only case */
- for (key = dbm_firstkey(dbm);
+ for (key = db_firstkey(dbm);
key.dptr != NULL;
- key = dbm_nextkey(dbm)) {
+ key = db_nextkey(dbm, key)) {
int compare;
/* first compare the user portion (case sensitive) */
compare = strncmp(key.dptr, user, strlen(user));
@@ -322,12 +388,12 @@ user_lookup (pam_handle_t *pamh, const char *database, const char *cryptmode,
}
}
if (compare == 0) {
- dbm_close(dbm);
+ db_close(dbm);
return 0; /* match */
}
}
}
- dbm_close(dbm);
+ db_close(dbm);
if (saw_user)
return -1; /* saw the user, but password mismatch */
else
--
2.41.0

24
pam-1.6.0-noflex.patch Normal file

@ -0,0 +1,24 @@
diff -up Linux-PAM-1.6.0/doc/Makefile.am.noflex Linux-PAM-1.6.0/doc/Makefile.am
--- Linux-PAM-1.6.0/doc/Makefile.am.noflex 2024-01-23 13:19:04.681955581 +0100
+++ Linux-PAM-1.6.0/doc/Makefile.am 2024-01-23 13:19:49.740014426 +0100
@@ -2,7 +2,7 @@
# Copyright (c) 2005, 2006 Thorsten Kukuk <kukuk@suse.de>
#
-SUBDIRS = man specs sag adg mwg
+SUBDIRS = man sag adg mwg
CLEANFILES = *~
DISTCLEANFILES = custom-html.xsl custom-man.xsl
diff -up Linux-PAM-1.6.0/Makefile.am.noflex Linux-PAM-1.6.0/Makefile.am
--- Linux-PAM-1.6.0/Makefile.am.noflex 2024-01-23 13:19:04.681955581 +0100
+++ Linux-PAM-1.6.0/Makefile.am 2024-01-23 13:21:03.428109219 +0100
@@ -4,7 +4,7 @@
AUTOMAKE_OPTIONS = 1.9 gnu dist-xz no-dist-gzip check-news
-SUBDIRS = libpam tests libpamc libpam_misc modules po conf xtests
+SUBDIRS = libpam tests libpamc libpam_misc modules po doc xtests
if HAVE_DOC
SUBDIRS += doc
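Review bot: In the top-level `Makefile.am` hunk of this patch the replacement line puts `doc` into the unconditional `SUBDIRS`, while the context lines directly below still read `if HAVE_DOC` / `SUBDIRS += doc`. As written, `doc` is entered whether or not HAVE_DOC is set, and it is listed twice when it is. If the purpose of the patch is only to stop building `conf` (the patch name suggests avoiding the flex dependency), the line could simply be `SUBDIRS = libpam tests libpamc libpam_misc modules po xtests`, leaving the existing conditional to decide about `doc`. The end of the conditional is outside the hunk, so this should be checked against the full file.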


@ -0,0 +1,24 @@
diff -up Linux-PAM-1.6.0/configure.ac.redhat-modules Linux-PAM-1.6.0/configure.ac
--- Linux-PAM-1.6.0/configure.ac.redhat-modules 2024-01-23 13:16:34.854753145 +0100
+++ Linux-PAM-1.6.0/configure.ac 2024-01-23 13:17:52.855859922 +0100
@@ -774,6 +774,8 @@ AC_CONFIG_FILES([Makefile libpam/Makefil
po/Makefile.in \
Make.xml.rules \
modules/Makefile \
+ modules/pam_chroot/Makefile \
+ modules/pam_postgresok/Makefile \
modules/pam_access/Makefile \
modules/pam_canonicalize_user/Makefile \
modules/pam_debug/Makefile modules/pam_deny/Makefile \
diff -up Linux-PAM-1.6.0/modules/Makefile.am.redhat-modules Linux-PAM-1.6.0/modules/Makefile.am
--- Linux-PAM-1.6.0/modules/Makefile.am.redhat-modules 2024-01-17 11:29:36.000000000 +0100
+++ Linux-PAM-1.6.0/modules/Makefile.am 2024-01-23 13:16:34.855753147 +0100
@@ -48,6 +48,8 @@ SUBDIRS := \
pam_debug \
pam_deny \
pam_echo \
+ pam_chroot \
+ pam_postgresok \
pam_env \
pam_exec \
pam_faildelay \


@ -3,8 +3,8 @@
Summary: An extensible library which provides authentication for applications
Name: pam
Version: 1.5.3
Release: 10%{?dist}
Version: 1.6.0
Release: 1%{?dist}
# The library is BSD licensed with option to relicense as GPLv2+
# - this option is redundant as the BSD license allows that anyway.
# pam_timestamp and pam_loginuid modules are GPLv2+.
@ -22,11 +22,9 @@ Source13: config-util.5
Source15: pamtmp.conf
Source17: postlogin.5
Source18: https://www.gnu.org/licenses/old-licenses/gpl-2.0.txt
Patch1: pam-1.5.3-redhat-modules.patch
Patch2: pam-1.5.3-noflex.patch
Patch1: pam-1.6.0-redhat-modules.patch
Patch2: pam-1.6.0-noflex.patch
Patch3: pam-1.5.3-unix-nomsg.patch
Patch4: pam-1.5.3-pwhistory-null-filename-arg.patch
Patch5: pam-1.5.3-userdb-gdbm.patch
%{load:%{SOURCE3}}
@ -121,8 +119,6 @@ cp %{SOURCE18} .
%patch -P 1 -p1 -b .redhat-modules
%patch -P 2 -p1 -b .noflex
%patch -P 3 -p1 -b .nomsg
%patch -P 4 -p1 -b .pwhistory-null-filename-arg
%patch -P 5 -p1 -b .userdb-gdbm
autoreconf -i
@ -263,6 +259,7 @@ done
%attr(0755,root,root) %{_sbindir}/pwhistory_helper
%dir %{_pam_moduledir}
%{_pam_moduledir}/pam_access.so
%{_pam_moduledir}/pam_canonicalize_user.so
%{_pam_moduledir}/pam_chroot.so
%{_pam_moduledir}/pam_debug.so
%{_pam_moduledir}/pam_deny.so
@ -359,6 +356,10 @@ done
%{_pam_libdir}/libpam_misc.so.%{so_ver}*
%changelog
* Tue Jan 23 2024 Iker Pedrosa <ipedrosa@redhat.com> - 1.6.0-1
- Rebase to release 1.6.0
Resolves: #2258964
* Sun Jan 21 2024 Fedora Release Engineering <releng@fedoraproject.org>
- Rebuilt for https://fedoraproject.org/wiki/Fedora_40_Mass_Rebuild
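Review bot: The changelog entry added here says only `- Rebase to release 1.6.0`, although the same section also removes `Patch4: pam-1.5.3-pwhistory-null-filename-arg.patch` and `Patch5: pam-1.5.3-userdb-gdbm.patch` together with their `%patch -P 4` and `%patch -P 5` lines. Both dropped files are git-formatted patches with upstream sign-offs, so they are presumably contained in the 1.6.0 tarball, but nothing in the spec records that, and someone auditing whether the pwhistory_helper NULL-filename fix is still shipped has to compare against the upstream tree. I would add a changelog line such as `- Drop pwhistory-null-filename-arg and userdb-gdbm patches, included in 1.6.0` once that has been confirmed. `Patch3: pam-1.5.3-unix-nomsg.patch` keeps its 1.5.3 name while Patch1 and Patch2 were renamed to 1.6.0, which is worth either renaming or noting as intentional.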


@ -1,3 +1,3 @@
SHA512 (Linux-PAM-1.5.3.tar.xz) = af88e8c1b6a9b737ffaffff7dd9ed8eec996d1fbb5804fb76f590bed66d8a1c2c6024a534d7a7b6d18496b300f3d6571a08874cf406cd2e8cea1d5eff49c136a
SHA512 (Linux-PAM-1.5.3.tar.xz.asc) = a00c6d6ecc26020513a71cb70597950c95aa4f8b8514e6b8184d5a828be92bc21aad1a03096e142cff6a5e3bdd990999d2cff054ea8db0b5b37173560b8d3932
SHA512 (Linux-PAM-1.6.0.tar.xz) = 7af07edb71a79275ad7f7f3bd82a4619b12a23a10f5fb2e5d810c6aadb718fd739ed17ca336c3420945d48d326e91874d8e45cfc5a4bf01a0cc5f9663bd2a0ad
SHA512 (Linux-PAM-1.6.0.tar.xz.asc) = bfed774bf49b13f11ab4251fe6223ce04ecf57e7123ce245b8e885c345449af528317e8500360efef12beabd14b99cd3ae6d7ad61074955958018062c36ba476
SHA512 (pam-redhat-1.2.0.tar.xz) = f676a6c8df0cf3836018b1a67ded1d40937b88ff046e5c6b22bac46cb05e27970ef6a7ce224269e4c0d1ca9375c72e77880cf9114e936a7de9c423bf443d27ee