import pam-1.3.1-8.el8
This commit is contained in:
parent
bb5b2b7f4b
commit
100cee4ba3
88
SOURCES/pam-1.3.1-authtok-verify-fix.patch
Normal file
88
SOURCES/pam-1.3.1-authtok-verify-fix.patch
Normal file
@ -0,0 +1,88 @@
|
|||||||
|
From 27d04a849fd9f9cfd4b35eb80d687817830183df Mon Sep 17 00:00:00 2001
|
||||||
|
From: Tomas Mraz <tmraz@fedoraproject.org>
|
||||||
|
Date: Wed, 7 Aug 2019 12:22:55 +0200
|
||||||
|
Subject: [PATCH] pam_get_authtok_verify: Avoid duplicate password verification
|
||||||
|
|
||||||
|
If password was already verified by previous modules in the stack
|
||||||
|
it does not need to be verified by pam_get_authtok_verify either.
|
||||||
|
|
||||||
|
* libpam/pam_get_authtok.c (pam_get_authtok_internal): Set the authtok_verified
|
||||||
|
appropriately.
|
||||||
|
(pam_get_authtok_verify): Do not prompt if authtok_verified is set and
|
||||||
|
set it when the password is verified.
|
||||||
|
* libpam/pam_private.h: Add authtok_verified to the pam handle struct.
|
||||||
|
* libpam/pam_start.c (pam_start): Initialize authtok_verified.
|
||||||
|
---
|
||||||
|
libpam/pam_get_authtok.c | 10 ++++++++++
|
||||||
|
libpam/pam_private.h | 1 +
|
||||||
|
libpam/pam_start.c | 1 +
|
||||||
|
3 files changed, 12 insertions(+)
|
||||||
|
|
||||||
|
diff --git a/libpam/pam_get_authtok.c b/libpam/pam_get_authtok.c
|
||||||
|
index 800c6e5..99eb25f 100644
|
||||||
|
--- a/libpam/pam_get_authtok.c
|
||||||
|
+++ b/libpam/pam_get_authtok.c
|
||||||
|
@@ -140,6 +140,8 @@ pam_get_authtok_internal (pam_handle_t *pamh, int item,
|
||||||
|
}
|
||||||
|
else if (chpass)
|
||||||
|
{
|
||||||
|
+ pamh->authtok_verified = 0;
|
||||||
|
+
|
||||||
|
retval = pam_prompt (pamh, PAM_PROMPT_ECHO_OFF, &resp[0],
|
||||||
|
PROMPT1, authtok_type,
|
||||||
|
strlen (authtok_type) > 0?" ":"");
|
||||||
|
@@ -184,6 +186,9 @@ pam_get_authtok_internal (pam_handle_t *pamh, int item,
|
||||||
|
if (retval != PAM_SUCCESS)
|
||||||
|
return retval;
|
||||||
|
|
||||||
|
+ if (chpass > 1)
|
||||||
|
+ pamh->authtok_verified = 1;
|
||||||
|
+
|
||||||
|
return pam_get_item(pamh, item, (const void **)authtok);
|
||||||
|
}
|
||||||
|
|
||||||
|
@@ -214,6 +219,9 @@ pam_get_authtok_verify (pam_handle_t *pamh, const char **authtok,
|
||||||
|
if (authtok == NULL || pamh->choice != PAM_CHAUTHTOK)
|
||||||
|
return PAM_SYSTEM_ERR;
|
||||||
|
|
||||||
|
+ if (pamh->authtok_verified)
|
||||||
|
+ return pam_get_item (pamh, PAM_AUTHTOK, (const void **)authtok);
|
||||||
|
+
|
||||||
|
if (prompt != NULL)
|
||||||
|
{
|
||||||
|
retval = pam_prompt (pamh, PAM_PROMPT_ECHO_OFF, &resp,
|
||||||
|
@@ -252,5 +260,7 @@ pam_get_authtok_verify (pam_handle_t *pamh, const char **authtok,
|
||||||
|
if (retval != PAM_SUCCESS)
|
||||||
|
return retval;
|
||||||
|
|
||||||
|
+ pamh->authtok_verified = 1;
|
||||||
|
+
|
||||||
|
return pam_get_item(pamh, PAM_AUTHTOK, (const void **)authtok);
|
||||||
|
}
|
||||||
|
diff --git a/libpam/pam_private.h b/libpam/pam_private.h
|
||||||
|
index 7ff9f75..58a26f5 100644
|
||||||
|
--- a/libpam/pam_private.h
|
||||||
|
+++ b/libpam/pam_private.h
|
||||||
|
@@ -172,6 +172,7 @@ struct pam_handle {
|
||||||
|
#ifdef HAVE_LIBAUDIT
|
||||||
|
int audit_state; /* keep track of reported audit messages */
|
||||||
|
#endif
|
||||||
|
+ int authtok_verified;
|
||||||
|
};
|
||||||
|
|
||||||
|
/* Values for select arg to _pam_dispatch() */
|
||||||
|
diff --git a/libpam/pam_start.c b/libpam/pam_start.c
|
||||||
|
index 328416d..e27c64b 100644
|
||||||
|
--- a/libpam/pam_start.c
|
||||||
|
+++ b/libpam/pam_start.c
|
||||||
|
@@ -94,6 +94,7 @@ int pam_start (
|
||||||
|
#endif
|
||||||
|
(*pamh)->xdisplay = NULL;
|
||||||
|
(*pamh)->authtok_type = NULL;
|
||||||
|
+ (*pamh)->authtok_verified = 0;
|
||||||
|
memset (&((*pamh)->xauth), 0, sizeof ((*pamh)->xauth));
|
||||||
|
|
||||||
|
if (((*pamh)->pam_conversation = (struct pam_conv *)
|
||||||
|
--
|
||||||
|
2.20.1
|
||||||
|
|
1186
SOURCES/pam-1.3.1-faillock-update.patch
Normal file
1186
SOURCES/pam-1.3.1-faillock-update.patch
Normal file
File diff suppressed because it is too large
Load Diff
70
SOURCES/pam-1.3.1-fds-closing.patch
Normal file
70
SOURCES/pam-1.3.1-fds-closing.patch
Normal file
@ -0,0 +1,70 @@
|
|||||||
|
diff -up Linux-PAM-1.3.1/libpam/pam_modutil_sanitize.c.fds-closing Linux-PAM-1.3.1/libpam/pam_modutil_sanitize.c
|
||||||
|
--- Linux-PAM-1.3.1/libpam/pam_modutil_sanitize.c.fds-closing 2017-02-10 11:10:15.000000000 +0100
|
||||||
|
+++ Linux-PAM-1.3.1/libpam/pam_modutil_sanitize.c 2019-10-16 16:07:31.259021159 +0200
|
||||||
|
@@ -10,6 +10,7 @@
|
||||||
|
#include <fcntl.h>
|
||||||
|
#include <syslog.h>
|
||||||
|
#include <sys/resource.h>
|
||||||
|
+#include <dirent.h>
|
||||||
|
|
||||||
|
/*
|
||||||
|
* Creates a pipe, closes its write end, redirects fd to its read end.
|
||||||
|
@@ -116,27 +117,45 @@ redirect_out(pam_handle_t *pamh, enum pa
|
||||||
|
static void
|
||||||
|
close_fds(void)
|
||||||
|
{
|
||||||
|
+ DIR *dir = NULL;
|
||||||
|
+ struct dirent *dent;
|
||||||
|
+ int dfd = -1;
|
||||||
|
+ int fd;
|
||||||
|
+ struct rlimit rlim;
|
||||||
|
+
|
||||||
|
/*
|
||||||
|
* An arbitrary upper limit for the maximum file descriptor number
|
||||||
|
* returned by RLIMIT_NOFILE.
|
||||||
|
*/
|
||||||
|
- const int MAX_FD_NO = 65535;
|
||||||
|
+ const unsigned int MAX_FD_NO = 65535;
|
||||||
|
|
||||||
|
/* The lower limit is the same as for _POSIX_OPEN_MAX. */
|
||||||
|
- const int MIN_FD_NO = 20;
|
||||||
|
+ const unsigned int MIN_FD_NO = 20;
|
||||||
|
|
||||||
|
- int fd;
|
||||||
|
- struct rlimit rlim;
|
||||||
|
-
|
||||||
|
- if (getrlimit(RLIMIT_NOFILE, &rlim) || rlim.rlim_max > MAX_FD_NO)
|
||||||
|
- fd = MAX_FD_NO;
|
||||||
|
- else if (rlim.rlim_max < MIN_FD_NO)
|
||||||
|
- fd = MIN_FD_NO;
|
||||||
|
- else
|
||||||
|
- fd = rlim.rlim_max - 1;
|
||||||
|
+ /* If /proc is mounted, we can optimize which fd can be closed. */
|
||||||
|
+ if ((dir = opendir("/proc/self/fd")) != NULL) {
|
||||||
|
+ if ((dfd = dirfd(dir)) >= 0) {
|
||||||
|
+ while ((dent = readdir(dir)) != NULL) {
|
||||||
|
+ fd = atoi(dent->d_name);
|
||||||
|
+ if (fd > STDERR_FILENO && fd != dfd)
|
||||||
|
+ close(fd);
|
||||||
|
+ }
|
||||||
|
+ }
|
||||||
|
+ closedir(dir);
|
||||||
|
+ }
|
||||||
|
+
|
||||||
|
+ /* If /proc isn't available, fallback to the previous behavior. */
|
||||||
|
+ if (dfd < 0) {
|
||||||
|
+ if (getrlimit(RLIMIT_NOFILE, &rlim) || rlim.rlim_max > MAX_FD_NO)
|
||||||
|
+ fd = MAX_FD_NO;
|
||||||
|
+ else if (rlim.rlim_max < MIN_FD_NO)
|
||||||
|
+ fd = MIN_FD_NO;
|
||||||
|
+ else
|
||||||
|
+ fd = rlim.rlim_max - 1;
|
||||||
|
|
||||||
|
- for (; fd > STDERR_FILENO; --fd)
|
||||||
|
- close(fd);
|
||||||
|
+ for (; fd > STDERR_FILENO; --fd)
|
||||||
|
+ close(fd);
|
||||||
|
+ }
|
||||||
|
}
|
||||||
|
|
||||||
|
int
|
82
SOURCES/pam-1.3.1-lastlog-no-showfailed.patch
Normal file
82
SOURCES/pam-1.3.1-lastlog-no-showfailed.patch
Normal file
@ -0,0 +1,82 @@
|
|||||||
|
From c426914fa166ffb0482b6f6ad659ddf17d5dfaa1 Mon Sep 17 00:00:00 2001
|
||||||
|
From: Nir Soffer <nsoffer@redhat.com>
|
||||||
|
Date: Wed, 9 Jan 2019 23:41:16 +0200
|
||||||
|
Subject: [PATCH] pam_lastlog: Improve silent option documentation
|
||||||
|
|
||||||
|
The silent option explicitly silents only the last login message and not
|
||||||
|
bad logins. Add a note to the manual to make this clear.
|
||||||
|
|
||||||
|
* modules/pam_lastlog/pam_lastlog.8.xml: Clearify "silent showfailed"
|
||||||
|
---
|
||||||
|
modules/pam_lastlog/pam_lastlog.8.xml | 1 +
|
||||||
|
1 file changed, 1 insertion(+)
|
||||||
|
|
||||||
|
diff --git a/modules/pam_lastlog/pam_lastlog.8.xml b/modules/pam_lastlog/pam_lastlog.8.xml
|
||||||
|
index c8f247e..bc2e1be 100644
|
||||||
|
--- a/modules/pam_lastlog/pam_lastlog.8.xml
|
||||||
|
+++ b/modules/pam_lastlog/pam_lastlog.8.xml
|
||||||
|
@@ -102,6 +102,7 @@
|
||||||
|
<para>
|
||||||
|
Don't inform the user about any previous login,
|
||||||
|
just update the <filename>/var/log/lastlog</filename> file.
|
||||||
|
+ This option does not affect display of bad login attempts.
|
||||||
|
</para>
|
||||||
|
</listitem>
|
||||||
|
</varlistentry>
|
||||||
|
--
|
||||||
|
2.20.1
|
||||||
|
|
||||||
|
From 7d036249a9772c546ede1f38ad68b3f1575216d6 Mon Sep 17 00:00:00 2001
|
||||||
|
From: Nir Soffer <nsoffer@redhat.com>
|
||||||
|
Date: Sun, 6 Jan 2019 00:36:27 +0200
|
||||||
|
Subject: [PATCH] pam_lastlog: Respect PAM_SILENT flag
|
||||||
|
|
||||||
|
pam_lastlog module will not log info about failed login if the session
|
||||||
|
was opened with PAM_SILENT flag.
|
||||||
|
|
||||||
|
Example use case enabled by this change:
|
||||||
|
|
||||||
|
sudo --non-interactive program
|
||||||
|
|
||||||
|
If this command is run by another program expecting specific output from
|
||||||
|
the command run by sudo, the unexpected info about failed logins will
|
||||||
|
break this program.
|
||||||
|
|
||||||
|
* modules/pam_lastlog/pam_lastlog.c: Respect silent option.
|
||||||
|
(_pam_session_parse): Unset LASTLOG_BTMP if PAM_SILENT is set.
|
||||||
|
---
|
||||||
|
modules/pam_lastlog/pam_lastlog.c | 11 ++++++-----
|
||||||
|
1 file changed, 6 insertions(+), 5 deletions(-)
|
||||||
|
|
||||||
|
diff --git a/modules/pam_lastlog/pam_lastlog.c b/modules/pam_lastlog/pam_lastlog.c
|
||||||
|
index 18bf7be..e980c04 100644
|
||||||
|
--- a/modules/pam_lastlog/pam_lastlog.c
|
||||||
|
+++ b/modules/pam_lastlog/pam_lastlog.c
|
||||||
|
@@ -135,11 +135,6 @@ _pam_session_parse(pam_handle_t *pamh, int flags, int argc, const char **argv)
|
||||||
|
{
|
||||||
|
int ctrl=(LASTLOG_DATE|LASTLOG_HOST|LASTLOG_LINE|LASTLOG_WTMP|LASTLOG_UPDATE);
|
||||||
|
|
||||||
|
- /* does the appliction require quiet? */
|
||||||
|
- if (flags & PAM_SILENT) {
|
||||||
|
- ctrl |= LASTLOG_QUIET;
|
||||||
|
- }
|
||||||
|
-
|
||||||
|
/* step through arguments */
|
||||||
|
for (; argc-- > 0; ++argv) {
|
||||||
|
|
||||||
|
@@ -168,6 +163,12 @@ _pam_session_parse(pam_handle_t *pamh, int flags, int argc, const char **argv)
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
+ /* does the appliction require quiet? */
|
||||||
|
+ if (flags & PAM_SILENT) {
|
||||||
|
+ ctrl |= LASTLOG_QUIET;
|
||||||
|
+ ctrl &= ~LASTLOG_BTMP;
|
||||||
|
+ }
|
||||||
|
+
|
||||||
|
D(("ctrl = %o", ctrl));
|
||||||
|
return ctrl;
|
||||||
|
}
|
||||||
|
--
|
||||||
|
2.20.1
|
||||||
|
|
227
SOURCES/pam-1.3.1-lastlog-unlimited-fsize.patch
Normal file
227
SOURCES/pam-1.3.1-lastlog-unlimited-fsize.patch
Normal file
@ -0,0 +1,227 @@
|
|||||||
|
From 3a3e70739834cd5cbd17469907ef718c81ae40c0 Mon Sep 17 00:00:00 2001
|
||||||
|
From: Carlos Santos <casantos@redhat.com>
|
||||||
|
Date: Wed, 11 Sep 2019 11:50:28 -0300
|
||||||
|
Subject: [PATCH] pam_lastlog: document the 'unlimited' option
|
||||||
|
|
||||||
|
Signed-off-by: Carlos Santos <casantos@redhat.com>
|
||||||
|
---
|
||||||
|
modules/pam_lastlog/pam_lastlog.8.xml | 18 ++++++++++++++++++
|
||||||
|
1 file changed, 18 insertions(+)
|
||||||
|
|
||||||
|
diff --git a/modules/pam_lastlog/pam_lastlog.8.xml b/modules/pam_lastlog/pam_lastlog.8.xml
|
||||||
|
index bc2e1be..f10e94a 100644
|
||||||
|
--- a/modules/pam_lastlog/pam_lastlog.8.xml
|
||||||
|
+++ b/modules/pam_lastlog/pam_lastlog.8.xml
|
||||||
|
@@ -48,6 +48,9 @@
|
||||||
|
<arg choice="opt">
|
||||||
|
inactive=<days>
|
||||||
|
</arg>
|
||||||
|
+ <arg choice="opt">
|
||||||
|
+ unlimited
|
||||||
|
+ </arg>
|
||||||
|
</cmdsynopsis>
|
||||||
|
</refsynopsisdiv>
|
||||||
|
|
||||||
|
@@ -196,6 +199,18 @@
|
||||||
|
</para>
|
||||||
|
</listitem>
|
||||||
|
</varlistentry>
|
||||||
|
+ <varlistentry>
|
||||||
|
+ <term>
|
||||||
|
+ <option>unlimited</option>
|
||||||
|
+ </term>
|
||||||
|
+ <listitem>
|
||||||
|
+ <para>
|
||||||
|
+ If the <emphasis>fsize</emphasis> limit is set, this option can be
|
||||||
|
+ used to override it, preventing failures on systems with large UID
|
||||||
|
+ values that lead lastlog to become a huge sparse file.
|
||||||
|
+ </para>
|
||||||
|
+ </listitem>
|
||||||
|
+ </varlistentry>
|
||||||
|
</variablelist>
|
||||||
|
</refsect1>
|
||||||
|
|
||||||
|
@@ -300,6 +315,9 @@
|
||||||
|
<refsect1 id='pam_lastlog-see_also'>
|
||||||
|
<title>SEE ALSO</title>
|
||||||
|
<para>
|
||||||
|
+ <citerefentry>
|
||||||
|
+ <refentrytitle>limits.conf</refentrytitle><manvolnum>5</manvolnum>
|
||||||
|
+ </citerefentry>,
|
||||||
|
<citerefentry>
|
||||||
|
<refentrytitle>pam.conf</refentrytitle><manvolnum>5</manvolnum>
|
||||||
|
</citerefentry>,
|
||||||
|
--
|
||||||
|
2.20.1
|
||||||
|
|
||||||
|
From 9349333a9ae958205294cd25e97fd6b4805bd82b Mon Sep 17 00:00:00 2001
|
||||||
|
From: Carlos Santos <casantos@redhat.com>
|
||||||
|
Date: Tue, 10 Sep 2019 23:08:30 -0300
|
||||||
|
Subject: [PATCH] pam_lastlog: prevent crash due to reduced 'fsize' limit
|
||||||
|
|
||||||
|
It a reduced fsize limit is set in /etc/security/limits.conf and
|
||||||
|
pam_limits is in use pam_lastlog may cause a crash, e.g.
|
||||||
|
|
||||||
|
----- begin /etc/pam.d/su ----
|
||||||
|
auth sufficient pam_rootok.so
|
||||||
|
auth required pam_wheel.so use_uid
|
||||||
|
auth required pam_env.so
|
||||||
|
auth required pam_unix.so nullok
|
||||||
|
account required pam_unix.so
|
||||||
|
password required pam_unix.so nullok
|
||||||
|
session required pam_limits.so
|
||||||
|
session required pam_env.so
|
||||||
|
session required pam_unix.so
|
||||||
|
session optional pam_lastlog.so
|
||||||
|
----- end /etc/pam.d/su -----
|
||||||
|
|
||||||
|
----- begin /etc/security/limits.d/fsize.conf -----
|
||||||
|
* soft fsize 1710
|
||||||
|
* hard fsize 1710
|
||||||
|
----- end /etc/security/limits.d/fsize.conf -----
|
||||||
|
|
||||||
|
# id user1
|
||||||
|
uid=1000(user1) gid=1000(user1) groups=1000(user1)
|
||||||
|
# su - user1
|
||||||
|
Last login: Wed Sep 11 01:52:44 UTC 2019 on console
|
||||||
|
$ exit
|
||||||
|
# id user2
|
||||||
|
uid=60000(user2) gid=60000(user2) groups=60000(user2)
|
||||||
|
# su - user2
|
||||||
|
File size limit exceeded
|
||||||
|
|
||||||
|
This happens because pam_limits sets RLIMIT_FSIZE before pam_lastlog
|
||||||
|
attempts to write /var/log/lastlog, leading to a SIGXFSZ signal.
|
||||||
|
|
||||||
|
In order to fix this, and an 'unlimited' option, which leads to saving
|
||||||
|
the 'fsize' limit and set it to unlimited before writing lastlog. After
|
||||||
|
that, restore the saved value. If 'fsize' is already unlimited nothing
|
||||||
|
is done.
|
||||||
|
|
||||||
|
Failing to set the 'fsize' limit is not a fatal error. With luck the
|
||||||
|
configured limit will suffice, so we try to write lastlog anyway, even
|
||||||
|
under the risk of dying due to a SIGXFSZ.
|
||||||
|
|
||||||
|
Failing to restore the 'fsize' limit is a fatal error, since we don't
|
||||||
|
want to keep it unlimited.
|
||||||
|
|
||||||
|
Signed-off-by: Carlos Santos <casantos@redhat.com>
|
||||||
|
---
|
||||||
|
modules/pam_lastlog/pam_lastlog.c | 66 ++++++++++++++++++++++++++-----
|
||||||
|
1 file changed, 57 insertions(+), 9 deletions(-)
|
||||||
|
|
||||||
|
diff --git a/modules/pam_lastlog/pam_lastlog.c b/modules/pam_lastlog/pam_lastlog.c
|
||||||
|
index e980c04..a135c9f 100644
|
||||||
|
--- a/modules/pam_lastlog/pam_lastlog.c
|
||||||
|
+++ b/modules/pam_lastlog/pam_lastlog.c
|
||||||
|
@@ -25,6 +25,8 @@
|
||||||
|
#include <stdio.h>
|
||||||
|
#include <string.h>
|
||||||
|
#include <sys/types.h>
|
||||||
|
+#include <sys/time.h>
|
||||||
|
+#include <sys/resource.h>
|
||||||
|
#include <syslog.h>
|
||||||
|
#include <unistd.h>
|
||||||
|
|
||||||
|
@@ -82,15 +84,16 @@ struct lastlog {
|
||||||
|
|
||||||
|
/* argument parsing */
|
||||||
|
|
||||||
|
-#define LASTLOG_DATE 01 /* display the date of the last login */
|
||||||
|
-#define LASTLOG_HOST 02 /* display the last host used (if set) */
|
||||||
|
-#define LASTLOG_LINE 04 /* display the last terminal used */
|
||||||
|
-#define LASTLOG_NEVER 010 /* display a welcome message for first login */
|
||||||
|
-#define LASTLOG_DEBUG 020 /* send info to syslog(3) */
|
||||||
|
-#define LASTLOG_QUIET 040 /* keep quiet about things */
|
||||||
|
-#define LASTLOG_WTMP 0100 /* log to wtmp as well as lastlog */
|
||||||
|
-#define LASTLOG_BTMP 0200 /* display failed login info from btmp */
|
||||||
|
-#define LASTLOG_UPDATE 0400 /* update the lastlog and wtmp files (default) */
|
||||||
|
+#define LASTLOG_DATE 01 /* display the date of the last login */
|
||||||
|
+#define LASTLOG_HOST 02 /* display the last host used (if set) */
|
||||||
|
+#define LASTLOG_LINE 04 /* display the last terminal used */
|
||||||
|
+#define LASTLOG_NEVER 010 /* display a welcome message for first login */
|
||||||
|
+#define LASTLOG_DEBUG 020 /* send info to syslog(3) */
|
||||||
|
+#define LASTLOG_QUIET 040 /* keep quiet about things */
|
||||||
|
+#define LASTLOG_WTMP 0100 /* log to wtmp as well as lastlog */
|
||||||
|
+#define LASTLOG_BTMP 0200 /* display failed login info from btmp */
|
||||||
|
+#define LASTLOG_UPDATE 0400 /* update the lastlog and wtmp files (default) */
|
||||||
|
+#define LASTLOG_UNLIMITED 01000 /* unlimited file size (ignore 'fsize' limit) */
|
||||||
|
|
||||||
|
static int
|
||||||
|
_pam_auth_parse(pam_handle_t *pamh, int flags, int argc, const char **argv,
|
||||||
|
@@ -158,6 +161,8 @@ _pam_session_parse(pam_handle_t *pamh, int flags, int argc, const char **argv)
|
||||||
|
ctrl &= ~(LASTLOG_WTMP|LASTLOG_UPDATE);
|
||||||
|
} else if (!strcmp(*argv,"showfailed")) {
|
||||||
|
ctrl |= LASTLOG_BTMP;
|
||||||
|
+ } else if (!strcmp(*argv,"unlimited")) {
|
||||||
|
+ ctrl |= LASTLOG_UNLIMITED;
|
||||||
|
} else {
|
||||||
|
pam_syslog(pamh, LOG_ERR, "unknown option: %s", *argv);
|
||||||
|
}
|
||||||
|
@@ -373,6 +378,12 @@ static int
|
||||||
|
last_login_write(pam_handle_t *pamh, int announce, int last_fd,
|
||||||
|
uid_t uid, const char *user)
|
||||||
|
{
|
||||||
|
+ static struct rlimit no_limit = {
|
||||||
|
+ RLIM_INFINITY,
|
||||||
|
+ RLIM_INFINITY
|
||||||
|
+ };
|
||||||
|
+ struct rlimit old_limit;
|
||||||
|
+ int setrlimit_res;
|
||||||
|
struct flock last_lock;
|
||||||
|
struct lastlog last_login;
|
||||||
|
time_t ll_time;
|
||||||
|
@@ -427,6 +438,31 @@ last_login_write(pam_handle_t *pamh, int announce, int last_fd,
|
||||||
|
sleep(LASTLOG_IGNORE_LOCK_TIME);
|
||||||
|
}
|
||||||
|
|
||||||
|
+ /*
|
||||||
|
+ * Failing to set the 'fsize' limit is not a fatal error. We try to write
|
||||||
|
+ * lastlog anyway, under the risk of dying due to a SIGXFSZ.
|
||||||
|
+ */
|
||||||
|
+ D(("setting limit for 'fsize'"));
|
||||||
|
+
|
||||||
|
+ if ((announce & LASTLOG_UNLIMITED) == 0) { /* don't set to unlimted */
|
||||||
|
+ setrlimit_res = -1;
|
||||||
|
+ } else if (getrlimit(RLIMIT_FSIZE, &old_limit) == 0) {
|
||||||
|
+ if (old_limit.rlim_cur == RLIM_INFINITY) { /* already unlimited */
|
||||||
|
+ setrlimit_res = -1;
|
||||||
|
+ } else {
|
||||||
|
+ setrlimit_res = setrlimit(RLIMIT_FSIZE, &no_limit);
|
||||||
|
+ if (setrlimit_res != 0)
|
||||||
|
+ pam_syslog(pamh, LOG_WARNING, "Could not set limit for 'fsize': %m");
|
||||||
|
+ }
|
||||||
|
+ } else {
|
||||||
|
+ setrlimit_res = -1;
|
||||||
|
+ if (errno == EINVAL) {
|
||||||
|
+ pam_syslog(pamh, LOG_INFO, "Limit for 'fsize' not supported: %m");
|
||||||
|
+ } else {
|
||||||
|
+ pam_syslog(pamh, LOG_WARNING, "Could not get limit for 'fsize': %m");
|
||||||
|
+ }
|
||||||
|
+ }
|
||||||
|
+
|
||||||
|
D(("writing to the lastlog file"));
|
||||||
|
if (pam_modutil_write (last_fd, (char *) &last_login,
|
||||||
|
sizeof (last_login)) != sizeof(last_login)) {
|
||||||
|
@@ -434,6 +470,18 @@ last_login_write(pam_handle_t *pamh, int announce, int last_fd,
|
||||||
|
retval = PAM_SERVICE_ERR;
|
||||||
|
}
|
||||||
|
|
||||||
|
+ /*
|
||||||
|
+ * Failing to restore the 'fsize' limit is a fatal error.
|
||||||
|
+ */
|
||||||
|
+ D(("restoring limit for 'fsize'"));
|
||||||
|
+ if (setrlimit_res == 0) {
|
||||||
|
+ setrlimit_res = setrlimit(RLIMIT_FSIZE, &old_limit);
|
||||||
|
+ if (setrlimit_res != 0) {
|
||||||
|
+ pam_syslog(pamh, LOG_ERR, "Could not restore limit for 'fsize': %m");
|
||||||
|
+ retval = PAM_SERVICE_ERR;
|
||||||
|
+ }
|
||||||
|
+ }
|
||||||
|
+
|
||||||
|
last_lock.l_type = F_UNLCK;
|
||||||
|
(void) fcntl(last_fd, F_SETLK, &last_lock); /* unlock */
|
||||||
|
D(("unlocked"));
|
||||||
|
--
|
||||||
|
2.20.1
|
||||||
|
|
25
SOURCES/pam-1.3.1-motd-manpage.patch
Normal file
25
SOURCES/pam-1.3.1-motd-manpage.patch
Normal file
@ -0,0 +1,25 @@
|
|||||||
|
diff -up Linux-PAM-1.3.1/modules/pam_motd/pam_motd.8.xml.motd-manpage Linux-PAM-1.3.1/modules/pam_motd/pam_motd.8.xml
|
||||||
|
--- Linux-PAM-1.3.1/modules/pam_motd/pam_motd.8.xml.motd-manpage 2018-05-18 11:50:46.000000000 +0200
|
||||||
|
+++ Linux-PAM-1.3.1/modules/pam_motd/pam_motd.8.xml 2019-12-19 10:29:36.243558251 +0100
|
||||||
|
@@ -31,10 +31,19 @@
|
||||||
|
<para>
|
||||||
|
pam_motd is a PAM module that can be used to display
|
||||||
|
arbitrary motd (message of the day) files after a successful
|
||||||
|
- login. By default the <filename>/etc/motd</filename> file is
|
||||||
|
+ login. By default the <filename>/etc/motd</filename> file and
|
||||||
|
+ all files from <filename>/etc/motd.d</filename> are
|
||||||
|
shown. The message size is limited to 64KB.
|
||||||
|
</para>
|
||||||
|
-
|
||||||
|
+ <para>
|
||||||
|
+ To silence a message,
|
||||||
|
+ a symbolic link with target <filename>/dev/null</filename>
|
||||||
|
+ may be placed in <filename>/etc/motd.d</filename> with
|
||||||
|
+ the same filename as the message to be silenced. Example:
|
||||||
|
+ </para>
|
||||||
|
+ <para>
|
||||||
|
+ <command>ln -sfn /dev/null /etc/motd.d/my_motd</command>
|
||||||
|
+ </para>
|
||||||
|
</refsect1>
|
||||||
|
|
||||||
|
<refsect1 id="pam_motd-options">
|
131
SOURCES/pam-1.3.1-namespace-mntopts.patch
Normal file
131
SOURCES/pam-1.3.1-namespace-mntopts.patch
Normal file
@ -0,0 +1,131 @@
|
|||||||
|
diff --git a/modules/pam_namespace/namespace.conf.5.xml b/modules/pam_namespace/namespace.conf.5.xml
|
||||||
|
index c7698cb..a94b49e 100644
|
||||||
|
--- a/modules/pam_namespace/namespace.conf.5.xml
|
||||||
|
+++ b/modules/pam_namespace/namespace.conf.5.xml
|
||||||
|
@@ -122,9 +122,14 @@
|
||||||
|
<para><emphasis>mntopts</emphasis>=<replaceable>value</replaceable>
|
||||||
|
- value of this flag is passed to the mount call when the tmpfs mount is
|
||||||
|
done. It allows for example the specification of the maximum size of the
|
||||||
|
- tmpfs instance that is created by the mount call. See <citerefentry>
|
||||||
|
- <refentrytitle>mount</refentrytitle><manvolnum>8</manvolnum>
|
||||||
|
- </citerefentry> for details.
|
||||||
|
+ tmpfs instance that is created by the mount call. In addition to
|
||||||
|
+ options specified in the <citerefentry>
|
||||||
|
+ <refentrytitle>tmpfs</refentrytitle><manvolnum>5</manvolnum>
|
||||||
|
+ </citerefentry> manual the <emphasis>nosuid</emphasis>,
|
||||||
|
+ <emphasis>noexec</emphasis>, and <emphasis>nodev</emphasis> flags
|
||||||
|
+ can be used to respectively disable setuid bit effect, disable running
|
||||||
|
+ executables, and disable devices to be interpreted on the mounted
|
||||||
|
+ tmpfs filesystem.
|
||||||
|
</para>
|
||||||
|
|
||||||
|
<para>
|
||||||
|
diff --git a/modules/pam_namespace/pam_namespace.c b/modules/pam_namespace/pam_namespace.c
|
||||||
|
index f541f89..660c7a1 100644
|
||||||
|
--- a/modules/pam_namespace/pam_namespace.c
|
||||||
|
+++ b/modules/pam_namespace/pam_namespace.c
|
||||||
|
@@ -230,6 +230,73 @@ static int parse_iscript_params(char *params, struct polydir_s *poly)
|
||||||
|
return 0;
|
||||||
|
}
|
||||||
|
|
||||||
|
+struct mntflag {
|
||||||
|
+ const char *name;
|
||||||
|
+ size_t len;
|
||||||
|
+ unsigned long flag;
|
||||||
|
+};
|
||||||
|
+
|
||||||
|
+#define LITERAL_AND_LEN(x) x, sizeof(x) - 1
|
||||||
|
+
|
||||||
|
+static const struct mntflag mntflags[] = {
|
||||||
|
+ { LITERAL_AND_LEN("noexec"), MS_NOEXEC },
|
||||||
|
+ { LITERAL_AND_LEN("nosuid"), MS_NOSUID },
|
||||||
|
+ { LITERAL_AND_LEN("nodev"), MS_NODEV }
|
||||||
|
+ };
|
||||||
|
+
|
||||||
|
+static int filter_mntopts(const char *opts, char **filtered,
|
||||||
|
+ unsigned long *mountflags)
|
||||||
|
+{
|
||||||
|
+ size_t origlen = strlen(opts);
|
||||||
|
+ const char *end;
|
||||||
|
+ char *dest;
|
||||||
|
+
|
||||||
|
+ dest = *filtered = NULL;
|
||||||
|
+ *mountflags = 0;
|
||||||
|
+
|
||||||
|
+ if (origlen == 0)
|
||||||
|
+ return 0;
|
||||||
|
+
|
||||||
|
+ do {
|
||||||
|
+ size_t len;
|
||||||
|
+ int i;
|
||||||
|
+
|
||||||
|
+ end = strchr(opts, ',');
|
||||||
|
+ if (end == NULL) {
|
||||||
|
+ len = strlen(opts);
|
||||||
|
+ } else {
|
||||||
|
+ len = end - opts;
|
||||||
|
+ }
|
||||||
|
+
|
||||||
|
+ for (i = 0; i < (int)(sizeof(mntflags)/sizeof(mntflags[0])); i++) {
|
||||||
|
+ if (mntflags[i].len != len)
|
||||||
|
+ continue;
|
||||||
|
+ if (memcmp(mntflags[i].name, opts, len) == 0) {
|
||||||
|
+ *mountflags |= mntflags[i].flag;
|
||||||
|
+ opts = end;
|
||||||
|
+ break;
|
||||||
|
+ }
|
||||||
|
+ }
|
||||||
|
+
|
||||||
|
+ if (opts != end) {
|
||||||
|
+ if (dest != NULL) {
|
||||||
|
+ *dest = ',';
|
||||||
|
+ ++dest;
|
||||||
|
+ } else {
|
||||||
|
+ dest = *filtered = calloc(1, origlen + 1);
|
||||||
|
+ if (dest == NULL)
|
||||||
|
+ return -1;
|
||||||
|
+ }
|
||||||
|
+ memcpy(dest, opts, len);
|
||||||
|
+ dest += len;
|
||||||
|
+ }
|
||||||
|
+
|
||||||
|
+ opts = end + 1;
|
||||||
|
+ } while (end != NULL);
|
||||||
|
+
|
||||||
|
+ return 0;
|
||||||
|
+}
|
||||||
|
+
|
||||||
|
static int parse_method(char *method, struct polydir_s *poly,
|
||||||
|
struct instance_data *idata)
|
||||||
|
{
|
||||||
|
@@ -289,7 +356,8 @@ static int parse_method(char *method, struct polydir_s *poly,
|
||||||
|
break;
|
||||||
|
}
|
||||||
|
free(poly->mount_opts); /* if duplicate mntopts specified */
|
||||||
|
- if ((poly->mount_opts = strdup(flag+namelen+1)) == NULL) {
|
||||||
|
+ poly->mount_opts = NULL;
|
||||||
|
+ if (filter_mntopts(flag+namelen+1, &poly->mount_opts, &poly->mount_flags) != 0) {
|
||||||
|
pam_syslog(idata->pamh, LOG_CRIT, "Memory allocation error");
|
||||||
|
return -1;
|
||||||
|
}
|
||||||
|
@@ -1484,7 +1552,7 @@ static int ns_setup(struct polydir_s *polyptr,
|
||||||
|
}
|
||||||
|
|
||||||
|
if (polyptr->method == TMPFS) {
|
||||||
|
- if (mount("tmpfs", polyptr->dir, "tmpfs", 0, polyptr->mount_opts) < 0) {
|
||||||
|
+ if (mount("tmpfs", polyptr->dir, "tmpfs", polyptr->mount_flags, polyptr->mount_opts) < 0) {
|
||||||
|
pam_syslog(idata->pamh, LOG_ERR, "Error mounting tmpfs on %s, %m",
|
||||||
|
polyptr->dir);
|
||||||
|
return PAM_SESSION_ERR;
|
||||||
|
diff --git a/modules/pam_namespace/pam_namespace.h b/modules/pam_namespace/pam_namespace.h
|
||||||
|
index 47ebcc3..1522386 100644
|
||||||
|
--- a/modules/pam_namespace/pam_namespace.h
|
||||||
|
+++ b/modules/pam_namespace/pam_namespace.h
|
||||||
|
@@ -166,6 +166,7 @@ struct polydir_s {
|
||||||
|
unsigned int flags; /* polydir flags */
|
||||||
|
char *init_script; /* path to init script */
|
||||||
|
char *mount_opts; /* mount options for tmpfs mount */
|
||||||
|
+ unsigned long mount_flags; /* mount flags for tmpfs mount */
|
||||||
|
uid_t owner; /* user which should own the polydir */
|
||||||
|
gid_t group; /* group which should own the polydir */
|
||||||
|
mode_t mode; /* mode of the polydir */
|
33
SOURCES/pam-1.3.1-tty-audit-manfix.patch
Normal file
33
SOURCES/pam-1.3.1-tty-audit-manfix.patch
Normal file
@ -0,0 +1,33 @@
|
|||||||
|
From e31dd6c7d0faa7a06d3ebd50a0b6957b9f822d15 Mon Sep 17 00:00:00 2001
|
||||||
|
From: Tomas Mraz <tmraz@fedoraproject.org>
|
||||||
|
Date: Wed, 7 Aug 2019 18:13:57 +0200
|
||||||
|
Subject: [PATCH] pam_tty_audit: Manual page clarification about password
|
||||||
|
logging
|
||||||
|
|
||||||
|
* modules/pam_tty_audit/pam_tty_audit.8.xml: Explanation why passwords
|
||||||
|
can be sometimes logged even when the option is not set.
|
||||||
|
---
|
||||||
|
modules/pam_tty_audit/pam_tty_audit.8.xml | 7 +++++++
|
||||||
|
1 file changed, 7 insertions(+)
|
||||||
|
|
||||||
|
diff --git a/modules/pam_tty_audit/pam_tty_audit.8.xml b/modules/pam_tty_audit/pam_tty_audit.8.xml
|
||||||
|
index 59a3406..e346c68 100644
|
||||||
|
--- a/modules/pam_tty_audit/pam_tty_audit.8.xml
|
||||||
|
+++ b/modules/pam_tty_audit/pam_tty_audit.8.xml
|
||||||
|
@@ -149,6 +149,13 @@
|
||||||
|
greater than or equal to <replaceable>min_uid</replaceable> will be
|
||||||
|
matched.
|
||||||
|
</para>
|
||||||
|
+ <para>
|
||||||
|
+ Please note that passwords in some circumstances may be logged by TTY auditing
|
||||||
|
+ even if the <option>log_passwd</option> is not used. For example, all input to
|
||||||
|
+ an ssh session will be logged - even if there is a password being typed into
|
||||||
|
+ some software running at the remote host because only the local TTY state
|
||||||
|
+ affects the local TTY auditing.
|
||||||
|
+ </para>
|
||||||
|
</refsect1>
|
||||||
|
|
||||||
|
<refsect1 id='pam_tty_audit-examples'>
|
||||||
|
--
|
||||||
|
2.20.1
|
||||||
|
|
57
SOURCES/pam-1.3.1-unix-improve-logging.patch
Normal file
57
SOURCES/pam-1.3.1-unix-improve-logging.patch
Normal file
@ -0,0 +1,57 @@
|
|||||||
|
From a6845905869ccabb5eb802be37241eabec085dc7 Mon Sep 17 00:00:00 2001
|
||||||
|
From: Tomas Mraz <tmraz@fedoraproject.org>
|
||||||
|
Date: Mon, 14 Oct 2019 16:52:46 +0200
|
||||||
|
Subject: [PATCH] pam_unix: Add logging useful for debugging problems
|
||||||
|
|
||||||
|
Two messages added about obtaining the username are guarded
|
||||||
|
by the debug option as these should not be normally
|
||||||
|
logged - they can be useful for debugging but they do not
|
||||||
|
indicate any special condition.
|
||||||
|
|
||||||
|
The message about authenticating user with blank password is
|
||||||
|
still just LOG_DEBUG priority but it is logged unconditionally
|
||||||
|
because it is somewhat extraordinary condition to have an user
|
||||||
|
with blank password.
|
||||||
|
|
||||||
|
* modules/pam_unix/pam_unix_auth.c (pam_sm_authenticate): Replace
|
||||||
|
D() macro calls which are not enabled on production builds with
|
||||||
|
regular pam_syslog() calls.
|
||||||
|
---
|
||||||
|
modules/pam_unix/pam_unix_auth.c | 7 ++++---
|
||||||
|
1 file changed, 4 insertions(+), 3 deletions(-)
|
||||||
|
|
||||||
|
diff --git a/modules/pam_unix/pam_unix_auth.c b/modules/pam_unix/pam_unix_auth.c
|
||||||
|
index 681e49d..3fca945 100644
|
||||||
|
--- a/modules/pam_unix/pam_unix_auth.c
|
||||||
|
+++ b/modules/pam_unix/pam_unix_auth.c
|
||||||
|
@@ -130,15 +130,16 @@ pam_sm_authenticate(pam_handle_t *pamh, int flags, int argc, const char **argv)
|
||||||
|
AUTH_RETURN;
|
||||||
|
}
|
||||||
|
if (on(UNIX_DEBUG, ctrl))
|
||||||
|
- D(("username [%s] obtained", name));
|
||||||
|
+ pam_syslog(pamh, LOG_DEBUG, "username [%s] obtained", name);
|
||||||
|
} else {
|
||||||
|
- D(("trouble reading username"));
|
||||||
|
if (retval == PAM_CONV_AGAIN) {
|
||||||
|
D(("pam_get_user/conv() function is not ready yet"));
|
||||||
|
/* it is safe to resume this function so we translate this
|
||||||
|
* retval to the value that indicates we're happy to resume.
|
||||||
|
*/
|
||||||
|
retval = PAM_INCOMPLETE;
|
||||||
|
+ } else if (on(UNIX_DEBUG, ctrl)) {
|
||||||
|
+ pam_syslog(pamh, LOG_DEBUG, "could not obtain username");
|
||||||
|
}
|
||||||
|
AUTH_RETURN;
|
||||||
|
}
|
||||||
|
@@ -146,7 +147,7 @@ pam_sm_authenticate(pam_handle_t *pamh, int flags, int argc, const char **argv)
|
||||||
|
/* if this user does not have a password... */
|
||||||
|
|
||||||
|
if (_unix_blankpasswd(pamh, ctrl, name)) {
|
||||||
|
- D(("user '%s' has blank passwd", name));
|
||||||
|
+ pam_syslog(pamh, LOG_DEBUG, "user [%s] has blank password; authenticated without it", name);
|
||||||
|
name = NULL;
|
||||||
|
retval = PAM_SUCCESS;
|
||||||
|
AUTH_RETURN;
|
||||||
|
--
|
||||||
|
2.20.1
|
||||||
|
|
@ -3,7 +3,7 @@
|
|||||||
Summary: An extensible library which provides authentication for applications
|
Summary: An extensible library which provides authentication for applications
|
||||||
Name: pam
|
Name: pam
|
||||||
Version: 1.3.1
|
Version: 1.3.1
|
||||||
Release: 4%{?dist}
|
Release: 8%{?dist}
|
||||||
# The library is BSD licensed with option to relicense as GPLv2+
|
# The library is BSD licensed with option to relicense as GPLv2+
|
||||||
# - this option is redundant as the BSD license allows that anyway.
|
# - this option is redundant as the BSD license allows that anyway.
|
||||||
# pam_timestamp, pam_loginuid, and pam_console modules are GPLv2+.
|
# pam_timestamp, pam_loginuid, and pam_console modules are GPLv2+.
|
||||||
@ -44,6 +44,15 @@ Patch32: pam-1.2.1-console-devname.patch
|
|||||||
Patch33: pam-1.3.0-unix-nomsg.patch
|
Patch33: pam-1.3.0-unix-nomsg.patch
|
||||||
Patch34: pam-1.3.1-coverity.patch
|
Patch34: pam-1.3.1-coverity.patch
|
||||||
Patch35: pam-1.3.1-console-build.patch
|
Patch35: pam-1.3.1-console-build.patch
|
||||||
|
Patch36: pam-1.3.1-faillock-update.patch
|
||||||
|
Patch37: pam-1.3.1-namespace-mntopts.patch
|
||||||
|
Patch38: pam-1.3.1-lastlog-no-showfailed.patch
|
||||||
|
Patch39: pam-1.3.1-lastlog-unlimited-fsize.patch
|
||||||
|
Patch40: pam-1.3.1-unix-improve-logging.patch
|
||||||
|
Patch41: pam-1.3.1-tty-audit-manfix.patch
|
||||||
|
Patch42: pam-1.3.1-fds-closing.patch
|
||||||
|
Patch43: pam-1.3.1-authtok-verify-fix.patch
|
||||||
|
Patch44: pam-1.3.1-motd-manpage.patch
|
||||||
|
|
||||||
%define _pamlibdir %{_libdir}
|
%define _pamlibdir %{_libdir}
|
||||||
%define _moduledir %{_libdir}/security
|
%define _moduledir %{_libdir}/security
|
||||||
@ -127,6 +136,15 @@ cp %{SOURCE18} .
|
|||||||
%patch33 -p1 -b .nomsg
|
%patch33 -p1 -b .nomsg
|
||||||
%patch34 -p1 -b .coverity
|
%patch34 -p1 -b .coverity
|
||||||
%patch35 -p1 -b .console-build
|
%patch35 -p1 -b .console-build
|
||||||
|
%patch36 -p1 -b .faillock-update
|
||||||
|
%patch37 -p1 -b .mntopts
|
||||||
|
%patch38 -p1 -b .no-showfailed
|
||||||
|
%patch39 -p1 -b .unlimited-fsize
|
||||||
|
%patch40 -p1 -b .improve-logging
|
||||||
|
%patch41 -p1 -b .tty-audit-manfix
|
||||||
|
%patch42 -p1 -b .fds-closing
|
||||||
|
%patch43 -p1 -b .authtok-verify-fix
|
||||||
|
%patch44 -p1 -b .motd-manpage
|
||||||
autoreconf -i
|
autoreconf -i
|
||||||
|
|
||||||
%build
|
%build
|
||||||
@ -152,6 +170,9 @@ for readme in modules/pam_*/README ; do
|
|||||||
cp -f ${readme} doc/txts/README.`dirname ${readme} | sed -e 's|^modules/||'`
|
cp -f ${readme} doc/txts/README.`dirname ${readme} | sed -e 's|^modules/||'`
|
||||||
done
|
done
|
||||||
|
|
||||||
|
rm -rf doc/txts/README.pam_tally*
|
||||||
|
rm -rf doc/sag/html/*pam_tally*
|
||||||
|
|
||||||
# Install the binaries, libraries, and modules.
|
# Install the binaries, libraries, and modules.
|
||||||
make install DESTDIR=$RPM_BUILD_ROOT LDCONFIG=:
|
make install DESTDIR=$RPM_BUILD_ROOT LDCONFIG=:
|
||||||
|
|
||||||
@ -176,7 +197,6 @@ install -m 644 %{SOURCE10} $RPM_BUILD_ROOT%{_pamconfdir}/config-util
|
|||||||
install -m 644 %{SOURCE16} $RPM_BUILD_ROOT%{_pamconfdir}/postlogin
|
install -m 644 %{SOURCE16} $RPM_BUILD_ROOT%{_pamconfdir}/postlogin
|
||||||
install -m 600 /dev/null $RPM_BUILD_ROOT%{_secconfdir}/opasswd
|
install -m 600 /dev/null $RPM_BUILD_ROOT%{_secconfdir}/opasswd
|
||||||
install -d -m 755 $RPM_BUILD_ROOT/var/log
|
install -d -m 755 $RPM_BUILD_ROOT/var/log
|
||||||
install -m 600 /dev/null $RPM_BUILD_ROOT/var/log/tallylog
|
|
||||||
install -d -m 755 $RPM_BUILD_ROOT/var/run/faillock
|
install -d -m 755 $RPM_BUILD_ROOT/var/run/faillock
|
||||||
|
|
||||||
# Install man pages.
|
# Install man pages.
|
||||||
@ -336,6 +356,7 @@ done
|
|||||||
%config(noreplace) %{_secconfdir}/chroot.conf
|
%config(noreplace) %{_secconfdir}/chroot.conf
|
||||||
%config %{_secconfdir}/console.perms
|
%config %{_secconfdir}/console.perms
|
||||||
%config(noreplace) %{_secconfdir}/console.handlers
|
%config(noreplace) %{_secconfdir}/console.handlers
|
||||||
|
%config(noreplace) %{_secconfdir}/faillock.conf
|
||||||
%config(noreplace) %{_secconfdir}/group.conf
|
%config(noreplace) %{_secconfdir}/group.conf
|
||||||
%config(noreplace) %{_secconfdir}/limits.conf
|
%config(noreplace) %{_secconfdir}/limits.conf
|
||||||
%dir %{_secconfdir}/limits.d
|
%dir %{_secconfdir}/limits.d
|
||||||
@ -352,7 +373,6 @@ done
|
|||||||
%config(noreplace) %{_secconfdir}/sepermit.conf
|
%config(noreplace) %{_secconfdir}/sepermit.conf
|
||||||
%dir /var/run/sepermit
|
%dir /var/run/sepermit
|
||||||
%endif
|
%endif
|
||||||
%ghost %verify(not md5 size mtime) /var/log/tallylog
|
|
||||||
%dir /var/run/faillock
|
%dir /var/run/faillock
|
||||||
%{_prefix}/lib/tmpfiles.d/pam.conf
|
%{_prefix}/lib/tmpfiles.d/pam.conf
|
||||||
%{_mandir}/man5/*
|
%{_mandir}/man5/*
|
||||||
@ -369,6 +389,24 @@ done
|
|||||||
%doc doc/specs/rfc86.0.txt
|
%doc doc/specs/rfc86.0.txt
|
||||||
|
|
||||||
%changelog
|
%changelog
|
||||||
|
* Thu Dec 19 2019 Tomáš Mráz <tmraz@redhat.com> 1.3.1-8
|
||||||
|
- pam_motd: Document how to properly silence unwanted motd messages
|
||||||
|
|
||||||
|
* Mon Dec 16 2019 Tomáš Mráz <tmraz@redhat.com> 1.3.1-6
|
||||||
|
- pam_faillock: Fix regression in admin_group support
|
||||||
|
|
||||||
|
* Wed Oct 16 2019 Tomáš Mráz <tmraz@redhat.com> 1.3.1-5
|
||||||
|
- pam_faillock: Support configuration file /etc/security/faillock.conf
|
||||||
|
- pam_faillock: Support local_users_only option
|
||||||
|
- pam_namespace: Support noexec, nosuid and nodev flags for tmpfs mounts
|
||||||
|
- Drop tallylog and pam_tally[2] documentation
|
||||||
|
- pam_lastlog: Do not display failed attempts with PAM_SILENT flag
|
||||||
|
- pam_lastlog: Support unlimited option to override fsize limit
|
||||||
|
- pam_unix: Log if user authenticated without password
|
||||||
|
- pam_tty_audit: Improve manual page
|
||||||
|
- Optimize closing fds when spawning helpers
|
||||||
|
- Fix duplicate password verification in pam_authtok_verify()
|
||||||
|
|
||||||
* Fri Dec 7 2018 Tomáš Mráz <tmraz@redhat.com> 1.3.1-4
|
* Fri Dec 7 2018 Tomáš Mráz <tmraz@redhat.com> 1.3.1-4
|
||||||
- Drop pam_tally2 which was obsoleted and deprecated long time ago
|
- Drop pam_tally2 which was obsoleted and deprecated long time ago
|
||||||
|
|
||||||
|
Loading…
Reference in New Issue
Block a user