diff --git a/pam-1.6.1-pam-access-local.patch b/pam-1.6.1-pam-access-local.patch new file mode 100644 index 0000000..89a0d39 --- /dev/null +++ b/pam-1.6.1-pam-access-local.patch @@ -0,0 +1,119 @@ +From ecaaf4456e5aeacae1acdb1775bb5aadd3b19e13 Mon Sep 17 00:00:00 2001 +From: Iker Pedrosa +Date: Wed, 16 Oct 2024 12:41:09 +0200 +Subject: [PATCH 1/2] pam_access: always match local address + +* modules/pam_access/pam_access.c: match the local address regardless of + the IP version in use. + +In some circumstances the `localhost` may be translated to IPv4 or IPv6, +but the configuration file only indicated the address for one of the two +versions. Since the originating value is set in `PAM_RHOST` and PAM has +no control over it, let's match the local addresses regardless of the IP +version in use. + +Resolves: https://issues.redhat.com/browse/RHEL-23018 +Signed-off-by: Iker Pedrosa +--- + modules/pam_access/pam_access.c | 30 ++++++++++++++++++++++++++++-- + 1 file changed, 28 insertions(+), 2 deletions(-) + +diff --git a/modules/pam_access/pam_access.c b/modules/pam_access/pam_access.c +index bfbc6d57..48e7c7e9 100644 +--- a/modules/pam_access/pam_access.c ++++ b/modules/pam_access/pam_access.c +@@ -306,6 +306,23 @@ isipaddr (const char *string, int *addr_type, + return is_ip; + } + ++/* is_local_addr - checks if the IP address is local */ ++static int ++is_local_addr (const char *string, int addr_type) ++{ ++ if (addr_type == AF_INET) { ++ if (strcmp(string, "127.0.0.1") == 0) { ++ return YES; ++ } ++ } else if (addr_type == AF_INET6) { ++ if (strcmp(string, "::1") == 0) { ++ return YES; ++ } ++ } ++ ++ return NO; ++} ++ + + /* are_addresses_equal - translate IP address strings to real IP + * addresses and compare them to find out if they are equal. +@@ -327,9 +344,18 @@ are_addresses_equal (const char *ipaddr0, const char *ipaddr1, + if (isipaddr (ipaddr1, &addr_type1, &addr1) == NO) + return NO; + +- if (addr_type0 != addr_type1) +- /* different address types */ ++ if (addr_type0 != addr_type1) { ++ /* different address types, but there is still a possibility that they are ++ * both local addresses ++ */ ++ int local1 = is_local_addr(ipaddr0, addr_type0); ++ int local2 = is_local_addr(ipaddr1, addr_type1); ++ ++ if (local1 == YES && local2 == YES) ++ return YES; ++ + return NO; ++ } + + if (netmask != NULL) { + /* Got a netmask, so normalize addresses? */ +-- +2.47.0 + + +From 641dfd1084508c63f3590e93a35b80ffc50774e5 Mon Sep 17 00:00:00 2001 +From: Iker Pedrosa +Date: Fri, 18 Oct 2024 10:27:07 +0200 +Subject: [PATCH 2/2] pam_access: clarify `LOCAL` keyword behaviour + +* modules/pam_access/access.conf.5.xml: `LOCAL` keyword behaviour + explanation was focused on the development internals. Let's clarify it + by rephrasing it to something a sysadmin can understand. + +Resolves: https://issues.redhat.com/browse/RHEL-39943 +Signed-off-by: Iker Pedrosa +--- + modules/pam_access/access.conf.5.xml | 17 ++++++----------- + 1 file changed, 6 insertions(+), 11 deletions(-) + +diff --git a/modules/pam_access/access.conf.5.xml b/modules/pam_access/access.conf.5.xml +index 35a1a8fe..0b93db00 100644 +--- a/modules/pam_access/access.conf.5.xml ++++ b/modules/pam_access/access.conf.5.xml +@@ -79,17 +79,12 @@ + with network mask (where network mask can be a decimal number or an + internet address also), ALL (which always matches) + or LOCAL. The LOCAL +- keyword matches if and only if +- pam_get_item3, +- when called with an item_type of +- PAM_RHOST, returns NULL or an +- empty string (and therefore the +- origins field is compared against the +- return value of +- pam_get_item3 +- called with an item_type of +- PAM_TTY or, absent that, +- PAM_SERVICE). ++ keyword matches when the user connects without a network ++ connection (e.g., su, ++ login). A connection through the loopback ++ device (e.g., ssh user@localhost) is ++ considered a network connection, and thus, the ++ LOCAL keyword does not match. + + + +-- +2.47.0 + diff --git a/pam.spec b/pam.spec index f97bb58..12db17d 100644 --- a/pam.spec +++ b/pam.spec @@ -4,7 +4,7 @@ Summary: An extensible library which provides authentication for applications Name: pam Version: 1.6.1 -Release: 5%{?dist} +Release: 6%{?dist} # The library is BSD licensed with option to relicense as GPLv2+ # - this option is redundant as the BSD license allows that anyway. # pam_timestamp and pam_loginuid modules are GPLv2+. @@ -29,6 +29,8 @@ Patch3: pam-1.5.3-unix-nomsg.patch Patch4: pam-1.6.1-sast-fixes.patch # https://github.com/linux-pam/linux-pam/commit/aabd5314a6d76968c377969b49118a2df3f97003 Patch5: pam-1.6.1-pam-env-econf-read-file-fixes.patch +# https://github.com/linux-pam/linux-pam/commit/641dfd1084508c63f3590e93a35b80ffc50774e5 +Patch6: pam-1.6.1-pam-access-local.patch %{load:%{SOURCE3}} @@ -124,6 +126,7 @@ cp %{SOURCE18} . %patch -P 3 -p1 -b .nomsg %patch -P 4 -p1 -b .sast-fixes %patch -P 5 -p1 -b .pam-env-econf-read-file-fixes +%patch -P 6 -p1 -b .pam-access-local autoreconf -i @@ -362,6 +365,10 @@ done %{_pam_libdir}/libpam_misc.so.%{so_ver}* %changelog +* Mon Nov 4 2024 Iker Pedrosa - 1.6.1-6 +- pam_access: always match local address and clarify LOCAL keyword behaviour. + Resolves: RHEL-65223 + * Tue Oct 29 2024 Troy Dawson - Bump release for October 2024 mass rebuild: Resolves: RHEL-64018