diff --git a/pam-1.1.5-unix-build.patch b/pam-1.1.5-unix-build.patch deleted file mode 100644 index d1f30d0..0000000 --- a/pam-1.1.5-unix-build.patch +++ /dev/null @@ -1,34 +0,0 @@ -diff -up Linux-PAM-1.1.5/modules/pam_unix/pam_unix_acct.c.build Linux-PAM-1.1.5/modules/pam_unix/pam_unix_acct.c ---- Linux-PAM-1.1.5/modules/pam_unix/pam_unix_acct.c.build 2012-07-23 18:46:27.709804094 +0200 -+++ Linux-PAM-1.1.5/modules/pam_unix/pam_unix_acct.c 2012-07-23 18:46:27.764805293 +0200 -@@ -47,6 +47,8 @@ - #include /* for time() */ - #include - #include -+#include -+#include - - #include - -diff -up Linux-PAM-1.1.5/modules/pam_unix/pam_unix_passwd.c.build Linux-PAM-1.1.5/modules/pam_unix/pam_unix_passwd.c ---- Linux-PAM-1.1.5/modules/pam_unix/pam_unix_passwd.c.build 2012-07-23 18:55:16.433314731 +0200 -+++ Linux-PAM-1.1.5/modules/pam_unix/pam_unix_passwd.c 2012-07-23 18:54:48.064697131 +0200 -@@ -53,6 +53,7 @@ - #include - #include - #include -+#include - #include - - #include -diff -up Linux-PAM-1.1.5/modules/pam_unix/support.c.build Linux-PAM-1.1.5/modules/pam_unix/support.c ---- Linux-PAM-1.1.5/modules/pam_unix/support.c.build 2012-07-23 18:46:27.000000000 +0200 -+++ Linux-PAM-1.1.5/modules/pam_unix/support.c 2012-07-23 18:54:23.645165507 +0200 -@@ -18,6 +18,7 @@ - #include - #include - #include -+#include - #include - #ifdef HAVE_RPCSVC_YPCLNT_H - #include diff --git a/pam-1.1.6-audit-data.patch b/pam-1.1.6-audit-data.patch deleted file mode 100644 index c41f513..0000000 --- a/pam-1.1.6-audit-data.patch +++ /dev/null @@ -1,173 +0,0 @@ -diff -up Linux-PAM-1.1.6/modules/pam_faillock/main.c.audata Linux-PAM-1.1.6/modules/pam_faillock/main.c ---- Linux-PAM-1.1.6/modules/pam_faillock/main.c.audata 2012-09-03 15:18:19.077405822 +0200 -+++ Linux-PAM-1.1.6/modules/pam_faillock/main.c 2012-09-03 15:18:19.082405927 +0200 -@@ -42,6 +42,7 @@ - #include - #include - #include -+#include - #ifdef HAVE_LIBAUDIT - #include - #endif -@@ -142,7 +143,7 @@ do_user(struct options *opts, const char - snprintf(buf, sizeof(buf), "faillock reset uid=%u", - pwd->pw_uid); - audit_log_user_message(audit_fd, AUDIT_USER_ACCT, -- buf, NULL, NULL, NULL, rv == 0); -+ buf, NULL, NULL, ttyname(fileno(stdin)), rv == 0); - } - close(audit_fd); - } -diff -up Linux-PAM-1.1.6/modules/pam_faillock/pam_faillock.c.audata Linux-PAM-1.1.6/modules/pam_faillock/pam_faillock.c ---- Linux-PAM-1.1.6/modules/pam_faillock/pam_faillock.c.audata 2012-09-03 15:18:19.077405822 +0200 -+++ Linux-PAM-1.1.6/modules/pam_faillock/pam_faillock.c 2012-09-03 15:18:19.083405948 +0200 -@@ -264,6 +264,7 @@ check_tally(pam_handle_t *pamh, struct o - if (opts->action != FAILLOCK_ACTION_PREAUTH) { /* do not audit in preauth */ - char buf[64]; - int audit_fd; -+ const void *rhost = NULL, *tty = NULL; - - audit_fd = audit_open(); - /* If there is an error & audit support is in the kernel report error */ -@@ -271,9 +272,11 @@ check_tally(pam_handle_t *pamh, struct o - errno == EAFNOSUPPORT)) - return PAM_SYSTEM_ERR; - -+ (void)pam_get_item(pamh, PAM_TTY, &tty); -+ (void)pam_get_item(pamh, PAM_RHOST, &rhost); - snprintf(buf, sizeof(buf), "pam_faillock uid=%u ", opts->uid); - audit_log_user_message(audit_fd, AUDIT_RESP_ACCT_UNLOCK_TIMED, buf, -- NULL, NULL, NULL, 1); -+ rhost, NULL, tty, 1); - } - #endif - opts->flags |= FAILLOCK_FLAG_UNLOCKED; -@@ -378,6 +381,7 @@ write_tally(pam_handle_t *pamh, struct o - #ifdef HAVE_LIBAUDIT - char buf[64]; - int audit_fd; -+ const void *tty = NULL, *rhost = NULL; - - audit_fd = audit_open(); - /* If there is an error & audit support is in the kernel report error */ -@@ -385,13 +389,15 @@ write_tally(pam_handle_t *pamh, struct o - errno == EAFNOSUPPORT)) - return PAM_SYSTEM_ERR; - -+ (void)pam_get_item(pamh, PAM_TTY, &tty); -+ (void)pam_get_item(pamh, PAM_RHOST, &rhost); - snprintf(buf, sizeof(buf), "pam_faillock uid=%u ", opts->uid); - audit_log_user_message(audit_fd, AUDIT_ANOM_LOGIN_FAILURES, buf, -- NULL, NULL, NULL, 1); -+ rhost, NULL, tty, 1); - - if (opts->uid != 0 || (opts->flags & FAILLOCK_FLAG_DENY_ROOT)) { - audit_log_user_message(audit_fd, AUDIT_RESP_ACCT_LOCK, buf, -- NULL, NULL, NULL, 1); -+ rhost, NULL, tty, 1); - } - close(audit_fd); - #endif -diff -up Linux-PAM-1.1.6/modules/pam_selinux/pam_selinux.c.audata Linux-PAM-1.1.6/modules/pam_selinux/pam_selinux.c ---- Linux-PAM-1.1.6/modules/pam_selinux/pam_selinux.c.audata 2012-08-15 13:08:43.000000000 +0200 -+++ Linux-PAM-1.1.6/modules/pam_selinux/pam_selinux.c 2012-09-03 15:18:19.083405948 +0200 -@@ -87,6 +87,7 @@ int send_audit_message(pam_handle_t *pam - int audit_fd = audit_open(); - security_context_t default_raw=NULL; - security_context_t selected_raw=NULL; -+ const void *tty = NULL, *rhost = NULL; - rc = -1; - if (audit_fd < 0) { - if (errno == EINVAL || errno == EPROTONOSUPPORT || -@@ -95,6 +96,8 @@ int send_audit_message(pam_handle_t *pam - pam_syslog(pamh, LOG_ERR, "Error connecting to audit system."); - return rc; - } -+ (void)pam_get_item(pamh, PAM_TTY, &tty); -+ (void)pam_get_item(pamh, PAM_RHOST, &rhost); - if (selinux_trans_to_raw_context(default_context, &default_raw) < 0) { - pam_syslog(pamh, LOG_ERR, "Error translating default context."); - default_raw = NULL; -@@ -110,7 +113,7 @@ int send_audit_message(pam_handle_t *pam - goto out; - } - if (audit_log_user_message(audit_fd, AUDIT_USER_ROLE_CHANGE, -- msg, NULL, NULL, NULL, success) <= 0) { -+ msg, rhost, NULL, tty, success) <= 0) { - pam_syslog(pamh, LOG_ERR, "Error sending audit message."); - goto out; - } -diff -up Linux-PAM-1.1.6/modules/pam_tally2/pam_tally2.c.audata Linux-PAM-1.1.6/modules/pam_tally2/pam_tally2.c ---- Linux-PAM-1.1.6/modules/pam_tally2/pam_tally2.c.audata 2012-08-15 13:08:43.000000000 +0200 -+++ Linux-PAM-1.1.6/modules/pam_tally2/pam_tally2.c 2012-09-03 15:20:06.071641000 +0200 -@@ -509,6 +509,7 @@ tally_check (tally_t oldcnt, time_t oldt - #ifdef HAVE_LIBAUDIT - char buf[64]; - int audit_fd = -1; -+ const void *rhost = NULL, *tty = NULL; - #endif - - if ((opts->ctrl & OPT_MAGIC_ROOT) && getuid() == 0) { -@@ -521,6 +522,8 @@ tally_check (tally_t oldcnt, time_t oldt - if ((audit_fd < 0) && !(errno == EINVAL || errno == EPROTONOSUPPORT || - errno == EAFNOSUPPORT)) - return PAM_SYSTEM_ERR; -+ (void)pam_get_item(pamh, PAM_TTY, &tty); -+ (void)pam_get_item(pamh, PAM_RHOST, &rhost); - #endif - if (opts->deny != 0 && /* deny==0 means no deny */ - tally->fail_cnt > opts->deny && /* tally>deny means exceeded */ -@@ -530,7 +533,7 @@ tally_check (tally_t oldcnt, time_t oldt - /* First say that max number was hit. */ - snprintf(buf, sizeof(buf), "pam_tally2 uid=%u ", uid); - audit_log_user_message(audit_fd, AUDIT_ANOM_LOGIN_FAILURES, buf, -- NULL, NULL, NULL, 1); -+ rhost, NULL, tty, 1); - } - #endif - if (uid) { -@@ -541,7 +544,7 @@ tally_check (tally_t oldcnt, time_t oldt - #ifdef HAVE_LIBAUDIT - snprintf(buf, sizeof(buf), "pam_tally2 uid=%u ", uid); - audit_log_user_message(audit_fd, AUDIT_RESP_ACCT_UNLOCK_TIMED, buf, -- NULL, NULL, NULL, 1); -+ rhost, NULL, tty, 1); - #endif - rv = PAM_SUCCESS; - goto cleanup; -@@ -555,7 +558,7 @@ tally_check (tally_t oldcnt, time_t oldt - #ifdef HAVE_LIBAUDIT - snprintf(buf, sizeof(buf), "pam_tally2 uid=%u ", uid); - audit_log_user_message(audit_fd, AUDIT_RESP_ACCT_UNLOCK_TIMED, buf, -- NULL, NULL, NULL, 1); -+ rhost, NULL, tty, 1); - #endif - rv = PAM_SUCCESS; - goto cleanup; -@@ -567,7 +570,7 @@ tally_check (tally_t oldcnt, time_t oldt - if (tally->fail_cnt == opts->deny+1) { - /* First say that max number was hit. */ - audit_log_user_message(audit_fd, AUDIT_RESP_ACCT_LOCK, buf, -- NULL, NULL, NULL, 1); -+ rhost, NULL, tty, 1); - } - #endif - -@@ -996,7 +999,7 @@ main( int argc UNUSED, char **argv ) - int audit_fd = audit_open(); - snprintf(buf, sizeof(buf), "pam_tally2 uid=%u reset=%hu", uid, cline_reset); - audit_log_user_message(audit_fd, AUDIT_USER_ACCT, -- buf, NULL, NULL, NULL, 1); -+ buf, NULL, NULL, ttyname(fileno(stdin)), 1); - if (audit_fd >=0) - close(audit_fd); - #endif -@@ -1041,7 +1044,7 @@ main( int argc UNUSED, char **argv ) - int audit_fd = audit_open(); - snprintf(buf, sizeof(buf), "pam_tally2 uid=all reset=0"); - audit_log_user_message(audit_fd, AUDIT_USER_ACCT, -- buf, NULL, NULL, NULL, 1); -+ buf, NULL, NULL, ttyname(fileno(stdin)), 1); - if (audit_fd >=0) - close(audit_fd); - #endif diff --git a/pam-1.1.6-autoupdate.patch b/pam-1.1.6-autoupdate.patch deleted file mode 100644 index ce2cee3..0000000 --- a/pam-1.1.6-autoupdate.patch +++ /dev/null @@ -1,31 +0,0 @@ -diff --git a/configure.in b/configure.in -index ae762a2..729e7f1 100644 ---- a/configure.in -+++ b/configure.in -@@ -3,7 +3,8 @@ AC_INIT - AC_CONFIG_SRCDIR([conf/pam_conv1/pam_conv_y.y]) - AC_CONFIG_AUX_DIR([build-aux]) - AM_INIT_AUTOMAKE("Linux-PAM", 1.1.6) --AC_PREREQ(2.61) -+LT_INIT -+AC_PREREQ([2.68]) - AC_CONFIG_HEADERS([config.h]) - AC_CONFIG_MACRO_DIR([m4]) - AC_CANONICAL_HOST -@@ -82,7 +83,6 @@ AM_PROG_LEX - AC_PROG_INSTALL - AC_PROG_LN_S - AC_PROG_MAKE_SET --AC_PROG_LIBTOOL - AM_PROG_CC_C_O - PAM_LD_AS_NEEDED - PAM_LD_NO_UNDEFINED -@@ -532,7 +532,7 @@ AC_CHECK_FUNCS(unshare, [UNSHARE=yes], [UNSHARE=no]) - AM_CONDITIONAL([HAVE_UNSHARE], [test "$UNSHARE" = yes]) - - AC_ARG_ENABLE([regenerate-docu], -- AC_HELP_STRING([--disable-regenerate-docu], [Don't re-build documentation from XML souces]), -+ AS_HELP_STRING([--disable-regenerate-docu],[Don't re-build documentation from XML sources]), - [enable_docu=$enableval], [enable_docu=yes]) - dnl - dnl Check for xsltproc diff --git a/pam-1.1.6-crypt-null-check.patch b/pam-1.1.6-crypt-null-check.patch deleted file mode 100644 index 78d7b91..0000000 --- a/pam-1.1.6-crypt-null-check.patch +++ /dev/null @@ -1,55 +0,0 @@ -From 8dc056c1c8bc7acb66c4decc49add2c3a24e6310 Mon Sep 17 00:00:00 2001 -From: Tomas Mraz -Date: Fri, 8 Feb 2013 15:04:26 +0100 -Subject: [PATCH] Add checks for crypt() returning NULL. - -modules/pam_pwhistory/opasswd.c (compare_password): Add check for crypt() NULL return. -modules/pam_unix/bigcrypt.c (bigcrypt): Likewise. ---- - modules/pam_pwhistory/opasswd.c | 2 +- - modules/pam_unix/bigcrypt.c | 9 +++++++++ - 2 files changed, 10 insertions(+), 1 deletions(-) - -diff --git a/modules/pam_pwhistory/opasswd.c b/modules/pam_pwhistory/opasswd.c -index 274fdb9..836d713 100644 ---- a/modules/pam_pwhistory/opasswd.c -+++ b/modules/pam_pwhistory/opasswd.c -@@ -108,7 +108,7 @@ compare_password(const char *newpass, const char *oldpass) - outval = crypt (newpass, oldpass); - #endif - -- return strcmp(outval, oldpass) == 0; -+ return outval != NULL && strcmp(outval, oldpass) == 0; - } - - /* Check, if the new password is already in the opasswd file. */ -diff --git a/modules/pam_unix/bigcrypt.c b/modules/pam_unix/bigcrypt.c -index e10d1c5..e1d57a0 100644 ---- a/modules/pam_unix/bigcrypt.c -+++ b/modules/pam_unix/bigcrypt.c -@@ -109,6 +109,10 @@ char *bigcrypt(const char *key, const char *salt) - #else - tmp_ptr = crypt(plaintext_ptr, salt); /* libc crypt() */ - #endif -+ if (tmp_ptr == NULL) { -+ free(dec_c2_cryptbuf); -+ return NULL; -+ } - /* and place in the static area */ - strncpy(cipher_ptr, tmp_ptr, 13); - cipher_ptr += ESEGMENT_SIZE + SALT_SIZE; -@@ -130,6 +134,11 @@ char *bigcrypt(const char *key, const char *salt) - #else - tmp_ptr = crypt(plaintext_ptr, salt_ptr); - #endif -+ if (tmp_ptr == NULL) { -+ _pam_overwrite(dec_c2_cryptbuf); -+ free(dec_c2_cryptbuf); -+ return NULL; -+ } - - /* skip the salt for seg!=0 */ - strncpy(cipher_ptr, (tmp_ptr + SALT_SIZE), ESEGMENT_SIZE); --- -1.7.7.6 - diff --git a/pam-1.1.6-install-empty.patch b/pam-1.1.6-install-empty.patch deleted file mode 100644 index 9767577..0000000 --- a/pam-1.1.6-install-empty.patch +++ /dev/null @@ -1,24 +0,0 @@ -diff -up Linux-PAM-1.1.6/modules/pam_namespace/Makefile.am.empty Linux-PAM-1.1.6/modules/pam_namespace/Makefile.am ---- Linux-PAM-1.1.6/modules/pam_namespace/Makefile.am.empty 2012-08-15 13:08:43.000000000 +0200 -+++ Linux-PAM-1.1.6/modules/pam_namespace/Makefile.am 2012-08-17 15:08:33.487322476 +0200 -@@ -40,7 +40,7 @@ if HAVE_UNSHARE - secureconf_SCRIPTS = namespace.init - - install-data-local: -- mkdir -p $(namespaceddir) -+ mkdir -p $(DESTDIR)$(namespaceddir) - endif - - -diff -up Linux-PAM-1.1.6/modules/pam_sepermit/Makefile.am.empty Linux-PAM-1.1.6/modules/pam_sepermit/Makefile.am ---- Linux-PAM-1.1.6/modules/pam_sepermit/Makefile.am.empty 2012-08-15 13:08:43.000000000 +0200 -+++ Linux-PAM-1.1.6/modules/pam_sepermit/Makefile.am 2012-08-17 15:08:13.692856948 +0200 -@@ -35,7 +35,7 @@ if HAVE_LIBSELINUX - securelib_LTLIBRARIES = pam_sepermit.la - - install-data-local: -- mkdir -p $(sepermitlockdir) -+ mkdir -p $(DESTDIR)$(sepermitlockdir) - endif - if ENABLE_REGENERATE_MAN - noinst_DATA = README pam_sepermit.8 sepermit.conf.5 diff --git a/pam-1.1.6-lastlog-retval.patch b/pam-1.1.6-lastlog-retval.patch deleted file mode 100644 index 3c385f6..0000000 --- a/pam-1.1.6-lastlog-retval.patch +++ /dev/null @@ -1,15 +0,0 @@ -diff --git a/modules/pam_lastlog/pam_lastlog.c b/modules/pam_lastlog/pam_lastlog.c -index 50e5a59..bd454ff 100644 ---- a/modules/pam_lastlog/pam_lastlog.c -+++ b/modules/pam_lastlog/pam_lastlog.c -@@ -479,6 +479,10 @@ last_login_failed(pam_handle_t *pamh, int announce, const char *user, time_t llt - } - } - -+ if (retval != 0) -+ pam_syslog(pamh, LOG_WARNING, "corruption detected in %s", _PATH_BTMP); -+ retval = PAM_SUCCESS; -+ - if (failed) { - /* we want the date? */ - if (announce & LASTLOG_DATE) { diff --git a/pam-1.1.6-namespace-mntopts.patch b/pam-1.1.6-namespace-mntopts.patch deleted file mode 100644 index 20c55f6..0000000 --- a/pam-1.1.6-namespace-mntopts.patch +++ /dev/null @@ -1,93 +0,0 @@ -diff --git a/modules/pam_namespace/namespace.conf.5.xml b/modules/pam_namespace/namespace.conf.5.xml -index 673099b..f28350d 100644 ---- a/modules/pam_namespace/namespace.conf.5.xml -+++ b/modules/pam_namespace/namespace.conf.5.xml -@@ -119,6 +119,14 @@ - contain the user name and will be shared among all users. - - -+ mntopts=value -+ - this flag value is passed to the mount call when the tmpfs mount is done. -+ It allows for example the specification of the maximum size of the tmpfs -+ instance that is created by the mount call. See -+ mount8 -+ for details. -+ -+ - - The directory where polyinstantiated instances are to be - created, must exist and must have, by default, the mode of 0000. The -diff --git a/modules/pam_namespace/pam_namespace.c b/modules/pam_namespace/pam_namespace.c -index a40f05e..e0d5e30 100644 ---- a/modules/pam_namespace/pam_namespace.c -+++ b/modules/pam_namespace/pam_namespace.c -@@ -64,6 +64,7 @@ static void del_polydir(struct polydir_s *poly) - if (poly) { - free(poly->uid); - free(poly->init_script); -+ free(poly->mount_opts); - free(poly); - } - } -@@ -237,9 +238,9 @@ static int parse_method(char *method, struct polydir_s *poly, - static const char *method_names[] = { "user", "context", "level", "tmpdir", - "tmpfs", NULL }; - static const char *flag_names[] = { "create", "noinit", "iscript", -- "shared", NULL }; -+ "shared", "mntopts", NULL }; - static const unsigned int flag_values[] = { POLYDIR_CREATE, POLYDIR_NOINIT, -- POLYDIR_ISCRIPT, POLYDIR_SHARED }; -+ POLYDIR_ISCRIPT, POLYDIR_SHARED, POLYDIR_MNTOPTS }; - int i; - char *flag; - -@@ -279,6 +280,20 @@ static int parse_method(char *method, struct polydir_s *poly, - return -1; - }; - break; -+ -+ case POLYDIR_MNTOPTS: -+ if (flag[namelen] != '=') -+ break; -+ if (poly->method != TMPFS) { -+ pam_syslog(idata->pamh, LOG_WARNING, "Mount options applicable only to tmpfs method"); -+ break; -+ } -+ free(poly->mount_opts); /* if duplicate mntopts specified */ -+ if ((poly->mount_opts = strdup(flag+namelen+1)) == NULL) { -+ pam_syslog(idata->pamh, LOG_CRIT, "Memory allocation error"); -+ return -1; -+ } -+ break; - } - } - } -@@ -1464,7 +1479,7 @@ static int ns_setup(struct polydir_s *polyptr, - } - - if (polyptr->method == TMPFS) { -- if (mount("tmpfs", polyptr->dir, "tmpfs", 0, NULL) < 0) { -+ if (mount("tmpfs", polyptr->dir, "tmpfs", 0, polyptr->mount_opts) < 0) { - pam_syslog(idata->pamh, LOG_ERR, "Error mounting tmpfs on %s, %m", - polyptr->dir); - return PAM_SESSION_ERR; -diff --git a/modules/pam_namespace/pam_namespace.h b/modules/pam_namespace/pam_namespace.h -index 51d2388..47ebcc3 100644 ---- a/modules/pam_namespace/pam_namespace.h -+++ b/modules/pam_namespace/pam_namespace.h -@@ -116,6 +116,7 @@ - #define POLYDIR_NOINIT 0x00000004 /* no init script */ - #define POLYDIR_SHARED 0x00000008 /* share context/level instances among users */ - #define POLYDIR_ISCRIPT 0x00000010 /* non default init script */ -+#define POLYDIR_MNTOPTS 0x00000020 /* mount options for tmpfs mount */ - - - #define NAMESPACE_MAX_DIR_LEN 80 -@@ -164,6 +165,7 @@ struct polydir_s { - uid_t *uid; /* list of override uids */ - unsigned int flags; /* polydir flags */ - char *init_script; /* path to init script */ -+ char *mount_opts; /* mount options for tmpfs mount */ - uid_t owner; /* user which should own the polydir */ - gid_t group; /* group which should own the polydir */ - mode_t mode; /* mode of the polydir */ diff --git a/pam-1.1.6-rootok-audit.patch b/pam-1.1.6-rootok-audit.patch deleted file mode 100644 index d396175..0000000 --- a/pam-1.1.6-rootok-audit.patch +++ /dev/null @@ -1,99 +0,0 @@ -diff -up Linux-PAM-1.1.6/modules/pam_rootok/Makefile.am.audit Linux-PAM-1.1.6/modules/pam_rootok/Makefile.am ---- Linux-PAM-1.1.6/modules/pam_rootok/Makefile.am.audit 2012-08-15 13:08:43.000000000 +0200 -+++ Linux-PAM-1.1.6/modules/pam_rootok/Makefile.am 2013-07-04 10:30:21.000000000 +0200 -@@ -25,7 +25,7 @@ if HAVE_VERSIONING - endif - - securelib_LTLIBRARIES = pam_rootok.la --pam_rootok_la_LIBADD = $(top_builddir)/libpam/libpam.la @LIBSELINUX@ -+pam_rootok_la_LIBADD = $(top_builddir)/libpam/libpam.la @LIBSELINUX@ @LIBAUDIT@ - - if ENABLE_REGENERATE_MAN - noinst_DATA = README -diff -up Linux-PAM-1.1.6/modules/pam_rootok/pam_rootok.c.audit Linux-PAM-1.1.6/modules/pam_rootok/pam_rootok.c ---- Linux-PAM-1.1.6/modules/pam_rootok/pam_rootok.c.audit 2012-08-15 13:08:43.000000000 +0200 -+++ Linux-PAM-1.1.6/modules/pam_rootok/pam_rootok.c 2013-03-22 09:41:48.000000000 +0100 -@@ -28,7 +28,11 @@ - - #ifdef WITH_SELINUX - #include --#include -+#include -+#endif -+ -+#ifdef HAVE_LIBAUDIT -+#include - #endif - - /* argument parsing */ -@@ -55,6 +59,61 @@ _pam_parse (const pam_handle_t *pamh, in - return ctrl; - } - -+#ifdef WITH_SELINUX -+static int -+log_callback (int type, const char *fmt, ...) -+{ -+ int audit_fd; -+ va_list ap; -+ -+ va_start(ap, fmt); -+#ifdef HAVE_LIBAUDIT -+ audit_fd = audit_open(); -+ -+ if (audit_fd >= 0) { -+ char *buf; -+ -+ if (vasprintf (&buf, fmt, ap) < 0) -+ return 0; -+ audit_log_user_avc_message(audit_fd, AUDIT_USER_AVC, buf, NULL, NULL, -+ NULL, 0); -+ audit_close(audit_fd); -+ free(buf); -+ return 0; -+ } -+ -+#endif -+ vsyslog (LOG_USER | LOG_INFO, fmt, ap); -+ va_end(ap); -+ return 0; -+} -+ -+static int -+selinux_check_root (void) -+{ -+ int status = -1; -+ security_context_t user_context; -+ union selinux_callback old_callback; -+ -+ if (is_selinux_enabled() < 1) -+ return 0; -+ -+ old_callback = selinux_get_callback(SELINUX_CB_LOG); -+ /* setup callbacks */ -+ selinux_set_callback(SELINUX_CB_LOG, (union selinux_callback) &log_callback); -+ if ((status = getprevcon(&user_context)) < 0) { -+ selinux_set_callback(SELINUX_CB_LOG, old_callback); -+ return status; -+ } -+ -+ status = selinux_check_access(user_context, user_context, "passwd", "passwd", NULL); -+ -+ selinux_set_callback(SELINUX_CB_LOG, old_callback); -+ freecon(user_context); -+ return status; -+} -+#endif -+ - static int - check_for_root (pam_handle_t *pamh, int ctrl) - { -@@ -62,7 +121,7 @@ check_for_root (pam_handle_t *pamh, int - - if (getuid() == 0) - #ifdef WITH_SELINUX -- if (is_selinux_enabled()<1 || checkPasswdAccess(PASSWD__ROOTOK)==0) -+ if (selinux_check_root() == 0 || security_getenforce() == 0) - #endif - retval = PAM_SUCCESS; - diff --git a/pam-1.1.6-selinux-manualctx.patch b/pam-1.1.6-selinux-manualctx.patch deleted file mode 100644 index b9afeab..0000000 --- a/pam-1.1.6-selinux-manualctx.patch +++ /dev/null @@ -1,97 +0,0 @@ -diff -up Linux-PAM-1.1.6/modules/pam_selinux/pam_selinux.c.manualctx Linux-PAM-1.1.6/modules/pam_selinux/pam_selinux.c ---- Linux-PAM-1.1.6/modules/pam_selinux/pam_selinux.c.manualctx 2012-09-03 15:23:21.000000000 +0200 -+++ Linux-PAM-1.1.6/modules/pam_selinux/pam_selinux.c 2012-11-30 21:03:40.000000000 +0100 -@@ -161,81 +161,6 @@ query_response (pam_handle_t *pamh, cons - return rc; - } - --static security_context_t --manual_context (pam_handle_t *pamh, const char *user, int debug) --{ -- security_context_t newcon=NULL; -- context_t new_context; -- int mls_enabled = is_selinux_mls_enabled(); -- char *type=NULL; -- char *response=NULL; -- -- while (1) { -- if (query_response(pamh, -- _("Would you like to enter a security context? [N] "), NULL, -- &response, debug) != PAM_SUCCESS) -- return NULL; -- -- if ((response[0] == 'y') || (response[0] == 'Y')) -- { -- if (mls_enabled) -- new_context = context_new ("user:role:type:level"); -- else -- new_context = context_new ("user:role:type"); -- -- if (!new_context) -- goto fail_set; -- -- if (context_user_set (new_context, user)) -- goto fail_set; -- -- _pam_drop(response); -- /* Allow the user to enter each field of the context individually */ -- if (query_response(pamh, _("role:"), NULL, &response, debug) == PAM_SUCCESS && -- response[0] != '\0') { -- if (context_role_set (new_context, response)) -- goto fail_set; -- if (get_default_type(response, &type)) -- goto fail_set; -- if (context_type_set (new_context, type)) -- goto fail_set; -- _pam_drop(type); -- } -- _pam_drop(response); -- -- if (mls_enabled) -- { -- if (query_response(pamh, _("level:"), NULL, &response, debug) == PAM_SUCCESS && -- response[0] != '\0') { -- if (context_range_set (new_context, response)) -- goto fail_set; -- } -- _pam_drop(response); -- } -- -- /* Get the string value of the context and see if it is valid. */ -- if (!security_check_context(context_str(new_context))) { -- newcon = strdup(context_str(new_context)); -- context_free (new_context); -- return newcon; -- } -- else -- send_text(pamh,_("Not a valid security context"),debug); -- -- context_free (new_context); -- } -- else { -- _pam_drop(response); -- return NULL; -- } -- } /* end while */ -- fail_set: -- free(type); -- _pam_drop(response); -- context_free (new_context); -- return NULL; --} -- - static int mls_range_allowed(pam_handle_t *pamh, security_context_t src, security_context_t dst, int debug) - { - struct av_decision avd; -@@ -606,11 +531,6 @@ compute_exec_context(pam_handle_t *pamh, - data->exec_context = context_from_env(pamh, data->default_user_context, - env_params, use_current_range, - debug); -- } else { -- if (seuser) { -- data->exec_context = manual_context(pamh, seuser, debug); -- free(seuser); -- } - } - - if (!data->exec_context) { diff --git a/pam-1.1.6-sepermit-user.patch b/pam-1.1.6-sepermit-user.patch deleted file mode 100644 index 9a003ee..0000000 --- a/pam-1.1.6-sepermit-user.patch +++ /dev/null @@ -1,58 +0,0 @@ -diff -up Linux-PAM-1.1.6/modules/pam_sepermit/Makefile.am.sepermit Linux-PAM-1.1.6/modules/pam_sepermit/Makefile.am ---- Linux-PAM-1.1.6/modules/pam_sepermit/Makefile.am.sepermit 2013-07-24 12:55:08.822987098 -0400 -+++ Linux-PAM-1.1.6/modules/pam_sepermit/Makefile.am 2013-07-24 12:55:11.653004214 -0400 -@@ -24,7 +24,7 @@ AM_CFLAGS = -I$(top_srcdir)/libpam/inclu - -D SEPERMIT_CONF_FILE=\"$(SCONFIGDIR)/sepermit.conf\" \ - -D SEPERMIT_LOCKDIR=\"$(sepermitlockdir)\" - --pam_sepermit_la_LIBADD = $(top_builddir)/libpam/libpam.la @LIBSELINUX@ -+pam_sepermit_la_LIBADD = $(top_builddir)/libpam/libpam.la @LIBSELINUX@ -lsystemd-login - pam_sepermit_la_LDFLAGS = -no-undefined -avoid-version -module - if HAVE_VERSIONING - pam_sepermit_la_LDFLAGS += -Wl,--version-script=$(srcdir)/../modules.map -diff -up Linux-PAM-1.1.6/modules/pam_sepermit/pam_sepermit.c.sepermit Linux-PAM-1.1.6/modules/pam_sepermit/pam_sepermit.c ---- Linux-PAM-1.1.6/modules/pam_sepermit/pam_sepermit.c.sepermit 2012-08-15 07:08:43.000000000 -0400 -+++ Linux-PAM-1.1.6/modules/pam_sepermit/pam_sepermit.c 2013-07-24 13:17:24.088061506 -0400 -@@ -65,6 +65,7 @@ - #include - - #include -+#include - - #define MODULE "pam_sepermit" - #define OPT_DELIM ":" -@@ -187,6 +188,25 @@ sepermit_unlock(pam_handle_t *pamh, void - } - - static int -+check_user_session(pam_handle_t *pamh) { -+ char *session = NULL; -+ char *class = NULL; -+ int rc; -+ -+ if (sd_pid_get_session(0, &session)) -+ return -1; -+ rc = sd_session_get_class(session, &class); -+ pam_syslog(pamh, LOG_ERR, "Session %s", session); -+ if (rc == 0) { -+ rc = strcmp(class, "user"); -+ pam_syslog(pamh, LOG_ERR, "Class %s", class); -+ } -+ free(session); -+ free(class); -+ return rc; -+} -+ -+static int - sepermit_lock(pam_handle_t *pamh, const char *user, int debug) - { - char buf[PATH_MAX]; -@@ -319,7 +339,7 @@ sepermit_match(pam_handle_t *pamh, const - if (*sense == PAM_SUCCESS) { - if (ignore) - *sense = PAM_IGNORE; -- if (geteuid() == 0 && exclusive) -+ if (geteuid() == 0 && exclusive && check_user_session(pamh) != 0) - if (sepermit_lock(pamh, user, debug) < 0) - *sense = PAM_AUTH_ERR; - } diff --git a/pam-1.1.6-strict-aliasing.patch b/pam-1.1.6-strict-aliasing.patch deleted file mode 100644 index 1409b24..0000000 --- a/pam-1.1.6-strict-aliasing.patch +++ /dev/null @@ -1,28 +0,0 @@ -diff --git a/modules/pam_namespace/md5.c b/modules/pam_namespace/md5.c -index ce4f7d6..dc95ab1 100644 ---- a/modules/pam_namespace/md5.c -+++ b/modules/pam_namespace/md5.c -@@ -142,8 +142,7 @@ void MD5Name(MD5Final)(unsigned char digest[16], struct MD5Context *ctx) - byteReverse(ctx->in, 14); - - /* Append length in bits and transform */ -- ((uint32 *) ctx->in)[14] = ctx->bits[0]; -- ((uint32 *) ctx->in)[15] = ctx->bits[1]; -+ memcpy((uint32 *)ctx->in + 14, ctx->bits, 2*sizeof(uint32)); - - MD5Name(MD5Transform)(ctx->buf, (uint32 *) ctx->in); - byteReverse((unsigned char *) ctx->buf, 4); -diff --git a/modules/pam_unix/md5.c b/modules/pam_unix/md5.c -index 7881db5..94f0485 100644 ---- a/modules/pam_unix/md5.c -+++ b/modules/pam_unix/md5.c -@@ -142,8 +142,7 @@ void MD5Name(MD5Final)(unsigned char digest[16], struct MD5Context *ctx) - byteReverse(ctx->in, 14); - - /* Append length in bits and transform */ -- ((uint32 *) ctx->in)[14] = ctx->bits[0]; -- ((uint32 *) ctx->in)[15] = ctx->bits[1]; -+ memcpy((uint32 *)ctx->in + 14, ctx->bits, 2*sizeof(uint32)); - - MD5Name(MD5Transform)(ctx->buf, (uint32 *) ctx->in); - byteReverse((unsigned char *) ctx->buf, 4); diff --git a/pam-1.1.6-tty-audit-echo.patch b/pam-1.1.6-tty-audit-echo.patch deleted file mode 100644 index 754591a..0000000 --- a/pam-1.1.6-tty-audit-echo.patch +++ /dev/null @@ -1,100 +0,0 @@ -diff -up Linux-PAM-1.1.6/configure.in.tty-audit-echo Linux-PAM-1.1.6/configure.in ---- Linux-PAM-1.1.6/configure.in.tty-audit-echo 2013-08-07 15:41:08.245745447 +0200 -+++ Linux-PAM-1.1.6/configure.in 2013-08-07 18:13:04.358958936 +0200 -@@ -386,6 +386,10 @@ if test x"$WITH_LIBAUDIT" != xno ; then - fi - if test ! -z "$HAVE_AUDIT_TTY_STATUS" ; then - AC_DEFINE([HAVE_AUDIT_TTY_STATUS], 1, [Define to 1 if struct audit_tty_status exists.]) -+ -+ AC_CHECK_MEMBERS([struct audit_tty_status.log_passwd], [], -+ AC_MSG_WARN([audit_tty_status.log_passwd is not available. The log_passwd option is disabled.]), -+ [[#include ]]) - fi - else - LIBAUDIT="" -diff -up Linux-PAM-1.1.6/modules/pam_tty_audit/pam_tty_audit.8.xml.tty-audit-echo Linux-PAM-1.1.6/modules/pam_tty_audit/pam_tty_audit.8.xml ---- Linux-PAM-1.1.6/modules/pam_tty_audit/pam_tty_audit.8.xml.tty-audit-echo 2012-08-15 13:08:43.000000000 +0200 -+++ Linux-PAM-1.1.6/modules/pam_tty_audit/pam_tty_audit.8.xml 2013-08-07 18:08:55.310028229 +0200 -@@ -77,6 +77,19 @@ - - - -+ -+ -+ -+ -+ -+ -+ Log keystrokes when ECHO mode is off but ICANON mode is active. -+ This is the mode in which the tty is placed during password entry. -+ By default, passwords are not logged. This option may not be -+ available on older kernels (3.9?). -+ -+ -+ - - - -@@ -161,6 +174,8 @@ session required pam_tty_audit.so disabl - - pam_tty_audit was written by Miloslav Trmač - <mitr@redhat.com>. -+ The log_passwd option was added by Richard Guy Briggs -+ <rgb@redhat.com>. - - - -diff -up Linux-PAM-1.1.6/modules/pam_tty_audit/pam_tty_audit.c.tty-audit-echo Linux-PAM-1.1.6/modules/pam_tty_audit/pam_tty_audit.c ---- Linux-PAM-1.1.6/modules/pam_tty_audit/pam_tty_audit.c.tty-audit-echo 2012-08-15 13:08:43.000000000 +0200 -+++ Linux-PAM-1.1.6/modules/pam_tty_audit/pam_tty_audit.c 2013-08-07 18:09:29.428694493 +0200 -@@ -201,6 +201,9 @@ pam_sm_open_session (pam_handle_t *pamh, - struct audit_tty_status *old_status, new_status; - const char *user; - int i, fd, open_only; -+#ifdef HAVE_STRUCT_AUDIT_TTY_STATUS_LOG_PASSWD -+ int log_passwd; -+#endif /* HAVE_STRUCT_AUDIT_TTY_STATUS_LOG_PASSWD */ - - (void)flags; - -@@ -212,6 +215,9 @@ pam_sm_open_session (pam_handle_t *pamh, - - command = CMD_NONE; - open_only = 0; -+#ifdef HAVE_STRUCT_AUDIT_TTY_STATUS_LOG_PASSWD -+ log_passwd = 0; -+#endif /* HAVE_STRUCT_AUDIT_TTY_STATUS_LOG_PASSWD */ - for (i = 0; i < argc; i++) - { - if (strncmp (argv[i], "enable=", 7) == 0 -@@ -237,6 +243,14 @@ pam_sm_open_session (pam_handle_t *pamh, - } - else if (strcmp (argv[i], "open_only") == 0) - open_only = 1; -+ else if (strcmp (argv[i], "log_passwd") == 0) -+#ifdef HAVE_STRUCT_AUDIT_TTY_STATUS_LOG_PASSWD -+ log_passwd = 1; -+#else /* HAVE_STRUCT_AUDIT_TTY_STATUS_LOG_PASSWD */ -+ pam_syslog (pamh, LOG_WARNING, -+ "The log_passwd option was not available at compile time."); -+#warning "pam_tty_audit: The log_passwd option is not available. Please upgrade your headers/kernel." -+#endif /* HAVE_STRUCT_AUDIT_TTY_STATUS_LOG_PASSWD */ - else - { - pam_syslog (pamh, LOG_ERR, "unknown option `%s'", argv[i]); -@@ -262,7 +276,14 @@ pam_sm_open_session (pam_handle_t *pamh, - } - - new_status.enabled = (command == CMD_ENABLE ? 1 : 0); -- if (old_status->enabled == new_status.enabled) -+#ifdef HAVE_STRUCT_AUDIT_TTY_STATUS_LOG_PASSWD -+ new_status.log_passwd = log_passwd; -+#endif /* HAVE_STRUCT_AUDIT_TTY_STATUS_LOG_PASSWD */ -+ if (old_status->enabled == new_status.enabled -+#ifdef HAVE_STRUCT_AUDIT_TTY_STATUS_LOG_PASSWD -+ && old_status->log_passwd == new_status.log_passwd -+#endif /* HAVE_STRUCT_AUDIT_TTY_STATUS_LOG_PASSWD */ -+ ) - { - open_only = 1; /* to clean up old_status */ - goto ok_fd; diff --git a/pam-1.1.7-unix-build.patch b/pam-1.1.7-unix-build.patch new file mode 100644 index 0000000..a6b5322 --- /dev/null +++ b/pam-1.1.7-unix-build.patch @@ -0,0 +1,43 @@ +diff -up Linux-PAM-1.1.7/modules/pam_unix/pam_unix_acct.c.build Linux-PAM-1.1.7/modules/pam_unix/pam_unix_acct.c +--- Linux-PAM-1.1.7/modules/pam_unix/pam_unix_acct.c.build 2013-09-13 13:22:12.715064174 +0200 ++++ Linux-PAM-1.1.7/modules/pam_unix/pam_unix_acct.c 2013-09-13 13:22:12.754065021 +0200 +@@ -49,6 +49,8 @@ + #include /* for time() */ + #include + #include ++#include ++#include + + #include + +diff -up Linux-PAM-1.1.7/modules/pam_unix/pam_unix_passwd.c.build Linux-PAM-1.1.7/modules/pam_unix/pam_unix_passwd.c +--- Linux-PAM-1.1.7/modules/pam_unix/pam_unix_passwd.c.build 2013-09-13 13:22:12.716064196 +0200 ++++ Linux-PAM-1.1.7/modules/pam_unix/pam_unix_passwd.c 2013-09-13 14:06:01.581056247 +0200 +@@ -53,6 +53,7 @@ + #include + #include + #include ++#include + #include + + #include +@@ -262,7 +263,7 @@ static int _unix_run_update_binary(pam_h + close(fds[0]); /* close here to avoid possible SIGPIPE above */ + close(fds[1]); + /* wait for helper to complete: */ +- while ((rc=waitpid(child, &retval, 0) < 0 && errno == EINTR); ++ while ((rc=waitpid(child, &retval, 0)) < 0 && errno == EINTR); + if (rc<0) { + pam_syslog(pamh, LOG_ERR, "unix_update waitpid failed: %m"); + retval = PAM_AUTHTOK_ERR; +diff -up Linux-PAM-1.1.7/modules/pam_unix/support.c.build Linux-PAM-1.1.7/modules/pam_unix/support.c +--- Linux-PAM-1.1.7/modules/pam_unix/support.c.build 2013-09-13 13:22:12.716064196 +0200 ++++ Linux-PAM-1.1.7/modules/pam_unix/support.c 2013-09-13 13:22:12.755065042 +0200 +@@ -19,6 +19,7 @@ + #include + #include + #include ++#include + #include + #ifdef HAVE_RPCSVC_YPCLNT_H + #include diff --git a/pam.spec b/pam.spec index 441dd1a..b65bc7b 100644 --- a/pam.spec +++ b/pam.spec @@ -2,8 +2,8 @@ Summary: An extensible library which provides authentication for applications Name: pam -Version: 1.1.6 -Release: 14%{?dist} +Version: 1.1.7 +Release: 1%{?dist} # The library is BSD licensed with option to relicense as GPLv2+ # - this option is redundant as the BSD license allows that anyway. # pam_timestamp, pam_loginuid, and pam_console modules are GPLv2+. @@ -38,31 +38,13 @@ Patch10: pam-1.1.3-nouserenv.patch Patch11: pam-1.1.3-console-abstract.patch Patch12: pam-1.1.3-faillock-screensaver.patch Patch13: pam-1.1.6-limits-user.patch -Patch14: pam-1.1.6-audit-data.patch Patch15: pam-1.1.6-full-relro.patch # FIPS related - non upstreamable Patch20: pam-1.1.5-unix-no-fallback.patch -# Upstreamed -Patch21: pam-1.1.6-install-empty.patch -# -Patch22: pam-1.1.5-unix-build.patch -# Upstreamed -Patch23: pam-1.1.6-autoupdate.patch -# Upstreamed -Patch24: pam-1.1.6-namespace-mntopts.patch -# Upstreamed -Patch25: pam-1.1.6-crypt-null-check.patch -# Upstreamed -Patch26: pam-1.1.6-lastlog-retval.patch -# Sent to upstream for review -Patch27: pam-1.1.6-strict-aliasing.patch -# Upstreamed -Patch28: pam-1.1.6-selinux-manualctx.patch +# Upstreamed partially +Patch22: pam-1.1.7-unix-build.patch Patch29: pam-1.1.6-pwhistory-helper.patch -Patch30: pam-1.1.6-rootok-audit.patch Patch31: pam-1.1.6-use-links.patch -Patch32: pam-1.1.6-sepermit-user.patch -Patch33: pam-1.1.6-tty-audit-echo.patch %define _pamlibdir %{_libdir} %define _moduledir %{_libdir}/security @@ -94,7 +76,6 @@ Requires: libselinux >= 1.33.2 %endif Requires: glibc >= 2.3.90-37 BuildRequires: libdb-devel -BuildRequires: systemd-devel # Following deps are necessary only to build the pam library documentation. BuildRequires: linuxdoc-tools, elinks, libxslt BuildRequires: docbook-style-xsl, docbook-dtds @@ -136,22 +117,11 @@ mv pam-redhat-%{pam_redhat_version}/* modules %patch11 -p1 -b .abstract %patch12 -p1 -b .screensaver %patch13 -p1 -b .limits -%patch14 -p1 -b .audata %patch15 -p1 -b .relro %patch20 -p1 -b .no-fallback -%patch21 -p1 -b .empty %patch22 -p1 -b .build -%patch23 -p1 -b .autoupdate -%patch24 -p1 -b .mntopts -%patch25 -p1 -b .null-check -%patch26 -p1 -b .retval -%patch27 -p1 -b .strict-aliasing -%patch28 -p1 -b .manualctx %patch29 -p1 -b .pwhhelper -%patch30 -p1 -b .audit %patch31 -p1 -b .links -%patch32 -p1 -b .sepermit-user -%patch33 -p1 -b .tty-audit-echo %build @@ -400,6 +370,9 @@ fi %doc doc/adg/*.txt doc/adg/html %changelog +* Fri Sep 13 2013 Tomáš Mráz 1.1.7-1 +- new upstream release + * Wed Aug 7 2013 Tomáš Mráz 1.1.6-14 - use links instead of w3m to create txt documentation - recognize login session in pam_sepermit to prevent gdm from locking (#969174)