- update internal db4 to 4.5.20 version

- move setgid before setuid in pam_keyinit (#212329)
- make username check in pam_unix consistent with useradd (#212153)

.cvsignore

@@ -1,3 +1,3 @@
-db-4.3.29.tar.gz
 Linux-PAM-0.99.6.2.tar.bz2
 pam-redhat-0.99.6-2.tar.bz2
+db-4.5.20.tar.gz

pam-0.99.6.2-namespace-preserve-uid.patch

@@ -0,0 +1,8 @@
+--- Linux-PAM-0.99.6.2/modules/pam_namespace/namespace.init.preserve-uid	2006-06-27 15:07:43.000000000 +0200
++++ Linux-PAM-0.99.6.2/modules/pam_namespace/namespace.init	2006-10-13 10:51:03.000000000 +0200
+@@ -1,4 +1,4 @@
+-#!/bin/sh
++#!/bin/sh -p
+ # This is only a boilerplate for the instance initialization script.
+ # It receives polydir path as $1 and the instance path as $2.
+ #

pam-0.99.6.2-selinux-drop-multiple.patch

@@ -0,0 +1,125 @@
+--- Linux-PAM-0.99.6.2/modules/pam_selinux/pam_selinux.8.xml.drop-multiple	2006-06-18 10:26:59.000000000 +0200
++++ Linux-PAM-0.99.6.2/modules/pam_selinux/pam_selinux.8.xml	2006-11-10 17:47:16.000000000 +0100
+@@ -25,9 +25,6 @@
+ 	debug
+       </arg>
+       <arg choice="opt">
+-	multiple
+-      </arg>
+-      <arg choice="opt">
+ 	open
+       </arg>
+       <arg choice="opt">
+@@ -93,18 +90,6 @@
+       </varlistentry>
+       <varlistentry>
+         <term>
+-          <option>multiple</option>
+-        </term>
+-        <listitem>
+-          <para>
+-            Tells pam_selinux.so to allow the user to  select  the
+-            security context  they  will  login  with, if the user has
+-            more than one role.
+-          </para>
+-        </listitem>
+-      </varlistentry>
+-      <varlistentry>
+-        <term>
+           <option>open</option>
+         </term>
+         <listitem>
+--- Linux-PAM-0.99.6.2/modules/pam_selinux/pam_selinux.c.drop-multiple	2006-11-10 17:44:33.000000000 +0100
++++ Linux-PAM-0.99.6.2/modules/pam_selinux/pam_selinux.c	2006-11-10 17:44:33.000000000 +0100
+@@ -89,56 +89,6 @@
+ }
+ 
+ static security_context_t
+-select_context (pam_handle_t *pamh, security_context_t* contextlist,
+-		int debug)
+-{
+-  char *responses;
+-  char *text=calloc(PATH_MAX,1);
+-
+-  if (text == NULL)
+-    return (security_context_t) strdup(contextlist[0]);
+-
+-  snprintf(text, PATH_MAX,
+-	   _("Your default context is %s. \n"), contextlist[0]);
+-  send_text(pamh,text,debug);
+-  free(text);
+-  query_response(pamh,_("Do you want to choose a different one? [n]"),
+-		 &responses,debug);
+-  if (responses && ((responses[0] == 'y') ||
+-		    (responses[0] == 'Y')))
+-    {
+-      int choice=0;
+-      int i;
+-      const char *prompt=_("Enter number of choice: ");
+-      int len=strlen(prompt);
+-      char buf[PATH_MAX];
+-
+-      _pam_drop(responses);
+-      for (i = 0; contextlist[i]; i++) {
+-	len+=strlen(contextlist[i]) + 10;
+-      }
+-      text=calloc(len,1);
+-      for (i = 0; contextlist[i]; i++) {
+-	snprintf(buf, PATH_MAX,
+-		 "[%d] %s\n", i+1, contextlist[i]);
+-	strncat(text,buf,len);
+-      }
+-      strcat(text,prompt);
+-      while ((choice < 1) || (choice > i)) {
+-	query_response(pamh,text,&responses,debug);
+-	choice = strtol (responses, NULL, 10);
+-	_pam_drop(responses);
+-      }
+-      free(text);
+-      return (security_context_t) strdup(contextlist[choice-1]);
+-    }
+-  else if (responses)
+-    _pam_drop(responses);
+-
+-  return (security_context_t) strdup(contextlist[0]);
+-}
+-
+-static security_context_t
+ manual_context (pam_handle_t *pamh, const char *user, int debug)
+ {
+   security_context_t newcon;
+@@ -322,7 +272,7 @@
+ 		    int argc, const char **argv)
+ {
+   int i, debug = 0, ttys=1, has_tty=isatty(0);
+-  int verbose=0, multiple=0, close_session=0;
++  int verbose=0, close_session=0;
+   int ret = 0;
+   security_context_t* contextlist = NULL;
+   int num_contexts = 0;
+@@ -342,9 +292,6 @@
+     if (strcmp(argv[i], "verbose") == 0) {
+       verbose = 1;
+     }
+-    if (strcmp(argv[i], "multiple") == 0) {
+-      multiple = 1;
+-    }
+     if (strcmp(argv[i], "close") == 0) {
+       close_session = 1;
+     }
+@@ -377,13 +324,8 @@
+ 	  free(level);
+   }
+   if (num_contexts > 0) {
+-    if (multiple && (num_contexts > 1) && has_tty) {
+-      user_context = select_context(pamh,contextlist, debug);
+-      freeconary(contextlist);
+-    } else {
+-      user_context = (security_context_t) strdup(contextlist[0]);
+-      freeconary(contextlist);
+-    }
++    user_context = (security_context_t) strdup(contextlist[0]);
++    freeconary(contextlist);
+   } else {
+     if (has_tty) {
+       user_context = manual_context(pamh,username,debug);

pam.spec

@@ -4,14 +4,14 @@
 %define _sysconfdir /etc
 
 %define pwdb_version 0.62
-%define db_version 4.3.29
+%define db_version 4.5.20
-%define db_conflicting_version 4.4.0
+%define db_conflicting_version 4.6.0
 %define pam_redhat_version 0.99.6-2
 
 Summary: A security tool which provides authentication for applications
 Name: pam
 Version: 0.99.6.2
-Release: 3%{?dist}
+Release: 4%{?dist}
 License: GPL or BSD
 Group: System Environment/Base
 Source0: http://ftp.us.kernel.org/pub/linux/libs/pam/pre/library/Linux-PAM-%{version}.tar.bz2
@@ -28,12 +28,17 @@ Patch1: pam-0.99.5.0-redhat-modules.patch
 Patch21: pam-0.78-unix-hpux-aging.patch
 Patch34: pam-0.99.4.0-dbpam.patch
 Patch70: pam-0.99.2.1-selinux-nofail.patch
-Patch80: pam-0.99.5.0-selinux-drop-multiple.patch
+Patch80: pam-0.99.6.2-selinux-drop-multiple.patch
 Patch81: pam-0.99.3.0-cracklib-try-first-pass.patch
 Patch82: pam-0.99.3.0-tally-fail-close.patch
 Patch84: pam-0.99.6.2-selinux-keycreate.patch
 Patch85: pam-0.99.6.0-succif-session.patch
 Patch86: pam-0.99.6.2-namespace-no-unmount.patch
+Patch87: pam-0.99.6.2-namespace-preserve-uid.patch
+Patch88: pam-0.99.6.2-doc-add-ids.patch
+Patch89: pam-0.99.6.2-namespace-overflow.patch
+Patch90: pam-0.99.6.2-keyinit-setgid.patch
+Patch91: pam-0.99.6.2-unix-username.patch
 
 BuildRoot: %{_tmppath}/%{name}-root
 Requires: cracklib, cracklib-dicts >= 2.8
@@ -41,14 +46,14 @@ Obsoletes: pamconfig
 Prereq: grep, mktemp, sed, coreutils, /sbin/ldconfig
 BuildRequires: autoconf, automake, libtool
 BuildRequires: bison, flex, sed
-BuildRequires: cracklib, cracklib-dicts >= 2.8
+BuildRequires: cracklib-devel, cracklib-dicts >= 2.8
 BuildRequires: perl, pkgconfig
 %if %{WITH_AUDIT}
 BuildRequires: audit-libs-devel >= 1.0.8
 Requires: audit-libs >= 1.0.8
 %endif
-BuildRequires: libselinux-devel >= 1.27.7
+BuildRequires: libselinux-devel >= 1.33.1-2
-Requires: libselinux >= 1.27.7
+Requires: libselinux >= 1.33.1-2
 BuildRequires: glibc >= 2.3.90-37
 Requires: glibc >= 2.3.90-37
 # Following deps are necessary only to build the pam library documentation.
@@ -95,6 +100,11 @@ cp %{SOURCE7} .
 %patch84 -p1 -b .keycreate
 %patch85 -p0 -b .session
 %patch86 -p1 -b .no-unmount
+%patch87 -p1 -b .preserve-uid
+%patch88 -p0 -b .add-ids
+%patch89 -p1 -b .overflow
+%patch90 -p1 -b .setgid
+%patch91 -p1 -b .username
 
 autoreconf
 
@@ -153,6 +163,9 @@ install -m 644 other.pamd $RPM_BUILD_ROOT%{_sysconfdir}/pam.d/other
 install -m 644 system-auth.pamd $RPM_BUILD_ROOT%{_sysconfdir}/pam.d/system-auth
 install -m 644 config-util.pamd $RPM_BUILD_ROOT%{_sysconfdir}/pam.d/config-util
 install -m 600 /dev/null $RPM_BUILD_ROOT%{_sysconfdir}/security/opasswd
+install -d -m 755 $RPM_BUILD_ROOT/var/log
+install -m 600 /dev/null $RPM_BUILD_ROOT/var/log/faillog
+install -m 600 /dev/null $RPM_BUILD_ROOT/var/log/tallylog
 
 # Forcibly strip binaries.
 strip $RPM_BUILD_ROOT%{_sbindir}/* ||:
@@ -353,6 +366,8 @@ fi
 %dir %{_sysconfdir}/security/console.perms.d
 %config %{_sysconfdir}/security/console.perms.d/50-default.perms
 %dir /var/run/console
+%config(noreplace) %verify(not md5 size mtime) /var/log/faillog
+%config(noreplace) %verify(not md5 size mtime) /var/log/tallylog
 %{_mandir}/man5/*
 %{_mandir}/man8/*
 
@@ -367,6 +382,22 @@ fi
 %doc doc/adg/*.txt doc/adg/html
 
 %changelog
+* Mon Nov 13 2006 Tomas Mraz <tmraz@redhat.com> 0.99.6.2-4
+- update internal db4 to 4.5.20 version
+- move setgid before setuid in pam_keyinit (#212329)
+- make username check in pam_unix consistent with useradd (#212153)
+
+* Tue Oct 24 2006 Tomas Mraz <tmraz@redhat.com> 0.99.6.2-3.3
+- don't overflow a buffer in pam_namespace (#211989)
+
+* Mon Oct 16 2006 Tomas Mraz <tmraz@redhat.com> 0.99.6.2-3.2
+- /var/log/faillog and tallylog must be %config(noreplace)
+
+* Fri Oct 13 2006 Tomas Mraz <tmraz@redhat.com> 0.99.6.2-3.1
+- preserve effective uid in namespace.init script (LSPP for newrole)
+- include /var/log/faillog and tallylog to filelist (#209646)
+- add ids to .xml docs so the generated html is always the same (#210569)
+
 * Thu Sep 28 2006 Tomas Mraz <tmraz@redhat.com> 0.99.6.2-3
 - add pam_namespace option no_unmount_on_close, required for newrole
 

sources

@@ -1,3 +1,3 @@
-13585a20ce32f113b8e8cdb57f52e3bb  db-4.3.29.tar.gz
 52844c64efa6f8b6a9ed702eec341a4c  Linux-PAM-0.99.6.2.tar.bz2
 03b4148754928c045b28650f14f427af  pam-redhat-0.99.6-2.tar.bz2
+b0f1c777708cb8e9d37fb47e7ed3312d  db-4.5.20.tar.gz