rpms/pam
6
0
Fork 0
Code Issues Pull Requests Releases Activity

RHEL 9.0.0 Alpha bootstrap

Browse Source 
The content of this branch was automatically imported from Fedora ELN
with the following as its source:
https://src.fedoraproject.org/rpms/pam#767f761a2d5d99b87ebc44c4ad751467b46b1d97
This commit is contained in:
Petr Šabata 2020-10-15 22:44:37 +02:00
parent d2734fe8e3
commit 6165e91cb4
35 changed files with 4891 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

6
.gitignore vendored
View File

@ -0,0 +1,6 @@
*.src.rpm
*.tar.bz2
/Linux-PAM-1.3.1.tar.xz
/Linux-PAM-1.3.1.tar.xz.asc
/Linux-PAM-1.4.0.tar.xz
/Linux-PAM-1.4.0.tar.xz.asc

36
config-util.5 Normal file
View File

@ -0,0 +1,36 @@
.TH SYSTEM-AUTH 5 "2006 Feb 3" "Red Hat" "Linux-PAM Manual"
.SH NAME
config-util \- Common PAM configuration file for configuration utilities
.SH SYNOPSIS
.B /etc/pam.d/config-util
.sp 2
.SH DESCRIPTION
The purpose of this configuration file is to provide common
configuration file for all configuration utilities which must be run
from the supervisor account and use the userhelper wrapper application.
.sp
The
.BR config-util
configuration file is included from all individual configuration
files of such utilities with the help of the
.BR include
directive.
There are not usually any other modules in the individual configuration
files of these utilities.
.sp
It is possible for example to modify duration of the validity of the
authentication timestamp there. See
.BR pam_timestamp(8)
for details.
.SH BUGS
.sp 2
None known.
.SH "SEE ALSO"
pam(8), config-util(5), pam_timestamp(8)

8
config-util.pamd Normal file
View File

@ -0,0 +1,8 @@
#%PAM-1.0
auth sufficient pam_rootok.so
auth sufficient pam_timestamp.so
auth include system-auth
account required pam_permit.so
session required pam_permit.so
session optional pam_xauth.so
session optional pam_timestamp.so

75
dlopen.sh Executable file
View File

@ -0,0 +1,75 @@
#!/bin/sh
tempdir=`mktemp -d /tmp/dlopenXXXXXX`
test -n "$tempdir" || exit 1
cat >> $tempdir/dlopen.c << _EOF
#include <dlfcn.h>
#include <stdio.h>
#include <limits.h>
#include <sys/stat.h>
/* Simple program to see if dlopen() would succeed. */
int main(int argc, char **argv)
{
int i;
struct stat st;
char buf[PATH_MAX];
for (i = 1; i < argc; i++) {
if (dlopen(argv[i], RTLD_NOW)) {
fprintf(stdout, "dlopen() of \"%s\" succeeded.\n",
argv[i]);
} else {
snprintf(buf, sizeof(buf), "./%s", argv[i]);
if ((stat(buf, &st) == 0) && dlopen(buf, RTLD_NOW)) {
fprintf(stdout, "dlopen() of \"./%s\" "
"succeeded.\n", argv[i]);
} else {
fprintf(stdout, "dlopen() of \"%s\" failed: "
"%s\n", argv[i], dlerror());
return 1;
}
}
}
return 0;
}
_EOF
for arg in $@ ; do
case "$arg" in
"")
;;
-I*|-D*|-f*|-m*|-g*|-O*|-W*)
cflags="$cflags $arg"
;;
-l*|-L*)
ldflags="$ldflags $arg"
;;
/*)
modules="$modules $arg"
;;
*)
modules="$modules $arg"
;;
esac
done
${CC:-gcc} $RPM_OPT_FLAGS $CFLAGS -o $tempdir/dlopen $cflags $tempdir/dlopen.c $ldflags -ldl
retval=0
for module in $modules ; do
case "$module" in
"")
;;
/*)
$tempdir/dlopen "$module"
retval=$?
;;
*)
$tempdir/dlopen ./"$module"
retval=$?
;;
esac
done
rm -f $tempdir/dlopen $tempdir/dlopen.c
rmdir $tempdir
exit $retval

19
fingerprint-auth.pamd Normal file
View File

@ -0,0 +1,19 @@
#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authselect is run.
auth required pam_env.so
auth sufficient pam_fprintd.so
auth required pam_deny.so
account required pam_unix.so
account sufficient pam_localuser.so
account sufficient pam_succeed_if.so uid < 500 quiet
account required pam_permit.so
password required pam_deny.so
session optional pam_keyinit.so revoke
session required pam_limits.so
-session optional pam_systemd.so
session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session required pam_unix.so

339
gpl-2.0.txt Normal file
View File

@ -0,0 +1,339 @@
GNU GENERAL PUBLIC LICENSE
Version 2, June 1991
Copyright (C) 1989, 1991 Free Software Foundation, Inc.,
51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA
Everyone is permitted to copy and distribute verbatim copies
of this license document, but changing it is not allowed.
Preamble
The licenses for most software are designed to take away your
freedom to share and change it. By contrast, the GNU General Public
License is intended to guarantee your freedom to share and change free
software--to make sure the software is free for all its users. This
General Public License applies to most of the Free Software
Foundation's software and to any other program whose authors commit to
using it. (Some other Free Software Foundation software is covered by
the GNU Lesser General Public License instead.) You can apply it to
your programs, too.
When we speak of free software, we are referring to freedom, not
price. Our General Public Licenses are designed to make sure that you
have the freedom to distribute copies of free software (and charge for
this service if you wish), that you receive source code or can get it
if you want it, that you can change the software or use pieces of it
in new free programs; and that you know you can do these things.
To protect your rights, we need to make restrictions that forbid
anyone to deny you these rights or to ask you to surrender the rights.
These restrictions translate to certain responsibilities for you if you
distribute copies of the software, or if you modify it.
For example, if you distribute copies of such a program, whether
gratis or for a fee, you must give the recipients all the rights that
you have. You must make sure that they, too, receive or can get the
source code. And you must show them these terms so they know their
rights.
We protect your rights with two steps: (1) copyright the software, and
(2) offer you this license which gives you legal permission to copy,
distribute and/or modify the software.
Also, for each author's protection and ours, we want to make certain
that everyone understands that there is no warranty for this free
software. If the software is modified by someone else and passed on, we
want its recipients to know that what they have is not the original, so
that any problems introduced by others will not reflect on the original
authors' reputations.
Finally, any free program is threatened constantly by software
patents. We wish to avoid the danger that redistributors of a free
program will individually obtain patent licenses, in effect making the
program proprietary. To prevent this, we have made it clear that any
patent must be licensed for everyone's free use or not licensed at all.
The precise terms and conditions for copying, distribution and
modification follow.
GNU GENERAL PUBLIC LICENSE
TERMS AND CONDITIONS FOR COPYING, DISTRIBUTION AND MODIFICATION
0. This License applies to any program or other work which contains
a notice placed by the copyright holder saying it may be distributed
under the terms of this General Public License. The "Program", below,
refers to any such program or work, and a "work based on the Program"
means either the Program or any derivative work under copyright law:
that is to say, a work containing the Program or a portion of it,
either verbatim or with modifications and/or translated into another
language. (Hereinafter, translation is included without limitation in
the term "modification".) Each licensee is addressed as "you".
Activities other than copying, distribution and modification are not
covered by this License; they are outside its scope. The act of
running the Program is not restricted, and the output from the Program
is covered only if its contents constitute a work based on the
Program (independent of having been made by running the Program).
Whether that is true depends on what the Program does.
1. You may copy and distribute verbatim copies of the Program's
source code as you receive it, in any medium, provided that you
conspicuously and appropriately publish on each copy an appropriate
copyright notice and disclaimer of warranty; keep intact all the
notices that refer to this License and to the absence of any warranty;
and give any other recipients of the Program a copy of this License
along with the Program.
You may charge a fee for the physical act of transferring a copy, and
you may at your option offer warranty protection in exchange for a fee.
2. You may modify your copy or copies of the Program or any portion
of it, thus forming a work based on the Program, and copy and
distribute such modifications or work under the terms of Section 1
above, provided that you also meet all of these conditions:
a) You must cause the modified files to carry prominent notices
stating that you changed the files and the date of any change.
b) You must cause any work that you distribute or publish, that in
whole or in part contains or is derived from the Program or any
part thereof, to be licensed as a whole at no charge to all third
parties under the terms of this License.
c) If the modified program normally reads commands interactively
when run, you must cause it, when started running for such
interactive use in the most ordinary way, to print or display an
announcement including an appropriate copyright notice and a
notice that there is no warranty (or else, saying that you provide
a warranty) and that users may redistribute the program under
these conditions, and telling the user how to view a copy of this
License. (Exception: if the Program itself is interactive but
does not normally print such an announcement, your work based on
the Program is not required to print an announcement.)
These requirements apply to the modified work as a whole. If
identifiable sections of that work are not derived from the Program,
and can be reasonably considered independent and separate works in
themselves, then this License, and its terms, do not apply to those
sections when you distribute them as separate works. But when you
distribute the same sections as part of a whole which is a work based
on the Program, the distribution of the whole must be on the terms of
this License, whose permissions for other licensees extend to the
entire whole, and thus to each and every part regardless of who wrote it.
Thus, it is not the intent of this section to claim rights or contest
your rights to work written entirely by you; rather, the intent is to
exercise the right to control the distribution of derivative or
collective works based on the Program.
In addition, mere aggregation of another work not based on the Program
with the Program (or with a work based on the Program) on a volume of
a storage or distribution medium does not bring the other work under
the scope of this License.
3. You may copy and distribute the Program (or a work based on it,
under Section 2) in object code or executable form under the terms of
Sections 1 and 2 above provided that you also do one of the following:
a) Accompany it with the complete corresponding machine-readable
source code, which must be distributed under the terms of Sections
1 and 2 above on a medium customarily used for software interchange; or,
b) Accompany it with a written offer, valid for at least three
years, to give any third party, for a charge no more than your
cost of physically performing source distribution, a complete
machine-readable copy of the corresponding source code, to be
distributed under the terms of Sections 1 and 2 above on a medium
customarily used for software interchange; or,
c) Accompany it with the information you received as to the offer
to distribute corresponding source code. (This alternative is
allowed only for noncommercial distribution and only if you
received the program in object code or executable form with such
an offer, in accord with Subsection b above.)
The source code for a work means the preferred form of the work for
making modifications to it. For an executable work, complete source
code means all the source code for all modules it contains, plus any
associated interface definition files, plus the scripts used to
control compilation and installation of the executable. However, as a
special exception, the source code distributed need not include
anything that is normally distributed (in either source or binary
form) with the major components (compiler, kernel, and so on) of the
operating system on which the executable runs, unless that component
itself accompanies the executable.
If distribution of executable or object code is made by offering
access to copy from a designated place, then offering equivalent
access to copy the source code from the same place counts as
distribution of the source code, even though third parties are not
compelled to copy the source along with the object code.
4. You may not copy, modify, sublicense, or distribute the Program
except as expressly provided under this License. Any attempt
otherwise to copy, modify, sublicense or distribute the Program is
void, and will automatically terminate your rights under this License.
However, parties who have received copies, or rights, from you under
this License will not have their licenses terminated so long as such
parties remain in full compliance.
5. You are not required to accept this License, since you have not
signed it. However, nothing else grants you permission to modify or
distribute the Program or its derivative works. These actions are
prohibited by law if you do not accept this License. Therefore, by
modifying or distributing the Program (or any work based on the
Program), you indicate your acceptance of this License to do so, and
all its terms and conditions for copying, distributing or modifying
the Program or works based on it.
6. Each time you redistribute the Program (or any work based on the
Program), the recipient automatically receives a license from the
original licensor to copy, distribute or modify the Program subject to
these terms and conditions. You may not impose any further
restrictions on the recipients' exercise of the rights granted herein.
You are not responsible for enforcing compliance by third parties to
this License.
7. If, as a consequence of a court judgment or allegation of patent
infringement or for any other reason (not limited to patent issues),
conditions are imposed on you (whether by court order, agreement or
otherwise) that contradict the conditions of this License, they do not
excuse you from the conditions of this License. If you cannot
distribute so as to satisfy simultaneously your obligations under this
License and any other pertinent obligations, then as a consequence you
may not distribute the Program at all. For example, if a patent
license would not permit royalty-free redistribution of the Program by
all those who receive copies directly or indirectly through you, then
the only way you could satisfy both it and this License would be to
refrain entirely from distribution of the Program.
If any portion of this section is held invalid or unenforceable under
any particular circumstance, the balance of the section is intended to
apply and the section as a whole is intended to apply in other
circumstances.
It is not the purpose of this section to induce you to infringe any
patents or other property right claims or to contest validity of any
such claims; this section has the sole purpose of protecting the
integrity of the free software distribution system, which is
implemented by public license practices. Many people have made
generous contributions to the wide range of software distributed
through that system in reliance on consistent application of that
system; it is up to the author/donor to decide if he or she is willing
to distribute software through any other system and a licensee cannot
impose that choice.
This section is intended to make thoroughly clear what is believed to
be a consequence of the rest of this License.
8. If the distribution and/or use of the Program is restricted in
certain countries either by patents or by copyrighted interfaces, the
original copyright holder who places the Program under this License
may add an explicit geographical distribution limitation excluding
those countries, so that distribution is permitted only in or among
countries not thus excluded. In such case, this License incorporates
the limitation as if written in the body of this License.
9. The Free Software Foundation may publish revised and/or new versions
of the General Public License from time to time. Such new versions will
be similar in spirit to the present version, but may differ in detail to
address new problems or concerns.
Each version is given a distinguishing version number. If the Program
specifies a version number of this License which applies to it and "any
later version", you have the option of following the terms and conditions
either of that version or of any later version published by the Free
Software Foundation. If the Program does not specify a version number of
this License, you may choose any version ever published by the Free Software
Foundation.
10. If you wish to incorporate parts of the Program into other free
programs whose distribution conditions are different, write to the author
to ask for permission. For software which is copyrighted by the Free
Software Foundation, write to the Free Software Foundation; we sometimes
make exceptions for this. Our decision will be guided by the two goals
of preserving the free status of all derivatives of our free software and
of promoting the sharing and reuse of software generally.
NO WARRANTY
11. BECAUSE THE PROGRAM IS LICENSED FREE OF CHARGE, THERE IS NO WARRANTY
FOR THE PROGRAM, TO THE EXTENT PERMITTED BY APPLICABLE LAW. EXCEPT WHEN
OTHERWISE STATED IN WRITING THE COPYRIGHT HOLDERS AND/OR OTHER PARTIES
PROVIDE THE PROGRAM "AS IS" WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESSED
OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. THE ENTIRE RISK AS
TO THE QUALITY AND PERFORMANCE OF THE PROGRAM IS WITH YOU. SHOULD THE
PROGRAM PROVE DEFECTIVE, YOU ASSUME THE COST OF ALL NECESSARY SERVICING,
REPAIR OR CORRECTION.
12. IN NO EVENT UNLESS REQUIRED BY APPLICABLE LAW OR AGREED TO IN WRITING
WILL ANY COPYRIGHT HOLDER, OR ANY OTHER PARTY WHO MAY MODIFY AND/OR
REDISTRIBUTE THE PROGRAM AS PERMITTED ABOVE, BE LIABLE TO YOU FOR DAMAGES,
INCLUDING ANY GENERAL, SPECIAL, INCIDENTAL OR CONSEQUENTIAL DAMAGES ARISING
OUT OF THE USE OR INABILITY TO USE THE PROGRAM (INCLUDING BUT NOT LIMITED
TO LOSS OF DATA OR DATA BEING RENDERED INACCURATE OR LOSSES SUSTAINED BY
YOU OR THIRD PARTIES OR A FAILURE OF THE PROGRAM TO OPERATE WITH ANY OTHER
PROGRAMS), EVEN IF SUCH HOLDER OR OTHER PARTY HAS BEEN ADVISED OF THE
POSSIBILITY OF SUCH DAMAGES.
END OF TERMS AND CONDITIONS
How to Apply These Terms to Your New Programs
If you develop a new program, and you want it to be of the greatest
possible use to the public, the best way to achieve this is to make it
free software which everyone can redistribute and change under these terms.
To do so, attach the following notices to the program. It is safest
to attach them to the start of each source file to most effectively
convey the exclusion of warranty; and each file should have at least
the "copyright" line and a pointer to where the full notice is found.
<one line to give the program's name and a brief idea of what it does.>
Copyright (C) <year> <name of author>
This program is free software; you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by
the Free Software Foundation; either version 2 of the License, or
(at your option) any later version.
This program is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
GNU General Public License for more details.
You should have received a copy of the GNU General Public License along
with this program; if not, write to the Free Software Foundation, Inc.,
51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
Also add information on how to contact you by electronic and paper mail.
If the program is interactive, make it output a short notice like this
when it starts in an interactive mode:
Gnomovision version 69, Copyright (C) year name of author
Gnomovision comes with ABSOLUTELY NO WARRANTY; for details type `show w'.
This is free software, and you are welcome to redistribute it
under certain conditions; type `show c' for details.
The hypothetical commands `show w' and `show c' should show the appropriate
parts of the General Public License. Of course, the commands you use may
be called something other than `show w' and `show c'; they could even be
mouse-clicks or menu items--whatever suits your program.
You should also get your employer (if you work as a programmer) or your
school, if any, to sign a "copyright disclaimer" for the program, if
necessary. Here is a sample; alter the names:
Yoyodyne, Inc., hereby disclaims all copyright interest in the program
`Gnomovision' (which makes passes at compilers) written by James Hacker.
<signature of Ty Coon>, 1 April 1989
Ty Coon, President of Vice
This General Public License does not permit incorporating your program into
proprietary programs. If your program is a subroutine library, you may
consider it more useful to permit linking proprietary applications with the
library. If this is what you want to do, use the GNU Lesser General
Public License instead of this License.

5
other.pamd Normal file
View File

@ -0,0 +1,5 @@
#%PAM-1.0
auth required pam_deny.so
account required pam_deny.so
password required pam_deny.so
session required pam_deny.so

20
pam-1.1.6-limits-user.patch Normal file
View File

@ -0,0 +1,20 @@
diff -up Linux-PAM-1.1.6/modules/pam_limits/limits.conf.limits Linux-PAM-1.1.6/modules/pam_limits/limits.conf
--- Linux-PAM-1.1.6/modules/pam_limits/limits.conf.limits 2012-08-15 13:08:43.000000000 +0200
+++ Linux-PAM-1.1.6/modules/pam_limits/limits.conf 2013-03-14 16:43:37.615087671 +0100
@@ -1,5 +1,16 @@
# /etc/security/limits.conf
#
+#This file sets the resource limits for the users logged in via PAM.
+#It does not affect resource limits of the system services.
+#
+#Also note that configuration files in /etc/security/limits.d directory,
+#which are read in alphabetical order, override the settings in this
+#file in case the domain is the same or more specific.
+#That means for example that setting a limit for wildcard domain here
+#can be overriden with a wildcard setting in a config file in the
+#subdirectory, but a user specific setting here can be overriden only
+#with a user specific setting in the subdirectory.
+#
#Each line describes a limit for a user in the form:
#
#<domain> <type> <item> <value>

31
pam-1.1.8-audit-user-mgmt.patch Normal file
View File

@ -0,0 +1,31 @@
diff -up Linux-PAM-1.1.8/modules/pam_tally2/pam_tally2.c.audit-user-mgmt Linux-PAM-1.1.8/modules/pam_tally2/pam_tally2.c
--- Linux-PAM-1.1.8/modules/pam_tally2/pam_tally2.c.audit-user-mgmt 2013-06-18 16:11:21.000000000 +0200
+++ Linux-PAM-1.1.8/modules/pam_tally2/pam_tally2.c 2014-10-17 12:09:12.965490940 +0200
@@ -997,9 +997,9 @@ main( int argc UNUSED, char **argv )
#ifdef HAVE_LIBAUDIT
char buf[64];
int audit_fd = audit_open();
- snprintf(buf, sizeof(buf), "pam_tally2 uid=%u reset=%hu", uid, cline_reset);
- audit_log_user_message(audit_fd, AUDIT_USER_ACCT,
- buf, NULL, NULL, ttyname(STDIN_FILENO), 1);
+ snprintf(buf, sizeof(buf), "pam_tally2 reset=%hu", cline_reset);
+ audit_log_acct_message(audit_fd, AUDIT_USER_MGMT, NULL,
+ buf, NULL, uid, NULL, NULL, ttyname(STDIN_FILENO), 1);
if (audit_fd >=0)
close(audit_fd);
#endif
@@ -1040,11 +1040,10 @@ main( int argc UNUSED, char **argv )
}
else if ( !cline_reset ) {
#ifdef HAVE_LIBAUDIT
- char buf[64];
int audit_fd = audit_open();
- snprintf(buf, sizeof(buf), "pam_tally2 uid=all reset=0");
- audit_log_user_message(audit_fd, AUDIT_USER_ACCT,
- buf, NULL, NULL, ttyname(STDIN_FILENO), 1);
+ audit_log_acct_message(audit_fd, AUDIT_USER_MGMT, NULL,
+ "pam_tally2-reset-all-accts reset=0", "*", -1,
+ NULL, NULL, ttyname(STDIN_FILENO), 1);
if (audit_fd >=0)
close(audit_fd);
#endif

16
pam-1.3.0-unix-nomsg.patch Normal file
View File

@ -0,0 +1,16 @@
diff -up Linux-PAM-1.3.0/modules/pam_unix/pam_unix_passwd.c.nomsg Linux-PAM-1.3.0/modules/pam_unix/pam_unix_passwd.c
--- Linux-PAM-1.3.0/modules/pam_unix/pam_unix_passwd.c.nomsg 2016-04-11 13:08:47.000000000 +0200
+++ Linux-PAM-1.3.0/modules/pam_unix/pam_unix_passwd.c 2017-04-20 16:51:24.853106709 +0200
@@ -687,12 +687,6 @@ pam_sm_chauthtok(pam_handle_t *pamh, int
return PAM_SUCCESS;
} else if (off(UNIX__IAMROOT, ctrl) ||
(on(UNIX_NIS, ctrl) && _unix_comesfromsource(pamh, user, 0, 1))) {
- /* instruct user what is happening */
- if (off(UNIX__QUIET, ctrl)) {
- retval = pam_info(pamh, _("Changing password for %s."), user);
- if (retval != PAM_SUCCESS)
- return retval;
- }
retval = pam_get_authtok(pamh, PAM_OLDAUTHTOK, &pass_old, NULL);
if (retval != PAM_SUCCESS) {

50
pam-1.3.1-faillock-change-file-permissions.patch Normal file
View File

@ -0,0 +1,50 @@
From 395915dae1571e10e2766c999974de864655ea3a Mon Sep 17 00:00:00 2001
From: ikerexxe <ipedrosa@redhat.com>
Date: Mon, 15 Jun 2020 09:52:11 +0200
Subject: [PATCH] pam_faillock: change /run/faillock/$USER permissions to 0660
Nowadays, /run/faillock/$USER files have user:root ownership and 0600
permissions. This forces the process that writes to these files to have
CAP_DAC_OVERRIDE capabilites. Just by changing the permissions to 0660
the capability can be removed, which leads to a more secure system.
Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=1661822
---
modules/pam_faillock/faillock.c | 14 +++++++++++++-
1 file changed, 13 insertions(+), 1 deletion(-)
diff --git a/modules/pam_faillock/faillock.c b/modules/pam_faillock/faillock.c
index e492f5f9..4ea94cbe 100644
--- a/modules/pam_faillock/faillock.c
+++ b/modules/pam_faillock/faillock.c
@@ -76,7 +76,7 @@ open_tally (const char *dir, const char *user, uid_t uid, int create)
flags |= O_CREAT;
}
- fd = open(path, flags, 0600);
+ fd = open(path, flags, 0660);
free(path);
@@ -88,6 +88,18 @@ open_tally (const char *dir, const char *user, uid_t uid, int create)
if (st.st_uid != uid) {
ignore_return(fchown(fd, uid, -1));
}
+
+ /*
+ * If umask is set to 022, as will probably in most systems, then the
+ * group will not be able to write to the file. So, change the file
+ * permissions just in case.
+ * Note: owners of this file are user:root, so if the permissions are
+ * not changed the root process writing to this file will require
+ * CAP_DAC_OVERRIDE.
+ */
+ if (!(st.st_mode & S_IWGRP)) {
+ ignore_return(fchmod(fd, 0660));
+ }
}
}
--
2.26.2

131
pam-1.4.0-coverity.patch Normal file
View File

@ -0,0 +1,131 @@
diff -up Linux-PAM-1.4.0/libpam_misc/misc_conv.c.coverity Linux-PAM-1.4.0/libpam_misc/misc_conv.c
--- Linux-PAM-1.4.0/libpam_misc/misc_conv.c.coverity 2020-06-08 12:17:27.000000000 +0200
+++ Linux-PAM-1.4.0/libpam_misc/misc_conv.c 2020-06-23 10:19:32.999827223 +0200
@@ -211,7 +211,7 @@ static int read_string(int echo, const c
line[nc] = '\0';
}
*retstr = strdup(line);
- _pam_overwrite(line);
+ _pam_overwrite_n(line, sizeof(line));
if (!*retstr) {
D(("no memory for response string"));
nc = -1;
@@ -244,7 +244,7 @@ static int read_string(int echo, const c
D(("the timer appears to have expired"));
*retstr = NULL;
- _pam_overwrite(line);
+ _pam_overwrite_n(line, sizeof(line));
cleanexit:
diff -up Linux-PAM-1.4.0/libpam/pam_handlers.c.coverity Linux-PAM-1.4.0/libpam/pam_handlers.c
diff -up Linux-PAM-1.4.0/modules/pam_access/pam_access.c.coverity Linux-PAM-1.4.0/modules/pam_access/pam_access.c
--- Linux-PAM-1.4.0/modules/pam_access/pam_access.c.coverity 2020-06-23 10:19:32.999827223 +0200
+++ Linux-PAM-1.4.0/modules/pam_access/pam_access.c 2020-06-23 10:21:17.113398827 +0200
@@ -811,7 +811,7 @@ pam_sm_authenticate (pam_handle_t *pamh,
const char *user=NULL;
const void *void_from=NULL;
const char *from;
- const char *default_config = PAM_ACCESS_CONFIG;
+ const char * const default_config = PAM_ACCESS_CONFIG;
struct passwd *user_pw;
char hostname[MAXHOSTNAMELEN + 1];
int rv;
diff -up Linux-PAM-1.4.0/modules/pam_limits/pam_limits.c.coverity Linux-PAM-1.4.0/modules/pam_limits/pam_limits.c
--- Linux-PAM-1.4.0/modules/pam_limits/pam_limits.c.coverity 2020-06-08 12:17:27.000000000 +0200
+++ Linux-PAM-1.4.0/modules/pam_limits/pam_limits.c 2020-06-23 10:22:40.357855843 +0200
@@ -342,7 +342,7 @@ static const char *lnames[RLIM_NLIMITS]
#endif
};
-static int str2rlimit(char *name) {
+static int str2rlimit(const char *name) {
int i;
if (!name || *name == '\0')
return -1;
@@ -352,7 +352,7 @@ static int str2rlimit(char *name) {
return -1;
}
-static rlim_t str2rlim_t(char *value) {
+static rlim_t str2rlim_t(const char *value) {
unsigned long long rlimit = 0;
if (!value) return (rlim_t)rlimit;
@@ -384,7 +384,7 @@ static void parse_kernel_limits(pam_hand
FILE *limitsfile;
const char *proclimits = "/proc/1/limits";
char line[256];
- char *hard, *soft, *name;
+ const char *hard, *soft, *name;
if (!(limitsfile = fopen(proclimits, "r"))) {
pam_syslog(pamh, LOG_WARNING, "Could not read %s (%s), using PAM defaults", proclimits, strerror(errno));
diff -up Linux-PAM-1.4.0/modules/pam_loginuid/pam_loginuid.c.coverity Linux-PAM-1.4.0/modules/pam_loginuid/pam_loginuid.c
--- Linux-PAM-1.4.0/modules/pam_loginuid/pam_loginuid.c.coverity 2020-06-08 12:17:27.000000000 +0200
+++ Linux-PAM-1.4.0/modules/pam_loginuid/pam_loginuid.c 2020-06-23 10:19:32.999827223 +0200
@@ -65,7 +65,7 @@ static int set_loginuid(pam_handle_t *pa
fd = open("/proc/self/uid_map", O_RDONLY);
if (fd >= 0) {
count = pam_modutil_read(fd, uid_map, sizeof(uid_map));
- if (strncmp(uid_map, host_uid_map, count) != 0)
+ if (count <= 0 || strncmp(uid_map, host_uid_map, count) != 0)
rc = PAM_IGNORE;
close(fd);
}
diff -up Linux-PAM-1.4.0/modules/pam_mkhomedir/mkhomedir_helper.c.coverity Linux-PAM-1.4.0/modules/pam_mkhomedir/mkhomedir_helper.c
--- Linux-PAM-1.4.0/modules/pam_mkhomedir/mkhomedir_helper.c.coverity 2020-06-08 12:17:27.000000000 +0200
+++ Linux-PAM-1.4.0/modules/pam_mkhomedir/mkhomedir_helper.c 2020-06-23 10:19:33.000827228 +0200
@@ -232,6 +232,8 @@ create_homedir(const struct passwd *pwd,
{
pam_syslog(NULL, LOG_DEBUG,
"unable to open or stat src file %s: %m", newsource);
+ if (srcfd >= 0)
+ close(srcfd);
closedir(d);
#ifndef PATH_MAX
diff -up Linux-PAM-1.4.0/modules/pam_namespace/pam_namespace.c.coverity Linux-PAM-1.4.0/modules/pam_namespace/pam_namespace.c
--- Linux-PAM-1.4.0/modules/pam_namespace/pam_namespace.c.coverity 2020-06-08 12:17:27.000000000 +0200
+++ Linux-PAM-1.4.0/modules/pam_namespace/pam_namespace.c 2020-06-23 10:19:33.000827228 +0200
@@ -1488,6 +1488,7 @@ static int create_instance(struct polydi
if (fstat(fd, &newstatbuf) < 0) {
pam_syslog(idata->pamh, LOG_ERR, "Error stating %s, %m",
ipath);
+ close(fd);
rmdir(ipath);
return PAM_SESSION_ERR;
}
diff -up Linux-PAM-1.4.0/modules/pam_rootok/pam_rootok.c.coverity Linux-PAM-1.4.0/modules/pam_rootok/pam_rootok.c
--- Linux-PAM-1.4.0/modules/pam_rootok/pam_rootok.c.coverity 2020-06-08 12:17:27.000000000 +0200
+++ Linux-PAM-1.4.0/modules/pam_rootok/pam_rootok.c 2020-06-23 10:26:21.405069413 +0200
@@ -55,15 +55,17 @@ log_callback (int type UNUSED, const cha
int audit_fd;
va_list ap;
- va_start(ap, fmt);
#ifdef HAVE_LIBAUDIT
audit_fd = audit_open();
if (audit_fd >= 0) {
char *buf;
+ int ret;
- if (vasprintf (&buf, fmt, ap) < 0) {
- va_end(ap);
+ va_start(ap, fmt);
+ ret = vasprintf (&buf, fmt, ap);
+ va_end(ap);
+ if (ret < 0) {
return 0;
}
audit_log_user_avc_message(audit_fd, AUDIT_USER_AVC, buf, NULL, NULL,
@@ -75,6 +77,7 @@ log_callback (int type UNUSED, const cha
}
#endif
+ va_start(ap, fmt);
vsyslog (LOG_USER | LOG_INFO, fmt, ap);
va_end(ap);
return 0;

123
pam-1.4.0-determine-user-exists.patch Normal file
View File

@ -0,0 +1,123 @@
From af0faf666c5008e54dfe43684f210e3581ff1bca Mon Sep 17 00:00:00 2001
From: ikerexxe <ipedrosa@redhat.com>
Date: Tue, 16 Jun 2020 14:32:36 +0200
Subject: [PATCH 1/2] pam_unix: avoid determining if user exists
Taking a look at the time for the password prompt to appear it was
possible to determine if a user existed in a system. Solved it by
matching the runtime until the password prompt was shown by always
checking the password hash for an existing and a non-existing user.
Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=1629598
---
modules/pam_unix/passverify.c | 6 ++++++
modules/pam_unix/support.c | 33 ++++++++++++++++++++++++++-------
2 files changed, 32 insertions(+), 7 deletions(-)
diff --git a/modules/pam_unix/passverify.c b/modules/pam_unix/passverify.c
index a571b4f7..7455eae6 100644
--- a/modules/pam_unix/passverify.c
+++ b/modules/pam_unix/passverify.c
@@ -1096,6 +1096,12 @@ helper_verify_password(const char *name, const char *p, int nullok)
if (pwd == NULL || hash == NULL) {
helper_log_err(LOG_NOTICE, "check pass; user unknown");
retval = PAM_USER_UNKNOWN;
+ } else if (p[0] == '\0' && nullok) {
+ if (hash[0] == '\0') {
+ retval = PAM_SUCCESS;
+ } else {
+ retval = PAM_AUTH_ERR;
+ }
} else {
retval = verify_pwd_hash(p, hash, nullok);
}
diff --git a/modules/pam_unix/support.c b/modules/pam_unix/support.c
index 41db1f04..dc67238c 100644
--- a/modules/pam_unix/support.c
+++ b/modules/pam_unix/support.c
@@ -601,6 +601,8 @@ _unix_blankpasswd (pam_handle_t *pamh, unsigned long long ctrl, const char *name
char *salt = NULL;
int daysleft;
int retval;
+ int execloop = 1;
+ int nonexistent = 1;
D(("called"));
@@ -624,14 +626,31 @@ _unix_blankpasswd (pam_handle_t *pamh, unsigned long long ctrl, const char *name
/* UNIX passwords area */
- retval = get_pwd_hash(pamh, name, &pwd, &salt);
+ /*
+ * Execute this loop twice: one checking the password hash of an existing
+ * user and another one for a non-existing user. This way the runtimes
+ * are equal, making it more difficult to differentiate existing from
+ * non-existing users.
+ */
+ while (execloop) {
+ retval = get_pwd_hash(pamh, name, &pwd, &salt);
- if (retval == PAM_UNIX_RUN_HELPER) {
- /* salt will not be set here so we can return immediately */
- if (_unix_run_helper_binary(pamh, NULL, ctrl, name) == PAM_SUCCESS)
- return 1;
- else
- return 0;
+ if (retval == PAM_UNIX_RUN_HELPER) {
+ execloop = 0;
+ if(nonexistent) {
+ get_pwd_hash(pamh, "pam_unix_non_existent:", &pwd, &salt);
+ }
+ /* salt will not be set here so we can return immediately */
+ if (_unix_run_helper_binary(pamh, NULL, ctrl, name) == PAM_SUCCESS)
+ return 1;
+ else
+ return 0;
+ } else if (retval == PAM_USER_UNKNOWN) {
+ name = "root";
+ nonexistent = 0;
+ } else {
+ execloop = 0;
+ }
}
/* Does this user have a password? */
--
2.26.2
From 0e9b286afe1224b91ff00936058b084ad4b776e4 Mon Sep 17 00:00:00 2001
From: ikerexxe <ipedrosa@redhat.com>
Date: Tue, 16 Jun 2020 14:44:04 +0200
Subject: [PATCH 2/2] pam_usertype: avoid determining if user exists
Taking a look at the time for the password prompt to appear it was
possible to determine if a user existed in a system. Solved it by
matching the runtime until the password prompt was shown by always
checking the password hash for an existing and a non-existing user.
Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=1629598
---
modules/pam_usertype/pam_usertype.c | 3 +++
1 file changed, 3 insertions(+)
diff --git a/modules/pam_usertype/pam_usertype.c b/modules/pam_usertype/pam_usertype.c
index 2807c306..d03b73b5 100644
--- a/modules/pam_usertype/pam_usertype.c
+++ b/modules/pam_usertype/pam_usertype.c
@@ -139,8 +139,11 @@ pam_usertype_get_uid(struct pam_usertype_opts *opts,
"error retrieving information about user %s", username);
}
+ pam_modutil_getpwnam(pamh, "root");
+
return PAM_USER_UNKNOWN;
}
+ pam_modutil_getpwnam(pamh, "pam_usertype_non_existent:");
*_uid = pwd->pw_uid;
--
2.26.2

67
pam-1.4.0-full-relro.patch Normal file
View File

@ -0,0 +1,67 @@
diff -up Linux-PAM-1.4.0/modules/pam_filter/upperLOWER/Makefile.am.relro Linux-PAM-1.4.0/modules/pam_filter/upperLOWER/Makefile.am
--- Linux-PAM-1.4.0/modules/pam_filter/upperLOWER/Makefile.am.relro 2020-06-22 13:06:45.397887922 +0200
+++ Linux-PAM-1.4.0/modules/pam_filter/upperLOWER/Makefile.am 2020-06-22 13:11:50.898150263 +0200
@@ -9,7 +9,7 @@ securelibfilterdir = $(SECUREDIR)/pam_fi
AM_CFLAGS = -I$(top_srcdir)/libpam/include -I$(top_srcdir)/libpamc/include \
-I$(srcdir)/.. @PIE_CFLAGS@ $(WARN_CFLAGS)
-AM_LDFLAGS = @PIE_LDFLAGS@
+AM_LDFLAGS = -Wl,-z,now @PIE_LDFLAGS@
LDADD = $(top_builddir)/libpam/libpam.la
securelibfilter_PROGRAMS = upperLOWER
diff -up Linux-PAM-1.4.0/modules/pam_mkhomedir/Makefile.am.relro Linux-PAM-1.4.0/modules/pam_mkhomedir/Makefile.am
--- Linux-PAM-1.4.0/modules/pam_mkhomedir/Makefile.am.relro 2020-06-22 13:06:45.397887922 +0200
+++ Linux-PAM-1.4.0/modules/pam_mkhomedir/Makefile.am 2020-06-22 13:11:57.015235608 +0200
@@ -31,6 +31,8 @@ endif
sbin_PROGRAMS = mkhomedir_helper
mkhomedir_helper_SOURCES = mkhomedir_helper.c
+mkhomedir_helper_CFLAGS = $(AM_CFLAGS) @PIE_CFLAGS@
+mkhomedir_helper_LDFLAGS = -Wl,-z,now @PIE_LDFLAGS@
mkhomedir_helper_LDADD = $(top_builddir)/libpam/libpam.la
check_PROGRAMS = tst-pam_mkhomedir-retval
diff -up Linux-PAM-1.4.0/modules/pam_tally2/Makefile.am.relro Linux-PAM-1.4.0/modules/pam_tally2/Makefile.am
--- Linux-PAM-1.4.0/modules/pam_tally2/Makefile.am.relro 2020-06-08 12:17:27.000000000 +0200
+++ Linux-PAM-1.4.0/modules/pam_tally2/Makefile.am 2020-06-22 13:06:45.398887936 +0200
@@ -29,6 +29,8 @@ if HAVE_VERSIONING
pam_tally2_la_LDFLAGS += -Wl,--version-script=$(srcdir)/../modules.map
endif
+pam_tally2_CFLAGS = $(AM_CFLAGS) @PIE_CFLAGS@
+pam_tally2_LDFLAGS = -Wl,-z,now @PIE_LDFLAGS@
pam_tally2_LDADD = $(top_builddir)/libpam/libpam.la $(LIBAUDIT)
securelib_LTLIBRARIES = pam_tally2.la
diff -up Linux-PAM-1.4.0/modules/pam_timestamp/Makefile.am.relro Linux-PAM-1.4.0/modules/pam_timestamp/Makefile.am
--- Linux-PAM-1.4.0/modules/pam_timestamp/Makefile.am.relro 2020-06-08 12:17:27.000000000 +0200
+++ Linux-PAM-1.4.0/modules/pam_timestamp/Makefile.am 2020-06-22 13:06:45.398887936 +0200
@@ -38,7 +38,7 @@ pam_timestamp_la_CFLAGS = $(AM_CFLAGS)
pam_timestamp_check_SOURCES = pam_timestamp_check.c
pam_timestamp_check_CFLAGS = $(AM_CFLAGS) @PIE_CFLAGS@
pam_timestamp_check_LDADD = $(top_builddir)/libpam/libpam.la
-pam_timestamp_check_LDFLAGS = @PIE_LDFLAGS@
+pam_timestamp_check_LDFLAGS = -Wl,-z,now @PIE_LDFLAGS@
hmacfile_SOURCES = hmacfile.c hmacsha1.c sha1.c
hmacfile_LDADD = $(top_builddir)/libpam/libpam.la
diff -up Linux-PAM-1.4.0/modules/pam_unix/Makefile.am.relro Linux-PAM-1.4.0/modules/pam_unix/Makefile.am
--- Linux-PAM-1.4.0/modules/pam_unix/Makefile.am.relro 2020-06-08 12:17:27.000000000 +0200
+++ Linux-PAM-1.4.0/modules/pam_unix/Makefile.am 2020-06-22 13:06:45.398887936 +0200
@@ -48,13 +48,13 @@ bigcrypt_LDADD = @LIBCRYPT@
unix_chkpwd_SOURCES = unix_chkpwd.c md5_good.c md5_broken.c bigcrypt.c \
passverify.c
unix_chkpwd_CFLAGS = $(AM_CFLAGS) @PIE_CFLAGS@ -DHELPER_COMPILE=\"unix_chkpwd\"
-unix_chkpwd_LDFLAGS = @PIE_LDFLAGS@
+unix_chkpwd_LDFLAGS = -Wl,-z,now @PIE_LDFLAGS@
unix_chkpwd_LDADD = @LIBCRYPT@ @LIBSELINUX@ @LIBAUDIT@
unix_update_SOURCES = unix_update.c md5_good.c md5_broken.c bigcrypt.c \
passverify.c
unix_update_CFLAGS = $(AM_CFLAGS) @PIE_CFLAGS@ -DHELPER_COMPILE=\"unix_update\"
-unix_update_LDFLAGS = @PIE_LDFLAGS@
+unix_update_LDFLAGS = -Wl,-z,now @PIE_LDFLAGS@
unix_update_LDADD = @LIBCRYPT@ @LIBSELINUX@
if ENABLE_REGENERATE_MAN

186
pam-1.4.0-motd-filter-files.patch Normal file
View File

@ -0,0 +1,186 @@
From 16cebfeb30a8bd7c7dc269190a054c25b0f8d044 Mon Sep 17 00:00:00 2001
From: ikerexxe <ipedrosa@redhat.com>
Date: Tue, 15 Sep 2020 15:54:10 +0200
Subject: [PATCH 1/2] pam_motd: filter motd by user and group
modules/pam_motd/pam_motd.c: filter motd by user and group owning the
proper files. This is achieved by changing the ids of the process
reading the files from root to the target user.
Resolves:
https://bugzilla.redhat.com/show_bug.cgi?id=1861640
---
modules/pam_motd/pam_motd.c | 97 ++++++++++++++++++++++++++++---------
1 file changed, 75 insertions(+), 22 deletions(-)
diff --git a/modules/pam_motd/pam_motd.c b/modules/pam_motd/pam_motd.c
index 46f4fe61..a4fd0e59 100644
--- a/modules/pam_motd/pam_motd.c
+++ b/modules/pam_motd/pam_motd.c
@@ -282,6 +282,72 @@ static void try_to_display_directories_with_overrides(pam_handle_t *pamh,
_pam_drop(dirscans);
}
+static int drop_privileges(pam_handle_t *pamh, struct pam_modutil_privs *privs)
+{
+ struct passwd *pw;
+ const char *username;
+ int retval;
+
+ retval = pam_get_user(pamh, &username, "key user");
+
+ if (retval == PAM_SUCCESS) {
+ pw = pam_modutil_getpwnam (pamh, username);
+ } else {
+ return PAM_SESSION_ERR;
+ }
+
+ if (pw == NULL || pam_modutil_drop_priv(pamh, privs, pw)) {
+ return PAM_SESSION_ERR;
+ }
+
+ return PAM_SUCCESS;
+}
+
+static int try_to_display(pam_handle_t *pamh, char **motd_path_split,
+ unsigned int num_motd_paths,
+ char **motd_dir_path_split,
+ unsigned int num_motd_dir_paths, int report_missing)
+{
+ PAM_MODUTIL_DEF_PRIVS(privs);
+
+ if (drop_privileges(pamh, &privs) != PAM_SUCCESS) {
+ pam_syslog(pamh, LOG_ERR, "Unable to drop privileges");
+ return PAM_SESSION_ERR;
+ }
+
+ if (motd_path_split != NULL) {
+ unsigned int i;
+
+ for (i = 0; i < num_motd_paths; i++) {
+ int fd = open(motd_path_split[i], O_RDONLY, 0);
+
+ if (fd >= 0) {
+ try_to_display_fd(pamh, fd);
+ close(fd);
+
+ /* We found and displayed a file,
+ * move onto next filename.
+ */
+ break;
+ }
+ }
+ }
+
+ if (motd_dir_path_split != NULL) {
+ try_to_display_directories_with_overrides(pamh,
+ motd_dir_path_split,
+ num_motd_dir_paths,
+ report_missing);
+ }
+
+ if (pam_modutil_regain_priv(pamh, &privs)) {
+ pam_syslog(pamh, LOG_ERR, "Unable to regain privileges");
+ return PAM_SESSION_ERR;
+ }
+
+ return PAM_SUCCESS;
+}
+
int pam_sm_open_session(pam_handle_t *pamh, int flags,
int argc, const char **argv)
{
@@ -358,25 +424,9 @@ int pam_sm_open_session(pam_handle_t *pamh, int flags,
}
}
- if (motd_path_split != NULL) {
- unsigned int i;
-
- for (i = 0; i < num_motd_paths; i++) {
- int fd = open(motd_path_split[i], O_RDONLY, 0);
-
- if (fd >= 0) {
- try_to_display_fd(pamh, fd);
- close(fd);
-
- /* We found and displayed a file, move onto next filename. */
- break;
- }
- }
- }
-
- if (motd_dir_path_split != NULL)
- try_to_display_directories_with_overrides(pamh, motd_dir_path_split,
- num_motd_dir_paths, report_missing);
+ retval = try_to_display(pamh, motd_path_split, num_motd_paths,
+ motd_dir_path_split, num_motd_dir_paths,
+ report_missing);
out:
_pam_drop(motd_path_copy);
@@ -384,9 +434,12 @@ int pam_sm_open_session(pam_handle_t *pamh, int flags,
_pam_drop(motd_dir_path_copy);
_pam_drop(motd_dir_path_split);
- retval = pam_putenv(pamh, "MOTD_SHOWN=pam");
-
- return retval == PAM_SUCCESS ? PAM_IGNORE : retval;
+ if (retval == PAM_SUCCESS) {
+ retval = pam_putenv(pamh, "MOTD_SHOWN=pam");
+ return retval == PAM_SUCCESS ? PAM_IGNORE : retval;
+ } else {
+ return retval;
+ }
}
/* end of module definition */
--
2.26.2
From ad8b6feaf8ea989368676acaea905998a807986e Mon Sep 17 00:00:00 2001
From: ikerexxe <ipedrosa@redhat.com>
Date: Wed, 14 Oct 2020 11:30:00 +0200
Subject: [PATCH 2/2] pam_motd: document file filtering
modules/pam_motd/pam_motd.8.xml: document file filtering of motd
messages.
NEWS: annotate change.
---
NEWS | 3 +++
modules/pam_motd/pam_motd.8.xml | 5 +++--
2 files changed, 6 insertions(+), 2 deletions(-)
diff --git a/NEWS b/NEWS
index e8c0de87..c3b338e2 100644
--- a/NEWS
+++ b/NEWS
@@ -1,5 +1,8 @@
Linux-PAM NEWS -- history of user-visible changes.
+Release 1.5.0
+* pam_motd: read motd files with target user credentials skipping unreadable ones.
+
Release 1.4.0
* Multiple minor bug fixes and documentation improvements
* Fixed grammar of messages printed via pam_prompt
diff --git a/modules/pam_motd/pam_motd.8.xml b/modules/pam_motd/pam_motd.8.xml
index b533530b..0afd4c99 100644
--- a/modules/pam_motd/pam_motd.8.xml
+++ b/modules/pam_motd/pam_motd.8.xml
@@ -64,8 +64,9 @@
override files with the same name in <filename>/usr/lib/motd.d/</filename>.
</para>
<para>
- Files the in the directories listed above are displayed in
- lexicographic order by name.
+ Files in the directories listed above are displayed in lexicographic
+ order by name. Moreover, the files are filtered by reading them with the
+ credentials of the target user authenticating on the system.
</para>
<para>
To silence a message,
--
2.26.2

24
pam-1.4.0-noflex.patch Normal file
View File

@ -0,0 +1,24 @@
diff -up Linux-PAM-1.4.0/doc/Makefile.am.noflex Linux-PAM-1.4.0/doc/Makefile.am
--- Linux-PAM-1.4.0/doc/Makefile.am.noflex 2020-06-08 12:17:27.000000000 +0200
+++ Linux-PAM-1.4.0/doc/Makefile.am 2020-06-22 12:32:01.994741087 +0200
@@ -2,7 +2,7 @@
# Copyright (c) 2005, 2006 Thorsten Kukuk <kukuk@suse.de>
#
-SUBDIRS = man specs sag adg mwg
+SUBDIRS = man sag adg mwg
CLEANFILES = *~
diff -up Linux-PAM-1.4.0/Makefile.am.noflex Linux-PAM-1.4.0/Makefile.am
--- Linux-PAM-1.4.0/Makefile.am.noflex 2020-06-22 12:32:01.994741087 +0200
+++ Linux-PAM-1.4.0/Makefile.am 2020-06-22 12:39:36.932129391 +0200
@@ -4,7 +4,7 @@
AUTOMAKE_OPTIONS = 1.9 gnu dist-bzip2 dist-xz check-news
-SUBDIRS = libpam tests libpamc libpam_misc modules po conf examples xtests
+SUBDIRS = libpam tests libpamc libpam_misc modules po doc examples xtests
if HAVE_DOC
SUBDIRS += doc

15
pam-1.4.0-nouserenv.patch Normal file
View File

@ -0,0 +1,15 @@
diff -up Linux-PAM-1.4.0/modules/pam_env/pam_env.8.xml.nouserenv Linux-PAM-1.4.0/modules/pam_env/pam_env.8.xml
--- Linux-PAM-1.4.0/modules/pam_env/pam_env.8.xml.nouserenv 2020-06-22 13:00:37.480755648 +0200
+++ Linux-PAM-1.4.0/modules/pam_env/pam_env.8.xml 2020-06-22 13:05:06.038501660 +0200
@@ -158,7 +158,10 @@
<listitem>
<para>
Turns on or off the reading of the user specific environment
- file. 0 is off, 1 is on. By default this option is off.
+ file. 0 is off, 1 is on. By default this option is off as user
+ supplied environment variables in the PAM environment could affect
+ behavior of subsequent modules in the stack without the consent
+ of the system administrator.
</para>
</listitem>
</varlistentry>

808
pam-1.4.0-pwhistory-helper.patch Normal file
View File

@ -0,0 +1,808 @@
diff -up Linux-PAM-1.4.0/modules/pam_pwhistory/Makefile.am.pwhhelper Linux-PAM-1.4.0/modules/pam_pwhistory/Makefile.am
--- Linux-PAM-1.4.0/modules/pam_pwhistory/Makefile.am.pwhhelper 2020-06-08 12:17:27.000000000 +0200
+++ Linux-PAM-1.4.0/modules/pam_pwhistory/Makefile.am 2020-06-22 13:22:13.740840867 +0200
@@ -1,5 +1,6 @@
#
# Copyright (c) 2008, 2009 Thorsten Kukuk <kukuk@suse.de>
+# Copyright (c) 2013 Red Hat, Inc.
#
CLEANFILES = *~
@@ -8,9 +9,9 @@ MAINTAINERCLEANFILES = $(MANS) README
EXTRA_DIST = $(XMLS)
if HAVE_DOC
-dist_man_MANS = pam_pwhistory.8
+dist_man_MANS = pam_pwhistory.8 pwhistory_helper.8
endif
-XMLS = README.xml pam_pwhistory.8.xml
+XMLS = README.xml pam_pwhistory.8.xml pwhistory_helper.8.xml
dist_check_SCRIPTS = tst-pam_pwhistory
TESTS = $(dist_check_SCRIPTS)
@@ -18,18 +19,26 @@ securelibdir = $(SECUREDIR)
secureconfdir = $(SCONFIGDIR)
AM_CFLAGS = -I$(top_srcdir)/libpam/include -I$(top_srcdir)/libpamc/include \
- $(WARN_CFLAGS)
-AM_LDFLAGS = -no-undefined -avoid-version -module
+ $(WARN_CFLAGS) -DPWHISTORY_HELPER=\"$(sbindir)/pwhistory_helper\"
+
+pam_pwhistory_la_LDFLAGS = -no-undefined -avoid-version -module
if HAVE_VERSIONING
- AM_LDFLAGS += -Wl,--version-script=$(srcdir)/../modules.map
+ pam_pwhistory_la_LDFLAGS += -Wl,--version-script=$(srcdir)/../modules.map
endif
noinst_HEADERS = opasswd.h
securelib_LTLIBRARIES = pam_pwhistory.la
-pam_pwhistory_la_LIBADD = $(top_builddir)/libpam/libpam.la @LIBCRYPT@
+pam_pwhistory_la_CFLAGS = $(AM_CFLAGS)
+pam_pwhistory_la_LIBADD = $(top_builddir)/libpam/libpam.la @LIBCRYPT@ @LIBSELINUX@
pam_pwhistory_la_SOURCES = pam_pwhistory.c opasswd.c
+sbin_PROGRAMS = pwhistory_helper
+pwhistory_helper_CFLAGS = $(AM_CFLAGS) -DHELPER_COMPILE=\"pwhistory_helper\" @PIE_CFLAGS@
+pwhistory_helper_SOURCES = pwhistory_helper.c opasswd.c
+pwhistory_helper_LDFLAGS = -Wl,-z,now @PIE_LDFLAGS@
+pwhistory_helper_LDADD = $(top_builddir)/libpam/libpam.la @LIBCRYPT@
+
if ENABLE_REGENERATE_MAN
dist_noinst_DATA = README
-include $(top_srcdir)/Make.xml.rules
diff -up Linux-PAM-1.4.0/modules/pam_pwhistory/opasswd.c.pwhhelper Linux-PAM-1.4.0/modules/pam_pwhistory/opasswd.c
--- Linux-PAM-1.4.0/modules/pam_pwhistory/opasswd.c.pwhhelper 2020-06-08 12:17:27.000000000 +0200
+++ Linux-PAM-1.4.0/modules/pam_pwhistory/opasswd.c 2020-06-22 13:24:02.424365617 +0200
@@ -1,5 +1,6 @@
/*
* Copyright (c) 2008 Thorsten Kukuk <kukuk@suse.de>
+ * Copyright (c) 2013 Red Hat, Inc.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
@@ -38,6 +39,7 @@
#endif
#include <pwd.h>
+#include <shadow.h>
#include <time.h>
#include <ctype.h>
#include <errno.h>
@@ -47,6 +49,7 @@
#include <string.h>
#include <stdlib.h>
#include <syslog.h>
+#include <stdarg.h>
#include <sys/stat.h>
#if defined HAVE_LIBXCRYPT
@@ -55,7 +58,14 @@
#include <crypt.h>
#endif
+#ifdef HELPER_COMPILE
+#define pam_modutil_getpwnam(h,n) getpwnam(n)
+#define pam_modutil_getspnam(h,n) getspnam(n)
+#define pam_syslog(h,a,...) helper_log_err(a,__VA_ARGS__)
+#else
+#include <security/pam_modutil.h>
#include <security/pam_ext.h>
+#endif
#include <security/pam_modules.h>
#include "opasswd.h"
@@ -76,6 +86,19 @@ typedef struct {
char *old_passwords;
} opwd;
+#ifdef HELPER_COMPILE
+void
+helper_log_err(int err, const char *format, ...)
+{
+ va_list args;
+
+ va_start(args, format);
+ openlog(HELPER_COMPILE, LOG_CONS | LOG_PID, LOG_AUTHPRIV);
+ vsyslog(err, format, args);
+ va_end(args);
+ closelog();
+}
+#endif
static int
parse_entry (char *line, opwd *data)
@@ -117,8 +140,8 @@ compare_password(const char *newpass, co
}
/* Check, if the new password is already in the opasswd file. */
-int
-check_old_pass (pam_handle_t *pamh, const char *user,
+PAMH_ARG_DECL(int
+check_old_pass, const char *user,
const char *newpass, int debug)
{
int retval = PAM_SUCCESS;
@@ -128,6 +151,11 @@ check_old_pass (pam_handle_t *pamh, cons
opwd entry;
int found = 0;
+#ifndef HELPER_COMPILE
+ if (SELINUX_ENABLED)
+ return PAM_PWHISTORY_RUN_HELPER;
+#endif
+
if ((oldpf = fopen (OLD_PASSWORDS_FILE, "r")) == NULL)
{
if (errno != ENOENT)
@@ -213,9 +241,9 @@ check_old_pass (pam_handle_t *pamh, cons
return retval;
}
-int
-save_old_pass (pam_handle_t *pamh, const char *user, uid_t uid,
- const char *oldpass, int howmany, int debug UNUSED)
+PAMH_ARG_DECL(int
+save_old_pass, const char *user,
+ int howmany, int debug UNUSED)
{
char opasswd_tmp[] = TMP_PASSWORDS_FILE;
struct stat opasswd_stat;
@@ -226,10 +254,35 @@ save_old_pass (pam_handle_t *pamh, const
char *buf = NULL;
size_t buflen = 0;
int found = 0;
+ struct passwd *pwd;
+ const char *oldpass;
+
+ pwd = pam_modutil_getpwnam (pamh, user);
+ if (pwd == NULL)
+ return PAM_USER_UNKNOWN;
if (howmany <= 0)
return PAM_SUCCESS;
+#ifndef HELPER_COMPILE
+ if (SELINUX_ENABLED)
+ return PAM_PWHISTORY_RUN_HELPER;
+#endif
+
+ if ((strcmp(pwd->pw_passwd, "x") == 0) ||
+ ((pwd->pw_passwd[0] == '#') &&
+ (pwd->pw_passwd[1] == '#') &&
+ (strcmp(pwd->pw_name, pwd->pw_passwd + 2) == 0)))
+ {
+ struct spwd *spw = pam_modutil_getspnam (pamh, user);
+
+ if (spw == NULL)
+ return PAM_USER_UNKNOWN;
+ oldpass = spw->sp_pwdp;
+ }
+ else
+ oldpass = pwd->pw_passwd;
+
if (oldpass == NULL || *oldpass == '\0')
return PAM_SUCCESS;
@@ -452,7 +505,7 @@ save_old_pass (pam_handle_t *pamh, const
{
char *out;
- if (asprintf (&out, "%s:%d:1:%s\n", user, uid, oldpass) < 0)
+ if (asprintf (&out, "%s:%d:1:%s\n", user, pwd->pw_uid, oldpass) < 0)
{
retval = PAM_AUTHTOK_ERR;
if (oldpf)
diff -up Linux-PAM-1.4.0/modules/pam_pwhistory/opasswd.h.pwhhelper Linux-PAM-1.4.0/modules/pam_pwhistory/opasswd.h
--- Linux-PAM-1.4.0/modules/pam_pwhistory/opasswd.h.pwhhelper 2020-06-08 12:17:27.000000000 +0200
+++ Linux-PAM-1.4.0/modules/pam_pwhistory/opasswd.h 2020-06-22 13:13:23.722445347 +0200
@@ -1,5 +1,6 @@
/*
* Copyright (c) 2008 Thorsten Kukuk <kukuk@suse.de>
+ * Copyright (c) 2013 Red Hat, Inc.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
@@ -36,10 +37,32 @@
#ifndef __OPASSWD_H__
#define __OPASSWD_H__
-extern int check_old_pass (pam_handle_t *pamh, const char *user,
- const char *newpass, int debug);
-extern int save_old_pass (pam_handle_t *pamh, const char *user,
- uid_t uid, const char *oldpass,
- int howmany, int debug);
+#define PAM_PWHISTORY_RUN_HELPER PAM_CRED_INSUFFICIENT
+
+#ifdef WITH_SELINUX
+#include <selinux/selinux.h>
+#define SELINUX_ENABLED is_selinux_enabled()>0
+#else
+#define SELINUX_ENABLED 0
+#endif
+
+#ifdef HELPER_COMPILE
+#define PAMH_ARG_DECL(fname, ...) fname(__VA_ARGS__)
+#define PAMH_ARG(...) __VA_ARGS__
+#else
+#define PAMH_ARG_DECL(fname, ...) fname(pam_handle_t *pamh, __VA_ARGS__)
+#define PAMH_ARG(...) pamh, __VA_ARGS__
+#endif
+
+#ifdef HELPER_COMPILE
+void
+helper_log_err(int err, const char *format, ...);
+#endif
+
+PAMH_ARG_DECL(int
+check_old_pass, const char *user, const char *newpass, int debug);
+
+PAMH_ARG_DECL(int
+save_old_pass, const char *user, int howmany, int debug);
#endif /* __OPASSWD_H__ */
diff -up Linux-PAM-1.4.0/modules/pam_pwhistory/pam_pwhistory.c.pwhhelper Linux-PAM-1.4.0/modules/pam_pwhistory/pam_pwhistory.c
--- Linux-PAM-1.4.0/modules/pam_pwhistory/pam_pwhistory.c.pwhhelper 2020-06-08 12:17:27.000000000 +0200
+++ Linux-PAM-1.4.0/modules/pam_pwhistory/pam_pwhistory.c 2020-06-22 13:25:23.107497539 +0200
@@ -3,6 +3,7 @@
*
* Copyright (c) 2008, 2012 Thorsten Kukuk
* Author: Thorsten Kukuk <kukuk@thkukuk.de>
+ * Copyright (c) 2013 Red Hat, Inc.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
@@ -46,10 +47,14 @@
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
-#include <shadow.h>
#include <syslog.h>
#include <sys/types.h>
#include <sys/stat.h>
+#include <sys/time.h>
+#include <sys/resource.h>
+#include <sys/wait.h>
+#include <signal.h>
+#include <fcntl.h>
#include <security/pam_modules.h>
#include <security/pam_modutil.h>
@@ -60,6 +65,7 @@
#include "pam_inline.h"
#define DEFAULT_BUFLEN 2048
+#define MAX_FD_NO 20000
struct options_t {
int debug;
@@ -105,6 +111,184 @@ parse_option (pam_handle_t *pamh, const
pam_syslog (pamh, LOG_ERR, "pam_pwhistory: unknown option: %s", argv);
}
+static int
+run_save_helper(pam_handle_t *pamh, const char *user,
+ int howmany, int debug)
+{
+ int retval, child;
+ struct sigaction newsa, oldsa;
+
+ memset(&newsa, '\0', sizeof(newsa));
+ newsa.sa_handler = SIG_DFL;
+ sigaction(SIGCHLD, &newsa, &oldsa);
+
+ child = fork();
+ if (child == 0)
+ {
+ int i = 0;
+ struct rlimit rlim;
+ int dummyfds[2];
+ static char *envp[] = { NULL };
+ char *args[] = { NULL, NULL, NULL, NULL, NULL, NULL };
+
+ /* replace std file descriptors with a dummy pipe */
+ if (pipe2(dummyfds, O_NONBLOCK) == 0)
+ {
+ dup2(dummyfds[0], STDIN_FILENO);
+ dup2(dummyfds[1], STDOUT_FILENO);
+ dup2(dummyfds[1], STDERR_FILENO);
+ }
+
+ if (getrlimit(RLIMIT_NOFILE,&rlim) == 0)
+ {
+ if (rlim.rlim_max >= MAX_FD_NO)
+ rlim.rlim_max = MAX_FD_NO;
+ for (i = STDERR_FILENO + 1; i < (int)rlim.rlim_max; i++)
+ {
+ if (i != dummyfds[0])
+ close(i);
+ }
+ }
+
+ /* exec binary helper */
+ args[0] = strdup(PWHISTORY_HELPER);
+ args[1] = strdup("save");
+ args[2] = x_strdup(user);
+ asprintf(&args[3], "%d", howmany);
+ asprintf(&args[4], "%d", debug);
+
+ execve(args[0], args, envp);
+
+ _exit(PAM_SYSTEM_ERR);
+ }
+ else if (child > 0)
+ {
+ /* wait for child */
+ int rc = 0;
+ rc = waitpid(child, &retval, 0); /* wait for helper to complete */
+ if (rc < 0)
+ {
+ pam_syslog(pamh, LOG_ERR, "pwhistory_helper save waitpid returned %d: %m", rc);
+ retval = PAM_SYSTEM_ERR;
+ }
+ else if (!WIFEXITED(retval))
+ {
+ pam_syslog(pamh, LOG_ERR, "pwhistory_helper save abnormal exit: %d", retval);
+ retval = PAM_SYSTEM_ERR;
+ }
+ else
+ {
+ retval = WEXITSTATUS(retval);
+ }
+ }
+ else
+ {
+ retval = PAM_SYSTEM_ERR;
+ }
+
+ sigaction(SIGCHLD, &oldsa, NULL); /* restore old signal handler */
+
+ return retval;
+}
+
+static int
+run_check_helper(pam_handle_t *pamh, const char *user,
+ const char *newpass, int debug)
+{
+ int retval, child, fds[2];
+ struct sigaction newsa, oldsa;
+
+ /* create a pipe for the password */
+ if (pipe(fds) != 0)
+ return PAM_SYSTEM_ERR;
+
+ memset(&newsa, '\0', sizeof(newsa));
+ newsa.sa_handler = SIG_DFL;
+ sigaction(SIGCHLD, &newsa, &oldsa);
+
+ child = fork();
+ if (child == 0)
+ {
+ int i = 0;
+ struct rlimit rlim;
+ int dummyfds[2];
+ static char *envp[] = { NULL };
+ char *args[] = { NULL, NULL, NULL, NULL, NULL };
+
+ /* reopen stdin as pipe */
+ dup2(fds[0], STDIN_FILENO);
+
+ /* replace std file descriptors with a dummy pipe */
+ if (pipe2(dummyfds, O_NONBLOCK) == 0)
+ {
+ dup2(dummyfds[1], STDOUT_FILENO);
+ dup2(dummyfds[1], STDERR_FILENO);
+ }
+
+ if (getrlimit(RLIMIT_NOFILE,&rlim) == 0)
+ {
+ if (rlim.rlim_max >= MAX_FD_NO)
+ rlim.rlim_max = MAX_FD_NO;
+ for (i = STDERR_FILENO + 1; i < (int)rlim.rlim_max; i++)
+ {
+ if (i != dummyfds[0])
+ close(i);
+ }
+ }
+
+ /* exec binary helper */
+ args[0] = strdup(PWHISTORY_HELPER);
+ args[1] = strdup("check");
+ args[2] = x_strdup(user);
+ asprintf(&args[3], "%d", debug);
+
+ execve(args[0], args, envp);
+
+ _exit(PAM_SYSTEM_ERR);
+ }
+ else if (child > 0)
+ {
+ /* wait for child */
+ int rc = 0;
+ if (newpass == NULL)
+ newpass = "";
+
+ /* send the password to the child */
+ if (write(fds[1], newpass, strlen(newpass)+1) == -1)
+ {
+ pam_syslog(pamh, LOG_ERR, "Cannot send password to helper: %m");
+ retval = PAM_SYSTEM_ERR;
+ }
+ newpass = NULL;
+ close(fds[0]); /* close here to avoid possible SIGPIPE above */
+ close(fds[1]);
+ rc = waitpid(child, &retval, 0); /* wait for helper to complete */
+ if (rc < 0)
+ {
+ pam_syslog(pamh, LOG_ERR, "pwhistory_helper check waitpid returned %d: %m", rc);
+ retval = PAM_SYSTEM_ERR;
+ }
+ else if (!WIFEXITED(retval))
+ {
+ pam_syslog(pamh, LOG_ERR, "pwhistory_helper check abnormal exit: %d", retval);
+ retval = PAM_SYSTEM_ERR;
+ }
+ else
+ {
+ retval = WEXITSTATUS(retval);
+ }
+ }
+ else
+ {
+ close(fds[0]);
+ close(fds[1]);
+ retval = PAM_SYSTEM_ERR;
+ }
+
+ sigaction(SIGCHLD, &oldsa, NULL); /* restore old signal handler */
+
+ return retval;
+}
/* This module saves the current crypted password in /etc/security/opasswd
and then compares the new password with all entries in this file. */
@@ -112,7 +296,6 @@ parse_option (pam_handle_t *pamh, const
int
pam_sm_chauthtok (pam_handle_t *pamh, int flags, int argc, const char **argv)
{
- struct passwd *pwd;
const char *newpass;
const char *user;
int retval, tries;
@@ -148,31 +331,13 @@ pam_sm_chauthtok (pam_handle_t *pamh, in
return PAM_SUCCESS;
}
- pwd = pam_modutil_getpwnam (pamh, user);
- if (pwd == NULL)
- return PAM_USER_UNKNOWN;
-
- if ((strcmp(pwd->pw_passwd, "x") == 0) ||
- ((pwd->pw_passwd[0] == '#') &&
- (pwd->pw_passwd[1] == '#') &&
- (strcmp(pwd->pw_name, pwd->pw_passwd + 2) == 0)))
- {
- struct spwd *spw = pam_modutil_getspnam (pamh, user);
- if (spw == NULL)
- return PAM_USER_UNKNOWN;
+ retval = save_old_pass (pamh, user, options.remember, options.debug);
- retval = save_old_pass (pamh, user, pwd->pw_uid, spw->sp_pwdp,
- options.remember, options.debug);
- if (retval != PAM_SUCCESS)
- return retval;
- }
- else
- {
- retval = save_old_pass (pamh, user, pwd->pw_uid, pwd->pw_passwd,
- options.remember, options.debug);
- if (retval != PAM_SUCCESS)
- return retval;
- }
+ if (retval == PAM_PWHISTORY_RUN_HELPER)
+ retval = run_save_helper(pamh, user, options.remember, options.debug);
+
+ if (retval != PAM_SUCCESS)
+ return retval;
newpass = NULL;
tries = 0;
@@ -201,8 +366,11 @@ pam_sm_chauthtok (pam_handle_t *pamh, in
if (options.debug)
pam_syslog (pamh, LOG_DEBUG, "check against old password file");
- if (check_old_pass (pamh, user, newpass,
- options.debug) != PAM_SUCCESS)
+ retval = check_old_pass (pamh, user, newpass, options.debug);
+ if (retval == PAM_PWHISTORY_RUN_HELPER)
+ retval = run_check_helper(pamh, user, newpass, options.debug);
+
+ if (retval != PAM_SUCCESS)
{
if (getuid() || options.enforce_for_root ||
(flags & PAM_CHANGE_EXPIRED_AUTHTOK))
diff -up Linux-PAM-1.4.0/modules/pam_pwhistory/pwhistory_helper.8.xml.pwhhelper Linux-PAM-1.4.0/modules/pam_pwhistory/pwhistory_helper.8.xml
--- Linux-PAM-1.4.0/modules/pam_pwhistory/pwhistory_helper.8.xml.pwhhelper 2020-06-22 13:13:23.723445361 +0200
+++ Linux-PAM-1.4.0/modules/pam_pwhistory/pwhistory_helper.8.xml 2020-06-22 13:13:23.723445361 +0200
@@ -0,0 +1,68 @@
+<?xml version="1.0" encoding='UTF-8'?>
+<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.3//EN"
+ "http://www.oasis-open.org/docbook/xml/4.3/docbookx.dtd">
+
+<refentry id="pwhistory_helper">
+
+ <refmeta>
+ <refentrytitle>pwhistory_helper</refentrytitle>
+ <manvolnum>8</manvolnum>
+ <refmiscinfo class="sectdesc">Linux-PAM Manual</refmiscinfo>
+ </refmeta>
+
+ <refnamediv id="pwhistory_helper-name">
+ <refname>pwhistory_helper</refname>
+ <refpurpose>Helper binary that transfers password hashes from passwd or shadow to opasswd</refpurpose>
+ </refnamediv>
+
+ <refsynopsisdiv>
+ <cmdsynopsis id="pwhistory_helper-cmdsynopsis">
+ <command>pwhistory_helper</command>
+ <arg choice="opt">
+ ...
+ </arg>
+ </cmdsynopsis>
+ </refsynopsisdiv>
+
+ <refsect1 id="pwhistory_helper-description">
+
+ <title>DESCRIPTION</title>
+
+ <para>
+ <emphasis>pwhistory_helper</emphasis> is a helper program for the
+ <emphasis>pam_pwhistory</emphasis> module that transfers password hashes
+ from passwd or shadow file to the opasswd file and checks a password
+ supplied by user against the existing hashes in the opasswd file.
+ </para>
+
+ <para>
+ The purpose of the helper is to enable tighter confinement of
+ login and password changing services. The helper is thus called only
+ when SELinux is enabled on the system.
+ </para>
+
+ <para>
+ The interface of the helper - command line options, and input/output
+ data format are internal to the <emphasis>pam_pwhistory</emphasis>
+ module and it should not be called directly from applications.
+ </para>
+ </refsect1>
+
+ <refsect1 id='pwhistory_helper-see_also'>
+ <title>SEE ALSO</title>
+ <para>
+ <citerefentry>
+ <refentrytitle>pam_pwhistory</refentrytitle><manvolnum>8</manvolnum>
+ </citerefentry>
+ </para>
+ </refsect1>
+
+ <refsect1 id='pwhistory_helper-author'>
+ <title>AUTHOR</title>
+ <para>
+ Written by Tomas Mraz based on the code originally in
+ <emphasis>pam_pwhistory and pam_unix</emphasis> modules.
+ </para>
+ </refsect1>
+
+</refentry>
diff -up Linux-PAM-1.4.0/modules/pam_pwhistory/pwhistory_helper.c.pwhhelper Linux-PAM-1.4.0/modules/pam_pwhistory/pwhistory_helper.c
--- Linux-PAM-1.4.0/modules/pam_pwhistory/pwhistory_helper.c.pwhhelper 2020-06-22 13:13:23.723445361 +0200
+++ Linux-PAM-1.4.0/modules/pam_pwhistory/pwhistory_helper.c 2020-06-22 13:13:23.723445361 +0200
@@ -0,0 +1,209 @@
+/*
+ * Copyright (c) 2013 Red Hat, Inc.
+ * Author: Tomas Mraz <tmraz@redhat.com>
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ * notice, and the entire permission notice in its entirety,
+ * including the disclaimer of warranties.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in the
+ * documentation and/or other materials provided with the distribution.
+ * 3. The name of the author may not be used to endorse or promote
+ * products derived from this software without specific prior
+ * written permission.
+ *
+ * ALTERNATIVELY, this product may be distributed under the terms of
+ * the GNU Public License, in which case the provisions of the GPL are
+ * required INSTEAD OF the above restrictions. (This clause is
+ * necessary due to a potential bad interaction between the GPL and
+ * the restrictions contained in a BSD-style copyright.)
+ *
+ * THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED
+ * WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
+ * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
+ * DISCLAIMED. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT,
+ * INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
+ * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
+ * SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ */
+
+#include "config.h"
+
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <syslog.h>
+#include <errno.h>
+#include <unistd.h>
+#include <signal.h>
+#include <security/_pam_types.h>
+#include <security/_pam_macros.h>
+#include "opasswd.h"
+
+#define MAXPASS 200
+
+static void
+su_sighandler(int sig)
+{
+#ifndef SA_RESETHAND
+ /* emulate the behaviour of the SA_RESETHAND flag */
+ if ( sig == SIGILL || sig == SIGTRAP || sig == SIGBUS || sig = SIGSERV ) {
+ struct sigaction sa;
+ memset(&sa, '\0', sizeof(sa));
+ sa.sa_handler = SIG_DFL;
+ sigaction(sig, &sa, NULL);
+ }
+#endif
+ if (sig > 0) {
+ _exit(sig);
+ }
+}
+
+static void
+setup_signals(void)
+{
+ struct sigaction action; /* posix signal structure */
+
+ /*
+ * Setup signal handlers
+ */
+ (void) memset((void *) &action, 0, sizeof(action));
+ action.sa_handler = su_sighandler;
+#ifdef SA_RESETHAND
+ action.sa_flags = SA_RESETHAND;
+#endif
+ (void) sigaction(SIGILL, &action, NULL);
+ (void) sigaction(SIGTRAP, &action, NULL);
+ (void) sigaction(SIGBUS, &action, NULL);
+ (void) sigaction(SIGSEGV, &action, NULL);
+ action.sa_handler = SIG_IGN;
+ action.sa_flags = 0;
+ (void) sigaction(SIGTERM, &action, NULL);
+ (void) sigaction(SIGHUP, &action, NULL);
+ (void) sigaction(SIGINT, &action, NULL);
+ (void) sigaction(SIGQUIT, &action, NULL);
+}
+
+static int
+read_passwords(int fd, int npass, char **passwords)
+{
+ int rbytes = 0;
+ int offset = 0;
+ int i = 0;
+ char *pptr;
+ while (npass > 0)
+ {
+ rbytes = read(fd, passwords[i]+offset, MAXPASS-offset);
+
+ if (rbytes < 0)
+ {
+ if (errno == EINTR) continue;
+ break;
+ }
+ if (rbytes == 0)
+ break;
+
+ while (npass > 0 && (pptr=memchr(passwords[i]+offset, '\0', rbytes))
+ != NULL)
+ {
+ rbytes -= pptr - (passwords[i]+offset) + 1;
+ i++;
+ offset = 0;
+ npass--;
+ if (rbytes > 0)
+ {
+ if (npass > 0)
+ memcpy(passwords[i], pptr+1, rbytes);
+ memset(pptr+1, '\0', rbytes);
+ }
+ }
+ offset += rbytes;
+ }
+
+ /* clear up */
+ if (offset > 0 && npass > 0)
+ memset(passwords[i], '\0', offset);
+
+ return i;
+}
+
+
+static int
+check_history(const char *user, const char *debug)
+{
+ char pass[MAXPASS + 1];
+ char *passwords[] = { pass };
+ int npass;
+ int dbg = atoi(debug); /* no need to be too fancy here */
+ int retval;
+
+ /* read the password from stdin (a pipe from the pam_pwhistory module) */
+ npass = read_passwords(STDIN_FILENO, 1, passwords);
+
+ if (npass != 1)
+ { /* is it a valid password? */
+ helper_log_err(LOG_DEBUG, "no password supplied");
+ return PAM_AUTHTOK_ERR;
+ }
+
+ retval = check_old_pass(user, pass, dbg);
+
+ memset(pass, '\0', MAXPASS); /* clear memory of the password */
+
+ return retval;
+}
+
+static int
+save_history(const char *user, const char *howmany, const char *debug)
+{
+ int num = atoi(howmany);
+ int dbg = atoi(debug); /* no need to be too fancy here */
+ int retval;
+
+ retval = save_old_pass(user, num, dbg);
+
+ return retval;
+}
+
+int
+main(int argc, char *argv[])
+{
+ const char *option;
+ const char *user;
+
+ /*
+ * Catch or ignore as many signal as possible.
+ */
+ setup_signals();
+
+ /*
+ * we establish that this program is running with non-tty stdin.
+ * this is to discourage casual use.
+ */
+
+ if (isatty(STDIN_FILENO) || argc < 4)
+ {
+ fprintf(stderr,
+ "This binary is not designed for running in this way.\n");
+ sleep(10); /* this should discourage/annoy the user */
+ return PAM_SYSTEM_ERR;
+ }
+
+ option = argv[1];
+ user = argv[2];
+
+ if (strcmp(option, "check") == 0 && argc == 4)
+ return check_history(user, argv[3]);
+ else if (strcmp(option, "save") == 0 && argc == 5)
+ return save_history(user, argv[3], argv[4]);
+
+ return PAM_SYSTEM_ERR;
+}
+

25
pam-1.4.0-redhat-modules.patch Normal file
View File

@ -0,0 +1,25 @@
diff -up Linux-PAM-1.4.0/configure.ac.redhat-modules Linux-PAM-1.4.0/configure.ac
--- Linux-PAM-1.4.0/configure.ac.redhat-modules 2020-06-08 12:17:27.000000000 +0200
+++ Linux-PAM-1.4.0/configure.ac 2020-06-22 12:55:55.889827909 +0200
@@ -712,6 +712,8 @@ AC_CONFIG_FILES([Makefile libpam/Makefil
po/Makefile.in \
Make.xml.rules \
modules/Makefile \
+ modules/pam_chroot/Makefile modules/pam_console/Makefile \
+ modules/pam_postgresok/Makefile \
modules/pam_access/Makefile modules/pam_cracklib/Makefile \
modules/pam_debug/Makefile modules/pam_deny/Makefile \
modules/pam_echo/Makefile modules/pam_env/Makefile \
diff -up Linux-PAM-1.4.0/modules/Makefile.am.redhat-modules Linux-PAM-1.4.0/modules/Makefile.am
--- Linux-PAM-1.4.0/modules/Makefile.am.redhat-modules 2020-06-22 12:55:55.889827909 +0200
+++ Linux-PAM-1.4.0/modules/Makefile.am 2020-06-22 12:59:19.718670992 +0200
@@ -56,6 +56,9 @@ SUBDIRS := \
pam_debug \
pam_deny \
pam_echo \
+ pam_chroot \
+ pam_console \
+ pam_postgresok \
pam_env \
pam_exec \
pam_faildelay \

2258
pam.spec Normal file
View File

File diff suppressed because it is too large Load Diff

5
pamtmp.conf Normal file
View File

@ -0,0 +1,5 @@
d /run/console 0755 root root -
d /run/faillock 0755 root root -
d /run/sepermit 0755 root root -
d /run/motd.d 0755 root root -
f /var/log/tallylog 0600 root root -

18
password-auth.pamd Normal file
View File

@ -0,0 +1,18 @@
#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authselect is run.
auth required pam_env.so
auth sufficient pam_unix.so try_first_pass nullok
auth required pam_deny.so
account required pam_unix.so
password requisite pam_pwquality.so try_first_pass local_users_only retry=3 authtok_type=
password sufficient pam_unix.so try_first_pass use_authtok nullok sha512 shadow
password required pam_deny.so
session optional pam_keyinit.so revoke
session required pam_limits.so
-session optional pam_systemd.so
session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session required pam_unix.so

46
postlogin.5 Normal file
View File

@ -0,0 +1,46 @@
.TH POSTLOGIN 5 "2010 Dec 22" "Red Hat" "Linux-PAM Manual"
.SH NAME
postlogin \- Common configuration file for PAMified services
.SH SYNOPSIS
.B /etc/pam.d/postlogin
.sp 2
.SH DESCRIPTION
The purpose of this PAM configuration file is to provide a common
place for all PAM modules which should be called after the stack
configured in
.BR system-auth
or the other common PAM configuration files.
.sp
The
.BR postlogin
configuration file is included from all individual service configuration
files that provide login service with shell or file access.
.SH NOTES
The modules in the postlogin configuration file are executed regardless
of the success or failure of the modules in the
.BR system-auth
configuration file.
.SH BUGS
.sp 2
Sometimes it would be useful to be able to skip the postlogin modules in
case the substack of the
.BR system-auth
modules failed. Unfortunately the current Linux-PAM library does not
provide any way how to achieve this.
.SH "SEE ALSO"
pam(8), config-util(5), system-auth(5)
The three
.BR Linux-PAM
Guides, for
.BR "system administrators" ", "
.BR "module developers" ", "
and
.BR "application developers" ". "

8
postlogin.pamd Normal file
View File

@ -0,0 +1,8 @@
#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authselect is run.
session optional pam_umask.so silent
session [success=1 default=ignore] pam_succeed_if.so service !~ gdm* service !~ su* quiet
session [default=1] pam_lastlog.so nowtmp showfailed
session optional pam_lastlog.so silent noupdate showfailed

19
smartcard-auth.pamd Normal file
View File

@ -0,0 +1,19 @@
#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authselect is run.
auth required pam_env.so
auth [success=done ignore=ignore default=die] pam_pkcs11.so wait_for_card
auth required pam_deny.so
account required pam_unix.so
account sufficient pam_localuser.so
account sufficient pam_succeed_if.so uid < 500 quiet
account required pam_permit.so
password optional pam_pkcs11.so
session optional pam_keyinit.so revoke
session required pam_limits.so
-session optional pam_systemd.so
session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session required pam_unix.so

3
sources Normal file
View File

@ -0,0 +1,3 @@
SHA512 (Linux-PAM-1.4.0.tar.xz) = 26eda95c45598a500bc142da4d1abf93d03b3bbb0f2390fa87c72dcbffa208dbfa115c0b411095c31ee9955e36422ccf3e2df3bd486818fafffef8c4310798c4
SHA512 (Linux-PAM-1.4.0.tar.xz.asc) = df8d35840838854b2cd6fdb5763e6b3a713dda839c1bc36e752243e76ea0414e99351b32691a6e08f2ee07013c6c4142f21e469374ec06be66887384207933b4
SHA512 (pam-redhat-1.1.3.tar.bz2) = 5f048e55c51342c3eaecc1c150e9643e6b226b413ac3e6f095fc983293ea7a6bd68e27d663a3c90be0d86b8277d15a1565ee5d7831fb49950144f6391091e8f9

58
system-auth.5 Normal file
View File

@ -0,0 +1,58 @@
.TH SYSTEM-AUTH 5 "2010 Dec 22" "Red Hat" "Linux-PAM Manual"
.SH NAME
system-auth \- Common configuration file for PAMified services
.SH SYNOPSIS
.B /etc/pam.d/system-auth
.B /etc/pam.d/password-auth
.B /etc/pam.d/fingerprint-auth
.B /etc/pam.d/smartcard-auth
.sp 2
.SH DESCRIPTION
The purpose of these configuration files are to provide a common
interface for all applications and service daemons calling into
the PAM library.
.sp
The
.BR system-auth
configuration file is included from nearly all individual service configuration
files with the help of the
.BR substack
directive.
.sp
The
.BR password-auth
.BR fingerprint-auth
.BR smartcard-auth
configuration files are for applications which handle authentication from
different types of devices via simultaneously running individual conversations
instead of one aggregate conversation.
.SH NOTES
Previously these common configuration files were included with the help
of the
.BR include
directive. This limited the use of the different action types of modules.
With the use of
.BR substack
directive to include these common configuration files this limitation
no longer applies.
.SH BUGS
.sp 2
None known.
.SH "SEE ALSO"
pam(8), config-util(5), postlogin(5)
The three
.BR Linux-PAM
Guides, for
.BR "system administrators" ", "
.BR "module developers" ", "
and
.BR "application developers" ". "

18
system-auth.pamd Normal file
View File

@ -0,0 +1,18 @@
#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authselect is run.
auth required pam_env.so
auth sufficient pam_unix.so try_first_pass nullok
auth required pam_deny.so
account required pam_unix.so
password requisite pam_pwquality.so try_first_pass local_users_only retry=3 authtok_type=
password sufficient pam_unix.so try_first_pass use_authtok nullok sha512 shadow
password required pam_deny.so
session optional pam_keyinit.so revoke
session required pam_limits.so
-session optional pam_systemd.so
session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session required pam_unix.so

71
tests/Test-coverage-for-TTY-auditing/Makefile Normal file
View File

@ -0,0 +1,71 @@
# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
#
# Makefile of /CoreOS/pam/Sanity/Test-coverage-for-TTY-auditing
# Description: Test for Test coverage for TTY auditing
# Author: Dalibor Pospisil <dapospis@redhat.com>
#
# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
#
# Copyright (c) 2012 Red Hat, Inc. All rights reserved.
#
# This copyrighted material is made available to anyone wishing
# to use, modify, copy, or redistribute it subject to the terms
# and conditions of the GNU General Public License version 2.
#
# This program is distributed in the hope that it will be
# useful, but WITHOUT ANY WARRANTY; without even the implied
# warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR
# PURPOSE. See the GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public
# License along with this program; if not, write to the Free
# Software Foundation, Inc., 51 Franklin Street, Fifth Floor,
# Boston, MA 02110-1301, USA.
#
# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
export TEST=/CoreOS/pam/Sanity/Test-coverage-for-TTY-auditing
export TESTVERSION=1.0
BUILT_FILES=
FILES=$(METADATA) runtest.sh Makefile PURPOSE
.PHONY: all install download clean
run: $(FILES) build
./runtest.sh
build: $(BUILT_FILES)
@test -x runtest.sh || chmod a+x runtest.sh
@if [ -e /usr/share/beakerlib/plugins/try-check-final.sh ]; then \
/usr/share/beakerlib/plugins/try-check-final.sh verify_plugin; \
elif [ -e /mnt/tests/CoreOS/beaker/plugin-tcf/try-check-final.sh ]; then \
/mnt/tests/CoreOS/beaker/plugin-tcf/try-check-final.sh verify_plugin; \
elif [ -e /mnt/qa/scratch/dapospis/try-check-final.sh ]; then \
/mnt/qa/scratch/dapospis/try-check-final.sh verify_plugin; \
fi;
clean:
rm -f *~ $(BUILT_FILES)
include /usr/share/rhts/lib/rhts-make.include
$(METADATA): Makefile
@echo "Owner: Dalibor Pospisil <dapospis@redhat.com>" > $(METADATA)
@echo "Name: $(TEST)" >> $(METADATA)
@echo "TestVersion: $(TESTVERSION)" >> $(METADATA)
@echo "RhtsRequires: test(/CoreOS/beaker/plugin-tcf)" >> $(METADATA)
@echo "Path: $(TEST_DIR)" >> $(METADATA)
@echo "Description: Test for Test coverage for TTY auditing" >> $(METADATA)
@echo "Type: Sanity" >> $(METADATA)
@echo "TestTime: 5m" >> $(METADATA)
@echo "RunFor: pam" >> $(METADATA)
@echo "Requires: pam /usr/bin/bc /usr/bin/expect /usr/bin/pcregrep" >> $(METADATA)
@echo "Priority: Normal" >> $(METADATA)
@echo "License: GPLv2" >> $(METADATA)
@echo "Confidential: no" >> $(METADATA)
@echo "Destructive: no" >> $(METADATA)
rhts-lint $(METADATA)

4
tests/Test-coverage-for-TTY-auditing/PURPOSE Normal file
View File

@ -0,0 +1,4 @@
PURPOSE of /CoreOS/pam/Sanity/Test-coverage-for-TTY-auditing
Description: Test for Test coverage for TTY auditing
Author: Dalibor Pospisil <dapospis@redhat.com>
Bug summary: Test coverage for TTY auditing

119
tests/Test-coverage-for-TTY-auditing/runtest.sh Normal file
View File

@ -0,0 +1,119 @@
#!/bin/bash
# vim: dict=/usr/share/beakerlib/dictionary.vim cpt=.,w,b,u,t,i,k
# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
#
# runtest.sh of /CoreOS/pam/Sanity/Test-coverage-for-TTY-auditing
# Description: Test for Test coverage for TTY auditing
# Author: Dalibor Pospisil <dapospis@redhat.com>
#
# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
#
# Copyright (c) 2012 Red Hat, Inc. All rights reserved.
#
# This copyrighted material is made available to anyone wishing
# to use, modify, copy, or redistribute it subject to the terms
# and conditions of the GNU General Public License version 2.
#
# This program is distributed in the hope that it will be
# useful, but WITHOUT ANY WARRANTY; without even the implied
# warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR
# PURPOSE. See the GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public
# License along with this program; if not, write to the Free
# Software Foundation, Inc., 51 Franklin Street, Fifth Floor,
# Boston, MA 02110-1301, USA.
#
# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
# Include Beaker environment
. /usr/bin/rhts-environment.sh
. /usr/lib/beakerlib/beakerlib.sh
PACKAGES="pam"
BINARIES="pcregrep expect bc"
rlJournalStart &&{
rlPhaseStartSetup &&{
rlTry "Setup phase" && {
for PACKAGE in $PACKAGES; do
rlAssertRpm $PACKAGE
done
for BINARY in $BINARIES; do
rlRun "which $BINARY" 0 "Check presence of $BINARY"
done
rlRun "TmpDir=\$(mktemp -d)" 0 "Creating tmp directory"
rlRun "pushd $TmpDir"
rlFileBackup --clean /etc/pam.d/
rlRun "echo 'session required pam_tty_audit.so disable=* enable=root' >>/etc/pam.d/system-auth"
rlRun "cat /etc/pam.d/system-auth"
rlFin; }
rlPhaseEnd;}
rlPhaseStartTest &&{
rlTry "Test phase" && {
rlTry "backup audit.log" &&{
cat /var/log/audit/audit.log >./audit.log
rlFin; }
unalias su >& /dev/null
rlTry "su root, bc some expressions" &&{
expect <<EOF
set env(TERM) vt100
set timeout 5
spawn su -l root
expect {
timeout { exit 2 }
eof { exit 1 }
"#" { send -- "bc\r" }
}
expect -re "For details type .warranty.." { send -- "1+1\r" }
expect {
timeout { exit 2 }
eof { exit 1 }
"2" { send -- "10^2\r" }
}
expect {
timeout { exit 2 }
eof { exit 1 }
"100" { send -- "\033\[A\033\[A\r" }
}
expect {
timeout { exit 2 }
eof { exit 1 }
"2" { send -- "quit\r" }
}
expect {
timeout { exit 2 }
eof { exit 1 }
"#" { send -- "exit\r" }
}
expect {
timeout { exit 2 }
eof { exit 0 }
}
EOF
rlFin; }
rlTry &&{
rlLog "wait 3s"
sleep 3s
rlFin; }
rlRun "diff ./audit.log /var/log/audit/audit.log | grep '>' | sed -e 's/> //' | tee ./log" 0-255
rlChk "check that audit.log contains what it should" &&{
aureport --tty -ts recent -if ./log |tee log.txt
rlRun "pcregrep -M 'bc \"1\+1\",(<ret>|<nl>)(\n|\r)?.*\"10\^2\",(<ret>|<nl>)(\r|\n)?.*<up>,<up>,(<ret>|<nl>)' log.txt"
rlFin; }
rlFin; }
#PS1="[test] " bash
rlPhaseEnd;}
rlPhaseStartCleanup &&{
rlChk "Cleanup phase" && {
rlFileRestore
rlRun "popd"
rlRun "rm -r $TmpDir" 0 "Removing tmp directory"
rlFin; }
rlTCFcheckFinal
rlPhaseEnd;}
rlJournalPrintText
rlJournalEnd;}

70
tests/pam_unix/Makefile Normal file
View File

@ -0,0 +1,70 @@
# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
#
# Makefile of /CoreOS/pam/Sanity/pam_unix
# Description: Test for module pam_unix
# Author: David Spurek <dspurek@redhat.com>
#
# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
#
# Copyright (c) 2012 Red Hat, Inc. All rights reserved.
#
# This copyrighted material is made available to anyone wishing
# to use, modify, copy, or redistribute it subject to the terms
# and conditions of the GNU General Public License version 2.
#
# This program is distributed in the hope that it will be
# useful, but WITHOUT ANY WARRANTY; without even the implied
# warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR
# PURPOSE. See the GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public
# License along with this program; if not, write to the Free
# Software Foundation, Inc., 51 Franklin Street, Fifth Floor,
# Boston, MA 02110-1301, USA.
#
# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
export TEST=/CoreOS/pam/Sanity/pam_unix
export TESTVERSION=1.0
BUILT_FILES=
FILES=$(METADATA) runtest.sh Makefile PURPOSE
.PHONY: all install download clean
run: $(FILES) build
./runtest.sh
build: $(BUILT_FILES)
test -x runtest.sh || chmod a+x runtest.sh
clean:
rm -f *~ $(BUILT_FILES)
include /usr/share/rhts/lib/rhts-make.include
$(METADATA): Makefile
@echo "Owner: David Spurek <dspurek@redhat.com>" > $(METADATA)
@echo "Name: $(TEST)" >> $(METADATA)
@echo "TestVersion: $(TESTVERSION)" >> $(METADATA)
@echo "Path: $(TEST_DIR)" >> $(METADATA)
@echo "Description: Test for module pam_unix" >> $(METADATA)
@echo "Type: Sanity" >> $(METADATA)
@echo "TestTime: 15m" >> $(METADATA)
@echo "RunFor: pam" >> $(METADATA)
@echo "RhtsRequires: library(distribution/ConditionalPhases)" >> $(METADATA)
@echo "RhtsRequires: library(distribution/dpcommon)" >> $(METADATA)
@echo "RhtsRequires: library(distribution/testUser)" >> $(METADATA)
@echo "RhtsRequires: library(openssh/basic)" >> $(METADATA)
@echo "RhtsRequires: library(pam/basic)" >> $(METADATA)
@echo "Requires: pam" >> $(METADATA)
@echo "Requires: expect" >> $(METADATA)
@echo "Requires: openssh-server openssh-clients" >> $(METADATA)
@echo "Priority: Normal" >> $(METADATA)
@echo "License: GPLv2" >> $(METADATA)
@echo "Confidential: no" >> $(METADATA)
@echo "Destructive: no" >> $(METADATA)
rhts-lint $(METADATA)

3
tests/pam_unix/PURPOSE Normal file
View File

@ -0,0 +1,3 @@
PURPOSE of /CoreOS/pam/Sanity/pam_unix
Description: Test for module pam_unix
Author: David Spurek <dspurek@redhat.com>

174
tests/pam_unix/runtest.sh Normal file
View File

@ -0,0 +1,174 @@
#!/bin/bash
# vim: dict=/usr/share/beakerlib/dictionary.vim cpt=.,w,b,u,t,i,k
# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
#
# runtest.sh of /CoreOS/pam/Sanity/pam_unix
# Description: Test for module pam_unix
# Author: David Spurek <dspurek@redhat.com>
#
# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
#
# Copyright (c) 2012 Red Hat, Inc. All rights reserved.
#
# This copyrighted material is made available to anyone wishing
# to use, modify, copy, or redistribute it subject to the terms
# and conditions of the GNU General Public License version 2.
#
# This program is distributed in the hope that it will be
# useful, but WITHOUT ANY WARRANTY; without even the implied
# warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR
# PURPOSE. See the GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public
# License along with this program; if not, write to the Free
# Software Foundation, Inc., 51 Franklin Street, Fifth Floor,
# Boston, MA 02110-1301, USA.
#
# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
# Include Beaker environment
. /usr/bin/rhts-environment.sh
. /usr/share/beakerlib/beakerlib.sh
PACKAGE="pam"
PACKAGES=( "pam" "expect" )
_PASSWORD1="jf@#Faffo"
_PASSWORD2="0m4nchU!!F"
function do_passwd {
expect <<EOF
set timeout 5
spawn -noecho su $1 -c passwd
expect {
timeout {puts timeout; exit 1}
eof {exit 2}
-nocase "(current)*password" { puts "$2"; send -- "$2\r"}
}
expect {
timeout {puts timeout; exit 1}
eof {exit 3}
-nocase "new*password" { puts "$3"; send -- "$3\r"}
}
expect {
timeout {puts timeout; exit 1}
eof {exit 4}
-nocase "has been already used" { puts "exit 6" ; exit 6}
-nocase "retype*password" { puts "$3"; send -- "$3\r"}
}
expect {
timeout {exit 5}
-nocase "has been already used" { puts "exit 6" ; exit 6}
eof
}
puts "end"
EOF
}
rlJournalStart && {
rlPhaseStartSetup && {
tcfTry "Setup phase" && {
tcfRun "rlCheckMakefileRequires"
rlRun "TmpDir=\$(mktemp -d)" 0 "Creating tmp directory"
CleanupRegister "rlRun 'rm -r $TmpDir' 0 'Removing tmp directory'"
CleanupRegister 'rlRun "popd"'
rlRun "pushd $TmpDir"
CleanupRegister 'rlRun "pamCleanup"'
rlRun "pamSetup"
CleanupRegister 'rlRun "rlFileRestore"'
rlFileBackup "/etc/security/opasswd" && >/etc/security/opasswd
tcfFin; }
rlPhaseEnd; }
tcfTry "Tests" --no-assert && {
tcfChk && {
rlPhaseStartTest "test option remember" && {
tcfChk "setup" && {
CleanupRegister --mark 'rlRun "testUserCleanup"'
rlRun "testUserSetup 2"
PWA=( ':3533tjh^397*:~21081^*p@w!~18374_0' ':4273tjh^397*:~3709^*p@w!~19467_1' ':31388tjh^397*:~32486^*p@w!~12258_2' ':10233tjh^397*:~620^*p@w!~19779_3' ':26151tjh^397*:~8077^*p@w!~29968_4' ':26593tjh^397*:~4665^*p@w!~16428_5' ':23163tjh^397*:~16784^*p@w!~4822_6' ':4065tjh^397*:~14355^*p@w!~4119_7' ':16312tjh^397*:~30577^*p@w!~26223_8' )
rlRun "echo ${PWA[0]} | passwd --stdin ${testUser[1]}"
CleanupRegister 'rlRun "pamRestoreFiles"'
rlRun "pamBackupFiles"
#rlRun "sed -i -e 's/^password\s\+sufficient\s\+pam_unix.so/\0 remember=5/' $sys_auth"
rlRun "pamReplaceServiceModuleRule su password pam_unix.so '' '' '' '$(pamGetServiceRuleAgruments su password pam_unix.so) remember=5'"
#rlRun "cat $sys_auth"
rlRun "pamGetServiceRules --prefix su password"
tcfFin; }
tcfTry "test remember option" && {
NEWPW=${PWA[0]}
for i in `seq 6`; do
rlLog "change passwrd #$i"
OLDPW=$NEWPW; NEWPW=${PWA[$i]}
rlRun "do_passwd ${testUser[1]} ${OLDPW} ${NEWPW}" 0
done
rlLog "change passwrd #$i"
rlLog "Try change to password that have been alredy used (should fail)"
OLDPW=$NEWPW;
rlRun "do_passwd ${testUser[1]} ${OLDPW} ${PWA[1]}" 6
for i in 7 8 1; do
rlLog "change passwrd #$i"
OLDPW=$NEWPW; NEWPW=${PWA[$i]}
rlRun "do_passwd ${testUser[1]} ${OLDPW} ${NEWPW}" 0
done
tcfFin; }
tcfTry "test vhange the password to a previous password of test1" && {
# change the password to a previous password of test1, the password change should be allowed.
rlLog "Change the password to a previous password of test1, the password change should be allowed"
echo ${PWA[0]} | passwd --stdin $testUser
rlRun "do_passwd $testUser ${PWA[0]} ${PWA[5]}" 0
tcfFin; }
tcfChk "cleanup" && {
CleanupDo --mark
tcfFin; }
rlPhaseEnd; }; :
tcfFin; }
# Run the test for >=RHEL-6.9 and >=RHEL-7.3 and <>RHEL(Fedora)
! rlIsRHEL '<6.9' && { ! rlIsRHEL '<7.3' || rlIsRHEL 6; } && tcfChk && {
rlPhaseStartTest "test option no_pass_expiry" && {
tcfChk "setup" && {
CleanupRegister --mark 'rlRun "testUserCleanup"'
rlRun "testUserSetup"
CleanupRegister 'rlRun "sshCleanup"'
rlRun "sshSetup"
rlRun "sshKeyGen"
rlRun "sshCopyID --user $testUser --password $testUserPasswd"
CleanupRegister 'rlRun "sshdRestore"'
rlRun "sshdStart"
CleanupRegister 'rlRun "pamRestoreFiles"'
rlRun "pamBackupFiles"
rlRun "pamGetServiceRules --prefix su account"
tcfFin; }
tcfTry "test" && {
rlRun "sshRun --user $testUser --key 'id'"
rlRun "chage -d 0 $testUser"
rlRun "sshRun --user $testUser --key 'id'" 1-255
rlRun "pamReplaceServiceModuleRule sshd account pam_unix.so '' '' '' '$(pamGetServiceRuleAgruments su password pam_unix.so) no_pass_expiry'"
rlRun "pamGetServiceRules --prefix sshd account"
rlRun "sshRun --user $testUser --key 'id'"
tcfFin; }
tcfChk "cleanup" && {
CleanupDo --mark
tcfFin; }
rlPhaseEnd; }; :
tcfFin; }; :
tcfFin; }
rlPhaseStartCleanup && {
tcfChk "Cleanup phase" && {
CleanupDo
tcfFin; }
tcfCheckFinal
rlPhaseEnd; }
rlJournalPrintText
rlJournalEnd; }

33
tests/tests.yml Normal file
View File

@ -0,0 +1,33 @@
---
# Tests that run in classic context
- hosts: localhost
roles:
- role: standard-test-beakerlib
tags:
- classic
tests:
- pam_unix
- Test-coverage-for-TTY-auditing
required_packages:
- bc
- expect
- findutils # beakerlib needs find command
- openssh-clients
- openssh-server
- pam
- pcre-tools
# Tests that run in container context
- hosts: localhost
roles:
- role: standard-test-beakerlib
tags:
- container
tests:
- Test-coverage-for-TTY-auditing
required_packages:
- bc
- expect
- findutils # beakerlib needs find command
- pam
- pcre-tools