- pam_unix: fix missing initialization of daysleft (#1887077)

- pam_motd: change privilege message prompt to default (#1861640)

pam-1.4.0-motd-privilege-message.patch

@@ -0,0 +1,27 @@
+From 9f24bbeeb4fe04bc396898cd9825478ad52c5ac7 Mon Sep 17 00:00:00 2001
+From: ikerexxe <ipedrosa@redhat.com>
+Date: Wed, 21 Oct 2020 09:47:20 +0200
+Subject: [PATCH] pam_motd: unset prompt value to drop privileges
+
+modules/pam_motd/pam_motd.c: set NULL value instead of "key user" for the
+prompt when dropping privileges.
+---
+ modules/pam_motd/pam_motd.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/modules/pam_motd/pam_motd.c b/modules/pam_motd/pam_motd.c
+index a4fd0e59..6ac8cba2 100644
+--- a/modules/pam_motd/pam_motd.c
++++ b/modules/pam_motd/pam_motd.c
+@@ -288,7 +288,7 @@ static int drop_privileges(pam_handle_t *pamh, struct pam_modutil_privs *privs)
+     const char *username;
+     int retval;
+ 
+-    retval = pam_get_user(pamh, &username, "key user");
++    retval = pam_get_user(pamh, &username, NULL);
+ 
+     if (retval == PAM_SUCCESS) {
+         pw = pam_modutil_getpwnam (pamh, username);
+-- 
+2.26.2
+

pam-1.4.0-unix-init-daysleft.patch

@@ -0,0 +1,32 @@
+From db6b293046aee4735f3aa2d1713742ed4b533219 Mon Sep 17 00:00:00 2001
+From: Tomas Mraz <tmraz@fedoraproject.org>
+Date: Wed, 22 Jul 2020 11:47:55 +0200
+Subject: [PATCH] Fix missing initialization of daysleft
+
+The daysleft otherwise stays uninitialized if there is no shadow entry.
+
+Regression from commit f5adefa.
+
+Fixes #255
+
+* modules/pam_unix/pam_unix_acct.c (pam_sm_acct_mgmt): Initialize daysleft.
+---
+ modules/pam_unix/pam_unix_acct.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/modules/pam_unix/pam_unix_acct.c b/modules/pam_unix/pam_unix_acct.c
+index de8d65c1..f46f2308 100644
+--- a/modules/pam_unix/pam_unix_acct.c
++++ b/modules/pam_unix/pam_unix_acct.c
+@@ -189,7 +189,7 @@ pam_sm_acct_mgmt(pam_handle_t *pamh, int flags, int argc, const char **argv)
+ 	unsigned long long ctrl;
+ 	const void *void_uname;
+ 	const char *uname;
+-	int retval, daysleft;
++	int retval, daysleft = -1;
+ 	char buf[256];
+ 
+ 	D(("called."));
+-- 
+2.26.2
+

pam.spec

@@ -3,7 +3,7 @@
 Summary: An extensible library which provides authentication for applications
 Name: pam
 Version: 1.4.0
-Release: 5%{?dist}
+Release: 6%{?dist}
 # The library is BSD licensed with option to relicense as GPLv2+
 # - this option is redundant as the BSD license allows that anyway.
 # pam_timestamp, pam_loginuid, and pam_console modules are GPLv2+.
@@ -48,6 +48,10 @@ Patch58: pam-1.3.1-faillock-change-file-permissions.patch
 # https://github.com/linux-pam/linux-pam/commit/16cebfeb30a8bd7c7dc269190a054c25b0f8d044
 # https://github.com/linux-pam/linux-pam/commit/ad8b6feaf8ea989368676acaea905998a807986e
 Patch59: pam-1.4.0-motd-filter-files.patch
+# https://github.com/linux-pam/linux-pam/commit/db6b293046aee4735f3aa2d1713742ed4b533219
+Patch60: pam-1.4.0-unix-init-daysleft.patch
+# https://github.com/linux-pam/linux-pam/commit/9f24bbeeb4fe04bc396898cd9825478ad52c5ac7
+Patch61: pam-1.4.0-motd-privilege-message.patch
 
 %global _pamlibdir %{_libdir}
 %global _moduledir %{_libdir}/security
@@ -139,6 +143,8 @@ cp %{SOURCE18} .
 %patch57 -p1 -b .determine-user-exists
 %patch58 -p1 -b .faillock-change-file-permissions
 %patch59 -p1 -b .motd-filter-files
+%patch60 -p1 -b .unix-init-daysleft
+%patch61 -p1 -b .motd-privilege-message
 
 autoreconf -i
 
@@ -398,6 +404,10 @@ done
 %doc doc/sag/*.txt doc/sag/html
 
 %changelog
+* Mon Oct 19 2020 Iker Pedrosa <ipedrosa@redhat.com> - 1.4.0-6
+- pam_unix: fix missing initialization of daysleft  (#1887077)
+- pam_motd: change privilege message prompt to default (#1861640)
+
 * Wed Oct 14 2020 Iker Pedrosa <ipedrosa@redhat.com> - 1.4.0-5
 - pam_motd: read motd files with target user credentials skipping unreadable ones (#1861640)
 - Clarify upstreamed patches