diff --git a/pam-1.4.0-motd-filter-files.patch b/pam-1.4.0-motd-filter-files.patch new file mode 100644 index 0000000..3d1685e --- /dev/null +++ b/pam-1.4.0-motd-filter-files.patch @@ -0,0 +1,186 @@ +From 16cebfeb30a8bd7c7dc269190a054c25b0f8d044 Mon Sep 17 00:00:00 2001 +From: ikerexxe +Date: Tue, 15 Sep 2020 15:54:10 +0200 +Subject: [PATCH 1/2] pam_motd: filter motd by user and group + +modules/pam_motd/pam_motd.c: filter motd by user and group owning the +proper files. This is achieved by changing the ids of the process +reading the files from root to the target user. + +Resolves: +https://bugzilla.redhat.com/show_bug.cgi?id=1861640 +--- + modules/pam_motd/pam_motd.c | 97 ++++++++++++++++++++++++++++--------- + 1 file changed, 75 insertions(+), 22 deletions(-) + +diff --git a/modules/pam_motd/pam_motd.c b/modules/pam_motd/pam_motd.c +index 46f4fe61..a4fd0e59 100644 +--- a/modules/pam_motd/pam_motd.c ++++ b/modules/pam_motd/pam_motd.c +@@ -282,6 +282,72 @@ static void try_to_display_directories_with_overrides(pam_handle_t *pamh, + _pam_drop(dirscans); + } + ++static int drop_privileges(pam_handle_t *pamh, struct pam_modutil_privs *privs) ++{ ++ struct passwd *pw; ++ const char *username; ++ int retval; ++ ++ retval = pam_get_user(pamh, &username, "key user"); ++ ++ if (retval == PAM_SUCCESS) { ++ pw = pam_modutil_getpwnam (pamh, username); ++ } else { ++ return PAM_SESSION_ERR; ++ } ++ ++ if (pw == NULL || pam_modutil_drop_priv(pamh, privs, pw)) { ++ return PAM_SESSION_ERR; ++ } ++ ++ return PAM_SUCCESS; ++} ++ ++static int try_to_display(pam_handle_t *pamh, char **motd_path_split, ++ unsigned int num_motd_paths, ++ char **motd_dir_path_split, ++ unsigned int num_motd_dir_paths, int report_missing) ++{ ++ PAM_MODUTIL_DEF_PRIVS(privs); ++ ++ if (drop_privileges(pamh, &privs) != PAM_SUCCESS) { ++ pam_syslog(pamh, LOG_ERR, "Unable to drop privileges"); ++ return PAM_SESSION_ERR; ++ } ++ ++ if (motd_path_split != NULL) { ++ unsigned int i; ++ ++ for (i = 0; i < num_motd_paths; i++) { ++ int fd = open(motd_path_split[i], O_RDONLY, 0); ++ ++ if (fd >= 0) { ++ try_to_display_fd(pamh, fd); ++ close(fd); ++ ++ /* We found and displayed a file, ++ * move onto next filename. ++ */ ++ break; ++ } ++ } ++ } ++ ++ if (motd_dir_path_split != NULL) { ++ try_to_display_directories_with_overrides(pamh, ++ motd_dir_path_split, ++ num_motd_dir_paths, ++ report_missing); ++ } ++ ++ if (pam_modutil_regain_priv(pamh, &privs)) { ++ pam_syslog(pamh, LOG_ERR, "Unable to regain privileges"); ++ return PAM_SESSION_ERR; ++ } ++ ++ return PAM_SUCCESS; ++} ++ + int pam_sm_open_session(pam_handle_t *pamh, int flags, + int argc, const char **argv) + { +@@ -358,25 +424,9 @@ int pam_sm_open_session(pam_handle_t *pamh, int flags, + } + } + +- if (motd_path_split != NULL) { +- unsigned int i; +- +- for (i = 0; i < num_motd_paths; i++) { +- int fd = open(motd_path_split[i], O_RDONLY, 0); +- +- if (fd >= 0) { +- try_to_display_fd(pamh, fd); +- close(fd); +- +- /* We found and displayed a file, move onto next filename. */ +- break; +- } +- } +- } +- +- if (motd_dir_path_split != NULL) +- try_to_display_directories_with_overrides(pamh, motd_dir_path_split, +- num_motd_dir_paths, report_missing); ++ retval = try_to_display(pamh, motd_path_split, num_motd_paths, ++ motd_dir_path_split, num_motd_dir_paths, ++ report_missing); + + out: + _pam_drop(motd_path_copy); +@@ -384,9 +434,12 @@ int pam_sm_open_session(pam_handle_t *pamh, int flags, + _pam_drop(motd_dir_path_copy); + _pam_drop(motd_dir_path_split); + +- retval = pam_putenv(pamh, "MOTD_SHOWN=pam"); +- +- return retval == PAM_SUCCESS ? PAM_IGNORE : retval; ++ if (retval == PAM_SUCCESS) { ++ retval = pam_putenv(pamh, "MOTD_SHOWN=pam"); ++ return retval == PAM_SUCCESS ? PAM_IGNORE : retval; ++ } else { ++ return retval; ++ } + } + + /* end of module definition */ +-- +2.26.2 + + +From ad8b6feaf8ea989368676acaea905998a807986e Mon Sep 17 00:00:00 2001 +From: ikerexxe +Date: Wed, 14 Oct 2020 11:30:00 +0200 +Subject: [PATCH 2/2] pam_motd: document file filtering + +modules/pam_motd/pam_motd.8.xml: document file filtering of motd +messages. +NEWS: annotate change. +--- + NEWS | 3 +++ + modules/pam_motd/pam_motd.8.xml | 5 +++-- + 2 files changed, 6 insertions(+), 2 deletions(-) + +diff --git a/NEWS b/NEWS +index e8c0de87..c3b338e2 100644 +--- a/NEWS ++++ b/NEWS +@@ -1,5 +1,8 @@ + Linux-PAM NEWS -- history of user-visible changes. + ++Release 1.5.0 ++* pam_motd: read motd files with target user credentials skipping unreadable ones. ++ + Release 1.4.0 + * Multiple minor bug fixes and documentation improvements + * Fixed grammar of messages printed via pam_prompt +diff --git a/modules/pam_motd/pam_motd.8.xml b/modules/pam_motd/pam_motd.8.xml +index b533530b..0afd4c99 100644 +--- a/modules/pam_motd/pam_motd.8.xml ++++ b/modules/pam_motd/pam_motd.8.xml +@@ -64,8 +64,9 @@ + override files with the same name in /usr/lib/motd.d/. + + +- Files the in the directories listed above are displayed in +- lexicographic order by name. ++ Files in the directories listed above are displayed in lexicographic ++ order by name. Moreover, the files are filtered by reading them with the ++ credentials of the target user authenticating on the system. + + + To silence a message, +-- +2.26.2 + diff --git a/pam.spec b/pam.spec index 366738e..ddb9b21 100644 --- a/pam.spec +++ b/pam.spec @@ -3,7 +3,7 @@ Summary: An extensible library which provides authentication for applications Name: pam Version: 1.4.0 -Release: 4%{?dist} +Release: 5%{?dist} # The library is BSD licensed with option to relicense as GPLv2+ # - this option is redundant as the BSD license allows that anyway. # pam_timestamp, pam_loginuid, and pam_console modules are GPLv2+. @@ -26,19 +26,28 @@ Source17: postlogin.5 Source18: https://www.gnu.org/licenses/old-licenses/gpl-2.0.txt Patch1: pam-1.4.0-redhat-modules.patch Patch9: pam-1.4.0-noflex.patch +# https://github.com/linux-pam/linux-pam/commit/cbdef051ab5d4031656d14ac6cdb1f6c2d8d6595 Patch10: pam-1.4.0-nouserenv.patch +# https://github.com/linux-pam/linux-pam/commit/adc037167ad293242d9c69c4d427da1001f26706 Patch13: pam-1.1.6-limits-user.patch Patch15: pam-1.4.0-full-relro.patch -# Upstreamed partially +# https://github.com/linux-pam/linux-pam/commit/f787845843da96cc29ea1f864e29fb17379b36b7 Patch29: pam-1.4.0-pwhistory-helper.patch Patch31: pam-1.1.8-audit-user-mgmt.patch Patch33: pam-1.3.0-unix-nomsg.patch +# https://github.com/linux-pam/linux-pam/commit/655b5e3cf32cb2bd6606cb8ab696b8f00f87051e +# https://github.com/linux-pam/linux-pam/commit/a6a1b9f788a79b2a09827c72a755f471c2e05100 +# https://github.com/linux-pam/linux-pam/commit/2bae5daf16d4466185fac89539d653b269a3ea01 +# https://github.com/linux-pam/linux-pam/commit/276ad5b8e48aa77c24ef25e18d2e97f66c83d68c Patch34: pam-1.4.0-coverity.patch # https://github.com/linux-pam/linux-pam/commit/af0faf666c5008e54dfe43684f210e3581ff1bca # https://github.com/linux-pam/linux-pam/commit/0e9b286afe1224b91ff00936058b084ad4b776e4 Patch57: pam-1.4.0-determine-user-exists.patch # https://github.com/linux-pam/linux-pam/commit/395915dae1571e10e2766c999974de864655ea3a Patch58: pam-1.3.1-faillock-change-file-permissions.patch +# https://github.com/linux-pam/linux-pam/commit/16cebfeb30a8bd7c7dc269190a054c25b0f8d044 +# https://github.com/linux-pam/linux-pam/commit/ad8b6feaf8ea989368676acaea905998a807986e +Patch59: pam-1.4.0-motd-filter-files.patch %global _pamlibdir %{_libdir} %global _moduledir %{_libdir}/security @@ -129,6 +138,7 @@ cp %{SOURCE18} . %patch34 -p1 -b .coverity %patch57 -p1 -b .determine-user-exists %patch58 -p1 -b .faillock-change-file-permissions +%patch59 -p1 -b .motd-filter-files autoreconf -i @@ -388,6 +398,10 @@ done %doc doc/sag/*.txt doc/sag/html %changelog +* Wed Oct 14 2020 Iker Pedrosa - 1.4.0-5 +- pam_motd: read motd files with target user credentials skipping unreadable ones (#1861640) +- Clarify upstreamed patches + * Tue Aug 04 2020 Tom Stellard - 1.4.0-4 - Add BuildRequires: gcc - https://docs.fedoraproject.org/en-US/packaging-guidelines/C_and_C++/#_packaging