diff --git a/pam-1.3.1-authtok-verify-fix.patch b/pam-1.3.1-authtok-verify-fix.patch new file mode 100644 index 0000000..6c40cdc --- /dev/null +++ b/pam-1.3.1-authtok-verify-fix.patch @@ -0,0 +1,88 @@ +From 27d04a849fd9f9cfd4b35eb80d687817830183df Mon Sep 17 00:00:00 2001 +From: Tomas Mraz +Date: Wed, 7 Aug 2019 12:22:55 +0200 +Subject: [PATCH] pam_get_authtok_verify: Avoid duplicate password verification + +If password was already verified by previous modules in the stack +it does not need to be verified by pam_get_authtok_verify either. + +* libpam/pam_get_authtok.c (pam_get_authtok_internal): Set the authtok_verified + appropriately. + (pam_get_authtok_verify): Do not prompt if authtok_verified is set and + set it when the password is verified. +* libpam/pam_private.h: Add authtok_verified to the pam handle struct. +* libpam/pam_start.c (pam_start): Initialize authtok_verified. +--- + libpam/pam_get_authtok.c | 10 ++++++++++ + libpam/pam_private.h | 1 + + libpam/pam_start.c | 1 + + 3 files changed, 12 insertions(+) + +diff --git a/libpam/pam_get_authtok.c b/libpam/pam_get_authtok.c +index 800c6e5..99eb25f 100644 +--- a/libpam/pam_get_authtok.c ++++ b/libpam/pam_get_authtok.c +@@ -140,6 +140,8 @@ pam_get_authtok_internal (pam_handle_t *pamh, int item, + } + else if (chpass) + { ++ pamh->authtok_verified = 0; ++ + retval = pam_prompt (pamh, PAM_PROMPT_ECHO_OFF, &resp[0], + PROMPT1, authtok_type, + strlen (authtok_type) > 0?" ":""); +@@ -184,6 +186,9 @@ pam_get_authtok_internal (pam_handle_t *pamh, int item, + if (retval != PAM_SUCCESS) + return retval; + ++ if (chpass > 1) ++ pamh->authtok_verified = 1; ++ + return pam_get_item(pamh, item, (const void **)authtok); + } + +@@ -214,6 +219,9 @@ pam_get_authtok_verify (pam_handle_t *pamh, const char **authtok, + if (authtok == NULL || pamh->choice != PAM_CHAUTHTOK) + return PAM_SYSTEM_ERR; + ++ if (pamh->authtok_verified) ++ return pam_get_item (pamh, PAM_AUTHTOK, (const void **)authtok); ++ + if (prompt != NULL) + { + retval = pam_prompt (pamh, PAM_PROMPT_ECHO_OFF, &resp, +@@ -252,5 +260,7 @@ pam_get_authtok_verify (pam_handle_t *pamh, const char **authtok, + if (retval != PAM_SUCCESS) + return retval; + ++ pamh->authtok_verified = 1; ++ + return pam_get_item(pamh, PAM_AUTHTOK, (const void **)authtok); + } +diff --git a/libpam/pam_private.h b/libpam/pam_private.h +index 7ff9f75..58a26f5 100644 +--- a/libpam/pam_private.h ++++ b/libpam/pam_private.h +@@ -172,6 +172,7 @@ struct pam_handle { + #ifdef HAVE_LIBAUDIT + int audit_state; /* keep track of reported audit messages */ + #endif ++ int authtok_verified; + }; + + /* Values for select arg to _pam_dispatch() */ +diff --git a/libpam/pam_start.c b/libpam/pam_start.c +index 328416d..e27c64b 100644 +--- a/libpam/pam_start.c ++++ b/libpam/pam_start.c +@@ -94,6 +94,7 @@ int pam_start ( + #endif + (*pamh)->xdisplay = NULL; + (*pamh)->authtok_type = NULL; ++ (*pamh)->authtok_verified = 0; + memset (&((*pamh)->xauth), 0, sizeof ((*pamh)->xauth)); + + if (((*pamh)->pam_conversation = (struct pam_conv *) +-- +2.20.1 + diff --git a/pam-1.3.1-fds-closing.patch b/pam-1.3.1-fds-closing.patch new file mode 100644 index 0000000..7f5f772 --- /dev/null +++ b/pam-1.3.1-fds-closing.patch @@ -0,0 +1,70 @@ +diff -up Linux-PAM-1.3.1/libpam/pam_modutil_sanitize.c.fds-closing Linux-PAM-1.3.1/libpam/pam_modutil_sanitize.c +--- Linux-PAM-1.3.1/libpam/pam_modutil_sanitize.c.fds-closing 2017-02-10 11:10:15.000000000 +0100 ++++ Linux-PAM-1.3.1/libpam/pam_modutil_sanitize.c 2019-10-16 16:07:31.259021159 +0200 +@@ -10,6 +10,7 @@ + #include + #include + #include ++#include + + /* + * Creates a pipe, closes its write end, redirects fd to its read end. +@@ -116,27 +117,45 @@ redirect_out(pam_handle_t *pamh, enum pa + static void + close_fds(void) + { ++ DIR *dir = NULL; ++ struct dirent *dent; ++ int dfd = -1; ++ int fd; ++ struct rlimit rlim; ++ + /* + * An arbitrary upper limit for the maximum file descriptor number + * returned by RLIMIT_NOFILE. + */ +- const int MAX_FD_NO = 65535; ++ const unsigned int MAX_FD_NO = 65535; + + /* The lower limit is the same as for _POSIX_OPEN_MAX. */ +- const int MIN_FD_NO = 20; ++ const unsigned int MIN_FD_NO = 20; + +- int fd; +- struct rlimit rlim; +- +- if (getrlimit(RLIMIT_NOFILE, &rlim) || rlim.rlim_max > MAX_FD_NO) +- fd = MAX_FD_NO; +- else if (rlim.rlim_max < MIN_FD_NO) +- fd = MIN_FD_NO; +- else +- fd = rlim.rlim_max - 1; ++ /* If /proc is mounted, we can optimize which fd can be closed. */ ++ if ((dir = opendir("/proc/self/fd")) != NULL) { ++ if ((dfd = dirfd(dir)) >= 0) { ++ while ((dent = readdir(dir)) != NULL) { ++ fd = atoi(dent->d_name); ++ if (fd > STDERR_FILENO && fd != dfd) ++ close(fd); ++ } ++ } ++ closedir(dir); ++ } ++ ++ /* If /proc isn't available, fallback to the previous behavior. */ ++ if (dfd < 0) { ++ if (getrlimit(RLIMIT_NOFILE, &rlim) || rlim.rlim_max > MAX_FD_NO) ++ fd = MAX_FD_NO; ++ else if (rlim.rlim_max < MIN_FD_NO) ++ fd = MIN_FD_NO; ++ else ++ fd = rlim.rlim_max - 1; + +- for (; fd > STDERR_FILENO; --fd) +- close(fd); ++ for (; fd > STDERR_FILENO; --fd) ++ close(fd); ++ } + } + + int diff --git a/pam-1.3.1-lastlog-no-showfailed.patch b/pam-1.3.1-lastlog-no-showfailed.patch new file mode 100644 index 0000000..6b68d9d --- /dev/null +++ b/pam-1.3.1-lastlog-no-showfailed.patch @@ -0,0 +1,82 @@ +From c426914fa166ffb0482b6f6ad659ddf17d5dfaa1 Mon Sep 17 00:00:00 2001 +From: Nir Soffer +Date: Wed, 9 Jan 2019 23:41:16 +0200 +Subject: [PATCH] pam_lastlog: Improve silent option documentation + +The silent option explicitly silents only the last login message and not +bad logins. Add a note to the manual to make this clear. + +* modules/pam_lastlog/pam_lastlog.8.xml: Clearify "silent showfailed" +--- + modules/pam_lastlog/pam_lastlog.8.xml | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/modules/pam_lastlog/pam_lastlog.8.xml b/modules/pam_lastlog/pam_lastlog.8.xml +index c8f247e..bc2e1be 100644 +--- a/modules/pam_lastlog/pam_lastlog.8.xml ++++ b/modules/pam_lastlog/pam_lastlog.8.xml +@@ -102,6 +102,7 @@ + + Don't inform the user about any previous login, + just update the /var/log/lastlog file. ++ This option does not affect display of bad login attempts. + + + +-- +2.20.1 + +From 7d036249a9772c546ede1f38ad68b3f1575216d6 Mon Sep 17 00:00:00 2001 +From: Nir Soffer +Date: Sun, 6 Jan 2019 00:36:27 +0200 +Subject: [PATCH] pam_lastlog: Respect PAM_SILENT flag + +pam_lastlog module will not log info about failed login if the session +was opened with PAM_SILENT flag. + +Example use case enabled by this change: + + sudo --non-interactive program + +If this command is run by another program expecting specific output from +the command run by sudo, the unexpected info about failed logins will +break this program. + +* modules/pam_lastlog/pam_lastlog.c: Respect silent option. + (_pam_session_parse): Unset LASTLOG_BTMP if PAM_SILENT is set. +--- + modules/pam_lastlog/pam_lastlog.c | 11 ++++++----- + 1 file changed, 6 insertions(+), 5 deletions(-) + +diff --git a/modules/pam_lastlog/pam_lastlog.c b/modules/pam_lastlog/pam_lastlog.c +index 18bf7be..e980c04 100644 +--- a/modules/pam_lastlog/pam_lastlog.c ++++ b/modules/pam_lastlog/pam_lastlog.c +@@ -135,11 +135,6 @@ _pam_session_parse(pam_handle_t *pamh, int flags, int argc, const char **argv) + { + int ctrl=(LASTLOG_DATE|LASTLOG_HOST|LASTLOG_LINE|LASTLOG_WTMP|LASTLOG_UPDATE); + +- /* does the appliction require quiet? */ +- if (flags & PAM_SILENT) { +- ctrl |= LASTLOG_QUIET; +- } +- + /* step through arguments */ + for (; argc-- > 0; ++argv) { + +@@ -168,6 +163,12 @@ _pam_session_parse(pam_handle_t *pamh, int flags, int argc, const char **argv) + } + } + ++ /* does the appliction require quiet? */ ++ if (flags & PAM_SILENT) { ++ ctrl |= LASTLOG_QUIET; ++ ctrl &= ~LASTLOG_BTMP; ++ } ++ + D(("ctrl = %o", ctrl)); + return ctrl; + } +-- +2.20.1 + diff --git a/pam-1.3.1-lastlog-unlimited-fsize.patch b/pam-1.3.1-lastlog-unlimited-fsize.patch new file mode 100644 index 0000000..1067d6f --- /dev/null +++ b/pam-1.3.1-lastlog-unlimited-fsize.patch @@ -0,0 +1,227 @@ +From 3a3e70739834cd5cbd17469907ef718c81ae40c0 Mon Sep 17 00:00:00 2001 +From: Carlos Santos +Date: Wed, 11 Sep 2019 11:50:28 -0300 +Subject: [PATCH] pam_lastlog: document the 'unlimited' option + +Signed-off-by: Carlos Santos +--- + modules/pam_lastlog/pam_lastlog.8.xml | 18 ++++++++++++++++++ + 1 file changed, 18 insertions(+) + +diff --git a/modules/pam_lastlog/pam_lastlog.8.xml b/modules/pam_lastlog/pam_lastlog.8.xml +index bc2e1be..f10e94a 100644 +--- a/modules/pam_lastlog/pam_lastlog.8.xml ++++ b/modules/pam_lastlog/pam_lastlog.8.xml +@@ -48,6 +48,9 @@ + + inactive=<days> + ++ ++ unlimited ++ + + + +@@ -196,6 +199,18 @@ + + + ++ ++ ++ ++ ++ ++ ++ If the fsize limit is set, this option can be ++ used to override it, preventing failures on systems with large UID ++ values that lead lastlog to become a huge sparse file. ++ ++ ++ + + + +@@ -300,6 +315,9 @@ + + SEE ALSO + ++ ++ limits.conf5 ++ , + + pam.conf5 + , +-- +2.20.1 + +From 9349333a9ae958205294cd25e97fd6b4805bd82b Mon Sep 17 00:00:00 2001 +From: Carlos Santos +Date: Tue, 10 Sep 2019 23:08:30 -0300 +Subject: [PATCH] pam_lastlog: prevent crash due to reduced 'fsize' limit + +It a reduced fsize limit is set in /etc/security/limits.conf and +pam_limits is in use pam_lastlog may cause a crash, e.g. + + ----- begin /etc/pam.d/su ---- + auth sufficient pam_rootok.so + auth required pam_wheel.so use_uid + auth required pam_env.so + auth required pam_unix.so nullok + account required pam_unix.so + password required pam_unix.so nullok + session required pam_limits.so + session required pam_env.so + session required pam_unix.so + session optional pam_lastlog.so + ----- end /etc/pam.d/su ----- + + ----- begin /etc/security/limits.d/fsize.conf ----- + * soft fsize 1710 + * hard fsize 1710 + ----- end /etc/security/limits.d/fsize.conf ----- + + # id user1 + uid=1000(user1) gid=1000(user1) groups=1000(user1) + # su - user1 + Last login: Wed Sep 11 01:52:44 UTC 2019 on console + $ exit + # id user2 + uid=60000(user2) gid=60000(user2) groups=60000(user2) + # su - user2 + File size limit exceeded + +This happens because pam_limits sets RLIMIT_FSIZE before pam_lastlog +attempts to write /var/log/lastlog, leading to a SIGXFSZ signal. + +In order to fix this, and an 'unlimited' option, which leads to saving +the 'fsize' limit and set it to unlimited before writing lastlog. After +that, restore the saved value. If 'fsize' is already unlimited nothing +is done. + +Failing to set the 'fsize' limit is not a fatal error. With luck the +configured limit will suffice, so we try to write lastlog anyway, even +under the risk of dying due to a SIGXFSZ. + +Failing to restore the 'fsize' limit is a fatal error, since we don't +want to keep it unlimited. + +Signed-off-by: Carlos Santos +--- + modules/pam_lastlog/pam_lastlog.c | 66 ++++++++++++++++++++++++++----- + 1 file changed, 57 insertions(+), 9 deletions(-) + +diff --git a/modules/pam_lastlog/pam_lastlog.c b/modules/pam_lastlog/pam_lastlog.c +index e980c04..a135c9f 100644 +--- a/modules/pam_lastlog/pam_lastlog.c ++++ b/modules/pam_lastlog/pam_lastlog.c +@@ -25,6 +25,8 @@ + #include + #include + #include ++#include ++#include + #include + #include + +@@ -82,15 +84,16 @@ struct lastlog { + + /* argument parsing */ + +-#define LASTLOG_DATE 01 /* display the date of the last login */ +-#define LASTLOG_HOST 02 /* display the last host used (if set) */ +-#define LASTLOG_LINE 04 /* display the last terminal used */ +-#define LASTLOG_NEVER 010 /* display a welcome message for first login */ +-#define LASTLOG_DEBUG 020 /* send info to syslog(3) */ +-#define LASTLOG_QUIET 040 /* keep quiet about things */ +-#define LASTLOG_WTMP 0100 /* log to wtmp as well as lastlog */ +-#define LASTLOG_BTMP 0200 /* display failed login info from btmp */ +-#define LASTLOG_UPDATE 0400 /* update the lastlog and wtmp files (default) */ ++#define LASTLOG_DATE 01 /* display the date of the last login */ ++#define LASTLOG_HOST 02 /* display the last host used (if set) */ ++#define LASTLOG_LINE 04 /* display the last terminal used */ ++#define LASTLOG_NEVER 010 /* display a welcome message for first login */ ++#define LASTLOG_DEBUG 020 /* send info to syslog(3) */ ++#define LASTLOG_QUIET 040 /* keep quiet about things */ ++#define LASTLOG_WTMP 0100 /* log to wtmp as well as lastlog */ ++#define LASTLOG_BTMP 0200 /* display failed login info from btmp */ ++#define LASTLOG_UPDATE 0400 /* update the lastlog and wtmp files (default) */ ++#define LASTLOG_UNLIMITED 01000 /* unlimited file size (ignore 'fsize' limit) */ + + static int + _pam_auth_parse(pam_handle_t *pamh, int flags, int argc, const char **argv, +@@ -158,6 +161,8 @@ _pam_session_parse(pam_handle_t *pamh, int flags, int argc, const char **argv) + ctrl &= ~(LASTLOG_WTMP|LASTLOG_UPDATE); + } else if (!strcmp(*argv,"showfailed")) { + ctrl |= LASTLOG_BTMP; ++ } else if (!strcmp(*argv,"unlimited")) { ++ ctrl |= LASTLOG_UNLIMITED; + } else { + pam_syslog(pamh, LOG_ERR, "unknown option: %s", *argv); + } +@@ -373,6 +378,12 @@ static int + last_login_write(pam_handle_t *pamh, int announce, int last_fd, + uid_t uid, const char *user) + { ++ static struct rlimit no_limit = { ++ RLIM_INFINITY, ++ RLIM_INFINITY ++ }; ++ struct rlimit old_limit; ++ int setrlimit_res; + struct flock last_lock; + struct lastlog last_login; + time_t ll_time; +@@ -427,6 +438,31 @@ last_login_write(pam_handle_t *pamh, int announce, int last_fd, + sleep(LASTLOG_IGNORE_LOCK_TIME); + } + ++ /* ++ * Failing to set the 'fsize' limit is not a fatal error. We try to write ++ * lastlog anyway, under the risk of dying due to a SIGXFSZ. ++ */ ++ D(("setting limit for 'fsize'")); ++ ++ if ((announce & LASTLOG_UNLIMITED) == 0) { /* don't set to unlimted */ ++ setrlimit_res = -1; ++ } else if (getrlimit(RLIMIT_FSIZE, &old_limit) == 0) { ++ if (old_limit.rlim_cur == RLIM_INFINITY) { /* already unlimited */ ++ setrlimit_res = -1; ++ } else { ++ setrlimit_res = setrlimit(RLIMIT_FSIZE, &no_limit); ++ if (setrlimit_res != 0) ++ pam_syslog(pamh, LOG_WARNING, "Could not set limit for 'fsize': %m"); ++ } ++ } else { ++ setrlimit_res = -1; ++ if (errno == EINVAL) { ++ pam_syslog(pamh, LOG_INFO, "Limit for 'fsize' not supported: %m"); ++ } else { ++ pam_syslog(pamh, LOG_WARNING, "Could not get limit for 'fsize': %m"); ++ } ++ } ++ + D(("writing to the lastlog file")); + if (pam_modutil_write (last_fd, (char *) &last_login, + sizeof (last_login)) != sizeof(last_login)) { +@@ -434,6 +470,18 @@ last_login_write(pam_handle_t *pamh, int announce, int last_fd, + retval = PAM_SERVICE_ERR; + } + ++ /* ++ * Failing to restore the 'fsize' limit is a fatal error. ++ */ ++ D(("restoring limit for 'fsize'")); ++ if (setrlimit_res == 0) { ++ setrlimit_res = setrlimit(RLIMIT_FSIZE, &old_limit); ++ if (setrlimit_res != 0) { ++ pam_syslog(pamh, LOG_ERR, "Could not restore limit for 'fsize': %m"); ++ retval = PAM_SERVICE_ERR; ++ } ++ } ++ + last_lock.l_type = F_UNLCK; + (void) fcntl(last_fd, F_SETLK, &last_lock); /* unlock */ + D(("unlocked")); +-- +2.20.1 + diff --git a/pam-1.3.1-namespace-mntopts.patch b/pam-1.3.1-namespace-mntopts.patch new file mode 100644 index 0000000..111da4b --- /dev/null +++ b/pam-1.3.1-namespace-mntopts.patch @@ -0,0 +1,136 @@ +diff --git a/modules/pam_namespace/namespace.conf.5.xml b/modules/pam_namespace/namespace.conf.5.xml +index c7698cb..a94b49e 100644 +--- a/modules/pam_namespace/namespace.conf.5.xml ++++ b/modules/pam_namespace/namespace.conf.5.xml +@@ -122,9 +122,14 @@ + mntopts=value + - value of this flag is passed to the mount call when the tmpfs mount is + done. It allows for example the specification of the maximum size of the +- tmpfs instance that is created by the mount call. See +- mount8 +- for details. ++ tmpfs instance that is created by the mount call. In addition to ++ options specified in the ++ tmpfs5 ++ manual the nosuid, ++ noexec, and nodev flags ++ can be used to respectively disable setuid bit effect, disable running ++ executables, and disable devices to be interpreted on the mounted ++ tmpfs filesystem. + + + +diff --git a/modules/pam_namespace/pam_namespace.c b/modules/pam_namespace/pam_namespace.c +index f541f89..0fd59fb 100644 +--- a/modules/pam_namespace/pam_namespace.c ++++ b/modules/pam_namespace/pam_namespace.c +@@ -230,6 +230,78 @@ static int parse_iscript_params(char *params, struct polydir_s *poly) + return 0; + } + ++struct mntflag { ++ const char *name; ++ size_t size; ++ unsigned long flag; ++}; ++ ++#define LITERAL_AND_SIZE(x) x, sizeof(x) ++ ++static const struct mntflag mntflags[] = { ++ { LITERAL_AND_SIZE("noexec"), MS_NOEXEC }, ++ { LITERAL_AND_SIZE("nosuid"), MS_NOSUID }, ++ { LITERAL_AND_SIZE("nodev"), MS_NODEV } ++ }; ++ ++static int filter_mntopts(const char *opts, char **filtered, ++ unsigned long *mountflags) ++{ ++ size_t origlen = strlen(opts); ++ const char *end; ++ char *dest; ++ ++ *filtered = NULL; ++ *mountflags = 0; ++ ++ if (origlen == 0) ++ return 0; ++ ++ dest = *filtered = calloc(1, origlen); ++ if (*filtered == NULL) ++ return -1; ++ ++ do { ++ size_t len; ++ int i; ++ ++ end = strchr(opts, ','); ++ if (end == NULL) { ++ len = strlen(opts); ++ } else { ++ len = end - opts; ++ } ++ ++ for (i = 0; i < (int)(sizeof(mntflags)/sizeof(mntflags[0])); i++) { ++ if (mntflags[i].size - 1 != len) ++ continue; ++ if (strncmp(mntflags[i].name, opts, len) == 0) { ++ *mountflags |= mntflags[i].flag; ++ opts = end; ++ break; ++ } ++ } ++ ++ if (opts != end) { ++ if (dest != *filtered) { ++ *dest = ','; ++ ++dest; ++ } ++ strncpy(dest, opts, len); ++ dest += len; ++ } ++ ++ opts = end + 1; ++ } while (end != NULL); ++ ++ if (dest == *filtered) { ++ /* nothing left */ ++ free(dest); ++ *filtered = NULL; ++ } ++ return 0; ++} ++ + static int parse_method(char *method, struct polydir_s *poly, + struct instance_data *idata) + { +@@ -289,7 +361,8 @@ static int parse_method(char *method, struct polydir_s *poly, + break; + } + free(poly->mount_opts); /* if duplicate mntopts specified */ +- if ((poly->mount_opts = strdup(flag+namelen+1)) == NULL) { ++ poly->mount_opts = NULL; ++ if (filter_mntopts(flag+namelen+1, &poly->mount_opts, &poly->mount_flags) != 0) { + pam_syslog(idata->pamh, LOG_CRIT, "Memory allocation error"); + return -1; + } +@@ -1484,7 +1557,7 @@ static int ns_setup(struct polydir_s *polyptr, + } + + if (polyptr->method == TMPFS) { +- if (mount("tmpfs", polyptr->dir, "tmpfs", 0, polyptr->mount_opts) < 0) { ++ if (mount("tmpfs", polyptr->dir, "tmpfs", polyptr->mount_flags, polyptr->mount_opts) < 0) { + pam_syslog(idata->pamh, LOG_ERR, "Error mounting tmpfs on %s, %m", + polyptr->dir); + return PAM_SESSION_ERR; +diff --git a/modules/pam_namespace/pam_namespace.h b/modules/pam_namespace/pam_namespace.h +index 47ebcc3..1522386 100644 +--- a/modules/pam_namespace/pam_namespace.h ++++ b/modules/pam_namespace/pam_namespace.h +@@ -166,6 +166,7 @@ struct polydir_s { + unsigned int flags; /* polydir flags */ + char *init_script; /* path to init script */ + char *mount_opts; /* mount options for tmpfs mount */ ++ unsigned long mount_flags; /* mount flags for tmpfs mount */ + uid_t owner; /* user which should own the polydir */ + gid_t group; /* group which should own the polydir */ + mode_t mode; /* mode of the polydir */ diff --git a/pam-1.3.1-tty-audit-manfix.patch b/pam-1.3.1-tty-audit-manfix.patch new file mode 100644 index 0000000..3d17963 --- /dev/null +++ b/pam-1.3.1-tty-audit-manfix.patch @@ -0,0 +1,33 @@ +From e31dd6c7d0faa7a06d3ebd50a0b6957b9f822d15 Mon Sep 17 00:00:00 2001 +From: Tomas Mraz +Date: Wed, 7 Aug 2019 18:13:57 +0200 +Subject: [PATCH] pam_tty_audit: Manual page clarification about password + logging + +* modules/pam_tty_audit/pam_tty_audit.8.xml: Explanation why passwords +can be sometimes logged even when the option is not set. +--- + modules/pam_tty_audit/pam_tty_audit.8.xml | 7 +++++++ + 1 file changed, 7 insertions(+) + +diff --git a/modules/pam_tty_audit/pam_tty_audit.8.xml b/modules/pam_tty_audit/pam_tty_audit.8.xml +index 59a3406..e346c68 100644 +--- a/modules/pam_tty_audit/pam_tty_audit.8.xml ++++ b/modules/pam_tty_audit/pam_tty_audit.8.xml +@@ -149,6 +149,13 @@ + greater than or equal to min_uid will be + matched. + ++ ++ Please note that passwords in some circumstances may be logged by TTY auditing ++ even if the is not used. For example, all input to ++ an ssh session will be logged - even if there is a password being typed into ++ some software running at the remote host because only the local TTY state ++ affects the local TTY auditing. ++ + + + +-- +2.20.1 + diff --git a/pam-1.3.1-unix-improve-logging.patch b/pam-1.3.1-unix-improve-logging.patch new file mode 100644 index 0000000..682b4d5 --- /dev/null +++ b/pam-1.3.1-unix-improve-logging.patch @@ -0,0 +1,57 @@ +From a6845905869ccabb5eb802be37241eabec085dc7 Mon Sep 17 00:00:00 2001 +From: Tomas Mraz +Date: Mon, 14 Oct 2019 16:52:46 +0200 +Subject: [PATCH] pam_unix: Add logging useful for debugging problems + +Two messages added about obtaining the username are guarded +by the debug option as these should not be normally +logged - they can be useful for debugging but they do not +indicate any special condition. + +The message about authenticating user with blank password is +still just LOG_DEBUG priority but it is logged unconditionally +because it is somewhat extraordinary condition to have an user +with blank password. + +* modules/pam_unix/pam_unix_auth.c (pam_sm_authenticate): Replace + D() macro calls which are not enabled on production builds with + regular pam_syslog() calls. +--- + modules/pam_unix/pam_unix_auth.c | 7 ++++--- + 1 file changed, 4 insertions(+), 3 deletions(-) + +diff --git a/modules/pam_unix/pam_unix_auth.c b/modules/pam_unix/pam_unix_auth.c +index 681e49d..3fca945 100644 +--- a/modules/pam_unix/pam_unix_auth.c ++++ b/modules/pam_unix/pam_unix_auth.c +@@ -130,15 +130,16 @@ pam_sm_authenticate(pam_handle_t *pamh, int flags, int argc, const char **argv) + AUTH_RETURN; + } + if (on(UNIX_DEBUG, ctrl)) +- D(("username [%s] obtained", name)); ++ pam_syslog(pamh, LOG_DEBUG, "username [%s] obtained", name); + } else { +- D(("trouble reading username")); + if (retval == PAM_CONV_AGAIN) { + D(("pam_get_user/conv() function is not ready yet")); + /* it is safe to resume this function so we translate this + * retval to the value that indicates we're happy to resume. + */ + retval = PAM_INCOMPLETE; ++ } else if (on(UNIX_DEBUG, ctrl)) { ++ pam_syslog(pamh, LOG_DEBUG, "could not obtain username"); + } + AUTH_RETURN; + } +@@ -146,7 +147,7 @@ pam_sm_authenticate(pam_handle_t *pamh, int flags, int argc, const char **argv) + /* if this user does not have a password... */ + + if (_unix_blankpasswd(pamh, ctrl, name)) { +- D(("user '%s' has blank passwd", name)); ++ pam_syslog(pamh, LOG_DEBUG, "user [%s] has blank password; authenticated without it", name); + name = NULL; + retval = PAM_SUCCESS; + AUTH_RETURN; +-- +2.20.1 + diff --git a/pam.spec b/pam.spec index 91c18dd..27124b9 100644 --- a/pam.spec +++ b/pam.spec @@ -1,9 +1,9 @@ -%global pam_redhat_version 1.1.0 +%global pam_redhat_version 1.1.1 Summary: An extensible library which provides authentication for applications Name: pam Version: 1.3.1 -Release: 19%{?dist} +Release: 20%{?dist} # The library is BSD licensed with option to relicense as GPLv2+ # - this option is redundant as the BSD license allows that anyway. # pam_timestamp, pam_loginuid, and pam_console modules are GPLv2+. @@ -53,6 +53,13 @@ Patch42: pam-1.3.1-motd-multiple-paths.patch Patch43: pam-1.3.1-unix-checksalt_syslog.patch # https://github.com/linux-pam/linux-pam/commit/d8d11db2cef65da5d2afa7acf21aa9c8cd88abed Patch44: pam-1.3.1-unix-fix_checksalt_syslog.patch +Patch45: pam-1.3.1-namespace-mntopts.patch +Patch46: pam-1.3.1-lastlog-no-showfailed.patch +Patch47: pam-1.3.1-lastlog-unlimited-fsize.patch +Patch48: pam-1.3.1-unix-improve-logging.patch +Patch49: pam-1.3.1-tty-audit-manfix.patch +Patch50: pam-1.3.1-fds-closing.patch +Patch51: pam-1.3.1-authtok-verify-fix.patch %global _pamlibdir %{_libdir} %global _moduledir %{_libdir}/security @@ -136,6 +143,13 @@ cp %{SOURCE18} . %patch42 -p1 -b .multiple-paths %patch43 -p1 -b .checksalt_syslog %patch44 -p1 -b .fix_checksalt_syslog +%patch45 -p1 -b .mntopts +%patch46 -p1 -b .no-showfailed +%patch47 -p1 -b .unlimited-fsize +%patch48 -p1 -b .improve-logging +%patch49 -p1 -b .tty-audit-manfix +%patch50 -p1 -b .fds-closing +%patch51 -p1 -b .authtok-verify-fix autoreconf -i @@ -162,6 +176,9 @@ for readme in modules/pam_*/README ; do cp -f ${readme} doc/txts/README.`dirname ${readme} | sed -e 's|^modules/||'` done +rm -rf doc/txts/README.pam_tally* +rm -rf doc/sag/html/*pam_tally* + # Install the binaries, libraries, and modules. make install DESTDIR=$RPM_BUILD_ROOT LDCONFIG=: @@ -186,7 +203,6 @@ install -m 644 %{SOURCE10} $RPM_BUILD_ROOT%{_pamconfdir}/config-util install -m 644 %{SOURCE16} $RPM_BUILD_ROOT%{_pamconfdir}/postlogin install -m 600 /dev/null $RPM_BUILD_ROOT%{_secconfdir}/opasswd install -d -m 755 $RPM_BUILD_ROOT/var/log -install -m 600 /dev/null $RPM_BUILD_ROOT/var/log/tallylog install -d -m 755 $RPM_BUILD_ROOT/var/run/faillock install -d -m 755 $RPM_BUILD_ROOT%{_sysconfdir}/motd.d install -d -m 755 $RPM_BUILD_ROOT/usr/lib/motd.d @@ -364,7 +380,6 @@ done %config(noreplace) %{_secconfdir}/sepermit.conf %dir /var/run/sepermit %endif -%ghost %verify(not md5 size mtime) /var/log/tallylog %dir /var/run/faillock %dir %{_sysconfdir}/motd.d %dir /run/motd.d @@ -384,6 +399,17 @@ done %doc doc/specs/rfc86.0.txt %changelog +* Wed Oct 16 2019 Tomáš Mráz 1.3.1-20 +- pam_namespace: Support noexec, nosuid and nodev flags for tmpfs mounts +- Drop tallylog and pam_tally documentation +- pam_faillock: Support local_users_only option +- pam_lastlog: Do not display failed attempts with PAM_SILENT flag +- pam_lastlog: Support unlimited option to override fsize limit +- pam_unix: Log if user authenticated without password +- pam_tty_audit: Improve manual page +- Optimize closing fds when spawning helpers +- Fix duplicate password verification in pam_authtok_verify() + * Mon Sep 9 2019 Tomáš Mráz 1.3.1-19 - pam_faillock: Support configuration file /etc/security/faillock.conf diff --git a/sources b/sources index d1819e8..916efbf 100644 --- a/sources +++ b/sources @@ -1,3 +1,3 @@ SHA512 (Linux-PAM-1.3.1.tar.xz) = 6bc8e2a5b64686f0a23846221c5228c88418ba485b17c53b3a12f91262b5bb73566d6b6a5daa1f63bbae54310aee918b987e44a72ce809b4e7c668f0fadfe08e SHA512 (Linux-PAM-1.3.1.tar.xz.asc) = 8b3ad3f4f29fad663e375296dca00f736b3de764f11d7b7aa615d00efe1c702c9060f244967f2d84d8ef3a342c3a1f8eba6dd52847df427bb3ce0ff765a8108a -SHA512 (pam-redhat-1.1.0.tar.bz2) = deb3d07780dc908bb6284e5449c7a25dcfd173d0edcb2864a5400537714cb276bc7625ccf53a20027a95680e8dc180bf8899b9214bd67616de3087b1eecdad7c +SHA512 (pam-redhat-1.1.1.tar.bz2) = 45adff01e1a1370c5bcfa539e9eb98337301bf9b63446a433fb4d45b60cd631aae9d6afe0a92e8736836e44f6c7d099f97d26fcea06592ef769481908a82fc43