Multiple fixes and enhancements

pam_namespace: Support noexec, nosuid and nodev flags for tmpfs mounts
Drop tallylog and pam_tally documentation
pam_faillock: Support local_users_only option
pam_lastlog: Do not display failed attempts with PAM_SILENT flag
pam_lastlog: Support unlimited option to override fsize limit
pam_unix: Log if user authenticated without password
pam_tty_audit: Improve manual page
Optimize closing fds when spawning helpers
Fix duplicate password verification in pam_authtok_verify()

pam-1.3.1-authtok-verify-fix.patch

@@ -0,0 +1,88 @@
+From 27d04a849fd9f9cfd4b35eb80d687817830183df Mon Sep 17 00:00:00 2001
+From: Tomas Mraz <tmraz@fedoraproject.org>
+Date: Wed, 7 Aug 2019 12:22:55 +0200
+Subject: [PATCH] pam_get_authtok_verify: Avoid duplicate password verification
+
+If password was already verified by previous modules in the stack
+it does not need to be verified by pam_get_authtok_verify either.
+
+* libpam/pam_get_authtok.c (pam_get_authtok_internal): Set the authtok_verified
+  appropriately.
+  (pam_get_authtok_verify): Do not prompt if authtok_verified is set and
+  set it when the password is verified.
+* libpam/pam_private.h: Add authtok_verified to the pam handle struct.
+* libpam/pam_start.c (pam_start): Initialize authtok_verified.
+---
+ libpam/pam_get_authtok.c | 10 ++++++++++
+ libpam/pam_private.h     |  1 +
+ libpam/pam_start.c       |  1 +
+ 3 files changed, 12 insertions(+)
+
+diff --git a/libpam/pam_get_authtok.c b/libpam/pam_get_authtok.c
+index 800c6e5..99eb25f 100644
+--- a/libpam/pam_get_authtok.c
++++ b/libpam/pam_get_authtok.c
+@@ -140,6 +140,8 @@ pam_get_authtok_internal (pam_handle_t *pamh, int item,
+     }
+   else if (chpass)
+     {
++      pamh->authtok_verified = 0;
++
+       retval = pam_prompt (pamh, PAM_PROMPT_ECHO_OFF, &resp[0],
+ 			   PROMPT1, authtok_type,
+ 			   strlen (authtok_type) > 0?" ":"");
+@@ -184,6 +186,9 @@ pam_get_authtok_internal (pam_handle_t *pamh, int item,
+   if (retval != PAM_SUCCESS)
+     return retval;
+ 
++  if (chpass > 1)
++    pamh->authtok_verified = 1;
++
+   return pam_get_item(pamh, item, (const void **)authtok);
+ }
+ 
+@@ -214,6 +219,9 @@ pam_get_authtok_verify (pam_handle_t *pamh, const char **authtok,
+   if (authtok == NULL || pamh->choice != PAM_CHAUTHTOK)
+     return PAM_SYSTEM_ERR;
+ 
++  if (pamh->authtok_verified)
++    return pam_get_item (pamh, PAM_AUTHTOK, (const void **)authtok);
++
+   if (prompt != NULL)
+     {
+       retval = pam_prompt (pamh, PAM_PROMPT_ECHO_OFF, &resp,
+@@ -252,5 +260,7 @@ pam_get_authtok_verify (pam_handle_t *pamh, const char **authtok,
+   if (retval != PAM_SUCCESS)
+     return retval;
+ 
++  pamh->authtok_verified = 1;
++
+   return pam_get_item(pamh, PAM_AUTHTOK, (const void **)authtok);
+ }
+diff --git a/libpam/pam_private.h b/libpam/pam_private.h
+index 7ff9f75..58a26f5 100644
+--- a/libpam/pam_private.h
++++ b/libpam/pam_private.h
+@@ -172,6 +172,7 @@ struct pam_handle {
+ #ifdef HAVE_LIBAUDIT
+     int audit_state;             /* keep track of reported audit messages */
+ #endif
++    int authtok_verified;
+ };
+ 
+ /* Values for select arg to _pam_dispatch() */
+diff --git a/libpam/pam_start.c b/libpam/pam_start.c
+index 328416d..e27c64b 100644
+--- a/libpam/pam_start.c
++++ b/libpam/pam_start.c
+@@ -94,6 +94,7 @@ int pam_start (
+ #endif
+     (*pamh)->xdisplay = NULL;
+     (*pamh)->authtok_type = NULL;
++    (*pamh)->authtok_verified = 0;
+     memset (&((*pamh)->xauth), 0, sizeof ((*pamh)->xauth));
+ 
+     if (((*pamh)->pam_conversation = (struct pam_conv *)
+-- 
+2.20.1
+

pam-1.3.1-fds-closing.patch

@@ -0,0 +1,70 @@
+diff -up Linux-PAM-1.3.1/libpam/pam_modutil_sanitize.c.fds-closing Linux-PAM-1.3.1/libpam/pam_modutil_sanitize.c
+--- Linux-PAM-1.3.1/libpam/pam_modutil_sanitize.c.fds-closing	2017-02-10 11:10:15.000000000 +0100
++++ Linux-PAM-1.3.1/libpam/pam_modutil_sanitize.c	2019-10-16 16:07:31.259021159 +0200
+@@ -10,6 +10,7 @@
+ #include <fcntl.h>
+ #include <syslog.h>
+ #include <sys/resource.h>
++#include <dirent.h>
+ 
+ /*
+  * Creates a pipe, closes its write end, redirects fd to its read end.
+@@ -116,27 +117,45 @@ redirect_out(pam_handle_t *pamh, enum pa
+ static void
+ close_fds(void)
+ {
++	DIR *dir = NULL;
++	struct dirent *dent;
++	int dfd = -1;
++	int fd;
++	struct rlimit rlim;
++
+ 	/*
+ 	 * An arbitrary upper limit for the maximum file descriptor number
+ 	 * returned by RLIMIT_NOFILE.
+ 	 */
+-	const int MAX_FD_NO = 65535;
++	const unsigned int MAX_FD_NO = 65535;
+ 
+ 	/* The lower limit is the same as for _POSIX_OPEN_MAX. */
+-	const int MIN_FD_NO = 20;
++	const unsigned int MIN_FD_NO = 20;
+ 
+-	int fd;
+-	struct rlimit rlim;
+-
+-	if (getrlimit(RLIMIT_NOFILE, &rlim) || rlim.rlim_max > MAX_FD_NO)
+-		fd = MAX_FD_NO;
+-	else if (rlim.rlim_max < MIN_FD_NO)
+-		fd = MIN_FD_NO;
+-	else
+-		fd = rlim.rlim_max - 1;
++	/* If /proc is mounted, we can optimize which fd can be closed. */
++	if ((dir = opendir("/proc/self/fd")) != NULL) {
++		if ((dfd = dirfd(dir)) >= 0) {
++			while ((dent = readdir(dir)) != NULL) {
++				fd = atoi(dent->d_name);
++				if (fd > STDERR_FILENO && fd != dfd)
++					close(fd);
++			}
++		}
++		closedir(dir);
++	}
++
++	/* If /proc isn't available, fallback to the previous behavior. */
++	if (dfd < 0) {
++		if (getrlimit(RLIMIT_NOFILE, &rlim) || rlim.rlim_max > MAX_FD_NO)
++			fd = MAX_FD_NO;
++		else if (rlim.rlim_max < MIN_FD_NO)
++			fd = MIN_FD_NO;
++		else
++			fd = rlim.rlim_max - 1;
+ 
+-	for (; fd > STDERR_FILENO; --fd)
+-		close(fd);
++		for (; fd > STDERR_FILENO; --fd)
++			close(fd);
++	}
+ }
+ 
+ int

pam-1.3.1-lastlog-no-showfailed.patch

@@ -0,0 +1,82 @@
+From c426914fa166ffb0482b6f6ad659ddf17d5dfaa1 Mon Sep 17 00:00:00 2001
+From: Nir Soffer <nsoffer@redhat.com>
+Date: Wed, 9 Jan 2019 23:41:16 +0200
+Subject: [PATCH] pam_lastlog: Improve silent option documentation
+
+The silent option explicitly silents only the last login message and not
+bad logins. Add a note to the manual to make this clear.
+
+* modules/pam_lastlog/pam_lastlog.8.xml: Clearify "silent showfailed"
+---
+ modules/pam_lastlog/pam_lastlog.8.xml | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/modules/pam_lastlog/pam_lastlog.8.xml b/modules/pam_lastlog/pam_lastlog.8.xml
+index c8f247e..bc2e1be 100644
+--- a/modules/pam_lastlog/pam_lastlog.8.xml
++++ b/modules/pam_lastlog/pam_lastlog.8.xml
+@@ -102,6 +102,7 @@
+           <para>
+             Don't inform the user about any previous login,
+             just update the <filename>/var/log/lastlog</filename> file.
++            This option does not affect display of bad login attempts.
+           </para>
+         </listitem>
+       </varlistentry>
+-- 
+2.20.1
+
+From 7d036249a9772c546ede1f38ad68b3f1575216d6 Mon Sep 17 00:00:00 2001
+From: Nir Soffer <nsoffer@redhat.com>
+Date: Sun, 6 Jan 2019 00:36:27 +0200
+Subject: [PATCH] pam_lastlog: Respect PAM_SILENT flag
+
+pam_lastlog module will not log info about failed login if the session
+was opened with PAM_SILENT flag.
+
+Example use case enabled by this change:
+
+    sudo --non-interactive program
+
+If this command is run by another program expecting specific output from
+the command run by sudo, the unexpected info about failed logins will
+break this program.
+
+* modules/pam_lastlog/pam_lastlog.c: Respect silent option.
+  (_pam_session_parse): Unset LASTLOG_BTMP if PAM_SILENT is set.
+---
+ modules/pam_lastlog/pam_lastlog.c | 11 ++++++-----
+ 1 file changed, 6 insertions(+), 5 deletions(-)
+
+diff --git a/modules/pam_lastlog/pam_lastlog.c b/modules/pam_lastlog/pam_lastlog.c
+index 18bf7be..e980c04 100644
+--- a/modules/pam_lastlog/pam_lastlog.c
++++ b/modules/pam_lastlog/pam_lastlog.c
+@@ -135,11 +135,6 @@ _pam_session_parse(pam_handle_t *pamh, int flags, int argc, const char **argv)
+ {
+     int ctrl=(LASTLOG_DATE|LASTLOG_HOST|LASTLOG_LINE|LASTLOG_WTMP|LASTLOG_UPDATE);
+ 
+-    /* does the appliction require quiet? */
+-    if (flags & PAM_SILENT) {
+-	ctrl |= LASTLOG_QUIET;
+-    }
+-
+     /* step through arguments */
+     for (; argc-- > 0; ++argv) {
+ 
+@@ -168,6 +163,12 @@ _pam_session_parse(pam_handle_t *pamh, int flags, int argc, const char **argv)
+ 	}
+     }
+ 
++    /* does the appliction require quiet? */
++    if (flags & PAM_SILENT) {
++	ctrl |= LASTLOG_QUIET;
++	ctrl &= ~LASTLOG_BTMP;
++    }
++
+     D(("ctrl = %o", ctrl));
+     return ctrl;
+ }
+-- 
+2.20.1
+

pam-1.3.1-lastlog-unlimited-fsize.patch

@@ -0,0 +1,227 @@
+From 3a3e70739834cd5cbd17469907ef718c81ae40c0 Mon Sep 17 00:00:00 2001
+From: Carlos Santos <casantos@redhat.com>
+Date: Wed, 11 Sep 2019 11:50:28 -0300
+Subject: [PATCH] pam_lastlog: document the 'unlimited' option
+
+Signed-off-by: Carlos Santos <casantos@redhat.com>
+---
+ modules/pam_lastlog/pam_lastlog.8.xml | 18 ++++++++++++++++++
+ 1 file changed, 18 insertions(+)
+
+diff --git a/modules/pam_lastlog/pam_lastlog.8.xml b/modules/pam_lastlog/pam_lastlog.8.xml
+index bc2e1be..f10e94a 100644
+--- a/modules/pam_lastlog/pam_lastlog.8.xml
++++ b/modules/pam_lastlog/pam_lastlog.8.xml
+@@ -48,6 +48,9 @@
+       <arg choice="opt">
+         inactive=&lt;days&gt;
+       </arg>
++      <arg choice="opt">
++        unlimited
++      </arg>
+     </cmdsynopsis>
+   </refsynopsisdiv>
+ 
+@@ -196,6 +199,18 @@
+           </para>
+         </listitem>
+       </varlistentry>
++      <varlistentry>
++        <term>
++          <option>unlimited</option>
++        </term>
++        <listitem>
++          <para>
++	    If the <emphasis>fsize</emphasis> limit is set, this option can be
++	    used to override it, preventing failures on systems with large UID
++	    values that lead lastlog to become a huge sparse file.
++          </para>
++        </listitem>
++      </varlistentry>
+     </variablelist>
+   </refsect1>
+ 
+@@ -300,6 +315,9 @@
+   <refsect1 id='pam_lastlog-see_also'>
+     <title>SEE ALSO</title>
+     <para>
++      <citerefentry>
++	<refentrytitle>limits.conf</refentrytitle><manvolnum>5</manvolnum>
++      </citerefentry>,
+       <citerefentry>
+ 	<refentrytitle>pam.conf</refentrytitle><manvolnum>5</manvolnum>
+       </citerefentry>,
+-- 
+2.20.1
+
+From 9349333a9ae958205294cd25e97fd6b4805bd82b Mon Sep 17 00:00:00 2001
+From: Carlos Santos <casantos@redhat.com>
+Date: Tue, 10 Sep 2019 23:08:30 -0300
+Subject: [PATCH] pam_lastlog: prevent crash due to reduced 'fsize' limit
+
+It a reduced fsize limit is set in /etc/security/limits.conf and
+pam_limits is in use pam_lastlog may cause a crash, e.g.
+
+    ----- begin /etc/pam.d/su ----
+    auth        sufficient   pam_rootok.so
+    auth        required     pam_wheel.so use_uid
+    auth        required     pam_env.so
+    auth        required     pam_unix.so nullok
+    account     required     pam_unix.so
+    password    required     pam_unix.so nullok
+    session     required     pam_limits.so
+    session     required     pam_env.so
+    session     required     pam_unix.so
+    session     optional     pam_lastlog.so
+    ----- end /etc/pam.d/su -----
+
+    ----- begin /etc/security/limits.d/fsize.conf -----
+    * soft fsize 1710
+    * hard fsize 1710
+    ----- end /etc/security/limits.d/fsize.conf -----
+
+    # id user1
+    uid=1000(user1) gid=1000(user1) groups=1000(user1)
+    # su - user1
+    Last login: Wed Sep 11 01:52:44 UTC 2019 on console
+    $ exit
+    # id user2
+    uid=60000(user2) gid=60000(user2) groups=60000(user2)
+    # su - user2
+    File size limit exceeded
+
+This happens because pam_limits sets RLIMIT_FSIZE before pam_lastlog
+attempts to write /var/log/lastlog, leading to a SIGXFSZ signal.
+
+In order to fix this, and an 'unlimited' option, which leads to saving
+the 'fsize' limit and set it to unlimited before writing lastlog. After
+that, restore the saved value. If 'fsize' is already unlimited nothing
+is done.
+
+Failing to set the 'fsize' limit is not a fatal error.  With luck the
+configured limit will suffice, so we try to write lastlog anyway, even
+under the risk of dying due to a SIGXFSZ.
+
+Failing to restore the 'fsize' limit is a fatal error, since we don't
+want to keep it unlimited.
+
+Signed-off-by: Carlos Santos <casantos@redhat.com>
+---
+ modules/pam_lastlog/pam_lastlog.c | 66 ++++++++++++++++++++++++++-----
+ 1 file changed, 57 insertions(+), 9 deletions(-)
+
+diff --git a/modules/pam_lastlog/pam_lastlog.c b/modules/pam_lastlog/pam_lastlog.c
+index e980c04..a135c9f 100644
+--- a/modules/pam_lastlog/pam_lastlog.c
++++ b/modules/pam_lastlog/pam_lastlog.c
+@@ -25,6 +25,8 @@
+ #include <stdio.h>
+ #include <string.h>
+ #include <sys/types.h>
++#include <sys/time.h>
++#include <sys/resource.h>
+ #include <syslog.h>
+ #include <unistd.h>
+ 
+@@ -82,15 +84,16 @@ struct lastlog {
+ 
+ /* argument parsing */
+ 
+-#define LASTLOG_DATE        01  /* display the date of the last login */
+-#define LASTLOG_HOST        02  /* display the last host used (if set) */
+-#define LASTLOG_LINE        04  /* display the last terminal used */
+-#define LASTLOG_NEVER      010  /* display a welcome message for first login */
+-#define LASTLOG_DEBUG      020  /* send info to syslog(3) */
+-#define LASTLOG_QUIET      040  /* keep quiet about things */
+-#define LASTLOG_WTMP      0100  /* log to wtmp as well as lastlog */
+-#define LASTLOG_BTMP      0200  /* display failed login info from btmp */
+-#define LASTLOG_UPDATE    0400  /* update the lastlog and wtmp files (default) */
++#define LASTLOG_DATE          01  /* display the date of the last login */
++#define LASTLOG_HOST          02  /* display the last host used (if set) */
++#define LASTLOG_LINE          04  /* display the last terminal used */
++#define LASTLOG_NEVER        010  /* display a welcome message for first login */
++#define LASTLOG_DEBUG        020  /* send info to syslog(3) */
++#define LASTLOG_QUIET        040  /* keep quiet about things */
++#define LASTLOG_WTMP        0100  /* log to wtmp as well as lastlog */
++#define LASTLOG_BTMP        0200  /* display failed login info from btmp */
++#define LASTLOG_UPDATE      0400  /* update the lastlog and wtmp files (default) */
++#define LASTLOG_UNLIMITED  01000  /* unlimited file size (ignore 'fsize' limit) */
+ 
+ static int
+ _pam_auth_parse(pam_handle_t *pamh, int flags, int argc, const char **argv,
+@@ -158,6 +161,8 @@ _pam_session_parse(pam_handle_t *pamh, int flags, int argc, const char **argv)
+ 	    ctrl &= ~(LASTLOG_WTMP|LASTLOG_UPDATE);
+ 	} else if (!strcmp(*argv,"showfailed")) {
+ 	    ctrl |= LASTLOG_BTMP;
++	} else if (!strcmp(*argv,"unlimited")) {
++	    ctrl |= LASTLOG_UNLIMITED;
+ 	} else {
+ 	    pam_syslog(pamh, LOG_ERR, "unknown option: %s", *argv);
+ 	}
+@@ -373,6 +378,12 @@ static int
+ last_login_write(pam_handle_t *pamh, int announce, int last_fd,
+ 		 uid_t uid, const char *user)
+ {
++    static struct rlimit no_limit = {
++	RLIM_INFINITY,
++	RLIM_INFINITY
++    };
++    struct rlimit old_limit;
++    int setrlimit_res;
+     struct flock last_lock;
+     struct lastlog last_login;
+     time_t ll_time;
+@@ -427,6 +438,31 @@ last_login_write(pam_handle_t *pamh, int announce, int last_fd,
+         sleep(LASTLOG_IGNORE_LOCK_TIME);
+     }
+ 
++    /*
++     * Failing to set the 'fsize' limit is not a fatal error. We try to write
++     * lastlog anyway, under the risk of dying due to a SIGXFSZ.
++     */
++    D(("setting limit for 'fsize'"));
++
++    if ((announce & LASTLOG_UNLIMITED) == 0) {    /* don't set to unlimted */
++	setrlimit_res = -1;
++    } else if (getrlimit(RLIMIT_FSIZE, &old_limit) == 0) {
++	if (old_limit.rlim_cur == RLIM_INFINITY) {    /* already unlimited */
++	    setrlimit_res = -1;
++	} else {
++	    setrlimit_res = setrlimit(RLIMIT_FSIZE, &no_limit);
++	    if (setrlimit_res != 0)
++		pam_syslog(pamh, LOG_WARNING, "Could not set limit for 'fsize': %m");
++	}
++    } else {
++	setrlimit_res = -1;
++	if (errno == EINVAL) {
++	    pam_syslog(pamh, LOG_INFO, "Limit for 'fsize' not supported: %m");
++	} else {
++	    pam_syslog(pamh, LOG_WARNING, "Could not get limit for 'fsize': %m");
++	}
++    }
++
+     D(("writing to the lastlog file"));
+     if (pam_modutil_write (last_fd, (char *) &last_login,
+ 			   sizeof (last_login)) != sizeof(last_login)) {
+@@ -434,6 +470,18 @@ last_login_write(pam_handle_t *pamh, int announce, int last_fd,
+ 	retval = PAM_SERVICE_ERR;
+     }
+ 
++    /*
++     * Failing to restore the 'fsize' limit is a fatal error.
++     */
++    D(("restoring limit for 'fsize'"));
++    if (setrlimit_res == 0) {
++	setrlimit_res = setrlimit(RLIMIT_FSIZE, &old_limit);
++	if (setrlimit_res != 0) {
++	    pam_syslog(pamh, LOG_ERR, "Could not restore limit for 'fsize': %m");
++	    retval = PAM_SERVICE_ERR;
++	}
++    }
++
+     last_lock.l_type = F_UNLCK;
+     (void) fcntl(last_fd, F_SETLK, &last_lock);        /* unlock */
+     D(("unlocked"));
+-- 
+2.20.1
+

pam-1.3.1-namespace-mntopts.patch

@@ -0,0 +1,136 @@
+diff --git a/modules/pam_namespace/namespace.conf.5.xml b/modules/pam_namespace/namespace.conf.5.xml
+index c7698cb..a94b49e 100644
+--- a/modules/pam_namespace/namespace.conf.5.xml
++++ b/modules/pam_namespace/namespace.conf.5.xml
+@@ -122,9 +122,14 @@
+     <para><emphasis>mntopts</emphasis>=<replaceable>value</replaceable>
+       - value of this flag is passed to the mount call when the tmpfs mount is
+       done. It allows for example the specification of the maximum size of the
+-      tmpfs instance that is created by the mount call. See <citerefentry>
+-      <refentrytitle>mount</refentrytitle><manvolnum>8</manvolnum>
+-      </citerefentry> for details.
++      tmpfs instance that is created by the mount call. In addition to
++      options specified in the <citerefentry>
++      <refentrytitle>tmpfs</refentrytitle><manvolnum>5</manvolnum>
++      </citerefentry> manual the <emphasis>nosuid</emphasis>,
++      <emphasis>noexec</emphasis>, and <emphasis>nodev</emphasis> flags
++      can be used to respectively disable setuid bit effect, disable running
++      executables, and disable devices to be interpreted on the mounted
++      tmpfs filesystem.
+     </para>
+ 
+     <para>
+diff --git a/modules/pam_namespace/pam_namespace.c b/modules/pam_namespace/pam_namespace.c
+index f541f89..0fd59fb 100644
+--- a/modules/pam_namespace/pam_namespace.c
++++ b/modules/pam_namespace/pam_namespace.c
+@@ -230,6 +230,78 @@ static int parse_iscript_params(char *params, struct polydir_s *poly)
+     return 0;
+ }
+ 
++struct mntflag {
++    const char *name;
++    size_t size;
++    unsigned long flag;
++};
++
++#define LITERAL_AND_SIZE(x) x, sizeof(x)
++
++static const struct mntflag mntflags[] = {
++	{ LITERAL_AND_SIZE("noexec"), MS_NOEXEC },
++	{ LITERAL_AND_SIZE("nosuid"), MS_NOSUID },
++	{ LITERAL_AND_SIZE("nodev"), MS_NODEV }
++    };
++
++static int filter_mntopts(const char *opts, char **filtered,
++		unsigned long *mountflags)
++{
++    size_t origlen = strlen(opts);
++    const char *end;
++    char *dest;
++
++    *filtered = NULL;
++    *mountflags = 0;
++
++    if (origlen == 0)
++	return 0;
++
++    dest = *filtered = calloc(1, origlen);
++    if (*filtered == NULL)
++	return -1;
++
++    do {
++	size_t len;
++	int i;
++
++	end = strchr(opts, ',');
++	if (end == NULL) {
++	    len = strlen(opts);
++	} else {
++	    len = end - opts;
++	}
++
++	for (i = 0; i < (int)(sizeof(mntflags)/sizeof(mntflags[0])); i++) {
++	    if (mntflags[i].size - 1 != len)
++		continue;
++	    if (strncmp(mntflags[i].name, opts, len) == 0) {
++		*mountflags |= mntflags[i].flag;
++		opts = end;
++		break;
++	    }
++	}
++
++	if (opts != end) {
++	    if (dest != *filtered) {
++		*dest = ',';
++		++dest;
++	    }
++	    strncpy(dest, opts, len);
++	    dest += len;
++	}
++
++	opts = end + 1;
++    } while (end != NULL);
++
++    if (dest == *filtered) {
++	/* nothing left */
++	free(dest);
++	*filtered = NULL;
++    }
++    return 0;
++}
++
+ static int parse_method(char *method, struct polydir_s *poly,
+ 		struct instance_data *idata)
+ {
+@@ -289,7 +361,8 @@ static int parse_method(char *method, struct polydir_s *poly,
+ 					break;
+ 				}
+ 				free(poly->mount_opts); /* if duplicate mntopts specified */
+-				if ((poly->mount_opts = strdup(flag+namelen+1)) == NULL) {
++				poly->mount_opts = NULL;
++				if (filter_mntopts(flag+namelen+1, &poly->mount_opts, &poly->mount_flags) != 0) {
+ 					pam_syslog(idata->pamh, LOG_CRIT, "Memory allocation error");
+ 					return -1;
+ 				}
+@@ -1484,7 +1557,7 @@ static int ns_setup(struct polydir_s *polyptr,
+     }
+ 
+     if (polyptr->method == TMPFS) {
+-	if (mount("tmpfs", polyptr->dir, "tmpfs", 0, polyptr->mount_opts) < 0) {
++	if (mount("tmpfs", polyptr->dir, "tmpfs", polyptr->mount_flags, polyptr->mount_opts) < 0) {
+ 	    pam_syslog(idata->pamh, LOG_ERR, "Error mounting tmpfs on %s, %m",
+ 		polyptr->dir);
+             return PAM_SESSION_ERR;
+diff --git a/modules/pam_namespace/pam_namespace.h b/modules/pam_namespace/pam_namespace.h
+index 47ebcc3..1522386 100644
+--- a/modules/pam_namespace/pam_namespace.h
++++ b/modules/pam_namespace/pam_namespace.h
+@@ -166,6 +166,7 @@ struct polydir_s {
+     unsigned int flags;			/* polydir flags */
+     char *init_script;			/* path to init script */
+     char *mount_opts;			/* mount options for tmpfs mount */
++    unsigned long mount_flags;		/* mount flags for tmpfs mount */
+     uid_t owner;			/* user which should own the polydir */
+     gid_t group;			/* group which should own the polydir */
+     mode_t mode;			/* mode of the polydir */

pam-1.3.1-tty-audit-manfix.patch

@@ -0,0 +1,33 @@
+From e31dd6c7d0faa7a06d3ebd50a0b6957b9f822d15 Mon Sep 17 00:00:00 2001
+From: Tomas Mraz <tmraz@fedoraproject.org>
+Date: Wed, 7 Aug 2019 18:13:57 +0200
+Subject: [PATCH] pam_tty_audit: Manual page clarification about password
+ logging
+
+* modules/pam_tty_audit/pam_tty_audit.8.xml: Explanation why passwords
+can be sometimes logged even when the option is not set.
+---
+ modules/pam_tty_audit/pam_tty_audit.8.xml | 7 +++++++
+ 1 file changed, 7 insertions(+)
+
+diff --git a/modules/pam_tty_audit/pam_tty_audit.8.xml b/modules/pam_tty_audit/pam_tty_audit.8.xml
+index 59a3406..e346c68 100644
+--- a/modules/pam_tty_audit/pam_tty_audit.8.xml
++++ b/modules/pam_tty_audit/pam_tty_audit.8.xml
+@@ -149,6 +149,13 @@
+       greater than or equal to <replaceable>min_uid</replaceable> will be
+       matched.
+     </para>
++    <para>
++      Please note that passwords in some circumstances may be logged by TTY auditing
++      even if the <option>log_passwd</option> is not used. For example, all input to
++      an ssh session will be logged - even if there is a password being typed into
++      some software running at the remote host because only the local TTY state
++      affects the local TTY auditing.
++    </para>
+   </refsect1>
+ 
+   <refsect1 id='pam_tty_audit-examples'>
+-- 
+2.20.1
+

pam-1.3.1-unix-improve-logging.patch

@@ -0,0 +1,57 @@
+From a6845905869ccabb5eb802be37241eabec085dc7 Mon Sep 17 00:00:00 2001
+From: Tomas Mraz <tmraz@fedoraproject.org>
+Date: Mon, 14 Oct 2019 16:52:46 +0200
+Subject: [PATCH] pam_unix: Add logging useful for debugging problems
+
+Two messages added about obtaining the username are guarded
+by the debug option as these should not be normally
+logged - they can be useful for debugging but they do not
+indicate any special condition.
+
+The message about authenticating user with blank password is
+still just LOG_DEBUG priority but it is logged unconditionally
+because it is somewhat extraordinary condition to have an user
+with blank password.
+
+* modules/pam_unix/pam_unix_auth.c (pam_sm_authenticate): Replace
+  D() macro calls which are not enabled on production builds with
+  regular pam_syslog() calls.
+---
+ modules/pam_unix/pam_unix_auth.c | 7 ++++---
+ 1 file changed, 4 insertions(+), 3 deletions(-)
+
+diff --git a/modules/pam_unix/pam_unix_auth.c b/modules/pam_unix/pam_unix_auth.c
+index 681e49d..3fca945 100644
+--- a/modules/pam_unix/pam_unix_auth.c
++++ b/modules/pam_unix/pam_unix_auth.c
+@@ -130,15 +130,16 @@ pam_sm_authenticate(pam_handle_t *pamh, int flags, int argc, const char **argv)
+ 			AUTH_RETURN;
+ 		}
+ 		if (on(UNIX_DEBUG, ctrl))
+-			D(("username [%s] obtained", name));
++			pam_syslog(pamh, LOG_DEBUG, "username [%s] obtained", name);
+ 	} else {
+-		D(("trouble reading username"));
+ 		if (retval == PAM_CONV_AGAIN) {
+ 			D(("pam_get_user/conv() function is not ready yet"));
+ 			/* it is safe to resume this function so we translate this
+ 			 * retval to the value that indicates we're happy to resume.
+ 			 */
+ 			retval = PAM_INCOMPLETE;
++		} else if (on(UNIX_DEBUG, ctrl)) {
++			pam_syslog(pamh, LOG_DEBUG, "could not obtain username");
+ 		}
+ 		AUTH_RETURN;
+ 	}
+@@ -146,7 +147,7 @@ pam_sm_authenticate(pam_handle_t *pamh, int flags, int argc, const char **argv)
+ 	/* if this user does not have a password... */
+ 
+ 	if (_unix_blankpasswd(pamh, ctrl, name)) {
+-		D(("user '%s' has blank passwd", name));
++		pam_syslog(pamh, LOG_DEBUG, "user [%s] has blank password; authenticated without it", name);
+ 		name = NULL;
+ 		retval = PAM_SUCCESS;
+ 		AUTH_RETURN;
+-- 
+2.20.1
+

pam.spec

@@ -1,9 +1,9 @@
-%global pam_redhat_version 1.1.0
+%global pam_redhat_version 1.1.1
 
 Summary: An extensible library which provides authentication for applications
 Name: pam
 Version: 1.3.1
-Release: 19%{?dist}
+Release: 20%{?dist}
 # The library is BSD licensed with option to relicense as GPLv2+
 # - this option is redundant as the BSD license allows that anyway.
 # pam_timestamp, pam_loginuid, and pam_console modules are GPLv2+.
@@ -53,6 +53,13 @@ Patch42: pam-1.3.1-motd-multiple-paths.patch
 Patch43: pam-1.3.1-unix-checksalt_syslog.patch
 # https://github.com/linux-pam/linux-pam/commit/d8d11db2cef65da5d2afa7acf21aa9c8cd88abed
 Patch44: pam-1.3.1-unix-fix_checksalt_syslog.patch
+Patch45: pam-1.3.1-namespace-mntopts.patch
+Patch46: pam-1.3.1-lastlog-no-showfailed.patch
+Patch47: pam-1.3.1-lastlog-unlimited-fsize.patch
+Patch48: pam-1.3.1-unix-improve-logging.patch
+Patch49: pam-1.3.1-tty-audit-manfix.patch
+Patch50: pam-1.3.1-fds-closing.patch
+Patch51: pam-1.3.1-authtok-verify-fix.patch
 
 %global _pamlibdir %{_libdir}
 %global _moduledir %{_libdir}/security
@@ -136,6 +143,13 @@ cp %{SOURCE18} .
 %patch42 -p1 -b .multiple-paths
 %patch43 -p1 -b .checksalt_syslog
 %patch44 -p1 -b .fix_checksalt_syslog
+%patch45 -p1 -b .mntopts
+%patch46 -p1 -b .no-showfailed
+%patch47 -p1 -b .unlimited-fsize
+%patch48 -p1 -b .improve-logging
+%patch49 -p1 -b .tty-audit-manfix
+%patch50 -p1 -b .fds-closing
+%patch51 -p1 -b .authtok-verify-fix
 
 autoreconf -i
 
@@ -162,6 +176,9 @@ for readme in modules/pam_*/README ; do
 	cp -f ${readme} doc/txts/README.`dirname ${readme} | sed -e 's|^modules/||'`
 done
 
+rm -rf doc/txts/README.pam_tally*
+rm -rf doc/sag/html/*pam_tally*
+
 # Install the binaries, libraries, and modules.
 make install DESTDIR=$RPM_BUILD_ROOT LDCONFIG=:
 
@@ -186,7 +203,6 @@ install -m 644 %{SOURCE10} $RPM_BUILD_ROOT%{_pamconfdir}/config-util
 install -m 644 %{SOURCE16} $RPM_BUILD_ROOT%{_pamconfdir}/postlogin
 install -m 600 /dev/null $RPM_BUILD_ROOT%{_secconfdir}/opasswd
 install -d -m 755 $RPM_BUILD_ROOT/var/log
-install -m 600 /dev/null $RPM_BUILD_ROOT/var/log/tallylog
 install -d -m 755 $RPM_BUILD_ROOT/var/run/faillock
 install -d -m 755 $RPM_BUILD_ROOT%{_sysconfdir}/motd.d
 install -d -m 755 $RPM_BUILD_ROOT/usr/lib/motd.d
@@ -364,7 +380,6 @@ done
 %config(noreplace) %{_secconfdir}/sepermit.conf
 %dir /var/run/sepermit
 %endif
-%ghost %verify(not md5 size mtime) /var/log/tallylog
 %dir /var/run/faillock
 %dir %{_sysconfdir}/motd.d
 %dir /run/motd.d
@@ -384,6 +399,17 @@ done
 %doc doc/specs/rfc86.0.txt
 
 %changelog
+* Wed Oct 16 2019 Tomáš Mráz <tmraz@redhat.com> 1.3.1-20
+- pam_namespace: Support noexec, nosuid and nodev flags for tmpfs mounts
+- Drop tallylog and pam_tally documentation
+- pam_faillock: Support local_users_only option
+- pam_lastlog: Do not display failed attempts with PAM_SILENT flag
+- pam_lastlog: Support unlimited option to override fsize limit
+- pam_unix: Log if user authenticated without password
+- pam_tty_audit: Improve manual page
+- Optimize closing fds when spawning helpers
+- Fix duplicate password verification in pam_authtok_verify()
+
 * Mon Sep  9 2019 Tomáš Mráz <tmraz@redhat.com> 1.3.1-19
 - pam_faillock: Support configuration file /etc/security/faillock.conf
 

sources

@@ -1,3 +1,3 @@
 SHA512 (Linux-PAM-1.3.1.tar.xz) = 6bc8e2a5b64686f0a23846221c5228c88418ba485b17c53b3a12f91262b5bb73566d6b6a5daa1f63bbae54310aee918b987e44a72ce809b4e7c668f0fadfe08e
 SHA512 (Linux-PAM-1.3.1.tar.xz.asc) = 8b3ad3f4f29fad663e375296dca00f736b3de764f11d7b7aa615d00efe1c702c9060f244967f2d84d8ef3a342c3a1f8eba6dd52847df427bb3ce0ff765a8108a
-SHA512 (pam-redhat-1.1.0.tar.bz2) = deb3d07780dc908bb6284e5449c7a25dcfd173d0edcb2864a5400537714cb276bc7625ccf53a20027a95680e8dc180bf8899b9214bd67616de3087b1eecdad7c
+SHA512 (pam-redhat-1.1.1.tar.bz2) = 45adff01e1a1370c5bcfa539e9eb98337301bf9b63446a433fb4d45b60cd631aae9d6afe0a92e8736836e44f6c7d099f97d26fcea06592ef769481908a82fc43