Multiple fixes and enhancements

pam_namespace: Support noexec, nosuid and nodev flags for tmpfs mounts
Drop tallylog and pam_tally documentation
pam_faillock: Support local_users_only option
pam_lastlog: Do not display failed attempts with PAM_SILENT flag
pam_lastlog: Support unlimited option to override fsize limit
pam_unix: Log if user authenticated without password
pam_tty_audit: Improve manual page
Optimize closing fds when spawning helpers
Fix duplicate password verification in pam_authtok_verify()
Tomas Mraz 2019-10-16 16:35:57 +02:00
parent b0eec480a1
commit a9ef7f8676
9 changed files with 724 additions and 5 deletions


@ -0,0 +1,88 @@
From 27d04a849fd9f9cfd4b35eb80d687817830183df Mon Sep 17 00:00:00 2001
From: Tomas Mraz <tmraz@fedoraproject.org>
Date: Wed, 7 Aug 2019 12:22:55 +0200
Subject: [PATCH] pam_get_authtok_verify: Avoid duplicate password verification
If password was already verified by previous modules in the stack
it does not need to be verified by pam_get_authtok_verify either.
* libpam/pam_get_authtok.c (pam_get_authtok_internal): Set the authtok_verified
appropriately.
(pam_get_authtok_verify): Do not prompt if authtok_verified is set and
set it when the password is verified.
* libpam/pam_private.h: Add authtok_verified to the pam handle struct.
* libpam/pam_start.c (pam_start): Initialize authtok_verified.
---
libpam/pam_get_authtok.c | 10 ++++++++++
libpam/pam_private.h | 1 +
libpam/pam_start.c | 1 +
3 files changed, 12 insertions(+)
diff --git a/libpam/pam_get_authtok.c b/libpam/pam_get_authtok.c
index 800c6e5..99eb25f 100644
--- a/libpam/pam_get_authtok.c
+++ b/libpam/pam_get_authtok.c
@@ -140,6 +140,8 @@ pam_get_authtok_internal (pam_handle_t *pamh, int item,
}
else if (chpass)
{
+ pamh->authtok_verified = 0;
+
retval = pam_prompt (pamh, PAM_PROMPT_ECHO_OFF, &resp[0],
PROMPT1, authtok_type,
strlen (authtok_type) > 0?" ":"");
@@ -184,6 +186,9 @@ pam_get_authtok_internal (pam_handle_t *pamh, int item,
if (retval != PAM_SUCCESS)
return retval;
+ if (chpass > 1)
+ pamh->authtok_verified = 1;
+
return pam_get_item(pamh, item, (const void **)authtok);
}
@@ -214,6 +219,9 @@ pam_get_authtok_verify (pam_handle_t *pamh, const char **authtok,
if (authtok == NULL || pamh->choice != PAM_CHAUTHTOK)
return PAM_SYSTEM_ERR;
+ if (pamh->authtok_verified)
+ return pam_get_item (pamh, PAM_AUTHTOK, (const void **)authtok);
+
if (prompt != NULL)
{
retval = pam_prompt (pamh, PAM_PROMPT_ECHO_OFF, &resp,
@@ -252,5 +260,7 @@ pam_get_authtok_verify (pam_handle_t *pamh, const char **authtok,
if (retval != PAM_SUCCESS)
return retval;
+ pamh->authtok_verified = 1;
+
return pam_get_item(pamh, PAM_AUTHTOK, (const void **)authtok);
}
diff --git a/libpam/pam_private.h b/libpam/pam_private.h
index 7ff9f75..58a26f5 100644
--- a/libpam/pam_private.h
+++ b/libpam/pam_private.h
@@ -172,6 +172,7 @@ struct pam_handle {
#ifdef HAVE_LIBAUDIT
int audit_state; /* keep track of reported audit messages */
#endif
+ int authtok_verified;
};
/* Values for select arg to _pam_dispatch() */
diff --git a/libpam/pam_start.c b/libpam/pam_start.c
index 328416d..e27c64b 100644
--- a/libpam/pam_start.c
+++ b/libpam/pam_start.c
@@ -94,6 +94,7 @@ int pam_start (
#endif
(*pamh)->xdisplay = NULL;
(*pamh)->authtok_type = NULL;
+ (*pamh)->authtok_verified = 0;
memset (&((*pamh)->xauth), 0, sizeof ((*pamh)->xauth));
if (((*pamh)->pam_conversation = (struct pam_conv *)
--
2.20.1
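Review bot: pamh->authtok_verified is cleared only on the chpass prompt path in pam_get_authtok_internal (the added `pamh->authtok_verified = 0;`) and never when the PAM_AUTHTOK item itself is replaced, so if a module stores a fresh token with pam_set_item() after a verification has succeeded, pam_get_authtok_verify() will hand back that unverified token without prompting; the flag should be cleared wherever the PAM_AUTHTOK item is written, or the invariant at least documented. The new field in pam_private.h also lacks the comment its neighbours carry; suggest `int authtok_verified; /* set once the PAM_AUTHTOK item has been verified; pam_get_authtok_verify() returns it without prompting while set */`. Both pam_get_authtok_internal and pam_get_authtok_verify begin and end outside the hunks shown.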


@ -0,0 +1,70 @@
diff -up Linux-PAM-1.3.1/libpam/pam_modutil_sanitize.c.fds-closing Linux-PAM-1.3.1/libpam/pam_modutil_sanitize.c
--- Linux-PAM-1.3.1/libpam/pam_modutil_sanitize.c.fds-closing 2017-02-10 11:10:15.000000000 +0100
+++ Linux-PAM-1.3.1/libpam/pam_modutil_sanitize.c 2019-10-16 16:07:31.259021159 +0200
@@ -10,6 +10,7 @@
#include <fcntl.h>
#include <syslog.h>
#include <sys/resource.h>
+#include <dirent.h>
/*
* Creates a pipe, closes its write end, redirects fd to its read end.
@@ -116,27 +117,45 @@ redirect_out(pam_handle_t *pamh, enum pa
static void
close_fds(void)
{
+ DIR *dir = NULL;
+ struct dirent *dent;
+ int dfd = -1;
+ int fd;
+ struct rlimit rlim;
+
/*
* An arbitrary upper limit for the maximum file descriptor number
* returned by RLIMIT_NOFILE.
*/
- const int MAX_FD_NO = 65535;
+ const unsigned int MAX_FD_NO = 65535;
/* The lower limit is the same as for _POSIX_OPEN_MAX. */
- const int MIN_FD_NO = 20;
+ const unsigned int MIN_FD_NO = 20;
- int fd;
- struct rlimit rlim;
-
- if (getrlimit(RLIMIT_NOFILE, &rlim) || rlim.rlim_max > MAX_FD_NO)
- fd = MAX_FD_NO;
- else if (rlim.rlim_max < MIN_FD_NO)
- fd = MIN_FD_NO;
- else
- fd = rlim.rlim_max - 1;
+ /* If /proc is mounted, we can optimize which fd can be closed. */
+ if ((dir = opendir("/proc/self/fd")) != NULL) {
+ if ((dfd = dirfd(dir)) >= 0) {
+ while ((dent = readdir(dir)) != NULL) {
+ fd = atoi(dent->d_name);
+ if (fd > STDERR_FILENO && fd != dfd)
+ close(fd);
+ }
+ }
+ closedir(dir);
+ }
+
+ /* If /proc isn't available, fallback to the previous behavior. */
+ if (dfd < 0) {
+ if (getrlimit(RLIMIT_NOFILE, &rlim) || rlim.rlim_max > MAX_FD_NO)
+ fd = MAX_FD_NO;
+ else if (rlim.rlim_max < MIN_FD_NO)
+ fd = MIN_FD_NO;
+ else
+ fd = rlim.rlim_max - 1;
- for (; fd > STDERR_FILENO; --fd)
- close(fd);
+ for (; fd > STDERR_FILENO; --fd)
+ close(fd);
+ }
}
int
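Review bot: close_fds() now calls opendir()/readdir()/closedir(), which allocate with malloc; if this runs in the child between fork() and exec() of a multithreaded caller — which the "spawning helpers" purpose suggests, though the caller is not shown — that is not async-signal-safe and can deadlock on a heap lock held by another parent thread at fork time, whereas the getrlimit() loop it replaces was safe there. If that path is possible, an open(O_RDONLY|O_DIRECTORY) plus getdents64() loop, or at minimum a comment stating the single-threaded requirement on the caller, would be appropriate. Separately, `atoi(dent->d_name)` silently maps non-numeric entries such as `.` and `..` to 0, which the `fd > STDERR_FILENO` test happens to skip; `strtol()` with an end-pointer check would make that intent explicit rather than incidental.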


@ -0,0 +1,82 @@
From c426914fa166ffb0482b6f6ad659ddf17d5dfaa1 Mon Sep 17 00:00:00 2001
From: Nir Soffer <nsoffer@redhat.com>
Date: Wed, 9 Jan 2019 23:41:16 +0200
Subject: [PATCH] pam_lastlog: Improve silent option documentation
The silent option explicitly silents only the last login message and not
bad logins. Add a note to the manual to make this clear.
* modules/pam_lastlog/pam_lastlog.8.xml: Clearify "silent showfailed"
---
modules/pam_lastlog/pam_lastlog.8.xml | 1 +
1 file changed, 1 insertion(+)
diff --git a/modules/pam_lastlog/pam_lastlog.8.xml b/modules/pam_lastlog/pam_lastlog.8.xml
index c8f247e..bc2e1be 100644
--- a/modules/pam_lastlog/pam_lastlog.8.xml
+++ b/modules/pam_lastlog/pam_lastlog.8.xml
@@ -102,6 +102,7 @@
<para>
Don't inform the user about any previous login,
just update the <filename>/var/log/lastlog</filename> file.
+ This option does not affect display of bad login attempts.
</para>
</listitem>
</varlistentry>
--
2.20.1
From 7d036249a9772c546ede1f38ad68b3f1575216d6 Mon Sep 17 00:00:00 2001
From: Nir Soffer <nsoffer@redhat.com>
Date: Sun, 6 Jan 2019 00:36:27 +0200
Subject: [PATCH] pam_lastlog: Respect PAM_SILENT flag
pam_lastlog module will not log info about failed login if the session
was opened with PAM_SILENT flag.
Example use case enabled by this change:
sudo --non-interactive program
If this command is run by another program expecting specific output from
the command run by sudo, the unexpected info about failed logins will
break this program.
* modules/pam_lastlog/pam_lastlog.c: Respect silent option.
(_pam_session_parse): Unset LASTLOG_BTMP if PAM_SILENT is set.
---
modules/pam_lastlog/pam_lastlog.c | 11 ++++++-----
1 file changed, 6 insertions(+), 5 deletions(-)
diff --git a/modules/pam_lastlog/pam_lastlog.c b/modules/pam_lastlog/pam_lastlog.c
index 18bf7be..e980c04 100644
--- a/modules/pam_lastlog/pam_lastlog.c
+++ b/modules/pam_lastlog/pam_lastlog.c
@@ -135,11 +135,6 @@ _pam_session_parse(pam_handle_t *pamh, int flags, int argc, const char **argv)
{
int ctrl=(LASTLOG_DATE|LASTLOG_HOST|LASTLOG_LINE|LASTLOG_WTMP|LASTLOG_UPDATE);
- /* does the appliction require quiet? */
- if (flags & PAM_SILENT) {
- ctrl |= LASTLOG_QUIET;
- }
-
/* step through arguments */
for (; argc-- > 0; ++argv) {
@@ -168,6 +163,12 @@ _pam_session_parse(pam_handle_t *pamh, int flags, int argc, const char **argv)
}
}
+ /* does the appliction require quiet? */
+ if (flags & PAM_SILENT) {
+ ctrl |= LASTLOG_QUIET;
+ ctrl &= ~LASTLOG_BTMP;
+ }
+
D(("ctrl = %o", ctrl));
return ctrl;
}
--
2.20.1
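Review bot: moving the PAM_SILENT check after the argument loop means the application flag now overrides an explicit `showfailed` option (`ctrl &= ~LASTLOG_BTMP`), yet the only documentation touched is the note on the module's own `silent` option, which says the opposite about bad logins; the pam_lastlog.8.xml entry for `showfailed` should state that the failed-login report is also suppressed when the application passes PAM_SILENT. The relocated comment carries the old typo; while moving it, `/* does the application require quiet? */`. The body of _pam_session_parse() between the two hunks is not shown.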


@ -0,0 +1,227 @@
From 3a3e70739834cd5cbd17469907ef718c81ae40c0 Mon Sep 17 00:00:00 2001
From: Carlos Santos <casantos@redhat.com>
Date: Wed, 11 Sep 2019 11:50:28 -0300
Subject: [PATCH] pam_lastlog: document the 'unlimited' option
Signed-off-by: Carlos Santos <casantos@redhat.com>
---
modules/pam_lastlog/pam_lastlog.8.xml | 18 ++++++++++++++++++
1 file changed, 18 insertions(+)
diff --git a/modules/pam_lastlog/pam_lastlog.8.xml b/modules/pam_lastlog/pam_lastlog.8.xml
index bc2e1be..f10e94a 100644
--- a/modules/pam_lastlog/pam_lastlog.8.xml
+++ b/modules/pam_lastlog/pam_lastlog.8.xml
@@ -48,6 +48,9 @@
<arg choice="opt">
inactive=&lt;days&gt;
</arg>
+ <arg choice="opt">
+ unlimited
+ </arg>
</cmdsynopsis>
</refsynopsisdiv>
@@ -196,6 +199,18 @@
</para>
</listitem>
</varlistentry>
+ <varlistentry>
+ <term>
+ <option>unlimited</option>
+ </term>
+ <listitem>
+ <para>
+ If the <emphasis>fsize</emphasis> limit is set, this option can be
+ used to override it, preventing failures on systems with large UID
+ values that lead lastlog to become a huge sparse file.
+ </para>
+ </listitem>
+ </varlistentry>
</variablelist>
</refsect1>
@@ -300,6 +315,9 @@
<refsect1 id='pam_lastlog-see_also'>
<title>SEE ALSO</title>
<para>
+ <citerefentry>
+ <refentrytitle>limits.conf</refentrytitle><manvolnum>5</manvolnum>
+ </citerefentry>,
<citerefentry>
<refentrytitle>pam.conf</refentrytitle><manvolnum>5</manvolnum>
</citerefentry>,
--
2.20.1
From 9349333a9ae958205294cd25e97fd6b4805bd82b Mon Sep 17 00:00:00 2001
From: Carlos Santos <casantos@redhat.com>
Date: Tue, 10 Sep 2019 23:08:30 -0300
Subject: [PATCH] pam_lastlog: prevent crash due to reduced 'fsize' limit
It a reduced fsize limit is set in /etc/security/limits.conf and
pam_limits is in use pam_lastlog may cause a crash, e.g.
----- begin /etc/pam.d/su ----
auth sufficient pam_rootok.so
auth required pam_wheel.so use_uid
auth required pam_env.so
auth required pam_unix.so nullok
account required pam_unix.so
password required pam_unix.so nullok
session required pam_limits.so
session required pam_env.so
session required pam_unix.so
session optional pam_lastlog.so
----- end /etc/pam.d/su -----
----- begin /etc/security/limits.d/fsize.conf -----
* soft fsize 1710
* hard fsize 1710
----- end /etc/security/limits.d/fsize.conf -----
# id user1
uid=1000(user1) gid=1000(user1) groups=1000(user1)
# su - user1
Last login: Wed Sep 11 01:52:44 UTC 2019 on console
$ exit
# id user2
uid=60000(user2) gid=60000(user2) groups=60000(user2)
# su - user2
File size limit exceeded
This happens because pam_limits sets RLIMIT_FSIZE before pam_lastlog
attempts to write /var/log/lastlog, leading to a SIGXFSZ signal.
In order to fix this, and an 'unlimited' option, which leads to saving
the 'fsize' limit and set it to unlimited before writing lastlog. After
that, restore the saved value. If 'fsize' is already unlimited nothing
is done.
Failing to set the 'fsize' limit is not a fatal error. With luck the
configured limit will suffice, so we try to write lastlog anyway, even
under the risk of dying due to a SIGXFSZ.
Failing to restore the 'fsize' limit is a fatal error, since we don't
want to keep it unlimited.
Signed-off-by: Carlos Santos <casantos@redhat.com>
---
modules/pam_lastlog/pam_lastlog.c | 66 ++++++++++++++++++++++++++-----
1 file changed, 57 insertions(+), 9 deletions(-)
diff --git a/modules/pam_lastlog/pam_lastlog.c b/modules/pam_lastlog/pam_lastlog.c
index e980c04..a135c9f 100644
--- a/modules/pam_lastlog/pam_lastlog.c
+++ b/modules/pam_lastlog/pam_lastlog.c
@@ -25,6 +25,8 @@
#include <stdio.h>
#include <string.h>
#include <sys/types.h>
+#include <sys/time.h>
+#include <sys/resource.h>
#include <syslog.h>
#include <unistd.h>
@@ -82,15 +84,16 @@ struct lastlog {
/* argument parsing */
-#define LASTLOG_DATE 01 /* display the date of the last login */
-#define LASTLOG_HOST 02 /* display the last host used (if set) */
-#define LASTLOG_LINE 04 /* display the last terminal used */
-#define LASTLOG_NEVER 010 /* display a welcome message for first login */
-#define LASTLOG_DEBUG 020 /* send info to syslog(3) */
-#define LASTLOG_QUIET 040 /* keep quiet about things */
-#define LASTLOG_WTMP 0100 /* log to wtmp as well as lastlog */
-#define LASTLOG_BTMP 0200 /* display failed login info from btmp */
-#define LASTLOG_UPDATE 0400 /* update the lastlog and wtmp files (default) */
+#define LASTLOG_DATE 01 /* display the date of the last login */
+#define LASTLOG_HOST 02 /* display the last host used (if set) */
+#define LASTLOG_LINE 04 /* display the last terminal used */
+#define LASTLOG_NEVER 010 /* display a welcome message for first login */
+#define LASTLOG_DEBUG 020 /* send info to syslog(3) */
+#define LASTLOG_QUIET 040 /* keep quiet about things */
+#define LASTLOG_WTMP 0100 /* log to wtmp as well as lastlog */
+#define LASTLOG_BTMP 0200 /* display failed login info from btmp */
+#define LASTLOG_UPDATE 0400 /* update the lastlog and wtmp files (default) */
+#define LASTLOG_UNLIMITED 01000 /* unlimited file size (ignore 'fsize' limit) */
static int
_pam_auth_parse(pam_handle_t *pamh, int flags, int argc, const char **argv,
@@ -158,6 +161,8 @@ _pam_session_parse(pam_handle_t *pamh, int flags, int argc, const char **argv)
ctrl &= ~(LASTLOG_WTMP|LASTLOG_UPDATE);
} else if (!strcmp(*argv,"showfailed")) {
ctrl |= LASTLOG_BTMP;
+ } else if (!strcmp(*argv,"unlimited")) {
+ ctrl |= LASTLOG_UNLIMITED;
} else {
pam_syslog(pamh, LOG_ERR, "unknown option: %s", *argv);
}
@@ -373,6 +378,12 @@ static int
last_login_write(pam_handle_t *pamh, int announce, int last_fd,
uid_t uid, const char *user)
{
+ static struct rlimit no_limit = {
+ RLIM_INFINITY,
+ RLIM_INFINITY
+ };
+ struct rlimit old_limit;
+ int setrlimit_res;
struct flock last_lock;
struct lastlog last_login;
time_t ll_time;
@@ -427,6 +438,31 @@ last_login_write(pam_handle_t *pamh, int announce, int last_fd,
sleep(LASTLOG_IGNORE_LOCK_TIME);
}
+ /*
+ * Failing to set the 'fsize' limit is not a fatal error. We try to write
+ * lastlog anyway, under the risk of dying due to a SIGXFSZ.
+ */
+ D(("setting limit for 'fsize'"));
+
+ if ((announce & LASTLOG_UNLIMITED) == 0) { /* don't set to unlimted */
+ setrlimit_res = -1;
+ } else if (getrlimit(RLIMIT_FSIZE, &old_limit) == 0) {
+ if (old_limit.rlim_cur == RLIM_INFINITY) { /* already unlimited */
+ setrlimit_res = -1;
+ } else {
+ setrlimit_res = setrlimit(RLIMIT_FSIZE, &no_limit);
+ if (setrlimit_res != 0)
+ pam_syslog(pamh, LOG_WARNING, "Could not set limit for 'fsize': %m");
+ }
+ } else {
+ setrlimit_res = -1;
+ if (errno == EINVAL) {
+ pam_syslog(pamh, LOG_INFO, "Limit for 'fsize' not supported: %m");
+ } else {
+ pam_syslog(pamh, LOG_WARNING, "Could not get limit for 'fsize': %m");
+ }
+ }
+
D(("writing to the lastlog file"));
if (pam_modutil_write (last_fd, (char *) &last_login,
sizeof (last_login)) != sizeof(last_login)) {
@@ -434,6 +470,18 @@ last_login_write(pam_handle_t *pamh, int announce, int last_fd,
retval = PAM_SERVICE_ERR;
}
+ /*
+ * Failing to restore the 'fsize' limit is a fatal error.
+ */
+ D(("restoring limit for 'fsize'"));
+ if (setrlimit_res == 0) {
+ setrlimit_res = setrlimit(RLIMIT_FSIZE, &old_limit);
+ if (setrlimit_res != 0) {
+ pam_syslog(pamh, LOG_ERR, "Could not restore limit for 'fsize': %m");
+ retval = PAM_SERVICE_ERR;
+ }
+ }
+
last_lock.l_type = F_UNLCK;
(void) fcntl(last_fd, F_SETLK, &last_lock); /* unlock */
D(("unlocked"));
--
2.20.1
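Review bot: `no_limit` is declared `static struct rlimit` but is never written, and setrlimit() takes a const pointer, so it should be `static const struct rlimit no_limit = { .rlim_cur = RLIM_INFINITY, .rlim_max = RLIM_INFINITY };` — const keeps it out of writable data and the designated initializer shows which field is which. The comment on the LASTLOG_UNLIMITED test also has a typo (`unlimted`). A comment at the `D(("setting limit for 'fsize'"))` line is worth adding: RLIMIT_FSIZE is process-wide, so the limit is lifted for the whole process (any other threads included) until the restore after the write, which is why a failed restore is treated as fatal. last_login_write() starts before and continues after the hunks shown.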


@ -0,0 +1,136 @@
diff --git a/modules/pam_namespace/namespace.conf.5.xml b/modules/pam_namespace/namespace.conf.5.xml
index c7698cb..a94b49e 100644
--- a/modules/pam_namespace/namespace.conf.5.xml
+++ b/modules/pam_namespace/namespace.conf.5.xml
@@ -122,9 +122,14 @@
<para><emphasis>mntopts</emphasis>=<replaceable>value</replaceable>
- value of this flag is passed to the mount call when the tmpfs mount is
done. It allows for example the specification of the maximum size of the
- tmpfs instance that is created by the mount call. See <citerefentry>
- <refentrytitle>mount</refentrytitle><manvolnum>8</manvolnum>
- </citerefentry> for details.
+ tmpfs instance that is created by the mount call. In addition to
+ options specified in the <citerefentry>
+ <refentrytitle>tmpfs</refentrytitle><manvolnum>5</manvolnum>
+ </citerefentry> manual the <emphasis>nosuid</emphasis>,
+ <emphasis>noexec</emphasis>, and <emphasis>nodev</emphasis> flags
+ can be used to respectively disable setuid bit effect, disable running
+ executables, and disable devices to be interpreted on the mounted
+ tmpfs filesystem.
</para>
<para>
diff --git a/modules/pam_namespace/pam_namespace.c b/modules/pam_namespace/pam_namespace.c
index f541f89..0fd59fb 100644
--- a/modules/pam_namespace/pam_namespace.c
+++ b/modules/pam_namespace/pam_namespace.c
@@ -230,6 +230,78 @@ static int parse_iscript_params(char *params, struct polydir_s *poly)
return 0;
}
+struct mntflag {
+ const char *name;
+ size_t size;
+ unsigned long flag;
+};
+
+#define LITERAL_AND_SIZE(x) x, sizeof(x)
+
+static const struct mntflag mntflags[] = {
+ { LITERAL_AND_SIZE("noexec"), MS_NOEXEC },
+ { LITERAL_AND_SIZE("nosuid"), MS_NOSUID },
+ { LITERAL_AND_SIZE("nodev"), MS_NODEV }
+ };
+
+static int filter_mntopts(const char *opts, char **filtered,
+ unsigned long *mountflags)
+{
+ size_t origlen = strlen(opts);
+ const char *end;
+ char *dest;
+
+ *filtered = NULL;
+ *mountflags = 0;
+
+ if (origlen == 0)
+ return 0;
+
+ dest = *filtered = calloc(1, origlen);
+ if (*filtered == NULL)
+ return -1;
+
+ do {
+ size_t len;
+ int i;
+
+ end = strchr(opts, ',');
+ if (end == NULL) {
+ len = strlen(opts);
+ } else {
+ len = end - opts;
+ }
+
+ for (i = 0; i < (int)(sizeof(mntflags)/sizeof(mntflags[0])); i++) {
+ if (mntflags[i].size - 1 != len)
+ continue;
+ if (strncmp(mntflags[i].name, opts, len) == 0) {
+ *mountflags |= mntflags[i].flag;
+ opts = end;
+ break;
+ }
+ }
+
+ if (opts != end) {
+ if (dest != *filtered) {
+ *dest = ',';
+ ++dest;
+ }
+ strncpy(dest, opts, len);
+ dest += len;
+ }
+
+ opts = end + 1;
+ } while (end != NULL);
+
+ if (dest == *filtered) {
+ /* nothing left */
+ free(dest);
+ *filtered = NULL;
+ }
+ return 0;
+}
+
static int parse_method(char *method, struct polydir_s *poly,
struct instance_data *idata)
{
@@ -289,7 +361,8 @@ static int parse_method(char *method, struct polydir_s *poly,
break;
}
free(poly->mount_opts); /* if duplicate mntopts specified */
- if ((poly->mount_opts = strdup(flag+namelen+1)) == NULL) {
+ poly->mount_opts = NULL;
+ if (filter_mntopts(flag+namelen+1, &poly->mount_opts, &poly->mount_flags) != 0) {
pam_syslog(idata->pamh, LOG_CRIT, "Memory allocation error");
return -1;
}
@@ -1484,7 +1557,7 @@ static int ns_setup(struct polydir_s *polyptr,
}
if (polyptr->method == TMPFS) {
- if (mount("tmpfs", polyptr->dir, "tmpfs", 0, polyptr->mount_opts) < 0) {
+ if (mount("tmpfs", polyptr->dir, "tmpfs", polyptr->mount_flags, polyptr->mount_opts) < 0) {
pam_syslog(idata->pamh, LOG_ERR, "Error mounting tmpfs on %s, %m",
polyptr->dir);
return PAM_SESSION_ERR;
diff --git a/modules/pam_namespace/pam_namespace.h b/modules/pam_namespace/pam_namespace.h
index 47ebcc3..1522386 100644
--- a/modules/pam_namespace/pam_namespace.h
+++ b/modules/pam_namespace/pam_namespace.h
@@ -166,6 +166,7 @@ struct polydir_s {
unsigned int flags; /* polydir flags */
char *init_script; /* path to init script */
char *mount_opts; /* mount options for tmpfs mount */
+ unsigned long mount_flags; /* mount flags for tmpfs mount */
uid_t owner; /* user which should own the polydir */
gid_t group; /* group which should own the polydir */
mode_t mode; /* mode of the polydir */
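Review bot: filter_mntopts() allocates `calloc(1, origlen)` yet can copy all origlen bytes into it — when no token matches the mntflags table (a plain size option, for instance) the comma-joined output is exactly origlen characters, leaving no room for the terminating NUL, so the string handed to mount() through poly->mount_opts runs past the allocation; the fix is `dest = *filtered = calloc(1, origlen + 1);`. The loop also computes `opts = end + 1` while `end` is NULL before the `while (end != NULL)` test stops it, which is pointer arithmetic on a null pointer; an explicit `if (end == NULL) break;` ahead of that assignment avoids it. With a zero-filled buffer and a known length, `memcpy(dest, opts, len)` states the intent more plainly than strncpy(). parse_method() and ns_setup() extend beyond the hunks shown.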


@ -0,0 +1,33 @@
From e31dd6c7d0faa7a06d3ebd50a0b6957b9f822d15 Mon Sep 17 00:00:00 2001
From: Tomas Mraz <tmraz@fedoraproject.org>
Date: Wed, 7 Aug 2019 18:13:57 +0200
Subject: [PATCH] pam_tty_audit: Manual page clarification about password
logging
* modules/pam_tty_audit/pam_tty_audit.8.xml: Explanation why passwords
can be sometimes logged even when the option is not set.
---
modules/pam_tty_audit/pam_tty_audit.8.xml | 7 +++++++
1 file changed, 7 insertions(+)
diff --git a/modules/pam_tty_audit/pam_tty_audit.8.xml b/modules/pam_tty_audit/pam_tty_audit.8.xml
index 59a3406..e346c68 100644
--- a/modules/pam_tty_audit/pam_tty_audit.8.xml
+++ b/modules/pam_tty_audit/pam_tty_audit.8.xml
@@ -149,6 +149,13 @@
greater than or equal to <replaceable>min_uid</replaceable> will be
matched.
</para>
+ <para>
+ Please note that passwords in some circumstances may be logged by TTY auditing
+ even if the <option>log_passwd</option> is not used. For example, all input to
+ an ssh session will be logged - even if there is a password being typed into
+ some software running at the remote host because only the local TTY state
+ affects the local TTY auditing.
+ </para>
</refsect1>
<refsect1 id='pam_tty_audit-examples'>
--
2.20.1


@ -0,0 +1,57 @@
From a6845905869ccabb5eb802be37241eabec085dc7 Mon Sep 17 00:00:00 2001
From: Tomas Mraz <tmraz@fedoraproject.org>
Date: Mon, 14 Oct 2019 16:52:46 +0200
Subject: [PATCH] pam_unix: Add logging useful for debugging problems
Two messages added about obtaining the username are guarded
by the debug option as these should not be normally
logged - they can be useful for debugging but they do not
indicate any special condition.
The message about authenticating user with blank password is
still just LOG_DEBUG priority but it is logged unconditionally
because it is somewhat extraordinary condition to have an user
with blank password.
* modules/pam_unix/pam_unix_auth.c (pam_sm_authenticate): Replace
D() macro calls which are not enabled on production builds with
regular pam_syslog() calls.
---
modules/pam_unix/pam_unix_auth.c | 7 ++++---
1 file changed, 4 insertions(+), 3 deletions(-)
diff --git a/modules/pam_unix/pam_unix_auth.c b/modules/pam_unix/pam_unix_auth.c
index 681e49d..3fca945 100644
--- a/modules/pam_unix/pam_unix_auth.c
+++ b/modules/pam_unix/pam_unix_auth.c
@@ -130,15 +130,16 @@ pam_sm_authenticate(pam_handle_t *pamh, int flags, int argc, const char **argv)
AUTH_RETURN;
}
if (on(UNIX_DEBUG, ctrl))
- D(("username [%s] obtained", name));
+ pam_syslog(pamh, LOG_DEBUG, "username [%s] obtained", name);
} else {
- D(("trouble reading username"));
if (retval == PAM_CONV_AGAIN) {
D(("pam_get_user/conv() function is not ready yet"));
/* it is safe to resume this function so we translate this
* retval to the value that indicates we're happy to resume.
*/
retval = PAM_INCOMPLETE;
+ } else if (on(UNIX_DEBUG, ctrl)) {
+ pam_syslog(pamh, LOG_DEBUG, "could not obtain username");
}
AUTH_RETURN;
}
@@ -146,7 +147,7 @@ pam_sm_authenticate(pam_handle_t *pamh, int flags, int argc, const char **argv)
/* if this user does not have a password... */
if (_unix_blankpasswd(pamh, ctrl, name)) {
- D(("user '%s' has blank passwd", name));
+ pam_syslog(pamh, LOG_DEBUG, "user [%s] has blank password; authenticated without it", name);
name = NULL;
retval = PAM_SUCCESS;
AUTH_RETURN;
--
2.20.1
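Review bot: the new unconditional `pam_syslog(pamh, LOG_DEBUG, "user [%s] has blank password; authenticated without it", name)` records a successful authentication with no credential at LOG_DEBUG, a priority many syslog configurations discard, so the event the commit message itself calls extraordinary is likely to be invisible to operators. LOG_INFO would match its significance without being alarming: `pam_syslog(pamh, LOG_INFO, "user [%s] has blank password; authenticated without it", name);`. The two username messages are correctly guarded by the debug option. pam_sm_authenticate() continues outside the hunks shown.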


@ -1,9 +1,9 @@
%global pam_redhat_version 1.1.0
%global pam_redhat_version 1.1.1
Summary: An extensible library which provides authentication for applications
Name: pam
Version: 1.3.1
Release: 19%{?dist}
Release: 20%{?dist}
# The library is BSD licensed with option to relicense as GPLv2+
# - this option is redundant as the BSD license allows that anyway.
# pam_timestamp, pam_loginuid, and pam_console modules are GPLv2+.
@ -53,6 +53,13 @@ Patch42: pam-1.3.1-motd-multiple-paths.patch
Patch43: pam-1.3.1-unix-checksalt_syslog.patch
# https://github.com/linux-pam/linux-pam/commit/d8d11db2cef65da5d2afa7acf21aa9c8cd88abed
Patch44: pam-1.3.1-unix-fix_checksalt_syslog.patch
Patch45: pam-1.3.1-namespace-mntopts.patch
Patch46: pam-1.3.1-lastlog-no-showfailed.patch
Patch47: pam-1.3.1-lastlog-unlimited-fsize.patch
Patch48: pam-1.3.1-unix-improve-logging.patch
Patch49: pam-1.3.1-tty-audit-manfix.patch
Patch50: pam-1.3.1-fds-closing.patch
Patch51: pam-1.3.1-authtok-verify-fix.patch
%global _pamlibdir %{_libdir}
%global _moduledir %{_libdir}/security
@ -136,6 +143,13 @@ cp %{SOURCE18} .
%patch42 -p1 -b .multiple-paths
%patch43 -p1 -b .checksalt_syslog
%patch44 -p1 -b .fix_checksalt_syslog
%patch45 -p1 -b .mntopts
%patch46 -p1 -b .no-showfailed
%patch47 -p1 -b .unlimited-fsize
%patch48 -p1 -b .improve-logging
%patch49 -p1 -b .tty-audit-manfix
%patch50 -p1 -b .fds-closing
%patch51 -p1 -b .authtok-verify-fix
autoreconf -i
@ -162,6 +176,9 @@ for readme in modules/pam_*/README ; do
cp -f ${readme} doc/txts/README.`dirname ${readme} | sed -e 's|^modules/||'`
done
rm -rf doc/txts/README.pam_tally*
rm -rf doc/sag/html/*pam_tally*
# Install the binaries, libraries, and modules.
make install DESTDIR=$RPM_BUILD_ROOT LDCONFIG=:
@ -186,7 +203,6 @@ install -m 644 %{SOURCE10} $RPM_BUILD_ROOT%{_pamconfdir}/config-util
install -m 644 %{SOURCE16} $RPM_BUILD_ROOT%{_pamconfdir}/postlogin
install -m 600 /dev/null $RPM_BUILD_ROOT%{_secconfdir}/opasswd
install -d -m 755 $RPM_BUILD_ROOT/var/log
install -m 600 /dev/null $RPM_BUILD_ROOT/var/log/tallylog
install -d -m 755 $RPM_BUILD_ROOT/var/run/faillock
install -d -m 755 $RPM_BUILD_ROOT%{_sysconfdir}/motd.d
install -d -m 755 $RPM_BUILD_ROOT/usr/lib/motd.d
@ -364,7 +380,6 @@ done
%config(noreplace) %{_secconfdir}/sepermit.conf
%dir /var/run/sepermit
%endif
%ghost %verify(not md5 size mtime) /var/log/tallylog
%dir /var/run/faillock
%dir %{_sysconfdir}/motd.d
%dir /run/motd.d
@ -384,6 +399,17 @@ done
%doc doc/specs/rfc86.0.txt
%changelog
* Wed Oct 16 2019 Tomáš Mráz <tmraz@redhat.com> 1.3.1-20
- pam_namespace: Support noexec, nosuid and nodev flags for tmpfs mounts
- Drop tallylog and pam_tally documentation
- pam_faillock: Support local_users_only option
- pam_lastlog: Do not display failed attempts with PAM_SILENT flag
- pam_lastlog: Support unlimited option to override fsize limit
- pam_unix: Log if user authenticated without password
- pam_tty_audit: Improve manual page
- Optimize closing fds when spawning helpers
- Fix duplicate password verification in pam_authtok_verify()
* Mon Sep 9 2019 Tomáš Mráz <tmraz@redhat.com> 1.3.1-19
- pam_faillock: Support configuration file /etc/security/faillock.conf


@ -1,3 +1,3 @@
SHA512 (Linux-PAM-1.3.1.tar.xz) = 6bc8e2a5b64686f0a23846221c5228c88418ba485b17c53b3a12f91262b5bb73566d6b6a5daa1f63bbae54310aee918b987e44a72ce809b4e7c668f0fadfe08e
SHA512 (Linux-PAM-1.3.1.tar.xz.asc) = 8b3ad3f4f29fad663e375296dca00f736b3de764f11d7b7aa615d00efe1c702c9060f244967f2d84d8ef3a342c3a1f8eba6dd52847df427bb3ce0ff765a8108a
SHA512 (pam-redhat-1.1.0.tar.bz2) = deb3d07780dc908bb6284e5449c7a25dcfd173d0edcb2864a5400537714cb276bc7625ccf53a20027a95680e8dc180bf8899b9214bd67616de3087b1eecdad7c
SHA512 (pam-redhat-1.1.1.tar.bz2) = 45adff01e1a1370c5bcfa539e9eb98337301bf9b63446a433fb4d45b60cd631aae9d6afe0a92e8736836e44f6c7d099f97d26fcea06592ef769481908a82fc43