import pam-1.3.1-4.el8
This commit is contained in:
commit
bb5b2b7f4b
2
.gitignore
vendored
Normal file
2
.gitignore
vendored
Normal file
@ -0,0 +1,2 @@
|
||||
SOURCES/Linux-PAM-1.3.1.tar.xz
|
||||
SOURCES/pam-redhat-0.99.11.tar.bz2
|
2
.pam.metadata
Normal file
2
.pam.metadata
Normal file
@ -0,0 +1,2 @@
|
||||
e89b6d279c9bf8cb495dfc0b3f3931eb50f818e9 SOURCES/Linux-PAM-1.3.1.tar.xz
|
||||
42206fe8319723ef23ab646b2eab496c86de3f5b SOURCES/pam-redhat-0.99.11.tar.bz2
|
7
SOURCES/Linux-PAM-1.3.1.tar.xz.asc
Normal file
7
SOURCES/Linux-PAM-1.3.1.tar.xz.asc
Normal file
@ -0,0 +1,7 @@
|
||||
-----BEGIN PGP SIGNATURE-----
|
||||
Version: GnuPG v2
|
||||
|
||||
iD8DBQBa/r62bRp/BS5ZJLsRArnKAJ9pGaJHpsEsbOVa5dBQLHYC4DhPuACeJNrg
|
||||
+DaNc8W13E4Z2ZEUSsgUGe4=
|
||||
=aSTW
|
||||
-----END PGP SIGNATURE-----
|
36
SOURCES/config-util.5
Normal file
36
SOURCES/config-util.5
Normal file
@ -0,0 +1,36 @@
|
||||
.TH SYSTEM-AUTH 5 "2006 Feb 3" "Red Hat" "Linux-PAM Manual"
|
||||
.SH NAME
|
||||
|
||||
config-util \- Common PAM configuration file for configuration utilities
|
||||
|
||||
.SH SYNOPSIS
|
||||
.B /etc/pam.d/config-util
|
||||
.sp 2
|
||||
.SH DESCRIPTION
|
||||
|
||||
The purpose of this configuration file is to provide common
|
||||
configuration file for all configuration utilities which must be run
|
||||
from the supervisor account and use the userhelper wrapper application.
|
||||
|
||||
.sp
|
||||
The
|
||||
.BR config-util
|
||||
configuration file is included from all individual configuration
|
||||
files of such utilities with the help of the
|
||||
.BR include
|
||||
directive.
|
||||
There are not usually any other modules in the individual configuration
|
||||
files of these utilities.
|
||||
|
||||
.sp
|
||||
It is possible for example to modify duration of the validity of the
|
||||
authentication timestamp there. See
|
||||
.BR pam_timestamp(8)
|
||||
for details.
|
||||
|
||||
.SH BUGS
|
||||
.sp 2
|
||||
None known.
|
||||
|
||||
.SH "SEE ALSO"
|
||||
pam(8), config-util(5), pam_timestamp(8)
|
8
SOURCES/config-util.pamd
Normal file
8
SOURCES/config-util.pamd
Normal file
@ -0,0 +1,8 @@
|
||||
#%PAM-1.0
|
||||
auth sufficient pam_rootok.so
|
||||
auth sufficient pam_timestamp.so
|
||||
auth include system-auth
|
||||
account required pam_permit.so
|
||||
session required pam_permit.so
|
||||
session optional pam_xauth.so
|
||||
session optional pam_timestamp.so
|
75
SOURCES/dlopen.sh
Executable file
75
SOURCES/dlopen.sh
Executable file
@ -0,0 +1,75 @@
|
||||
#!/bin/sh
|
||||
|
||||
tempdir=`mktemp -d /tmp/dlopenXXXXXX`
|
||||
test -n "$tempdir" || exit 1
|
||||
cat >> $tempdir/dlopen.c << _EOF
|
||||
#include <dlfcn.h>
|
||||
#include <stdio.h>
|
||||
#include <limits.h>
|
||||
#include <sys/stat.h>
|
||||
/* Simple program to see if dlopen() would succeed. */
|
||||
int main(int argc, char **argv)
|
||||
{
|
||||
int i;
|
||||
struct stat st;
|
||||
char buf[PATH_MAX];
|
||||
for (i = 1; i < argc; i++) {
|
||||
if (dlopen(argv[i], RTLD_NOW)) {
|
||||
fprintf(stdout, "dlopen() of \"%s\" succeeded.\n",
|
||||
argv[i]);
|
||||
} else {
|
||||
snprintf(buf, sizeof(buf), "./%s", argv[i]);
|
||||
if ((stat(buf, &st) == 0) && dlopen(buf, RTLD_NOW)) {
|
||||
fprintf(stdout, "dlopen() of \"./%s\" "
|
||||
"succeeded.\n", argv[i]);
|
||||
} else {
|
||||
fprintf(stdout, "dlopen() of \"%s\" failed: "
|
||||
"%s\n", argv[i], dlerror());
|
||||
return 1;
|
||||
}
|
||||
}
|
||||
}
|
||||
return 0;
|
||||
}
|
||||
_EOF
|
||||
|
||||
for arg in $@ ; do
|
||||
case "$arg" in
|
||||
"")
|
||||
;;
|
||||
-I*|-D*|-f*|-m*|-g*|-O*|-W*)
|
||||
cflags="$cflags $arg"
|
||||
;;
|
||||
-l*|-L*)
|
||||
ldflags="$ldflags $arg"
|
||||
;;
|
||||
/*)
|
||||
modules="$modules $arg"
|
||||
;;
|
||||
*)
|
||||
modules="$modules $arg"
|
||||
;;
|
||||
esac
|
||||
done
|
||||
|
||||
${CC:-gcc} $RPM_OPT_FLAGS $CFLAGS -o $tempdir/dlopen $cflags $tempdir/dlopen.c $ldflags -ldl
|
||||
|
||||
retval=0
|
||||
for module in $modules ; do
|
||||
case "$module" in
|
||||
"")
|
||||
;;
|
||||
/*)
|
||||
$tempdir/dlopen "$module"
|
||||
retval=$?
|
||||
;;
|
||||
*)
|
||||
$tempdir/dlopen ./"$module"
|
||||
retval=$?
|
||||
;;
|
||||
esac
|
||||
done
|
||||
|
||||
rm -f $tempdir/dlopen $tempdir/dlopen.c
|
||||
rmdir $tempdir
|
||||
exit $retval
|
19
SOURCES/fingerprint-auth.pamd
Normal file
19
SOURCES/fingerprint-auth.pamd
Normal file
@ -0,0 +1,19 @@
|
||||
#%PAM-1.0
|
||||
# This file is auto-generated.
|
||||
# User changes will be destroyed the next time authselect is run.
|
||||
auth required pam_env.so
|
||||
auth sufficient pam_fprintd.so
|
||||
auth required pam_deny.so
|
||||
|
||||
account required pam_unix.so
|
||||
account sufficient pam_localuser.so
|
||||
account sufficient pam_succeed_if.so uid < 500 quiet
|
||||
account required pam_permit.so
|
||||
|
||||
password required pam_deny.so
|
||||
|
||||
session optional pam_keyinit.so revoke
|
||||
session required pam_limits.so
|
||||
-session optional pam_systemd.so
|
||||
session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
|
||||
session required pam_unix.so
|
339
SOURCES/gpl-2.0.txt
Normal file
339
SOURCES/gpl-2.0.txt
Normal file
@ -0,0 +1,339 @@
|
||||
GNU GENERAL PUBLIC LICENSE
|
||||
Version 2, June 1991
|
||||
|
||||
Copyright (C) 1989, 1991 Free Software Foundation, Inc.,
|
||||
51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA
|
||||
Everyone is permitted to copy and distribute verbatim copies
|
||||
of this license document, but changing it is not allowed.
|
||||
|
||||
Preamble
|
||||
|
||||
The licenses for most software are designed to take away your
|
||||
freedom to share and change it. By contrast, the GNU General Public
|
||||
License is intended to guarantee your freedom to share and change free
|
||||
software--to make sure the software is free for all its users. This
|
||||
General Public License applies to most of the Free Software
|
||||
Foundation's software and to any other program whose authors commit to
|
||||
using it. (Some other Free Software Foundation software is covered by
|
||||
the GNU Lesser General Public License instead.) You can apply it to
|
||||
your programs, too.
|
||||
|
||||
When we speak of free software, we are referring to freedom, not
|
||||
price. Our General Public Licenses are designed to make sure that you
|
||||
have the freedom to distribute copies of free software (and charge for
|
||||
this service if you wish), that you receive source code or can get it
|
||||
if you want it, that you can change the software or use pieces of it
|
||||
in new free programs; and that you know you can do these things.
|
||||
|
||||
To protect your rights, we need to make restrictions that forbid
|
||||
anyone to deny you these rights or to ask you to surrender the rights.
|
||||
These restrictions translate to certain responsibilities for you if you
|
||||
distribute copies of the software, or if you modify it.
|
||||
|
||||
For example, if you distribute copies of such a program, whether
|
||||
gratis or for a fee, you must give the recipients all the rights that
|
||||
you have. You must make sure that they, too, receive or can get the
|
||||
source code. And you must show them these terms so they know their
|
||||
rights.
|
||||
|
||||
We protect your rights with two steps: (1) copyright the software, and
|
||||
(2) offer you this license which gives you legal permission to copy,
|
||||
distribute and/or modify the software.
|
||||
|
||||
Also, for each author's protection and ours, we want to make certain
|
||||
that everyone understands that there is no warranty for this free
|
||||
software. If the software is modified by someone else and passed on, we
|
||||
want its recipients to know that what they have is not the original, so
|
||||
that any problems introduced by others will not reflect on the original
|
||||
authors' reputations.
|
||||
|
||||
Finally, any free program is threatened constantly by software
|
||||
patents. We wish to avoid the danger that redistributors of a free
|
||||
program will individually obtain patent licenses, in effect making the
|
||||
program proprietary. To prevent this, we have made it clear that any
|
||||
patent must be licensed for everyone's free use or not licensed at all.
|
||||
|
||||
The precise terms and conditions for copying, distribution and
|
||||
modification follow.
|
||||
|
||||
GNU GENERAL PUBLIC LICENSE
|
||||
TERMS AND CONDITIONS FOR COPYING, DISTRIBUTION AND MODIFICATION
|
||||
|
||||
0. This License applies to any program or other work which contains
|
||||
a notice placed by the copyright holder saying it may be distributed
|
||||
under the terms of this General Public License. The "Program", below,
|
||||
refers to any such program or work, and a "work based on the Program"
|
||||
means either the Program or any derivative work under copyright law:
|
||||
that is to say, a work containing the Program or a portion of it,
|
||||
either verbatim or with modifications and/or translated into another
|
||||
language. (Hereinafter, translation is included without limitation in
|
||||
the term "modification".) Each licensee is addressed as "you".
|
||||
|
||||
Activities other than copying, distribution and modification are not
|
||||
covered by this License; they are outside its scope. The act of
|
||||
running the Program is not restricted, and the output from the Program
|
||||
is covered only if its contents constitute a work based on the
|
||||
Program (independent of having been made by running the Program).
|
||||
Whether that is true depends on what the Program does.
|
||||
|
||||
1. You may copy and distribute verbatim copies of the Program's
|
||||
source code as you receive it, in any medium, provided that you
|
||||
conspicuously and appropriately publish on each copy an appropriate
|
||||
copyright notice and disclaimer of warranty; keep intact all the
|
||||
notices that refer to this License and to the absence of any warranty;
|
||||
and give any other recipients of the Program a copy of this License
|
||||
along with the Program.
|
||||
|
||||
You may charge a fee for the physical act of transferring a copy, and
|
||||
you may at your option offer warranty protection in exchange for a fee.
|
||||
|
||||
2. You may modify your copy or copies of the Program or any portion
|
||||
of it, thus forming a work based on the Program, and copy and
|
||||
distribute such modifications or work under the terms of Section 1
|
||||
above, provided that you also meet all of these conditions:
|
||||
|
||||
a) You must cause the modified files to carry prominent notices
|
||||
stating that you changed the files and the date of any change.
|
||||
|
||||
b) You must cause any work that you distribute or publish, that in
|
||||
whole or in part contains or is derived from the Program or any
|
||||
part thereof, to be licensed as a whole at no charge to all third
|
||||
parties under the terms of this License.
|
||||
|
||||
c) If the modified program normally reads commands interactively
|
||||
when run, you must cause it, when started running for such
|
||||
interactive use in the most ordinary way, to print or display an
|
||||
announcement including an appropriate copyright notice and a
|
||||
notice that there is no warranty (or else, saying that you provide
|
||||
a warranty) and that users may redistribute the program under
|
||||
these conditions, and telling the user how to view a copy of this
|
||||
License. (Exception: if the Program itself is interactive but
|
||||
does not normally print such an announcement, your work based on
|
||||
the Program is not required to print an announcement.)
|
||||
|
||||
These requirements apply to the modified work as a whole. If
|
||||
identifiable sections of that work are not derived from the Program,
|
||||
and can be reasonably considered independent and separate works in
|
||||
themselves, then this License, and its terms, do not apply to those
|
||||
sections when you distribute them as separate works. But when you
|
||||
distribute the same sections as part of a whole which is a work based
|
||||
on the Program, the distribution of the whole must be on the terms of
|
||||
this License, whose permissions for other licensees extend to the
|
||||
entire whole, and thus to each and every part regardless of who wrote it.
|
||||
|
||||
Thus, it is not the intent of this section to claim rights or contest
|
||||
your rights to work written entirely by you; rather, the intent is to
|
||||
exercise the right to control the distribution of derivative or
|
||||
collective works based on the Program.
|
||||
|
||||
In addition, mere aggregation of another work not based on the Program
|
||||
with the Program (or with a work based on the Program) on a volume of
|
||||
a storage or distribution medium does not bring the other work under
|
||||
the scope of this License.
|
||||
|
||||
3. You may copy and distribute the Program (or a work based on it,
|
||||
under Section 2) in object code or executable form under the terms of
|
||||
Sections 1 and 2 above provided that you also do one of the following:
|
||||
|
||||
a) Accompany it with the complete corresponding machine-readable
|
||||
source code, which must be distributed under the terms of Sections
|
||||
1 and 2 above on a medium customarily used for software interchange; or,
|
||||
|
||||
b) Accompany it with a written offer, valid for at least three
|
||||
years, to give any third party, for a charge no more than your
|
||||
cost of physically performing source distribution, a complete
|
||||
machine-readable copy of the corresponding source code, to be
|
||||
distributed under the terms of Sections 1 and 2 above on a medium
|
||||
customarily used for software interchange; or,
|
||||
|
||||
c) Accompany it with the information you received as to the offer
|
||||
to distribute corresponding source code. (This alternative is
|
||||
allowed only for noncommercial distribution and only if you
|
||||
received the program in object code or executable form with such
|
||||
an offer, in accord with Subsection b above.)
|
||||
|
||||
The source code for a work means the preferred form of the work for
|
||||
making modifications to it. For an executable work, complete source
|
||||
code means all the source code for all modules it contains, plus any
|
||||
associated interface definition files, plus the scripts used to
|
||||
control compilation and installation of the executable. However, as a
|
||||
special exception, the source code distributed need not include
|
||||
anything that is normally distributed (in either source or binary
|
||||
form) with the major components (compiler, kernel, and so on) of the
|
||||
operating system on which the executable runs, unless that component
|
||||
itself accompanies the executable.
|
||||
|
||||
If distribution of executable or object code is made by offering
|
||||
access to copy from a designated place, then offering equivalent
|
||||
access to copy the source code from the same place counts as
|
||||
distribution of the source code, even though third parties are not
|
||||
compelled to copy the source along with the object code.
|
||||
|
||||
4. You may not copy, modify, sublicense, or distribute the Program
|
||||
except as expressly provided under this License. Any attempt
|
||||
otherwise to copy, modify, sublicense or distribute the Program is
|
||||
void, and will automatically terminate your rights under this License.
|
||||
However, parties who have received copies, or rights, from you under
|
||||
this License will not have their licenses terminated so long as such
|
||||
parties remain in full compliance.
|
||||
|
||||
5. You are not required to accept this License, since you have not
|
||||
signed it. However, nothing else grants you permission to modify or
|
||||
distribute the Program or its derivative works. These actions are
|
||||
prohibited by law if you do not accept this License. Therefore, by
|
||||
modifying or distributing the Program (or any work based on the
|
||||
Program), you indicate your acceptance of this License to do so, and
|
||||
all its terms and conditions for copying, distributing or modifying
|
||||
the Program or works based on it.
|
||||
|
||||
6. Each time you redistribute the Program (or any work based on the
|
||||
Program), the recipient automatically receives a license from the
|
||||
original licensor to copy, distribute or modify the Program subject to
|
||||
these terms and conditions. You may not impose any further
|
||||
restrictions on the recipients' exercise of the rights granted herein.
|
||||
You are not responsible for enforcing compliance by third parties to
|
||||
this License.
|
||||
|
||||
7. If, as a consequence of a court judgment or allegation of patent
|
||||
infringement or for any other reason (not limited to patent issues),
|
||||
conditions are imposed on you (whether by court order, agreement or
|
||||
otherwise) that contradict the conditions of this License, they do not
|
||||
excuse you from the conditions of this License. If you cannot
|
||||
distribute so as to satisfy simultaneously your obligations under this
|
||||
License and any other pertinent obligations, then as a consequence you
|
||||
may not distribute the Program at all. For example, if a patent
|
||||
license would not permit royalty-free redistribution of the Program by
|
||||
all those who receive copies directly or indirectly through you, then
|
||||
the only way you could satisfy both it and this License would be to
|
||||
refrain entirely from distribution of the Program.
|
||||
|
||||
If any portion of this section is held invalid or unenforceable under
|
||||
any particular circumstance, the balance of the section is intended to
|
||||
apply and the section as a whole is intended to apply in other
|
||||
circumstances.
|
||||
|
||||
It is not the purpose of this section to induce you to infringe any
|
||||
patents or other property right claims or to contest validity of any
|
||||
such claims; this section has the sole purpose of protecting the
|
||||
integrity of the free software distribution system, which is
|
||||
implemented by public license practices. Many people have made
|
||||
generous contributions to the wide range of software distributed
|
||||
through that system in reliance on consistent application of that
|
||||
system; it is up to the author/donor to decide if he or she is willing
|
||||
to distribute software through any other system and a licensee cannot
|
||||
impose that choice.
|
||||
|
||||
This section is intended to make thoroughly clear what is believed to
|
||||
be a consequence of the rest of this License.
|
||||
|
||||
8. If the distribution and/or use of the Program is restricted in
|
||||
certain countries either by patents or by copyrighted interfaces, the
|
||||
original copyright holder who places the Program under this License
|
||||
may add an explicit geographical distribution limitation excluding
|
||||
those countries, so that distribution is permitted only in or among
|
||||
countries not thus excluded. In such case, this License incorporates
|
||||
the limitation as if written in the body of this License.
|
||||
|
||||
9. The Free Software Foundation may publish revised and/or new versions
|
||||
of the General Public License from time to time. Such new versions will
|
||||
be similar in spirit to the present version, but may differ in detail to
|
||||
address new problems or concerns.
|
||||
|
||||
Each version is given a distinguishing version number. If the Program
|
||||
specifies a version number of this License which applies to it and "any
|
||||
later version", you have the option of following the terms and conditions
|
||||
either of that version or of any later version published by the Free
|
||||
Software Foundation. If the Program does not specify a version number of
|
||||
this License, you may choose any version ever published by the Free Software
|
||||
Foundation.
|
||||
|
||||
10. If you wish to incorporate parts of the Program into other free
|
||||
programs whose distribution conditions are different, write to the author
|
||||
to ask for permission. For software which is copyrighted by the Free
|
||||
Software Foundation, write to the Free Software Foundation; we sometimes
|
||||
make exceptions for this. Our decision will be guided by the two goals
|
||||
of preserving the free status of all derivatives of our free software and
|
||||
of promoting the sharing and reuse of software generally.
|
||||
|
||||
NO WARRANTY
|
||||
|
||||
11. BECAUSE THE PROGRAM IS LICENSED FREE OF CHARGE, THERE IS NO WARRANTY
|
||||
FOR THE PROGRAM, TO THE EXTENT PERMITTED BY APPLICABLE LAW. EXCEPT WHEN
|
||||
OTHERWISE STATED IN WRITING THE COPYRIGHT HOLDERS AND/OR OTHER PARTIES
|
||||
PROVIDE THE PROGRAM "AS IS" WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESSED
|
||||
OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
|
||||
MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. THE ENTIRE RISK AS
|
||||
TO THE QUALITY AND PERFORMANCE OF THE PROGRAM IS WITH YOU. SHOULD THE
|
||||
PROGRAM PROVE DEFECTIVE, YOU ASSUME THE COST OF ALL NECESSARY SERVICING,
|
||||
REPAIR OR CORRECTION.
|
||||
|
||||
12. IN NO EVENT UNLESS REQUIRED BY APPLICABLE LAW OR AGREED TO IN WRITING
|
||||
WILL ANY COPYRIGHT HOLDER, OR ANY OTHER PARTY WHO MAY MODIFY AND/OR
|
||||
REDISTRIBUTE THE PROGRAM AS PERMITTED ABOVE, BE LIABLE TO YOU FOR DAMAGES,
|
||||
INCLUDING ANY GENERAL, SPECIAL, INCIDENTAL OR CONSEQUENTIAL DAMAGES ARISING
|
||||
OUT OF THE USE OR INABILITY TO USE THE PROGRAM (INCLUDING BUT NOT LIMITED
|
||||
TO LOSS OF DATA OR DATA BEING RENDERED INACCURATE OR LOSSES SUSTAINED BY
|
||||
YOU OR THIRD PARTIES OR A FAILURE OF THE PROGRAM TO OPERATE WITH ANY OTHER
|
||||
PROGRAMS), EVEN IF SUCH HOLDER OR OTHER PARTY HAS BEEN ADVISED OF THE
|
||||
POSSIBILITY OF SUCH DAMAGES.
|
||||
|
||||
END OF TERMS AND CONDITIONS
|
||||
|
||||
How to Apply These Terms to Your New Programs
|
||||
|
||||
If you develop a new program, and you want it to be of the greatest
|
||||
possible use to the public, the best way to achieve this is to make it
|
||||
free software which everyone can redistribute and change under these terms.
|
||||
|
||||
To do so, attach the following notices to the program. It is safest
|
||||
to attach them to the start of each source file to most effectively
|
||||
convey the exclusion of warranty; and each file should have at least
|
||||
the "copyright" line and a pointer to where the full notice is found.
|
||||
|
||||
<one line to give the program's name and a brief idea of what it does.>
|
||||
Copyright (C) <year> <name of author>
|
||||
|
||||
This program is free software; you can redistribute it and/or modify
|
||||
it under the terms of the GNU General Public License as published by
|
||||
the Free Software Foundation; either version 2 of the License, or
|
||||
(at your option) any later version.
|
||||
|
||||
This program is distributed in the hope that it will be useful,
|
||||
but WITHOUT ANY WARRANTY; without even the implied warranty of
|
||||
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
||||
GNU General Public License for more details.
|
||||
|
||||
You should have received a copy of the GNU General Public License along
|
||||
with this program; if not, write to the Free Software Foundation, Inc.,
|
||||
51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
|
||||
|
||||
Also add information on how to contact you by electronic and paper mail.
|
||||
|
||||
If the program is interactive, make it output a short notice like this
|
||||
when it starts in an interactive mode:
|
||||
|
||||
Gnomovision version 69, Copyright (C) year name of author
|
||||
Gnomovision comes with ABSOLUTELY NO WARRANTY; for details type `show w'.
|
||||
This is free software, and you are welcome to redistribute it
|
||||
under certain conditions; type `show c' for details.
|
||||
|
||||
The hypothetical commands `show w' and `show c' should show the appropriate
|
||||
parts of the General Public License. Of course, the commands you use may
|
||||
be called something other than `show w' and `show c'; they could even be
|
||||
mouse-clicks or menu items--whatever suits your program.
|
||||
|
||||
You should also get your employer (if you work as a programmer) or your
|
||||
school, if any, to sign a "copyright disclaimer" for the program, if
|
||||
necessary. Here is a sample; alter the names:
|
||||
|
||||
Yoyodyne, Inc., hereby disclaims all copyright interest in the program
|
||||
`Gnomovision' (which makes passes at compilers) written by James Hacker.
|
||||
|
||||
<signature of Ty Coon>, 1 April 1989
|
||||
Ty Coon, President of Vice
|
||||
|
||||
This General Public License does not permit incorporating your program into
|
||||
proprietary programs. If your program is a subroutine library, you may
|
||||
consider it more useful to permit linking proprietary applications with the
|
||||
library. If this is what you want to do, use the GNU Lesser General
|
||||
Public License instead of this License.
|
5
SOURCES/other.pamd
Normal file
5
SOURCES/other.pamd
Normal file
@ -0,0 +1,5 @@
|
||||
#%PAM-1.0
|
||||
auth required pam_deny.so
|
||||
account required pam_deny.so
|
||||
password required pam_deny.so
|
||||
session required pam_deny.so
|
26
SOURCES/pam-1.1.0-console-nochmod.patch
Normal file
26
SOURCES/pam-1.1.0-console-nochmod.patch
Normal file
@ -0,0 +1,26 @@
|
||||
diff -up Linux-PAM-1.1.0/modules/pam_console/console.handlers.nochmod Linux-PAM-1.1.0/modules/pam_console/console.handlers
|
||||
--- Linux-PAM-1.1.0/modules/pam_console/console.handlers.nochmod 2008-12-16 13:37:52.000000000 +0100
|
||||
+++ Linux-PAM-1.1.0/modules/pam_console/console.handlers 2009-09-01 17:20:08.000000000 +0200
|
||||
@@ -15,5 +15,3 @@
|
||||
# touch unlock wait /var/run/console-unlocked
|
||||
|
||||
console consoledevs tty[0-9][0-9]* vc/[0-9][0-9]* :[0-9]+\.[0-9]+ :[0-9]+
|
||||
-/sbin/pam_console_apply lock logfail wait -t tty -s
|
||||
-/sbin/pam_console_apply unlock logfail wait -r -t tty -s
|
||||
diff -up Linux-PAM-1.1.0/modules/pam_console/Makefile.am.nochmod Linux-PAM-1.1.0/modules/pam_console/Makefile.am
|
||||
--- Linux-PAM-1.1.0/modules/pam_console/Makefile.am.nochmod 2008-12-16 13:37:52.000000000 +0100
|
||||
+++ Linux-PAM-1.1.0/modules/pam_console/Makefile.am 2009-09-01 17:42:47.000000000 +0200
|
||||
@@ -38,7 +38,6 @@ sbin_PROGRAMS = pam_console_apply
|
||||
|
||||
|
||||
secureconf_DATA = console.perms console.handlers
|
||||
-permsd_DATA = 50-default.perms
|
||||
|
||||
FLEX_OPTS = -Cr
|
||||
BISON_OPTS = -d
|
||||
@@ -62,4 +61,5 @@ configfile.c: configfile.tab.c configfil
|
||||
|
||||
install-data-local:
|
||||
mkdir -p $(DESTDIR)$(secureconfdir)/console.apps
|
||||
+ mkdir -p $(DESTDIR)$(permsddir)
|
||||
mkdir -m $(LOCKMODE) -p -p $(DESTDIR)$(LOCKDIR)
|
12
SOURCES/pam-1.1.0-notally.patch
Normal file
12
SOURCES/pam-1.1.0-notally.patch
Normal file
@ -0,0 +1,12 @@
|
||||
diff -up Linux-PAM-1.1.0/modules/Makefile.am.notally Linux-PAM-1.1.0/modules/Makefile.am
|
||||
--- Linux-PAM-1.1.0/modules/Makefile.am.notally 2009-07-27 17:39:25.000000000 +0200
|
||||
+++ Linux-PAM-1.1.0/modules/Makefile.am 2009-09-01 17:40:16.000000000 +0200
|
||||
@@ -10,7 +10,7 @@ SUBDIRS = pam_access pam_cracklib pam_de
|
||||
pam_mkhomedir pam_motd pam_namespace pam_nologin \
|
||||
pam_permit pam_pwhistory pam_rhosts pam_rootok pam_securetty \
|
||||
pam_selinux pam_sepermit pam_shells pam_stress \
|
||||
- pam_succeed_if pam_tally pam_tally2 pam_time pam_timestamp \
|
||||
+ pam_succeed_if pam_time pam_timestamp \
|
||||
pam_tty_audit pam_umask \
|
||||
pam_unix pam_userdb pam_warn pam_wheel pam_xauth
|
||||
|
12
SOURCES/pam-1.1.1-console-errmsg.patch
Normal file
12
SOURCES/pam-1.1.1-console-errmsg.patch
Normal file
@ -0,0 +1,12 @@
|
||||
diff -up Linux-PAM-1.1.1/modules/pam_console/pam_console_apply.c.errmsg Linux-PAM-1.1.1/modules/pam_console/pam_console_apply.c
|
||||
--- Linux-PAM-1.1.1/modules/pam_console/pam_console_apply.c.errmsg 2008-12-16 13:37:52.000000000 +0100
|
||||
+++ Linux-PAM-1.1.1/modules/pam_console/pam_console_apply.c 2014-06-19 13:23:28.948343737 +0200
|
||||
@@ -65,7 +65,7 @@ parse_files(void)
|
||||
on system locale */
|
||||
oldlocale = setlocale(LC_COLLATE, "C");
|
||||
|
||||
- rc = glob(PERMS_GLOB, GLOB_NOCHECK, NULL, &globbuf);
|
||||
+ rc = glob(PERMS_GLOB, 0, NULL, &globbuf);
|
||||
setlocale(LC_COLLATE, oldlocale);
|
||||
if (rc)
|
||||
return;
|
27
SOURCES/pam-1.1.3-nouserenv.patch
Normal file
27
SOURCES/pam-1.1.3-nouserenv.patch
Normal file
@ -0,0 +1,27 @@
|
||||
diff -up pam/modules/pam_env/pam_env.c.nouserenv pam/modules/pam_env/pam_env.c
|
||||
--- pam/modules/pam_env/pam_env.c.nouserenv 2010-10-20 09:59:30.000000000 +0200
|
||||
+++ pam/modules/pam_env/pam_env.c 2010-11-01 14:42:01.000000000 +0100
|
||||
@@ -10,7 +10,7 @@
|
||||
#define DEFAULT_READ_ENVFILE 1
|
||||
|
||||
#define DEFAULT_USER_ENVFILE ".pam_environment"
|
||||
-#define DEFAULT_USER_READ_ENVFILE 1
|
||||
+#define DEFAULT_USER_READ_ENVFILE 0
|
||||
|
||||
#include "config.h"
|
||||
|
||||
diff -up pam/modules/pam_env/pam_env.8.xml.nouserenv pam/modules/pam_env/pam_env.8.xml
|
||||
--- pam/modules/pam_env/pam_env.8.xml.nouserenv 2010-10-20 09:59:30.000000000 +0200
|
||||
+++ pam/modules/pam_env/pam_env.8.xml 2010-11-01 14:42:01.000000000 +0100
|
||||
@@ -147,7 +147,10 @@
|
||||
<listitem>
|
||||
<para>
|
||||
Turns on or off the reading of the user specific environment
|
||||
- file. 0 is off, 1 is on. By default this option is on.
|
||||
+ file. 0 is off, 1 is on. By default this option is off as user
|
||||
+ supplied environment variables in the PAM environment could affect
|
||||
+ behavior of subsequent modules in the stack without the consent
|
||||
+ of the system administrator.
|
||||
</para>
|
||||
</listitem>
|
||||
</varlistentry>
|
20
SOURCES/pam-1.1.6-limits-user.patch
Normal file
20
SOURCES/pam-1.1.6-limits-user.patch
Normal file
@ -0,0 +1,20 @@
|
||||
diff -up Linux-PAM-1.1.6/modules/pam_limits/limits.conf.limits Linux-PAM-1.1.6/modules/pam_limits/limits.conf
|
||||
--- Linux-PAM-1.1.6/modules/pam_limits/limits.conf.limits 2012-08-15 13:08:43.000000000 +0200
|
||||
+++ Linux-PAM-1.1.6/modules/pam_limits/limits.conf 2013-03-14 16:43:37.615087671 +0100
|
||||
@@ -1,5 +1,16 @@
|
||||
# /etc/security/limits.conf
|
||||
#
|
||||
+#This file sets the resource limits for the users logged in via PAM.
|
||||
+#It does not affect resource limits of the system services.
|
||||
+#
|
||||
+#Also note that configuration files in /etc/security/limits.d directory,
|
||||
+#which are read in alphabetical order, override the settings in this
|
||||
+#file in case the domain is the same or more specific.
|
||||
+#That means for example that setting a limit for wildcard domain here
|
||||
+#can be overriden with a wildcard setting in a config file in the
|
||||
+#subdirectory, but a user specific setting here can be overriden only
|
||||
+#with a user specific setting in the subdirectory.
|
||||
+#
|
||||
#Each line describes a limit for a user in the form:
|
||||
#
|
||||
#<domain> <type> <item> <value>
|
31
SOURCES/pam-1.1.8-audit-user-mgmt.patch
Normal file
31
SOURCES/pam-1.1.8-audit-user-mgmt.patch
Normal file
@ -0,0 +1,31 @@
|
||||
diff -up Linux-PAM-1.1.8/modules/pam_tally2/pam_tally2.c.audit-user-mgmt Linux-PAM-1.1.8/modules/pam_tally2/pam_tally2.c
|
||||
--- Linux-PAM-1.1.8/modules/pam_tally2/pam_tally2.c.audit-user-mgmt 2013-06-18 16:11:21.000000000 +0200
|
||||
+++ Linux-PAM-1.1.8/modules/pam_tally2/pam_tally2.c 2014-10-17 12:09:12.965490940 +0200
|
||||
@@ -997,9 +997,9 @@ main( int argc UNUSED, char **argv )
|
||||
#ifdef HAVE_LIBAUDIT
|
||||
char buf[64];
|
||||
int audit_fd = audit_open();
|
||||
- snprintf(buf, sizeof(buf), "pam_tally2 uid=%u reset=%hu", uid, cline_reset);
|
||||
- audit_log_user_message(audit_fd, AUDIT_USER_ACCT,
|
||||
- buf, NULL, NULL, ttyname(STDIN_FILENO), 1);
|
||||
+ snprintf(buf, sizeof(buf), "pam_tally2 reset=%hu", cline_reset);
|
||||
+ audit_log_acct_message(audit_fd, AUDIT_USER_MGMT, NULL,
|
||||
+ buf, NULL, uid, NULL, NULL, ttyname(STDIN_FILENO), 1);
|
||||
if (audit_fd >=0)
|
||||
close(audit_fd);
|
||||
#endif
|
||||
@@ -1040,11 +1040,10 @@ main( int argc UNUSED, char **argv )
|
||||
}
|
||||
else if ( !cline_reset ) {
|
||||
#ifdef HAVE_LIBAUDIT
|
||||
- char buf[64];
|
||||
int audit_fd = audit_open();
|
||||
- snprintf(buf, sizeof(buf), "pam_tally2 uid=all reset=0");
|
||||
- audit_log_user_message(audit_fd, AUDIT_USER_ACCT,
|
||||
- buf, NULL, NULL, ttyname(STDIN_FILENO), 1);
|
||||
+ audit_log_acct_message(audit_fd, AUDIT_USER_MGMT, NULL,
|
||||
+ "pam_tally2-reset-all-accts reset=0", "*", -1,
|
||||
+ NULL, NULL, ttyname(STDIN_FILENO), 1);
|
||||
if (audit_fd >=0)
|
||||
close(audit_fd);
|
||||
#endif
|
88
SOURCES/pam-1.1.8-full-relro.patch
Normal file
88
SOURCES/pam-1.1.8-full-relro.patch
Normal file
@ -0,0 +1,88 @@
|
||||
diff -up Linux-PAM-1.1.8/modules/pam_console/Makefile.am.relro Linux-PAM-1.1.8/modules/pam_console/Makefile.am
|
||||
--- Linux-PAM-1.1.8/modules/pam_console/Makefile.am.relro 2014-08-13 16:02:49.000000000 +0200
|
||||
+++ Linux-PAM-1.1.8/modules/pam_console/Makefile.am 2014-09-10 17:14:33.245554314 +0200
|
||||
@@ -33,6 +33,8 @@ pam_console_la_LIBADD = -L$(top_builddir
|
||||
|
||||
pam_console_apply_LDADD = -L$(top_builddir)/libpam -lpam
|
||||
|
||||
+pam_console_apply_LDFLAGS = -Wl,-z,now @PIE_LDFLAGS@
|
||||
+
|
||||
securelib_LTLIBRARIES = pam_console.la
|
||||
sbin_PROGRAMS = pam_console_apply
|
||||
|
||||
@@ -47,7 +49,7 @@ pam_console_apply_SOURCES = pam_console_
|
||||
configfile.c configfile.h hashtable.c hashtable.h hashtable_private.h
|
||||
|
||||
pam_console_la_CFLAGS = $(AM_CFLAGS)
|
||||
-pam_console_apply_CFLAGS = $(AM_CFLAGS)
|
||||
+pam_console_apply_CFLAGS = $(AM_CFLAGS) @PIE_CFLAGS@
|
||||
|
||||
configfile.tab.c: configfile.y
|
||||
$(YACC) $(BISON_OPTS) -o $@ -p _pc_yy $<
|
||||
diff -up Linux-PAM-1.1.8/modules/pam_filter/upperLOWER/Makefile.am.relro Linux-PAM-1.1.8/modules/pam_filter/upperLOWER/Makefile.am
|
||||
--- Linux-PAM-1.1.8/modules/pam_filter/upperLOWER/Makefile.am.relro 2014-09-10 17:17:20.273401344 +0200
|
||||
+++ Linux-PAM-1.1.8/modules/pam_filter/upperLOWER/Makefile.am 2014-09-10 17:17:07.857115369 +0200
|
||||
@@ -9,7 +9,7 @@ securelibfilterdir = $(SECUREDIR)/pam_fi
|
||||
|
||||
AM_CFLAGS = -I$(top_srcdir)/libpam/include -I$(top_srcdir)/libpamc/include \
|
||||
-I$(srcdir)/.. @PIE_CFLAGS@
|
||||
-AM_LDFLAGS = @PIE_LDFLAGS@
|
||||
+AM_LDFLAGS = -Wl,-z,now @PIE_LDFLAGS@
|
||||
LDADD = $(top_builddir)/libpam/libpam.la
|
||||
|
||||
securelibfilter_PROGRAMS = upperLOWER
|
||||
diff -up Linux-PAM-1.1.8/modules/pam_mkhomedir/Makefile.am.relro Linux-PAM-1.1.8/modules/pam_mkhomedir/Makefile.am
|
||||
--- Linux-PAM-1.1.8/modules/pam_mkhomedir/Makefile.am.relro 2013-06-18 16:11:21.000000000 +0200
|
||||
+++ Linux-PAM-1.1.8/modules/pam_mkhomedir/Makefile.am 2014-09-10 17:18:42.922304935 +0200
|
||||
@@ -30,6 +30,8 @@ endif
|
||||
|
||||
sbin_PROGRAMS = mkhomedir_helper
|
||||
mkhomedir_helper_SOURCES = mkhomedir_helper.c
|
||||
+mkhomedir_helper_CFLAGS = $(AM_CFLAGS) @PIE_CFLAGS@
|
||||
+mkhomedir_helper_LDFLAGS = -Wl,-z,now @PIE_LDFLAGS@
|
||||
mkhomedir_helper_LDADD = $(top_builddir)/libpam/libpam.la
|
||||
|
||||
if ENABLE_REGENERATE_MAN
|
||||
diff -up Linux-PAM-1.1.8/modules/pam_tally2/Makefile.am.relro Linux-PAM-1.1.8/modules/pam_tally2/Makefile.am
|
||||
--- Linux-PAM-1.1.8/modules/pam_tally2/Makefile.am.relro 2013-06-18 16:11:21.000000000 +0200
|
||||
+++ Linux-PAM-1.1.8/modules/pam_tally2/Makefile.am 2014-09-10 17:22:04.339944040 +0200
|
||||
@@ -26,6 +26,8 @@ if HAVE_VERSIONING
|
||||
pam_tally2_la_LDFLAGS += -Wl,--version-script=$(srcdir)/../modules.map
|
||||
endif
|
||||
|
||||
+pam_tally2_CFLAGS = $(AM_CFLAGS) @PIE_CFLAGS@
|
||||
+pam_tally2_LDFLAGS = -Wl,-z,now @PIE_LDFLAGS@
|
||||
pam_tally2_LDADD = $(top_builddir)/libpam/libpam.la $(LIBAUDIT)
|
||||
|
||||
securelib_LTLIBRARIES = pam_tally2.la
|
||||
diff -up Linux-PAM-1.1.8/modules/pam_timestamp/Makefile.am.relro Linux-PAM-1.1.8/modules/pam_timestamp/Makefile.am
|
||||
--- Linux-PAM-1.1.8/modules/pam_timestamp/Makefile.am.relro 2013-06-18 16:11:21.000000000 +0200
|
||||
+++ Linux-PAM-1.1.8/modules/pam_timestamp/Makefile.am 2014-08-13 16:02:49.906688139 +0200
|
||||
@@ -36,7 +36,7 @@ pam_timestamp_la_CFLAGS = $(AM_CFLAGS)
|
||||
pam_timestamp_check_SOURCES = pam_timestamp_check.c
|
||||
pam_timestamp_check_CFLAGS = $(AM_CFLAGS) @PIE_CFLAGS@
|
||||
pam_timestamp_check_LDADD = $(top_builddir)/libpam/libpam.la
|
||||
-pam_timestamp_check_LDFLAGS = @PIE_LDFLAGS@
|
||||
+pam_timestamp_check_LDFLAGS = -Wl,-z,now @PIE_LDFLAGS@
|
||||
|
||||
hmacfile_SOURCES = hmacfile.c hmacsha1.c sha1.c
|
||||
hmacfile_LDADD = $(top_builddir)/libpam/libpam.la
|
||||
diff -up Linux-PAM-1.1.8/modules/pam_unix/Makefile.am.relro Linux-PAM-1.1.8/modules/pam_unix/Makefile.am
|
||||
--- Linux-PAM-1.1.8/modules/pam_unix/Makefile.am.relro 2013-06-18 16:11:21.000000000 +0200
|
||||
+++ Linux-PAM-1.1.8/modules/pam_unix/Makefile.am 2014-08-13 16:02:49.906688139 +0200
|
||||
@@ -55,13 +55,13 @@ bigcrypt_LDADD = @LIBCRYPT@
|
||||
unix_chkpwd_SOURCES = unix_chkpwd.c md5_good.c md5_broken.c bigcrypt.c \
|
||||
passverify.c
|
||||
unix_chkpwd_CFLAGS = $(AM_CFLAGS) @PIE_CFLAGS@ -DHELPER_COMPILE=\"unix_chkpwd\"
|
||||
-unix_chkpwd_LDFLAGS = @PIE_LDFLAGS@
|
||||
+unix_chkpwd_LDFLAGS = -Wl,-z,now @PIE_LDFLAGS@
|
||||
unix_chkpwd_LDADD = @LIBCRYPT@ @LIBSELINUX@ @LIBAUDIT@
|
||||
|
||||
unix_update_SOURCES = unix_update.c md5_good.c md5_broken.c bigcrypt.c \
|
||||
passverify.c
|
||||
unix_update_CFLAGS = $(AM_CFLAGS) @PIE_CFLAGS@ -DHELPER_COMPILE=\"unix_update\"
|
||||
-unix_update_LDFLAGS = @PIE_LDFLAGS@
|
||||
+unix_update_LDFLAGS = -Wl,-z,now @PIE_LDFLAGS@
|
||||
unix_update_LDADD = @LIBCRYPT@ @LIBSELINUX@
|
||||
|
||||
if ENABLE_REGENERATE_MAN
|
23
SOURCES/pam-1.2.0-redhat-modules.patch
Normal file
23
SOURCES/pam-1.2.0-redhat-modules.patch
Normal file
@ -0,0 +1,23 @@
|
||||
diff -up Linux-PAM-1.2.0/configure.ac.redhat-modules Linux-PAM-1.2.0/configure.ac
|
||||
--- Linux-PAM-1.2.0/configure.ac.redhat-modules 2015-03-25 16:50:10.000000000 +0100
|
||||
+++ Linux-PAM-1.2.0/configure.ac 2015-05-15 15:46:50.996074677 +0200
|
||||
@@ -616,6 +616,8 @@ AC_CONFIG_FILES([Makefile libpam/Makefil
|
||||
libpam_misc/Makefile conf/Makefile conf/pam_conv1/Makefile \
|
||||
po/Makefile.in \
|
||||
modules/Makefile \
|
||||
+ modules/pam_chroot/Makefile modules/pam_console/Makefile \
|
||||
+ modules/pam_postgresok/Makefile \
|
||||
modules/pam_access/Makefile modules/pam_cracklib/Makefile \
|
||||
modules/pam_debug/Makefile modules/pam_deny/Makefile \
|
||||
modules/pam_echo/Makefile modules/pam_env/Makefile \
|
||||
diff -up Linux-PAM-1.2.0/modules/Makefile.am.redhat-modules Linux-PAM-1.2.0/modules/Makefile.am
|
||||
--- Linux-PAM-1.2.0/modules/Makefile.am.redhat-modules 2015-03-24 13:02:32.000000000 +0100
|
||||
+++ Linux-PAM-1.2.0/modules/Makefile.am 2015-05-15 15:46:50.995074654 +0200
|
||||
@@ -3,6 +3,7 @@
|
||||
#
|
||||
|
||||
SUBDIRS = pam_access pam_cracklib pam_debug pam_deny pam_echo \
|
||||
+ pam_chroot pam_console pam_postgresok \
|
||||
pam_env pam_exec pam_faildelay pam_filter pam_ftp \
|
||||
pam_group pam_issue pam_keyinit pam_lastlog pam_limits \
|
||||
pam_listfile pam_localuser pam_loginuid pam_mail \
|
73
SOURCES/pam-1.2.0-unix-no-fallback.patch
Normal file
73
SOURCES/pam-1.2.0-unix-no-fallback.patch
Normal file
@ -0,0 +1,73 @@
|
||||
diff -up Linux-PAM-1.2.0/modules/pam_unix/pam_unix.8.xml.no-fallback Linux-PAM-1.2.0/modules/pam_unix/pam_unix.8.xml
|
||||
--- Linux-PAM-1.2.0/modules/pam_unix/pam_unix.8.xml.no-fallback 2015-04-27 16:38:03.000000000 +0200
|
||||
+++ Linux-PAM-1.2.0/modules/pam_unix/pam_unix.8.xml 2015-05-15 15:54:21.524440864 +0200
|
||||
@@ -284,11 +284,10 @@
|
||||
<listitem>
|
||||
<para>
|
||||
When a user changes their password next,
|
||||
- encrypt it with the SHA256 algorithm. If the
|
||||
- SHA256 algorithm is not known to the <citerefentry>
|
||||
+ encrypt it with the SHA256 algorithm. The
|
||||
+ SHA256 algorithm must be supported by the <citerefentry>
|
||||
<refentrytitle>crypt</refentrytitle><manvolnum>3</manvolnum>
|
||||
- </citerefentry> function,
|
||||
- fall back to MD5.
|
||||
+ </citerefentry> function.
|
||||
</para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
@@ -299,11 +298,10 @@
|
||||
<listitem>
|
||||
<para>
|
||||
When a user changes their password next,
|
||||
- encrypt it with the SHA512 algorithm. If the
|
||||
- SHA512 algorithm is not known to the <citerefentry>
|
||||
+ encrypt it with the SHA512 algorithm. The
|
||||
+ SHA512 algorithm must be supported by the <citerefentry>
|
||||
<refentrytitle>crypt</refentrytitle><manvolnum>3</manvolnum>
|
||||
- </citerefentry> function,
|
||||
- fall back to MD5.
|
||||
+ </citerefentry> function.
|
||||
</para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
@@ -314,11 +312,10 @@
|
||||
<listitem>
|
||||
<para>
|
||||
When a user changes their password next,
|
||||
- encrypt it with the blowfish algorithm. If the
|
||||
- blowfish algorithm is not known to the <citerefentry>
|
||||
+ encrypt it with the blowfish algorithm. The
|
||||
+ blowfish algorithm must be supported by the <citerefentry>
|
||||
<refentrytitle>crypt</refentrytitle><manvolnum>3</manvolnum>
|
||||
- </citerefentry> function,
|
||||
- fall back to MD5.
|
||||
+ </citerefentry> function.
|
||||
</para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
diff -up Linux-PAM-1.2.0/modules/pam_unix/passverify.c.no-fallback Linux-PAM-1.2.0/modules/pam_unix/passverify.c
|
||||
--- Linux-PAM-1.2.0/modules/pam_unix/passverify.c.no-fallback 2015-05-15 15:54:21.525440887 +0200
|
||||
+++ Linux-PAM-1.2.0/modules/pam_unix/passverify.c 2015-05-15 15:57:23.138613273 +0200
|
||||
@@ -437,10 +437,9 @@ PAMH_ARG_DECL(char * create_password_has
|
||||
sp = crypt(password, salt);
|
||||
#endif
|
||||
if (!sp || strncmp(algoid, sp, strlen(algoid)) != 0) {
|
||||
- /* libxcrypt/libc doesn't know the algorithm, use MD5 */
|
||||
+ /* libxcrypt/libc doesn't know the algorithm, error out */
|
||||
pam_syslog(pamh, LOG_ERR,
|
||||
- "Algo %s not supported by the crypto backend, "
|
||||
- "falling back to MD5\n",
|
||||
+ "Algo %s not supported by the crypto backend.\n",
|
||||
on(UNIX_BLOWFISH_PASS, ctrl) ? "blowfish" :
|
||||
on(UNIX_SHA256_PASS, ctrl) ? "sha256" :
|
||||
on(UNIX_SHA512_PASS, ctrl) ? "sha512" : algoid);
|
||||
@@ -450,7 +449,7 @@ PAMH_ARG_DECL(char * create_password_has
|
||||
#ifdef HAVE_CRYPT_R
|
||||
free(cdata);
|
||||
#endif
|
||||
- return crypt_md5_wrapper(password);
|
||||
+ return NULL;
|
||||
}
|
||||
sp = x_strdup(sp);
|
||||
#ifdef HAVE_CRYPT_R
|
9
SOURCES/pam-1.2.1-console-devname.patch
Normal file
9
SOURCES/pam-1.2.1-console-devname.patch
Normal file
@ -0,0 +1,9 @@
|
||||
diff -up Linux-PAM-1.2.1/modules/pam_console/console.handlers.devname Linux-PAM-1.2.1/modules/pam_console/console.handlers
|
||||
--- Linux-PAM-1.2.1/modules/pam_console/console.handlers.devname 2015-10-16 14:15:48.000000000 +0200
|
||||
+++ Linux-PAM-1.2.1/modules/pam_console/console.handlers 2016-02-05 17:47:26.056787517 +0100
|
||||
@@ -14,4 +14,4 @@
|
||||
# echo lock wait Locking console for user on tty
|
||||
# touch unlock wait /var/run/console-unlocked
|
||||
|
||||
-console consoledevs tty[0-9][0-9]* vc/[0-9][0-9]* :[0-9]+\.[0-9]+ :[0-9]+
|
||||
+console consoledevs /dev/tty[0-9][0-9]* tty[0-9][0-9]* vc/[0-9][0-9]* :[0-9]+\.[0-9]+ :[0-9]+
|
133
SOURCES/pam-1.2.1-faillock-admin-group.patch
Normal file
133
SOURCES/pam-1.2.1-faillock-admin-group.patch
Normal file
@ -0,0 +1,133 @@
|
||||
diff -up Linux-PAM-1.3.0/modules/pam_faillock/pam_faillock.c.admin-group Linux-PAM-1.3.0/modules/pam_faillock/pam_faillock.c
|
||||
--- Linux-PAM-1.3.0/modules/pam_faillock/pam_faillock.c.admin-group 2016-04-04 16:37:38.696260359 +0200
|
||||
+++ Linux-PAM-1.3.0/modules/pam_faillock/pam_faillock.c 2017-08-21 16:40:01.624706864 +0200
|
||||
@@ -1,5 +1,5 @@
|
||||
/*
|
||||
- * Copyright (c) 2010 Tomas Mraz <tmraz@redhat.com>
|
||||
+ * Copyright (c) 2010, 2017 Tomas Mraz <tmraz@redhat.com>
|
||||
*
|
||||
* Redistribution and use in source and binary forms, with or without
|
||||
* modification, are permitted provided that the following conditions
|
||||
@@ -78,9 +78,11 @@ struct options {
|
||||
unsigned int root_unlock_time;
|
||||
const char *dir;
|
||||
const char *user;
|
||||
+ const char *admin_group;
|
||||
int failures;
|
||||
uint64_t latest_time;
|
||||
uid_t uid;
|
||||
+ int is_admin;
|
||||
uint64_t now;
|
||||
};
|
||||
|
||||
@@ -152,6 +154,9 @@ args_parse(pam_handle_t *pamh, int argc,
|
||||
opts->root_unlock_time = temp;
|
||||
}
|
||||
}
|
||||
+ else if (strncmp(argv[i], "admin_group=", 12) == 0) {
|
||||
+ opts->admin_group = argv[i] + 12;
|
||||
+ }
|
||||
else if (strcmp(argv[i], "preauth") == 0) {
|
||||
opts->action = FAILLOCK_ACTION_PREAUTH;
|
||||
}
|
||||
@@ -209,6 +214,17 @@ static int get_pam_user(pam_handle_t *pa
|
||||
}
|
||||
opts->user = user;
|
||||
opts->uid = pwd->pw_uid;
|
||||
+
|
||||
+ if (pwd->pw_uid == 0) {
|
||||
+ opts->is_admin = 1;
|
||||
+ return PAM_SUCCESS;
|
||||
+ }
|
||||
+
|
||||
+ if (opts->admin_group && *opts->admin_group) {
|
||||
+ opts->is_admin = pam_modutil_user_in_group_uid_nam(pamh,
|
||||
+ pwd->pw_uid, opts->admin_group);
|
||||
+ }
|
||||
+
|
||||
return PAM_SUCCESS;
|
||||
}
|
||||
|
||||
@@ -239,7 +255,7 @@ check_tally(pam_handle_t *pamh, struct o
|
||||
return PAM_SYSTEM_ERR;
|
||||
}
|
||||
|
||||
- if (opts->uid == 0 && !(opts->flags & FAILLOCK_FLAG_DENY_ROOT)) {
|
||||
+ if (opts->is_admin && !(opts->flags & FAILLOCK_FLAG_DENY_ROOT)) {
|
||||
return PAM_SUCCESS;
|
||||
}
|
||||
|
||||
@@ -262,13 +278,9 @@ check_tally(pam_handle_t *pamh, struct o
|
||||
|
||||
opts->failures = failures;
|
||||
|
||||
- if (opts->uid == 0 && !(opts->flags & FAILLOCK_FLAG_DENY_ROOT)) {
|
||||
- return PAM_SUCCESS;
|
||||
- }
|
||||
-
|
||||
if (opts->deny && failures >= opts->deny) {
|
||||
- if ((opts->uid && opts->unlock_time && latest_time + opts->unlock_time < opts->now) ||
|
||||
- (!opts->uid && opts->root_unlock_time && latest_time + opts->root_unlock_time < opts->now)) {
|
||||
+ if ((!opts->is_admin && opts->unlock_time && latest_time + opts->unlock_time < opts->now) ||
|
||||
+ (opts->is_admin && opts->root_unlock_time && latest_time + opts->root_unlock_time < opts->now)) {
|
||||
#ifdef HAVE_LIBAUDIT
|
||||
if (opts->action != FAILLOCK_ACTION_PREAUTH) { /* do not audit in preauth */
|
||||
char buf[64];
|
||||
@@ -401,7 +413,7 @@ write_tally(pam_handle_t *pamh, struct o
|
||||
audit_log_user_message(audit_fd, AUDIT_ANOM_LOGIN_FAILURES, buf,
|
||||
NULL, NULL, NULL, 1);
|
||||
|
||||
- if (opts->uid != 0 || (opts->flags & FAILLOCK_FLAG_DENY_ROOT)) {
|
||||
+ if (!opts->is_admin || (opts->flags & FAILLOCK_FLAG_DENY_ROOT)) {
|
||||
audit_log_user_message(audit_fd, AUDIT_RESP_ACCT_LOCK, buf,
|
||||
NULL, NULL, NULL, 1);
|
||||
}
|
||||
@@ -425,11 +437,11 @@ faillock_message(pam_handle_t *pamh, str
|
||||
int64_t left;
|
||||
|
||||
if (!(opts->flags & FAILLOCK_FLAG_SILENT)) {
|
||||
- if (opts->uid) {
|
||||
- left = opts->latest_time + opts->unlock_time - opts->now;
|
||||
+ if (opts->is_admin) {
|
||||
+ left = opts->latest_time + opts->root_unlock_time - opts->now;
|
||||
}
|
||||
else {
|
||||
- left = opts->latest_time + opts->root_unlock_time - opts->now;
|
||||
+ left = opts->latest_time + opts->unlock_time - opts->now;
|
||||
}
|
||||
|
||||
if (left > 0) {
|
||||
diff -up Linux-PAM-1.3.0/modules/pam_faillock/pam_faillock.8.xml.admin-group Linux-PAM-1.3.0/modules/pam_faillock/pam_faillock.8.xml
|
||||
--- Linux-PAM-1.3.0/modules/pam_faillock/pam_faillock.8.xml.admin-group 2016-05-06 15:24:10.328281818 +0200
|
||||
+++ Linux-PAM-1.3.0/modules/pam_faillock/pam_faillock.8.xml 2017-08-21 16:16:09.448033843 +0200
|
||||
@@ -40,6 +40,9 @@
|
||||
root_unlock_time=<replaceable>n</replaceable>
|
||||
</arg>
|
||||
<arg choice="opt">
|
||||
+ admin_group=<replaceable>name</replaceable>
|
||||
+ </arg>
|
||||
+ <arg choice="opt">
|
||||
audit
|
||||
</arg>
|
||||
<arg choice="opt">
|
||||
@@ -243,6 +246,20 @@
|
||||
</para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
+ <varlistentry>
|
||||
+ <term>
|
||||
+ <option>admin_group=<replaceable>name</replaceable></option>
|
||||
+ </term>
|
||||
+ <listitem>
|
||||
+ <para>
|
||||
+ If a group name is specified with this option, members
|
||||
+ of the group will be handled by this module the same as
|
||||
+ the root account (the options <option>even_deny_root></option>
|
||||
+ and <option>root_unlock_time</option> will apply to them.
|
||||
+ By default the option is not set.
|
||||
+ </para>
|
||||
+ </listitem>
|
||||
+ </varlistentry>
|
||||
</variablelist>
|
||||
</refsect1>
|
||||
|
1759
SOURCES/pam-1.2.1-faillock.patch
Normal file
1759
SOURCES/pam-1.2.1-faillock.patch
Normal file
File diff suppressed because it is too large
Load Diff
806
SOURCES/pam-1.3.0-pwhistory-helper.patch
Normal file
806
SOURCES/pam-1.3.0-pwhistory-helper.patch
Normal file
@ -0,0 +1,806 @@
|
||||
diff -up Linux-PAM-1.3.0/modules/pam_pwhistory/Makefile.am.pwhhelper Linux-PAM-1.3.0/modules/pam_pwhistory/Makefile.am
|
||||
--- Linux-PAM-1.3.0/modules/pam_pwhistory/Makefile.am.pwhhelper 2016-03-24 12:45:42.000000000 +0100
|
||||
+++ Linux-PAM-1.3.0/modules/pam_pwhistory/Makefile.am 2016-05-06 15:18:42.307637933 +0200
|
||||
@@ -1,5 +1,6 @@
|
||||
#
|
||||
# Copyright (c) 2008, 2009 Thorsten Kukuk <kukuk@suse.de>
|
||||
+# Copyright (c) 2013 Red Hat, Inc.
|
||||
#
|
||||
|
||||
CLEANFILES = *~
|
||||
@@ -9,25 +10,34 @@ EXTRA_DIST = README $(MANS) $(XMLS) tst-
|
||||
|
||||
TESTS = tst-pam_pwhistory
|
||||
|
||||
-man_MANS = pam_pwhistory.8
|
||||
+man_MANS = pam_pwhistory.8 pwhistory_helper.8
|
||||
|
||||
-XMLS = README.xml pam_pwhistory.8.xml
|
||||
+XMLS = README.xml pam_pwhistory.8.xml pwhistory_helper.8.xml
|
||||
|
||||
securelibdir = $(SECUREDIR)
|
||||
secureconfdir = $(SCONFIGDIR)
|
||||
|
||||
-AM_CFLAGS = -I$(top_srcdir)/libpam/include -I$(top_srcdir)/libpamc/include
|
||||
-AM_LDFLAGS = -no-undefined -avoid-version -module
|
||||
+AM_CFLAGS = -I$(top_srcdir)/libpam/include -I$(top_srcdir)/libpamc/include \
|
||||
+ -DPWHISTORY_HELPER=\"$(sbindir)/pwhistory_helper\"
|
||||
+
|
||||
+pam_pwhistory_la_LDFLAGS = -no-undefined -avoid-version -module
|
||||
if HAVE_VERSIONING
|
||||
- AM_LDFLAGS += -Wl,--version-script=$(srcdir)/../modules.map
|
||||
+ pam_pwhistory_la_LDFLAGS += -Wl,--version-script=$(srcdir)/../modules.map
|
||||
endif
|
||||
|
||||
noinst_HEADERS = opasswd.h
|
||||
|
||||
securelib_LTLIBRARIES = pam_pwhistory.la
|
||||
-pam_pwhistory_la_LIBADD = $(top_builddir)/libpam/libpam.la @LIBCRYPT@
|
||||
+pam_pwhistory_la_CFLAGS = $(AM_CFLAGS)
|
||||
+pam_pwhistory_la_LIBADD = $(top_builddir)/libpam/libpam.la @LIBCRYPT@ @LIBSELINUX@
|
||||
pam_pwhistory_la_SOURCES = pam_pwhistory.c opasswd.c
|
||||
|
||||
+sbin_PROGRAMS = pwhistory_helper
|
||||
+pwhistory_helper_CFLAGS = $(AM_CFLAGS) -DHELPER_COMPILE=\"pwhistory_helper\" @PIE_CFLAGS@
|
||||
+pwhistory_helper_SOURCES = pwhistory_helper.c opasswd.c
|
||||
+pwhistory_helper_LDFLAGS = -Wl,-z,now @PIE_LDFLAGS@
|
||||
+pwhistory_helper_LDADD = $(top_builddir)/libpam/libpam.la @LIBCRYPT@
|
||||
+
|
||||
if ENABLE_REGENERATE_MAN
|
||||
noinst_DATA = README
|
||||
README: pam_pwhistory.8.xml
|
||||
diff -up Linux-PAM-1.3.0/modules/pam_pwhistory/opasswd.c.pwhhelper Linux-PAM-1.3.0/modules/pam_pwhistory/opasswd.c
|
||||
--- Linux-PAM-1.3.0/modules/pam_pwhistory/opasswd.c.pwhhelper 2016-03-24 12:45:42.000000000 +0100
|
||||
+++ Linux-PAM-1.3.0/modules/pam_pwhistory/opasswd.c 2016-05-06 15:18:42.307637933 +0200
|
||||
@@ -1,5 +1,6 @@
|
||||
/*
|
||||
* Copyright (c) 2008 Thorsten Kukuk <kukuk@suse.de>
|
||||
+ * Copyright (c) 2013 Red Hat, Inc.
|
||||
*
|
||||
* Redistribution and use in source and binary forms, with or without
|
||||
* modification, are permitted provided that the following conditions
|
||||
@@ -38,6 +39,7 @@
|
||||
#endif
|
||||
|
||||
#include <pwd.h>
|
||||
+#include <shadow.h>
|
||||
#include <time.h>
|
||||
#include <ctype.h>
|
||||
#include <errno.h>
|
||||
@@ -47,6 +49,7 @@
|
||||
#include <string.h>
|
||||
#include <stdlib.h>
|
||||
#include <syslog.h>
|
||||
+#include <stdarg.h>
|
||||
#include <sys/stat.h>
|
||||
|
||||
#if defined (HAVE_XCRYPT_H)
|
||||
@@ -55,7 +58,14 @@
|
||||
#include <crypt.h>
|
||||
#endif
|
||||
|
||||
+#ifdef HELPER_COMPILE
|
||||
+#define pam_modutil_getpwnam(h,n) getpwnam(n)
|
||||
+#define pam_modutil_getspnam(h,n) getspnam(n)
|
||||
+#define pam_syslog(h,a,...) helper_log_err(a,__VA_ARGS__)
|
||||
+#else
|
||||
+#include <security/pam_modutil.h>
|
||||
#include <security/pam_ext.h>
|
||||
+#endif
|
||||
#include <security/pam_modules.h>
|
||||
|
||||
#include "opasswd.h"
|
||||
@@ -76,6 +86,19 @@ typedef struct {
|
||||
char *old_passwords;
|
||||
} opwd;
|
||||
|
||||
+#ifdef HELPER_COMPILE
|
||||
+void
|
||||
+helper_log_err(int err, const char *format, ...)
|
||||
+{
|
||||
+ va_list args;
|
||||
+
|
||||
+ va_start(args, format);
|
||||
+ openlog(HELPER_COMPILE, LOG_CONS | LOG_PID, LOG_AUTHPRIV);
|
||||
+ vsyslog(err, format, args);
|
||||
+ va_end(args);
|
||||
+ closelog();
|
||||
+}
|
||||
+#endif
|
||||
|
||||
static int
|
||||
parse_entry (char *line, opwd *data)
|
||||
@@ -117,8 +140,8 @@ compare_password(const char *newpass, co
|
||||
}
|
||||
|
||||
/* Check, if the new password is already in the opasswd file. */
|
||||
-int
|
||||
-check_old_pass (pam_handle_t *pamh, const char *user,
|
||||
+PAMH_ARG_DECL(int
|
||||
+check_old_pass, const char *user,
|
||||
const char *newpass, int debug)
|
||||
{
|
||||
int retval = PAM_SUCCESS;
|
||||
@@ -128,6 +151,11 @@ check_old_pass (pam_handle_t *pamh, cons
|
||||
opwd entry;
|
||||
int found = 0;
|
||||
|
||||
+#ifndef HELPER_COMPILE
|
||||
+ if (SELINUX_ENABLED)
|
||||
+ return PAM_PWHISTORY_RUN_HELPER;
|
||||
+#endif
|
||||
+
|
||||
if ((oldpf = fopen (OLD_PASSWORDS_FILE, "r")) == NULL)
|
||||
{
|
||||
if (errno != ENOENT)
|
||||
@@ -213,9 +241,9 @@ check_old_pass (pam_handle_t *pamh, cons
|
||||
return retval;
|
||||
}
|
||||
|
||||
-int
|
||||
-save_old_pass (pam_handle_t *pamh, const char *user, uid_t uid,
|
||||
- const char *oldpass, int howmany, int debug UNUSED)
|
||||
+PAMH_ARG_DECL(int
|
||||
+save_old_pass, const char *user,
|
||||
+ int howmany, int debug UNUSED)
|
||||
{
|
||||
char opasswd_tmp[] = TMP_PASSWORDS_FILE;
|
||||
struct stat opasswd_stat;
|
||||
@@ -226,10 +254,35 @@ save_old_pass (pam_handle_t *pamh, const
|
||||
char *buf = NULL;
|
||||
size_t buflen = 0;
|
||||
int found = 0;
|
||||
+ struct passwd *pwd;
|
||||
+ const char *oldpass;
|
||||
+
|
||||
+ pwd = pam_modutil_getpwnam (pamh, user);
|
||||
+ if (pwd == NULL)
|
||||
+ return PAM_USER_UNKNOWN;
|
||||
|
||||
if (howmany <= 0)
|
||||
return PAM_SUCCESS;
|
||||
|
||||
+#ifndef HELPER_COMPILE
|
||||
+ if (SELINUX_ENABLED)
|
||||
+ return PAM_PWHISTORY_RUN_HELPER;
|
||||
+#endif
|
||||
+
|
||||
+ if ((strcmp(pwd->pw_passwd, "x") == 0) ||
|
||||
+ ((pwd->pw_passwd[0] == '#') &&
|
||||
+ (pwd->pw_passwd[1] == '#') &&
|
||||
+ (strcmp(pwd->pw_name, pwd->pw_passwd + 2) == 0)))
|
||||
+ {
|
||||
+ struct spwd *spw = pam_modutil_getspnam (pamh, user);
|
||||
+
|
||||
+ if (spw == NULL)
|
||||
+ return PAM_USER_UNKNOWN;
|
||||
+ oldpass = spw->sp_pwdp;
|
||||
+ }
|
||||
+ else
|
||||
+ oldpass = pwd->pw_passwd;
|
||||
+
|
||||
if (oldpass == NULL || *oldpass == '\0')
|
||||
return PAM_SUCCESS;
|
||||
|
||||
@@ -452,7 +505,7 @@ save_old_pass (pam_handle_t *pamh, const
|
||||
{
|
||||
char *out;
|
||||
|
||||
- if (asprintf (&out, "%s:%d:1:%s\n", user, uid, oldpass) < 0)
|
||||
+ if (asprintf (&out, "%s:%d:1:%s\n", user, pwd->pw_uid, oldpass) < 0)
|
||||
{
|
||||
retval = PAM_AUTHTOK_ERR;
|
||||
if (oldpf)
|
||||
diff -up Linux-PAM-1.3.0/modules/pam_pwhistory/opasswd.h.pwhhelper Linux-PAM-1.3.0/modules/pam_pwhistory/opasswd.h
|
||||
--- Linux-PAM-1.3.0/modules/pam_pwhistory/opasswd.h.pwhhelper 2016-03-24 12:45:42.000000000 +0100
|
||||
+++ Linux-PAM-1.3.0/modules/pam_pwhistory/opasswd.h 2016-05-06 15:18:42.307637933 +0200
|
||||
@@ -1,5 +1,6 @@
|
||||
/*
|
||||
* Copyright (c) 2008 Thorsten Kukuk <kukuk@suse.de>
|
||||
+ * Copyright (c) 2013 Red Hat, Inc.
|
||||
*
|
||||
* Redistribution and use in source and binary forms, with or without
|
||||
* modification, are permitted provided that the following conditions
|
||||
@@ -36,10 +37,32 @@
|
||||
#ifndef __OPASSWD_H__
|
||||
#define __OPASSWD_H__
|
||||
|
||||
-extern int check_old_pass (pam_handle_t *pamh, const char *user,
|
||||
- const char *newpass, int debug);
|
||||
-extern int save_old_pass (pam_handle_t *pamh, const char *user,
|
||||
- uid_t uid, const char *oldpass,
|
||||
- int howmany, int debug);
|
||||
+#define PAM_PWHISTORY_RUN_HELPER PAM_CRED_INSUFFICIENT
|
||||
+
|
||||
+#ifdef WITH_SELINUX
|
||||
+#include <selinux/selinux.h>
|
||||
+#define SELINUX_ENABLED is_selinux_enabled()>0
|
||||
+#else
|
||||
+#define SELINUX_ENABLED 0
|
||||
+#endif
|
||||
+
|
||||
+#ifdef HELPER_COMPILE
|
||||
+#define PAMH_ARG_DECL(fname, ...) fname(__VA_ARGS__)
|
||||
+#define PAMH_ARG(...) __VA_ARGS__
|
||||
+#else
|
||||
+#define PAMH_ARG_DECL(fname, ...) fname(pam_handle_t *pamh, __VA_ARGS__)
|
||||
+#define PAMH_ARG(...) pamh, __VA_ARGS__
|
||||
+#endif
|
||||
+
|
||||
+#ifdef HELPER_COMPILE
|
||||
+void
|
||||
+helper_log_err(int err, const char *format, ...);
|
||||
+#endif
|
||||
+
|
||||
+PAMH_ARG_DECL(int
|
||||
+check_old_pass, const char *user, const char *newpass, int debug);
|
||||
+
|
||||
+PAMH_ARG_DECL(int
|
||||
+save_old_pass, const char *user, int howmany, int debug);
|
||||
|
||||
#endif /* __OPASSWD_H__ */
|
||||
diff -up Linux-PAM-1.3.0/modules/pam_pwhistory/pam_pwhistory.c.pwhhelper Linux-PAM-1.3.0/modules/pam_pwhistory/pam_pwhistory.c
|
||||
--- Linux-PAM-1.3.0/modules/pam_pwhistory/pam_pwhistory.c.pwhhelper 2016-04-04 11:22:28.000000000 +0200
|
||||
+++ Linux-PAM-1.3.0/modules/pam_pwhistory/pam_pwhistory.c 2016-05-06 15:19:31.610785512 +0200
|
||||
@@ -1,6 +1,7 @@
|
||||
/*
|
||||
* Copyright (c) 2008, 2012 Thorsten Kukuk
|
||||
* Author: Thorsten Kukuk <kukuk@thkukuk.de>
|
||||
+ * Copyright (c) 2013 Red Hat, Inc.
|
||||
*
|
||||
* Redistribution and use in source and binary forms, with or without
|
||||
* modification, are permitted provided that the following conditions
|
||||
@@ -46,10 +47,14 @@
|
||||
#include <stdlib.h>
|
||||
#include <string.h>
|
||||
#include <unistd.h>
|
||||
-#include <shadow.h>
|
||||
#include <syslog.h>
|
||||
#include <sys/types.h>
|
||||
#include <sys/stat.h>
|
||||
+#include <sys/time.h>
|
||||
+#include <sys/resource.h>
|
||||
+#include <sys/wait.h>
|
||||
+#include <signal.h>
|
||||
+#include <fcntl.h>
|
||||
|
||||
#include <security/pam_modules.h>
|
||||
#include <security/pam_modutil.h>
|
||||
@@ -59,6 +64,7 @@
|
||||
#include "opasswd.h"
|
||||
|
||||
#define DEFAULT_BUFLEN 2048
|
||||
+#define MAX_FD_NO 20000
|
||||
|
||||
struct options_t {
|
||||
int debug;
|
||||
@@ -102,6 +108,184 @@ parse_option (pam_handle_t *pamh, const
|
||||
pam_syslog (pamh, LOG_ERR, "pam_pwhistory: unknown option: %s", argv);
|
||||
}
|
||||
|
||||
+static int
|
||||
+run_save_helper(pam_handle_t *pamh, const char *user,
|
||||
+ int howmany, int debug)
|
||||
+{
|
||||
+ int retval, child;
|
||||
+ struct sigaction newsa, oldsa;
|
||||
+
|
||||
+ memset(&newsa, '\0', sizeof(newsa));
|
||||
+ newsa.sa_handler = SIG_DFL;
|
||||
+ sigaction(SIGCHLD, &newsa, &oldsa);
|
||||
+
|
||||
+ child = fork();
|
||||
+ if (child == 0)
|
||||
+ {
|
||||
+ int i = 0;
|
||||
+ struct rlimit rlim;
|
||||
+ int dummyfds[2];
|
||||
+ static char *envp[] = { NULL };
|
||||
+ char *args[] = { NULL, NULL, NULL, NULL, NULL, NULL };
|
||||
+
|
||||
+ /* replace std file descriptors with a dummy pipe */
|
||||
+ if (pipe2(dummyfds, O_NONBLOCK) == 0)
|
||||
+ {
|
||||
+ dup2(dummyfds[0], STDIN_FILENO);
|
||||
+ dup2(dummyfds[1], STDOUT_FILENO);
|
||||
+ dup2(dummyfds[1], STDERR_FILENO);
|
||||
+ }
|
||||
+
|
||||
+ if (getrlimit(RLIMIT_NOFILE,&rlim) == 0)
|
||||
+ {
|
||||
+ if (rlim.rlim_max >= MAX_FD_NO)
|
||||
+ rlim.rlim_max = MAX_FD_NO;
|
||||
+ for (i = STDERR_FILENO + 1; i < (int)rlim.rlim_max; i++)
|
||||
+ {
|
||||
+ if (i != dummyfds[0])
|
||||
+ close(i);
|
||||
+ }
|
||||
+ }
|
||||
+
|
||||
+ /* exec binary helper */
|
||||
+ args[0] = strdup(PWHISTORY_HELPER);
|
||||
+ args[1] = strdup("save");
|
||||
+ args[2] = x_strdup(user);
|
||||
+ asprintf(&args[3], "%d", howmany);
|
||||
+ asprintf(&args[4], "%d", debug);
|
||||
+
|
||||
+ execve(args[0], args, envp);
|
||||
+
|
||||
+ _exit(PAM_SYSTEM_ERR);
|
||||
+ }
|
||||
+ else if (child > 0)
|
||||
+ {
|
||||
+ /* wait for child */
|
||||
+ int rc = 0;
|
||||
+ rc = waitpid(child, &retval, 0); /* wait for helper to complete */
|
||||
+ if (rc < 0)
|
||||
+ {
|
||||
+ pam_syslog(pamh, LOG_ERR, "pwhistory_helper save waitpid returned %d: %m", rc);
|
||||
+ retval = PAM_SYSTEM_ERR;
|
||||
+ }
|
||||
+ else if (!WIFEXITED(retval))
|
||||
+ {
|
||||
+ pam_syslog(pamh, LOG_ERR, "pwhistory_helper save abnormal exit: %d", retval);
|
||||
+ retval = PAM_SYSTEM_ERR;
|
||||
+ }
|
||||
+ else
|
||||
+ {
|
||||
+ retval = WEXITSTATUS(retval);
|
||||
+ }
|
||||
+ }
|
||||
+ else
|
||||
+ {
|
||||
+ retval = PAM_SYSTEM_ERR;
|
||||
+ }
|
||||
+
|
||||
+ sigaction(SIGCHLD, &oldsa, NULL); /* restore old signal handler */
|
||||
+
|
||||
+ return retval;
|
||||
+}
|
||||
+
|
||||
+static int
|
||||
+run_check_helper(pam_handle_t *pamh, const char *user,
|
||||
+ const char *newpass, int debug)
|
||||
+{
|
||||
+ int retval, child, fds[2];
|
||||
+ struct sigaction newsa, oldsa;
|
||||
+
|
||||
+ /* create a pipe for the password */
|
||||
+ if (pipe(fds) != 0)
|
||||
+ return PAM_SYSTEM_ERR;
|
||||
+
|
||||
+ memset(&newsa, '\0', sizeof(newsa));
|
||||
+ newsa.sa_handler = SIG_DFL;
|
||||
+ sigaction(SIGCHLD, &newsa, &oldsa);
|
||||
+
|
||||
+ child = fork();
|
||||
+ if (child == 0)
|
||||
+ {
|
||||
+ int i = 0;
|
||||
+ struct rlimit rlim;
|
||||
+ int dummyfds[2];
|
||||
+ static char *envp[] = { NULL };
|
||||
+ char *args[] = { NULL, NULL, NULL, NULL, NULL };
|
||||
+
|
||||
+ /* reopen stdin as pipe */
|
||||
+ dup2(fds[0], STDIN_FILENO);
|
||||
+
|
||||
+ /* replace std file descriptors with a dummy pipe */
|
||||
+ if (pipe2(dummyfds, O_NONBLOCK) == 0)
|
||||
+ {
|
||||
+ dup2(dummyfds[1], STDOUT_FILENO);
|
||||
+ dup2(dummyfds[1], STDERR_FILENO);
|
||||
+ }
|
||||
+
|
||||
+ if (getrlimit(RLIMIT_NOFILE,&rlim) == 0)
|
||||
+ {
|
||||
+ if (rlim.rlim_max >= MAX_FD_NO)
|
||||
+ rlim.rlim_max = MAX_FD_NO;
|
||||
+ for (i = STDERR_FILENO + 1; i < (int)rlim.rlim_max; i++)
|
||||
+ {
|
||||
+ if (i != dummyfds[0])
|
||||
+ close(i);
|
||||
+ }
|
||||
+ }
|
||||
+
|
||||
+ /* exec binary helper */
|
||||
+ args[0] = strdup(PWHISTORY_HELPER);
|
||||
+ args[1] = strdup("check");
|
||||
+ args[2] = x_strdup(user);
|
||||
+ asprintf(&args[3], "%d", debug);
|
||||
+
|
||||
+ execve(args[0], args, envp);
|
||||
+
|
||||
+ _exit(PAM_SYSTEM_ERR);
|
||||
+ }
|
||||
+ else if (child > 0)
|
||||
+ {
|
||||
+ /* wait for child */
|
||||
+ int rc = 0;
|
||||
+ if (newpass == NULL)
|
||||
+ newpass = "";
|
||||
+
|
||||
+ /* send the password to the child */
|
||||
+ if (write(fds[1], newpass, strlen(newpass)+1) == -1)
|
||||
+ {
|
||||
+ pam_syslog(pamh, LOG_ERR, "Cannot send password to helper: %m");
|
||||
+ retval = PAM_SYSTEM_ERR;
|
||||
+ }
|
||||
+ newpass = NULL;
|
||||
+ close(fds[0]); /* close here to avoid possible SIGPIPE above */
|
||||
+ close(fds[1]);
|
||||
+ rc = waitpid(child, &retval, 0); /* wait for helper to complete */
|
||||
+ if (rc < 0)
|
||||
+ {
|
||||
+ pam_syslog(pamh, LOG_ERR, "pwhistory_helper check waitpid returned %d: %m", rc);
|
||||
+ retval = PAM_SYSTEM_ERR;
|
||||
+ }
|
||||
+ else if (!WIFEXITED(retval))
|
||||
+ {
|
||||
+ pam_syslog(pamh, LOG_ERR, "pwhistory_helper check abnormal exit: %d", retval);
|
||||
+ retval = PAM_SYSTEM_ERR;
|
||||
+ }
|
||||
+ else
|
||||
+ {
|
||||
+ retval = WEXITSTATUS(retval);
|
||||
+ }
|
||||
+ }
|
||||
+ else
|
||||
+ {
|
||||
+ close(fds[0]);
|
||||
+ close(fds[1]);
|
||||
+ retval = PAM_SYSTEM_ERR;
|
||||
+ }
|
||||
+
|
||||
+ sigaction(SIGCHLD, &oldsa, NULL); /* restore old signal handler */
|
||||
+
|
||||
+ return retval;
|
||||
+}
|
||||
|
||||
/* This module saves the current crypted password in /etc/security/opasswd
|
||||
and then compares the new password with all entries in this file. */
|
||||
@@ -109,7 +293,6 @@ parse_option (pam_handle_t *pamh, const
|
||||
int
|
||||
pam_sm_chauthtok (pam_handle_t *pamh, int flags, int argc, const char **argv)
|
||||
{
|
||||
- struct passwd *pwd;
|
||||
const char *newpass;
|
||||
const char *user;
|
||||
int retval, tries;
|
||||
@@ -154,31 +337,13 @@ pam_sm_chauthtok (pam_handle_t *pamh, in
|
||||
return PAM_SUCCESS;
|
||||
}
|
||||
|
||||
- pwd = pam_modutil_getpwnam (pamh, user);
|
||||
- if (pwd == NULL)
|
||||
- return PAM_USER_UNKNOWN;
|
||||
-
|
||||
- if ((strcmp(pwd->pw_passwd, "x") == 0) ||
|
||||
- ((pwd->pw_passwd[0] == '#') &&
|
||||
- (pwd->pw_passwd[1] == '#') &&
|
||||
- (strcmp(pwd->pw_name, pwd->pw_passwd + 2) == 0)))
|
||||
- {
|
||||
- struct spwd *spw = pam_modutil_getspnam (pamh, user);
|
||||
- if (spw == NULL)
|
||||
- return PAM_USER_UNKNOWN;
|
||||
+ retval = save_old_pass (pamh, user, options.remember, options.debug);
|
||||
|
||||
- retval = save_old_pass (pamh, user, pwd->pw_uid, spw->sp_pwdp,
|
||||
- options.remember, options.debug);
|
||||
- if (retval != PAM_SUCCESS)
|
||||
- return retval;
|
||||
- }
|
||||
- else
|
||||
- {
|
||||
- retval = save_old_pass (pamh, user, pwd->pw_uid, pwd->pw_passwd,
|
||||
- options.remember, options.debug);
|
||||
- if (retval != PAM_SUCCESS)
|
||||
- return retval;
|
||||
- }
|
||||
+ if (retval == PAM_PWHISTORY_RUN_HELPER)
|
||||
+ retval = run_save_helper(pamh, user, options.remember, options.debug);
|
||||
+
|
||||
+ if (retval != PAM_SUCCESS)
|
||||
+ return retval;
|
||||
|
||||
newpass = NULL;
|
||||
tries = 0;
|
||||
@@ -207,8 +372,11 @@ pam_sm_chauthtok (pam_handle_t *pamh, in
|
||||
if (options.debug)
|
||||
pam_syslog (pamh, LOG_DEBUG, "check against old password file");
|
||||
|
||||
- if (check_old_pass (pamh, user, newpass,
|
||||
- options.debug) != PAM_SUCCESS)
|
||||
+ retval = check_old_pass (pamh, user, newpass, options.debug);
|
||||
+ if (retval == PAM_PWHISTORY_RUN_HELPER)
|
||||
+ retval = run_check_helper(pamh, user, newpass, options.debug);
|
||||
+
|
||||
+ if (retval != PAM_SUCCESS)
|
||||
{
|
||||
if (getuid() || options.enforce_for_root ||
|
||||
(flags & PAM_CHANGE_EXPIRED_AUTHTOK))
|
||||
diff -up Linux-PAM-1.3.0/modules/pam_pwhistory/pwhistory_helper.c.pwhhelper Linux-PAM-1.3.0/modules/pam_pwhistory/pwhistory_helper.c
|
||||
--- Linux-PAM-1.3.0/modules/pam_pwhistory/pwhistory_helper.c.pwhhelper 2016-05-06 15:18:42.308637957 +0200
|
||||
+++ Linux-PAM-1.3.0/modules/pam_pwhistory/pwhistory_helper.c 2016-05-06 15:18:42.308637957 +0200
|
||||
@@ -0,0 +1,209 @@
|
||||
+/*
|
||||
+ * Copyright (c) 2013 Red Hat, Inc.
|
||||
+ * Author: Tomas Mraz <tmraz@redhat.com>
|
||||
+ *
|
||||
+ * Redistribution and use in source and binary forms, with or without
|
||||
+ * modification, are permitted provided that the following conditions
|
||||
+ * are met:
|
||||
+ * 1. Redistributions of source code must retain the above copyright
|
||||
+ * notice, and the entire permission notice in its entirety,
|
||||
+ * including the disclaimer of warranties.
|
||||
+ * 2. Redistributions in binary form must reproduce the above copyright
|
||||
+ * notice, this list of conditions and the following disclaimer in the
|
||||
+ * documentation and/or other materials provided with the distribution.
|
||||
+ * 3. The name of the author may not be used to endorse or promote
|
||||
+ * products derived from this software without specific prior
|
||||
+ * written permission.
|
||||
+ *
|
||||
+ * ALTERNATIVELY, this product may be distributed under the terms of
|
||||
+ * the GNU Public License, in which case the provisions of the GPL are
|
||||
+ * required INSTEAD OF the above restrictions. (This clause is
|
||||
+ * necessary due to a potential bad interaction between the GPL and
|
||||
+ * the restrictions contained in a BSD-style copyright.)
|
||||
+ *
|
||||
+ * THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED
|
||||
+ * WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
|
||||
+ * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
|
||||
+ * DISCLAIMED. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT,
|
||||
+ * INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
|
||||
+ * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
|
||||
+ * SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
|
||||
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
|
||||
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
|
||||
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
|
||||
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
|
||||
+ */
|
||||
+
|
||||
+#include "config.h"
|
||||
+
|
||||
+#include <stdio.h>
|
||||
+#include <stdlib.h>
|
||||
+#include <string.h>
|
||||
+#include <syslog.h>
|
||||
+#include <errno.h>
|
||||
+#include <unistd.h>
|
||||
+#include <signal.h>
|
||||
+#include <security/_pam_types.h>
|
||||
+#include <security/_pam_macros.h>
|
||||
+#include "opasswd.h"
|
||||
+
|
||||
+#define MAXPASS 200
|
||||
+
|
||||
+static void
|
||||
+su_sighandler(int sig)
|
||||
+{
|
||||
+#ifndef SA_RESETHAND
|
||||
+ /* emulate the behaviour of the SA_RESETHAND flag */
|
||||
+ if ( sig == SIGILL || sig == SIGTRAP || sig == SIGBUS || sig = SIGSERV ) {
|
||||
+ struct sigaction sa;
|
||||
+ memset(&sa, '\0', sizeof(sa));
|
||||
+ sa.sa_handler = SIG_DFL;
|
||||
+ sigaction(sig, &sa, NULL);
|
||||
+ }
|
||||
+#endif
|
||||
+ if (sig > 0) {
|
||||
+ _exit(sig);
|
||||
+ }
|
||||
+}
|
||||
+
|
||||
+static void
|
||||
+setup_signals(void)
|
||||
+{
|
||||
+ struct sigaction action; /* posix signal structure */
|
||||
+
|
||||
+ /*
|
||||
+ * Setup signal handlers
|
||||
+ */
|
||||
+ (void) memset((void *) &action, 0, sizeof(action));
|
||||
+ action.sa_handler = su_sighandler;
|
||||
+#ifdef SA_RESETHAND
|
||||
+ action.sa_flags = SA_RESETHAND;
|
||||
+#endif
|
||||
+ (void) sigaction(SIGILL, &action, NULL);
|
||||
+ (void) sigaction(SIGTRAP, &action, NULL);
|
||||
+ (void) sigaction(SIGBUS, &action, NULL);
|
||||
+ (void) sigaction(SIGSEGV, &action, NULL);
|
||||
+ action.sa_handler = SIG_IGN;
|
||||
+ action.sa_flags = 0;
|
||||
+ (void) sigaction(SIGTERM, &action, NULL);
|
||||
+ (void) sigaction(SIGHUP, &action, NULL);
|
||||
+ (void) sigaction(SIGINT, &action, NULL);
|
||||
+ (void) sigaction(SIGQUIT, &action, NULL);
|
||||
+}
|
||||
+
|
||||
+static int
|
||||
+read_passwords(int fd, int npass, char **passwords)
|
||||
+{
|
||||
+ int rbytes = 0;
|
||||
+ int offset = 0;
|
||||
+ int i = 0;
|
||||
+ char *pptr;
|
||||
+ while (npass > 0)
|
||||
+ {
|
||||
+ rbytes = read(fd, passwords[i]+offset, MAXPASS-offset);
|
||||
+
|
||||
+ if (rbytes < 0)
|
||||
+ {
|
||||
+ if (errno == EINTR) continue;
|
||||
+ break;
|
||||
+ }
|
||||
+ if (rbytes == 0)
|
||||
+ break;
|
||||
+
|
||||
+ while (npass > 0 && (pptr=memchr(passwords[i]+offset, '\0', rbytes))
|
||||
+ != NULL)
|
||||
+ {
|
||||
+ rbytes -= pptr - (passwords[i]+offset) + 1;
|
||||
+ i++;
|
||||
+ offset = 0;
|
||||
+ npass--;
|
||||
+ if (rbytes > 0)
|
||||
+ {
|
||||
+ if (npass > 0)
|
||||
+ memcpy(passwords[i], pptr+1, rbytes);
|
||||
+ memset(pptr+1, '\0', rbytes);
|
||||
+ }
|
||||
+ }
|
||||
+ offset += rbytes;
|
||||
+ }
|
||||
+
|
||||
+ /* clear up */
|
||||
+ if (offset > 0 && npass > 0)
|
||||
+ memset(passwords[i], '\0', offset);
|
||||
+
|
||||
+ return i;
|
||||
+}
|
||||
+
|
||||
+
|
||||
+static int
|
||||
+check_history(const char *user, const char *debug)
|
||||
+{
|
||||
+ char pass[MAXPASS + 1];
|
||||
+ char *passwords[] = { pass };
|
||||
+ int npass;
|
||||
+ int dbg = atoi(debug); /* no need to be too fancy here */
|
||||
+ int retval;
|
||||
+
|
||||
+ /* read the password from stdin (a pipe from the pam_pwhistory module) */
|
||||
+ npass = read_passwords(STDIN_FILENO, 1, passwords);
|
||||
+
|
||||
+ if (npass != 1)
|
||||
+ { /* is it a valid password? */
|
||||
+ helper_log_err(LOG_DEBUG, "no password supplied");
|
||||
+ return PAM_AUTHTOK_ERR;
|
||||
+ }
|
||||
+
|
||||
+ retval = check_old_pass(user, pass, dbg);
|
||||
+
|
||||
+ memset(pass, '\0', MAXPASS); /* clear memory of the password */
|
||||
+
|
||||
+ return retval;
|
||||
+}
|
||||
+
|
||||
+static int
|
||||
+save_history(const char *user, const char *howmany, const char *debug)
|
||||
+{
|
||||
+ int num = atoi(howmany);
|
||||
+ int dbg = atoi(debug); /* no need to be too fancy here */
|
||||
+ int retval;
|
||||
+
|
||||
+ retval = save_old_pass(user, num, dbg);
|
||||
+
|
||||
+ return retval;
|
||||
+}
|
||||
+
|
||||
+int
|
||||
+main(int argc, char *argv[])
|
||||
+{
|
||||
+ const char *option;
|
||||
+ const char *user;
|
||||
+
|
||||
+ /*
|
||||
+ * Catch or ignore as many signal as possible.
|
||||
+ */
|
||||
+ setup_signals();
|
||||
+
|
||||
+ /*
|
||||
+ * we establish that this program is running with non-tty stdin.
|
||||
+ * this is to discourage casual use.
|
||||
+ */
|
||||
+
|
||||
+ if (isatty(STDIN_FILENO) || argc < 4)
|
||||
+ {
|
||||
+ fprintf(stderr,
|
||||
+ "This binary is not designed for running in this way.\n");
|
||||
+ sleep(10); /* this should discourage/annoy the user */
|
||||
+ return PAM_SYSTEM_ERR;
|
||||
+ }
|
||||
+
|
||||
+ option = argv[1];
|
||||
+ user = argv[2];
|
||||
+
|
||||
+ if (strcmp(option, "check") == 0 && argc == 4)
|
||||
+ return check_history(user, argv[3]);
|
||||
+ else if (strcmp(option, "save") == 0 && argc == 5)
|
||||
+ return save_history(user, argv[3], argv[4]);
|
||||
+
|
||||
+ return PAM_SYSTEM_ERR;
|
||||
+}
|
||||
+
|
||||
diff -up Linux-PAM-1.3.0/modules/pam_pwhistory/pwhistory_helper.8.xml.pwhhelper Linux-PAM-1.3.0/modules/pam_pwhistory/pwhistory_helper.8.xml
|
||||
--- Linux-PAM-1.3.0/modules/pam_pwhistory/pwhistory_helper.8.xml.pwhhelper 2016-05-06 15:18:42.308637957 +0200
|
||||
+++ Linux-PAM-1.3.0/modules/pam_pwhistory/pwhistory_helper.8.xml 2016-05-06 15:18:42.308637957 +0200
|
||||
@@ -0,0 +1,68 @@
|
||||
+<?xml version="1.0" encoding='UTF-8'?>
|
||||
+<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.3//EN"
|
||||
+ "http://www.oasis-open.org/docbook/xml/4.3/docbookx.dtd">
|
||||
+
|
||||
+<refentry id="pwhistory_helper">
|
||||
+
|
||||
+ <refmeta>
|
||||
+ <refentrytitle>pwhistory_helper</refentrytitle>
|
||||
+ <manvolnum>8</manvolnum>
|
||||
+ <refmiscinfo class="sectdesc">Linux-PAM Manual</refmiscinfo>
|
||||
+ </refmeta>
|
||||
+
|
||||
+ <refnamediv id="pwhistory_helper-name">
|
||||
+ <refname>pwhistory_helper</refname>
|
||||
+ <refpurpose>Helper binary that transfers password hashes from passwd or shadow to opasswd</refpurpose>
|
||||
+ </refnamediv>
|
||||
+
|
||||
+ <refsynopsisdiv>
|
||||
+ <cmdsynopsis id="pwhistory_helper-cmdsynopsis">
|
||||
+ <command>pwhistory_helper</command>
|
||||
+ <arg choice="opt">
|
||||
+ ...
|
||||
+ </arg>
|
||||
+ </cmdsynopsis>
|
||||
+ </refsynopsisdiv>
|
||||
+
|
||||
+ <refsect1 id="pwhistory_helper-description">
|
||||
+
|
||||
+ <title>DESCRIPTION</title>
|
||||
+
|
||||
+ <para>
|
||||
+ <emphasis>pwhistory_helper</emphasis> is a helper program for the
|
||||
+ <emphasis>pam_pwhistory</emphasis> module that transfers password hashes
|
||||
+ from passwd or shadow file to the opasswd file and checks a password
|
||||
+ supplied by user against the existing hashes in the opasswd file.
|
||||
+ </para>
|
||||
+
|
||||
+ <para>
|
||||
+ The purpose of the helper is to enable tighter confinement of
|
||||
+ login and password changing services. The helper is thus called only
|
||||
+ when SELinux is enabled on the system.
|
||||
+ </para>
|
||||
+
|
||||
+ <para>
|
||||
+ The interface of the helper - command line options, and input/output
|
||||
+ data format are internal to the <emphasis>pam_pwhistory</emphasis>
|
||||
+ module and it should not be called directly from applications.
|
||||
+ </para>
|
||||
+ </refsect1>
|
||||
+
|
||||
+ <refsect1 id='pwhistory_helper-see_also'>
|
||||
+ <title>SEE ALSO</title>
|
||||
+ <para>
|
||||
+ <citerefentry>
|
||||
+ <refentrytitle>pam_pwhistory</refentrytitle><manvolnum>8</manvolnum>
|
||||
+ </citerefentry>
|
||||
+ </para>
|
||||
+ </refsect1>
|
||||
+
|
||||
+ <refsect1 id='pwhistory_helper-author'>
|
||||
+ <title>AUTHOR</title>
|
||||
+ <para>
|
||||
+ Written by Tomas Mraz based on the code originally in
|
||||
+ <emphasis>pam_pwhistory and pam_unix</emphasis> modules.
|
||||
+ </para>
|
||||
+ </refsect1>
|
||||
+
|
||||
+</refentry>
|
16
SOURCES/pam-1.3.0-unix-nomsg.patch
Normal file
16
SOURCES/pam-1.3.0-unix-nomsg.patch
Normal file
@ -0,0 +1,16 @@
|
||||
diff -up Linux-PAM-1.3.0/modules/pam_unix/pam_unix_passwd.c.nomsg Linux-PAM-1.3.0/modules/pam_unix/pam_unix_passwd.c
|
||||
--- Linux-PAM-1.3.0/modules/pam_unix/pam_unix_passwd.c.nomsg 2016-04-11 13:08:47.000000000 +0200
|
||||
+++ Linux-PAM-1.3.0/modules/pam_unix/pam_unix_passwd.c 2017-04-20 16:51:24.853106709 +0200
|
||||
@@ -687,12 +687,6 @@ pam_sm_chauthtok(pam_handle_t *pamh, int
|
||||
return PAM_SUCCESS;
|
||||
} else if (off(UNIX__IAMROOT, ctrl) ||
|
||||
(on(UNIX_NIS, ctrl) && _unix_comesfromsource(pamh, user, 0, 1))) {
|
||||
- /* instruct user what is happening */
|
||||
- if (off(UNIX__QUIET, ctrl)) {
|
||||
- retval = pam_info(pamh, _("Changing password for %s."), user);
|
||||
- if (retval != PAM_SUCCESS)
|
||||
- return retval;
|
||||
- }
|
||||
retval = pam_get_authtok(pamh, PAM_OLDAUTHTOK, &pass_old, NULL);
|
||||
|
||||
if (retval != PAM_SUCCESS) {
|
11
SOURCES/pam-1.3.1-console-build.patch
Normal file
11
SOURCES/pam-1.3.1-console-build.patch
Normal file
@ -0,0 +1,11 @@
|
||||
diff -up Linux-PAM-1.3.1/modules/pam_console/sed-static.console-build Linux-PAM-1.3.1/modules/pam_console/sed-static
|
||||
--- Linux-PAM-1.3.1/modules/pam_console/sed-static.console-build 2014-01-31 14:17:53.000000000 +0100
|
||||
+++ Linux-PAM-1.3.1/modules/pam_console/sed-static 2018-09-10 15:06:04.115302315 +0200
|
||||
@@ -13,6 +13,7 @@ sed '
|
||||
/^YY_BUFFER_STATE yy_scan_buffer/s/^/STATIC /
|
||||
/^YY_BUFFER_STATE yy_scan_string/s/^/STATIC /
|
||||
/^void yy_switch_to_buffer/s/^/STATIC /
|
||||
+/^extern int yylex/s/^extern /STATIC /
|
||||
/define YY_DECL int yylex/s/YY_DECL /YY_DECL STATIC /
|
||||
/^int yyparse/s/^/STATIC /
|
||||
/^void yyrestart/s/^/STATIC /
|
185
SOURCES/pam-1.3.1-coverity.patch
Normal file
185
SOURCES/pam-1.3.1-coverity.patch
Normal file
@ -0,0 +1,185 @@
|
||||
diff --git a/libpam/pam_handlers.c b/libpam/pam_handlers.c
|
||||
index 106ef7c..b2e94c7 100644
|
||||
--- a/libpam/pam_handlers.c
|
||||
+++ b/libpam/pam_handlers.c
|
||||
@@ -282,7 +282,6 @@ _pam_open_config_file(pam_handle_t *pamh
|
||||
{
|
||||
char *p;
|
||||
FILE *f;
|
||||
- int err = 0;
|
||||
|
||||
/* Absolute path */
|
||||
if (service[0] == '/') {
|
||||
diff --git a/libpam_misc/misc_conv.c b/libpam_misc/misc_conv.c
|
||||
index be53f34..07dce36 100644
|
||||
--- a/libpam_misc/misc_conv.c
|
||||
+++ b/libpam_misc/misc_conv.c
|
||||
@@ -211,7 +211,7 @@ static int read_string(int echo, const char *prompt, char **retstr)
|
||||
line[nc] = '\0';
|
||||
}
|
||||
*retstr = strdup(line);
|
||||
- _pam_overwrite(line);
|
||||
+ _pam_overwrite_n(line, sizeof(line));
|
||||
if (!*retstr) {
|
||||
D(("no memory for response string"));
|
||||
nc = -1;
|
||||
@@ -244,7 +244,7 @@ static int read_string(int echo, const char *prompt, char **retstr)
|
||||
D(("the timer appears to have expired"));
|
||||
|
||||
*retstr = NULL;
|
||||
- _pam_overwrite(line);
|
||||
+ _pam_overwrite_n(line, sizeof(line));
|
||||
|
||||
cleanexit:
|
||||
|
||||
diff --git a/modules/pam_access/pam_access.c b/modules/pam_access/pam_access.c
|
||||
index 80d885d..3801862 100644
|
||||
--- a/modules/pam_access/pam_access.c
|
||||
+++ b/modules/pam_access/pam_access.c
|
||||
@@ -806,7 +806,7 @@ pam_sm_authenticate (pam_handle_t *pamh, int flags UNUSED,
|
||||
const char *user=NULL;
|
||||
const void *void_from=NULL;
|
||||
const char *from;
|
||||
- const char const *default_config = PAM_ACCESS_CONFIG;
|
||||
+ const char * const default_config = PAM_ACCESS_CONFIG;
|
||||
struct passwd *user_pw;
|
||||
char hostname[MAXHOSTNAMELEN + 1];
|
||||
int rv;
|
||||
diff --git a/modules/pam_limits/pam_limits.c b/modules/pam_limits/pam_limits.c
|
||||
index 4bc4ae7..f8476b4 100644
|
||||
--- a/modules/pam_limits/pam_limits.c
|
||||
+++ b/modules/pam_limits/pam_limits.c
|
||||
@@ -342,7 +342,7 @@ static const char *lnames[RLIM_NLIMITS] = {
|
||||
#endif
|
||||
};
|
||||
|
||||
-static int str2rlimit(char *name) {
|
||||
+static int str2rlimit(const char *name) {
|
||||
int i;
|
||||
if (!name || *name == '\0')
|
||||
return -1;
|
||||
@@ -352,7 +352,7 @@ static int str2rlimit(char *name) {
|
||||
return -1;
|
||||
}
|
||||
|
||||
-static rlim_t str2rlim_t(char *value) {
|
||||
+static rlim_t str2rlim_t(const char *value) {
|
||||
unsigned long long rlimit = 0;
|
||||
|
||||
if (!value) return (rlim_t)rlimit;
|
||||
@@ -384,7 +384,7 @@ static void parse_kernel_limits(pam_handle_t *pamh, struct pam_limit_s *pl, int
|
||||
FILE *limitsfile;
|
||||
const char *proclimits = "/proc/1/limits";
|
||||
char line[256];
|
||||
- char *units, *hard, *soft, *name;
|
||||
+ const char *units, *hard, *soft, *name;
|
||||
|
||||
if (!(limitsfile = fopen(proclimits, "r"))) {
|
||||
pam_syslog(pamh, LOG_WARNING, "Could not read %s (%s), using PAM defaults", proclimits, strerror(errno));
|
||||
diff --git a/modules/pam_loginuid/pam_loginuid.c b/modules/pam_loginuid/pam_loginuid.c
|
||||
index 96bfd98..66d202c 100644
|
||||
--- a/modules/pam_loginuid/pam_loginuid.c
|
||||
+++ b/modules/pam_loginuid/pam_loginuid.c
|
||||
@@ -64,7 +64,7 @@ static int set_loginuid(pam_handle_t *pamh, uid_t uid)
|
||||
fd = open("/proc/self/uid_map", O_RDONLY);
|
||||
if (fd >= 0) {
|
||||
count = pam_modutil_read(fd, uid_map, sizeof(uid_map));
|
||||
- if (strncmp(uid_map, host_uid_map, count) != 0)
|
||||
+ if (count <= 0 || strncmp(uid_map, host_uid_map, count) != 0)
|
||||
rc = PAM_IGNORE;
|
||||
close(fd);
|
||||
}
|
||||
diff --git a/modules/pam_mkhomedir/mkhomedir_helper.c b/modules/pam_mkhomedir/mkhomedir_helper.c
|
||||
index 9e204c1..4b8d6b7 100644
|
||||
--- a/modules/pam_mkhomedir/mkhomedir_helper.c
|
||||
+++ b/modules/pam_mkhomedir/mkhomedir_helper.c
|
||||
@@ -232,6 +232,8 @@ create_homedir(const struct passwd *pwd,
|
||||
{
|
||||
pam_syslog(NULL, LOG_DEBUG,
|
||||
"unable to open or stat src file %s: %m", newsource);
|
||||
+ if (srcfd >= 0)
|
||||
+ close(srcfd);
|
||||
closedir(d);
|
||||
|
||||
#ifndef PATH_MAX
|
||||
diff --git a/modules/pam_namespace/pam_namespace.c b/modules/pam_namespace/pam_namespace.c
|
||||
index f541f89..85f5efa 100644
|
||||
--- a/modules/pam_namespace/pam_namespace.c
|
||||
+++ b/modules/pam_namespace/pam_namespace.c
|
||||
@@ -1418,6 +1418,7 @@ static int create_instance(struct polydir_s *polyptr, char *ipath, struct stat *
|
||||
if (fstat(fd, &newstatbuf) < 0) {
|
||||
pam_syslog(idata->pamh, LOG_ERR, "Error stating %s, %m",
|
||||
ipath);
|
||||
+ close(fd);
|
||||
rmdir(ipath);
|
||||
return PAM_SESSION_ERR;
|
||||
}
|
||||
diff --git a/modules/pam_pwhistory/opasswd.c b/modules/pam_pwhistory/opasswd.c
|
||||
index e6cf346..813f579 100644
|
||||
--- a/modules/pam_pwhistory/opasswd.c
|
||||
+++ b/modules/pam_pwhistory/opasswd.c
|
||||
@@ -326,6 +326,9 @@ save_old_pass (pam_handle_t *pamh, const char *user, uid_t uid,
|
||||
n = strlen (buf);
|
||||
#endif /* HAVE_GETLINE / HAVE_GETDELIM */
|
||||
|
||||
+ if (n < 1)
|
||||
+ break;
|
||||
+
|
||||
cp = buf;
|
||||
save = strdup (buf); /* Copy to write the original data back. */
|
||||
if (save == NULL)
|
||||
@@ -336,9 +339,6 @@ save_old_pass (pam_handle_t *pamh, const char *user, uid_t uid,
|
||||
goto error_opasswd;
|
||||
}
|
||||
|
||||
- if (n < 1)
|
||||
- break;
|
||||
-
|
||||
tmp = strchr (cp, '#'); /* remove comments */
|
||||
if (tmp)
|
||||
*tmp = '\0';
|
||||
diff --git a/modules/pam_rootok/pam_rootok.c b/modules/pam_rootok/pam_rootok.c
|
||||
index 17baabe..a9d9140 100644
|
||||
--- a/modules/pam_rootok/pam_rootok.c
|
||||
+++ b/modules/pam_rootok/pam_rootok.c
|
||||
@@ -66,14 +66,17 @@ log_callback (int type, const char *fmt, ...)
|
||||
int audit_fd;
|
||||
va_list ap;
|
||||
|
||||
- va_start(ap, fmt);
|
||||
#ifdef HAVE_LIBAUDIT
|
||||
audit_fd = audit_open();
|
||||
|
||||
if (audit_fd >= 0) {
|
||||
char *buf;
|
||||
+ int ret;
|
||||
|
||||
- if (vasprintf (&buf, fmt, ap) < 0)
|
||||
+ va_start(ap, fmt);
|
||||
+ ret = vasprintf (&buf, fmt, ap);
|
||||
+ va_end(ap);
|
||||
+ if (ret < 0)
|
||||
return 0;
|
||||
audit_log_user_avc_message(audit_fd, AUDIT_USER_AVC, buf, NULL, NULL,
|
||||
NULL, 0);
|
||||
@@ -83,6 +86,7 @@ log_callback (int type, const char *fmt, ...)
|
||||
}
|
||||
|
||||
#endif
|
||||
+ va_start(ap, fmt);
|
||||
vsyslog (LOG_USER | LOG_INFO, fmt, ap);
|
||||
va_end(ap);
|
||||
return 0;
|
||||
diff --git a/modules/pam_sepermit/pam_sepermit.c b/modules/pam_sepermit/pam_sepermit.c
|
||||
index c653290..f37af0f 100644
|
||||
--- a/modules/pam_sepermit/pam_sepermit.c
|
||||
+++ b/modules/pam_sepermit/pam_sepermit.c
|
||||
@@ -353,7 +353,7 @@ sepermit_match(pam_handle_t *pamh, const char *cfgfile, const char *user,
|
||||
if (*sense == PAM_SUCCESS) {
|
||||
if (ignore)
|
||||
*sense = PAM_IGNORE;
|
||||
- if (geteuid() == 0 && exclusive && get_loginuid(pamh) == -1)
|
||||
+ if (geteuid() == 0 && exclusive && get_loginuid(pamh) == (uid_t)-1)
|
||||
if (sepermit_lock(pamh, user, debug) < 0)
|
||||
*sense = PAM_AUTH_ERR;
|
||||
}
|
24
SOURCES/pam-1.3.1-noflex.patch
Normal file
24
SOURCES/pam-1.3.1-noflex.patch
Normal file
@ -0,0 +1,24 @@
|
||||
diff -up Linux-PAM-1.3.1/doc/Makefile.am.noflex Linux-PAM-1.3.1/doc/Makefile.am
|
||||
--- Linux-PAM-1.3.1/doc/Makefile.am.noflex 2017-02-10 11:10:15.000000000 +0100
|
||||
+++ Linux-PAM-1.3.1/doc/Makefile.am 2018-05-18 14:53:50.300997606 +0200
|
||||
@@ -2,7 +2,7 @@
|
||||
# Copyright (c) 2005, 2006 Thorsten Kukuk <kukuk@suse.de>
|
||||
#
|
||||
|
||||
-SUBDIRS = man specs sag adg mwg
|
||||
+SUBDIRS = man sag adg mwg
|
||||
|
||||
CLEANFILES = *~
|
||||
|
||||
diff -up Linux-PAM-1.3.1/Makefile.am.noflex Linux-PAM-1.3.1/Makefile.am
|
||||
--- Linux-PAM-1.3.1/Makefile.am.noflex 2018-05-18 14:53:50.301997629 +0200
|
||||
+++ Linux-PAM-1.3.1/Makefile.am 2018-05-18 14:55:31.576353800 +0200
|
||||
@@ -4,7 +4,7 @@
|
||||
|
||||
AUTOMAKE_OPTIONS = 1.9 gnu dist-bzip2 dist-xz check-news
|
||||
|
||||
-SUBDIRS = libpam tests libpamc libpam_misc modules po conf doc examples xtests
|
||||
+SUBDIRS = libpam tests libpamc libpam_misc modules po doc examples xtests
|
||||
|
||||
CLEANFILES = *~
|
||||
|
3
SOURCES/pamtmp.conf
Normal file
3
SOURCES/pamtmp.conf
Normal file
@ -0,0 +1,3 @@
|
||||
d /run/console 0755 root root -
|
||||
d /run/faillock 0755 root root -
|
||||
d /run/sepermit 0755 root root -
|
18
SOURCES/password-auth.pamd
Normal file
18
SOURCES/password-auth.pamd
Normal file
@ -0,0 +1,18 @@
|
||||
#%PAM-1.0
|
||||
# This file is auto-generated.
|
||||
# User changes will be destroyed the next time authselect is run.
|
||||
auth required pam_env.so
|
||||
auth sufficient pam_unix.so try_first_pass nullok
|
||||
auth required pam_deny.so
|
||||
|
||||
account required pam_unix.so
|
||||
|
||||
password requisite pam_pwquality.so try_first_pass local_users_only retry=3 authtok_type=
|
||||
password sufficient pam_unix.so try_first_pass use_authtok nullok sha512 shadow
|
||||
password required pam_deny.so
|
||||
|
||||
session optional pam_keyinit.so revoke
|
||||
session required pam_limits.so
|
||||
-session optional pam_systemd.so
|
||||
session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
|
||||
session required pam_unix.so
|
46
SOURCES/postlogin.5
Normal file
46
SOURCES/postlogin.5
Normal file
@ -0,0 +1,46 @@
|
||||
.TH POSTLOGIN 5 "2010 Dec 22" "Red Hat" "Linux-PAM Manual"
|
||||
.SH NAME
|
||||
|
||||
postlogin \- Common configuration file for PAMified services
|
||||
|
||||
.SH SYNOPSIS
|
||||
.B /etc/pam.d/postlogin
|
||||
.sp 2
|
||||
.SH DESCRIPTION
|
||||
|
||||
The purpose of this PAM configuration file is to provide a common
|
||||
place for all PAM modules which should be called after the stack
|
||||
configured in
|
||||
.BR system-auth
|
||||
or the other common PAM configuration files.
|
||||
|
||||
.sp
|
||||
The
|
||||
.BR postlogin
|
||||
configuration file is included from all individual service configuration
|
||||
files that provide login service with shell or file access.
|
||||
|
||||
.SH NOTES
|
||||
The modules in the postlogin configuration file are executed regardless
|
||||
of the success or failure of the modules in the
|
||||
.BR system-auth
|
||||
configuration file.
|
||||
|
||||
.SH BUGS
|
||||
.sp 2
|
||||
Sometimes it would be useful to be able to skip the postlogin modules in
|
||||
case the substack of the
|
||||
.BR system-auth
|
||||
modules failed. Unfortunately the current Linux-PAM library does not
|
||||
provide any way how to achieve this.
|
||||
|
||||
.SH "SEE ALSO"
|
||||
pam(8), config-util(5), system-auth(5)
|
||||
|
||||
The three
|
||||
.BR Linux-PAM
|
||||
Guides, for
|
||||
.BR "system administrators" ", "
|
||||
.BR "module developers" ", "
|
||||
and
|
||||
.BR "application developers" ". "
|
8
SOURCES/postlogin.pamd
Normal file
8
SOURCES/postlogin.pamd
Normal file
@ -0,0 +1,8 @@
|
||||
#%PAM-1.0
|
||||
# This file is auto-generated.
|
||||
# User changes will be destroyed the next time authselect is run.
|
||||
|
||||
session optional pam_umask.so silent
|
||||
session [success=1 default=ignore] pam_succeed_if.so service !~ gdm* service !~ su* quiet
|
||||
session [default=1] pam_lastlog.so nowtmp showfailed
|
||||
session optional pam_lastlog.so silent noupdate showfailed
|
19
SOURCES/smartcard-auth.pamd
Normal file
19
SOURCES/smartcard-auth.pamd
Normal file
@ -0,0 +1,19 @@
|
||||
#%PAM-1.0
|
||||
# This file is auto-generated.
|
||||
# User changes will be destroyed the next time authselect is run.
|
||||
auth required pam_env.so
|
||||
auth [success=done ignore=ignore default=die] pam_pkcs11.so wait_for_card
|
||||
auth required pam_deny.so
|
||||
|
||||
account required pam_unix.so
|
||||
account sufficient pam_localuser.so
|
||||
account sufficient pam_succeed_if.so uid < 500 quiet
|
||||
account required pam_permit.so
|
||||
|
||||
password optional pam_pkcs11.so
|
||||
|
||||
session optional pam_keyinit.so revoke
|
||||
session required pam_limits.so
|
||||
-session optional pam_systemd.so
|
||||
session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
|
||||
session required pam_unix.so
|
58
SOURCES/system-auth.5
Normal file
58
SOURCES/system-auth.5
Normal file
@ -0,0 +1,58 @@
|
||||
.TH SYSTEM-AUTH 5 "2010 Dec 22" "Red Hat" "Linux-PAM Manual"
|
||||
.SH NAME
|
||||
|
||||
system-auth \- Common configuration file for PAMified services
|
||||
|
||||
.SH SYNOPSIS
|
||||
.B /etc/pam.d/system-auth
|
||||
.B /etc/pam.d/password-auth
|
||||
.B /etc/pam.d/fingerprint-auth
|
||||
.B /etc/pam.d/smartcard-auth
|
||||
.sp 2
|
||||
.SH DESCRIPTION
|
||||
|
||||
The purpose of these configuration files are to provide a common
|
||||
interface for all applications and service daemons calling into
|
||||
the PAM library.
|
||||
|
||||
.sp
|
||||
The
|
||||
.BR system-auth
|
||||
configuration file is included from nearly all individual service configuration
|
||||
files with the help of the
|
||||
.BR substack
|
||||
directive.
|
||||
|
||||
.sp
|
||||
The
|
||||
.BR password-auth
|
||||
.BR fingerprint-auth
|
||||
.BR smartcard-auth
|
||||
configuration files are for applications which handle authentication from
|
||||
different types of devices via simultaneously running individual conversations
|
||||
instead of one aggregate conversation.
|
||||
|
||||
.SH NOTES
|
||||
Previously these common configuration files were included with the help
|
||||
of the
|
||||
.BR include
|
||||
directive. This limited the use of the different action types of modules.
|
||||
With the use of
|
||||
.BR substack
|
||||
directive to include these common configuration files this limitation
|
||||
no longer applies.
|
||||
|
||||
.SH BUGS
|
||||
.sp 2
|
||||
None known.
|
||||
|
||||
.SH "SEE ALSO"
|
||||
pam(8), config-util(5), postlogin(5)
|
||||
|
||||
The three
|
||||
.BR Linux-PAM
|
||||
Guides, for
|
||||
.BR "system administrators" ", "
|
||||
.BR "module developers" ", "
|
||||
and
|
||||
.BR "application developers" ". "
|
18
SOURCES/system-auth.pamd
Normal file
18
SOURCES/system-auth.pamd
Normal file
@ -0,0 +1,18 @@
|
||||
#%PAM-1.0
|
||||
# This file is auto-generated.
|
||||
# User changes will be destroyed the next time authselect is run.
|
||||
auth required pam_env.so
|
||||
auth sufficient pam_unix.so try_first_pass nullok
|
||||
auth required pam_deny.so
|
||||
|
||||
account required pam_unix.so
|
||||
|
||||
password requisite pam_pwquality.so try_first_pass local_users_only retry=3 authtok_type=
|
||||
password sufficient pam_unix.so try_first_pass use_authtok nullok sha512 shadow
|
||||
password required pam_deny.so
|
||||
|
||||
session optional pam_keyinit.so revoke
|
||||
session required pam_limits.so
|
||||
-session optional pam_systemd.so
|
||||
session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
|
||||
session required pam_unix.so
|
2116
SPECS/pam.spec
Normal file
2116
SPECS/pam.spec
Normal file
File diff suppressed because it is too large
Load Diff
Loading…
Reference in New Issue
Block a user