- Rebase to release 1.5.0
- Rebase to pam-redhat-1.1.4 - Remove pam_cracklib, pam_tally and pam_tally2 - spec file cleanup
This commit is contained in:
parent
f35e0f9f10
commit
bcd73c678e
2
.gitignore
vendored
2
.gitignore
vendored
@ -4,3 +4,5 @@
|
|||||||
/Linux-PAM-1.3.1.tar.xz.asc
|
/Linux-PAM-1.3.1.tar.xz.asc
|
||||||
/Linux-PAM-1.4.0.tar.xz
|
/Linux-PAM-1.4.0.tar.xz
|
||||||
/Linux-PAM-1.4.0.tar.xz.asc
|
/Linux-PAM-1.4.0.tar.xz.asc
|
||||||
|
/Linux-PAM-1.5.0.tar.xz
|
||||||
|
/Linux-PAM-1.5.0.tar.xz.asc
|
||||||
|
@ -1,20 +0,0 @@
|
|||||||
diff -up Linux-PAM-1.1.6/modules/pam_limits/limits.conf.limits Linux-PAM-1.1.6/modules/pam_limits/limits.conf
|
|
||||||
--- Linux-PAM-1.1.6/modules/pam_limits/limits.conf.limits 2012-08-15 13:08:43.000000000 +0200
|
|
||||||
+++ Linux-PAM-1.1.6/modules/pam_limits/limits.conf 2013-03-14 16:43:37.615087671 +0100
|
|
||||||
@@ -1,5 +1,16 @@
|
|
||||||
# /etc/security/limits.conf
|
|
||||||
#
|
|
||||||
+#This file sets the resource limits for the users logged in via PAM.
|
|
||||||
+#It does not affect resource limits of the system services.
|
|
||||||
+#
|
|
||||||
+#Also note that configuration files in /etc/security/limits.d directory,
|
|
||||||
+#which are read in alphabetical order, override the settings in this
|
|
||||||
+#file in case the domain is the same or more specific.
|
|
||||||
+#That means for example that setting a limit for wildcard domain here
|
|
||||||
+#can be overriden with a wildcard setting in a config file in the
|
|
||||||
+#subdirectory, but a user specific setting here can be overriden only
|
|
||||||
+#with a user specific setting in the subdirectory.
|
|
||||||
+#
|
|
||||||
#Each line describes a limit for a user in the form:
|
|
||||||
#
|
|
||||||
#<domain> <type> <item> <value>
|
|
@ -1,31 +0,0 @@
|
|||||||
diff -up Linux-PAM-1.1.8/modules/pam_tally2/pam_tally2.c.audit-user-mgmt Linux-PAM-1.1.8/modules/pam_tally2/pam_tally2.c
|
|
||||||
--- Linux-PAM-1.1.8/modules/pam_tally2/pam_tally2.c.audit-user-mgmt 2013-06-18 16:11:21.000000000 +0200
|
|
||||||
+++ Linux-PAM-1.1.8/modules/pam_tally2/pam_tally2.c 2014-10-17 12:09:12.965490940 +0200
|
|
||||||
@@ -997,9 +997,9 @@ main( int argc UNUSED, char **argv )
|
|
||||||
#ifdef HAVE_LIBAUDIT
|
|
||||||
char buf[64];
|
|
||||||
int audit_fd = audit_open();
|
|
||||||
- snprintf(buf, sizeof(buf), "pam_tally2 uid=%u reset=%hu", uid, cline_reset);
|
|
||||||
- audit_log_user_message(audit_fd, AUDIT_USER_ACCT,
|
|
||||||
- buf, NULL, NULL, ttyname(STDIN_FILENO), 1);
|
|
||||||
+ snprintf(buf, sizeof(buf), "pam_tally2 reset=%hu", cline_reset);
|
|
||||||
+ audit_log_acct_message(audit_fd, AUDIT_USER_MGMT, NULL,
|
|
||||||
+ buf, NULL, uid, NULL, NULL, ttyname(STDIN_FILENO), 1);
|
|
||||||
if (audit_fd >=0)
|
|
||||||
close(audit_fd);
|
|
||||||
#endif
|
|
||||||
@@ -1040,11 +1040,10 @@ main( int argc UNUSED, char **argv )
|
|
||||||
}
|
|
||||||
else if ( !cline_reset ) {
|
|
||||||
#ifdef HAVE_LIBAUDIT
|
|
||||||
- char buf[64];
|
|
||||||
int audit_fd = audit_open();
|
|
||||||
- snprintf(buf, sizeof(buf), "pam_tally2 uid=all reset=0");
|
|
||||||
- audit_log_user_message(audit_fd, AUDIT_USER_ACCT,
|
|
||||||
- buf, NULL, NULL, ttyname(STDIN_FILENO), 1);
|
|
||||||
+ audit_log_acct_message(audit_fd, AUDIT_USER_MGMT, NULL,
|
|
||||||
+ "pam_tally2-reset-all-accts reset=0", "*", -1,
|
|
||||||
+ NULL, NULL, ttyname(STDIN_FILENO), 1);
|
|
||||||
if (audit_fd >=0)
|
|
||||||
close(audit_fd);
|
|
||||||
#endif
|
|
@ -1,50 +0,0 @@
|
|||||||
From 395915dae1571e10e2766c999974de864655ea3a Mon Sep 17 00:00:00 2001
|
|
||||||
From: ikerexxe <ipedrosa@redhat.com>
|
|
||||||
Date: Mon, 15 Jun 2020 09:52:11 +0200
|
|
||||||
Subject: [PATCH] pam_faillock: change /run/faillock/$USER permissions to 0660
|
|
||||||
|
|
||||||
Nowadays, /run/faillock/$USER files have user:root ownership and 0600
|
|
||||||
permissions. This forces the process that writes to these files to have
|
|
||||||
CAP_DAC_OVERRIDE capabilites. Just by changing the permissions to 0660
|
|
||||||
the capability can be removed, which leads to a more secure system.
|
|
||||||
|
|
||||||
Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=1661822
|
|
||||||
---
|
|
||||||
modules/pam_faillock/faillock.c | 14 +++++++++++++-
|
|
||||||
1 file changed, 13 insertions(+), 1 deletion(-)
|
|
||||||
|
|
||||||
diff --git a/modules/pam_faillock/faillock.c b/modules/pam_faillock/faillock.c
|
|
||||||
index e492f5f9..4ea94cbe 100644
|
|
||||||
--- a/modules/pam_faillock/faillock.c
|
|
||||||
+++ b/modules/pam_faillock/faillock.c
|
|
||||||
@@ -76,7 +76,7 @@ open_tally (const char *dir, const char *user, uid_t uid, int create)
|
|
||||||
flags |= O_CREAT;
|
|
||||||
}
|
|
||||||
|
|
||||||
- fd = open(path, flags, 0600);
|
|
||||||
+ fd = open(path, flags, 0660);
|
|
||||||
|
|
||||||
free(path);
|
|
||||||
|
|
||||||
@@ -88,6 +88,18 @@ open_tally (const char *dir, const char *user, uid_t uid, int create)
|
|
||||||
if (st.st_uid != uid) {
|
|
||||||
ignore_return(fchown(fd, uid, -1));
|
|
||||||
}
|
|
||||||
+
|
|
||||||
+ /*
|
|
||||||
+ * If umask is set to 022, as will probably in most systems, then the
|
|
||||||
+ * group will not be able to write to the file. So, change the file
|
|
||||||
+ * permissions just in case.
|
|
||||||
+ * Note: owners of this file are user:root, so if the permissions are
|
|
||||||
+ * not changed the root process writing to this file will require
|
|
||||||
+ * CAP_DAC_OVERRIDE.
|
|
||||||
+ */
|
|
||||||
+ if (!(st.st_mode & S_IWGRP)) {
|
|
||||||
+ ignore_return(fchmod(fd, 0660));
|
|
||||||
+ }
|
|
||||||
}
|
|
||||||
}
|
|
||||||
|
|
||||||
--
|
|
||||||
2.26.2
|
|
||||||
|
|
@ -1,131 +0,0 @@
|
|||||||
diff -up Linux-PAM-1.4.0/libpam_misc/misc_conv.c.coverity Linux-PAM-1.4.0/libpam_misc/misc_conv.c
|
|
||||||
--- Linux-PAM-1.4.0/libpam_misc/misc_conv.c.coverity 2020-06-08 12:17:27.000000000 +0200
|
|
||||||
+++ Linux-PAM-1.4.0/libpam_misc/misc_conv.c 2020-06-23 10:19:32.999827223 +0200
|
|
||||||
@@ -211,7 +211,7 @@ static int read_string(int echo, const c
|
|
||||||
line[nc] = '\0';
|
|
||||||
}
|
|
||||||
*retstr = strdup(line);
|
|
||||||
- _pam_overwrite(line);
|
|
||||||
+ _pam_overwrite_n(line, sizeof(line));
|
|
||||||
if (!*retstr) {
|
|
||||||
D(("no memory for response string"));
|
|
||||||
nc = -1;
|
|
||||||
@@ -244,7 +244,7 @@ static int read_string(int echo, const c
|
|
||||||
D(("the timer appears to have expired"));
|
|
||||||
|
|
||||||
*retstr = NULL;
|
|
||||||
- _pam_overwrite(line);
|
|
||||||
+ _pam_overwrite_n(line, sizeof(line));
|
|
||||||
|
|
||||||
cleanexit:
|
|
||||||
|
|
||||||
diff -up Linux-PAM-1.4.0/libpam/pam_handlers.c.coverity Linux-PAM-1.4.0/libpam/pam_handlers.c
|
|
||||||
diff -up Linux-PAM-1.4.0/modules/pam_access/pam_access.c.coverity Linux-PAM-1.4.0/modules/pam_access/pam_access.c
|
|
||||||
--- Linux-PAM-1.4.0/modules/pam_access/pam_access.c.coverity 2020-06-23 10:19:32.999827223 +0200
|
|
||||||
+++ Linux-PAM-1.4.0/modules/pam_access/pam_access.c 2020-06-23 10:21:17.113398827 +0200
|
|
||||||
@@ -811,7 +811,7 @@ pam_sm_authenticate (pam_handle_t *pamh,
|
|
||||||
const char *user=NULL;
|
|
||||||
const void *void_from=NULL;
|
|
||||||
const char *from;
|
|
||||||
- const char *default_config = PAM_ACCESS_CONFIG;
|
|
||||||
+ const char * const default_config = PAM_ACCESS_CONFIG;
|
|
||||||
struct passwd *user_pw;
|
|
||||||
char hostname[MAXHOSTNAMELEN + 1];
|
|
||||||
int rv;
|
|
||||||
diff -up Linux-PAM-1.4.0/modules/pam_limits/pam_limits.c.coverity Linux-PAM-1.4.0/modules/pam_limits/pam_limits.c
|
|
||||||
--- Linux-PAM-1.4.0/modules/pam_limits/pam_limits.c.coverity 2020-06-08 12:17:27.000000000 +0200
|
|
||||||
+++ Linux-PAM-1.4.0/modules/pam_limits/pam_limits.c 2020-06-23 10:22:40.357855843 +0200
|
|
||||||
@@ -342,7 +342,7 @@ static const char *lnames[RLIM_NLIMITS]
|
|
||||||
#endif
|
|
||||||
};
|
|
||||||
|
|
||||||
-static int str2rlimit(char *name) {
|
|
||||||
+static int str2rlimit(const char *name) {
|
|
||||||
int i;
|
|
||||||
if (!name || *name == '\0')
|
|
||||||
return -1;
|
|
||||||
@@ -352,7 +352,7 @@ static int str2rlimit(char *name) {
|
|
||||||
return -1;
|
|
||||||
}
|
|
||||||
|
|
||||||
-static rlim_t str2rlim_t(char *value) {
|
|
||||||
+static rlim_t str2rlim_t(const char *value) {
|
|
||||||
unsigned long long rlimit = 0;
|
|
||||||
|
|
||||||
if (!value) return (rlim_t)rlimit;
|
|
||||||
@@ -384,7 +384,7 @@ static void parse_kernel_limits(pam_hand
|
|
||||||
FILE *limitsfile;
|
|
||||||
const char *proclimits = "/proc/1/limits";
|
|
||||||
char line[256];
|
|
||||||
- char *hard, *soft, *name;
|
|
||||||
+ const char *hard, *soft, *name;
|
|
||||||
|
|
||||||
if (!(limitsfile = fopen(proclimits, "r"))) {
|
|
||||||
pam_syslog(pamh, LOG_WARNING, "Could not read %s (%s), using PAM defaults", proclimits, strerror(errno));
|
|
||||||
diff -up Linux-PAM-1.4.0/modules/pam_loginuid/pam_loginuid.c.coverity Linux-PAM-1.4.0/modules/pam_loginuid/pam_loginuid.c
|
|
||||||
--- Linux-PAM-1.4.0/modules/pam_loginuid/pam_loginuid.c.coverity 2020-06-08 12:17:27.000000000 +0200
|
|
||||||
+++ Linux-PAM-1.4.0/modules/pam_loginuid/pam_loginuid.c 2020-06-23 10:19:32.999827223 +0200
|
|
||||||
@@ -65,7 +65,7 @@ static int set_loginuid(pam_handle_t *pa
|
|
||||||
fd = open("/proc/self/uid_map", O_RDONLY);
|
|
||||||
if (fd >= 0) {
|
|
||||||
count = pam_modutil_read(fd, uid_map, sizeof(uid_map));
|
|
||||||
- if (strncmp(uid_map, host_uid_map, count) != 0)
|
|
||||||
+ if (count <= 0 || strncmp(uid_map, host_uid_map, count) != 0)
|
|
||||||
rc = PAM_IGNORE;
|
|
||||||
close(fd);
|
|
||||||
}
|
|
||||||
diff -up Linux-PAM-1.4.0/modules/pam_mkhomedir/mkhomedir_helper.c.coverity Linux-PAM-1.4.0/modules/pam_mkhomedir/mkhomedir_helper.c
|
|
||||||
--- Linux-PAM-1.4.0/modules/pam_mkhomedir/mkhomedir_helper.c.coverity 2020-06-08 12:17:27.000000000 +0200
|
|
||||||
+++ Linux-PAM-1.4.0/modules/pam_mkhomedir/mkhomedir_helper.c 2020-06-23 10:19:33.000827228 +0200
|
|
||||||
@@ -232,6 +232,8 @@ create_homedir(const struct passwd *pwd,
|
|
||||||
{
|
|
||||||
pam_syslog(NULL, LOG_DEBUG,
|
|
||||||
"unable to open or stat src file %s: %m", newsource);
|
|
||||||
+ if (srcfd >= 0)
|
|
||||||
+ close(srcfd);
|
|
||||||
closedir(d);
|
|
||||||
|
|
||||||
#ifndef PATH_MAX
|
|
||||||
diff -up Linux-PAM-1.4.0/modules/pam_namespace/pam_namespace.c.coverity Linux-PAM-1.4.0/modules/pam_namespace/pam_namespace.c
|
|
||||||
--- Linux-PAM-1.4.0/modules/pam_namespace/pam_namespace.c.coverity 2020-06-08 12:17:27.000000000 +0200
|
|
||||||
+++ Linux-PAM-1.4.0/modules/pam_namespace/pam_namespace.c 2020-06-23 10:19:33.000827228 +0200
|
|
||||||
@@ -1488,6 +1488,7 @@ static int create_instance(struct polydi
|
|
||||||
if (fstat(fd, &newstatbuf) < 0) {
|
|
||||||
pam_syslog(idata->pamh, LOG_ERR, "Error stating %s, %m",
|
|
||||||
ipath);
|
|
||||||
+ close(fd);
|
|
||||||
rmdir(ipath);
|
|
||||||
return PAM_SESSION_ERR;
|
|
||||||
}
|
|
||||||
diff -up Linux-PAM-1.4.0/modules/pam_rootok/pam_rootok.c.coverity Linux-PAM-1.4.0/modules/pam_rootok/pam_rootok.c
|
|
||||||
--- Linux-PAM-1.4.0/modules/pam_rootok/pam_rootok.c.coverity 2020-06-08 12:17:27.000000000 +0200
|
|
||||||
+++ Linux-PAM-1.4.0/modules/pam_rootok/pam_rootok.c 2020-06-23 10:26:21.405069413 +0200
|
|
||||||
@@ -55,15 +55,17 @@ log_callback (int type UNUSED, const cha
|
|
||||||
int audit_fd;
|
|
||||||
va_list ap;
|
|
||||||
|
|
||||||
- va_start(ap, fmt);
|
|
||||||
#ifdef HAVE_LIBAUDIT
|
|
||||||
audit_fd = audit_open();
|
|
||||||
|
|
||||||
if (audit_fd >= 0) {
|
|
||||||
char *buf;
|
|
||||||
+ int ret;
|
|
||||||
|
|
||||||
- if (vasprintf (&buf, fmt, ap) < 0) {
|
|
||||||
- va_end(ap);
|
|
||||||
+ va_start(ap, fmt);
|
|
||||||
+ ret = vasprintf (&buf, fmt, ap);
|
|
||||||
+ va_end(ap);
|
|
||||||
+ if (ret < 0) {
|
|
||||||
return 0;
|
|
||||||
}
|
|
||||||
audit_log_user_avc_message(audit_fd, AUDIT_USER_AVC, buf, NULL, NULL,
|
|
||||||
@@ -75,6 +77,7 @@ log_callback (int type UNUSED, const cha
|
|
||||||
}
|
|
||||||
|
|
||||||
#endif
|
|
||||||
+ va_start(ap, fmt);
|
|
||||||
vsyslog (LOG_USER | LOG_INFO, fmt, ap);
|
|
||||||
va_end(ap);
|
|
||||||
return 0;
|
|
@ -1,123 +0,0 @@
|
|||||||
From af0faf666c5008e54dfe43684f210e3581ff1bca Mon Sep 17 00:00:00 2001
|
|
||||||
From: ikerexxe <ipedrosa@redhat.com>
|
|
||||||
Date: Tue, 16 Jun 2020 14:32:36 +0200
|
|
||||||
Subject: [PATCH 1/2] pam_unix: avoid determining if user exists
|
|
||||||
|
|
||||||
Taking a look at the time for the password prompt to appear it was
|
|
||||||
possible to determine if a user existed in a system. Solved it by
|
|
||||||
matching the runtime until the password prompt was shown by always
|
|
||||||
checking the password hash for an existing and a non-existing user.
|
|
||||||
|
|
||||||
Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=1629598
|
|
||||||
---
|
|
||||||
modules/pam_unix/passverify.c | 6 ++++++
|
|
||||||
modules/pam_unix/support.c | 33 ++++++++++++++++++++++++++-------
|
|
||||||
2 files changed, 32 insertions(+), 7 deletions(-)
|
|
||||||
|
|
||||||
diff --git a/modules/pam_unix/passverify.c b/modules/pam_unix/passverify.c
|
|
||||||
index a571b4f7..7455eae6 100644
|
|
||||||
--- a/modules/pam_unix/passverify.c
|
|
||||||
+++ b/modules/pam_unix/passverify.c
|
|
||||||
@@ -1096,6 +1096,12 @@ helper_verify_password(const char *name, const char *p, int nullok)
|
|
||||||
if (pwd == NULL || hash == NULL) {
|
|
||||||
helper_log_err(LOG_NOTICE, "check pass; user unknown");
|
|
||||||
retval = PAM_USER_UNKNOWN;
|
|
||||||
+ } else if (p[0] == '\0' && nullok) {
|
|
||||||
+ if (hash[0] == '\0') {
|
|
||||||
+ retval = PAM_SUCCESS;
|
|
||||||
+ } else {
|
|
||||||
+ retval = PAM_AUTH_ERR;
|
|
||||||
+ }
|
|
||||||
} else {
|
|
||||||
retval = verify_pwd_hash(p, hash, nullok);
|
|
||||||
}
|
|
||||||
diff --git a/modules/pam_unix/support.c b/modules/pam_unix/support.c
|
|
||||||
index 41db1f04..dc67238c 100644
|
|
||||||
--- a/modules/pam_unix/support.c
|
|
||||||
+++ b/modules/pam_unix/support.c
|
|
||||||
@@ -601,6 +601,8 @@ _unix_blankpasswd (pam_handle_t *pamh, unsigned long long ctrl, const char *name
|
|
||||||
char *salt = NULL;
|
|
||||||
int daysleft;
|
|
||||||
int retval;
|
|
||||||
+ int execloop = 1;
|
|
||||||
+ int nonexistent = 1;
|
|
||||||
|
|
||||||
D(("called"));
|
|
||||||
|
|
||||||
@@ -624,14 +626,31 @@ _unix_blankpasswd (pam_handle_t *pamh, unsigned long long ctrl, const char *name
|
|
||||||
|
|
||||||
/* UNIX passwords area */
|
|
||||||
|
|
||||||
- retval = get_pwd_hash(pamh, name, &pwd, &salt);
|
|
||||||
+ /*
|
|
||||||
+ * Execute this loop twice: one checking the password hash of an existing
|
|
||||||
+ * user and another one for a non-existing user. This way the runtimes
|
|
||||||
+ * are equal, making it more difficult to differentiate existing from
|
|
||||||
+ * non-existing users.
|
|
||||||
+ */
|
|
||||||
+ while (execloop) {
|
|
||||||
+ retval = get_pwd_hash(pamh, name, &pwd, &salt);
|
|
||||||
|
|
||||||
- if (retval == PAM_UNIX_RUN_HELPER) {
|
|
||||||
- /* salt will not be set here so we can return immediately */
|
|
||||||
- if (_unix_run_helper_binary(pamh, NULL, ctrl, name) == PAM_SUCCESS)
|
|
||||||
- return 1;
|
|
||||||
- else
|
|
||||||
- return 0;
|
|
||||||
+ if (retval == PAM_UNIX_RUN_HELPER) {
|
|
||||||
+ execloop = 0;
|
|
||||||
+ if(nonexistent) {
|
|
||||||
+ get_pwd_hash(pamh, "pam_unix_non_existent:", &pwd, &salt);
|
|
||||||
+ }
|
|
||||||
+ /* salt will not be set here so we can return immediately */
|
|
||||||
+ if (_unix_run_helper_binary(pamh, NULL, ctrl, name) == PAM_SUCCESS)
|
|
||||||
+ return 1;
|
|
||||||
+ else
|
|
||||||
+ return 0;
|
|
||||||
+ } else if (retval == PAM_USER_UNKNOWN) {
|
|
||||||
+ name = "root";
|
|
||||||
+ nonexistent = 0;
|
|
||||||
+ } else {
|
|
||||||
+ execloop = 0;
|
|
||||||
+ }
|
|
||||||
}
|
|
||||||
|
|
||||||
/* Does this user have a password? */
|
|
||||||
--
|
|
||||||
2.26.2
|
|
||||||
|
|
||||||
|
|
||||||
From 0e9b286afe1224b91ff00936058b084ad4b776e4 Mon Sep 17 00:00:00 2001
|
|
||||||
From: ikerexxe <ipedrosa@redhat.com>
|
|
||||||
Date: Tue, 16 Jun 2020 14:44:04 +0200
|
|
||||||
Subject: [PATCH 2/2] pam_usertype: avoid determining if user exists
|
|
||||||
|
|
||||||
Taking a look at the time for the password prompt to appear it was
|
|
||||||
possible to determine if a user existed in a system. Solved it by
|
|
||||||
matching the runtime until the password prompt was shown by always
|
|
||||||
checking the password hash for an existing and a non-existing user.
|
|
||||||
|
|
||||||
Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=1629598
|
|
||||||
---
|
|
||||||
modules/pam_usertype/pam_usertype.c | 3 +++
|
|
||||||
1 file changed, 3 insertions(+)
|
|
||||||
|
|
||||||
diff --git a/modules/pam_usertype/pam_usertype.c b/modules/pam_usertype/pam_usertype.c
|
|
||||||
index 2807c306..d03b73b5 100644
|
|
||||||
--- a/modules/pam_usertype/pam_usertype.c
|
|
||||||
+++ b/modules/pam_usertype/pam_usertype.c
|
|
||||||
@@ -139,8 +139,11 @@ pam_usertype_get_uid(struct pam_usertype_opts *opts,
|
|
||||||
"error retrieving information about user %s", username);
|
|
||||||
}
|
|
||||||
|
|
||||||
+ pam_modutil_getpwnam(pamh, "root");
|
|
||||||
+
|
|
||||||
return PAM_USER_UNKNOWN;
|
|
||||||
}
|
|
||||||
+ pam_modutil_getpwnam(pamh, "pam_usertype_non_existent:");
|
|
||||||
|
|
||||||
*_uid = pwd->pw_uid;
|
|
||||||
|
|
||||||
--
|
|
||||||
2.26.2
|
|
||||||
|
|
@ -1,67 +0,0 @@
|
|||||||
diff -up Linux-PAM-1.4.0/modules/pam_filter/upperLOWER/Makefile.am.relro Linux-PAM-1.4.0/modules/pam_filter/upperLOWER/Makefile.am
|
|
||||||
--- Linux-PAM-1.4.0/modules/pam_filter/upperLOWER/Makefile.am.relro 2020-06-22 13:06:45.397887922 +0200
|
|
||||||
+++ Linux-PAM-1.4.0/modules/pam_filter/upperLOWER/Makefile.am 2020-06-22 13:11:50.898150263 +0200
|
|
||||||
@@ -9,7 +9,7 @@ securelibfilterdir = $(SECUREDIR)/pam_fi
|
|
||||||
|
|
||||||
AM_CFLAGS = -I$(top_srcdir)/libpam/include -I$(top_srcdir)/libpamc/include \
|
|
||||||
-I$(srcdir)/.. @PIE_CFLAGS@ $(WARN_CFLAGS)
|
|
||||||
-AM_LDFLAGS = @PIE_LDFLAGS@
|
|
||||||
+AM_LDFLAGS = -Wl,-z,now @PIE_LDFLAGS@
|
|
||||||
LDADD = $(top_builddir)/libpam/libpam.la
|
|
||||||
|
|
||||||
securelibfilter_PROGRAMS = upperLOWER
|
|
||||||
diff -up Linux-PAM-1.4.0/modules/pam_mkhomedir/Makefile.am.relro Linux-PAM-1.4.0/modules/pam_mkhomedir/Makefile.am
|
|
||||||
--- Linux-PAM-1.4.0/modules/pam_mkhomedir/Makefile.am.relro 2020-06-22 13:06:45.397887922 +0200
|
|
||||||
+++ Linux-PAM-1.4.0/modules/pam_mkhomedir/Makefile.am 2020-06-22 13:11:57.015235608 +0200
|
|
||||||
@@ -31,6 +31,8 @@ endif
|
|
||||||
|
|
||||||
sbin_PROGRAMS = mkhomedir_helper
|
|
||||||
mkhomedir_helper_SOURCES = mkhomedir_helper.c
|
|
||||||
+mkhomedir_helper_CFLAGS = $(AM_CFLAGS) @PIE_CFLAGS@
|
|
||||||
+mkhomedir_helper_LDFLAGS = -Wl,-z,now @PIE_LDFLAGS@
|
|
||||||
mkhomedir_helper_LDADD = $(top_builddir)/libpam/libpam.la
|
|
||||||
|
|
||||||
check_PROGRAMS = tst-pam_mkhomedir-retval
|
|
||||||
diff -up Linux-PAM-1.4.0/modules/pam_tally2/Makefile.am.relro Linux-PAM-1.4.0/modules/pam_tally2/Makefile.am
|
|
||||||
--- Linux-PAM-1.4.0/modules/pam_tally2/Makefile.am.relro 2020-06-08 12:17:27.000000000 +0200
|
|
||||||
+++ Linux-PAM-1.4.0/modules/pam_tally2/Makefile.am 2020-06-22 13:06:45.398887936 +0200
|
|
||||||
@@ -29,6 +29,8 @@ if HAVE_VERSIONING
|
|
||||||
pam_tally2_la_LDFLAGS += -Wl,--version-script=$(srcdir)/../modules.map
|
|
||||||
endif
|
|
||||||
|
|
||||||
+pam_tally2_CFLAGS = $(AM_CFLAGS) @PIE_CFLAGS@
|
|
||||||
+pam_tally2_LDFLAGS = -Wl,-z,now @PIE_LDFLAGS@
|
|
||||||
pam_tally2_LDADD = $(top_builddir)/libpam/libpam.la $(LIBAUDIT)
|
|
||||||
|
|
||||||
securelib_LTLIBRARIES = pam_tally2.la
|
|
||||||
diff -up Linux-PAM-1.4.0/modules/pam_timestamp/Makefile.am.relro Linux-PAM-1.4.0/modules/pam_timestamp/Makefile.am
|
|
||||||
--- Linux-PAM-1.4.0/modules/pam_timestamp/Makefile.am.relro 2020-06-08 12:17:27.000000000 +0200
|
|
||||||
+++ Linux-PAM-1.4.0/modules/pam_timestamp/Makefile.am 2020-06-22 13:06:45.398887936 +0200
|
|
||||||
@@ -38,7 +38,7 @@ pam_timestamp_la_CFLAGS = $(AM_CFLAGS)
|
|
||||||
pam_timestamp_check_SOURCES = pam_timestamp_check.c
|
|
||||||
pam_timestamp_check_CFLAGS = $(AM_CFLAGS) @PIE_CFLAGS@
|
|
||||||
pam_timestamp_check_LDADD = $(top_builddir)/libpam/libpam.la
|
|
||||||
-pam_timestamp_check_LDFLAGS = @PIE_LDFLAGS@
|
|
||||||
+pam_timestamp_check_LDFLAGS = -Wl,-z,now @PIE_LDFLAGS@
|
|
||||||
|
|
||||||
hmacfile_SOURCES = hmacfile.c hmacsha1.c sha1.c
|
|
||||||
hmacfile_LDADD = $(top_builddir)/libpam/libpam.la
|
|
||||||
diff -up Linux-PAM-1.4.0/modules/pam_unix/Makefile.am.relro Linux-PAM-1.4.0/modules/pam_unix/Makefile.am
|
|
||||||
--- Linux-PAM-1.4.0/modules/pam_unix/Makefile.am.relro 2020-06-08 12:17:27.000000000 +0200
|
|
||||||
+++ Linux-PAM-1.4.0/modules/pam_unix/Makefile.am 2020-06-22 13:06:45.398887936 +0200
|
|
||||||
@@ -48,13 +48,13 @@ bigcrypt_LDADD = @LIBCRYPT@
|
|
||||||
unix_chkpwd_SOURCES = unix_chkpwd.c md5_good.c md5_broken.c bigcrypt.c \
|
|
||||||
passverify.c
|
|
||||||
unix_chkpwd_CFLAGS = $(AM_CFLAGS) @PIE_CFLAGS@ -DHELPER_COMPILE=\"unix_chkpwd\"
|
|
||||||
-unix_chkpwd_LDFLAGS = @PIE_LDFLAGS@
|
|
||||||
+unix_chkpwd_LDFLAGS = -Wl,-z,now @PIE_LDFLAGS@
|
|
||||||
unix_chkpwd_LDADD = @LIBCRYPT@ @LIBSELINUX@ @LIBAUDIT@
|
|
||||||
|
|
||||||
unix_update_SOURCES = unix_update.c md5_good.c md5_broken.c bigcrypt.c \
|
|
||||||
passverify.c
|
|
||||||
unix_update_CFLAGS = $(AM_CFLAGS) @PIE_CFLAGS@ -DHELPER_COMPILE=\"unix_update\"
|
|
||||||
-unix_update_LDFLAGS = @PIE_LDFLAGS@
|
|
||||||
+unix_update_LDFLAGS = -Wl,-z,now @PIE_LDFLAGS@
|
|
||||||
unix_update_LDADD = @LIBCRYPT@ @LIBSELINUX@
|
|
||||||
|
|
||||||
if ENABLE_REGENERATE_MAN
|
|
@ -1,84 +0,0 @@
|
|||||||
From 50ab1eda259ff039922b2774895f09bf0a57e078 Mon Sep 17 00:00:00 2001
|
|
||||||
From: Andreas Schneider <asn@cryptomilk.org>
|
|
||||||
Date: Wed, 4 Nov 2020 17:21:47 +0100
|
|
||||||
Subject: [PATCH 1/2] libpam: Fix memory leak with pam_start_confdir()
|
|
||||||
|
|
||||||
Found with AddressSanitzer in pam_wrapper tests.
|
|
||||||
|
|
||||||
==985738== 44 bytes in 4 blocks are definitely lost in loss record 18 of 18
|
|
||||||
==985738== at 0x4839809: malloc (vg_replace_malloc.c:307)
|
|
||||||
==985738== by 0x48957E1: _pam_strdup (pam_misc.c:129)
|
|
||||||
==985738== by 0x489851B: _pam_start_internal (pam_start.c:85)
|
|
||||||
==985738== by 0x4849C8C: libpam_pam_start_confdir (pam_wrapper.c:418)
|
|
||||||
==985738== by 0x484AF94: pwrap_pam_start (pam_wrapper.c:1461)
|
|
||||||
==985738== by 0x484AFEE: pam_start (pam_wrapper.c:1483)
|
|
||||||
==985738== by 0x401723: setup_noconv (test_pam_wrapper.c:189)
|
|
||||||
==985738== by 0x4889E82: ??? (in /usr/lib64/libcmocka.so.0.7.0)
|
|
||||||
==985738== by 0x488A444: _cmocka_run_group_tests (in /usr/lib64/libcmocka.so.0.7.0)
|
|
||||||
==985738== by 0x403EE5: main (test_pam_wrapper.c:1059)
|
|
||||||
|
|
||||||
Signed-off-by: Andreas Schneider <asn@cryptomilk.org>
|
|
||||||
---
|
|
||||||
libpam/pam_end.c | 3 +++
|
|
||||||
1 file changed, 3 insertions(+)
|
|
||||||
|
|
||||||
diff --git a/libpam/pam_end.c b/libpam/pam_end.c
|
|
||||||
index 942253d8..406b1478 100644
|
|
||||||
--- a/libpam/pam_end.c
|
|
||||||
+++ b/libpam/pam_end.c
|
|
||||||
@@ -56,6 +56,9 @@ int pam_end(pam_handle_t *pamh, int pam_status)
|
|
||||||
_pam_overwrite(pamh->user);
|
|
||||||
_pam_drop(pamh->user);
|
|
||||||
|
|
||||||
+ _pam_overwrite(pamh->confdir);
|
|
||||||
+ _pam_drop(pamh->confdir);
|
|
||||||
+
|
|
||||||
_pam_overwrite(pamh->prompt);
|
|
||||||
_pam_drop(pamh->prompt); /* prompt for pam_get_user() */
|
|
||||||
|
|
||||||
--
|
|
||||||
2.26.2
|
|
||||||
|
|
||||||
|
|
||||||
From 51318fd423a8ab4456a278ef0aff6ad449aab916 Mon Sep 17 00:00:00 2001
|
|
||||||
From: Andreas Schneider <asn@cryptomilk.org>
|
|
||||||
Date: Wed, 4 Nov 2020 17:23:09 +0100
|
|
||||||
Subject: [PATCH 2/2] libpam: Fix memory leak on error path in
|
|
||||||
_pam_start_internal()
|
|
||||||
|
|
||||||
Signed-off-by: Andreas Schneider <asn@cryptomilk.org>
|
|
||||||
---
|
|
||||||
libpam/pam_start.c | 3 +++
|
|
||||||
1 file changed, 3 insertions(+)
|
|
||||||
|
|
||||||
diff --git a/libpam/pam_start.c b/libpam/pam_start.c
|
|
||||||
index 59d06224..99dd0389 100644
|
|
||||||
--- a/libpam/pam_start.c
|
|
||||||
+++ b/libpam/pam_start.c
|
|
||||||
@@ -115,6 +115,7 @@ static int _pam_start_internal (
|
|
||||||
pam_syslog(*pamh, LOG_CRIT, "pam_start: malloc failed for pam_conv");
|
|
||||||
_pam_drop((*pamh)->service_name);
|
|
||||||
_pam_drop((*pamh)->user);
|
|
||||||
+ _pam_drop((*pamh)->confdir);
|
|
||||||
_pam_drop(*pamh);
|
|
||||||
return (PAM_BUF_ERR);
|
|
||||||
} else {
|
|
||||||
@@ -128,6 +129,7 @@ static int _pam_start_internal (
|
|
||||||
_pam_drop((*pamh)->pam_conversation);
|
|
||||||
_pam_drop((*pamh)->service_name);
|
|
||||||
_pam_drop((*pamh)->user);
|
|
||||||
+ _pam_drop((*pamh)->confdir);
|
|
||||||
_pam_drop(*pamh);
|
|
||||||
return PAM_ABORT;
|
|
||||||
}
|
|
||||||
@@ -145,6 +147,7 @@ static int _pam_start_internal (
|
|
||||||
_pam_drop((*pamh)->pam_conversation);
|
|
||||||
_pam_drop((*pamh)->service_name);
|
|
||||||
_pam_drop((*pamh)->user);
|
|
||||||
+ _pam_drop((*pamh)->confdir);
|
|
||||||
_pam_drop(*pamh);
|
|
||||||
return PAM_ABORT;
|
|
||||||
}
|
|
||||||
--
|
|
||||||
2.26.2
|
|
||||||
|
|
@ -1,186 +0,0 @@
|
|||||||
From 16cebfeb30a8bd7c7dc269190a054c25b0f8d044 Mon Sep 17 00:00:00 2001
|
|
||||||
From: ikerexxe <ipedrosa@redhat.com>
|
|
||||||
Date: Tue, 15 Sep 2020 15:54:10 +0200
|
|
||||||
Subject: [PATCH 1/2] pam_motd: filter motd by user and group
|
|
||||||
|
|
||||||
modules/pam_motd/pam_motd.c: filter motd by user and group owning the
|
|
||||||
proper files. This is achieved by changing the ids of the process
|
|
||||||
reading the files from root to the target user.
|
|
||||||
|
|
||||||
Resolves:
|
|
||||||
https://bugzilla.redhat.com/show_bug.cgi?id=1861640
|
|
||||||
---
|
|
||||||
modules/pam_motd/pam_motd.c | 97 ++++++++++++++++++++++++++++---------
|
|
||||||
1 file changed, 75 insertions(+), 22 deletions(-)
|
|
||||||
|
|
||||||
diff --git a/modules/pam_motd/pam_motd.c b/modules/pam_motd/pam_motd.c
|
|
||||||
index 46f4fe61..a4fd0e59 100644
|
|
||||||
--- a/modules/pam_motd/pam_motd.c
|
|
||||||
+++ b/modules/pam_motd/pam_motd.c
|
|
||||||
@@ -282,6 +282,72 @@ static void try_to_display_directories_with_overrides(pam_handle_t *pamh,
|
|
||||||
_pam_drop(dirscans);
|
|
||||||
}
|
|
||||||
|
|
||||||
+static int drop_privileges(pam_handle_t *pamh, struct pam_modutil_privs *privs)
|
|
||||||
+{
|
|
||||||
+ struct passwd *pw;
|
|
||||||
+ const char *username;
|
|
||||||
+ int retval;
|
|
||||||
+
|
|
||||||
+ retval = pam_get_user(pamh, &username, "key user");
|
|
||||||
+
|
|
||||||
+ if (retval == PAM_SUCCESS) {
|
|
||||||
+ pw = pam_modutil_getpwnam (pamh, username);
|
|
||||||
+ } else {
|
|
||||||
+ return PAM_SESSION_ERR;
|
|
||||||
+ }
|
|
||||||
+
|
|
||||||
+ if (pw == NULL || pam_modutil_drop_priv(pamh, privs, pw)) {
|
|
||||||
+ return PAM_SESSION_ERR;
|
|
||||||
+ }
|
|
||||||
+
|
|
||||||
+ return PAM_SUCCESS;
|
|
||||||
+}
|
|
||||||
+
|
|
||||||
+static int try_to_display(pam_handle_t *pamh, char **motd_path_split,
|
|
||||||
+ unsigned int num_motd_paths,
|
|
||||||
+ char **motd_dir_path_split,
|
|
||||||
+ unsigned int num_motd_dir_paths, int report_missing)
|
|
||||||
+{
|
|
||||||
+ PAM_MODUTIL_DEF_PRIVS(privs);
|
|
||||||
+
|
|
||||||
+ if (drop_privileges(pamh, &privs) != PAM_SUCCESS) {
|
|
||||||
+ pam_syslog(pamh, LOG_ERR, "Unable to drop privileges");
|
|
||||||
+ return PAM_SESSION_ERR;
|
|
||||||
+ }
|
|
||||||
+
|
|
||||||
+ if (motd_path_split != NULL) {
|
|
||||||
+ unsigned int i;
|
|
||||||
+
|
|
||||||
+ for (i = 0; i < num_motd_paths; i++) {
|
|
||||||
+ int fd = open(motd_path_split[i], O_RDONLY, 0);
|
|
||||||
+
|
|
||||||
+ if (fd >= 0) {
|
|
||||||
+ try_to_display_fd(pamh, fd);
|
|
||||||
+ close(fd);
|
|
||||||
+
|
|
||||||
+ /* We found and displayed a file,
|
|
||||||
+ * move onto next filename.
|
|
||||||
+ */
|
|
||||||
+ break;
|
|
||||||
+ }
|
|
||||||
+ }
|
|
||||||
+ }
|
|
||||||
+
|
|
||||||
+ if (motd_dir_path_split != NULL) {
|
|
||||||
+ try_to_display_directories_with_overrides(pamh,
|
|
||||||
+ motd_dir_path_split,
|
|
||||||
+ num_motd_dir_paths,
|
|
||||||
+ report_missing);
|
|
||||||
+ }
|
|
||||||
+
|
|
||||||
+ if (pam_modutil_regain_priv(pamh, &privs)) {
|
|
||||||
+ pam_syslog(pamh, LOG_ERR, "Unable to regain privileges");
|
|
||||||
+ return PAM_SESSION_ERR;
|
|
||||||
+ }
|
|
||||||
+
|
|
||||||
+ return PAM_SUCCESS;
|
|
||||||
+}
|
|
||||||
+
|
|
||||||
int pam_sm_open_session(pam_handle_t *pamh, int flags,
|
|
||||||
int argc, const char **argv)
|
|
||||||
{
|
|
||||||
@@ -358,25 +424,9 @@ int pam_sm_open_session(pam_handle_t *pamh, int flags,
|
|
||||||
}
|
|
||||||
}
|
|
||||||
|
|
||||||
- if (motd_path_split != NULL) {
|
|
||||||
- unsigned int i;
|
|
||||||
-
|
|
||||||
- for (i = 0; i < num_motd_paths; i++) {
|
|
||||||
- int fd = open(motd_path_split[i], O_RDONLY, 0);
|
|
||||||
-
|
|
||||||
- if (fd >= 0) {
|
|
||||||
- try_to_display_fd(pamh, fd);
|
|
||||||
- close(fd);
|
|
||||||
-
|
|
||||||
- /* We found and displayed a file, move onto next filename. */
|
|
||||||
- break;
|
|
||||||
- }
|
|
||||||
- }
|
|
||||||
- }
|
|
||||||
-
|
|
||||||
- if (motd_dir_path_split != NULL)
|
|
||||||
- try_to_display_directories_with_overrides(pamh, motd_dir_path_split,
|
|
||||||
- num_motd_dir_paths, report_missing);
|
|
||||||
+ retval = try_to_display(pamh, motd_path_split, num_motd_paths,
|
|
||||||
+ motd_dir_path_split, num_motd_dir_paths,
|
|
||||||
+ report_missing);
|
|
||||||
|
|
||||||
out:
|
|
||||||
_pam_drop(motd_path_copy);
|
|
||||||
@@ -384,9 +434,12 @@ int pam_sm_open_session(pam_handle_t *pamh, int flags,
|
|
||||||
_pam_drop(motd_dir_path_copy);
|
|
||||||
_pam_drop(motd_dir_path_split);
|
|
||||||
|
|
||||||
- retval = pam_putenv(pamh, "MOTD_SHOWN=pam");
|
|
||||||
-
|
|
||||||
- return retval == PAM_SUCCESS ? PAM_IGNORE : retval;
|
|
||||||
+ if (retval == PAM_SUCCESS) {
|
|
||||||
+ retval = pam_putenv(pamh, "MOTD_SHOWN=pam");
|
|
||||||
+ return retval == PAM_SUCCESS ? PAM_IGNORE : retval;
|
|
||||||
+ } else {
|
|
||||||
+ return retval;
|
|
||||||
+ }
|
|
||||||
}
|
|
||||||
|
|
||||||
/* end of module definition */
|
|
||||||
--
|
|
||||||
2.26.2
|
|
||||||
|
|
||||||
|
|
||||||
From ad8b6feaf8ea989368676acaea905998a807986e Mon Sep 17 00:00:00 2001
|
|
||||||
From: ikerexxe <ipedrosa@redhat.com>
|
|
||||||
Date: Wed, 14 Oct 2020 11:30:00 +0200
|
|
||||||
Subject: [PATCH 2/2] pam_motd: document file filtering
|
|
||||||
|
|
||||||
modules/pam_motd/pam_motd.8.xml: document file filtering of motd
|
|
||||||
messages.
|
|
||||||
NEWS: annotate change.
|
|
||||||
---
|
|
||||||
NEWS | 3 +++
|
|
||||||
modules/pam_motd/pam_motd.8.xml | 5 +++--
|
|
||||||
2 files changed, 6 insertions(+), 2 deletions(-)
|
|
||||||
|
|
||||||
diff --git a/NEWS b/NEWS
|
|
||||||
index e8c0de87..c3b338e2 100644
|
|
||||||
--- a/NEWS
|
|
||||||
+++ b/NEWS
|
|
||||||
@@ -1,5 +1,8 @@
|
|
||||||
Linux-PAM NEWS -- history of user-visible changes.
|
|
||||||
|
|
||||||
+Release 1.5.0
|
|
||||||
+* pam_motd: read motd files with target user credentials skipping unreadable ones.
|
|
||||||
+
|
|
||||||
Release 1.4.0
|
|
||||||
* Multiple minor bug fixes and documentation improvements
|
|
||||||
* Fixed grammar of messages printed via pam_prompt
|
|
||||||
diff --git a/modules/pam_motd/pam_motd.8.xml b/modules/pam_motd/pam_motd.8.xml
|
|
||||||
index b533530b..0afd4c99 100644
|
|
||||||
--- a/modules/pam_motd/pam_motd.8.xml
|
|
||||||
+++ b/modules/pam_motd/pam_motd.8.xml
|
|
||||||
@@ -64,8 +64,9 @@
|
|
||||||
override files with the same name in <filename>/usr/lib/motd.d/</filename>.
|
|
||||||
</para>
|
|
||||||
<para>
|
|
||||||
- Files the in the directories listed above are displayed in
|
|
||||||
- lexicographic order by name.
|
|
||||||
+ Files in the directories listed above are displayed in lexicographic
|
|
||||||
+ order by name. Moreover, the files are filtered by reading them with the
|
|
||||||
+ credentials of the target user authenticating on the system.
|
|
||||||
</para>
|
|
||||||
<para>
|
|
||||||
To silence a message,
|
|
||||||
--
|
|
||||||
2.26.2
|
|
||||||
|
|
@ -1,27 +0,0 @@
|
|||||||
From 9f24bbeeb4fe04bc396898cd9825478ad52c5ac7 Mon Sep 17 00:00:00 2001
|
|
||||||
From: ikerexxe <ipedrosa@redhat.com>
|
|
||||||
Date: Wed, 21 Oct 2020 09:47:20 +0200
|
|
||||||
Subject: [PATCH] pam_motd: unset prompt value to drop privileges
|
|
||||||
|
|
||||||
modules/pam_motd/pam_motd.c: set NULL value instead of "key user" for the
|
|
||||||
prompt when dropping privileges.
|
|
||||||
---
|
|
||||||
modules/pam_motd/pam_motd.c | 2 +-
|
|
||||||
1 file changed, 1 insertion(+), 1 deletion(-)
|
|
||||||
|
|
||||||
diff --git a/modules/pam_motd/pam_motd.c b/modules/pam_motd/pam_motd.c
|
|
||||||
index a4fd0e59..6ac8cba2 100644
|
|
||||||
--- a/modules/pam_motd/pam_motd.c
|
|
||||||
+++ b/modules/pam_motd/pam_motd.c
|
|
||||||
@@ -288,7 +288,7 @@ static int drop_privileges(pam_handle_t *pamh, struct pam_modutil_privs *privs)
|
|
||||||
const char *username;
|
|
||||||
int retval;
|
|
||||||
|
|
||||||
- retval = pam_get_user(pamh, &username, "key user");
|
|
||||||
+ retval = pam_get_user(pamh, &username, NULL);
|
|
||||||
|
|
||||||
if (retval == PAM_SUCCESS) {
|
|
||||||
pw = pam_modutil_getpwnam (pamh, username);
|
|
||||||
--
|
|
||||||
2.26.2
|
|
||||||
|
|
@ -1,24 +0,0 @@
|
|||||||
diff -up Linux-PAM-1.4.0/doc/Makefile.am.noflex Linux-PAM-1.4.0/doc/Makefile.am
|
|
||||||
--- Linux-PAM-1.4.0/doc/Makefile.am.noflex 2020-06-08 12:17:27.000000000 +0200
|
|
||||||
+++ Linux-PAM-1.4.0/doc/Makefile.am 2020-06-22 12:32:01.994741087 +0200
|
|
||||||
@@ -2,7 +2,7 @@
|
|
||||||
# Copyright (c) 2005, 2006 Thorsten Kukuk <kukuk@suse.de>
|
|
||||||
#
|
|
||||||
|
|
||||||
-SUBDIRS = man specs sag adg mwg
|
|
||||||
+SUBDIRS = man sag adg mwg
|
|
||||||
|
|
||||||
CLEANFILES = *~
|
|
||||||
|
|
||||||
diff -up Linux-PAM-1.4.0/Makefile.am.noflex Linux-PAM-1.4.0/Makefile.am
|
|
||||||
--- Linux-PAM-1.4.0/Makefile.am.noflex 2020-06-22 12:32:01.994741087 +0200
|
|
||||||
+++ Linux-PAM-1.4.0/Makefile.am 2020-06-22 12:39:36.932129391 +0200
|
|
||||||
@@ -4,7 +4,7 @@
|
|
||||||
|
|
||||||
AUTOMAKE_OPTIONS = 1.9 gnu dist-bzip2 dist-xz check-news
|
|
||||||
|
|
||||||
-SUBDIRS = libpam tests libpamc libpam_misc modules po conf examples xtests
|
|
||||||
+SUBDIRS = libpam tests libpamc libpam_misc modules po doc examples xtests
|
|
||||||
|
|
||||||
if HAVE_DOC
|
|
||||||
SUBDIRS += doc
|
|
@ -1,15 +0,0 @@
|
|||||||
diff -up Linux-PAM-1.4.0/modules/pam_env/pam_env.8.xml.nouserenv Linux-PAM-1.4.0/modules/pam_env/pam_env.8.xml
|
|
||||||
--- Linux-PAM-1.4.0/modules/pam_env/pam_env.8.xml.nouserenv 2020-06-22 13:00:37.480755648 +0200
|
|
||||||
+++ Linux-PAM-1.4.0/modules/pam_env/pam_env.8.xml 2020-06-22 13:05:06.038501660 +0200
|
|
||||||
@@ -158,7 +158,10 @@
|
|
||||||
<listitem>
|
|
||||||
<para>
|
|
||||||
Turns on or off the reading of the user specific environment
|
|
||||||
- file. 0 is off, 1 is on. By default this option is off.
|
|
||||||
+ file. 0 is off, 1 is on. By default this option is off as user
|
|
||||||
+ supplied environment variables in the PAM environment could affect
|
|
||||||
+ behavior of subsequent modules in the stack without the consent
|
|
||||||
+ of the system administrator.
|
|
||||||
</para>
|
|
||||||
</listitem>
|
|
||||||
</varlistentry>
|
|
@ -1,808 +0,0 @@
|
|||||||
diff -up Linux-PAM-1.4.0/modules/pam_pwhistory/Makefile.am.pwhhelper Linux-PAM-1.4.0/modules/pam_pwhistory/Makefile.am
|
|
||||||
--- Linux-PAM-1.4.0/modules/pam_pwhistory/Makefile.am.pwhhelper 2020-06-08 12:17:27.000000000 +0200
|
|
||||||
+++ Linux-PAM-1.4.0/modules/pam_pwhistory/Makefile.am 2020-06-22 13:22:13.740840867 +0200
|
|
||||||
@@ -1,5 +1,6 @@
|
|
||||||
#
|
|
||||||
# Copyright (c) 2008, 2009 Thorsten Kukuk <kukuk@suse.de>
|
|
||||||
+# Copyright (c) 2013 Red Hat, Inc.
|
|
||||||
#
|
|
||||||
|
|
||||||
CLEANFILES = *~
|
|
||||||
@@ -8,9 +9,9 @@ MAINTAINERCLEANFILES = $(MANS) README
|
|
||||||
EXTRA_DIST = $(XMLS)
|
|
||||||
|
|
||||||
if HAVE_DOC
|
|
||||||
-dist_man_MANS = pam_pwhistory.8
|
|
||||||
+dist_man_MANS = pam_pwhistory.8 pwhistory_helper.8
|
|
||||||
endif
|
|
||||||
-XMLS = README.xml pam_pwhistory.8.xml
|
|
||||||
+XMLS = README.xml pam_pwhistory.8.xml pwhistory_helper.8.xml
|
|
||||||
dist_check_SCRIPTS = tst-pam_pwhistory
|
|
||||||
TESTS = $(dist_check_SCRIPTS)
|
|
||||||
|
|
||||||
@@ -18,18 +19,26 @@ securelibdir = $(SECUREDIR)
|
|
||||||
secureconfdir = $(SCONFIGDIR)
|
|
||||||
|
|
||||||
AM_CFLAGS = -I$(top_srcdir)/libpam/include -I$(top_srcdir)/libpamc/include \
|
|
||||||
- $(WARN_CFLAGS)
|
|
||||||
-AM_LDFLAGS = -no-undefined -avoid-version -module
|
|
||||||
+ $(WARN_CFLAGS) -DPWHISTORY_HELPER=\"$(sbindir)/pwhistory_helper\"
|
|
||||||
+
|
|
||||||
+pam_pwhistory_la_LDFLAGS = -no-undefined -avoid-version -module
|
|
||||||
if HAVE_VERSIONING
|
|
||||||
- AM_LDFLAGS += -Wl,--version-script=$(srcdir)/../modules.map
|
|
||||||
+ pam_pwhistory_la_LDFLAGS += -Wl,--version-script=$(srcdir)/../modules.map
|
|
||||||
endif
|
|
||||||
|
|
||||||
noinst_HEADERS = opasswd.h
|
|
||||||
|
|
||||||
securelib_LTLIBRARIES = pam_pwhistory.la
|
|
||||||
-pam_pwhistory_la_LIBADD = $(top_builddir)/libpam/libpam.la @LIBCRYPT@
|
|
||||||
+pam_pwhistory_la_CFLAGS = $(AM_CFLAGS)
|
|
||||||
+pam_pwhistory_la_LIBADD = $(top_builddir)/libpam/libpam.la @LIBCRYPT@ @LIBSELINUX@
|
|
||||||
pam_pwhistory_la_SOURCES = pam_pwhistory.c opasswd.c
|
|
||||||
|
|
||||||
+sbin_PROGRAMS = pwhistory_helper
|
|
||||||
+pwhistory_helper_CFLAGS = $(AM_CFLAGS) -DHELPER_COMPILE=\"pwhistory_helper\" @PIE_CFLAGS@
|
|
||||||
+pwhistory_helper_SOURCES = pwhistory_helper.c opasswd.c
|
|
||||||
+pwhistory_helper_LDFLAGS = -Wl,-z,now @PIE_LDFLAGS@
|
|
||||||
+pwhistory_helper_LDADD = $(top_builddir)/libpam/libpam.la @LIBCRYPT@
|
|
||||||
+
|
|
||||||
if ENABLE_REGENERATE_MAN
|
|
||||||
dist_noinst_DATA = README
|
|
||||||
-include $(top_srcdir)/Make.xml.rules
|
|
||||||
diff -up Linux-PAM-1.4.0/modules/pam_pwhistory/opasswd.c.pwhhelper Linux-PAM-1.4.0/modules/pam_pwhistory/opasswd.c
|
|
||||||
--- Linux-PAM-1.4.0/modules/pam_pwhistory/opasswd.c.pwhhelper 2020-06-08 12:17:27.000000000 +0200
|
|
||||||
+++ Linux-PAM-1.4.0/modules/pam_pwhistory/opasswd.c 2020-06-22 13:24:02.424365617 +0200
|
|
||||||
@@ -1,5 +1,6 @@
|
|
||||||
/*
|
|
||||||
* Copyright (c) 2008 Thorsten Kukuk <kukuk@suse.de>
|
|
||||||
+ * Copyright (c) 2013 Red Hat, Inc.
|
|
||||||
*
|
|
||||||
* Redistribution and use in source and binary forms, with or without
|
|
||||||
* modification, are permitted provided that the following conditions
|
|
||||||
@@ -38,6 +39,7 @@
|
|
||||||
#endif
|
|
||||||
|
|
||||||
#include <pwd.h>
|
|
||||||
+#include <shadow.h>
|
|
||||||
#include <time.h>
|
|
||||||
#include <ctype.h>
|
|
||||||
#include <errno.h>
|
|
||||||
@@ -47,6 +49,7 @@
|
|
||||||
#include <string.h>
|
|
||||||
#include <stdlib.h>
|
|
||||||
#include <syslog.h>
|
|
||||||
+#include <stdarg.h>
|
|
||||||
#include <sys/stat.h>
|
|
||||||
|
|
||||||
#if defined HAVE_LIBXCRYPT
|
|
||||||
@@ -55,7 +58,14 @@
|
|
||||||
#include <crypt.h>
|
|
||||||
#endif
|
|
||||||
|
|
||||||
+#ifdef HELPER_COMPILE
|
|
||||||
+#define pam_modutil_getpwnam(h,n) getpwnam(n)
|
|
||||||
+#define pam_modutil_getspnam(h,n) getspnam(n)
|
|
||||||
+#define pam_syslog(h,a,...) helper_log_err(a,__VA_ARGS__)
|
|
||||||
+#else
|
|
||||||
+#include <security/pam_modutil.h>
|
|
||||||
#include <security/pam_ext.h>
|
|
||||||
+#endif
|
|
||||||
#include <security/pam_modules.h>
|
|
||||||
|
|
||||||
#include "opasswd.h"
|
|
||||||
@@ -76,6 +86,19 @@ typedef struct {
|
|
||||||
char *old_passwords;
|
|
||||||
} opwd;
|
|
||||||
|
|
||||||
+#ifdef HELPER_COMPILE
|
|
||||||
+void
|
|
||||||
+helper_log_err(int err, const char *format, ...)
|
|
||||||
+{
|
|
||||||
+ va_list args;
|
|
||||||
+
|
|
||||||
+ va_start(args, format);
|
|
||||||
+ openlog(HELPER_COMPILE, LOG_CONS | LOG_PID, LOG_AUTHPRIV);
|
|
||||||
+ vsyslog(err, format, args);
|
|
||||||
+ va_end(args);
|
|
||||||
+ closelog();
|
|
||||||
+}
|
|
||||||
+#endif
|
|
||||||
|
|
||||||
static int
|
|
||||||
parse_entry (char *line, opwd *data)
|
|
||||||
@@ -117,8 +140,8 @@ compare_password(const char *newpass, co
|
|
||||||
}
|
|
||||||
|
|
||||||
/* Check, if the new password is already in the opasswd file. */
|
|
||||||
-int
|
|
||||||
-check_old_pass (pam_handle_t *pamh, const char *user,
|
|
||||||
+PAMH_ARG_DECL(int
|
|
||||||
+check_old_pass, const char *user,
|
|
||||||
const char *newpass, int debug)
|
|
||||||
{
|
|
||||||
int retval = PAM_SUCCESS;
|
|
||||||
@@ -128,6 +151,11 @@ check_old_pass (pam_handle_t *pamh, cons
|
|
||||||
opwd entry;
|
|
||||||
int found = 0;
|
|
||||||
|
|
||||||
+#ifndef HELPER_COMPILE
|
|
||||||
+ if (SELINUX_ENABLED)
|
|
||||||
+ return PAM_PWHISTORY_RUN_HELPER;
|
|
||||||
+#endif
|
|
||||||
+
|
|
||||||
if ((oldpf = fopen (OLD_PASSWORDS_FILE, "r")) == NULL)
|
|
||||||
{
|
|
||||||
if (errno != ENOENT)
|
|
||||||
@@ -213,9 +241,9 @@ check_old_pass (pam_handle_t *pamh, cons
|
|
||||||
return retval;
|
|
||||||
}
|
|
||||||
|
|
||||||
-int
|
|
||||||
-save_old_pass (pam_handle_t *pamh, const char *user, uid_t uid,
|
|
||||||
- const char *oldpass, int howmany, int debug UNUSED)
|
|
||||||
+PAMH_ARG_DECL(int
|
|
||||||
+save_old_pass, const char *user,
|
|
||||||
+ int howmany, int debug UNUSED)
|
|
||||||
{
|
|
||||||
char opasswd_tmp[] = TMP_PASSWORDS_FILE;
|
|
||||||
struct stat opasswd_stat;
|
|
||||||
@@ -226,10 +254,35 @@ save_old_pass (pam_handle_t *pamh, const
|
|
||||||
char *buf = NULL;
|
|
||||||
size_t buflen = 0;
|
|
||||||
int found = 0;
|
|
||||||
+ struct passwd *pwd;
|
|
||||||
+ const char *oldpass;
|
|
||||||
+
|
|
||||||
+ pwd = pam_modutil_getpwnam (pamh, user);
|
|
||||||
+ if (pwd == NULL)
|
|
||||||
+ return PAM_USER_UNKNOWN;
|
|
||||||
|
|
||||||
if (howmany <= 0)
|
|
||||||
return PAM_SUCCESS;
|
|
||||||
|
|
||||||
+#ifndef HELPER_COMPILE
|
|
||||||
+ if (SELINUX_ENABLED)
|
|
||||||
+ return PAM_PWHISTORY_RUN_HELPER;
|
|
||||||
+#endif
|
|
||||||
+
|
|
||||||
+ if ((strcmp(pwd->pw_passwd, "x") == 0) ||
|
|
||||||
+ ((pwd->pw_passwd[0] == '#') &&
|
|
||||||
+ (pwd->pw_passwd[1] == '#') &&
|
|
||||||
+ (strcmp(pwd->pw_name, pwd->pw_passwd + 2) == 0)))
|
|
||||||
+ {
|
|
||||||
+ struct spwd *spw = pam_modutil_getspnam (pamh, user);
|
|
||||||
+
|
|
||||||
+ if (spw == NULL)
|
|
||||||
+ return PAM_USER_UNKNOWN;
|
|
||||||
+ oldpass = spw->sp_pwdp;
|
|
||||||
+ }
|
|
||||||
+ else
|
|
||||||
+ oldpass = pwd->pw_passwd;
|
|
||||||
+
|
|
||||||
if (oldpass == NULL || *oldpass == '\0')
|
|
||||||
return PAM_SUCCESS;
|
|
||||||
|
|
||||||
@@ -452,7 +505,7 @@ save_old_pass (pam_handle_t *pamh, const
|
|
||||||
{
|
|
||||||
char *out;
|
|
||||||
|
|
||||||
- if (asprintf (&out, "%s:%d:1:%s\n", user, uid, oldpass) < 0)
|
|
||||||
+ if (asprintf (&out, "%s:%d:1:%s\n", user, pwd->pw_uid, oldpass) < 0)
|
|
||||||
{
|
|
||||||
retval = PAM_AUTHTOK_ERR;
|
|
||||||
if (oldpf)
|
|
||||||
diff -up Linux-PAM-1.4.0/modules/pam_pwhistory/opasswd.h.pwhhelper Linux-PAM-1.4.0/modules/pam_pwhistory/opasswd.h
|
|
||||||
--- Linux-PAM-1.4.0/modules/pam_pwhistory/opasswd.h.pwhhelper 2020-06-08 12:17:27.000000000 +0200
|
|
||||||
+++ Linux-PAM-1.4.0/modules/pam_pwhistory/opasswd.h 2020-06-22 13:13:23.722445347 +0200
|
|
||||||
@@ -1,5 +1,6 @@
|
|
||||||
/*
|
|
||||||
* Copyright (c) 2008 Thorsten Kukuk <kukuk@suse.de>
|
|
||||||
+ * Copyright (c) 2013 Red Hat, Inc.
|
|
||||||
*
|
|
||||||
* Redistribution and use in source and binary forms, with or without
|
|
||||||
* modification, are permitted provided that the following conditions
|
|
||||||
@@ -36,10 +37,32 @@
|
|
||||||
#ifndef __OPASSWD_H__
|
|
||||||
#define __OPASSWD_H__
|
|
||||||
|
|
||||||
-extern int check_old_pass (pam_handle_t *pamh, const char *user,
|
|
||||||
- const char *newpass, int debug);
|
|
||||||
-extern int save_old_pass (pam_handle_t *pamh, const char *user,
|
|
||||||
- uid_t uid, const char *oldpass,
|
|
||||||
- int howmany, int debug);
|
|
||||||
+#define PAM_PWHISTORY_RUN_HELPER PAM_CRED_INSUFFICIENT
|
|
||||||
+
|
|
||||||
+#ifdef WITH_SELINUX
|
|
||||||
+#include <selinux/selinux.h>
|
|
||||||
+#define SELINUX_ENABLED is_selinux_enabled()>0
|
|
||||||
+#else
|
|
||||||
+#define SELINUX_ENABLED 0
|
|
||||||
+#endif
|
|
||||||
+
|
|
||||||
+#ifdef HELPER_COMPILE
|
|
||||||
+#define PAMH_ARG_DECL(fname, ...) fname(__VA_ARGS__)
|
|
||||||
+#define PAMH_ARG(...) __VA_ARGS__
|
|
||||||
+#else
|
|
||||||
+#define PAMH_ARG_DECL(fname, ...) fname(pam_handle_t *pamh, __VA_ARGS__)
|
|
||||||
+#define PAMH_ARG(...) pamh, __VA_ARGS__
|
|
||||||
+#endif
|
|
||||||
+
|
|
||||||
+#ifdef HELPER_COMPILE
|
|
||||||
+void
|
|
||||||
+helper_log_err(int err, const char *format, ...);
|
|
||||||
+#endif
|
|
||||||
+
|
|
||||||
+PAMH_ARG_DECL(int
|
|
||||||
+check_old_pass, const char *user, const char *newpass, int debug);
|
|
||||||
+
|
|
||||||
+PAMH_ARG_DECL(int
|
|
||||||
+save_old_pass, const char *user, int howmany, int debug);
|
|
||||||
|
|
||||||
#endif /* __OPASSWD_H__ */
|
|
||||||
diff -up Linux-PAM-1.4.0/modules/pam_pwhistory/pam_pwhistory.c.pwhhelper Linux-PAM-1.4.0/modules/pam_pwhistory/pam_pwhistory.c
|
|
||||||
--- Linux-PAM-1.4.0/modules/pam_pwhistory/pam_pwhistory.c.pwhhelper 2020-06-08 12:17:27.000000000 +0200
|
|
||||||
+++ Linux-PAM-1.4.0/modules/pam_pwhistory/pam_pwhistory.c 2020-06-22 13:25:23.107497539 +0200
|
|
||||||
@@ -3,6 +3,7 @@
|
|
||||||
*
|
|
||||||
* Copyright (c) 2008, 2012 Thorsten Kukuk
|
|
||||||
* Author: Thorsten Kukuk <kukuk@thkukuk.de>
|
|
||||||
+ * Copyright (c) 2013 Red Hat, Inc.
|
|
||||||
*
|
|
||||||
* Redistribution and use in source and binary forms, with or without
|
|
||||||
* modification, are permitted provided that the following conditions
|
|
||||||
@@ -46,10 +47,14 @@
|
|
||||||
#include <stdlib.h>
|
|
||||||
#include <string.h>
|
|
||||||
#include <unistd.h>
|
|
||||||
-#include <shadow.h>
|
|
||||||
#include <syslog.h>
|
|
||||||
#include <sys/types.h>
|
|
||||||
#include <sys/stat.h>
|
|
||||||
+#include <sys/time.h>
|
|
||||||
+#include <sys/resource.h>
|
|
||||||
+#include <sys/wait.h>
|
|
||||||
+#include <signal.h>
|
|
||||||
+#include <fcntl.h>
|
|
||||||
|
|
||||||
#include <security/pam_modules.h>
|
|
||||||
#include <security/pam_modutil.h>
|
|
||||||
@@ -60,6 +65,7 @@
|
|
||||||
#include "pam_inline.h"
|
|
||||||
|
|
||||||
#define DEFAULT_BUFLEN 2048
|
|
||||||
+#define MAX_FD_NO 20000
|
|
||||||
|
|
||||||
struct options_t {
|
|
||||||
int debug;
|
|
||||||
@@ -105,6 +111,184 @@ parse_option (pam_handle_t *pamh, const
|
|
||||||
pam_syslog (pamh, LOG_ERR, "pam_pwhistory: unknown option: %s", argv);
|
|
||||||
}
|
|
||||||
|
|
||||||
+static int
|
|
||||||
+run_save_helper(pam_handle_t *pamh, const char *user,
|
|
||||||
+ int howmany, int debug)
|
|
||||||
+{
|
|
||||||
+ int retval, child;
|
|
||||||
+ struct sigaction newsa, oldsa;
|
|
||||||
+
|
|
||||||
+ memset(&newsa, '\0', sizeof(newsa));
|
|
||||||
+ newsa.sa_handler = SIG_DFL;
|
|
||||||
+ sigaction(SIGCHLD, &newsa, &oldsa);
|
|
||||||
+
|
|
||||||
+ child = fork();
|
|
||||||
+ if (child == 0)
|
|
||||||
+ {
|
|
||||||
+ int i = 0;
|
|
||||||
+ struct rlimit rlim;
|
|
||||||
+ int dummyfds[2];
|
|
||||||
+ static char *envp[] = { NULL };
|
|
||||||
+ char *args[] = { NULL, NULL, NULL, NULL, NULL, NULL };
|
|
||||||
+
|
|
||||||
+ /* replace std file descriptors with a dummy pipe */
|
|
||||||
+ if (pipe2(dummyfds, O_NONBLOCK) == 0)
|
|
||||||
+ {
|
|
||||||
+ dup2(dummyfds[0], STDIN_FILENO);
|
|
||||||
+ dup2(dummyfds[1], STDOUT_FILENO);
|
|
||||||
+ dup2(dummyfds[1], STDERR_FILENO);
|
|
||||||
+ }
|
|
||||||
+
|
|
||||||
+ if (getrlimit(RLIMIT_NOFILE,&rlim) == 0)
|
|
||||||
+ {
|
|
||||||
+ if (rlim.rlim_max >= MAX_FD_NO)
|
|
||||||
+ rlim.rlim_max = MAX_FD_NO;
|
|
||||||
+ for (i = STDERR_FILENO + 1; i < (int)rlim.rlim_max; i++)
|
|
||||||
+ {
|
|
||||||
+ if (i != dummyfds[0])
|
|
||||||
+ close(i);
|
|
||||||
+ }
|
|
||||||
+ }
|
|
||||||
+
|
|
||||||
+ /* exec binary helper */
|
|
||||||
+ args[0] = strdup(PWHISTORY_HELPER);
|
|
||||||
+ args[1] = strdup("save");
|
|
||||||
+ args[2] = x_strdup(user);
|
|
||||||
+ asprintf(&args[3], "%d", howmany);
|
|
||||||
+ asprintf(&args[4], "%d", debug);
|
|
||||||
+
|
|
||||||
+ execve(args[0], args, envp);
|
|
||||||
+
|
|
||||||
+ _exit(PAM_SYSTEM_ERR);
|
|
||||||
+ }
|
|
||||||
+ else if (child > 0)
|
|
||||||
+ {
|
|
||||||
+ /* wait for child */
|
|
||||||
+ int rc = 0;
|
|
||||||
+ rc = waitpid(child, &retval, 0); /* wait for helper to complete */
|
|
||||||
+ if (rc < 0)
|
|
||||||
+ {
|
|
||||||
+ pam_syslog(pamh, LOG_ERR, "pwhistory_helper save waitpid returned %d: %m", rc);
|
|
||||||
+ retval = PAM_SYSTEM_ERR;
|
|
||||||
+ }
|
|
||||||
+ else if (!WIFEXITED(retval))
|
|
||||||
+ {
|
|
||||||
+ pam_syslog(pamh, LOG_ERR, "pwhistory_helper save abnormal exit: %d", retval);
|
|
||||||
+ retval = PAM_SYSTEM_ERR;
|
|
||||||
+ }
|
|
||||||
+ else
|
|
||||||
+ {
|
|
||||||
+ retval = WEXITSTATUS(retval);
|
|
||||||
+ }
|
|
||||||
+ }
|
|
||||||
+ else
|
|
||||||
+ {
|
|
||||||
+ retval = PAM_SYSTEM_ERR;
|
|
||||||
+ }
|
|
||||||
+
|
|
||||||
+ sigaction(SIGCHLD, &oldsa, NULL); /* restore old signal handler */
|
|
||||||
+
|
|
||||||
+ return retval;
|
|
||||||
+}
|
|
||||||
+
|
|
||||||
+static int
|
|
||||||
+run_check_helper(pam_handle_t *pamh, const char *user,
|
|
||||||
+ const char *newpass, int debug)
|
|
||||||
+{
|
|
||||||
+ int retval, child, fds[2];
|
|
||||||
+ struct sigaction newsa, oldsa;
|
|
||||||
+
|
|
||||||
+ /* create a pipe for the password */
|
|
||||||
+ if (pipe(fds) != 0)
|
|
||||||
+ return PAM_SYSTEM_ERR;
|
|
||||||
+
|
|
||||||
+ memset(&newsa, '\0', sizeof(newsa));
|
|
||||||
+ newsa.sa_handler = SIG_DFL;
|
|
||||||
+ sigaction(SIGCHLD, &newsa, &oldsa);
|
|
||||||
+
|
|
||||||
+ child = fork();
|
|
||||||
+ if (child == 0)
|
|
||||||
+ {
|
|
||||||
+ int i = 0;
|
|
||||||
+ struct rlimit rlim;
|
|
||||||
+ int dummyfds[2];
|
|
||||||
+ static char *envp[] = { NULL };
|
|
||||||
+ char *args[] = { NULL, NULL, NULL, NULL, NULL };
|
|
||||||
+
|
|
||||||
+ /* reopen stdin as pipe */
|
|
||||||
+ dup2(fds[0], STDIN_FILENO);
|
|
||||||
+
|
|
||||||
+ /* replace std file descriptors with a dummy pipe */
|
|
||||||
+ if (pipe2(dummyfds, O_NONBLOCK) == 0)
|
|
||||||
+ {
|
|
||||||
+ dup2(dummyfds[1], STDOUT_FILENO);
|
|
||||||
+ dup2(dummyfds[1], STDERR_FILENO);
|
|
||||||
+ }
|
|
||||||
+
|
|
||||||
+ if (getrlimit(RLIMIT_NOFILE,&rlim) == 0)
|
|
||||||
+ {
|
|
||||||
+ if (rlim.rlim_max >= MAX_FD_NO)
|
|
||||||
+ rlim.rlim_max = MAX_FD_NO;
|
|
||||||
+ for (i = STDERR_FILENO + 1; i < (int)rlim.rlim_max; i++)
|
|
||||||
+ {
|
|
||||||
+ if (i != dummyfds[0])
|
|
||||||
+ close(i);
|
|
||||||
+ }
|
|
||||||
+ }
|
|
||||||
+
|
|
||||||
+ /* exec binary helper */
|
|
||||||
+ args[0] = strdup(PWHISTORY_HELPER);
|
|
||||||
+ args[1] = strdup("check");
|
|
||||||
+ args[2] = x_strdup(user);
|
|
||||||
+ asprintf(&args[3], "%d", debug);
|
|
||||||
+
|
|
||||||
+ execve(args[0], args, envp);
|
|
||||||
+
|
|
||||||
+ _exit(PAM_SYSTEM_ERR);
|
|
||||||
+ }
|
|
||||||
+ else if (child > 0)
|
|
||||||
+ {
|
|
||||||
+ /* wait for child */
|
|
||||||
+ int rc = 0;
|
|
||||||
+ if (newpass == NULL)
|
|
||||||
+ newpass = "";
|
|
||||||
+
|
|
||||||
+ /* send the password to the child */
|
|
||||||
+ if (write(fds[1], newpass, strlen(newpass)+1) == -1)
|
|
||||||
+ {
|
|
||||||
+ pam_syslog(pamh, LOG_ERR, "Cannot send password to helper: %m");
|
|
||||||
+ retval = PAM_SYSTEM_ERR;
|
|
||||||
+ }
|
|
||||||
+ newpass = NULL;
|
|
||||||
+ close(fds[0]); /* close here to avoid possible SIGPIPE above */
|
|
||||||
+ close(fds[1]);
|
|
||||||
+ rc = waitpid(child, &retval, 0); /* wait for helper to complete */
|
|
||||||
+ if (rc < 0)
|
|
||||||
+ {
|
|
||||||
+ pam_syslog(pamh, LOG_ERR, "pwhistory_helper check waitpid returned %d: %m", rc);
|
|
||||||
+ retval = PAM_SYSTEM_ERR;
|
|
||||||
+ }
|
|
||||||
+ else if (!WIFEXITED(retval))
|
|
||||||
+ {
|
|
||||||
+ pam_syslog(pamh, LOG_ERR, "pwhistory_helper check abnormal exit: %d", retval);
|
|
||||||
+ retval = PAM_SYSTEM_ERR;
|
|
||||||
+ }
|
|
||||||
+ else
|
|
||||||
+ {
|
|
||||||
+ retval = WEXITSTATUS(retval);
|
|
||||||
+ }
|
|
||||||
+ }
|
|
||||||
+ else
|
|
||||||
+ {
|
|
||||||
+ close(fds[0]);
|
|
||||||
+ close(fds[1]);
|
|
||||||
+ retval = PAM_SYSTEM_ERR;
|
|
||||||
+ }
|
|
||||||
+
|
|
||||||
+ sigaction(SIGCHLD, &oldsa, NULL); /* restore old signal handler */
|
|
||||||
+
|
|
||||||
+ return retval;
|
|
||||||
+}
|
|
||||||
|
|
||||||
/* This module saves the current crypted password in /etc/security/opasswd
|
|
||||||
and then compares the new password with all entries in this file. */
|
|
||||||
@@ -112,7 +296,6 @@ parse_option (pam_handle_t *pamh, const
|
|
||||||
int
|
|
||||||
pam_sm_chauthtok (pam_handle_t *pamh, int flags, int argc, const char **argv)
|
|
||||||
{
|
|
||||||
- struct passwd *pwd;
|
|
||||||
const char *newpass;
|
|
||||||
const char *user;
|
|
||||||
int retval, tries;
|
|
||||||
@@ -148,31 +331,13 @@ pam_sm_chauthtok (pam_handle_t *pamh, in
|
|
||||||
return PAM_SUCCESS;
|
|
||||||
}
|
|
||||||
|
|
||||||
- pwd = pam_modutil_getpwnam (pamh, user);
|
|
||||||
- if (pwd == NULL)
|
|
||||||
- return PAM_USER_UNKNOWN;
|
|
||||||
-
|
|
||||||
- if ((strcmp(pwd->pw_passwd, "x") == 0) ||
|
|
||||||
- ((pwd->pw_passwd[0] == '#') &&
|
|
||||||
- (pwd->pw_passwd[1] == '#') &&
|
|
||||||
- (strcmp(pwd->pw_name, pwd->pw_passwd + 2) == 0)))
|
|
||||||
- {
|
|
||||||
- struct spwd *spw = pam_modutil_getspnam (pamh, user);
|
|
||||||
- if (spw == NULL)
|
|
||||||
- return PAM_USER_UNKNOWN;
|
|
||||||
+ retval = save_old_pass (pamh, user, options.remember, options.debug);
|
|
||||||
|
|
||||||
- retval = save_old_pass (pamh, user, pwd->pw_uid, spw->sp_pwdp,
|
|
||||||
- options.remember, options.debug);
|
|
||||||
- if (retval != PAM_SUCCESS)
|
|
||||||
- return retval;
|
|
||||||
- }
|
|
||||||
- else
|
|
||||||
- {
|
|
||||||
- retval = save_old_pass (pamh, user, pwd->pw_uid, pwd->pw_passwd,
|
|
||||||
- options.remember, options.debug);
|
|
||||||
- if (retval != PAM_SUCCESS)
|
|
||||||
- return retval;
|
|
||||||
- }
|
|
||||||
+ if (retval == PAM_PWHISTORY_RUN_HELPER)
|
|
||||||
+ retval = run_save_helper(pamh, user, options.remember, options.debug);
|
|
||||||
+
|
|
||||||
+ if (retval != PAM_SUCCESS)
|
|
||||||
+ return retval;
|
|
||||||
|
|
||||||
newpass = NULL;
|
|
||||||
tries = 0;
|
|
||||||
@@ -201,8 +366,11 @@ pam_sm_chauthtok (pam_handle_t *pamh, in
|
|
||||||
if (options.debug)
|
|
||||||
pam_syslog (pamh, LOG_DEBUG, "check against old password file");
|
|
||||||
|
|
||||||
- if (check_old_pass (pamh, user, newpass,
|
|
||||||
- options.debug) != PAM_SUCCESS)
|
|
||||||
+ retval = check_old_pass (pamh, user, newpass, options.debug);
|
|
||||||
+ if (retval == PAM_PWHISTORY_RUN_HELPER)
|
|
||||||
+ retval = run_check_helper(pamh, user, newpass, options.debug);
|
|
||||||
+
|
|
||||||
+ if (retval != PAM_SUCCESS)
|
|
||||||
{
|
|
||||||
if (getuid() || options.enforce_for_root ||
|
|
||||||
(flags & PAM_CHANGE_EXPIRED_AUTHTOK))
|
|
||||||
diff -up Linux-PAM-1.4.0/modules/pam_pwhistory/pwhistory_helper.8.xml.pwhhelper Linux-PAM-1.4.0/modules/pam_pwhistory/pwhistory_helper.8.xml
|
|
||||||
--- Linux-PAM-1.4.0/modules/pam_pwhistory/pwhistory_helper.8.xml.pwhhelper 2020-06-22 13:13:23.723445361 +0200
|
|
||||||
+++ Linux-PAM-1.4.0/modules/pam_pwhistory/pwhistory_helper.8.xml 2020-06-22 13:13:23.723445361 +0200
|
|
||||||
@@ -0,0 +1,68 @@
|
|
||||||
+<?xml version="1.0" encoding='UTF-8'?>
|
|
||||||
+<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.3//EN"
|
|
||||||
+ "http://www.oasis-open.org/docbook/xml/4.3/docbookx.dtd">
|
|
||||||
+
|
|
||||||
+<refentry id="pwhistory_helper">
|
|
||||||
+
|
|
||||||
+ <refmeta>
|
|
||||||
+ <refentrytitle>pwhistory_helper</refentrytitle>
|
|
||||||
+ <manvolnum>8</manvolnum>
|
|
||||||
+ <refmiscinfo class="sectdesc">Linux-PAM Manual</refmiscinfo>
|
|
||||||
+ </refmeta>
|
|
||||||
+
|
|
||||||
+ <refnamediv id="pwhistory_helper-name">
|
|
||||||
+ <refname>pwhistory_helper</refname>
|
|
||||||
+ <refpurpose>Helper binary that transfers password hashes from passwd or shadow to opasswd</refpurpose>
|
|
||||||
+ </refnamediv>
|
|
||||||
+
|
|
||||||
+ <refsynopsisdiv>
|
|
||||||
+ <cmdsynopsis id="pwhistory_helper-cmdsynopsis">
|
|
||||||
+ <command>pwhistory_helper</command>
|
|
||||||
+ <arg choice="opt">
|
|
||||||
+ ...
|
|
||||||
+ </arg>
|
|
||||||
+ </cmdsynopsis>
|
|
||||||
+ </refsynopsisdiv>
|
|
||||||
+
|
|
||||||
+ <refsect1 id="pwhistory_helper-description">
|
|
||||||
+
|
|
||||||
+ <title>DESCRIPTION</title>
|
|
||||||
+
|
|
||||||
+ <para>
|
|
||||||
+ <emphasis>pwhistory_helper</emphasis> is a helper program for the
|
|
||||||
+ <emphasis>pam_pwhistory</emphasis> module that transfers password hashes
|
|
||||||
+ from passwd or shadow file to the opasswd file and checks a password
|
|
||||||
+ supplied by user against the existing hashes in the opasswd file.
|
|
||||||
+ </para>
|
|
||||||
+
|
|
||||||
+ <para>
|
|
||||||
+ The purpose of the helper is to enable tighter confinement of
|
|
||||||
+ login and password changing services. The helper is thus called only
|
|
||||||
+ when SELinux is enabled on the system.
|
|
||||||
+ </para>
|
|
||||||
+
|
|
||||||
+ <para>
|
|
||||||
+ The interface of the helper - command line options, and input/output
|
|
||||||
+ data format are internal to the <emphasis>pam_pwhistory</emphasis>
|
|
||||||
+ module and it should not be called directly from applications.
|
|
||||||
+ </para>
|
|
||||||
+ </refsect1>
|
|
||||||
+
|
|
||||||
+ <refsect1 id='pwhistory_helper-see_also'>
|
|
||||||
+ <title>SEE ALSO</title>
|
|
||||||
+ <para>
|
|
||||||
+ <citerefentry>
|
|
||||||
+ <refentrytitle>pam_pwhistory</refentrytitle><manvolnum>8</manvolnum>
|
|
||||||
+ </citerefentry>
|
|
||||||
+ </para>
|
|
||||||
+ </refsect1>
|
|
||||||
+
|
|
||||||
+ <refsect1 id='pwhistory_helper-author'>
|
|
||||||
+ <title>AUTHOR</title>
|
|
||||||
+ <para>
|
|
||||||
+ Written by Tomas Mraz based on the code originally in
|
|
||||||
+ <emphasis>pam_pwhistory and pam_unix</emphasis> modules.
|
|
||||||
+ </para>
|
|
||||||
+ </refsect1>
|
|
||||||
+
|
|
||||||
+</refentry>
|
|
||||||
diff -up Linux-PAM-1.4.0/modules/pam_pwhistory/pwhistory_helper.c.pwhhelper Linux-PAM-1.4.0/modules/pam_pwhistory/pwhistory_helper.c
|
|
||||||
--- Linux-PAM-1.4.0/modules/pam_pwhistory/pwhistory_helper.c.pwhhelper 2020-06-22 13:13:23.723445361 +0200
|
|
||||||
+++ Linux-PAM-1.4.0/modules/pam_pwhistory/pwhistory_helper.c 2020-06-22 13:13:23.723445361 +0200
|
|
||||||
@@ -0,0 +1,209 @@
|
|
||||||
+/*
|
|
||||||
+ * Copyright (c) 2013 Red Hat, Inc.
|
|
||||||
+ * Author: Tomas Mraz <tmraz@redhat.com>
|
|
||||||
+ *
|
|
||||||
+ * Redistribution and use in source and binary forms, with or without
|
|
||||||
+ * modification, are permitted provided that the following conditions
|
|
||||||
+ * are met:
|
|
||||||
+ * 1. Redistributions of source code must retain the above copyright
|
|
||||||
+ * notice, and the entire permission notice in its entirety,
|
|
||||||
+ * including the disclaimer of warranties.
|
|
||||||
+ * 2. Redistributions in binary form must reproduce the above copyright
|
|
||||||
+ * notice, this list of conditions and the following disclaimer in the
|
|
||||||
+ * documentation and/or other materials provided with the distribution.
|
|
||||||
+ * 3. The name of the author may not be used to endorse or promote
|
|
||||||
+ * products derived from this software without specific prior
|
|
||||||
+ * written permission.
|
|
||||||
+ *
|
|
||||||
+ * ALTERNATIVELY, this product may be distributed under the terms of
|
|
||||||
+ * the GNU Public License, in which case the provisions of the GPL are
|
|
||||||
+ * required INSTEAD OF the above restrictions. (This clause is
|
|
||||||
+ * necessary due to a potential bad interaction between the GPL and
|
|
||||||
+ * the restrictions contained in a BSD-style copyright.)
|
|
||||||
+ *
|
|
||||||
+ * THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED
|
|
||||||
+ * WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
|
|
||||||
+ * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
|
|
||||||
+ * DISCLAIMED. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT,
|
|
||||||
+ * INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
|
|
||||||
+ * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
|
|
||||||
+ * SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
|
|
||||||
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
|
|
||||||
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
|
|
||||||
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
|
|
||||||
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
|
|
||||||
+ */
|
|
||||||
+
|
|
||||||
+#include "config.h"
|
|
||||||
+
|
|
||||||
+#include <stdio.h>
|
|
||||||
+#include <stdlib.h>
|
|
||||||
+#include <string.h>
|
|
||||||
+#include <syslog.h>
|
|
||||||
+#include <errno.h>
|
|
||||||
+#include <unistd.h>
|
|
||||||
+#include <signal.h>
|
|
||||||
+#include <security/_pam_types.h>
|
|
||||||
+#include <security/_pam_macros.h>
|
|
||||||
+#include "opasswd.h"
|
|
||||||
+
|
|
||||||
+#define MAXPASS 200
|
|
||||||
+
|
|
||||||
+static void
|
|
||||||
+su_sighandler(int sig)
|
|
||||||
+{
|
|
||||||
+#ifndef SA_RESETHAND
|
|
||||||
+ /* emulate the behaviour of the SA_RESETHAND flag */
|
|
||||||
+ if ( sig == SIGILL || sig == SIGTRAP || sig == SIGBUS || sig = SIGSERV ) {
|
|
||||||
+ struct sigaction sa;
|
|
||||||
+ memset(&sa, '\0', sizeof(sa));
|
|
||||||
+ sa.sa_handler = SIG_DFL;
|
|
||||||
+ sigaction(sig, &sa, NULL);
|
|
||||||
+ }
|
|
||||||
+#endif
|
|
||||||
+ if (sig > 0) {
|
|
||||||
+ _exit(sig);
|
|
||||||
+ }
|
|
||||||
+}
|
|
||||||
+
|
|
||||||
+static void
|
|
||||||
+setup_signals(void)
|
|
||||||
+{
|
|
||||||
+ struct sigaction action; /* posix signal structure */
|
|
||||||
+
|
|
||||||
+ /*
|
|
||||||
+ * Setup signal handlers
|
|
||||||
+ */
|
|
||||||
+ (void) memset((void *) &action, 0, sizeof(action));
|
|
||||||
+ action.sa_handler = su_sighandler;
|
|
||||||
+#ifdef SA_RESETHAND
|
|
||||||
+ action.sa_flags = SA_RESETHAND;
|
|
||||||
+#endif
|
|
||||||
+ (void) sigaction(SIGILL, &action, NULL);
|
|
||||||
+ (void) sigaction(SIGTRAP, &action, NULL);
|
|
||||||
+ (void) sigaction(SIGBUS, &action, NULL);
|
|
||||||
+ (void) sigaction(SIGSEGV, &action, NULL);
|
|
||||||
+ action.sa_handler = SIG_IGN;
|
|
||||||
+ action.sa_flags = 0;
|
|
||||||
+ (void) sigaction(SIGTERM, &action, NULL);
|
|
||||||
+ (void) sigaction(SIGHUP, &action, NULL);
|
|
||||||
+ (void) sigaction(SIGINT, &action, NULL);
|
|
||||||
+ (void) sigaction(SIGQUIT, &action, NULL);
|
|
||||||
+}
|
|
||||||
+
|
|
||||||
+static int
|
|
||||||
+read_passwords(int fd, int npass, char **passwords)
|
|
||||||
+{
|
|
||||||
+ int rbytes = 0;
|
|
||||||
+ int offset = 0;
|
|
||||||
+ int i = 0;
|
|
||||||
+ char *pptr;
|
|
||||||
+ while (npass > 0)
|
|
||||||
+ {
|
|
||||||
+ rbytes = read(fd, passwords[i]+offset, MAXPASS-offset);
|
|
||||||
+
|
|
||||||
+ if (rbytes < 0)
|
|
||||||
+ {
|
|
||||||
+ if (errno == EINTR) continue;
|
|
||||||
+ break;
|
|
||||||
+ }
|
|
||||||
+ if (rbytes == 0)
|
|
||||||
+ break;
|
|
||||||
+
|
|
||||||
+ while (npass > 0 && (pptr=memchr(passwords[i]+offset, '\0', rbytes))
|
|
||||||
+ != NULL)
|
|
||||||
+ {
|
|
||||||
+ rbytes -= pptr - (passwords[i]+offset) + 1;
|
|
||||||
+ i++;
|
|
||||||
+ offset = 0;
|
|
||||||
+ npass--;
|
|
||||||
+ if (rbytes > 0)
|
|
||||||
+ {
|
|
||||||
+ if (npass > 0)
|
|
||||||
+ memcpy(passwords[i], pptr+1, rbytes);
|
|
||||||
+ memset(pptr+1, '\0', rbytes);
|
|
||||||
+ }
|
|
||||||
+ }
|
|
||||||
+ offset += rbytes;
|
|
||||||
+ }
|
|
||||||
+
|
|
||||||
+ /* clear up */
|
|
||||||
+ if (offset > 0 && npass > 0)
|
|
||||||
+ memset(passwords[i], '\0', offset);
|
|
||||||
+
|
|
||||||
+ return i;
|
|
||||||
+}
|
|
||||||
+
|
|
||||||
+
|
|
||||||
+static int
|
|
||||||
+check_history(const char *user, const char *debug)
|
|
||||||
+{
|
|
||||||
+ char pass[MAXPASS + 1];
|
|
||||||
+ char *passwords[] = { pass };
|
|
||||||
+ int npass;
|
|
||||||
+ int dbg = atoi(debug); /* no need to be too fancy here */
|
|
||||||
+ int retval;
|
|
||||||
+
|
|
||||||
+ /* read the password from stdin (a pipe from the pam_pwhistory module) */
|
|
||||||
+ npass = read_passwords(STDIN_FILENO, 1, passwords);
|
|
||||||
+
|
|
||||||
+ if (npass != 1)
|
|
||||||
+ { /* is it a valid password? */
|
|
||||||
+ helper_log_err(LOG_DEBUG, "no password supplied");
|
|
||||||
+ return PAM_AUTHTOK_ERR;
|
|
||||||
+ }
|
|
||||||
+
|
|
||||||
+ retval = check_old_pass(user, pass, dbg);
|
|
||||||
+
|
|
||||||
+ memset(pass, '\0', MAXPASS); /* clear memory of the password */
|
|
||||||
+
|
|
||||||
+ return retval;
|
|
||||||
+}
|
|
||||||
+
|
|
||||||
+static int
|
|
||||||
+save_history(const char *user, const char *howmany, const char *debug)
|
|
||||||
+{
|
|
||||||
+ int num = atoi(howmany);
|
|
||||||
+ int dbg = atoi(debug); /* no need to be too fancy here */
|
|
||||||
+ int retval;
|
|
||||||
+
|
|
||||||
+ retval = save_old_pass(user, num, dbg);
|
|
||||||
+
|
|
||||||
+ return retval;
|
|
||||||
+}
|
|
||||||
+
|
|
||||||
+int
|
|
||||||
+main(int argc, char *argv[])
|
|
||||||
+{
|
|
||||||
+ const char *option;
|
|
||||||
+ const char *user;
|
|
||||||
+
|
|
||||||
+ /*
|
|
||||||
+ * Catch or ignore as many signal as possible.
|
|
||||||
+ */
|
|
||||||
+ setup_signals();
|
|
||||||
+
|
|
||||||
+ /*
|
|
||||||
+ * we establish that this program is running with non-tty stdin.
|
|
||||||
+ * this is to discourage casual use.
|
|
||||||
+ */
|
|
||||||
+
|
|
||||||
+ if (isatty(STDIN_FILENO) || argc < 4)
|
|
||||||
+ {
|
|
||||||
+ fprintf(stderr,
|
|
||||||
+ "This binary is not designed for running in this way.\n");
|
|
||||||
+ sleep(10); /* this should discourage/annoy the user */
|
|
||||||
+ return PAM_SYSTEM_ERR;
|
|
||||||
+ }
|
|
||||||
+
|
|
||||||
+ option = argv[1];
|
|
||||||
+ user = argv[2];
|
|
||||||
+
|
|
||||||
+ if (strcmp(option, "check") == 0 && argc == 4)
|
|
||||||
+ return check_history(user, argv[3]);
|
|
||||||
+ else if (strcmp(option, "save") == 0 && argc == 5)
|
|
||||||
+ return save_history(user, argv[3], argv[4]);
|
|
||||||
+
|
|
||||||
+ return PAM_SYSTEM_ERR;
|
|
||||||
+}
|
|
||||||
+
|
|
@ -1,25 +0,0 @@
|
|||||||
diff -up Linux-PAM-1.4.0/configure.ac.redhat-modules Linux-PAM-1.4.0/configure.ac
|
|
||||||
--- Linux-PAM-1.4.0/configure.ac.redhat-modules 2020-06-08 12:17:27.000000000 +0200
|
|
||||||
+++ Linux-PAM-1.4.0/configure.ac 2020-06-22 12:55:55.889827909 +0200
|
|
||||||
@@ -712,6 +712,8 @@ AC_CONFIG_FILES([Makefile libpam/Makefil
|
|
||||||
po/Makefile.in \
|
|
||||||
Make.xml.rules \
|
|
||||||
modules/Makefile \
|
|
||||||
+ modules/pam_chroot/Makefile modules/pam_console/Makefile \
|
|
||||||
+ modules/pam_postgresok/Makefile \
|
|
||||||
modules/pam_access/Makefile modules/pam_cracklib/Makefile \
|
|
||||||
modules/pam_debug/Makefile modules/pam_deny/Makefile \
|
|
||||||
modules/pam_echo/Makefile modules/pam_env/Makefile \
|
|
||||||
diff -up Linux-PAM-1.4.0/modules/Makefile.am.redhat-modules Linux-PAM-1.4.0/modules/Makefile.am
|
|
||||||
--- Linux-PAM-1.4.0/modules/Makefile.am.redhat-modules 2020-06-22 12:55:55.889827909 +0200
|
|
||||||
+++ Linux-PAM-1.4.0/modules/Makefile.am 2020-06-22 12:59:19.718670992 +0200
|
|
||||||
@@ -56,6 +56,9 @@ SUBDIRS := \
|
|
||||||
pam_debug \
|
|
||||||
pam_deny \
|
|
||||||
pam_echo \
|
|
||||||
+ pam_chroot \
|
|
||||||
+ pam_console \
|
|
||||||
+ pam_postgresok \
|
|
||||||
pam_env \
|
|
||||||
pam_exec \
|
|
||||||
pam_faildelay \
|
|
@ -1,32 +0,0 @@
|
|||||||
From db6b293046aee4735f3aa2d1713742ed4b533219 Mon Sep 17 00:00:00 2001
|
|
||||||
From: Tomas Mraz <tmraz@fedoraproject.org>
|
|
||||||
Date: Wed, 22 Jul 2020 11:47:55 +0200
|
|
||||||
Subject: [PATCH] Fix missing initialization of daysleft
|
|
||||||
|
|
||||||
The daysleft otherwise stays uninitialized if there is no shadow entry.
|
|
||||||
|
|
||||||
Regression from commit f5adefa.
|
|
||||||
|
|
||||||
Fixes #255
|
|
||||||
|
|
||||||
* modules/pam_unix/pam_unix_acct.c (pam_sm_acct_mgmt): Initialize daysleft.
|
|
||||||
---
|
|
||||||
modules/pam_unix/pam_unix_acct.c | 2 +-
|
|
||||||
1 file changed, 1 insertion(+), 1 deletion(-)
|
|
||||||
|
|
||||||
diff --git a/modules/pam_unix/pam_unix_acct.c b/modules/pam_unix/pam_unix_acct.c
|
|
||||||
index de8d65c1..f46f2308 100644
|
|
||||||
--- a/modules/pam_unix/pam_unix_acct.c
|
|
||||||
+++ b/modules/pam_unix/pam_unix_acct.c
|
|
||||||
@@ -189,7 +189,7 @@ pam_sm_acct_mgmt(pam_handle_t *pamh, int flags, int argc, const char **argv)
|
|
||||||
unsigned long long ctrl;
|
|
||||||
const void *void_uname;
|
|
||||||
const char *uname;
|
|
||||||
- int retval, daysleft;
|
|
||||||
+ int retval, daysleft = -1;
|
|
||||||
char buf[256];
|
|
||||||
|
|
||||||
D(("called."));
|
|
||||||
--
|
|
||||||
2.26.2
|
|
||||||
|
|
24
pam-1.5.0-noflex.patch
Normal file
24
pam-1.5.0-noflex.patch
Normal file
@ -0,0 +1,24 @@
|
|||||||
|
diff -up Linux-PAM-1.5.0/doc/Makefile.am.noflex Linux-PAM-1.5.0/doc/Makefile.am
|
||||||
|
--- Linux-PAM-1.5.0/doc/Makefile.am.noflex 2020-11-10 16:46:13.000000000 +0100
|
||||||
|
+++ Linux-PAM-1.5.0/doc/Makefile.am 2020-11-11 11:39:00.980421433 +0100
|
||||||
|
@@ -2,7 +2,7 @@
|
||||||
|
# Copyright (c) 2005, 2006 Thorsten Kukuk <kukuk@suse.de>
|
||||||
|
#
|
||||||
|
|
||||||
|
-SUBDIRS = man specs sag adg mwg
|
||||||
|
+SUBDIRS = man sag adg mwg
|
||||||
|
|
||||||
|
CLEANFILES = *~
|
||||||
|
|
||||||
|
diff -up Linux-PAM-1.5.0/Makefile.am.noflex Linux-PAM-1.5.0/Makefile.am
|
||||||
|
--- Linux-PAM-1.5.0/Makefile.am.noflex 2020-11-11 11:39:00.980421433 +0100
|
||||||
|
+++ Linux-PAM-1.5.0/Makefile.am 2020-11-11 11:39:15.887625418 +0100
|
||||||
|
@@ -4,7 +4,7 @@
|
||||||
|
|
||||||
|
AUTOMAKE_OPTIONS = 1.9 gnu dist-xz no-dist-gzip check-news
|
||||||
|
|
||||||
|
-SUBDIRS = libpam tests libpamc libpam_misc modules po conf examples xtests
|
||||||
|
+SUBDIRS = libpam tests libpamc libpam_misc modules po doc examples xtests
|
||||||
|
|
||||||
|
if HAVE_DOC
|
||||||
|
SUBDIRS += doc
|
25
pam-1.5.0-redhat-modules.patch
Normal file
25
pam-1.5.0-redhat-modules.patch
Normal file
@ -0,0 +1,25 @@
|
|||||||
|
diff -up Linux-PAM-1.5.0/configure.ac.redhat-modules Linux-PAM-1.5.0/configure.ac
|
||||||
|
--- Linux-PAM-1.5.0/configure.ac.redhat-modules 2020-11-11 11:21:21.947857371 +0100
|
||||||
|
+++ Linux-PAM-1.5.0/configure.ac 2020-11-11 11:22:58.638193747 +0100
|
||||||
|
@@ -639,6 +639,8 @@ AC_CONFIG_FILES([Makefile libpam/Makefil
|
||||||
|
po/Makefile.in \
|
||||||
|
Make.xml.rules \
|
||||||
|
modules/Makefile \
|
||||||
|
+ modules/pam_chroot/Makefile modules/pam_console/Makefile \
|
||||||
|
+ modules/pam_postgresok/Makefile \
|
||||||
|
modules/pam_access/Makefile \
|
||||||
|
modules/pam_debug/Makefile modules/pam_deny/Makefile \
|
||||||
|
modules/pam_echo/Makefile modules/pam_env/Makefile \
|
||||||
|
diff -up Linux-PAM-1.5.0/modules/Makefile.am.redhat-modules Linux-PAM-1.5.0/modules/Makefile.am
|
||||||
|
--- Linux-PAM-1.5.0/modules/Makefile.am.redhat-modules 2020-11-10 16:46:13.000000000 +0100
|
||||||
|
+++ Linux-PAM-1.5.0/modules/Makefile.am 2020-11-11 11:21:21.947857371 +0100
|
||||||
|
@@ -47,6 +47,9 @@ SUBDIRS := \
|
||||||
|
pam_debug \
|
||||||
|
pam_deny \
|
||||||
|
pam_echo \
|
||||||
|
+ pam_chroot \
|
||||||
|
+ pam_console \
|
||||||
|
+ pam_postgresok \
|
||||||
|
pam_env \
|
||||||
|
pam_exec \
|
||||||
|
pam_faildelay \
|
69
pam.spec
69
pam.spec
@ -1,9 +1,9 @@
|
|||||||
%global pam_redhat_version 1.1.3
|
%global pam_redhat_version 1.1.4
|
||||||
|
|
||||||
Summary: An extensible library which provides authentication for applications
|
Summary: An extensible library which provides authentication for applications
|
||||||
Name: pam
|
Name: pam
|
||||||
Version: 1.4.0
|
Version: 1.5.0
|
||||||
Release: 7%{?dist}
|
Release: 1%{?dist}
|
||||||
# The library is BSD licensed with option to relicense as GPLv2+
|
# The library is BSD licensed with option to relicense as GPLv2+
|
||||||
# - this option is redundant as the BSD license allows that anyway.
|
# - this option is redundant as the BSD license allows that anyway.
|
||||||
# pam_timestamp, pam_loginuid, and pam_console modules are GPLv2+.
|
# pam_timestamp, pam_loginuid, and pam_console modules are GPLv2+.
|
||||||
@ -24,37 +24,9 @@ Source15: pamtmp.conf
|
|||||||
Source16: postlogin.pamd
|
Source16: postlogin.pamd
|
||||||
Source17: postlogin.5
|
Source17: postlogin.5
|
||||||
Source18: https://www.gnu.org/licenses/old-licenses/gpl-2.0.txt
|
Source18: https://www.gnu.org/licenses/old-licenses/gpl-2.0.txt
|
||||||
Patch1: pam-1.4.0-redhat-modules.patch
|
Patch1: pam-1.5.0-redhat-modules.patch
|
||||||
Patch9: pam-1.4.0-noflex.patch
|
Patch2: pam-1.5.0-noflex.patch
|
||||||
# https://github.com/linux-pam/linux-pam/commit/cbdef051ab5d4031656d14ac6cdb1f6c2d8d6595
|
Patch3: pam-1.3.0-unix-nomsg.patch
|
||||||
Patch10: pam-1.4.0-nouserenv.patch
|
|
||||||
# https://github.com/linux-pam/linux-pam/commit/adc037167ad293242d9c69c4d427da1001f26706
|
|
||||||
Patch13: pam-1.1.6-limits-user.patch
|
|
||||||
Patch15: pam-1.4.0-full-relro.patch
|
|
||||||
# https://github.com/linux-pam/linux-pam/commit/f787845843da96cc29ea1f864e29fb17379b36b7
|
|
||||||
Patch29: pam-1.4.0-pwhistory-helper.patch
|
|
||||||
Patch31: pam-1.1.8-audit-user-mgmt.patch
|
|
||||||
Patch33: pam-1.3.0-unix-nomsg.patch
|
|
||||||
# https://github.com/linux-pam/linux-pam/commit/655b5e3cf32cb2bd6606cb8ab696b8f00f87051e
|
|
||||||
# https://github.com/linux-pam/linux-pam/commit/a6a1b9f788a79b2a09827c72a755f471c2e05100
|
|
||||||
# https://github.com/linux-pam/linux-pam/commit/2bae5daf16d4466185fac89539d653b269a3ea01
|
|
||||||
# https://github.com/linux-pam/linux-pam/commit/276ad5b8e48aa77c24ef25e18d2e97f66c83d68c
|
|
||||||
Patch34: pam-1.4.0-coverity.patch
|
|
||||||
# https://github.com/linux-pam/linux-pam/commit/af0faf666c5008e54dfe43684f210e3581ff1bca
|
|
||||||
# https://github.com/linux-pam/linux-pam/commit/0e9b286afe1224b91ff00936058b084ad4b776e4
|
|
||||||
Patch57: pam-1.4.0-determine-user-exists.patch
|
|
||||||
# https://github.com/linux-pam/linux-pam/commit/395915dae1571e10e2766c999974de864655ea3a
|
|
||||||
Patch58: pam-1.3.1-faillock-change-file-permissions.patch
|
|
||||||
# https://github.com/linux-pam/linux-pam/commit/16cebfeb30a8bd7c7dc269190a054c25b0f8d044
|
|
||||||
# https://github.com/linux-pam/linux-pam/commit/ad8b6feaf8ea989368676acaea905998a807986e
|
|
||||||
Patch59: pam-1.4.0-motd-filter-files.patch
|
|
||||||
# https://github.com/linux-pam/linux-pam/commit/db6b293046aee4735f3aa2d1713742ed4b533219
|
|
||||||
Patch60: pam-1.4.0-unix-init-daysleft.patch
|
|
||||||
# https://github.com/linux-pam/linux-pam/commit/9f24bbeeb4fe04bc396898cd9825478ad52c5ac7
|
|
||||||
Patch61: pam-1.4.0-motd-privilege-message.patch
|
|
||||||
# https://github.com/linux-pam/linux-pam/commit/50ab1eda259ff039922b2774895f09bf0a57e078
|
|
||||||
# https://github.com/linux-pam/linux-pam/commit/51318fd423a8ab4456a278ef0aff6ad449aab916
|
|
||||||
Patch62: pam-1.4.0-libpam-start-leak.patch
|
|
||||||
|
|
||||||
%global _pamlibdir %{_libdir}
|
%global _pamlibdir %{_libdir}
|
||||||
%global _moduledir %{_libdir}/security
|
%global _moduledir %{_libdir}/security
|
||||||
@ -135,20 +107,8 @@ mv pam-redhat-%{pam_redhat_version}/* modules
|
|||||||
cp %{SOURCE18} .
|
cp %{SOURCE18} .
|
||||||
|
|
||||||
%patch1 -p1 -b .redhat-modules
|
%patch1 -p1 -b .redhat-modules
|
||||||
%patch9 -p1 -b .noflex
|
%patch2 -p1 -b .noflex
|
||||||
%patch10 -p1 -b .nouserenv
|
%patch3 -p1 -b .nomsg
|
||||||
%patch13 -p1 -b .limits
|
|
||||||
%patch15 -p1 -b .relro
|
|
||||||
%patch29 -p1 -b .pwhhelper
|
|
||||||
%patch31 -p1 -b .audit-user-mgmt
|
|
||||||
%patch33 -p1 -b .nomsg
|
|
||||||
%patch34 -p1 -b .coverity
|
|
||||||
%patch57 -p1 -b .determine-user-exists
|
|
||||||
%patch58 -p1 -b .faillock-change-file-permissions
|
|
||||||
%patch59 -p1 -b .motd-filter-files
|
|
||||||
%patch60 -p1 -b .unix-init-daysleft
|
|
||||||
%patch61 -p1 -b .motd-privilege-message
|
|
||||||
%patch62 -p1 -b .libpam-start-leak
|
|
||||||
|
|
||||||
autoreconf -i
|
autoreconf -i
|
||||||
|
|
||||||
@ -176,9 +136,6 @@ for readme in modules/pam_*/README ; do
|
|||||||
cp -f ${readme} doc/txts/README.`dirname ${readme} | sed -e 's|^modules/||'`
|
cp -f ${readme} doc/txts/README.`dirname ${readme} | sed -e 's|^modules/||'`
|
||||||
done
|
done
|
||||||
|
|
||||||
rm -rf doc/txts/README.pam_tally*
|
|
||||||
rm -rf doc/sag/html/*pam_tally*
|
|
||||||
|
|
||||||
# Install the binaries, libraries, and modules.
|
# Install the binaries, libraries, and modules.
|
||||||
make install DESTDIR=$RPM_BUILD_ROOT LDCONFIG=:
|
make install DESTDIR=$RPM_BUILD_ROOT LDCONFIG=:
|
||||||
|
|
||||||
@ -256,10 +213,6 @@ if [ -d ${dir} ] ; then
|
|||||||
%if ! %{WITH_AUDIT}
|
%if ! %{WITH_AUDIT}
|
||||||
[ ${dir} = "modules/pam_tty_audit" ] && continue
|
[ ${dir} = "modules/pam_tty_audit" ] && continue
|
||||||
%endif
|
%endif
|
||||||
# pam_tally, pam_tally2 and pam_cracklib have been deprecated and will be removed in next upstream release. So, they have been removed downstream
|
|
||||||
[ ${dir} = "modules/pam_tally" ] && continue
|
|
||||||
[ ${dir} = "modules/pam_tally2" ] && continue
|
|
||||||
[ ${dir} = "modules/pam_cracklib" ] && continue
|
|
||||||
if ! ls -1 $RPM_BUILD_ROOT%{_moduledir}/`basename ${dir}`*.so ; then
|
if ! ls -1 $RPM_BUILD_ROOT%{_moduledir}/`basename ${dir}`*.so ; then
|
||||||
echo ERROR `basename ${dir}` did not build a module.
|
echo ERROR `basename ${dir}` did not build a module.
|
||||||
exit 1
|
exit 1
|
||||||
@ -408,6 +361,12 @@ done
|
|||||||
%doc doc/sag/*.txt doc/sag/html
|
%doc doc/sag/*.txt doc/sag/html
|
||||||
|
|
||||||
%changelog
|
%changelog
|
||||||
|
* Wed Nov 11 2020 Iker Pedrosa <ipedrosa@redhat.com> - 1.5.0-1
|
||||||
|
- Rebase to release 1.5.0
|
||||||
|
- Rebase to pam-redhat-1.1.4
|
||||||
|
- Remove pam_cracklib, pam_tally and pam_tally2
|
||||||
|
- spec file cleanup
|
||||||
|
|
||||||
* Fri Nov 6 2020 Iker Pedrosa <ipedrosa@redhat.com> - 1.4.0-7
|
* Fri Nov 6 2020 Iker Pedrosa <ipedrosa@redhat.com> - 1.4.0-7
|
||||||
- libpam: fix memory leak in pam_start (#1894630)
|
- libpam: fix memory leak in pam_start (#1894630)
|
||||||
|
|
||||||
|
6
sources
6
sources
@ -1,3 +1,3 @@
|
|||||||
SHA512 (Linux-PAM-1.4.0.tar.xz) = 26eda95c45598a500bc142da4d1abf93d03b3bbb0f2390fa87c72dcbffa208dbfa115c0b411095c31ee9955e36422ccf3e2df3bd486818fafffef8c4310798c4
|
SHA512 (Linux-PAM-1.5.0.tar.xz) = 27be57465371f86c101f93c15f4475e63867c02f8f5af40d3f83b2106bfc8a46b8079302214e17f198ef903dc35b72d00b0e9bdff63ed2ecd8c69543e278f4bf
|
||||||
SHA512 (Linux-PAM-1.4.0.tar.xz.asc) = df8d35840838854b2cd6fdb5763e6b3a713dda839c1bc36e752243e76ea0414e99351b32691a6e08f2ee07013c6c4142f21e469374ec06be66887384207933b4
|
SHA512 (Linux-PAM-1.5.0.tar.xz.asc) = be90e6ebcc01933c109cb1715bcb303f29b56cb1e00b684bada804fa9d2390cec09551fefaf3529f3f12ba0f57bc83976021a0c16a42f5a3067d87dec94e5ad0
|
||||||
SHA512 (pam-redhat-1.1.3.tar.bz2) = 5f048e55c51342c3eaecc1c150e9643e6b226b413ac3e6f095fc983293ea7a6bd68e27d663a3c90be0d86b8277d15a1565ee5d7831fb49950144f6391091e8f9
|
SHA512 (pam-redhat-1.1.4.tar.bz2) = ad3b53744505faf7c93b1f0c1ef4434c2567b97e292859963401b0c117e824704713c69f7a661cccd3aecd1208facb39c433703c1f3cdea1dbda2c380006bfc4
|
||||||
|
Loading…
Reference in New Issue
Block a user