use links instead of w3m to create txt documentation
- recognize login session in pam_sepermit to prevent gdm from locking (#969174) - add support for disabling password logging in pam_tty_audit
parent
aeefedee72
commit
c8a6aadf10
58
pam-1.1.6-sepermit-user.patch
Normal file
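--- a/pam-1.1.6-sepermit-user.patch
+++ b/pam-1.1.6-sepermit-user.patch
@@ -0,0 +1,58 @@
+diff -up Linux-PAM-1.1.6/modules/pam_sepermit/Makefile.am.sepermit Linux-PAM-1.1.6/modules/pam_sepermit/Makefile.am
+--- Linux-PAM-1.1.6/modules/pam_sepermit/Makefile.am.sepermit 2013-07-24 12:55:08.822987098 -0400
++++ Linux-PAM-1.1.6/modules/pam_sepermit/Makefile.am 2013-07-24 12:55:11.653004214 -0400
+@@ -24,7 +24,7 @@ AM_CFLAGS = -I$(top_srcdir)/libpam/inclu
+-D SEPERMIT_CONF_FILE=\"$(SCONFIGDIR)/sepermit.conf\" \
+-D SEPERMIT_LOCKDIR=\"$(sepermitlockdir)\"
+
+-pam_sepermit_la_LIBADD = $(top_builddir)/libpam/libpam.la @LIBSELINUX@
++pam_sepermit_la_LIBADD = $(top_builddir)/libpam/libpam.la @LIBSELINUX@ -lsystemd-login
+pam_sepermit_la_LDFLAGS = -no-undefined -avoid-version -module
+if HAVE_VERSIONING
+pam_sepermit_la_LDFLAGS += -Wl,--version-script=$(srcdir)/../modules.map
+diff -up Linux-PAM-1.1.6/modules/pam_sepermit/pam_sepermit.c.sepermit Linux-PAM-1.1.6/modules/pam_sepermit/pam_sepermit.c
+--- Linux-PAM-1.1.6/modules/pam_sepermit/pam_sepermit.c.sepermit 2012-08-15 07:08:43.000000000 -0400
++++ Linux-PAM-1.1.6/modules/pam_sepermit/pam_sepermit.c 2013-07-24 13:17:24.088061506 -0400
+@@ -65,6 +65,7 @@
+#include <security/pam_ext.h>
+
+#include <selinux/selinux.h>
++#include <systemd/sd-login.h>
+
+#define MODULE "pam_sepermit"
+#define OPT_DELIM ":"
+@@ -187,6 +188,25 @@ sepermit_unlock(pam_handle_t *pamh, void
+}
+
+static int
++check_user_session(pam_handle_t *pamh) {
++ char *session = NULL;
++ char *class = NULL;
++ int rc;
++
++ if (sd_pid_get_session(0, &session))
++ return -1;
++ rc = sd_session_get_class(session, &class);
++ pam_syslog(pamh, LOG_ERR, "Session %s", session);
++ if (rc == 0) {
++ rc = strcmp(class, "user");
++ pam_syslog(pamh, LOG_ERR, "Class %s", class);
++ }
++ free(session);
++ free(class);
++ return rc;
++}
++
++static int
+sepermit_lock(pam_handle_t *pamh, const char *user, int debug)
+{
+char buf[PATH_MAX];
+@@ -319,7 +339,7 @@ sepermit_match(pam_handle_t *pamh, const
+if (*sense == PAM_SUCCESS) {
+if (ignore)
+*sense = PAM_IGNORE;
+- if (geteuid() == 0 && exclusive)
++ if (geteuid() == 0 && exclusive && check_user_session(pamh) != 0)
+if (sepermit_lock(pamh, user, debug) < 0)
+*sense = PAM_AUTH_ERR;
+}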
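Review bot: In `check_user_session`, the two `pam_syslog(pamh, LOG_ERR, ...)` calls for `"Session %s"` and `"Class %s"` run on every successful lookup, so a normal login writes error-priority lines to the auth log; they read like leftover debugging and should be dropped or gated on the `debug` flag that `sepermit_match` already has in scope (its body starts outside the hunk). Separately, `if (sd_pid_get_session(0, &session))` treats any non-zero value as failure, while the sd-login calls are documented to report errors as negative errno-style values; `if (sd_pid_get_session(0, &session) < 0) return -1;` avoids returning without `free(session)` on a positive success. Because the new condition in `sepermit_match` skips the exclusive lock whenever the calling process already belongs to a `user`-class session, a comment there such as `/* caller is already inside a user session (e.g. the display manager): do not take the exclusive lock */` would make that security-relevant exception explicit.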
100
pam-1.1.6-tty-audit-echo.patch
Normal file
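--- a/pam-1.1.6-tty-audit-echo.patch
+++ b/pam-1.1.6-tty-audit-echo.patch
@@ -0,0 +1,100 @@
+diff -up Linux-PAM-1.1.6/configure.in.tty-audit-echo Linux-PAM-1.1.6/configure.in
+--- Linux-PAM-1.1.6/configure.in.tty-audit-echo 2013-08-07 15:41:08.245745447 +0200
++++ Linux-PAM-1.1.6/configure.in 2013-08-07 18:13:04.358958936 +0200
+@@ -386,6 +386,10 @@ if test x"$WITH_LIBAUDIT" != xno ; then
+fi
+if test ! -z "$HAVE_AUDIT_TTY_STATUS" ; then
+AC_DEFINE([HAVE_AUDIT_TTY_STATUS], 1, [Define to 1 if struct audit_tty_status exists.])
++
++ AC_CHECK_MEMBERS([struct audit_tty_status.log_passwd], [],
++ AC_MSG_WARN([audit_tty_status.log_passwd is not available. The log_passwd option is disabled.]),
++ [[#include <libaudit.h>]])
+fi
+else
+LIBAUDIT=""
+diff -up Linux-PAM-1.1.6/modules/pam_tty_audit/pam_tty_audit.8.xml.tty-audit-echo Linux-PAM-1.1.6/modules/pam_tty_audit/pam_tty_audit.8.xml
+--- Linux-PAM-1.1.6/modules/pam_tty_audit/pam_tty_audit.8.xml.tty-audit-echo 2012-08-15 13:08:43.000000000 +0200
++++ Linux-PAM-1.1.6/modules/pam_tty_audit/pam_tty_audit.8.xml 2013-08-07 18:08:55.310028229 +0200
+@@ -77,6 +77,19 @@
+</para>
+</listitem>
+</varlistentry>
++ <varlistentry>
++ <term>
++ <option>log_passwd</option>
++ </term>
++ <listitem>
++ <para>
++ Log keystrokes when ECHO mode is off but ICANON mode is active.
++ This is the mode in which the tty is placed during password entry.
++ By default, passwords are not logged. This option may not be
++ available on older kernels (3.9?).
++ </para>
++ </listitem>
++ </varlistentry>
+</variablelist>
+</refsect1>
+
+@@ -161,6 +174,8 @@ session required pam_tty_audit.so disabl
+<para>
+pam_tty_audit was written by Miloslav Trmač
+<mitr@redhat.com>.
++ The log_passwd option was added by Richard Guy Briggs
++ <rgb@redhat.com>.
+</para>
+</refsect1>
+
+diff -up Linux-PAM-1.1.6/modules/pam_tty_audit/pam_tty_audit.c.tty-audit-echo Linux-PAM-1.1.6/modules/pam_tty_audit/pam_tty_audit.c
+--- Linux-PAM-1.1.6/modules/pam_tty_audit/pam_tty_audit.c.tty-audit-echo 2012-08-15 13:08:43.000000000 +0200
++++ Linux-PAM-1.1.6/modules/pam_tty_audit/pam_tty_audit.c 2013-08-07 18:09:29.428694493 +0200
+@@ -201,6 +201,9 @@ pam_sm_open_session (pam_handle_t *pamh,
+struct audit_tty_status *old_status, new_status;
+const char *user;
+int i, fd, open_only;
++#ifdef HAVE_STRUCT_AUDIT_TTY_STATUS_LOG_PASSWD
++ int log_passwd;
++#endif /* HAVE_STRUCT_AUDIT_TTY_STATUS_LOG_PASSWD */
+
+(void)flags;
+
+@@ -212,6 +215,9 @@ pam_sm_open_session (pam_handle_t *pamh,
+
+command = CMD_NONE;
+open_only = 0;
++#ifdef HAVE_STRUCT_AUDIT_TTY_STATUS_LOG_PASSWD
++ log_passwd = 0;
++#endif /* HAVE_STRUCT_AUDIT_TTY_STATUS_LOG_PASSWD */
+for (i = 0; i < argc; i++)
+{
+if (strncmp (argv[i], "enable=", 7) == 0
+@@ -237,6 +243,14 @@ pam_sm_open_session (pam_handle_t *pamh,
+}
+else if (strcmp (argv[i], "open_only") == 0)
+open_only = 1;
++ else if (strcmp (argv[i], "log_passwd") == 0)
++#ifdef HAVE_STRUCT_AUDIT_TTY_STATUS_LOG_PASSWD
++ log_passwd = 1;
++#else /* HAVE_STRUCT_AUDIT_TTY_STATUS_LOG_PASSWD */
++ pam_syslog (pamh, LOG_WARNING,
++ "The log_passwd option was not available at compile time.");
++#warning "pam_tty_audit: The log_passwd option is not available. Please upgrade your headers/kernel."
++#endif /* HAVE_STRUCT_AUDIT_TTY_STATUS_LOG_PASSWD */
+else
+{
+pam_syslog (pamh, LOG_ERR, "unknown option `%s'", argv[i]);
+@@ -262,7 +276,14 @@ pam_sm_open_session (pam_handle_t *pamh,
+}
+
+new_status.enabled = (command == CMD_ENABLE ? 1 : 0);
+- if (old_status->enabled == new_status.enabled)
++#ifdef HAVE_STRUCT_AUDIT_TTY_STATUS_LOG_PASSWD
++ new_status.log_passwd = log_passwd;
++#endif /* HAVE_STRUCT_AUDIT_TTY_STATUS_LOG_PASSWD */
++ if (old_status->enabled == new_status.enabled
++#ifdef HAVE_STRUCT_AUDIT_TTY_STATUS_LOG_PASSWD
++ && old_status->log_passwd == new_status.log_passwd
++#endif /* HAVE_STRUCT_AUDIT_TTY_STATUS_LOG_PASSWD */
++ )
+{
+open_only = 1; /* to clean up old_status */
+goto ok_fd;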
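Review bot: The new `log_passwd` entry in pam_tty_audit.8.xml does not state what enabling it means for the audit trail: input typed with ECHO off is normally a password, so with this option it ends up in clear text in the TTY audit records. I would add a sentence such as `When enabled, passwords typed on the audited tty are stored in clear text in the audit log; restrict access to the audit logs accordingly.` and replace the uncertain `(3.9?)` with a confirmed kernel version. In pam_tty_audit.c, the `#warning` in the `#else` branch repeats what `AC_MSG_WARN` in configure.in already reports and would presumably break builds that treat warnings as errors; the runtime `pam_syslog` line alone seems sufficient. `pam_sm_open_session` starts and ends outside these hunks, so whether the other fields of `new_status` are initialised before it is passed on cannot be checked from here.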
15
pam-1.1.6-use-links.patch
Normal file
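--- a/pam-1.1.6-use-links.patch
+++ b/pam-1.1.6-use-links.patch
@@ -0,0 +1,15 @@
+diff -up Linux-PAM-1.1.6/configure.in.links Linux-PAM-1.1.6/configure.in
+--- Linux-PAM-1.1.6/configure.in.links 2013-04-24 13:13:36.000000000 +0200
++++ Linux-PAM-1.1.6/configure.in 2013-08-07 14:08:03.818055990 +0200
+@@ -548,9 +548,9 @@ JH_CHECK_XML_CATALOG([-//OASIS//DTD DocB
+JH_CHECK_XML_CATALOG([http://docbook.sourceforge.net/release/xsl/current/manpages/docbook.xsl],
+[DocBook XSL Stylesheets], [], enable_docu=no)
+
+-AC_PATH_PROG([BROWSER], [w3m])
++AC_PATH_PROG([BROWSER], [links])
+if test ! -z "$BROWSER"; then
+- BROWSER="$BROWSER -T text/html -dump"
++ BROWSER="$BROWSER -no-numbering -no-references -dump"
+else
+enable_docu=no
+fi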
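Review bot: `AC_PATH_PROG([BROWSER], [links])` accepts any binary named `links`, but the options added two lines below (`-no-numbering -no-references`) are, as far as I know, ELinks options, and pam.spec in this same commit build-requires `elinks`. On a build host where `links` is a different browser the documentation step would presumably fail or produce different text. Probing for ELinks explicitly, e.g. `AC_PATH_PROGS([BROWSER], [elinks links])`, or at least a comment stating that the ELinks-provided `links` is expected, would make the build dependency explicit.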
16
pam.spec
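--- a/pam.spec
+++ b/pam.spec
@@ -3,7 +3,7 @@
 Summary: An extensible library which provides authentication for applications
 Name: pam
 Version: 1.1.6
-Release: 13%{?dist}
+Release: 14%{?dist}
 # The library is BSD licensed with option to relicense as GPLv2+
 # - this option is redundant as the BSD license allows that anyway.
 # pam_timestamp, pam_loginuid, and pam_console modules are GPLv2+.
@@ -60,6 +60,9 @@ Patch27: pam-1.1.6-strict-aliasing.patch
 Patch28: pam-1.1.6-selinux-manualctx.patch
 Patch29: pam-1.1.6-pwhistory-helper.patch
 Patch30: pam-1.1.6-rootok-audit.patch
+Patch31: pam-1.1.6-use-links.patch
+Patch32: pam-1.1.6-sepermit-user.patch
+Patch33: pam-1.1.6-tty-audit-echo.patch
 
 %define _pamlibdir %{_libdir}
 %define _moduledir %{_libdir}/security
@@ -91,8 +94,9 @@ Requires: libselinux >= 1.33.2
 %endif
 Requires: glibc >= 2.3.90-37
 BuildRequires: libdb-devel
+BuildRequires: systemd-devel
 # Following deps are necessary only to build the pam library documentation.
-BuildRequires: linuxdoc-tools, w3m, libxslt
+BuildRequires: linuxdoc-tools, elinks, libxslt
 BuildRequires: docbook-style-xsl, docbook-dtds
 
 URL: http://www.linux-pam.org/
@@ -145,6 +149,9 @@ mv pam-redhat-%{pam_redhat_version}/* modules
 %patch28 -p1 -b .manualctx
 %patch29 -p1 -b .pwhhelper
 %patch30 -p1 -b .audit
+%patch31 -p1 -b .links
+%patch32 -p1 -b .sepermit-user
+%patch33 -p1 -b .tty-audit-echo
 
 
 %build
@@ -393,6 +400,11 @@ fi
 %doc doc/adg/*.txt doc/adg/html
 
 %changelog
+* Wed Aug 7 2013 Tomáš Mráz <tmraz@redhat.com> 1.1.6-14
+- use links instead of w3m to create txt documentation
+- recognize login session in pam_sepermit to prevent gdm from locking (#969174)
+- add support for disabling password logging in pam_tty_audit
+
 * Sat Aug 03 2013 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 1.1.6-13
 - Rebuilt for https://fedoraproject.org/wiki/Fedora_20_Mass_Rebuild
 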