From cd929cb3b73ee8cbf56962fd812fa972b7ce41ed Mon Sep 17 00:00:00 2001 
From: cvsdist
Date: Thu, 9 Sep 2004 09:48:16 +0000
Subject: [PATCH] auto-import changelog data from pam-0.75-16.src.rpm

Wed Oct 24 2001 Nalin Dahyabhai 0.75-16
- pam_xauth: always return PAM_SUCCESS or PAM_SESSION_ERR instead of PAM_IGNORE, matching the previous behavior (libpam treats PAM_IGNORE from a single module in a stack as a session error, leading to false error messages if we just return PAM_IGNORE for all cases)

Mon Oct 22 2001 Nalin Dahyabhai 0.75-15
- reorder patches so that the reentrancy patch is applied last -- we never came to a consensus on how to guard against the bugs in calling applications which this sort of change addresses, and having them last allows for dropping in a better strategy for addressing this later on

Mon Oct 15 2001 Nalin Dahyabhai
- pam_rhosts: allow "+hostname" as a synonym for "hostname" to jive better with the hosts.equiv(5) man page
- use the automake install-sh instead of the autoconf install-sh, which disappeared somewhere between 2.50 and now

Mon Oct 08 2001 Nalin Dahyabhai
- add pwdb as a buildprereq

Fri Oct 05 2001 Nalin Dahyabhai
- pam_tally: don't try to read past the end of faillog -- it probably contains garbage, which if written into the file later on will confuse /usr/bin/faillog

Thu Oct 04 2001 Nalin Dahyabhai
- pam_limits: don't just return if the user is root -- we'll want to set the priority (it could be negative to elevate root's sessions)
- pam_issue: fix off-by-one error allocating space for the prompt string

Wed Oct 03 2001 Nalin Dahyabhai
- pam_mkhomedir: recurse into subdirectories properly
- pam_mkhomedir: handle symlinks
- pam_mkhomedir: skip over special items in the skeleton directory

Tue Oct 02 2001 Nalin Dahyabhai
- add cracklib as a buildprereq
- pam_wheel: don't ignore out if the user is attempting to switch to a unprivileged user (this lets pam_wheel do its thing when users attempt to get to system accounts or accounts of other unprivileged users)

Fri Sep 28 2001 Nalin Dahyabhai
- pam_xauth: close a possible DoS due to use of dotlock-style locking in world-writable directories by relocating the temporary file to the target user's home directory
- general: include headers local to this tree using relative paths so that system headers for PAM won't be pulled in, in case include paths don't take care of it

Thu Sep 27 2001 Nalin Dahyabhai
- pam_xauth: rewrite to skip refcounting and just use a temporary file created using mkstemp() in /tmp

Tue Sep 25 2001 Nalin Dahyabhai
- pam_userdb: fix the key_only flag so that the null-terminator of the user-password string isn't expected to be part of the key in the db file, matching the behavior of db_load 3.2.9

--- .cvsignore | 3 +- pam.spec | 367 +++++++++++++++++++++++++++++++++++------------ sources | 3 +- system-auth.pamd | 15 ++ 4 files changed, 293 insertions(+), 95 deletions(-) create mode 100644 system-auth.pamd diff --git a/.cvsignore b/.cvsignore index 837c096..5b8b88e 100644 --- a/.cvsignore +++ b/.cvsignore @@ -1 +1,2 @@ -pam-redhat-0.75-14.tar.gz +Linux-PAM-0.75.tar.bz2 +pam-redhat-0.75-16.tar.gz diff --git a/pam.spec b/pam.spec index 4347797..3634609 100644 --- a/pam.spec +++ b/pam.spec 
@@ -1,17 +1,76 @@ %define build6x 0 + +%define _libdir /lib +%define _sbindir /sbin +%define _sysconfdir /etc + Summary: A security tool which provides authentication for applications. Name: pam Version: 0.75 -Release: 14 +Release: 16 License: GPL or BSD Group: System Environment/Base -Source0: pam-redhat-%{version}-%{release}.tar.gz -Source1: other.pamd +Source0: ftp.us.kernel.org:/pub/linux/libs/pam/pre/library/Linux-PAM-%{version}.tar.bz2 +Source1: pam-redhat-%{version}-%{release}.tar.gz +Source2: other.pamd +Source3: system-auth.pamd +Patch1: pam-0.75-headers.patch +Patch2: pam-0.75-accessdoc.patch +Patch3: pam-0.75-build.patch +Patch4: pam-0.75-cached.patch +Patch5: pam-0.75-const.patch +Patch6: pam-0.75-linkage.patch +Patch7: pam-0.75-mandir.patch +Patch8: pam-0.75-primary.patch +Patch9: pam-0.75-prompt.patch +Patch11: pam-0.75-return.patch +Patch12: pam-0.75-security.patch +Patch13: pam-0.75-string.patch +Patch14: pam-0.75-typo.patch +Patch15: pam-0.75-trust.patch +Patch16: pam-0.75-userdb.patch +Patch17: pam-0.75-wheeldoc.patch +Patch18: pam-0.75-wrap.patch +Patch19: pam-0.75-cracklib-distance.patch +Patch20: pam-0.75-group-reinit.patch +Patch21: pam-0.75-lastlog-utmp.patch +Patch22: pam-0.75-limits-locks.patch +Patch23: pam-0.75-null.patch +Patch24: pam-0.75-sigchld.patch +Patch25: pam-0.75-pwdb-compare.patch +Patch26: pam-0.75-securetty-pts.patch +Patch27: pam-0.75-securetty-fail.patch +Patch28: pam-0.75-syntax.patch +Patch29: pam-0.75-time.patch +Patch30: pam-0.75-issue.patch +Patch31: pam-0.75-doc-rhl.patch +Patch32: pam-0.75-bigcrypt-main.patch +Patch33: pam-0.75-cracklib-init.patch +Patch34: pam-0.75-filter-comments.patch +Patch35: pam-0.75-unixdoc.patch +Patch36: pam-0.75-unix-loop.patch +Patch37: pam-0.75-unix-preserve.patch +Patch38: pam-0.75-unix-retval.patch +Patch39: pam-0.75-unix-brokenshadow.patch +Patch40: pam-0.75-unix-nis.patch +Patch41: pam-0.75-unix-nullok.patch +Patch42: pam-0.75-wheel-usertouser.patch +Patch43: 
pam-0.75-mkhomedir-recurse.patch +Patch44: pam-0.75-limits-root.patch +Patch45: pam-0.75-issue-seg.patch +Patch46: pam-0.75-listfile-tty.patch +Patch47: pam-0.75-tally-init.patch +Patch48: pam-0.75-rhosts-plus.patch +Patch49: pam-0.75-limits-retval.patch +Patch50: pam-0.75-reentrant.patch +Patch51: pam-0.75-macros.patch + BuildRoot: %{_tmppath}/%{name}-root Requires: cracklib, cracklib-dicts, glib, pwdb >= 0.54-2, initscripts >= 3.94 Obsoletes: pamconfig Prereq: grep, mktemp, sed, fileutils, textutils, /sbin/ldconfig -BuildPrereq: bison, glib-devel, sed, fileutils, autoconf +BuildPrereq: autoconf, automake, bison, glib-devel, sed, fileutils, cracklib +BuildPrereq: pwdb %if ! %{build6x} BuildPrereq: db3-devel %endif 
@@ -35,52 +94,102 @@ contains header files and static libraries used for building both PAM-aware applications and modules for use with PAM. %prep -%setup -q +%setup -q -n Linux-PAM-%{version} -a 1 +cp $RPM_SOURCE_DIR/other.pamd . +cp $RPM_SOURCE_DIR/system-auth.pamd . +cp %{_datadir}/automake/install-sh . +%patch1 -p1 -b .headers +%patch2 -p1 -b .accessdoc +%patch3 -p1 -b .build +%patch4 -p1 -b .cached +%patch5 -p1 -b .const +%patch6 -p1 -b .linkage +%patch7 -p1 -b .mandir +%patch8 -p1 -b .primary +%patch9 -p1 -b .prompt +%patch11 -p1 -b .return +%patch12 -p1 -b .security +%patch13 -p1 -b .string +%patch14 -p1 -b .typo +%patch15 -p1 -b .trust +%patch16 -p1 -b .userdb +%patch17 -p1 -b .wheeldoc +%patch18 -p1 -b .wrap +%patch19 -p1 -b .cracklib-distance +%patch20 -p1 -b .group-reinit +%patch21 -p1 -b .lastlog-utmp +%patch22 -p1 -b .limits-locks +%patch23 -p1 -b .null +%patch24 -p1 -b .sigchld +%patch25 -p1 -b .pwdb-compare +%patch26 -p1 -b .securetty-pts +%patch27 -p1 -b .securetty-fail +%patch28 -p1 -b .syntax +%patch29 -p1 -b .time +%patch30 -p1 -b .issue +%patch31 -p1 -b .doc-rhl +%patch32 -p1 -b .bigcrypt-main +%patch33 -p1 -b .cracklib-init +%patch34 -p1 -b .filter-comments +%patch35 -p1 -b .unix-doc +%patch36 -p1 -b .unix-loop +%patch37 -p1 -b .unix-preserve +%patch38 -p1 -b .unix-retval +%patch39 -p1 -b .unix-brokenshadow +%patch40 -p1 -b .unix-nis +%patch41 -p1 -b .unix-nullok +%patch42 -p1 -b .wheel-usertouser +%patch43 -p1 -b .mkhomedir-recurse +%patch44 -p1 -b .limits-root +%patch45 -p1 -b .issue-seg +%patch46 -p1 -b .listfile-tty +%patch47 -p1 -b .tally-init +%patch48 -p1 -b .rhosts-plus +%patch49 -p1 -b .limits-retval +%patch50 -p1 -b .reentrant +%patch51 -p1 -b .macros for readme in modules/pam_*/README ; do - cp -fv ${readme} doc/txts/README.`dirname ${readme} | sed -e 's|^modules/||'` + cp -f ${readme} doc/txts/README.`dirname ${readme} | sed -e 's|^modules/||'` done autoconf %build -CFLAGS="$RPM_OPT_FLAGS -fPIC" \ -./configure \ - --prefix=/ \ - 
--infodir=%{_infodir} \ - --mandir=%{_mandir} \ - --enable-static-libpam \ - --enable-fakeroot=$RPM_BUILD_ROOT +CFLAGS="-fPIC $RPM_OPT_FLAGS" ; export CFLAGS +%configure --enable-static-libpam --enable-fakeroot=$RPM_BUILD_ROOT make %install [ "$RPM_BUILD_ROOT" != "/" ] && rm -rf $RPM_BUILD_ROOT +# Install the binaries, libraries, and modules. make install -install -d -m 755 $RPM_BUILD_ROOT/etc/pam.d -install -d -m 755 $RPM_BUILD_ROOT%{_libdir} -install -m 644 other.pamd $RPM_BUILD_ROOT/etc/pam.d/other -install -m 644 system-auth.pamd $RPM_BUILD_ROOT/etc/pam.d/system-auth -# move the static libraries -mv $RPM_BUILD_ROOT/lib/*.a $RPM_BUILD_ROOT%{_libdir}/ +# Install default configuration files. +install -d -m 755 $RPM_BUILD_ROOT%{_sysconfdir}/pam.d +install -m 644 other.pamd $RPM_BUILD_ROOT%{_sysconfdir}/pam.d/other +install -m 644 system-auth.pamd $RPM_BUILD_ROOT%{_sysconfdir}/pam.d/system-auth -# make new .so links -pushd $RPM_BUILD_ROOT%{_libdir} -for lib in ../../lib/*.so.%{version} ; do - ln -s ${lib} `basename ${lib} .%{version}` -done -popd - -# forcibly strip the helpers -strip $RPM_BUILD_ROOT/sbin/* ||: +# Forcibly strip binaries. +strip $RPM_BUILD_ROOT%{_sbindir}/* ||: # Install man pages. +install -d -m 755 $RPM_BUILD_ROOT%{_mandir}/man{3,5,8} install -m 644 doc/man/*.3 $RPM_BUILD_ROOT%{_mandir}/man3/ install -m 644 doc/man/*.8 $RPM_BUILD_ROOT%{_mandir}/man8/ -# Make sure every module built. Yes, this is hackish. +# Move static libraries and make new .so links -- this depends on the value +# of _libdir not changing, and *not* being /usr/lib. +install -d -m 755 $RPM_BUILD_ROOT/usr/lib +for lib in libpam libpamc libpam_misc ; do +ln -sf ../..%{_libdir}/${lib}.so.%{version} $RPM_BUILD_ROOT/usr/lib/${lib}.so +ln -sf ${lib}.so.%{version} $RPM_BUILD_ROOT%{_libdir}/${lib}.so +mv $RPM_BUILD_ROOT%{_libdir}/${lib}.a $RPM_BUILD_ROOT/usr/lib/ +done + +# Make sure every module subdirectory gave us a module. Yes, this is hackish. 
for dir in modules/pam_* ; do if [ -d ${dir} ] ; then - if ! ls -1 $RPM_BUILD_ROOT/lib/security/`basename ${dir}`*.so ; then - echo ERROR `basename ${dir}` module did not build. + if ! ls -1 $RPM_BUILD_ROOT%{_libdir}/security/`basename ${dir}`*.so ; then + echo ERROR `basename ${dir}` did not build a module. exit 1 fi fi @@ -92,7 +201,7 @@ done %if ! %{build6x} %pre # Figure whether or not we're using shadow/md5 passwords if we're upgrading. -if [ -f /etc/pam.d/other ] ; then +if [ -f %{_sysconfdir}/pam.d/other ] ; then USEMD5= if [ -f /etc/sysconfig/authconfig ] ; then . /etc/sysconfig/authconfig 
@@ -151,76 +260,149 @@ fi %doc Copyright %doc doc/html doc/ps doc/txts %doc doc/specs/rfc86.0.txt -/lib/libpam.so.* -/lib/libpam_misc.so.* -/sbin/*_chkpwd -/sbin/pam_console_apply -/sbin/pam_tally -%dir /lib/security -/lib/security/pam_access.so -/lib/security/pam_chroot.so -/lib/security/pam_console.so -/lib/security/pam_cracklib.so -/lib/security/pam_deny.so -/lib/security/pam_env.so -/lib/security/pam_filter.so -/lib/security/pam_ftp.so -/lib/security/pam_group.so -/lib/security/pam_issue.so -/lib/security/pam_lastlog.so -/lib/security/pam_limits.so -/lib/security/pam_listfile.so -/lib/security/pam_localuser.so -/lib/security/pam_mail.so -/lib/security/pam_mkhomedir.so -/lib/security/pam_motd.so -/lib/security/pam_nologin.so -/lib/security/pam_permit.so -/lib/security/pam_pwdb.so -/lib/security/pam_rhosts_auth.so -/lib/security/pam_rootok.so -/lib/security/pam_securetty.so -/lib/security/pam_shells.so -/lib/security/pam_stack.so -/lib/security/pam_stress.so -/lib/security/pam_tally.so -/lib/security/pam_time.so -/lib/security/pam_unix.so -/lib/security/pam_unix_acct.so -/lib/security/pam_unix_auth.so -/lib/security/pam_unix_passwd.so -/lib/security/pam_unix_session.so -/lib/security/pam_userdb.so -/lib/security/pam_warn.so -/lib/security/pam_wheel.so -/lib/security/pam_xauth.so -/lib/security/pam_filter -%dir /etc/security -%config(noreplace) /etc/security/access.conf -%config(noreplace) /etc/security/time.conf -%config(noreplace) /etc/security/group.conf -%config(noreplace) /etc/security/limits.conf -%config(noreplace) /etc/security/pam_env.conf -%config(noreplace) /etc/security/console.perms -%dir /etc/security/console.apps +%{_libdir}/libpam.so.* +%{_libdir}/libpam_misc.so.* +%{_sbindir}/pam_console_apply +%{_sbindir}/pam_tally +%{_sbindir}/pwdb_chkpwd +%{_sbindir}/unix_chkpwd +%dir %{_libdir}/security +%{_libdir}/security/pam_access.so +%{_libdir}/security/pam_chroot.so +%{_libdir}/security/pam_console.so +%{_libdir}/security/pam_cracklib.so 
+%{_libdir}/security/pam_deny.so +%{_libdir}/security/pam_env.so +%{_libdir}/security/pam_filter.so +%{_libdir}/security/pam_ftp.so +%{_libdir}/security/pam_group.so +%{_libdir}/security/pam_issue.so +%{_libdir}/security/pam_lastlog.so +%{_libdir}/security/pam_limits.so +%{_libdir}/security/pam_listfile.so +%{_libdir}/security/pam_localuser.so +%{_libdir}/security/pam_mail.so +%{_libdir}/security/pam_mkhomedir.so +%{_libdir}/security/pam_motd.so +%{_libdir}/security/pam_nologin.so +%{_libdir}/security/pam_permit.so +%{_libdir}/security/pam_pwdb.so +%{_libdir}/security/pam_rhosts_auth.so +%{_libdir}/security/pam_rootok.so +%{_libdir}/security/pam_securetty.so +%{_libdir}/security/pam_shells.so +%{_libdir}/security/pam_stack.so +%{_libdir}/security/pam_stress.so +%{_libdir}/security/pam_tally.so +%{_libdir}/security/pam_time.so +%{_libdir}/security/pam_unix.so +%{_libdir}/security/pam_unix_acct.so +%{_libdir}/security/pam_unix_auth.so +%{_libdir}/security/pam_unix_passwd.so +%{_libdir}/security/pam_unix_session.so +%{_libdir}/security/pam_userdb.so +%{_libdir}/security/pam_warn.so +%{_libdir}/security/pam_wheel.so +%{_libdir}/security/pam_xauth.so +%{_libdir}/security/pam_filter +%dir %{_sysconfdir}/security +%config(noreplace) %{_sysconfdir}/security/access.conf +%config(noreplace) %{_sysconfdir}/security/time.conf +%config(noreplace) %{_sysconfdir}/security/group.conf +%config(noreplace) %{_sysconfdir}/security/limits.conf +%config(noreplace) %{_sysconfdir}/security/pam_env.conf +%config(noreplace) %{_sysconfdir}/security/console.perms +%dir %{_sysconfdir}/security/console.apps %dir /var/run/console %{_mandir}/man5/* %{_mandir}/man8/* %files devel %defattr(-,root,root) -/lib/libpam.so -/lib/libpam_misc.so -%{_libdir}/libpam.so -%{_libdir}/libpam.a -%{_libdir}/libpam_misc.so -%{_libdir}/libpam_misc.a -/usr/include/security/ +%{_includedir}/security/ %{_mandir}/man3/* +/usr/lib/libpam.a +/usr/lib/libpam.so +/usr/lib/libpamc.a +/usr/lib/libpamc.so 
+/usr/lib/libpam_misc.a +/usr/lib/libpam_misc.so +# At some point these will (and should) go away. +%{_libdir}/libpam.so +%{_libdir}/libpamc.so +%{_libdir}/libpam_misc.so %changelog +* Wed Oct 24 2001 Nalin Dahyabhai 0.75-16 +- pam_xauth: always return PAM_SUCCESS or PAM_SESSION_ERR instead of PAM_IGNORE, + matching the previous behavior (libpam treats PAM_IGNORE from a single module + in a stack as a session error, leading to false error messages if we just + return PAM_IGNORE for all cases) + +* Mon Oct 22 2001 Nalin Dahyabhai 0.75-15 +- reorder patches so that the reentrancy patch is applied last -- we never + came to a consensus on how to guard against the bugs in calling applications + which this sort of change addresses, and having them last allows for dropping + in a better strategy for addressing this later on + +* Mon Oct 15 2001 Nalin Dahyabhai +- pam_rhosts: allow "+hostname" as a synonym for "hostname" to jive better + with the hosts.equiv(5) man page +- use the automake install-sh instead of the autoconf install-sh, which + disappeared somewhere between 2.50 and now + +* Mon Oct 8 2001 Nalin Dahyabhai +- add pwdb as a buildprereq + +* Fri Oct 5 2001 Nalin Dahyabhai +- pam_tally: don't try to read past the end of faillog -- it probably contains + garbage, which if written into the file later on will confuse /usr/bin/faillog + +* Thu Oct 4 2001 Nalin Dahyabhai +- pam_limits: don't just return if the user is root -- we'll want to set the + priority (it could be negative to elevate root's sessions) +- pam_issue: fix off-by-one error allocating space for the prompt string + +* Wed Oct 3 2001 Nalin Dahyabhai +- pam_mkhomedir: recurse into subdirectories properly +- pam_mkhomedir: handle symlinks +- pam_mkhomedir: skip over special items in the skeleton directory + +* Tue Oct 2 2001 Nalin Dahyabhai +- add cracklib as a buildprereq +- pam_wheel: don't ignore out if the user is attempting to switch to a + unprivileged user (this lets pam_wheel do its thing when 
users attempt + to get to system accounts or accounts of other unprivileged users) + +* Fri Sep 28 2001 Nalin Dahyabhai +- pam_xauth: close a possible DoS due to use of dotlock-style locking in + world-writable directories by relocating the temporary file to the target + user's home directory +- general: include headers local to this tree using relative paths so that + system headers for PAM won't be pulled in, in case include paths don't + take care of it + +* Thu Sep 27 2001 Nalin Dahyabhai +- pam_xauth: rewrite to skip refcounting and just use a temporary file + created using mkstemp() in /tmp + +* Tue Sep 25 2001 Nalin Dahyabhai +- pam_userdb: fix the key_only flag so that the null-terminator of the + user-password string isn't expected to be part of the key in the db file, + matching the behavior of db_load 3.2.9 + +* Mon Sep 24 2001 Nalin Dahyabhai +- pam_unix: use crypt() instead of bigcrypt() when salted field is less than + the critical size which lets us know it was generated with bigcrypt() +- use a wrapper to handle ERANGE errors when calling get....._r functions: + defining PAM_GETPWNAM_R and such (for getpwnam, getpwuid, getgrnam, + getgrgid, and getspnam) before including _pam_macros.h will cause them + to be implemented as static functions, similar to how defining PAM_SM_xxx + is used to control whether or not PAM declares prototypes for certain + functions + * Mon Sep 24 2001 Nalin Dahyabhai 0.75-14 -- argh, compare entire salt, always +- pam_unix: argh, compare entire pruned salt string with crypted result, always * Sat Sep 8 2001 Bill Nottingham 0.75-13 - ship /lib/lib{pam,pam_misc}.so for legacy package builds @@ -677,4 +859,3 @@ fi * Fri Dec 18 1998 Cristian Gafton - upgrade to ver 0.65 - build the package out of internal CVS server - diff --git a/sources b/sources index 76b7ae7..b156a89 100644 --- a/sources +++ b/sources 
@@ -1 +1,2 @@ -6fce773333c3daf4b3fb6633e8b5fa41 pam-redhat-0.75-14.tar.gz +2f19d6f6908e46d8b4d115e9f842d147 Linux-PAM-0.75.tar.bz2 +d72d309425adaa6a75d1acae14559537 pam-redhat-0.75-16.tar.gz diff --git a/system-auth.pamd b/system-auth.pamd new file mode 100644 index 0000000..261064e --- /dev/null +++ b/system-auth.pamd @@ -0,0 +1,15 @@ +#%PAM-1.0 +# This file is auto-generated. +# User changes will be destroyed the next time authconfig is run. +auth required /lib/security/pam_env.so +auth sufficient /lib/security/pam_unix.so likeauth nullok +auth required /lib/security/pam_deny.so + +account required /lib/security/pam_unix.so + +password required /lib/security/pam_cracklib.so retry=3 +password sufficient /lib/security/pam_unix.so nullok use_authtok md5 shadow +password required /lib/security/pam_deny.so + +session required /lib/security/pam_limits.so +session required /lib/security/pam_unix.so
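
Review bot: Source0 in the first pam.spec hunk (@@ -1,17 +1,76 @@) is written as `ftp.us.kernel.org:/pub/linux/libs/pam/pre/library/Linux-PAM-%{version}.tar.bz2`, which has no URL scheme and names an FTP host, so anyone re-fetching the upstream tarball gets it over an unauthenticated channel with only the MD5 line in `sources` to compare against. Suggest writing it as a full URL and noting in the spec how the upstream tarball was verified. In the same hunk the patch list jumps from Patch9 to Patch11, and %prep has no `%patch10` either; a one-line comment that the number is intentionally unused would save the next maintainer from looking for a dropped patch.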
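
Review bot: the new library loop in %install (pam.spec hunk @@ -35,52 +94,102 @@) only works while `%{_libdir}` is `/lib`, and that assumption is recorded only in a comment. The link target `../..%{_libdir}/${lib}.so.%{version}` is built relative to `/usr/lib`, so a changed `_libdir` would produce broken links without failing the build; suggest a guard before the loop that exits with an error if `%{_libdir}` is not `/lib`. Style point in %prep of the same hunk: `%patch35 -p1 -b .unix-doc` uses a backup suffix that does not match the patch file name `pam-0.75-unixdoc.patch`, while `.accessdoc` and `.wheeldoc` do match theirs; `.unixdoc` would be consistent.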
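
Review bot: the %pre hunk (@@ -92,7 +201,7 @@) switches the `other` test to `%{_sysconfdir}/pam.d/other` but the lines right after it still hard-code `/etc/sysconfig/authconfig`, so the scriptlet now mixes both conventions. Either use `%{_sysconfdir}/sysconfig/authconfig` there as well or leave the whole scriptlet on literal paths, since a scriptlet that reads one path through the macro and the next one literally is easy to get wrong when the macro is changed.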
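
Review bot: in the %files hunk (@@ -151,76 +260,149 @@) the main package lists `%{_libdir}/libpam.so.*` and `%{_libdir}/libpam_misc.so.*` but nothing for libpamc, while the -devel list adds `/usr/lib/libpamc.so` and `%{_libdir}/libpamc.so`. Going by the visible lines, the versioned `libpamc.so.%{version}` that those links point at is not packaged anywhere, so the -devel links would dangle; add `%{_libdir}/libpamc.so.*` to the main %files list. Replacing the `/sbin/*_chkpwd` glob with the explicit `pwdb_chkpwd` and `unix_chkpwd` entries is a good change because a new helper can no longer be picked up unnoticed. In the changelog part of the hunk, the text of the already released 0.75-14 entry is rewritten and a second `Mon Sep 24 2001` entry is added without a release number; consider leaving the released entry as it was and putting the new wording in the new entry.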
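
Review bot: both lines added in the `sources` hunk identify the tarballs by MD5 alone (`2f19d6f6908e46d8b4d115e9f842d147 Linux-PAM-0.75.tar.bz2` and the pam-redhat-0.75-16 line). MD5 is not collision resistant, and for Linux-PAM-0.75.tar.bz2 this digest is the only integrity check on a file whose Source0 location is an FTP host. If the tooling that consumes `sources` accepts a stronger digest, record one here, and keep a note of the upstream signature or announcement the tarball was checked against.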
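
Review bot: the new system-auth.pamd passes `nullok` to pam_unix on both the `auth sufficient` line and the `password sufficient` line, so an account with an empty password field authenticates successfully through every service that stacks this file. For a packaged default, suggest dropping `nullok` from the auth line at least, or documenting in the file why passwordless accounts must be accepted. The file also spells every module as `/lib/security/...` while this same patch moves the spec to `%{_libdir}/security`; if `_libdir` ever changes, the shipped configuration will point at modules that are no longer there, so note that dependency next to the `%define _libdir /lib` line.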