From d82342266ed3de9ea1182ed549b6de080c4c3545 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Bj=C3=B6rn=20Esser?= Date: Sun, 25 Nov 2018 07:35:03 +0100 Subject: [PATCH] Fix passphraseless sudo with crypt_checksalt (#1653023) Upstream commit 4da9feb introduced a regression that made passphraseless sudo fail when it was invoked from a user with a locked passphrase. Thus we should check for such a scenario when evaluating the return value of crypt_checksalt(3). --- ...ix-fix-checksalt-passphraseless-sudo.patch | 31 +++++++++++++++++++ pam.spec | 9 +++++- 2 files changed, 39 insertions(+), 1 deletion(-) create mode 100644 pam-1.3.1-unix-fix-checksalt-passphraseless-sudo.patch diff --git a/pam-1.3.1-unix-fix-checksalt-passphraseless-sudo.patch b/pam-1.3.1-unix-fix-checksalt-passphraseless-sudo.patch new file mode 100644 index 0000000..c4926c9 --- /dev/null +++ b/pam-1.3.1-unix-fix-checksalt-passphraseless-sudo.patch @@ -0,0 +1,31 @@ +commit 3374f53d96aeea7760fb689f4acc89e9ac727428 +Author: Björn Esser +Date: Sun Nov 25 07:11:23 2018 +0100 + + pam_unix: Do not fail passphraseless sudo on locked accounts. + + Commit 4da9febc39b9 introduced a regression that made passphraseless + sudo fail when it was invoked from a user with a locked passphrase. + Thus we should check for such a scenario when evaluating the return + value of crypt_checksalt(3). + + * modules/pam_unix/passverify.c (check_shadow_expiry): Do not return + PAM_AUTHTOK_EXPIRED on locked user accounts. + +diff --git a/modules/pam_unix/passverify.c b/modules/pam_unix/passverify.c +index 39e2bfa..7c0be8d 100644 +--- a/modules/pam_unix/passverify.c ++++ b/modules/pam_unix/passverify.c +@@ -266,8 +266,10 @@ PAMH_ARG_DECL(int check_shadow_expiry, + && (curdays - spent->sp_lstchg > spent->sp_inact) + && (curdays - spent->sp_lstchg > spent->sp_max + spent->sp_inact) + && (spent->sp_max != -1) && (spent->sp_inact != -1)) +- || (crypt_checksalt(spent->sp_pwdp) == CRYPT_SALT_METHOD_DISABLED) +- || (crypt_checksalt(spent->sp_pwdp) == CRYPT_SALT_INVALID)) { ++ || (((crypt_checksalt(spent->sp_pwdp) == CRYPT_SALT_METHOD_DISABLED) ++ || (crypt_checksalt(spent->sp_pwdp) == CRYPT_SALT_INVALID)) ++ && ((spent->sp_pwdp != NULL) ++ && !((spent->sp_pwdp[0] == '!') || (spent->sp_pwdp[0] == '*'))))) { + #else + if ((curdays - spent->sp_lstchg > spent->sp_max) + && (curdays - spent->sp_lstchg > spent->sp_inact) diff --git a/pam.spec b/pam.spec index 26627b2..139d5aa 100644 --- a/pam.spec +++ b/pam.spec @@ -3,7 +3,7 @@ Summary: An extensible library which provides authentication for applications Name: pam Version: 1.3.1 -Release: 9%{?dist} +Release: 10%{?dist} # The library is BSD licensed with option to relicense as GPLv2+ # - this option is redundant as the BSD license allows that anyway. # pam_timestamp, pam_loginuid, and pam_console modules are GPLv2+. @@ -54,6 +54,9 @@ Patch39: pam-1.3.1-unix-crypt_checksalt.patch Patch40: pam-1.3.1-unix-yescrypt.patch # To be upstreamed soon. Patch41: pam-1.3.1-unix-no-fallback.patch +# https://github.com/linux-pam/linux-pam/pull/80 +# Fixes rhbz#1653023 +Patch42: pam-1.3.1-unix-fix-checksalt-passphraseless-sudo.patch %global _pamlibdir %{_libdir} %global _moduledir %{_libdir}/security @@ -142,6 +145,7 @@ cp %{SOURCE18} . %patch39 -p1 -b .crypt_checksalt %patch40 -p1 -b .yescrypt %patch41 -p1 -b .no-fallback +%patch42 -p1 -b .checksalt-passphraseless-sudo autoreconf -i @@ -384,6 +388,9 @@ done %doc doc/specs/rfc86.0.txt %changelog +* Sun Nov 25 2018 Björn Esser - 1.3.1-10 +- Fix passphraseless sudo with crypt_checksalt (#1653023) + * Fri Nov 23 2018 Björn Esser - 1.3.1-9 - Backport upstream commit removing an obsolete prototype - Backport upstream commit preferring bcrypt_b ($2b$) for blowfish