Fix passphraseless sudo with crypt_checksalt (#1653023)
Upstream commit 4da9feb introduced a regression that made passphraseless sudo fail when it was invoked from a user with a locked passphrase. Thus we should check for such a scenario when evaluating the return value of crypt_checksalt(3).
This commit is contained in:
parent
ae8e396328
commit
d82342266e
31
pam-1.3.1-unix-fix-checksalt-passphraseless-sudo.patch
Normal file
31
pam-1.3.1-unix-fix-checksalt-passphraseless-sudo.patch
Normal file
@ -0,0 +1,31 @@
|
|||||||
|
commit 3374f53d96aeea7760fb689f4acc89e9ac727428
|
||||||
|
Author: Björn Esser <besser82@fedoraproject.org>
|
||||||
|
Date: Sun Nov 25 07:11:23 2018 +0100
|
||||||
|
|
||||||
|
pam_unix: Do not fail passphraseless sudo on locked accounts.
|
||||||
|
|
||||||
|
Commit 4da9febc39b9 introduced a regression that made passphraseless
|
||||||
|
sudo fail when it was invoked from a user with a locked passphrase.
|
||||||
|
Thus we should check for such a scenario when evaluating the return
|
||||||
|
value of crypt_checksalt(3).
|
||||||
|
|
||||||
|
* modules/pam_unix/passverify.c (check_shadow_expiry): Do not return
|
||||||
|
PAM_AUTHTOK_EXPIRED on locked user accounts.
|
||||||
|
|
||||||
|
diff --git a/modules/pam_unix/passverify.c b/modules/pam_unix/passverify.c
|
||||||
|
index 39e2bfa..7c0be8d 100644
|
||||||
|
--- a/modules/pam_unix/passverify.c
|
||||||
|
+++ b/modules/pam_unix/passverify.c
|
||||||
|
@@ -266,8 +266,10 @@ PAMH_ARG_DECL(int check_shadow_expiry,
|
||||||
|
&& (curdays - spent->sp_lstchg > spent->sp_inact)
|
||||||
|
&& (curdays - spent->sp_lstchg > spent->sp_max + spent->sp_inact)
|
||||||
|
&& (spent->sp_max != -1) && (spent->sp_inact != -1))
|
||||||
|
- || (crypt_checksalt(spent->sp_pwdp) == CRYPT_SALT_METHOD_DISABLED)
|
||||||
|
- || (crypt_checksalt(spent->sp_pwdp) == CRYPT_SALT_INVALID)) {
|
||||||
|
+ || (((crypt_checksalt(spent->sp_pwdp) == CRYPT_SALT_METHOD_DISABLED)
|
||||||
|
+ || (crypt_checksalt(spent->sp_pwdp) == CRYPT_SALT_INVALID))
|
||||||
|
+ && ((spent->sp_pwdp != NULL)
|
||||||
|
+ && !((spent->sp_pwdp[0] == '!') || (spent->sp_pwdp[0] == '*'))))) {
|
||||||
|
#else
|
||||||
|
if ((curdays - spent->sp_lstchg > spent->sp_max)
|
||||||
|
&& (curdays - spent->sp_lstchg > spent->sp_inact)
|
9
pam.spec
9
pam.spec
@ -3,7 +3,7 @@
|
|||||||
Summary: An extensible library which provides authentication for applications
|
Summary: An extensible library which provides authentication for applications
|
||||||
Name: pam
|
Name: pam
|
||||||
Version: 1.3.1
|
Version: 1.3.1
|
||||||
Release: 9%{?dist}
|
Release: 10%{?dist}
|
||||||
# The library is BSD licensed with option to relicense as GPLv2+
|
# The library is BSD licensed with option to relicense as GPLv2+
|
||||||
# - this option is redundant as the BSD license allows that anyway.
|
# - this option is redundant as the BSD license allows that anyway.
|
||||||
# pam_timestamp, pam_loginuid, and pam_console modules are GPLv2+.
|
# pam_timestamp, pam_loginuid, and pam_console modules are GPLv2+.
|
||||||
@ -54,6 +54,9 @@ Patch39: pam-1.3.1-unix-crypt_checksalt.patch
|
|||||||
Patch40: pam-1.3.1-unix-yescrypt.patch
|
Patch40: pam-1.3.1-unix-yescrypt.patch
|
||||||
# To be upstreamed soon.
|
# To be upstreamed soon.
|
||||||
Patch41: pam-1.3.1-unix-no-fallback.patch
|
Patch41: pam-1.3.1-unix-no-fallback.patch
|
||||||
|
# https://github.com/linux-pam/linux-pam/pull/80
|
||||||
|
# Fixes rhbz#1653023
|
||||||
|
Patch42: pam-1.3.1-unix-fix-checksalt-passphraseless-sudo.patch
|
||||||
|
|
||||||
%global _pamlibdir %{_libdir}
|
%global _pamlibdir %{_libdir}
|
||||||
%global _moduledir %{_libdir}/security
|
%global _moduledir %{_libdir}/security
|
||||||
@ -142,6 +145,7 @@ cp %{SOURCE18} .
|
|||||||
%patch39 -p1 -b .crypt_checksalt
|
%patch39 -p1 -b .crypt_checksalt
|
||||||
%patch40 -p1 -b .yescrypt
|
%patch40 -p1 -b .yescrypt
|
||||||
%patch41 -p1 -b .no-fallback
|
%patch41 -p1 -b .no-fallback
|
||||||
|
%patch42 -p1 -b .checksalt-passphraseless-sudo
|
||||||
|
|
||||||
autoreconf -i
|
autoreconf -i
|
||||||
|
|
||||||
@ -384,6 +388,9 @@ done
|
|||||||
%doc doc/specs/rfc86.0.txt
|
%doc doc/specs/rfc86.0.txt
|
||||||
|
|
||||||
%changelog
|
%changelog
|
||||||
|
* Sun Nov 25 2018 Björn Esser <besser82@fedoraproject.org> - 1.3.1-10
|
||||||
|
- Fix passphraseless sudo with crypt_checksalt (#1653023)
|
||||||
|
|
||||||
* Fri Nov 23 2018 Björn Esser <besser82@fedoraproject.org> - 1.3.1-9
|
* Fri Nov 23 2018 Björn Esser <besser82@fedoraproject.org> - 1.3.1-9
|
||||||
- Backport upstream commit removing an obsolete prototype
|
- Backport upstream commit removing an obsolete prototype
|
||||||
- Backport upstream commit preferring bcrypt_b ($2b$) for blowfish
|
- Backport upstream commit preferring bcrypt_b ($2b$) for blowfish
|
||||||
|
Loading…
Reference in New Issue
Block a user