From eb01a2d4d86e2861ff3f58fabf3e1c76ff737cee Mon Sep 17 00:00:00 2001
From: Tomas Mraz
Date: Mon, 26 Nov 2018 12:58:54 +0100
Subject: [PATCH] Completely drop the check of invalid or disabled salt via crypt_checksalt
---
 pam-1.3.1-unix-crypt_checksalt.patch | 20 ------------
 ...ix-fix-checksalt-passphraseless-sudo.patch | 31 -------------------
 pam.spec | 9 +++---
 3 files changed, 4 insertions(+), 56 deletions(-)
 delete mode 100644 pam-1.3.1-unix-fix-checksalt-passphraseless-sudo.patch
diff --git a/pam-1.3.1-unix-crypt_checksalt.patch b/pam-1.3.1-unix-crypt_checksalt.patch
index 535cf37..0a74e94 100644
--- a/pam-1.3.1-unix-crypt_checksalt.patch
+++ b/pam-1.3.1-unix-crypt_checksalt.patch
@@ -38,23 +38,3 @@ index 1f433b3a..6132130a 100644
 D(("need a new password"));
 *daysleft = 0;
 return PAM_NEW_AUTHTOK_REQD;
-@@ -255,10 +261,19 @@ PAMH_ARG_DECL(int check_shadow_expiry,
- spent->sp_namp);
- return PAM_SUCCESS;
- }
-+#if defined(CRYPT_CHECKSALT_AVAILABLE) && CRYPT_CHECKSALT_AVAILABLE
-+ if (((curdays - spent->sp_lstchg > spent->sp_max)
-+ && (curdays - spent->sp_lstchg > spent->sp_inact)
-+ && (curdays - spent->sp_lstchg > spent->sp_max + spent->sp_inact)
-+ && (spent->sp_max != -1) && (spent->sp_inact != -1))
-+ || (crypt_checksalt(spent->sp_pwdp) == CRYPT_SALT_METHOD_DISABLED)
-+ || (crypt_checksalt(spent->sp_pwdp) == CRYPT_SALT_INVALID)) {
-+#else
- if ((curdays - spent->sp_lstchg > spent->sp_max)
- && (curdays - spent->sp_lstchg > spent->sp_inact)
- && (curdays - spent->sp_lstchg > spent->sp_max + spent->sp_inact)
- && (spent->sp_max != -1) && (spent->sp_inact != -1)) {
-+#endif
- *daysleft = (int)((spent->sp_lstchg + spent->sp_max) - curdays);
- D(("authtok expired"));
- return PAM_AUTHTOK_EXPIRED;
diff --git a/pam-1.3.1-unix-fix-checksalt-passphraseless-sudo.patch b/pam-1.3.1-unix-fix-checksalt-passphraseless-sudo.patch
deleted file mode 100644
index c4926c9..0000000
--- a/pam-1.3.1-unix-fix-checksalt-passphraseless-sudo.patch
+++ /dev/null
@@ -1,31 +0,0 @@
-commit 3374f53d96aeea7760fb689f4acc89e9ac727428
-Author: Björn Esser
-Date: Sun Nov 25 07:11:23 2018 +0100
-
- pam_unix: Do not fail passphraseless sudo on locked accounts.
-
- Commit 4da9febc39b9 introduced a regression that made passphraseless
- sudo fail when it was invoked from a user with a locked passphrase.
- Thus we should check for such a scenario when evaluating the return
- value of crypt_checksalt(3).
-
- * modules/pam_unix/passverify.c (check_shadow_expiry): Do not return
- PAM_AUTHTOK_EXPIRED on locked user accounts.
-
-diff --git a/modules/pam_unix/passverify.c b/modules/pam_unix/passverify.c
-index 39e2bfa..7c0be8d 100644
---- a/modules/pam_unix/passverify.c
-+++ b/modules/pam_unix/passverify.c
-@@ -266,8 +266,10 @@ PAMH_ARG_DECL(int check_shadow_expiry,
- && (curdays - spent->sp_lstchg > spent->sp_inact)
- && (curdays - spent->sp_lstchg > spent->sp_max + spent->sp_inact)
- && (spent->sp_max != -1) && (spent->sp_inact != -1))
-- || (crypt_checksalt(spent->sp_pwdp) == CRYPT_SALT_METHOD_DISABLED)
-- || (crypt_checksalt(spent->sp_pwdp) == CRYPT_SALT_INVALID)) {
-+ || (((crypt_checksalt(spent->sp_pwdp) == CRYPT_SALT_METHOD_DISABLED)
-+ || (crypt_checksalt(spent->sp_pwdp) == CRYPT_SALT_INVALID))
-+ && ((spent->sp_pwdp != NULL)
-+ && !((spent->sp_pwdp[0] == '!') || (spent->sp_pwdp[0] == '*'))))) {
- #else
- if ((curdays - spent->sp_lstchg > spent->sp_max)
- && (curdays - spent->sp_lstchg > spent->sp_inact)
diff --git a/pam.spec b/pam.spec
index 139d5aa..29dd4cd 100644
--- a/pam.spec
+++ b/pam.spec
@@ -3,7 +3,7 @@
 Summary: An extensible library which provides authentication for applications
 Name: pam
 Version: 1.3.1
-Release: 10%{?dist}
+Release: 11%{?dist}
 # The library is BSD licensed with option to relicense as GPLv2+
 # - this option is redundant as the BSD license allows that anyway.
 # pam_timestamp, pam_loginuid, and pam_console modules are GPLv2+.
@@ -54,9 +54,6 @@ Patch39: pam-1.3.1-unix-crypt_checksalt.patch
 Patch40: pam-1.3.1-unix-yescrypt.patch
 # To be upstreamed soon.
 Patch41: pam-1.3.1-unix-no-fallback.patch
-# https://github.com/linux-pam/linux-pam/pull/80
-# Fixes rhbz#1653023
-Patch42: pam-1.3.1-unix-fix-checksalt-passphraseless-sudo.patch
 %global _pamlibdir %{_libdir}
 %global _moduledir %{_libdir}/security
@@ -145,7 +142,6 @@ cp %{SOURCE18} .
 %patch39 -p1 -b .crypt_checksalt
 %patch40 -p1 -b .yescrypt
 %patch41 -p1 -b .no-fallback
-%patch42 -p1 -b .checksalt-passphraseless-sudo
 autoreconf -i
@@ -388,6 +384,9 @@ done
 %doc doc/specs/rfc86.0.txt
 %changelog
+* Mon Nov 26 2018 Tomáš Mráz 1.3.1-11
+- Completely drop the check of invalid or disabled salt via crypt_checksalt
+
 * Sun Nov 25 2018 Björn Esser - 1.3.1-10
 - Fix passphraseless sudo with crypt_checksalt (#1653023)