import pam-1.3.1-14.el8

SOURCES/pam-1.3.1-namespace-gdm-doc.patch

@@ -0,0 +1,68 @@
+From 491e5500b6b3913f531574208274358a2df88659 Mon Sep 17 00:00:00 2001
+From: ikerexxe <ipedrosa@redhat.com>
+Date: Mon, 5 Oct 2020 10:41:29 +0200
+Subject: [PATCH] pam_namespace: polyinstantiation refer to gdm doc
+
+modules/pam_namespace/pam_namespace.8.xml: delete obsolete information
+about polyinstantiation and refer to gdm's documentation.
+
+Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=1861841
+---
+ modules/pam_namespace/pam_namespace.8.xml | 41 ++---------------------
+ 1 file changed, 2 insertions(+), 39 deletions(-)
+
+diff --git a/modules/pam_namespace/pam_namespace.8.xml b/modules/pam_namespace/pam_namespace.8.xml
+index f0f80d33..57c44c4b 100644
+--- a/modules/pam_namespace/pam_namespace.8.xml
++++ b/modules/pam_namespace/pam_namespace.8.xml
+@@ -343,45 +343,8 @@
+     </para>
+ 
+     <para>
+-      To use polyinstantiation with graphical display manager gdm, insert the
+-      following line, before exit 0, in /etc/gdm/PostSession/Default:
+-    </para>
+-
+-    <para>
+-      /usr/sbin/gdm-safe-restart
+-    </para>
+-
+-    <para>
+-      This allows gdm to restart after each session and appropriately adjust
+-      namespaces of display manager and the X server. If polyinstantiation
+-      of /tmp is desired along with the graphical environment, then additional
+-      configuration changes are needed to address the interaction of X server
+-      and font server namespaces with their use of /tmp to create
+-      communication sockets. Please use the initialization script
+-      <filename>/etc/security/namespace.init</filename> to ensure that
+-      the X server and its clients can appropriately access the
+-      communication socket X0. Please refer to the sample instructions
+-      provided in the comment section of the instance initialization script
+-      <filename>/etc/security/namespace.init</filename>. In addition,
+-      perform the following changes to use graphical environment with
+-      polyinstantiation of /tmp:
+-    </para>
+-
+-    <para>
+-    <literallayout>
+-      1. Disable the use of font server by commenting out "FontPath"
+-         line in /etc/X11/xorg.conf. If you do want to use the font server
+-         then you will have to augment the instance initialization
+-         script to appropriately provide /tmp/.font-unix from the
+-         polyinstantiated /tmp.
+-      2. Ensure that the gdm service is setup to use pam_namespace,
+-         as described above, by modifying /etc/pam.d/gdm.
+-      3. Ensure that the display manager is configured to restart X server
+-         with each new session. This default setup can be verified by
+-         making sure that /usr/share/gdm/defaults.conf contains
+-         "AlwaysRestartServer=true", and it is not overridden by
+-         /etc/gdm/custom.conf.
+-    </literallayout>
++      To use polyinstantiation with graphical display manager gdm, please refer
++      to gdm's documentation.
+     </para>
+ 
+   </refsect1>
+-- 
+2.26.2
+

SOURCES/pam-1.3.1-wheel-pam_ruser-fallback.patch

@@ -0,0 +1,134 @@
+From 6bf9b454eb971083f0cce49faa2aa1cde329ff5d Mon Sep 17 00:00:00 2001
+From: ikerexxe <ipedrosa@redhat.com>
+Date: Wed, 26 Aug 2020 14:44:23 +0200
+Subject: [PATCH 1/3] pam_wheel: improve coding style
+
+modules/pam_wheel/pam_wheel.c: improve indentation and explicitly state
+condition statements
+---
+ modules/pam_wheel/pam_wheel.c | 36 ++++++++++++++++++-----------------
+ 1 file changed, 19 insertions(+), 17 deletions(-)
+
+diff --git a/modules/pam_wheel/pam_wheel.c b/modules/pam_wheel/pam_wheel.c
+index a025ebaf..94cb7d89 100644
+--- a/modules/pam_wheel/pam_wheel.c
++++ b/modules/pam_wheel/pam_wheel.c
+@@ -130,25 +130,27 @@ perform_check (pam_handle_t *pamh, int ctrl, const char *use_group)
+     }
+ 
+     if (ctrl & PAM_USE_UID_ARG) {
+-	tpwd = pam_modutil_getpwuid (pamh, getuid());
+-	if (!tpwd) {
+-	    if (ctrl & PAM_DEBUG_ARG) {
++        tpwd = pam_modutil_getpwuid (pamh, getuid());
++        if (tpwd == NULL) {
++            if (ctrl & PAM_DEBUG_ARG) {
+                 pam_syslog(pamh, LOG_NOTICE, "who is running me ?!");
+-	    }
+-	    return PAM_SERVICE_ERR;
+-	}
+-	fromsu = tpwd->pw_name;
++            }
++            return PAM_SERVICE_ERR;
++        }
++        fromsu = tpwd->pw_name;
+     } else {
+-	fromsu = pam_modutil_getlogin(pamh);
+-	if (fromsu) {
+-	    tpwd = pam_modutil_getpwnam (pamh, fromsu);
+-	}
+-	if (!fromsu || !tpwd) {
+-	    if (ctrl & PAM_DEBUG_ARG) {
+-		pam_syslog(pamh, LOG_NOTICE, "who is running me ?!");
+-	    }
+-	    return PAM_SERVICE_ERR;
+-	}
++        fromsu = pam_modutil_getlogin(pamh);
++
++        if (fromsu != NULL) {
++            tpwd = pam_modutil_getpwnam (pamh, fromsu);
++        }
++
++        if (fromsu == NULL || tpwd == NULL) {
++            if (ctrl & PAM_DEBUG_ARG) {
++                pam_syslog(pamh, LOG_NOTICE, "who is running me ?!");
++            }
++            return PAM_SERVICE_ERR;
++        }
+     }
+ 
+     /*
+-- 
+2.26.2
+
+
+From 9091ea1d81e85f49a221b0325d27b22ce69e444a Mon Sep 17 00:00:00 2001
+From: ikerexxe <ipedrosa@redhat.com>
+Date: Thu, 27 Aug 2020 09:16:15 +0200
+Subject: [PATCH 2/3] pam_wheel: if getlogin fails fallback to PAM_RUSER
+
+modules/pam_wheel/pam_wheel.c: if getlogin fails to obtain the real user
+ID, then try with PAM_RUSER.
+
+Resolves:
+https://bugzilla.redhat.com/show_bug.cgi?id=1866866
+---
+ modules/pam_wheel/pam_wheel.c | 10 ++++++++++
+ 1 file changed, 10 insertions(+)
+
+diff --git a/modules/pam_wheel/pam_wheel.c b/modules/pam_wheel/pam_wheel.c
+index 94cb7d89..7fa3cfa9 100644
+--- a/modules/pam_wheel/pam_wheel.c
++++ b/modules/pam_wheel/pam_wheel.c
+@@ -141,6 +141,16 @@ perform_check (pam_handle_t *pamh, int ctrl, const char *use_group)
+     } else {
+         fromsu = pam_modutil_getlogin(pamh);
+ 
++        /* if getlogin fails try a fallback to PAM_RUSER */
++        if (fromsu == NULL) {
++            const char *rhostname;
++
++            retval = pam_get_item(pamh, PAM_RHOST, (const void **)&rhostname);
++            if (retval != PAM_SUCCESS || rhostname == NULL) {
++                retval = pam_get_item(pamh, PAM_RUSER, (const void **)&fromsu);
++            }
++        }
++
+         if (fromsu != NULL) {
+             tpwd = pam_modutil_getpwnam (pamh, fromsu);
+         }
+-- 
+2.26.2
+
+
+From a3a5cbf86083c43026b558e2023f597530626267 Mon Sep 17 00:00:00 2001
+From: ikerexxe <ipedrosa@redhat.com>
+Date: Wed, 9 Sep 2020 10:32:03 +0200
+Subject: [PATCH 3/3] pam_wheel: clarify use_uid option in man page
+
+modules/pam_wheel/pam_wheel.8.xml: indicate that use_uid option uses the
+real uid of the calling process.
+---
+ modules/pam_wheel/pam_wheel.8.xml | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/modules/pam_wheel/pam_wheel.8.xml b/modules/pam_wheel/pam_wheel.8.xml
+index b32f5e2b..ee8c7d26 100644
+--- a/modules/pam_wheel/pam_wheel.8.xml
++++ b/modules/pam_wheel/pam_wheel.8.xml
+@@ -122,9 +122,9 @@
+         </term>
+         <listitem>
+           <para>
+-            The check for wheel membership will be done against
+-            the current uid instead of the original one (useful when
+-            jumping with su from one account to another for example).
++            The check will be done against the real uid of the calling process,
++            instead of trying to obtain the user from the login session
++            associated with the terminal in use.
+           </para>
+         </listitem>
+       </varlistentry>
+-- 
+2.26.2
+

SPECS/pam.spec

@@ -3,7 +3,7 @@
 Summary: An extensible library which provides authentication for applications
 Name: pam
 Version: 1.3.1
-Release: 11%{?dist}
+Release: 14%{?dist}
 # The library is BSD licensed with option to relicense as GPLv2+
 # - this option is redundant as the BSD license allows that anyway.
 # pam_timestamp, pam_loginuid, and pam_console modules are GPLv2+.
@@ -59,6 +59,12 @@ Patch45: pam-1.3.1-pam-usertype.patch
 Patch46: pam-1.3.1-audit-error.patch
 # Upstreamed
 Patch47: pam-1.3.1-pam-modutil-close-write.patch
+# https://github.com/linux-pam/linux-pam/commit/6bf9b454eb971083f0cce49faa2aa1cde329ff5d
+# https://github.com/linux-pam/linux-pam/commit/9091ea1d81e85f49a221b0325d27b22ce69e444a
+# https://github.com/linux-pam/linux-pam/commit/a3a5cbf86083c43026b558e2023f597530626267
+Patch48: pam-1.3.1-wheel-pam_ruser-fallback.patch
+# https://github.com/linux-pam/linux-pam/commit/491e5500b6b3913f531574208274358a2df88659
+Patch49: pam-1.3.1-namespace-gdm-doc.patch
 
 %define _pamlibdir %{_libdir}
 %define _moduledir %{_libdir}/security
@@ -154,6 +160,8 @@ cp %{SOURCE18} .
 %patch45 -p1 -b .pam-usertype
 %patch46 -p1 -b .audit-error
 %patch47 -p1 -b .pam-modutil-close-write
+%patch48 -p1 -b .wheel-pam_ruser-fallback
+%patch49 -p1 -b .namespace-gdm-doc
 autoreconf -i
 
 %build
@@ -399,6 +407,17 @@ done
 %doc doc/specs/rfc86.0.txt
 
 %changelog
+* Thu Nov  5 2020 Iker Pedrosa <ipedrosa@redhat.com> 1.3.1-14
+- Revert 1.3.1-12
+
+* Fri Oct 30 2020 Iker Pedrosa <ipedrosa@redhat.com> 1.3.1-13
+- pam_wheel: if getlogin fails fallback to PAM_RUSER: fixed malformed patch (#1866866)
+- pam_namespace: polyinstantiation refer to gdm doc (#1861841)
+
+* Thu Jul 16 2020 Peter Robinson <pbrobinson@redhat.com> - 1.3.1-12
+- Add the motd.d directories (empty) to silence warnings and to
+  provide proper ownership for them (#1847501)
+
 * Fri May 15 2020 Iker Pedrosa <ipedrosa@redhat.com> 1.3.1-11
 - pam_usertype: fixed malformed patch