commit 72266820943a6d7c26f1a08a67ba1db44268f283 Author: CentOS Sources Date: Tue Mar 28 09:21:12 2023 +0000 import pam-1.5.1-14.el9 diff --git a/.gitignore b/.gitignore new file mode 100644 index 0000000..075599b --- /dev/null +++ b/.gitignore @@ -0,0 +1,2 @@ +SOURCES/Linux-PAM-1.5.1.tar.xz +SOURCES/pam-redhat-1.1.4.tar.bz2 diff --git a/.pam.metadata b/.pam.metadata new file mode 100644 index 0000000..842e488 --- /dev/null +++ b/.pam.metadata @@ -0,0 +1,2 @@ +ad43b7fbdfdd38886fdf27e098b49f2db1c2a13d SOURCES/Linux-PAM-1.5.1.tar.xz +bf661c44f34c2d4d34eaee695b36e638f4d44ba8 SOURCES/pam-redhat-1.1.4.tar.bz2 diff --git a/SOURCES/Linux-PAM-1.5.1.tar.xz.asc b/SOURCES/Linux-PAM-1.5.1.tar.xz.asc new file mode 100644 index 0000000..01d6a46 --- /dev/null +++ b/SOURCES/Linux-PAM-1.5.1.tar.xz.asc @@ -0,0 +1,16 @@ +-----BEGIN PGP SIGNATURE----- + +iQIcBAABCAAGBQJfvo0CAAoJEKgEH6g54W42L+0P/19bgVH4cRd7ONZLwYvWvWlQ +NXkjwn26MEXElWESlKnQQz08W5QASWCz3vgAn9NGDmS+lJ38i4Li4aGpn3COPE2g +BAN9LEaAErK60b3ZkWwDEARDs1JntA1vUuuHx0EoLEMtFEeU20h5PPMrsDwu7LGF +sD6KYdM6TWLMXcRybqGOeWmWxfp8S8MVNwVN3C3q0aVIOMxky0i4rzCL7zRTJztQ +q7FaX2xrTGfUiAI7smT/KGoK7pbQTzZtoR67uE/2WZ4bSyWMZcuDkt16WP/L6x9v +c5DnVaLazM9xYUAOn4tlPiG8LLmfXo1MjD+KOS9byAx+uTij3avxaC/vv0BDcATH +jywxH8iTPkvYXP0uJIa4Gbs1qi3vNZn+gaQt/T+rCVNo3dfFZZxBvLbTQ8AN1hKr +MnoQbIQh0buuSuwmAxF0EDIefX3bDCurKOTQrRajK7huFm0w2NgBqL8WR8f1Wmm9 +mGSdKuVpWSk5uEygCUFOfwviYbi1I1K2Dmo3TsLBgNPKvAF3LAGJC7KzD+Q+Nmos +XBOljilcAfdJ7t2P8W7xTSMEnXu7nI1TM+Er80ukfu0fipJEP0xyi+XWh+2n0Bx+ +3wwt8fSL7rmI4I4l6GRb3Jk/Gq1bKy956tgm3TE6gXTXVGZqNs0E28rNRURXDqZu +XrjVwhlpsH/Auk17hU65 +=E0ev +-----END PGP SIGNATURE----- diff --git a/SOURCES/config-util.5 b/SOURCES/config-util.5 new file mode 100644 index 0000000..17d7f8a --- /dev/null +++ b/SOURCES/config-util.5 @@ -0,0 +1,36 @@ +.TH SYSTEM-AUTH 5 "2006 Feb 3" "Red Hat" "Linux-PAM Manual" +.SH NAME + +config-util \- Common PAM configuration file for configuration utilities + +.SH SYNOPSIS +.B /etc/pam.d/config-util +.sp 2 +.SH DESCRIPTION + +The purpose of this configuration file is to provide common +configuration file for all configuration utilities which must be run +from the supervisor account and use the userhelper wrapper application. + +.sp +The +.BR config-util +configuration file is included from all individual configuration +files of such utilities with the help of the +.BR include +directive. +There are not usually any other modules in the individual configuration +files of these utilities. + +.sp +It is possible for example to modify duration of the validity of the +authentication timestamp there. See +.BR pam_timestamp(8) +for details. + +.SH BUGS +.sp 2 +None known. + +.SH "SEE ALSO" +pam(8), config-util(5), pam_timestamp(8) diff --git a/SOURCES/config-util.pamd b/SOURCES/config-util.pamd new file mode 100644 index 0000000..8e70d9a --- /dev/null +++ b/SOURCES/config-util.pamd @@ -0,0 +1,8 @@ +#%PAM-1.0 +auth sufficient pam_rootok.so +auth sufficient pam_timestamp.so +auth include system-auth +account required pam_permit.so +session required pam_permit.so +session optional pam_xauth.so +session optional pam_timestamp.so diff --git a/SOURCES/dlopen.sh b/SOURCES/dlopen.sh new file mode 100755 index 0000000..053289a --- /dev/null +++ b/SOURCES/dlopen.sh @@ -0,0 +1,75 @@ +#!/bin/sh + +tempdir=`mktemp -d /tmp/dlopenXXXXXX` +test -n "$tempdir" || exit 1 +cat >> $tempdir/dlopen.c << _EOF +#include +#include +#include +#include +/* Simple program to see if dlopen() would succeed. */ +int main(int argc, char **argv) +{ + int i; + struct stat st; + char buf[PATH_MAX]; + for (i = 1; i < argc; i++) { + if (dlopen(argv[i], RTLD_NOW)) { + fprintf(stdout, "dlopen() of \"%s\" succeeded.\n", + argv[i]); + } else { + snprintf(buf, sizeof(buf), "./%s", argv[i]); + if ((stat(buf, &st) == 0) && dlopen(buf, RTLD_NOW)) { + fprintf(stdout, "dlopen() of \"./%s\" " + "succeeded.\n", argv[i]); + } else { + fprintf(stdout, "dlopen() of \"%s\" failed: " + "%s\n", argv[i], dlerror()); + return 1; + } + } + } + return 0; +} +_EOF + +for arg in $@ ; do + case "$arg" in + "") + ;; + -I*|-D*|-f*|-m*|-g*|-O*|-W*) + cflags="$cflags $arg" + ;; + -l*|-L*) + ldflags="$ldflags $arg" + ;; + /*) + modules="$modules $arg" + ;; + *) + modules="$modules $arg" + ;; + esac +done + +${CC:-gcc} $RPM_OPT_FLAGS $CFLAGS -o $tempdir/dlopen $cflags $tempdir/dlopen.c $ldflags -ldl + +retval=0 +for module in $modules ; do + case "$module" in + "") + ;; + /*) + $tempdir/dlopen "$module" + retval=$? + ;; + *) + $tempdir/dlopen ./"$module" + retval=$? + ;; + esac +done + +rm -f $tempdir/dlopen $tempdir/dlopen.c +rmdir $tempdir +exit $retval diff --git a/SOURCES/fingerprint-auth.pamd b/SOURCES/fingerprint-auth.pamd new file mode 100644 index 0000000..aae6ecc --- /dev/null +++ b/SOURCES/fingerprint-auth.pamd @@ -0,0 +1,19 @@ +#%PAM-1.0 +# This file is auto-generated. +# User changes will be destroyed the next time authselect is run. +auth required pam_env.so +auth sufficient pam_fprintd.so +auth required pam_deny.so + +account required pam_unix.so +account sufficient pam_localuser.so +account sufficient pam_succeed_if.so uid < 500 quiet +account required pam_permit.so + +password required pam_deny.so + +session optional pam_keyinit.so revoke +session required pam_limits.so +-session optional pam_systemd.so +session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid +session required pam_unix.so diff --git a/SOURCES/gpl-2.0.txt b/SOURCES/gpl-2.0.txt new file mode 100644 index 0000000..d159169 --- /dev/null +++ b/SOURCES/gpl-2.0.txt @@ -0,0 +1,339 @@ + GNU GENERAL PUBLIC LICENSE + Version 2, June 1991 + + Copyright (C) 1989, 1991 Free Software Foundation, Inc., + 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA + Everyone is permitted to copy and distribute verbatim copies + of this license document, but changing it is not allowed. + + Preamble + + The licenses for most software are designed to take away your +freedom to share and change it. By contrast, the GNU General Public +License is intended to guarantee your freedom to share and change free +software--to make sure the software is free for all its users. This +General Public License applies to most of the Free Software +Foundation's software and to any other program whose authors commit to +using it. (Some other Free Software Foundation software is covered by +the GNU Lesser General Public License instead.) You can apply it to +your programs, too. + + When we speak of free software, we are referring to freedom, not +price. Our General Public Licenses are designed to make sure that you +have the freedom to distribute copies of free software (and charge for +this service if you wish), that you receive source code or can get it +if you want it, that you can change the software or use pieces of it +in new free programs; and that you know you can do these things. + + To protect your rights, we need to make restrictions that forbid +anyone to deny you these rights or to ask you to surrender the rights. +These restrictions translate to certain responsibilities for you if you +distribute copies of the software, or if you modify it. + + For example, if you distribute copies of such a program, whether +gratis or for a fee, you must give the recipients all the rights that +you have. You must make sure that they, too, receive or can get the +source code. And you must show them these terms so they know their +rights. + + We protect your rights with two steps: (1) copyright the software, and +(2) offer you this license which gives you legal permission to copy, +distribute and/or modify the software. + + Also, for each author's protection and ours, we want to make certain +that everyone understands that there is no warranty for this free +software. If the software is modified by someone else and passed on, we +want its recipients to know that what they have is not the original, so +that any problems introduced by others will not reflect on the original +authors' reputations. + + Finally, any free program is threatened constantly by software +patents. We wish to avoid the danger that redistributors of a free +program will individually obtain patent licenses, in effect making the +program proprietary. To prevent this, we have made it clear that any +patent must be licensed for everyone's free use or not licensed at all. + + The precise terms and conditions for copying, distribution and +modification follow. + + GNU GENERAL PUBLIC LICENSE + TERMS AND CONDITIONS FOR COPYING, DISTRIBUTION AND MODIFICATION + + 0. This License applies to any program or other work which contains +a notice placed by the copyright holder saying it may be distributed +under the terms of this General Public License. The "Program", below, +refers to any such program or work, and a "work based on the Program" +means either the Program or any derivative work under copyright law: +that is to say, a work containing the Program or a portion of it, +either verbatim or with modifications and/or translated into another +language. (Hereinafter, translation is included without limitation in +the term "modification".) Each licensee is addressed as "you". + +Activities other than copying, distribution and modification are not +covered by this License; they are outside its scope. The act of +running the Program is not restricted, and the output from the Program +is covered only if its contents constitute a work based on the +Program (independent of having been made by running the Program). +Whether that is true depends on what the Program does. + + 1. You may copy and distribute verbatim copies of the Program's +source code as you receive it, in any medium, provided that you +conspicuously and appropriately publish on each copy an appropriate +copyright notice and disclaimer of warranty; keep intact all the +notices that refer to this License and to the absence of any warranty; +and give any other recipients of the Program a copy of this License +along with the Program. + +You may charge a fee for the physical act of transferring a copy, and +you may at your option offer warranty protection in exchange for a fee. + + 2. You may modify your copy or copies of the Program or any portion +of it, thus forming a work based on the Program, and copy and +distribute such modifications or work under the terms of Section 1 +above, provided that you also meet all of these conditions: + + a) You must cause the modified files to carry prominent notices + stating that you changed the files and the date of any change. + + b) You must cause any work that you distribute or publish, that in + whole or in part contains or is derived from the Program or any + part thereof, to be licensed as a whole at no charge to all third + parties under the terms of this License. + + c) If the modified program normally reads commands interactively + when run, you must cause it, when started running for such + interactive use in the most ordinary way, to print or display an + announcement including an appropriate copyright notice and a + notice that there is no warranty (or else, saying that you provide + a warranty) and that users may redistribute the program under + these conditions, and telling the user how to view a copy of this + License. (Exception: if the Program itself is interactive but + does not normally print such an announcement, your work based on + the Program is not required to print an announcement.) + +These requirements apply to the modified work as a whole. If +identifiable sections of that work are not derived from the Program, +and can be reasonably considered independent and separate works in +themselves, then this License, and its terms, do not apply to those +sections when you distribute them as separate works. But when you +distribute the same sections as part of a whole which is a work based +on the Program, the distribution of the whole must be on the terms of +this License, whose permissions for other licensees extend to the +entire whole, and thus to each and every part regardless of who wrote it. + +Thus, it is not the intent of this section to claim rights or contest +your rights to work written entirely by you; rather, the intent is to +exercise the right to control the distribution of derivative or +collective works based on the Program. + +In addition, mere aggregation of another work not based on the Program +with the Program (or with a work based on the Program) on a volume of +a storage or distribution medium does not bring the other work under +the scope of this License. + + 3. You may copy and distribute the Program (or a work based on it, +under Section 2) in object code or executable form under the terms of +Sections 1 and 2 above provided that you also do one of the following: + + a) Accompany it with the complete corresponding machine-readable + source code, which must be distributed under the terms of Sections + 1 and 2 above on a medium customarily used for software interchange; or, + + b) Accompany it with a written offer, valid for at least three + years, to give any third party, for a charge no more than your + cost of physically performing source distribution, a complete + machine-readable copy of the corresponding source code, to be + distributed under the terms of Sections 1 and 2 above on a medium + customarily used for software interchange; or, + + c) Accompany it with the information you received as to the offer + to distribute corresponding source code. (This alternative is + allowed only for noncommercial distribution and only if you + received the program in object code or executable form with such + an offer, in accord with Subsection b above.) + +The source code for a work means the preferred form of the work for +making modifications to it. For an executable work, complete source +code means all the source code for all modules it contains, plus any +associated interface definition files, plus the scripts used to +control compilation and installation of the executable. However, as a +special exception, the source code distributed need not include +anything that is normally distributed (in either source or binary +form) with the major components (compiler, kernel, and so on) of the +operating system on which the executable runs, unless that component +itself accompanies the executable. + +If distribution of executable or object code is made by offering +access to copy from a designated place, then offering equivalent +access to copy the source code from the same place counts as +distribution of the source code, even though third parties are not +compelled to copy the source along with the object code. + + 4. You may not copy, modify, sublicense, or distribute the Program +except as expressly provided under this License. Any attempt +otherwise to copy, modify, sublicense or distribute the Program is +void, and will automatically terminate your rights under this License. +However, parties who have received copies, or rights, from you under +this License will not have their licenses terminated so long as such +parties remain in full compliance. + + 5. You are not required to accept this License, since you have not +signed it. However, nothing else grants you permission to modify or +distribute the Program or its derivative works. These actions are +prohibited by law if you do not accept this License. Therefore, by +modifying or distributing the Program (or any work based on the +Program), you indicate your acceptance of this License to do so, and +all its terms and conditions for copying, distributing or modifying +the Program or works based on it. + + 6. Each time you redistribute the Program (or any work based on the +Program), the recipient automatically receives a license from the +original licensor to copy, distribute or modify the Program subject to +these terms and conditions. You may not impose any further +restrictions on the recipients' exercise of the rights granted herein. +You are not responsible for enforcing compliance by third parties to +this License. + + 7. If, as a consequence of a court judgment or allegation of patent +infringement or for any other reason (not limited to patent issues), +conditions are imposed on you (whether by court order, agreement or +otherwise) that contradict the conditions of this License, they do not +excuse you from the conditions of this License. If you cannot +distribute so as to satisfy simultaneously your obligations under this +License and any other pertinent obligations, then as a consequence you +may not distribute the Program at all. For example, if a patent +license would not permit royalty-free redistribution of the Program by +all those who receive copies directly or indirectly through you, then +the only way you could satisfy both it and this License would be to +refrain entirely from distribution of the Program. + +If any portion of this section is held invalid or unenforceable under +any particular circumstance, the balance of the section is intended to +apply and the section as a whole is intended to apply in other +circumstances. + +It is not the purpose of this section to induce you to infringe any +patents or other property right claims or to contest validity of any +such claims; this section has the sole purpose of protecting the +integrity of the free software distribution system, which is +implemented by public license practices. Many people have made +generous contributions to the wide range of software distributed +through that system in reliance on consistent application of that +system; it is up to the author/donor to decide if he or she is willing +to distribute software through any other system and a licensee cannot +impose that choice. + +This section is intended to make thoroughly clear what is believed to +be a consequence of the rest of this License. + + 8. If the distribution and/or use of the Program is restricted in +certain countries either by patents or by copyrighted interfaces, the +original copyright holder who places the Program under this License +may add an explicit geographical distribution limitation excluding +those countries, so that distribution is permitted only in or among +countries not thus excluded. In such case, this License incorporates +the limitation as if written in the body of this License. + + 9. The Free Software Foundation may publish revised and/or new versions +of the General Public License from time to time. Such new versions will +be similar in spirit to the present version, but may differ in detail to +address new problems or concerns. + +Each version is given a distinguishing version number. If the Program +specifies a version number of this License which applies to it and "any +later version", you have the option of following the terms and conditions +either of that version or of any later version published by the Free +Software Foundation. If the Program does not specify a version number of +this License, you may choose any version ever published by the Free Software +Foundation. + + 10. If you wish to incorporate parts of the Program into other free +programs whose distribution conditions are different, write to the author +to ask for permission. For software which is copyrighted by the Free +Software Foundation, write to the Free Software Foundation; we sometimes +make exceptions for this. Our decision will be guided by the two goals +of preserving the free status of all derivatives of our free software and +of promoting the sharing and reuse of software generally. + + NO WARRANTY + + 11. BECAUSE THE PROGRAM IS LICENSED FREE OF CHARGE, THERE IS NO WARRANTY +FOR THE PROGRAM, TO THE EXTENT PERMITTED BY APPLICABLE LAW. EXCEPT WHEN +OTHERWISE STATED IN WRITING THE COPYRIGHT HOLDERS AND/OR OTHER PARTIES +PROVIDE THE PROGRAM "AS IS" WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESSED +OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF +MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. THE ENTIRE RISK AS +TO THE QUALITY AND PERFORMANCE OF THE PROGRAM IS WITH YOU. SHOULD THE +PROGRAM PROVE DEFECTIVE, YOU ASSUME THE COST OF ALL NECESSARY SERVICING, +REPAIR OR CORRECTION. + + 12. IN NO EVENT UNLESS REQUIRED BY APPLICABLE LAW OR AGREED TO IN WRITING +WILL ANY COPYRIGHT HOLDER, OR ANY OTHER PARTY WHO MAY MODIFY AND/OR +REDISTRIBUTE THE PROGRAM AS PERMITTED ABOVE, BE LIABLE TO YOU FOR DAMAGES, +INCLUDING ANY GENERAL, SPECIAL, INCIDENTAL OR CONSEQUENTIAL DAMAGES ARISING +OUT OF THE USE OR INABILITY TO USE THE PROGRAM (INCLUDING BUT NOT LIMITED +TO LOSS OF DATA OR DATA BEING RENDERED INACCURATE OR LOSSES SUSTAINED BY +YOU OR THIRD PARTIES OR A FAILURE OF THE PROGRAM TO OPERATE WITH ANY OTHER +PROGRAMS), EVEN IF SUCH HOLDER OR OTHER PARTY HAS BEEN ADVISED OF THE +POSSIBILITY OF SUCH DAMAGES. + + END OF TERMS AND CONDITIONS + + How to Apply These Terms to Your New Programs + + If you develop a new program, and you want it to be of the greatest +possible use to the public, the best way to achieve this is to make it +free software which everyone can redistribute and change under these terms. + + To do so, attach the following notices to the program. It is safest +to attach them to the start of each source file to most effectively +convey the exclusion of warranty; and each file should have at least +the "copyright" line and a pointer to where the full notice is found. + + + Copyright (C) + + This program is free software; you can redistribute it and/or modify + it under the terms of the GNU General Public License as published by + the Free Software Foundation; either version 2 of the License, or + (at your option) any later version. + + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU General Public License for more details. + + You should have received a copy of the GNU General Public License along + with this program; if not, write to the Free Software Foundation, Inc., + 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. + +Also add information on how to contact you by electronic and paper mail. + +If the program is interactive, make it output a short notice like this +when it starts in an interactive mode: + + Gnomovision version 69, Copyright (C) year name of author + Gnomovision comes with ABSOLUTELY NO WARRANTY; for details type `show w'. + This is free software, and you are welcome to redistribute it + under certain conditions; type `show c' for details. + +The hypothetical commands `show w' and `show c' should show the appropriate +parts of the General Public License. Of course, the commands you use may +be called something other than `show w' and `show c'; they could even be +mouse-clicks or menu items--whatever suits your program. + +You should also get your employer (if you work as a programmer) or your +school, if any, to sign a "copyright disclaimer" for the program, if +necessary. Here is a sample; alter the names: + + Yoyodyne, Inc., hereby disclaims all copyright interest in the program + `Gnomovision' (which makes passes at compilers) written by James Hacker. + + , 1 April 1989 + Ty Coon, President of Vice + +This General Public License does not permit incorporating your program into +proprietary programs. If your program is a subroutine library, you may +consider it more useful to permit linking proprietary applications with the +library. If this is what you want to do, use the GNU Lesser General +Public License instead of this License. diff --git a/SOURCES/other.pamd b/SOURCES/other.pamd new file mode 100644 index 0000000..c286c82 --- /dev/null +++ b/SOURCES/other.pamd @@ -0,0 +1,5 @@ +#%PAM-1.0 +auth required pam_deny.so +account required pam_deny.so +password required pam_deny.so +session required pam_deny.so diff --git a/SOURCES/pam-1.3.0-unix-nomsg.patch b/SOURCES/pam-1.3.0-unix-nomsg.patch new file mode 100644 index 0000000..33c2267 --- /dev/null +++ b/SOURCES/pam-1.3.0-unix-nomsg.patch @@ -0,0 +1,16 @@ +diff -up Linux-PAM-1.3.0/modules/pam_unix/pam_unix_passwd.c.nomsg Linux-PAM-1.3.0/modules/pam_unix/pam_unix_passwd.c +--- Linux-PAM-1.3.0/modules/pam_unix/pam_unix_passwd.c.nomsg 2016-04-11 13:08:47.000000000 +0200 ++++ Linux-PAM-1.3.0/modules/pam_unix/pam_unix_passwd.c 2017-04-20 16:51:24.853106709 +0200 +@@ -687,12 +687,6 @@ pam_sm_chauthtok(pam_handle_t *pamh, int + return PAM_SUCCESS; + } else if (off(UNIX__IAMROOT, ctrl) || + (on(UNIX_NIS, ctrl) && _unix_comesfromsource(pamh, user, 0, 1))) { +- /* instruct user what is happening */ +- if (off(UNIX__QUIET, ctrl)) { +- retval = pam_info(pamh, _("Changing password for %s."), user); +- if (retval != PAM_SUCCESS) +- return retval; +- } + retval = pam_get_authtok(pamh, PAM_OLDAUTHTOK, &pass_old, NULL); + + if (retval != PAM_SUCCESS) { diff --git a/SOURCES/pam-1.5.0-noflex.patch b/SOURCES/pam-1.5.0-noflex.patch new file mode 100644 index 0000000..282b482 --- /dev/null +++ b/SOURCES/pam-1.5.0-noflex.patch @@ -0,0 +1,24 @@ +diff -up Linux-PAM-1.5.0/doc/Makefile.am.noflex Linux-PAM-1.5.0/doc/Makefile.am +--- Linux-PAM-1.5.0/doc/Makefile.am.noflex 2020-11-10 16:46:13.000000000 +0100 ++++ Linux-PAM-1.5.0/doc/Makefile.am 2020-11-11 11:39:00.980421433 +0100 +@@ -2,7 +2,7 @@ + # Copyright (c) 2005, 2006 Thorsten Kukuk + # + +-SUBDIRS = man specs sag adg mwg ++SUBDIRS = man sag adg mwg + + CLEANFILES = *~ + +diff -up Linux-PAM-1.5.0/Makefile.am.noflex Linux-PAM-1.5.0/Makefile.am +--- Linux-PAM-1.5.0/Makefile.am.noflex 2020-11-11 11:39:00.980421433 +0100 ++++ Linux-PAM-1.5.0/Makefile.am 2020-11-11 11:39:15.887625418 +0100 +@@ -4,7 +4,7 @@ + + AUTOMAKE_OPTIONS = 1.9 gnu dist-xz no-dist-gzip check-news + +-SUBDIRS = libpam tests libpamc libpam_misc modules po conf examples xtests ++SUBDIRS = libpam tests libpamc libpam_misc modules po doc examples xtests + + if HAVE_DOC + SUBDIRS += doc diff --git a/SOURCES/pam-1.5.0-redhat-modules.patch b/SOURCES/pam-1.5.0-redhat-modules.patch new file mode 100644 index 0000000..92d04da --- /dev/null +++ b/SOURCES/pam-1.5.0-redhat-modules.patch @@ -0,0 +1,25 @@ +diff -up Linux-PAM-1.5.0/configure.ac.redhat-modules Linux-PAM-1.5.0/configure.ac +--- Linux-PAM-1.5.0/configure.ac.redhat-modules 2020-11-11 11:21:21.947857371 +0100 ++++ Linux-PAM-1.5.0/configure.ac 2020-11-11 11:22:58.638193747 +0100 +@@ -639,6 +639,8 @@ AC_CONFIG_FILES([Makefile libpam/Makefil + po/Makefile.in \ + Make.xml.rules \ + modules/Makefile \ ++ modules/pam_chroot/Makefile modules/pam_console/Makefile \ ++ modules/pam_postgresok/Makefile \ + modules/pam_access/Makefile \ + modules/pam_debug/Makefile modules/pam_deny/Makefile \ + modules/pam_echo/Makefile modules/pam_env/Makefile \ +diff -up Linux-PAM-1.5.0/modules/Makefile.am.redhat-modules Linux-PAM-1.5.0/modules/Makefile.am +--- Linux-PAM-1.5.0/modules/Makefile.am.redhat-modules 2020-11-10 16:46:13.000000000 +0100 ++++ Linux-PAM-1.5.0/modules/Makefile.am 2020-11-11 11:21:21.947857371 +0100 +@@ -47,6 +47,9 @@ SUBDIRS := \ + pam_debug \ + pam_deny \ + pam_echo \ ++ pam_chroot \ ++ pam_console \ ++ pam_postgresok \ + pam_env \ + pam_exec \ + pam_faildelay \ diff --git a/SOURCES/pam-1.5.1-faillock-load-conf-from-file.patch b/SOURCES/pam-1.5.1-faillock-load-conf-from-file.patch new file mode 100644 index 0000000..dbfa3d8 --- /dev/null +++ b/SOURCES/pam-1.5.1-faillock-load-conf-from-file.patch @@ -0,0 +1,848 @@ +diff -up Linux-PAM-1.5.1/modules/pam_faillock/faillock.8.xml.faillock-load-conf-from-file Linux-PAM-1.5.1/modules/pam_faillock/faillock.8.xml +--- Linux-PAM-1.5.1/modules/pam_faillock/faillock.8.xml.faillock-load-conf-from-file 2020-11-25 17:57:02.000000000 +0100 ++++ Linux-PAM-1.5.1/modules/pam_faillock/faillock.8.xml 2022-05-25 15:30:33.700518571 +0200 +@@ -57,12 +57,29 @@ + + + ++ ++ ++ ++ ++ The file where the configuration is located. The default is ++ /etc/security/faillock.conf. ++ ++ ++ ++ ++ + + + + +- The directory where the user files with the failure records are kept. The +- default is /var/run/faillock. ++ The directory where the user files with the failure records are kept. ++ ++ ++ The priority to set this option is to use the value provided ++ from the command line. If this isn't provided, then the value ++ from the configuration file is used. Finally, if neither of ++ them has been provided, then ++ /var/run/faillock is used. + + + +diff -up Linux-PAM-1.5.1/modules/pam_faillock/faillock_config.c.faillock-load-conf-from-file Linux-PAM-1.5.1/modules/pam_faillock/faillock_config.c +--- Linux-PAM-1.5.1/modules/pam_faillock/faillock_config.c.faillock-load-conf-from-file 2022-05-25 15:30:33.699518564 +0200 ++++ Linux-PAM-1.5.1/modules/pam_faillock/faillock_config.c 2022-05-25 15:30:33.700518571 +0200 +@@ -0,0 +1,263 @@ ++/* ++ * Copyright (c) 2022 Tomas Mraz ++ * Copyright (c) 2022 Iker Pedrosa ++ * ++ * Redistribution and use in source and binary forms, with or without ++ * modification, are permitted provided that the following conditions ++ * are met: ++ * 1. Redistributions of source code must retain the above copyright ++ * notice, and the entire permission notice in its entirety, ++ * including the disclaimer of warranties. ++ * 2. Redistributions in binary form must reproduce the above copyright ++ * notice, this list of conditions and the following disclaimer in the ++ * documentation and/or other materials provided with the distribution. ++ * 3. The name of the author may not be used to endorse or promote ++ * products derived from this software without specific prior ++ * written permission. ++ * ++ * ALTERNATIVELY, this product may be distributed under the terms of ++ * the GNU Public License, in which case the provisions of the GPL are ++ * required INSTEAD OF the above restrictions. (This clause is ++ * necessary due to a potential bad interaction between the GPL and ++ * the restrictions contained in a BSD-style copyright.) ++ * ++ * THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED ++ * WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES ++ * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE ++ * DISCLAIMED. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, ++ * INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES ++ * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR ++ * SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) ++ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, ++ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ++ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED ++ * OF THE POSSIBILITY OF SUCH DAMAGE. ++ */ ++ ++#include "config.h" ++ ++#include ++#include ++#include ++#include ++#include ++#include ++ ++#include ++ ++#include "faillock_config.h" ++#include "faillock.h" ++ ++#define FAILLOCK_DEFAULT_CONF "/etc/security/faillock.conf" ++ ++static void PAM_FORMAT((printf, 3, 4)) PAM_NONNULL((3)) ++config_log(const pam_handle_t *pamh, int priority, const char *fmt, ...) ++{ ++ va_list args; ++ ++ va_start(args, fmt); ++ if (pamh) { ++ pam_vsyslog(pamh, priority, fmt, args); ++ } else { ++ char *buf = NULL; ++ ++ if (vasprintf(&buf, fmt, args) < 0) { ++ fprintf(stderr, "vasprintf: %m"); ++ va_end(args); ++ return; ++ } ++ fprintf(stderr, "%s\n", buf); ++ free(buf); ++ } ++ va_end(args); ++} ++ ++/* parse a single configuration file */ ++int ++read_config_file(pam_handle_t *pamh, struct options *opts, const char *cfgfile) ++{ ++ char linebuf[FAILLOCK_CONF_MAX_LINELEN+1]; ++ const char *fname = (cfgfile != NULL) ? cfgfile : FAILLOCK_DEFAULT_CONF; ++ FILE *f = fopen(fname, "r"); ++ ++#ifdef VENDOR_FAILLOCK_DEFAULT_CONF ++ if (f == NULL && errno == ENOENT && cfgfile == NULL) { ++ /* ++ * If the default configuration file in /etc does not exist, ++ * try the vendor configuration file as fallback. ++ */ ++ f = fopen(VENDOR_FAILLOCK_DEFAULT_CONF, "r"); ++ } ++#endif /* VENDOR_FAILLOCK_DEFAULT_CONF */ ++ ++ if (f == NULL) { ++ /* ignore non-existent default config file */ ++ if (errno == ENOENT && cfgfile == NULL) ++ return PAM_SUCCESS; ++ return PAM_SERVICE_ERR; ++ } ++ ++ while (fgets(linebuf, sizeof(linebuf), f) != NULL) { ++ size_t len; ++ char *ptr; ++ char *name; ++ int eq; ++ ++ len = strlen(linebuf); ++ /* len cannot be 0 unless there is a bug in fgets */ ++ if (len && linebuf[len - 1] != '\n' && !feof(f)) { ++ (void) fclose(f); ++ return PAM_SERVICE_ERR; ++ } ++ ++ if ((ptr=strchr(linebuf, '#')) != NULL) { ++ *ptr = '\0'; ++ } else { ++ ptr = linebuf + len; ++ } ++ ++ /* drop terminating whitespace including the \n */ ++ while (ptr > linebuf) { ++ if (!isspace(*(ptr-1))) { ++ *ptr = '\0'; ++ break; ++ } ++ --ptr; ++ } ++ ++ /* skip initial whitespace */ ++ for (ptr = linebuf; isspace(*ptr); ptr++); ++ if (*ptr == '\0') ++ continue; ++ ++ /* grab the key name */ ++ eq = 0; ++ name = ptr; ++ while (*ptr != '\0') { ++ if (isspace(*ptr) || *ptr == '=') { ++ eq = *ptr == '='; ++ *ptr = '\0'; ++ ++ptr; ++ break; ++ } ++ ++ptr; ++ } ++ ++ /* grab the key value */ ++ while (*ptr != '\0') { ++ if (*ptr != '=' || eq) { ++ if (!isspace(*ptr)) { ++ break; ++ } ++ } else { ++ eq = 1; ++ } ++ ++ptr; ++ } ++ ++ /* set the key:value pair on opts */ ++ set_conf_opt(pamh, opts, name, ptr); ++ } ++ ++ (void)fclose(f); ++ return PAM_SUCCESS; ++} ++ ++void ++set_conf_opt(pam_handle_t *pamh, struct options *opts, const char *name, ++ const char *value) ++{ ++ if (strcmp(name, "dir") == 0) { ++ if (value[0] != '/') { ++ config_log(pamh, LOG_ERR, ++ "Tally directory is not absolute path (%s); keeping value", ++ value); ++ } else { ++ free(opts->dir); ++ opts->dir = strdup(value); ++ if (opts->dir == NULL) { ++ opts->fatal_error = 1; ++ config_log(pamh, LOG_CRIT, "Error allocating memory: %m"); ++ } ++ } ++ } ++ else if (strcmp(name, "deny") == 0) { ++ if (sscanf(value, "%hu", &opts->deny) != 1) { ++ config_log(pamh, LOG_ERR, ++ "Bad number supplied for deny argument"); ++ } ++ } ++ else if (strcmp(name, "fail_interval") == 0) { ++ unsigned int temp; ++ if (sscanf(value, "%u", &temp) != 1 || ++ temp > MAX_TIME_INTERVAL) { ++ config_log(pamh, LOG_ERR, ++ "Bad number supplied for fail_interval argument"); ++ } else { ++ opts->fail_interval = temp; ++ } ++ } ++ else if (strcmp(name, "unlock_time") == 0) { ++ unsigned int temp; ++ ++ if (strcmp(value, "never") == 0) { ++ opts->unlock_time = 0; ++ } ++ else if (sscanf(value, "%u", &temp) != 1 || ++ temp > MAX_TIME_INTERVAL) { ++ config_log(pamh, LOG_ERR, ++ "Bad number supplied for unlock_time argument"); ++ } ++ else { ++ opts->unlock_time = temp; ++ } ++ } ++ else if (strcmp(name, "root_unlock_time") == 0) { ++ unsigned int temp; ++ ++ if (strcmp(value, "never") == 0) { ++ opts->root_unlock_time = 0; ++ } ++ else if (sscanf(value, "%u", &temp) != 1 || ++ temp > MAX_TIME_INTERVAL) { ++ config_log(pamh, LOG_ERR, ++ "Bad number supplied for root_unlock_time argument"); ++ } else { ++ opts->root_unlock_time = temp; ++ } ++ } ++ else if (strcmp(name, "admin_group") == 0) { ++ free(opts->admin_group); ++ opts->admin_group = strdup(value); ++ if (opts->admin_group == NULL) { ++ opts->fatal_error = 1; ++ config_log(pamh, LOG_CRIT, "Error allocating memory: %m"); ++ } ++ } ++ else if (strcmp(name, "even_deny_root") == 0) { ++ opts->flags |= FAILLOCK_FLAG_DENY_ROOT; ++ } ++ else if (strcmp(name, "audit") == 0) { ++ opts->flags |= FAILLOCK_FLAG_AUDIT; ++ } ++ else if (strcmp(name, "silent") == 0) { ++ opts->flags |= FAILLOCK_FLAG_SILENT; ++ } ++ else if (strcmp(name, "no_log_info") == 0) { ++ opts->flags |= FAILLOCK_FLAG_NO_LOG_INFO; ++ } ++ else if (strcmp(name, "local_users_only") == 0) { ++ opts->flags |= FAILLOCK_FLAG_LOCAL_ONLY; ++ } ++ else if (strcmp(name, "nodelay") == 0) { ++ opts->flags |= FAILLOCK_FLAG_NO_DELAY; ++ } ++ else { ++ config_log(pamh, LOG_ERR, "Unknown option: %s", name); ++ } ++} ++ ++const char *get_tally_dir(const struct options *opts) ++{ ++ return (opts->dir != NULL) ? opts->dir : FAILLOCK_DEFAULT_TALLYDIR; ++} +diff -up Linux-PAM-1.5.1/modules/pam_faillock/faillock_config.h.faillock-load-conf-from-file Linux-PAM-1.5.1/modules/pam_faillock/faillock_config.h +--- Linux-PAM-1.5.1/modules/pam_faillock/faillock_config.h.faillock-load-conf-from-file 2022-05-25 15:30:33.699518564 +0200 ++++ Linux-PAM-1.5.1/modules/pam_faillock/faillock_config.h 2022-05-25 15:30:33.700518571 +0200 +@@ -0,0 +1,89 @@ ++/* ++ * Copyright (c) 2022 Tomas Mraz ++ * Copyright (c) 2022 Iker Pedrosa ++ * ++ * Redistribution and use in source and binary forms, with or without ++ * modification, are permitted provided that the following conditions ++ * are met: ++ * 1. Redistributions of source code must retain the above copyright ++ * notice, and the entire permission notice in its entirety, ++ * including the disclaimer of warranties. ++ * 2. Redistributions in binary form must reproduce the above copyright ++ * notice, this list of conditions and the following disclaimer in the ++ * documentation and/or other materials provided with the distribution. ++ * 3. The name of the author may not be used to endorse or promote ++ * products derived from this software without specific prior ++ * written permission. ++ * ++ * ALTERNATIVELY, this product may be distributed under the terms of ++ * the GNU Public License, in which case the provisions of the GPL are ++ * required INSTEAD OF the above restrictions. (This clause is ++ * necessary due to a potential bad interaction between the GPL and ++ * the restrictions contained in a BSD-style copyright.) ++ * ++ * THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED ++ * WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES ++ * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE ++ * DISCLAIMED. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, ++ * INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES ++ * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR ++ * SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) ++ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, ++ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ++ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED ++ * OF THE POSSIBILITY OF SUCH DAMAGE. ++ */ ++ ++/* ++ * faillock_config.h - load configuration options from file ++ * ++ */ ++ ++#ifndef _FAILLOCK_CONFIG_H ++#define _FAILLOCK_CONFIG_H ++ ++#include ++#include ++#include ++ ++#include ++ ++#define FAILLOCK_FLAG_DENY_ROOT 0x1 ++#define FAILLOCK_FLAG_AUDIT 0x2 ++#define FAILLOCK_FLAG_SILENT 0x4 ++#define FAILLOCK_FLAG_NO_LOG_INFO 0x8 ++#define FAILLOCK_FLAG_UNLOCKED 0x10 ++#define FAILLOCK_FLAG_LOCAL_ONLY 0x20 ++#define FAILLOCK_FLAG_NO_DELAY 0x40 ++ ++#define FAILLOCK_CONF_MAX_LINELEN 1023 ++#define MAX_TIME_INTERVAL 604800 /* 7 days */ ++ ++struct options { ++ unsigned int action; ++ unsigned int flags; ++ unsigned short deny; ++ unsigned int fail_interval; ++ unsigned int unlock_time; ++ unsigned int root_unlock_time; ++ char *dir; ++ const char *user; ++ char *admin_group; ++ int failures; ++ uint64_t latest_time; ++ uid_t uid; ++ int is_admin; ++ uint64_t now; ++ int fatal_error; ++ ++ unsigned int reset; ++ const char *progname; ++}; ++ ++int read_config_file(pam_handle_t *pamh, struct options *opts, ++ const char *cfgfile); ++void set_conf_opt(pam_handle_t *pamh, struct options *opts, const char *name, ++ const char *value); ++const char *get_tally_dir(const struct options *opts); ++ ++#endif /* _FAILLOCK_CONFIG_H */ +diff -up Linux-PAM-1.5.1/modules/pam_faillock/main.c.faillock-load-conf-from-file Linux-PAM-1.5.1/modules/pam_faillock/main.c +--- Linux-PAM-1.5.1/modules/pam_faillock/main.c.faillock-load-conf-from-file 2020-11-25 17:57:02.000000000 +0100 ++++ Linux-PAM-1.5.1/modules/pam_faillock/main.c 2022-05-25 15:37:05.801216176 +0200 +@@ -51,33 +51,40 @@ + #define AUDIT_NO_ID ((unsigned int) -1) + #endif + ++#include "pam_inline.h" + #include "faillock.h" +- +-struct options { +- unsigned int reset; +- const char *dir; +- const char *user; +- const char *progname; +-}; ++#include "faillock_config.h" + + static int + args_parse(int argc, char **argv, struct options *opts) + { + int i; ++ int rv; ++ const char *dir = NULL; ++ const char *conf = NULL; ++ + memset(opts, 0, sizeof(*opts)); + +- opts->dir = FAILLOCK_DEFAULT_TALLYDIR; + opts->progname = argv[0]; + + for (i = 1; i < argc; ++i) { +- +- if (strcmp(argv[i], "--dir") == 0) { ++ if (strcmp(argv[i], "--conf") == 0) { ++ ++i; ++ if (i >= argc || strlen(argv[i]) == 0) { ++ fprintf(stderr, "%s: No configuration file supplied.\n", ++ argv[0]); ++ return -1; ++ } ++ conf = argv[i]; ++ } ++ else if (strcmp(argv[i], "--dir") == 0) { + ++i; + if (i >= argc || strlen(argv[i]) == 0) { +- fprintf(stderr, "%s: No directory supplied.\n", argv[0]); ++ fprintf(stderr, "%s: No records directory supplied.\n", ++ argv[0]); + return -1; + } +- opts->dir = argv[i]; ++ dir = argv[i]; + } + else if (strcmp(argv[i], "--user") == 0) { + ++i; +@@ -85,7 +92,7 @@ args_parse(int argc, char **argv, struct + fprintf(stderr, "%s: No user name supplied.\n", argv[0]); + return -1; + } +- opts->user = argv[i]; ++ opts->user = argv[i]; + } + else if (strcmp(argv[i], "--reset") == 0) { + opts->reset = 1; +@@ -95,6 +102,21 @@ args_parse(int argc, char **argv, struct + return -1; + } + } ++ ++ if ((rv = read_config_file(NULL, opts, conf)) != PAM_SUCCESS) { ++ fprintf(stderr, "Configuration file missing or broken"); ++ return rv; ++ } ++ ++ if (dir != NULL) { ++ free(opts->dir); ++ opts->dir = strdup(dir); ++ if (opts->dir == NULL) { ++ fprintf(stderr, "Error allocating memory: %m"); ++ return -1; ++ } ++ } ++ + return 0; + } + +@@ -112,10 +134,11 @@ do_user(struct options *opts, const char + int rv; + struct tally_data tallies; + struct passwd *pwd; ++ const char *dir = get_tally_dir(opts); + + pwd = getpwnam(user); + +- fd = open_tally(opts->dir, user, pwd != NULL ? pwd->pw_uid : 0, 0); ++ fd = open_tally(dir, user, pwd != NULL ? pwd->pw_uid : 0, 0); + + if (fd == -1) { + if (errno == ENOENT) { +@@ -191,8 +214,9 @@ do_allusers(struct options *opts) + { + struct dirent **userlist; + int rv, i; ++ const char *dir = get_tally_dir(opts); + +- rv = scandir(opts->dir, &userlist, NULL, alphasort); ++ rv = scandir(dir, &userlist, NULL, alphasort); + if (rv < 0) { + fprintf(stderr, "%s: Error reading tally directory: %m\n", opts->progname); + return 2; +diff -up Linux-PAM-1.5.1/modules/pam_faillock/Makefile.am.faillock-load-conf-from-file Linux-PAM-1.5.1/modules/pam_faillock/Makefile.am +--- Linux-PAM-1.5.1/modules/pam_faillock/Makefile.am.faillock-load-conf-from-file 2020-11-25 17:57:02.000000000 +0100 ++++ Linux-PAM-1.5.1/modules/pam_faillock/Makefile.am 2022-05-25 15:30:33.700518571 +0200 +@@ -20,7 +20,7 @@ TESTS = $(dist_check_SCRIPTS) + securelibdir = $(SECUREDIR) + secureconfdir = $(SCONFIGDIR) + +-noinst_HEADERS = faillock.h ++noinst_HEADERS = faillock.h faillock_config.h + + AM_CFLAGS = -I$(top_srcdir)/libpam/include -I$(top_srcdir)/libpamc/include \ + $(WARN_CFLAGS) +@@ -41,8 +41,8 @@ dist_secureconf_DATA = faillock.conf + securelib_LTLIBRARIES = pam_faillock.la + sbin_PROGRAMS = faillock + +-pam_faillock_la_SOURCES = pam_faillock.c faillock.c +-faillock_SOURCES = main.c faillock.c ++pam_faillock_la_SOURCES = pam_faillock.c faillock.c faillock_config.c ++faillock_SOURCES = main.c faillock.c faillock_config.c + + if ENABLE_REGENERATE_MAN + dist_noinst_DATA = README +diff -up Linux-PAM-1.5.1/modules/pam_faillock/pam_faillock.c.faillock-load-conf-from-file Linux-PAM-1.5.1/modules/pam_faillock/pam_faillock.c +--- Linux-PAM-1.5.1/modules/pam_faillock/pam_faillock.c.faillock-load-conf-from-file 2020-11-25 17:57:02.000000000 +0100 ++++ Linux-PAM-1.5.1/modules/pam_faillock/pam_faillock.c 2022-05-25 15:33:03.885551825 +0200 +@@ -38,7 +38,6 @@ + #include + #include + #include +-#include + #include + #include + #include +@@ -56,55 +55,12 @@ + + #include "pam_inline.h" + #include "faillock.h" ++#include "faillock_config.h" + + #define FAILLOCK_ACTION_PREAUTH 0 + #define FAILLOCK_ACTION_AUTHSUCC 1 + #define FAILLOCK_ACTION_AUTHFAIL 2 + +-#define FAILLOCK_FLAG_DENY_ROOT 0x1 +-#define FAILLOCK_FLAG_AUDIT 0x2 +-#define FAILLOCK_FLAG_SILENT 0x4 +-#define FAILLOCK_FLAG_NO_LOG_INFO 0x8 +-#define FAILLOCK_FLAG_UNLOCKED 0x10 +-#define FAILLOCK_FLAG_LOCAL_ONLY 0x20 +-#define FAILLOCK_FLAG_NO_DELAY 0x40 +- +-#define MAX_TIME_INTERVAL 604800 /* 7 days */ +-#define FAILLOCK_CONF_MAX_LINELEN 1023 +- +-static const char default_faillock_conf[] = FAILLOCK_DEFAULT_CONF; +- +-struct options { +- unsigned int action; +- unsigned int flags; +- unsigned short deny; +- unsigned int fail_interval; +- unsigned int unlock_time; +- unsigned int root_unlock_time; +- char *dir; +- const char *user; +- char *admin_group; +- int failures; +- uint64_t latest_time; +- uid_t uid; +- int is_admin; +- uint64_t now; +- int fatal_error; +-}; +- +-static int read_config_file( +- pam_handle_t *pamh, +- struct options *opts, +- const char *cfgfile +-); +- +-static void set_conf_opt( +- pam_handle_t *pamh, +- struct options *opts, +- const char *name, +- const char *value +-); +- + static int + args_parse(pam_handle_t *pamh, int argc, const char **argv, + int flags, struct options *opts) +@@ -112,11 +68,10 @@ args_parse(pam_handle_t *pamh, int argc, + int i; + int config_arg_index = -1; + int rv; +- const char *conf = default_faillock_conf; ++ const char *conf = NULL; + + memset(opts, 0, sizeof(*opts)); + +- opts->dir = strdup(FAILLOCK_DEFAULT_TALLYDIR); + opts->deny = 3; + opts->fail_interval = 900; + opts->unlock_time = 600; +@@ -174,185 +129,11 @@ args_parse(pam_handle_t *pamh, int argc, + if (flags & PAM_SILENT) + opts->flags |= FAILLOCK_FLAG_SILENT; + +- if (opts->dir == NULL) { +- pam_syslog(pamh, LOG_CRIT, "Error allocating memory: %m"); +- opts->fatal_error = 1; +- } +- + if (opts->fatal_error) + return PAM_BUF_ERR; + return PAM_SUCCESS; + } + +-/* parse a single configuration file */ +-static int +-read_config_file(pam_handle_t *pamh, struct options *opts, const char *cfgfile) +-{ +- FILE *f; +- char linebuf[FAILLOCK_CONF_MAX_LINELEN+1]; +- +- f = fopen(cfgfile, "r"); +- if (f == NULL) { +- /* ignore non-existent default config file */ +- if (errno == ENOENT && cfgfile == default_faillock_conf) +- return PAM_SUCCESS; +- return PAM_SERVICE_ERR; +- } +- +- while (fgets(linebuf, sizeof(linebuf), f) != NULL) { +- size_t len; +- char *ptr; +- char *name; +- int eq; +- +- len = strlen(linebuf); +- /* len cannot be 0 unless there is a bug in fgets */ +- if (len && linebuf[len - 1] != '\n' && !feof(f)) { +- (void) fclose(f); +- return PAM_SERVICE_ERR; +- } +- +- if ((ptr=strchr(linebuf, '#')) != NULL) { +- *ptr = '\0'; +- } else { +- ptr = linebuf + len; +- } +- +- /* drop terminating whitespace including the \n */ +- while (ptr > linebuf) { +- if (!isspace(*(ptr-1))) { +- *ptr = '\0'; +- break; +- } +- --ptr; +- } +- +- /* skip initial whitespace */ +- for (ptr = linebuf; isspace(*ptr); ptr++); +- if (*ptr == '\0') +- continue; +- +- /* grab the key name */ +- eq = 0; +- name = ptr; +- while (*ptr != '\0') { +- if (isspace(*ptr) || *ptr == '=') { +- eq = *ptr == '='; +- *ptr = '\0'; +- ++ptr; +- break; +- } +- ++ptr; +- } +- +- /* grab the key value */ +- while (*ptr != '\0') { +- if (*ptr != '=' || eq) { +- if (!isspace(*ptr)) { +- break; +- } +- } else { +- eq = 1; +- } +- ++ptr; +- } +- +- /* set the key:value pair on opts */ +- set_conf_opt(pamh, opts, name, ptr); +- } +- +- (void)fclose(f); +- return PAM_SUCCESS; +-} +- +-static void +-set_conf_opt(pam_handle_t *pamh, struct options *opts, const char *name, const char *value) +-{ +- if (strcmp(name, "dir") == 0) { +- if (value[0] != '/') { +- pam_syslog(pamh, LOG_ERR, +- "Tally directory is not absolute path (%s); keeping default", value); +- } else { +- free(opts->dir); +- opts->dir = strdup(value); +- } +- } +- else if (strcmp(name, "deny") == 0) { +- if (sscanf(value, "%hu", &opts->deny) != 1) { +- pam_syslog(pamh, LOG_ERR, +- "Bad number supplied for deny argument"); +- } +- } +- else if (strcmp(name, "fail_interval") == 0) { +- unsigned int temp; +- if (sscanf(value, "%u", &temp) != 1 || +- temp > MAX_TIME_INTERVAL) { +- pam_syslog(pamh, LOG_ERR, +- "Bad number supplied for fail_interval argument"); +- } else { +- opts->fail_interval = temp; +- } +- } +- else if (strcmp(name, "unlock_time") == 0) { +- unsigned int temp; +- +- if (strcmp(value, "never") == 0) { +- opts->unlock_time = 0; +- } +- else if (sscanf(value, "%u", &temp) != 1 || +- temp > MAX_TIME_INTERVAL) { +- pam_syslog(pamh, LOG_ERR, +- "Bad number supplied for unlock_time argument"); +- } +- else { +- opts->unlock_time = temp; +- } +- } +- else if (strcmp(name, "root_unlock_time") == 0) { +- unsigned int temp; +- +- if (strcmp(value, "never") == 0) { +- opts->root_unlock_time = 0; +- } +- else if (sscanf(value, "%u", &temp) != 1 || +- temp > MAX_TIME_INTERVAL) { +- pam_syslog(pamh, LOG_ERR, +- "Bad number supplied for root_unlock_time argument"); +- } else { +- opts->root_unlock_time = temp; +- } +- } +- else if (strcmp(name, "admin_group") == 0) { +- free(opts->admin_group); +- opts->admin_group = strdup(value); +- if (opts->admin_group == NULL) { +- opts->fatal_error = 1; +- pam_syslog(pamh, LOG_CRIT, "Error allocating memory: %m"); +- } +- } +- else if (strcmp(name, "even_deny_root") == 0) { +- opts->flags |= FAILLOCK_FLAG_DENY_ROOT; +- } +- else if (strcmp(name, "audit") == 0) { +- opts->flags |= FAILLOCK_FLAG_AUDIT; +- } +- else if (strcmp(name, "silent") == 0) { +- opts->flags |= FAILLOCK_FLAG_SILENT; +- } +- else if (strcmp(name, "no_log_info") == 0) { +- opts->flags |= FAILLOCK_FLAG_NO_LOG_INFO; +- } +- else if (strcmp(name, "local_users_only") == 0) { +- opts->flags |= FAILLOCK_FLAG_LOCAL_ONLY; +- } +- else if (strcmp(name, "nodelay") == 0) { +- opts->flags |= FAILLOCK_FLAG_NO_DELAY; +- } +- else { +- pam_syslog(pamh, LOG_ERR, "Unknown option: %s", name); +- } +-} +- + static int + check_local_user (pam_handle_t *pamh, const char *user) + { +@@ -406,10 +187,11 @@ check_tally(pam_handle_t *pamh, struct o + unsigned int i; + uint64_t latest_time; + int failures; ++ const char *dir = get_tally_dir(opts); + + opts->now = time(NULL); + +- tfd = open_tally(opts->dir, opts->user, opts->uid, 0); ++ tfd = open_tally(dir, opts->user, opts->uid, 0); + + *fd = tfd; + +@@ -483,9 +265,10 @@ static void + reset_tally(pam_handle_t *pamh, struct options *opts, int *fd) + { + int rv; ++ const char *dir = get_tally_dir(opts); + + if (*fd == -1) { +- *fd = open_tally(opts->dir, opts->user, opts->uid, 1); ++ *fd = open_tally(dir, opts->user, opts->uid, 1); + } + else { + while ((rv=ftruncate(*fd, 0)) == -1 && errno == EINTR); +@@ -504,9 +287,10 @@ write_tally(pam_handle_t *pamh, struct o + unsigned int oldest; + uint64_t oldtime; + const void *source = NULL; ++ const char *dir = get_tally_dir(opts); + + if (*fd == -1) { +- *fd = open_tally(opts->dir, opts->user, opts->uid, 1); ++ *fd = open_tally(dir, opts->user, opts->uid, 1); + } + if (*fd == -1) { + if (errno == EACCES) { +diff --git a/modules/pam_faillock/faillock.h b/modules/pam_faillock/faillock.h +index b22a9dfb..0ea0ffba 100644 +--- a/modules/pam_faillock/faillock.h ++++ b/modules/pam_faillock/faillock.h +diff -up Linux-PAM-1.5.1/modules/pam_faillock/faillock.h.faillock-load-conf-from-file Linux-PAM-1.5.1/modules/pam_faillock/faillock.h +--- Linux-PAM-1.5.1/modules/pam_faillock/faillock.h.faillock-load-conf-from-file 2020-11-25 17:57:02.000000000 +0100 ++++ Linux-PAM-1.5.1/modules/pam_faillock/faillock.h 2022-05-25 15:33:03.885551825 +0200 +@@ -67,7 +67,6 @@ struct tally_data { + }; + + #define FAILLOCK_DEFAULT_TALLYDIR "/var/run/faillock" +-#define FAILLOCK_DEFAULT_CONF "/etc/security/faillock.conf" + + int open_tally(const char *dir, const char *user, uid_t uid, int create); + int read_tally(int fd, struct tally_data *tallies); diff --git a/SOURCES/pam-1.5.1-pam-faillock-avoid-logging-erroneous.patch b/SOURCES/pam-1.5.1-pam-faillock-avoid-logging-erroneous.patch new file mode 100644 index 0000000..016bb15 --- /dev/null +++ b/SOURCES/pam-1.5.1-pam-faillock-avoid-logging-erroneous.patch @@ -0,0 +1,37 @@ +From 10086bc69663fa819277af244eeb5b629a2403b8 Mon Sep 17 00:00:00 2001 +From: Deepak Das +Date: Mon, 10 Oct 2022 21:21:35 +0530 +Subject: [PATCH] pam_faillock: avoid logging an erroneous consecutive login + failure message + +* modules/pam_faillock/pam_faillock.c (write_tally): Avoid logging +a consecutive login failure message for the root user in case when +even_deny_root is not set. + +Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=2082442 +--- + modules/pam_faillock/pam_faillock.c | 8 +++++--- + 1 file changed, 5 insertions(+), 3 deletions(-) + +diff --git a/modules/pam_faillock/pam_faillock.c b/modules/pam_faillock/pam_faillock.c +index ddbb90e7..ca1c7035 100644 +--- a/modules/pam_faillock/pam_faillock.c ++++ b/modules/pam_faillock/pam_faillock.c +@@ -374,9 +374,11 @@ write_tally(pam_handle_t *pamh, struct options *opts, struct tally_data *tallies + } + close(audit_fd); + #endif +- if (!(opts->flags & FAILLOCK_FLAG_NO_LOG_INFO)) { +- pam_syslog(pamh, LOG_INFO, "Consecutive login failures for user %s account temporarily locked", +- opts->user); ++ if (!(opts->flags & FAILLOCK_FLAG_NO_LOG_INFO) && ++ ((opts->flags & FAILLOCK_FLAG_DENY_ROOT) || (opts->uid != 0))) { ++ pam_syslog(pamh, LOG_INFO, ++ "Consecutive login failures for user %s account temporarily locked", ++ opts->user); + } + } + +-- +2.38.1 + diff --git a/SOURCES/pam-1.5.1-pam-faillock-clarify-missing-user.patch b/SOURCES/pam-1.5.1-pam-faillock-clarify-missing-user.patch new file mode 100644 index 0000000..3f15eb8 --- /dev/null +++ b/SOURCES/pam-1.5.1-pam-faillock-clarify-missing-user.patch @@ -0,0 +1,53 @@ +From bcbf145ce925934214e48200c27c9ff736452549 Mon Sep 17 00:00:00 2001 +From: Deepak Das +Date: Mon, 10 Oct 2022 17:55:53 +0530 +Subject: [PATCH] pam_faillock: Clarify missing user faillock files after + reboot + +* modules/pam_faillock/faillock.conf.5.xml: Adding note related to missing +user specific faillock files after reboot. + +* modules/pam_faillock/pam_faillock.8.xml: Adding note related to missing +user specific faillock files after reboot. + +Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=2062512 +--- + modules/pam_faillock/faillock.conf.5.xml | 4 ++++ + modules/pam_faillock/pam_faillock.8.xml | 6 ++++++ + 2 files changed, 10 insertions(+) + +diff --git a/modules/pam_faillock/faillock.conf.5.xml b/modules/pam_faillock/faillock.conf.5.xml +index 04a84107..8faa5915 100644 +--- a/modules/pam_faillock/faillock.conf.5.xml ++++ b/modules/pam_faillock/faillock.conf.5.xml +@@ -44,6 +44,10 @@ + The directory where the user files with the failure records are kept. The + default is /var/run/faillock. + ++ ++ Note: These files will disappear after reboot on systems configured with ++ directory /var/run/faillock mounted on virtual memory. ++ + + + +diff --git a/modules/pam_faillock/pam_faillock.8.xml b/modules/pam_faillock/pam_faillock.8.xml +index 79bcbbd0..b7b7b0db 100644 +--- a/modules/pam_faillock/pam_faillock.8.xml ++++ b/modules/pam_faillock/pam_faillock.8.xml +@@ -327,6 +327,12 @@ session required pam_selinux.so open + /var/run/faillock/* + + the files logging the authentication failures for users ++ ++ Note: These files will disappear after reboot on systems configured with ++ directory /var/run/faillock mounted on virtual memory. ++ For persistent storage use the option dir= in ++ file /etc/security/faillock.conf. ++ + + + +-- +2.38.1 + diff --git a/SOURCES/pam-1.5.1-pam-keyinit-thread-safe.patch b/SOURCES/pam-1.5.1-pam-keyinit-thread-safe.patch new file mode 100644 index 0000000..f898b0b --- /dev/null +++ b/SOURCES/pam-1.5.1-pam-keyinit-thread-safe.patch @@ -0,0 +1,150 @@ +From a35e092e24ee7632346a0e1b4a203c04d4cd2c62 Mon Sep 17 00:00:00 2001 +From: Iker Pedrosa +Date: Mon, 24 Jan 2022 15:43:23 +0100 +Subject: [PATCH] pam_keyinit: thread-safe implementation + +* modules/pam_keyinit/pam_keyinit.c: Bypass setre*id() C library calls +with kernel calls and change global variables definitions to be +thread-safe. + +Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=1997969 +Signed-off-by: Iker Pedrosa +Co-Authored-By: Andreas Schneider +--- + modules/pam_keyinit/pam_keyinit.c | 60 ++++++++++++++++++++++--------- + 1 file changed, 44 insertions(+), 16 deletions(-) + +diff --git a/modules/pam_keyinit/pam_keyinit.c b/modules/pam_keyinit/pam_keyinit.c +index 92e4953b..df9804b9 100644 +--- a/modules/pam_keyinit/pam_keyinit.c ++++ b/modules/pam_keyinit/pam_keyinit.c +@@ -21,6 +21,7 @@ + #include + #include + #include ++#include + + #define KEY_SPEC_SESSION_KEYRING -3 /* ID for session keyring */ + #define KEY_SPEC_USER_KEYRING -4 /* ID for UID-specific keyring */ +@@ -31,12 +32,12 @@ + #define KEYCTL_REVOKE 3 /* revoke a key */ + #define KEYCTL_LINK 8 /* link a key into a keyring */ + +-static int my_session_keyring = 0; +-static int session_counter = 0; +-static int do_revoke = 0; +-static uid_t revoke_as_uid; +-static gid_t revoke_as_gid; +-static int xdebug = 0; ++static _Thread_local int my_session_keyring = 0; ++static _Atomic int session_counter = 0; ++static _Thread_local int do_revoke = 0; ++static _Thread_local uid_t revoke_as_uid; ++static _Thread_local gid_t revoke_as_gid; ++static _Thread_local int xdebug = 0; + + static void debug(pam_handle_t *pamh, const char *fmt, ...) + __attribute__((format(printf, 2, 3))); +@@ -64,6 +65,33 @@ static void error(pam_handle_t *pamh, const char *fmt, ...) + va_end(va); + } + ++static int pam_setreuid(uid_t ruid, uid_t euid) ++{ ++#if defined(SYS_setreuid32) ++ return syscall(SYS_setreuid32, ruid, euid); ++#else ++ return syscall(SYS_setreuid, ruid, euid); ++#endif ++} ++ ++static int pam_setregid(gid_t rgid, gid_t egid) ++{ ++#if defined(SYS_setregid32) ++ return syscall(SYS_setregid32, rgid, egid); ++#else ++ return syscall(SYS_setregid, rgid, egid); ++#endif ++} ++ ++static int pam_setresuid(uid_t ruid, uid_t euid, uid_t suid) ++{ ++#if defined(SYS_setresuid32) ++ return syscall(SYS_setresuid32, ruid, euid, suid); ++#else ++ return syscall(SYS_setresuid, ruid, euid, suid); ++#endif ++} ++ + /* + * initialise the session keyring for this process + */ +@@ -140,14 +168,14 @@ static int kill_keyrings(pam_handle_t *pamh, int error_ret) + + /* switch to the real UID and GID so that we have permission to + * revoke the key */ +- if (revoke_as_gid != old_gid && setregid(-1, revoke_as_gid) < 0) { ++ if (revoke_as_gid != old_gid && pam_setregid(-1, revoke_as_gid) < 0) { + error(pamh, "Unable to change GID to %d temporarily\n", revoke_as_gid); + return error_ret; + } + +- if (revoke_as_uid != old_uid && setresuid(-1, revoke_as_uid, old_uid) < 0) { ++ if (revoke_as_uid != old_uid && pam_setresuid(-1, revoke_as_uid, old_uid) < 0) { + error(pamh, "Unable to change UID to %d temporarily\n", revoke_as_uid); +- if (getegid() != old_gid && setregid(-1, old_gid) < 0) ++ if (getegid() != old_gid && pam_setregid(-1, old_gid) < 0) + error(pamh, "Unable to change GID back to %d\n", old_gid); + return error_ret; + } +@@ -157,12 +185,12 @@ static int kill_keyrings(pam_handle_t *pamh, int error_ret) + } + + /* return to the original UID and GID (probably root) */ +- if (revoke_as_uid != old_uid && setreuid(-1, old_uid) < 0) { ++ if (revoke_as_uid != old_uid && pam_setreuid(-1, old_uid) < 0) { + error(pamh, "Unable to change UID back to %d\n", old_uid); + ret = error_ret; + } + +- if (revoke_as_gid != old_gid && setregid(-1, old_gid) < 0) { ++ if (revoke_as_gid != old_gid && pam_setregid(-1, old_gid) < 0) { + error(pamh, "Unable to change GID back to %d\n", old_gid); + ret = error_ret; + } +@@ -215,14 +243,14 @@ static int do_keyinit(pam_handle_t *pamh, int argc, const char **argv, int error + + /* switch to the real UID and GID so that the keyring ends up owned by + * the right user */ +- if (gid != old_gid && setregid(gid, -1) < 0) { ++ if (gid != old_gid && pam_setregid(gid, -1) < 0) { + error(pamh, "Unable to change GID to %d temporarily\n", gid); + return error_ret; + } + +- if (uid != old_uid && setreuid(uid, -1) < 0) { ++ if (uid != old_uid && pam_setreuid(uid, -1) < 0) { + error(pamh, "Unable to change UID to %d temporarily\n", uid); +- if (setregid(old_gid, -1) < 0) ++ if (pam_setregid(old_gid, -1) < 0) + error(pamh, "Unable to change GID back to %d\n", old_gid); + return error_ret; + } +@@ -230,12 +258,12 @@ static int do_keyinit(pam_handle_t *pamh, int argc, const char **argv, int error + ret = init_keyrings(pamh, force, error_ret); + + /* return to the original UID and GID (probably root) */ +- if (uid != old_uid && setreuid(old_uid, -1) < 0) { ++ if (uid != old_uid && pam_setreuid(old_uid, -1) < 0) { + error(pamh, "Unable to change UID back to %d\n", old_uid); + ret = error_ret; + } + +- if (gid != old_gid && setregid(old_gid, -1) < 0) { ++ if (gid != old_gid && pam_setregid(old_gid, -1) < 0) { + error(pamh, "Unable to change GID back to %d\n", old_gid); + ret = error_ret; + } +-- +2.35.1 + diff --git a/SOURCES/pam-1.5.1-pam-lastlog-check-localtime_r-return-value.patch b/SOURCES/pam-1.5.1-pam-lastlog-check-localtime_r-return-value.patch new file mode 100644 index 0000000..80ad508 --- /dev/null +++ b/SOURCES/pam-1.5.1-pam-lastlog-check-localtime_r-return-value.patch @@ -0,0 +1,41 @@ +From 40c271164dbcebfc5304d0537a42fb42e6b6803c Mon Sep 17 00:00:00 2001 +From: Iker Pedrosa +Date: Mon, 26 Sep 2022 12:16:53 +0200 +Subject: [PATCH] pam_lastlog: check localtime_r() return value + +Check the return value of localtime_r() before calling strftime(). This +function crashes if the argument is NULL. + +Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=2012871 + +Signed-off-by: Iker Pedrosa +--- + modules/pam_lastlog/pam_lastlog.c | 12 ++++++------ + 1 file changed, 6 insertions(+), 6 deletions(-) + +diff --git a/modules/pam_lastlog/pam_lastlog.c b/modules/pam_lastlog/pam_lastlog.c +index abd048df..121e7560 100644 +--- a/modules/pam_lastlog/pam_lastlog.c ++++ b/modules/pam_lastlog/pam_lastlog.c +@@ -573,12 +573,12 @@ last_login_failed(pam_handle_t *pamh, int announce, const char *user, time_t llt + time_t lf_time; + + lf_time = utuser.ut_tv.tv_sec; +- tm = localtime_r (&lf_time, &tm_buf); +- strftime (the_time, sizeof (the_time), +- /* TRANSLATORS: "strftime options for date of last login" */ +- _(" %a %b %e %H:%M:%S %Z %Y"), tm); +- +- date = the_time; ++ if ((tm = localtime_r (&lf_time, &tm_buf)) != NULL) { ++ strftime (the_time, sizeof (the_time), ++ /* TRANSLATORS: "strftime options for date of last login" */ ++ _(" %a %b %e %H:%M:%S %Z %Y"), tm); ++ date = the_time; ++ } + } + + /* we want & have the host? */ +-- +2.38.1 + diff --git a/SOURCES/pam-1.5.1-pam-limits-unlimited-value.patch b/SOURCES/pam-1.5.1-pam-limits-unlimited-value.patch new file mode 100644 index 0000000..a025c45 --- /dev/null +++ b/SOURCES/pam-1.5.1-pam-limits-unlimited-value.patch @@ -0,0 +1,99 @@ +From 3234488f2c52a021eec87df1990d256314c21bff Mon Sep 17 00:00:00 2001 +From: Josef Moellers +Date: Wed, 14 Apr 2021 16:39:28 +0200 +Subject: [PATCH] pam_limits: "Unlimited" is not a valid value for + RLIMIT_NOFILE. + +Replace it with a value obtained from /proc/sys/fs/nr_open + +* modules/pam_limits/limits.conf.5.xml: Document the replacement. +* modules/pam_limits/pam_limits.c: Replace unlimited RLIMIT_NOFILE + value with a value obtained from /proc/sys/fs/nr_open +--- + modules/pam_limits/limits.conf.5.xml | 2 ++ + modules/pam_limits/pam_limits.c | 49 ++++++++++++++++++++++++++++ + 2 files changed, 51 insertions(+) + +diff --git a/modules/pam_limits/limits.conf.5.xml b/modules/pam_limits/limits.conf.5.xml +index cd64ac90..c5bd6768 100644 +--- a/modules/pam_limits/limits.conf.5.xml ++++ b/modules/pam_limits/limits.conf.5.xml +@@ -283,6 +283,8 @@ + unlimited or infinity indicating no limit, + except for priority, nice, + and nonewprivs. ++ If nofile is to be set to one of these values, ++ it will be set to the contents of /proc/sys/fs/nr_open instead (see setrlimit(3)). + + + If a hard limit or soft limit of a resource is set to a valid value, +diff --git a/modules/pam_limits/pam_limits.c b/modules/pam_limits/pam_limits.c +index 10049973..7cc45d77 100644 +--- a/modules/pam_limits/pam_limits.c ++++ b/modules/pam_limits/pam_limits.c +@@ -487,6 +487,41 @@ static int init_limits(pam_handle_t *pamh, struct pam_limit_s *pl, int ctrl) + return retval; + } + ++/* ++ * Read the contents of and return it in *valuep ++ * return 1 if conversion succeeds, result is in *valuep ++ * return 0 if conversion fails, *valuep is untouched. ++ */ ++static int ++value_from_file(const char *pathname, rlim_t *valuep) ++{ ++ char buf[128]; ++ FILE *fp; ++ int retval; ++ ++ retval = 0; ++ ++ if ((fp = fopen(pathname, "r")) != NULL) { ++ if (fgets(buf, sizeof(buf), fp) != NULL) { ++ char *endptr; ++ unsigned long long value; ++ ++ errno = 0; ++ value = strtoull(buf, &endptr, 10); ++ if (endptr != buf && ++ (value != ULLONG_MAX || errno == 0) && ++ (unsigned long long) (rlim_t) value == value) { ++ *valuep = (rlim_t) value; ++ retval = 1; ++ } ++ } ++ ++ fclose(fp); ++ } ++ ++ return retval; ++} ++ + static void + process_limit (const pam_handle_t *pamh, int source, const char *lim_type, + const char *lim_item, const char *lim_value, +@@ -666,6 +701,20 @@ process_limit (const pam_handle_t *pamh, int source, const char *lim_type, + rlimit_value = 20 - int_value; + break; + #endif ++ case RLIMIT_NOFILE: ++ /* ++ * If nofile is to be set to "unlimited", try to set it to ++ * the value in /proc/sys/fs/nr_open instead. ++ */ ++ if (rlimit_value == RLIM_INFINITY) { ++ if (!value_from_file("/proc/sys/fs/nr_open", &rlimit_value)) ++ pam_syslog(pamh, LOG_WARNING, ++ "Cannot set \"nofile\" to a sensible value"); ++ else if (ctrl & PAM_DEBUG_ARG) ++ pam_syslog(pamh, LOG_DEBUG, "Setting \"nofile\" limit to %llu", ++ (unsigned long long) rlimit_value); ++ } ++ break; + } + + if ( (limit_item != LIMIT_LOGIN) +-- +2.33.1 + diff --git a/SOURCES/pam-1.5.1-pam-pwhistory-load-conf-from-file.patch b/SOURCES/pam-1.5.1-pam-pwhistory-load-conf-from-file.patch new file mode 100644 index 0000000..4320292 --- /dev/null +++ b/SOURCES/pam-1.5.1-pam-pwhistory-load-conf-from-file.patch @@ -0,0 +1,489 @@ +diff -up Linux-PAM-1.5.1/modules/pam_pwhistory/Makefile.am.pam-pwhistory-load-conf-from-file Linux-PAM-1.5.1/modules/pam_pwhistory/Makefile.am +--- Linux-PAM-1.5.1/modules/pam_pwhistory/Makefile.am.pam-pwhistory-load-conf-from-file 2020-11-25 17:57:02.000000000 +0100 ++++ Linux-PAM-1.5.1/modules/pam_pwhistory/Makefile.am 2022-08-22 09:08:48.916487811 +0200 +@@ -9,9 +9,10 @@ MAINTAINERCLEANFILES = $(MANS) README + EXTRA_DIST = $(XMLS) + + if HAVE_DOC +-dist_man_MANS = pam_pwhistory.8 pwhistory_helper.8 ++dist_man_MANS = pam_pwhistory.8 pwhistory_helper.8 pwhistory.conf.5 + endif +-XMLS = README.xml pam_pwhistory.8.xml pwhistory_helper.8.xml ++XMLS = README.xml pam_pwhistory.8.xml pwhistory_helper.8.xml \ ++ pwhistory.conf.5.xml + dist_check_SCRIPTS = tst-pam_pwhistory + TESTS = $(dist_check_SCRIPTS) + +@@ -26,12 +27,14 @@ if HAVE_VERSIONING + pam_pwhistory_la_LDFLAGS += -Wl,--version-script=$(srcdir)/../modules.map + endif + +-noinst_HEADERS = opasswd.h ++noinst_HEADERS = opasswd.h pwhistory_config.h ++ ++dist_secureconf_DATA = pwhistory.conf + + securelib_LTLIBRARIES = pam_pwhistory.la + pam_pwhistory_la_CFLAGS = $(AM_CFLAGS) + pam_pwhistory_la_LIBADD = $(top_builddir)/libpam/libpam.la @LIBCRYPT@ @LIBSELINUX@ +-pam_pwhistory_la_SOURCES = pam_pwhistory.c opasswd.c ++pam_pwhistory_la_SOURCES = pam_pwhistory.c opasswd.c pwhistory_config.c + + sbin_PROGRAMS = pwhistory_helper + pwhistory_helper_CFLAGS = $(AM_CFLAGS) -DHELPER_COMPILE=\"pwhistory_helper\" @EXE_CFLAGS@ +diff -up Linux-PAM-1.5.1/modules/pam_pwhistory/pam_pwhistory.8.xml.pam-pwhistory-load-conf-from-file Linux-PAM-1.5.1/modules/pam_pwhistory/pam_pwhistory.8.xml +--- Linux-PAM-1.5.1/modules/pam_pwhistory/pam_pwhistory.8.xml.pam-pwhistory-load-conf-from-file 2020-11-25 17:57:02.000000000 +0100 ++++ Linux-PAM-1.5.1/modules/pam_pwhistory/pam_pwhistory.8.xml 2022-08-22 09:13:08.715628372 +0200 +@@ -36,6 +36,9 @@ + + authtok_type=STRING + ++ ++ conf=/path/to/config-file ++ + + + +@@ -104,7 +107,7 @@ + + + The last N passwords for each +- user are saved in /etc/security/opasswd. ++ user are saved. + The default is 10. Value of + 0 makes the module to keep the existing + contents of the opasswd file unchanged. +@@ -137,7 +140,26 @@ + + + ++ ++ ++ ++ ++ ++ ++ Use another configuration file instead of the default ++ /etc/security/pwhistory.conf. ++ ++ ++ ++ + ++ ++ The options for configuring the module behavior are described in the ++ pwhistory.conf ++ 5 manual page. The options ++ specified on the module command line override the values from the ++ configuration file. ++ + + + +@@ -223,6 +245,9 @@ password required pam_unix.so + SEE ALSO + + ++ pwhistory.conf5 ++ , ++ + pam.conf5 + , + +diff -up Linux-PAM-1.5.1/modules/pam_pwhistory/pam_pwhistory.c.pam-pwhistory-load-conf-from-file Linux-PAM-1.5.1/modules/pam_pwhistory/pam_pwhistory.c +--- Linux-PAM-1.5.1/modules/pam_pwhistory/pam_pwhistory.c.pam-pwhistory-load-conf-from-file 2020-11-25 17:57:02.000000000 +0100 ++++ Linux-PAM-1.5.1/modules/pam_pwhistory/pam_pwhistory.c 2022-08-22 09:11:34.949855242 +0200 +@@ -63,14 +63,8 @@ + + #include "opasswd.h" + #include "pam_inline.h" ++#include "pwhistory_config.h" + +-struct options_t { +- int debug; +- int enforce_for_root; +- int remember; +- int tries; +-}; +-typedef struct options_t options_t; + + + static void +@@ -299,6 +293,8 @@ pam_sm_chauthtok (pam_handle_t *pamh, in + options.remember = 10; + options.tries = 1; + ++ parse_config_file(pamh, argc, argv, &options); ++ + /* Parse parameters for module */ + for ( ; argc-- > 0; argv++) + parse_option (pamh, *argv, &options); +@@ -306,7 +302,6 @@ pam_sm_chauthtok (pam_handle_t *pamh, in + if (options.debug) + pam_syslog (pamh, LOG_DEBUG, "pam_sm_chauthtok entered"); + +- + if (options.remember == 0) + return PAM_IGNORE; + +diff -up Linux-PAM-1.5.1/modules/pam_pwhistory/pwhistory.conf.5.xml.pam-pwhistory-load-conf-from-file Linux-PAM-1.5.1/modules/pam_pwhistory/pwhistory.conf.5.xml +--- Linux-PAM-1.5.1/modules/pam_pwhistory/pwhistory.conf.5.xml.pam-pwhistory-load-conf-from-file 2022-08-22 09:08:48.916487811 +0200 ++++ Linux-PAM-1.5.1/modules/pam_pwhistory/pwhistory.conf.5.xml 2022-08-22 09:08:48.916487811 +0200 +@@ -0,0 +1,155 @@ ++ ++ ++ ++ ++ ++ ++ pwhistory.conf ++ 5 ++ Linux-PAM Manual ++ ++ ++ ++ pwhistory.conf ++ pam_pwhistory configuration file ++ ++ ++ ++ ++ DESCRIPTION ++ ++ pwhistory.conf provides a way to configure the ++ default settings for saving the last passwords for each user. ++ This file is read by the pam_pwhistory module and is the ++ preferred method over configuring pam_pwhistory directly. ++ ++ ++ The file has a very simple name = value format with possible comments ++ starting with # character. The whitespace at the beginning of line, end ++ of line, and around the = sign is ignored. ++ ++ ++ ++ ++ ++ OPTIONS ++ ++ ++ ++ ++ ++ ++ ++ Turns on debugging via ++ ++ syslog3 ++ . ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ If this option is set, the check is enforced for root, too. ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ The last N passwords for each ++ user are saved. ++ The default is 10. Value of ++ 0 makes the module to keep the existing ++ contents of the opasswd file unchanged. ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ Prompt user at most N times ++ before returning with error. The default is 1. ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ Store password history in file ++ /path/filename rather than the default ++ location. The default location is ++ /etc/security/opasswd. ++ ++ ++ ++ ++ ++ ++ ++ EXAMPLES ++ ++ /etc/security/pwhistory.conf file example: ++ ++ ++debug ++remember=5 ++file=/tmp/opasswd ++ ++ ++ ++ ++ FILES ++ ++ ++ /etc/security/pwhistory.conf ++ ++ the config file for custom options ++ ++ ++ ++ ++ ++ ++ SEE ALSO ++ ++ ++ pwhistory8 ++ , ++ ++ pam_pwhistory8 ++ , ++ ++ pam.conf5 ++ , ++ ++ pam.d5 ++ , ++ ++ pam8 ++ ++ ++ ++ ++ ++ AUTHOR ++ ++ pam_pwhistory was written by Thorsten Kukuk. The support for ++ pwhistory.conf was written by Iker Pedrosa. ++ ++ ++ ++ +diff -up Linux-PAM-1.5.1/modules/pam_pwhistory/pwhistory_config.c.pam-pwhistory-load-conf-from-file Linux-PAM-1.5.1/modules/pam_pwhistory/pwhistory_config.c +--- Linux-PAM-1.5.1/modules/pam_pwhistory/pwhistory_config.c.pam-pwhistory-load-conf-from-file 2022-08-22 09:08:48.916487811 +0200 ++++ Linux-PAM-1.5.1/modules/pam_pwhistory/pwhistory_config.c 2022-08-22 09:08:48.916487811 +0200 +@@ -0,0 +1,115 @@ ++/* ++ * Copyright (c) 2022 Iker Pedrosa ++ * ++ * Redistribution and use in source and binary forms, with or without ++ * modification, are permitted provided that the following conditions ++ * are met: ++ * 1. Redistributions of source code must retain the above copyright ++ * notice, and the entire permission notice in its entirety, ++ * including the disclaimer of warranties. ++ * 2. Redistributions in binary form must reproduce the above copyright ++ * notice, this list of conditions and the following disclaimer in the ++ * documentation and/or other materials provided with the distribution. ++ * 3. The name of the author may not be used to endorse or promote ++ * products derived from this software without specific prior ++ * written permission. ++ * ++ * ALTERNATIVELY, this product may be distributed under the terms of ++ * the GNU Public License, in which case the provisions of the GPL are ++ * required INSTEAD OF the above restrictions. (This clause is ++ * necessary due to a potential bad interaction between the GPL and ++ * the restrictions contained in a BSD-style copyright.) ++ * ++ * THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED ++ * WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES ++ * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE ++ * DISCLAIMED. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, ++ * INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES ++ * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR ++ * SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) ++ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, ++ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ++ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED ++ * OF THE POSSIBILITY OF SUCH DAMAGE. ++ */ ++ ++#include "config.h" ++ ++#include ++#include ++#include ++#include ++ ++#include ++ ++#include "pam_inline.h" ++#include "pwhistory_config.h" ++ ++#define PWHISTORY_DEFAULT_CONF "/etc/security/pwhistory.conf" ++ ++void ++parse_config_file(pam_handle_t *pamh, int argc, const char **argv, ++ struct options_t *options) ++{ ++ const char *fname = NULL; ++ int i; ++ char *val; ++ ++ for (i = 0; i < argc; ++i) { ++ const char *str = pam_str_skip_prefix(argv[i], "conf="); ++ ++ if (str != NULL) { ++ fname = str; ++ } ++ } ++ ++ if (fname == NULL) { ++ fname = PWHISTORY_DEFAULT_CONF; ++ } ++ ++ val = pam_modutil_search_key (pamh, fname, "debug"); ++ if (val != NULL) { ++ options->debug = 1; ++ free(val); ++ } ++ ++ val = pam_modutil_search_key (pamh, fname, "enforce_for_root"); ++ if (val != NULL) { ++ options->enforce_for_root = 1; ++ free(val); ++ } ++ ++ val = pam_modutil_search_key (pamh, fname, "remember"); ++ if (val != NULL) { ++ unsigned int temp; ++ if (sscanf(val, "%u", &temp) != 1) { ++ pam_syslog(pamh, LOG_ERR, ++ "Bad number supplied for remember argument"); ++ } else { ++ options->remember = temp; ++ } ++ free(val); ++ } ++ ++ val = pam_modutil_search_key (pamh, fname, "retry"); ++ if (val != NULL) { ++ unsigned int temp; ++ if (sscanf(val, "%u", &temp) != 1) { ++ pam_syslog(pamh, LOG_ERR, ++ "Bad number supplied for retry argument"); ++ } else { ++ options->tries = temp; ++ } ++ free(val); ++ } ++ ++ val = pam_modutil_search_key (pamh, fname, "file"); ++ if (val != NULL) { ++ if (*val != '/') { ++ pam_syslog (pamh, LOG_ERR, ++ "File path should be absolute: %s", val); ++ } else { ++ options->filename = val; ++ } ++ } ++} +diff -up Linux-PAM-1.5.1/modules/pam_pwhistory/pwhistory_config.h.pam-pwhistory-load-conf-from-file Linux-PAM-1.5.1/modules/pam_pwhistory/pwhistory_config.h +--- Linux-PAM-1.5.1/modules/pam_pwhistory/pwhistory_config.h.pam-pwhistory-load-conf-from-file 2022-08-22 09:08:48.916487811 +0200 ++++ Linux-PAM-1.5.1/modules/pam_pwhistory/pwhistory_config.h 2022-08-22 09:08:48.916487811 +0200 +@@ -0,0 +1,54 @@ ++/* ++ * Copyright (c) 2022 Iker Pedrosa ++ * ++ * Redistribution and use in source and binary forms, with or without ++ * modification, are permitted provided that the following conditions ++ * are met: ++ * 1. Redistributions of source code must retain the above copyright ++ * notice, and the entire permission notice in its entirety, ++ * including the disclaimer of warranties. ++ * 2. Redistributions in binary form must reproduce the above copyright ++ * notice, this list of conditions and the following disclaimer in the ++ * documentation and/or other materials provided with the distribution. ++ * 3. The name of the author may not be used to endorse or promote ++ * products derived from this software without specific prior ++ * written permission. ++ * ++ * ALTERNATIVELY, this product may be distributed under the terms of ++ * the GNU Public License, in which case the provisions of the GPL are ++ * required INSTEAD OF the above restrictions. (This clause is ++ * necessary due to a potential bad interaction between the GPL and ++ * the restrictions contained in a BSD-style copyright.) ++ * ++ * THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED ++ * WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES ++ * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE ++ * DISCLAIMED. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, ++ * INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES ++ * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR ++ * SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) ++ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, ++ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ++ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED ++ * OF THE POSSIBILITY OF SUCH DAMAGE. ++ */ ++ ++#ifndef _PWHISTORY_CONFIG_H ++#define _PWHISTORY_CONFIG_H ++ ++#include ++ ++struct options_t { ++ int debug; ++ int enforce_for_root; ++ int remember; ++ int tries; ++ const char *filename; ++}; ++typedef struct options_t options_t; ++ ++void ++parse_config_file(pam_handle_t *pamh, int argc, const char **argv, ++ struct options_t *options); ++ ++#endif /* _PWHISTORY_CONFIG_H */ +diff -up Linux-PAM-1.5.1/modules/pam_pwhistory/pwhistory.conf.pam-pwhistory-load-conf-from-file Linux-PAM-1.5.1/modules/pam_pwhistory/pwhistory.conf +--- Linux-PAM-1.5.1/modules/pam_pwhistory/pwhistory.conf.pam-pwhistory-load-conf-from-file 2022-08-22 09:08:48.916487811 +0200 ++++ Linux-PAM-1.5.1/modules/pam_pwhistory/pwhistory.conf 2022-08-22 09:08:48.916487811 +0200 +@@ -0,0 +1,21 @@ ++# Configuration for remembering the last passwords used by a user. ++# ++# Enable the debugging logs. ++# Enabled if option is present. ++# debug ++# ++# root account's passwords are also remembered. ++# Enabled if option is present. ++# enforce_for_root ++# ++# Number of passwords to remember. ++# The default is 10. ++# remember = 10 ++# ++# Number of times to prompt for the password. ++# The default is 1. ++# retry = 1 ++# ++# The directory where the last passwords are kept. ++# The default is /etc/security/opasswd. ++# file = /etc/security/opasswd diff --git a/SOURCES/pam-1.5.1-pam-usertype-SYS_UID_MAX.patch b/SOURCES/pam-1.5.1-pam-usertype-SYS_UID_MAX.patch new file mode 100644 index 0000000..df0ac35 --- /dev/null +++ b/SOURCES/pam-1.5.1-pam-usertype-SYS_UID_MAX.patch @@ -0,0 +1,100 @@ +From 370064ef6f99581b08d473a42bb3417d5dda3e4e Mon Sep 17 00:00:00 2001 +From: Iker Pedrosa +Date: Thu, 17 Feb 2022 10:24:03 +0100 +Subject: [PATCH] pam_usertype: only use SYS_UID_MAX for system users + +* modules/pam_usertype/pam_usertype.c (pam_usertype_is_system): Stop +using SYS_UID_MIN to check if it is a system account, because all +accounts below the SYS_UID_MAX are system users. +* modules/pam_usertype/pam_usertype.8.xml: Remove reference to SYS_UID_MIN +as it is no longer used to calculate the system accounts. +* configure.ac: Remove PAM_USERTYPE_SYSUIDMIN. + +Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=1949137 +Signed-off-by: Iker Pedrosa +--- + configure.ac | 5 ----- + modules/pam_usertype/pam_usertype.8.xml | 2 +- + modules/pam_usertype/pam_usertype.c | 15 ++++++--------- + 3 files changed, 7 insertions(+), 15 deletions(-) + +diff --git a/configure.ac b/configure.ac +index 639fc1ad..79113ad1 100644 +--- a/configure.ac ++++ b/configure.ac +@@ -632,11 +632,6 @@ test -n "$opt_uidmin" || + opt_uidmin=1000 + AC_DEFINE_UNQUOTED(PAM_USERTYPE_UIDMIN, $opt_uidmin, [Minimum regular user uid.]) + +-AC_ARG_WITH([sysuidmin], AS_HELP_STRING([--with-sysuidmin=],[default value for system user min uid (101)]), opt_sysuidmin=$withval) +-test -n "$opt_sysuidmin" || +- opt_sysuidmin=101 +-AC_DEFINE_UNQUOTED(PAM_USERTYPE_SYSUIDMIN, $opt_sysuidmin, [Minimum system user uid.]) +- + AC_ARG_WITH([kernel-overflow-uid], AS_HELP_STRING([--with-kernel-overflow-uid=],[kernel overflow uid, default (uint16_t)-2=65534]), opt_kerneloverflowuid=$withval) + test -n "$opt_kerneloverflowuid" || + opt_kerneloverflowuid=65534 +diff --git a/modules/pam_usertype/pam_usertype.8.xml b/modules/pam_usertype/pam_usertype.8.xml +index 7651da6e..d9307ba3 100644 +--- a/modules/pam_usertype/pam_usertype.8.xml ++++ b/modules/pam_usertype/pam_usertype.8.xml +@@ -31,7 +31,7 @@ + pam_usertype.so is designed to succeed or fail authentication + based on type of the account of the authenticated user. + The type of the account is decided with help of +- SYS_UID_MIN and SYS_UID_MAX ++ SYS_UID_MAX + settings in /etc/login.defs. One use is to select + whether to load other modules based on this test. + +diff --git a/modules/pam_usertype/pam_usertype.c b/modules/pam_usertype/pam_usertype.c +index d03b73b5..cfd9c8bb 100644 +--- a/modules/pam_usertype/pam_usertype.c ++++ b/modules/pam_usertype/pam_usertype.c +@@ -194,7 +194,6 @@ static int + pam_usertype_is_system(pam_handle_t *pamh, uid_t uid) + { + uid_t uid_min; +- uid_t sys_min; + uid_t sys_max; + + if (uid == (uid_t)-1) { +@@ -202,21 +201,19 @@ pam_usertype_is_system(pam_handle_t *pamh, uid_t uid) + return PAM_USER_UNKNOWN; + } + +- if (uid <= 99) { +- /* Reserved. */ +- return PAM_SUCCESS; +- } +- + if (uid == PAM_USERTYPE_OVERFLOW_UID) { + /* nobody */ + return PAM_SUCCESS; + } + + uid_min = pam_usertype_get_id(pamh, "UID_MIN", PAM_USERTYPE_UIDMIN); +- sys_min = pam_usertype_get_id(pamh, "SYS_UID_MIN", PAM_USERTYPE_SYSUIDMIN); + sys_max = pam_usertype_get_id(pamh, "SYS_UID_MAX", uid_min - 1); + +- return uid >= sys_min && uid <= sys_max ? PAM_SUCCESS : PAM_AUTH_ERR; ++ if (uid <= sys_max && uid < uid_min) { ++ return PAM_SUCCESS; ++ } ++ ++ return PAM_AUTH_ERR; + } + + static int +@@ -253,7 +250,7 @@ pam_usertype_evaluate(struct pam_usertype_opts *opts, + + /** + * Arguments: +- * - issystem: uid in ++ * - issystem: uid less than SYS_UID_MAX + * - isregular: not issystem + * - use_uid: use user that runs application not that is being authenticate (same as in pam_succeed_if) + * - audit: log unknown users to syslog +-- +2.36.1 + diff --git a/SOURCES/pam-1.5.1-pam_filter_close_file_after_controlling_tty.patch b/SOURCES/pam-1.5.1-pam_filter_close_file_after_controlling_tty.patch new file mode 100644 index 0000000..27af9c4 --- /dev/null +++ b/SOURCES/pam-1.5.1-pam_filter_close_file_after_controlling_tty.patch @@ -0,0 +1,42 @@ +From ec0e724fe53188c5c762c34ca9db6681c0de01b8 Mon Sep 17 00:00:00 2001 +From: Iker Pedrosa +Date: Thu, 1 Jul 2021 12:14:29 +0200 +Subject: [PATCH] pam_filter: Close file after controlling tty + +Failing to check the descriptor value meant that there was a bug in the +attempt to close the controlling tty. Moreover, this would lead to a +file descriptor leak as pointed out by the static analyzer tool: + +Error: RESOURCE_LEAK (CWE-772): [#def26] +Linux-PAM-1.5.1/modules/pam_filter/pam_filter.c:356: open_fn: Returning handle opened by "open". [Note: The source code implementation of the function has been overridden by a user model.] +Linux-PAM-1.5.1/modules/pam_filter/pam_filter.c:356: var_assign: Assigning: "t" = handle returned from "open("/dev/tty", 2)". +Linux-PAM-1.5.1/modules/pam_filter/pam_filter.c:357: off_by_one: Testing whether handle "t" is strictly greater than zero is suspicious. "t" leaks when it is zero. +Linux-PAM-1.5.1/modules/pam_filter/pam_filter.c:357: remediation: Did you intend to include equality with zero? +Linux-PAM-1.5.1/modules/pam_filter/pam_filter.c:367: leaked_handle: Handle variable "t" going out of scope leaks the handle. + 365| pam_syslog(pamh, LOG_ERR, + 366| "child cannot become new session: %m"); + 367|-> return PAM_ABORT; + 368| } + 369| + +Signed-off-by: Iker Pedrosa +--- + modules/pam_filter/pam_filter.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/modules/pam_filter/pam_filter.c b/modules/pam_filter/pam_filter.c +index 2f0af4fb..6e6def37 100644 +--- a/modules/pam_filter/pam_filter.c ++++ b/modules/pam_filter/pam_filter.c +@@ -354,7 +354,7 @@ set_filter (pam_handle_t *pamh, int flags UNUSED, int ctrl, + int t = open("/dev/tty", O_RDWR|O_NOCTTY); + #else + int t = open("/dev/tty",O_RDWR); +- if (t > 0) { ++ if (t >= 0) { + (void) ioctl(t, TIOCNOTTY, NULL); + close(t); + } +-- +2.31.1 + diff --git a/SOURCES/pam-1.5.1-timestamp-openssl-hmac-authentication.patch b/SOURCES/pam-1.5.1-timestamp-openssl-hmac-authentication.patch new file mode 100644 index 0000000..abea760 --- /dev/null +++ b/SOURCES/pam-1.5.1-timestamp-openssl-hmac-authentication.patch @@ -0,0 +1,738 @@ +From b3bb13e18a74e9ece825b7de1b81db97ebb107a0 Mon Sep 17 00:00:00 2001 +From: Iker Pedrosa +Date: Thu, 25 Mar 2021 09:43:30 +0100 +Subject: [PATCH] pam_timestamp: replace hmac implementation + +sha1 is no longer recommended as a cryptographic algorithm for +authentication. Thus, the idea of this change is to replace the +implementation provided by hmacsha1 included in pam_timestamp module by +the one in the openssl library. This way, there's no need to maintain +the cryptographic algorithm implementation and it can be easily changed +with a single configuration change. + +modules/pam_timestamp/hmac_openssl_wrapper.c: implement wrapper +functions around openssl's hmac implementation. Moreover, manage the key +generation and its read and write in a file. Include an option to +configure the cryptographic algorithm in login.defs file. +modules/pam_timestamp/hmac_openssl_wrapper.h: likewise. +modules/pam_timestamp/pam_timestamp.c: replace calls to functions +provided by hmacsha1 by functions provided by openssl's wrapper. +configure.ac: include openssl dependecy if it is enabled. +modules/pam_timestamp/Makefile.am: include new files and openssl library +to compilation. +ci/install-dependencies.sh: include openssl library to dependencies. +NEWS: add new item to next release. +Make.xml.rules.in: add stringparam profiling for hmac +doc/custom-man.xsl: change import docbook to one with profiling +modules/pam_timestamp/pam_timestamp.8.xml: add conditional paragraph to +indicate the value in /etc/login.defs that holds the value for the +encryption algorithm + +Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=1947294 +--- + Make.xml.rules.in | 2 +- + NEWS | 5 + + configure.ac | 16 + + doc/custom-man.xsl | 2 +- + modules/pam_timestamp/Makefile.am | 15 +- + modules/pam_timestamp/hmac_openssl_wrapper.c | 381 +++++++++++++++++++ + modules/pam_timestamp/hmac_openssl_wrapper.h | 57 +++ + modules/pam_timestamp/pam_timestamp.8.xml | 5 + + modules/pam_timestamp/pam_timestamp.c | 53 ++- + 10 files changed, 524 insertions(+), 13 deletions(-) + create mode 100644 modules/pam_timestamp/hmac_openssl_wrapper.c + create mode 100644 modules/pam_timestamp/hmac_openssl_wrapper.h + +diff --git a/Make.xml.rules.in b/Make.xml.rules.in +index daa1b97b..27bb510e 100644 +--- a/Make.xml.rules.in ++++ b/Make.xml.rules.in +@@ -21,6 +21,6 @@ README: README.xml + + %.8: %.8.xml + $(XMLLINT) --nonet --xinclude --postvalid --noout $< +- $(XSLTPROC) -o $(srcdir)/$@ --path $(srcdir) --xinclude @STRINGPARAM_VENDORDIR@ --nonet $(top_srcdir)/doc/custom-man.xsl $< ++ $(XSLTPROC) -o $(srcdir)/$@ --path $(srcdir) --xinclude @STRINGPARAM_VENDORDIR@ @STRINGPARAM_HMAC@ --nonet $(top_srcdir)/doc/custom-man.xsl $< + + #CLEANFILES += $(man_MANS) README +diff --git a/NEWS b/NEWS +index 2d49ec39..f4d11303 100644 +--- a/NEWS ++++ b/NEWS +@@ -1,5 +1,10 @@ + Linux-PAM NEWS -- history of user-visible changes. + ++Release next ++* pam_timestamp: change hmac algorithm to call openssl instead of the bundled ++ sha1 implementation if selected. Add option to select the hash ++ algorithm to use with HMAC. ++ + Release 1.5.1 + * pam_unix: fixed CVE-2020-27780 - authentication bypass when a user + doesn't exist and root password is blank +diff --git a/configure.ac b/configure.ac +index bd806473..9c92d0de 100644 +--- a/configure.ac ++++ b/configure.ac +@@ -504,6 +504,22 @@ else + fi + AC_SUBST([STRINGPARAM_VENDORDIR]) + ++AC_ARG_ENABLE([openssl], ++ AS_HELP_STRING([--enable-openssl],[use OpenSSL crypto libraries]), ++ [OPENSSL_ENABLED=$enableval], OPENSSL_ENABLED=no) ++if test "$OPENSSL_ENABLED" = "yes" ; then ++ AC_CHECK_LIB([crypto], [EVP_MAC_CTX_new], ++ [CRYPTO_LIBS="-lcrypto" ++ use_openssl=yes ++ AC_DEFINE([WITH_OPENSSL], 1, [OpenSSL provides crypto algorithm for hmac]) ++ STRINGPARAM_HMAC="--stringparam profile.condition 'openssl_hmac'"], ++ [CRYPTO_LIBS="" ++ STRINGPARAM_HMAC="--stringparam profile.condition 'no_openssl_hmac'"]) ++fi ++AC_SUBST([CRYPTO_LIBS]) ++AC_SUBST([STRINGPARAM_HMAC]) ++AM_CONDITIONAL([COND_USE_OPENSSL], [test "x$use_openssl" = "xyes"]) ++ + dnl Checks for header files. + AC_HEADER_DIRENT + AC_HEADER_STDC +diff --git a/doc/custom-man.xsl b/doc/custom-man.xsl +index 4c35e839..a3408e6c 100644 +--- a/doc/custom-man.xsl ++++ b/doc/custom-man.xsl +@@ -1,6 +1,6 @@ + + +- ++ + + + +diff --git a/modules/pam_timestamp/Makefile.am b/modules/pam_timestamp/Makefile.am +index 1faa324a..d290b85f 100644 +--- a/modules/pam_timestamp/Makefile.am ++++ b/modules/pam_timestamp/Makefile.am +@@ -18,12 +18,12 @@ TESTS = $(dist_check_SCRIPTS) $(check_PROGRAMS) + securelibdir = $(SECUREDIR) + secureconfdir = $(SCONFIGDIR) + +-noinst_HEADERS = hmacsha1.h sha1.h ++noinst_HEADERS = hmacsha1.h sha1.h hmac_openssl_wrapper.h + + AM_CFLAGS = -I$(top_srcdir)/libpam/include -I$(top_srcdir)/libpamc/include \ + $(WARN_CFLAGS) + +-pam_timestamp_la_LDFLAGS = -no-undefined -avoid-version -module $(AM_LDFLAGS) ++pam_timestamp_la_LDFLAGS = -no-undefined -avoid-version -module $(AM_LDFLAGS) $(CRYPTO_LIBS) + pam_timestamp_la_LIBADD = $(top_builddir)/libpam/libpam.la + if HAVE_VERSIONING + pam_timestamp_la_LDFLAGS += -Wl,--version-script=$(srcdir)/../modules.map +@@ -32,7 +32,12 @@ endif + securelib_LTLIBRARIES = pam_timestamp.la + sbin_PROGRAMS = pam_timestamp_check + +-pam_timestamp_la_SOURCES = pam_timestamp.c hmacsha1.c sha1.c ++pam_timestamp_la_SOURCES = pam_timestamp.c ++if COND_USE_OPENSSL ++pam_timestamp_la_SOURCES += hmac_openssl_wrapper.c ++else ++pam_timestamp_la_SOURCES += hmacsha1.c sha1.c ++endif + pam_timestamp_la_CFLAGS = $(AM_CFLAGS) + + pam_timestamp_check_SOURCES = pam_timestamp_check.c +@@ -40,7 +45,11 @@ pam_timestamp_check_CFLAGS = $(AM_CFLAGS) @EXE_CFLAGS@ + pam_timestamp_check_LDADD = $(top_builddir)/libpam/libpam.la + pam_timestamp_check_LDFLAGS = @EXE_LDFLAGS@ + ++if COND_USE_OPENSSL ++hmacfile_SOURCES = hmac_openssl_wrapper.c ++else + hmacfile_SOURCES = hmacfile.c hmacsha1.c sha1.c ++endif + hmacfile_LDADD = $(top_builddir)/libpam/libpam.la + + check_PROGRAMS = hmacfile +diff --git a/modules/pam_timestamp/hmac_openssl_wrapper.c b/modules/pam_timestamp/hmac_openssl_wrapper.c +new file mode 100644 +index 00000000..926c2fb9 +--- /dev/null ++++ b/modules/pam_timestamp/hmac_openssl_wrapper.c +@@ -0,0 +1,381 @@ ++/* Wrapper for hmac openssl implementation. ++ * ++ * Copyright (c) 2021 Red Hat, Inc. ++ * Written by Iker Pedrosa ++ * ++ * Redistribution and use in source and binary forms, with or without ++ * modification, are permitted provided that the following conditions ++ * are met: ++ * 1. Redistributions of source code must retain the above copyright ++ * notice, and the entire permission notice in its entirety, ++ * including the disclaimer of warranties. ++ * 2. Redistributions in binary form must reproduce the above copyright ++ * notice, this list of conditions and the following disclaimer in the ++ * documentation and/or other materials provided with the distribution. ++ * 3. The name of the author may not be used to endorse or promote ++ * products derived from this software without specific prior ++ * written permission. ++ * ++ * ALTERNATIVELY, this product may be distributed under the terms of ++ * the GNU Public License, in which case the provisions of the GPL are ++ * required INSTEAD OF the above restrictions. (This clause is ++ * necessary due to a potential bad interaction between the GPL and ++ * the restrictions contained in a BSD-style copyright.) ++ * ++ * THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED ++ * WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES ++ * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE ++ * DISCLAIMED. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, ++ * INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES ++ * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR ++ * SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) ++ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, ++ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ++ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED ++ * OF THE POSSIBILITY OF SUCH DAMAGE. ++ * ++ */ ++ ++#include "config.h" ++ ++#ifdef WITH_OPENSSL ++ ++#include ++#include ++#include ++#include ++#include ++#include ++#include ++#include ++#include ++ ++#include ++#include ++ ++#include "hmac_openssl_wrapper.h" ++ ++#define LOGIN_DEFS "/etc/login.defs" ++#define CRYPTO_KEY "HMAC_CRYPTO_ALGO" ++#define DEFAULT_ALGORITHM "SHA512" ++#define MAX_HMAC_LENGTH 512 ++#define MAX_KEY_LENGTH EVP_MAX_KEY_LENGTH ++ ++static char * ++get_crypto_algorithm(pam_handle_t *pamh, int debug){ ++ char *config_value = NULL; ++ ++ config_value = pam_modutil_search_key(pamh, LOGIN_DEFS, CRYPTO_KEY); ++ ++ if (config_value == NULL) { ++ config_value = strdup(DEFAULT_ALGORITHM); ++ if (debug) { ++ pam_syslog(pamh, LOG_DEBUG, ++ "Key [%s] not found, falling back to default algorithm [%s]\n", ++ CRYPTO_KEY, DEFAULT_ALGORITHM); ++ } ++ } ++ ++ return config_value; ++} ++ ++static int ++generate_key(pam_handle_t *pamh, char **key, size_t key_size) ++{ ++ int fd = 0; ++ size_t bytes_read = 0; ++ char * tmp = NULL; ++ ++ fd = open("/dev/urandom", O_RDONLY); ++ if (fd == -1) { ++ pam_syslog(pamh, LOG_ERR, "Cannot open /dev/urandom: %m"); ++ return PAM_AUTH_ERR; ++ } ++ ++ tmp = malloc(key_size); ++ if (!tmp) { ++ pam_syslog(pamh, LOG_CRIT, "Not enough memory"); ++ close(fd); ++ return PAM_AUTH_ERR; ++ } ++ ++ bytes_read = pam_modutil_read(fd, tmp, key_size); ++ close(fd); ++ ++ if (bytes_read < key_size) { ++ pam_syslog(pamh, LOG_ERR, "Short read on random device"); ++ free(tmp); ++ return PAM_AUTH_ERR; ++ } ++ ++ *key = tmp; ++ ++ return PAM_SUCCESS; ++} ++ ++static int ++read_file(pam_handle_t *pamh, int fd, char **text, size_t *text_length) ++{ ++ struct stat st; ++ size_t bytes_read = 0; ++ char *tmp = NULL; ++ ++ if (fstat(fd, &st) == -1) { ++ pam_syslog(pamh, LOG_ERR, "Unable to stat file: %m"); ++ close(fd); ++ return PAM_AUTH_ERR; ++ } ++ ++ if (st.st_size == 0) { ++ pam_syslog(pamh, LOG_ERR, "Key file size cannot be 0"); ++ close(fd); ++ return PAM_AUTH_ERR; ++ } ++ ++ tmp = malloc(st.st_size); ++ if (!tmp) { ++ pam_syslog(pamh, LOG_CRIT, "Not enough memory"); ++ close(fd); ++ return PAM_AUTH_ERR; ++ } ++ ++ bytes_read = pam_modutil_read(fd, tmp, st.st_size); ++ close(fd); ++ ++ if (bytes_read < (size_t)st.st_size) { ++ pam_syslog(pamh, LOG_ERR, "Short read on key file"); ++ memset(tmp, 0, st.st_size); ++ free(tmp); ++ return PAM_AUTH_ERR; ++ } ++ ++ *text = tmp; ++ *text_length = st.st_size; ++ ++ return PAM_SUCCESS; ++} ++ ++static int ++write_file(pam_handle_t *pamh, const char *file_name, char *text, ++ size_t text_length, uid_t owner, gid_t group) ++{ ++ int fd = 0; ++ size_t bytes_written = 0; ++ ++ fd = open(file_name, ++ O_WRONLY | O_CREAT | O_TRUNC, ++ S_IRUSR | S_IWUSR); ++ if (fd == -1) { ++ pam_syslog(pamh, LOG_ERR, "Unable to open [%s]: %m", file_name); ++ memset(text, 0, text_length); ++ free(text); ++ return PAM_AUTH_ERR; ++ } ++ ++ if (fchown(fd, owner, group) == -1) { ++ pam_syslog(pamh, LOG_ERR, "Unable to change ownership [%s]: %m", file_name); ++ memset(text, 0, text_length); ++ free(text); ++ close(fd); ++ return PAM_AUTH_ERR; ++ } ++ ++ bytes_written = pam_modutil_write(fd, text, text_length); ++ close(fd); ++ ++ if (bytes_written < text_length) { ++ pam_syslog(pamh, LOG_ERR, "Short write on %s", file_name); ++ free(text); ++ return PAM_AUTH_ERR; ++ } ++ ++ return PAM_SUCCESS; ++} ++ ++static int ++key_management(pam_handle_t *pamh, const char *file_name, char **text, ++ size_t text_length, uid_t owner, gid_t group) ++{ ++ int fd = 0; ++ ++ fd = open(file_name, O_RDONLY | O_NOFOLLOW); ++ if (fd == -1) { ++ if (errno == ENOENT) { ++ if (generate_key(pamh, text, text_length)) { ++ pam_syslog(pamh, LOG_ERR, "Unable to generate key"); ++ return PAM_AUTH_ERR; ++ } ++ ++ if (write_file(pamh, file_name, *text, text_length, owner, group)) { ++ pam_syslog(pamh, LOG_ERR, "Unable to write key"); ++ return PAM_AUTH_ERR; ++ } ++ } else { ++ pam_syslog(pamh, LOG_ERR, "Unable to open %s: %m", file_name); ++ return PAM_AUTH_ERR; ++ } ++ } else { ++ if (read_file(pamh, fd, text, &text_length)) { ++ pam_syslog(pamh, LOG_ERR, "Error reading key file %s\n", file_name); ++ return PAM_AUTH_ERR; ++ } ++ } ++ ++ return PAM_SUCCESS; ++} ++ ++static int ++hmac_management(pam_handle_t *pamh, int debug, void **out, size_t *out_length, ++ char *key, size_t key_length, ++ const void *text, size_t text_length) ++{ ++ int ret = PAM_AUTH_ERR; ++ EVP_MAC *evp_mac = NULL; ++ EVP_MAC_CTX *ctx = NULL; ++ unsigned char *hmac_message = NULL; ++ size_t hmac_length; ++ char *algo = NULL; ++ OSSL_PARAM subalg_param[] = { OSSL_PARAM_END, OSSL_PARAM_END }; ++ ++ algo = get_crypto_algorithm(pamh, debug); ++ ++ subalg_param[0] = OSSL_PARAM_construct_utf8_string(OSSL_MAC_PARAM_DIGEST, ++ algo, ++ 0); ++ ++ evp_mac = EVP_MAC_fetch(NULL, "HMAC", NULL); ++ if (evp_mac == NULL) { ++ pam_syslog(pamh, LOG_ERR, "Unable to create hmac implementation"); ++ goto done; ++ } ++ ++ ctx = EVP_MAC_CTX_new(evp_mac); ++ if (ctx == NULL) { ++ pam_syslog(pamh, LOG_ERR, "Unable to create hmac context"); ++ goto done; ++ } ++ ++ ret = EVP_MAC_init(ctx, (const unsigned char *)key, key_length, subalg_param); ++ if (ret == 0) { ++ pam_syslog(pamh, LOG_ERR, "Unable to initialize hmac context"); ++ goto done; ++ } ++ ++ ret = EVP_MAC_update(ctx, (const unsigned char *)text, text_length); ++ if (ret == 0) { ++ pam_syslog(pamh, LOG_ERR, "Unable to update hmac context"); ++ goto done; ++ } ++ ++ hmac_message = (unsigned char*)malloc(sizeof(unsigned char) * MAX_HMAC_LENGTH); ++ if (!hmac_message) { ++ pam_syslog(pamh, LOG_CRIT, "Not enough memory"); ++ goto done; ++ } ++ ++ ret = EVP_MAC_final(ctx, hmac_message, &hmac_length, MAX_HMAC_LENGTH); ++ if (ret == 0) { ++ pam_syslog(pamh, LOG_ERR, "Unable to calculate hmac message"); ++ goto done; ++ } ++ ++ *out_length = hmac_length; ++ *out = malloc(*out_length); ++ if (*out == NULL) { ++ pam_syslog(pamh, LOG_CRIT, "Not enough memory"); ++ goto done; ++ } ++ ++ memcpy(*out, hmac_message, *out_length); ++ ret = PAM_SUCCESS; ++ ++done: ++ if (hmac_message != NULL) { ++ free(hmac_message); ++ } ++ if (key != NULL) { ++ memset(key, 0, key_length); ++ free(key); ++ } ++ if (ctx != NULL) { ++ EVP_MAC_CTX_free(ctx); ++ } ++ if (evp_mac != NULL) { ++ EVP_MAC_free(evp_mac); ++ } ++ free(algo); ++ ++ return ret; ++} ++ ++int ++hmac_size(pam_handle_t *pamh, int debug, size_t *hmac_length) ++{ ++ int ret = PAM_AUTH_ERR; ++ EVP_MAC *evp_mac = NULL; ++ EVP_MAC_CTX *ctx = NULL; ++ const unsigned char key[] = "ThisIsJustAKey"; ++ size_t key_length = MAX_KEY_LENGTH; ++ char *algo = NULL; ++ OSSL_PARAM subalg_param[] = { OSSL_PARAM_END, OSSL_PARAM_END }; ++ ++ algo = get_crypto_algorithm(pamh, debug); ++ ++ subalg_param[0] = OSSL_PARAM_construct_utf8_string(OSSL_MAC_PARAM_DIGEST, ++ algo, ++ 0); ++ ++ evp_mac = EVP_MAC_fetch(NULL, "HMAC", NULL); ++ if (evp_mac == NULL) { ++ pam_syslog(pamh, LOG_ERR, "Unable to create hmac implementation"); ++ goto done; ++ } ++ ++ ctx = EVP_MAC_CTX_new(evp_mac); ++ if (ctx == NULL) { ++ pam_syslog(pamh, LOG_ERR, "Unable to create hmac context"); ++ goto done; ++ } ++ ++ ret = EVP_MAC_init(ctx, key, key_length, subalg_param); ++ if (ret == 0) { ++ pam_syslog(pamh, LOG_ERR, "Unable to initialize hmac context"); ++ goto done; ++ } ++ ++ *hmac_length = EVP_MAC_CTX_get_mac_size(ctx); ++ ret = PAM_SUCCESS; ++ ++done: ++ if (ctx != NULL) { ++ EVP_MAC_CTX_free(ctx); ++ } ++ if (evp_mac != NULL) { ++ EVP_MAC_free(evp_mac); ++ } ++ free(algo); ++ ++ return ret; ++} ++ ++int ++hmac_generate(pam_handle_t *pamh, int debug, void **mac, size_t *mac_length, ++ const char *key_file, uid_t owner, gid_t group, ++ const void *text, size_t text_length) ++{ ++ char *key = NULL; ++ size_t key_length = MAX_KEY_LENGTH; ++ ++ if (key_management(pamh, key_file, &key, key_length, owner, group)) { ++ return PAM_AUTH_ERR; ++ } ++ ++ if (hmac_management(pamh, debug, mac, mac_length, key, key_length, ++ text, text_length)) { ++ return PAM_AUTH_ERR; ++ } ++ ++ return PAM_SUCCESS; ++} ++ ++#endif /* WITH_OPENSSL */ +diff --git a/modules/pam_timestamp/hmac_openssl_wrapper.h b/modules/pam_timestamp/hmac_openssl_wrapper.h +new file mode 100644 +index 00000000..cc27c811 +--- /dev/null ++++ b/modules/pam_timestamp/hmac_openssl_wrapper.h +@@ -0,0 +1,57 @@ ++/* Wrapper for hmac openssl implementation. ++ * ++ * Copyright (c) 2021 Red Hat, Inc. ++ * Written by Iker Pedrosa ++ * ++ * Redistribution and use in source and binary forms, with or without ++ * modification, are permitted provided that the following conditions ++ * are met: ++ * 1. Redistributions of source code must retain the above copyright ++ * notice, and the entire permission notice in its entirety, ++ * including the disclaimer of warranties. ++ * 2. Redistributions in binary form must reproduce the above copyright ++ * notice, this list of conditions and the following disclaimer in the ++ * documentation and/or other materials provided with the distribution. ++ * 3. The name of the author may not be used to endorse or promote ++ * products derived from this software without specific prior ++ * written permission. ++ * ++ * ALTERNATIVELY, this product may be distributed under the terms of ++ * the GNU Public License, in which case the provisions of the GPL are ++ * required INSTEAD OF the above restrictions. (This clause is ++ * necessary due to a potential bad interaction between the GPL and ++ * the restrictions contained in a BSD-style copyright.) ++ * ++ * THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED ++ * WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES ++ * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE ++ * DISCLAIMED. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, ++ * INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES ++ * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR ++ * SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) ++ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, ++ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ++ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED ++ * OF THE POSSIBILITY OF SUCH DAMAGE. ++ * ++ */ ++#ifndef PAM_TIMESTAMP_HMAC_OPENSSL_WRAPPER_H ++#define PAM_TIMESTAMP_HMAC_OPENSSL_WRAPPER_H ++ ++#include "config.h" ++ ++#ifdef WITH_OPENSSL ++ ++#include ++#include ++ ++int ++hmac_size(pam_handle_t *pamh, int debug, size_t *hmac_length); ++ ++int ++hmac_generate(pam_handle_t *pamh, int debug, void **mac, size_t *mac_length, ++ const char *key_file, uid_t owner, gid_t group, ++ const void *text, size_t text_length); ++ ++#endif /* WITH_OPENSSL */ ++#endif /* PAM_TIMESTAMP_HMAC_OPENSSL_WRAPPER_H */ +diff --git a/modules/pam_timestamp/pam_timestamp.8.xml b/modules/pam_timestamp/pam_timestamp.8.xml +index e19a0bcf..83e5aea8 100644 +--- a/modules/pam_timestamp/pam_timestamp.8.xml ++++ b/modules/pam_timestamp/pam_timestamp.8.xml +@@ -50,6 +50,11 @@ for the user. When an application attempts to authenticate the user, a + pam_timestamp will treat a sufficiently recent timestamp + file as grounds for succeeding. + ++ ++ The default encryption hash is taken from the ++ HMAC_CRYPTO_ALGO variable from ++ /etc/login.defs. ++ + + + +diff --git a/modules/pam_timestamp/pam_timestamp.c b/modules/pam_timestamp/pam_timestamp.c +index 30be883c..01dd1385 100644 +--- a/modules/pam_timestamp/pam_timestamp.c ++++ b/modules/pam_timestamp/pam_timestamp.c +@@ -56,7 +56,11 @@ + #include + #include + #include ++#ifdef WITH_OPENSSL ++#include "hmac_openssl_wrapper.h" ++#else + #include "hmacsha1.h" ++#endif /* WITH_OPENSSL */ + + #include + #include +@@ -79,6 +83,9 @@ + #define BUFLEN PATH_MAX + #endif + ++#define ROOT_USER 0 ++#define ROOT_GROUP 0 ++ + /* Return PAM_SUCCESS if the given directory looks "safe". */ + static int + check_dir_perms(pam_handle_t *pamh, const char *tdir) +@@ -449,6 +456,13 @@ pam_sm_authenticate(pam_handle_t *pamh, int flags, int argc, const char **argv) + return PAM_AUTH_ERR; + } + ++#ifdef WITH_OPENSSL ++ if (hmac_size(pamh, debug, &maclen)) { ++ return PAM_AUTH_ERR; ++ } ++#else ++ maclen = hmac_sha1_size(); ++#endif /* WITH_OPENSSL */ + /* Check that the file is the expected size. */ + if (st.st_size == 0) { + /* Invalid, but may have been created by sudo. */ +@@ -456,7 +470,7 @@ pam_sm_authenticate(pam_handle_t *pamh, int flags, int argc, const char **argv) + return PAM_AUTH_ERR; + } + if (st.st_size != +- (off_t)(strlen(path) + 1 + sizeof(then) + hmac_sha1_size())) { ++ (off_t)(strlen(path) + 1 + sizeof(then) + maclen)) { + pam_syslog(pamh, LOG_NOTICE, "timestamp file `%s' " + "appears to be corrupted", path); + close(fd); +@@ -487,8 +501,17 @@ pam_sm_authenticate(pam_handle_t *pamh, int flags, int argc, const char **argv) + message_end = message + strlen(path) + 1 + sizeof(then); + + /* Regenerate the MAC. */ +- hmac_sha1_generate_file(pamh, &mac, &maclen, TIMESTAMPKEY, 0, 0, +- message, message_end - message); ++#ifdef WITH_OPENSSL ++ if (hmac_generate(pamh, debug, &mac, &maclen, TIMESTAMPKEY, ++ ROOT_USER, ROOT_GROUP, message, message_end - message)) { ++ close(fd); ++ free(message); ++ return PAM_AUTH_ERR; ++ } ++#else ++ hmac_sha1_generate_file(pamh, &mac, &maclen, TIMESTAMPKEY, ++ ROOT_USER, ROOT_GROUP, message, message_end - message); ++#endif /* WITH_OPENSSL */ + if ((mac == NULL) || + (memcmp(path, message, strlen(path)) != 0) || + (memcmp(mac, message_end, maclen) != 0)) { +@@ -605,8 +628,16 @@ pam_sm_open_session(pam_handle_t *pamh, int flags UNUSED, int argc, const char * + } + } + ++#ifdef WITH_OPENSSL ++ if (hmac_size(pamh, debug, &maclen)) { ++ return PAM_SESSION_ERR; ++ } ++#else ++ maclen = hmac_sha1_size(); ++#endif /* WITH_OPENSSL */ ++ + /* Generate the message. */ +- text = malloc(strlen(path) + 1 + sizeof(now) + hmac_sha1_size()); ++ text = malloc(strlen(path) + 1 + sizeof(now) + maclen); + if (text == NULL) { + pam_syslog(pamh, LOG_CRIT, "unable to allocate memory: %m"); + return PAM_SESSION_ERR; +@@ -621,15 +652,21 @@ pam_sm_open_session(pam_handle_t *pamh, int flags UNUSED, int argc, const char * + p += sizeof(now); + + /* Generate the MAC and append it to the plaintext. */ +- hmac_sha1_generate_file(pamh, &mac, &maclen, +- TIMESTAMPKEY, +- 0, 0, +- text, p - text); ++#ifdef WITH_OPENSSL ++ if (hmac_generate(pamh, debug, &mac, &maclen, TIMESTAMPKEY, ++ ROOT_USER, ROOT_GROUP, text, p - text)) { ++ free(text); ++ return PAM_SESSION_ERR; ++ } ++#else ++ hmac_sha1_generate_file(pamh, &mac, &maclen, TIMESTAMPKEY, ++ ROOT_USER, ROOT_GROUP, text, p - text); + if (mac == NULL) { + pam_syslog(pamh, LOG_ERR, "failure generating MAC: %m"); + free(text); + return PAM_SESSION_ERR; + } ++#endif /* WITH_OPENSSL */ + memmove(p, mac, maclen); + p += maclen; + free(mac); +-- +2.31.1 + diff --git a/SOURCES/pamtmp.conf b/SOURCES/pamtmp.conf new file mode 100644 index 0000000..ab2237f --- /dev/null +++ b/SOURCES/pamtmp.conf @@ -0,0 +1,5 @@ +d /run/console 0755 root root - +d /run/faillock 0755 root root - +d /run/sepermit 0755 root root - +d /run/motd.d 0755 root root - +f /var/log/tallylog 0600 root root - diff --git a/SOURCES/password-auth.pamd b/SOURCES/password-auth.pamd new file mode 100644 index 0000000..5de6f4d --- /dev/null +++ b/SOURCES/password-auth.pamd @@ -0,0 +1,18 @@ +#%PAM-1.0 +# This file is auto-generated. +# User changes will be destroyed the next time authselect is run. +auth required pam_env.so +auth sufficient pam_unix.so try_first_pass nullok +auth required pam_deny.so + +account required pam_unix.so + +password requisite pam_pwquality.so try_first_pass local_users_only retry=3 authtok_type= +password sufficient pam_unix.so try_first_pass use_authtok nullok sha512 shadow +password required pam_deny.so + +session optional pam_keyinit.so revoke +session required pam_limits.so +-session optional pam_systemd.so +session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid +session required pam_unix.so diff --git a/SOURCES/postlogin.5 b/SOURCES/postlogin.5 new file mode 100644 index 0000000..3a8abcf --- /dev/null +++ b/SOURCES/postlogin.5 @@ -0,0 +1,46 @@ +.TH POSTLOGIN 5 "2010 Dec 22" "Red Hat" "Linux-PAM Manual" +.SH NAME + +postlogin \- Common configuration file for PAMified services + +.SH SYNOPSIS +.B /etc/pam.d/postlogin +.sp 2 +.SH DESCRIPTION + +The purpose of this PAM configuration file is to provide a common +place for all PAM modules which should be called after the stack +configured in +.BR system-auth +or the other common PAM configuration files. + +.sp +The +.BR postlogin +configuration file is included from all individual service configuration +files that provide login service with shell or file access. + +.SH NOTES +The modules in the postlogin configuration file are executed regardless +of the success or failure of the modules in the +.BR system-auth +configuration file. + +.SH BUGS +.sp 2 +Sometimes it would be useful to be able to skip the postlogin modules in +case the substack of the +.BR system-auth +modules failed. Unfortunately the current Linux-PAM library does not +provide any way how to achieve this. + +.SH "SEE ALSO" +pam(8), config-util(5), system-auth(5) + +The three +.BR Linux-PAM +Guides, for +.BR "system administrators" ", " +.BR "module developers" ", " +and +.BR "application developers" ". " diff --git a/SOURCES/postlogin.pamd b/SOURCES/postlogin.pamd new file mode 100644 index 0000000..2ce9af4 --- /dev/null +++ b/SOURCES/postlogin.pamd @@ -0,0 +1,8 @@ +#%PAM-1.0 +# This file is auto-generated. +# User changes will be destroyed the next time authselect is run. + +session optional pam_umask.so silent +session [success=1 default=ignore] pam_succeed_if.so service !~ gdm* service !~ su* quiet +session [default=1] pam_lastlog.so nowtmp showfailed +session optional pam_lastlog.so silent noupdate showfailed diff --git a/SOURCES/smartcard-auth.pamd b/SOURCES/smartcard-auth.pamd new file mode 100644 index 0000000..9572770 --- /dev/null +++ b/SOURCES/smartcard-auth.pamd @@ -0,0 +1,19 @@ +#%PAM-1.0 +# This file is auto-generated. +# User changes will be destroyed the next time authselect is run. +auth required pam_env.so +auth [success=done ignore=ignore default=die] pam_pkcs11.so wait_for_card +auth required pam_deny.so + +account required pam_unix.so +account sufficient pam_localuser.so +account sufficient pam_succeed_if.so uid < 500 quiet +account required pam_permit.so + +password optional pam_pkcs11.so + +session optional pam_keyinit.so revoke +session required pam_limits.so +-session optional pam_systemd.so +session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid +session required pam_unix.so diff --git a/SOURCES/system-auth.5 b/SOURCES/system-auth.5 new file mode 100644 index 0000000..c0ca80b --- /dev/null +++ b/SOURCES/system-auth.5 @@ -0,0 +1,58 @@ +.TH SYSTEM-AUTH 5 "2010 Dec 22" "Red Hat" "Linux-PAM Manual" +.SH NAME + +system-auth \- Common configuration file for PAMified services + +.SH SYNOPSIS +.B /etc/pam.d/system-auth +.B /etc/pam.d/password-auth +.B /etc/pam.d/fingerprint-auth +.B /etc/pam.d/smartcard-auth +.sp 2 +.SH DESCRIPTION + +The purpose of these configuration files are to provide a common +interface for all applications and service daemons calling into +the PAM library. + +.sp +The +.BR system-auth +configuration file is included from nearly all individual service configuration +files with the help of the +.BR substack +directive. + +.sp +The +.BR password-auth +.BR fingerprint-auth +.BR smartcard-auth +configuration files are for applications which handle authentication from +different types of devices via simultaneously running individual conversations +instead of one aggregate conversation. + +.SH NOTES +Previously these common configuration files were included with the help +of the +.BR include +directive. This limited the use of the different action types of modules. +With the use of +.BR substack +directive to include these common configuration files this limitation +no longer applies. + +.SH BUGS +.sp 2 +None known. + +.SH "SEE ALSO" +pam(8), config-util(5), postlogin(5) + +The three +.BR Linux-PAM +Guides, for +.BR "system administrators" ", " +.BR "module developers" ", " +and +.BR "application developers" ". " diff --git a/SOURCES/system-auth.pamd b/SOURCES/system-auth.pamd new file mode 100644 index 0000000..5de6f4d --- /dev/null +++ b/SOURCES/system-auth.pamd @@ -0,0 +1,18 @@ +#%PAM-1.0 +# This file is auto-generated. +# User changes will be destroyed the next time authselect is run. +auth required pam_env.so +auth sufficient pam_unix.so try_first_pass nullok +auth required pam_deny.so + +account required pam_unix.so + +password requisite pam_pwquality.so try_first_pass local_users_only retry=3 authtok_type= +password sufficient pam_unix.so try_first_pass use_authtok nullok sha512 shadow +password required pam_deny.so + +session optional pam_keyinit.so revoke +session required pam_limits.so +-session optional pam_systemd.so +session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid +session required pam_unix.so diff --git a/SPECS/pam.spec b/SPECS/pam.spec new file mode 100644 index 0000000..abdcb4f --- /dev/null +++ b/SPECS/pam.spec @@ -0,0 +1,2318 @@ +%global pam_redhat_version 1.1.4 + +Summary: An extensible library which provides authentication for applications +Name: pam +Version: 1.5.1 +Release: 14%{?dist} +# The library is BSD licensed with option to relicense as GPLv2+ +# - this option is redundant as the BSD license allows that anyway. +# pam_timestamp, pam_loginuid, and pam_console modules are GPLv2+. +License: BSD and GPLv2+ +Source0: https://github.com/linux-pam/linux-pam/releases/download/v%{version}/Linux-PAM-%{version}.tar.xz +Source1: https://github.com/linux-pam/linux-pam/releases/download/v%{version}/Linux-PAM-%{version}.tar.xz.asc +Source2: https://releases.pagure.org/pam-redhat/pam-redhat-%{pam_redhat_version}.tar.bz2 +Source5: other.pamd +Source6: system-auth.pamd +Source7: password-auth.pamd +Source8: fingerprint-auth.pamd +Source9: smartcard-auth.pamd +Source10: config-util.pamd +Source11: dlopen.sh +Source12: system-auth.5 +Source13: config-util.5 +Source15: pamtmp.conf +Source16: postlogin.pamd +Source17: postlogin.5 +Source18: https://www.gnu.org/licenses/old-licenses/gpl-2.0.txt +Patch1: pam-1.5.0-redhat-modules.patch +Patch2: pam-1.5.0-noflex.patch +Patch3: pam-1.3.0-unix-nomsg.patch +Patch4: pam-1.5.1-timestamp-openssl-hmac-authentication.patch +# https://github.com/linux-pam/linux-pam/commit/ec0e724fe53188c5c762c34ca9db6681c0de01b8 +Patch5: pam-1.5.1-pam_filter_close_file_after_controlling_tty.patch +# https://github.com/linux-pam/linux-pam/commit/3234488f2c52a021eec87df1990d256314c21bff +Patch6: pam-1.5.1-pam-limits-unlimited-value.patch +# https://github.com/linux-pam/linux-pam/commit/a35e092e24ee7632346a0e1b4a203c04d4cd2c62 +Patch7: pam-1.5.1-pam-keyinit-thread-safe.patch +# https://github.com/linux-pam/linux-pam/commit/9bcbe96d9e82a23d983c0618178a8dc25596ac2d +# https://github.com/linux-pam/linux-pam/commit/fc867a9e22eac2c9a0ed0577776bba4df21c9aad +Patch8: pam-1.5.1-faillock-load-conf-from-file.patch +# https://github.com/linux-pam/linux-pam/commit/370064ef6f99581b08d473a42bb3417d5dda3e4e +Patch9: pam-1.5.1-pam-usertype-SYS_UID_MAX.patch +# https://github.com/linux-pam/linux-pam/commit/ba2f6dd8b81ea2a58262c1709bec906b6852591d +# https://github.com/linux-pam/linux-pam/commit/1180bde923a22605fe8075cd1fe7992ed7513411 +Patch10: pam-1.5.1-pam-pwhistory-load-conf-from-file.patch +# https://github.com/linux-pam/linux-pam/commit/40c271164dbcebfc5304d0537a42fb42e6b6803c +Patch11: pam-1.5.1-pam-lastlog-check-localtime_r-return-value.patch +# https://github.com/linux-pam/linux-pam/commit/bcbf145ce925934214e48200c27c9ff736452549 +Patch12: pam-1.5.1-pam-faillock-clarify-missing-user.patch +# https://github.com/linux-pam/linux-pam/commit/10086bc69663fa819277af244eeb5b629a2403b8 +Patch13: pam-1.5.1-pam-faillock-avoid-logging-erroneous.patch + +%global _pamlibdir %{_libdir} +%global _moduledir %{_libdir}/security +%global _secconfdir %{_sysconfdir}/security +%global _pamconfdir %{_sysconfdir}/pam.d +%global _pamvendordir %{_datadir}/pam.d +%global _systemdlibdir /usr/lib/systemd/system + +%if %{?WITH_SELINUX:0}%{!?WITH_SELINUX:1} +%global WITH_SELINUX 1 +%endif +%if %{?WITH_AUDIT:0}%{!?WITH_AUDIT:1} +%global WITH_AUDIT 1 +%endif +%global _performance_build 1 + +Requires: libpwquality >= 0.9.9 +BuildRequires: make +BuildRequires: autoconf >= 2.60 +BuildRequires: automake, libtool +BuildRequires: bison, flex, sed +BuildRequires: perl-interpreter, pkgconfig, gettext-devel +BuildRequires: libtirpc-devel +%if %{WITH_AUDIT} +BuildRequires: audit-libs-devel >= 1.0.8 +Requires: audit-libs >= 1.0.8 +%endif +%if %{WITH_SELINUX} +BuildRequires: libselinux-devel >= 1.33.2 +Requires: libselinux >= 1.33.2 +%endif +BuildRequires: libeconf-devel >= 0.3.5 +Requires: libeconf >= 0.3.5 +Requires: glibc >= 2.3.90-37 +BuildRequires: libxcrypt-devel >= 4.3.3-2 +BuildRequires: libdb-devel +# Following deps are necessary only to build the pam library documentation. +BuildRequires: linuxdoc-tools, elinks, libxslt +BuildRequires: docbook-style-xsl, docbook-dtds +BuildRequires: gcc +BuildRequires: openssl-devel >= 3.0.0 +Requires: openssl >= 3.0.0 + +URL: http://www.linux-pam.org/ + +%description +PAM (Pluggable Authentication Modules) is a system security tool that +allows system administrators to set authentication policy without +having to recompile programs that handle authentication. + +%package devel +Summary: Files needed for developing PAM-aware applications and modules for PAM +Requires: pam%{?_isa} = %{version}-%{release} + +%description devel +PAM (Pluggable Authentication Modules) is a system security tool that +allows system administrators to set authentication policy without +having to recompile programs that handle authentication. This package +contains header files used for building both PAM-aware applications +and modules for use with the PAM system. + +%package docs +Summary: Extra documentation for PAM. +Requires: pam%{?_isa} = %{version}-%{release} + +%description docs +PAM (Pluggable Authentication Modules) is a system security tool that +allows system administrators to set authentication policy without +having to recompile programs that handle authentication. The pam-docs +contains extra documentation for PAM. Currently, this includes additional +documentation in txt and html format. + +%prep +%setup -q -n Linux-PAM-%{version} -a 2 +perl -pi -e "s/ppc64-\*/ppc64-\* \| ppc64p7-\*/" build-aux/config.sub +perl -pi -e "s/\/lib \/usr\/lib/\/lib \/usr\/lib \/lib64 \/usr\/lib64/" m4/libtool.m4 + +# Add custom modules. +mv pam-redhat-%{pam_redhat_version}/* modules + +cp %{SOURCE18} . + +%patch1 -p1 -b .redhat-modules +%patch2 -p1 -b .noflex +%patch3 -p1 -b .nomsg +%patch4 -p1 -b .timestamp-openssl-hmac-authentication +%patch5 -p1 -b .pam_filter_close_file_after_controlling_tty +%patch6 -p1 -b .pam-limits-unlimited-value +%patch7 -p1 -b .pam-keyinit-thread-safe +%patch8 -p1 -b .faillock-load-conf-from-file +%patch9 -p1 -b .pam-usertype-SYS_UID_MAX +%patch10 -p1 -b .pam-pwhistory-load-conf-from-file +%patch11 -p1 -b .pam-lastlog-check-localtime_r-return-value +%patch12 -p1 -b .pam-faillock-clarify-missing-user +%patch13 -p1 -b .pam-faillock-avoid-logging-erroneous + +autoreconf -i + +%build +%configure \ + --disable-rpath \ + --libdir=%{_pamlibdir} \ + --includedir=%{_includedir}/security \ + --enable-vendordir=%{_datadir} \ +%if ! %{WITH_SELINUX} + --disable-selinux \ +%endif +%if ! %{WITH_AUDIT} + --disable-audit \ +%endif + --disable-static \ + --disable-prelude \ + --disable-nis \ + --enable-openssl +make -C po update-gmo +make +# we do not use _smp_mflags because the build of sources in yacc/flex fails + +%install +mkdir -p doc/txts +for readme in modules/pam_*/README ; do + cp -f ${readme} doc/txts/README.`dirname ${readme} | sed -e 's|^modules/||'` +done + +# Install the binaries, libraries, and modules. +make install DESTDIR=$RPM_BUILD_ROOT LDCONFIG=: + +%if %{WITH_SELINUX} +# Temporary compat link +ln -sf pam_sepermit.so $RPM_BUILD_ROOT%{_moduledir}/pam_selinux_permit.so +%endif + +# RPM uses docs from source tree +rm -rf $RPM_BUILD_ROOT%{_datadir}/doc/Linux-PAM +# Included in setup package +rm -f $RPM_BUILD_ROOT%{_sysconfdir}/environment + +# Install default configuration files. +install -d -m 755 $RPM_BUILD_ROOT%{_pamconfdir} +install -d -m 755 $RPM_BUILD_ROOT%{_pamvendordir} +install -m 644 %{SOURCE5} $RPM_BUILD_ROOT%{_pamconfdir}/other +install -m 644 %{SOURCE6} $RPM_BUILD_ROOT%{_pamconfdir}/system-auth +install -m 644 %{SOURCE7} $RPM_BUILD_ROOT%{_pamconfdir}/password-auth +install -m 644 %{SOURCE8} $RPM_BUILD_ROOT%{_pamconfdir}/fingerprint-auth +install -m 644 %{SOURCE9} $RPM_BUILD_ROOT%{_pamconfdir}/smartcard-auth +install -m 644 %{SOURCE10} $RPM_BUILD_ROOT%{_pamconfdir}/config-util +install -m 644 %{SOURCE16} $RPM_BUILD_ROOT%{_pamconfdir}/postlogin +install -m 600 /dev/null $RPM_BUILD_ROOT%{_secconfdir}/opasswd +install -d -m 755 $RPM_BUILD_ROOT/var/log +install -d -m 755 $RPM_BUILD_ROOT/var/run/faillock +install -d -m 755 $RPM_BUILD_ROOT%{_sysconfdir}/motd.d +install -d -m 755 $RPM_BUILD_ROOT/usr/lib/motd.d +install -d -m 755 $RPM_BUILD_ROOT/run/motd.d + +# Install man pages. +install -m 644 %{SOURCE12} %{SOURCE13} %{SOURCE17} $RPM_BUILD_ROOT%{_mandir}/man5/ +ln -sf system-auth.5 $RPM_BUILD_ROOT%{_mandir}/man5/password-auth.5 +ln -sf system-auth.5 $RPM_BUILD_ROOT%{_mandir}/man5/fingerprint-auth.5 +ln -sf system-auth.5 $RPM_BUILD_ROOT%{_mandir}/man5/smartcard-auth.5 + + +for phase in auth acct passwd session ; do + ln -sf pam_unix.so $RPM_BUILD_ROOT%{_moduledir}/pam_unix_${phase}.so +done + +# Remove .la files and make new .so links -- this depends on the value +# of _libdir not changing, and *not* being /usr/lib. +for lib in libpam libpamc libpam_misc ; do +rm -f $RPM_BUILD_ROOT%{_pamlibdir}/${lib}.la +done +rm -f $RPM_BUILD_ROOT%{_moduledir}/*.la + +%if "%{_pamlibdir}" != "%{_libdir}" +install -d -m 755 $RPM_BUILD_ROOT%{_libdir} +for lib in libpam libpamc libpam_misc ; do +pushd $RPM_BUILD_ROOT%{_libdir} +ln -sf %{_pamlibdir}/${lib}.so.*.* ${lib}.so +popd +rm -f $RPM_BUILD_ROOT%{_pamlibdir}/${lib}.so +done +%endif + +# Duplicate doc file sets. +rm -fr $RPM_BUILD_ROOT/usr/share/doc/pam + +# Install the file for autocreation of /var/run subdirectories on boot +install -m644 -D %{SOURCE15} $RPM_BUILD_ROOT%{_prefix}/lib/tmpfiles.d/pam.conf + +%find_lang Linux-PAM + +%check +# Make sure every module subdirectory gave us a module. Yes, this is hackish. +for dir in modules/pam_* ; do +if [ -d ${dir} ] ; then +%if ! %{WITH_SELINUX} + [ ${dir} = "modules/pam_selinux" ] && continue + [ ${dir} = "modules/pam_sepermit" ] && continue +%endif +%if ! %{WITH_AUDIT} + [ ${dir} = "modules/pam_tty_audit" ] && continue +%endif + if ! ls -1 $RPM_BUILD_ROOT%{_moduledir}/`basename ${dir}`*.so ; then + echo ERROR `basename ${dir}` did not build a module. + exit 1 + fi +fi +done + +# Check for module problems. Specifically, check that every module we just +# installed can actually be loaded by a minimal PAM-aware application. +/sbin/ldconfig -n $RPM_BUILD_ROOT%{_pamlibdir} +for module in $RPM_BUILD_ROOT%{_moduledir}/pam*.so ; do + if ! env LD_LIBRARY_PATH=$RPM_BUILD_ROOT%{_pamlibdir} \ + %{SOURCE11} -ldl -lpam -L$RPM_BUILD_ROOT%{_libdir} ${module} ; then + echo ERROR module: ${module} cannot be loaded. + exit 1 + fi +done + +%ldconfig_scriptlets + +%files -f Linux-PAM.lang +%dir %{_pamconfdir} +%dir %{_pamvendordir} +%config(noreplace) %{_pamconfdir}/other +%config(noreplace) %{_pamconfdir}/system-auth +%config(noreplace) %{_pamconfdir}/password-auth +%config(noreplace) %{_pamconfdir}/fingerprint-auth +%config(noreplace) %{_pamconfdir}/smartcard-auth +%config(noreplace) %{_pamconfdir}/config-util +%config(noreplace) %{_pamconfdir}/postlogin +%{!?_licensedir:%global license %%doc} +%license Copyright +%license gpl-2.0.txt +%{_pamlibdir}/libpam.so.* +%{_pamlibdir}/libpamc.so.* +%{_pamlibdir}/libpam_misc.so.* +%{_sbindir}/pam_console_apply +%{_sbindir}/pam_namespace_helper +%{_sbindir}/faillock +%attr(4755,root,root) %{_sbindir}/pam_timestamp_check +%attr(4755,root,root) %{_sbindir}/unix_chkpwd +%attr(0700,root,root) %{_sbindir}/unix_update +%attr(0755,root,root) %{_sbindir}/mkhomedir_helper +%attr(0755,root,root) %{_sbindir}/pwhistory_helper +%dir %{_moduledir} +%{_moduledir}/pam_access.so +%{_moduledir}/pam_chroot.so +%{_moduledir}/pam_console.so +%{_moduledir}/pam_debug.so +%{_moduledir}/pam_deny.so +%{_moduledir}/pam_echo.so +%{_moduledir}/pam_env.so +%{_moduledir}/pam_exec.so +%{_moduledir}/pam_faildelay.so +%{_moduledir}/pam_faillock.so +%{_moduledir}/pam_filter.so +%{_moduledir}/pam_ftp.so +%{_moduledir}/pam_group.so +%{_moduledir}/pam_issue.so +%{_moduledir}/pam_keyinit.so +%{_moduledir}/pam_lastlog.so +%{_moduledir}/pam_limits.so +%{_moduledir}/pam_listfile.so +%{_moduledir}/pam_localuser.so +%{_moduledir}/pam_loginuid.so +%{_moduledir}/pam_mail.so +%{_moduledir}/pam_mkhomedir.so +%{_moduledir}/pam_motd.so +%{_moduledir}/pam_namespace.so +%{_moduledir}/pam_nologin.so +%{_moduledir}/pam_permit.so +%{_moduledir}/pam_postgresok.so +%{_moduledir}/pam_pwhistory.so +%{_moduledir}/pam_rhosts.so +%{_moduledir}/pam_rootok.so +%if %{WITH_SELINUX} +%{_moduledir}/pam_selinux.so +%{_moduledir}/pam_selinux_permit.so +%{_moduledir}/pam_sepermit.so +%endif +%{_moduledir}/pam_securetty.so +%{_moduledir}/pam_setquota.so +%{_moduledir}/pam_shells.so +%{_moduledir}/pam_stress.so +%{_moduledir}/pam_succeed_if.so +%{_moduledir}/pam_time.so +%{_moduledir}/pam_timestamp.so +%if %{WITH_AUDIT} +%{_moduledir}/pam_tty_audit.so +%endif +%{_moduledir}/pam_umask.so +%{_moduledir}/pam_unix.so +%{_moduledir}/pam_unix_acct.so +%{_moduledir}/pam_unix_auth.so +%{_moduledir}/pam_unix_passwd.so +%{_moduledir}/pam_unix_session.so +%{_moduledir}/pam_userdb.so +%{_moduledir}/pam_usertype.so +%{_moduledir}/pam_warn.so +%{_moduledir}/pam_wheel.so +%{_moduledir}/pam_xauth.so +%{_moduledir}/pam_filter +%{_systemdlibdir}/pam_namespace.service +%dir %{_secconfdir} +%config(noreplace) %{_secconfdir}/access.conf +%config(noreplace) %{_secconfdir}/chroot.conf +%config %{_secconfdir}/console.perms +%config(noreplace) %{_secconfdir}/console.handlers +%config(noreplace) %{_secconfdir}/faillock.conf +%config(noreplace) %{_secconfdir}/group.conf +%config(noreplace) %{_secconfdir}/limits.conf +%dir %{_secconfdir}/limits.d +%config(noreplace) %{_secconfdir}/namespace.conf +%dir %{_secconfdir}/namespace.d +%attr(755,root,root) %config(noreplace) %{_secconfdir}/namespace.init +%config(noreplace) %{_secconfdir}/pam_env.conf +%config(noreplace) %{_secconfdir}/pwhistory.conf +%config(noreplace) %{_secconfdir}/time.conf +%config(noreplace) %{_secconfdir}/opasswd +%dir %{_secconfdir}/console.apps +%dir %{_secconfdir}/console.perms.d +%dir /var/run/console +%if %{WITH_SELINUX} +%config(noreplace) %{_secconfdir}/sepermit.conf +%dir /var/run/sepermit +%endif +%dir /var/run/faillock +%dir %{_sysconfdir}/motd.d +%dir /run/motd.d +%dir /usr/lib/motd.d +%{_prefix}/lib/tmpfiles.d/pam.conf +%{_mandir}/man5/* +%{_mandir}/man8/* + +%files devel +%{_includedir}/security +%{_mandir}/man3/* +%{_libdir}/libpam.so +%{_libdir}/libpamc.so +%{_libdir}/libpam_misc.so +%doc doc/mwg/*.txt doc/mwg/html +%doc doc/adg/*.txt doc/adg/html +%doc doc/specs/rfc86.0.txt + +%files docs +%doc doc/txts +%doc doc/sag/*.txt doc/sag/html + +%changelog +* Tue Nov 29 2022 Iker Pedrosa - 1.5.1-14 +- pam_lastlog: check localtime_r() return value. Resolves: #2130124 +- pam_faillock: clarify missing user faillock files after reboot. Resolves: #2126632 +- pam_faillock: avoid logging an erroneous consecutive login failure message. Resolves: #2126648 + +* Wed Sep 28 2022 Iker Pedrosa - 1.5.1-13 +- pam_pwhistory: load configuration from file. Resolves: #2126640 + +* Thu Jun 23 2022 Iker Pedrosa - 1.5.1-12 +- pam_usertype: only use SYS_UID_MAX for system users. Resolves: #2078421 + +* Wed May 25 2022 Iker Pedrosa - 1.5.1-11 +- faillock: load configuration from file. Resolves: #2061698 + +* Tue May 17 2022 Iker Pedrosa - 1.5.1-10 +- pam_keyinit: thread-safe implementation. Resolves: #2061696 + +* Thu Dec 2 2021 Iker Pedrosa - 1.5.1-9 +- pam_limits: "Unlimited" is not a valid value for RLIMIT_NOFILE. Resolves: #1989900 + +* Mon Aug 09 2021 Mohan Boddu - 1.5.1-8 +- Rebuilt for IMA sigs, glibc 2.34, aarch64 flags + Related: rhbz#1991688 + +* Wed Jul 14 2021 Iker Pedrosa - 1.5.1-7 +- Fix issues detected by covscan tool + +* Fri Jul 2 2021 Iker Pedrosa - 1.5.1-6 +- pam_timestamp: openssl hmac authentication. Resolves: #1934975 + +* Mon Apr 19 2021 Iker Pedrosa - 1.5.1-5 +- Disable nis support. Resolves: #1942373 + +* Fri Apr 16 2021 Mohan Boddu - 1.5.1-4 +- Rebuilt for RHEL 9 BETA on Apr 15th 2021. Related: rhbz#1947937 + +* Tue Jan 26 2021 Fedora Release Engineering - 1.5.1-3 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_34_Mass_Rebuild + +* Mon Nov 30 2020 Iker Pedrosa - 1.5.1-2 +- Add BuildRequires: make (#1902520) + +* Thu Nov 26 2020 Iker Pedrosa - 1.5.1-1 +- Rebase to release 1.5.1 +- fix CVE-2020-27780: authentication bypass when the user doesn't exist + and root password is blank (#1901173) + +* Wed Nov 11 2020 Iker Pedrosa - 1.5.0-1 +- Rebase to release 1.5.0 +- Rebase to pam-redhat-1.1.4 +- Remove pam_cracklib, pam_tally and pam_tally2 +- spec file cleanup + +* Fri Nov 6 2020 Iker Pedrosa - 1.4.0-7 +- libpam: fix memory leak in pam_start (#1894630) + +* Mon Oct 19 2020 Iker Pedrosa - 1.4.0-6 +- pam_unix: fix missing initialization of daysleft (#1887077) +- pam_motd: change privilege message prompt to default (#1861640) + +* Wed Oct 14 2020 Iker Pedrosa - 1.4.0-5 +- pam_motd: read motd files with target user credentials skipping unreadable ones (#1861640) +- Clarify upstreamed patches + +* Tue Aug 04 2020 Tom Stellard - 1.4.0-4 +- Add BuildRequires: gcc +- https://docs.fedoraproject.org/en-US/packaging-guidelines/C_and_C++/#_packaging + +* Tue Jul 28 2020 Fedora Release Engineering - 1.4.0-3 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_33_Mass_Rebuild + +* Thu Jul 2 2020 Iker Pedrosa - 1.4.0-2 +- Enable layered configuration with distribution configs in /usr/share/pam.d +- Added new pam-redhat tarball to lookaside cache + +* Wed Jun 24 2020 Iker Pedrosa - 1.4.0-1 +- Rebased to release 1.4.0 +- Rebased to pam-redhat-1.1.3 +- Removed pam_cracklib as it has been deprecated + +* Mon Jun 22 2020 Iker Pedrosa - 1.3.1-28 +- pam_faillock: change /run/faillock/$USER permissions to 0660 (#1661822) + +* Wed Jun 17 2020 Iker Pedrosa - 1.3.1-27 +- pam_unix and pam_usertype: avoid determining if user exists (#1629598) + +* Thu May 14 2020 Iker Pedrosa 1.3.1-26 +- pam_tty_audit: if kernel audit is disabled return PAM_IGNORE (#1775357) +- pam_modutil_sanitize_helper_fds: fix SIGPIPE effect of PAM_MODUTIL_PIPE_FD (#1791970) + +* Thu Apr 23 2020 Iker Pedrosa - 1.3.1-25 +- docs: splitted documentation in subpackage -docs + +* Mon Mar 9 2020 Iker Pedrosa - 1.3.1-24 +- pam_selinux: check unknown object classes or permissions in current policy + +* Tue Feb 4 2020 Pavel Březina - 1.3.1-23 +- Add pam_usertype.so + +* Wed Jan 29 2020 Fedora Release Engineering - 1.3.1-22 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_32_Mass_Rebuild + +* Wed Dec 18 2019 Tomáš Mráz 1.3.1-21 +- pam_faillock: Fix regression in admin_group support + +* Wed Oct 16 2019 Tomáš Mráz 1.3.1-20 +- pam_namespace: Support noexec, nosuid and nodev flags for tmpfs mounts +- Drop tallylog and pam_tally documentation +- pam_faillock: Support local_users_only option +- pam_lastlog: Do not display failed attempts with PAM_SILENT flag +- pam_lastlog: Support unlimited option to override fsize limit +- pam_unix: Log if user authenticated without password +- pam_tty_audit: Improve manual page +- Optimize closing fds when spawning helpers +- Fix duplicate password verification in pam_authtok_verify() + +* Mon Sep 9 2019 Tomáš Mráz 1.3.1-19 +- pam_faillock: Support configuration file /etc/security/faillock.conf + +* Thu Jul 25 2019 Fedora Release Engineering - 1.3.1-18 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_31_Mass_Rebuild + +* Fri Feb 01 2019 Fedora Release Engineering - 1.3.1-17 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_30_Mass_Rebuild + +* Mon Jan 14 2019 Björn Esser - 1.3.1-16 +- Rebuilt for libcrypt.so.2 (#1666033) + +* Thu Dec 20 2018 Tomáš Mráz 1.3.1-15 +- Add the motd.d directories (empty) to silence warnings and to + provide proper ownership for them (#1660935) + +* Tue Dec 4 2018 Tomáš Mráz 1.3.1-14 +- Update Red Hat PAM modules to version 1.0.0 which includes pam_faillock +- Drop also pam_tally2 which was obsoleted and deprecated long time ago + +* Sun Dec 02 2018 Björn Esser - 1.3.1-13 +- Backport upstream commit reporting disabled or invalid hashes to syslog +- Backport upstream commit fixing syslog for disabled or invalid hashes + +* Wed Nov 28 2018 Robert Fairley 1.3.1-12 +- Backport upstream commit pam_motd: Support multiple motd paths specified, with filename overrides (#69) +- Backport upstream commit pam_motd: Fix segmentation fault when no motd_dir specified (#76) + +* Mon Nov 26 2018 Tomáš Mráz 1.3.1-11 +- Completely drop the check of invalid or disabled salt via crypt_checksalt + +* Sun Nov 25 2018 Björn Esser - 1.3.1-10 +- Fix passphraseless sudo with crypt_checksalt (#1653023) + +* Fri Nov 23 2018 Björn Esser - 1.3.1-9 +- Backport upstream commit removing an obsolete prototype +- Backport upstream commit preferring bcrypt_b ($2b$) for blowfish +- Backport upstream commit preferring gensalt with autoentropy +- Backport upstream commit using crypt_checksalt for password aging +- Backport upstream commit adding support for (gost-)yescrypt +- Update the no-MD5-fallback patch for alignment + +* Fri Nov 16 2018 Björn Esser - 1.3.1-8 +- Use %%ldconfig_scriptlets +- Drop Requires(post), not needed anymore +- Prefer %%global over %%define + +* Tue Nov 13 2018 Björn Esser - 1.3.1-7 +- when building against libxcrypt >= 4.3.3-2, we can avoid the explicit + dependency on libxcrypt >= 4.3.3-1 + +* Mon Nov 12 2018 Björn Esser - 1.3.1-6 +- add explicit (Build)Requires for libxcrypt >= 4.3.3-1 + +* Mon Nov 12 2018 Björn Esser - 1.3.1-5 +- rebuilt against libxcrypt-4.3.3 to enable the use of crypt_gensalt_r + +* Mon Sep 10 2018 Tomáš Mráz 1.3.1-4 +- add pam_umask to postlogin PAM configuration file +- fix some issues found by Coverity scan + +* Fri Jul 13 2018 Fedora Release Engineering - 1.3.1-3 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_29_Mass_Rebuild + +* Fri Jun 8 2018 Tomáš Mráz 1.3.1-1 +- use /run instead of /var/run in pamtmp.conf (#1588612) + +* Fri May 18 2018 Tomáš Mráz 1.3.1-1 +- new upstream release 1.3.1 with multiple improvements + +* Thu Feb 08 2018 Fedora Release Engineering - 1.3.0-10 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_28_Mass_Rebuild + +* Tue Jan 30 2018 Tomáš Mráz 1.3.0-9 +- and the NIS support now also requires libnsl2 + +* Sat Jan 20 2018 Björn Esser - 1.3.0-8 +- Rebuilt for switch to libxcrypt + +* Thu Jan 11 2018 Tomáš Mráz 1.3.0-7 +- the NIS support now requires libtirpc + +* Mon Aug 21 2017 Tomáš Mráz 1.3.0-6 +- add admin_group option to pam_faillock (#1285550) + +* Thu Aug 03 2017 Fedora Release Engineering - 1.3.0-5 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Binutils_Mass_Rebuild + +* Thu Jul 27 2017 Fedora Release Engineering - 1.3.0-4 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Mass_Rebuild + +* Thu Apr 20 2017 Tomáš Mráz 1.3.0-3 +- drop superfluous 'Changing password' message from pam_unix (#658289) + +* Sat Feb 11 2017 Fedora Release Engineering - 1.3.0-2 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_26_Mass_Rebuild + +* Fri May 6 2016 Tomáš Mráz 1.3.0-1 +- new upstream release with multiple improvements + +* Mon Apr 11 2016 Tomáš Mráz 1.2.1-8 +- make cracklib-dicts dependency weak (#1323172) + +* Wed Apr 6 2016 Tomáš Mráz 1.2.1-7 +- do not drop PAM_OLDAUTHTOK if mismatched - can be used by further modules + +* Mon Apr 4 2016 Tomáš Mráz 1.2.1-6 +- pam_unix: use pam_get_authtok() and improve prompting + +* Fri Feb 5 2016 Tomáš Mráz 1.2.1-5 +- fix console device name in console.handlers (#1270224) + +* Thu Feb 04 2016 Fedora Release Engineering - 1.2.1-4 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_24_Mass_Rebuild + +* Fri Oct 16 2015 Tomáš Mráz 1.2.1-3 +- pam_faillock: add possibility to set unlock_time to never + +* Wed Aug 12 2015 Tomáš Mráz 1.2.1-2 +- drop the nproc limit setting, it is causing more harm than it solves + +* Fri Jun 26 2015 Tomáš Mráz 1.2.1-1 +- new upstream release fixing security issue with unlimited password length + +* Thu Jun 18 2015 Fedora Release Engineering - 1.2.0-2 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_23_Mass_Rebuild + +* Fri May 15 2015 Tomáš Mráz 1.2.0-1 +- new upstream release with multiple minor improvements + +* Fri Oct 17 2014 Tomáš Mráz 1.1.8-18 +- use USER_MGMT type for auditing in the pam_tally2 and faillock + apps (#1151576) + +* Thu Sep 11 2014 Tomáš Mráz 1.1.8-17 +- update the audit-grantor patch with the upstream changes +- pam_userdb: correct the example in man page (#1078784) +- pam_limits: check whether the utmp login entry is valid (#1080023) +- pam_console_apply: do not print error if console.perms.d is empty +- pam_limits: nofile refers to open file descriptors (#1111220) +- apply PIE and full RELRO to all binaries built + +* Sun Aug 17 2014 Fedora Release Engineering - 1.1.8-16 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_21_22_Mass_Rebuild + +* Wed Aug 13 2014 Tomáš Mráz 1.1.8-15 +- audit the module names that granted access +- pam_faillock: update to latest version + +* Wed Jul 30 2014 Tom Callaway - 1.1.8-14 +- fix license handling + +* Wed Jul 16 2014 Tomáš Mráz 1.1.8-13 +- be tolerant to corrupted opasswd file + +* Fri Jun 06 2014 Fedora Release Engineering - 1.1.8-12 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_21_Mass_Rebuild + +* Thu May 22 2014 Tomáš Mráz 1.1.8-11 +- pam_loginuid: make it return PAM_IGNORE in containers + +* Mon Mar 31 2014 Tomáš Mráz 1.1.8-10 +- fix CVE-2014-2583: potential path traversal issue in pam_timestamp + +* Wed Mar 26 2014 Tomáš Mráz 1.1.8-9 +- pam_pwhistory: call the helper if SELinux enabled + +* Tue Mar 11 2014 Tomáš Mráz 1.1.8-8 +- fix CVE-2013-7041: use case sensitive comparison in pam_userdb + +* Mon Mar 10 2014 Tomáš Mráz 1.1.8-7 +- rename the 90-nproc.conf to 20-nproc.conf (#1071618) +- canonicalize user name in pam_selinux (#1071010) +- refresh the pam-redhat tarball + +* Mon Dec 16 2013 Tomáš Mráz 1.1.8-4 +- raise the default soft nproc limit to 4096 + +* Mon Dec 2 2013 Tomáš Mráz 1.1.8-3 +- updated translations + +* Mon Oct 21 2013 Tomáš Mráz 1.1.8-2 +- update lastlog with pam_lastlog also for su (#1021108) + +* Mon Oct 14 2013 Tomáš Mráz 1.1.8-1 +- new upstream release +- pam_tty_audit: allow the module to work with old kernels + +* Fri Oct 4 2013 Tomáš Mráz 1.1.7-3 +- pam_tty_audit: proper initialization of the tty_audit_status struct + +* Mon Sep 30 2013 Tomáš Mráz 1.1.7-2 +- add "local_users_only" to pam_pwquality in default configuration + +* Fri Sep 13 2013 Tomáš Mráz 1.1.7-1 +- new upstream release + +* Wed Aug 7 2013 Tomáš Mráz 1.1.6-14 +- use links instead of w3m to create txt documentation +- recognize login session in pam_sepermit to prevent gdm from locking (#969174) +- add support for disabling password logging in pam_tty_audit + +* Sat Aug 03 2013 Fedora Release Engineering - 1.1.6-13 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_20_Mass_Rebuild + +* Thu Jul 11 2013 Tomáš Mráz 1.1.6-12 +- add auditing of SELinux policy violation in pam_rootok (#965723) +- add SELinux helper to pam_pwhistory + +* Tue May 7 2013 Tomáš Mráz 1.1.6-11 +- the default isadir is more correct + +* Wed Apr 24 2013 Tomáš Mráz 1.1.6-10 +- pam_unix: do not fail with bad ld.so.preload + +* Fri Mar 22 2013 Tomáš Mráz 1.1.6-9 +- do not fail if btmp file is corrupted (#906852) +- fix strict aliasing warnings in build +- UsrMove +- use authtok_type with pam_pwquality in system-auth +- remove manual_context handling from pam_selinux (#876976) +- other minor specfile cleanups + +* Tue Mar 19 2013 Tomáš Mráz 1.1.6-8 +- check NULL return from crypt() calls (#915316) + +* Thu Mar 14 2013 Tomáš Mráz 1.1.6-7 +- add workaround for low nproc limit for confined root user (#432903) + +* Thu Feb 21 2013 Karsten Hopp 1.1.6-6 +- add support for ppc64p7 arch (Power7 optimized) + +* Thu Feb 14 2013 Fedora Release Engineering - 1.1.6-5 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_19_Mass_Rebuild + +* Tue Jan 22 2013 Tomas Mraz 1.1.6-4 +- fix build with current autotools + +* Mon Oct 15 2012 Tomas Mraz 1.1.6-3 +- add support for tmpfs mount options in pam_namespace + +* Mon Sep 3 2012 Tomas Mraz 1.1.6-2 +- link setuid binaries with full relro (#853158) +- add rhost and tty to auditing data in modules (#677664) + +* Fri Aug 17 2012 Tomas Mraz - 1.1.6-1 +- new upstream release + +* Thu Aug 9 2012 Tomas Mraz - 1.1.5-9 +- make the pam_lastlog module in postlogin 'optional' (#846843) + +* Mon Aug 6 2012 Tomas Mraz - 1.1.5-8 +- fix build failure in pam_unix +- add display of previous bad login attempts to postlogin.pamd +- put the tmpfiles.d config to /usr/lib and rename it to pam.conf +- build against libdb-5 + +* Wed May 9 2012 Tomas Mraz 1.1.5-7 +- add inactive account lock out functionality to pam_lastlog +- fix pam_unix remember user name matching +- add gecoscheck and maxclassrepeat functionality to pam_cracklib +- correctly check for crypt() returning NULL in pam_unix +- pam_unix - do not fallback to MD5 on password change + if requested algorithm not supported by crypt() (#818741) +- install empty directories + +* Wed May 9 2012 Tomas Mraz 1.1.5-6 +- add pam_systemd to session modules + +* Tue Jan 31 2012 Tomas Mraz 1.1.5-5 +- fix pam_namespace leaking the protect mounts to parent namespace (#755216) + +* Fri Jan 13 2012 Fedora Release Engineering - 1.1.5-4 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_17_Mass_Rebuild + +* Wed Dec 21 2011 Tomas Mraz 1.1.5-3 +- add a note to limits.conf (#754285) + +* Thu Nov 24 2011 Tomas Mraz 1.1.5-2 +- use pam_pwquality instead of pam_cracklib + +* Thu Nov 24 2011 Tomas Mraz 1.1.5-1 +- upgrade to new upstream release + +* Thu Aug 25 2011 Tomas Mraz 1.1.4-4 +- fix dereference in pam_env +- fix wrong parse of user@host pattern in pam_access (#732081) + +* Sat Jul 23 2011 Ville Skyttä - 1.1.4-3 +- Rebuild to fix trailing slashes in provided dirs added by rpm 4.9.1. + +* Fri Jul 15 2011 Tomas Mraz 1.1.4-2 +- clear supplementary groups in pam_console handler execution + +* Mon Jun 27 2011 Tomas Mraz 1.1.4-1 +- upgrade to new upstream release + +* Tue Jun 7 2011 Tomas Mraz 1.1.3-10 +- detect the shared / and make the polydir mounts private based on that +- fix memory leak and other small errors in pam_namespace + +* Thu Jun 2 2011 Tomas Mraz 1.1.3-9 +- add support for explicit marking of the polydir mount private (#623522) + +* Tue Feb 08 2011 Fedora Release Engineering - 1.1.3-8 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_15_Mass_Rebuild + +* Wed Dec 22 2010 Tomas Mraz 1.1.3-7 +- add postlogin common PAM configuration file (#665059) + +* Tue Dec 14 2010 Tomas Mraz 1.1.3-6 +- include patches recently submitted and applied to upstream CVS + +* Thu Nov 25 2010 Tomas Mraz 1.1.3-5 +- add config for autocreation of subdirectories in /var/run (#656655) +- automatically enable kernel console in pam_securetty + +* Wed Nov 10 2010 Tomas Mraz 1.1.3-4 +- fix memory leak in pam_faillock + +* Wed Nov 10 2010 Tomas Mraz 1.1.3-3 +- fix segfault in faillock utility +- remove some cases where the information of existence of + an user account could be leaked by the pam_faillock, + document the remaining case + +* Fri Nov 5 2010 Tomas Mraz 1.1.3-2 +- fix a mistake in the abstract X-socket connect +- make pam_faillock work with screensaver + +* Mon Nov 1 2010 Tomas Mraz 1.1.3-1 +- upgrade to new upstream release fixing CVE-2010-3316 CVE-2010-3435 + CVE-2010-3853 +- try to connect to an abstract X-socket first to verify we are + at real console (#647191) + +* Wed Sep 29 2010 jkeating - 1.1.2-2 +- Rebuilt for gcc bug 634757 + +* Mon Sep 20 2010 Tomas Mraz 1.1.2-1 +- add pam_faillock module implementing temporary account lock out based + on authentication failures during a specified interval +- do not build some auxiliary tools that are not installed that require + flex-static to build +- upgrade to new upstream release + +* Thu Jul 15 2010 Tomas Mraz 1.1.1-5 +- do not overwrite tallylog with empty file on upgrade + +* Mon Feb 15 2010 Tomas Mraz 1.1.1-4 +- change the default password hash to sha512 + +* Fri Jan 22 2010 Tomas Mraz 1.1.1-3 +- fix wrong prompt when pam_get_authtok is used for new password + +* Mon Jan 18 2010 Tomas Mraz 1.1.1-2 +- fix build with disabled audit and SELinux (#556211, #556212) + +* Thu Dec 17 2009 Tomas Mraz 1.1.1-1 +- new upstream version with minor changes + +* Mon Nov 2 2009 Tomas Mraz 1.1.0-7 +- pam_console: fix memory corruption when executing handlers (patch by + Stas Sergeev) and a few more fixes in the handler execution code (#532302) + +* Thu Oct 29 2009 Tomas Mraz 1.1.0-6 +- pam_xauth: set the approprate context when creating .xauth files (#531530) + +* Tue Sep 1 2009 Tomas Mraz 1.1.0-5 +- do not change permissions with pam_console_apply +- drop obsolete pam_tally module and the faillog file (#461258) + +* Wed Aug 19 2009 Tomas Mraz 1.1.0-4 +- rebuild with new libaudit + +* Mon Jul 27 2009 Tomas Mraz 1.1.0-3 +- fix for pam_cracklib from upstream + +* Sat Jul 25 2009 Fedora Release Engineering - 1.1.0-2 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_12_Mass_Rebuild + +* Tue Jun 23 2009 Tomas Mraz 1.1.0-1 +- update to new upstream version + +* Wed May 13 2009 Tomas Mraz 1.0.92-1 +- update to new upstream version + +* Fri Apr 10 2009 Tomas Mraz 1.0.91-6 +- add password-auth, fingerprint-auth, and smartcard-auth + for applications which can use them namely gdm (#494874) + patch by Ray Strode + +* Thu Mar 26 2009 Tomas Mraz 1.0.91-5 +- replace also other std descriptors (#491471) + +* Tue Mar 17 2009 Tomas Mraz 1.0.91-3 +- we must replace the stdin when execing the helper (#490644) + +* Mon Mar 16 2009 Tomas Mraz 1.0.91-2 +- do not close stdout/err when execing the helpers (#488147) + +* Mon Mar 9 2009 Tomas Mraz 1.0.91-1 +- upgrade to new upstream release + +* Fri Feb 27 2009 Tomas Mraz 1.0.90-4 +- fix parsing of config files containing non-ASCII characters +- fix CVE-2009-0579 (mininimum days for password change ignored) (#487216) +- pam_access: improve handling of hostname resolution + +* Thu Feb 26 2009 Fedora Release Engineering - 1.0.90-3 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_11_Mass_Rebuild + +* Mon Jan 19 2009 Tomas Mraz 1.0.90-2 +- add helper to pam_mkhomedir for proper SELinux confinement (#476784) + +* Tue Dec 16 2008 Tomas Mraz 1.0.90-1 +- upgrade to new upstream release +- add --disable-prelude (#466242) + +* Tue Sep 23 2008 Tomas Mraz 1.0.2-2 +- new password quality checks in pam_cracklib +- report failed logins from btmp in pam_lastlog +- allow larger groups in modutil functions +- fix leaked file descriptor in pam_tally + +* Mon Sep 8 2008 Tomas Mraz 1.0.2-1 +- pam_loginuid: uids are unsigned (#460241) +- new minor upstream release +- use external db4 +- drop tests for not pulling in libpthread (as NPTL should + be safe) + +* Wed Jul 9 2008 Tomas Mraz 1.0.1-5 +- update internal db4 + +* Wed May 21 2008 Tomas Mraz 1.0.1-4 +- pam_namespace: allow safe creation of directories owned by user (#437116) +- pam_unix: fix multiple error prompts on password change (#443872) + +* Tue May 20 2008 Tomas Mraz 1.0.1-3 +- pam_selinux: add env_params option which will be used by OpenSSH +- fix build with new autoconf + +* Tue Apr 22 2008 Tomas Mraz 1.0.1-2 +- pam_selinux: restore execcon properly (#443667) + +* Fri Apr 18 2008 Tomas Mraz 1.0.1-1 +- upgrade to new upstream release (one bugfix only) +- fix pam_sepermit use in screensavers + +* Mon Apr 7 2008 Tomas Mraz 1.0.0-2 +- fix regression in pam_set_item + +* Fri Apr 4 2008 Tomas Mraz 1.0.0-1 +- upgrade to new upstream release (bugfix only) + +* Thu Mar 20 2008 Tomas Mraz 0.99.10.0-4 +- pam_namespace: fix problem with level polyinst (#438264) +- pam_namespace: improve override checking for umount +- pam_selinux: fix syslogging a context after free() (#438338) + +* Thu Feb 28 2008 Tomas Mraz 0.99.10.0-3 +- update pam-redhat module tarball +- update internal db4 + +* Fri Feb 22 2008 Tomas Mraz 0.99.10.0-2 +- if shadow is readable for an user do not prevent him from + authenticating any user with unix_chkpwd (#433459) +- call audit from unix_chkpwd when appropriate + +* Fri Feb 15 2008 Tomas Mraz 0.99.10.0-1 +- new upstream release +- add default soft limit for nproc of 1024 to prevent + accidental fork bombs (#432903) + +* Mon Feb 4 2008 Tomas Mraz 0.99.8.1-18 +- allow the package to build without SELinux and audit support (#431415) +- macro usage cleanup + +* Mon Jan 28 2008 Tomas Mraz 0.99.8.1-17 +- test for setkeycreatecon correctly +- add exclusive login mode of operation to pam_selinux_permit (original + patch by Dan Walsh) + +* Tue Jan 22 2008 Tomas Mraz 0.99.8.1-16 +- add auditing to pam_access, pam_limits, and pam_time +- moved sanity testing code to check script + +* Mon Jan 14 2008 Tomas Mraz 0.99.8.1-15 +- merge review fixes (#226228) + +* Tue Jan 8 2008 Tomas Mraz 0.99.8.1-14 +- support for sha256 and sha512 password hashes +- account expiry checks moved to unix_chkpwd helper + +* Wed Jan 2 2008 Tomas Mraz 0.99.8.1-13 +- wildcard match support in pam_tty_audit (by Miloslav Trmač) + +* Thu Nov 29 2007 Tomas Mraz 0.99.8.1-12 +- add pam_tty_audit module (#244352) - written by Miloslav Trmač + +* Wed Nov 7 2007 Tomas Mraz 0.99.8.1-11 +- add substack support + +* Tue Sep 25 2007 Tomas Mraz 0.99.8.1-10 +- update db4 to 4.6.19 (#274661) + +* Fri Sep 21 2007 Tomas Mraz 0.99.8.1-9 +- do not preserve contexts when copying skel and other namespace.init + fixes (#298941) +- do not free memory sent to putenv (#231698) + +* Wed Sep 19 2007 Tomas Mraz 0.99.8.1-8 +- add pam_selinux_permit module +- pam_succeed_if: fix in operator (#295151) + +* Tue Sep 18 2007 Tomas Mraz 0.99.8.1-7 +- when SELinux enabled always run the helper binary instead of + direct shadow access (#293181) + +* Fri Aug 24 2007 Tomas Mraz 0.99.8.1-6 +- do not ask for blank password when SELinux confined (#254044) +- initialize homedirs in namespace init script (original patch by dwalsh) + +* Wed Aug 22 2007 Tomas Mraz 0.99.8.1-5 +- most devices are now handled by HAL and not pam_console (patch by davidz) +- license tag fix +- multifunction scanner device support (#251468) + +* Mon Aug 13 2007 Tomas Mraz 0.99.8.1-4 +- fix auth regression when uid != 0 from previous build (#251804) + +* Mon Aug 6 2007 Tomas Mraz 0.99.8.1-3 +- updated db4 to 4.6.18 (#249740) +- added user and new instance parameters to namespace init +- document the new features of pam_namespace +- do not log an audit error when uid != 0 (#249870) + +* Wed Jul 25 2007 Jeremy Katz - 0.99.8.1-2 +- rebuild for toolchain bug + +* Mon Jul 23 2007 Tomas Mraz 0.99.8.1-1 +- upgrade to latest upstream version +- add some firewire devices to default console perms (#240770) + +* Thu Apr 26 2007 Tomas Mraz 0.99.7.1-6 +- pam_namespace: better document behavior on failure (#237249) +- pam_unix: split out passwd change to a new helper binary (#236316) +- pam_namespace: add support for temporary logons (#241226) + +* Fri Apr 13 2007 Tomas Mraz 0.99.7.1-5 +- pam_selinux: improve context change auditing (#234781) +- pam_namespace: fix parsing config file with unknown users (#234513) + +* Fri Mar 23 2007 Tomas Mraz 0.99.7.1-4 +- pam_console: always decrement use count (#230823) +- pam_namespace: use raw context for poly dir name (#227345) +- pam_namespace: truncate long poly dir name (append hash) (#230120) +- we don't patch any po files anymore + +* Wed Feb 21 2007 Tomas Mraz 0.99.7.1-3 +- correctly relabel tty in the default case (#229542) +- pam_unix: cleanup of bigcrypt support +- pam_unix: allow modification of '*' passwords to root + +* Tue Feb 6 2007 Tomas Mraz 0.99.7.1-2 +- more X displays as consoles (#227462) + +* Wed Jan 24 2007 Tomas Mraz 0.99.7.1-1 +- upgrade to new upstream version resolving CVE-2007-0003 +- pam_namespace: unmount poly dir for override users + +* Mon Jan 22 2007 Tomas Mraz 0.99.7.0-2 +- add back min salt length requirement which was erroneously removed + upstream (CVE-2007-0003) + +* Fri Jan 19 2007 Tomas Mraz 0.99.7.0-1 +- upgrade to new upstream version +- drop pam_stack module as it is obsolete +- some changes to silence rpmlint + +* Tue Jan 16 2007 Tomas Mraz 0.99.6.2-8 +- properly include /var/log/faillog and tallylog as ghosts + and create them in post script (#209646) +- update gmo files as we patch some po files (#218271) +- add use_current_range option to pam_selinux (#220487) +- improve the role selection in pam_selinux +- remove shortcut on Password: in ja locale (#218271) +- revert to old euid and not ruid when setting euid in pam_keyinit (#219486) +- rename selinux-namespace patch to namespace-level + +* Fri Dec 1 2006 Dan Walsh 0.99.6.2-7 +- fix selection of role + +* Fri Dec 1 2006 Dan Walsh 0.99.6.2-6 +- add possibility to pam_namespace to only change MLS component +- Resolves: Bug #216184 + +* Thu Nov 30 2006 Tomas Mraz 0.99.6.2-5 +- add select-context option to pam_selinux (#213812) +- autoreconf won't work with autoconf-2.61 as configure.in is not yet adjusted + for it + +* Mon Nov 13 2006 Tomas Mraz 0.99.6.2-4 +- update internal db4 to 4.5.20 version +- move setgid before setuid in pam_keyinit (#212329) +- make username check in pam_unix consistent with useradd (#212153) + +* Tue Oct 24 2006 Tomas Mraz 0.99.6.2-3.3 +- don't overflow a buffer in pam_namespace (#211989) + +* Mon Oct 16 2006 Tomas Mraz 0.99.6.2-3.2 +- /var/log/faillog and tallylog must be config(noreplace) + +* Fri Oct 13 2006 Tomas Mraz 0.99.6.2-3.1 +- preserve effective uid in namespace.init script (LSPP for newrole) +- include /var/log/faillog and tallylog to filelist (#209646) +- add ids to .xml docs so the generated html is always the same (#210569) + +* Thu Sep 28 2006 Tomas Mraz 0.99.6.2-3 +- add pam_namespace option no_unmount_on_close, required for newrole + +* Mon Sep 4 2006 Tomas Mraz 0.99.6.2-2 +- silence pam_succeed_if in default system-auth (#205067) +- round the pam_timestamp_check sleep up to wake up at the start of the + wallclock second (#205068) + +* Thu Aug 31 2006 Tomas Mraz 0.99.6.2-1 +- upgrade to new upstream version, as there are mostly bugfixes except + improved documentation +- add support for session and password service for pam_access and + pam_succeed_if +- system-auth: skip session pam_unix for crond service + +* Thu Aug 10 2006 Dan Walsh 0.99.5.0-8 +- Add new setkeycreatecon call to pam_selinux to make sure keyring has correct context + +* Thu Aug 10 2006 Tomas Mraz 0.99.5.0-7 +- revoke keyrings properly when pam_keyinit called as root (#201048) +- pam_succeed_if should return PAM_USER_UNKNOWN when getpwnam fails (#197748) + +* Wed Aug 2 2006 Tomas Mraz 0.99.5.0-6 +- revoke keyrings properly when pam_keyinit called more than once (#201048) + patch by David Howells + +* Fri Jul 21 2006 Tomas Mraz 0.99.5.0-5 +- don't log pam_keyinit debug messages by default (#199783) + +* Fri Jul 21 2006 Tomas Mraz 0.99.5.0-4 +- drop ainit from console.handlers (#199561) + +* Mon Jul 17 2006 Tomas Mraz 0.99.5.0-3 +- don't report error in pam_selinux for nonexistent tty (#188722) +- add pam_keyinit to the default system-auth file (#198623) + +* Wed Jul 12 2006 Jesse Keating - 0.99.5.0-2.1 +- rebuild + +* Mon Jul 3 2006 Tomas Mraz 0.99.5.0-2 +- fixed network match in pam_access (patch by Dan Yefimov) + +* Fri Jun 30 2006 Tomas Mraz 0.99.5.0-1 +- updated to a new upstream release +- added service as value to be matched and list matching to + pam_succeed_if +- namespace.init was missing from EXTRA_DIST + +* Thu Jun 8 2006 Tomas Mraz 0.99.4.0-5 +- updated pam_namespace with latest patch by Janak Desai +- merged pam_namespace patches +- added buildrequires libtool +- fixed a few rpmlint warnings + +* Wed May 24 2006 Tomas Mraz 0.99.4.0-4 +- actually don't link to libssl as it is not used (#191915) + +* Wed May 17 2006 Tomas Mraz 0.99.4.0-3 +- use md5 implementation from pam_unix in pam_namespace +- pam_namespace should call setexeccon only when selinux is enabled + +* Tue May 16 2006 Tomas Mraz 0.99.4.0-2 +- pam_console_apply shouldn't access /var when called with -r (#191401) +- actually apply the large-uid patch +- don't build hmactest in pam_timestamp so openssl-devel is not required +- add missing buildrequires (#191915) + +* Wed May 10 2006 Tomas Mraz 0.99.4.0-1 +- upgrade to new upstream version +- make pam_console_apply not dependent on glib +- support large uids in pam_tally, pam_tally2 + +* Thu May 4 2006 Tomas Mraz 0.99.3.0-5 +- the namespace instance init script is now in /etc/security (#190148) +- pam_namespace: added missing braces (#190026) +- pam_tally(2): never call fclose twice on the same FILE (from upstream) + +* Wed Apr 26 2006 Tomas Mraz 0.99.3.0-4 +- fixed console device class for irda (#189966) +- make pam_console_apply fail gracefully when a class is missing + +* Tue Apr 25 2006 Tomas Mraz 0.99.3.0-3 +- added pam_namespace module written by Janak Desai (per-user /tmp +support) +- new pam-redhat modules version + +* Fri Feb 24 2006 Tomas Mraz 0.99.3.0-2 +- added try_first_pass option to pam_cracklib +- use try_first_pass for pam_unix and pam_cracklib in + system-auth (#182350) + +* Fri Feb 10 2006 Jesse Keating - 0.99.3.0-1.2 +- bump again for double-long bug on ppc(64) + +* Tue Feb 07 2006 Jesse Keating - 0.99.3.0-1.1 +- rebuilt for new gcc4.1 snapshot and glibc changes + +* Fri Feb 3 2006 Tomas Mraz 0.99.3.0-1 +- new upstream version +- updated db4 to 4.3.29 +- added module pam_tally2 with auditing support +- added manual pages for system-auth and config-util (#179584) + +* Tue Jan 3 2006 Tomas Mraz 0.99.2.1-3 +- remove 'initscripts' dependency (#176508) +- update pam-redhat modules, merged patches + +* Fri Dec 16 2005 Tomas Mraz 0.99.2.1-2 +- fix dangling symlinks in -devel (#175929) +- link libaudit only where necessary +- actually compile in audit support + +* Thu Dec 15 2005 Tomas Mraz 0.99.2.1-1 +- support netgroup matching in pam_succeed_if +- upgrade to new release +- drop pam_pwdb as it was obsolete long ago +- we don't build static libraries anymore + +* Fri Dec 09 2005 Jesse Keating +- rebuilt + +* Tue Nov 15 2005 Tomas Mraz 0.80-14 +- pam_stack is deprecated - log its usage + +* Wed Oct 26 2005 Tomas Mraz 0.80-13 +- fixed CAN-2005-2977 unix_chkpwd should skip user verification only if + run as root (#168181) +- link pam_loginuid to libaudit +- support no tty in pam_access (#170467) +- updated audit patch (by Steve Grubb) +- the previous pam_selinux change was not applied properly +- pam_xauth: look for the xauth binary in multiple directories (#171164) + +* Wed Oct 26 2005 Dan Walsh 0.80-12 +- Eliminate multiple in pam_selinux + +* Fri Oct 14 2005 Dan Walsh 0.80-11 +- Eliminate fail over for getseuserbyname call + +* Thu Oct 13 2005 Dan Walsh 0.80-10 +- Add getseuserbyname call for SELinux MCS/MLS policy + +* Tue Oct 4 2005 Tomas Mraz +- pam_console manpage fixes (#169373) + +* Fri Sep 30 2005 Tomas Mraz 0.80-9 +- don't include ps and pdf docs (#168823) +- new common config file for configuration utilities +- remove glib2 dependency (#166979) + +* Tue Sep 20 2005 Tomas Mraz 0.80-8 +- process limit values other than RLIMIT_NICE correctly (#168790) +- pam_unix: always honor nis flag on password change (by Aaron Hope) + +* Wed Aug 24 2005 Tomas Mraz 0.80-7 +- don't fail in audit code when audit is not compiled in + on the newest kernels (#166422) + +* Mon Aug 01 2005 Tomas Mraz 0.80-6 +- add option to pam_loginuid to require auditd + +* Fri Jul 29 2005 Tomas Mraz 0.80-5 +- fix NULL dereference in pam_userdb (#164418) + +* Tue Jul 26 2005 Tomas Mraz 0.80-4 +- fix 64bit bug in pam_pwdb +- don't crash in pam_unix if pam_get_data fail + +* Fri Jul 22 2005 Tomas Mraz 0.80-3 +- more pam_selinux permissive fixes (Dan Walsh) +- make binaries PIE (#158938) + +* Mon Jul 18 2005 Tomas Mraz 0.80-2 +- fixed module tests so the pam doesn't require itself to build (#163502) +- added buildprereq for building the documentation (#163503) +- relaxed permissions of binaries (u+w) + +* Thu Jul 14 2005 Tomas Mraz 0.80-1 +- upgrade to new upstream sources +- removed obsolete patches +- pam_selinux module shouldn't fail on broken configs unless + policy is set to enforcing (Dan Walsh) + +* Tue Jun 21 2005 Tomas Mraz 0.79-11 +- update pam audit patch +- add support for new limits in kernel-2.6.12 (#157050) + +* Thu Jun 9 2005 Tomas Mraz 0.79-10 +- add the Requires dependency on audit-libs (#159885) +- pam_loginuid shouldn't report error when /proc/self/loginuid + is missing (#159974) + +* Fri May 20 2005 Tomas Mraz 0.79-9 +- update the pam audit patch to support newest audit library, + audit also pam_setcred calls (Steve Grubb) +- don't use the audit_fd as global static variable +- don't unset the XAUTHORITY when target user is root + +* Mon May 2 2005 Tomas Mraz 0.79-8 +- pam_console: support loading .perms files in the console.perms.d (#156069) + +* Tue Apr 26 2005 Tomas Mraz 0.79-7 +- pam_xauth: unset the XAUTHORITY variable on error, fix + potential memory leaks +- modify path to IDE floppy devices in console.perms (#155560) + +* Sat Apr 16 2005 Steve Grubb 0.79-6 +- Adjusted pam audit patch to make exception for ECONNREFUSED + +* Tue Apr 12 2005 Tomas Mraz 0.79-5 +- added auditing patch by Steve Grubb +- added cleanup patches for bugs found by Steve Grubb +- don't clear the shadow option of pam_unix if nis option used + +* Fri Apr 8 2005 Tomas Mraz 0.79-4 +- #150537 - flush input first then write the prompt + +* Thu Apr 7 2005 Tomas Mraz 0.79-3 +- make pam_unix LSB 2.0 compliant even when SELinux enabled +- #88127 - change both local and NIS passwords to keep them in sync, + also fix a regression in passwd functionality on NIS master server + +* Tue Apr 5 2005 Tomas Mraz +- #153711 fix wrong logging in pam_selinux when restoring tty label + +* Sun Apr 3 2005 Tomas Mraz 0.79-2 +- fix NULL deref in pam_tally when it's used in account phase + +* Thu Mar 31 2005 Tomas Mraz 0.79-1 +- upgrade to the new upstream release +- moved pam_loginuid to pam-redhat repository + +* Wed Mar 23 2005 Tomas Mraz 0.78-9 +- fix wrong logging in pam_console handlers +- add executing ainit handler for alsa sound dmix +- #147879, #112777 - change permissions for dri devices + +* Fri Mar 18 2005 Tomas Mraz 0.78-8 +- remove ownership and permissions handling from pam_console call + pam_console_apply as a handler instead + +* Mon Mar 14 2005 Tomas Mraz 0.78-7 +- add pam_loginuid module for setting the the login uid for auditing purposes + (by Steve Grubb) + +* Thu Mar 10 2005 Tomas Mraz 0.78-6 +- add functionality for running handler executables from pam_console + when console lock was obtained/lost +- removed patches merged to pam-redhat + +* Tue Mar 1 2005 Tomas Mraz 0.78-5 +- echo why tests failed when rebuilding +- fixed some warnings and errors in pam_console for gcc4 build +- improved parsing pam_console config file + +* Mon Feb 21 2005 Tomas Mraz +- don't log garbage in pam_console_apply (#147879) + +* Tue Jan 18 2005 Tomas Mraz +- don't require exact db4 version only conflict with incompatible one + +* Wed Jan 12 2005 Tomas Mraz 0.78-4 +- updated pam-redhat from elvis CVS +- removed obsolete patches + +* Mon Jan 3 2005 Jeff Johnson 0.78-3 +- depend on db-4.3.27, not db-4.3.21. + +* Thu Nov 25 2004 Tomas Mraz 0.78-2 +- add argument to pam_console_apply to restrict its work to specified files + +* Tue Nov 23 2004 Tomas Mraz 0.78-1 +- update to Linux-PAM-0.78 +- #140451 parse passwd entries correctly and test for failure +- #137802 allow using pam_console for authentication + +* Fri Nov 12 2004 Jeff Johnson 0.77-67 +- rebuild against db-4.3.21. + +* Thu Nov 11 2004 Tomas Mraz 0.77-66 +- #77646 log failures when renaming the files when changing password +- Log failure on missing /etc/security/opasswd when remember option is present + +* Wed Nov 10 2004 Tomas Mraz +- #87628 pam_timestamp remembers authorization after logout +- #116956 fixed memory leaks in pam_stack + +* Wed Oct 20 2004 Tomas Mraz 0.77-65 +- #74062 modify the pwd-lock patch to remove NIS passwd changing deadlock + +* Wed Oct 20 2004 Tomas Mraz 0.77-64 +- #134941 pam_console should check X11 socket only on login + +* Tue Oct 19 2004 Tomas Mraz 0.77-63 +- Fix checking of group %%group syntax in pam_limits +- Drop fencepost patch as it was already fixed + by upstream change from 0.75 to 0.77 +- Fix brokenshadow patch + +* Mon Oct 11 2004 Tomas Mraz 0.77-62 +- Added bluetooth, raw1394 and flash to console.perms +- pam_console manpage fix + +* Mon Oct 11 2004 Tomas Mraz 0.77-61 +- #129328 pam_env shouldn't abort on missing /etc/environment +- #126985 pam_stack should always copy the conversation function +- #127524 add /etc/security/opasswd to files + +* Tue Sep 28 2004 Phil Knirsch 0.77-60 +- Drop last patch again, fixed now correctly elsewhere + +* Thu Sep 23 2004 Phil Knirsch 0.77-59 +- Fixed bug in pam_env where wrong initializer was used + +* Fri Sep 17 2004 Dan Walsh 0.77-58 +- rebuild selinux patch using checkPasswdAccess + +* Mon Sep 13 2004 Jindrich Novy +- rebuilt + +* Mon Sep 13 2004 Tomas Mraz 0.77-56 +- #75454 fixed locking when changing password +- #127054 +- #125653 removed unnecessary getgrouplist call +- #124979 added quiet option to pam_succeed_if + +* Mon Aug 30 2004 Warren Togami 0.77-55 +- #126024 /dev/pmu console perms + +* Wed Aug 4 2004 Dan Walsh 0.77-54 +- Move pam_console.lock to /var/run/console/ + +* Thu Jul 29 2004 Dan Walsh 0.77-53 +- Close fd[1] before pam_modutilread so that unix_verify will complete + +* Tue Jul 27 2004 Alan Cox 0.77-52 +- First chunk of Steve Grubb's resource leak and other fixes + +* Tue Jul 27 2004 Alan Cox 0.77-51 +- Fixed build testing of modules +- Fixed dependancies + +* Tue Jul 20 2004 Dan Walsh 0.77-50 +- Change unix_chkpwd to return pam error codes + +* Sat Jul 10 2004 Alan Cox +- Fixed the pam glib2 dependancy issue + +* Mon Jun 21 2004 Alan Cox +- Fixed the pam_limits fencepost error (#79989) since nobody seems to + be doing it + +* Tue Jun 15 2004 Elliot Lee +- rebuilt + +* Wed Jun 9 2004 Dan Walsh 0.77-45 +- Add requires libselinux > 1.8 + +* Thu Jun 3 2004 Dan Walsh 0.77-44 +- Add MLS Support to selinux patch + +* Wed Jun 2 2004 Dan Walsh 0.77-43 +- Modify pam_selinux to use open and close param + +* Fri May 28 2004 Dan Walsh 0.77-42 +- Split pam module into two parts open and close + +* Tue May 18 2004 Phil Knirsch 0.77-41 +- Fixed 64bit segfault in pam_succeed_if module. + +* Wed Apr 14 2004 Dan Walsh 0.77-40 +- Apply changes from audit. + +* Mon Apr 12 2004 Dan Walsh 0.77-39 +- Change to only report failure on relabel if debug + +* Wed Mar 3 2004 Dan Walsh 0.77-38 +- Fix error handling of pam_unix + +* Tue Mar 02 2004 Elliot Lee +- rebuilt + +* Thu Feb 26 2004 Dan Walsh 0.77-36 +- fix tty handling + +* Thu Feb 26 2004 Dan Walsh 0.77-35 +- remove tty closing and opening from pam_selinux, it does not work. + +* Fri Feb 13 2004 Elliot Lee +- rebuilt + +* Thu Feb 12 2004 Nalin Dahyabhai +- pam_unix: also log successful password changes when using shadowed passwords + +* Tue Feb 10 2004 Dan Walsh 0.77-33 +- close and reopen terminal after changing context. + +* Thu Feb 5 2004 Dan Walsh 0.77-32 +- Check for valid tty + +* Tue Feb 3 2004 Dan Walsh 0.77-31 +- Check for multiple > 1 + +* Mon Feb 2 2004 Dan Walsh 0.77-30 +- fix is_selinux_enabled call for pam_rootok + +* Wed Jan 28 2004 Dan Walsh 0.77-29 +- More fixes to pam_selinux,pam_rootok + +* Wed Jan 28 2004 Dan Walsh 0.77-28 +- turn on selinux + +* Wed Jan 28 2004 Dan Walsh 0.77-27 +- Fix rootok check. + +* Mon Jan 26 2004 Dan Walsh 0.77-26 +- fix is_selinux_enabled call + +* Sun Jan 25 2004 Dan Walsh 0.77-25 +- Check if ROOTOK for SELinux + +* Thu Jan 15 2004 Dan Walsh 0.77-24 +- Fix tty handling for pts in pam_selinux + +* Thu Jan 15 2004 Dan Walsh 0.77-23 +- Need to add qualifier context for sudo situation + +* Thu Jan 15 2004 Dan Walsh 0.77-22 +- Fix pam_selinux to use prevcon instead of pam_user so it will work for su. + +* Fri Dec 12 2003 Bill Nottingham 0.77-21.sel +- add alsa devs to console.perms + +* Thu Dec 11 2003 Jeff Johnson 0.77-20.sel +- rebuild with db-4.2.52. +- build db4 in build_unix, not dist. + +* Wed Nov 26 2003 Dan Walsh 0.77-19.sel +- Change unix_chkpwd to handle unix_passwd and unix_acct +- This eliminates the need for pam modules to have read/write access to /etc/shadow. + +* Thu Nov 20 2003 Dan Walsh 0.77-18.sel +- Cleanup unix_chkpwd + +* Mon Nov 03 2003 Dan Walsh 0.77-17.sel +- Fix tty handling +- Add back multiple handling + +* Mon Oct 27 2003 Dan Walsh 0.77-16.sel +- Remove Multiple from man page of pam_selinux + +* Thu Oct 23 2003 Nalin Dahyabhai 0.77-15 +- don't install _pam_aconf.h -- apps don't use it, other PAM headers which + are installed don't use it, and its contents may be different for arches + on a multilib system +- check for linkage problems in modules at %%install-time (kill #107093 dead) +- add buildprereq on flex (#101563) + +* Wed Oct 22 2003 Nalin Dahyabhai +- make pam_pwdb.so link with libnsl again so that it loads (#107093) +- remove now-bogus buildprereq on db4-devel (we use a bundled copy for + pam_userdb to avoid symbol collisions with other db libraries in apps) + +* Mon Oct 20 2003 Dan Walsh 0.77-14.sel +- Add Russell Coker patch to handle /dev/pty + +* Fri Oct 17 2003 Dan Walsh 0.77-13.sel +- Turn on Selinux + +* Fri Oct 17 2003 Dan Walsh 0.77-12 +- Fix pam_timestamp to work when 0 seconds have elapsed + +* Mon Oct 6 2003 Dan Walsh 0.77-11 +- Turn off selinux + +* Thu Sep 25 2003 Dan Walsh 0.77-10.sel +- Turn on Selinux and remove multiple choice of context. + +* Wed Sep 24 2003 Dan Walsh 0.77-10 +- Turn off selinux + +* Wed Sep 24 2003 Dan Walsh 0.77-9.sel +- Add Russell's patch to check password + +* Wed Sep 17 2003 Dan Walsh 0.77-8.sel +- handle ttys correctly in pam_selinux + +* Fri Sep 05 2003 Dan Walsh 0.77-7.sel +- Clean up memory problems and fix tty handling. + +* Mon Jul 28 2003 Dan Walsh 0.77-6 +- Add manual context selection to pam_selinux + +* Mon Jul 28 2003 Dan Walsh 0.77-5 +- Add pam_selinux + +* Mon Jul 28 2003 Dan Walsh 0.77-4 +- Add SELinux support + +* Thu Jul 24 2003 Nalin Dahyabhai 0.77-3 +- pam_postgresok: add +- pam_xauth: add "targetuser" argument + +* Tue Jul 22 2003 Nalin Dahyabhai +- pam_succeed_if: fix thinko in argument parsing which would walk past the + end of the argument list + +* Wed Jul 9 2003 Nalin Dahyabhai 0.77-2 +- reapply: + - set handler for SIGCHLD to SIG_DFL around *_chkpwd, not SIG_IGN + +* Mon Jul 7 2003 Nalin Dahyabhai 0.77-1 +- pam_timestamp: fail if the key file doesn't contain enough data + +* Thu Jul 3 2003 Nalin Dahyabhai 0.77-0 +- update to 0.77 upstream release + - pam_limits: limits now affect root as well + - pam_nologin: returns PAM_IGNORE instead of PAM_SUCCESS unless "successok" + is given as an argument + - pam_userdb: correctly return PAM_AUTH_ERR instead of PAM_USER_UNKNOWN when + invoked with the "key_only" argument and the database has an entry of the + form "user-" +- use a bundled libdb for pam_userdb.so because the system copy uses threads, + and demand-loading a shared library which uses threads into an application + which doesn't is a Very Bad Idea + +* Thu Jul 3 2003 Nalin Dahyabhai +- pam_timestamp: use a message authentication code to validate timestamp files + +* Mon Jun 30 2003 Nalin Dahyabhai 0.75-48.1 +- rebuild + +* Mon Jun 9 2003 Nalin Dahyabhai 0.75-49 +- modify calls to getlogin() to check the directory of the current TTY before + searching for an entry in the utmp/utmpx file (#98020, #98826, CAN-2003-0388) + +* Wed Jun 04 2003 Elliot Lee +- rebuilt + +* Mon Feb 10 2003 Bill Nottingham 0.75-48 +- set handler for SIGCHLD to SIG_DFL around *_chkpwd, not SIG_IGN + +* Wed Jan 22 2003 Tim Powers 0.75-47 +- rebuilt + +* Tue Dec 17 2002 Nalin Dahyabhai 0.75-46 +- pam_xauth: reintroduce ACL support, per the original white paper +- pam_xauth: default root's export ACL to none instead of everyone + +* Mon Dec 2 2002 Nalin Dahyabhai 0.75-45 +- create /lib/security, even if it isn't /%%{_lib}/security, because we + can't locate /lib/security/$ISA without it (noted by Arnd Bergmann) +- clear out the duplicate docs directory created during %%install + +* Thu Nov 21 2002 Nalin Dahyabhai 0.75-44 +- fix syntax errors in pam_console's yacc parser which newer bison chokes on +- forcibly set FAKEROOT at make install time + +* Tue Oct 22 2002 Nalin Dahyabhai 0.75-43 +- patch to interpret $ISA in case the fist module load attempt fails +- use $ISA in default configs + +* Fri Oct 04 2002 Elliot Lee 0.75-42 +- Since cracklib-dicts location will not be correctly detected without + that package being installed, add buildreq for cracklib-dicts. +- Add patch57: makes configure use $LIBNAME when searching for cracklib + dicts, and error out if not found. + +* Thu Sep 12 2002 Than Ngo 0.75-41.1 +- Fixed pam config files + +* Wed Sep 11 2002 Than Ngo 0.75-41 +- Added fix to install libs in correct directory on 64bit machine + +* Fri Aug 2 2002 Nalin Dahyabhai 0.75-40 +- pam_timestamp_check: check that stdio descriptors are open before we're + invoked +- add missing chroot.conf + +* Mon Jul 29 2002 Nalin Dahyabhai 0.75-39 +- pam_timestamp: sundry fixes, use "unknown" as the tty when none is found + +* Thu Jun 27 2002 Nalin Dahyabhai 0.75-38 +- pam_timestamp_check: be as smart about figuring out the tty as the module is + +* Wed Jun 19 2002 Nalin Dahyabhai 0.75-37 +- pam_timestamp_check: remove extra unlink() call spotted by Havoc + +* Mon Jun 17 2002 Nalin Dahyabhai 0.75-36 +- pam_timestamp: chown intermediate directories when creating them +- pam_timestamp_check: add -d flag to poll + +* Thu May 23 2002 Nalin Dahyabhai 0.75-35 +- pam_timestamp: add some sanity checks +- pam_timestamp_check: add + +* Wed May 22 2002 Nalin Dahyabhai 0.75-34 +- pam_timestamp: add a 'verbose' option + +* Thu May 16 2002 Nalin Dahyabhai 0.75-33 +- rebuild with db4 +- just bundle install-sh into the source package + +* Tue Apr 9 2002 Nalin Dahyabhai 0.75-32 +- pam_unix: be more compatible with AIX-style shadowing (#19236) + +* Thu Mar 28 2002 Nalin Dahyabhai 0.75-31 +- libpam_misc: fix possible infinite loop in misc_conv (#62195) +- pam_xauth: fix cases where DISPLAY is "localhost:screen" and the xauth + key is actually stored using the system's hostname (#61524) + +* Mon Mar 25 2002 Nalin Dahyabhai 0.75-30 +- rebuild + +* Mon Mar 25 2002 Nalin Dahyabhai 0.75-29 +- rebuild + +* Mon Mar 11 2002 Nalin Dahyabhai 0.75-28 +- include the pwdb config file + +* Fri Mar 1 2002 Nalin Dahyabhai 0.75-27 +- adjust the pwdb-static patch to build pam_radius correctly (#59408) + +* Fri Mar 1 2002 Nalin Dahyabhai 0.75-26 +- change the db4-devel build dependency to db3-devel + +* Thu Feb 21 2002 Nalin Dahyabhai 0.75-25 +- rebuild + +* Fri Feb 8 2002 Nalin Dahyabhai 0.75-24 +- pam_unix: log successful password changes +- remove pam_timestamp + +* Thu Feb 7 2002 Nalin Dahyabhai 0.75-23 +- fix pwdb embedding +- add pam_timestamp + +* Thu Jan 31 2002 Nalin Dahyabhai 0.75-22 +- swallow up pwdb 0.61.1 for building pam_pwdb + +* Wed Jan 23 2002 Nalin Dahyabhai 0.75-21 +- pam_userdb: build with db4 instead of db3 + +* Thu Nov 22 2001 Nalin Dahyabhai 0.75-20 +- pam_stack: fix some memory leaks (reported by Fernando Trias) +- pam_chroot: integrate Owl patch to report the more common causes of failures + +* Fri Nov 9 2001 Nalin Dahyabhai 0.75-19 +- fix a bug in the getpwnam_r wrapper which sometimes resulted in false + positives for non-existent users + +* Wed Nov 7 2001 Nalin Dahyabhai 0.75-18 +- include libpamc in the pam package (#55651) + +* Fri Nov 2 2001 Nalin Dahyabhai 0.75-17 +- pam_xauth: don't free a string after passing it to putenv() + +* Wed Oct 24 2001 Nalin Dahyabhai 0.75-16 +- pam_xauth: always return PAM_SUCCESS or PAM_SESSION_ERR instead of PAM_IGNORE, + matching the previous behavior (libpam treats PAM_IGNORE from a single module + in a stack as a session error, leading to false error messages if we just + return PAM_IGNORE for all cases) + +* Mon Oct 22 2001 Nalin Dahyabhai 0.75-15 +- reorder patches so that the reentrancy patch is applied last -- we never + came to a consensus on how to guard against the bugs in calling applications + which this sort of change addresses, and having them last allows for dropping + in a better strategy for addressing this later on + +* Mon Oct 15 2001 Nalin Dahyabhai +- pam_rhosts: allow "+hostname" as a synonym for "hostname" to jive better + with the hosts.equiv(5) man page +- use the automake install-sh instead of the autoconf install-sh, which + disappeared somewhere between 2.50 and now + +* Mon Oct 8 2001 Nalin Dahyabhai +- add pwdb as a buildprereq + +* Fri Oct 5 2001 Nalin Dahyabhai +- pam_tally: don't try to read past the end of faillog -- it probably contains + garbage, which if written into the file later on will confuse /usr/bin/faillog + +* Thu Oct 4 2001 Nalin Dahyabhai +- pam_limits: don't just return if the user is root -- we'll want to set the + priority (it could be negative to elevate root's sessions) +- pam_issue: fix off-by-one error allocating space for the prompt string + +* Wed Oct 3 2001 Nalin Dahyabhai +- pam_mkhomedir: recurse into subdirectories properly +- pam_mkhomedir: handle symlinks +- pam_mkhomedir: skip over special items in the skeleton directory + +* Tue Oct 2 2001 Nalin Dahyabhai +- add cracklib as a buildprereq +- pam_wheel: don't ignore out if the user is attempting to switch to a + unprivileged user (this lets pam_wheel do its thing when users attempt + to get to system accounts or accounts of other unprivileged users) + +* Fri Sep 28 2001 Nalin Dahyabhai +- pam_xauth: close a possible DoS due to use of dotlock-style locking in + world-writable directories by relocating the temporary file to the target + user's home directory +- general: include headers local to this tree using relative paths so that + system headers for PAM won't be pulled in, in case include paths don't + take care of it + +* Thu Sep 27 2001 Nalin Dahyabhai +- pam_xauth: rewrite to skip refcounting and just use a temporary file + created using mkstemp() in /tmp + +* Tue Sep 25 2001 Nalin Dahyabhai +- pam_userdb: fix the key_only flag so that the null-terminator of the + user-password string isn't expected to be part of the key in the db file, + matching the behavior of db_load 3.2.9 + +* Mon Sep 24 2001 Nalin Dahyabhai +- pam_unix: use crypt() instead of bigcrypt() when salted field is less than + the critical size which lets us know it was generated with bigcrypt() +- use a wrapper to handle ERANGE errors when calling get....._r functions: + defining PAM_GETPWNAM_R and such (for getpwnam, getpwuid, getgrnam, + getgrgid, and getspnam) before including _pam_macros.h will cause them + to be implemented as static functions, similar to how defining PAM_SM_xxx + is used to control whether or not PAM declares prototypes for certain + functions + +* Mon Sep 24 2001 Nalin Dahyabhai 0.75-14 +- pam_unix: argh, compare entire pruned salt string with crypted result, always + +* Sat Sep 8 2001 Bill Nottingham 0.75-13 +- ship /lib/lib{pam,pam_misc}.so for legacy package builds + +* Thu Sep 6 2001 Nalin Dahyabhai 0.75-12 +- noreplace configuration files in /etc/security +- pam_console: update pam_console_apply and man pages to reflect + /var/lock -> /var/run move + +* Wed Sep 5 2001 Nalin Dahyabhai 0.75-11 +- pam_unix: fix the fix for #42394 + +* Tue Sep 4 2001 Nalin Dahyabhai +- modules: use getpwnam_r and friends instead of non-reentrant versions +- pam_console: clear generated .c and .h files in "clean" makefile target + +* Thu Aug 30 2001 Nalin Dahyabhai +- pam_stack: perform deep copy of conversation structures +- include the static libpam in the -devel subpackage (#52321) +- move development .so and .a files to %%{_libdir} +- pam_unix: don't barf on empty passwords (#51846) +- pam_unix: redo compatibility with "hash,age" data wrt bigcrypt (#42394) +- console.perms: add usb camera, scanner, and rio devices (#15528) +- pam_cracklib: initialize all options properly (#49613) + +* Wed Aug 22 2001 Nalin Dahyabhai +- pam_limits: don't rule out negative priorities + +* Mon Aug 13 2001 Nalin Dahyabhai 0.75-10 +- pam_xauth: fix errors due to uninitialized data structure (fix from Tse Huong + Choo) +- pam_xauth: random cleanups +- pam_console: use /var/run/console instead of /var/lock/console at install-time +- pam_unix: fix preserving of permissions on files which are manipulated + +* Fri Aug 10 2001 Bill Nottingham +- fix segfault in pam_securetty + +* Thu Aug 9 2001 Nalin Dahyabhai +- pam_console: use /var/run/console instead of /var/lock/console for lock files +- pam_issue: read the right number of bytes from the file + +* Mon Jul 9 2001 Nalin Dahyabhai +- pam_wheel: don't error out if the group has no members, but is the user's + primary GID (reported by David Vos) +- pam_unix: preserve permissions on files which are manipulated (#43706) +- pam_securetty: check if the user is the superuser before checking the tty, + thereby allowing regular users access to services which don't set the + PAM_TTY item (#39247) +- pam_access: define NIS and link with libnsl (#36864) + +* Thu Jul 5 2001 Nalin Dahyabhai +- link libpam_misc against libpam + +* Tue Jul 3 2001 Nalin Dahyabhai +- pam_chroot: chdir() before chroot() + +* Fri Jun 29 2001 Nalin Dahyabhai +- pam_console: fix logic bug when changing permissions on single + file and/or lists of files +- pam_console: return the proper error code (reported and patches + for both from Frederic Crozat) +- change deprecated Copyright: tag in .spec file to License: + +* Mon Jun 25 2001 Nalin Dahyabhai +- console.perms: change js* to js[0-9]* +- include pam_aconf.h in more modules (patches from Harald Welte) + +* Thu May 24 2001 Nalin Dahyabhai +- console.perms: add apm_bios to the list of devices the console owner can use +- console.perms: add beep to the list of sound devices + +* Mon May 7 2001 Nalin Dahyabhai +- link pam_console_apply statically with libglib (#38891) + +* Mon Apr 30 2001 Nalin Dahyabhai +- pam_access: compare IP addresses with the terminating ".", as documented + (patch from Carlo Marcelo Arenas Belon, I think) (#16505) + +* Mon Apr 23 2001 Nalin Dahyabhai +- merge up to 0.75 +- pam_unix: temporarily ignore SIGCHLD while running the helper +- pam_pwdb: temporarily ignore SIGCHLD while running the helper +- pam_dispatch: default to uncached behavior if the cached chain is empty + +* Fri Apr 6 2001 Nalin Dahyabhai +- correct speling errors in various debug messages and doc files (#33494) + +* Thu Apr 5 2001 Nalin Dahyabhai +- prereq sed, fileutils (used in %%post) + +* Wed Apr 4 2001 Nalin Dahyabhai +- remove /dev/dri from console.perms -- XFree86 munges it, so it's outside of + our control (reminder from Daryll Strauss) +- add /dev/3dfx to console.perms + +* Fri Mar 23 2001 Nalin Dahyabhai +- pam_wheel: make 'trust' and 'deny' work together correctly +- pam_wheel: also check the user's primary gid +- pam_group: also initialize groups when called with PAM_REINITIALIZE_CRED + +* Tue Mar 20 2001 Nalin Dahyabhai +- mention pam_console_apply in the see also section of the pam_console man pages + +* Fri Mar 16 2001 Nalin Dahyabhai +- console.perms: /dev/vc/* should be a regexp, not a glob (thanks to + Charles Lopes) + +* Mon Mar 12 2001 Nalin Dahyabhai +- console.perms: /dev/cdroms/* should belong to the user, from Douglas + Gilbert via Tim Waugh + +* Thu Mar 8 2001 Nalin Dahyabhai +- pam_console_apply: muck with devices even if the mount point doesn't exist + +* Wed Mar 7 2001 Nalin Dahyabhai +- pam_console: error out on undefined classes in pam_console config file +- console.perms: actually change the permissions on the new device classes +- pam_console: add an fstab= argument, and -f and -c flags to pam_console_apply +- pam_console: use g_log instead of g_critical when bailing out +- console.perms: logins on /dev/vc/* are also console logins, from Douglas + Gilbert via Tim Waugh + +* Tue Mar 6 2001 Nalin Dahyabhai +- add pam_console_apply +- /dev/pilot's usually a serial port (or a USB serial port), so revert its + group to 'uucp' instead of 'tty' in console.perms +- change pam_console's behavior wrt directories -- directories which are + mount points according to /etc/fstab are taken to be synonymous with + their device special nodes, and directories which are not mount points + are ignored + +* Tue Feb 27 2001 Nalin Dahyabhai +- handle errors fork()ing in pam_xauth +- make the "other" config noreplace + +* Mon Feb 26 2001 Nalin Dahyabhai +- user should own the /dev/video directory, not the non-existent /dev/v4l +- tweak pam_limits doc + +* Wed Feb 21 2001 Nalin Dahyabhai +- own /etc/security +- be more descriptive when logging messages from pam_limits +- pam_listfile: remove some debugging code (#28346) + +* Mon Feb 19 2001 Nalin Dahyabhai +- pam_lastlog: don't pass NULL to logwtmp() + +* Fri Feb 16 2001 Nalin Dahyabhai +- pam_listfile: fix argument parser (#27773) +- pam_lastlog: link to libutil + +* Tue Feb 13 2001 Nalin Dahyabhai +- pam_limits: change the documented default config file to reflect the defaults +- pam_limits: you should be able to log in a total of maxlogins times, not + (maxlogins - 1) +- handle group limits on maxlogins correctly (#25690) + +* Mon Feb 12 2001 Nalin Dahyabhai +- change the pam_xauth default maximum "system user" ID from 499 to 99 (#26343) + +* Wed Feb 7 2001 Nalin Dahyabhai +- refresh the default system-auth file, pam_access is out + +* Mon Feb 5 2001 Nalin Dahyabhai +- actually time out when attempting to lckpwdf() (#25889) +- include time.h in pam_issue (#25923) +- update the default system-auth to the one generated by authconfig 4.1.1 +- handle getpw??? and getgr??? failures more gracefully (#26115) +- get rid of some extraneous {set,end}{pw,gr}ent() calls + +* Tue Jan 30 2001 Nalin Dahyabhai +- overhaul pam_stack to account for abstraction libpam now provides + +* Tue Jan 23 2001 Nalin Dahyabhai +- remove pam_radius at request of author + +* Mon Jan 22 2001 Nalin Dahyabhai +- merge to 0.74 +- make console.perms match perms set by MAKEDEV, and add some devfs device names +- add 'sed' to the buildprereq list (#24666) + +* Sun Jan 21 2001 Matt Wilson +- added "exit 0" to the end of the pre script + +* Fri Jan 19 2001 Nalin Dahyabhai +- self-hosting fix from Guy Streeter + +* Wed Jan 17 2001 Nalin Dahyabhai +- use gcc for LD_L to pull in intrinsic stuff on ia64 + +* Fri Jan 12 2001 Nalin Dahyabhai +- take another whack at compatibility with "hash,age" data in pam_unix (#21603) + +* Wed Jan 10 2001 Nalin Dahyabhai +- make the -devel subpackage unconditional + +* Tue Jan 9 2001 Nalin Dahyabhai +- merge/update to 0.73 + +* Mon Dec 18 2000 Nalin Dahyabhai +- refresh from CVS -- some weird stuff crept into pam_unix + +* Tue Dec 12 2000 Nalin Dahyabhai +- fix handling of "nis" when changing passwords by adding the checks for the + data source to the password-updating module in pam_unix +- add the original copyright for pam_access (fix from Michael Gerdts) + +* Thu Nov 30 2000 Nalin Dahyabhai +- redo similar() using a distance algorithm and drop the default dif_ok to 5 +- readd -devel + +* Wed Nov 29 2000 Nalin Dahyabhai +- fix similar() function in pam_cracklib (#14740) +- fix example in access.conf (#21467) +- add conditional compilation for building for 6.2 (for pam_userdb) +- tweak post to not use USESHADOW any more + +* Tue Nov 28 2000 Nalin Dahyabhai +- make EINVAL setting lock limits in pam_limits non-fatal, because it's a 2.4ism + +* Tue Nov 21 2000 Nalin Dahyabhai +- revert to DB 3.1, which is what we were supposed to be using from the get-go + +* Mon Nov 20 2000 Nalin Dahyabhai +- add RLIMIT_LOCKS to pam_limits (patch from Jes Sorensen) (#20542) +- link pam_userdb to Berkeley DB 2.x to match 6.2's setup correctly + +* Mon Nov 6 2000 Matt Wilson +- remove prereq on sh-utils, test ([) is built in to bash + +* Thu Oct 19 2000 Nalin Dahyabhai +- fix the pam_userdb module breaking + +* Wed Oct 18 2000 Nalin Dahyabhai +- fix pam_unix likeauth argument for authenticate(),setcred(),setcred() + +* Tue Oct 17 2000 Nalin Dahyabhai +- tweak pre script to be called in all upgrade cases +- get pam_unix to only care about the significant pieces of passwords it checks +- add /usr/include/db1/db.h as a build prereq to pull in the right include + files, no matter whether they're in glibc-devel or db1-devel +- pam_userdb.c: include db1/db.h instead of db.h + +* Wed Oct 11 2000 Nalin Dahyabhai +- add BuildPrereq for bison (suggested by Bryan Stillwell) + +* Fri Oct 6 2000 Nalin Dahyabhai +- patch from Dmitry V. Levin to have pam_stack propagate the PAM fail_delay +- roll back the README for pam_xauth to actually be the right one +- tweak pam_stack to use the parent's service name when calling the substack + +* Wed Oct 4 2000 Nalin Dahyabhai +- create /etc/sysconfig/authconfig at install-time if upgrading + +* Mon Oct 2 2000 Nalin Dahyabhai +- modify the files list to make sure #16456 stays fixed +- make pam_stack track PAM_AUTHTOK and PAM_OLDAUTHTOK items +- add pam_chroot module +- self-hosting fixes from the -devel split +- update generated docs in the tree + +* Tue Sep 12 2000 Nalin Dahyabhai +- split off a -devel subpackage +- install the developer man pages + +* Sun Sep 10 2000 Bill Nottingham +- build libraries before modules + +* Wed Sep 6 2000 Nalin Dahyabhai +- fix problems when looking for headers in /usr/include (#17236) +- clean up a couple of compile warnings + +* Tue Aug 22 2000 Nalin Dahyabhai +- give users /dev/cdrom* instead of /dev/cdrom in console.perms (#16768) +- add nvidia control files to console.perms + +* Tue Aug 22 2000 Bill Nottingham +- add DRI devices to console.perms (#16731) + +* Thu Aug 17 2000 Nalin Dahyabhai +- move pam_filter modules to /lib/security/pam_filter (#16111) +- add pam_tally's application to allow counts to be reset (#16456) +- move README files to the txts subdirectory + +* Mon Aug 14 2000 Nalin Dahyabhai +- add a postun that runs ldconfig +- clean up logging in pam_xauth + +* Fri Aug 4 2000 Nalin Dahyabhai +- make the tarball include the release number in its name + +* Mon Jul 31 2000 Nalin Dahyabhai +- add a broken_shadow option to pam_unix +- add all module README files to the documentation list (#16456) + +* Tue Jul 25 2000 Nalin Dahyabhai +- fix pam_stack debug and losing-track-of-the-result bug + +* Mon Jul 24 2000 Nalin Dahyabhai +- rework pam_console's usage of syslog to actually be sane (#14646) + +* Sat Jul 22 2000 Nalin Dahyabhai +- take the LOG_ERR flag off of some of pam_console's new messages + +* Fri Jul 21 2000 Nalin Dahyabhai +- add pam_localuser + +* Wed Jul 12 2000 Nalin Dahyabhai +- need to make pam_console's checking a little stronger +- only pass data up from pam_stack if the parent didn't already define it + +* Wed Jul 12 2000 Prospector +- automatic rebuild + +* Tue Jul 11 2000 Nalin Dahyabhai +- make pam_console's extra checks disableable +- simplify extra check to just check if the device owner is root +- add a debug log when pam_stack comes across a NULL item +- have pam_stack hand items up to the parent from the child + +* Mon Jul 3 2000 Nalin Dahyabhai +- fix installation of pam_xauth man pages (#12417) +- forcibly strip helpers (#12430) +- try to make pam_console a little more discriminating + +* Mon Jun 19 2000 Nalin Dahyabhai +- symlink libpam.so to libpam.so.%%{version}, and likewise for libpam_misc +- reverse order of checks in _unix_getpwnam for pam_unix + +* Wed Jun 14 2000 Preston Brown +- include gpmctl in pam_console + +* Mon Jun 05 2000 Nalin Dahyabhai +- add MANDIR definition and use it when installing man pages + +* Mon Jun 05 2000 Preston Brown +- handle scanner and cdwriter devices in pam_console + +* Sat Jun 3 2000 Nalin Dahyabhai +- add account management wrappers for pam_listfile, pam_nologin, pam_securetty, + pam_shells, and pam_wheel + +* Thu Jun 1 2000 Nalin Dahyabhai +- add system-auth control file +- let gethostname() call in pam_access.c be implicitly declared to avoid + conflicting types if unistd.c declares it + +* Mon May 15 2000 Nalin Dahyabhai +- fix problems compiling on Red Hat Linux 5.x (bug #11005) + +* Wed Apr 26 2000 Bill Nottingham +- fix size assumptions in pam_(pwdb|unix) md5 code + +* Mon Mar 20 2000 Nalin Dahyabhai +- Add new pam_stack module. +- Install pwdb_chkpwd and unix_chkpwd as the current user for non-root builds + +* Sat Feb 05 2000 Nalin Dahyabhai +- Fix pam_xauth bug #6191. + +* Thu Feb 03 2000 Elliot Lee +- Add a patch to accept 'pts/N' in /etc/securetty as a match for tty '5' + (which is what other pieces of the system think it is). Fixes bug #7641. + +* Mon Jan 31 2000 Nalin Dahyabhai +- argh, turn off gratuitous debugging + +* Wed Jan 19 2000 Nalin Dahyabhai +- update to 0.72 +- fix pam_unix password-changing bug +- fix pam_unix's cracklib support +- change package URL + +* Mon Jan 03 2000 Cristian Gafton +- don't allow '/' on service_name + +* Thu Oct 21 1999 Cristian Gafton +- enhance the pam_userdb module some more + +* Fri Sep 24 1999 Cristian Gafton +- add documenatation + +* Tue Sep 21 1999 Michael K. Johnson +- a tiny change to pam_console to make it not loose track of console users + +* Mon Sep 20 1999 Michael K. Johnson +- a few fixes to pam_xauth to make it more robust + +* Wed Jul 14 1999 Michael K. Johnson +- pam_console: added to manage /dev/console + +* Thu Jul 01 1999 Michael K. Johnson +- pam_xauth: New refcounting implementation based on idea from Stephen Tweedie + +* Sat Apr 17 1999 Michael K. Johnson +- added video4linux devices to /etc/security/console.perms + +* Fri Apr 16 1999 Michael K. Johnson +- added joystick lines to /etc/security/console.perms + +* Thu Apr 15 1999 Michael K. Johnson +- fixed a couple segfaults in pam_xauth uncovered by yesterday's fix... + +* Wed Apr 14 1999 Cristian Gafton +- use gcc -shared to link the shared libs + +* Wed Apr 14 1999 Michael K. Johnson +- many bug fixes in pam_xauth +- pam_console can now handle broken applications that do not set + the PAM_TTY item. + +* Tue Apr 13 1999 Michael K. Johnson +- fixed glob/regexp confusion in pam_console, added kbd and fixed fb devices +- added pam_xauth module + +* Sat Apr 10 1999 Cristian Gafton +- pam_lastlog does wtmp handling now + +* Thu Apr 08 1999 Michael K. Johnson +- added option parsing to pam_console +- added framebuffer devices to default console.perms settings + +* Wed Apr 07 1999 Cristian Gafton +- fixed empty passwd handling in pam_pwdb + +* Mon Mar 29 1999 Michael K. Johnson +- changed /dev/cdrom default user permissions back to 0600 in console.perms + because some cdrom players open O_RDWR. + +* Fri Mar 26 1999 Michael K. Johnson +- added /dev/jaz and /dev/zip to console.perms + +* Thu Mar 25 1999 Michael K. Johnson +- changed the default user permissions for /dev/cdrom to 0400 in console.perms + +* Fri Mar 19 1999 Michael K. Johnson +- fixed a few bugs in pam_console + +* Thu Mar 18 1999 Michael K. Johnson +- pam_console authentication working +- added /etc/security/console.apps directory + +* Mon Mar 15 1999 Michael K. Johnson +- added pam_console files to filelist + +* Fri Feb 12 1999 Cristian Gafton +- upgraded to 0.66, some source cleanups + +* Mon Dec 28 1998 Cristian Gafton +- add patch from Savochkin Andrey Vladimirovich for umask + security risk + +* Fri Dec 18 1998 Cristian Gafton +- upgrade to ver 0.65 +- build the package out of internal CVS server