diff --git a/.abf.yml b/.abf.yml index d20d18e..8fbc5b2 100644 --- a/.abf.yml +++ b/.abf.yml @@ -1,3 +1,3 @@ sources: - Linux-PAM-1.3.0.tar.bz2: e956252e81d824c35a60c9b50919ca0767f8a8ec - pam-redhat-0.99.11.tar.bz2: 42206fe8319723ef23ab646b2eab496c86de3f5b + Linux-PAM-1.3.1.tar.xz: e89b6d279c9bf8cb495dfc0b3f3931eb50f818e9 + pam-redhat-1.1.1.tar.bz2: c97c3e0a4f488453eda2683d30fe4d63e41538c9 diff --git a/Linux-PAM-0.99.11-pbuild-rh.patch b/Linux-PAM-0.99.11-pbuild-rh.patch deleted file mode 100644 index 2b1a072..0000000 --- a/Linux-PAM-0.99.11-pbuild-rh.patch +++ /dev/null @@ -1,12 +0,0 @@ -diff -urN Linux-PAM-1.3.0/modules/pam_console/Makefile.am Linux-PAM-1.3.0-patched/modules/pam_console/Makefile.am ---- Linux-PAM-1.3.0/modules/pam_console/Makefile.am 2014-02-01 00:17:53.000000000 +1100 -+++ Linux-PAM-1.3.0-patched/modules/pam_console/Makefile.am 2016-09-19 17:27:50.713209337 +1000 -@@ -50,6 +50,8 @@ - pam_console_la_CFLAGS = $(AM_CFLAGS) - pam_console_apply_CFLAGS = $(AM_CFLAGS) - -+configfile.tab.h: configfile.tab.c -+ - configfile.tab.c: configfile.y - $(YACC) $(BISON_OPTS) -o $@ -p _pc_yy $< - sh $(srcdir)/sed-static $@ diff --git a/Linux-PAM-0.99.3.0-enable_rt.patch b/Linux-PAM-0.99.3.0-enable_rt.patch deleted file mode 100644 index 722aaf9..0000000 --- a/Linux-PAM-0.99.3.0-enable_rt.patch +++ /dev/null @@ -1,12 +0,0 @@ ---- Linux-PAM-0.99.3.0/modules/pam_limits/limits.conf.enable_rt 2005-08-16 16:02:28.000000000 +0200 -+++ Linux-PAM-0.99.3.0/modules/pam_limits/limits.conf 2006-01-28 14:51:28.000000000 +0100 -@@ -47,4 +47,9 @@ - #ftp hard nproc 0 - #@student - maxlogins 4 - -+* - rtprio 0 -+* - nice 0 -+@audio - rtprio 50 -+@audio - nice -10 -+ - # End of file diff --git a/Linux-PAM-1.1.4-group_add_users.patch b/Linux-PAM-1.1.4-group_add_users.patch index cc65735..307307c 100644 --- a/Linux-PAM-1.1.4-group_add_users.patch +++ b/Linux-PAM-1.1.4-group_add_users.patch @@ -4,7 +4,7 @@ #xsh; tty* ;%admin;Al0000-2400;plugdev -+*;*;*;Al0000-2400;users, lp ++*;*;*;Al0000-2400;users + # # End of group.conf file diff --git a/pam-1.1.0-console-nochmod.patch b/pam-1.1.0-console-nochmod.patch deleted file mode 100644 index e41adad..0000000 --- a/pam-1.1.0-console-nochmod.patch +++ /dev/null @@ -1,26 +0,0 @@ -diff -up Linux-PAM-1.1.0/modules/pam_console/console.handlers.nochmod Linux-PAM-1.1.0/modules/pam_console/console.handlers ---- Linux-PAM-1.1.0/modules/pam_console/console.handlers.nochmod 2008-12-16 13:37:52.000000000 +0100 -+++ Linux-PAM-1.1.0/modules/pam_console/console.handlers 2009-09-01 17:20:08.000000000 +0200 -@@ -15,5 +15,3 @@ - # touch unlock wait /var/run/console-unlocked - - console consoledevs tty[0-9][0-9]* vc/[0-9][0-9]* :[0-9]+\.[0-9]+ :[0-9]+ --/sbin/pam_console_apply lock logfail wait -t tty -s --/sbin/pam_console_apply unlock logfail wait -r -t tty -s -diff -up Linux-PAM-1.1.0/modules/pam_console/Makefile.am.nochmod Linux-PAM-1.1.0/modules/pam_console/Makefile.am ---- Linux-PAM-1.1.0/modules/pam_console/Makefile.am.nochmod 2008-12-16 13:37:52.000000000 +0100 -+++ Linux-PAM-1.1.0/modules/pam_console/Makefile.am 2009-09-01 17:42:47.000000000 +0200 -@@ -38,7 +38,6 @@ sbin_PROGRAMS = pam_console_apply - - - secureconf_DATA = console.perms console.handlers --permsd_DATA = 50-default.perms - - FLEX_OPTS = -Cr - BISON_OPTS = -d -@@ -62,4 +61,5 @@ configfile.c: configfile.tab.c configfil - - install-data-local: - mkdir -p $(DESTDIR)$(secureconfdir)/console.apps -+ mkdir -p $(DESTDIR)$(permsddir) - mkdir -m $(LOCKMODE) -p -p $(DESTDIR)$(LOCKDIR) diff --git a/pam-1.1.0-console-nopermsd.patch b/pam-1.1.0-console-nopermsd.patch deleted file mode 100644 index 08fe9bf..0000000 --- a/pam-1.1.0-console-nopermsd.patch +++ /dev/null @@ -1,11 +0,0 @@ ---- Linux-PAM-1.1.0/modules/pam_console/pam_console_apply.c.error 2009-10-06 17:34:02.000000000 +0200 -+++ Linux-PAM-1.1.0/modules/pam_console/pam_console_apply.c 2009-10-06 17:39:14.000000000 +0200 -@@ -65,7 +65,7 @@ parse_files(void) - on system locale */ - oldlocale = setlocale(LC_COLLATE, "C"); - -- rc = glob(PERMS_GLOB, GLOB_NOCHECK, NULL, &globbuf); -+ rc = glob(PERMS_GLOB, 0, NULL, &globbuf); - setlocale(LC_COLLATE, oldlocale); - if (rc) - return; diff --git a/pam-1.1.0-notally.patch b/pam-1.1.0-notally.patch deleted file mode 100644 index 9327eec..0000000 --- a/pam-1.1.0-notally.patch +++ /dev/null @@ -1,12 +0,0 @@ -diff -up Linux-PAM-1.1.0/modules/Makefile.am.notally Linux-PAM-1.1.0/modules/Makefile.am ---- Linux-PAM-1.1.0/modules/Makefile.am.notally 2009-07-27 17:39:25.000000000 +0200 -+++ Linux-PAM-1.1.0/modules/Makefile.am 2009-09-01 17:40:16.000000000 +0200 -@@ -10,7 +10,7 @@ SUBDIRS = pam_access pam_cracklib pam_de - pam_mkhomedir pam_motd pam_namespace pam_nologin \ - pam_permit pam_pwhistory pam_rhosts pam_rootok pam_securetty \ - pam_selinux pam_sepermit pam_shells pam_stress \ -- pam_succeed_if pam_tally pam_tally2 pam_time pam_timestamp \ -+ pam_succeed_if pam_tally2 pam_time pam_timestamp \ - pam_tty_audit pam_umask \ - pam_unix pam_userdb pam_warn pam_wheel pam_xauth - diff --git a/pam-1.1.5-limits-user.patch b/pam-1.1.5-limits-user.patch deleted file mode 100644 index 1890e4d..0000000 --- a/pam-1.1.5-limits-user.patch +++ /dev/null @@ -1,12 +0,0 @@ -diff -up Linux-PAM-1.1.5/modules/pam_limits/limits.conf.limits Linux-PAM-1.1.5/modules/pam_limits/limits.conf ---- Linux-PAM-1.1.5/modules/pam_limits/limits.conf.limits 2011-06-21 11:04:56.000000000 +0200 -+++ Linux-PAM-1.1.5/modules/pam_limits/limits.conf 2011-12-21 09:09:17.000000000 +0100 -@@ -1,5 +1,8 @@ - # /etc/security/limits.conf - # -+#This file sets the resource limits for the users logged in via PAM. -+#It does not affect resource limits of the system services. -+# - #Each line describes a limit for a user in the form: - # - # diff --git a/pam-1.1.6-noflex.patch b/pam-1.1.6-noflex.patch deleted file mode 100644 index 6410a8d..0000000 --- a/pam-1.1.6-noflex.patch +++ /dev/null @@ -1,24 +0,0 @@ -diff -up Linux-PAM-1.1.6/doc/Makefile.am.noflex Linux-PAM-1.1.6/doc/Makefile.am ---- Linux-PAM-1.1.6/doc/Makefile.am.noflex 2012-08-15 13:08:43.000000000 +0200 -+++ Linux-PAM-1.1.6/doc/Makefile.am 2012-08-17 14:13:11.904949748 +0200 -@@ -2,7 +2,7 @@ - # Copyright (c) 2005, 2006 Thorsten Kukuk - # - --SUBDIRS = man specs sag adg mwg -+SUBDIRS = man sag adg mwg - - CLEANFILES = *~ - -diff -up Linux-PAM-1.1.6/Makefile.am.noflex Linux-PAM-1.1.6/Makefile.am ---- Linux-PAM-1.1.6/Makefile.am.noflex 2012-08-15 13:08:43.000000000 +0200 -+++ Linux-PAM-1.1.6/Makefile.am 2012-08-17 14:15:36.705359892 +0200 -@@ -4,7 +4,7 @@ - - AUTOMAKE_OPTIONS = 1.9 gnu dist-bzip2 check-news - --SUBDIRS = libpam tests libpamc libpam_misc modules po conf doc examples xtests -+SUBDIRS = libpam tests libpamc libpam_misc modules po doc examples xtests - - CLEANFILES = *~ - diff --git a/pam-1.1.7-unix-build.patch b/pam-1.1.7-unix-build.patch deleted file mode 100644 index d1f30d0..0000000 --- a/pam-1.1.7-unix-build.patch +++ /dev/null @@ -1,34 +0,0 @@ -diff -up Linux-PAM-1.1.5/modules/pam_unix/pam_unix_acct.c.build Linux-PAM-1.1.5/modules/pam_unix/pam_unix_acct.c ---- Linux-PAM-1.1.5/modules/pam_unix/pam_unix_acct.c.build 2012-07-23 18:46:27.709804094 +0200 -+++ Linux-PAM-1.1.5/modules/pam_unix/pam_unix_acct.c 2012-07-23 18:46:27.764805293 +0200 -@@ -47,6 +47,8 @@ - #include /* for time() */ - #include - #include -+#include -+#include - - #include - -diff -up Linux-PAM-1.1.5/modules/pam_unix/pam_unix_passwd.c.build Linux-PAM-1.1.5/modules/pam_unix/pam_unix_passwd.c ---- Linux-PAM-1.1.5/modules/pam_unix/pam_unix_passwd.c.build 2012-07-23 18:55:16.433314731 +0200 -+++ Linux-PAM-1.1.5/modules/pam_unix/pam_unix_passwd.c 2012-07-23 18:54:48.064697131 +0200 -@@ -53,6 +53,7 @@ - #include - #include - #include -+#include - #include - - #include -diff -up Linux-PAM-1.1.5/modules/pam_unix/support.c.build Linux-PAM-1.1.5/modules/pam_unix/support.c ---- Linux-PAM-1.1.5/modules/pam_unix/support.c.build 2012-07-23 18:46:27.000000000 +0200 -+++ Linux-PAM-1.1.5/modules/pam_unix/support.c 2012-07-23 18:54:23.645165507 +0200 -@@ -18,6 +18,7 @@ - #include - #include - #include -+#include - #include - #ifdef HAVE_RPCSVC_YPCLNT_H - #include diff --git a/pam-1.2.0-redhat-modules.patch b/pam-1.2.0-redhat-modules.patch deleted file mode 100644 index 8a66134..0000000 --- a/pam-1.2.0-redhat-modules.patch +++ /dev/null @@ -1,23 +0,0 @@ -diff -up Linux-PAM-1.2.0/configure.ac.redhat-modules Linux-PAM-1.2.0/configure.ac ---- Linux-PAM-1.2.0/configure.ac.redhat-modules 2015-03-25 16:50:10.000000000 +0100 -+++ Linux-PAM-1.2.0/configure.ac 2015-05-15 15:46:50.996074677 +0200 -@@ -616,6 +616,8 @@ AC_CONFIG_FILES([Makefile libpam/Makefil - libpam_misc/Makefile conf/Makefile conf/pam_conv1/Makefile \ - po/Makefile.in \ - modules/Makefile \ -+ modules/pam_chroot/Makefile modules/pam_console/Makefile \ -+ modules/pam_postgresok/Makefile \ - modules/pam_access/Makefile modules/pam_cracklib/Makefile \ - modules/pam_debug/Makefile modules/pam_deny/Makefile \ - modules/pam_echo/Makefile modules/pam_env/Makefile \ -diff -up Linux-PAM-1.2.0/modules/Makefile.am.redhat-modules Linux-PAM-1.2.0/modules/Makefile.am ---- Linux-PAM-1.2.0/modules/Makefile.am.redhat-modules 2015-03-24 13:02:32.000000000 +0100 -+++ Linux-PAM-1.2.0/modules/Makefile.am 2015-05-15 15:46:50.995074654 +0200 -@@ -3,6 +3,7 @@ - # - - SUBDIRS = pam_access pam_cracklib pam_debug pam_deny pam_echo \ -+ pam_chroot pam_console pam_postgresok \ - pam_env pam_exec pam_faildelay pam_filter pam_ftp \ - pam_group pam_issue pam_keyinit pam_lastlog pam_limits \ - pam_listfile pam_localuser pam_loginuid pam_mail \ diff --git a/pam-1.2.0-unix-no-fallback.patch b/pam-1.2.0-unix-no-fallback.patch deleted file mode 100644 index 6295da7..0000000 --- a/pam-1.2.0-unix-no-fallback.patch +++ /dev/null @@ -1,73 +0,0 @@ -diff -up Linux-PAM-1.2.0/modules/pam_unix/pam_unix.8.xml.no-fallback Linux-PAM-1.2.0/modules/pam_unix/pam_unix.8.xml ---- Linux-PAM-1.2.0/modules/pam_unix/pam_unix.8.xml.no-fallback 2015-04-27 16:38:03.000000000 +0200 -+++ Linux-PAM-1.2.0/modules/pam_unix/pam_unix.8.xml 2015-05-15 15:54:21.524440864 +0200 -@@ -284,11 +284,10 @@ - - - When a user changes their password next, -- encrypt it with the SHA256 algorithm. If the -- SHA256 algorithm is not known to the -+ encrypt it with the SHA256 algorithm. The -+ SHA256 algorithm must be supported by the - crypt3 -- function, -- fall back to MD5. -+ function. - - - -@@ -299,11 +298,10 @@ - - - When a user changes their password next, -- encrypt it with the SHA512 algorithm. If the -- SHA512 algorithm is not known to the -+ encrypt it with the SHA512 algorithm. The -+ SHA512 algorithm must be supported by the - crypt3 -- function, -- fall back to MD5. -+ function. - - - -@@ -314,11 +312,10 @@ - - - When a user changes their password next, -- encrypt it with the blowfish algorithm. If the -- blowfish algorithm is not known to the -+ encrypt it with the blowfish algorithm. The -+ blowfish algorithm must be supported by the - crypt3 -- function, -- fall back to MD5. -+ function. - - - -diff -up Linux-PAM-1.2.0/modules/pam_unix/passverify.c.no-fallback Linux-PAM-1.2.0/modules/pam_unix/passverify.c ---- Linux-PAM-1.2.0/modules/pam_unix/passverify.c.no-fallback 2015-05-15 15:54:21.525440887 +0200 -+++ Linux-PAM-1.2.0/modules/pam_unix/passverify.c 2015-05-15 15:57:23.138613273 +0200 -@@ -437,10 +437,9 @@ PAMH_ARG_DECL(char * create_password_has - sp = crypt(password, salt); - #endif - if (!sp || strncmp(algoid, sp, strlen(algoid)) != 0) { -- /* libxcrypt/libc doesn't know the algorithm, use MD5 */ -+ /* libxcrypt/libc doesn't know the algorithm, error out */ - pam_syslog(pamh, LOG_ERR, -- "Algo %s not supported by the crypto backend, " -- "falling back to MD5\n", -+ "Algo %s not supported by the crypto backend.\n", - on(UNIX_BLOWFISH_PASS, ctrl) ? "blowfish" : - on(UNIX_SHA256_PASS, ctrl) ? "sha256" : - on(UNIX_SHA512_PASS, ctrl) ? "sha512" : algoid); -@@ -450,7 +449,7 @@ PAMH_ARG_DECL(char * create_password_has - #ifdef HAVE_CRYPT_R - free(cdata); - #endif -- return crypt_md5_wrapper(password); -+ return NULL; - } - sp = x_strdup(sp); - #ifdef HAVE_CRYPT_R diff --git a/pam-1.2.1-faillock.patch b/pam-1.2.1-faillock.patch deleted file mode 100644 index 7a4209c..0000000 --- a/pam-1.2.1-faillock.patch +++ /dev/null @@ -1,1759 +0,0 @@ -diff -up Linux-PAM-1.2.1/configure.ac.faillock Linux-PAM-1.2.1/configure.ac ---- Linux-PAM-1.2.1/configure.ac.faillock 2015-06-25 10:42:21.477374752 +0200 -+++ Linux-PAM-1.2.1/configure.ac 2015-06-25 10:42:21.501375246 +0200 -@@ -621,7 +621,7 @@ AC_CONFIG_FILES([Makefile libpam/Makefil - modules/pam_access/Makefile modules/pam_cracklib/Makefile \ - modules/pam_debug/Makefile modules/pam_deny/Makefile \ - modules/pam_echo/Makefile modules/pam_env/Makefile \ -- modules/pam_faildelay/Makefile \ -+ modules/pam_faildelay/Makefile modules/pam_faillock/Makefile \ - modules/pam_filter/Makefile modules/pam_filter/upperLOWER/Makefile \ - modules/pam_ftp/Makefile modules/pam_group/Makefile \ - modules/pam_issue/Makefile modules/pam_keyinit/Makefile \ -diff -up Linux-PAM-1.2.1/doc/sag/pam_faillock.xml.faillock Linux-PAM-1.2.1/doc/sag/pam_faillock.xml ---- Linux-PAM-1.2.1/doc/sag/pam_faillock.xml.faillock 2015-06-25 10:42:21.482374855 +0200 -+++ Linux-PAM-1.2.1/doc/sag/pam_faillock.xml 2015-06-25 10:42:21.482374855 +0200 -@@ -0,0 +1,38 @@ -+ -+ -+
-+ pam_faillock - temporarily locking access based on failed authentication attempts during an interval -+ -+ -+ -+ -+ -+ -+
-+ -+
-+
-+ -+
-+
-+ -+
-+
-+ -+
-+
-+ -+
-+
-+ -+
-+
-diff -up Linux-PAM-1.2.1/modules/Makefile.am.faillock Linux-PAM-1.2.1/modules/Makefile.am ---- Linux-PAM-1.2.1/modules/Makefile.am.faillock 2015-06-25 10:42:21.480374814 +0200 -+++ Linux-PAM-1.2.1/modules/Makefile.am 2015-06-25 10:42:21.482374855 +0200 -@@ -3,7 +3,7 @@ - # - - SUBDIRS = pam_access pam_cracklib pam_debug pam_deny pam_echo \ -- pam_chroot pam_console pam_postgresok \ -+ pam_chroot pam_console pam_postgresok pam_faillock \ - pam_env pam_exec pam_faildelay pam_filter pam_ftp \ - pam_group pam_issue pam_keyinit pam_lastlog pam_limits \ - pam_listfile pam_localuser pam_loginuid pam_mail \ -diff -up Linux-PAM-1.2.1/modules/pam_faillock/faillock.c.faillock Linux-PAM-1.2.1/modules/pam_faillock/faillock.c ---- Linux-PAM-1.2.1/modules/pam_faillock/faillock.c.faillock 2015-06-25 10:42:21.482374855 +0200 -+++ Linux-PAM-1.2.1/modules/pam_faillock/faillock.c 2015-06-25 10:42:21.482374855 +0200 -@@ -0,0 +1,158 @@ -+/* -+ * Copyright (c) 2010 Tomas Mraz -+ * -+ * Redistribution and use in source and binary forms, with or without -+ * modification, are permitted provided that the following conditions -+ * are met: -+ * 1. Redistributions of source code must retain the above copyright -+ * notice, and the entire permission notice in its entirety, -+ * including the disclaimer of warranties. -+ * 2. Redistributions in binary form must reproduce the above copyright -+ * notice, this list of conditions and the following disclaimer in the -+ * documentation and/or other materials provided with the distribution. -+ * 3. The name of the author may not be used to endorse or promote -+ * products derived from this software without specific prior -+ * written permission. -+ * -+ * ALTERNATIVELY, this product may be distributed under the terms of -+ * the GNU Public License, in which case the provisions of the GPL are -+ * required INSTEAD OF the above restrictions. (This clause is -+ * necessary due to a potential bad interaction between the GPL and -+ * the restrictions contained in a BSD-style copyright.) -+ * -+ * THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED -+ * WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES -+ * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE -+ * DISCLAIMED. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, -+ * INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES -+ * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR -+ * SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) -+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, -+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) -+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED -+ * OF THE POSSIBILITY OF SUCH DAMAGE. -+ */ -+ -+#include "config.h" -+#include -+#include -+#include -+#include -+#include -+#include -+#include -+#include -+#include -+#include -+ -+#include "faillock.h" -+ -+int -+open_tally (const char *dir, const char *user, uid_t uid, int create) -+{ -+ char *path; -+ int flags = O_RDWR; -+ int fd; -+ -+ if (strstr(user, "../") != NULL) -+ /* just a defensive programming as the user must be a -+ * valid user on the system anyway -+ */ -+ return -1; -+ path = malloc(strlen(dir) + strlen(user) + 2); -+ if (path == NULL) -+ return -1; -+ -+ strcpy(path, dir); -+ if (*dir && dir[strlen(dir) - 1] != '/') { -+ strcat(path, "/"); -+ } -+ strcat(path, user); -+ -+ if (create) { -+ flags |= O_CREAT; -+ } -+ -+ fd = open(path, flags, 0600); -+ -+ free(path); -+ -+ if (fd != -1) { -+ struct stat st; -+ -+ while (flock(fd, LOCK_EX) == -1 && errno == EINTR); -+ if (fstat(fd, &st) == 0) { -+ if (st.st_uid != uid) { -+ fchown(fd, uid, -1); -+ } -+ } -+ } -+ -+ return fd; -+} -+ -+#define CHUNK_SIZE (64 * sizeof(struct tally)) -+#define MAX_RECORDS 1024 -+ -+int -+read_tally(int fd, struct tally_data *tallies) -+{ -+ void *data = NULL, *newdata; -+ unsigned int count = 0; -+ ssize_t chunk = 0; -+ -+ do { -+ newdata = realloc(data, count * sizeof(struct tally) + CHUNK_SIZE); -+ if (newdata == NULL) { -+ free(data); -+ return -1; -+ } -+ -+ data = newdata; -+ -+ chunk = pam_modutil_read(fd, (char *)data + count * sizeof(struct tally), CHUNK_SIZE); -+ if (chunk < 0) { -+ free(data); -+ return -1; -+ } -+ -+ count += chunk/sizeof(struct tally); -+ -+ if (count >= MAX_RECORDS) -+ break; -+ } -+ while (chunk == CHUNK_SIZE); -+ -+ tallies->records = data; -+ tallies->count = count; -+ -+ return 0; -+} -+ -+int -+update_tally(int fd, struct tally_data *tallies) -+{ -+ void *data = tallies->records; -+ unsigned int count = tallies->count; -+ ssize_t chunk; -+ -+ if (tallies->count > MAX_RECORDS) { -+ data = tallies->records + (count - MAX_RECORDS); -+ count = MAX_RECORDS; -+ } -+ -+ if (lseek(fd, 0, SEEK_SET) == (off_t)-1) { -+ return -1; -+ } -+ -+ chunk = pam_modutil_write(fd, data, count * sizeof(struct tally)); -+ -+ if (chunk != (ssize_t)(count * sizeof(struct tally))) { -+ return -1; -+ } -+ -+ if (ftruncate(fd, count * sizeof(struct tally)) == -1) -+ return -1; -+ -+ return 0; -+} -diff -up Linux-PAM-1.2.1/modules/pam_faillock/faillock.h.faillock Linux-PAM-1.2.1/modules/pam_faillock/faillock.h ---- Linux-PAM-1.2.1/modules/pam_faillock/faillock.h.faillock 2015-06-25 10:42:21.482374855 +0200 -+++ Linux-PAM-1.2.1/modules/pam_faillock/faillock.h 2015-06-25 10:42:21.482374855 +0200 -@@ -0,0 +1,73 @@ -+/* -+ * Copyright (c) 2010 Tomas Mraz -+ * -+ * Redistribution and use in source and binary forms, with or without -+ * modification, are permitted provided that the following conditions -+ * are met: -+ * 1. Redistributions of source code must retain the above copyright -+ * notice, and the entire permission notice in its entirety, -+ * including the disclaimer of warranties. -+ * 2. Redistributions in binary form must reproduce the above copyright -+ * notice, this list of conditions and the following disclaimer in the -+ * documentation and/or other materials provided with the distribution. -+ * 3. The name of the author may not be used to endorse or promote -+ * products derived from this software without specific prior -+ * written permission. -+ * -+ * ALTERNATIVELY, this product may be distributed under the terms of -+ * the GNU Public License, in which case the provisions of the GPL are -+ * required INSTEAD OF the above restrictions. (This clause is -+ * necessary due to a potential bad interaction between the GPL and -+ * the restrictions contained in a BSD-style copyright.) -+ * -+ * THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED -+ * WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES -+ * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE -+ * DISCLAIMED. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, -+ * INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES -+ * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR -+ * SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) -+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, -+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) -+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED -+ * OF THE POSSIBILITY OF SUCH DAMAGE. -+ */ -+ -+/* -+ * faillock.h - authentication failure data file record structure -+ * -+ * Each record in the file represents an instance of login failure of -+ * the user at the recorded time -+ */ -+ -+ -+#ifndef _FAILLOCK_H -+#define _FAILLOCK_H -+ -+#include -+#include -+ -+#define TALLY_STATUS_VALID 0x1 /* the tally file entry is valid */ -+#define TALLY_STATUS_RHOST 0x2 /* the source is rhost */ -+#define TALLY_STATUS_TTY 0x4 /* the source is tty - if both TALLY_FLAG_RHOST and TALLY_FLAG_TTY are not set the source is service */ -+ -+struct tally { -+ char source[52]; /* rhost or tty of the login failure (not necessarily NULL terminated) */ -+ uint16_t reserved; /* reserved for future use */ -+ uint16_t status; /* record status */ -+ uint64_t time; /* time of the login failure */ -+}; -+/* 64 bytes per entry */ -+ -+struct tally_data { -+ struct tally *records; /* array of tallies */ -+ unsigned int count; /* number of records */ -+}; -+ -+#define FAILLOCK_DEFAULT_TALLYDIR "/var/run/faillock" -+ -+int open_tally(const char *dir, const char *user, uid_t uid, int create); -+int read_tally(int fd, struct tally_data *tallies); -+int update_tally(int fd, struct tally_data *tallies); -+#endif -+ -diff -up Linux-PAM-1.2.1/modules/pam_faillock/faillock.8.xml.faillock Linux-PAM-1.2.1/modules/pam_faillock/faillock.8.xml ---- Linux-PAM-1.2.1/modules/pam_faillock/faillock.8.xml.faillock 2015-06-25 10:42:21.482374855 +0200 -+++ Linux-PAM-1.2.1/modules/pam_faillock/faillock.8.xml 2015-06-25 10:42:21.482374855 +0200 -@@ -0,0 +1,123 @@ -+ -+ -+ -+ -+ -+ -+ faillock -+ 8 -+ Linux-PAM Manual -+ -+ -+ -+ faillock -+ Tool for displaying and modifying the authentication failure record files -+ -+ -+ -+ -+ faillock -+ -+ --dir /path/to/tally-directory -+ -+ -+ --user username -+ -+ -+ --reset -+ -+ -+ -+ -+ -+ -+ DESCRIPTION -+ -+ -+ The pam_faillock.so module maintains a list of -+ failed authentication attempts per user during a specified interval -+ and locks the account in case there were more than -+ deny consecutive failed authentications. -+ It stores the failure records into per-user files in the tally -+ directory. -+ -+ -+ The faillock command is an application which -+ can be used to examine and modify the contents of the -+ the tally files. It can display the recent failed authentication -+ attempts of the username or clear the tally -+ files of all or individual usernames. -+ -+ -+ -+ -+ -+ OPTIONS -+ -+ -+ -+ -+ -+ -+ -+ The directory where the user files with the failure records are kept. The -+ default is /var/run/faillock. -+ -+ -+ -+ -+ -+ -+ -+ -+ -+ The user whose failure records should be displayed or cleared. -+ -+ -+ -+ -+ -+ -+ -+ -+ -+ Instead of displaying the user's failure records, clear them. -+ -+ -+ -+ -+ -+ -+ -+ FILES -+ -+ -+ /var/run/faillock/* -+ -+ the files logging the authentication failures for users -+ -+ -+ -+ -+ -+ -+ SEE ALSO -+ -+ -+ pam_faillock8 -+ , -+ -+ pam8 -+ -+ -+ -+ -+ -+ AUTHOR -+ -+ faillock was written by Tomas Mraz. -+ -+ -+ -+ -diff -up Linux-PAM-1.2.1/modules/pam_faillock/main.c.faillock Linux-PAM-1.2.1/modules/pam_faillock/main.c ---- Linux-PAM-1.2.1/modules/pam_faillock/main.c.faillock 2015-06-25 10:42:21.482374855 +0200 -+++ Linux-PAM-1.2.1/modules/pam_faillock/main.c 2015-06-25 10:42:21.503375287 +0200 -@@ -0,0 +1,232 @@ -+/* -+ * Copyright (c) 2010 Tomas Mraz -+ * -+ * Redistribution and use in source and binary forms, with or without -+ * modification, are permitted provided that the following conditions -+ * are met: -+ * 1. Redistributions of source code must retain the above copyright -+ * notice, and the entire permission notice in its entirety, -+ * including the disclaimer of warranties. -+ * 2. Redistributions in binary form must reproduce the above copyright -+ * notice, this list of conditions and the following disclaimer in the -+ * documentation and/or other materials provided with the distribution. -+ * 3. The name of the author may not be used to endorse or promote -+ * products derived from this software without specific prior -+ * written permission. -+ * -+ * ALTERNATIVELY, this product may be distributed under the terms of -+ * the GNU Public License, in which case the provisions of the GPL are -+ * required INSTEAD OF the above restrictions. (This clause is -+ * necessary due to a potential bad interaction between the GPL and -+ * the restrictions contained in a BSD-style copyright.) -+ * -+ * THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED -+ * WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES -+ * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE -+ * DISCLAIMED. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, -+ * INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES -+ * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR -+ * SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) -+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, -+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) -+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED -+ * OF THE POSSIBILITY OF SUCH DAMAGE. -+ */ -+ -+#include "config.h" -+ -+#include -+#include -+#include -+#include -+#include -+#include -+#include -+#include -+#include -+#ifdef HAVE_LIBAUDIT -+#include -+#endif -+ -+#include "faillock.h" -+ -+struct options { -+ unsigned int reset; -+ const char *dir; -+ const char *user; -+ const char *progname; -+}; -+ -+static int -+args_parse(int argc, char **argv, struct options *opts) -+{ -+ int i; -+ memset(opts, 0, sizeof(*opts)); -+ -+ opts->dir = FAILLOCK_DEFAULT_TALLYDIR; -+ opts->progname = argv[0]; -+ -+ for (i = 1; i < argc; ++i) { -+ -+ if (strcmp(argv[i], "--dir") == 0) { -+ ++i; -+ if (i >= argc || strlen(argv[i]) == 0) { -+ fprintf(stderr, "%s: No directory supplied.\n", argv[0]); -+ return -1; -+ } -+ opts->dir = argv[i]; -+ } -+ else if (strcmp(argv[i], "--user") == 0) { -+ ++i; -+ if (i >= argc || strlen(argv[i]) == 0) { -+ fprintf(stderr, "%s: No user name supplied.\n", argv[0]); -+ return -1; -+ } -+ opts->user = argv[i]; -+ } -+ else if (strcmp(argv[i], "--reset") == 0) { -+ opts->reset = 1; -+ } -+ else { -+ fprintf(stderr, "%s: Unknown option: %s\n", argv[0], argv[i]); -+ return -1; -+ } -+ } -+ return 0; -+} -+ -+static void -+usage(const char *progname) -+{ -+ fprintf(stderr, _("Usage: %s [--dir /path/to/tally-directory] [--user username] [--reset]\n"), -+ progname); -+} -+ -+static int -+do_user(struct options *opts, const char *user) -+{ -+ int fd; -+ int rv; -+ struct tally_data tallies; -+ struct passwd *pwd; -+ -+ pwd = getpwnam(user); -+ -+ fd = open_tally(opts->dir, user, pwd != NULL ? pwd->pw_uid : 0, 0); -+ -+ if (fd == -1) { -+ if (errno == ENOENT) { -+ return 0; -+ } -+ else { -+ fprintf(stderr, "%s: Error opening the tally file for %s:", -+ opts->progname, user); -+ perror(NULL); -+ return 3; -+ } -+ } -+ if (opts->reset) { -+#ifdef HAVE_LIBAUDIT -+ int audit_fd; -+#endif -+ -+ while ((rv=ftruncate(fd, 0)) == -1 && errno == EINTR); -+ if (rv == -1) { -+ fprintf(stderr, "%s: Error clearing the tally file for %s:", -+ opts->progname, user); -+ perror(NULL); -+#ifdef HAVE_LIBAUDIT -+ } -+ if ((audit_fd=audit_open()) >= 0) { -+ -+ if (pwd != NULL) { -+ audit_log_acct_message(audit_fd, AUDIT_USER_MGMT, NULL, -+ "faillock-reset", NULL, pwd->pw_uid, NULL, NULL, NULL, rv == 0); -+ } -+ close(audit_fd); -+ } -+ if (rv == -1) { -+#endif -+ close(fd); -+ return 4; -+ } -+ } -+ else { -+ unsigned int i; -+ -+ memset(&tallies, 0, sizeof(tallies)); -+ if ((rv=read_tally(fd, &tallies)) == -1) { -+ fprintf(stderr, "%s: Error reading the tally file for %s:", -+ opts->progname, user); -+ perror(NULL); -+ close(fd); -+ return 5; -+ } -+ -+ printf("%s:\n", user); -+ printf("%-19s %-5s %-48s %-5s\n", "When", "Type", "Source", "Valid"); -+ -+ for (i = 0; i < tallies.count; i++) { -+ struct tm *tm; -+ char timebuf[80]; -+ uint16_t status = tallies.records[i].status; -+ time_t when = tallies.records[i].time; -+ -+ tm = localtime(&when); -+ strftime(timebuf, sizeof(timebuf), "%Y-%m-%d %H:%M:%S", tm); -+ printf("%-19s %-5s %-52.52s %s\n", timebuf, -+ status & TALLY_STATUS_RHOST ? "RHOST" : (status & TALLY_STATUS_TTY ? "TTY" : "SVC"), -+ tallies.records[i].source, status & TALLY_STATUS_VALID ? "V":"I"); -+ } -+ free(tallies.records); -+ } -+ close(fd); -+ return 0; -+} -+ -+static int -+do_allusers(struct options *opts) -+{ -+ struct dirent **userlist; -+ int rv, i; -+ -+ rv = scandir(opts->dir, &userlist, NULL, alphasort); -+ if (rv < 0) { -+ fprintf(stderr, "%s: Error reading tally directory: ", opts->progname); -+ perror(NULL); -+ return 2; -+ } -+ -+ for (i = 0; i < rv; i++) { -+ if (userlist[i]->d_name[0] == '.') { -+ if ((userlist[i]->d_name[1] == '.' && userlist[i]->d_name[2] == '\0') || -+ userlist[i]->d_name[1] == '\0') -+ continue; -+ } -+ do_user(opts, userlist[i]->d_name); -+ free(userlist[i]); -+ } -+ free(userlist); -+ -+ return 0; -+} -+ -+ -+/*-----------------------------------------------------------------------*/ -+int -+main (int argc, char *argv[]) -+{ -+ struct options opts; -+ -+ if (args_parse(argc, argv, &opts)) { -+ usage(argv[0]); -+ return 1; -+ } -+ -+ if (opts.user == NULL) { -+ return do_allusers(&opts); -+ } -+ -+ return do_user(&opts, opts.user); -+} -+ -diff -up Linux-PAM-1.2.1/modules/pam_faillock/Makefile.am.faillock Linux-PAM-1.2.1/modules/pam_faillock/Makefile.am ---- Linux-PAM-1.2.1/modules/pam_faillock/Makefile.am.faillock 2015-06-25 10:42:21.482374855 +0200 -+++ Linux-PAM-1.2.1/modules/pam_faillock/Makefile.am 2015-06-25 10:42:21.494375102 +0200 -@@ -0,0 +1,44 @@ -+# -+# Copyright (c) 2005, 2006, 2007, 2009 Thorsten Kukuk -+# Copyright (c) 2008 Red Hat, Inc. -+# Copyright (c) 2010 Tomas Mraz -+# -+ -+CLEANFILES = *~ -+MAINTAINERCLEANFILES = $(MANS) README -+ -+EXTRA_DIST = README $(MANS) $(XMLS) tst-pam_faillock -+ -+man_MANS = pam_faillock.8 faillock.8 -+XMLS = README.xml pam_faillock.8.xml faillock.8.xml -+ -+TESTS = tst-pam_faillock -+ -+securelibdir = $(SECUREDIR) -+secureconfdir = $(SCONFIGDIR) -+ -+noinst_HEADERS = faillock.h -+ -+faillock_CFLAGS = -I$(top_srcdir)/libpam/include -I$(top_srcdir)/libpamc/include @PIE_CFLAGS@ -+pam_faillock_la_CFLAGS = -I$(top_srcdir)/libpam/include -I$(top_srcdir)/libpamc/include -+ -+pam_faillock_la_LDFLAGS = -no-undefined -avoid-version -module -+pam_faillock_la_LIBADD = -L$(top_builddir)/libpam -lpam $(LIBAUDIT) -+if HAVE_VERSIONING -+ pam_faillock_la_LDFLAGS += -Wl,--version-script=$(srcdir)/../modules.map -+endif -+ -+faillock_LDFLAGS = -Wl,-z,now @PIE_LDFLAGS@ -+faillock_LDADD = -L$(top_builddir)/libpam -lpam $(LIBAUDIT) -+ -+securelib_LTLIBRARIES = pam_faillock.la -+sbin_PROGRAMS = faillock -+ -+pam_faillock_la_SOURCES = pam_faillock.c faillock.c -+faillock_SOURCES = main.c faillock.c -+ -+if ENABLE_REGENERATE_MAN -+noinst_DATA = README -+README: pam_faillock.8.xml -+-include $(top_srcdir)/Make.xml.rules -+endif -diff -up Linux-PAM-1.2.1/modules/pam_faillock/pam_faillock.c.faillock Linux-PAM-1.2.1/modules/pam_faillock/pam_faillock.c ---- Linux-PAM-1.2.1/modules/pam_faillock/pam_faillock.c.faillock 2015-06-25 10:42:21.483374875 +0200 -+++ Linux-PAM-1.2.1/modules/pam_faillock/pam_faillock.c 2015-10-16 14:07:38.451616869 +0200 -@@ -0,0 +1,571 @@ -+/* -+ * Copyright (c) 2010 Tomas Mraz -+ * -+ * Redistribution and use in source and binary forms, with or without -+ * modification, are permitted provided that the following conditions -+ * are met: -+ * 1. Redistributions of source code must retain the above copyright -+ * notice, and the entire permission notice in its entirety, -+ * including the disclaimer of warranties. -+ * 2. Redistributions in binary form must reproduce the above copyright -+ * notice, this list of conditions and the following disclaimer in the -+ * documentation and/or other materials provided with the distribution. -+ * 3. The name of the author may not be used to endorse or promote -+ * products derived from this software without specific prior -+ * written permission. -+ * -+ * ALTERNATIVELY, this product may be distributed under the terms of -+ * the GNU Public License, in which case the provisions of the GPL are -+ * required INSTEAD OF the above restrictions. (This clause is -+ * necessary due to a potential bad interaction between the GPL and -+ * the restrictions contained in a BSD-style copyright.) -+ * -+ * THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED -+ * WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES -+ * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE -+ * DISCLAIMED. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, -+ * INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES -+ * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR -+ * SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) -+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, -+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) -+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED -+ * OF THE POSSIBILITY OF SUCH DAMAGE. -+ */ -+ -+#include "config.h" -+#include -+#include -+#include -+#include -+#include -+#include -+#include -+#include -+#include -+ -+#ifdef HAVE_LIBAUDIT -+#include -+#endif -+ -+#include -+#include -+#include -+ -+#include "faillock.h" -+ -+#define PAM_SM_AUTH -+#define PAM_SM_ACCOUNT -+ -+#define FAILLOCK_ACTION_PREAUTH 0 -+#define FAILLOCK_ACTION_AUTHSUCC 1 -+#define FAILLOCK_ACTION_AUTHFAIL 2 -+ -+#define FAILLOCK_FLAG_DENY_ROOT 0x1 -+#define FAILLOCK_FLAG_AUDIT 0x2 -+#define FAILLOCK_FLAG_SILENT 0x4 -+#define FAILLOCK_FLAG_NO_LOG_INFO 0x8 -+#define FAILLOCK_FLAG_UNLOCKED 0x10 -+ -+#define MAX_TIME_INTERVAL 604800 /* 7 days */ -+ -+struct options { -+ unsigned int action; -+ unsigned int flags; -+ unsigned short deny; -+ unsigned int fail_interval; -+ unsigned int unlock_time; -+ unsigned int root_unlock_time; -+ const char *dir; -+ const char *user; -+ int failures; -+ uint64_t latest_time; -+ uid_t uid; -+ uint64_t now; -+}; -+ -+static void -+args_parse(pam_handle_t *pamh, int argc, const char **argv, -+ int flags, struct options *opts) -+{ -+ int i; -+ memset(opts, 0, sizeof(*opts)); -+ -+ opts->dir = FAILLOCK_DEFAULT_TALLYDIR; -+ opts->deny = 3; -+ opts->fail_interval = 900; -+ opts->unlock_time = 600; -+ opts->root_unlock_time = MAX_TIME_INTERVAL+1; -+ -+ for (i = 0; i < argc; ++i) { -+ -+ if (strncmp(argv[i], "dir=", 4) == 0) { -+ if (argv[i][4] != '/') { -+ pam_syslog(pamh, LOG_ERR, -+ "Tally directory is not absolute path (%s); keeping default", argv[i]); -+ } else { -+ opts->dir = argv[i]+4; -+ } -+ } -+ else if (strncmp(argv[i], "deny=", 5) == 0) { -+ if (sscanf(argv[i]+5, "%hu", &opts->deny) != 1) { -+ pam_syslog(pamh, LOG_ERR, -+ "Bad number supplied for deny argument"); -+ } -+ } -+ else if (strncmp(argv[i], "fail_interval=", 14) == 0) { -+ unsigned int temp; -+ if (sscanf(argv[i]+14, "%u", &temp) != 1 || -+ temp > MAX_TIME_INTERVAL) { -+ pam_syslog(pamh, LOG_ERR, -+ "Bad number supplied for fail_interval argument"); -+ } else { -+ opts->fail_interval = temp; -+ } -+ } -+ else if (strncmp(argv[i], "unlock_time=", 12) == 0) { -+ unsigned int temp; -+ -+ if (strcmp(argv[i]+12, "never") == 0) { -+ opts->unlock_time = 0; -+ } -+ else if (sscanf(argv[i]+12, "%u", &temp) != 1 || -+ temp > MAX_TIME_INTERVAL) { -+ pam_syslog(pamh, LOG_ERR, -+ "Bad number supplied for unlock_time argument"); -+ } -+ else { -+ opts->unlock_time = temp; -+ } -+ } -+ else if (strncmp(argv[i], "root_unlock_time=", 17) == 0) { -+ unsigned int temp; -+ -+ if (strcmp(argv[i]+17, "never") == 0) { -+ opts->root_unlock_time = 0; -+ } -+ else if (sscanf(argv[i]+17, "%u", &temp) != 1 || -+ temp > MAX_TIME_INTERVAL) { -+ pam_syslog(pamh, LOG_ERR, -+ "Bad number supplied for root_unlock_time argument"); -+ } else { -+ opts->root_unlock_time = temp; -+ } -+ } -+ else if (strcmp(argv[i], "preauth") == 0) { -+ opts->action = FAILLOCK_ACTION_PREAUTH; -+ } -+ else if (strcmp(argv[i], "authfail") == 0) { -+ opts->action = FAILLOCK_ACTION_AUTHFAIL; -+ } -+ else if (strcmp(argv[i], "authsucc") == 0) { -+ opts->action = FAILLOCK_ACTION_AUTHSUCC; -+ } -+ else if (strcmp(argv[i], "even_deny_root") == 0) { -+ opts->flags |= FAILLOCK_FLAG_DENY_ROOT; -+ } -+ else if (strcmp(argv[i], "audit") == 0) { -+ opts->flags |= FAILLOCK_FLAG_AUDIT; -+ } -+ else if (strcmp(argv[i], "silent") == 0) { -+ opts->flags |= FAILLOCK_FLAG_SILENT; -+ } -+ else if (strcmp(argv[i], "no_log_info") == 0) { -+ opts->flags |= FAILLOCK_FLAG_NO_LOG_INFO; -+ } -+ else { -+ pam_syslog(pamh, LOG_ERR, "Unknown option: %s", argv[i]); -+ } -+ } -+ -+ if (opts->root_unlock_time == MAX_TIME_INTERVAL+1) -+ opts->root_unlock_time = opts->unlock_time; -+ if (flags & PAM_SILENT) -+ opts->flags |= FAILLOCK_FLAG_SILENT; -+} -+ -+static int get_pam_user(pam_handle_t *pamh, struct options *opts) -+{ -+ const char *user; -+ int rv; -+ struct passwd *pwd; -+ -+ if ((rv=pam_get_user(pamh, &user, NULL)) != PAM_SUCCESS) { -+ return rv; -+ } -+ -+ if (*user == '\0') { -+ return PAM_IGNORE; -+ } -+ -+ if ((pwd=pam_modutil_getpwnam(pamh, user)) == NULL) { -+ if (opts->flags & FAILLOCK_FLAG_AUDIT) { -+ pam_syslog(pamh, LOG_ERR, "User unknown: %s", user); -+ } -+ else { -+ pam_syslog(pamh, LOG_ERR, "User unknown"); -+ } -+ return PAM_IGNORE; -+ } -+ opts->user = user; -+ opts->uid = pwd->pw_uid; -+ return PAM_SUCCESS; -+} -+ -+static int -+check_tally(pam_handle_t *pamh, struct options *opts, struct tally_data *tallies, int *fd) -+{ -+ int tfd; -+ unsigned int i; -+ uint64_t latest_time; -+ int failures; -+ -+ opts->now = time(NULL); -+ -+ tfd = open_tally(opts->dir, opts->user, opts->uid, 0); -+ -+ *fd = tfd; -+ -+ if (tfd == -1) { -+ if (errno == EACCES || errno == ENOENT) { -+ return PAM_SUCCESS; -+ } -+ pam_syslog(pamh, LOG_ERR, "Error opening the tally file for %s: %m", opts->user); -+ return PAM_SYSTEM_ERR; -+ } -+ -+ if (read_tally(tfd, tallies) != 0) { -+ pam_syslog(pamh, LOG_ERR, "Error reading the tally file for %s: %m", opts->user); -+ return PAM_SYSTEM_ERR; -+ } -+ -+ if (opts->uid == 0 && !(opts->flags & FAILLOCK_FLAG_DENY_ROOT)) { -+ return PAM_SUCCESS; -+ } -+ -+ latest_time = 0; -+ for(i = 0; i < tallies->count; i++) { -+ if ((tallies->records[i].status & TALLY_STATUS_VALID) && -+ tallies->records[i].time > latest_time) -+ latest_time = tallies->records[i].time; -+ } -+ -+ opts->latest_time = latest_time; -+ -+ failures = 0; -+ for(i = 0; i < tallies->count; i++) { -+ if ((tallies->records[i].status & TALLY_STATUS_VALID) && -+ latest_time - tallies->records[i].time < opts->fail_interval) { -+ ++failures; -+ } -+ } -+ -+ opts->failures = failures; -+ -+ if (opts->uid == 0 && !(opts->flags & FAILLOCK_FLAG_DENY_ROOT)) { -+ return PAM_SUCCESS; -+ } -+ -+ if (opts->deny && failures >= opts->deny) { -+ if ((opts->uid && opts->unlock_time && latest_time + opts->unlock_time < opts->now) || -+ (!opts->uid && opts->root_unlock_time && latest_time + opts->root_unlock_time < opts->now)) { -+#ifdef HAVE_LIBAUDIT -+ if (opts->action != FAILLOCK_ACTION_PREAUTH) { /* do not audit in preauth */ -+ char buf[64]; -+ int audit_fd; -+ const void *rhost = NULL, *tty = NULL; -+ -+ audit_fd = audit_open(); -+ /* If there is an error & audit support is in the kernel report error */ -+ if ((audit_fd < 0) && !(errno == EINVAL || errno == EPROTONOSUPPORT || -+ errno == EAFNOSUPPORT)) -+ return PAM_SYSTEM_ERR; -+ -+ (void)pam_get_item(pamh, PAM_TTY, &tty); -+ (void)pam_get_item(pamh, PAM_RHOST, &rhost); -+ snprintf(buf, sizeof(buf), "pam_faillock uid=%u ", opts->uid); -+ audit_log_user_message(audit_fd, AUDIT_RESP_ACCT_UNLOCK_TIMED, buf, -+ rhost, NULL, tty, 1); -+ } -+#endif -+ opts->flags |= FAILLOCK_FLAG_UNLOCKED; -+ return PAM_SUCCESS; -+ } -+ return PAM_AUTH_ERR; -+ } -+ return PAM_SUCCESS; -+} -+ -+static void -+reset_tally(pam_handle_t *pamh, struct options *opts, int *fd) -+{ -+ int rv; -+ -+ if (*fd == -1) { -+ *fd = open_tally(opts->dir, opts->user, opts->uid, 1); -+ } -+ else { -+ while ((rv=ftruncate(*fd, 0)) == -1 && errno == EINTR); -+ if (rv == -1) { -+ pam_syslog(pamh, LOG_ERR, "Error clearing the tally file for %s: %m", opts->user); -+ } -+ } -+} -+ -+static int -+write_tally(pam_handle_t *pamh, struct options *opts, struct tally_data *tallies, int *fd) -+{ -+ struct tally *records; -+ unsigned int i; -+ int failures; -+ unsigned int oldest; -+ uint64_t oldtime; -+ const void *source = NULL; -+ -+ if (*fd == -1) { -+ *fd = open_tally(opts->dir, opts->user, opts->uid, 1); -+ } -+ if (*fd == -1) { -+ if (errno == EACCES) { -+ return PAM_SUCCESS; -+ } -+ pam_syslog(pamh, LOG_ERR, "Error opening the tally file for %s: %m", opts->user); -+ return PAM_SYSTEM_ERR; -+ } -+ -+ oldtime = 0; -+ oldest = 0; -+ failures = 0; -+ -+ for (i = 0; i < tallies->count; ++i) { -+ if (tallies->records[i].time < oldtime) { -+ oldtime = tallies->records[i].time; -+ oldest = i; -+ } -+ if (opts->flags & FAILLOCK_FLAG_UNLOCKED || -+ opts->now - tallies->records[i].time >= opts->fail_interval ) { -+ tallies->records[i].status &= ~TALLY_STATUS_VALID; -+ } else { -+ ++failures; -+ } -+ } -+ -+ if (oldest >= tallies->count || (tallies->records[oldest].status & TALLY_STATUS_VALID)) { -+ oldest = tallies->count; -+ -+ if ((records=realloc(tallies->records, (oldest+1) * sizeof (*tallies->records))) == NULL) { -+ pam_syslog(pamh, LOG_CRIT, "Error allocating memory for tally records: %m"); -+ return PAM_BUF_ERR; -+ } -+ -+ ++tallies->count; -+ tallies->records = records; -+ } -+ -+ memset(&tallies->records[oldest], 0, sizeof (*tallies->records)); -+ -+ tallies->records[oldest].status = TALLY_STATUS_VALID; -+ if (pam_get_item(pamh, PAM_RHOST, &source) != PAM_SUCCESS || source == NULL) { -+ if (pam_get_item(pamh, PAM_TTY, &source) != PAM_SUCCESS || source == NULL) { -+ if (pam_get_item(pamh, PAM_SERVICE, &source) != PAM_SUCCESS || source == NULL) { -+ source = ""; -+ } -+ } -+ else { -+ tallies->records[oldest].status |= TALLY_STATUS_TTY; -+ } -+ } -+ else { -+ tallies->records[oldest].status |= TALLY_STATUS_RHOST; -+ } -+ -+ strncpy(tallies->records[oldest].source, source, sizeof(tallies->records[oldest].source)); -+ /* source does not have to be null terminated */ -+ -+ tallies->records[oldest].time = opts->now; -+ -+ ++failures; -+ -+ if (opts->deny && failures == opts->deny) { -+#ifdef HAVE_LIBAUDIT -+ char buf[64]; -+ int audit_fd; -+ -+ audit_fd = audit_open(); -+ /* If there is an error & audit support is in the kernel report error */ -+ if ((audit_fd < 0) && !(errno == EINVAL || errno == EPROTONOSUPPORT || -+ errno == EAFNOSUPPORT)) -+ return PAM_SYSTEM_ERR; -+ -+ snprintf(buf, sizeof(buf), "pam_faillock uid=%u ", opts->uid); -+ audit_log_user_message(audit_fd, AUDIT_ANOM_LOGIN_FAILURES, buf, -+ NULL, NULL, NULL, 1); -+ -+ if (opts->uid != 0 || (opts->flags & FAILLOCK_FLAG_DENY_ROOT)) { -+ audit_log_user_message(audit_fd, AUDIT_RESP_ACCT_LOCK, buf, -+ NULL, NULL, NULL, 1); -+ } -+ close(audit_fd); -+#endif -+ if (!(opts->flags & FAILLOCK_FLAG_NO_LOG_INFO)) { -+ pam_syslog(pamh, LOG_INFO, "Consecutive login failures for user %s account temporarily locked", -+ opts->user); -+ } -+ } -+ -+ if (update_tally(*fd, tallies) == 0) -+ return PAM_SUCCESS; -+ -+ return PAM_SYSTEM_ERR; -+} -+ -+static void -+faillock_message(pam_handle_t *pamh, struct options *opts) -+{ -+ int64_t left; -+ -+ if (!(opts->flags & FAILLOCK_FLAG_SILENT)) { -+ if (opts->uid) { -+ left = opts->latest_time + opts->unlock_time - opts->now; -+ } -+ else { -+ left = opts->latest_time + opts->root_unlock_time - opts->now; -+ } -+ -+ if (left > 0) { -+ left = (left + 59)/60; /* minutes */ -+ -+ pam_info(pamh, _("Account temporarily locked due to %d failed logins"), -+ opts->failures); -+ pam_info(pamh, _("(%d minutes left to unlock)"), (int)left); -+ } -+ else { -+ pam_info(pamh, _("Account locked due to %d failed logins"), -+ opts->failures); -+ } -+ } -+} -+ -+static void -+tally_cleanup(struct tally_data *tallies, int fd) -+{ -+ if (fd != -1) { -+ close(fd); -+ } -+ -+ free(tallies->records); -+} -+ -+/*---------------------------------------------------------------------*/ -+ -+PAM_EXTERN int -+pam_sm_authenticate(pam_handle_t *pamh, int flags, -+ int argc, const char **argv) -+{ -+ struct options opts; -+ int rv, fd = -1; -+ struct tally_data tallies; -+ -+ memset(&tallies, 0, sizeof(tallies)); -+ -+ args_parse(pamh, argc, argv, flags, &opts); -+ -+ pam_fail_delay(pamh, 2000000); /* 2 sec delay for on failure */ -+ -+ if ((rv=get_pam_user(pamh, &opts)) != PAM_SUCCESS) { -+ return rv; -+ } -+ -+ switch (opts.action) { -+ case FAILLOCK_ACTION_PREAUTH: -+ rv = check_tally(pamh, &opts, &tallies, &fd); -+ if (rv == PAM_AUTH_ERR && !(opts.flags & FAILLOCK_FLAG_SILENT)) { -+ faillock_message(pamh, &opts); -+ } -+ break; -+ -+ case FAILLOCK_ACTION_AUTHSUCC: -+ rv = check_tally(pamh, &opts, &tallies, &fd); -+ if (rv == PAM_SUCCESS) { -+ reset_tally(pamh, &opts, &fd); -+ } -+ break; -+ -+ case FAILLOCK_ACTION_AUTHFAIL: -+ rv = check_tally(pamh, &opts, &tallies, &fd); -+ if (rv == PAM_SUCCESS) { -+ rv = PAM_IGNORE; /* this return value should be ignored */ -+ write_tally(pamh, &opts, &tallies, &fd); -+ } -+ break; -+ } -+ -+ tally_cleanup(&tallies, fd); -+ -+ return rv; -+} -+ -+/*---------------------------------------------------------------------*/ -+ -+PAM_EXTERN int -+pam_sm_setcred(pam_handle_t *pamh UNUSED, int flags UNUSED, -+ int argc UNUSED, const char **argv UNUSED) -+{ -+ return PAM_SUCCESS; -+} -+ -+/*---------------------------------------------------------------------*/ -+ -+PAM_EXTERN int -+pam_sm_acct_mgmt(pam_handle_t *pamh, int flags, -+ int argc, const char **argv) -+{ -+ struct options opts; -+ int rv, fd = -1; -+ struct tally_data tallies; -+ -+ memset(&tallies, 0, sizeof(tallies)); -+ -+ args_parse(pamh, argc, argv, flags, &opts); -+ -+ opts.action = FAILLOCK_ACTION_AUTHSUCC; -+ -+ if ((rv=get_pam_user(pamh, &opts)) != PAM_SUCCESS) { -+ return rv; -+ } -+ -+ check_tally(pamh, &opts, &tallies, &fd); /* for auditing */ -+ reset_tally(pamh, &opts, &fd); -+ -+ tally_cleanup(&tallies, fd); -+ -+ return PAM_SUCCESS; -+} -+ -+/*-----------------------------------------------------------------------*/ -+ -+#ifdef PAM_STATIC -+ -+/* static module data */ -+ -+struct pam_module _pam_faillock_modstruct = { -+ MODULE_NAME, -+#ifdef PAM_SM_AUTH -+ pam_sm_authenticate, -+ pam_sm_setcred, -+#else -+ NULL, -+ NULL, -+#endif -+#ifdef PAM_SM_ACCOUNT -+ pam_sm_acct_mgmt, -+#else -+ NULL, -+#endif -+ NULL, -+ NULL, -+ NULL, -+}; -+ -+#endif /* #ifdef PAM_STATIC */ -+ -diff -up Linux-PAM-1.2.1/modules/pam_faillock/pam_faillock.8.xml.faillock Linux-PAM-1.2.1/modules/pam_faillock/pam_faillock.8.xml ---- Linux-PAM-1.2.1/modules/pam_faillock/pam_faillock.8.xml.faillock 2016-04-04 16:37:38.696260359 +0200 -+++ Linux-PAM-1.2.1/modules/pam_faillock/pam_faillock.8.xml 2016-04-28 17:09:04.679596165 +0200 -@@ -0,0 +1,408 @@ -+ -+ -+ -+ -+ -+ -+ pam_faillock -+ 8 -+ Linux-PAM Manual -+ -+ -+ -+ pam_faillock -+ Module counting authentication failures during a specified interval -+ -+ -+ -+ -+ auth ... pam_faillock.so -+ -+ preauth|authfail|authsucc -+ -+ -+ dir=/path/to/tally-directory -+ -+ -+ even_deny_root -+ -+ -+ deny=n -+ -+ -+ fail_interval=n -+ -+ -+ unlock_time=n -+ -+ -+ root_unlock_time=n -+ -+ -+ audit -+ -+ -+ silent -+ -+ -+ no_log_info -+ -+ -+ -+ account ... pam_faillock.so -+ -+ dir=/path/to/tally-directory -+ -+ -+ no_log_info -+ -+ -+ -+ -+ -+ -+ DESCRIPTION -+ -+ -+ This module maintains a list of failed authentication attempts per -+ user during a specified interval and locks the account in case -+ there were more than deny consecutive -+ failed authentications. -+ -+ -+ Normally, failed attempts to authenticate root will -+ not cause the root account to become -+ blocked, to prevent denial-of-service: if your users aren't given -+ shell accounts and root may only login via su or -+ at the machine console (not telnet/rsh, etc), this is safe. -+ -+ -+ -+ -+ -+ OPTIONS -+ -+ -+ -+ -+ -+ -+ -+ This argument must be set accordingly to the position of this module -+ instance in the PAM stack. -+ -+ -+ The preauth argument must be used when the module -+ is called before the modules which ask for the user credentials such -+ as the password. The module just examines whether the user should -+ be blocked from accessing the service in case there were anomalous -+ number of failed consecutive authentication attempts recently. This -+ call is optional if authsucc is used. -+ -+ -+ The authfail argument must be used when the module -+ is called after the modules which determine the authentication outcome, -+ failed. Unless the user is already blocked due to previous authentication -+ failures, the module will record the failure into the appropriate user -+ tally file. -+ -+ -+ The authsucc argument must be used when the module -+ is called after the modules which determine the authentication outcome, -+ succeded. Unless the user is already blocked due to previous authentication -+ failures, the module will then clear the record of the failures in the -+ respective user tally file. Otherwise it will return authentication error. -+ If this call is not done, the pam_faillock will not distinguish between -+ consecutive and non-consecutive failed authentication attempts. The -+ preauth call must be used in such case. Due to -+ complications in the way the PAM stack can be configured it is also -+ possible to call pam_faillock as an account module. -+ In such configuration the module must be also called in the -+ preauth stage. -+ -+ -+ -+ -+ -+ -+ -+ -+ -+ The directory where the user files with the failure records are kept. The -+ default is /var/run/faillock. -+ -+ -+ -+ -+ -+ -+ -+ -+ -+ Will log the user name into the system log if the user is not found. -+ -+ -+ -+ -+ -+ -+ -+ -+ -+ Don't print informative messages. This option is implicite -+ in the authfail and authsucc -+ functions. -+ -+ -+ -+ -+ -+ -+ -+ -+ -+ Don't log informative messages via syslog3. -+ -+ -+ -+ -+ -+ -+ -+ -+ -+ Deny access if the number of consecutive authentication failures -+ for this user during the recent interval exceeds -+ n. The default is 3. -+ -+ -+ -+ -+ -+ -+ -+ -+ -+ The length of the interval during which the consecutive -+ authentication failures must happen for the user account -+ lock out is n seconds. -+ The default is 900 (15 minutes). -+ -+ -+ -+ -+ -+ -+ -+ -+ -+ The access will be reenabled after -+ n seconds after the lock out. -+ The value 0 has the same meaning as value -+ never - the access -+ will not be reenabled without resetting the faillock -+ entries by the faillock8 command. -+ The default is 600 (10 minutes). -+ -+ -+ Note that the default directory that pam_faillock -+ uses is usually cleared on system boot so the access will be also reenabled -+ after system reboot. If that is undesirable a different tally directory -+ must be set with the option. -+ -+ -+ Also note that it is usually undesirable to permanently lock -+ out the users as they can become easily a target of denial of service -+ attack unless the usernames are random and kept secret to potential -+ attackers. -+ -+ -+ -+ -+ -+ -+ -+ -+ -+ Root account can become locked as well as regular accounts. -+ -+ -+ -+ -+ -+ -+ -+ -+ -+ This option implies option. -+ Allow access after n seconds -+ to root account after the account is locked. In case the -+ option is not specified the value is the same as of the -+ option. -+ -+ -+ -+ -+ -+ -+ -+ MODULE TYPES PROVIDED -+ -+ The and module types are -+ provided. -+ -+ -+ -+ -+ RETURN VALUES -+ -+ -+ PAM_AUTH_ERR -+ -+ -+ A invalid option was given, the module was not able -+ to retrieve the user name, no valid counter file -+ was found, or too many failed logins. -+ -+ -+ -+ -+ PAM_SUCCESS -+ -+ -+ Everything was successful. -+ -+ -+ -+ -+ PAM_IGNORE -+ -+ -+ User not present in passwd database. -+ -+ -+ -+ -+ -+ -+ -+ NOTES -+ -+ pam_faillock setup in the PAM stack is different -+ from the pam_tally2 module setup. -+ -+ -+ The individual files with the failure records are created as owned by -+ the user. This allows pam_faillock.so module -+ to work correctly when it is called from a screensaver. -+ -+ -+ Note that using the module in without the -+ option or with requisite -+ control field leaks an information about existence or -+ non-existence of an user account in the system because -+ the failures are not recorded for the unknown users. The message -+ about the user account being locked is never displayed for nonexisting -+ user accounts allowing the adversary to infer that a particular account -+ is not existing on a system. -+ -+ -+ -+ -+ EXAMPLES -+ -+ Here are two possible configuration examples for /etc/pam.d/login. -+ They make pam_faillock to lock the account after 4 consecutive -+ failed logins during the default interval of 15 minutes. Root account will be locked -+ as well. The accounts will be automatically unlocked after 20 minutes. -+ -+ -+ In the first example the module is called only in the auth -+ phase and the module does not print any information about the account blocking -+ by pam_faillock. The preauth call can -+ be added to tell the user that his login is blocked by the module and also to abort -+ the authentication without even asking for password in such case. -+ -+ -+auth required pam_securetty.so -+auth required pam_env.so -+auth required pam_nologin.so -+# optionally call: auth requisite pam_faillock.so preauth deny=4 even_deny_root unlock_time=1200 -+# to display the message about account being locked -+auth [success=1 default=bad] pam_unix.so -+auth [default=die] pam_faillock.so authfail deny=4 even_deny_root unlock_time=1200 -+auth sufficient pam_faillock.so authsucc deny=4 even_deny_root unlock_time=1200 -+auth required pam_deny.so -+account required pam_unix.so -+password required pam_unix.so shadow -+session required pam_selinux.so close -+session required pam_loginuid.so -+session required pam_unix.so -+session required pam_selinux.so open -+ -+ -+ In the second example the module is called both in the auth -+ and account phases and the module gives the authenticating -+ user message when the account is locked -+ -+ -+auth required pam_securetty.so -+auth required pam_env.so -+auth required pam_nologin.so -+auth required pam_faillock.so preauth silent deny=4 even_deny_root unlock_time=1200 -+# optionally use requisite above if you do not want to prompt for the password -+# on locked accounts, possibly with removing the silent option as well -+auth sufficient pam_unix.so -+auth [default=die] pam_faillock.so authfail deny=4 even_deny_root unlock_time=1200 -+auth required pam_deny.so -+account required pam_faillock.so -+# if you drop the above call to pam_faillock.so the lock will be done also -+# on non-consecutive authentication failures -+account required pam_unix.so -+password required pam_unix.so shadow -+session required pam_selinux.so close -+session required pam_loginuid.so -+session required pam_unix.so -+session required pam_selinux.so open -+ -+ -+ -+ -+ FILES -+ -+ -+ /var/run/faillock/* -+ -+ the files logging the authentication failures for users -+ -+ -+ -+ -+ -+ -+ SEE ALSO -+ -+ -+ faillock8 -+ , -+ -+ pam.conf5 -+ , -+ -+ pam.d5 -+ , -+ -+ pam8 -+ -+ -+ -+ -+ -+ AUTHOR -+ -+ pam_faillock was written by Tomas Mraz. -+ -+ -+ -+ -diff -up Linux-PAM-1.2.1/modules/pam_faillock/README.xml.faillock Linux-PAM-1.2.1/modules/pam_faillock/README.xml ---- Linux-PAM-1.2.1/modules/pam_faillock/README.xml.faillock 2015-06-25 10:42:21.483374875 +0200 -+++ Linux-PAM-1.2.1/modules/pam_faillock/README.xml 2015-06-25 10:42:21.483374875 +0200 -@@ -0,0 +1,46 @@ -+ -+ -+--> -+]> -+ -+
-+ -+ -+ -+ -+ <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" -+ href="pam_faillock.8.xml" xpointer='xpointer(//refnamediv[@id = "pam_faillock-name"]/*)'/> -+ -+ -+ -+ -+
-+ -+
-+ -+
-+ -+
-+ -+
-+ -+
-+ -+
-+ -+
-+ -+
-+ -+
-+ -+
-diff -up Linux-PAM-1.2.1/modules/pam_faillock/tst-pam_faillock.faillock Linux-PAM-1.2.1/modules/pam_faillock/tst-pam_faillock ---- Linux-PAM-1.2.1/modules/pam_faillock/tst-pam_faillock.faillock 2015-06-25 10:42:21.483374875 +0200 -+++ Linux-PAM-1.2.1/modules/pam_faillock/tst-pam_faillock 2015-06-25 10:42:21.483374875 +0200 -@@ -0,0 +1,2 @@ -+#!/bin/sh -+../../tests/tst-dlopen .libs/pam_faillock.so diff --git a/pam-1.3.0-browser.patch b/pam-1.3.0-browser.patch index a3b56c4..4cdd442 100644 --- a/pam-1.3.0-browser.patch +++ b/pam-1.3.0-browser.patch @@ -1,6 +1,6 @@ -diff -urN Linux-PAM-1.3.0/configure.ac Linux-PAM-1.3.0-patched/configure.ac ---- Linux-PAM-1.3.0/configure.ac 2016-04-28 21:21:59.000000000 +1000 -+++ Linux-PAM-1.3.0-patched/configure.ac 2016-09-19 17:20:03.612168890 +1000 +diff -Naur Linux-PAM-1.3.1/configure.ac Linux-PAM-1.3.1.tpg/configure.ac +--- Linux-PAM-1.3.1/configure.ac 2018-05-23 16:50:06.256872000 +0000 ++++ Linux-PAM-1.3.1.tpg/configure.ac 2018-05-23 16:51:46.867112227 +0000 @@ -554,9 +554,9 @@ JH_CHECK_XML_CATALOG([http://docbook.sourceforge.net/release/xsl/current/manpages/docbook.xsl], [DocBook XSL Stylesheets], [], enable_docu=no) @@ -11,5 +11,5 @@ diff -urN Linux-PAM-1.3.0/configure.ac Linux-PAM-1.3.0-patched/configure.ac - BROWSER="$BROWSER -T text/html -dump" + BROWSER="$BROWSER" else - AC_PATH_PROG([BROWSER], [links]) + AC_PATH_PROG([BROWSER], [elinks]) if test ! -z "$BROWSER"; then diff --git a/pam-1.3.0_ru.po b/pam-1.3.0_ru.po deleted file mode 100644 index 2c0cbcc..0000000 --- a/pam-1.3.0_ru.po +++ /dev/null @@ -1,590 +0,0 @@ -# SOME DESCRIPTIVE TITLE. -# Copyright (C) YEAR Linux-PAM Project -# This file is distributed under the same license as the PACKAGE package. -# -# Translators: -# Aleksandr Brezhnev , 2012 -# Andrew Martynov , 2008 -# Yulia , 2007,2009 -# Yulia , 2013 -# Tomáš Mráz , 2016. #zanata -# Victor Ryzhykh , 2019 -# Mikhail Novosyolov , 2019 -msgid "" -msgstr "" -"Project-Id-Version: Linux-PAM\n" -"Report-Msgid-Bugs-To: http://sourceforge.net/projects/pam\n" -"POT-Creation-Date: 2015-06-22 14:16+0200\n" -"PO-Revision-Date: 2013-04-08 09:12-0400\n" -"Last-Translator: Yulia \n" -"Language-Team: Russian \n" -"MIME-Version: 1.0\n" -"Content-Type: text/plain; charset=UTF-8\n" -"Content-Transfer-Encoding: 8bit\n" -"Language: ru\n" -"Plural-Forms: nplurals=3; plural=(n%10==1 && n%100!=11 ? 0 : n%10>=2 && n%10<=4 && (n%100<10 || n%100>=20) ? 1 : 2);\n" -"X-Generator: Zanata 3.8.3\n" - -#: libpam_misc/misc_conv.c:33 -msgid "...Time is running out...\n" -msgstr "...Время истекает...\n" - -#: libpam_misc/misc_conv.c:34 -msgid "...Sorry, your time is up!\n" -msgstr "...Извините, ваше время истекло!\n" - -#: libpam_misc/misc_conv.c:346 -#, c-format -msgid "erroneous conversation (%d)\n" -msgstr "ошибочный диалог (%d)\n" - -#: libpam/pam_get_authtok.c:39 modules/pam_exec/pam_exec.c:170 -#: modules/pam_userdb/pam_userdb.c:64 -msgid "Password: " -msgstr "Пароль: " - -#: libpam/pam_get_authtok.c:41 -msgid "Current %s%spassword: " -msgstr "Текущий %s%sпароль: " - -#: libpam/pam_get_authtok.c:43 modules/pam_cracklib/pam_cracklib.c:68 -#, c-format -msgid "New %s%spassword: " -msgstr "Новый %s%sпароль: " - -#: libpam/pam_get_authtok.c:45 modules/pam_cracklib/pam_cracklib.c:70 -#, c-format -msgid "Retype new %s%spassword: " -msgstr "Повторите ввод нового пароля %s%s: " - -#: libpam/pam_get_authtok.c:46 modules/pam_cracklib/pam_cracklib.c:71 -msgid "Sorry, passwords do not match." -msgstr "Извините, но пароли не совпадают." - -#: libpam/pam_get_authtok.c:139 libpam/pam_get_authtok.c:220 -#, c-format -msgid "Retype %s" -msgstr "Повторите ввод %s" - -#: libpam/pam_get_authtok.c:164 libpam/pam_get_authtok.c:236 -msgid "Password change aborted." -msgstr "Изменение пароля отменено." - -#: libpam/pam_item.c:311 -msgid "login:" -msgstr "учетная запись:" - -#: libpam/pam_strerror.c:40 -msgid "Success" -msgstr "Успех" - -#: libpam/pam_strerror.c:42 -msgid "Critical error - immediate abort" -msgstr "Критическая ошибка -- незамедлительное прерывание операции" - -#: libpam/pam_strerror.c:44 -msgid "Failed to load module" -msgstr "Не удалось загрузить модуль" - -#: libpam/pam_strerror.c:46 -msgid "Symbol not found" -msgstr "Символ не найден" - -#: libpam/pam_strerror.c:48 -msgid "Error in service module" -msgstr "Ошибка в модуле службы" - -#: libpam/pam_strerror.c:50 -msgid "System error" -msgstr "Системная ошибка" - -#: libpam/pam_strerror.c:52 -msgid "Memory buffer error" -msgstr "Ошибка буфера памяти" - -#: libpam/pam_strerror.c:54 -msgid "Permission denied" -msgstr "Доступ запрещен" - -#: libpam/pam_strerror.c:56 -msgid "Authentication failure" -msgstr "Сбой при проверке подлинности" - -#: libpam/pam_strerror.c:58 -msgid "Insufficient credentials to access authentication data" -msgstr "Недостаточно учетных данных для доступа к данным проверки подлинности" - -#: libpam/pam_strerror.c:60 -msgid "Authentication service cannot retrieve authentication info" -msgstr "" -"Службе проверки подлинности не удается загрузить сведения аутентификации" - -#: libpam/pam_strerror.c:62 -msgid "User not known to the underlying authentication module" -msgstr "Пользователь не известен базовому модулю проверки подлинности" - -#: libpam/pam_strerror.c:64 -msgid "Have exhausted maximum number of retries for service" -msgstr "Использовано максимальное число попыток, заданное для службы" - -#: libpam/pam_strerror.c:66 -msgid "Authentication token is no longer valid; new one required" -msgstr "Маркер проверки подлинности больше недействителен; требуется новый" - -#: libpam/pam_strerror.c:68 -msgid "User account has expired" -msgstr "Срок действия учетной записи пользователя истек" - -#: libpam/pam_strerror.c:70 -msgid "Cannot make/remove an entry for the specified session" -msgstr "Не удалось создать/удалить запись для указанного сеанса" - -#: libpam/pam_strerror.c:72 -msgid "Authentication service cannot retrieve user credentials" -msgstr "" -"Службе проверки подлинности не удается загрузить учетные данные пользователя" - -#: libpam/pam_strerror.c:74 -msgid "User credentials expired" -msgstr "Срок действия учетных данных пользователя истек" - -#: libpam/pam_strerror.c:76 -msgid "Failure setting user credentials" -msgstr "Сбой при настройке учетных данных пользователя" - -#: libpam/pam_strerror.c:78 -msgid "No module specific data is present" -msgstr "Отсутствуют данные, специфичные для модуля" - -#: libpam/pam_strerror.c:80 -msgid "Bad item passed to pam_*_item()" -msgstr "В pam_*_item() передан неверный элемент" - -#: libpam/pam_strerror.c:82 -msgid "Conversation error" -msgstr "Ошибка диалога" - -#: libpam/pam_strerror.c:84 -msgid "Authentication token manipulation error" -msgstr "Ошибка при операциях с маркером проверки подлинности" - -#: libpam/pam_strerror.c:86 -msgid "Authentication information cannot be recovered" -msgstr "Не удается восстановить сведения аутентификации" - -#: libpam/pam_strerror.c:88 -msgid "Authentication token lock busy" -msgstr "Блокировка маркера проверки подлинности занята" - -#: libpam/pam_strerror.c:90 -msgid "Authentication token aging disabled" -msgstr "Ограничение срока действия маркера проверки подлинности отключено" - -#: libpam/pam_strerror.c:92 -msgid "Failed preliminary check by password service" -msgstr "Службе паролей не удалось выполнить предварительную проверку" - -#: libpam/pam_strerror.c:94 -msgid "The return value should be ignored by PAM dispatch" -msgstr "Возвращенное значение не должно учитываться при передаче в PAM" - -#: libpam/pam_strerror.c:96 -msgid "Module is unknown" -msgstr "Неизвестный модуль" - -#: libpam/pam_strerror.c:98 -msgid "Authentication token expired" -msgstr "Срок действия маркера проверки подлинности истек" - -#: libpam/pam_strerror.c:100 -msgid "Conversation is waiting for event" -msgstr "Процесс диалога ожидает событие" - -#: libpam/pam_strerror.c:102 -msgid "Application needs to call libpam again" -msgstr "Приложение должно повторно вызвать libpam" - -#: libpam/pam_strerror.c:105 -msgid "Unknown PAM error" -msgstr "Неизвестная ошибка PAM" - -#: modules/pam_cracklib/pam_cracklib.c:618 -msgid "is the same as the old one" -msgstr "совпадает со старым" - -#: modules/pam_cracklib/pam_cracklib.c:624 -#: modules/pam_cracklib/pam_cracklib.c:628 -#: modules/pam_cracklib/pam_cracklib.c:638 -msgid "memory allocation error" -msgstr "ошибка выделения памяти" - -#: modules/pam_cracklib/pam_cracklib.c:643 -msgid "is a palindrome" -msgstr "является палиндромом" - -#: modules/pam_cracklib/pam_cracklib.c:646 -msgid "case changes only" -msgstr "изменения только в регистре" - -#: modules/pam_cracklib/pam_cracklib.c:649 -msgid "is too similar to the old one" -msgstr "слишком похож на старый" - -#: modules/pam_cracklib/pam_cracklib.c:652 -msgid "is too simple" -msgstr "слишком простой" - -#: modules/pam_cracklib/pam_cracklib.c:655 -msgid "is rotated" -msgstr "является результатом чередования" - -#: modules/pam_cracklib/pam_cracklib.c:658 -msgid "not enough character classes" -msgstr "слишком мало символов различных типов" - -#: modules/pam_cracklib/pam_cracklib.c:661 -msgid "contains too many same characters consecutively" -msgstr "содержит слишком длинную последовательность одинаковых символов" - -#: modules/pam_cracklib/pam_cracklib.c:664 -msgid "contains too long of a monotonic character sequence" -msgstr "содержит слишком много повторяющихся символов" - -#: modules/pam_cracklib/pam_cracklib.c:667 -msgid "contains the user name in some form" -msgstr "содержит имя пользователя" - -#: modules/pam_cracklib/pam_cracklib.c:701 -#: modules/pam_unix/pam_unix_passwd.c:568 -msgid "No password supplied" -msgstr "Пароль не указан" - -#: modules/pam_cracklib/pam_cracklib.c:701 -#: modules/pam_unix/pam_unix_passwd.c:568 -msgid "Password unchanged" -msgstr "Пароль не изменен" - -#: modules/pam_cracklib/pam_cracklib.c:721 -#: modules/pam_cracklib/pam_cracklib.c:803 -#, c-format -msgid "BAD PASSWORD: %s" -msgstr "НЕУДАЧНЫЙ ПАРОЛЬ: %s" - -#: modules/pam_exec/pam_exec.c:273 -#, c-format -msgid "%s failed: exit code %d" -msgstr "Сбой %s. Код выхода: %d" - -#: modules/pam_exec/pam_exec.c:282 -#, c-format -msgid "%s failed: caught signal %d%s" -msgstr "Сбой %s. Получен сигнал %d%s" - -#: modules/pam_exec/pam_exec.c:291 -#, c-format -msgid "%s failed: unknown status 0x%x" -msgstr "Сбой %s. Неизвестный статус 0x%x" - -#. TRANSLATORS: "strftime options for date of last login" -#: modules/pam_lastlog/pam_lastlog.c:282 modules/pam_lastlog/pam_lastlog.c:496 -msgid " %a %b %e %H:%M:%S %Z %Y" -msgstr " %a %b %e %H:%M:%S %Z %Y" - -#. TRANSLATORS: " from " -#: modules/pam_lastlog/pam_lastlog.c:291 modules/pam_lastlog/pam_lastlog.c:505 -#, c-format -msgid " from %.*s" -msgstr " с %.*s" - -#. TRANSLATORS: " on " -#: modules/pam_lastlog/pam_lastlog.c:303 modules/pam_lastlog/pam_lastlog.c:517 -#, c-format -msgid " on %.*s" -msgstr " на %.*s" - -#. TRANSLATORS: "Last login: from on " -#: modules/pam_lastlog/pam_lastlog.c:313 -#, c-format -msgid "Last login:%s%s%s" -msgstr "Последний вход в систему:%s%s%s" - -#: modules/pam_lastlog/pam_lastlog.c:319 -msgid "Welcome to your new account!" -msgstr "Добро пожаловать в новую учетную запись!" - -#. TRANSLATORS: "Last failed login: from on " -#: modules/pam_lastlog/pam_lastlog.c:527 -#, c-format -msgid "Last failed login:%s%s%s" -msgstr "Последняя неудачная попытка входа в систему:%s%s%s" - -#: modules/pam_lastlog/pam_lastlog.c:536 modules/pam_lastlog/pam_lastlog.c:543 -#, c-format -msgid "There was %d failed login attempt since the last successful login." -msgid_plural "" -"There were %d failed login attempts since the last successful login." -msgstr[0] "Со времени последнего входа была %d неудачная попытка." -msgstr[1] "Число неудачных попыток со времени последнего входа: %d." -msgstr[2] "Число неудачных попыток со времени последнего входа: %d." - -#. TRANSLATORS: only used if dngettext is not supported -#: modules/pam_lastlog/pam_lastlog.c:548 -#, c-format -msgid "There were %d failed login attempts since the last successful login." -msgstr "Число неудачных попыток со времени последнего входа: %d." - -#: modules/pam_limits/pam_limits.c:1091 -#, c-format -msgid "Too many logins for '%s'." -msgstr "Слишком много регистраций в системе для «%s»." - -#: modules/pam_mail/pam_mail.c:297 -msgid "No mail." -msgstr "Почты нет." - -#: modules/pam_mail/pam_mail.c:300 -msgid "You have new mail." -msgstr "Есть новая почта." - -#: modules/pam_mail/pam_mail.c:303 -msgid "You have old mail." -msgstr "Есть старая почта." - -#: modules/pam_mail/pam_mail.c:307 -msgid "You have mail." -msgstr "Есть почта." - -#: modules/pam_mail/pam_mail.c:314 -#, c-format -msgid "You have no mail in folder %s." -msgstr "Нет почты в папке %s." - -#: modules/pam_mail/pam_mail.c:318 -#, c-format -msgid "You have new mail in folder %s." -msgstr "Есть новая почта в папке %s." - -#: modules/pam_mail/pam_mail.c:322 -#, c-format -msgid "You have old mail in folder %s." -msgstr "Есть старая почта в папке %s." - -#: modules/pam_mail/pam_mail.c:327 -#, c-format -msgid "You have mail in folder %s." -msgstr "Есть почта в папке %s." - -#: modules/pam_mkhomedir/pam_mkhomedir.c:111 -#, c-format -msgid "Creating directory '%s'." -msgstr "Создание каталога %s." - -#: modules/pam_mkhomedir/pam_mkhomedir.c:176 -#, c-format -msgid "Unable to create and initialize directory '%s'." -msgstr "Не удалось создать и инициализировать каталог %s." - -#: modules/pam_pwhistory/pam_pwhistory.c:217 -#: modules/pam_unix/pam_unix_passwd.c:589 -msgid "Password has been already used. Choose another." -msgstr "Этот пароль уже был использован. Выберите другой." - -#: modules/pam_pwhistory/pam_pwhistory.c:224 -msgid "Password has been already used." -msgstr "Этот пароль уже использовался." - -#: modules/pam_selinux/pam_selinux.c:210 -#, c-format -msgid "Default Security Context %s\n" -msgstr "Контекст безопасности по умолчанию %s\n" - -#: modules/pam_selinux/pam_selinux.c:214 -msgid "Would you like to enter a different role or level?" -msgstr "Хотите ввести другую роль или уровень?" - -#: modules/pam_selinux/pam_selinux.c:227 -msgid "role:" -msgstr "роль:" - -#: modules/pam_selinux/pam_selinux.c:230 -#, c-format -msgid "No default type for role %s\n" -msgstr "Для роли %s нет типа по умолчанию\n" - -#: modules/pam_selinux/pam_selinux.c:262 -msgid "level:" -msgstr "уровень:" - -#: modules/pam_selinux/pam_selinux.c:295 -msgid "Not a valid security context" -msgstr "Неверный контекст безопасности" - -#: modules/pam_selinux/pam_selinux.c:544 -#, c-format -msgid "Unable to get valid context for %s" -msgstr "Не удалось получить корректный контекст для %s" - -#: modules/pam_selinux/pam_selinux.c:663 -#, c-format -msgid "Security Context %s Assigned" -msgstr "Контекст безопасности %s назначен" - -#: modules/pam_selinux/pam_selinux.c:679 -#, c-format -msgid "Key Creation Context %s Assigned" -msgstr "Контекст %s, используемый при создании ключей, назначен" - -#: modules/pam_selinux/pam_selinux_check.c:99 -#, c-format -msgid "failed to initialize PAM\n" -msgstr "не удалось инициировать PAM\n" - -#: modules/pam_selinux/pam_selinux_check.c:105 -#, c-format -msgid "failed to pam_set_item()\n" -msgstr "не удалось выполнить pam_set_item()\n" - -#: modules/pam_selinux/pam_selinux_check.c:133 -#, c-format -msgid "login: failure forking: %m" -msgstr "регистрация: сбой при создании нового процесса: %m" - -#: modules/pam_stress/pam_stress.c:470 -#, c-format -msgid "Changing STRESS password for %s." -msgstr "Смена пароля STRESS для %s." - -#: modules/pam_stress/pam_stress.c:484 -msgid "Enter new STRESS password: " -msgstr "Введите новый пароль STRESS: " - -#: modules/pam_stress/pam_stress.c:487 -msgid "Retype new STRESS password: " -msgstr "Повторите ввод нового пароля STRESS: " - -#: modules/pam_stress/pam_stress.c:516 -msgid "Verification mis-typed; password unchanged" -msgstr "Подтверждение введено неправильно; пароль не изменен" - -#: modules/pam_tally/pam_tally.c:541 modules/pam_tally2/pam_tally2.c:597 -#, c-format -msgid "Account temporary locked (%ld seconds left)" -msgstr "Учетная запись временно заблокирована (осталось %ld сек.)" - -#: modules/pam_tally/pam_tally.c:566 modules/pam_tally2/pam_tally2.c:580 -#, c-format -msgid "Account locked due to %u failed logins" -msgstr "" -"Учетная запись заблокирована как следствие неудачных попыток входа (всего --" -" %u)." - -#: modules/pam_tally/pam_tally.c:750 modules/pam_tally2/pam_tally2.c:863 -msgid "Authentication error" -msgstr "Ошибка при проверке подлинности" - -#: modules/pam_tally/pam_tally.c:751 modules/pam_tally2/pam_tally2.c:864 -msgid "Service error" -msgstr "Ошибка службы" - -#: modules/pam_tally/pam_tally.c:752 modules/pam_tally2/pam_tally2.c:865 -msgid "Unknown user" -msgstr "Неизвестный пользователь" - -#: modules/pam_tally/pam_tally.c:753 modules/pam_tally2/pam_tally2.c:866 -msgid "Unknown error" -msgstr "Неизвестная ошибка" - -#: modules/pam_tally/pam_tally.c:769 modules/pam_tally2/pam_tally2.c:885 -#, c-format -msgid "%s: Bad number given to --reset=\n" -msgstr "%s: указано неверное число для --reset=\n" - -#: modules/pam_tally/pam_tally.c:773 modules/pam_tally2/pam_tally2.c:889 -#, c-format -msgid "%s: Unrecognised option %s\n" -msgstr "%s: неопознанный параметр %s\n" - -#: modules/pam_tally/pam_tally.c:785 -#, c-format -msgid "" -"%s: [--file rooted-filename] [--user username] [--reset[=n]] [--quiet]\n" -msgstr "" -"%s: [--file имя_корневого_файла] [--user имя_пользователя] [--reset[=n]] [--" -"quiet]\n" - -#: modules/pam_tally/pam_tally.c:859 modules/pam_tally2/pam_tally2.c:1016 -#, c-format -msgid "%s: Can't reset all users to non-zero\n" -msgstr "" -"%s: не удается выполнить сброс всех пользователей в ненулевое значение\n" - -#: modules/pam_tally2/pam_tally2.c:917 -#, c-format -msgid "Login Failures Latest failure From\n" -msgstr "Учетная запись Сбой Последний сбой С\n" - -#: modules/pam_tally2/pam_tally2.c:933 -#, c-format -msgid "" -"%s: [-f rooted-filename] [--file rooted-filename]\n" -" [-u username] [--user username]\n" -" [-r] [--reset[=n]] [--quiet]\n" -msgstr "" -"%s: [-f имя_корневого_файла] [--file имя_корневого_файла]\n" -" [-u имя_пользователя] [--user имя_пользователя]\n" -" [-r] [--reset[=n]] [--quiet]\n" - -#: modules/pam_timestamp/pam_timestamp.c:357 -#, c-format -msgid "Access granted (last access was %ld seconds ago)." -msgstr "Доступ предоставлен (последнее обращение было %ld сек. назад)." - -#: modules/pam_unix/pam_unix_acct.c:253 modules/pam_unix/pam_unix_acct.c:275 -msgid "Your account has expired; please contact your system administrator" -msgstr "" -"Срок действия учетной записи истек; обратитесь к системному администратору" - -#: modules/pam_unix/pam_unix_acct.c:261 -#, fuzzy -msgid "" -"You are required to change your password immediately (administrator " -"enforced)" -msgstr "" -"Вам необходимо немедленно сменить пароль (по требованию администратора)" - -#: modules/pam_unix/pam_unix_acct.c:267 -#, fuzzy -msgid "" -"You are required to change your password immediately (password expired)" -msgstr "Вам необходимо немедленно сменить пароль (срок действия пароля истек)" - -#: modules/pam_unix/pam_unix_acct.c:288 modules/pam_unix/pam_unix_acct.c:295 -#, c-format -msgid "Warning: your password will expire in %d day" -msgid_plural "Warning: your password will expire in %d days" -msgstr[0] "Предупреждение: срок действия пароля истекает через %d день" -msgstr[1] "Предупреждение: срок действия пароля истекает через %d дня" -msgstr[2] "Предупреждение: срок действия пароля истекает через %d дней" - -#. TRANSLATORS: only used if dngettext is not supported -#: modules/pam_unix/pam_unix_acct.c:300 -#, c-format -msgid "Warning: your password will expire in %d days" -msgstr "Предупреждение: срок действия пароля истекает через %d дн(я)(ей)" - -#: modules/pam_unix/pam_unix_passwd.c:470 -msgid "NIS password could not be changed." -msgstr "Пароль NIS изменить нельзя." - -#: modules/pam_unix/pam_unix_passwd.c:585 -msgid "You must choose a longer password" -msgstr "Выберите пароль большей длины" - -#: modules/pam_unix/pam_unix_passwd.c:692 -#, c-format -msgid "Changing password for %s." -msgstr "Смена пароля для %s." - -#: modules/pam_unix/pam_unix_passwd.c:722 -msgid "You must wait longer to change your password" -msgstr "До смены пароля должно пройти больше времени" diff --git a/pam.spec b/pam.spec index d3a9aaa..418815f 100644 --- a/pam.spec +++ b/pam.spec @@ -10,20 +10,20 @@ %bcond_without selinux -%define pam_redhat_version 0.99.11 +%define pam_redhat_version 1.1.1 Summary: A security tool which provides authentication for applications Name: pam -Version: 1.3.0 -Release: 10 +Version: 1.3.1 +Release: 1 Epoch: 1 # The library is BSD licensed with option to relicense as GPLv2+ - this option is redundant # as the BSD license allows that anyway. pam_timestamp and pam_console modules are GPLv2+, License: BSD and GPLv2+ Group: System/Libraries Url: http://www.kernel.org/pub/linux/libs/pam/index.html -Source0: ftp://ftp.kernel.org/pub/linux/libs/pam/library/Linux-PAM-%{version}.tar.bz2 -Source2: pam-redhat-%{pam_redhat_version}.tar.bz2 +Source0: https://github.com/linux-pam/linux-pam/releases/download/v%{version}/Linux-PAM-%{version}.tar.xz +Source2: https://releases.pagure.org/pam-redhat/pam-redhat-%{pam_redhat_version}.tar.bz2 Source5: other.pamd Source6: system-auth.pamd Source7: config-util.pamd @@ -39,43 +39,69 @@ Source16: smartcard-auth.pamd #add missing documentation Source501: pam_tty_audit.8 Source502: README -Source503: pam-%{version}_ru.po # RedHat patches -Patch1: pam-1.2.0-redhat-modules.patch -Patch2: pam-1.2.0-fix-running-in-containers.patch -Patch3: pam-1.2.0-unix-no-fallback.patch -Patch4: pam-1.1.0-console-nochmod.patch -Patch5: pam-1.1.0-notally.patch -Patch9: pam-1.1.6-noflex.patch -Patch10: pam-1.1.3-nouserenv.patch -Patch13: pam-1.1.5-limits-user.patch -Patch14: pam-1.2.1-faillock.patch -Patch22: pam-1.1.7-unix-build.patch -Patch43: pam-1.3.0-pwhistory-helper.patch +Patch1: https://src.fedoraproject.org/rpms/pam/raw/master/f/pam-1.3.1-redhat-modules.patch +Patch9: https://src.fedoraproject.org/rpms/pam/raw/master/f/pam-1.3.1-noflex.patch +Patch10: https://src.fedoraproject.org/rpms/pam/raw/master/f/pam-1.1.3-nouserenv.patch +Patch13: https://src.fedoraproject.org/rpms/pam/raw/master/f/pam-1.1.6-limits-user.patch +Patch15: https://src.fedoraproject.org/rpms/pam/raw/master/f/pam-1.1.8-full-relro.patch -# ROSA specific sources/patches +# Upstreamed partially +Patch29: https://src.fedoraproject.org/rpms/pam/raw/master/f/pam-1.3.0-pwhistory-helper.patch +Patch31: https://src.fedoraproject.org/rpms/pam/raw/master/f/pam-1.1.8-audit-user-mgmt.patch +Patch33: https://src.fedoraproject.org/rpms/pam/raw/master/f/pam-1.3.0-unix-nomsg.patch +Patch34: https://src.fedoraproject.org/rpms/pam/raw/master/f/pam-1.3.1-coverity.patch +# https://github.com/linux-pam/linux-pam/commit/a2b72aeb86f297d349bc9e6a8f059fedf97a499a +Patch36: https://src.fedoraproject.org/rpms/pam/raw/master/f/pam-1.3.1-unix-remove-obsolete-_unix_read_password-prototype.patch +# https://github.com/linux-pam/linux-pam/commit/f7abb8c1ef3aa31e6c2564a8aaf69683a77c2016.patch +Patch37: https://src.fedoraproject.org/rpms/pam/raw/master/f/pam-1.3.1-unix-bcrypt_b.patch +# https://github.com/linux-pam/linux-pam/commit/dce80b3f11b3c3aa137d18f22699809094dd64b6 +Patch38: https://src.fedoraproject.org/rpms/pam/raw/master/f/pam-1.3.1-unix-gensalt-autoentropy.patch +# https://github.com/linux-pam/linux-pam/commit/4da9febc39b955892a30686e8396785b96bb8ba5 +Patch39: https://src.fedoraproject.org/rpms/pam/raw/master/f/pam-1.3.1-unix-crypt_checksalt.patch +# https://github.com/linux-pam/linux-pam/commit/16bd523f85ede9fa9115f80e826f2d803d7e61d4 +Patch40: https://src.fedoraproject.org/rpms/pam/raw/master/f/pam-1.3.1-unix-yescrypt.patch +# To be upstreamed soon. +Patch41: https://src.fedoraproject.org/rpms/pam/raw/master/f/pam-1.3.1-unix-no-fallback.patch +# https://github.com/linux-pam/linux-pam/commit/f9c9c72121eada731e010ab3620762bcf63db08f +# https://github.com/linux-pam/linux-pam/commit/8eaf5570cf011148a0b55c53570df5edaafebdb0 +Patch42: https://src.fedoraproject.org/rpms/pam/raw/master/f/pam-1.3.1-motd-multiple-paths.patch +# https://github.com/linux-pam/linux-pam/commit/86eed7ca01864b9fd17099e57f10f2b9b6b568a1 +Patch43: https://src.fedoraproject.org/rpms/pam/raw/master/f/pam-1.3.1-unix-checksalt_syslog.patch +# https://github.com/linux-pam/linux-pam/commit/d8d11db2cef65da5d2afa7acf21aa9c8cd88abed +Patch44: https://src.fedoraproject.org/rpms/pam/raw/master/f/pam-1.3.1-unix-fix_checksalt_syslog.patch +Patch45: https://src.fedoraproject.org/rpms/pam/raw/master/f/pam-1.3.1-namespace-mntopts.patch +Patch46: https://src.fedoraproject.org/rpms/pam/raw/master/f/pam-1.3.1-lastlog-no-showfailed.patch +Patch47: https://src.fedoraproject.org/rpms/pam/raw/master/f/pam-1.3.1-lastlog-unlimited-fsize.patch +Patch48: https://src.fedoraproject.org/rpms/pam/raw/master/f/pam-1.3.1-unix-improve-logging.patch +Patch49: https://src.fedoraproject.org/rpms/pam/raw/master/f/pam-1.3.1-tty-audit-manfix.patch +Patch50: https://src.fedoraproject.org/rpms/pam/raw/master/f/pam-1.3.1-fds-closing.patch +Patch51: https://src.fedoraproject.org/rpms/pam/raw/master/f/pam-1.3.1-authtok-verify-fix.patch + +# OpenMandriva specific sources/patches +# (bero) fix running in docker and systemd-nspawn +Patch500: pam-1.2.0-fix-running-in-containers.patch # (fl) fix infinite loop Patch507: pam-0.74-loop.patch # (fc) 0.75-29mdk don't complain when / is owned by root.adm Patch508: Linux-PAM-0.99.3.0-pamtimestampadm.patch -# (tv/blino) add defaults for nice/rtprio in /etc/security/limits.conf -Patch517: Linux-PAM-0.99.3.0-enable_rt.patch +Patch509: Linux-PAM-0.99.3.0-pbuild-rh.patch +# (fl) pam_xauth: set extra groups because in high security levels +# access to /usr/X11R6/bin dir is controlled by a group +Patch512: Linux-PAM-1.1.1-xauth-groups.patch Patch700: pam_fix_static_pam_console.patch -# (fc) do not output error when no file is in /etc/security/console.perms.d/ -Patch701: pam-1.1.0-console-nopermsd.patch # (proyvind): add missing constant that went with rpc removal from glibc 2.14 Patch702: Linux-PAM-1.1.4-add-now-missing-nis-constant.patch -Patch703: Linux-PAM-0.99.11-pbuild-rh.patch - -# (akdengi) add user to default group users which need for Samba +# (proyvind): move from /var/run/console to /run/console +Patch703: Linux-PAM-1.1.8-move-from-varrun-to-run.patch +# (akdengi> add user to default group users which need for Samba Patch801: Linux-PAM-1.1.4-group_add_users.patch +# use html2text instead of w3m +Patch802: pam-1.3.0-browser.patch -# (din) use html2text instead of w3m -Patch805: pam-1.3.0-browser.patch - %if %{with selinux} BuildRequires: selinux-devel >= 2.1.6-7 %endif @@ -127,7 +153,6 @@ having to recompile programs that handle authentication. %config %{_sysconfdir}/pam.d/password-auth %config %{_sysconfdir}/pam.d/smartcard-auth /sbin/pam_console_apply -/sbin/pam_tally2 /sbin/faillock %attr(4755,root,root) /sbin/pam_timestamp_check %attr(0755,root,root) /sbin/pwhistory_helper @@ -138,6 +163,7 @@ having to recompile programs that handle authentication. %config(noreplace) %{_sysconfdir}/security/chroot.conf %config(noreplace) %{_sysconfdir}/security/console.perms %config(noreplace) %{_sysconfdir}/security/console.handlers +%config(noreplace) %{_sysconfdir}/security/faillock.conf %config(noreplace) %{_sysconfdir}/security/group.conf %config(noreplace) %{_sysconfdir}/security/limits.conf %config(noreplace) %{_sysconfdir}/security/namespace.conf @@ -257,7 +283,7 @@ This package contains the development libraries for %{name}. # Add custom modules. mv pam-redhat-%{pam_redhat_version}/* modules -%apply_patches +%autopatch -p1 install -m644 %{SOURCE501} %{SOURCE502} modules/pam_tty_audit/ @@ -265,7 +291,11 @@ install -m644 %{SOURCE501} %{SOURCE502} modules/pam_tty_audit/ # Replace original po/ru.po with our fork. # Ported to upstream git master: # https://github.com/linux-pam/linux-pam/pull/152 -cp %{SOURCE503} po/ru.po +rm -rf doc/txts/README.pam_tally* +rm -rf doc/sag/html/*pam_tally* + +touch ChangeLog # to make autoreconf happy +autoreconf -fi -I m4 %build autoreconf -fi @@ -288,7 +318,8 @@ autoreconf -fi --disable-selinux \ %endif --enable-audit -%make + +%make_build %install mkdir -p doc/txts diff --git a/postlogin.pamd b/postlogin.pamd index f3bb224..eaebbfa 100644 --- a/postlogin.pamd +++ b/postlogin.pamd @@ -1,7 +1,5 @@ #%PAM-1.0 -# This file is auto-generated. -# User changes will be destroyed the next time authconfig is run. - -session [success=1 default=ignore] pam_succeed_if.so service !~ gdm* quiet -session [default=1] pam_lastlog.so nowtmp silent +session optional pam_umask.so silent +session [success=1 default=ignore] pam_succeed_if.so service !~ gdm* service !~ su* quiet +session [default=1] pam_lastlog.so nowtmp showfailed session optional pam_lastlog.so silent noupdate showfailed diff --git a/smartcard-auth.pamd b/smartcard-auth.pamd index e5b57e3..e8dc3c8 100644 --- a/smartcard-auth.pamd +++ b/smartcard-auth.pamd @@ -1,6 +1,4 @@ #%PAM-1.0 -# This file is auto-generated. -# User changes will be destroyed the next time authconfig is run. auth required pam_env.so auth [success=done ignore=ignore default=die] pam_pkcs11.so wait_for_card auth required pam_deny.so diff --git a/system-auth.pamd b/system-auth.pamd index 2e01bf9..2b5a333 100644 --- a/system-auth.pamd +++ b/system-auth.pamd @@ -1,18 +1,19 @@ #%PAM-1.0 -# This file is auto-generated. -# User changes will be destroyed the next time authconfig is run. auth required pam_env.so -auth sufficient pam_unix.so try_first_pass nullok +auth sufficient pam_unix.so try_first_pass likeauth nullok auth required pam_deny.so account required pam_unix.so -password requisite pam_pwquality.so try_first_pass local_users_only retry=3 authtok_type= -password sufficient pam_unix.so try_first_pass use_authtok nullok sha512 shadow +# Make sure you use use_authtok below if and only if you +# want to stack a password checking tool like pam_pwquality +password sufficient pam_unix.so try_first_pass nullok sha512 shadow password required pam_deny.so session optional pam_keyinit.so revoke session required pam_limits.so --session optional pam_systemd.so +session optional pam_env.so +session optional pam_umask.so +session optional pam_systemd.so session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid session required pam_unix.so