diff --git a/.abf.yml b/.abf.yml
index 0500b99..d20d18e 100644
--- a/.abf.yml
+++ b/.abf.yml
@@ -1,3 +1,3 @@
 sources:
- Linux-PAM-1.1.8.tar.bz2: f8ce53c67363f78d520392fa1c253c4978058be1
- pam-redhat-0.99.10-1.tar.bz2: 09e618edc5dcda9a6eb435a31db742afca673ae1
+ Linux-PAM-1.3.0.tar.bz2: e956252e81d824c35a60c9b50919ca0767f8a8ec
+ pam-redhat-0.99.11.tar.bz2: 42206fe8319723ef23ab646b2eab496c86de3f5b
diff --git a/Linux-PAM-0.99.11-pbuild-rh.patch b/Linux-PAM-0.99.11-pbuild-rh.patch
new file mode 100644
index 0000000..2b1a072
--- /dev/null
+++ b/Linux-PAM-0.99.11-pbuild-rh.patch
@@ -0,0 +1,12 @@
+diff -urN Linux-PAM-1.3.0/modules/pam_console/Makefile.am Linux-PAM-1.3.0-patched/modules/pam_console/Makefile.am
+--- Linux-PAM-1.3.0/modules/pam_console/Makefile.am 2014-02-01 00:17:53.000000000 +1100
++++ Linux-PAM-1.3.0-patched/modules/pam_console/Makefile.am 2016-09-19 17:27:50.713209337 +1000
+@@ -50,6 +50,8 @@
+ pam_console_la_CFLAGS = $(AM_CFLAGS)
+ pam_console_apply_CFLAGS = $(AM_CFLAGS)
++configfile.tab.h: configfile.tab.c
++
+ configfile.tab.c: configfile.y
+ $(YACC) $(BISON_OPTS) -o $@ -p _pc_yy $<
+ sh $(srcdir)/sed-static $@
diff --git a/Linux-PAM-1.1.1-xauth-groups.patch b/Linux-PAM-1.1.1-xauth-groups.patch
deleted file mode 100644
index 6abc9c3..0000000
--- a/Linux-PAM-1.1.1-xauth-groups.patch
+++ /dev/null
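Review bot: The new rule `configfile.tab.h: configfile.tab.c` in Linux-PAM-0.99.11-pbuild-rh.patch has an empty recipe, so make only learns the ordering for parallel builds and will never regenerate the header (presumably written by the same bison run as configfile.tab.c) when it is missing while configfile.tab.c is already up to date, e.g. after a partial clean. The automake idiom for a secondary output is a recipe that forces the primary target when the header is absent, such as `@test -f $@ || { rm -f configfile.tab.c; $(MAKE) $(AM_MAKEFLAGS) configfile.tab.c; }`. The file name says 0.99.11 while its own headers patch a Linux-PAM-1.3.0 tree; naming it after the tree it applies to would avoid confusion with the pam-redhat version. Separately, the context line `pam_console_apply_CFLAGS = $(AM_CFLAGS)` shows this tree without the `@PIE_CFLAGS@` and `pam_console_apply_LDFLAGS = -Wl,-z,now @PIE_LDFLAGS@` that the deleted pam-1.1.8-full-relro.patch added for the pam_console_apply helper, so unless pam-redhat-0.99.11 carries that hardening itself, this commit silently drops PIE/full RELRO for that binary and that should be confirmed before the old patch is removed.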
@@ -1,67 +0,0 @@ ---- a/modules/pam_xauth/pam_xauth.c 2010-10-08 13:56:11.000000000 +0200 -+++ b/modules/pam_xauth/pam_xauth.c.oden 2010-11-03 11:23:06.714312576 +0100 -@@ -90,7 +90,7 @@ static const char * const xauthpaths[] = - * given input on stdin, and storing any output it generates. */ - static int - run_coprocess(pam_handle_t *pamh, const char *input, char **output, -- uid_t uid, gid_t gid, const char *command, ...) -+ uid_t uid, gid_t gid, const char *name, const char *command, ...) - { - int ipipe[2], opipe[2], i; - char buf[LINE_MAX]; -@@ -141,6 +141,12 @@ run_coprocess(pam_handle_t *pamh, const - pam_syslog (pamh, LOG_ERR, "setgroups() failed: %m"); - _exit (err); - } -+ -+ /* Mandriva Linux specific: -+ * we need to set the extra groups because in high security levels -+ * access to /usr/X11R6/bin dir is controlled by a group */ -+ initgroups(name, gid); -+ - if (setuid(uid) == -1) - { - int err = errno; -@@ -148,6 +154,7 @@ run_coprocess(pam_handle_t *pamh, const - (unsigned long) geteuid ()); - _exit (err); - } -+ - /* Initialize the argument list. */ - memset(args, 0, sizeof(args)); - /* Set the pipe descriptors up as stdin and stdout, and close -@@ -173,6 +180,7 @@ run_coprocess(pam_handle_t *pamh, const - } - /* Run the command. */ - execv(command, args); -+ syslog(LOG_ERR, "pam_xauth: execvp of %s failed: %m", command); - /* Never reached. 
*/ - _exit(1); - } -@@ -508,7 +516,7 @@ pam_sm_open_session (pam_handle_t *pamh, - (unsigned long) getuid(), (unsigned long) getgid()); - } - if (run_coprocess(pamh, NULL, &cookie, -- getuid(), getgid(), -+ getuid(), getgid(), rpwd->pw_name, - xauth, "-f", cookiefile, "nlist", display, - NULL) == 0) { - #ifdef WITH_SELINUX -@@ -567,7 +575,7 @@ pam_sm_open_session (pam_handle_t *pamh, - (unsigned long) getgid()); - } - run_coprocess(pamh, NULL, &cookie, -- getuid(), getgid(), -+ getuid(), getgid(), rpwd->pw_name, - xauth, "-f", cookiefile, - "nlist", t, NULL); - } -@@ -709,7 +717,7 @@ pam_sm_open_session (pam_handle_t *pamh, - (unsigned long) tpwd->pw_gid); - } - run_coprocess(pamh, cookie, &tmp, -- tpwd->pw_uid, tpwd->pw_gid, -+ tpwd->pw_uid, tpwd->pw_gid, tpwd->pw_name, - xauth, "-f", cookiefile, "nmerge", "-", NULL); - - /* We don't need to keep a copy of these around any more. */ diff --git a/pam-1.1.0-console-fixes.patch b/pam-1.1.0-console-fixes.patch deleted file mode 100644 index 08cd4c6..0000000 --- a/pam-1.1.0-console-fixes.patch +++ /dev/null 
@@ -1,71 +0,0 @@ -diff -up Linux-PAM-1.1.0/modules/pam_console/handlers.c.consolefix Linux-PAM-1.1.0/modules/pam_console/handlers.c ---- Linux-PAM-1.1.0/modules/pam_console/handlers.c.consolefix 2009-11-02 08:45:24.000000000 +0100 -+++ Linux-PAM-1.1.0/modules/pam_console/handlers.c 2009-11-02 08:50:19.000000000 +0100 -@@ -172,13 +172,13 @@ call_exec(struct console_handler *handle - const char *flagptr; - const char **argv; - int i = 0; -- argv = malloc(sizeof(*argv)*nparams+2); -- -+ argv = malloc(sizeof(*argv)*(nparams+2)); -+ - if (argv == NULL) - return; -- -+ - argv[i++] = handler->executable; -- -+ - for (flagptr = handler->flags; *flagptr != '\0'; flagptr += strlen(flagptr)+1) { - switch (testflag(flagptr)) { - case HF_LOGFAIL: -@@ -231,7 +231,7 @@ execute_handler(pam_handle_t *pamh, stru - } - - sighandler = signal(SIGCHLD, SIG_DFL); -- -+ - child = fork(); - switch (child) { - case -1: -@@ -246,30 +246,31 @@ execute_handler(pam_handle_t *pamh, stru - if (!wait_exit) { - switch(fork()) { - case 0: -- exit(0); -+ if(setsid() == -1) { -+ _exit(255); -+ } -+ break; - case -1: -- exit(255); -+ _exit(255); - default: -- if(setsid() == -1) { -- exit(255); -- } -+ _exit(0); - } - } - if (set_uid) { - struct passwd *pw; - pw = getpwnam(user); - if (pw == NULL) -- exit(255); -+ _exit(255); - if (setgid(pw->pw_gid) == -1 || - setuid(pw->pw_uid) == -1) -- exit(255); -+ _exit(255); - } - call_exec(handler, nparams, user, tty); -- exit(255); -+ _exit(255); - default: - break; - } -- -+ - waitpid(child, &rv, 0); - - if (sighandler != SIG_ERR) diff --git a/pam-1.1.3-console-abstract.patch b/pam-1.1.3-console-abstract.patch deleted file mode 100644 index ed14ddd..0000000 --- a/pam-1.1.3-console-abstract.patch +++ /dev/null 
@@ -1,82 +0,0 @@ -diff -up Linux-PAM-1.1.3/modules/pam_console/pam_console.c.abstract Linux-PAM-1.1.3/modules/pam_console/pam_console.c ---- Linux-PAM-1.1.3/modules/pam_console/pam_console.c.abstract 2008-12-16 13:37:52.000000000 +0100 -+++ Linux-PAM-1.1.3/modules/pam_console/pam_console.c 2010-11-01 17:01:55.000000000 +0100 -@@ -34,6 +34,8 @@ - #include - #include - #include -+#include -+#include - #include - #include - #include -@@ -136,6 +138,32 @@ check_one_console_name(const char *name, - } - - static int -+try_xsocket(const char *path, size_t len) { -+ int fd; -+ union { -+ struct sockaddr sa; -+ struct sockaddr_un su; -+ } addr; -+ -+ fd = socket(AF_UNIX, SOCK_STREAM, 0); -+ if (fd < 0) -+ return 0; -+ -+ memset(&addr, 0, sizeof(addr)); -+ addr.su.sun_family = AF_UNIX; -+ -+ if (len > sizeof(addr.su.sun_path)) -+ return 0; -+ memcpy(addr.su.sun_path, path, len); -+ if (connect(fd, &addr.sa, sizeof(addr.su)) == 0) { -+ close(fd); -+ return 1; -+ } -+ close(fd); -+ return 0; -+} -+ -+static int - check_console_name(pam_handle_t *pamh, const char *consolename, int nonroot_ok, int on_set) { - int found = 0; - int statted = 0; -@@ -186,22 +214,29 @@ check_console_name(pam_handle_t *pamh, c - if (!statted && (consolename[0] == ':')) { - int l; - char *dot = NULL; -- strcpy(full_path, "/tmp/.X11-unix/X"); -- l = sizeof(full_path) - 1 - strlen(full_path); -+ char *path = full_path + 1; -+ -+ full_path[0] = '\0'; -+ strcpy(path, "/tmp/.X11-unix/X"); -+ l = sizeof(full_path) - 2 - strlen(path); - dot = strchr(consolename + 1, '.'); - if (dot != NULL) { - l = (l < dot - consolename - 1) ? 
l : dot - consolename - 1; - } -- strncat(full_path, consolename + 1, l); -+ strncat(path, consolename + 1, l); - full_path[sizeof(full_path) - 1] = '\0'; -- _pam_log(pamh, LOG_DEBUG, TRUE, "checking possible console \"%s\"", -- full_path); -- if (lstat(full_path, &st) != -1) { -+ _pam_log(pamh, LOG_DEBUG, TRUE, "checking possible X socket \"%s\"", -+ path); -+ -+ /* this will work because st.st_uid is 0 */ -+ if (try_xsocket(full_path, strlen(path)+1)) { -+ statted = 1; -+ } else if (try_xsocket(path, strlen(path))) { - statted = 1; - } - else if (!on_set) { /* there is no X11 socket in case of X11 crash */ - _pam_log(pamh, LOG_DEBUG, TRUE, "can't find X11 socket to examine for %s probably due to X crash", consolename); -- statted = 1; /* this will work because st.st_uid is 0 */ -+ statted = 1; - } - } - diff --git a/pam-1.1.6-std-noclose.patch b/pam-1.1.6-std-noclose.patch deleted file mode 100644 index 5c8640f..0000000 --- a/pam-1.1.6-std-noclose.patch +++ /dev/null 
@@ -1,98 +0,0 @@ -diff -up Linux-PAM-1.1.6/modules/pam_mkhomedir/pam_mkhomedir.c.std-noclose Linux-PAM-1.1.6/modules/pam_mkhomedir/pam_mkhomedir.c ---- Linux-PAM-1.1.6/modules/pam_mkhomedir/pam_mkhomedir.c.std-noclose 2012-08-15 13:08:43.000000000 +0200 -+++ Linux-PAM-1.1.6/modules/pam_mkhomedir/pam_mkhomedir.c 2012-08-17 13:25:20.684075361 +0200 -@@ -133,13 +133,21 @@ create_homedir (pam_handle_t *pamh, opti - if (child == 0) { - int i; - struct rlimit rlim; -+ int dummyfds[2]; - static char *envp[] = { NULL }; - char *args[] = { NULL, NULL, NULL, NULL, NULL }; - -+ /* replace std file descriptors with a dummy pipe */ -+ if (pipe(dummyfds) == 0) { -+ dup2(dummyfds[0], STDIN_FILENO); -+ dup2(dummyfds[1], STDOUT_FILENO); -+ dup2(dummyfds[1], STDERR_FILENO); -+ } -+ - if (getrlimit(RLIMIT_NOFILE, &rlim)==0) { - if (rlim.rlim_max >= MAX_FD_NO) - rlim.rlim_max = MAX_FD_NO; -- for (i=0; i < (int)rlim.rlim_max; i++) { -+ for (i = STDERR_FILENO + 1; i < (int)rlim.rlim_max; i++) { - close(i); - } - } -diff -up Linux-PAM-1.1.6/modules/pam_unix/pam_unix_acct.c.std-noclose Linux-PAM-1.1.6/modules/pam_unix/pam_unix_acct.c ---- Linux-PAM-1.1.6/modules/pam_unix/pam_unix_acct.c.std-noclose 2012-08-15 13:08:43.000000000 +0200 -+++ Linux-PAM-1.1.6/modules/pam_unix/pam_unix_acct.c 2012-08-17 13:22:51.664560481 +0200 -@@ -105,16 +105,18 @@ int _unix_run_verify_binary(pam_handle_t - - /* reopen stdout as pipe */ - dup2(fds[1], STDOUT_FILENO); -+ /* and replace also the stdin, stderr so we do not exec the helper with -+ tty as stdin, it will not read anything from there anyway */ -+ dup2(fds[0], STDIN_FILENO); -+ dup2(fds[1], STDERR_FILENO); - - /* XXX - should really tidy up PAM here too */ - - if (getrlimit(RLIMIT_NOFILE,&rlim)==0) { - if (rlim.rlim_max >= MAX_FD_NO) - rlim.rlim_max = MAX_FD_NO; -- for (i=0; i < (int)rlim.rlim_max; i++) { -- if (i != STDOUT_FILENO) { -- close(i); -- } -+ for (i = STDERR_FILENO + 1; i < (int)rlim.rlim_max; i++) { -+ close(i); - } - } - -diff -up 
Linux-PAM-1.1.6/modules/pam_unix/pam_unix_passwd.c.std-noclose Linux-PAM-1.1.6/modules/pam_unix/pam_unix_passwd.c ---- Linux-PAM-1.1.6/modules/pam_unix/pam_unix_passwd.c.std-noclose 2012-08-15 13:08:43.000000000 +0200 -+++ Linux-PAM-1.1.6/modules/pam_unix/pam_unix_passwd.c 2012-08-17 14:10:38.917346789 +0200 -@@ -210,13 +210,16 @@ static int _unix_run_update_binary(pam_h - - /* reopen stdin as pipe */ - dup2(fds[0], STDIN_FILENO); -+ /* and replace also the stdout/err as the helper will -+ not write anything there */ -+ dup2(fds[1], STDOUT_FILENO); -+ dup2(fds[1], STDERR_FILENO); - - if (getrlimit(RLIMIT_NOFILE,&rlim)==0) { - if (rlim.rlim_max >= MAX_FD_NO) - rlim.rlim_max = MAX_FD_NO; -- for (i=0; i < (int)rlim.rlim_max; i++) { -- if (i != STDIN_FILENO) -- close(i); -+ for (i = STDERR_FILENO + 1; i < (int)rlim.rlim_max; i++) { -+ close(i); - } - } - -diff -up Linux-PAM-1.1.6/modules/pam_unix/support.c.std-noclose Linux-PAM-1.1.6/modules/pam_unix/support.c ---- Linux-PAM-1.1.6/modules/pam_unix/support.c.std-noclose 2012-08-15 13:08:43.000000000 +0200 -+++ Linux-PAM-1.1.6/modules/pam_unix/support.c 2012-08-17 14:12:10.833511475 +0200 -@@ -469,13 +469,16 @@ static int _unix_run_helper_binary(pam_h - - /* reopen stdin as pipe */ - dup2(fds[0], STDIN_FILENO); -+ /* and replace also the stdout/err as the helper will -+ not write anything there */ -+ dup2(fds[1], STDOUT_FILENO); -+ dup2(fds[1], STDERR_FILENO); - - if (getrlimit(RLIMIT_NOFILE,&rlim)==0) { - if (rlim.rlim_max >= MAX_FD_NO) - rlim.rlim_max = MAX_FD_NO; -- for (i=0; i < (int)rlim.rlim_max; i++) { -- if (i != STDIN_FILENO) -- close(i); -+ for (i = STDERR_FILENO + 1; i < (int)rlim.rlim_max; i++) { -+ close(i); - } - } - diff --git a/pam-1.1.7-tty-audit-init.patch b/pam-1.1.7-tty-audit-init.patch deleted file mode 100644 index 065a650..0000000 --- a/pam-1.1.7-tty-audit-init.patch +++ /dev/null 
@@ -1,48 +0,0 @@ -diff -up Linux-PAM-1.1.7/modules/pam_tty_audit/pam_tty_audit.c.tty-audit-init Linux-PAM-1.1.7/modules/pam_tty_audit/pam_tty_audit.c ---- Linux-PAM-1.1.7/modules/pam_tty_audit/pam_tty_audit.c.tty-audit-init 2013-08-28 10:53:40.000000000 +0200 -+++ Linux-PAM-1.1.7/modules/pam_tty_audit/pam_tty_audit.c 2013-10-04 14:51:19.944994905 +0200 -@@ -36,6 +36,7 @@ - USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH - DAMAGE. */ - -+#include "config.h" - #include - #include - #include -@@ -108,7 +109,7 @@ nl_recv (int fd, unsigned type, void *bu - struct msghdr msg; - struct nlmsghdr nlm; - struct iovec iov[2]; -- ssize_t res; -+ ssize_t res, resdiff; - - again: - iov[0].iov_base = &nlm; -@@ -160,12 +161,17 @@ nl_recv (int fd, unsigned type, void *bu - res = recvmsg (fd, &msg, 0); - if (res == -1) - return -1; -- if ((size_t)res != NLMSG_LENGTH (size) -+ resdiff = NLMSG_LENGTH(size) - (size_t)res; -+ if (resdiff < 0 - || nlm.nlmsg_type != type) - { - errno = EIO; - return -1; - } -+ else if (resdiff > 0) -+ { -+ memset((char *)buf + res, 0, resdiff); -+ } - return 0; - } - -@@ -275,6 +281,8 @@ pam_sm_open_session (pam_handle_t *pamh, - return PAM_SESSION_ERR; - } - -+ memcpy(&new_status, old_status, sizeof(new_status)); -+ - new_status.enabled = (command == CMD_ENABLE ? 1 : 0); - #ifdef HAVE_STRUCT_AUDIT_TTY_STATUS_LOG_PASSWD - new_status.log_passwd = log_passwd; diff --git a/pam-1.1.8-audit-grantor.patch b/pam-1.1.8-audit-grantor.patch deleted file mode 100644 index 451634b..0000000 --- a/pam-1.1.8-audit-grantor.patch +++ /dev/null 
@@ -1,435 +0,0 @@ -From 0d29e379601819c7f7ed8de18b54de803a9f4049 Mon Sep 17 00:00:00 2001 -From: Tomas Mraz -Date: Fri, 5 Sep 2014 09:09:37 +0200 -Subject: [PATCH] Add grantor field to audit records of libpam. - -The grantor field gives audit trail of PAM modules which granted access -for successful return from libpam calls. In case of failed return -the grantor field is set to '?'. -libpam/pam_account.c (pam_acct_mgmt): Remove _pam_auditlog() call. -libpam/pam_auth.c (pam_authenticate, pam_setcred): Likewise. -libpam/pam_password.c (pam_chauthtok): Likewise. -libpam/pam_session.c (pam_open_session, pam_close_session): Likewise. -libpam/pam_audit.c (_pam_audit_writelog): Add grantors parameter, -add grantor= field to the message if grantors is set. -(_pam_list_grantors): New function creating the string with grantors list. -(_pam_auditlog): Add struct handler pointer parameter, call _pam_list_grantors() -to list the grantors from the handler list. -(_pam_audit_end): Add NULL handler parameter to _pam_auditlog() call. -(pam_modutil_audit_write): Add NULL grantors parameter to _pam_audit_writelog(). -libpam/pam_dispatch.c (_pam_dispatch_aux): Set h->grantor where appropriate. -(_pam_clear_grantors): New function to clear grantor field of handler. -(_pam_dispatch): Call _pam_clear_grantors() before executing the stack. -Call _pam_auditlog() when appropriate. -libpam/pam_handlers.c (extract_modulename): Do not allow empty module name -or just "?" to avoid confusing audit trail. -(_pam_add_handler): Test for NULL return from extract_modulename(). -Clear grantor field of handler. -libpam/pam_private.h: Add grantor field to struct handler, add handler pointer -parameter to _pam_auditlog(). 
---- - libpam/pam_account.c | 4 --- - libpam/pam_audit.c | 84 +++++++++++++++++++++++++++++++++++++++++++-------- - libpam/pam_auth.c | 8 ----- - libpam/pam_dispatch.c | 41 ++++++++++++++++++++----- - libpam/pam_handlers.c | 14 +++++++-- - libpam/pam_password.c | 4 --- - libpam/pam_private.h | 3 +- - libpam/pam_session.c | 7 ----- - 8 files changed, 119 insertions(+), 46 deletions(-) - -diff --git a/libpam/pam_account.c b/libpam/pam_account.c -index 572acc4..3a4fb1f 100644 ---- a/libpam/pam_account.c -+++ b/libpam/pam_account.c -@@ -19,9 +19,5 @@ int pam_acct_mgmt(pam_handle_t *pamh, int flags) - - retval = _pam_dispatch(pamh, flags, PAM_ACCOUNT); - --#ifdef HAVE_LIBAUDIT -- retval = _pam_auditlog(pamh, PAM_ACCOUNT, retval, flags); --#endif -- - return retval; - } -diff --git a/libpam/pam_audit.c b/libpam/pam_audit.c -index 531746a..24fb799 100644 ---- a/libpam/pam_audit.c -+++ b/libpam/pam_audit.c -@@ -6,12 +6,12 @@ - Authors: - Steve Grubb */ - --#include --#include - #include "pam_private.h" - #include "pam_modutil_private.h" - - #ifdef HAVE_LIBAUDIT -+#include -+#include - #include - #include - #include -@@ -25,17 +25,24 @@ - - static int - _pam_audit_writelog(pam_handle_t *pamh, int audit_fd, int type, -- const char *message, int retval) -+ const char *message, const char *grantors, int retval) - { - static int old_errno = -1; -- int rc; -- char buf[32]; -+ int rc = -ENOMEM; -+ char *buf; -+ const char *grantors_field = " grantors="; - -- snprintf(buf, sizeof(buf), "PAM:%s", message); -+ if (grantors == NULL) { -+ grantors = ""; -+ grantors_field = ""; -+ } - -- rc = audit_log_acct_message (audit_fd, type, NULL, buf, -- (retval != PAM_USER_UNKNOWN && pamh->user) ? pamh->user : "?", -- -1, pamh->rhost, NULL, pamh->tty, retval == PAM_SUCCESS ); -+ if (asprintf(&buf, "PAM:%s%s%s", message, grantors_field, grantors) >= 0) { -+ rc = audit_log_acct_message(audit_fd, type, NULL, buf, -+ (retval != PAM_USER_UNKNOWN && pamh->user) ? 
pamh->user : "?", -+ -1, pamh->rhost, NULL, pamh->tty, retval == PAM_SUCCESS); -+ free(buf); -+ } - - /* libaudit sets errno to his own negative error code. This can be - an official errno number, but must not. It can also be a audit -@@ -78,12 +85,54 @@ _pam_audit_open(pam_handle_t *pamh) - return audit_fd; - } - -+static int -+_pam_list_grantors(struct handler *hlist, int retval, char **list) -+{ -+ *list = NULL; -+ -+ if (retval == PAM_SUCCESS) { -+ struct handler *h; -+ char *p = NULL; -+ size_t len = 0; -+ -+ for (h = hlist; h != NULL; h = h->next) { -+ if (h->grantor) { -+ len += strlen(h->mod_name) + 1; -+ } -+ } -+ -+ if (len == 0) { -+ return 0; -+ } -+ -+ *list = malloc(len); -+ if (*list == NULL) { -+ return -1; -+ } -+ -+ for (h = hlist; h != NULL; h = h->next) { -+ if (h->grantor) { -+ if (p == NULL) { -+ p = *list; -+ } else { -+ p = stpcpy(p, ","); -+ } -+ -+ p = stpcpy(p, h->mod_name); -+ } -+ } -+ } -+ -+ return 0; -+} -+ - int --_pam_auditlog(pam_handle_t *pamh, int action, int retval, int flags) -+_pam_auditlog(pam_handle_t *pamh, int action, int retval, int flags, struct handler *h) - { - const char *message; - int type; - int audit_fd; -+ char *grantors; - - if ((audit_fd=_pam_audit_open(pamh)) == -1) { - return PAM_SYSTEM_ERR; -@@ -134,8 +183,17 @@ _pam_auditlog(pam_handle_t *pamh, int action, int retval, int flags) - retval = PAM_SYSTEM_ERR; - } - -- if (_pam_audit_writelog(pamh, audit_fd, type, message, retval) < 0) -+ if (_pam_list_grantors(h, retval, &grantors) < 0) { -+ /* allocation failure */ -+ pam_syslog(pamh, LOG_CRIT, "_pam_list_grantors() failed: %m"); - retval = PAM_SYSTEM_ERR; -+ } -+ -+ if (_pam_audit_writelog(pamh, audit_fd, type, message, -+ grantors ? grantors : "?", retval) < 0) -+ retval = PAM_SYSTEM_ERR; -+ -+ free(grantors); - - audit_close(audit_fd); - return retval; -@@ -149,7 +207,7 @@ _pam_audit_end(pam_handle_t *pamh, int status UNUSED) - * stacks having been run. 
Assume that this is sshd faking - * things for an unknown user. - */ -- _pam_auditlog(pamh, _PAM_ACTION_DONE, PAM_USER_UNKNOWN, 0); -+ _pam_auditlog(pamh, _PAM_ACTION_DONE, PAM_USER_UNKNOWN, 0, NULL); - } - - return 0; -@@ -168,7 +226,7 @@ pam_modutil_audit_write(pam_handle_t *pamh, int type, - return retval; - } - -- rc = _pam_audit_writelog(pamh, audit_fd, type, message, retval); -+ rc = _pam_audit_writelog(pamh, audit_fd, type, message, NULL, retval); - - audit_close(audit_fd); - -diff --git a/libpam/pam_auth.c b/libpam/pam_auth.c -index 5984fa5..1e7bc6e 100644 ---- a/libpam/pam_auth.c -+++ b/libpam/pam_auth.c -@@ -45,10 +45,6 @@ int pam_authenticate(pam_handle_t *pamh, int flags) - prelude_send_alert(pamh, retval); - #endif - --#ifdef HAVE_LIBAUDIT -- retval = _pam_auditlog(pamh, PAM_AUTHENTICATE, retval, flags); --#endif -- - return retval; - } - -@@ -71,10 +67,6 @@ int pam_setcred(pam_handle_t *pamh, int flags) - - retval = _pam_dispatch(pamh, flags, PAM_SETCRED); - --#ifdef HAVE_LIBAUDIT -- retval = _pam_auditlog(pamh, PAM_SETCRED, retval, flags); --#endif -- - D(("pam_setcred exit")); - - return retval; -diff --git a/libpam/pam_dispatch.c b/libpam/pam_dispatch.c -index eb52c82..cf632e8 100644 ---- a/libpam/pam_dispatch.c -+++ b/libpam/pam_dispatch.c -@@ -217,8 +217,14 @@ static int _pam_dispatch_aux(pam_handle_t *pamh, int flags, struct handler *h, - status = retval; - } - } -- if ( impression == _PAM_POSITIVE && action == _PAM_ACTION_DONE ) { -- goto decision_made; -+ if ( impression == _PAM_POSITIVE ) { -+ if ( retval == PAM_SUCCESS ) { -+ h->grantor = 1; -+ } -+ -+ if ( action == _PAM_ACTION_DONE ) { -+ goto decision_made; -+ } - } - break; - -@@ -262,6 +268,9 @@ static int _pam_dispatch_aux(pam_handle_t *pamh, int flags, struct handler *h, - || (impression == _PAM_POSITIVE - && status == PAM_SUCCESS) ) { - if ( retval != PAM_IGNORE || cached_retval == retval ) { -+ if ( impression == _PAM_UNDEF && retval == PAM_SUCCESS ) { -+ h->grantor = 1; -+ } - 
impression = _PAM_POSITIVE; - status = retval; - } -@@ -308,6 +317,13 @@ decision_made: /* by getting here we have made a decision */ - return status; - } - -+static void _pam_clear_grantors(struct handler *h) -+{ -+ for (; h != NULL; h = h->next) { -+ h->grantor = 0; -+ } -+} -+ - /* - * This function translates the module dispatch request into a pointer - * to the stack of modules that will actually be run. the -@@ -318,21 +334,21 @@ decision_made: /* by getting here we have made a decision */ - int _pam_dispatch(pam_handle_t *pamh, int flags, int choice) - { - struct handler *h = NULL; -- int retval, use_cached_chain; -+ int retval = PAM_SYSTEM_ERR, use_cached_chain; - _pam_boolean resumed; - - IF_NO_PAMH("_pam_dispatch", pamh, PAM_SYSTEM_ERR); - - if (__PAM_FROM_MODULE(pamh)) { - D(("called from a module!?")); -- return PAM_SYSTEM_ERR; -+ goto end; - } - - /* Load all modules, resolve all symbols */ - - if ((retval = _pam_init_handlers(pamh)) != PAM_SUCCESS) { - pam_syslog(pamh, LOG_ERR, "unable to dispatch function"); -- return retval; -+ goto end; - } - - use_cached_chain = _PAM_PLEASE_FREEZE; -@@ -360,7 +376,8 @@ int _pam_dispatch(pam_handle_t *pamh, int flags, int choice) - break; - default: - pam_syslog(pamh, LOG_ERR, "undefined fn choice; %d", choice); -- return PAM_ABORT; -+ retval = PAM_ABORT; -+ goto end; - } - - if (h == NULL) { /* there was no handlers.conf... 
entry; will use -@@ -393,11 +410,13 @@ int _pam_dispatch(pam_handle_t *pamh, int flags, int choice) - pam_syslog(pamh, LOG_ERR, - "application failed to re-exec stack [%d:%d]", - pamh->former.choice, choice); -- return PAM_ABORT; -+ retval = PAM_ABORT; -+ goto end; - } - resumed = PAM_TRUE; - } else { - resumed = PAM_FALSE; -+ _pam_clear_grantors(h); - } - - __PAM_TO_MODULE(pamh); -@@ -417,5 +436,13 @@ int _pam_dispatch(pam_handle_t *pamh, int flags, int choice) - pamh->former.choice = PAM_NOT_STACKED; - } - -+end: -+ -+#ifdef HAVE_LIBAUDIT -+ if (choice != PAM_CHAUTHTOK || flags & PAM_UPDATE_AUTHTOK || retval != PAM_SUCCESS) { -+ retval = _pam_auditlog(pamh, choice, retval, flags, h); -+ } -+#endif -+ - return retval; - } -diff --git a/libpam/pam_handlers.c b/libpam/pam_handlers.c -index 02714f7..df3a1d9 100644 ---- a/libpam/pam_handlers.c -+++ b/libpam/pam_handlers.c -@@ -611,6 +611,12 @@ extract_modulename(const char *mod_path) - if (dot) - *dot = '\0'; - -+ if (*retval == '\0' || strcmp(retval, "?") == 0) { -+ /* do not allow empty module name or "?" 
to avoid confusing audit trail */ -+ _pam_drop(retval); -+ return NULL; -+ } -+ - return retval; - } - -@@ -888,7 +894,9 @@ int _pam_add_handler(pam_handle_t *pamh - (*handler_p)->cached_retval_p = &((*handler_p)->cached_retval); - (*handler_p)->argc = argc; - (*handler_p)->argv = argv; /* not a copy */ -- (*handler_p)->mod_name = extract_modulename(mod_path); -+ if (((*handler_p)->mod_name = extract_modulename(mod_path)) == NULL) -+ return PAM_ABORT; -+ (*handler_p)->grantor = 0; - (*handler_p)->next = NULL; - - /* some of the modules have a second calling function */ -@@ -920,7 +928,9 @@ int _pam_add_handler(pam_handle_t *pamh - } else { - (*handler_p2)->argv = NULL; /* no arguments */ - } -- (*handler_p2)->mod_name = extract_modulename(mod_path); -+ if (((*handler_p2)->mod_name = extract_modulename(mod_path)) == NULL) -+ return PAM_ABORT; -+ (*handler_p2)->grantor = 0; - (*handler_p2)->next = NULL; - } - -diff --git a/libpam/pam_password.c b/libpam/pam_password.c -index 75db5e5..592e01f 100644 ---- a/libpam/pam_password.c -+++ b/libpam/pam_password.c -@@ -57,9 +57,5 @@ int pam_chauthtok(pam_handle_t *pamh, int flags) - D(("will resume when ready", retval)); - } - --#ifdef HAVE_LIBAUDIT -- retval = _pam_auditlog(pamh, PAM_CHAUTHTOK, retval, flags); --#endif -- - return retval; - } -diff --git a/libpam/pam_private.h b/libpam/pam_private.h -index 134dc72..d93283c 100644 ---- a/libpam/pam_private.h -+++ b/libpam/pam_private.h -@@ -55,6 +55,7 @@ struct handler { - struct handler *next; - char *mod_name; - int stack_level; -+ int grantor; - }; - - #define PAM_HT_MODULE 0 -@@ -316,7 +317,7 @@ if ((pamh) == NULL) { \ - do { (pamh)->caller_is = _PAM_CALLED_FROM_APP; } while (0) - - #ifdef HAVE_LIBAUDIT --extern int _pam_auditlog(pam_handle_t *pamh, int action, int retval, int flags); -+extern int _pam_auditlog(pam_handle_t *pamh, int action, int retval, int flags, struct handler *h); - extern int _pam_audit_end(pam_handle_t *pamh, int pam_status); - #endif - -diff --git 
a/libpam/pam_session.c b/libpam/pam_session.c -index 512153f..cb393c1 100644 ---- a/libpam/pam_session.c -+++ b/libpam/pam_session.c -@@ -22,9 +22,6 @@ int pam_open_session(pam_handle_t *pamh, int flags) - } - retval = _pam_dispatch(pamh, flags, PAM_OPEN_SESSION); - --#ifdef HAVE_LIBAUDIT -- retval = _pam_auditlog(pamh, PAM_OPEN_SESSION, retval, flags); --#endif - return retval; - } - -@@ -43,10 +40,6 @@ int pam_close_session(pam_handle_t *pamh, int flags) - - retval = _pam_dispatch(pamh, flags, PAM_CLOSE_SESSION); - --#ifdef HAVE_LIBAUDIT -- retval = _pam_auditlog(pamh, PAM_CLOSE_SESSION, retval, flags); --#endif -- - return retval; - - } --- -1.8.3.1 - diff --git a/pam-1.1.8-audit-user-mgmt.patch b/pam-1.1.8-audit-user-mgmt.patch deleted file mode 100644 index 990a1b1..0000000 --- a/pam-1.1.8-audit-user-mgmt.patch +++ /dev/null 
@@ -1,53 +0,0 @@ ---- a/modules/pam_faillock/main.c.audit-user-mgmt 2014-10-17 12:09:12.928490104 +0200 -+++ b/modules/pam_faillock/main.c 2014-10-17 12:09:43.001169008 +0200 -@@ -127,7 +127,6 @@ do_user(struct options *opts, const char - } - if (opts->reset) { - #ifdef HAVE_LIBAUDIT -- char buf[64]; - int audit_fd; - #endif - -@@ -141,10 +140,8 @@ do_user(struct options *opts, const char - if ((audit_fd=audit_open()) >= 0) { - - if (pwd != NULL) { -- snprintf(buf, sizeof(buf), "faillock reset uid=%u", -- pwd->pw_uid); -- audit_log_user_message(audit_fd, AUDIT_USER_ACCT, -- buf, NULL, NULL, NULL, rv == 0); -+ audit_log_acct_message(audit_fd, AUDIT_USER_MGMT, NULL, -+ "faillock-reset", NULL, pwd->pw_uid, NULL, NULL, NULL, rv == 0); - } - close(audit_fd); - } ---- a/modules/pam_tally2/pam_tally2.c.audit-user-mgmt 2013-06-18 16:11:21.000000000 +0200 -+++ b/modules/pam_tally2/pam_tally2.c 2014-10-17 12:09:12.965490940 +0200 -@@ -997,9 +997,9 @@ main( int argc UNUSED, char **argv ) - #ifdef HAVE_LIBAUDIT - char buf[64]; - int audit_fd = audit_open(); -- snprintf(buf, sizeof(buf), "pam_tally2 uid=%u reset=%hu", uid, cline_reset); -- audit_log_user_message(audit_fd, AUDIT_USER_ACCT, -- buf, NULL, NULL, ttyname(STDIN_FILENO), 1); -+ snprintf(buf, sizeof(buf), "pam_tally2 reset=%hu", cline_reset); -+ audit_log_acct_message(audit_fd, AUDIT_USER_MGMT, NULL, -+ buf, NULL, uid, NULL, NULL, ttyname(STDIN_FILENO), 1); - if (audit_fd >=0) - close(audit_fd); - #endif -@@ -1040,11 +1040,10 @@ main( int argc UNUSED, char **argv ) - } - else if ( !cline_reset ) { - #ifdef HAVE_LIBAUDIT -- char buf[64]; - int audit_fd = audit_open(); -- snprintf(buf, sizeof(buf), "pam_tally2 uid=all reset=0"); -- audit_log_user_message(audit_fd, AUDIT_USER_ACCT, -- buf, NULL, NULL, ttyname(STDIN_FILENO), 1); -+ audit_log_acct_message(audit_fd, AUDIT_USER_MGMT, NULL, -+ "pam_tally2-reset-all-accts reset=0", "*", -1, -+ NULL, NULL, ttyname(STDIN_FILENO), 1); - if (audit_fd >=0) - close(audit_fd); - 
#endif diff --git a/pam-1.1.8-canonicalize-username.patch b/pam-1.1.8-canonicalize-username.patch deleted file mode 100644 index a3786be..0000000 --- a/pam-1.1.8-canonicalize-username.patch +++ /dev/null @@ -1,21 +0,0 @@ -diff -up Linux-PAM-1.1.8/modules/pam_selinux/pam_selinux.c.canonicalize Linux-PAM-1.1.8/modules/pam_selinux/pam_selinux.c ---- Linux-PAM-1.1.8/modules/pam_selinux/pam_selinux.c.canonicalize 2013-06-18 16:11:21.000000000 +0200 -+++ Linux-PAM-1.1.8/modules/pam_selinux/pam_selinux.c 2014-03-06 12:03:54.429639972 +0100 -@@ -491,12 +491,17 @@ compute_exec_context(pam_handle_t *pamh, - char *level = NULL; - security_context_t *contextlist = NULL; - int num_contexts = 0; -+ const struct passwd *pwd; - - if (!(username = get_item(pamh, PAM_USER))) { - pam_syslog(pamh, LOG_ERR, "Cannot obtain the user name"); - return PAM_USER_UNKNOWN; - } - -+ if ((pwd = pam_modutil_getpwnam(pamh, username)) != NULL) { -+ username = pwd->pw_name; -+ } /* ignore error and keep using original username */ -+ - /* compute execute context */ - #ifdef HAVE_GETSEUSER - if (!(service = get_item(pamh, PAM_SERVICE))) { diff --git a/pam-1.1.8-full-relro.patch b/pam-1.1.8-full-relro.patch deleted file mode 100644 index e4eba78..0000000 --- a/pam-1.1.8-full-relro.patch +++ /dev/null 
@@ -1,108 +0,0 @@ -diff -up Linux-PAM-1.1.8/modules/pam_console/Makefile.am.relro Linux-PAM-1.1.8/modules/pam_console/Makefile.am ---- Linux-PAM-1.1.8/modules/pam_console/Makefile.am.relro 2014-08-13 16:02:49.000000000 +0200 -+++ Linux-PAM-1.1.8/modules/pam_console/Makefile.am 2014-09-10 17:14:33.245554314 +0200 -@@ -33,6 +33,8 @@ pam_console_la_LIBADD = -L$(top_builddir - - pam_console_apply_LDADD = -L$(top_builddir)/libpam -lpam - -+pam_console_apply_LDFLAGS = -Wl,-z,now @PIE_LDFLAGS@ -+ - securelib_LTLIBRARIES = pam_console.la - sbin_PROGRAMS = pam_console_apply - -@@ -47,7 +49,7 @@ pam_console_apply_SOURCES = pam_console_ - configfile.c configfile.h hashtable.c hashtable.h hashtable_private.h - - pam_console_la_CFLAGS = $(AM_CFLAGS) --pam_console_apply_CFLAGS = $(AM_CFLAGS) -+pam_console_apply_CFLAGS = $(AM_CFLAGS) @PIE_CFLAGS@ - - configfile.tab.c: configfile.y - $(YACC) $(BISON_OPTS) -o $@ -p _pc_yy $< -diff -up Linux-PAM-1.1.8/modules/pam_faillock/Makefile.am.relro Linux-PAM-1.1.8/modules/pam_faillock/Makefile.am ---- Linux-PAM-1.1.8/modules/pam_faillock/Makefile.am.relro 2014-08-13 16:02:49.000000000 +0200 -+++ Linux-PAM-1.1.8/modules/pam_faillock/Makefile.am 2014-09-10 17:16:11.102808189 +0200 -@@ -19,7 +19,7 @@ secureconfdir = $(SCONFIGDIR) - - noinst_HEADERS = faillock.h - --faillock_CFLAGS = -I$(top_srcdir)/libpam/include -I$(top_srcdir)/libpamc/include -+faillock_CFLAGS = -I$(top_srcdir)/libpam/include -I$(top_srcdir)/libpamc/include @PIE_CFLAGS@ - pam_faillock_la_CFLAGS = -I$(top_srcdir)/libpam/include -I$(top_srcdir)/libpamc/include - - pam_faillock_la_LDFLAGS = -no-undefined -avoid-version -module -@@ -28,6 +28,7 @@ if HAVE_VERSIONING - pam_faillock_la_LDFLAGS += -Wl,--version-script=$(srcdir)/../modules.map - endif - -+faillock_LDFLAGS = -Wl,-z,now @PIE_LDFLAGS@ - faillock_LDADD = -L$(top_builddir)/libpam -lpam $(LIBAUDIT) - - securelib_LTLIBRARIES = pam_faillock.la -diff -up Linux-PAM-1.1.8/modules/pam_filter/upperLOWER/Makefile.am.relro 
Linux-PAM-1.1.8/modules/pam_filter/upperLOWER/Makefile.am ---- Linux-PAM-1.1.8/modules/pam_filter/upperLOWER/Makefile.am.relro 2014-09-10 17:17:20.273401344 +0200 -+++ Linux-PAM-1.1.8/modules/pam_filter/upperLOWER/Makefile.am 2014-09-10 17:17:07.857115369 +0200 -@@ -9,7 +9,7 @@ securelibfilterdir = $(SECUREDIR)/pam_fi - - AM_CFLAGS = -I$(top_srcdir)/libpam/include -I$(top_srcdir)/libpamc/include \ - -I$(srcdir)/.. @PIE_CFLAGS@ --AM_LDFLAGS = @PIE_LDFLAGS@ -+AM_LDFLAGS = -Wl,-z,now @PIE_LDFLAGS@ - LDADD = $(top_builddir)/libpam/libpam.la - - securelibfilter_PROGRAMS = upperLOWER -diff -up Linux-PAM-1.1.8/modules/pam_mkhomedir/Makefile.am.relro Linux-PAM-1.1.8/modules/pam_mkhomedir/Makefile.am ---- Linux-PAM-1.1.8/modules/pam_mkhomedir/Makefile.am.relro 2013-06-18 16:11:21.000000000 +0200 -+++ Linux-PAM-1.1.8/modules/pam_mkhomedir/Makefile.am 2014-09-10 17:18:42.922304935 +0200 -@@ -30,6 +30,8 @@ endif - - sbin_PROGRAMS = mkhomedir_helper - mkhomedir_helper_SOURCES = mkhomedir_helper.c -+mkhomedir_helper_CFLAGS = $(AM_CFLAGS) @PIE_CFLAGS@ -+mkhomedir_helper_LDFLAGS = -Wl,-z,now @PIE_LDFLAGS@ - mkhomedir_helper_LDADD = $(top_builddir)/libpam/libpam.la - - if ENABLE_REGENERATE_MAN -diff -up Linux-PAM-1.1.8/modules/pam_tally2/Makefile.am.relro Linux-PAM-1.1.8/modules/pam_tally2/Makefile.am ---- Linux-PAM-1.1.8/modules/pam_tally2/Makefile.am.relro 2013-06-18 16:11:21.000000000 +0200 -+++ Linux-PAM-1.1.8/modules/pam_tally2/Makefile.am 2014-09-10 17:22:04.339944040 +0200 -@@ -26,6 +26,8 @@ if HAVE_VERSIONING - pam_tally2_la_LDFLAGS += -Wl,--version-script=$(srcdir)/../modules.map - endif - -+pam_tally2_CFLAGS = $(AM_CFLAGS) @PIE_CFLAGS@ -+pam_tally2_LDFLAGS = -Wl,-z,now @PIE_LDFLAGS@ - pam_tally2_LDADD = $(top_builddir)/libpam/libpam.la $(LIBAUDIT) - - securelib_LTLIBRARIES = pam_tally2.la -diff -up Linux-PAM-1.1.8/modules/pam_timestamp/Makefile.am.relro Linux-PAM-1.1.8/modules/pam_timestamp/Makefile.am ---- Linux-PAM-1.1.8/modules/pam_timestamp/Makefile.am.relro 
2013-06-18 16:11:21.000000000 +0200 -+++ Linux-PAM-1.1.8/modules/pam_timestamp/Makefile.am 2014-08-13 16:02:49.906688139 +0200 -@@ -36,7 +36,7 @@ pam_timestamp_la_CFLAGS = $(AM_CFLAGS) - pam_timestamp_check_SOURCES = pam_timestamp_check.c - pam_timestamp_check_CFLAGS = $(AM_CFLAGS) @PIE_CFLAGS@ - pam_timestamp_check_LDADD = $(top_builddir)/libpam/libpam.la --pam_timestamp_check_LDFLAGS = @PIE_LDFLAGS@ -+pam_timestamp_check_LDFLAGS = -Wl,-z,now @PIE_LDFLAGS@ - - hmacfile_SOURCES = hmacfile.c hmacsha1.c sha1.c - hmacfile_LDADD = $(top_builddir)/libpam/libpam.la -diff -up Linux-PAM-1.1.8/modules/pam_unix/Makefile.am.relro Linux-PAM-1.1.8/modules/pam_unix/Makefile.am ---- Linux-PAM-1.1.8/modules/pam_unix/Makefile.am.relro 2013-06-18 16:11:21.000000000 +0200 -+++ Linux-PAM-1.1.8/modules/pam_unix/Makefile.am 2014-08-13 16:02:49.906688139 +0200 -@@ -55,13 +55,13 @@ bigcrypt_LDADD = @LIBCRYPT@ - unix_chkpwd_SOURCES = unix_chkpwd.c md5_good.c md5_broken.c bigcrypt.c \ - passverify.c - unix_chkpwd_CFLAGS = $(AM_CFLAGS) @PIE_CFLAGS@ -DHELPER_COMPILE=\"unix_chkpwd\" --unix_chkpwd_LDFLAGS = @PIE_LDFLAGS@ -+unix_chkpwd_LDFLAGS = -Wl,-z,now @PIE_LDFLAGS@ - unix_chkpwd_LDADD = @LIBCRYPT@ @LIBSELINUX@ @LIBAUDIT@ - - unix_update_SOURCES = unix_update.c md5_good.c md5_broken.c bigcrypt.c \ - passverify.c - unix_update_CFLAGS = $(AM_CFLAGS) @PIE_CFLAGS@ -DHELPER_COMPILE=\"unix_update\" --unix_update_LDFLAGS = @PIE_LDFLAGS@ -+unix_update_LDFLAGS = -Wl,-z,now @PIE_LDFLAGS@ - unix_update_LDADD = @LIBCRYPT@ @LIBSELINUX@ - - if ENABLE_REGENERATE_MAN diff --git a/pam-1.1.8-lastlog-uninitialized.patch b/pam-1.1.8-lastlog-uninitialized.patch deleted file mode 100644 index 8c545d9..0000000 --- a/pam-1.1.8-lastlog-uninitialized.patch +++ /dev/null 
@@ -1,37 +0,0 @@ -diff -up Linux-PAM-1.1.8/modules/pam_lastlog/pam_lastlog.c.uninitialized Linux-PAM-1.1.8/modules/pam_lastlog/pam_lastlog.c ---- Linux-PAM-1.1.8/modules/pam_lastlog/pam_lastlog.c.uninitialized 2013-06-18 16:11:21.000000000 +0200 -+++ Linux-PAM-1.1.8/modules/pam_lastlog/pam_lastlog.c 2014-08-25 16:44:24.365174752 +0200 -@@ -350,6 +350,8 @@ last_login_write(pam_handle_t *pamh, int - return PAM_SERVICE_ERR; - } - -+ memset(&last_login, 0, sizeof(last_login)); -+ - /* set this login date */ - D(("set the most recent login time")); - (void) time(&ll_time); /* set the time */ -@@ -364,14 +366,12 @@ last_login_write(pam_handle_t *pamh, int - } - - /* copy to last_login */ -- last_login.ll_host[0] = '\0'; - strncat(last_login.ll_host, remote_host, sizeof(last_login.ll_host)-1); - - /* set the terminal line */ - terminal_line = get_tty(pamh); - - /* copy to last_login */ -- last_login.ll_line[0] = '\0'; - strncat(last_login.ll_line, terminal_line, sizeof(last_login.ll_line)-1); - terminal_line = NULL; - -@@ -628,7 +628,8 @@ pam_sm_authenticate(pam_handle_t *pamh, - lltime = (time(NULL) - lltime) / (24*60*60); - - if (lltime > inactive_days) { -- pam_syslog(pamh, LOG_INFO, "user %s inactive for %d days - denied", user, lltime); -+ pam_syslog(pamh, LOG_INFO, "user %s inactive for %ld days - denied", -+ user, (long) lltime); - return PAM_AUTH_ERR; - } - diff --git a/pam-1.1.8-limits-check-process.patch b/pam-1.1.8-limits-check-process.patch deleted file mode 100644 index f37f799..0000000 --- a/pam-1.1.8-limits-check-process.patch +++ /dev/null 
@@ -1,41 +0,0 @@ -diff -up Linux-PAM-1.1.8/modules/pam_limits/pam_limits.c.check-process Linux-PAM-1.1.8/modules/pam_limits/pam_limits.c ---- Linux-PAM-1.1.8/modules/pam_limits/pam_limits.c.check-process 2013-06-18 16:11:21.000000000 +0200 -+++ Linux-PAM-1.1.8/modules/pam_limits/pam_limits.c 2014-09-10 16:39:36.263256066 +0200 -@@ -27,6 +27,7 @@ - #include - #include - #include -+#include - #include - #include - #include -@@ -269,16 +270,27 @@ check_logins (pam_handle_t *pamh, const - continue; - } - if (!pl->flag_numsyslogins) { -+ char user[sizeof(ut->UT_USER) + 1]; -+ user[0] = '\0'; -+ strncat(user, ut->UT_USER, sizeof(ut->UT_USER)); -+ - if (((pl->login_limit_def == LIMITS_DEF_USER) - || (pl->login_limit_def == LIMITS_DEF_GROUP) - || (pl->login_limit_def == LIMITS_DEF_DEFAULT)) -- && strncmp(name, ut->UT_USER, sizeof(ut->UT_USER)) != 0) { -+ && strcmp(name, user) != 0) { - continue; - } - if ((pl->login_limit_def == LIMITS_DEF_ALLGROUP) -- && !pam_modutil_user_in_group_nam_nam(pamh, ut->UT_USER, pl->login_group)) { -+ && !pam_modutil_user_in_group_nam_nam(pamh, user, pl->login_group)) { - continue; - } -+ if (kill(ut->ut_pid, 0) == -1 && errno == ESRCH) { -+ /* process does not exist anymore */ -+ pam_syslog(pamh, LOG_WARNING, -+ "Stale utmp entry (pid %d) for '%s' ignored", -+ ut->ut_pid, user); -+ continue; -+ } - } - if (++count > limit) { - break; diff --git a/pam-1.1.8-limits-docfix.patch b/pam-1.1.8-limits-docfix.patch deleted file mode 100644 index 37703e3..0000000 --- a/pam-1.1.8-limits-docfix.patch +++ /dev/null 
@@ -1,54 +0,0 @@ -diff -up Linux-PAM-1.1.8/modules/pam_limits/limits.conf.docfix Linux-PAM-1.1.8/modules/pam_limits/limits.conf ---- Linux-PAM-1.1.8/modules/pam_limits/limits.conf.docfix 2014-07-14 14:58:05.000000000 +0200 -+++ Linux-PAM-1.1.8/modules/pam_limits/limits.conf 2014-09-10 16:42:51.254747161 +0200 -@@ -32,7 +32,7 @@ - # - data - max data size (KB) - # - fsize - maximum filesize (KB) - # - memlock - max locked-in-memory address space (KB) --# - nofile - max number of open files -+# - nofile - max number of open file descriptors - # - rss - max resident set size (KB) - # - stack - max stack size (KB) - # - cpu - max CPU time (MIN) -diff -up Linux-PAM-1.1.8/modules/pam_limits/limits.conf.5.xml.docfix Linux-PAM-1.1.8/modules/pam_limits/limits.conf.5.xml ---- Linux-PAM-1.1.8/modules/pam_limits/limits.conf.5.xml.docfix 2013-06-18 16:11:21.000000000 +0200 -+++ Linux-PAM-1.1.8/modules/pam_limits/limits.conf.5.xml 2014-09-10 16:44:01.624367933 +0200 -@@ -178,7 +178,7 @@ - - - -- maximum number of open files -+ maximum number of open file descriptors - - - -@@ -214,14 +214,17 @@ - - - -- maximum number of logins for this user except -- for this with uid=0 -+ maximum number of logins for this user (this limit does -+ not apply to user with uid=0) - - - - - -- maximum number of all logins on system -+ maximum number of all logins on system; user is not -+ allowed to log-in if total number of all users' logins is -+ greater than specified number (this limit does not apply to -+ user with uid=0) - - - -@@ -292,7 +295,7 @@ - permanent; existing only for the duration of the session. - One exception is the maxlogin option, this one - is system wide. But there is a race, concurrent logins at the same -- time will not always be detect as such but only counted as one. -+ time will not always be detected as such but only counted as one. - - - In the limits configuration file, the 
diff --git a/pam-1.1.8-loginuid-container.patch b/pam-1.1.8-loginuid-container.patch deleted file mode 100644 index 278829a..0000000 --- a/pam-1.1.8-loginuid-container.patch +++ /dev/null 
@@ -1,151 +0,0 @@ -diff -up Linux-PAM-1.1.8/modules/pam_loginuid/pam_loginuid.c.container Linux-PAM-1.1.8/modules/pam_loginuid/pam_loginuid.c ---- Linux-PAM-1.1.8/modules/pam_loginuid/pam_loginuid.c.container 2013-06-18 16:11:21.000000000 +0200 -+++ Linux-PAM-1.1.8/modules/pam_loginuid/pam_loginuid.c 2014-01-27 17:24:53.000000000 +0100 -@@ -47,25 +47,56 @@ - - /* - * This function writes the loginuid to the /proc system. It returns -- * 0 on success and 1 on failure. -+ * PAM_SUCCESS on success, -+ * PAM_IGNORE when /proc/self/loginuid does not exist, -+ * PAM_SESSION_ERR in case of any other error. - */ - static int set_loginuid(pam_handle_t *pamh, uid_t uid) - { -- int fd, count, rc = 0; -- char loginuid[24]; -+ int fd, count, rc = PAM_SESSION_ERR; -+ char loginuid[24], buf[24]; -+ static const char host_uid_map[] = " 0 0 4294967295\n"; -+ char uid_map[sizeof(host_uid_map)]; -+ -+ /* loginuid in user namespaces currently isn't writable and in some -+ case, not even readable, so consider any failure as ignorable (but try -+ anyway, in case we hit a kernel which supports it). 
*/ -+ fd = open("/proc/self/uid_map", O_RDONLY); -+ if (fd >= 0) { -+ count = pam_modutil_read(fd, uid_map, sizeof(uid_map)); -+ if (strncmp(uid_map, host_uid_map, count) != 0) -+ rc = PAM_IGNORE; -+ close(fd); -+ } - -- count = snprintf(loginuid, sizeof(loginuid), "%lu", (unsigned long)uid); -- fd = open("/proc/self/loginuid", O_NOFOLLOW|O_WRONLY|O_TRUNC); -+ fd = open("/proc/self/loginuid", O_NOFOLLOW|O_RDWR); - if (fd < 0) { -- if (errno != ENOENT) { -- rc = 1; -- pam_syslog(pamh, LOG_ERR, -- "Cannot open /proc/self/loginuid: %m"); -+ if (errno == ENOENT) { -+ rc = PAM_IGNORE; -+ } -+ if (rc != PAM_IGNORE) { -+ pam_syslog(pamh, LOG_ERR, "Cannot open %s: %m", -+ "/proc/self/loginuid"); - } - return rc; - } -- if (pam_modutil_write(fd, loginuid, count) != count) -- rc = 1; -+ -+ count = snprintf(loginuid, sizeof(loginuid), "%lu", (unsigned long)uid); -+ if (pam_modutil_read(fd, buf, sizeof(buf)) == count && -+ memcmp(buf, loginuid, count) == 0) { -+ rc = PAM_SUCCESS; -+ goto done; /* already correct */ -+ } -+ if (lseek(fd, 0, SEEK_SET) == 0 && ftruncate(fd, 0) == 0 && -+ pam_modutil_write(fd, loginuid, count) == count) { -+ rc = PAM_SUCCESS; -+ } else { -+ if (rc != PAM_IGNORE) { -+ pam_syslog(pamh, LOG_ERR, "Error writing %s: %m", -+ "/proc/self/loginuid"); -+ } -+ } -+ done: - close(fd); - return rc; - } -@@ -165,6 +196,7 @@ _pam_loginuid(pam_handle_t *pamh, int fl - { - const char *user = NULL; - struct passwd *pwd; -+ int ret; - #ifdef HAVE_LIBAUDIT - int require_auditd = 0; - #endif -@@ -183,9 +215,14 @@ _pam_loginuid(pam_handle_t *pamh, int fl - return PAM_SESSION_ERR; - } - -- if (set_loginuid(pamh, pwd->pw_uid)) { -- pam_syslog(pamh, LOG_ERR, "set_loginuid failed\n"); -- return PAM_SESSION_ERR; -+ ret = set_loginuid(pamh, pwd->pw_uid); -+ switch (ret) { -+ case PAM_SUCCESS: -+ case PAM_IGNORE: -+ break; -+ default: -+ pam_syslog(pamh, LOG_ERR, "set_loginuid failed"); -+ return ret; - } - - #ifdef HAVE_LIBAUDIT -@@ -195,11 +232,12 @@ 
_pam_loginuid(pam_handle_t *pamh, int fl - argv++; - } - -- if (require_auditd) -- return check_auditd(); -- else -+ if (require_auditd) { -+ int rc = check_auditd(); -+ return rc != PAM_SUCCESS ? rc : ret; -+ } else - #endif -- return PAM_SUCCESS; -+ return ret; - } - - /* -diff -up Linux-PAM-1.1.8/modules/pam_loginuid/pam_loginuid.8.xml.container Linux-PAM-1.1.8/modules/pam_loginuid/pam_loginuid.8.xml ---- Linux-PAM-1.1.8/modules/pam_loginuid/pam_loginuid.8.xml.container 2013-06-18 16:11:21.000000000 +0200 -+++ Linux-PAM-1.1.8/modules/pam_loginuid/pam_loginuid.8.xml 2014-05-22 11:33:14.000000000 +0200 -@@ -69,14 +69,31 @@ - - - -+ PAM_SUCCESS -+ -+ -+ The loginuid value is set and auditd is running if check requested. -+ -+ -+ -+ -+ PAM_IGNORE -+ -+ -+ The /proc/self/loginuid file is not present on the system or the -+ login process runs inside uid namespace and kernel does not support -+ overwriting loginuid. -+ -+ -+ -+ - PAM_SESSION_ERR - - -- An error occurred during session management. -+ Any other error prevented setting loginuid or auditd is not running. - - - -- - - - diff --git a/pam-1.1.8-man-dbsuffix.patch b/pam-1.1.8-man-dbsuffix.patch deleted file mode 100644 index be2e231..0000000 --- a/pam-1.1.8-man-dbsuffix.patch +++ /dev/null 
@@ -1,22 +0,0 @@ -diff -up Linux-PAM-1.1.8/modules/pam_userdb/pam_userdb.8.xml.dbsuffix Linux-PAM-1.1.8/modules/pam_userdb/pam_userdb.8.xml ---- Linux-PAM-1.1.8/modules/pam_userdb/pam_userdb.8.xml.dbsuffix 2013-06-18 16:11:21.000000000 +0200 -+++ Linux-PAM-1.1.8/modules/pam_userdb/pam_userdb.8.xml 2014-09-10 16:28:19.916678273 +0200 -@@ -89,7 +89,8 @@ - Use the /path/database database for - performing lookup. There is no default; the module will - return PAM_IGNORE if no -- database is provided. -+ database is provided. Note that the path to the database file -+ should be specified without the .db suffix. - - - -@@ -260,7 +261,7 @@ - - EXAMPLES - --auth sufficient pam_userdb.so icase db=/etc/dbtest.db -+auth sufficient pam_userdb.so icase db=/etc/dbtest - - - diff --git a/pam-1.1.8-opasswd-tolerant.patch b/pam-1.1.8-opasswd-tolerant.patch deleted file mode 100644 index fb9b198..0000000 --- a/pam-1.1.8-opasswd-tolerant.patch +++ /dev/null 
@@ -1,50 +0,0 @@ -diff --git a/modules/pam_pwhistory/opasswd.c b/modules/pam_pwhistory/opasswd.c -index 836d713..c36628e 100644 ---- a/modules/pam_pwhistory/opasswd.c -+++ b/modules/pam_pwhistory/opasswd.c -@@ -82,10 +82,15 @@ parse_entry (char *line, opwd *data) - { - const char delimiters[] = ":"; - char *endptr; -+ char *count; - - data->user = strsep (&line, delimiters); - data->uid = strsep (&line, delimiters); -- data->count = strtol (strsep (&line, delimiters), &endptr, 10); -+ count = strsep (&line, delimiters); -+ if (data->user == NULL || data->uid == NULL || count == NULL) -+ return 1; -+ -+ data->count = strtol (count, &endptr, 10); - if (endptr != NULL && *endptr != '\0') - return 1; - -diff --git a/modules/pam_unix/passverify.c b/modules/pam_unix/passverify.c -index 4840bb2..7f7bc49 100644 ---- a/modules/pam_unix/passverify.c -+++ b/modules/pam_unix/passverify.c -@@ -639,11 +639,23 @@ save_old_password(pam_handle_t *pamh, const char *forwho, const char *oldpass, - continue; - buf[strlen(buf) - 1] = '\0'; - s_luser = strtok_r(buf, ":", &sptr); -+ if (s_luser == NULL) { -+ found = 0; -+ continue; -+ } - s_uid = strtok_r(NULL, ":", &sptr); -+ if (s_uid == NULL) { -+ found = 0; -+ continue; -+ } - s_npas = strtok_r(NULL, ":", &sptr); -+ if (s_npas == NULL) { -+ found = 0; -+ continue; -+ } - s_pas = strtok_r(NULL, ":", &sptr); - npas = strtol(s_npas, NULL, 10) + 1; -- while (npas > howmany) { -+ while (npas > howmany && s_pas != NULL) { - s_pas = strpbrk(s_pas, ","); - if (s_pas != NULL) - s_pas++; diff --git a/pam-1.1.8-pbuild.patch b/pam-1.1.8-pbuild.patch deleted file mode 100644 index db4d612..0000000 --- a/pam-1.1.8-pbuild.patch +++ /dev/null 
@@ -1,11 +0,0 @@ -diff -ur Linux-PAM-1.1.8.old/modules/pam_console/Makefile.am Linux-PAM-1.1.8/modules/pam_console/Makefile.am ---- Linux-PAM-1.1.8.old/modules/pam_console/Makefile.am 2015-01-21 13:49:13.000000000 +0300 -+++ Linux-PAM-1.1.8/modules/pam_console/Makefile.am 2015-01-21 13:54:33.000000000 +0300 -@@ -51,6 +51,7 @@ - pam_console_la_CFLAGS = $(AM_CFLAGS) - pam_console_apply_CFLAGS = $(AM_CFLAGS) @PIE_CFLAGS@ - -+configfile.tab.h: configfile.tab.c - configfile.tab.c: configfile.y - $(YACC) $(BISON_OPTS) -o $@ -p _pc_yy $< - sh $(srcdir)/sed-static $@ diff --git a/pam-1.2.0-fix-running-in-containers.patch b/pam-1.2.0-fix-running-in-containers.patch new file mode 100644 index 0000000..c1c974a --- /dev/null +++ b/pam-1.2.0-fix-running-in-containers.patch 
@@ -0,0 +1,56 @@
+--- Linux-PAM-1_2_0/libpam/pam_audit.c.omv~ 2015-06-11 17:17:49.768740173 +0200
++++ Linux-PAM-1_2_0/libpam/pam_audit.c 2015-06-11 17:18:27.654412940 +0200
+@@ -70,9 +70,10 @@ _pam_audit_open(pam_handle_t *pamh)
+ audit_fd = audit_open();
+ if (audit_fd < 0) {
+ /* You get these error codes only when the kernel doesn't have
+- * audit compiled in. */
++ * audit compiled in. EPERM happens when running inside a container
++ * (e.g. systemd-nspawn, docker) */
+ if (errno == EINVAL || errno == EPROTONOSUPPORT ||
+- errno == EAFNOSUPPORT)
++ errno == EAFNOSUPPORT || errno == EPERM)
+ return -2;
+
+ /* this should only fail in case of extreme resource shortage,
+--- Linux-PAM-1_2_0/modules/pam_loginuid/pam_loginuid.c.omv~ 2015-06-11 17:19:12.543025498 +0200
++++ Linux-PAM-1_2_0/modules/pam_loginuid/pam_loginuid.c 2015-06-11 17:19:44.274751787 +0200
+@@ -117,9 +117,10 @@ static int check_auditd(void)
+ /* This is here to let people that build their own kernel
+ and disable the audit system get in. You get these error
+ codes only when the kernel doesn't have audit
+- compiled in. */
++ compiled in. EPERM is when running inside systemd-nspawn
++ or docker. 
*/
+ if (errno == EINVAL || errno == EPROTONOSUPPORT ||
+- errno == EAFNOSUPPORT)
++ errno == EAFNOSUPPORT || errno == EPERM)
+ return PAM_SUCCESS;
+ return PAM_SESSION_ERR;
+ }
+--- Linux-PAM-1_2_0/modules/pam_tally2/pam_tally2.c.omv~ 2015-06-11 17:18:49.540224003 +0200
++++ Linux-PAM-1_2_0/modules/pam_tally2/pam_tally2.c 2015-06-11 17:19:05.000090583 +0200
+@@ -517,7 +517,7 @@ tally_check (tally_t oldcnt, time_t oldt
+ audit_fd = audit_open();
+ /* If there is an error & audit support is in the kernel report error */
+ if ((audit_fd < 0) && !(errno == EINVAL || errno == EPROTONOSUPPORT ||
+- errno == EAFNOSUPPORT))
++ errno == EAFNOSUPPORT || errno == EPERM))
+ return PAM_SYSTEM_ERR;
+ (void)pam_get_item(pamh, PAM_TTY, &tty);
+ (void)pam_get_item(pamh, PAM_RHOST, &rhost);
+--- Linux-PAM-1_2_0/modules/pam_unix/unix_chkpwd.c.omv~ 2015-06-11 17:20:06.152563149 +0200
++++ Linux-PAM-1_2_0/modules/pam_unix/unix_chkpwd.c 2015-06-11 17:20:29.964357904 +0200
+@@ -66,9 +66,10 @@ static int _audit_log(int type, const ch
+ audit_fd = audit_open();
+ if (audit_fd < 0) {
+ /* You get these error codes only when the kernel doesn't have
+- * audit compiled in. */
++ * audit compiled in. EPERM is when running inside docker or
++ * systemd-nspawn. */
+ if (errno == EINVAL || errno == EPROTONOSUPPORT ||
+- errno == EAFNOSUPPORT)
++ errno == EAFNOSUPPORT || errno == EPERM)
+ return PAM_SUCCESS;
+
+ helper_log_err(LOG_CRIT, "audit_open() failed: %m");
diff --git a/pam-1.0.90-redhat-modules.patch b/pam-1.2.0-redhat-modules.patch
similarity index 54%
rename from pam-1.0.90-redhat-modules.patch
rename to pam-1.2.0-redhat-modules.patch
index 3ad41cc..8a66134 100644
--- a/pam-1.0.90-redhat-modules.patch
+++ b/pam-1.2.0-redhat-modules.patch
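Review bot: Treating EPERM from audit_open() the same as "kernel built without audit" makes all four sites in this patch silently behave as if auditing did not exist, and three of them (check_auditd, tally_check's early exit, unix_chkpwd's _audit_log) then report success without emitting any record, so a host where audit is enabled but the login process presumably lacks permission on the audit netlink socket loses its audit trail with nothing logged; for pam_loginuid this also weakens require_auditd, which now passes in exactly that case. The comments added in the hunks name containers as the cause of EPERM, but nothing in the check distinguishes a container from any other permission failure. Each file already has a logging path next to the check (unix_chkpwd's `helper_log_err(LOG_CRIT, "audit_open() failed: %m");` is visible right below it), so one line before each new success return, e.g. `helper_log_err(LOG_NOTICE, "audit_open() failed with EPERM, audit logging disabled");` in _audit_log and the pam_syslog equivalent in the other three, would keep the loss detectable without changing the container behaviour. The enclosing functions start and end outside these hunks.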
@@ -1,18 +1,7 @@ -diff -up Linux-PAM-1.0.90/modules/Makefile.am.redhat-modules Linux-PAM-1.0.90/modules/Makefile.am ---- Linux-PAM-1.0.90/modules/Makefile.am.redhat-modules 2008-11-29 08:27:35.000000000 +0100 -+++ Linux-PAM-1.0.90/modules/Makefile.am 2008-12-16 13:40:16.000000000 +0100 -@@ -3,6 +3,7 @@ - # - - SUBDIRS = pam_access pam_cracklib pam_debug pam_deny pam_echo \ -+ pam_chroot pam_console pam_postgresok \ - pam_env pam_exec pam_faildelay pam_filter pam_ftp \ - pam_group pam_issue pam_keyinit pam_lastlog pam_limits \ - pam_listfile pam_localuser pam_loginuid pam_mail \ -diff -up Linux-PAM-1.0.90/configure.in.redhat-modules Linux-PAM-1.0.90/configure.in ---- Linux-PAM-1.0.90/configure.in.redhat-modules 2008-12-02 16:25:01.000000000 +0100 -+++ Linux-PAM-1.0.90/configure.in 2008-12-16 13:39:11.000000000 +0100 -@@ -531,6 +531,8 @@ AC_CONFIG_FILES([Makefile libpam/Makefil +diff -up Linux-PAM-1.2.0/configure.ac.redhat-modules Linux-PAM-1.2.0/configure.ac +--- Linux-PAM-1.2.0/configure.ac.redhat-modules 2015-03-25 16:50:10.000000000 +0100 ++++ Linux-PAM-1.2.0/configure.ac 2015-05-15 15:46:50.996074677 +0200 +@@ -616,6 +616,8 @@ AC_CONFIG_FILES([Makefile libpam/Makefil libpam_misc/Makefile conf/Makefile conf/pam_conv1/Makefile \ po/Makefile.in \ modules/Makefile \ 
@@ -21,3 +10,14 @@ diff -up Linux-PAM-1.0.90/configure.in.redhat-modules Linux-PAM-1.0.90/configure modules/pam_access/Makefile modules/pam_cracklib/Makefile \ modules/pam_debug/Makefile modules/pam_deny/Makefile \ modules/pam_echo/Makefile modules/pam_env/Makefile \ +diff -up Linux-PAM-1.2.0/modules/Makefile.am.redhat-modules Linux-PAM-1.2.0/modules/Makefile.am +--- Linux-PAM-1.2.0/modules/Makefile.am.redhat-modules 2015-03-24 13:02:32.000000000 +0100 ++++ Linux-PAM-1.2.0/modules/Makefile.am 2015-05-15 15:46:50.995074654 +0200 +@@ -3,6 +3,7 @@ + # + + SUBDIRS = pam_access pam_cracklib pam_debug pam_deny pam_echo \ ++ pam_chroot pam_console pam_postgresok \ + pam_env pam_exec pam_faildelay pam_filter pam_ftp \ + pam_group pam_issue pam_keyinit pam_lastlog pam_limits \ + pam_listfile pam_localuser pam_loginuid pam_mail \ diff --git a/pam-1.2.0-unix-no-fallback.patch b/pam-1.2.0-unix-no-fallback.patch new file mode 100644 index 0000000..6295da7 --- /dev/null +++ b/pam-1.2.0-unix-no-fallback.patch 
@@ -0,0 +1,73 @@ +diff -up Linux-PAM-1.2.0/modules/pam_unix/pam_unix.8.xml.no-fallback Linux-PAM-1.2.0/modules/pam_unix/pam_unix.8.xml +--- Linux-PAM-1.2.0/modules/pam_unix/pam_unix.8.xml.no-fallback 2015-04-27 16:38:03.000000000 +0200 ++++ Linux-PAM-1.2.0/modules/pam_unix/pam_unix.8.xml 2015-05-15 15:54:21.524440864 +0200 +@@ -284,11 +284,10 @@ + + + When a user changes their password next, +- encrypt it with the SHA256 algorithm. If the +- SHA256 algorithm is not known to the ++ encrypt it with the SHA256 algorithm. The ++ SHA256 algorithm must be supported by the + crypt3 +- function, +- fall back to MD5. ++ function. + + + +@@ -299,11 +298,10 @@ + + + When a user changes their password next, +- encrypt it with the SHA512 algorithm. If the +- SHA512 algorithm is not known to the ++ encrypt it with the SHA512 algorithm. The ++ SHA512 algorithm must be supported by the + crypt3 +- function, +- fall back to MD5. ++ function. + + + +@@ -314,11 +312,10 @@ + + + When a user changes their password next, +- encrypt it with the blowfish algorithm. If the +- blowfish algorithm is not known to the ++ encrypt it with the blowfish algorithm. The ++ blowfish algorithm must be supported by the + crypt3 +- function, +- fall back to MD5. ++ function. 
+ + +
+diff -up Linux-PAM-1.2.0/modules/pam_unix/passverify.c.no-fallback Linux-PAM-1.2.0/modules/pam_unix/passverify.c
+--- Linux-PAM-1.2.0/modules/pam_unix/passverify.c.no-fallback 2015-05-15 15:54:21.525440887 +0200
++++ Linux-PAM-1.2.0/modules/pam_unix/passverify.c 2015-05-15 15:57:23.138613273 +0200
+@@ -437,10 +437,9 @@ PAMH_ARG_DECL(char * create_password_has
+ sp = crypt(password, salt);
+ #endif
+ if (!sp || strncmp(algoid, sp, strlen(algoid)) != 0) {
+- /* libxcrypt/libc doesn't know the algorithm, use MD5 */
++ /* libxcrypt/libc doesn't know the algorithm, error out */
+ pam_syslog(pamh, LOG_ERR,
+- "Algo %s not supported by the crypto backend, "
+- "falling back to MD5\n",
++ "Algo %s not supported by the crypto backend.\n",
+ on(UNIX_BLOWFISH_PASS, ctrl) ? "blowfish" :
+ on(UNIX_SHA256_PASS, ctrl) ? "sha256" :
+ on(UNIX_SHA512_PASS, ctrl) ? "sha512" : algoid);
+@@ -450,7 +449,7 @@ PAMH_ARG_DECL(char * create_password_has
+#ifdef HAVE_CRYPT_R
+ free(cdata);
+ #endif
+- return crypt_md5_wrapper(password);
++ return NULL;
+ }
+ sp = x_strdup(sp);
+ #ifdef HAVE_CRYPT_R
diff --git a/pam-1.1.1-faillock.patch b/pam-1.2.1-faillock.patch
similarity index 90%
rename from pam-1.1.1-faillock.patch
rename to pam-1.2.1-faillock.patch
index 5f4bfc6..7a4209c 100644
--- a/pam-1.1.1-faillock.patch
+++ b/pam-1.2.1-faillock.patch
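Review bot: create_password_hash now returns NULL for an unsupported algorithm where it previously always handed back a hash string, so every caller must check the result for NULL before storing or comparing it; no caller is in this hunk and the enclosing function starts and ends outside it, so whether they do cannot be confirmed here and the patch should say that they were audited. The replacement comment says only "error out", which does not tell a reader of the function what the new contract is, and the man page hunks above describe the requirement to the administrator but not to the code. A line in the comment block above the function such as `/* Returns NULL (after logging) when the configured algorithm is not supported by crypt(); callers must treat that as a failed password change, never as an empty hash. */` would document it where the next maintainer looks.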
@@ -1,7 +1,7 @@ -diff -up Linux-PAM-1.1.1/configure.in.faillock Linux-PAM-1.1.1/configure.in ---- Linux-PAM-1.1.1/configure.in.faillock 2010-10-20 15:46:34.000000000 +0200 -+++ Linux-PAM-1.1.1/configure.in 2011-01-25 18:24:43.000000000 +0100 -@@ -539,7 +539,7 @@ AC_CONFIG_FILES([Makefile libpam/Makefil +diff -up Linux-PAM-1.2.1/configure.ac.faillock Linux-PAM-1.2.1/configure.ac +--- Linux-PAM-1.2.1/configure.ac.faillock 2015-06-25 10:42:21.477374752 +0200 ++++ Linux-PAM-1.2.1/configure.ac 2015-06-25 10:42:21.501375246 +0200 +@@ -621,7 +621,7 @@ AC_CONFIG_FILES([Makefile libpam/Makefil modules/pam_access/Makefile modules/pam_cracklib/Makefile \ modules/pam_debug/Makefile modules/pam_deny/Makefile \ modules/pam_echo/Makefile modules/pam_env/Makefile \ @@ -10,9 +10,9 @@ diff -up Linux-PAM-1.1.1/configure.in.faillock Linux-PAM-1.1.1/configure.in modules/pam_filter/Makefile modules/pam_filter/upperLOWER/Makefile \ modules/pam_ftp/Makefile modules/pam_group/Makefile \ modules/pam_issue/Makefile modules/pam_keyinit/Makefile \ -diff -up Linux-PAM-1.1.1/doc/sag/pam_faillock.xml.faillock Linux-PAM-1.1.1/doc/sag/pam_faillock.xml ---- Linux-PAM-1.1.1/doc/sag/pam_faillock.xml.faillock 2011-01-25 18:24:43.000000000 +0100 -+++ Linux-PAM-1.1.1/doc/sag/pam_faillock.xml 2011-01-25 18:24:43.000000000 +0100 +diff -up Linux-PAM-1.2.1/doc/sag/pam_faillock.xml.faillock Linux-PAM-1.2.1/doc/sag/pam_faillock.xml +--- Linux-PAM-1.2.1/doc/sag/pam_faillock.xml.faillock 2015-06-25 10:42:21.482374855 +0200 ++++ Linux-PAM-1.2.1/doc/sag/pam_faillock.xml 2015-06-25 10:42:21.482374855 +0200 
@@ -0,0 +1,38 @@ + + + + -diff -up Linux-PAM-1.1.1/modules/Makefile.am.faillock Linux-PAM-1.1.1/modules/Makefile.am ---- Linux-PAM-1.1.1/modules/Makefile.am.faillock 2010-10-20 15:46:34.000000000 +0200 -+++ Linux-PAM-1.1.1/modules/Makefile.am 2011-01-25 18:24:43.000000000 +0100 +diff -up Linux-PAM-1.2.1/modules/Makefile.am.faillock Linux-PAM-1.2.1/modules/Makefile.am +--- Linux-PAM-1.2.1/modules/Makefile.am.faillock 2015-06-25 10:42:21.480374814 +0200 ++++ Linux-PAM-1.2.1/modules/Makefile.am 2015-06-25 10:42:21.482374855 +0200 @@ -3,7 +3,7 @@ # @@ -64,9 +64,9 @@ diff -up Linux-PAM-1.1.1/modules/Makefile.am.faillock Linux-PAM-1.1.1/modules/Ma pam_env pam_exec pam_faildelay pam_filter pam_ftp \ pam_group pam_issue pam_keyinit pam_lastlog pam_limits \ pam_listfile pam_localuser pam_loginuid pam_mail \ -diff -up Linux-PAM-1.1.1/modules/pam_faillock/faillock.c.faillock Linux-PAM-1.1.1/modules/pam_faillock/faillock.c ---- Linux-PAM-1.1.1/modules/pam_faillock/faillock.c.faillock 2011-01-25 18:24:43.000000000 +0100 -+++ Linux-PAM-1.1.1/modules/pam_faillock/faillock.c 2011-01-25 18:24:56.000000000 +0100 +diff -up Linux-PAM-1.2.1/modules/pam_faillock/faillock.c.faillock Linux-PAM-1.2.1/modules/pam_faillock/faillock.c +--- Linux-PAM-1.2.1/modules/pam_faillock/faillock.c.faillock 2015-06-25 10:42:21.482374855 +0200 ++++ Linux-PAM-1.2.1/modules/pam_faillock/faillock.c 2015-06-25 10:42:21.482374855 +0200 @@ -0,0 +1,158 @@ +/* + * Copyright (c) 2010 Tomas Mraz 
@@ -226,9 +226,9 @@ diff -up Linux-PAM-1.1.1/modules/pam_faillock/faillock.c.faillock Linux-PAM-1.1. + + return 0; +} -diff -up Linux-PAM-1.1.1/modules/pam_faillock/faillock.h.faillock Linux-PAM-1.1.1/modules/pam_faillock/faillock.h ---- Linux-PAM-1.1.1/modules/pam_faillock/faillock.h.faillock 2011-01-25 18:24:43.000000000 +0100 -+++ Linux-PAM-1.1.1/modules/pam_faillock/faillock.h 2011-01-25 18:24:56.000000000 +0100 +diff -up Linux-PAM-1.2.1/modules/pam_faillock/faillock.h.faillock Linux-PAM-1.2.1/modules/pam_faillock/faillock.h +--- Linux-PAM-1.2.1/modules/pam_faillock/faillock.h.faillock 2015-06-25 10:42:21.482374855 +0200 ++++ Linux-PAM-1.2.1/modules/pam_faillock/faillock.h 2015-06-25 10:42:21.482374855 +0200 @@ -0,0 +1,73 @@ +/* + * Copyright (c) 2010 Tomas Mraz @@ -303,9 +303,9 @@ diff -up Linux-PAM-1.1.1/modules/pam_faillock/faillock.h.faillock Linux-PAM-1.1. +int update_tally(int fd, struct tally_data *tallies); +#endif + -diff -up Linux-PAM-1.1.1/modules/pam_faillock/faillock.8.xml.faillock Linux-PAM-1.1.1/modules/pam_faillock/faillock.8.xml ---- Linux-PAM-1.1.1/modules/pam_faillock/faillock.8.xml.faillock 2011-01-25 18:24:43.000000000 +0100 -+++ Linux-PAM-1.1.1/modules/pam_faillock/faillock.8.xml 2011-01-25 18:24:43.000000000 +0100 +diff -up Linux-PAM-1.2.1/modules/pam_faillock/faillock.8.xml.faillock Linux-PAM-1.2.1/modules/pam_faillock/faillock.8.xml +--- Linux-PAM-1.2.1/modules/pam_faillock/faillock.8.xml.faillock 2015-06-25 10:42:21.482374855 +0200 ++++ Linux-PAM-1.2.1/modules/pam_faillock/faillock.8.xml 2015-06-25 10:42:21.482374855 +0200 
@@ -0,0 +1,123 @@ + + + + -diff -up Linux-PAM-1.1.1/modules/pam_faillock/main.c.faillock Linux-PAM-1.1.1/modules/pam_faillock/main.c ---- Linux-PAM-1.1.1/modules/pam_faillock/main.c.faillock 2011-01-25 18:24:43.000000000 +0100 -+++ Linux-PAM-1.1.1/modules/pam_faillock/main.c 2011-01-25 18:24:56.000000000 +0100 -@@ -0,0 +1,235 @@ +diff -up Linux-PAM-1.2.1/modules/pam_faillock/main.c.faillock Linux-PAM-1.2.1/modules/pam_faillock/main.c +--- Linux-PAM-1.2.1/modules/pam_faillock/main.c.faillock 2015-06-25 10:42:21.482374855 +0200 ++++ Linux-PAM-1.2.1/modules/pam_faillock/main.c 2015-06-25 10:42:21.503375287 +0200 +@@ -0,0 +1,232 @@ +/* + * Copyright (c) 2010 Tomas Mraz + * @@ -563,7 +563,6 @@ diff -up Linux-PAM-1.1.1/modules/pam_faillock/main.c.faillock Linux-PAM-1.1.1/mo + } + if (opts->reset) { +#ifdef HAVE_LIBAUDIT -+ char buf[64]; + int audit_fd; +#endif + @@ -577,10 +576,8 @@ diff -up Linux-PAM-1.1.1/modules/pam_faillock/main.c.faillock Linux-PAM-1.1.1/mo + if ((audit_fd=audit_open()) >= 0) { + + if (pwd != NULL) { -+ snprintf(buf, sizeof(buf), "faillock reset uid=%u", -+ pwd->pw_uid); -+ audit_log_user_message(audit_fd, AUDIT_USER_ACCT, -+ buf, NULL, NULL, NULL, rv == 0); ++ audit_log_acct_message(audit_fd, AUDIT_USER_MGMT, NULL, ++ "faillock-reset", NULL, pwd->pw_uid, NULL, NULL, NULL, rv == 0); + } + close(audit_fd); + } 
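Review bot: Replacing audit_log_user_message(audit_fd, AUDIT_USER_ACCT, "faillock reset uid=%u", …) with audit_log_acct_message(audit_fd, AUDIT_USER_MGMT, NULL, "faillock-reset", NULL, pwd->pw_uid, …) changes both the record type and the message text of the reset event, so any audit rule, search or alert keyed on the old USER_ACCT record with the "faillock reset" text stops matching once this package is updated. The new form looks like the better one — the uid presumably travels as a numeric field of the record instead of inside a free-form string — but nothing in the commit or the patch header says that the event changed. A note in the commit message, or a comment at the top of the patch such as `# faillock reset is now audited as USER_MGMT op=faillock-reset instead of a USER_ACCT text message`, would warn people maintaining audit rules. The return value of audit_log_acct_message is still discarded, so a failed audit write stays unreported as it did before; the enclosing function starts and ends outside the hunk.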
@@ -669,10 +666,10 @@ diff -up Linux-PAM-1.1.1/modules/pam_faillock/main.c.faillock Linux-PAM-1.1.1/mo + return do_user(&opts, opts.user); +} + -diff -up Linux-PAM-1.1.1/modules/pam_faillock/Makefile.am.faillock Linux-PAM-1.1.1/modules/pam_faillock/Makefile.am ---- Linux-PAM-1.1.1/modules/pam_faillock/Makefile.am.faillock 2011-01-25 18:24:43.000000000 +0100 -+++ Linux-PAM-1.1.1/modules/pam_faillock/Makefile.am 2011-01-25 18:24:43.000000000 +0100 -@@ -0,0 +1,43 @@ +diff -up Linux-PAM-1.2.1/modules/pam_faillock/Makefile.am.faillock Linux-PAM-1.2.1/modules/pam_faillock/Makefile.am +--- Linux-PAM-1.2.1/modules/pam_faillock/Makefile.am.faillock 2015-06-25 10:42:21.482374855 +0200 ++++ Linux-PAM-1.2.1/modules/pam_faillock/Makefile.am 2015-06-25 10:42:21.494375102 +0200 +@@ -0,0 +1,44 @@ +# +# Copyright (c) 2005, 2006, 2007, 2009 Thorsten Kukuk +# Copyright (c) 2008 Red Hat, Inc. @@ -694,7 +691,7 @@ diff -up Linux-PAM-1.1.1/modules/pam_faillock/Makefile.am.faillock Linux-PAM-1.1 + +noinst_HEADERS = faillock.h + -+faillock_CFLAGS = -I$(top_srcdir)/libpam/include -I$(top_srcdir)/libpamc/include ++faillock_CFLAGS = -I$(top_srcdir)/libpam/include -I$(top_srcdir)/libpamc/include @PIE_CFLAGS@ +pam_faillock_la_CFLAGS = -I$(top_srcdir)/libpam/include -I$(top_srcdir)/libpamc/include + +pam_faillock_la_LDFLAGS = -no-undefined -avoid-version -module @@ -703,6 +700,7 @@ diff -up Linux-PAM-1.1.1/modules/pam_faillock/Makefile.am.faillock Linux-PAM-1.1 + pam_faillock_la_LDFLAGS += -Wl,--version-script=$(srcdir)/../modules.map +endif + ++faillock_LDFLAGS = -Wl,-z,now @PIE_LDFLAGS@ +faillock_LDADD = -L$(top_builddir)/libpam -lpam $(LIBAUDIT) + +securelib_LTLIBRARIES = pam_faillock.la 
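Review bot: `faillock_LDFLAGS = -Wl,-z,now @PIE_LDFLAGS@` requests immediate symbol binding only; the relocated GOT becomes read-only only when `-z relro` is also passed, and whether @PIE_LDFLAGS@ or the toolchain default supplies it is not visible here. If the intent is full RELRO for the faillock binary, spelling it out as `faillock_LDFLAGS = -Wl,-z,relro,-z,now @PIE_LDFLAGS@` removes the dependency on the linker default and makes the hardening intent explicit to a reader. The preceding hunk adds @PIE_CFLAGS@ to faillock_CFLAGS but not to pam_faillock_la_CFLAGS, which may be deliberate for a shared module, but a one-line comment saying so would stop the next reader from "fixing" it.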
@@ -716,10 +714,10 @@ diff -up Linux-PAM-1.1.1/modules/pam_faillock/Makefile.am.faillock Linux-PAM-1.1 +README: pam_faillock.8.xml +-include $(top_srcdir)/Make.xml.rules +endif -diff -up Linux-PAM-1.1.1/modules/pam_faillock/pam_faillock.c.faillock Linux-PAM-1.1.1/modules/pam_faillock/pam_faillock.c ---- Linux-PAM-1.1.1/modules/pam_faillock/pam_faillock.c.faillock 2011-01-25 18:24:43.000000000 +0100 -+++ Linux-PAM-1.1.1/modules/pam_faillock/pam_faillock.c 2011-01-25 18:24:56.000000000 +0100 -@@ -0,0 +1,556 @@ +diff -up Linux-PAM-1.2.1/modules/pam_faillock/pam_faillock.c.faillock Linux-PAM-1.2.1/modules/pam_faillock/pam_faillock.c +--- Linux-PAM-1.2.1/modules/pam_faillock/pam_faillock.c.faillock 2015-06-25 10:42:21.483374875 +0200 ++++ Linux-PAM-1.2.1/modules/pam_faillock/pam_faillock.c 2015-10-16 14:07:38.451616869 +0200 +@@ -0,0 +1,571 @@ +/* + * Copyright (c) 2010 Tomas Mraz + * @@ -847,21 +845,30 @@ diff -up Linux-PAM-1.1.1/modules/pam_faillock/pam_faillock.c.faillock Linux-PAM- + } + else if (strncmp(argv[i], "unlock_time=", 12) == 0) { + unsigned int temp; -+ if (sscanf(argv[i]+12, "%u", &temp) != 1 || ++ ++ if (strcmp(argv[i]+12, "never") == 0) { ++ opts->unlock_time = 0; ++ } ++ else if (sscanf(argv[i]+12, "%u", &temp) != 1 || + temp > MAX_TIME_INTERVAL) { + pam_syslog(pamh, LOG_ERR, + "Bad number supplied for unlock_time argument"); -+ } else { ++ } ++ else { + opts->unlock_time = temp; + } + } + else if (strncmp(argv[i], "root_unlock_time=", 17) == 0) { + unsigned int temp; -+ if (sscanf(argv[i]+17, "%u", &temp) != 1 || ++ ++ if (strcmp(argv[i]+17, "never") == 0) { ++ opts->root_unlock_time = 0; ++ } ++ else if (sscanf(argv[i]+17, "%u", &temp) != 1 || + temp > MAX_TIME_INTERVAL) { + pam_syslog(pamh, LOG_ERR, + "Bad number supplied for root_unlock_time argument"); -+ } else { ++ } else { + opts->root_unlock_time = temp; + } + } 
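Review bot: Mapping `unlock_time=never` to opts->unlock_time = 0 gives the value 0 a new meaning — a permanent lock, once the `opts->unlock_time &&` guard in the next hunk takes effect — whereas a configuration line with `unlock_time=0` previously expired the lock as soon as latest_time + 0 < now. Existing configurations carrying 0 therefore switch silently from "no lockout delay" to "locked until reset with the faillock command", which is the lockout denial-of-service exposure the man page change in this same file warns about; the same applies to root_unlock_time. A single `pam_syslog(pamh, LOG_NOTICE, "unlock_time is 0/never: locked accounts stay locked until reset");` emitted when the option is parsed would make the changed behaviour visible in the logs of systems that upgrade with an old configuration, and the change deserves a sentence in the package changelog. The enclosing option-parsing function starts and ends outside the hunk.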
@@ -980,8 +987,8 @@ diff -up Linux-PAM-1.1.1/modules/pam_faillock/pam_faillock.c.faillock Linux-PAM- + } + + if (opts->deny && failures >= opts->deny) { -+ if ((opts->uid && latest_time + opts->unlock_time < opts->now) || -+ (!opts->uid && latest_time + opts->root_unlock_time < opts->now)) { ++ if ((opts->uid && opts->unlock_time && latest_time + opts->unlock_time < opts->now) || ++ (!opts->uid && opts->root_unlock_time && latest_time + opts->root_unlock_time < opts->now)) { +#ifdef HAVE_LIBAUDIT + if (opts->action != FAILLOCK_ACTION_PREAUTH) { /* do not audit in preauth */ + char buf[64]; @@ -1145,11 +1152,17 @@ diff -up Linux-PAM-1.1.1/modules/pam_faillock/pam_faillock.c.faillock Linux-PAM- + left = opts->latest_time + opts->root_unlock_time - opts->now; + } + -+ left /= 60; /* minutes */ ++ if (left > 0) { ++ left = (left + 59)/60; /* minutes */ + -+ pam_info(pamh, _("Account temporarily locked due to %d failed logins"), -+ opts->failures); -+ pam_info(pamh, _("(%d minutes left to unlock)"), (int)left); ++ pam_info(pamh, _("Account temporarily locked due to %d failed logins"), ++ opts->failures); ++ pam_info(pamh, _("(%d minutes left to unlock)"), (int)left); ++ } ++ else { ++ pam_info(pamh, _("Account locked due to %d failed logins"), ++ opts->failures); ++ } + } +} + 
@@ -1276,10 +1289,10 @@ diff -up Linux-PAM-1.1.1/modules/pam_faillock/pam_faillock.c.faillock Linux-PAM- + +#endif /* #ifdef PAM_STATIC */ + -diff -up Linux-PAM-1.1.1/modules/pam_faillock/pam_faillock.8.xml.faillock Linux-PAM-1.1.1/modules/pam_faillock/pam_faillock.8.xml ---- Linux-PAM-1.1.1/modules/pam_faillock/pam_faillock.8.xml.faillock 2011-01-25 18:24:43.000000000 +0100 -+++ Linux-PAM-1.1.1/modules/pam_faillock/pam_faillock.8.xml 2011-01-25 18:24:56.000000000 +0100 -@@ -0,0 +1,392 @@ +diff -up Linux-PAM-1.2.1/modules/pam_faillock/pam_faillock.8.xml.faillock Linux-PAM-1.2.1/modules/pam_faillock/pam_faillock.8.xml +--- Linux-PAM-1.2.1/modules/pam_faillock/pam_faillock.8.xml.faillock 2016-04-04 16:37:38.696260359 +0200 ++++ Linux-PAM-1.2.1/modules/pam_faillock/pam_faillock.8.xml 2016-04-28 17:09:04.679596165 +0200 +@@ -0,0 +1,408 @@ + + @@ -1481,8 +1494,24 @@ diff -up Linux-PAM-1.1.1/modules/pam_faillock/pam_faillock.8.xml.faillock Linux- + + The access will be reenabled after + n seconds after the lock out. ++ The value 0 has the same meaning as value ++ never - the access ++ will not be reenabled without resetting the faillock ++ entries by the faillock8 command. + The default is 600 (10 minutes). + ++ ++ Note that the default directory that pam_faillock ++ uses is usually cleared on system boot so the access will be also reenabled ++ after system reboot. If that is undesirable a different tally directory ++ must be set with the option. ++ ++ ++ Also note that it is usually undesirable to permanently lock ++ out the users as they can become easily a target of denial of service ++ attack unless the usernames are random and kept secret to potential ++ attackers. ++ + + + 
@@ -1672,9 +1701,9 @@ diff -up Linux-PAM-1.1.1/modules/pam_faillock/pam_faillock.8.xml.faillock Linux- + + + -diff -up Linux-PAM-1.1.1/modules/pam_faillock/README.xml.faillock Linux-PAM-1.1.1/modules/pam_faillock/README.xml ---- Linux-PAM-1.1.1/modules/pam_faillock/README.xml.faillock 2011-01-25 18:24:43.000000000 +0100 -+++ Linux-PAM-1.1.1/modules/pam_faillock/README.xml 2011-01-25 18:24:43.000000000 +0100 +diff -up Linux-PAM-1.2.1/modules/pam_faillock/README.xml.faillock Linux-PAM-1.2.1/modules/pam_faillock/README.xml +--- Linux-PAM-1.2.1/modules/pam_faillock/README.xml.faillock 2015-06-25 10:42:21.483374875 +0200 ++++ Linux-PAM-1.2.1/modules/pam_faillock/README.xml 2015-06-25 10:42:21.483374875 +0200 @@ -0,0 +1,46 @@ + + + + -diff -up Linux-PAM-1.1.1/modules/pam_faillock/tst-pam_faillock.faillock Linux-PAM-1.1.1/modules/pam_faillock/tst-pam_faillock ---- Linux-PAM-1.1.1/modules/pam_faillock/tst-pam_faillock.faillock 2011-01-25 18:24:43.000000000 +0100 -+++ Linux-PAM-1.1.1/modules/pam_faillock/tst-pam_faillock 2011-01-25 18:24:43.000000000 +0100 +diff -up Linux-PAM-1.2.1/modules/pam_faillock/tst-pam_faillock.faillock Linux-PAM-1.2.1/modules/pam_faillock/tst-pam_faillock +--- Linux-PAM-1.2.1/modules/pam_faillock/tst-pam_faillock.faillock 2015-06-25 10:42:21.483374875 +0200 ++++ Linux-PAM-1.2.1/modules/pam_faillock/tst-pam_faillock 2015-06-25 10:42:21.483374875 +0200 @@ -0,0 +1,2 @@ +#!/bin/sh +../../tests/tst-dlopen .libs/pam_faillock.so diff --git a/pam-1.1.8-browser.patch b/pam-1.3.0-browser.patch similarity index 51% rename from pam-1.1.8-browser.patch rename to pam-1.3.0-browser.patch index 63e2756..a3b56c4 100644 --- a/pam-1.1.8-browser.patch +++ b/pam-1.3.0-browser.patch 
@@ -1,6 +1,7 @@ ---- a/configure.in.old 2013-09-18 16:30:13.000000000 +0400 -+++ b/configure.in 2015-01-21 19:36:59.000000000 +0300 -@@ -552,9 +552,9 @@ +diff -urN Linux-PAM-1.3.0/configure.ac Linux-PAM-1.3.0-patched/configure.ac +--- Linux-PAM-1.3.0/configure.ac 2016-04-28 21:21:59.000000000 +1000 ++++ Linux-PAM-1.3.0-patched/configure.ac 2016-09-19 17:20:03.612168890 +1000 +@@ -554,9 +554,9 @@ JH_CHECK_XML_CATALOG([http://docbook.sourceforge.net/release/xsl/current/manpages/docbook.xsl], [DocBook XSL Stylesheets], [], enable_docu=no) @@ -10,5 +11,5 @@ - BROWSER="$BROWSER -T text/html -dump" + BROWSER="$BROWSER" else - enable_docu=no - fi + AC_PATH_PROG([BROWSER], [links]) + if test ! -z "$BROWSER"; then diff --git a/pam-1.1.8-pwhistory-helper.patch b/pam-1.3.0-pwhistory-helper.patch similarity index 89% rename from pam-1.1.8-pwhistory-helper.patch rename to pam-1.3.0-pwhistory-helper.patch index 505b75f..554e5c8 100644 --- a/pam-1.1.8-pwhistory-helper.patch +++ b/pam-1.3.0-pwhistory-helper.patch @@ -1,7 +1,6 @@ -diff --git a/modules/pam_pwhistory/Makefile.am b/modules/pam_pwhistory/Makefile.am -index 4bb4d6d..9157b91 100644 ---- a/modules/pam_pwhistory/Makefile.am -+++ b/modules/pam_pwhistory/Makefile.am +diff -up Linux-PAM-1.3.0/modules/pam_pwhistory/Makefile.am.pwhhelper Linux-PAM-1.3.0/modules/pam_pwhistory/Makefile.am +--- Linux-PAM-1.3.0/modules/pam_pwhistory/Makefile.am.pwhhelper 2016-03-24 12:45:42.000000000 +0100 ++++ Linux-PAM-1.3.0/modules/pam_pwhistory/Makefile.am 2016-05-06 15:18:42.307637933 +0200 @@ -1,5 +1,6 @@ # # Copyright (c) 2008, 2009 Thorsten Kukuk @@ -9,7 +8,7 @@ index 4bb4d6d..9157b91 100644 # CLEANFILES = *~ -@@ -9,25 +10,34 @@ EXTRA_DIST = README $(MANS) $(XMLS) tst-pam_pwhistory +@@ -9,25 +10,34 @@ EXTRA_DIST = README $(MANS) $(XMLS) tst- TESTS = tst-pam_pwhistory 
@@ -50,10 +49,9 @@ index 4bb4d6d..9157b91 100644 if ENABLE_REGENERATE_MAN noinst_DATA = README README: pam_pwhistory.8.xml -diff --git a/modules/pam_pwhistory/opasswd.c b/modules/pam_pwhistory/opasswd.c -index 836d713..e319ff3 100644 ---- a/modules/pam_pwhistory/opasswd.c -+++ b/modules/pam_pwhistory/opasswd.c +diff -up Linux-PAM-1.3.0/modules/pam_pwhistory/opasswd.c.pwhhelper Linux-PAM-1.3.0/modules/pam_pwhistory/opasswd.c +--- Linux-PAM-1.3.0/modules/pam_pwhistory/opasswd.c.pwhhelper 2016-03-24 12:45:42.000000000 +0100 ++++ Linux-PAM-1.3.0/modules/pam_pwhistory/opasswd.c 2016-05-06 15:18:42.307637933 +0200 @@ -1,5 +1,6 @@ /* * Copyright (c) 2008 Thorsten Kukuk @@ -112,7 +110,7 @@ index 836d713..e319ff3 100644 static int parse_entry (char *line, opwd *data) -@@ -112,8 +135,8 @@ compare_password(const char *newpass, const char *oldpass) +@@ -117,8 +140,8 @@ compare_password(const char *newpass, co } /* Check, if the new password is already in the opasswd file. */ @@ -123,7 +121,7 @@ index 836d713..e319ff3 100644 const char *newpass, int debug) { int retval = PAM_SUCCESS; -@@ -123,6 +146,11 @@ check_old_pass (pam_handle_t *pamh, const char *user, +@@ -128,6 +151,11 @@ check_old_pass (pam_handle_t *pamh, cons opwd entry; int found = 0; @@ -135,7 +133,7 @@ index 836d713..e319ff3 100644 if ((oldpf = fopen (OLD_PASSWORDS_FILE, "r")) == NULL) { if (errno != ENOENT) -@@ -208,9 +236,9 @@ check_old_pass (pam_handle_t *pamh, const char *user, +@@ -213,9 +241,9 @@ check_old_pass (pam_handle_t *pamh, cons return retval; } @@ -148,7 +146,7 @@ index 836d713..e319ff3 100644 { char opasswd_tmp[] = TMP_PASSWORDS_FILE; struct stat opasswd_stat; -@@ -221,10 +249,35 @@ save_old_pass (pam_handle_t *pamh, const char *user, uid_t uid, +@@ -226,10 +254,35 @@ save_old_pass (pam_handle_t *pamh, const char *buf = NULL; size_t buflen = 0; int found = 0; 
@@ -184,7 +182,7 @@ index 836d713..e319ff3 100644 if (oldpass == NULL || *oldpass == '\0') return PAM_SUCCESS; -@@ -447,7 +500,7 @@ save_old_pass (pam_handle_t *pamh, const char *user, uid_t uid, +@@ -452,7 +505,7 @@ save_old_pass (pam_handle_t *pamh, const { char *out; @@ -193,10 +191,9 @@ index 836d713..e319ff3 100644 { retval = PAM_AUTHTOK_ERR; if (oldpf) -diff --git a/modules/pam_pwhistory/opasswd.h b/modules/pam_pwhistory/opasswd.h -index db3e656..1b08699 100644 ---- a/modules/pam_pwhistory/opasswd.h -+++ b/modules/pam_pwhistory/opasswd.h +diff -up Linux-PAM-1.3.0/modules/pam_pwhistory/opasswd.h.pwhhelper Linux-PAM-1.3.0/modules/pam_pwhistory/opasswd.h +--- Linux-PAM-1.3.0/modules/pam_pwhistory/opasswd.h.pwhhelper 2016-03-24 12:45:42.000000000 +0100 ++++ Linux-PAM-1.3.0/modules/pam_pwhistory/opasswd.h 2016-05-06 15:18:42.307637933 +0200 @@ -1,5 +1,6 @@ /* * Copyright (c) 2008 Thorsten Kukuk @@ -242,10 +239,9 @@ index db3e656..1b08699 100644 +save_old_pass, const char *user, int howmany, int debug); #endif /* __OPASSWD_H__ */ -diff --git a/modules/pam_pwhistory/pam_pwhistory.c b/modules/pam_pwhistory/pam_pwhistory.c -index 654edd3..d6c5c47 100644 ---- a/modules/pam_pwhistory/pam_pwhistory.c -+++ b/modules/pam_pwhistory/pam_pwhistory.c +diff -up Linux-PAM-1.3.0/modules/pam_pwhistory/pam_pwhistory.c.pwhhelper Linux-PAM-1.3.0/modules/pam_pwhistory/pam_pwhistory.c +--- Linux-PAM-1.3.0/modules/pam_pwhistory/pam_pwhistory.c.pwhhelper 2016-04-04 11:22:28.000000000 +0200 ++++ Linux-PAM-1.3.0/modules/pam_pwhistory/pam_pwhistory.c 2016-05-06 15:19:31.610785512 +0200 @@ -1,6 +1,7 @@ /* * Copyright (c) 2008, 2012 Thorsten Kukuk @@ -278,7 +274,7 @@ index 654edd3..d6c5c47 100644 struct options_t { int debug; -@@ -102,6 +108,184 @@ parse_option (pam_handle_t *pamh, const char *argv, options_t *options) +@@ -102,6 +108,184 @@ parse_option (pam_handle_t *pamh, const pam_syslog (pamh, LOG_ERR, "pam_pwhistory: unknown option: %s", argv); } 
@@ -463,23 +459,22 @@ index 654edd3..d6c5c47 100644 /* This module saves the current crypted password in /etc/security/opasswd and then compares the new password with all entries in this file. */ -@@ -109,7 +293,6 @@ parse_option (pam_handle_t *pamh, const char *argv, options_t *options) - PAM_EXTERN int +@@ -109,7 +293,6 @@ parse_option (pam_handle_t *pamh, const + int pam_sm_chauthtok (pam_handle_t *pamh, int flags, int argc, const char **argv) { - struct passwd *pwd; const char *newpass; const char *user; int retval, tries; -@@ -154,31 +337,13 @@ pam_sm_chauthtok (pam_handle_t *pamh, int flags, int argc, const char **argv) +@@ -154,31 +337,13 @@ pam_sm_chauthtok (pam_handle_t *pamh, in return PAM_SUCCESS; } - pwd = pam_modutil_getpwnam (pamh, user); - if (pwd == NULL) - return PAM_USER_UNKNOWN; -+ retval = save_old_pass (pamh, user, options.remember, options.debug); - +- - if ((strcmp(pwd->pw_passwd, "x") == 0) || - ((pwd->pw_passwd[0] == '#') && - (pwd->pw_passwd[1] == '#') && @@ -488,8 +483,7 @@ index 654edd3..d6c5c47 100644 - struct spwd *spw = pam_modutil_getspnam (pamh, user); - if (spw == NULL) - return PAM_USER_UNKNOWN; -+ if (retval == PAM_PWHISTORY_RUN_HELPER) -+ retval = run_save_helper(pamh, user, options.remember, options.debug); ++ retval = save_old_pass (pamh, user, options.remember, options.debug); - retval = save_old_pass (pamh, user, pwd->pw_uid, spw->sp_pwdp, - options.remember, options.debug); @@ -503,12 +497,15 @@ index 654edd3..d6c5c47 100644 - if (retval != PAM_SUCCESS) - return retval; - } ++ if (retval == PAM_PWHISTORY_RUN_HELPER) ++ retval = run_save_helper(pamh, user, options.remember, options.debug); ++ + if (retval != PAM_SUCCESS) + return retval; newpass = NULL; tries = 0; -@@ -207,8 +372,11 @@ pam_sm_chauthtok (pam_handle_t *pamh, int flags, int argc, const char **argv) +@@ -207,8 +372,11 @@ pam_sm_chauthtok (pam_handle_t *pamh, in if (options.debug) pam_syslog (pamh, LOG_DEBUG, "check against old password file"); 
@@ -522,85 +519,9 @@ index 654edd3..d6c5c47 100644 { if (getuid() || options.enforce_for_root || (flags & PAM_CHANGE_EXPIRED_AUTHTOK)) -diff --git a/modules/pam_pwhistory/pwhistory_helper.8.xml b/modules/pam_pwhistory/pwhistory_helper.8.xml -new file mode 100644 -index 0000000..a030176 ---- /dev/null -+++ b/modules/pam_pwhistory/pwhistory_helper.8.xml -@@ -0,0 +1,68 @@ -+ -+ -+ -+ -+ -+ -+ pwhistory_helper -+ 8 -+ Linux-PAM Manual -+ -+ -+ -+ pwhistory_helper -+ Helper binary that transfers password hashes from passwd or shadow to opasswd -+ -+ -+ -+ -+ pwhistory_helper -+ -+ ... -+ -+ -+ -+ -+ -+ -+ DESCRIPTION -+ -+ -+ pwhistory_helper is a helper program for the -+ pam_pwhistory module that transfers password hashes -+ from passwd or shadow file to the opasswd file and checks a password -+ supplied by user against the existing hashes in the opasswd file. -+ -+ -+ -+ The purpose of the helper is to enable tighter confinement of -+ login and password changing services. The helper is thus called only -+ when SELinux is enabled on the system. -+ -+ -+ -+ The interface of the helper - command line options, and input/output -+ data format are internal to the pam_pwhistory -+ module and it should not be called directly from applications. -+ -+ -+ -+ -+ SEE ALSO -+ -+ -+ pam_pwhistory8 -+ -+ -+ -+ -+ -+ AUTHOR -+ -+ Written by Tomas Mraz based on the code originally in -+ pam_pwhistory and pam_unix modules. -+ -+ -+ -+ -diff --git a/modules/pam_pwhistory/pwhistory_helper.c b/modules/pam_pwhistory/pwhistory_helper.c -new file mode 100644 -index 0000000..b07ab81 ---- /dev/null -+++ b/modules/pam_pwhistory/pwhistory_helper.c +diff -up Linux-PAM-1.3.0/modules/pam_pwhistory/pwhistory_helper.c.pwhhelper Linux-PAM-1.3.0/modules/pam_pwhistory/pwhistory_helper.c +--- Linux-PAM-1.3.0/modules/pam_pwhistory/pwhistory_helper.c.pwhhelper 2016-05-06 15:18:42.308637957 +0200 ++++ Linux-PAM-1.3.0/modules/pam_pwhistory/pwhistory_helper.c 2016-05-06 15:18:42.308637957 +0200 
@@ -0,0 +1,209 @@ +/* + * Copyright (c) 2013 Red Hat, Inc. @@ -811,3 +732,75 @@ index 0000000..b07ab81 + return PAM_SYSTEM_ERR; +} + +diff -up Linux-PAM-1.3.0/modules/pam_pwhistory/pwhistory_helper.8.xml.pwhhelper Linux-PAM-1.3.0/modules/pam_pwhistory/pwhistory_helper.8.xml +--- Linux-PAM-1.3.0/modules/pam_pwhistory/pwhistory_helper.8.xml.pwhhelper 2016-05-06 15:18:42.308637957 +0200 ++++ Linux-PAM-1.3.0/modules/pam_pwhistory/pwhistory_helper.8.xml 2016-05-06 15:18:42.308637957 +0200 +@@ -0,0 +1,68 @@ ++ ++ ++ ++ ++ ++ ++ pwhistory_helper ++ 8 ++ Linux-PAM Manual ++ ++ ++ ++ pwhistory_helper ++ Helper binary that transfers password hashes from passwd or shadow to opasswd ++ ++ ++ ++ ++ pwhistory_helper ++ ++ ... ++ ++ ++ ++ ++ ++ ++ DESCRIPTION ++ ++ ++ pwhistory_helper is a helper program for the ++ pam_pwhistory module that transfers password hashes ++ from passwd or shadow file to the opasswd file and checks a password ++ supplied by user against the existing hashes in the opasswd file. ++ ++ ++ ++ The purpose of the helper is to enable tighter confinement of ++ login and password changing services. The helper is thus called only ++ when SELinux is enabled on the system. ++ ++ ++ ++ The interface of the helper - command line options, and input/output ++ data format are internal to the pam_pwhistory ++ module and it should not be called directly from applications. ++ ++ ++ ++ ++ SEE ALSO ++ ++ ++ pam_pwhistory8 ++ ++ ++ ++ ++ ++ AUTHOR ++ ++ Written by Tomas Mraz based on the code originally in ++ pam_pwhistory and pam_unix modules. ++ ++ ++ ++ diff --git a/pam-CVE-2013-7041.patch b/pam-CVE-2013-7041.patch deleted file mode 100644 index 96fa916..0000000 --- a/pam-CVE-2013-7041.patch +++ /dev/null 
@@ -1,52 +0,0 @@
-From 57a1e2b274d0a6376d92ada9926e5c5741e7da20 Mon Sep 17 00:00:00 2001
-From: "Dmitry V. Levin"
-Date: Fri, 24 Jan 2014 22:18:32 +0000
-Subject: [PATCH] pam_userdb: fix password hash comparison
-
-Starting with commit Linux-PAM-0-77-28-g0b3e583 that introduced hashed
-passwords support in pam_userdb, hashes are compared case-insensitively.
-This bug leads to accepting hashes for completely different passwords in
-addition to those that should be accepted.
-
-Additionally, commit Linux-PAM-1_1_6-13-ge2a8187 that added support for
-modern password hashes with different lengths and settings, did not
-update the hash comparison accordingly, which leads to accepting
-computed hashes longer than stored hashes when the latter is a prefix
-of the former.
-
-* modules/pam_userdb/pam_userdb.c (user_lookup): Reject the computed
-hash whose length differs from the stored hash length.
-Compare computed and stored hashes case-sensitively.
-Fixes CVE-2013-7041.
-
-Bug-Debian: http://bugs.debian.org/731368
----
- modules/pam_userdb/pam_userdb.c | 9 ++++++---
- 1 file changed, 6 insertions(+), 3 deletions(-)
-
-diff --git a/modules/pam_userdb/pam_userdb.c b/modules/pam_userdb/pam_userdb.c
-index de8b5b1..ff040e6 100644
---- a/modules/pam_userdb/pam_userdb.c
-+++ b/modules/pam_userdb/pam_userdb.c
-@@ -222,12 +222,15 @@ user_lookup (pam_handle_t *pamh, const char *database, const char *cryptmode,
- } else {
- cryptpw = crypt (pass, data.dptr);
-
-- if (cryptpw) {
-- compare = strncasecmp (data.dptr, cryptpw, data.dsize);
-+ if (cryptpw && strlen(cryptpw) == (size_t)data.dsize) {
-+ compare = memcmp(data.dptr, cryptpw, data.dsize);
- } else {
- compare = -2;
- if (ctrl & PAM_DEBUG_ARG) {
-- pam_syslog(pamh, LOG_INFO, "crypt() returned NULL");
-+ if (cryptpw)
-+ pam_syslog(pamh, LOG_INFO, "lengths of computed and stored hashes differ");
-+ else
-+ pam_syslog(pamh, LOG_INFO, "crypt() returned NULL");
- }
- };
-
---
-1.8.3.1
-
diff --git a/pam-CVE-2014-2583.patch b/pam-CVE-2014-2583.patch
deleted file mode 100644
index f2aa2de..0000000
--- a/pam-CVE-2014-2583.patch
+++ /dev/null
@@ -1,56 +0,0 @@
-From 9dcead87e6d7f66d34e7a56d11a30daca367dffb Mon Sep 17 00:00:00 2001
-From: "Dmitry V. Levin"
-Date: Wed, 26 Mar 2014 22:17:23 +0000
-Subject: [PATCH] pam_timestamp: fix potential directory traversal issue
- (ticket #27)
-
-pam_timestamp uses values of PAM_RUSER and PAM_TTY as components of
-the timestamp pathname it creates, so extra care should be taken to
-avoid potential directory traversal issues.
-
-* modules/pam_timestamp/pam_timestamp.c (check_tty): Treat
-"." and ".." tty values as invalid.
-(get_ruser): Treat "." and ".." ruser values, as well as any ruser
-value containing '/', as invalid.
-
-Fixes CVE-2014-2583.
-
-Reported-by: Sebastian Krahmer
----
- modules/pam_timestamp/pam_timestamp.c | 13 ++++++++++++-
- 1 file changed, 12 insertions(+), 1 deletion(-)
-
-diff --git a/modules/pam_timestamp/pam_timestamp.c b/modules/pam_timestamp/pam_timestamp.c
-index 5193733..b3f08b1 100644
---- a/modules/pam_timestamp/pam_timestamp.c
-+++ b/modules/pam_timestamp/pam_timestamp.c
-@@ -158,7 +158,7 @@ check_tty(const char *tty)
- tty = strrchr(tty, '/') + 1;
- }
- /* Make sure the tty wasn't actually a directory (no basename). */
-- if (strlen(tty) == 0) {
-+ if (!strlen(tty) || !strcmp(tty, ".") || !strcmp(tty, "..")) {
- return NULL;
- }
- return tty;
-@@ -243,6 +243,17 @@ get_ruser(pam_handle_t *pamh, char *ruserbuf, size_t ruserbuflen)
- if (pwd != NULL) {
- ruser = pwd->pw_name;
- }
-+ } else {
-+ /*
-+ * This ruser is used by format_timestamp_name as a component
-+ * of constructed timestamp pathname, so ".", "..", and '/'
-+ * are disallowed to avoid potential path traversal issues.
-+ */
-+ if (!strcmp(ruser, ".") ||
-+ !strcmp(ruser, "..") ||
-+ strchr(ruser, '/')) {
-+ ruser = NULL;
-+ }
- }
- if (ruser == NULL || strlen(ruser) >= ruserbuflen) {
- *ruserbuf = '\0';
---
-1.8.3.1
-
diff --git a/pam.spec b/pam.spec index 87bc538..0c127bf 100644 --- a/pam.spec +++ b/pam.spec @@ -10,12 +10,12 @@ %bcond_without selinux -%define pam_redhat_version 0.99.10-1 +%define pam_redhat_version 0.99.11 Summary: A security tool which provides authentication for applications Name: pam -Version: 1.1.8 -Release: 31 +Version: 1.3.0 +Release: 1 Epoch: 1 # The library is BSD licensed with option to relicense as GPLv2+ - this option is redundant # as the BSD license allows that anyway. pam_timestamp and pam_console modules are GPLv2+, 
@@ -41,38 +41,23 @@ Source501: pam_tty_audit.8 Source502: README # RedHat patches -Patch1: pam-1.0.90-redhat-modules.patch -Patch2: pam-1.1.6-std-noclose.patch +Patch1: pam-1.2.0-redhat-modules.patch +Patch2: pam-1.2.0-fix-running-in-containers.patch +Patch3: pam-1.2.0-unix-no-fallback.patch Patch4: pam-1.1.0-console-nochmod.patch Patch5: pam-1.1.0-notally.patch -Patch7: pam-1.1.0-console-fixes.patch Patch9: pam-1.1.6-noflex.patch Patch10: pam-1.1.3-nouserenv.patch -Patch11: pam-1.1.3-console-abstract.patch Patch13: pam-1.1.5-limits-user.patch -Patch14: pam-1.1.1-faillock.patch +Patch14: pam-1.2.1-faillock.patch Patch22: pam-1.1.7-unix-build.patch -Patch32: pam-1.1.7-tty-audit-init.patch -Patch33: pam-1.1.8-audit-grantor.patch -Patch34: pam-1.1.8-audit-user-mgmt.patch -Patch35: pam-1.1.8-canonicalize-username.patch -Patch36: pam-1.1.8-full-relro.patch -Patch37: pam-1.1.8-lastlog-uninitialized.patch -Patch38: pam-1.1.8-limits-check-process.patch -Patch39: pam-1.1.8-limits-docfix.patch -Patch40: pam-1.1.8-loginuid-container.patch -Patch41: pam-1.1.8-man-dbsuffix.patch -Patch42: pam-1.1.8-opasswd-tolerant.patch -Patch43: pam-1.1.8-pwhistory-helper.patch +Patch43: pam-1.3.0-pwhistory-helper.patch # ROSA specific sources/patches # (fl) fix infinite loop Patch507: pam-0.74-loop.patch # (fc) 0.75-29mdk don't complain when / is owned by root.adm Patch508: Linux-PAM-0.99.3.0-pamtimestampadm.patch -# (fl) pam_xauth: set extra groups because in high security levels -# access to /usr/X11R6/bin dir is controlled by a group -##Patch512: Linux-PAM-1.1.1-xauth-groups.patch # (tv/blino) add defaults for nice/rtprio in /etc/security/limits.conf Patch517: Linux-PAM-0.99.3.0-enable_rt.patch 
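Review bot: Twelve Red Hat patches from the 1.1.8 build (`pam-1.1.8-full-relro.patch`, `pam-1.1.8-audit-grantor.patch`, `pam-1.1.8-audit-user-mgmt.patch`, `pam-1.1.8-canonicalize-username.patch`, `pam-1.1.8-loginuid-container.patch`, …) are dropped here with no note on where their fixes went; the replacement set (`pam-1.2.0-redhat-modules.patch`, `pam-1.2.0-fix-running-in-containers.patch`, `pam-1.2.0-unix-no-fallback.patch`, `pam-1.2.1-faillock.patch`) looks like the series carried on top of upstream 1.2.x, which suggests the rest were merged upstream, but that is an inference the spec should state. A one-line comment above the list, `# pam-1.1.8-{audit-*,canonicalize-username,loginuid-container,...}.patch are upstream since 1.2.0`, would make the drop auditable. `pam-1.1.8-full-relro.patch` deserves a separate check: unless the distro's default LDFLAGS or upstream's build already pass `-z relro -z now`, the privileged helper binaries this package builds (pwhistory_helper is added by Patch43) lose that hardening.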
@@ -81,15 +66,14 @@ Patch700: pam_fix_static_pam_console.patch Patch701: pam-1.1.0-console-nopermsd.patch # (proyvind): add missing constant that went with rpc removal from glibc 2.14 Patch702: Linux-PAM-1.1.4-add-now-missing-nis-constant.patch +Patch703: Linux-PAM-0.99.11-pbuild-rh.patch # (akdengi) add user to default group users which need for Samba Patch801: Linux-PAM-1.1.4-group_add_users.patch -Patch802: pam-CVE-2014-2583.patch -Patch803: pam-CVE-2013-7041.patch -Patch804: pam-1.1.8-pbuild.patch + # (din) use html2text instead of w3m -Patch805: pam-1.1.8-browser.patch +Patch805: pam-1.3.0-browser.patch %if %{with selinux} BuildRequires: selinux-devel >= 2.1.6-7 @@ -278,24 +262,24 @@ install -m644 %{SOURCE501} %{SOURCE502} modules/pam_tty_audit/ %build autoreconf -fi %configure2_5x \ - --sbindir=/sbin \ - --libdir=/%{_lib} \ - --includedir=%{_includedir}/security \ - --with-db-uniquename=_nss \ - --docdir=%{_docdir}/%{name} \ - --disable-static \ - --enable-cracklib \ + --sbindir=/sbin \ + --libdir=/%{_lib} \ + --includedir=%{_includedir}/security \ + --with-db-uniquename=_nss \ + --docdir=%{_docdir}/%{name} \ + --disable-static \ + --enable-cracklib \ %if %{with prelude} - --enable-prelude \ + --enable-prelude \ %else - --disable-prelude \ + --disable-prelude \ %endif %if %{with selinux} - --enable-selinux \ + --enable-selinux \ %else - --disable-selinux \ + --disable-selinux \ %endif - --enable-audit + --enable-audit %make %install
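Review bot: `pam-CVE-2013-7041.patch` and `pam-CVE-2014-2583.patch` are removed (Patch802/Patch803) without a word of justification; the deleted files name the upstream commits 57a1e2b and 9dcead8, dated January and March 2014, so they are plausibly contained in Linux-PAM 1.3.0, but the spec should record that, e.g. `# CVE-2013-7041 (pam_userdb) and CVE-2014-2583 (pam_timestamp) are fixed upstream since 1.2.0`, and the claim is worth verifying against the 1.3.0 tarball before shipping. The new `Patch703: Linux-PAM-0.99.11-pbuild-rh.patch` is named as if it were a 0.99.11-era patch while the package is now at Version 1.3.0 and its sibling in the same hunk was renamed to `pam-1.3.0-browser.patch`; naming it `pam-1.3.0-pbuild-rh.patch` keeps the series consistent with the release it applies to.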