diff --git a/.abf.yml b/.abf.yml index 60eb8ed..03f2e9c 100644 --- a/.abf.yml +++ b/.abf.yml @@ -1,3 +1,5 @@ +removed_sources: + Linux-PAM-1.1.4.tar.bz2: 4634b09f9e059f384ce69dbaa4a67f88bef5cf7b sources: - "Linux-PAM-1.1.4.tar.bz2": 4634b09f9e059f384ce69dbaa4a67f88bef5cf7b - "pam-redhat-0.99.10-1.tar.bz2": 09e618edc5dcda9a6eb435a31db742afca673ae1 + Linux-PAM-1.1.8.tar.bz2: f8ce53c67363f78d520392fa1c253c4978058be1 + pam-redhat-0.99.10-1.tar.bz2: 09e618edc5dcda9a6eb435a31db742afca673ae1 diff --git a/90-nproc.conf b/90-nproc.conf new file mode 100644 index 0000000..104dffd --- /dev/null +++ b/90-nproc.conf @@ -0,0 +1,6 @@ +# Default limit for number of user's processes to prevent +# accidental fork bombs. +# See rhbz #432903 for reasoning. + +* soft nproc 1024 +root soft nproc unlimited diff --git a/Linux-PAM-1.1.1-xauth-groups.patch b/Linux-PAM-1.1.1-xauth-groups.patch index 2d9a59c..6abc9c3 100644 --- a/Linux-PAM-1.1.1-xauth-groups.patch +++ b/Linux-PAM-1.1.1-xauth-groups.patch @@ -1,5 +1,5 @@ ---- modules/pam_xauth/pam_xauth.c 2010-10-08 13:56:11.000000000 +0200 -+++ modules/pam_xauth/pam_xauth.c.oden 2010-11-03 11:23:06.714312576 +0100 +--- a/modules/pam_xauth/pam_xauth.c 2010-10-08 13:56:11.000000000 +0200 ++++ b/modules/pam_xauth/pam_xauth.c.oden 2010-11-03 11:23:06.714312576 +0100 @@ -90,7 +90,7 @@ static const char * const xauthpaths[] = * given input on stdin, and storing any output it generates. */ static int diff --git a/Linux-PAM-1.1.4.tar.bz2.sign b/Linux-PAM-1.1.4.tar.bz2.sign deleted file mode 100644 index ed4c6f2..0000000 --- a/Linux-PAM-1.1.4.tar.bz2.sign +++ /dev/null @@ -1,8 +0,0 @@ ------BEGIN PGP SIGNATURE----- -Version: GnuPG v1.4.11 (GNU/Linux) -Comment: See http://www.kernel.org/signature.html for info - -iD8DBQBOBHzAyGugalF9Dw4RAvUUAJ0SfOT7ITyalk4JsmIe5tJSdIB5ygCfZ2ku -aHp5ptRfKYgWdlnFv+3F7H4= -=kqy6 ------END PGP SIGNATURE----- diff --git a/pam-0.99.3.0-README.update b/pam-0.99.3.0-README.update deleted file mode 100644 index bcc91bc..0000000 --- a/pam-0.99.3.0-README.update +++ /dev/null @@ -1,34 +0,0 @@ -PAM 0.99.3.0 update notes - -- pam_stack module depreciation - -The pam_stack module is now deprecated. It has to be replaced by -include directives in pam.d configuration files. pam_stack usage won't -make pam fail in this release, but it will be removed in a future -release, better avoid it. It's basically a matter of replacing -"required pam_stack.so service=" with "include ". - -This can't be automatically updated on system-edited configuration -files because it isn't always that simple. Some "sufficient" -directives in the included file may now occult directives that were -previously matched, in the same configuration phase -(auth/account/password/session). -So, the rules may have to be reordered, and the "include" directives -have often to be lowered at the bottom of each phase. - -See Fedora instructions and release notes for more details. -http://www.redhat.com/archives/fedora-devel-list/2005-October/msg00050.html -http://www.redhat.com/archives/fedora-devel-list/2005-October/msg00084.html -http://fedora.redhat.com/docs/release-notes/fc5/test2-latest-en/sn-package-notes.html - -- pam_pwdb dropped - -The pam_pwdb module has been obsolete for a couple of years now, it is -not anymore available in the pam package from Mandriva. -The pam_unix module has to be prefered. - -- services linked with pam - -Services linked with the old pam library have to be restarted once the -new pam package has been installed. -This includes services such as crond, xdm, gdm, kdm, samba. diff --git a/pam-0.99.8.1-11mdv2009.0-README.update b/pam-0.99.8.1-11mdv2009.0-README.update deleted file mode 100644 index 3bec023..0000000 --- a/pam-0.99.8.1-11mdv2009.0-README.update +++ /dev/null @@ -1,8 +0,0 @@ -PAM 0.99.8.1 update notes - -- pam_unix dropped - -The pam_unix module has been dropped in favour of the pam_tcb module and is -no longer available in the pam package from Mandriva. The pam_tcb module will -work with the TCB shadowing scheme or regular shadow passwords. It also provides -the ability to use blowfish passwords, rather than just md5 passwords. diff --git a/pam-1.1.2-noflex.patch b/pam-1.1.2-noflex.patch deleted file mode 100644 index fc96555..0000000 --- a/pam-1.1.2-noflex.patch +++ /dev/null @@ -1,27 +0,0 @@ -diff -up Linux-PAM-1.1.2/doc/Makefile.am.noflex Linux-PAM-1.1.2/doc/Makefile.am ---- Linux-PAM-1.1.2/doc/Makefile.am.noflex 2008-02-04 16:05:51.000000000 +0100 -+++ Linux-PAM-1.1.2/doc/Makefile.am 2010-09-20 10:40:59.000000000 +0200 -@@ -2,7 +2,7 @@ - # Copyright (c) 2005, 2006 Thorsten Kukuk - # - --SUBDIRS = man specs sag adg mwg -+SUBDIRS = man sag adg mwg - - CLEANFILES = *~ - -diff -up Linux-PAM-1.1.2/Makefile.am.noflex Linux-PAM-1.1.2/Makefile.am ---- Linux-PAM-1.1.2/Makefile.am.noflex 2010-07-08 14:04:19.000000000 +0200 -+++ Linux-PAM-1.1.2/Makefile.am 2010-09-20 10:04:56.000000000 +0200 -@@ -5,9 +5,9 @@ - AUTOMAKE_OPTIONS = 1.9 gnu dist-bzip2 check-news - - if STATIC_MODULES --SUBDIRS = modules libpam libpamc libpam_misc tests po conf doc examples xtests -+SUBDIRS = modules libpam libpamc libpam_misc tests po doc examples xtests - else --SUBDIRS = libpam tests libpamc libpam_misc modules po conf doc examples xtests -+SUBDIRS = libpam tests libpamc libpam_misc modules po doc examples xtests - endif - - CLEANFILES = *~ diff --git a/pam-1.1.5-limits-user.patch b/pam-1.1.5-limits-user.patch new file mode 100644 index 0000000..1890e4d --- /dev/null +++ b/pam-1.1.5-limits-user.patch @@ -0,0 +1,12 @@ +diff -up Linux-PAM-1.1.5/modules/pam_limits/limits.conf.limits Linux-PAM-1.1.5/modules/pam_limits/limits.conf +--- Linux-PAM-1.1.5/modules/pam_limits/limits.conf.limits 2011-06-21 11:04:56.000000000 +0200 ++++ Linux-PAM-1.1.5/modules/pam_limits/limits.conf 2011-12-21 09:09:17.000000000 +0100 +@@ -1,5 +1,8 @@ + # /etc/security/limits.conf + # ++#This file sets the resource limits for the users logged in via PAM. ++#It does not affect resource limits of the system services. ++# + #Each line describes a limit for a user in the form: + # + # diff --git a/pam-1.1.6-noflex.patch b/pam-1.1.6-noflex.patch new file mode 100644 index 0000000..6410a8d --- /dev/null +++ b/pam-1.1.6-noflex.patch @@ -0,0 +1,24 @@ +diff -up Linux-PAM-1.1.6/doc/Makefile.am.noflex Linux-PAM-1.1.6/doc/Makefile.am +--- Linux-PAM-1.1.6/doc/Makefile.am.noflex 2012-08-15 13:08:43.000000000 +0200 ++++ Linux-PAM-1.1.6/doc/Makefile.am 2012-08-17 14:13:11.904949748 +0200 +@@ -2,7 +2,7 @@ + # Copyright (c) 2005, 2006 Thorsten Kukuk + # + +-SUBDIRS = man specs sag adg mwg ++SUBDIRS = man sag adg mwg + + CLEANFILES = *~ + +diff -up Linux-PAM-1.1.6/Makefile.am.noflex Linux-PAM-1.1.6/Makefile.am +--- Linux-PAM-1.1.6/Makefile.am.noflex 2012-08-15 13:08:43.000000000 +0200 ++++ Linux-PAM-1.1.6/Makefile.am 2012-08-17 14:15:36.705359892 +0200 +@@ -4,7 +4,7 @@ + + AUTOMAKE_OPTIONS = 1.9 gnu dist-bzip2 check-news + +-SUBDIRS = libpam tests libpamc libpam_misc modules po conf doc examples xtests ++SUBDIRS = libpam tests libpamc libpam_misc modules po doc examples xtests + + CLEANFILES = *~ + diff --git a/pam-1.0.91-std-noclose.patch b/pam-1.1.6-std-noclose.patch similarity index 59% rename from pam-1.0.91-std-noclose.patch rename to pam-1.1.6-std-noclose.patch index 7359484..5c8640f 100644 --- a/pam-1.0.91-std-noclose.patch +++ b/pam-1.1.6-std-noclose.patch @@ -1,7 +1,7 @@ -diff -up Linux-PAM-1.0.91/modules/pam_mkhomedir/pam_mkhomedir.c.std-noclose Linux-PAM-1.0.91/modules/pam_mkhomedir/pam_mkhomedir.c ---- Linux-PAM-1.0.91/modules/pam_mkhomedir/pam_mkhomedir.c.std-noclose 2009-03-03 14:56:01.000000000 +0100 -+++ Linux-PAM-1.0.91/modules/pam_mkhomedir/pam_mkhomedir.c 2009-03-26 10:02:15.000000000 +0100 -@@ -131,13 +131,21 @@ create_homedir (pam_handle_t *pamh, int +diff -up Linux-PAM-1.1.6/modules/pam_mkhomedir/pam_mkhomedir.c.std-noclose Linux-PAM-1.1.6/modules/pam_mkhomedir/pam_mkhomedir.c +--- Linux-PAM-1.1.6/modules/pam_mkhomedir/pam_mkhomedir.c.std-noclose 2012-08-15 13:08:43.000000000 +0200 ++++ Linux-PAM-1.1.6/modules/pam_mkhomedir/pam_mkhomedir.c 2012-08-17 13:25:20.684075361 +0200 +@@ -133,13 +133,21 @@ create_homedir (pam_handle_t *pamh, opti if (child == 0) { int i; struct rlimit rlim; @@ -21,59 +21,13 @@ diff -up Linux-PAM-1.0.91/modules/pam_mkhomedir/pam_mkhomedir.c.std-noclose Linu rlim.rlim_max = MAX_FD_NO; - for (i=0; i < (int)rlim.rlim_max; i++) { + for (i = STDERR_FILENO + 1; i < (int)rlim.rlim_max; i++) { - close(i); + close(i); } } -diff -up Linux-PAM-1.0.91/modules/pam_unix/support.c.std-noclose Linux-PAM-1.0.91/modules/pam_unix/support.c ---- Linux-PAM-1.0.91/modules/pam_unix/support.c.std-noclose 2009-03-03 14:56:01.000000000 +0100 -+++ Linux-PAM-1.0.91/modules/pam_unix/support.c 2009-03-26 10:08:59.000000000 +0100 -@@ -443,13 +443,16 @@ static int _unix_run_helper_binary(pam_h - - /* reopen stdin as pipe */ - dup2(fds[0], STDIN_FILENO); -+ /* and replace also the stdout/err as the helper will -+ not write anything there */ -+ dup2(fds[1], STDOUT_FILENO); -+ dup2(fds[1], STDERR_FILENO); - - if (getrlimit(RLIMIT_NOFILE,&rlim)==0) { - if (rlim.rlim_max >= MAX_FD_NO) - rlim.rlim_max = MAX_FD_NO; -- for (i=0; i < (int)rlim.rlim_max; i++) { -- if (i != STDIN_FILENO) -- close(i); -+ for (i = STDERR_FILENO + 1; i < (int)rlim.rlim_max; i++) { -+ close(i); - } - } - -diff -up Linux-PAM-1.0.91/modules/pam_unix/pam_unix_passwd.c.std-noclose Linux-PAM-1.0.91/modules/pam_unix/pam_unix_passwd.c ---- Linux-PAM-1.0.91/modules/pam_unix/pam_unix_passwd.c.std-noclose 2009-03-03 14:56:01.000000000 +0100 -+++ Linux-PAM-1.0.91/modules/pam_unix/pam_unix_passwd.c 2009-03-26 10:07:06.000000000 +0100 -@@ -175,13 +175,16 @@ static int _unix_run_update_binary(pam_h - - /* reopen stdin as pipe */ - dup2(fds[0], STDIN_FILENO); -+ /* and replace also the stdout/err as the helper will -+ not write anything there */ -+ dup2(fds[1], STDOUT_FILENO); -+ dup2(fds[1], STDERR_FILENO); - - if (getrlimit(RLIMIT_NOFILE,&rlim)==0) { - if (rlim.rlim_max >= MAX_FD_NO) - rlim.rlim_max = MAX_FD_NO; -- for (i=0; i < (int)rlim.rlim_max; i++) { -- if (i != STDIN_FILENO) -- close(i); -+ for (i = STDERR_FILENO + 1; i < (int)rlim.rlim_max; i++) { -+ close(i); - } - } - -diff -up Linux-PAM-1.0.91/modules/pam_unix/pam_unix_acct.c.std-noclose Linux-PAM-1.0.91/modules/pam_unix/pam_unix_acct.c ---- Linux-PAM-1.0.91/modules/pam_unix/pam_unix_acct.c.std-noclose 2009-03-03 14:56:01.000000000 +0100 -+++ Linux-PAM-1.0.91/modules/pam_unix/pam_unix_acct.c 2009-03-26 10:05:41.000000000 +0100 -@@ -100,16 +100,18 @@ int _unix_run_verify_binary(pam_handle_t +diff -up Linux-PAM-1.1.6/modules/pam_unix/pam_unix_acct.c.std-noclose Linux-PAM-1.1.6/modules/pam_unix/pam_unix_acct.c +--- Linux-PAM-1.1.6/modules/pam_unix/pam_unix_acct.c.std-noclose 2012-08-15 13:08:43.000000000 +0200 ++++ Linux-PAM-1.1.6/modules/pam_unix/pam_unix_acct.c 2012-08-17 13:22:51.664560481 +0200 +@@ -105,16 +105,18 @@ int _unix_run_verify_binary(pam_handle_t /* reopen stdout as pipe */ dup2(fds[1], STDOUT_FILENO); @@ -96,3 +50,49 @@ diff -up Linux-PAM-1.0.91/modules/pam_unix/pam_unix_acct.c.std-noclose Linux-PAM } } +diff -up Linux-PAM-1.1.6/modules/pam_unix/pam_unix_passwd.c.std-noclose Linux-PAM-1.1.6/modules/pam_unix/pam_unix_passwd.c +--- Linux-PAM-1.1.6/modules/pam_unix/pam_unix_passwd.c.std-noclose 2012-08-15 13:08:43.000000000 +0200 ++++ Linux-PAM-1.1.6/modules/pam_unix/pam_unix_passwd.c 2012-08-17 14:10:38.917346789 +0200 +@@ -210,13 +210,16 @@ static int _unix_run_update_binary(pam_h + + /* reopen stdin as pipe */ + dup2(fds[0], STDIN_FILENO); ++ /* and replace also the stdout/err as the helper will ++ not write anything there */ ++ dup2(fds[1], STDOUT_FILENO); ++ dup2(fds[1], STDERR_FILENO); + + if (getrlimit(RLIMIT_NOFILE,&rlim)==0) { + if (rlim.rlim_max >= MAX_FD_NO) + rlim.rlim_max = MAX_FD_NO; +- for (i=0; i < (int)rlim.rlim_max; i++) { +- if (i != STDIN_FILENO) +- close(i); ++ for (i = STDERR_FILENO + 1; i < (int)rlim.rlim_max; i++) { ++ close(i); + } + } + +diff -up Linux-PAM-1.1.6/modules/pam_unix/support.c.std-noclose Linux-PAM-1.1.6/modules/pam_unix/support.c +--- Linux-PAM-1.1.6/modules/pam_unix/support.c.std-noclose 2012-08-15 13:08:43.000000000 +0200 ++++ Linux-PAM-1.1.6/modules/pam_unix/support.c 2012-08-17 14:12:10.833511475 +0200 +@@ -469,13 +469,16 @@ static int _unix_run_helper_binary(pam_h + + /* reopen stdin as pipe */ + dup2(fds[0], STDIN_FILENO); ++ /* and replace also the stdout/err as the helper will ++ not write anything there */ ++ dup2(fds[1], STDOUT_FILENO); ++ dup2(fds[1], STDERR_FILENO); + + if (getrlimit(RLIMIT_NOFILE,&rlim)==0) { + if (rlim.rlim_max >= MAX_FD_NO) + rlim.rlim_max = MAX_FD_NO; +- for (i=0; i < (int)rlim.rlim_max; i++) { +- if (i != STDIN_FILENO) +- close(i); ++ for (i = STDERR_FILENO + 1; i < (int)rlim.rlim_max; i++) { ++ close(i); + } + } + diff --git a/pam-1.1.7-tty-audit-init.patch b/pam-1.1.7-tty-audit-init.patch new file mode 100644 index 0000000..065a650 --- /dev/null +++ b/pam-1.1.7-tty-audit-init.patch @@ -0,0 +1,48 @@ +diff -up Linux-PAM-1.1.7/modules/pam_tty_audit/pam_tty_audit.c.tty-audit-init Linux-PAM-1.1.7/modules/pam_tty_audit/pam_tty_audit.c +--- Linux-PAM-1.1.7/modules/pam_tty_audit/pam_tty_audit.c.tty-audit-init 2013-08-28 10:53:40.000000000 +0200 ++++ Linux-PAM-1.1.7/modules/pam_tty_audit/pam_tty_audit.c 2013-10-04 14:51:19.944994905 +0200 +@@ -36,6 +36,7 @@ + USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH + DAMAGE. */ + ++#include "config.h" + #include + #include + #include +@@ -108,7 +109,7 @@ nl_recv (int fd, unsigned type, void *bu + struct msghdr msg; + struct nlmsghdr nlm; + struct iovec iov[2]; +- ssize_t res; ++ ssize_t res, resdiff; + + again: + iov[0].iov_base = &nlm; +@@ -160,12 +161,17 @@ nl_recv (int fd, unsigned type, void *bu + res = recvmsg (fd, &msg, 0); + if (res == -1) + return -1; +- if ((size_t)res != NLMSG_LENGTH (size) ++ resdiff = NLMSG_LENGTH(size) - (size_t)res; ++ if (resdiff < 0 + || nlm.nlmsg_type != type) + { + errno = EIO; + return -1; + } ++ else if (resdiff > 0) ++ { ++ memset((char *)buf + res, 0, resdiff); ++ } + return 0; + } + +@@ -275,6 +281,8 @@ pam_sm_open_session (pam_handle_t *pamh, + return PAM_SESSION_ERR; + } + ++ memcpy(&new_status, old_status, sizeof(new_status)); ++ + new_status.enabled = (command == CMD_ENABLE ? 1 : 0); + #ifdef HAVE_STRUCT_AUDIT_TTY_STATUS_LOG_PASSWD + new_status.log_passwd = log_passwd; diff --git a/pam-1.1.7-unix-build.patch b/pam-1.1.7-unix-build.patch new file mode 100644 index 0000000..d1f30d0 --- /dev/null +++ b/pam-1.1.7-unix-build.patch @@ -0,0 +1,34 @@ +diff -up Linux-PAM-1.1.5/modules/pam_unix/pam_unix_acct.c.build Linux-PAM-1.1.5/modules/pam_unix/pam_unix_acct.c +--- Linux-PAM-1.1.5/modules/pam_unix/pam_unix_acct.c.build 2012-07-23 18:46:27.709804094 +0200 ++++ Linux-PAM-1.1.5/modules/pam_unix/pam_unix_acct.c 2012-07-23 18:46:27.764805293 +0200 +@@ -47,6 +47,8 @@ + #include /* for time() */ + #include + #include ++#include ++#include + + #include + +diff -up Linux-PAM-1.1.5/modules/pam_unix/pam_unix_passwd.c.build Linux-PAM-1.1.5/modules/pam_unix/pam_unix_passwd.c +--- Linux-PAM-1.1.5/modules/pam_unix/pam_unix_passwd.c.build 2012-07-23 18:55:16.433314731 +0200 ++++ Linux-PAM-1.1.5/modules/pam_unix/pam_unix_passwd.c 2012-07-23 18:54:48.064697131 +0200 +@@ -53,6 +53,7 @@ + #include + #include + #include ++#include + #include + + #include +diff -up Linux-PAM-1.1.5/modules/pam_unix/support.c.build Linux-PAM-1.1.5/modules/pam_unix/support.c +--- Linux-PAM-1.1.5/modules/pam_unix/support.c.build 2012-07-23 18:46:27.000000000 +0200 ++++ Linux-PAM-1.1.5/modules/pam_unix/support.c 2012-07-23 18:54:23.645165507 +0200 +@@ -18,6 +18,7 @@ + #include + #include + #include ++#include + #include + #ifdef HAVE_RPCSVC_YPCLNT_H + #include diff --git a/pam.spec b/pam.spec index 3cf6bbb..eecddb0 100644 --- a/pam.spec +++ b/pam.spec @@ -18,8 +18,8 @@ Epoch: 1 Summary: A security tool which provides authentication for applications Name: pam -Version: 1.1.4 -Release: 17 +Version: 1.1.8 +Release: 1 # The library is BSD licensed with option to relicense as GPLv2+ - this option is redundant # as the BSD license allows that anyway. pam_timestamp and pam_console modules are GPLv2+, License: BSD and GPLv2+ @@ -28,32 +28,34 @@ Url: http://www.kernel.org/pub/linux/libs/pam/index.html Source0: ftp://ftp.kernel.org/pub/linux/libs/pam/library/Linux-PAM-%{version}.tar.bz2 Source1: ftp://ftp.kernel.org/pub/linux/libs/pam/library/Linux-PAM-%{version}.tar.bz2.sign Source2: pam-redhat-%{pam_redhat_version}.tar.bz2 -Source3: pam-0.99.3.0-README.update -Source4: pam-0.99.8.1-11mdv2009.0-README.update Source5: other.pamd Source6: system-auth.pamd Source7: config-util.pamd Source8: dlopen.sh Source9: system-auth.5 Source10: config-util.5 -Source11: postlogin.pamd -Source12: postlogin.5 -Source13: pamtmp.conf +Source11: postlogin.pamd +Source12: postlogin.5 +Source13: pamtmp.conf +Source14: 90-nproc.conf #add missing documentation Source501: pam_tty_audit.8 Source502: README # RedHat patches -Patch1: pam-1.0.90-redhat-modules.patch -Patch2: pam-1.0.91-std-noclose.patch -Patch4: pam-1.1.0-console-nochmod.patch -Patch5: pam-1.1.0-notally.patch -Patch7: pam-1.1.0-console-fixes.patch -Patch9: pam-1.1.2-noflex.patch -Patch10: pam-1.1.3-nouserenv.patch -Patch11: pam-1.1.3-console-abstract.patch +Patch1: pam-1.0.90-redhat-modules.patch +Patch2: pam-1.1.6-std-noclose.patch +Patch4: pam-1.1.0-console-nochmod.patch +Patch5: pam-1.1.0-notally.patch +Patch7: pam-1.1.0-console-fixes.patch +Patch9: pam-1.1.6-noflex.patch +Patch10: pam-1.1.3-nouserenv.patch +Patch11: pam-1.1.3-console-abstract.patch +Patch13: pam-1.1.5-limits-user.patch +Patch22: pam-1.1.7-unix-build.patch +Patch32: pam-1.1.7-tty-audit-init.patch -# Mandriva specific sources/patches +# ROSA specific sources/patches # (fl) fix infinite loop Patch507: pam-0.74-loop.patch # (fc) 0.75-29mdk don't complain when / is owned by root.adm @@ -99,6 +101,8 @@ Requires(pre): rpm-helper Requires(post): coreutils Requires(post): tcb >= 1.0.2-16 Conflicts: %{_lib}pam0 < 1.1.4-5 +Requires: libpwquality >= 0.9.9 + %description PAM (Pluggable Authentication Modules) is a system security tool that @@ -158,35 +162,7 @@ This package contains the development libraries for %{name}. # Add custom modules. mv pam-redhat-%{pam_redhat_version}/* modules -# (RH) -%patch1 -p1 -b .redhat-modules -%patch2 -p1 -b .std-noclose -%patch4 -p1 -b .nochmod -%patch5 -p1 -b .notally -%patch7 -p1 -b .console-fixes -%patch9 -p1 -b .noflex -%patch10 -p1 -b .nouserenv -%patch11 -p1 -b .abstract - -# (Mandriva) -%patch507 -p1 -b .loop -%patch508 -p1 -b .pamtimestampadm -%patch512 -p0 -b .xauth-groups -%patch517 -p1 -b .enable_rt -%patch521 -p1 -b .pbuild-rh -%patch700 -p1 -b .static -%patch701 -p1 -b .nopermsd -%patch702 -p1 -b .nis_const~ -%patch801 -p1 -b .group_users - -# 08/08/2008 - vdanen - make pam provide pam_unix until we can work out all the issues in pam_tcb; this -# just makes things easier but is not meant to be a permanent solution -## Remove unwanted modules; pam_tcb provides pam_unix now -#for d in pam_unix; do -# rm -rf modules/$d -# sed -i "s,modules/$d/Makefile,," configure.in -# sed -i "s/ $d / /" modules/Makefile.am -#done +%apply_patches install -m644 %{SOURCE501} %{SOURCE502} modules/pam_tty_audit/ @@ -195,8 +171,6 @@ for readme in modules/pam_*/README ; do cp -f ${readme} doc/txts/README.`dirname ${readme} | sed -e 's|^modules/||'` done -cp %{SOURCE4} README.0.99.8.1.update.urpmi - #libtoolize -cf autoreconf -ifs -I m4 @@ -209,7 +183,8 @@ CFLAGS="$RPM_OPT_FLAGS -fPIC -I%{_includedir}/db_nss -D_GNU_SOURCE" \ --includedir=%{_includedir}/security \ --with-db-uniquename=_nss \ --docdir=%{_docdir}/%{name} \ - --disable-selinux + --disable-selinux \ + --disable-prelude %make %install @@ -224,6 +199,7 @@ install -m 644 %{SOURCE11} %{buildroot}/etc/pam.d/postlogin install -m 600 /dev/null %{buildroot}%{_sysconfdir}/security/opasswd install -d -m 755 %{buildroot}/var/log install -m 600 /dev/null %{buildroot}/var/log/tallylog +install -m 644 %{SOURCE14} %{buildroot}%{_sysconfdir}/security/limits.d/90-nproc.conf # Install man pages. install -m 644 %{SOURCE9} %{SOURCE10} %{SOURCE12} %{buildroot}%{_mandir}/man5/ @@ -285,7 +261,7 @@ if [ -f /etc/login.defs ] && ! grep -q USE_TCB /etc/login.defs; then fi %files -f Linux-PAM.lang -%doc NEWS README.0.99.8.1.update.urpmi +%doc NEWS %docdir %{_docdir}/%{name} %dir /etc/pam.d %config(noreplace) /etc/environment @@ -310,6 +286,7 @@ fi %config(noreplace) %{_sysconfdir}/security/pam_env.conf %config(noreplace) %{_sysconfdir}/security/time.conf %config(noreplace) %{_sysconfdir}/security/opasswd +%config(noreplace) %{_sysconfdir}/security/limits.d/90-nproc.conf %dir %{_sysconfdir}/security/console.apps %dir %{_sysconfdir}/security/console.perms.d %dir /%{_lib}/security diff --git a/password-auth.pamd b/password-auth.pamd new file mode 100644 index 0000000..2e01bf9 --- /dev/null +++ b/password-auth.pamd @@ -0,0 +1,18 @@ +#%PAM-1.0 +# This file is auto-generated. +# User changes will be destroyed the next time authconfig is run. +auth required pam_env.so +auth sufficient pam_unix.so try_first_pass nullok +auth required pam_deny.so + +account required pam_unix.so + +password requisite pam_pwquality.so try_first_pass local_users_only retry=3 authtok_type= +password sufficient pam_unix.so try_first_pass use_authtok nullok sha512 shadow +password required pam_deny.so + +session optional pam_keyinit.so revoke +session required pam_limits.so +-session optional pam_systemd.so +session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid +session required pam_unix.so diff --git a/smartcard-auth.pamd b/smartcard-auth.pamd new file mode 100644 index 0000000..e5b57e3 --- /dev/null +++ b/smartcard-auth.pamd @@ -0,0 +1,19 @@ +#%PAM-1.0 +# This file is auto-generated. +# User changes will be destroyed the next time authconfig is run. +auth required pam_env.so +auth [success=done ignore=ignore default=die] pam_pkcs11.so wait_for_card +auth required pam_deny.so + +account required pam_unix.so +account sufficient pam_localuser.so +account sufficient pam_succeed_if.so uid < 500 quiet +account required pam_permit.so + +password optional pam_pkcs11.so + +session optional pam_keyinit.so revoke +session required pam_limits.so +-session optional pam_systemd.so +session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid +session required pam_unix.so diff --git a/system-auth.5 b/system-auth.5 index 1300ec8..c0ca80b 100644 --- a/system-auth.5 +++ b/system-auth.5 @@ -1,39 +1,58 @@ -.TH SYSTEM-AUTH 5 "2006 Feb 3" "Red Hat" "Linux-PAM Manual" +.TH SYSTEM-AUTH 5 "2010 Dec 22" "Red Hat" "Linux-PAM Manual" .SH NAME system-auth \- Common configuration file for PAMified services .SH SYNOPSIS .B /etc/pam.d/system-auth +.B /etc/pam.d/password-auth +.B /etc/pam.d/fingerprint-auth +.B /etc/pam.d/smartcard-auth .sp 2 .SH DESCRIPTION -The purpose of this configuration file is to provide common -configuration file for all applications and service daemons -calling PAM library. +The purpose of these configuration files are to provide a common +interface for all applications and service daemons calling into +the PAM library. .sp -The \fBsystem-auth\fR configuration file is included from all individual service configuration -files with the help of the \fBinclude\fR directive. +The +.BR system-auth +configuration file is included from nearly all individual service configuration +files with the help of the +.BR substack +directive. + +.sp +The +.BR password-auth +.BR fingerprint-auth +.BR smartcard-auth +configuration files are for applications which handle authentication from +different types of devices via simultaneously running individual conversations +instead of one aggregate conversation. .SH NOTES -There should be no \fBsufficient\fR modules in the \fBsession\fR -part of \fBsystem-auth\fR file because individual services may add session modules after -\fBinclude\fR of the \fBsystem-auth\fR file. Execution of these modules would be skipped if there were sufficient -modules in \fBsystem-auth\fR file. - -.sp -Conversely there should not be any modules after -\fBinclude\fR directive in the individual service files in -\fBauth\fR, \fBaccount\fR and \fBpassword\fR -sections otherwise they could be bypassed. +Previously these common configuration files were included with the help +of the +.BR include +directive. This limited the use of the different action types of modules. +With the use of +.BR substack +directive to include these common configuration files this limitation +no longer applies. .SH BUGS .sp 2 None known. .SH "SEE ALSO" -\fBpam\fR(8), \fBconfig-util\fR(5) +pam(8), config-util(5), postlogin(5) -The three \fBLinux-PAM\fR Guides, for \fBsystem administrators\fR, -\fBmodule developers\fR, and \fBapplication developers\fR. +The three +.BR Linux-PAM +Guides, for +.BR "system administrators" ", " +.BR "module developers" ", " +and +.BR "application developers" ". " diff --git a/system-auth.pamd b/system-auth.pamd index 1621a47..2e01bf9 100644 --- a/system-auth.pamd +++ b/system-auth.pamd @@ -1,13 +1,14 @@ #%PAM-1.0 - +# This file is auto-generated. +# User changes will be destroyed the next time authconfig is run. auth required pam_env.so auth sufficient pam_unix.so try_first_pass nullok auth required pam_deny.so account required pam_unix.so -#password required pam_cracklib.so try_first_pass retry=3 -password sufficient pam_unix.so try_first_pass nullok sha512 shadow +password requisite pam_pwquality.so try_first_pass local_users_only retry=3 authtok_type= +password sufficient pam_unix.so try_first_pass use_authtok nullok sha512 shadow password required pam_deny.so session optional pam_keyinit.so revoke