From 5490f0133da58f8facfdb803185e48781bee867d Mon Sep 17 00:00:00 2001 From: akdengi Date: Wed, 11 Dec 2013 12:07:07 +0400 Subject: [PATCH 1/3] SILENT clean spec --- pam.spec | 551 ------------------------------------------------------- 1 file changed, 551 deletions(-) diff --git a/pam.spec b/pam.spec index a61368e..3cf6bbb 100644 --- a/pam.spec +++ b/pam.spec @@ -340,554 +340,3 @@ fi %files doc %doc doc/txts doc/specs/rfc86.0.txt Copyright - - -%changelog -* Wed May 23 2012 Per Øyvind Karlsen 1.1.4-9 -+ Revision: 800224 -- add a versioned conflicts to deal with pam modules having been moved out of - library package, ensuring that the library package doesn't get upgraded - independent of the pam package which now ships the modules which would lead - to modules possibly missing and anything using pam left broken - -* Sun Apr 29 2012 Per Øyvind Karlsen 1.1.4-8 -+ Revision: 794382 -- pam files *really* shouldn't be config(noreplace) but rather %%config, otherwise - upgrades where these files has changed between releases will very easily turn - fugly (TODO: post RFC about this as a policy and implement rpmlint check to - enforce it) - -* Fri Mar 09 2012 Per Øyvind Karlsen 1.1.4-7 -+ Revision: 783687 -- rebuild to get rid of false devel() dependency in main package - -* Wed Mar 07 2012 Per Øyvind Karlsen 1.1.4-6 -+ Revision: 782601 -- fix module subdirectory test -- fix assumption of dlopen.sh being executable (which will no longer be true as - all files packaged with src.rpms are now always given 644 for attributes) -- rebuild with internal dependency generator - - + Matthew Dawkins - - rebuild for db_nss - - moved security modules to main pkg - - split up libs into individual pkgs - - cleaned up spec - -* Tue Dec 13 2011 Oden Eriksson 1.1.4-4 -+ Revision: 740745 -- delete the libtool *.la files -- attempt to relink against db_nss-devel 5.2.x - - + Per Øyvind Karlsen - - no need for removing .la files, it's done automatically by spec-helper now - - apply some cosmetics - - use %%{EVRD} macro - - drop obsolete obsoletes ;) - - ditch bogus provides - - fix broken check for USE_TCB in /etc/login.defs making script always run - -* Sat Sep 03 2011 Tomasz Pawel Gajc 1.1.4-2 -+ Revision: 698188 -- enable systemd pam suport (since udev-173 ther is no more udev_acl, and systemd takes over ACL) - -* Tue Jul 19 2011 Per Øyvind Karlsen 1.1.4-1 -+ Revision: 690602 -- new release - -* Tue Jul 19 2011 Per Øyvind Karlsen 1.1.3-4 -+ Revision: 690600 -- remove obsolete/deprecated rpm stuff -- check if /etc/login.defs exists before trying to open it in scriptlet - -* Wed May 04 2011 Oden Eriksson 1.1.3-3 -+ Revision: 666974 -- mass rebuild - - + Per Øyvind Karlsen - - work around ordering issue by moving %%post script to %%posttrans - -* Wed Nov 03 2010 Oden Eriksson 1.1.3-1mdv2011.0 -+ Revision: 592873 -- 1.1.3 -- sync patches with pam-1.1.3-1.fc15.src.rpm -- rediffed P512 - -* Mon Mar 15 2010 Oden Eriksson 1.1.1-2mdv2010.1 -+ Revision: 519980 -- rebuilt against audit-2 libs - -* Wed Dec 30 2009 Frederik Himpe 1.1.1-1mdv2010.1 -+ Revision: 484161 -- Update to new version 1.1.1 -- Remove authok patch: integrated upstream -- Rediff xauth groups patch -- Don't run libtoolize: it breaks build -- drop tests for not pulling in libpthread like in Fedora (as NPTL - should be safe and pam_userdb now links to libpthread on x86_64) - -* Tue Oct 06 2009 Frederic Crozat 1.1.0-6mdv2010.0 -+ Revision: 454902 -- Patch701: do not complain if there is no files in /etc/security/console.perms.d/ - -* Sun Sep 27 2009 Olivier Blin 1.1.0-5mdv2010.0 -+ Revision: 450211 -- fix crash on some archs, pam is building with static all functions - with is plain wrong, this tends to make pam_comsole_apply - unhappy/crashing (from Arnaud Patard) - -* Tue Sep 08 2009 Frederic Crozat 1.1.0-4mdv2010.0 -+ Revision: 433622 -- Patch4 (Fedora): do not chmod tty on login/login with pam_console anymore -- Patch5 (Fedora): drop pam_tally, use pam_tally2 instead - -* Thu Aug 27 2009 Frederic Crozat 1.1.0-3mdv2010.0 -+ Revision: 421690 -- Patch3 (Fedora): fix for pam_cracklib from upstream - -* Mon Jul 27 2009 Frederic Crozat 1.1.0-2mdv2010.0 -+ Revision: 400600 -- remove default rules for console.perms, device ownership should not change anymore - -* Mon Jul 27 2009 Frederic Crozat 1.1.0-1mdv2010.0 -+ Revision: 400582 -- Release 1.1.0 -- no longer change devices ownership based on console privilege, handled by consolekit now (remove source500, patches 500, 501) - -* Sun May 10 2009 Frederik Himpe 1.0.92-1mdv2010.0 -+ Revision: 374099 -- Remove verbose limits patch: a similar change was implemented upstream -- Update to new version Linux-PAM 1.0.92 and pam-redhat 0.99.10-1 -- Resync patches with Fedora -- Rediff xauth-groups patch -- Remove man page typo fix, noselinux and bid 34010 patches - (integrated upstream) -- Don't conflict with libselinux-devel and use --disable-selinux in - configure call -- Disable verbose call patch for now, upstream code has changed too - -* Thu Apr 16 2009 Frederik Himpe 0.99.8.1-20mdv2009.1 -+ Revision: 367795 -- Disable fork option for pam_tcb, to reflect the change made in set_tcb - -* Mon Mar 30 2009 Frederic Crozat 0.99.8.1-19mdv2009.1 -+ Revision: 362380 -- Add console for raw1394 (Mdv bug #47622) - -* Thu Mar 19 2009 Frederik Himpe 0.99.8.1-18mdv2009.1 -+ Revision: 358110 -- Add upstream patch fixing security issue (Bugtraq ID 34010) - -* Sun Mar 08 2009 Michael Scherer 0.99.8.1-17mdv2009.1 -+ Revision: 352736 -- fix build by updating libtool script -- update patch 32 -- rediff patch 31 - - + Antoine Ginies - - rebuild - -* Tue Aug 12 2008 Vincent Danen 0.99.8.1-16mdv2009.0 -+ Revision: 271144 -- call set_tcb in %%post and require tcb itself as a result - -* Tue Aug 12 2008 Olivier Blin 0.99.8.1-15mdv2009.0 -+ Revision: 271055 -- move pam_tcb conflict in the proper lib package (#42709) - -* Mon Aug 11 2008 Olivier Blin 0.99.8.1-14mdv2009.0 -+ Revision: 270658 -- conflict with old tcb package that contained pam_unix - -* Sat Aug 09 2008 Vincent Danen 0.99.8.1-13mdv2009.0 -+ Revision: 270079 -- require new pam_tcb release - require specific setup version for the shadow group - restore old pam_unix and its symlinks - ensure system-auth permissions and ownership - -* Thu Aug 07 2008 Thierry Vignaud 0.99.8.1-12mdv2009.0 -+ Revision: 265321 -- rebuild early 2009.0 package (before pixel changes) - - + Oden Eriksson - - unset BROWSER - - + Pixel - - do not call ldconfig in %%post/%%postun, it is now handled by filetriggers - -* Thu May 22 2008 Vincent Danen 0.99.8.1-11mdv2009.0 -+ Revision: 210056 -- libpam conflicts with pam < 0.99.8.1-10mdv -- dropped the system-auth migration as per blino -- restored the 0.99.3.1 README -- renamed and trimmed the 0.99.8.1-11mdv README - -* Tue May 20 2008 Vincent Danen 0.99.8.1-10mdv2009.0 -+ Revision: 209289 -- gracefully handle non-standard system-auth configurations to replace pam_unix with pam_tcb (for instances like using ldap for auth, etc.) which, if not done correctly or immediately, could result in local accounts being locked out - -* Mon May 19 2008 Vincent Danen 0.99.8.1-9mdv2009.0 -+ Revision: 209172 -- add -D_GNU_SOURCE to $CFLAGS in order to compile pam_console and pam_timestamp -- requires pam_tcb -- buildrequires glibc-crypt_blowfish-devel -- don't build pam_unix; pam_tcb provides it -- unix_chkpwd and unix_update are no longer required without pam_unix -- clean up system-auth(5) -- update system-auth to use pam_tcb -- updated the Mandriva-specific README - -* Fri Jan 18 2008 Frederic Crozat 0.99.8.1-8mdv2008.1 -+ Revision: 154727 -- Update license info based on fedora specfile -- Update patches 25, 44 with latest version from fedora -- Remove patch26, merged into patch25 -- Patch42, 43 (Fedora): don't use pam_console to change device ownership, rely on HAL ACL now -- Patch46 (Fedora): fix in operator (Fedora #295151) -- Patch47 (Fedora): fix invalid free on xauth module -- Patch48 (Fedora): add support for substack include -- Patch49, 50 (Fedora): add tty_audio module -- Patch523: fix build when SELinux is disabled -- Source501, 502 : add missing documentation from tarball -- Resync system-auth file with Fedora - -* Fri Dec 21 2007 Oden Eriksson 0.99.8.1-7mdv2008.1 -+ Revision: 136256 -- link against the bdb 4.6.x assembly-mutex-only db (buchan) - - + Thierry Vignaud - - kill re-definition of %%buildroot on Pixel's request - - + Marcelo Ricardo Leitner - - As Blino pointed out, we can do Requires(post): coreutils as coreutils - currently just "Requires: pam", with no specific order. - This also fix a bug in the previous "fix" that would make the /dev/null - device be copied instead of creating a blank file. - - Do not use the install utility on %%post section because we can't require - coreutils as coreutils already requires us. So replace install calls by - cp -a and chmod ones, fixing without introducing a circular dependency. - -* Thu Sep 20 2007 Frederic Crozat 0.99.8.1-6mdv2008.0 -+ Revision: 91448 -- Update patch24 with latest fedora version -- Patch25 (Fedora): do not ask for blank password when SELinux confined (Fedora #254044) - -* Wed Sep 12 2007 Anssi Hannula 0.99.8.1-5mdv2008.0 -+ Revision: 84662 -- show 0.99.3.0 notes only when upgrading from an older version - -* Mon Sep 10 2007 Olivier Blin 0.99.8.1-4mdv2008.0 -+ Revision: 84153 -- make evdev mouse devices owned by console user (fix synclient, #32955) - -* Mon Sep 03 2007 Frederic Crozat 0.99.8.1-3mdv2008.0 -+ Revision: 78627 -- Update patches 40 & 5 with latest version from RH (Fix Mdv bug #32741) -- Patch44 (RH): fix homedir init with namespace module - -* Mon Aug 13 2007 Olivier Blin 0.99.8.1-2mdv2008.0 -+ Revision: 62485 -- add scanner devices in the usb group (#29489, #29562) -- make sure devices are accessible by their group if specified in console.perms (#29489) -- remove mode definitions from mdvperms patch (will be done by a one-liner in the spec) -- restore console settings for lp class (wrongly removed in 0.99.6.0 rediff, #29562) -- move lp class in 50-mandriva.perms -- add compatibility symlinks for pam_unix_{auth,acct,passwd,session}.so -- add /etc/security/opasswd file -- add more module checks in check section (from Fedora) -- move checks in check section -- properly include /var/log/faillog and tallylog as ghosts and create them in post script (from Fedora) -- add user and new instance parameters to namespace init (from Fedora) -- fix typo in man pages -- enable libaudit -- rediff mdv perms patch -- do not log an audit error when uid != 0 (from Fedora) -- update to pam-redhat-0.99.8-1 -- adapt to new devel library policy -- add signature -- rename sources to match RH spec file -- remove useless chmod - -* Tue Jul 24 2007 Olivier Blin 0.99.8.1-1mdv2008.0 -+ Revision: 55033 -- 0.99.8.1 -- update RH patches -- package /sbin/unix_update -- remove old packaging hacks -- use new doc directory policy - -* Sat Jul 21 2007 David Walluck 0.99.7.1-3mdv2008.0 -+ Revision: 54187 -- add config-util.pamd - - -* Wed Feb 07 2007 Olivier Blin 0.99.7.1-2mdv2007.0 -+ Revision: 117173 -- mark doc dir as docdir -- fix doc installation -- update pam_redhat to 0.99.7-1 -- allow more X displays as consoles (RH #227462) - -* Wed Jan 24 2007 Olivier Blin 0.99.7.1-1mdv2007.1 -+ Revision: 112870 -- 0.99.7.1 - -* Tue Jan 23 2007 Olivier Blin 0.99.7.0-1mdv2007.1 -+ Revision: 112280 -- 0.99.7.0 - -* Fri Oct 20 2006 Olivier Blin 0.99.6.3-1mdv2007.1 -+ Revision: 71373 -- link pam_userdb with db4 (#26242 and #26572) -- pam_loginuid is now in upstream sources -- remove console reset patch, now handled upstream -- 0.99.6.3 - -* Sat Sep 16 2006 Olivier Blin 0.99.6.0-3mdv2007.0 -+ Revision: 61618 -- 0.99.6.0-3mdv -- chown IR remote controls devices to console user (Anssi Hannula, #24785) -- add /dev/scd* /dev/sg* /dev/cdrw* /dev/dvdrw* in burner devices list (#25371 and #24541) - -* Wed Aug 30 2006 Olivier Blin 0.99.6.0-2mdv2007.0 -+ Revision: 58719 -- bump release -- make cdrom devices owned by cdrom group - - + Anssi Hannula - - add /dev/input/by-path/*-joystick to class (fixes #23775) - - make class devices accessible by audio group (fixes #24300) - - make and class devices accessible by video group (fixes #24786) - -* Fri Aug 11 2006 Olivier Blin 0.99.6.0-1mdv2007.0 -+ Revision: 55258 -- use ndbm from db1 to build pam_userdb -- drop html, ps and pdf doc (pdf doc would require Apache's fop to be packaged) -- make doc/txts directory (not provided upstream anymore) -- namespace.init is now provided upstream -- drop more sgml hacks (sgml not used upstream anymore) -- remove pam-0.77-use_uid.patch (fixed upstream) -- remove pam_keyinit patches (merged upstream) -- remove pam-0.99.5.0-access-gai.patch (applied upstream) -- remove pam-0.99.4.0-succif-service.patch (merged upstream) -- remove sgml2latex patch, it doesn't apply anymore since xml is used instead of sgml in 0.99.6.0 -- 0.99.6.0 -- really use pam-redhat-0.99.6-1 -- remove patch merged in pam-redhat 0.99.6-1 -- revoke keyrings properly when pam_keyinit called more than once (RH) -- don't log pam_keyinit debug messages by default -- drop ainit from console.handlers (RH) -- add pam_keyinit to the default system-auth file (RH) -- fixed network match in pam_access (from Redhat) -- sync with pam-redhat 0.99.6-1 (and rediff mdvperms, RH merged a lot of our permissions) -- import pam-0.99.5.0-2mdv2007.0 - -* Tue Jul 04 2006 Olivier Blin 0.99.5.0-2mdv2007.0 -- Source500: add ttyACM* devices in the serial class (#23190) -- Patch83 (from Fedora): add service as value to be matched and list - matching to pam_succeed_if -- use upstream redhat-modules patch - -* Thu Jun 29 2006 Olivier Blin 0.99.5.0-1mdv2007.0 -- 0.99.5.0 -- Patch523: temporary patch to add namespace.init, which is missing from dist - (extracted from RH old namespace patch) -- package namespace files in /etc/security -- Patch84 (from RH): pam_console_apply shouldn't access /var when called with -r - -* Thu Jun 29 2006 Olivier Blin 0.99.4.0-1mdv2007.0 -- 0.99.4.0 -- from Fedora: - o pam-0.99.4.0-redhat-modules - o pam-redhat-0.99.5-1 - o add system-auth and config-util man pages -- drop Patch523 and all pwdb bits -- drop glib2-devel BuildRequires (pam_console_apply don't need it anymore) -- rediff Patch500 (mdv perms) -- drop Patch520 (merged upstream) -- don't check for userdb module, we don't built it - (it requires an internal libdb copy) -- package pam_tally2 - -* Thu Feb 02 2006 Olivier Blin 0.99.3.0-6mdk -- update instructions in the README.update.urpmi file (Source4) - -* Wed Feb 01 2006 Thierry Vignaud 0.99.3.0-5mdk -- patch 500: - o fix firewire perms (#20270) - o fix printer perms (#13013) - -* Mon Jan 30 2006 Olivier Blin 0.99.3.0-4mdk -- don't build prelude (#20896) -- Patch523: allow to disable pwdb -- disable pam_pwdb -- make unix_chkpwd setuid root again -- Source2: remove hardcoded /lib/security in source - (even if spec-helper fixes it later) -- don't add video group in %%pre, it's already in the setup package -- remove hardcoded workaround for a (more than) 2 years-old pam -- more BuildRequires fixes: drop autoconf2.1, use glib2-devel - (thanks to Stefan van der Eijk) -- rpmbuildupdatable -- Source4: README.update.urpmi - -* Sat Jan 28 2006 Olivier Blin 0.99.3.0-3mdk -- BuildRequires automake1.8 (Stefan van der Eijk) -- fix again Patch517 (use real patch name) -- fix typo in modules installation test - -* Sat Jan 28 2006 Olivier Blin 0.99.3.0-2mdk -- BuildConflicts with libselinux-devel (#20871) -- don't test if modules/pam_selinux is built, we don't want it -- Patch517: fix typo in limits.conf (Andrey Borzenkov, #20872) -- BuildRequires openssl-devel (#20874) -- Patch511: use pam_syslog instead of old _pam_log in pam_limits - (Andrey Borzenkov, #20876) -- BuildRequires prelude-devel - -* Sat Jan 28 2006 Olivier Blin 0.99.3.0-1mdk -- 0.99.3.0 -- sync with RH (all of their others patches are either merged upstream, - or useless in Mandriva, such as SE Linux): - o drop Patch39 (wasn't needed for 0.77) - o drop Patch[0,1,2,3,5,6,7,8,9,11,12,13,14,15,16,17,18,19,20], - Patch[22,23,24,25,26,27,30,31,32,33,35,36,37,40] and Source4 - (dropped during 0.78 upgrade) - o drop Patch29 (dropped during 0.79 upgrade) - o drop Patch4 (dropped during 0.80 upgrade) - o rediff Patch21 - o don't use fakeroot anymore - o don't enable static-pam - o drop Patch10 (dropped during 0.99.2.1 upgrade) - o rediff Patch34 - o fix descriptions -- rediff Patch500, and split out Mandriva-specific perms in Source500 - (installed as 50-mandriva.perms) -- remove devfs-style paths in Patch500/Source500 -- drop Patch502 (dead X problem fixed otherwise upstream) -- drop Patch503 (we don't need pam_console_apply_devfsd) -- rediff Patch504 (drop merged parts), Patch508, Patch512 -- drop Patch506 (not required anymore to detect cracklib dicts on x86_64) -- drop Patch507 (tty name not found fixed otherwise upstream) -- drop Patch509 (fixed upstream) -- drop Patch513 (fixed otherwise upstream, should still work with lsb-test-pam) -- drop Patch514 (kill pam_console_setowner, pam_console_apply should be used) -- drop Patch515 (/etc/environment test fixed upstream) -- drop Patch516 (RT now supported upstream) -- rediff Patch517 (apply on limits.conf, use new rtprio keyword instead of - previous rt_priority) -- drop Patch518 (build with gcc 4 works fine now) -- add comments about ghost patches -- Patch520 and Patch521: fix parallel build -- Patch522: ensure that sgml2txt worked -- package new security/console.handlers and security/console.perms.d/ -- package pam_filter/upperLOWER -- package libpamc -- package security/chroot.conf -- package lang files -- don't package pwdb_chkpwd -- more description fixes - -* Thu Jan 26 2006 Olivier Blin 0.77-37mdk -- handle permissions for /dev/bus/usb - -* Tue Jan 24 2006 Olivier Blin 0.77-36mdk -- fix permissions for more DVB devices (merge Patch520 in Patch500) - -* Mon Jan 23 2006 Olivier Blin 0.77-35mdk -- update Patch514 to handle multiple arguments in pam_console_setowner, - (from Andrey Borzenkov, #20269, it's about reimplementing recent - pam_console_apply in our weird pam_console_setowner) -- use requires instead of prereq for pam-doc - -* Tue Jan 10 2006 Thierry Vignaud 0.77-34mdk -- patch 520: set perms for DVB devices (#14688) - -* Fri Jan 06 2006 Oden Eriksson 0.77-33mdk -- drop selinux (P60) -- removed two hunks from P40 (required the selinux patch applied) -- dropped P62 (required the selinux patch applied) -- rebuilt against a non selinux enabled pwdb lib (thanks stefan) - -* Wed Oct 05 2005 Gwenole Beauchesne 0.77-32mdk -- fix build on ppc64 - -* Tue Sep 20 2005 Frederic Lepied 0.77-31mdk -- fix uninitialized variable user (aka fix crash on C3) - -* Sun Jul 31 2005 Couriousous 0.77-30mdk -- Don't apply 64bit patch ( fix #16961 ) - -* Wed Jun 22 2005 Frederic Lepied 0.77-29mdk -- fixed dependencies - -* Mon May 16 2005 Thierry Vignaud 0.77-28mdk -- patch 516: add support for RT/nice rlimit settings (kernel-2.6.12+) -- patch 517: enable new RT privileges for audio group in limits.conf -- patch 518: fix build with gcc-4.0 - -* Thu Apr 07 2005 Frederic Crozat 0.77-27mdk -- Update Patch500 to add /dev/zip* and /dev/jaz* as zip/jaz group for - console privilege - -* Thu Sep 30 2004 Frederic Lepied 0.77-26mdk -- give access to /dev/nvram in ro for console users -- handle /dev/dri* and /dev/nvidia the same way in startx and *dm modes. - -* Tue Sep 21 2004 Frederic Lepied 0.77-25mdk -- pam_env: don't abort if /etc/environment isn't present (Oded Arbel) -- fix BuildRequires (Oded Arbel) -- create an empty /etc/environment -- add USB joystick devices to console.perms (bug #11190) - -* Fri Sep 17 2004 Gwenole Beauchesne 0.77-24mdk -- really build pam_console_apply_devfs against glib-1.2 - -* Sat Sep 11 2004 Frederic Lepied 0.77-23mdk -- fixed debug code in pam_console_apply_devfsd -- added a way to debug pam_console_setowner by setting PAM_DEBUG env variable -- don't apply patch63 to have console.lock at the usual place - -* Fri Sep 10 2004 Frederic Lepied 0.77-22mdk -- implement pam_console_setowner for udev - -* Thu Sep 09 2004 Frederic Crozat 0.77-21mdk -- add sr* to cdrom group - -* Wed Sep 08 2004 Frederic Lepied 0.77-20mdk -- fixed lookup when a group or a user doesn't exist (bug #11256) -- fixed the group of audio devices when nobody is connected - -* Tue Aug 24 2004 Frederic Lepied 0.77-19mdk -- added /dev/rfcomm* /dev/ircomm* to serial group (Fred Crozat) - -* Tue Aug 24 2004 Frederic Lepied 0.77-18mdk -- put back group in console.perms - -* Tue Aug 24 2004 Frederic Lepied 0.77-17mdk -- manage dri files perm (bug #10876 ) -- manage perm of /dev/raw1394 (bug #9240) -- console.perms more group friendly (bug #3033) -- merged with rh 0.77-54 - -* Wed Jul 28 2004 Frederic Crozat 0.77-16mdk -- Update patch16 to give console permissions to rfcomm devices - -* Tue Jul 06 2004 Frederic Lepied 0.77-15mdk -- fixed typo in provides for devel package - -* Sat Jul 03 2004 Stew Benedict 0.77-14mdk -- patch for lsb2 lsb-test-pam compliance (patch513) - -* Mon Jun 14 2004 Per Øyvind Karlsen 0.77-13mdk -- fix buildrequires -- fix provides -- cosmetics - -* Tue Feb 24 2004 Frederic Lepied 0.77-12mdk -- console.perms: /proc/usb => /proc/bus/usb (Marcel Pol) [bug #8285] - -* Thu Feb 19 2004 Frederic Lepied 0.77-11mdk -- added a trigger to be able to upgrade - From f4bec3e6288c0fae7fd6a187a9a0ab0336a47225 Mon Sep 17 00:00:00 2001 From: akdengi Date: Tue, 21 Jan 2014 14:49:16 +0400 Subject: [PATCH 2/3] 1.8.0 --- .abf.yml | 6 +- 90-nproc.conf | 6 + Linux-PAM-1.1.1-xauth-groups.patch | 4 +- Linux-PAM-1.1.4.tar.bz2.sign | 8 -- pam-0.99.3.0-README.update | 34 ------ pam-0.99.8.1-11mdv2009.0-README.update | 8 -- pam-1.1.2-noflex.patch | 27 ----- pam-1.1.5-limits-user.patch | 12 ++ pam-1.1.6-noflex.patch | 24 ++++ ...close.patch => pam-1.1.6-std-noclose.patch | 110 +++++++++--------- pam-1.1.7-tty-audit-init.patch | 48 ++++++++ pam-1.1.7-unix-build.patch | 34 ++++++ pam.spec | 69 ++++------- password-auth.pamd | 18 +++ smartcard-auth.pamd | 19 +++ system-auth.5 | 57 ++++++--- system-auth.pamd | 7 +- 17 files changed, 286 insertions(+), 205 deletions(-) create mode 100644 90-nproc.conf delete mode 100644 Linux-PAM-1.1.4.tar.bz2.sign delete mode 100644 pam-0.99.3.0-README.update delete mode 100644 pam-0.99.8.1-11mdv2009.0-README.update delete mode 100644 pam-1.1.2-noflex.patch create mode 100644 pam-1.1.5-limits-user.patch create mode 100644 pam-1.1.6-noflex.patch rename pam-1.0.91-std-noclose.patch => pam-1.1.6-std-noclose.patch (59%) create mode 100644 pam-1.1.7-tty-audit-init.patch create mode 100644 pam-1.1.7-unix-build.patch create mode 100644 password-auth.pamd create mode 100644 smartcard-auth.pamd diff --git a/.abf.yml b/.abf.yml index 60eb8ed..03f2e9c 100644 --- a/.abf.yml +++ b/.abf.yml @@ -1,3 +1,5 @@ +removed_sources: + Linux-PAM-1.1.4.tar.bz2: 4634b09f9e059f384ce69dbaa4a67f88bef5cf7b sources: - "Linux-PAM-1.1.4.tar.bz2": 4634b09f9e059f384ce69dbaa4a67f88bef5cf7b - "pam-redhat-0.99.10-1.tar.bz2": 09e618edc5dcda9a6eb435a31db742afca673ae1 + Linux-PAM-1.1.8.tar.bz2: f8ce53c67363f78d520392fa1c253c4978058be1 + pam-redhat-0.99.10-1.tar.bz2: 09e618edc5dcda9a6eb435a31db742afca673ae1 diff --git a/90-nproc.conf b/90-nproc.conf new file mode 100644 index 0000000..104dffd --- /dev/null +++ b/90-nproc.conf @@ -0,0 +1,6 @@ +# Default limit for number of user's processes to prevent +# accidental fork bombs. +# See rhbz #432903 for reasoning. + +* soft nproc 1024 +root soft nproc unlimited diff --git a/Linux-PAM-1.1.1-xauth-groups.patch b/Linux-PAM-1.1.1-xauth-groups.patch index 2d9a59c..6abc9c3 100644 --- a/Linux-PAM-1.1.1-xauth-groups.patch +++ b/Linux-PAM-1.1.1-xauth-groups.patch @@ -1,5 +1,5 @@ ---- modules/pam_xauth/pam_xauth.c 2010-10-08 13:56:11.000000000 +0200 -+++ modules/pam_xauth/pam_xauth.c.oden 2010-11-03 11:23:06.714312576 +0100 +--- a/modules/pam_xauth/pam_xauth.c 2010-10-08 13:56:11.000000000 +0200 ++++ b/modules/pam_xauth/pam_xauth.c.oden 2010-11-03 11:23:06.714312576 +0100 @@ -90,7 +90,7 @@ static const char * const xauthpaths[] = * given input on stdin, and storing any output it generates. */ static int diff --git a/Linux-PAM-1.1.4.tar.bz2.sign b/Linux-PAM-1.1.4.tar.bz2.sign deleted file mode 100644 index ed4c6f2..0000000 --- a/Linux-PAM-1.1.4.tar.bz2.sign +++ /dev/null @@ -1,8 +0,0 @@ ------BEGIN PGP SIGNATURE----- -Version: GnuPG v1.4.11 (GNU/Linux) -Comment: See http://www.kernel.org/signature.html for info - -iD8DBQBOBHzAyGugalF9Dw4RAvUUAJ0SfOT7ITyalk4JsmIe5tJSdIB5ygCfZ2ku -aHp5ptRfKYgWdlnFv+3F7H4= -=kqy6 ------END PGP SIGNATURE----- diff --git a/pam-0.99.3.0-README.update b/pam-0.99.3.0-README.update deleted file mode 100644 index bcc91bc..0000000 --- a/pam-0.99.3.0-README.update +++ /dev/null @@ -1,34 +0,0 @@ -PAM 0.99.3.0 update notes - -- pam_stack module depreciation - -The pam_stack module is now deprecated. It has to be replaced by -include directives in pam.d configuration files. pam_stack usage won't -make pam fail in this release, but it will be removed in a future -release, better avoid it. It's basically a matter of replacing -"required pam_stack.so service=" with "include ". - -This can't be automatically updated on system-edited configuration -files because it isn't always that simple. Some "sufficient" -directives in the included file may now occult directives that were -previously matched, in the same configuration phase -(auth/account/password/session). -So, the rules may have to be reordered, and the "include" directives -have often to be lowered at the bottom of each phase. - -See Fedora instructions and release notes for more details. -http://www.redhat.com/archives/fedora-devel-list/2005-October/msg00050.html -http://www.redhat.com/archives/fedora-devel-list/2005-October/msg00084.html -http://fedora.redhat.com/docs/release-notes/fc5/test2-latest-en/sn-package-notes.html - -- pam_pwdb dropped - -The pam_pwdb module has been obsolete for a couple of years now, it is -not anymore available in the pam package from Mandriva. -The pam_unix module has to be prefered. - -- services linked with pam - -Services linked with the old pam library have to be restarted once the -new pam package has been installed. -This includes services such as crond, xdm, gdm, kdm, samba. diff --git a/pam-0.99.8.1-11mdv2009.0-README.update b/pam-0.99.8.1-11mdv2009.0-README.update deleted file mode 100644 index 3bec023..0000000 --- a/pam-0.99.8.1-11mdv2009.0-README.update +++ /dev/null @@ -1,8 +0,0 @@ -PAM 0.99.8.1 update notes - -- pam_unix dropped - -The pam_unix module has been dropped in favour of the pam_tcb module and is -no longer available in the pam package from Mandriva. The pam_tcb module will -work with the TCB shadowing scheme or regular shadow passwords. It also provides -the ability to use blowfish passwords, rather than just md5 passwords. diff --git a/pam-1.1.2-noflex.patch b/pam-1.1.2-noflex.patch deleted file mode 100644 index fc96555..0000000 --- a/pam-1.1.2-noflex.patch +++ /dev/null @@ -1,27 +0,0 @@ -diff -up Linux-PAM-1.1.2/doc/Makefile.am.noflex Linux-PAM-1.1.2/doc/Makefile.am ---- Linux-PAM-1.1.2/doc/Makefile.am.noflex 2008-02-04 16:05:51.000000000 +0100 -+++ Linux-PAM-1.1.2/doc/Makefile.am 2010-09-20 10:40:59.000000000 +0200 -@@ -2,7 +2,7 @@ - # Copyright (c) 2005, 2006 Thorsten Kukuk - # - --SUBDIRS = man specs sag adg mwg -+SUBDIRS = man sag adg mwg - - CLEANFILES = *~ - -diff -up Linux-PAM-1.1.2/Makefile.am.noflex Linux-PAM-1.1.2/Makefile.am ---- Linux-PAM-1.1.2/Makefile.am.noflex 2010-07-08 14:04:19.000000000 +0200 -+++ Linux-PAM-1.1.2/Makefile.am 2010-09-20 10:04:56.000000000 +0200 -@@ -5,9 +5,9 @@ - AUTOMAKE_OPTIONS = 1.9 gnu dist-bzip2 check-news - - if STATIC_MODULES --SUBDIRS = modules libpam libpamc libpam_misc tests po conf doc examples xtests -+SUBDIRS = modules libpam libpamc libpam_misc tests po doc examples xtests - else --SUBDIRS = libpam tests libpamc libpam_misc modules po conf doc examples xtests -+SUBDIRS = libpam tests libpamc libpam_misc modules po doc examples xtests - endif - - CLEANFILES = *~ diff --git a/pam-1.1.5-limits-user.patch b/pam-1.1.5-limits-user.patch new file mode 100644 index 0000000..1890e4d --- /dev/null +++ b/pam-1.1.5-limits-user.patch @@ -0,0 +1,12 @@ +diff -up Linux-PAM-1.1.5/modules/pam_limits/limits.conf.limits Linux-PAM-1.1.5/modules/pam_limits/limits.conf +--- Linux-PAM-1.1.5/modules/pam_limits/limits.conf.limits 2011-06-21 11:04:56.000000000 +0200 ++++ Linux-PAM-1.1.5/modules/pam_limits/limits.conf 2011-12-21 09:09:17.000000000 +0100 +@@ -1,5 +1,8 @@ + # /etc/security/limits.conf + # ++#This file sets the resource limits for the users logged in via PAM. ++#It does not affect resource limits of the system services. ++# + #Each line describes a limit for a user in the form: + # + # diff --git a/pam-1.1.6-noflex.patch b/pam-1.1.6-noflex.patch new file mode 100644 index 0000000..6410a8d --- /dev/null +++ b/pam-1.1.6-noflex.patch @@ -0,0 +1,24 @@ +diff -up Linux-PAM-1.1.6/doc/Makefile.am.noflex Linux-PAM-1.1.6/doc/Makefile.am +--- Linux-PAM-1.1.6/doc/Makefile.am.noflex 2012-08-15 13:08:43.000000000 +0200 ++++ Linux-PAM-1.1.6/doc/Makefile.am 2012-08-17 14:13:11.904949748 +0200 +@@ -2,7 +2,7 @@ + # Copyright (c) 2005, 2006 Thorsten Kukuk + # + +-SUBDIRS = man specs sag adg mwg ++SUBDIRS = man sag adg mwg + + CLEANFILES = *~ + +diff -up Linux-PAM-1.1.6/Makefile.am.noflex Linux-PAM-1.1.6/Makefile.am +--- Linux-PAM-1.1.6/Makefile.am.noflex 2012-08-15 13:08:43.000000000 +0200 ++++ Linux-PAM-1.1.6/Makefile.am 2012-08-17 14:15:36.705359892 +0200 +@@ -4,7 +4,7 @@ + + AUTOMAKE_OPTIONS = 1.9 gnu dist-bzip2 check-news + +-SUBDIRS = libpam tests libpamc libpam_misc modules po conf doc examples xtests ++SUBDIRS = libpam tests libpamc libpam_misc modules po doc examples xtests + + CLEANFILES = *~ + diff --git a/pam-1.0.91-std-noclose.patch b/pam-1.1.6-std-noclose.patch similarity index 59% rename from pam-1.0.91-std-noclose.patch rename to pam-1.1.6-std-noclose.patch index 7359484..5c8640f 100644 --- a/pam-1.0.91-std-noclose.patch +++ b/pam-1.1.6-std-noclose.patch @@ -1,7 +1,7 @@ -diff -up Linux-PAM-1.0.91/modules/pam_mkhomedir/pam_mkhomedir.c.std-noclose Linux-PAM-1.0.91/modules/pam_mkhomedir/pam_mkhomedir.c ---- Linux-PAM-1.0.91/modules/pam_mkhomedir/pam_mkhomedir.c.std-noclose 2009-03-03 14:56:01.000000000 +0100 -+++ Linux-PAM-1.0.91/modules/pam_mkhomedir/pam_mkhomedir.c 2009-03-26 10:02:15.000000000 +0100 -@@ -131,13 +131,21 @@ create_homedir (pam_handle_t *pamh, int +diff -up Linux-PAM-1.1.6/modules/pam_mkhomedir/pam_mkhomedir.c.std-noclose Linux-PAM-1.1.6/modules/pam_mkhomedir/pam_mkhomedir.c +--- Linux-PAM-1.1.6/modules/pam_mkhomedir/pam_mkhomedir.c.std-noclose 2012-08-15 13:08:43.000000000 +0200 ++++ Linux-PAM-1.1.6/modules/pam_mkhomedir/pam_mkhomedir.c 2012-08-17 13:25:20.684075361 +0200 +@@ -133,13 +133,21 @@ create_homedir (pam_handle_t *pamh, opti if (child == 0) { int i; struct rlimit rlim; @@ -21,59 +21,13 @@ diff -up Linux-PAM-1.0.91/modules/pam_mkhomedir/pam_mkhomedir.c.std-noclose Linu rlim.rlim_max = MAX_FD_NO; - for (i=0; i < (int)rlim.rlim_max; i++) { + for (i = STDERR_FILENO + 1; i < (int)rlim.rlim_max; i++) { - close(i); + close(i); } } -diff -up Linux-PAM-1.0.91/modules/pam_unix/support.c.std-noclose Linux-PAM-1.0.91/modules/pam_unix/support.c ---- Linux-PAM-1.0.91/modules/pam_unix/support.c.std-noclose 2009-03-03 14:56:01.000000000 +0100 -+++ Linux-PAM-1.0.91/modules/pam_unix/support.c 2009-03-26 10:08:59.000000000 +0100 -@@ -443,13 +443,16 @@ static int _unix_run_helper_binary(pam_h - - /* reopen stdin as pipe */ - dup2(fds[0], STDIN_FILENO); -+ /* and replace also the stdout/err as the helper will -+ not write anything there */ -+ dup2(fds[1], STDOUT_FILENO); -+ dup2(fds[1], STDERR_FILENO); - - if (getrlimit(RLIMIT_NOFILE,&rlim)==0) { - if (rlim.rlim_max >= MAX_FD_NO) - rlim.rlim_max = MAX_FD_NO; -- for (i=0; i < (int)rlim.rlim_max; i++) { -- if (i != STDIN_FILENO) -- close(i); -+ for (i = STDERR_FILENO + 1; i < (int)rlim.rlim_max; i++) { -+ close(i); - } - } - -diff -up Linux-PAM-1.0.91/modules/pam_unix/pam_unix_passwd.c.std-noclose Linux-PAM-1.0.91/modules/pam_unix/pam_unix_passwd.c ---- Linux-PAM-1.0.91/modules/pam_unix/pam_unix_passwd.c.std-noclose 2009-03-03 14:56:01.000000000 +0100 -+++ Linux-PAM-1.0.91/modules/pam_unix/pam_unix_passwd.c 2009-03-26 10:07:06.000000000 +0100 -@@ -175,13 +175,16 @@ static int _unix_run_update_binary(pam_h - - /* reopen stdin as pipe */ - dup2(fds[0], STDIN_FILENO); -+ /* and replace also the stdout/err as the helper will -+ not write anything there */ -+ dup2(fds[1], STDOUT_FILENO); -+ dup2(fds[1], STDERR_FILENO); - - if (getrlimit(RLIMIT_NOFILE,&rlim)==0) { - if (rlim.rlim_max >= MAX_FD_NO) - rlim.rlim_max = MAX_FD_NO; -- for (i=0; i < (int)rlim.rlim_max; i++) { -- if (i != STDIN_FILENO) -- close(i); -+ for (i = STDERR_FILENO + 1; i < (int)rlim.rlim_max; i++) { -+ close(i); - } - } - -diff -up Linux-PAM-1.0.91/modules/pam_unix/pam_unix_acct.c.std-noclose Linux-PAM-1.0.91/modules/pam_unix/pam_unix_acct.c ---- Linux-PAM-1.0.91/modules/pam_unix/pam_unix_acct.c.std-noclose 2009-03-03 14:56:01.000000000 +0100 -+++ Linux-PAM-1.0.91/modules/pam_unix/pam_unix_acct.c 2009-03-26 10:05:41.000000000 +0100 -@@ -100,16 +100,18 @@ int _unix_run_verify_binary(pam_handle_t +diff -up Linux-PAM-1.1.6/modules/pam_unix/pam_unix_acct.c.std-noclose Linux-PAM-1.1.6/modules/pam_unix/pam_unix_acct.c +--- Linux-PAM-1.1.6/modules/pam_unix/pam_unix_acct.c.std-noclose 2012-08-15 13:08:43.000000000 +0200 ++++ Linux-PAM-1.1.6/modules/pam_unix/pam_unix_acct.c 2012-08-17 13:22:51.664560481 +0200 +@@ -105,16 +105,18 @@ int _unix_run_verify_binary(pam_handle_t /* reopen stdout as pipe */ dup2(fds[1], STDOUT_FILENO); @@ -96,3 +50,49 @@ diff -up Linux-PAM-1.0.91/modules/pam_unix/pam_unix_acct.c.std-noclose Linux-PAM } } +diff -up Linux-PAM-1.1.6/modules/pam_unix/pam_unix_passwd.c.std-noclose Linux-PAM-1.1.6/modules/pam_unix/pam_unix_passwd.c +--- Linux-PAM-1.1.6/modules/pam_unix/pam_unix_passwd.c.std-noclose 2012-08-15 13:08:43.000000000 +0200 ++++ Linux-PAM-1.1.6/modules/pam_unix/pam_unix_passwd.c 2012-08-17 14:10:38.917346789 +0200 +@@ -210,13 +210,16 @@ static int _unix_run_update_binary(pam_h + + /* reopen stdin as pipe */ + dup2(fds[0], STDIN_FILENO); ++ /* and replace also the stdout/err as the helper will ++ not write anything there */ ++ dup2(fds[1], STDOUT_FILENO); ++ dup2(fds[1], STDERR_FILENO); + + if (getrlimit(RLIMIT_NOFILE,&rlim)==0) { + if (rlim.rlim_max >= MAX_FD_NO) + rlim.rlim_max = MAX_FD_NO; +- for (i=0; i < (int)rlim.rlim_max; i++) { +- if (i != STDIN_FILENO) +- close(i); ++ for (i = STDERR_FILENO + 1; i < (int)rlim.rlim_max; i++) { ++ close(i); + } + } + +diff -up Linux-PAM-1.1.6/modules/pam_unix/support.c.std-noclose Linux-PAM-1.1.6/modules/pam_unix/support.c +--- Linux-PAM-1.1.6/modules/pam_unix/support.c.std-noclose 2012-08-15 13:08:43.000000000 +0200 ++++ Linux-PAM-1.1.6/modules/pam_unix/support.c 2012-08-17 14:12:10.833511475 +0200 +@@ -469,13 +469,16 @@ static int _unix_run_helper_binary(pam_h + + /* reopen stdin as pipe */ + dup2(fds[0], STDIN_FILENO); ++ /* and replace also the stdout/err as the helper will ++ not write anything there */ ++ dup2(fds[1], STDOUT_FILENO); ++ dup2(fds[1], STDERR_FILENO); + + if (getrlimit(RLIMIT_NOFILE,&rlim)==0) { + if (rlim.rlim_max >= MAX_FD_NO) + rlim.rlim_max = MAX_FD_NO; +- for (i=0; i < (int)rlim.rlim_max; i++) { +- if (i != STDIN_FILENO) +- close(i); ++ for (i = STDERR_FILENO + 1; i < (int)rlim.rlim_max; i++) { ++ close(i); + } + } + diff --git a/pam-1.1.7-tty-audit-init.patch b/pam-1.1.7-tty-audit-init.patch new file mode 100644 index 0000000..065a650 --- /dev/null +++ b/pam-1.1.7-tty-audit-init.patch @@ -0,0 +1,48 @@ +diff -up Linux-PAM-1.1.7/modules/pam_tty_audit/pam_tty_audit.c.tty-audit-init Linux-PAM-1.1.7/modules/pam_tty_audit/pam_tty_audit.c +--- Linux-PAM-1.1.7/modules/pam_tty_audit/pam_tty_audit.c.tty-audit-init 2013-08-28 10:53:40.000000000 +0200 ++++ Linux-PAM-1.1.7/modules/pam_tty_audit/pam_tty_audit.c 2013-10-04 14:51:19.944994905 +0200 +@@ -36,6 +36,7 @@ + USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH + DAMAGE. */ + ++#include "config.h" + #include + #include + #include +@@ -108,7 +109,7 @@ nl_recv (int fd, unsigned type, void *bu + struct msghdr msg; + struct nlmsghdr nlm; + struct iovec iov[2]; +- ssize_t res; ++ ssize_t res, resdiff; + + again: + iov[0].iov_base = &nlm; +@@ -160,12 +161,17 @@ nl_recv (int fd, unsigned type, void *bu + res = recvmsg (fd, &msg, 0); + if (res == -1) + return -1; +- if ((size_t)res != NLMSG_LENGTH (size) ++ resdiff = NLMSG_LENGTH(size) - (size_t)res; ++ if (resdiff < 0 + || nlm.nlmsg_type != type) + { + errno = EIO; + return -1; + } ++ else if (resdiff > 0) ++ { ++ memset((char *)buf + res, 0, resdiff); ++ } + return 0; + } + +@@ -275,6 +281,8 @@ pam_sm_open_session (pam_handle_t *pamh, + return PAM_SESSION_ERR; + } + ++ memcpy(&new_status, old_status, sizeof(new_status)); ++ + new_status.enabled = (command == CMD_ENABLE ? 1 : 0); + #ifdef HAVE_STRUCT_AUDIT_TTY_STATUS_LOG_PASSWD + new_status.log_passwd = log_passwd; diff --git a/pam-1.1.7-unix-build.patch b/pam-1.1.7-unix-build.patch new file mode 100644 index 0000000..d1f30d0 --- /dev/null +++ b/pam-1.1.7-unix-build.patch @@ -0,0 +1,34 @@ +diff -up Linux-PAM-1.1.5/modules/pam_unix/pam_unix_acct.c.build Linux-PAM-1.1.5/modules/pam_unix/pam_unix_acct.c +--- Linux-PAM-1.1.5/modules/pam_unix/pam_unix_acct.c.build 2012-07-23 18:46:27.709804094 +0200 ++++ Linux-PAM-1.1.5/modules/pam_unix/pam_unix_acct.c 2012-07-23 18:46:27.764805293 +0200 +@@ -47,6 +47,8 @@ + #include /* for time() */ + #include + #include ++#include ++#include + + #include + +diff -up Linux-PAM-1.1.5/modules/pam_unix/pam_unix_passwd.c.build Linux-PAM-1.1.5/modules/pam_unix/pam_unix_passwd.c +--- Linux-PAM-1.1.5/modules/pam_unix/pam_unix_passwd.c.build 2012-07-23 18:55:16.433314731 +0200 ++++ Linux-PAM-1.1.5/modules/pam_unix/pam_unix_passwd.c 2012-07-23 18:54:48.064697131 +0200 +@@ -53,6 +53,7 @@ + #include + #include + #include ++#include + #include + + #include +diff -up Linux-PAM-1.1.5/modules/pam_unix/support.c.build Linux-PAM-1.1.5/modules/pam_unix/support.c +--- Linux-PAM-1.1.5/modules/pam_unix/support.c.build 2012-07-23 18:46:27.000000000 +0200 ++++ Linux-PAM-1.1.5/modules/pam_unix/support.c 2012-07-23 18:54:23.645165507 +0200 +@@ -18,6 +18,7 @@ + #include + #include + #include ++#include + #include + #ifdef HAVE_RPCSVC_YPCLNT_H + #include diff --git a/pam.spec b/pam.spec index 3cf6bbb..14e4a00 100644 --- a/pam.spec +++ b/pam.spec @@ -18,8 +18,8 @@ Epoch: 1 Summary: A security tool which provides authentication for applications Name: pam -Version: 1.1.4 -Release: 17 +Version: 1.1.8 +Release: 1 # The library is BSD licensed with option to relicense as GPLv2+ - this option is redundant # as the BSD license allows that anyway. pam_timestamp and pam_console modules are GPLv2+, License: BSD and GPLv2+ @@ -28,32 +28,34 @@ Url: http://www.kernel.org/pub/linux/libs/pam/index.html Source0: ftp://ftp.kernel.org/pub/linux/libs/pam/library/Linux-PAM-%{version}.tar.bz2 Source1: ftp://ftp.kernel.org/pub/linux/libs/pam/library/Linux-PAM-%{version}.tar.bz2.sign Source2: pam-redhat-%{pam_redhat_version}.tar.bz2 -Source3: pam-0.99.3.0-README.update -Source4: pam-0.99.8.1-11mdv2009.0-README.update Source5: other.pamd Source6: system-auth.pamd Source7: config-util.pamd Source8: dlopen.sh Source9: system-auth.5 Source10: config-util.5 -Source11: postlogin.pamd -Source12: postlogin.5 -Source13: pamtmp.conf +Source11: postlogin.pamd +Source12: postlogin.5 +Source13: pamtmp.conf +Source14: 90-nproc.conf #add missing documentation Source501: pam_tty_audit.8 Source502: README # RedHat patches -Patch1: pam-1.0.90-redhat-modules.patch -Patch2: pam-1.0.91-std-noclose.patch -Patch4: pam-1.1.0-console-nochmod.patch -Patch5: pam-1.1.0-notally.patch -Patch7: pam-1.1.0-console-fixes.patch -Patch9: pam-1.1.2-noflex.patch -Patch10: pam-1.1.3-nouserenv.patch -Patch11: pam-1.1.3-console-abstract.patch +Patch1: pam-1.0.90-redhat-modules.patch +Patch2: pam-1.1.6-std-noclose.patch +Patch4: pam-1.1.0-console-nochmod.patch +Patch5: pam-1.1.0-notally.patch +Patch7: pam-1.1.0-console-fixes.patch +Patch9: pam-1.1.6-noflex.patch +Patch10: pam-1.1.3-nouserenv.patch +Patch11: pam-1.1.3-console-abstract.patch +Patch13: pam-1.1.5-limits-user.patch +Patch22: pam-1.1.7-unix-build.patch +Patch32: pam-1.1.7-tty-audit-init.patch -# Mandriva specific sources/patches +# ROSA specific sources/patches # (fl) fix infinite loop Patch507: pam-0.74-loop.patch # (fc) 0.75-29mdk don't complain when / is owned by root.adm @@ -158,35 +160,7 @@ This package contains the development libraries for %{name}. # Add custom modules. mv pam-redhat-%{pam_redhat_version}/* modules -# (RH) -%patch1 -p1 -b .redhat-modules -%patch2 -p1 -b .std-noclose -%patch4 -p1 -b .nochmod -%patch5 -p1 -b .notally -%patch7 -p1 -b .console-fixes -%patch9 -p1 -b .noflex -%patch10 -p1 -b .nouserenv -%patch11 -p1 -b .abstract - -# (Mandriva) -%patch507 -p1 -b .loop -%patch508 -p1 -b .pamtimestampadm -%patch512 -p0 -b .xauth-groups -%patch517 -p1 -b .enable_rt -%patch521 -p1 -b .pbuild-rh -%patch700 -p1 -b .static -%patch701 -p1 -b .nopermsd -%patch702 -p1 -b .nis_const~ -%patch801 -p1 -b .group_users - -# 08/08/2008 - vdanen - make pam provide pam_unix until we can work out all the issues in pam_tcb; this -# just makes things easier but is not meant to be a permanent solution -## Remove unwanted modules; pam_tcb provides pam_unix now -#for d in pam_unix; do -# rm -rf modules/$d -# sed -i "s,modules/$d/Makefile,," configure.in -# sed -i "s/ $d / /" modules/Makefile.am -#done +%apply_patches install -m644 %{SOURCE501} %{SOURCE502} modules/pam_tty_audit/ @@ -195,8 +169,6 @@ for readme in modules/pam_*/README ; do cp -f ${readme} doc/txts/README.`dirname ${readme} | sed -e 's|^modules/||'` done -cp %{SOURCE4} README.0.99.8.1.update.urpmi - #libtoolize -cf autoreconf -ifs -I m4 @@ -224,6 +196,7 @@ install -m 644 %{SOURCE11} %{buildroot}/etc/pam.d/postlogin install -m 600 /dev/null %{buildroot}%{_sysconfdir}/security/opasswd install -d -m 755 %{buildroot}/var/log install -m 600 /dev/null %{buildroot}/var/log/tallylog +install -m 644 %{SOURCE14} %{buildroot}%{_sysconfdir}/security/limits.d/90-nproc.conf # Install man pages. install -m 644 %{SOURCE9} %{SOURCE10} %{SOURCE12} %{buildroot}%{_mandir}/man5/ @@ -310,6 +283,7 @@ fi %config(noreplace) %{_sysconfdir}/security/pam_env.conf %config(noreplace) %{_sysconfdir}/security/time.conf %config(noreplace) %{_sysconfdir}/security/opasswd +%config(noreplace) %{_sysconfdir}/security/limits.d/90-nproc.conf %dir %{_sysconfdir}/security/console.apps %dir %{_sysconfdir}/security/console.perms.d %dir /%{_lib}/security @@ -340,3 +314,4 @@ fi %files doc %doc doc/txts doc/specs/rfc86.0.txt Copyright + diff --git a/password-auth.pamd b/password-auth.pamd new file mode 100644 index 0000000..2e01bf9 --- /dev/null +++ b/password-auth.pamd @@ -0,0 +1,18 @@ +#%PAM-1.0 +# This file is auto-generated. +# User changes will be destroyed the next time authconfig is run. +auth required pam_env.so +auth sufficient pam_unix.so try_first_pass nullok +auth required pam_deny.so + +account required pam_unix.so + +password requisite pam_pwquality.so try_first_pass local_users_only retry=3 authtok_type= +password sufficient pam_unix.so try_first_pass use_authtok nullok sha512 shadow +password required pam_deny.so + +session optional pam_keyinit.so revoke +session required pam_limits.so +-session optional pam_systemd.so +session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid +session required pam_unix.so diff --git a/smartcard-auth.pamd b/smartcard-auth.pamd new file mode 100644 index 0000000..e5b57e3 --- /dev/null +++ b/smartcard-auth.pamd @@ -0,0 +1,19 @@ +#%PAM-1.0 +# This file is auto-generated. +# User changes will be destroyed the next time authconfig is run. +auth required pam_env.so +auth [success=done ignore=ignore default=die] pam_pkcs11.so wait_for_card +auth required pam_deny.so + +account required pam_unix.so +account sufficient pam_localuser.so +account sufficient pam_succeed_if.so uid < 500 quiet +account required pam_permit.so + +password optional pam_pkcs11.so + +session optional pam_keyinit.so revoke +session required pam_limits.so +-session optional pam_systemd.so +session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid +session required pam_unix.so diff --git a/system-auth.5 b/system-auth.5 index 1300ec8..c0ca80b 100644 --- a/system-auth.5 +++ b/system-auth.5 @@ -1,39 +1,58 @@ -.TH SYSTEM-AUTH 5 "2006 Feb 3" "Red Hat" "Linux-PAM Manual" +.TH SYSTEM-AUTH 5 "2010 Dec 22" "Red Hat" "Linux-PAM Manual" .SH NAME system-auth \- Common configuration file for PAMified services .SH SYNOPSIS .B /etc/pam.d/system-auth +.B /etc/pam.d/password-auth +.B /etc/pam.d/fingerprint-auth +.B /etc/pam.d/smartcard-auth .sp 2 .SH DESCRIPTION -The purpose of this configuration file is to provide common -configuration file for all applications and service daemons -calling PAM library. +The purpose of these configuration files are to provide a common +interface for all applications and service daemons calling into +the PAM library. .sp -The \fBsystem-auth\fR configuration file is included from all individual service configuration -files with the help of the \fBinclude\fR directive. +The +.BR system-auth +configuration file is included from nearly all individual service configuration +files with the help of the +.BR substack +directive. + +.sp +The +.BR password-auth +.BR fingerprint-auth +.BR smartcard-auth +configuration files are for applications which handle authentication from +different types of devices via simultaneously running individual conversations +instead of one aggregate conversation. .SH NOTES -There should be no \fBsufficient\fR modules in the \fBsession\fR -part of \fBsystem-auth\fR file because individual services may add session modules after -\fBinclude\fR of the \fBsystem-auth\fR file. Execution of these modules would be skipped if there were sufficient -modules in \fBsystem-auth\fR file. - -.sp -Conversely there should not be any modules after -\fBinclude\fR directive in the individual service files in -\fBauth\fR, \fBaccount\fR and \fBpassword\fR -sections otherwise they could be bypassed. +Previously these common configuration files were included with the help +of the +.BR include +directive. This limited the use of the different action types of modules. +With the use of +.BR substack +directive to include these common configuration files this limitation +no longer applies. .SH BUGS .sp 2 None known. .SH "SEE ALSO" -\fBpam\fR(8), \fBconfig-util\fR(5) +pam(8), config-util(5), postlogin(5) -The three \fBLinux-PAM\fR Guides, for \fBsystem administrators\fR, -\fBmodule developers\fR, and \fBapplication developers\fR. +The three +.BR Linux-PAM +Guides, for +.BR "system administrators" ", " +.BR "module developers" ", " +and +.BR "application developers" ". " diff --git a/system-auth.pamd b/system-auth.pamd index 1621a47..2e01bf9 100644 --- a/system-auth.pamd +++ b/system-auth.pamd @@ -1,13 +1,14 @@ #%PAM-1.0 - +# This file is auto-generated. +# User changes will be destroyed the next time authconfig is run. auth required pam_env.so auth sufficient pam_unix.so try_first_pass nullok auth required pam_deny.so account required pam_unix.so -#password required pam_cracklib.so try_first_pass retry=3 -password sufficient pam_unix.so try_first_pass nullok sha512 shadow +password requisite pam_pwquality.so try_first_pass local_users_only retry=3 authtok_type= +password sufficient pam_unix.so try_first_pass use_authtok nullok sha512 shadow password required pam_deny.so session optional pam_keyinit.so revoke From 37111adfb840e6f978e1b4e5b9338f3584172427 Mon Sep 17 00:00:00 2001 From: akdengi Date: Tue, 21 Jan 2014 15:47:44 +0400 Subject: [PATCH 3/3] fix build --- pam.spec | 7 +++++-- 1 file changed, 5 insertions(+), 2 deletions(-) diff --git a/pam.spec b/pam.spec index 14e4a00..1ebab6d 100644 --- a/pam.spec +++ b/pam.spec @@ -101,6 +101,8 @@ Requires(pre): rpm-helper Requires(post): coreutils Requires(post): tcb >= 1.0.2-16 Conflicts: %{_lib}pam0 < 1.1.4-5 +Requires: libpwquality >= 0.9.9 + %description PAM (Pluggable Authentication Modules) is a system security tool that @@ -181,7 +183,8 @@ CFLAGS="$RPM_OPT_FLAGS -fPIC -I%{_includedir}/db_nss -D_GNU_SOURCE" \ --includedir=%{_includedir}/security \ --with-db-uniquename=_nss \ --docdir=%{_docdir}/%{name} \ - --disable-selinux + --disable-selinux \ + --disable-prelude %make %install @@ -258,7 +261,7 @@ if [ -f /etc/login.defs ] && ! grep -q USE_TCB /etc/login.defs; then fi %files -f Linux-PAM.lang -%doc NEWS README.0.99.8.1.update.urpmi +%doc NEWS %docdir %{_docdir}/%{name} %dir /etc/pam.d %config(noreplace) /etc/environment