commit 914f48e19f279c797e871debb7fd1f8a23994017 Author: Rosa Date: Mon Sep 16 16:29:09 2013 +0400 Automatic import for version 1.1.4-9 diff --git a/.abf.yml b/.abf.yml new file mode 100644 index 0000000..60eb8ed --- /dev/null +++ b/.abf.yml @@ -0,0 +1,3 @@ +sources: + "Linux-PAM-1.1.4.tar.bz2": 4634b09f9e059f384ce69dbaa4a67f88bef5cf7b + "pam-redhat-0.99.10-1.tar.bz2": 09e618edc5dcda9a6eb435a31db742afca673ae1 diff --git a/Linux-PAM-0.99.3.0-enable_rt.patch b/Linux-PAM-0.99.3.0-enable_rt.patch new file mode 100644 index 0000000..722aaf9 --- /dev/null +++ b/Linux-PAM-0.99.3.0-enable_rt.patch @@ -0,0 +1,12 @@ +--- Linux-PAM-0.99.3.0/modules/pam_limits/limits.conf.enable_rt 2005-08-16 16:02:28.000000000 +0200 ++++ Linux-PAM-0.99.3.0/modules/pam_limits/limits.conf 2006-01-28 14:51:28.000000000 +0100 +@@ -47,4 +47,9 @@ + #ftp hard nproc 0 + #@student - maxlogins 4 + ++* - rtprio 0 ++* - nice 0 ++@audio - rtprio 50 ++@audio - nice -10 ++ + # End of file diff --git a/Linux-PAM-0.99.3.0-pamtimestampadm.patch b/Linux-PAM-0.99.3.0-pamtimestampadm.patch new file mode 100644 index 0000000..aafd9cd --- /dev/null +++ b/Linux-PAM-0.99.3.0-pamtimestampadm.patch @@ -0,0 +1,14 @@ +--- Linux-PAM-0.99.3.0/modules/pam_timestamp/pam_timestamp.c.pamtimestampadm 2006-01-03 16:35:07.000000000 +0100 ++++ Linux-PAM-0.99.3.0/modules/pam_timestamp/pam_timestamp.c 2006-01-27 22:31:39.000000000 +0100 +@@ -121,9 +121,9 @@ + scratch); + return PAM_AUTH_ERR; + } +- if (st.st_gid != 0) { ++ if ((st.st_gid != 0) && (st.st_gid != 4)) { + pam_syslog(pamh, LOG_ERR, +- "`%s' owner GID != 0", ++ "`%s' owner GID != 0 and != 4", + scratch); + return PAM_AUTH_ERR; + } diff --git a/Linux-PAM-0.99.3.0-pbuild-rh.patch b/Linux-PAM-0.99.3.0-pbuild-rh.patch new file mode 100644 index 0000000..123084e --- /dev/null +++ b/Linux-PAM-0.99.3.0-pbuild-rh.patch 
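Review bot: The new condition `if ((st.st_gid != 0) && (st.st_gid != 4))` in pam_timestamp.c hard-codes GID 4 with nothing in the code saying which group that is; the patch name suggests the adm group, but a reader of the module cannot tell, and the check silently trusts a different group if that number is ever reassigned. I would add a comment above the line, e.g. `/* GID 4 is assumed to be the adm group on this distribution; keep in sync with /etc/group */`, or resolve the trusted group by name with getgrnam() so the intent is explicit. The log string `"`%s' owner GID != 0 and != 4"` should then name the group as well. The enclosing function starts and ends outside the hunk.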
@@ -0,0 +1,11 @@ +--- Linux-PAM-0.99.3.0/modules/pam_console/Makefile.am.pbuild-rh 2005-12-15 23:07:37.000000000 +0100 ++++ Linux-PAM-0.99.3.0/modules/pam_console/Makefile.am 2006-01-28 00:26:20.000000000 +0100 +@@ -57,6 +57,8 @@ + pam_console_la_CFLAGS = $(AM_CFLAGS) + pam_console_apply_CFLAGS = $(AM_CFLAGS) + ++configfile.tab.h: configfile.tab.c ++ + configfile.tab.c: configfile.y + $(YACC) $(BISON_OPTS) -o $@ -p _pc_yy $< + sh $(srcdir)/sed-static $@ diff --git a/Linux-PAM-1.1.1-xauth-groups.patch b/Linux-PAM-1.1.1-xauth-groups.patch new file mode 100644 index 0000000..2d9a59c --- /dev/null +++ b/Linux-PAM-1.1.1-xauth-groups.patch 
@@ -0,0 +1,67 @@ +--- modules/pam_xauth/pam_xauth.c 2010-10-08 13:56:11.000000000 +0200 ++++ modules/pam_xauth/pam_xauth.c.oden 2010-11-03 11:23:06.714312576 +0100 +@@ -90,7 +90,7 @@ static const char * const xauthpaths[] = + * given input on stdin, and storing any output it generates. */ + static int + run_coprocess(pam_handle_t *pamh, const char *input, char **output, +- uid_t uid, gid_t gid, const char *command, ...) ++ uid_t uid, gid_t gid, const char *name, const char *command, ...) + { + int ipipe[2], opipe[2], i; + char buf[LINE_MAX]; +@@ -141,6 +141,12 @@ run_coprocess(pam_handle_t *pamh, const + pam_syslog (pamh, LOG_ERR, "setgroups() failed: %m"); + _exit (err); + } ++ ++ /* Mandriva Linux specific: ++ * we need to set the extra groups because in high security levels ++ * access to /usr/X11R6/bin dir is controlled by a group */ ++ initgroups(name, gid); ++ + if (setuid(uid) == -1) + { + int err = errno; +@@ -148,6 +154,7 @@ run_coprocess(pam_handle_t *pamh, const + (unsigned long) geteuid ()); + _exit (err); + } ++ + /* Initialize the argument list. */ + memset(args, 0, sizeof(args)); + /* Set the pipe descriptors up as stdin and stdout, and close +@@ -173,6 +180,7 @@ run_coprocess(pam_handle_t *pamh, const + } + /* Run the command. */ + execv(command, args); ++ syslog(LOG_ERR, "pam_xauth: execvp of %s failed: %m", command); + /* Never reached. 
*/ + _exit(1); + } +@@ -508,7 +516,7 @@ pam_sm_open_session (pam_handle_t *pamh, + (unsigned long) getuid(), (unsigned long) getgid()); + } + if (run_coprocess(pamh, NULL, &cookie, +- getuid(), getgid(), ++ getuid(), getgid(), rpwd->pw_name, + xauth, "-f", cookiefile, "nlist", display, + NULL) == 0) { + #ifdef WITH_SELINUX +@@ -567,7 +575,7 @@ pam_sm_open_session (pam_handle_t *pamh, + (unsigned long) getgid()); + } + run_coprocess(pamh, NULL, &cookie, +- getuid(), getgid(), ++ getuid(), getgid(), rpwd->pw_name, + xauth, "-f", cookiefile, + "nlist", t, NULL); + } +@@ -709,7 +717,7 @@ pam_sm_open_session (pam_handle_t *pamh, + (unsigned long) tpwd->pw_gid); + } + run_coprocess(pamh, cookie, &tmp, +- tpwd->pw_uid, tpwd->pw_gid, ++ tpwd->pw_uid, tpwd->pw_gid, tpwd->pw_name, + xauth, "-f", cookiefile, "nmerge", "-", NULL); + + /* We don't need to keep a copy of these around any more. */ diff --git a/Linux-PAM-1.1.4-add-now-missing-nis-constant.patch b/Linux-PAM-1.1.4-add-now-missing-nis-constant.patch new file mode 100644 index 0000000..977a0b2 --- /dev/null +++ b/Linux-PAM-1.1.4-add-now-missing-nis-constant.patch @@ -0,0 +1,11 @@ +--- Linux-PAM-1.1.4/modules/pam_unix/support.c.yp_const~ 2011-07-19 14:31:36.081046306 +0200 ++++ Linux-PAM-1.1.4/modules/pam_unix/support.c 2011-07-19 14:31:38.058067705 +0200 +@@ -21,6 +21,8 @@ + #include + #ifdef HAVE_RPCSVC_YPCLNT_H + #include ++#else ++#define YPERR_SUCCESS 0 + #endif + + #include diff --git a/Linux-PAM-1.1.4-group_add_users.patch b/Linux-PAM-1.1.4-group_add_users.patch new file mode 100644 index 0000000..307307c --- /dev/null +++ b/Linux-PAM-1.1.4-group_add_users.patch @@ -0,0 +1,11 @@ +--- Linux-PAM-1.1.4.orig/modules/pam_group/group.conf 2011-06-21 13:04:56.000000000 +0400 ++++ Linux-PAM-1.1.4/modules/pam_group/group.conf 2012-04-20 15:45:10.000000000 +0400 +@@ -101,6 +101,8 @@ + + #xsh; tty* ;%admin;Al0000-2400;plugdev + ++*;*;*;Al0000-2400;users ++ + # + # End of group.conf file + # 
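Review bot: The added `initgroups(name, gid);` in run_coprocess ignores its return value, so if it fails the child continues to setuid() and execv() with whatever supplementary groups the preceding setgroups() call left, whereas a setgroups() failure earlier in the same hunk is logged and aborts the child. Treat it the same way: `if (initgroups(name, gid) == -1) { int err = errno; pam_syslog(pamh, LOG_ERR, "initgroups() failed: %m"); _exit(err); }`. Separately, the new diagnostic after `execv(command, args);` says "execvp" and calls raw syslog() where the surrounding code uses pam_syslog(pamh, ...); `pam_syslog(pamh, LOG_ERR, "execv of %s failed: %m", command);` keeps the message accurate and consistent. The body of run_coprocess continues outside the hunk.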
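Review bot: The new group.conf rule `*;*;*;Al0000-2400;users` matches every service, every tty and every user at all hours, so any session that stacks pam_group is granted the `users` supplementary group unconditionally, which is far broader than the commented-out examples around it that scope a grant by service and tty. If only interactive logins are meant, narrow the services or tty field (for instance `tty*` as in the `#xsh; tty* ;%admin;...` example above), and add a comment line stating why the blanket grant is wanted, e.g. `# distribution default: every session receives the 'users' group`. If it must stay wildcarded, the accompanying package documentation should say that pam_group must not be stacked on services where that grant is unwanted.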
diff --git a/Linux-PAM-1.1.4.tar.bz2.sign b/Linux-PAM-1.1.4.tar.bz2.sign new file mode 100644 index 0000000..ed4c6f2 --- /dev/null +++ b/Linux-PAM-1.1.4.tar.bz2.sign @@ -0,0 +1,8 @@ +-----BEGIN PGP SIGNATURE----- +Version: GnuPG v1.4.11 (GNU/Linux) +Comment: See http://www.kernel.org/signature.html for info + +iD8DBQBOBHzAyGugalF9Dw4RAvUUAJ0SfOT7ITyalk4JsmIe5tJSdIB5ygCfZ2ku +aHp5ptRfKYgWdlnFv+3F7H4= +=kqy6 +-----END PGP SIGNATURE----- diff --git a/README b/README new file mode 100644 index 0000000..bbe9063 --- /dev/null +++ b/README 
@@ -0,0 +1,48 @@ +pam_tty_audit ? Enable or disable TTY auditing for specified users + +------------------------------------------------------------------------------- + +DESCRIPTION + +The pam_tty_audit PAM module is used to enable or disable TTY auditing. By +default, the kernel does not audit input on any TTY. + +OPTIONS + +disable=patterns + + For each user matching one of comma-separated glob patterns, disable TTY + auditing. This overrides any previous enable option matchin the same user + name on the command line. + +enable=patterns + + For each user matching one of comma-separated glob patterns, enable TTY + auditing. This overrides any previous disable option matching the same user + name on the command line. + +open_only + + Set the TTY audit flag when opening the session, but do not restore it when + closing the session. Using this option is necessary for some services that + don't fork() to run the authenticated session, such as sudo. + +NOTES + +When TTY auditing is enabled, it is inherited by all processes started by that +user. In particular, daemons restarted by an user will still have TTY auditing +enabled, and audit TTY input even by other users unless auditing for these +users is explicitly disabled. Therefore, it is recommended to use disable=* as +the first option for most daemons using PAM. + +EXAMPLES + +Audit all administrative actions. + +session required pam_tty_audit.so disable=* enable=root + + +AUTHOR + +pam_tty_audit was written by Miloslav Trma? . + diff --git a/config-util.5 b/config-util.5 new file mode 100644 index 0000000..17d7f8a --- /dev/null +++ b/config-util.5 
@@ -0,0 +1,36 @@ +.TH SYSTEM-AUTH 5 "2006 Feb 3" "Red Hat" "Linux-PAM Manual" +.SH NAME + +config-util \- Common PAM configuration file for configuration utilities + +.SH SYNOPSIS +.B /etc/pam.d/config-util +.sp 2 +.SH DESCRIPTION + +The purpose of this configuration file is to provide common +configuration file for all configuration utilities which must be run +from the supervisor account and use the userhelper wrapper application. + +.sp +The +.BR config-util +configuration file is included from all individual configuration +files of such utilities with the help of the +.BR include +directive. +There are not usually any other modules in the individual configuration +files of these utilities. + +.sp +It is possible for example to modify duration of the validity of the +authentication timestamp there. See +.BR pam_timestamp(8) +for details. + +.SH BUGS +.sp 2 +None known. + +.SH "SEE ALSO" +pam(8), config-util(5), pam_timestamp(8) diff --git a/config-util.pamd b/config-util.pamd new file mode 100644 index 0000000..8e70d9a --- /dev/null +++ b/config-util.pamd @@ -0,0 +1,8 @@ +#%PAM-1.0 +auth sufficient pam_rootok.so +auth sufficient pam_timestamp.so +auth include system-auth +account required pam_permit.so +session required pam_permit.so +session optional pam_xauth.so +session optional pam_timestamp.so diff --git a/dlopen.sh b/dlopen.sh new file mode 100755 index 0000000..053289a --- /dev/null +++ b/dlopen.sh 
@@ -0,0 +1,75 @@ +#!/bin/sh + +tempdir=`mktemp -d /tmp/dlopenXXXXXX` +test -n "$tempdir" || exit 1 +cat >> $tempdir/dlopen.c << _EOF +#include +#include +#include +#include +/* Simple program to see if dlopen() would succeed. */ +int main(int argc, char **argv) +{ + int i; + struct stat st; + char buf[PATH_MAX]; + for (i = 1; i < argc; i++) { + if (dlopen(argv[i], RTLD_NOW)) { + fprintf(stdout, "dlopen() of \"%s\" succeeded.\n", + argv[i]); + } else { + snprintf(buf, sizeof(buf), "./%s", argv[i]); + if ((stat(buf, &st) == 0) && dlopen(buf, RTLD_NOW)) { + fprintf(stdout, "dlopen() of \"./%s\" " + "succeeded.\n", argv[i]); + } else { + fprintf(stdout, "dlopen() of \"%s\" failed: " + "%s\n", argv[i], dlerror()); + return 1; + } + } + } + return 0; +} +_EOF + +for arg in $@ ; do + case "$arg" in + "") + ;; + -I*|-D*|-f*|-m*|-g*|-O*|-W*) + cflags="$cflags $arg" + ;; + -l*|-L*) + ldflags="$ldflags $arg" + ;; + /*) + modules="$modules $arg" + ;; + *) + modules="$modules $arg" + ;; + esac +done + +${CC:-gcc} $RPM_OPT_FLAGS $CFLAGS -o $tempdir/dlopen $cflags $tempdir/dlopen.c $ldflags -ldl + +retval=0 +for module in $modules ; do + case "$module" in + "") + ;; + /*) + $tempdir/dlopen "$module" + retval=$? + ;; + *) + $tempdir/dlopen ./"$module" + retval=$? + ;; + esac +done + +rm -f $tempdir/dlopen $tempdir/dlopen.c +rmdir $tempdir +exit $retval diff --git a/other.pamd b/other.pamd new file mode 100644 index 0000000..c286c82 --- /dev/null +++ b/other.pamd @@ -0,0 +1,5 @@ +#%PAM-1.0 +auth required pam_deny.so +account required pam_deny.so +password required pam_deny.so +session required pam_deny.so diff --git a/pam-0.74-loop.patch b/pam-0.74-loop.patch new file mode 100644 index 0000000..a021a22 --- /dev/null +++ b/pam-0.74-loop.patch 
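Review bot: In the second loop of dlopen.sh `retval=$?` is reassigned for every module, so a failed dlopen of an early module is masked when a later one succeeds and the script exits 0; since the script exists to prove that every module loads, a failure should stick. Replace both assignments with `$tempdir/dlopen "$module" || retval=1` (and the `./"$module"` branch likewise), keeping `retval=0` before the loop. Also `for arg in $@` word-splits unquoted, so an argument containing spaces is broken into several; `for arg in "$@"` fixes that loop. The `/*)` and `*)` cases of the first loop do the same thing and could be merged into one.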
@@ -0,0 +1,12 @@ +--- pam-0.74/modules/pam_console/chmod.c.fred Fri Mar 9 02:00:21 2001 ++++ pam-0.74/modules/pam_console/chmod.c Thu Mar 15 16:54:27 2001 +@@ -161,7 +161,8 @@ + { + if(mntent->mnt_dir && + mntent->mnt_fsname && +- (fnmatch(dir, mntent->mnt_dir, 0) == 0)) ++ (fnmatch(dir, mntent->mnt_dir, 0) == 0) && ++ strcmp(dir, mntent->mnt_fsname)) + { + errors |= change_file(mntent->mnt_fsname, changes, TRUE, user, group); + } diff --git a/pam-0.99.3.0-README.update b/pam-0.99.3.0-README.update new file mode 100644 index 0000000..bcc91bc --- /dev/null +++ b/pam-0.99.3.0-README.update 
@@ -0,0 +1,34 @@ +PAM 0.99.3.0 update notes + +- pam_stack module depreciation + +The pam_stack module is now deprecated. It has to be replaced by +include directives in pam.d configuration files. pam_stack usage won't +make pam fail in this release, but it will be removed in a future +release, better avoid it. It's basically a matter of replacing +"required pam_stack.so service=" with "include ". + +This can't be automatically updated on system-edited configuration +files because it isn't always that simple. Some "sufficient" +directives in the included file may now occult directives that were +previously matched, in the same configuration phase +(auth/account/password/session). +So, the rules may have to be reordered, and the "include" directives +have often to be lowered at the bottom of each phase. + +See Fedora instructions and release notes for more details. +http://www.redhat.com/archives/fedora-devel-list/2005-October/msg00050.html +http://www.redhat.com/archives/fedora-devel-list/2005-October/msg00084.html +http://fedora.redhat.com/docs/release-notes/fc5/test2-latest-en/sn-package-notes.html + +- pam_pwdb dropped + +The pam_pwdb module has been obsolete for a couple of years now, it is +not anymore available in the pam package from Mandriva. +The pam_unix module has to be prefered. + +- services linked with pam + +Services linked with the old pam library have to be restarted once the +new pam package has been installed. +This includes services such as crond, xdm, gdm, kdm, samba. diff --git a/pam-0.99.8.1-11mdv2009.0-README.update b/pam-0.99.8.1-11mdv2009.0-README.update new file mode 100644 index 0000000..3bec023 --- /dev/null +++ b/pam-0.99.8.1-11mdv2009.0-README.update 
@@ -0,0 +1,8 @@ +PAM 0.99.8.1 update notes + +- pam_unix dropped + +The pam_unix module has been dropped in favour of the pam_tcb module and is +no longer available in the pam package from Mandriva. The pam_tcb module will +work with the TCB shadowing scheme or regular shadow passwords. It also provides +the ability to use blowfish passwords, rather than just md5 passwords. diff --git a/pam-1.0.90-redhat-modules.patch b/pam-1.0.90-redhat-modules.patch new file mode 100644 index 0000000..3ad41cc --- /dev/null +++ b/pam-1.0.90-redhat-modules.patch @@ -0,0 +1,23 @@ +diff -up Linux-PAM-1.0.90/modules/Makefile.am.redhat-modules Linux-PAM-1.0.90/modules/Makefile.am +--- Linux-PAM-1.0.90/modules/Makefile.am.redhat-modules 2008-11-29 08:27:35.000000000 +0100 ++++ Linux-PAM-1.0.90/modules/Makefile.am 2008-12-16 13:40:16.000000000 +0100 +@@ -3,6 +3,7 @@ + # + + SUBDIRS = pam_access pam_cracklib pam_debug pam_deny pam_echo \ ++ pam_chroot pam_console pam_postgresok \ + pam_env pam_exec pam_faildelay pam_filter pam_ftp \ + pam_group pam_issue pam_keyinit pam_lastlog pam_limits \ + pam_listfile pam_localuser pam_loginuid pam_mail \ +diff -up Linux-PAM-1.0.90/configure.in.redhat-modules Linux-PAM-1.0.90/configure.in +--- Linux-PAM-1.0.90/configure.in.redhat-modules 2008-12-02 16:25:01.000000000 +0100 ++++ Linux-PAM-1.0.90/configure.in 2008-12-16 13:39:11.000000000 +0100 +@@ -531,6 +531,8 @@ AC_CONFIG_FILES([Makefile libpam/Makefil + libpam_misc/Makefile conf/Makefile conf/pam_conv1/Makefile \ + po/Makefile.in \ + modules/Makefile \ ++ modules/pam_chroot/Makefile modules/pam_console/Makefile \ ++ modules/pam_postgresok/Makefile \ + modules/pam_access/Makefile modules/pam_cracklib/Makefile \ + modules/pam_debug/Makefile modules/pam_deny/Makefile \ + modules/pam_echo/Makefile modules/pam_env/Makefile \ diff --git a/pam-1.0.91-std-noclose.patch b/pam-1.0.91-std-noclose.patch new file mode 100644 index 0000000..7359484 --- /dev/null +++ b/pam-1.0.91-std-noclose.patch 
@@ -0,0 +1,98 @@ +diff -up Linux-PAM-1.0.91/modules/pam_mkhomedir/pam_mkhomedir.c.std-noclose Linux-PAM-1.0.91/modules/pam_mkhomedir/pam_mkhomedir.c +--- Linux-PAM-1.0.91/modules/pam_mkhomedir/pam_mkhomedir.c.std-noclose 2009-03-03 14:56:01.000000000 +0100 ++++ Linux-PAM-1.0.91/modules/pam_mkhomedir/pam_mkhomedir.c 2009-03-26 10:02:15.000000000 +0100 +@@ -131,13 +131,21 @@ create_homedir (pam_handle_t *pamh, int + if (child == 0) { + int i; + struct rlimit rlim; ++ int dummyfds[2]; + static char *envp[] = { NULL }; + char *args[] = { NULL, NULL, NULL, NULL, NULL }; + ++ /* replace std file descriptors with a dummy pipe */ ++ if (pipe(dummyfds) == 0) { ++ dup2(dummyfds[0], STDIN_FILENO); ++ dup2(dummyfds[1], STDOUT_FILENO); ++ dup2(dummyfds[1], STDERR_FILENO); ++ } ++ + if (getrlimit(RLIMIT_NOFILE, &rlim)==0) { + if (rlim.rlim_max >= MAX_FD_NO) + rlim.rlim_max = MAX_FD_NO; +- for (i=0; i < (int)rlim.rlim_max; i++) { ++ for (i = STDERR_FILENO + 1; i < (int)rlim.rlim_max; i++) { + close(i); + } + } +diff -up Linux-PAM-1.0.91/modules/pam_unix/support.c.std-noclose Linux-PAM-1.0.91/modules/pam_unix/support.c +--- Linux-PAM-1.0.91/modules/pam_unix/support.c.std-noclose 2009-03-03 14:56:01.000000000 +0100 ++++ Linux-PAM-1.0.91/modules/pam_unix/support.c 2009-03-26 10:08:59.000000000 +0100 +@@ -443,13 +443,16 @@ static int _unix_run_helper_binary(pam_h + + /* reopen stdin as pipe */ + dup2(fds[0], STDIN_FILENO); ++ /* and replace also the stdout/err as the helper will ++ not write anything there */ ++ dup2(fds[1], STDOUT_FILENO); ++ dup2(fds[1], STDERR_FILENO); + + if (getrlimit(RLIMIT_NOFILE,&rlim)==0) { + if (rlim.rlim_max >= MAX_FD_NO) + rlim.rlim_max = MAX_FD_NO; +- for (i=0; i < (int)rlim.rlim_max; i++) { +- if (i != STDIN_FILENO) +- close(i); ++ for (i = STDERR_FILENO + 1; i < (int)rlim.rlim_max; i++) { ++ close(i); + } + } + +diff -up Linux-PAM-1.0.91/modules/pam_unix/pam_unix_passwd.c.std-noclose Linux-PAM-1.0.91/modules/pam_unix/pam_unix_passwd.c +--- 
Linux-PAM-1.0.91/modules/pam_unix/pam_unix_passwd.c.std-noclose 2009-03-03 14:56:01.000000000 +0100 ++++ Linux-PAM-1.0.91/modules/pam_unix/pam_unix_passwd.c 2009-03-26 10:07:06.000000000 +0100 +@@ -175,13 +175,16 @@ static int _unix_run_update_binary(pam_h + + /* reopen stdin as pipe */ + dup2(fds[0], STDIN_FILENO); ++ /* and replace also the stdout/err as the helper will ++ not write anything there */ ++ dup2(fds[1], STDOUT_FILENO); ++ dup2(fds[1], STDERR_FILENO); + + if (getrlimit(RLIMIT_NOFILE,&rlim)==0) { + if (rlim.rlim_max >= MAX_FD_NO) + rlim.rlim_max = MAX_FD_NO; +- for (i=0; i < (int)rlim.rlim_max; i++) { +- if (i != STDIN_FILENO) +- close(i); ++ for (i = STDERR_FILENO + 1; i < (int)rlim.rlim_max; i++) { ++ close(i); + } + } + +diff -up Linux-PAM-1.0.91/modules/pam_unix/pam_unix_acct.c.std-noclose Linux-PAM-1.0.91/modules/pam_unix/pam_unix_acct.c +--- Linux-PAM-1.0.91/modules/pam_unix/pam_unix_acct.c.std-noclose 2009-03-03 14:56:01.000000000 +0100 ++++ Linux-PAM-1.0.91/modules/pam_unix/pam_unix_acct.c 2009-03-26 10:05:41.000000000 +0100 +@@ -100,16 +100,18 @@ int _unix_run_verify_binary(pam_handle_t + + /* reopen stdout as pipe */ + dup2(fds[1], STDOUT_FILENO); ++ /* and replace also the stdin, stderr so we do not exec the helper with ++ tty as stdin, it will not read anything from there anyway */ ++ dup2(fds[0], STDIN_FILENO); ++ dup2(fds[1], STDERR_FILENO); + + /* XXX - should really tidy up PAM here too */ + + if (getrlimit(RLIMIT_NOFILE,&rlim)==0) { + if (rlim.rlim_max >= MAX_FD_NO) + rlim.rlim_max = MAX_FD_NO; +- for (i=0; i < (int)rlim.rlim_max; i++) { +- if (i != STDOUT_FILENO) { +- close(i); +- } ++ for (i = STDERR_FILENO + 1; i < (int)rlim.rlim_max; i++) { ++ close(i); + } + } + diff --git a/pam-1.1.0-console-fixes.patch b/pam-1.1.0-console-fixes.patch new file mode 100644 index 0000000..08cd4c6 --- /dev/null +++ b/pam-1.1.0-console-fixes.patch 
@@ -0,0 +1,71 @@ +diff -up Linux-PAM-1.1.0/modules/pam_console/handlers.c.consolefix Linux-PAM-1.1.0/modules/pam_console/handlers.c +--- Linux-PAM-1.1.0/modules/pam_console/handlers.c.consolefix 2009-11-02 08:45:24.000000000 +0100 ++++ Linux-PAM-1.1.0/modules/pam_console/handlers.c 2009-11-02 08:50:19.000000000 +0100 +@@ -172,13 +172,13 @@ call_exec(struct console_handler *handle + const char *flagptr; + const char **argv; + int i = 0; +- argv = malloc(sizeof(*argv)*nparams+2); +- ++ argv = malloc(sizeof(*argv)*(nparams+2)); ++ + if (argv == NULL) + return; +- ++ + argv[i++] = handler->executable; +- ++ + for (flagptr = handler->flags; *flagptr != '\0'; flagptr += strlen(flagptr)+1) { + switch (testflag(flagptr)) { + case HF_LOGFAIL: +@@ -231,7 +231,7 @@ execute_handler(pam_handle_t *pamh, stru + } + + sighandler = signal(SIGCHLD, SIG_DFL); +- ++ + child = fork(); + switch (child) { + case -1: +@@ -246,30 +246,31 @@ execute_handler(pam_handle_t *pamh, stru + if (!wait_exit) { + switch(fork()) { + case 0: +- exit(0); ++ if(setsid() == -1) { ++ _exit(255); ++ } ++ break; + case -1: +- exit(255); ++ _exit(255); + default: +- if(setsid() == -1) { +- exit(255); +- } ++ _exit(0); + } + } + if (set_uid) { + struct passwd *pw; + pw = getpwnam(user); + if (pw == NULL) +- exit(255); ++ _exit(255); + if (setgid(pw->pw_gid) == -1 || + setuid(pw->pw_uid) == -1) +- exit(255); ++ _exit(255); + } + call_exec(handler, nparams, user, tty); +- exit(255); ++ _exit(255); + default: + break; + } +- ++ + waitpid(child, &rv, 0); + + if (sighandler != SIG_ERR) diff --git a/pam-1.1.0-console-nochmod.patch b/pam-1.1.0-console-nochmod.patch new file mode 100644 index 0000000..e41adad --- /dev/null +++ b/pam-1.1.0-console-nochmod.patch 
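Review bot: In execute_handler the `if (set_uid)` block that this hunk touches drops privileges with `setgid(pw->pw_gid)` and `setuid(pw->pw_uid)` only, so the child keeps the supplementary groups of the calling process (root, in the pam_console context) when it runs the handler as `user`; the hunk changes the exit calls around it but leaves that in place. Adding `initgroups(pw->pw_name, pw->pw_gid) == -1 ||` as the first operand of the `if (setgid(pw->pw_gid) == -1 || setuid(pw->pw_uid) == -1)` condition resets them to the target user's groups before setuid(). The switch to `_exit()` in the forked child is right, since atexit handlers and stdio buffers belong to the parent. The enclosing function continues outside the hunk.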
@@ -0,0 +1,26 @@ +diff -up Linux-PAM-1.1.0/modules/pam_console/console.handlers.nochmod Linux-PAM-1.1.0/modules/pam_console/console.handlers +--- Linux-PAM-1.1.0/modules/pam_console/console.handlers.nochmod 2008-12-16 13:37:52.000000000 +0100 ++++ Linux-PAM-1.1.0/modules/pam_console/console.handlers 2009-09-01 17:20:08.000000000 +0200 +@@ -15,5 +15,3 @@ + # touch unlock wait /var/run/console-unlocked + + console consoledevs tty[0-9][0-9]* vc/[0-9][0-9]* :[0-9]+\.[0-9]+ :[0-9]+ +-/sbin/pam_console_apply lock logfail wait -t tty -s +-/sbin/pam_console_apply unlock logfail wait -r -t tty -s +diff -up Linux-PAM-1.1.0/modules/pam_console/Makefile.am.nochmod Linux-PAM-1.1.0/modules/pam_console/Makefile.am +--- Linux-PAM-1.1.0/modules/pam_console/Makefile.am.nochmod 2008-12-16 13:37:52.000000000 +0100 ++++ Linux-PAM-1.1.0/modules/pam_console/Makefile.am 2009-09-01 17:42:47.000000000 +0200 +@@ -38,7 +38,6 @@ sbin_PROGRAMS = pam_console_apply + + + secureconf_DATA = console.perms console.handlers +-permsd_DATA = 50-default.perms + + FLEX_OPTS = -Cr + BISON_OPTS = -d +@@ -62,4 +61,5 @@ configfile.c: configfile.tab.c configfil + + install-data-local: + mkdir -p $(DESTDIR)$(secureconfdir)/console.apps ++ mkdir -p $(DESTDIR)$(permsddir) + mkdir -m $(LOCKMODE) -p -p $(DESTDIR)$(LOCKDIR) diff --git a/pam-1.1.0-console-nopermsd.patch b/pam-1.1.0-console-nopermsd.patch new file mode 100644 index 0000000..08fe9bf --- /dev/null +++ b/pam-1.1.0-console-nopermsd.patch @@ -0,0 +1,11 @@ +--- Linux-PAM-1.1.0/modules/pam_console/pam_console_apply.c.error 2009-10-06 17:34:02.000000000 +0200 ++++ Linux-PAM-1.1.0/modules/pam_console/pam_console_apply.c 2009-10-06 17:39:14.000000000 +0200 +@@ -65,7 +65,7 @@ parse_files(void) + on system locale */ + oldlocale = setlocale(LC_COLLATE, "C"); + +- rc = glob(PERMS_GLOB, GLOB_NOCHECK, NULL, &globbuf); ++ rc = glob(PERMS_GLOB, 0, NULL, &globbuf); + setlocale(LC_COLLATE, oldlocale); + if (rc) + return; 
diff --git a/pam-1.1.0-notally.patch b/pam-1.1.0-notally.patch new file mode 100644 index 0000000..9327eec --- /dev/null +++ b/pam-1.1.0-notally.patch @@ -0,0 +1,12 @@ +diff -up Linux-PAM-1.1.0/modules/Makefile.am.notally Linux-PAM-1.1.0/modules/Makefile.am +--- Linux-PAM-1.1.0/modules/Makefile.am.notally 2009-07-27 17:39:25.000000000 +0200 ++++ Linux-PAM-1.1.0/modules/Makefile.am 2009-09-01 17:40:16.000000000 +0200 +@@ -10,7 +10,7 @@ SUBDIRS = pam_access pam_cracklib pam_de + pam_mkhomedir pam_motd pam_namespace pam_nologin \ + pam_permit pam_pwhistory pam_rhosts pam_rootok pam_securetty \ + pam_selinux pam_sepermit pam_shells pam_stress \ +- pam_succeed_if pam_tally pam_tally2 pam_time pam_timestamp \ ++ pam_succeed_if pam_tally2 pam_time pam_timestamp \ + pam_tty_audit pam_umask \ + pam_unix pam_userdb pam_warn pam_wheel pam_xauth + diff --git a/pam-1.1.2-noflex.patch b/pam-1.1.2-noflex.patch new file mode 100644 index 0000000..fc96555 --- /dev/null +++ b/pam-1.1.2-noflex.patch 
@@ -0,0 +1,27 @@ +diff -up Linux-PAM-1.1.2/doc/Makefile.am.noflex Linux-PAM-1.1.2/doc/Makefile.am +--- Linux-PAM-1.1.2/doc/Makefile.am.noflex 2008-02-04 16:05:51.000000000 +0100 ++++ Linux-PAM-1.1.2/doc/Makefile.am 2010-09-20 10:40:59.000000000 +0200 +@@ -2,7 +2,7 @@ + # Copyright (c) 2005, 2006 Thorsten Kukuk + # + +-SUBDIRS = man specs sag adg mwg ++SUBDIRS = man sag adg mwg + + CLEANFILES = *~ + +diff -up Linux-PAM-1.1.2/Makefile.am.noflex Linux-PAM-1.1.2/Makefile.am +--- Linux-PAM-1.1.2/Makefile.am.noflex 2010-07-08 14:04:19.000000000 +0200 ++++ Linux-PAM-1.1.2/Makefile.am 2010-09-20 10:04:56.000000000 +0200 +@@ -5,9 +5,9 @@ + AUTOMAKE_OPTIONS = 1.9 gnu dist-bzip2 check-news + + if STATIC_MODULES +-SUBDIRS = modules libpam libpamc libpam_misc tests po conf doc examples xtests ++SUBDIRS = modules libpam libpamc libpam_misc tests po doc examples xtests + else +-SUBDIRS = libpam tests libpamc libpam_misc modules po conf doc examples xtests ++SUBDIRS = libpam tests libpamc libpam_misc modules po doc examples xtests + endif + + CLEANFILES = *~ diff --git a/pam-1.1.3-console-abstract.patch b/pam-1.1.3-console-abstract.patch new file mode 100644 index 0000000..ed14ddd --- /dev/null +++ b/pam-1.1.3-console-abstract.patch 
@@ -0,0 +1,82 @@ +diff -up Linux-PAM-1.1.3/modules/pam_console/pam_console.c.abstract Linux-PAM-1.1.3/modules/pam_console/pam_console.c +--- Linux-PAM-1.1.3/modules/pam_console/pam_console.c.abstract 2008-12-16 13:37:52.000000000 +0100 ++++ Linux-PAM-1.1.3/modules/pam_console/pam_console.c 2010-11-01 17:01:55.000000000 +0100 +@@ -34,6 +34,8 @@ + #include + #include + #include ++#include ++#include + #include + #include + #include +@@ -136,6 +138,32 @@ check_one_console_name(const char *name, + } + + static int ++try_xsocket(const char *path, size_t len) { ++ int fd; ++ union { ++ struct sockaddr sa; ++ struct sockaddr_un su; ++ } addr; ++ ++ fd = socket(AF_UNIX, SOCK_STREAM, 0); ++ if (fd < 0) ++ return 0; ++ ++ memset(&addr, 0, sizeof(addr)); ++ addr.su.sun_family = AF_UNIX; ++ ++ if (len > sizeof(addr.su.sun_path)) ++ return 0; ++ memcpy(addr.su.sun_path, path, len); ++ if (connect(fd, &addr.sa, sizeof(addr.su)) == 0) { ++ close(fd); ++ return 1; ++ } ++ close(fd); ++ return 0; ++} ++ ++static int + check_console_name(pam_handle_t *pamh, const char *consolename, int nonroot_ok, int on_set) { + int found = 0; + int statted = 0; +@@ -186,22 +214,29 @@ check_console_name(pam_handle_t *pamh, c + if (!statted && (consolename[0] == ':')) { + int l; + char *dot = NULL; +- strcpy(full_path, "/tmp/.X11-unix/X"); +- l = sizeof(full_path) - 1 - strlen(full_path); ++ char *path = full_path + 1; ++ ++ full_path[0] = '\0'; ++ strcpy(path, "/tmp/.X11-unix/X"); ++ l = sizeof(full_path) - 2 - strlen(path); + dot = strchr(consolename + 1, '.'); + if (dot != NULL) { + l = (l < dot - consolename - 1) ? 
l : dot - consolename - 1; + } +- strncat(full_path, consolename + 1, l); ++ strncat(path, consolename + 1, l); + full_path[sizeof(full_path) - 1] = '\0'; +- _pam_log(pamh, LOG_DEBUG, TRUE, "checking possible console \"%s\"", +- full_path); +- if (lstat(full_path, &st) != -1) { ++ _pam_log(pamh, LOG_DEBUG, TRUE, "checking possible X socket \"%s\"", ++ path); ++ ++ /* this will work because st.st_uid is 0 */ ++ if (try_xsocket(full_path, strlen(path)+1)) { ++ statted = 1; ++ } else if (try_xsocket(path, strlen(path))) { + statted = 1; + } + else if (!on_set) { /* there is no X11 socket in case of X11 crash */ + _pam_log(pamh, LOG_DEBUG, TRUE, "can't find X11 socket to examine for %s probably due to X crash", consolename); +- statted = 1; /* this will work because st.st_uid is 0 */ ++ statted = 1; + } + } + diff --git a/pam-1.1.3-nouserenv.patch b/pam-1.1.3-nouserenv.patch new file mode 100644 index 0000000..f3a742c --- /dev/null +++ b/pam-1.1.3-nouserenv.patch 
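Review bot: In the new try_xsocket(), the `if (len > sizeof(addr.su.sun_path)) return 0;` check runs after `socket()` has succeeded, so that path leaks a descriptor in the process hosting the PAM module; every return after the socket() call has to close it. Either move the length check above `fd = socket(AF_UNIX, SOCK_STREAM, 0);` or write `if (len > sizeof(addr.su.sun_path)) { close(fd); return 0; }`. A header comment would also help, since the function is called twice, once with the leading NUL that `full_path[0] = '\0'` provides and once with the plain path, e.g. `/* Return 1 if something accepts a connection on the AF_UNIX address path[0..len); len includes the leading NUL for abstract-namespace names. */`. The relocated `/* this will work because st.st_uid is 0 */` comment now appears to sit above the try_xsocket() calls rather than next to the `statted = 1;` in the !on_set branch it originally annotated, so it should move back there.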
@@ -0,0 +1,27 @@ +diff -up pam/modules/pam_env/pam_env.c.nouserenv pam/modules/pam_env/pam_env.c +--- pam/modules/pam_env/pam_env.c.nouserenv 2010-10-20 09:59:30.000000000 +0200 ++++ pam/modules/pam_env/pam_env.c 2010-11-01 14:42:01.000000000 +0100 +@@ -10,7 +10,7 @@ + #define DEFAULT_READ_ENVFILE 1 + + #define DEFAULT_USER_ENVFILE ".pam_environment" +-#define DEFAULT_USER_READ_ENVFILE 1 ++#define DEFAULT_USER_READ_ENVFILE 0 + + #include "config.h" + +diff -up pam/modules/pam_env/pam_env.8.xml.nouserenv pam/modules/pam_env/pam_env.8.xml +--- pam/modules/pam_env/pam_env.8.xml.nouserenv 2010-10-20 09:59:30.000000000 +0200 ++++ pam/modules/pam_env/pam_env.8.xml 2010-11-01 14:42:01.000000000 +0100 +@@ -147,7 +147,10 @@ + + + Turns on or off the reading of the user specific environment +- file. 0 is off, 1 is on. By default this option is on. ++ file. 0 is off, 1 is on. By default this option is off as user ++ supplied environment variables in the PAM environment could affect ++ behavior of subsequent modules in the stack without the consent ++ of the system administrator. + + + diff --git a/pam.spec b/pam.spec new file mode 100644 index 0000000..ae7ad62 --- /dev/null +++ b/pam.spec 
@@ -0,0 +1,337 @@
+%define major 0
+%define libname %mklibname %{name} %{major}
+%define libnamec %mklibname %{name}c %{major}
+%define libname_misc %mklibname %{name}_misc %{major}
+%define develname %mklibname %{name} -d
+
+%define with_prelude 0
+%{?_without_prelude: %{expand: %%global with_prelude 0}}
+%{?_with_prelude: %{expand: %%global with_prelude 1}}
+
+%define bootstrap 0
+%{?_without_bootstrap: %global bootstrap 0}
+%{?_with_bootstrap: %global bootstrap 1}
+
+%define pam_redhat_version 0.99.10-1
+
+Epoch: 1
+
+Summary: A security tool which provides authentication for applications
+Name: pam
+Version: 1.1.4
+Release: 9
+# The library is BSD licensed with option to relicense as GPLv2+ - this option is redundant
+# as the BSD license allows that anyway. pam_timestamp and pam_console modules are GPLv2+,
+License: BSD and GPLv2+
+Group: System/Libraries
+Url: http://www.kernel.org/pub/linux/libs/pam/index.html
+Source0: ftp://ftp.kernel.org/pub/linux/libs/pam/library/Linux-PAM-%{version}.tar.bz2
+Source1: ftp://ftp.kernel.org/pub/linux/libs/pam/library/Linux-PAM-%{version}.tar.bz2.sign
+Source2: pam-redhat-%{pam_redhat_version}.tar.bz2
+Source3: pam-0.99.3.0-README.update
+Source4: pam-0.99.8.1-11mdv2009.0-README.update
+Source5: other.pamd
+Source6: system-auth.pamd
+Source7: config-util.pamd
+Source8: dlopen.sh
+Source9: system-auth.5
+Source10: config-util.5
+#add missing documentation
+Source501: pam_tty_audit.8
+Source502: README
+
+# RedHat patches
+Patch1: pam-1.0.90-redhat-modules.patch
+Patch2: pam-1.0.91-std-noclose.patch
+Patch4: pam-1.1.0-console-nochmod.patch
+Patch5: pam-1.1.0-notally.patch
+Patch7: pam-1.1.0-console-fixes.patch
+Patch9: pam-1.1.2-noflex.patch
+Patch10: pam-1.1.3-nouserenv.patch
+Patch11: pam-1.1.3-console-abstract.patch
+
+# Mandriva specific sources/patches
+# (fl) fix infinite loop
+Patch507: pam-0.74-loop.patch
+# (fc) 0.75-29mdk don't complain when / is owned by root.adm
+Patch508: Linux-PAM-0.99.3.0-pamtimestampadm.patch
+# (fl) pam_xauth: set extra groups because in high security levels
+# access to /usr/X11R6/bin dir is controlled by a group
+Patch512: Linux-PAM-1.1.1-xauth-groups.patch
+# (tv/blino) add defaults for nice/rtprio in /etc/security/limits.conf
+Patch517: Linux-PAM-0.99.3.0-enable_rt.patch
+# (blino) fix parallel build (pam_console)
+Patch521: Linux-PAM-0.99.3.0-pbuild-rh.patch
+
+Patch700: pam_fix_static_pam_console.patch
+# (fc) do not output error when no file is in /etc/security/console.perms.d/
+Patch701: pam-1.1.0-console-nopermsd.patch
+# (proyvind): add missing constant that went with rpc removal from glibc 2.14
+Patch702: Linux-PAM-1.1.4-add-now-missing-nis-constant.patch
+
+# (akdengi> add user to default group users which need for Samba
+Patch801: Linux-PAM-1.1.4-group_add_users.patch
+
+BuildRequires: selinux-devel >= 2.1.6-7
+BuildRequires: bison
+BuildRequires: cracklib-devel
+BuildRequires: flex
+%if !%{bootstrap}
+# this pulls in the mega texlive load
+BuildRequires: linuxdoc-tools
+%endif
+BuildRequires: db_nss-devel
+BuildRequires: openssl-devel
+BuildRequires: libaudit-devel
+BuildRequires: glibc-crypt_blowfish-devel
+%if %with_prelude
+BuildRequires: prelude-devel >= 0.9.0
+%else
+BuildConflicts: prelude-devel
+%endif
+Requires: cracklib-dicts
+Requires: setup >= 2.7.12-2
+Requires: pam_tcb >= 1.0.2-16
+Requires(pre): rpm-helper
+Requires(post): coreutils >= 8.12-7.2
+Requires(post): tcb >= 1.0.2-16
+Conflicts: %{_lib}pam0 < 1.1.4-5
+
+%description
+PAM (Pluggable Authentication Modules) is a system security tool that
+allows system administrators to set authentication policy without
+having to recompile programs that handle authentication.
+
+%package doc
+Summary: Additional documentation for %{name}
+Group: System/Libraries
+Requires: %{name} = %{EVRD}
+
+%description doc
+This is the documentation package of %{name}.
+
+%package -n %{libname}
+Summary: Library for %{name}
+Group: System/Libraries
+
+%description -n %{libname}
+This package contains the library libpam for %{name}.
+
+%package -n %{libnamec}
+Summary: Library for %{name}
+Group: System/Libraries
+Conflicts: %{_lib}pam0 < 1.1.4-5
+
+%description -n %{libnamec}
+This package contains the library libpamc for %{name}.
+
+%package -n %{libname_misc}
+Summary: Library for %{name}
+Group: System/Libraries
+Conflicts: %{_lib}pam0 < 1.1.4-5
+
+%description -n %{libname_misc}
+This package contains the library libpam_misc for %{name}.
+
+%package -n %{develname}
+Summary: Development headers and libraries for %{name}
+Group: Development/Other
+Requires: %{libname} = %{EVRD}
+Requires: %{libnamec} = %{EVRD}
+Requires: %{libname_misc} = %{EVRD}
+Provides: %{name}-devel = %{EVRD}
+Provides: lib%{name}-devel = %{EVRD}
+
+%description -n %{develname}
+PAM (Pluggable Authentication Modules) is a system security tool that
+allows system administrators to set authentication policy without
+having to recompile programs that handle authentication.
+
+This package contains the development libraries for %{name}.
+
+%prep
+%setup -q -n Linux-PAM-%{version} -a 2
+
+# Add custom modules.
+mv pam-redhat-%{pam_redhat_version}/* modules
+
+# (RH)
+%patch1 -p1 -b .redhat-modules
+%patch2 -p1 -b .std-noclose
+%patch4 -p1 -b .nochmod
+%patch5 -p1 -b .notally
+%patch7 -p1 -b .console-fixes
+%patch9 -p1 -b .noflex
+%patch10 -p1 -b .nouserenv
+%patch11 -p1 -b .abstract
+
+# (Mandriva)
+%patch507 -p1 -b .loop
+%patch508 -p1 -b .pamtimestampadm
+%patch512 -p0 -b .xauth-groups
+%patch517 -p1 -b .enable_rt
+%patch521 -p1 -b .pbuild-rh
+%patch700 -p1 -b .static
+%patch701 -p1 -b .nopermsd
+%patch702 -p1 -b .nis_const~
+%patch801 -p1 -b .group_users
+
+# 08/08/2008 - vdanen - make pam provide pam_unix until we can work out all the issues in pam_tcb; this
+# just makes things easier but is not meant to be a permanent solution
+## Remove unwanted modules; pam_tcb provides pam_unix now
+#for d in pam_unix; do
+# rm -rf modules/$d
+# sed -i "s,modules/$d/Makefile,," configure.in
+# sed -i "s/ $d / /" modules/Makefile.am
+#done
+
+install -m644 %{SOURCE501} %{SOURCE502} modules/pam_tty_audit/
+
+mkdir -p doc/txts
+for readme in modules/pam_*/README ; do
+ cp -f ${readme} doc/txts/README.`dirname ${readme} | sed -e 's|^modules/||'`
+done
+
+cp %{SOURCE4} README.0.99.8.1.update.urpmi
+
+#libtoolize -cf
+autoreconf -I m4
+
+%build
+export BROWSER=""
+CFLAGS="$RPM_OPT_FLAGS -fPIC -I%{_includedir}/db_nss -D_GNU_SOURCE" \
+%configure2_5x \
+ --sbindir=/sbin \
+ --libdir=/%{_lib} \
+ --includedir=%{_includedir}/security \
+ --with-db-uniquename=_nss \
+ --docdir=%{_docdir}/%{name} \
+ --enable-selinux \
+ --enable-audit
+%make
+
+%install
+mkdir -p %{buildroot}%{_includedir}/security
+mkdir -p %{buildroot}/%{_lib}/security
+%makeinstall_std LDCONFIG=:
+install -d -m 755 %{buildroot}/etc/pam.d
+install -m 644 %{SOURCE5} %{buildroot}/etc/pam.d/other
+install -m 644 %{SOURCE6} %{buildroot}/etc/pam.d/system-auth
+install -m 644 %{SOURCE7} %{buildroot}/etc/pam.d/config-util
+install -m 600 /dev/null %{buildroot}%{_sysconfdir}/security/opasswd
+install -d -m 755 %{buildroot}/var/log
+install -m 600 /dev/null %{buildroot}/var/log/tallylog
+
+# Install man pages.
+install -m 644 %{SOURCE9} %{SOURCE10} %{buildroot}%{_mandir}/man5/
+
+# no longer needed, handled by ACL in udev
+for phase in auth acct passwd session ; do
+ ln -sf pam_unix.so %{buildroot}/%{_lib}/security/pam_unix_${phase}.so
+done
+
+# cleanup
+rm -f %{buildroot}/%{_lib}/security/*.la
+rm -f %{buildroot}/%{_lib}/*.la
+
+%find_lang Linux-PAM
+
+%check
+# (blino) we don't want to test if SE Linux is built, it's disabled
+# Make sure every module subdirectory gave us a module. Yes, this is hackish.
+for dir in modules/pam_* ; do
+#if [ -d ${dir} ] && [[ "${dir}" != "modules/pam_selinux" ]] && [[ "${dir}" != "modules/pam_sepermit" ]]; then
+# [[ "${dir}" = "modules/pam_tally" ]] && continue
+ if ! ls -1 %{buildroot}/%{_lib}/security/`basename ${dir}`*.so ; then
+ echo ERROR `basename ${dir}` did not build a module.
+ exit 1
+ fi
+#fi
+done
+
+# Check for module problems. Specifically, check that every module we just
+# installed can actually be loaded by a minimal PAM-aware application.
+/sbin/ldconfig -n %{buildroot}/%{_lib}
+for module in %{buildroot}/%{_lib}/security/pam*.so ; do
+ if ! env LD_LIBRARY_PATH=%{buildroot}/%{_lib} \
+ sh %{SOURCE8} -ldl -lpam -L%{buildroot}/%{_lib} ${module} ; then
+ echo ERROR module: ${module} cannot be loaded.
+ exit 1
+ fi
+done
+
+%posttrans
+# (cg) Ensure that the pam_systemd.so is included for user ACLs under systemd
+# Note: Only affects upgrades, but does no harm so always update if needed.
+if ! grep -q "pam_systemd\.so" /etc/pam.d/system-auth; then
+ echo "-session optional pam_systemd.so" >>/etc/pam.d/system-auth
+fi
+
+if [ ! -a /var/log/tallylog ] ; then
+ install -m 600 /dev/null /var/log/tallylog
+fi
+if [ -f /etc/login.defs ] && ! grep -q USE_TCB /etc/login.defs; then
+ /usr/sbin/set_tcb --auto --migrate
+fi
+
+%files -f Linux-PAM.lang
+%doc NEWS README.0.99.8.1.update.urpmi
+%docdir %{_docdir}/%{name}
+%dir /etc/pam.d
+%config(noreplace) /etc/environment
+%config(noreplace) /etc/pam.d/other
+%attr(0644,root,shadow) %config(noreplace) /etc/pam.d/system-auth
+%config(noreplace) /etc/pam.d/config-util
+/sbin/mkhomedir_helper
+/sbin/pam_console_apply
+/sbin/pam_tally2
+/sbin/unix_chkpwd
+/sbin/unix_update
+%attr(4755,root,root) /sbin/pam_timestamp_check
+%config(noreplace) %{_sysconfdir}/security/access.conf
+%config(noreplace) %{_sysconfdir}/security/chroot.conf
+%config(noreplace) %{_sysconfdir}/security/console.perms
+%config(noreplace) %{_sysconfdir}/security/console.handlers
+%config(noreplace) %{_sysconfdir}/security/group.conf
+%config(noreplace) %{_sysconfdir}/security/limits.conf
+%config(noreplace) %{_sysconfdir}/security/namespace.conf
+%attr(755,root,root) %config(noreplace) %{_sysconfdir}/security/namespace.init
+%config(noreplace) %{_sysconfdir}/security/pam_env.conf
+%config(noreplace) %{_sysconfdir}/security/sepermit.conf
+%config(noreplace) %{_sysconfdir}/security/time.conf
+%config(noreplace) %{_sysconfdir}/security/opasswd
+%dir %{_sysconfdir}/security/console.apps
+%dir %{_sysconfdir}/security/console.perms.d
+%dir /%{_lib}/security
+/%{_lib}/security/*.so
+/%{_lib}/security/pam_filter
+%dir /var/run/console
+%ghost %verify(not md5 size mtime) /var/log/tallylog
+%{_mandir}/man5/*
+%{_mandir}/man8/*
+
+%files -n %{libname}
+/%{_lib}/libpam.so.%{major}*
+
+%files -n %{libnamec}
+/%{_lib}/libpamc.so.%{major}*
+
+%files -n %{libname_misc}
+/%{_lib}/libpam_misc.so.%{major}*
+
+%files -n %{develname}
+%doc Copyright
+/%{_lib}/libpam.so
+/%{_lib}/libpam_misc.so
+/%{_lib}/libpamc.so
+%{_includedir}/security/*.h
+%{_mandir}/man3/*
+
+%files doc
+%doc doc/txts doc/specs/rfc86.0.txt Copyright
+
+
+%changelog
+
+* Tue Feb 26 2013 Alexander Romanov
+- Rosa initial commit
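Review bot: Source1 pulls in the upstream detached signature `Linux-PAM-%{version}.tar.bz2.sign`, but nothing in %prep or %build checks it against Source0, so the signature travels with the package sources without adding any integrity guarantee for the tarball. Either verify it in %prep (`gpg --verify %{SOURCE1} %{SOURCE0}` against a keyring shipped as a further Source, or the distribution's equivalent macro) or drop Source1 so readers do not assume the check happens. Separately, `[ ! -a /var/log/tallylog ]` in %posttrans uses the non-POSIX unary `-a`; `[ ! -e /var/log/tallylog ]` is the portable spelling. The pam_systemd append in %posttrans edits `/etc/pam.d/system-auth`, which is packaged `%config(noreplace)`, so a comment such as `# appends to an admin-owned config file; guarded by the grep above` would make that side effect explicit.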
diff --git a/pam_fix_static_pam_console.patch b/pam_fix_static_pam_console.patch
new file mode 100644
index 0000000..cd29032
--- /dev/null
+++ b/pam_fix_static_pam_console.patch
@@ -0,0 +1,26 @@
+Index: Linux-PAM-0.99.7.1/modules/pam_console/configfile.h
+===================================================================
+--- Linux-PAM-0.99.7.1.orig/modules/pam_console/configfile.h
++++ Linux-PAM-0.99.7.1/modules/pam_console/configfile.h
+@@ -4,7 +4,7 @@
+ */
+ #ifndef _CONFIGFILE_H
+ #define _CONFIGFILE_H
+-#define STATIC static
++#define STATIC
+
+ #ifndef FALSE
+ #define FALSE 0
+Index: Linux-PAM-0.99.7.1/modules/pam_console/pam_console_apply.c
+===================================================================
+--- Linux-PAM-0.99.7.1.orig/modules/pam_console/pam_console_apply.c
++++ Linux-PAM-0.99.7.1/modules/pam_console/pam_console_apply.c
+@@ -17,7 +17,7 @@
+ #include
+ #include
+ #include
+-#define STATIC static
++#define STATIC
+ #include "configfile.h"
+ #include "chmod.h"
+ #include "pam_console.h"
diff --git a/pam_tty_audit.8 b/pam_tty_audit.8
new file mode 100644
index 0000000..fdf6cbc
--- /dev/null
+++ b/pam_tty_audit.8
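Review bot: Both hunks redefine `STATIC` to nothing, giving every `STATIC`-marked definition in the pam_console sources external linkage, yet the patch carries no header explaining which build or link failure this works around. A one-line description above the first `Index:` line naming the failing link step (the spec only says "static") would let the next maintainer judge whether the patch is still needed when the module is updated. The widened symbol visibility is also worth a second look, since definitions that were private to one object file now become part of the module's and pam_console_apply's exported symbol set unless a version script restricts them.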
@@ -0,0 +1,80 @@
+.\" Title: pam_tty_audit
+.\" Author:
+.\" Generator: DocBook XSL Stylesheets v1.73.2
+.\" Date: 01/18/2008
+.\" Manual: Linux-PAM Manual
+.\" Source: Linux-PAM Manual
+.\"
+.TH "PAM_TTY_AUDIT" "8" "01/18/2008" "Linux-PAM Manual" "Linux\-PAM Manual"
+.\" disable hyphenation
+.nh
+.\" disable justification (adjust text to left margin only)
+.ad l
+.SH "NAME"
+pam_tty_audit - Enable or disable TTY auditing for specified users
+.SH "SYNOPSIS"
+.HP 17
+\fBpam_tty_audit\.so\fR [disable=\fIpatterns\fR] [enable=\fIpatterns\fR]
+.SH "DESCRIPTION"
+.PP
+The pam_tty_audit PAM module is used to enable or disable TTY auditing\. By default, the kernel does not audit input on any TTY\.
+.SH "OPTIONS"
+.PP
+\fBdisable=\fR\fB\fIpatterns\fR\fR
+.RS 4
+For each user matching one of comma\-separated glob
+\fB\fIpatterns\fR\fR, disable TTY auditing\. This overrides any previous
+\fBenable\fR
+option matchin the same user name on the command line\.
+.RE
+.PP
+\fBenable=\fR\fB\fIpatterns\fR\fR
+.RS 4
+For each user matching one of comma\-separated glob
+\fB\fIpatterns\fR\fR, enable TTY auditing\. This overrides any previous
+\fBdisable\fR
+option matching the same user name on the command line\.
+.RE
+.PP
+\fBopen_only\fR
+.RS 4
+Set the TTY audit flag when opening the session, but do not restore it when closing the session\. Using this option is necessary for some services that don\'t
+\fBfork()\fR
+to run the authenticated session, such as
+\fBsudo\fR\.
+.RE
+.SH "MODULE SERVICES PROVIDED"
+.PP
+Only the
+\fBsession\fR
+service is supported\.
+.SH "RETURN VALUES"
+.PP
+PAM_SESSION_ERR
+.RS 4
+Error reading or modifying the TTY audit flag\. See the system log for more details\.
+.RE
+.PP
+PAM_SUCCESS
+.RS 4
+Success\.
+.RE
+.SH "NOTES"
+.PP
+When TTY auditing is enabled, it is inherited by all processes started by that user\. In particular, daemons restarted by an user will still have TTY auditing enabled, and audit TTY input even by other users unless auditing for these users is explicitly disabled\. Therefore, it is recommended to use
+\fBdisable=*\fR
+as the first option for most daemons using PAM\.
+.SH "EXAMPLES"
+.PP
+Audit all administrative actions\.
+.sp
+.RS 4
+.nf
+session required pam_tty_audit\.so disable=* enable=root
+
+.fi
+.RE
+.sp
+.SH "AUTHOR"
+.PP
+pam_tty_audit was written by Miloslav Trmač \.
diff --git a/system-auth.5 b/system-auth.5
new file mode 100644
index 0000000..1300ec8
--- /dev/null
+++ b/system-auth.5
@@ -0,0 +1,39 @@
+.TH SYSTEM-AUTH 5 "2006 Feb 3" "Red Hat" "Linux-PAM Manual"
+.SH NAME
+
+system-auth \- Common configuration file for PAMified services
+
+.SH SYNOPSIS
+.B /etc/pam.d/system-auth
+.sp 2
+.SH DESCRIPTION
+
+The purpose of this configuration file is to provide common
+configuration file for all applications and service daemons
+calling PAM library.
+
+.sp
+The \fBsystem-auth\fR configuration file is included from all individual service configuration
+files with the help of the \fBinclude\fR directive.
+
+.SH NOTES
+There should be no \fBsufficient\fR modules in the \fBsession\fR
+part of \fBsystem-auth\fR file because individual services may add session modules after
+\fBinclude\fR of the \fBsystem-auth\fR file. Execution of these modules would be skipped if there were sufficient
+modules in \fBsystem-auth\fR file.
+
+.sp
+Conversely there should not be any modules after
+\fBinclude\fR directive in the individual service files in
+\fBauth\fR, \fBaccount\fR and \fBpassword\fR
+sections otherwise they could be bypassed.
+
+.SH BUGS
+.sp 2
+None known.
+
+.SH "SEE ALSO"
+\fBpam\fR(8), \fBconfig-util\fR(5)
+
+The three \fBLinux-PAM\fR Guides, for \fBsystem administrators\fR,
+\fBmodule developers\fR, and \fBapplication developers\fR.
diff --git a/system-auth.pamd b/system-auth.pamd
new file mode 100644
index 0000000..7b15fd6
--- /dev/null
+++ b/system-auth.pamd
@@ -0,0 +1,17 @@
+#%PAM-1.0
+
+auth required pam_env.so
+auth sufficient pam_tcb.so shadow nullok prefix=$2a$ count=8
+auth required pam_deny.so
+
+account required pam_tcb.so shadow
+
+password required pam_cracklib.so try_first_pass retry=3
+password sufficient pam_tcb.so use_authtok shadow write_to=shadow nullok prefix=$2a$ count=8
+password required pam_deny.so
+
+session optional pam_keyinit.so revoke
+session required pam_limits.so
+session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
+session required pam_tcb.so
+-session optional pam_systemd.so
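Review bot: `nullok` on the `auth sufficient pam_tcb.so` line (and again on the `password sufficient` line) lets an account whose password field is empty authenticate without supplying any password, and because this file is the stack every service includes via `include`, that applies system-wide; confirm it is intended for a distribution default, otherwise remove the option from both lines. `count=8` on the password line, presumably the bcrypt cost used for newly set hashes, is on the low side; raising it is a one-token change there. A comment above the auth block, e.g. `# nullok: accounts with an empty password may log in without one; remove if not wanted`, would make the choice visible to administrators editing this `%config(noreplace)` file.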