From c4f7006c26deb4bb8a102d4318da8a894128ac50 Mon Sep 17 00:00:00 2001 
From: Rosa Date: Wed, 1 Feb 2012 15:16:30 +0400 Subject: [PATCH] Automatic import for version 1.1.3 --- .abf.yml | 3 + Linux-PAM-0.99.3.0-enable_rt.patch | 12 + Linux-PAM-0.99.3.0-pamtimestampadm.patch | 14 + Linux-PAM-0.99.3.0-pbuild-rh.patch | 11 + Linux-PAM-1.1.1-xauth-groups.patch | 67 ++ Linux-PAM-1.1.3.tar.bz2.sign | 8 + README | 48 ++ config-util.5 | 36 + config-util.pamd | 8 + dlopen.sh | 75 +++ other.pamd | 5 + pam-0.74-loop.patch | 12 + pam-0.99.3.0-README.update | 34 + pam-0.99.8.1-11mdv2009.0-README.update | 8 + pam-1.0.90-redhat-modules.patch | 23 + pam-1.0.91-std-noclose.patch | 98 +++ pam-1.1.0-console-fixes.patch | 71 ++ pam-1.1.0-console-nochmod.patch | 26 + pam-1.1.0-console-nopermsd.patch | 11 + pam-1.1.0-notally.patch | 12 + pam-1.1.2-noflex.patch | 27 + pam-1.1.3-console-abstract.patch | 82 +++ pam-1.1.3-nouserenv.patch | 27 + pam.spec | 796 +++++++++++++++++++++++ pam_fix_static_pam_console.patch | 26 + pam_tty_audit.8 | 80 +++ system-auth.5 | 39 ++ system-auth.pamd | 16 + 28 files changed, 1675 insertions(+) create mode 100644 .abf.yml create mode 100644 Linux-PAM-0.99.3.0-enable_rt.patch create mode 100644 Linux-PAM-0.99.3.0-pamtimestampadm.patch create mode 100644 Linux-PAM-0.99.3.0-pbuild-rh.patch create mode 100644 Linux-PAM-1.1.1-xauth-groups.patch create mode 100644 Linux-PAM-1.1.3.tar.bz2.sign create mode 100644 README create mode 100644 config-util.5 create mode 100644 config-util.pamd create mode 100755 dlopen.sh create mode 100644 other.pamd create mode 100644 pam-0.74-loop.patch create mode 100644 pam-0.99.3.0-README.update create mode 100644 pam-0.99.8.1-11mdv2009.0-README.update create mode 100644 pam-1.0.90-redhat-modules.patch create mode 100644 pam-1.0.91-std-noclose.patch create mode 100644 pam-1.1.0-console-fixes.patch create mode 100644 pam-1.1.0-console-nochmod.patch create mode 100644 pam-1.1.0-console-nopermsd.patch create mode 100644 pam-1.1.0-notally.patch create mode 100644 pam-1.1.2-noflex.patch create mode 100644 
pam-1.1.3-console-abstract.patch create mode 100644 pam-1.1.3-nouserenv.patch create mode 100644 pam.spec create mode 100644 pam_fix_static_pam_console.patch create mode 100644 pam_tty_audit.8 create mode 100644 system-auth.5 create mode 100644 system-auth.pamd diff --git a/.abf.yml b/.abf.yml new file mode 100644 index 0000000..f20f568 --- /dev/null +++ b/.abf.yml @@ -0,0 +1,3 @@ +sources: + "Linux-PAM-1.1.3.tar.bz2": 97d36d2b9af3211b4818ea8e6fcc6893ca1b6722 + "pam-redhat-0.99.10-1.tar.bz2": 09e618edc5dcda9a6eb435a31db742afca673ae1 diff --git a/Linux-PAM-0.99.3.0-enable_rt.patch b/Linux-PAM-0.99.3.0-enable_rt.patch new file mode 100644 index 0000000..722aaf9 --- /dev/null +++ b/Linux-PAM-0.99.3.0-enable_rt.patch @@ -0,0 +1,12 @@ +--- Linux-PAM-0.99.3.0/modules/pam_limits/limits.conf.enable_rt 2005-08-16 16:02:28.000000000 +0200 ++++ Linux-PAM-0.99.3.0/modules/pam_limits/limits.conf 2006-01-28 14:51:28.000000000 +0100 +@@ -47,4 +47,9 @@ + #ftp hard nproc 0 + #@student - maxlogins 4 + ++* - rtprio 0 ++* - nice 0 ++@audio - rtprio 50 ++@audio - nice -10 ++ + # End of file diff --git a/Linux-PAM-0.99.3.0-pamtimestampadm.patch b/Linux-PAM-0.99.3.0-pamtimestampadm.patch new file mode 100644 index 0000000..aafd9cd --- /dev/null +++ b/Linux-PAM-0.99.3.0-pamtimestampadm.patch @@ -0,0 +1,14 @@ +--- Linux-PAM-0.99.3.0/modules/pam_timestamp/pam_timestamp.c.pamtimestampadm 2006-01-03 16:35:07.000000000 +0100 ++++ Linux-PAM-0.99.3.0/modules/pam_timestamp/pam_timestamp.c 2006-01-27 22:31:39.000000000 +0100 +@@ -121,9 +121,9 @@ + scratch); + return PAM_AUTH_ERR; + } +- if (st.st_gid != 0) { ++ if ((st.st_gid != 0) && (st.st_gid != 4)) { + pam_syslog(pamh, LOG_ERR, +- "`%s' owner GID != 0", ++ "`%s' owner GID != 0 and != 4", + scratch); + return PAM_AUTH_ERR; + } diff --git a/Linux-PAM-0.99.3.0-pbuild-rh.patch b/Linux-PAM-0.99.3.0-pbuild-rh.patch new file mode 100644 index 0000000..123084e --- /dev/null +++ b/Linux-PAM-0.99.3.0-pbuild-rh.patch 
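Review bot: The relaxed ownership test in the pam_timestamp.c hunk hard-codes the group id `4` without a name, so a reader cannot tell which group is being trusted and the check silently changes meaning on a system where gid 4 is not that group. Resolve it by name once, e.g. `struct group *adm = getgrnam("adm"); gid_t adm_gid = adm ? adm->gr_gid : (gid_t)-1;` and compare `st.st_gid` against `adm_gid`, or at minimum annotate the constant with `/* gid 4 is expected to be the adm group, see the pamtimestampadm note in pam.spec */`. Because the directory group may now be non-root, it is worth confirming that the surrounding code still rejects a group-writable directory; that mode check is not visible in this hunk, and the enclosing function body is only partly shown.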
@@ -0,0 +1,11 @@ +--- Linux-PAM-0.99.3.0/modules/pam_console/Makefile.am.pbuild-rh 2005-12-15 23:07:37.000000000 +0100 ++++ Linux-PAM-0.99.3.0/modules/pam_console/Makefile.am 2006-01-28 00:26:20.000000000 +0100 +@@ -57,6 +57,8 @@ + pam_console_la_CFLAGS = $(AM_CFLAGS) + pam_console_apply_CFLAGS = $(AM_CFLAGS) + ++configfile.tab.h: configfile.tab.c ++ + configfile.tab.c: configfile.y + $(YACC) $(BISON_OPTS) -o $@ -p _pc_yy $< + sh $(srcdir)/sed-static $@ diff --git a/Linux-PAM-1.1.1-xauth-groups.patch b/Linux-PAM-1.1.1-xauth-groups.patch new file mode 100644 index 0000000..2d9a59c --- /dev/null +++ b/Linux-PAM-1.1.1-xauth-groups.patch 
@@ -0,0 +1,67 @@ +--- modules/pam_xauth/pam_xauth.c 2010-10-08 13:56:11.000000000 +0200 ++++ modules/pam_xauth/pam_xauth.c.oden 2010-11-03 11:23:06.714312576 +0100 +@@ -90,7 +90,7 @@ static const char * const xauthpaths[] = + * given input on stdin, and storing any output it generates. */ + static int + run_coprocess(pam_handle_t *pamh, const char *input, char **output, +- uid_t uid, gid_t gid, const char *command, ...) ++ uid_t uid, gid_t gid, const char *name, const char *command, ...) + { + int ipipe[2], opipe[2], i; + char buf[LINE_MAX]; +@@ -141,6 +141,12 @@ run_coprocess(pam_handle_t *pamh, const + pam_syslog (pamh, LOG_ERR, "setgroups() failed: %m"); + _exit (err); + } ++ ++ /* Mandriva Linux specific: ++ * we need to set the extra groups because in high security levels ++ * access to /usr/X11R6/bin dir is controlled by a group */ ++ initgroups(name, gid); ++ + if (setuid(uid) == -1) + { + int err = errno; +@@ -148,6 +154,7 @@ run_coprocess(pam_handle_t *pamh, const + (unsigned long) geteuid ()); + _exit (err); + } ++ + /* Initialize the argument list. */ + memset(args, 0, sizeof(args)); + /* Set the pipe descriptors up as stdin and stdout, and close +@@ -173,6 +180,7 @@ run_coprocess(pam_handle_t *pamh, const + } + /* Run the command. */ + execv(command, args); ++ syslog(LOG_ERR, "pam_xauth: execvp of %s failed: %m", command); + /* Never reached. 
*/ + _exit(1); + } +@@ -508,7 +516,7 @@ pam_sm_open_session (pam_handle_t *pamh, + (unsigned long) getuid(), (unsigned long) getgid()); + } + if (run_coprocess(pamh, NULL, &cookie, +- getuid(), getgid(), ++ getuid(), getgid(), rpwd->pw_name, + xauth, "-f", cookiefile, "nlist", display, + NULL) == 0) { + #ifdef WITH_SELINUX +@@ -567,7 +575,7 @@ pam_sm_open_session (pam_handle_t *pamh, + (unsigned long) getgid()); + } + run_coprocess(pamh, NULL, &cookie, +- getuid(), getgid(), ++ getuid(), getgid(), rpwd->pw_name, + xauth, "-f", cookiefile, + "nlist", t, NULL); + } +@@ -709,7 +717,7 @@ pam_sm_open_session (pam_handle_t *pamh, + (unsigned long) tpwd->pw_gid); + } + run_coprocess(pamh, cookie, &tmp, +- tpwd->pw_uid, tpwd->pw_gid, ++ tpwd->pw_uid, tpwd->pw_gid, tpwd->pw_name, + xauth, "-f", cookiefile, "nmerge", "-", NULL); + + /* We don't need to keep a copy of these around any more. */ diff --git a/Linux-PAM-1.1.3.tar.bz2.sign b/Linux-PAM-1.1.3.tar.bz2.sign new file mode 100644 index 0000000..10af18a --- /dev/null +++ b/Linux-PAM-1.1.3.tar.bz2.sign @@ -0,0 +1,8 @@ +-----BEGIN PGP SIGNATURE----- +Version: GnuPG v1.4.9 (GNU/Linux) +Comment: See http://www.kernel.org/signature.html for info + +iD8DBQBMyYZZyGugalF9Dw4RAtMkAJwIeAEXVkGZ3mL4YQKixP5zx3D6iACghePh +sG43bk6Idz0UGC24QRQPDYE= +=lJnB +-----END PGP SIGNATURE----- diff --git a/README b/README new file mode 100644 index 0000000..bbe9063 --- /dev/null +++ b/README 
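Review bot: The `initgroups(name, gid)` call added to run_coprocess ignores its return value, so a failure (an NSS lookup error, for instance) is neither logged nor fatal, unlike the `setgroups()` and `setuid()` calls around it which log and `_exit` with the saved errno. Mirror that pattern: `if (initgroups(name, gid) == -1) { int err = errno; pam_syslog(pamh, LOG_ERR, "initgroups() failed: %m"); _exit(err); }`. The new log line after `execv` names `execvp`; use `"pam_xauth: execv of %s failed: %m"` so the message matches the call actually made. The body of run_coprocess extends beyond the lines shown in this hunk.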
@@ -0,0 +1,48 @@ +pam_tty_audit ? Enable or disable TTY auditing for specified users + +------------------------------------------------------------------------------- + +DESCRIPTION + +The pam_tty_audit PAM module is used to enable or disable TTY auditing. By +default, the kernel does not audit input on any TTY. + +OPTIONS + +disable=patterns + + For each user matching one of comma-separated glob patterns, disable TTY + auditing. This overrides any previous enable option matchin the same user + name on the command line. + +enable=patterns + + For each user matching one of comma-separated glob patterns, enable TTY + auditing. This overrides any previous disable option matching the same user + name on the command line. + +open_only + + Set the TTY audit flag when opening the session, but do not restore it when + closing the session. Using this option is necessary for some services that + don't fork() to run the authenticated session, such as sudo. + +NOTES + +When TTY auditing is enabled, it is inherited by all processes started by that +user. In particular, daemons restarted by an user will still have TTY auditing +enabled, and audit TTY input even by other users unless auditing for these +users is explicitly disabled. Therefore, it is recommended to use disable=* as +the first option for most daemons using PAM. + +EXAMPLES + +Audit all administrative actions. + +session required pam_tty_audit.so disable=* enable=root + + +AUTHOR + +pam_tty_audit was written by Miloslav Trma? . + diff --git a/config-util.5 b/config-util.5 new file mode 100644 index 0000000..17d7f8a --- /dev/null +++ b/config-util.5 
@@ -0,0 +1,36 @@ +.TH SYSTEM-AUTH 5 "2006 Feb 3" "Red Hat" "Linux-PAM Manual" +.SH NAME + +config-util \- Common PAM configuration file for configuration utilities + +.SH SYNOPSIS +.B /etc/pam.d/config-util +.sp 2 +.SH DESCRIPTION + +The purpose of this configuration file is to provide common +configuration file for all configuration utilities which must be run +from the supervisor account and use the userhelper wrapper application. + +.sp +The +.BR config-util +configuration file is included from all individual configuration +files of such utilities with the help of the +.BR include +directive. +There are not usually any other modules in the individual configuration +files of these utilities. + +.sp +It is possible for example to modify duration of the validity of the +authentication timestamp there. See +.BR pam_timestamp(8) +for details. + +.SH BUGS +.sp 2 +None known. + +.SH "SEE ALSO" +pam(8), config-util(5), pam_timestamp(8) diff --git a/config-util.pamd b/config-util.pamd new file mode 100644 index 0000000..8e70d9a --- /dev/null +++ b/config-util.pamd @@ -0,0 +1,8 @@ +#%PAM-1.0 +auth sufficient pam_rootok.so +auth sufficient pam_timestamp.so +auth include system-auth +account required pam_permit.so +session required pam_permit.so +session optional pam_xauth.so +session optional pam_timestamp.so diff --git a/dlopen.sh b/dlopen.sh new file mode 100755 index 0000000..053289a --- /dev/null +++ b/dlopen.sh 
@@ -0,0 +1,75 @@ +#!/bin/sh + +tempdir=`mktemp -d /tmp/dlopenXXXXXX` +test -n "$tempdir" || exit 1 +cat >> $tempdir/dlopen.c << _EOF +#include +#include +#include +#include +/* Simple program to see if dlopen() would succeed. */ +int main(int argc, char **argv) +{ + int i; + struct stat st; + char buf[PATH_MAX]; + for (i = 1; i < argc; i++) { + if (dlopen(argv[i], RTLD_NOW)) { + fprintf(stdout, "dlopen() of \"%s\" succeeded.\n", + argv[i]); + } else { + snprintf(buf, sizeof(buf), "./%s", argv[i]); + if ((stat(buf, &st) == 0) && dlopen(buf, RTLD_NOW)) { + fprintf(stdout, "dlopen() of \"./%s\" " + "succeeded.\n", argv[i]); + } else { + fprintf(stdout, "dlopen() of \"%s\" failed: " + "%s\n", argv[i], dlerror()); + return 1; + } + } + } + return 0; +} +_EOF + +for arg in $@ ; do + case "$arg" in + "") + ;; + -I*|-D*|-f*|-m*|-g*|-O*|-W*) + cflags="$cflags $arg" + ;; + -l*|-L*) + ldflags="$ldflags $arg" + ;; + /*) + modules="$modules $arg" + ;; + *) + modules="$modules $arg" + ;; + esac +done + +${CC:-gcc} $RPM_OPT_FLAGS $CFLAGS -o $tempdir/dlopen $cflags $tempdir/dlopen.c $ldflags -ldl + +retval=0 +for module in $modules ; do + case "$module" in + "") + ;; + /*) + $tempdir/dlopen "$module" + retval=$? + ;; + *) + $tempdir/dlopen ./"$module" + retval=$? + ;; + esac +done + +rm -f $tempdir/dlopen $tempdir/dlopen.c +rmdir $tempdir +exit $retval diff --git a/other.pamd b/other.pamd new file mode 100644 index 0000000..c286c82 --- /dev/null +++ b/other.pamd @@ -0,0 +1,5 @@ +#%PAM-1.0 +auth required pam_deny.so +account required pam_deny.so +password required pam_deny.so +session required pam_deny.so diff --git a/pam-0.74-loop.patch b/pam-0.74-loop.patch new file mode 100644 index 0000000..a021a22 --- /dev/null +++ b/pam-0.74-loop.patch 
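Review bot: In the final loop of dlopen.sh, `retval=$?` is overwritten on every iteration, so the script's exit status reflects only the last module tested and a dlopen() failure of any earlier module is lost, which defeats the purpose of the check. Make failure sticky instead: `$tempdir/dlopen "$module" || retval=1` in both branches. The argument loop `for arg in $@ ; do` should be `for arg in "$@" ; do` so arguments containing spaces are not re-split, and the `/*)` and `*)` branches of that case are identical and can be merged. The `#include` lines of the embedded C program appear with their header names missing in this rendering; presumably an extraction artifact, but worth confirming against the committed file.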
@@ -0,0 +1,12 @@ +--- pam-0.74/modules/pam_console/chmod.c.fred Fri Mar 9 02:00:21 2001 ++++ pam-0.74/modules/pam_console/chmod.c Thu Mar 15 16:54:27 2001 +@@ -161,7 +161,8 @@ + { + if(mntent->mnt_dir && + mntent->mnt_fsname && +- (fnmatch(dir, mntent->mnt_dir, 0) == 0)) ++ (fnmatch(dir, mntent->mnt_dir, 0) == 0) && ++ strcmp(dir, mntent->mnt_fsname)) + { + errors |= change_file(mntent->mnt_fsname, changes, TRUE, user, group); + } diff --git a/pam-0.99.3.0-README.update b/pam-0.99.3.0-README.update new file mode 100644 index 0000000..bcc91bc --- /dev/null +++ b/pam-0.99.3.0-README.update 
@@ -0,0 +1,34 @@ +PAM 0.99.3.0 update notes + +- pam_stack module depreciation + +The pam_stack module is now deprecated. It has to be replaced by +include directives in pam.d configuration files. pam_stack usage won't +make pam fail in this release, but it will be removed in a future +release, better avoid it. It's basically a matter of replacing +"required pam_stack.so service=" with "include ". + +This can't be automatically updated on system-edited configuration +files because it isn't always that simple. Some "sufficient" +directives in the included file may now occult directives that were +previously matched, in the same configuration phase +(auth/account/password/session). +So, the rules may have to be reordered, and the "include" directives +have often to be lowered at the bottom of each phase. + +See Fedora instructions and release notes for more details. +http://www.redhat.com/archives/fedora-devel-list/2005-October/msg00050.html +http://www.redhat.com/archives/fedora-devel-list/2005-October/msg00084.html +http://fedora.redhat.com/docs/release-notes/fc5/test2-latest-en/sn-package-notes.html + +- pam_pwdb dropped + +The pam_pwdb module has been obsolete for a couple of years now, it is +not anymore available in the pam package from Mandriva. +The pam_unix module has to be prefered. + +- services linked with pam + +Services linked with the old pam library have to be restarted once the +new pam package has been installed. +This includes services such as crond, xdm, gdm, kdm, samba. diff --git a/pam-0.99.8.1-11mdv2009.0-README.update b/pam-0.99.8.1-11mdv2009.0-README.update new file mode 100644 index 0000000..3bec023 --- /dev/null +++ b/pam-0.99.8.1-11mdv2009.0-README.update 
@@ -0,0 +1,8 @@ +PAM 0.99.8.1 update notes + +- pam_unix dropped + +The pam_unix module has been dropped in favour of the pam_tcb module and is +no longer available in the pam package from Mandriva. The pam_tcb module will +work with the TCB shadowing scheme or regular shadow passwords. It also provides +the ability to use blowfish passwords, rather than just md5 passwords. diff --git a/pam-1.0.90-redhat-modules.patch b/pam-1.0.90-redhat-modules.patch new file mode 100644 index 0000000..3ad41cc --- /dev/null +++ b/pam-1.0.90-redhat-modules.patch @@ -0,0 +1,23 @@ +diff -up Linux-PAM-1.0.90/modules/Makefile.am.redhat-modules Linux-PAM-1.0.90/modules/Makefile.am +--- Linux-PAM-1.0.90/modules/Makefile.am.redhat-modules 2008-11-29 08:27:35.000000000 +0100 ++++ Linux-PAM-1.0.90/modules/Makefile.am 2008-12-16 13:40:16.000000000 +0100 +@@ -3,6 +3,7 @@ + # + + SUBDIRS = pam_access pam_cracklib pam_debug pam_deny pam_echo \ ++ pam_chroot pam_console pam_postgresok \ + pam_env pam_exec pam_faildelay pam_filter pam_ftp \ + pam_group pam_issue pam_keyinit pam_lastlog pam_limits \ + pam_listfile pam_localuser pam_loginuid pam_mail \ +diff -up Linux-PAM-1.0.90/configure.in.redhat-modules Linux-PAM-1.0.90/configure.in +--- Linux-PAM-1.0.90/configure.in.redhat-modules 2008-12-02 16:25:01.000000000 +0100 ++++ Linux-PAM-1.0.90/configure.in 2008-12-16 13:39:11.000000000 +0100 +@@ -531,6 +531,8 @@ AC_CONFIG_FILES([Makefile libpam/Makefil + libpam_misc/Makefile conf/Makefile conf/pam_conv1/Makefile \ + po/Makefile.in \ + modules/Makefile \ ++ modules/pam_chroot/Makefile modules/pam_console/Makefile \ ++ modules/pam_postgresok/Makefile \ + modules/pam_access/Makefile modules/pam_cracklib/Makefile \ + modules/pam_debug/Makefile modules/pam_deny/Makefile \ + modules/pam_echo/Makefile modules/pam_env/Makefile \ diff --git a/pam-1.0.91-std-noclose.patch b/pam-1.0.91-std-noclose.patch new file mode 100644 index 0000000..7359484 --- /dev/null +++ b/pam-1.0.91-std-noclose.patch 
@@ -0,0 +1,98 @@ +diff -up Linux-PAM-1.0.91/modules/pam_mkhomedir/pam_mkhomedir.c.std-noclose Linux-PAM-1.0.91/modules/pam_mkhomedir/pam_mkhomedir.c +--- Linux-PAM-1.0.91/modules/pam_mkhomedir/pam_mkhomedir.c.std-noclose 2009-03-03 14:56:01.000000000 +0100 ++++ Linux-PAM-1.0.91/modules/pam_mkhomedir/pam_mkhomedir.c 2009-03-26 10:02:15.000000000 +0100 +@@ -131,13 +131,21 @@ create_homedir (pam_handle_t *pamh, int + if (child == 0) { + int i; + struct rlimit rlim; ++ int dummyfds[2]; + static char *envp[] = { NULL }; + char *args[] = { NULL, NULL, NULL, NULL, NULL }; + ++ /* replace std file descriptors with a dummy pipe */ ++ if (pipe(dummyfds) == 0) { ++ dup2(dummyfds[0], STDIN_FILENO); ++ dup2(dummyfds[1], STDOUT_FILENO); ++ dup2(dummyfds[1], STDERR_FILENO); ++ } ++ + if (getrlimit(RLIMIT_NOFILE, &rlim)==0) { + if (rlim.rlim_max >= MAX_FD_NO) + rlim.rlim_max = MAX_FD_NO; +- for (i=0; i < (int)rlim.rlim_max; i++) { ++ for (i = STDERR_FILENO + 1; i < (int)rlim.rlim_max; i++) { + close(i); + } + } +diff -up Linux-PAM-1.0.91/modules/pam_unix/support.c.std-noclose Linux-PAM-1.0.91/modules/pam_unix/support.c +--- Linux-PAM-1.0.91/modules/pam_unix/support.c.std-noclose 2009-03-03 14:56:01.000000000 +0100 ++++ Linux-PAM-1.0.91/modules/pam_unix/support.c 2009-03-26 10:08:59.000000000 +0100 +@@ -443,13 +443,16 @@ static int _unix_run_helper_binary(pam_h + + /* reopen stdin as pipe */ + dup2(fds[0], STDIN_FILENO); ++ /* and replace also the stdout/err as the helper will ++ not write anything there */ ++ dup2(fds[1], STDOUT_FILENO); ++ dup2(fds[1], STDERR_FILENO); + + if (getrlimit(RLIMIT_NOFILE,&rlim)==0) { + if (rlim.rlim_max >= MAX_FD_NO) + rlim.rlim_max = MAX_FD_NO; +- for (i=0; i < (int)rlim.rlim_max; i++) { +- if (i != STDIN_FILENO) +- close(i); ++ for (i = STDERR_FILENO + 1; i < (int)rlim.rlim_max; i++) { ++ close(i); + } + } + +diff -up Linux-PAM-1.0.91/modules/pam_unix/pam_unix_passwd.c.std-noclose Linux-PAM-1.0.91/modules/pam_unix/pam_unix_passwd.c +--- 
Linux-PAM-1.0.91/modules/pam_unix/pam_unix_passwd.c.std-noclose 2009-03-03 14:56:01.000000000 +0100 ++++ Linux-PAM-1.0.91/modules/pam_unix/pam_unix_passwd.c 2009-03-26 10:07:06.000000000 +0100 +@@ -175,13 +175,16 @@ static int _unix_run_update_binary(pam_h + + /* reopen stdin as pipe */ + dup2(fds[0], STDIN_FILENO); ++ /* and replace also the stdout/err as the helper will ++ not write anything there */ ++ dup2(fds[1], STDOUT_FILENO); ++ dup2(fds[1], STDERR_FILENO); + + if (getrlimit(RLIMIT_NOFILE,&rlim)==0) { + if (rlim.rlim_max >= MAX_FD_NO) + rlim.rlim_max = MAX_FD_NO; +- for (i=0; i < (int)rlim.rlim_max; i++) { +- if (i != STDIN_FILENO) +- close(i); ++ for (i = STDERR_FILENO + 1; i < (int)rlim.rlim_max; i++) { ++ close(i); + } + } + +diff -up Linux-PAM-1.0.91/modules/pam_unix/pam_unix_acct.c.std-noclose Linux-PAM-1.0.91/modules/pam_unix/pam_unix_acct.c +--- Linux-PAM-1.0.91/modules/pam_unix/pam_unix_acct.c.std-noclose 2009-03-03 14:56:01.000000000 +0100 ++++ Linux-PAM-1.0.91/modules/pam_unix/pam_unix_acct.c 2009-03-26 10:05:41.000000000 +0100 +@@ -100,16 +100,18 @@ int _unix_run_verify_binary(pam_handle_t + + /* reopen stdout as pipe */ + dup2(fds[1], STDOUT_FILENO); ++ /* and replace also the stdin, stderr so we do not exec the helper with ++ tty as stdin, it will not read anything from there anyway */ ++ dup2(fds[0], STDIN_FILENO); ++ dup2(fds[1], STDERR_FILENO); + + /* XXX - should really tidy up PAM here too */ + + if (getrlimit(RLIMIT_NOFILE,&rlim)==0) { + if (rlim.rlim_max >= MAX_FD_NO) + rlim.rlim_max = MAX_FD_NO; +- for (i=0; i < (int)rlim.rlim_max; i++) { +- if (i != STDOUT_FILENO) { +- close(i); +- } ++ for (i = STDERR_FILENO + 1; i < (int)rlim.rlim_max; i++) { ++ close(i); + } + } + diff --git a/pam-1.1.0-console-fixes.patch b/pam-1.1.0-console-fixes.patch new file mode 100644 index 0000000..08cd4c6 --- /dev/null +++ b/pam-1.1.0-console-fixes.patch 
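Review bot: In the pam_mkhomedir.c part of this patch, if `pipe(dummyfds)` fails the child keeps whatever descriptors 0-2 it inherited (possibly the user's tty), and because the close loop now starts at `STDERR_FILENO + 1` they are no longer closed either, which is the opposite of the behaviour the patch replaces. A `/dev/null` fallback closes that gap, as sketched below (needs `<fcntl.h>` for `O_RDWR` if not already included). In the pam_unix hunks (support.c, pam_unix_passwd.c, pam_unix_acct.c) the helper's stdout/stderr are duplicated from the same pipe the parent uses to talk to it, so anything the helper prints to stderr lands in that pipe and the write end stays open for the helper's lifetime; if the helper side ever waits for EOF that would hang — hedged, since the helper is not visible here — and `/dev/null` would be the more conventional sink there too. The `dup2` return values are unchecked throughout, consistent with the existing code but worth a log line on failure.
```c
		/* replace std file descriptors with a dummy pipe, or /dev/null if that fails */
		if (pipe(dummyfds) == 0) {
			dup2(dummyfds[0], STDIN_FILENO);
			dup2(dummyfds[1], STDOUT_FILENO);
			dup2(dummyfds[1], STDERR_FILENO);
		} else {
			int nullfd = open("/dev/null", O_RDWR);
			if (nullfd >= 0) {
				dup2(nullfd, STDIN_FILENO);
				dup2(nullfd, STDOUT_FILENO);
				dup2(nullfd, STDERR_FILENO);
			}
		}
		/* … unchanged: getrlimit() and close loop from STDERR_FILENO + 1 … */
```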
@@ -0,0 +1,71 @@ +diff -up Linux-PAM-1.1.0/modules/pam_console/handlers.c.consolefix Linux-PAM-1.1.0/modules/pam_console/handlers.c +--- Linux-PAM-1.1.0/modules/pam_console/handlers.c.consolefix 2009-11-02 08:45:24.000000000 +0100 ++++ Linux-PAM-1.1.0/modules/pam_console/handlers.c 2009-11-02 08:50:19.000000000 +0100 +@@ -172,13 +172,13 @@ call_exec(struct console_handler *handle + const char *flagptr; + const char **argv; + int i = 0; +- argv = malloc(sizeof(*argv)*nparams+2); +- ++ argv = malloc(sizeof(*argv)*(nparams+2)); ++ + if (argv == NULL) + return; +- ++ + argv[i++] = handler->executable; +- ++ + for (flagptr = handler->flags; *flagptr != '\0'; flagptr += strlen(flagptr)+1) { + switch (testflag(flagptr)) { + case HF_LOGFAIL: +@@ -231,7 +231,7 @@ execute_handler(pam_handle_t *pamh, stru + } + + sighandler = signal(SIGCHLD, SIG_DFL); +- ++ + child = fork(); + switch (child) { + case -1: +@@ -246,30 +246,31 @@ execute_handler(pam_handle_t *pamh, stru + if (!wait_exit) { + switch(fork()) { + case 0: +- exit(0); ++ if(setsid() == -1) { ++ _exit(255); ++ } ++ break; + case -1: +- exit(255); ++ _exit(255); + default: +- if(setsid() == -1) { +- exit(255); +- } ++ _exit(0); + } + } + if (set_uid) { + struct passwd *pw; + pw = getpwnam(user); + if (pw == NULL) +- exit(255); ++ _exit(255); + if (setgid(pw->pw_gid) == -1 || + setuid(pw->pw_uid) == -1) +- exit(255); ++ _exit(255); + } + call_exec(handler, nparams, user, tty); +- exit(255); ++ _exit(255); + default: + break; + } +- ++ + waitpid(child, &rv, 0); + + if (sighandler != SIG_ERR) diff --git a/pam-1.1.0-console-nochmod.patch b/pam-1.1.0-console-nochmod.patch new file mode 100644 index 0000000..e41adad --- /dev/null +++ b/pam-1.1.0-console-nochmod.patch 
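Review bot: In execute_handler's `set_uid` branch the privilege drop calls `setgid()` and `setuid()` but never resets the supplementary group list, so the handler inherits the PAM caller's supplementary groups even though it is meant to run as `user`. Add `initgroups(pw->pw_name, pw->pw_gid) == -1 ||` as the first term of that condition (or `setgroups(0, NULL)` if no extra groups are wanted), keeping the `_exit(255)` on failure. The corrected allocation `malloc(sizeof(*argv)*(nparams+2))` would be more robust as `calloc(nparams + 2, sizeof *argv)`, which checks the multiplication for overflow. The bodies of call_exec and execute_handler are only partly visible in this hunk.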
@@ -0,0 +1,26 @@ +diff -up Linux-PAM-1.1.0/modules/pam_console/console.handlers.nochmod Linux-PAM-1.1.0/modules/pam_console/console.handlers +--- Linux-PAM-1.1.0/modules/pam_console/console.handlers.nochmod 2008-12-16 13:37:52.000000000 +0100 ++++ Linux-PAM-1.1.0/modules/pam_console/console.handlers 2009-09-01 17:20:08.000000000 +0200 +@@ -15,5 +15,3 @@ + # touch unlock wait /var/run/console-unlocked + + console consoledevs tty[0-9][0-9]* vc/[0-9][0-9]* :[0-9]+\.[0-9]+ :[0-9]+ +-/sbin/pam_console_apply lock logfail wait -t tty -s +-/sbin/pam_console_apply unlock logfail wait -r -t tty -s +diff -up Linux-PAM-1.1.0/modules/pam_console/Makefile.am.nochmod Linux-PAM-1.1.0/modules/pam_console/Makefile.am +--- Linux-PAM-1.1.0/modules/pam_console/Makefile.am.nochmod 2008-12-16 13:37:52.000000000 +0100 ++++ Linux-PAM-1.1.0/modules/pam_console/Makefile.am 2009-09-01 17:42:47.000000000 +0200 +@@ -38,7 +38,6 @@ sbin_PROGRAMS = pam_console_apply + + + secureconf_DATA = console.perms console.handlers +-permsd_DATA = 50-default.perms + + FLEX_OPTS = -Cr + BISON_OPTS = -d +@@ -62,4 +61,5 @@ configfile.c: configfile.tab.c configfil + + install-data-local: + mkdir -p $(DESTDIR)$(secureconfdir)/console.apps ++ mkdir -p $(DESTDIR)$(permsddir) + mkdir -m $(LOCKMODE) -p -p $(DESTDIR)$(LOCKDIR) diff --git a/pam-1.1.0-console-nopermsd.patch b/pam-1.1.0-console-nopermsd.patch new file mode 100644 index 0000000..08fe9bf --- /dev/null +++ b/pam-1.1.0-console-nopermsd.patch @@ -0,0 +1,11 @@ +--- Linux-PAM-1.1.0/modules/pam_console/pam_console_apply.c.error 2009-10-06 17:34:02.000000000 +0200 ++++ Linux-PAM-1.1.0/modules/pam_console/pam_console_apply.c 2009-10-06 17:39:14.000000000 +0200 +@@ -65,7 +65,7 @@ parse_files(void) + on system locale */ + oldlocale = setlocale(LC_COLLATE, "C"); + +- rc = glob(PERMS_GLOB, GLOB_NOCHECK, NULL, &globbuf); ++ rc = glob(PERMS_GLOB, 0, NULL, &globbuf); + setlocale(LC_COLLATE, oldlocale); + if (rc) + return; 
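Review bot: In parse_files (the console-nopermsd patch), `oldlocale = setlocale(LC_COLLATE, "C")` stores the name of the locale just set, since setlocale returns the string for the new locale, so the following `setlocale(LC_COLLATE, oldlocale)` restores "C" rather than the previous collation locale; the lines are context in the inner patch but this import is the place to fix them. Query first and keep a copy: `const char *cur = setlocale(LC_COLLATE, NULL); oldlocale = cur ? strdup(cur) : NULL;`, then set "C", and free the copy after restoring. Dropping GLOB_NOCHECK makes `rc` nonzero for an empty directory, which the early `return` handles, but GLOB_ABORTED and GLOB_NOSPACE are now swallowed silently too; consider logging when `rc != GLOB_NOMATCH`. The rest of parse_files lies outside the hunk.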
diff --git a/pam-1.1.0-notally.patch b/pam-1.1.0-notally.patch new file mode 100644 index 0000000..9327eec --- /dev/null +++ b/pam-1.1.0-notally.patch @@ -0,0 +1,12 @@ +diff -up Linux-PAM-1.1.0/modules/Makefile.am.notally Linux-PAM-1.1.0/modules/Makefile.am +--- Linux-PAM-1.1.0/modules/Makefile.am.notally 2009-07-27 17:39:25.000000000 +0200 ++++ Linux-PAM-1.1.0/modules/Makefile.am 2009-09-01 17:40:16.000000000 +0200 +@@ -10,7 +10,7 @@ SUBDIRS = pam_access pam_cracklib pam_de + pam_mkhomedir pam_motd pam_namespace pam_nologin \ + pam_permit pam_pwhistory pam_rhosts pam_rootok pam_securetty \ + pam_selinux pam_sepermit pam_shells pam_stress \ +- pam_succeed_if pam_tally pam_tally2 pam_time pam_timestamp \ ++ pam_succeed_if pam_tally2 pam_time pam_timestamp \ + pam_tty_audit pam_umask \ + pam_unix pam_userdb pam_warn pam_wheel pam_xauth + diff --git a/pam-1.1.2-noflex.patch b/pam-1.1.2-noflex.patch new file mode 100644 index 0000000..fc96555 --- /dev/null +++ b/pam-1.1.2-noflex.patch 
@@ -0,0 +1,27 @@ +diff -up Linux-PAM-1.1.2/doc/Makefile.am.noflex Linux-PAM-1.1.2/doc/Makefile.am +--- Linux-PAM-1.1.2/doc/Makefile.am.noflex 2008-02-04 16:05:51.000000000 +0100 ++++ Linux-PAM-1.1.2/doc/Makefile.am 2010-09-20 10:40:59.000000000 +0200 +@@ -2,7 +2,7 @@ + # Copyright (c) 2005, 2006 Thorsten Kukuk + # + +-SUBDIRS = man specs sag adg mwg ++SUBDIRS = man sag adg mwg + + CLEANFILES = *~ + +diff -up Linux-PAM-1.1.2/Makefile.am.noflex Linux-PAM-1.1.2/Makefile.am +--- Linux-PAM-1.1.2/Makefile.am.noflex 2010-07-08 14:04:19.000000000 +0200 ++++ Linux-PAM-1.1.2/Makefile.am 2010-09-20 10:04:56.000000000 +0200 +@@ -5,9 +5,9 @@ + AUTOMAKE_OPTIONS = 1.9 gnu dist-bzip2 check-news + + if STATIC_MODULES +-SUBDIRS = modules libpam libpamc libpam_misc tests po conf doc examples xtests ++SUBDIRS = modules libpam libpamc libpam_misc tests po doc examples xtests + else +-SUBDIRS = libpam tests libpamc libpam_misc modules po conf doc examples xtests ++SUBDIRS = libpam tests libpamc libpam_misc modules po doc examples xtests + endif + + CLEANFILES = *~ diff --git a/pam-1.1.3-console-abstract.patch b/pam-1.1.3-console-abstract.patch new file mode 100644 index 0000000..ed14ddd --- /dev/null +++ b/pam-1.1.3-console-abstract.patch 
@@ -0,0 +1,82 @@ +diff -up Linux-PAM-1.1.3/modules/pam_console/pam_console.c.abstract Linux-PAM-1.1.3/modules/pam_console/pam_console.c +--- Linux-PAM-1.1.3/modules/pam_console/pam_console.c.abstract 2008-12-16 13:37:52.000000000 +0100 ++++ Linux-PAM-1.1.3/modules/pam_console/pam_console.c 2010-11-01 17:01:55.000000000 +0100 +@@ -34,6 +34,8 @@ + #include + #include + #include ++#include ++#include + #include + #include + #include +@@ -136,6 +138,32 @@ check_one_console_name(const char *name, + } + + static int ++try_xsocket(const char *path, size_t len) { ++ int fd; ++ union { ++ struct sockaddr sa; ++ struct sockaddr_un su; ++ } addr; ++ ++ fd = socket(AF_UNIX, SOCK_STREAM, 0); ++ if (fd < 0) ++ return 0; ++ ++ memset(&addr, 0, sizeof(addr)); ++ addr.su.sun_family = AF_UNIX; ++ ++ if (len > sizeof(addr.su.sun_path)) ++ return 0; ++ memcpy(addr.su.sun_path, path, len); ++ if (connect(fd, &addr.sa, sizeof(addr.su)) == 0) { ++ close(fd); ++ return 1; ++ } ++ close(fd); ++ return 0; ++} ++ ++static int + check_console_name(pam_handle_t *pamh, const char *consolename, int nonroot_ok, int on_set) { + int found = 0; + int statted = 0; +@@ -186,22 +214,29 @@ check_console_name(pam_handle_t *pamh, c + if (!statted && (consolename[0] == ':')) { + int l; + char *dot = NULL; +- strcpy(full_path, "/tmp/.X11-unix/X"); +- l = sizeof(full_path) - 1 - strlen(full_path); ++ char *path = full_path + 1; ++ ++ full_path[0] = '\0'; ++ strcpy(path, "/tmp/.X11-unix/X"); ++ l = sizeof(full_path) - 2 - strlen(path); + dot = strchr(consolename + 1, '.'); + if (dot != NULL) { + l = (l < dot - consolename - 1) ? 
l : dot - consolename - 1; + } +- strncat(full_path, consolename + 1, l); ++ strncat(path, consolename + 1, l); + full_path[sizeof(full_path) - 1] = '\0'; +- _pam_log(pamh, LOG_DEBUG, TRUE, "checking possible console \"%s\"", +- full_path); +- if (lstat(full_path, &st) != -1) { ++ _pam_log(pamh, LOG_DEBUG, TRUE, "checking possible X socket \"%s\"", ++ path); ++ ++ /* this will work because st.st_uid is 0 */ ++ if (try_xsocket(full_path, strlen(path)+1)) { ++ statted = 1; ++ } else if (try_xsocket(path, strlen(path))) { + statted = 1; + } + else if (!on_set) { /* there is no X11 socket in case of X11 crash */ + _pam_log(pamh, LOG_DEBUG, TRUE, "can't find X11 socket to examine for %s probably due to X crash", consolename); +- statted = 1; /* this will work because st.st_uid is 0 */ ++ statted = 1; + } + } + diff --git a/pam-1.1.3-nouserenv.patch b/pam-1.1.3-nouserenv.patch new file mode 100644 index 0000000..f3a742c --- /dev/null +++ b/pam-1.1.3-nouserenv.patch 
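Review bot: try_xsocket leaks the socket when `len > sizeof(addr.su.sun_path)`: that early `return 0` comes after `socket()` succeeded and the descriptor is never closed. Do the length check before creating the socket, i.e. move `if (len > sizeof(addr.su.sun_path)) return 0;` above `fd = socket(AF_UNIX, SOCK_STREAM, 0);`. Separately, replacing `lstat()` with a `connect()` probe changes what the check proves: the abstract-namespace name tried first (leading NUL, as the `full_path[0] = '\0'` setup shows) carries no owner or filesystem permissions, and the retained comment `this will work because st.st_uid is 0` suggests the later ownership test now always sees uid 0, so a successful connect is the whole evidence that the display belongs to a real X server; whether that is acceptable depends on code outside this hunk and deserves a comment on try_xsocket stating the assumption. check_console_name continues beyond the hunk.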
@@ -0,0 +1,27 @@ +diff -up pam/modules/pam_env/pam_env.c.nouserenv pam/modules/pam_env/pam_env.c +--- pam/modules/pam_env/pam_env.c.nouserenv 2010-10-20 09:59:30.000000000 +0200 ++++ pam/modules/pam_env/pam_env.c 2010-11-01 14:42:01.000000000 +0100 +@@ -10,7 +10,7 @@ + #define DEFAULT_READ_ENVFILE 1 + + #define DEFAULT_USER_ENVFILE ".pam_environment" +-#define DEFAULT_USER_READ_ENVFILE 1 ++#define DEFAULT_USER_READ_ENVFILE 0 + + #include "config.h" + +diff -up pam/modules/pam_env/pam_env.8.xml.nouserenv pam/modules/pam_env/pam_env.8.xml +--- pam/modules/pam_env/pam_env.8.xml.nouserenv 2010-10-20 09:59:30.000000000 +0200 ++++ pam/modules/pam_env/pam_env.8.xml 2010-11-01 14:42:01.000000000 +0100 +@@ -147,7 +147,10 @@ + + + Turns on or off the reading of the user specific environment +- file. 0 is off, 1 is on. By default this option is on. ++ file. 0 is off, 1 is on. By default this option is off as user ++ supplied environment variables in the PAM environment could affect ++ behavior of subsequent modules in the stack without the consent ++ of the system administrator. + + + diff --git a/pam.spec b/pam.spec new file mode 100644 index 0000000..37b19cb --- /dev/null +++ b/pam.spec 
@@ -0,0 +1,796 @@ +%define libname %mklibname %name 0 +%define develname %mklibname %name -d + +%define with_prelude 0 +%{?_without_prelude: %{expand: %%global with_prelude 0}} +%{?_with_prelude: %{expand: %%global with_prelude 1}} + +%define pam_redhat_version 0.99.10-1 + +Summary: A security tool which provides authentication for applications +Name: pam +Version: 1.1.3 +Release: 4 +# The library is BSD licensed with option to relicense as GPLv2+ - this option is redundant +# as the BSD license allows that anyway. pam_timestamp and pam_console modules are GPLv2+, +License: BSD and GPLv2+ +Group: System/Libraries +Source0: ftp://ftp.kernel.org/pub/linux/libs/pam/library/Linux-PAM-%{version}.tar.bz2 +Source1: ftp://ftp.kernel.org/pub/linux/libs/pam/library/Linux-PAM-%{version}.tar.bz2.sign +Source2: pam-redhat-%{pam_redhat_version}.tar.bz2 +Source3: pam-0.99.3.0-README.update +Source4: pam-0.99.8.1-11mdv2009.0-README.update +Source5: other.pamd +Source6: system-auth.pamd +Source7: config-util.pamd +Source8: dlopen.sh +Source9: system-auth.5 +Source10: config-util.5 + +# RedHat patches +Patch1: pam-1.0.90-redhat-modules.patch +Patch2: pam-1.0.91-std-noclose.patch +Patch4: pam-1.1.0-console-nochmod.patch +Patch5: pam-1.1.0-notally.patch +Patch7: pam-1.1.0-console-fixes.patch +Patch9: pam-1.1.2-noflex.patch +Patch10: pam-1.1.3-nouserenv.patch +Patch11: pam-1.1.3-console-abstract.patch + +# Mandriva specific sources/patches +# (fl) fix infinite loop +Patch507: pam-0.74-loop.patch +# (fc) 0.75-29mdk don't complain when / is owned by root.adm +Patch508: Linux-PAM-0.99.3.0-pamtimestampadm.patch +# (fl) pam_xauth: set extra groups because in high security levels +# access to /usr/X11R6/bin dir is controlled by a group +Patch512: Linux-PAM-1.1.1-xauth-groups.patch +# (tv/blino) add defaults for nice/rtprio in /etc/security/limits.conf +Patch517: Linux-PAM-0.99.3.0-enable_rt.patch +# (blino) fix parallel build (pam_console) +Patch521: Linux-PAM-0.99.3.0-pbuild-rh.patch + 
+Patch700: pam_fix_static_pam_console.patch +# (fc) do not output error when no file is in /etc/security/console.perms.d/ +Patch701: pam-1.1.0-console-nopermsd.patch + +#add missing documentation +Source501: pam_tty_audit.8 +Source502: README +Requires: cracklib-dicts +Requires: setup >= 2.7.12-2 +Requires: pam_tcb >= 1.0.2-16 +Conflicts: initscripts < 3.94 +Requires(pre): rpm-helper +Requires(post): coreutils +Requires(post): tcb >= 1.0.2-16 +BuildRequires: bison cracklib-devel flex +BuildRequires: linuxdoc-tools +BuildRequires: db_nss-devel >= 4.6 +BuildRequires: openssl-devel +BuildRequires: libaudit-devel +BuildRequires: glibc-crypt_blowfish-devel +%if %with_prelude +BuildRequires: prelude-devel >= 0.9.0 +%else +BuildConflicts: prelude-devel +%endif +Obsoletes: pamconfig +Provides: pamconfig +Url: http://www.kernel.org/pub/linux/libs/pam/index.html + +%description +PAM (Pluggable Authentication Modules) is a system security tool that +allows system administrators to set authentication policy without +having to recompile programs that handle authentication. + +%package doc +Summary: Additional documentation for %{name} +Group: System/Libraries +Requires: %{name} = %{version} + +%description doc +PAM (Pluggable Authentication Modules) is a system security tool that +allows system administrators to set authentication policy without +having to recompile programs that handle authentication. + +This is the documentation package of %{name} + +%package -n %{libname} +Summary: Libraries for %{name} +Group: System/Libraries +Conflicts: %{name} < 0.99.8.1-10mdv +Conflicts: pam_tcb < 1.0.2-16 + +%description -n %{libname} +PAM (Pluggable Authentication Modules) is a system security tool that +allows system administrators to set authentication policy without +having to recompile programs that handle authentication. 
+ +This package contains the librairies for %{name} + +%package -n %{develname} +Summary: Development headers and libraries for %{name} +Group: Development/Other +Requires: %{libname} = %{version} +Provides: %{name}-devel = %{version}-%{release} +Provides: lib%{name}-devel = %{version}-%{release} +Obsoletes: %{name}-devel <= 0.77-9mdk +Obsoletes: %{mklibname %name 0 -d} <= 0.99.8.1 + +%description -n %{develname} +PAM (Pluggable Authentication Modules) is a system security tool that +allows system administrators to set authentication policy without +having to recompile programs that handle authentication. + +This package contains the development librairies for %{name} + +%prep +%setup -q -n Linux-PAM-%{version} -a 2 + +# Add custom modules. +mv pam-redhat-%{pam_redhat_version}/* modules + +# (RH) +%patch1 -p1 -b .redhat-modules +%patch2 -p1 -b .std-noclose +%patch4 -p1 -b .nochmod +%patch5 -p1 -b .notally +%patch7 -p1 -b .console-fixes +%patch9 -p1 -b .noflex +%patch10 -p1 -b .nouserenv +%patch11 -p1 -b .abstract + +# (Mandriva) +%patch507 -p1 -b .loop +%patch508 -p1 -b .pamtimestampadm +%patch512 -p0 -b .xauth-groups +%patch517 -p1 -b .enable_rt +%patch521 -p1 -b .pbuild-rh +%patch700 -p1 -b .static +%patch701 -p1 -b .nopermsd + +# 08/08/2008 - vdanen - make pam provide pam_unix until we can work out all the issues in pam_tcb; this +# just makes things easier but is not meant to be a permanent solution +## Remove unwanted modules; pam_tcb provides pam_unix now +#for d in pam_unix; do +# rm -rf modules/$d +# sed -i "s,modules/$d/Makefile,," configure.in +# sed -i "s/ $d / /" modules/Makefile.am +#done + + +install -m644 %{SOURCE501} %{SOURCE502} modules/pam_tty_audit/ + +mkdir -p doc/txts +for readme in modules/pam_*/README ; do + cp -f ${readme} doc/txts/README.`dirname ${readme} | sed -e 's|^modules/||'` +done + +cp %{SOURCE4} README.0.99.8.1.update.urpmi + +#libtoolize -cf +autoreconf -I m4 + +%build +export BROWSER="" +CFLAGS="$RPM_OPT_FLAGS -fPIC 
-I%{_includedir}/db_nss -D_GNU_SOURCE" \ +%configure2_5x \ + --sbindir=/sbin \ + --libdir=/%{_lib} \ + --includedir=%{_includedir}/security \ + --with-db-uniquename=_nss \ + --docdir=%{_docdir}/%{name} \ + --disable-selinux +%make + +%install +mkdir -p $RPM_BUILD_ROOT%{_includedir}/security +mkdir -p $RPM_BUILD_ROOT/%{_lib}/security +make install DESTDIR=$RPM_BUILD_ROOT LDCONFIG=: +install -d -m 755 $RPM_BUILD_ROOT/etc/pam.d +install -m 644 %{SOURCE5} $RPM_BUILD_ROOT/etc/pam.d/other +install -m 644 %{SOURCE6} $RPM_BUILD_ROOT/etc/pam.d/system-auth +install -m 644 %{SOURCE7} $RPM_BUILD_ROOT/etc/pam.d/config-util +install -m 600 /dev/null $RPM_BUILD_ROOT%{_sysconfdir}/security/opasswd +install -d -m 755 $RPM_BUILD_ROOT/var/log +install -m 600 /dev/null $RPM_BUILD_ROOT/var/log/tallylog + +# Install man pages. +install -m 644 %{SOURCE9} %{SOURCE10} $RPM_BUILD_ROOT%{_mandir}/man5/ + +# remove unpackaged .la files +rm -rf $RPM_BUILD_ROOT/%{_lib}/*.la $RPM_BUILD_ROOT/%{_lib}/security/*.la + +# no longer needed, handled by ACL in udev +for phase in auth acct passwd session ; do + ln -sf pam_unix.so $RPM_BUILD_ROOT/%{_lib}/security/pam_unix_${phase}.so +done + +%find_lang Linux-PAM + +%check +# (blino) we don't want to test if SE Linux is built, it's disabled +# Make sure every module subdirectory gave us a module. Yes, this is hackish. +for dir in modules/pam_* ; do +if [ -d ${dir} ] && [ ${dir} != "modules/pam_selinux" && [ ${dir} != "modules/pam_sepermit" ]; then + [ ${dir} = "modules/pam_tally" ] && continue + if ! ls -1 $RPM_BUILD_ROOT/%{_lib}/security/`basename ${dir}`*.so ; then + echo ERROR `basename ${dir}` did not build a module. + exit 1 + fi +fi +done + +# Check for module problems. Specifically, check that every module we just +# installed can actually be loaded by a minimal PAM-aware application. +/sbin/ldconfig -n $RPM_BUILD_ROOT/%{_lib} +for module in $RPM_BUILD_ROOT/%{_lib}/security/pam*.so ; do + if ! 
env LD_LIBRARY_PATH=$RPM_BUILD_ROOT/%{_lib} \ + %{SOURCE8} -ldl -lpam -L$RPM_BUILD_ROOT/%{_lib} ${module} ; then + echo ERROR module: ${module} cannot be loaded. + exit 1 + fi +done + +%posttrans +if [ ! -a /var/log/tallylog ] ; then + install -m 600 /dev/null /var/log/tallylog +fi +if [ -f /etc/login.defs -a ! "$(grep -q USE_TCB /etc/login.defs)" ]; then + /usr/sbin/set_tcb --auto --migrate +fi + + +%files -f Linux-PAM.lang +%doc NEWS README.0.99.8.1.update.urpmi +%docdir %{_docdir}/%{name} +%dir /etc/pam.d +%config(noreplace) /etc/environment +%config(noreplace) /etc/pam.d/other +%attr(0644,root,shadow) %config(noreplace) /etc/pam.d/system-auth +%config(noreplace) /etc/pam.d/config-util +/sbin/mkhomedir_helper +/sbin/pam_console_apply +/sbin/pam_tally2 +/sbin/unix_chkpwd +/sbin/unix_update +%attr(4755,root,root) /sbin/pam_timestamp_check +%config(noreplace) %{_sysconfdir}/security/access.conf +%config(noreplace) %{_sysconfdir}/security/chroot.conf +%config(noreplace) %{_sysconfdir}/security/console.perms +%config(noreplace) %{_sysconfdir}/security/console.handlers +%config(noreplace) %{_sysconfdir}/security/group.conf +%config(noreplace) %{_sysconfdir}/security/limits.conf +%config(noreplace) %{_sysconfdir}/security/namespace.conf +%attr(755,root,root) %config(noreplace) %{_sysconfdir}/security/namespace.init +%config(noreplace) %{_sysconfdir}/security/pam_env.conf +%config(noreplace) %{_sysconfdir}/security/time.conf +%config(noreplace) %{_sysconfdir}/security/opasswd +%dir %{_sysconfdir}/security/console.apps +%dir %{_sysconfdir}/security/console.perms.d +%dir /var/run/console +%ghost %verify(not md5 size mtime) /var/log/tallylog +%{_mandir}/man5/* +%{_mandir}/man8/* + +%files -n %{libname} +/%{_lib}/libpam.so.* +/%{_lib}/libpamc.so.* +/%{_lib}/libpam_misc.so.* +/%{_lib}/security/*.so +/%{_lib}/security/pam_filter +%dir /%{_lib}/security + +%files -n %{develname} +%doc Copyright +/%{_lib}/libpam.so +/%{_lib}/libpam_misc.so +/%{_lib}/libpamc.so 
+%{_includedir}/security/*.h +%{_mandir}/man3/* + +%files doc +%doc doc/txts doc/specs/rfc86.0.txt Copyright + + + + + +%changelog +* Tue Jul 19 2011 Per Øyvind Karlsen 1.1.3-4 ++ Revision: 690600 +- remove obsolete/deprecated rpm stuff +- check if /etc/login.defs exists before trying to open it in scriptlet + +* Wed May 04 2011 Oden Eriksson 1.1.3-3 ++ Revision: 666974 +- mass rebuild + + + Per Øyvind Karlsen + - work around ordering issue by moving %%post script to %%posttrans + +* Wed Nov 03 2010 Oden Eriksson 1.1.3-1mdv2011.0 ++ Revision: 592873 +- 1.1.3 +- sync patches with pam-1.1.3-1.fc15.src.rpm +- rediffed P512 + +* Mon Mar 15 2010 Oden Eriksson 1.1.1-2mdv2010.1 ++ Revision: 519980 +- rebuilt against audit-2 libs + +* Wed Dec 30 2009 Frederik Himpe 1.1.1-1mdv2010.1 ++ Revision: 484161 +- Update to new version 1.1.1 +- Remove authok patch: integrated upstream +- Rediff xauth groups patch +- Don't run libtoolize: it breaks build +- drop tests for not pulling in libpthread like in Fedora (as NPTL + should be safe and pam_userdb now links to libpthread on x86_64) + +* Tue Oct 06 2009 Frederic Crozat 1.1.0-6mdv2010.0 ++ Revision: 454902 +- Patch701: do not complain if there is no files in /etc/security/console.perms.d/ + +* Sun Sep 27 2009 Olivier Blin 1.1.0-5mdv2010.0 ++ Revision: 450211 +- fix crash on some archs, pam is building with static all functions + with is plain wrong, this tends to make pam_comsole_apply + unhappy/crashing (from Arnaud Patard) + +* Tue Sep 08 2009 Frederic Crozat 1.1.0-4mdv2010.0 ++ Revision: 433622 +- Patch4 (Fedora): do not chmod tty on login/login with pam_console anymore +- Patch5 (Fedora): drop pam_tally, use pam_tally2 instead + +* Thu Aug 27 2009 Frederic Crozat 1.1.0-3mdv2010.0 ++ Revision: 421690 +- Patch3 (Fedora): fix for pam_cracklib from upstream + +* Mon Jul 27 2009 Frederic Crozat 1.1.0-2mdv2010.0 ++ Revision: 400600 +- remove default rules for console.perms, device ownership should not change anymore + +* Mon Jul 27 
2009 Frederic Crozat 1.1.0-1mdv2010.0 ++ Revision: 400582 +- Release 1.1.0 +- no longer change devices ownership based on console privilege, handled by consolekit now (remove source500, patches 500, 501) + +* Sun May 10 2009 Frederik Himpe 1.0.92-1mdv2010.0 ++ Revision: 374099 +- Remove verbose limits patch: a similar change was implemented upstream +- Update to new version Linux-PAM 1.0.92 and pam-redhat 0.99.10-1 +- Resync patches with Fedora +- Rediff xauth-groups patch +- Remove man page typo fix, noselinux and bid 34010 patches + (integrated upstream) +- Don't conflict with libselinux-devel and use --disable-selinux in + configure call +- Disable verbose call patch for now, upstream code has changed too + +* Thu Apr 16 2009 Frederik Himpe 0.99.8.1-20mdv2009.1 ++ Revision: 367795 +- Disable fork option for pam_tcb, to reflect the change made in set_tcb + +* Mon Mar 30 2009 Frederic Crozat 0.99.8.1-19mdv2009.1 ++ Revision: 362380 +- Add console for raw1394 (Mdv bug #47622) + +* Thu Mar 19 2009 Frederik Himpe 0.99.8.1-18mdv2009.1 ++ Revision: 358110 +- Add upstream patch fixing security issue (Bugtraq ID 34010) + +* Sun Mar 08 2009 Michael Scherer 0.99.8.1-17mdv2009.1 ++ Revision: 352736 +- fix build by updating libtool script +- update patch 32 +- rediff patch 31 + + + Antoine Ginies + - rebuild + +* Tue Aug 12 2008 Vincent Danen 0.99.8.1-16mdv2009.0 ++ Revision: 271144 +- call set_tcb in %%post and require tcb itself as a result + +* Tue Aug 12 2008 Olivier Blin 0.99.8.1-15mdv2009.0 ++ Revision: 271055 +- move pam_tcb conflict in the proper lib package (#42709) + +* Mon Aug 11 2008 Olivier Blin 0.99.8.1-14mdv2009.0 ++ Revision: 270658 +- conflict with old tcb package that contained pam_unix + +* Sat Aug 09 2008 Vincent Danen 0.99.8.1-13mdv2009.0 ++ Revision: 270079 +- require new pam_tcb release + require specific setup version for the shadow group + restore old pam_unix and its symlinks + ensure system-auth permissions and ownership + +* Thu Aug 07 2008 
Thierry Vignaud 0.99.8.1-12mdv2009.0 ++ Revision: 265321 +- rebuild early 2009.0 package (before pixel changes) + + + Oden Eriksson + - unset BROWSER + + + Pixel + - do not call ldconfig in %%post/%%postun, it is now handled by filetriggers + +* Thu May 22 2008 Vincent Danen 0.99.8.1-11mdv2009.0 ++ Revision: 210056 +- libpam conflicts with pam < 0.99.8.1-10mdv +- dropped the system-auth migration as per blino +- restored the 0.99.3.1 README +- renamed and trimmed the 0.99.8.1-11mdv README + +* Tue May 20 2008 Vincent Danen 0.99.8.1-10mdv2009.0 ++ Revision: 209289 +- gracefully handle non-standard system-auth configurations to replace pam_unix with pam_tcb (for instances like using ldap for auth, etc.) which, if not done correctly or immediately, could result in local accounts being locked out + +* Mon May 19 2008 Vincent Danen 0.99.8.1-9mdv2009.0 ++ Revision: 209172 +- add -D_GNU_SOURCE to $CFLAGS in order to compile pam_console and pam_timestamp +- requires pam_tcb +- buildrequires glibc-crypt_blowfish-devel +- don't build pam_unix; pam_tcb provides it +- unix_chkpwd and unix_update are no longer required without pam_unix +- clean up system-auth(5) +- update system-auth to use pam_tcb +- updated the Mandriva-specific README + +* Fri Jan 18 2008 Frederic Crozat 0.99.8.1-8mdv2008.1 ++ Revision: 154727 +- Update license info based on fedora specfile +- Update patches 25, 44 with latest version from fedora +- Remove patch26, merged into patch25 +- Patch42, 43 (Fedora): don't use pam_console to change device ownership, rely on HAL ACL now +- Patch46 (Fedora): fix in operator (Fedora #295151) +- Patch47 (Fedora): fix invalid free on xauth module +- Patch48 (Fedora): add support for substack include +- Patch49, 50 (Fedora): add tty_audio module +- Patch523: fix build when SELinux is disabled +- Source501, 502 : add missing documentation from tarball +- Resync system-auth file with Fedora + +* Fri Dec 21 2007 Oden Eriksson 0.99.8.1-7mdv2008.1 ++ Revision: 136256 +- link 
against the bdb 4.6.x assembly-mutex-only db (buchan) + + + Thierry Vignaud + - kill re-definition of %%buildroot on Pixel's request + + + Marcelo Ricardo Leitner + - As Blino pointed out, we can do Requires(post): coreutils as coreutils + currently just "Requires: pam", with no specific order. + This also fix a bug in the previous "fix" that would make the /dev/null + device be copied instead of creating a blank file. + - Do not use the install utility on %%post section because we can't require + coreutils as coreutils already requires us. So replace install calls by + cp -a and chmod ones, fixing without introducing a circular dependency. + +* Thu Sep 20 2007 Frederic Crozat 0.99.8.1-6mdv2008.0 ++ Revision: 91448 +- Update patch24 with latest fedora version +- Patch25 (Fedora): do not ask for blank password when SELinux confined (Fedora #254044) + +* Wed Sep 12 2007 Anssi Hannula 0.99.8.1-5mdv2008.0 ++ Revision: 84662 +- show 0.99.3.0 notes only when upgrading from an older version + +* Mon Sep 10 2007 Olivier Blin 0.99.8.1-4mdv2008.0 ++ Revision: 84153 +- make evdev mouse devices owned by console user (fix synclient, #32955) + +* Mon Sep 03 2007 Frederic Crozat 0.99.8.1-3mdv2008.0 ++ Revision: 78627 +- Update patches 40 & 5 with latest version from RH (Fix Mdv bug #32741) +- Patch44 (RH): fix homedir init with namespace module + +* Mon Aug 13 2007 Olivier Blin 0.99.8.1-2mdv2008.0 ++ Revision: 62485 +- add scanner devices in the usb group (#29489, #29562) +- make sure devices are accessible by their group if specified in console.perms (#29489) +- remove mode definitions from mdvperms patch (will be done by a one-liner in the spec) +- restore console settings for lp class (wrongly removed in 0.99.6.0 rediff, #29562) +- move lp class in 50-mandriva.perms +- add compatibility symlinks for pam_unix_{auth,acct,passwd,session}.so +- add /etc/security/opasswd file +- add more module checks in check section (from Fedora) +- move checks in check section +- properly 
include /var/log/faillog and tallylog as ghosts and create them in post script (from Fedora) +- add user and new instance parameters to namespace init (from Fedora) +- fix typo in man pages +- enable libaudit +- rediff mdv perms patch +- do not log an audit error when uid != 0 (from Fedora) +- update to pam-redhat-0.99.8-1 +- adapt to new devel library policy +- add signature +- rename sources to match RH spec file +- remove useless chmod + +* Tue Jul 24 2007 Olivier Blin 0.99.8.1-1mdv2008.0 ++ Revision: 55033 +- 0.99.8.1 +- update RH patches +- package /sbin/unix_update +- remove old packaging hacks +- use new doc directory policy + +* Sat Jul 21 2007 David Walluck 0.99.7.1-3mdv2008.0 ++ Revision: 54187 +- add config-util.pamd + + +* Wed Feb 07 2007 Olivier Blin 0.99.7.1-2mdv2007.0 ++ Revision: 117173 +- mark doc dir as docdir +- fix doc installation +- update pam_redhat to 0.99.7-1 +- allow more X displays as consoles (RH #227462) + +* Wed Jan 24 2007 Olivier Blin 0.99.7.1-1mdv2007.1 ++ Revision: 112870 +- 0.99.7.1 + +* Tue Jan 23 2007 Olivier Blin 0.99.7.0-1mdv2007.1 ++ Revision: 112280 +- 0.99.7.0 + +* Fri Oct 20 2006 Olivier Blin 0.99.6.3-1mdv2007.1 ++ Revision: 71373 +- link pam_userdb with db4 (#26242 and #26572) +- pam_loginuid is now in upstream sources +- remove console reset patch, now handled upstream +- 0.99.6.3 + +* Sat Sep 16 2006 Olivier Blin 0.99.6.0-3mdv2007.0 ++ Revision: 61618 +- 0.99.6.0-3mdv +- chown IR remote controls devices to console user (Anssi Hannula, #24785) +- add /dev/scd* /dev/sg* /dev/cdrw* /dev/dvdrw* in burner devices list (#25371 and #24541) + +* Wed Aug 30 2006 Olivier Blin 0.99.6.0-2mdv2007.0 ++ Revision: 58719 +- bump release +- make cdrom devices owned by cdrom group + + + Anssi Hannula + - add /dev/input/by-path/*-joystick to class (fixes #23775) + - make class devices accessible by audio group (fixes #24300) + - make and class devices accessible by video group (fixes #24786) + +* Fri Aug 11 2006 Olivier Blin 
0.99.6.0-1mdv2007.0 ++ Revision: 55258 +- use ndbm from db1 to build pam_userdb +- drop html, ps and pdf doc (pdf doc would require Apache's fop to be packaged) +- make doc/txts directory (not provided upstream anymore) +- namespace.init is now provided upstream +- drop more sgml hacks (sgml not used upstream anymore) +- remove pam-0.77-use_uid.patch (fixed upstream) +- remove pam_keyinit patches (merged upstream) +- remove pam-0.99.5.0-access-gai.patch (applied upstream) +- remove pam-0.99.4.0-succif-service.patch (merged upstream) +- remove sgml2latex patch, it doesn't apply anymore since xml is used instead of sgml in 0.99.6.0 +- 0.99.6.0 +- really use pam-redhat-0.99.6-1 +- remove patch merged in pam-redhat 0.99.6-1 +- revoke keyrings properly when pam_keyinit called more than once (RH) +- don't log pam_keyinit debug messages by default +- drop ainit from console.handlers (RH) +- add pam_keyinit to the default system-auth file (RH) +- fixed network match in pam_access (from Redhat) +- sync with pam-redhat 0.99.6-1 (and rediff mdvperms, RH merged a lot of our permissions) +- import pam-0.99.5.0-2mdv2007.0 + +* Tue Jul 04 2006 Olivier Blin 0.99.5.0-2mdv2007.0 +- Source500: add ttyACM* devices in the serial class (#23190) +- Patch83 (from Fedora): add service as value to be matched and list + matching to pam_succeed_if +- use upstream redhat-modules patch + +* Thu Jun 29 2006 Olivier Blin 0.99.5.0-1mdv2007.0 +- 0.99.5.0 +- Patch523: temporary patch to add namespace.init, which is missing from dist + (extracted from RH old namespace patch) +- package namespace files in /etc/security +- Patch84 (from RH): pam_console_apply shouldn't access /var when called with -r + +* Thu Jun 29 2006 Olivier Blin 0.99.4.0-1mdv2007.0 +- 0.99.4.0 +- from Fedora: + o pam-0.99.4.0-redhat-modules + o pam-redhat-0.99.5-1 + o add system-auth and config-util man pages +- drop Patch523 and all pwdb bits +- drop glib2-devel BuildRequires (pam_console_apply don't need it anymore) +- rediff 
Patch500 (mdv perms) +- drop Patch520 (merged upstream) +- don't check for userdb module, we don't built it + (it requires an internal libdb copy) +- package pam_tally2 + +* Thu Feb 02 2006 Olivier Blin 0.99.3.0-6mdk +- update instructions in the README.update.urpmi file (Source4) + +* Wed Feb 01 2006 Thierry Vignaud 0.99.3.0-5mdk +- patch 500: + o fix firewire perms (#20270) + o fix printer perms (#13013) + +* Mon Jan 30 2006 Olivier Blin 0.99.3.0-4mdk +- don't build prelude (#20896) +- Patch523: allow to disable pwdb +- disable pam_pwdb +- make unix_chkpwd setuid root again +- Source2: remove hardcoded /lib/security in source + (even if spec-helper fixes it later) +- don't add video group in %%pre, it's already in the setup package +- remove hardcoded workaround for a (more than) 2 years-old pam +- more BuildRequires fixes: drop autoconf2.1, use glib2-devel + (thanks to Stefan van der Eijk) +- rpmbuildupdatable +- Source4: README.update.urpmi + +* Sat Jan 28 2006 Olivier Blin 0.99.3.0-3mdk +- BuildRequires automake1.8 (Stefan van der Eijk) +- fix again Patch517 (use real patch name) +- fix typo in modules installation test + +* Sat Jan 28 2006 Olivier Blin 0.99.3.0-2mdk +- BuildConflicts with libselinux-devel (#20871) +- don't test if modules/pam_selinux is built, we don't want it +- Patch517: fix typo in limits.conf (Andrey Borzenkov, #20872) +- BuildRequires openssl-devel (#20874) +- Patch511: use pam_syslog instead of old _pam_log in pam_limits + (Andrey Borzenkov, #20876) +- BuildRequires prelude-devel + +* Sat Jan 28 2006 Olivier Blin 0.99.3.0-1mdk +- 0.99.3.0 +- sync with RH (all of their others patches are either merged upstream, + or useless in Mandriva, such as SE Linux): + o drop Patch39 (wasn't needed for 0.77) + o drop Patch[0,1,2,3,5,6,7,8,9,11,12,13,14,15,16,17,18,19,20], + Patch[22,23,24,25,26,27,30,31,32,33,35,36,37,40] and Source4 + (dropped during 0.78 upgrade) + o drop Patch29 (dropped during 0.79 upgrade) + o drop Patch4 (dropped during 0.80 
upgrade) + o rediff Patch21 + o don't use fakeroot anymore + o don't enable static-pam + o drop Patch10 (dropped during 0.99.2.1 upgrade) + o rediff Patch34 + o fix descriptions +- rediff Patch500, and split out Mandriva-specific perms in Source500 + (installed as 50-mandriva.perms) +- remove devfs-style paths in Patch500/Source500 +- drop Patch502 (dead X problem fixed otherwise upstream) +- drop Patch503 (we don't need pam_console_apply_devfsd) +- rediff Patch504 (drop merged parts), Patch508, Patch512 +- drop Patch506 (not required anymore to detect cracklib dicts on x86_64) +- drop Patch507 (tty name not found fixed otherwise upstream) +- drop Patch509 (fixed upstream) +- drop Patch513 (fixed otherwise upstream, should still work with lsb-test-pam) +- drop Patch514 (kill pam_console_setowner, pam_console_apply should be used) +- drop Patch515 (/etc/environment test fixed upstream) +- drop Patch516 (RT now supported upstream) +- rediff Patch517 (apply on limits.conf, use new rtprio keyword instead of + previous rt_priority) +- drop Patch518 (build with gcc 4 works fine now) +- add comments about ghost patches +- Patch520 and Patch521: fix parallel build +- Patch522: ensure that sgml2txt worked +- package new security/console.handlers and security/console.perms.d/ +- package pam_filter/upperLOWER +- package libpamc +- package security/chroot.conf +- package lang files +- don't package pwdb_chkpwd +- more description fixes + +* Thu Jan 26 2006 Olivier Blin 0.77-37mdk +- handle permissions for /dev/bus/usb + +* Tue Jan 24 2006 Olivier Blin 0.77-36mdk +- fix permissions for more DVB devices (merge Patch520 in Patch500) + +* Mon Jan 23 2006 Olivier Blin 0.77-35mdk +- update Patch514 to handle multiple arguments in pam_console_setowner, + (from Andrey Borzenkov, #20269, it's about reimplementing recent + pam_console_apply in our weird pam_console_setowner) +- use requires instead of prereq for pam-doc + +* Tue Jan 10 2006 Thierry Vignaud 0.77-34mdk +- patch 520: set 
perms for DVB devices (#14688) + +* Fri Jan 06 2006 Oden Eriksson 0.77-33mdk +- drop selinux (P60) +- removed two hunks from P40 (required the selinux patch applied) +- dropped P62 (required the selinux patch applied) +- rebuilt against a non selinux enabled pwdb lib (thanks stefan) + +* Wed Oct 05 2005 Gwenole Beauchesne 0.77-32mdk +- fix build on ppc64 + +* Tue Sep 20 2005 Frederic Lepied 0.77-31mdk +- fix uninitialized variable user (aka fix crash on C3) + +* Sun Jul 31 2005 Couriousous 0.77-30mdk +- Don't apply 64bit patch ( fix #16961 ) + +* Wed Jun 22 2005 Frederic Lepied 0.77-29mdk +- fixed dependencies + +* Mon May 16 2005 Thierry Vignaud 0.77-28mdk +- patch 516: add support for RT/nice rlimit settings (kernel-2.6.12+) +- patch 517: enable new RT privileges for audio group in limits.conf +- patch 518: fix build with gcc-4.0 + +* Thu Apr 07 2005 Frederic Crozat 0.77-27mdk +- Update Patch500 to add /dev/zip* and /dev/jaz* as zip/jaz group for + console privilege + +* Thu Sep 30 2004 Frederic Lepied 0.77-26mdk +- give access to /dev/nvram in ro for console users +- handle /dev/dri* and /dev/nvidia the same way in startx and *dm modes. 
+ +* Tue Sep 21 2004 Frederic Lepied 0.77-25mdk +- pam_env: don't abort if /etc/environment isn't present (Oded Arbel) +- fix BuildRequires (Oded Arbel) +- create an empty /etc/environment +- add USB joystick devices to console.perms (bug #11190) + +* Fri Sep 17 2004 Gwenole Beauchesne 0.77-24mdk +- really build pam_console_apply_devfs against glib-1.2 + +* Sat Sep 11 2004 Frederic Lepied 0.77-23mdk +- fixed debug code in pam_console_apply_devfsd +- added a way to debug pam_console_setowner by setting PAM_DEBUG env variable +- don't apply patch63 to have console.lock at the usual place + +* Fri Sep 10 2004 Frederic Lepied 0.77-22mdk +- implement pam_console_setowner for udev + +* Thu Sep 09 2004 Frederic Crozat 0.77-21mdk +- add sr* to cdrom group + +* Wed Sep 08 2004 Frederic Lepied 0.77-20mdk +- fixed lookup when a group or a user doesn't exist (bug #11256) +- fixed the group of audio devices when nobody is connected + +* Tue Aug 24 2004 Frederic Lepied 0.77-19mdk +- added /dev/rfcomm* /dev/ircomm* to serial group (Fred Crozat) + +* Tue Aug 24 2004 Frederic Lepied 0.77-18mdk +- put back group in console.perms + +* Tue Aug 24 2004 Frederic Lepied 0.77-17mdk +- manage dri files perm (bug #10876 ) +- manage perm of /dev/raw1394 (bug #9240) +- console.perms more group friendly (bug #3033) +- merged with rh 0.77-54 + +* Wed Jul 28 2004 Frederic Crozat 0.77-16mdk +- Update patch16 to give console permissions to rfcomm devices + +* Tue Jul 06 2004 Frederic Lepied 0.77-15mdk +- fixed typo in provides for devel package + +* Sat Jul 03 2004 Stew Benedict 0.77-14mdk +- patch for lsb2 lsb-test-pam compliance (patch513) + +* Mon Jun 14 2004 Per yvind Karlsen 0.77-13mdk +- fix buildrequires +- fix provides +- cosmetics + +* Tue Feb 24 2004 Frederic Lepied 0.77-12mdk +- console.perms: /proc/usb => /proc/bus/usb (Marcel Pol) [bug #8285] + +* Thu Feb 19 2004 Frederic Lepied 0.77-11mdk +- added a trigger to be able to upgrade + 
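Review bot: The module-presence loop in %check never executes its body, because `[ ${dir} != "modules/pam_selinux" && [ ${dir} != "modules/pam_sepermit" ]` is not valid test syntax: the first `[` has no closing `]`, so it exits with "missing ]", the `&&` chain short-circuits for every directory, and the "did not build a module" check is silently disabled. It should read `if [ -d ${dir} ] && [ ${dir} != "modules/pam_selinux" ] && [ ${dir} != "modules/pam_sepermit" ]; then`. The %posttrans guard is broken the same way: `grep -q` prints nothing, so `[ -f /etc/login.defs -a ! "$(grep -q USE_TCB /etc/login.defs)" ]` is true whenever login.defs exists and `set_tcb --auto --migrate` runs on every transaction regardless of USE_TCB; use `if [ -f /etc/login.defs ] && ! grep -q USE_TCB /etc/login.defs; then`. Separately, Source1 pulls in the upstream .sign file but nothing in %prep verifies the tarball against it, so the signature is carried without being checked; a `gpg --verify` step there, or a comment stating where verification happens, would close that gap.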
diff --git a/pam_fix_static_pam_console.patch b/pam_fix_static_pam_console.patch
new file mode 100644
index 0000000..cd29032
--- /dev/null
+++ b/pam_fix_static_pam_console.patch
@@ -0,0 +1,26 @@
+Index: Linux-PAM-0.99.7.1/modules/pam_console/configfile.h
+===================================================================
+--- Linux-PAM-0.99.7.1.orig/modules/pam_console/configfile.h
++++ Linux-PAM-0.99.7.1/modules/pam_console/configfile.h
+@@ -4,7 +4,7 @@
+ */
+ #ifndef _CONFIGFILE_H
+ #define _CONFIGFILE_H
+-#define STATIC static
++#define STATIC
+
+ #ifndef FALSE
+ #define FALSE 0
+Index: Linux-PAM-0.99.7.1/modules/pam_console/pam_console_apply.c
+===================================================================
+--- Linux-PAM-0.99.7.1.orig/modules/pam_console/pam_console_apply.c
++++ Linux-PAM-0.99.7.1/modules/pam_console/pam_console_apply.c
+@@ -17,7 +17,7 @@
+ #include
+ #include
+ #include
+-#define STATIC static
++#define STATIC
+ #include "configfile.h"
+ #include "chmod.h"
+ #include "pam_console.h"
diff --git a/pam_tty_audit.8 b/pam_tty_audit.8
new file mode 100644
index 0000000..fdf6cbc
--- /dev/null
+++ b/pam_tty_audit.8
@@ -0,0 +1,80 @@
+.\" Title: pam_tty_audit
+.\" Author:
+.\" Generator: DocBook XSL Stylesheets v1.73.2
+.\" Date: 01/18/2008
+.\" Manual: Linux-PAM Manual
+.\" Source: Linux-PAM Manual
+.\"
+.TH "PAM_TTY_AUDIT" "8" "01/18/2008" "Linux-PAM Manual" "Linux\-PAM Manual"
+.\" disable hyphenation
+.nh
+.\" disable justification (adjust text to left margin only)
+.ad l
+.SH "NAME"
+pam_tty_audit - Enable or disable TTY auditing for specified users
+.SH "SYNOPSIS"
+.HP 17
+\fBpam_tty_audit\.so\fR [disable=\fIpatterns\fR] [enable=\fIpatterns\fR]
+.SH "DESCRIPTION"
+.PP
+The pam_tty_audit PAM module is used to enable or disable TTY auditing\. By default, the kernel does not audit input on any TTY\.
+.SH "OPTIONS"
+.PP
+\fBdisable=\fR\fB\fIpatterns\fR\fR
+.RS 4
+For each user matching one of comma\-separated glob
+\fB\fIpatterns\fR\fR, disable TTY auditing\. This overrides any previous
+\fBenable\fR
+option matchin the same user name on the command line\.
+.RE
+.PP
+\fBenable=\fR\fB\fIpatterns\fR\fR
+.RS 4
+For each user matching one of comma\-separated glob
+\fB\fIpatterns\fR\fR, enable TTY auditing\. This overrides any previous
+\fBdisable\fR
+option matching the same user name on the command line\.
+.RE
+.PP
+\fBopen_only\fR
+.RS 4
+Set the TTY audit flag when opening the session, but do not restore it when closing the session\. Using this option is necessary for some services that don\'t
+\fBfork()\fR
+to run the authenticated session, such as
+\fBsudo\fR\.
+.RE
+.SH "MODULE SERVICES PROVIDED"
+.PP
+Only the
+\fBsession\fR
+service is supported\.
+.SH "RETURN VALUES"
+.PP
+PAM_SESSION_ERR
+.RS 4
+Error reading or modifying the TTY audit flag\. See the system log for more details\.
+.RE
+.PP
+PAM_SUCCESS
+.RS 4
+Success\.
+.RE
+.SH "NOTES"
+.PP
+When TTY auditing is enabled, it is inherited by all processes started by that user\. In particular, daemons restarted by an user will still have TTY auditing enabled, and audit TTY input even by other users unless auditing for these users is explicitly disabled\. Therefore, it is recommended to use
+\fBdisable=*\fR
+as the first option for most daemons using PAM\.
+.SH "EXAMPLES"
+.PP
+Audit all administrative actions\.
+.sp
+.RS 4
+.nf
+session required pam_tty_audit\.so disable=* enable=root
+
+.fi
+.RE
+.sp
+.SH "AUTHOR"
+.PP
+pam_tty_audit was written by Miloslav Trmač \.
diff --git a/system-auth.5 b/system-auth.5
new file mode 100644
index 0000000..1300ec8
--- /dev/null
+++ b/system-auth.5
@@ -0,0 +1,39 @@
+.TH SYSTEM-AUTH 5 "2006 Feb 3" "Red Hat" "Linux-PAM Manual"
+.SH NAME
+
+system-auth \- Common configuration file for PAMified services
+
+.SH SYNOPSIS
+.B /etc/pam.d/system-auth
+.sp 2
+.SH DESCRIPTION
+
+The purpose of this configuration file is to provide common
+configuration file for all applications and service daemons
+calling PAM library.
+
+.sp
+The \fBsystem-auth\fR configuration file is included from all individual service configuration
+files with the help of the \fBinclude\fR directive.
+
+.SH NOTES
+There should be no \fBsufficient\fR modules in the \fBsession\fR
+part of \fBsystem-auth\fR file because individual services may add session modules after
+\fBinclude\fR of the \fBsystem-auth\fR file. Execution of these modules would be skipped if there were sufficient
+modules in \fBsystem-auth\fR file.
+
+.sp
+Conversely there should not be any modules after
+\fBinclude\fR directive in the individual service files in
+\fBauth\fR, \fBaccount\fR and \fBpassword\fR
+sections otherwise they could be bypassed.
+
+.SH BUGS
+.sp 2
+None known.
+
+.SH "SEE ALSO"
+\fBpam\fR(8), \fBconfig-util\fR(5)
+
+The three \fBLinux-PAM\fR Guides, for \fBsystem administrators\fR,
+\fBmodule developers\fR, and \fBapplication developers\fR.
diff --git a/system-auth.pamd b/system-auth.pamd
new file mode 100644
index 0000000..80a9d7c
--- /dev/null
+++ b/system-auth.pamd
@@ -0,0 +1,16 @@
+#%PAM-1.0
+
+auth required pam_env.so
+auth sufficient pam_tcb.so shadow nullok prefix=$2a$ count=8
+auth required pam_deny.so
+
+account required pam_tcb.so shadow
+
+password required pam_cracklib.so try_first_pass retry=3
+password sufficient pam_tcb.so use_authtok shadow write_to=shadow nullok prefix=$2a$ count=8
+password required pam_deny.so
+
+session optional pam_keyinit.so revoke
+session required pam_limits.so
+session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
+session required pam_tcb.so
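Review bot: `nullok` on the `auth sufficient pam_tcb.so` line (and again on the `password sufficient` line) lets any account whose shadow entry holds an empty password authenticate without supplying one, and because system-auth is included by every service stack this applies system-wide; if empty-password accounts are not meant to be supported here, drop the option, `auth sufficient pam_tcb.so shadow prefix=$2a$ count=8`, or record in a comment above the line why it is kept. `count=8` appears to select the work factor for the `$2a$` hashes the password line writes, and a value inherited across releases is rarely revisited, so a comment giving the date and hardware it was chosen for would help the next maintainer decide when to raise it. The `pam_cracklib.so` line sets only `retry=3` and otherwise relies on the module's built-in defaults for password length and complexity, which is worth stating in a comment so administrators know no local policy is expressed in this file.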