From 9d3d10cf3e4990ce47e17b06cdc6b2637da0077a Mon Sep 17 00:00:00 2001
From: CentOS Sources
Date: Mar 30 2021 12:03:50 +0000
Subject: import pam-1.3.1-14.el8
---
diff --git a/SOURCES/pam-1.3.1-namespace-gdm-doc.patch b/SOURCES/pam-1.3.1-namespace-gdm-doc.patch
new file mode 100644
index 0000000..48c4961
--- /dev/null
+++ b/SOURCES/pam-1.3.1-namespace-gdm-doc.patch
@@ -0,0 +1,68 @@
+From 491e5500b6b3913f531574208274358a2df88659 Mon Sep 17 00:00:00 2001
+From: ikerexxe
+Date: Mon, 5 Oct 2020 10:41:29 +0200
+Subject: [PATCH] pam_namespace: polyinstantiation refer to gdm doc
+
+modules/pam_namespace/pam_namespace.8.xml: delete obsolete information
+about polyinstantiation and refer to gdm's documentation.
+
+Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=1861841
+---
+ modules/pam_namespace/pam_namespace.8.xml | 41 ++---------------------
+ 1 file changed, 2 insertions(+), 39 deletions(-)
+
+diff --git a/modules/pam_namespace/pam_namespace.8.xml b/modules/pam_namespace/pam_namespace.8.xml
+index f0f80d33..57c44c4b 100644
+--- a/modules/pam_namespace/pam_namespace.8.xml
++++ b/modules/pam_namespace/pam_namespace.8.xml
+@@ -343,45 +343,8 @@
+ 
+ 
+ 
+- To use polyinstantiation with graphical display manager gdm, insert the
+- following line, before exit 0, in /etc/gdm/PostSession/Default:
+- 
+- 
+- 
+- /usr/sbin/gdm-safe-restart
+- 
+- 
+- 
+- This allows gdm to restart after each session and appropriately adjust
+- namespaces of display manager and the X server. If polyinstantiation
+- of /tmp is desired along with the graphical environment, then additional
+- configuration changes are needed to address the interaction of X server
+- and font server namespaces with their use of /tmp to create
+- communication sockets. Please use the initialization script
+- /etc/security/namespace.init to ensure that
+- the X server and its clients can appropriately access the
+- communication socket X0. Please refer to the sample instructions
+- provided in the comment section of the instance initialization script
+- /etc/security/namespace.init. In addition,
+- perform the following changes to use graphical environment with
+- polyinstantiation of /tmp:
+- 
+- 
+- 
+- 
+- 1. Disable the use of font server by commenting out "FontPath"
+- line in /etc/X11/xorg.conf. 
If you do want to use the font server
+- then you will have to augment the instance initialization
+- script to appropriately provide /tmp/.font-unix from the
+- polyinstantiated /tmp.
+- 2. Ensure that the gdm service is setup to use pam_namespace,
+- as described above, by modifying /etc/pam.d/gdm.
+- 3. Ensure that the display manager is configured to restart X server
+- with each new session. This default setup can be verified by
+- making sure that /usr/share/gdm/defaults.conf contains
+- "AlwaysRestartServer=true", and it is not overridden by
+- /etc/gdm/custom.conf.
+-
++ To use polyinstantiation with graphical display manager gdm, please refer
++ to gdm's documentation.
+ 
+ 
+ 
+-- 
+2.26.2
+
diff --git a/SOURCES/pam-1.3.1-wheel-pam_ruser-fallback.patch b/SOURCES/pam-1.3.1-wheel-pam_ruser-fallback.patch
new file mode 100644
index 0000000..a92f884
--- /dev/null
+++ b/SOURCES/pam-1.3.1-wheel-pam_ruser-fallback.patch
@@ -0,0 +1,134 @@
+From 6bf9b454eb971083f0cce49faa2aa1cde329ff5d Mon Sep 17 00:00:00 2001
+From: ikerexxe
+Date: Wed, 26 Aug 2020 14:44:23 +0200
+Subject: [PATCH 1/3] pam_wheel: improve coding style
+
+modules/pam_wheel/pam_wheel.c: improve indentation and explicitly state
+condition statements
+---
+ modules/pam_wheel/pam_wheel.c | 36 ++++++++++++++++++-----------------
+ 1 file changed, 19 insertions(+), 17 deletions(-)
+
+diff --git a/modules/pam_wheel/pam_wheel.c b/modules/pam_wheel/pam_wheel.c
+index a025ebaf..94cb7d89 100644
+--- a/modules/pam_wheel/pam_wheel.c
++++ b/modules/pam_wheel/pam_wheel.c
+@@ -130,25 +130,27 @@ perform_check (pam_handle_t *pamh, int ctrl, const char *use_group)
+ }
+ 
+ if (ctrl & PAM_USE_UID_ARG) {
+- tpwd = pam_modutil_getpwuid (pamh, getuid());
+- if (!tpwd) {
+- if (ctrl & PAM_DEBUG_ARG) {
++ tpwd = pam_modutil_getpwuid (pamh, getuid());
++ if (tpwd == NULL) {
++ if (ctrl & PAM_DEBUG_ARG) {
+ pam_syslog(pamh, LOG_NOTICE, "who is running me ?!");
+- }
+- return PAM_SERVICE_ERR;
+- }
+- fromsu = tpwd->pw_name;
++ }
++ return PAM_SERVICE_ERR;
++ }
++ fromsu = tpwd->pw_name;
+ } else {
+- fromsu = pam_modutil_getlogin(pamh);
+- if (fromsu) {
+- tpwd = pam_modutil_getpwnam (pamh, fromsu);
+- }
+- if (!fromsu || !tpwd) {
+- if (ctrl & PAM_DEBUG_ARG) {
+- pam_syslog(pamh, LOG_NOTICE, "who is running me ?!");
+- }
+- return PAM_SERVICE_ERR;
+- }
++ fromsu = pam_modutil_getlogin(pamh);
++
++ if (fromsu != NULL) {
++ tpwd = pam_modutil_getpwnam (pamh, fromsu);
++ }
++
++ if (fromsu == NULL || tpwd == NULL) {
++ if (ctrl & PAM_DEBUG_ARG) {
++ pam_syslog(pamh, LOG_NOTICE, "who is running me ?!");
++ }
++ return PAM_SERVICE_ERR;
++ }
+ }
+ 
+ /*
+-- 
+2.26.2
+
+
+From 9091ea1d81e85f49a221b0325d27b22ce69e444a Mon Sep 17 00:00:00 2001
+From: ikerexxe
+Date: Thu, 27 Aug 2020 09:16:15 +0200
+Subject: [PATCH 2/3] pam_wheel: if getlogin fails fallback to PAM_RUSER
+
+modules/pam_wheel/pam_wheel.c: if getlogin fails to obtain the real user
+ID, then 
try with PAM_RUSER.
+
+Resolves:
+https://bugzilla.redhat.com/show_bug.cgi?id=1866866
+---
+ modules/pam_wheel/pam_wheel.c | 10 ++++++++++
+ 1 file changed, 10 insertions(+)
+
+diff --git a/modules/pam_wheel/pam_wheel.c b/modules/pam_wheel/pam_wheel.c
+index 94cb7d89..7fa3cfa9 100644
+--- a/modules/pam_wheel/pam_wheel.c
++++ b/modules/pam_wheel/pam_wheel.c
+@@ -141,6 +141,16 @@ perform_check (pam_handle_t *pamh, int ctrl, const char *use_group)
+ } else {
+ fromsu = pam_modutil_getlogin(pamh);
+ 
++ /* if getlogin fails try a fallback to PAM_RUSER */
++ if (fromsu == NULL) {
++ const char *rhostname;
++
++ retval = pam_get_item(pamh, PAM_RHOST, (const void **)&rhostname);
++ if (retval != PAM_SUCCESS || rhostname == NULL) {
++ retval = pam_get_item(pamh, PAM_RUSER, (const void **)&fromsu);
++ }
++ }
++
+ if (fromsu != NULL) {
+ tpwd = pam_modutil_getpwnam (pamh, fromsu);
+ }
+-- 
+2.26.2
+
+
+From a3a5cbf86083c43026b558e2023f597530626267 Mon Sep 17 00:00:00 2001
+From: ikerexxe
+Date: Wed, 9 Sep 2020 10:32:03 +0200
+Subject: [PATCH 3/3] pam_wheel: clarify use_uid option in man page
+
+modules/pam_wheel/pam_wheel.8.xml: indicate that use_uid option uses the
+real uid of the calling process.
+---
+ modules/pam_wheel/pam_wheel.8.xml | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/modules/pam_wheel/pam_wheel.8.xml b/modules/pam_wheel/pam_wheel.8.xml
+index b32f5e2b..ee8c7d26 100644
+--- a/modules/pam_wheel/pam_wheel.8.xml
++++ b/modules/pam_wheel/pam_wheel.8.xml
+@@ -122,9 +122,9 @@
+ 
+ 
+ 
+- The check for wheel membership will be done against
+- the current uid instead of the original one (useful when
+- jumping with su from one account to another for example).
++ The check will be done against the real uid of the calling process,
++ instead of trying to obtain the user from the login session
++ associated with the terminal in use.
+ 
+ 
+ 
+-- 
+2.26.2
+
diff --git a/SPECS/pam.spec b/SPECS/pam.spec
index af1f3e1..c6b8ed4 100644
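Review bot: The PAM_RUSER fallback in patch 2/3 (hunk `@@ -141,6 +141,16 @@` of pam_wheel.c, inside perform_check) replaces a session-derived identity with an item the calling application sets, and the one-line comment does not record that shift in what is trusted; unlike `use_uid`, which reads the process's real uid, PAM_RUSER is only as reliable as the service that stacked pam_wheel, so on the local path (PAM_RHOST unset) the membership decision now rests on that value. I would extend the comment to `/* if getlogin fails and PAM_RHOST is unset, fall back to PAM_RUSER; this trusts the value set by the calling application rather than process credentials -- use_uid remains the stricter option */`. The result of the second `pam_get_item` is stored in `retval` but never examined; the `fromsu == NULL` test below catches the failure, so either drop the assignment or check it there explicitly. `retval` appears to be declared earlier in perform_check, whose body lies outside the hunk.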
--- a/SPECS/pam.spec
+++ b/SPECS/pam.spec
@@ -3,7 +3,7 @@ Summary: An extensible library which provides authentication for applications
 Name: pam
 Version: 1.3.1
-Release: 11%{?dist}
+Release: 14%{?dist}
 # The library is BSD licensed with option to relicense as GPLv2+
 # - this option is redundant as the BSD license allows that anyway.
 # pam_timestamp, pam_loginuid, and pam_console modules are GPLv2+.
@@ -59,6 +59,12 @@ Patch45: pam-1.3.1-pam-usertype.patch
 Patch46: pam-1.3.1-audit-error.patch
 # Upstreamed
 Patch47: pam-1.3.1-pam-modutil-close-write.patch
+# https://github.com/linux-pam/linux-pam/commit/6bf9b454eb971083f0cce49faa2aa1cde329ff5d
+# https://github.com/linux-pam/linux-pam/commit/9091ea1d81e85f49a221b0325d27b22ce69e444a
+# https://github.com/linux-pam/linux-pam/commit/a3a5cbf86083c43026b558e2023f597530626267
+Patch48: pam-1.3.1-wheel-pam_ruser-fallback.patch
+# https://github.com/linux-pam/linux-pam/commit/491e5500b6b3913f531574208274358a2df88659
+Patch49: pam-1.3.1-namespace-gdm-doc.patch
 %define _pamlibdir %{_libdir}
 %define _moduledir %{_libdir}/security
@@ -154,6 +160,8 @@ cp %{SOURCE18} .
 %patch45 -p1 -b .pam-usertype
 %patch46 -p1 -b .audit-error
 %patch47 -p1 -b .pam-modutil-close-write
+%patch48 -p1 -b .wheel-pam_ruser-fallback
+%patch49 -p1 -b .namespace-gdm-doc
 autoreconf -i
 
 %build
@@ -399,6 +407,17 @@ done
 %doc doc/specs/rfc86.0.txt
 
 %changelog
+* Thu Nov 5 2020 Iker Pedrosa 1.3.1-14
+- Revert 1.3.1-12
+
+* Fri Oct 30 2020 Iker Pedrosa 1.3.1-13
+- pam_wheel: if getlogin fails fallback to PAM_RUSER: fixed malformed patch (#1866866)
+- pam_namespace: polyinstantiation refer to gdm doc (#1861841)
+
+* Thu Jul 16 2020 Peter Robinson - 1.3.1-12
+- Add the motd.d directories (empty) to silence warnings and to
+ provide proper ownership for them (#1847501)
+
 * Fri May 15 2020 Iker Pedrosa 1.3.1-11
 - pam_usertype: fixed malformed patch