From c2a452c7d466e31843e3519e146cfd7fecf954b6 Mon Sep 17 00:00:00 2001 From: CentOS Sources Date: Apr 10 2018 05:21:32 +0000 Subject: import pam-1.1.8-22.el7 --- diff --git a/SOURCES/pam-1.1.8-access-update.patch b/SOURCES/pam-1.1.8-access-update.patch new file mode 100644 index 0000000..4a4b0a4 --- /dev/null +++ b/SOURCES/pam-1.1.8-access-update.patch @@ -0,0 +1,392 @@ +diff -up Linux-PAM-1.1.8/modules/pam_access/access.conf.access-update Linux-PAM-1.1.8/modules/pam_access/access.conf +--- Linux-PAM-1.1.8/modules/pam_access/access.conf.access-update 2013-06-18 16:11:21.000000000 +0200 ++++ Linux-PAM-1.1.8/modules/pam_access/access.conf 2017-09-08 14:06:16.420102221 +0200 +@@ -18,7 +18,7 @@ + # pam_access with X applications that provide PAM_TTY values that are + # the display variable like "host:0".] + # +-# permission : users : origins ++# permission:users:origins + # + # The first field should be a "+" (access granted) or "-" (access denied) + # character. +@@ -79,44 +79,44 @@ + ############################################################################## + # + # User "root" should be allowed to get access via cron .. tty5 tty6. +-#+ : root : cron crond :0 tty1 tty2 tty3 tty4 tty5 tty6 ++#+:root:cron crond :0 tty1 tty2 tty3 tty4 tty5 tty6 + # + # User "root" should be allowed to get access from hosts with ip addresses. +-#+ : root : 192.168.200.1 192.168.200.4 192.168.200.9 +-#+ : root : 127.0.0.1 ++#+:root:192.168.200.1 192.168.200.4 192.168.200.9 ++#+:root:127.0.0.1 + # + # User "root" should get access from network 192.168.201. + # This term will be evaluated by string matching. + # comment: It might be better to use network/netmask instead. + # The same is 192.168.201.0/24 or 192.168.201.0/255.255.255.0 +-#+ : root : 192.168.201. ++#+:root:192.168.201. + # + # User "root" should be able to have access from domain. + # Uses string matching also. +-#+ : root : .foo.bar.org ++#+:root:.foo.bar.org + # + # User "root" should be denied to get access from all other sources. +-#- : root : ALL ++#-:root:ALL + # + # User "foo" and members of netgroup "nis_group" should be + # allowed to get access from all sources. + # This will only work if netgroup service is available. +-#+ : @nis_group foo : ALL ++#+:@nis_group foo:ALL + # + # User "john" should get access from ipv4 net/mask +-#+ : john : 127.0.0.0/24 ++#+:john:127.0.0.0/24 + # + # User "john" should get access from ipv4 as ipv6 net/mask +-#+ : john : ::ffff:127.0.0.0/127 ++#+:john:::ffff:127.0.0.0/127 + # + # User "john" should get access from ipv6 host address +-#+ : john : 2001:4ca0:0:101::1 ++#+:john:2001:4ca0:0:101::1 + # + # User "john" should get access from ipv6 host address (same as above) +-#+ : john : 2001:4ca0:0:101:0:0:0:1 ++#+:john:2001:4ca0:0:101:0:0:0:1 + # + # User "john" should get access from ipv6 net/mask +-#+ : john : 2001:4ca0:0:101::/64 ++#+:john:2001:4ca0:0:101::/64 + # + # All other users should be denied to get access from all sources. +-#- : ALL : ALL ++#-:ALL:ALL +diff -up Linux-PAM-1.1.8/modules/pam_access/access.conf.5.xml.access-update Linux-PAM-1.1.8/modules/pam_access/access.conf.5.xml +--- Linux-PAM-1.1.8/modules/pam_access/access.conf.5.xml.access-update 2013-06-18 16:11:21.000000000 +0200 ++++ Linux-PAM-1.1.8/modules/pam_access/access.conf.5.xml 2017-09-08 14:05:41.126320653 +0200 +@@ -21,8 +21,12 @@ + + The /etc/security/access.conf file specifies + (user/group, host), +- (user/group, network/netmask) or +- (user/group, tty) ++ (user/group, network/netmask), ++ (user/group, tty), ++ (user/group, ++ X-$DISPLAY-value), or ++ (user/group, ++ pam-service-name) + combinations for which a login will be either accepted or refused. + + +@@ -33,7 +37,14 @@ + combination, or, in case of non-networked logins, the first entry + that matches the + (user/group, tty) +- combination. The permissions field of that table entry determines ++ combination, or in the case of non-networked logins without a ++ tty, the first entry that matches the ++ (user/group, ++ X-$DISPLAY-value) or ++ (user/group, ++ pam-service-name/) ++ combination. The permissions field of that table entry ++ determines + whether the login will be accepted or refused. + + +@@ -65,14 +76,27 @@ + + The third field, the origins + field, should be a list of one or more tty names (for non-networked +- logins), host names, domain names (begin with "."), host addresses, ++ logins), X $DISPLAY values or PAM service ++ names (for non-networked logins without a tty), host names, ++ domain names (begin with "."), host addresses, + internet network numbers (end with "."), internet network addresses + with network mask (where network mask can be a decimal number or an + internet address also), ALL (which always matches) +- or LOCAL. LOCAL +- keyword matches if and only if the PAM_RHOST is +- not set and <origin> field is thus set from +- PAM_TTY or PAM_SERVICE". ++ or LOCAL. The LOCAL ++ keyword matches if and only if ++ pam_get_item3, ++ when called with an item_type of ++ PAM_RHOST, returns NULL or an ++ empty string (and therefore the ++ origins field is compared against the ++ return value of ++ pam_get_item3 ++ called with an item_type of ++ PAM_TTY or, absent that, ++ PAM_SERVICE). ++ ++ ++ + If supported by the system you can use + @netgroupname in host or user patterns. The + @@netgroupname syntax is supported in the user +@@ -115,7 +139,7 @@ + tty1, ..., tty5, + tty6. + +- + : root : crond :0 tty1 tty2 tty3 tty4 tty5 tty6 ++ +:root:crond :0 tty1 tty2 tty3 tty4 tty5 tty6 + + + User root should be allowed to get access from +@@ -123,8 +147,8 @@ + connection have to be a IPv4 one, a IPv6 connection from a host with + one of this IPv4 addresses does work, too. + +- + : root : 192.168.200.1 192.168.200.4 192.168.200.9 +- + : root : 127.0.0.1 ++ +:root:192.168.200.1 192.168.200.4 192.168.200.9 ++ +:root:127.0.0.1 + + + User root should get access from network +@@ -134,44 +158,44 @@ + 192.168.201.0/24 or + 192.168.201.0/255.255.255.0. + +- + : root : 192.168.201. ++ +:root:192.168.201. + + + User root should be able to have access from hosts + foo1.bar.org and foo2.bar.org + (uses string matching also). + +- + : root : foo1.bar.org foo2.bar.org ++ +:root:foo1.bar.org foo2.bar.org + + + User root should be able to have access from + domain foo.bar.org (uses string matching also). + +- + : root : .foo.bar.org ++ +:root:.foo.bar.org + + + User root should be denied to get access + from all other sources. + +- - : root : ALL ++ -:root:ALL + + + User foo and members of netgroup + admins should be allowed to get access + from all sources. This will only work if netgroup service is available. + +- + : @admins foo : ALL ++ +:@admins foo:ALL + + + User john and foo + should get access from IPv6 host address. + +- + : john foo : 2001:db8:0:101::1 ++ +:john foo:2001:db8:0:101::1 + + + User john should get access from IPv6 net/mask. + +- + : john : 2001:db8:0:101::/64 ++ +:john:2001:db8:0:101::/64 + + + Disallow console logins to all but the shutdown, sync and all +@@ -182,10 +206,22 @@ + + All other users should be denied to get access from all sources. + +- - : ALL : ALL ++ -:ALL:ALL + + + ++ ++ NOTES ++ ++ The default separators of list items in a field are space, ',', and tabulator ++ characters. Thus conveniently if spaces are put at the beginning and the end of ++ the fields they are ignored. However if the list separator is changed with the ++ listsep option, the spaces will become part of the actual ++ item and the line will be most probably ignored. For this reason, it is not ++ recommended to put spaces around the ':' characters. ++ ++ ++ + + SEE ALSO + +diff -up Linux-PAM-1.1.8/modules/pam_access/Makefile.am.access-update Linux-PAM-1.1.8/modules/pam_access/Makefile.am +--- Linux-PAM-1.1.8/modules/pam_access/Makefile.am.access-update 2013-06-18 16:11:21.000000000 +0200 ++++ Linux-PAM-1.1.8/modules/pam_access/Makefile.am 2017-09-08 14:10:47.223163175 +0200 +@@ -15,7 +15,8 @@ securelibdir = $(SECUREDIR) + secureconfdir = $(SCONFIGDIR) + + AM_CFLAGS = -I$(top_srcdir)/libpam/include -I$(top_srcdir)/libpamc/include \ +- -DPAM_ACCESS_CONFIG=\"$(SCONFIGDIR)/access.conf\" $(NIS_CFLAGS) ++ -DPAM_ACCESS_CONFIG=\"$(SCONFIGDIR)/access.conf\" \ ++ -DACCESS_CONF_GLOB=\"$(SCONFIGDIR)/access.d/*.conf\" $(NIS_CFLAGS) + AM_LDFLAGS = -no-undefined -avoid-version -module + if HAVE_VERSIONING + AM_LDFLAGS += -Wl,--version-script=$(srcdir)/../modules.map +diff -up Linux-PAM-1.1.8/modules/pam_access/pam_access.c.access-update Linux-PAM-1.1.8/modules/pam_access/pam_access.c +--- Linux-PAM-1.1.8/modules/pam_access/pam_access.c.access-update 2013-06-18 16:11:21.000000000 +0200 ++++ Linux-PAM-1.1.8/modules/pam_access/pam_access.c 2017-09-08 14:03:45.620762824 +0200 +@@ -44,6 +44,7 @@ + #include + #include + #include ++#include + #ifdef HAVE_RPCSVC_YPCLNT_H + #include + #endif +@@ -90,6 +91,7 @@ + #define ALL 2 + #define YES 1 + #define NO 0 ++#define NOMATCH -1 + + /* + * A structure to bundle up all login-related information to keep the +@@ -412,13 +414,17 @@ login_access (pam_handle_t *pamh, struct + return NO; + } + #ifdef HAVE_LIBAUDIT +- if (!item->noaudit && line[0] == '-' && (match == YES || (match == ALL && +- nonall_match == YES))) { ++ if (!item->noaudit && (match == YES || (match == ALL && ++ nonall_match == YES)) && line[0] == '-') { + pam_modutil_audit_write(pamh, AUDIT_ANOM_LOGIN_LOCATION, + "pam_access", 0); + } + #endif +- return (match == NO || (line[0] == '+')); ++ if (match == NO) ++ return NOMATCH; ++ if (line[0] == '+') ++ return YES; ++ return NO; + } + + +@@ -524,7 +530,9 @@ user_match (pam_handle_t *pamh, char *to + /* Try to split on a pattern (@*[^@]+)(@+.*) */ + for (at = tok; *at == '@'; ++at); + +- if ((at = strchr(at, '@')) != NULL) { ++ if (tok[0] == '(' && tok[strlen(tok) - 1] == ')') { ++ return (group_match (pamh, tok, string, item->debug)); ++ } else if ((at = strchr(at, '@')) != NULL) { + /* split user@host pattern */ + if (item->hostname == NULL) + return NO; +@@ -549,9 +557,7 @@ user_match (pam_handle_t *pamh, char *to + hostname = item->hostname; + } + return (netgroup_match (pamh, tok + 1, hostname, string, item->debug)); +- } else if (tok[0] == '(' && tok[strlen(tok) - 1] == ')') +- return (group_match (pamh, tok, string, item->debug)); +- else if ((rv=string_match (pamh, tok, string, item->debug)) != NO) /* ALL or exact match */ ++ } else if ((rv=string_match (pamh, tok, string, item->debug)) != NO) /* ALL or exact match */ + return rv; + else if (item->only_new_group_syntax == NO && + pam_modutil_user_in_group_nam_nam (pamh, +@@ -573,7 +579,7 @@ group_match (pam_handle_t *pamh, const c + + if (debug) + pam_syslog (pamh, LOG_DEBUG, +- "group_match: grp=%s, user=%s", grptok, usr); ++ "group_match: grp=%s, user=%s", tok, usr); + + if (strlen(tok) < 3) + return NO; +@@ -808,6 +814,7 @@ pam_sm_authenticate (pam_handle_t *pamh, + const char *user=NULL; + const void *void_from=NULL; + const char *from; ++ const char const *default_config = PAM_ACCESS_CONFIG; + struct passwd *user_pw; + char hostname[MAXHOSTNAMELEN + 1]; + int rv; +@@ -829,7 +836,7 @@ pam_sm_authenticate (pam_handle_t *pamh, + */ + memset(&loginfo, '\0', sizeof(loginfo)); + loginfo.user = user_pw; +- loginfo.config_file = PAM_ACCESS_CONFIG; ++ loginfo.config_file = default_config; + + /* parse the argument list */ + +@@ -900,6 +907,26 @@ pam_sm_authenticate (pam_handle_t *pamh, + + rv = login_access(pamh, &loginfo); + ++ if (rv == NOMATCH && loginfo.config_file == default_config) { ++ glob_t globbuf; ++ int i, glob_rv; ++ ++ /* We do not manipulate locale as setlocale() is not ++ * thread safe. We could use uselocale() in future. ++ */ ++ glob_rv = glob(ACCESS_CONF_GLOB, GLOB_ERR, NULL, &globbuf); ++ if (!glob_rv) { ++ /* Parse the *.conf files. */ ++ for (i = 0; globbuf.gl_pathv[i] != NULL; i++) { ++ loginfo.config_file = globbuf.gl_pathv[i]; ++ rv = login_access(pamh, &loginfo); ++ if (rv != NOMATCH) ++ break; ++ } ++ globfree(&globbuf); ++ } ++ } ++ + if (loginfo.gai_rv == 0 && loginfo.res) + freeaddrinfo(loginfo.res); + +diff -up Linux-PAM-1.1.8/modules/pam_access/pam_access.8.xml.access-update Linux-PAM-1.1.8/modules/pam_access/pam_access.8.xml +--- Linux-PAM-1.1.8/modules/pam_access/pam_access.8.xml.access-update 2013-06-18 16:11:21.000000000 +0200 ++++ Linux-PAM-1.1.8/modules/pam_access/pam_access.8.xml 2017-09-08 14:04:25.365642960 +0200 +@@ -50,16 +50,25 @@ + The pam_access PAM module is mainly for access management. + It provides logdaemon style login access control based on login + names, host or domain names, internet addresses or network numbers, +- or on terminal line names in case of non-networked logins. ++ or on terminal line names, X $DISPLAY values, ++ or PAM service names in case of non-networked logins. + + + By default rules for access management are taken from config file + /etc/security/access.conf if you don't specify + another file. ++ Then individual *.conf files from the ++ /etc/security/access.d/ directory are read. ++ The files are parsed one after another in the order of the system locale. ++ The effect of the individual files is the same as if all the files were ++ concatenated together in the order of parsing. This means that once ++ a pattern is matched in some file no further files are parsed. ++ If a config file is explicitly specified with the ++ option the files in the above directory are not parsed. + + + If Linux PAM is compiled with audit support the module will report +- when it denies access based on origin (host or tty). ++ when it denies access based on origin (host, tty, etc.). + + + diff --git a/SOURCES/pam-1.1.8-faillock-admin-group.patch b/SOURCES/pam-1.1.8-faillock-admin-group.patch new file mode 100644 index 0000000..76be07a --- /dev/null +++ b/SOURCES/pam-1.1.8-faillock-admin-group.patch @@ -0,0 +1,151 @@ +diff -up Linux-PAM-1.1.8/modules/pam_faillock/pam_faillock.c.admin-group Linux-PAM-1.1.8/modules/pam_faillock/pam_faillock.c +--- Linux-PAM-1.1.8/modules/pam_faillock/pam_faillock.c.admin-group 2016-04-22 15:25:57.673445386 +0200 ++++ Linux-PAM-1.1.8/modules/pam_faillock/pam_faillock.c 2017-09-08 14:39:47.411306464 +0200 +@@ -1,5 +1,5 @@ + /* +- * Copyright (c) 2010 Tomas Mraz ++ * Copyright (c) 2010, 2017 Tomas Mraz + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions +@@ -78,9 +78,11 @@ struct options { + unsigned int root_unlock_time; + const char *dir; + const char *user; ++ const char *admin_group; + int failures; + uint64_t latest_time; + uid_t uid; ++ int is_admin; + uint64_t now; + }; + +@@ -152,6 +154,9 @@ args_parse(pam_handle_t *pamh, int argc, + opts->root_unlock_time = temp; + } + } ++ else if (strncmp(argv[i], "admin_group=", 12) == 0) { ++ opts->admin_group = argv[i] + 12; ++ } + else if (strcmp(argv[i], "preauth") == 0) { + opts->action = FAILLOCK_ACTION_PREAUTH; + } +@@ -209,6 +214,17 @@ static int get_pam_user(pam_handle_t *pa + } + opts->user = user; + opts->uid = pwd->pw_uid; ++ ++ if (pwd->pw_uid == 0) { ++ opts->is_admin = 1; ++ return PAM_SUCCESS; ++ } ++ ++ if (opts->admin_group && *opts->admin_group) { ++ opts->is_admin = pam_modutil_user_in_group_uid_nam(pamh, ++ pwd->pw_uid, opts->admin_group); ++ } ++ + return PAM_SUCCESS; + } + +@@ -239,7 +255,7 @@ check_tally(pam_handle_t *pamh, struct o + return PAM_SYSTEM_ERR; + } + +- if (opts->uid == 0 && !(opts->flags & FAILLOCK_FLAG_DENY_ROOT)) { ++ if (opts->is_admin && !(opts->flags & FAILLOCK_FLAG_DENY_ROOT)) { + return PAM_SUCCESS; + } + +@@ -262,17 +278,14 @@ check_tally(pam_handle_t *pamh, struct o + + opts->failures = failures; + +- if (opts->uid == 0 && !(opts->flags & FAILLOCK_FLAG_DENY_ROOT)) { +- return PAM_SUCCESS; +- } +- + if (opts->deny && failures >= opts->deny) { +- if ((opts->uid && opts->unlock_time && latest_time + opts->unlock_time < opts->now) || +- (!opts->uid && opts->root_unlock_time && latest_time + opts->root_unlock_time < opts->now)) { ++ if ((!opts->is_admin && opts->unlock_time && latest_time + opts->unlock_time < opts->now) || ++ (opts->is_admin && opts->root_unlock_time && latest_time + opts->root_unlock_time < opts->now)) { + #ifdef HAVE_LIBAUDIT + if (opts->action != FAILLOCK_ACTION_PREAUTH) { /* do not audit in preauth */ + char buf[64]; + int audit_fd; ++ const void *rhost = NULL, *tty = NULL; + + audit_fd = audit_open(); + /* If there is an error & audit support is in the kernel report error */ +@@ -280,9 +293,11 @@ check_tally(pam_handle_t *pamh, struct o + errno == EAFNOSUPPORT)) + return PAM_SYSTEM_ERR; + ++ (void)pam_get_item(pamh, PAM_TTY, &tty); ++ (void)pam_get_item(pamh, PAM_RHOST, &rhost); + snprintf(buf, sizeof(buf), "pam_faillock uid=%u ", opts->uid); + audit_log_user_message(audit_fd, AUDIT_RESP_ACCT_UNLOCK_TIMED, buf, +- NULL, NULL, NULL, 1); ++ rhost, NULL, tty, 1); + } + #endif + opts->flags |= FAILLOCK_FLAG_UNLOCKED; +@@ -398,7 +413,7 @@ write_tally(pam_handle_t *pamh, struct o + audit_log_user_message(audit_fd, AUDIT_ANOM_LOGIN_FAILURES, buf, + NULL, NULL, NULL, 1); + +- if (opts->uid != 0 || (opts->flags & FAILLOCK_FLAG_DENY_ROOT)) { ++ if (!opts->is_admin || (opts->flags & FAILLOCK_FLAG_DENY_ROOT)) { + audit_log_user_message(audit_fd, AUDIT_RESP_ACCT_LOCK, buf, + NULL, NULL, NULL, 1); + } +@@ -422,11 +437,11 @@ faillock_message(pam_handle_t *pamh, str + int64_t left; + + if (!(opts->flags & FAILLOCK_FLAG_SILENT)) { +- if (opts->uid) { +- left = opts->latest_time + opts->unlock_time - opts->now; ++ if (opts->is_admin) { ++ left = opts->latest_time + opts->root_unlock_time - opts->now; + } + else { +- left = opts->latest_time + opts->root_unlock_time - opts->now; ++ left = opts->latest_time + opts->unlock_time - opts->now; + } + + if (left > 0) { +diff -up Linux-PAM-1.1.8/modules/pam_faillock/pam_faillock.8.xml.admin-group Linux-PAM-1.1.8/modules/pam_faillock/pam_faillock.8.xml +--- Linux-PAM-1.1.8/modules/pam_faillock/pam_faillock.8.xml.admin-group 2016-04-28 16:43:14.109794294 +0200 ++++ Linux-PAM-1.1.8/modules/pam_faillock/pam_faillock.8.xml 2017-09-08 14:37:33.535130222 +0200 +@@ -40,6 +40,9 @@ + root_unlock_time=n + + ++ admin_group=name ++ ++ + audit + + +@@ -242,6 +245,20 @@ + + + ++ ++ ++ ++ ++ ++ ++ If a group name is specified with this option, members ++ of the group will be handled by this module the same as ++ the root account (the options ++ and will apply to them. ++ By default the option is not set. ++ ++ ++ + + + diff --git a/SOURCES/pam-1.1.8-man-space.patch b/SOURCES/pam-1.1.8-man-space.patch new file mode 100644 index 0000000..774e834 --- /dev/null +++ b/SOURCES/pam-1.1.8-man-space.patch @@ -0,0 +1,13 @@ +diff -up Linux-PAM-1.1.8/doc/man/pam.8.xml.space Linux-PAM-1.1.8/doc/man/pam.8.xml +--- Linux-PAM-1.1.8/doc/man/pam.8.xml.space 2013-06-18 16:11:21.000000000 +0200 ++++ Linux-PAM-1.1.8/doc/man/pam.8.xml 2017-09-08 14:22:58.878416174 +0200 +@@ -48,8 +48,7 @@ + can be set by individual configuration files located in the + /etc/pam.d/ directory. The presence of this + directory will cause Linux-PAM to +- ignore +- /etc/pam.conf. ++ ignore /etc/pam.conf. + + + diff --git a/SOURCES/pam-1.1.8-mkhomedir-inroot.patch b/SOURCES/pam-1.1.8-mkhomedir-inroot.patch new file mode 100644 index 0000000..3936de4 --- /dev/null +++ b/SOURCES/pam-1.1.8-mkhomedir-inroot.patch @@ -0,0 +1,29 @@ +diff -up Linux-PAM-1.1.8/modules/pam_mkhomedir/mkhomedir_helper.c.mkhomedir-inroot Linux-PAM-1.1.8/modules/pam_mkhomedir/mkhomedir_helper.c +--- Linux-PAM-1.1.8/modules/pam_mkhomedir/mkhomedir_helper.c.mkhomedir-inroot 2013-06-18 16:11:21.000000000 +0200 ++++ Linux-PAM-1.1.8/modules/pam_mkhomedir/mkhomedir_helper.c 2017-11-03 10:20:59.823998481 +0100 +@@ -352,16 +352,18 @@ make_parent_dirs(char *dir, int make) + char *cp = strrchr(dir, '/'); + struct stat st; + +- if (!cp || cp == dir) ++ if (!cp) + return rc; + +- *cp = '\0'; +- if (stat(dir, &st) && errno == ENOENT) +- rc = make_parent_dirs(dir, 1); +- *cp = '/'; ++ if (cp != dir) { ++ *cp = '\0'; ++ if (stat(dir, &st) && errno == ENOENT) ++ rc = make_parent_dirs(dir, 1); ++ *cp = '/'; + +- if (rc != PAM_SUCCESS) +- return rc; ++ if (rc != PAM_SUCCESS) ++ return rc; ++ } + + if (make && mkdir(dir, 0755) && errno != EEXIST) { + pam_syslog(NULL, LOG_ERR, "unable to create directory %s: %m", dir); diff --git a/SOURCES/pam-1.1.8-translation-updates.patch b/SOURCES/pam-1.1.8-translation-updates.patch index 4c0c7f8..a0ba9aa 100644 --- a/SOURCES/pam-1.1.8-translation-updates.patch +++ b/SOURCES/pam-1.1.8-translation-updates.patch @@ -762,10 +762,10 @@ diff -urN a/Linux-PAM-1.1.8/po/bn_IN.po b/Linux-PAM-1.1.8/po/bn_IN.po - -#~ msgid "Would you like to enter a security context? [N] " -#~ msgstr "নিরাপত্তা সংক্রান্ত context উল্লেখ করতে ইচ্ছুক কি? [N] " -diff -urN a/Linux-PAM-1.1.8/po/pt_BR.po b/Linux-PAM-1.1.8/po/pt_BR.po ---- a/Linux-PAM-1.1.8/po/pt_BR.po 2013-11-28 17:24:14.193596625 +0530 -+++ b/Linux-PAM-1.1.8/po/pt_BR.po 2013-11-28 17:27:02.137118305 +0530 -@@ -1,315 +1,335 @@ +diff -up a/Linux-PAM-1.1.8/po/pt_BR.po.translations b/Linux-PAM-1.1.8/po/pt_BR.po +--- a/Linux-PAM-1.1.8/po/pt_BR.po.translations 2013-09-19 10:02:24.000000000 +0200 ++++ b/Linux-PAM-1.1.8/po/pt_BR.po 2017-09-08 14:14:24.857295156 +0200 +@@ -1,516 +1,546 @@ # SOME DESCRIPTIVE TITLE. # Copyright (C) YEAR Linux-PAM Project # This file is distributed under the same license as the PACKAGE package. @@ -1181,15 +1181,18 @@ diff -urN a/Linux-PAM-1.1.8/po/pt_BR.po b/Linux-PAM-1.1.8/po/pt_BR.po #, c-format msgid "There was %d failed login attempt since the last successful login." msgid_plural "" -@@ -318,199 +338,209 @@ - msgstr[1] "Houveram %d falhas de login desde o último login bem sucedido." + "There were %d failed login attempts since the last successful login." + msgstr[0] "Houve %d falhas de login desde o último login bem sucedido." +-msgstr[1] "Houveram %d falhas de login desde o último login bem sucedido." ++msgstr[1] "Houve %d falhas de login desde o último login bem sucedido." #. TRANSLATORS: only used if dngettext is not supported -#: modules/pam_lastlog/pam_lastlog.c:548 +#: .././modules/pam_lastlog/pam_lastlog.c:548 #, c-format msgid "There were %d failed login attempts since the last successful login." - msgstr "Houveram %d falhas de login desde o último login bem sucedido." +-msgstr "Houveram %d falhas de login desde o último login bem sucedido." ++msgstr "Houve %d falhas de login desde o último login bem sucedido." -#: modules/pam_limits/pam_limits.c:1079 +#: .././modules/pam_limits/pam_limits.c:1079 diff --git a/SOURCES/pam-1.1.8-tty-audit-uid-range.patch b/SOURCES/pam-1.1.8-tty-audit-uid-range.patch new file mode 100644 index 0000000..4d5f63f --- /dev/null +++ b/SOURCES/pam-1.1.8-tty-audit-uid-range.patch @@ -0,0 +1,167 @@ +diff -up Linux-PAM-1.1.8/modules/pam_tty_audit/pam_tty_audit.c.uid-range Linux-PAM-1.1.8/modules/pam_tty_audit/pam_tty_audit.c +--- Linux-PAM-1.1.8/modules/pam_tty_audit/pam_tty_audit.c.uid-range 2017-09-08 14:46:58.869496414 +0200 ++++ Linux-PAM-1.1.8/modules/pam_tty_audit/pam_tty_audit.c 2017-10-09 17:42:13.947599041 +0200 +@@ -198,6 +198,54 @@ cleanup_old_status (pam_handle_t *pamh, + free (data); + } + ++enum uid_range { UID_RANGE_NONE, UID_RANGE_MM, UID_RANGE_MIN, ++ UID_RANGE_ONE, UID_RANGE_ERR }; ++ ++static enum uid_range ++parse_uid_range(pam_handle_t *pamh, const char *s, ++ uid_t *min_uid, uid_t *max_uid) ++{ ++ const char *range = s; ++ const char *pmax; ++ char *endptr; ++ enum uid_range rv = UID_RANGE_MM; ++ ++ if ((pmax=strchr(range, ':')) == NULL) ++ return UID_RANGE_NONE; ++ ++pmax; ++ ++ if (range[0] == ':') ++ rv = UID_RANGE_ONE; ++ else { ++ errno = 0; ++ *min_uid = strtoul (range, &endptr, 10); ++ if (errno != 0 || (range == endptr) || *endptr != ':') { ++ pam_syslog(pamh, LOG_DEBUG, ++ "wrong min_uid value in '%s'", s); ++ return UID_RANGE_ERR; ++ } ++ } ++ ++ if (*pmax == '\0') { ++ if (rv == UID_RANGE_ONE) ++ return UID_RANGE_ERR; ++ ++ return UID_RANGE_MIN; ++ } ++ ++ errno = 0; ++ *max_uid = strtoul (pmax, &endptr, 10); ++ if (errno != 0 || (pmax == endptr) || *endptr != '\0') { ++ pam_syslog(pamh, LOG_DEBUG, ++ "wrong max_uid value in '%s'", s); ++ return UID_RANGE_ERR; ++ } ++ ++ if (rv == UID_RANGE_ONE) ++ *min_uid = *max_uid; ++ return rv; ++} ++ + int + pam_sm_open_session (pam_handle_t *pamh, int flags, int argc, const char **argv) + { +@@ -207,6 +255,7 @@ pam_sm_open_session (pam_handle_t *pamh, + struct audit_tty_status *old_status, new_status; + const char *user; + int i, fd, open_only; ++ struct passwd *pwd; + #ifdef HAVE_STRUCT_AUDIT_TTY_STATUS_LOG_PASSWD + int log_passwd; + #endif /* HAVE_STRUCT_AUDIT_TTY_STATUS_LOG_PASSWD */ +@@ -219,6 +268,14 @@ pam_sm_open_session (pam_handle_t *pamh, + return PAM_SESSION_ERR; + } + ++ pwd = pam_modutil_getpwnam(pamh, user); ++ if (pwd == NULL) ++ { ++ pam_syslog(pamh, LOG_WARNING, ++ "open_session unknown user '%s'", user); ++ return PAM_SESSION_ERR; ++ } ++ + command = CMD_NONE; + open_only = 0; + #ifdef HAVE_STRUCT_AUDIT_TTY_STATUS_LOG_PASSWD +@@ -236,13 +293,31 @@ pam_sm_open_session (pam_handle_t *pamh, + copy = strdup (strchr (argv[i], '=') + 1); + if (copy == NULL) + return PAM_SESSION_ERR; +- for (tok = strtok_r (copy, ",", &tok_data); tok != NULL; ++ for (tok = strtok_r (copy, ",", &tok_data); ++ tok != NULL && command != this_command; + tok = strtok_r (NULL, ",", &tok_data)) + { +- if (fnmatch (tok, user, 0) == 0) ++ uid_t min_uid = 0, max_uid = 0; ++ switch (parse_uid_range(pamh, tok, &min_uid, &max_uid)) + { +- command = this_command; +- break; ++ case UID_RANGE_NONE: ++ if (fnmatch (tok, user, 0) == 0) ++ command = this_command; ++ break; ++ case UID_RANGE_MM: ++ if (pwd->pw_uid >= min_uid && pwd->pw_uid <= max_uid) ++ command = this_command; ++ break; ++ case UID_RANGE_MIN: ++ if (pwd->pw_uid >= min_uid) ++ command = this_command; ++ break; ++ case UID_RANGE_ONE: ++ if (pwd->pw_uid == max_uid) ++ command = this_command; ++ break; ++ case UID_RANGE_ERR: ++ break; + } + } + free (copy); +diff -up Linux-PAM-1.1.8/modules/pam_tty_audit/pam_tty_audit.8.xml.uid-range Linux-PAM-1.1.8/modules/pam_tty_audit/pam_tty_audit.8.xml +--- Linux-PAM-1.1.8/modules/pam_tty_audit/pam_tty_audit.8.xml.uid-range 2013-08-28 10:53:40.000000000 +0200 ++++ Linux-PAM-1.1.8/modules/pam_tty_audit/pam_tty_audit.8.xml 2017-09-08 14:46:58.895497022 +0200 +@@ -44,10 +44,10 @@ + + + +- For each user matching one of comma-separated glob +- , disable +- TTY auditing. This overrides any previous +- option matching the same user name on the command line. ++ For each user matching , ++ disable TTY auditing. This overrides any previous ++ option matching the same user name on the command line. See NOTES ++ for further description of . + + + +@@ -57,10 +57,10 @@ + + + +- For each user matching one of comma-separated glob +- , enable +- TTY auditing. This overrides any previous +- option matching the same user name on the command line. ++ For each user matching , ++ enable TTY auditing. This overrides any previous ++ option matching the same user name on the command line. See NOTES ++ for further description of . + + + +@@ -139,6 +139,16 @@ + To view the data that was logged by the kernel to audit use + the command aureport --tty. + ++ ++ The are comma separated ++ lists of glob patterns or ranges of uids. A range is specified as ++ min_uid:max_uid where ++ one of these values can be empty. If min_uid is ++ empty only user with the uid max_uid will be ++ matched. If max_uid is empty users with the uid ++ greater than or equal to min_uid will be ++ matched. ++ + + + diff --git a/SPECS/pam.spec b/SPECS/pam.spec index 0cbf153..0faa1d3 100644 --- a/SPECS/pam.spec +++ b/SPECS/pam.spec @@ -3,7 +3,7 @@ Summary: An extensible library which provides authentication for applications Name: pam Version: 1.1.8 -Release: 18%{?dist} +Release: 22%{?dist} # The library is BSD licensed with option to relicense as GPLv2+ # - this option is redundant as the BSD license allows that anyway. # pam_timestamp, pam_loginuid, and pam_console modules are GPLv2+. @@ -64,6 +64,11 @@ Patch49: pam-1.1.8-relax-audit.patch Patch50: pam-1.1.8-lastlog-localtime.patch Patch51: pam-1.1.8-man-delay.patch Patch52: pam-1.1.8-succeed-if-large-uid.patch +Patch53: pam-1.1.8-access-update.patch +Patch54: pam-1.1.8-man-space.patch +Patch55: pam-1.1.8-tty-audit-uid-range.patch +Patch56: pam-1.1.8-faillock-admin-group.patch +Patch57: pam-1.1.8-mkhomedir-inroot.patch %define _pamlibdir %{_libdir} %define _moduledir %{_libdir}/security @@ -161,6 +166,11 @@ mv pam-redhat-%{pam_redhat_version}/* modules %patch50 -p1 -b .localtime %patch51 -p1 -b .delay %patch52 -p1 -b .large-uid +%patch53 -p1 -b .access-update +%patch54 -p1 -b .space +%patch55 -p1 -b .uid-range +%patch56 -p1 -b .admin-group +%patch57 -p1 -b .mkhomedir-inroot %build autoreconf -i @@ -409,6 +419,23 @@ fi %doc doc/adg/*.txt doc/adg/html %changelog +* Fri Nov 3 2017 Tomáš Mráz 1.1.8-22 +- pam_mkhomedir: do not fail creating parent dir if in / + +* Thu Nov 2 2017 Tomáš Mráz 1.1.8-21 +- pam(8) Manual page missing space fix (#1382302) + +* Mon Oct 9 2017 Tomáš Mráz 1.1.8-20 +- pam_tty_audit: add support for uid range matching + +* Fri Sep 8 2017 Tomáš Mráz 1.1.8-19 +- pam_access: (group) match syntax is prioritized over network@netgroup + match (#1358881), add support for additional /etc/security/access.d/*.conf + files, improve documentation (#1421735) +- pam_lastlog: fix pt_BR translation (#1185697) +- pam_faillock: support admin_group with users equivalent to root in + faillock handling (#1285550) + * Tue Jul 19 2016 Tomáš Mráz 1.1.8-18 - pam_succeed_if: fix handling of large uids, tty, and rhost