diff --git a/SOURCES/pam-1.1.1-console-errmsg.patch b/SOURCES/pam-1.1.1-console-errmsg.patch
new file mode 100644
index 0000000..f2fe846
--- /dev/null
+++ b/SOURCES/pam-1.1.1-console-errmsg.patch
@@ -0,0 +1,12 @@
+diff -up Linux-PAM-1.1.1/modules/pam_console/pam_console_apply.c.errmsg Linux-PAM-1.1.1/modules/pam_console/pam_console_apply.c
+--- Linux-PAM-1.1.1/modules/pam_console/pam_console_apply.c.errmsg 2008-12-16 13:37:52.000000000 +0100
++++ Linux-PAM-1.1.1/modules/pam_console/pam_console_apply.c 2014-06-19 13:23:28.948343737 +0200
+@@ -65,7 +65,7 @@ parse_files(void)
+ on system locale */
+ oldlocale = setlocale(LC_COLLATE, "C");
+ 
+- rc = glob(PERMS_GLOB, GLOB_NOCHECK, NULL, &globbuf);
++ rc = glob(PERMS_GLOB, 0, NULL, &globbuf);
+ setlocale(LC_COLLATE, oldlocale);
+ if (rc)
+ return;
diff --git a/SOURCES/pam-1.1.6-full-relro.patch b/SOURCES/pam-1.1.6-full-relro.patch
deleted file mode 100644
index 30cb79b..0000000
--- a/SOURCES/pam-1.1.6-full-relro.patch
+++ /dev/null
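Review bot: With GLOB_NOCHECK dropped, the unchanged `if (rc) return;` now treats the expected GLOB_NOMATCH for an empty console.perms.d exactly like GLOB_NOSPACE and GLOB_ABORTED, so a real failure to read the directory is silenced together with the empty case; only the empty case should be quiet, e.g. `if (rc == GLOB_NOMATCH) return;` followed by `if (rc) { /* log the glob() failure */ return; }`. glob(3) may leave partially filled results in globbuf on an error return, so a `globfree(&globbuf)` on that path is worth checking — how globbuf is released after the hunk is not visible here. parse_files() continues outside the hunk.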
@@ -1,31 +0,0 @@ -diff -up Linux-PAM-1.1.6/modules/pam_timestamp/Makefile.am.relro Linux-PAM-1.1.6/modules/pam_timestamp/Makefile.am ---- Linux-PAM-1.1.6/modules/pam_timestamp/Makefile.am.relro 2012-08-15 13:08:43.000000000 +0200 -+++ Linux-PAM-1.1.6/modules/pam_timestamp/Makefile.am 2012-09-03 15:22:13.735307976 +0200 -@@ -36,7 +36,7 @@ pam_timestamp_la_CFLAGS = $(AM_CFLAGS) - pam_timestamp_check_SOURCES = pam_timestamp_check.c - pam_timestamp_check_CFLAGS = $(AM_CFLAGS) @PIE_CFLAGS@ - pam_timestamp_check_LDADD = $(top_builddir)/libpam/libpam.la --pam_timestamp_check_LDFLAGS = @PIE_LDFLAGS@ -+pam_timestamp_check_LDFLAGS = -Wl,-z,now @PIE_LDFLAGS@ - - hmacfile_SOURCES = hmacfile.c hmacsha1.c sha1.c - hmacfile_LDADD = $(top_builddir)/libpam/libpam.la -diff -up Linux-PAM-1.1.6/modules/pam_unix/Makefile.am.relro Linux-PAM-1.1.6/modules/pam_unix/Makefile.am ---- Linux-PAM-1.1.6/modules/pam_unix/Makefile.am.relro 2012-08-15 13:08:43.000000000 +0200 -+++ Linux-PAM-1.1.6/modules/pam_unix/Makefile.am 2012-09-03 15:21:31.464424910 +0200 -@@ -55,13 +55,13 @@ bigcrypt_LDADD = @LIBCRYPT@ - unix_chkpwd_SOURCES = unix_chkpwd.c md5_good.c md5_broken.c bigcrypt.c \ - passverify.c - unix_chkpwd_CFLAGS = $(AM_CFLAGS) @PIE_CFLAGS@ -DHELPER_COMPILE=\"unix_chkpwd\" --unix_chkpwd_LDFLAGS = @PIE_LDFLAGS@ -+unix_chkpwd_LDFLAGS = -Wl,-z,now @PIE_LDFLAGS@ - unix_chkpwd_LDADD = @LIBCRYPT@ @LIBSELINUX@ @LIBAUDIT@ - - unix_update_SOURCES = unix_update.c md5_good.c md5_broken.c bigcrypt.c \ - passverify.c - unix_update_CFLAGS = $(AM_CFLAGS) @PIE_CFLAGS@ -DHELPER_COMPILE=\"unix_update\" --unix_update_LDFLAGS = @PIE_LDFLAGS@ -+unix_update_LDFLAGS = -Wl,-z,now @PIE_LDFLAGS@ - unix_update_LDADD = @LIBCRYPT@ @LIBSELINUX@ - - if ENABLE_REGENERATE_MAN diff --git a/SOURCES/pam-1.1.8-audit-grantor.patch b/SOURCES/pam-1.1.8-audit-grantor.patch new file mode 100644 index 0000000..451634b --- /dev/null +++ b/SOURCES/pam-1.1.8-audit-grantor.patch 
@@ -0,0 +1,435 @@ +From 0d29e379601819c7f7ed8de18b54de803a9f4049 Mon Sep 17 00:00:00 2001 +From: Tomas Mraz +Date: Fri, 5 Sep 2014 09:09:37 +0200 +Subject: [PATCH] Add grantor field to audit records of libpam. + +The grantor field gives audit trail of PAM modules which granted access +for successful return from libpam calls. In case of failed return +the grantor field is set to '?'. +libpam/pam_account.c (pam_acct_mgmt): Remove _pam_auditlog() call. +libpam/pam_auth.c (pam_authenticate, pam_setcred): Likewise. +libpam/pam_password.c (pam_chauthtok): Likewise. +libpam/pam_session.c (pam_open_session, pam_close_session): Likewise. +libpam/pam_audit.c (_pam_audit_writelog): Add grantors parameter, +add grantor= field to the message if grantors is set. +(_pam_list_grantors): New function creating the string with grantors list. +(_pam_auditlog): Add struct handler pointer parameter, call _pam_list_grantors() +to list the grantors from the handler list. +(_pam_audit_end): Add NULL handler parameter to _pam_auditlog() call. +(pam_modutil_audit_write): Add NULL grantors parameter to _pam_audit_writelog(). +libpam/pam_dispatch.c (_pam_dispatch_aux): Set h->grantor where appropriate. +(_pam_clear_grantors): New function to clear grantor field of handler. +(_pam_dispatch): Call _pam_clear_grantors() before executing the stack. +Call _pam_auditlog() when appropriate. +libpam/pam_handlers.c (extract_modulename): Do not allow empty module name +or just "?" to avoid confusing audit trail. +(_pam_add_handler): Test for NULL return from extract_modulename(). +Clear grantor field of handler. +libpam/pam_private.h: Add grantor field to struct handler, add handler pointer +parameter to _pam_auditlog(). 
+--- + libpam/pam_account.c | 4 --- + libpam/pam_audit.c | 84 +++++++++++++++++++++++++++++++++++++++++++-------- + libpam/pam_auth.c | 8 ----- + libpam/pam_dispatch.c | 41 ++++++++++++++++++++----- + libpam/pam_handlers.c | 14 +++++++-- + libpam/pam_password.c | 4 --- + libpam/pam_private.h | 3 +- + libpam/pam_session.c | 7 ----- + 8 files changed, 119 insertions(+), 46 deletions(-) + +diff --git a/libpam/pam_account.c b/libpam/pam_account.c +index 572acc4..3a4fb1f 100644 +--- a/libpam/pam_account.c ++++ b/libpam/pam_account.c +@@ -19,9 +19,5 @@ int pam_acct_mgmt(pam_handle_t *pamh, int flags) + + retval = _pam_dispatch(pamh, flags, PAM_ACCOUNT); + +-#ifdef HAVE_LIBAUDIT +- retval = _pam_auditlog(pamh, PAM_ACCOUNT, retval, flags); +-#endif +- + return retval; + } +diff --git a/libpam/pam_audit.c b/libpam/pam_audit.c +index 531746a..24fb799 100644 +--- a/libpam/pam_audit.c ++++ b/libpam/pam_audit.c +@@ -6,12 +6,12 @@ + Authors: + Steve Grubb */ + +-#include +-#include + #include "pam_private.h" + #include "pam_modutil_private.h" + + #ifdef HAVE_LIBAUDIT ++#include ++#include + #include + #include + #include +@@ -25,17 +25,24 @@ + + static int + _pam_audit_writelog(pam_handle_t *pamh, int audit_fd, int type, +- const char *message, int retval) ++ const char *message, const char *grantors, int retval) + { + static int old_errno = -1; +- int rc; +- char buf[32]; ++ int rc = -ENOMEM; ++ char *buf; ++ const char *grantors_field = " grantors="; + +- snprintf(buf, sizeof(buf), "PAM:%s", message); ++ if (grantors == NULL) { ++ grantors = ""; ++ grantors_field = ""; ++ } + +- rc = audit_log_acct_message (audit_fd, type, NULL, buf, +- (retval != PAM_USER_UNKNOWN && pamh->user) ? pamh->user : "?", +- -1, pamh->rhost, NULL, pamh->tty, retval == PAM_SUCCESS ); ++ if (asprintf(&buf, "PAM:%s%s%s", message, grantors_field, grantors) >= 0) { ++ rc = audit_log_acct_message(audit_fd, type, NULL, buf, ++ (retval != PAM_USER_UNKNOWN && pamh->user) ? 
pamh->user : "?", ++ -1, pamh->rhost, NULL, pamh->tty, retval == PAM_SUCCESS); ++ free(buf); ++ } + + /* libaudit sets errno to his own negative error code. This can be + an official errno number, but must not. It can also be a audit +@@ -78,12 +85,54 @@ _pam_audit_open(pam_handle_t *pamh) + return audit_fd; + } + ++static int ++_pam_list_grantors(struct handler *hlist, int retval, char **list) ++{ ++ *list = NULL; ++ ++ if (retval == PAM_SUCCESS) { ++ struct handler *h; ++ char *p = NULL; ++ size_t len = 0; ++ ++ for (h = hlist; h != NULL; h = h->next) { ++ if (h->grantor) { ++ len += strlen(h->mod_name) + 1; ++ } ++ } ++ ++ if (len == 0) { ++ return 0; ++ } ++ ++ *list = malloc(len); ++ if (*list == NULL) { ++ return -1; ++ } ++ ++ for (h = hlist; h != NULL; h = h->next) { ++ if (h->grantor) { ++ if (p == NULL) { ++ p = *list; ++ } else { ++ p = stpcpy(p, ","); ++ } ++ ++ p = stpcpy(p, h->mod_name); ++ } ++ } ++ } ++ ++ return 0; ++} ++ + int +-_pam_auditlog(pam_handle_t *pamh, int action, int retval, int flags) ++_pam_auditlog(pam_handle_t *pamh, int action, int retval, int flags, struct handler *h) + { + const char *message; + int type; + int audit_fd; ++ char *grantors; + + if ((audit_fd=_pam_audit_open(pamh)) == -1) { + return PAM_SYSTEM_ERR; +@@ -134,8 +183,17 @@ _pam_auditlog(pam_handle_t *pamh, int action, int retval, int flags) + retval = PAM_SYSTEM_ERR; + } + +- if (_pam_audit_writelog(pamh, audit_fd, type, message, retval) < 0) ++ if (_pam_list_grantors(h, retval, &grantors) < 0) { ++ /* allocation failure */ ++ pam_syslog(pamh, LOG_CRIT, "_pam_list_grantors() failed: %m"); + retval = PAM_SYSTEM_ERR; ++ } ++ ++ if (_pam_audit_writelog(pamh, audit_fd, type, message, ++ grantors ? grantors : "?", retval) < 0) ++ retval = PAM_SYSTEM_ERR; ++ ++ free(grantors); + + audit_close(audit_fd); + return retval; +@@ -149,7 +207,7 @@ _pam_audit_end(pam_handle_t *pamh, int status UNUSED) + * stacks having been run. 
Assume that this is sshd faking + * things for an unknown user. + */ +- _pam_auditlog(pamh, _PAM_ACTION_DONE, PAM_USER_UNKNOWN, 0); ++ _pam_auditlog(pamh, _PAM_ACTION_DONE, PAM_USER_UNKNOWN, 0, NULL); + } + + return 0; +@@ -168,7 +226,7 @@ pam_modutil_audit_write(pam_handle_t *pamh, int type, + return retval; + } + +- rc = _pam_audit_writelog(pamh, audit_fd, type, message, retval); ++ rc = _pam_audit_writelog(pamh, audit_fd, type, message, NULL, retval); + + audit_close(audit_fd); + +diff --git a/libpam/pam_auth.c b/libpam/pam_auth.c +index 5984fa5..1e7bc6e 100644 +--- a/libpam/pam_auth.c ++++ b/libpam/pam_auth.c +@@ -45,10 +45,6 @@ int pam_authenticate(pam_handle_t *pamh, int flags) + prelude_send_alert(pamh, retval); + #endif + +-#ifdef HAVE_LIBAUDIT +- retval = _pam_auditlog(pamh, PAM_AUTHENTICATE, retval, flags); +-#endif +- + return retval; + } + +@@ -71,10 +67,6 @@ int pam_setcred(pam_handle_t *pamh, int flags) + + retval = _pam_dispatch(pamh, flags, PAM_SETCRED); + +-#ifdef HAVE_LIBAUDIT +- retval = _pam_auditlog(pamh, PAM_SETCRED, retval, flags); +-#endif +- + D(("pam_setcred exit")); + + return retval; +diff --git a/libpam/pam_dispatch.c b/libpam/pam_dispatch.c +index eb52c82..cf632e8 100644 +--- a/libpam/pam_dispatch.c ++++ b/libpam/pam_dispatch.c +@@ -217,8 +217,14 @@ static int _pam_dispatch_aux(pam_handle_t *pamh, int flags, struct handler *h, + status = retval; + } + } +- if ( impression == _PAM_POSITIVE && action == _PAM_ACTION_DONE ) { +- goto decision_made; ++ if ( impression == _PAM_POSITIVE ) { ++ if ( retval == PAM_SUCCESS ) { ++ h->grantor = 1; ++ } ++ ++ if ( action == _PAM_ACTION_DONE ) { ++ goto decision_made; ++ } + } + break; + +@@ -262,6 +268,9 @@ static int _pam_dispatch_aux(pam_handle_t *pamh, int flags, struct handler *h, + || (impression == _PAM_POSITIVE + && status == PAM_SUCCESS) ) { + if ( retval != PAM_IGNORE || cached_retval == retval ) { ++ if ( impression == _PAM_UNDEF && retval == PAM_SUCCESS ) { ++ h->grantor = 1; ++ } + 
impression = _PAM_POSITIVE; + status = retval; + } +@@ -308,6 +317,13 @@ decision_made: /* by getting here we have made a decision */ + return status; + } + ++static void _pam_clear_grantors(struct handler *h) ++{ ++ for (; h != NULL; h = h->next) { ++ h->grantor = 0; ++ } ++} ++ + /* + * This function translates the module dispatch request into a pointer + * to the stack of modules that will actually be run. the +@@ -318,21 +334,21 @@ decision_made: /* by getting here we have made a decision */ + int _pam_dispatch(pam_handle_t *pamh, int flags, int choice) + { + struct handler *h = NULL; +- int retval, use_cached_chain; ++ int retval = PAM_SYSTEM_ERR, use_cached_chain; + _pam_boolean resumed; + + IF_NO_PAMH("_pam_dispatch", pamh, PAM_SYSTEM_ERR); + + if (__PAM_FROM_MODULE(pamh)) { + D(("called from a module!?")); +- return PAM_SYSTEM_ERR; ++ goto end; + } + + /* Load all modules, resolve all symbols */ + + if ((retval = _pam_init_handlers(pamh)) != PAM_SUCCESS) { + pam_syslog(pamh, LOG_ERR, "unable to dispatch function"); +- return retval; ++ goto end; + } + + use_cached_chain = _PAM_PLEASE_FREEZE; +@@ -360,7 +376,8 @@ int _pam_dispatch(pam_handle_t *pamh, int flags, int choice) + break; + default: + pam_syslog(pamh, LOG_ERR, "undefined fn choice; %d", choice); +- return PAM_ABORT; ++ retval = PAM_ABORT; ++ goto end; + } + + if (h == NULL) { /* there was no handlers.conf... 
entry; will use +@@ -393,11 +410,13 @@ int _pam_dispatch(pam_handle_t *pamh, int flags, int choice) + pam_syslog(pamh, LOG_ERR, + "application failed to re-exec stack [%d:%d]", + pamh->former.choice, choice); +- return PAM_ABORT; ++ retval = PAM_ABORT; ++ goto end; + } + resumed = PAM_TRUE; + } else { + resumed = PAM_FALSE; ++ _pam_clear_grantors(h); + } + + __PAM_TO_MODULE(pamh); +@@ -417,5 +436,13 @@ int _pam_dispatch(pam_handle_t *pamh, int flags, int choice) + pamh->former.choice = PAM_NOT_STACKED; + } + ++end: ++ ++#ifdef HAVE_LIBAUDIT ++ if (choice != PAM_CHAUTHTOK || flags & PAM_UPDATE_AUTHTOK || retval != PAM_SUCCESS) { ++ retval = _pam_auditlog(pamh, choice, retval, flags, h); ++ } ++#endif ++ + return retval; + } +diff --git a/libpam/pam_handlers.c b/libpam/pam_handlers.c +index 02714f7..df3a1d9 100644 +--- a/libpam/pam_handlers.c ++++ b/libpam/pam_handlers.c +@@ -611,6 +611,12 @@ extract_modulename(const char *mod_path) + if (dot) + *dot = '\0'; + ++ if (*retval == '\0' || strcmp(retval, "?") == 0) { ++ /* do not allow empty module name or "?" 
to avoid confusing audit trail */ ++ _pam_drop(retval); ++ return NULL; ++ } ++ + return retval; + } + +@@ -888,7 +894,9 @@ int _pam_add_handler(pam_handle_t *pamh + (*handler_p)->cached_retval_p = &((*handler_p)->cached_retval); + (*handler_p)->argc = argc; + (*handler_p)->argv = argv; /* not a copy */ +- (*handler_p)->mod_name = extract_modulename(mod_path); ++ if (((*handler_p)->mod_name = extract_modulename(mod_path)) == NULL) ++ return PAM_ABORT; ++ (*handler_p)->grantor = 0; + (*handler_p)->next = NULL; + + /* some of the modules have a second calling function */ +@@ -920,7 +928,9 @@ int _pam_add_handler(pam_handle_t *pamh + } else { + (*handler_p2)->argv = NULL; /* no arguments */ + } +- (*handler_p2)->mod_name = extract_modulename(mod_path); ++ if (((*handler_p2)->mod_name = extract_modulename(mod_path)) == NULL) ++ return PAM_ABORT; ++ (*handler_p2)->grantor = 0; + (*handler_p2)->next = NULL; + } + +diff --git a/libpam/pam_password.c b/libpam/pam_password.c +index 75db5e5..592e01f 100644 +--- a/libpam/pam_password.c ++++ b/libpam/pam_password.c +@@ -57,9 +57,5 @@ int pam_chauthtok(pam_handle_t *pamh, int flags) + D(("will resume when ready", retval)); + } + +-#ifdef HAVE_LIBAUDIT +- retval = _pam_auditlog(pamh, PAM_CHAUTHTOK, retval, flags); +-#endif +- + return retval; + } +diff --git a/libpam/pam_private.h b/libpam/pam_private.h +index 134dc72..d93283c 100644 +--- a/libpam/pam_private.h ++++ b/libpam/pam_private.h +@@ -55,6 +55,7 @@ struct handler { + struct handler *next; + char *mod_name; + int stack_level; ++ int grantor; + }; + + #define PAM_HT_MODULE 0 +@@ -316,7 +317,7 @@ if ((pamh) == NULL) { \ + do { (pamh)->caller_is = _PAM_CALLED_FROM_APP; } while (0) + + #ifdef HAVE_LIBAUDIT +-extern int _pam_auditlog(pam_handle_t *pamh, int action, int retval, int flags); ++extern int _pam_auditlog(pam_handle_t *pamh, int action, int retval, int flags, struct handler *h); + extern int _pam_audit_end(pam_handle_t *pamh, int pam_status); + #endif + +diff --git 
a/libpam/pam_session.c b/libpam/pam_session.c +index 512153f..cb393c1 100644 +--- a/libpam/pam_session.c ++++ b/libpam/pam_session.c +@@ -22,9 +22,6 @@ int pam_open_session(pam_handle_t *pamh, int flags) + } + retval = _pam_dispatch(pamh, flags, PAM_OPEN_SESSION); + +-#ifdef HAVE_LIBAUDIT +- retval = _pam_auditlog(pamh, PAM_OPEN_SESSION, retval, flags); +-#endif + return retval; + } + +@@ -43,10 +40,6 @@ int pam_close_session(pam_handle_t *pamh, int flags) + + retval = _pam_dispatch(pamh, flags, PAM_CLOSE_SESSION); + +-#ifdef HAVE_LIBAUDIT +- retval = _pam_auditlog(pamh, PAM_CLOSE_SESSION, retval, flags); +-#endif +- + return retval; + + } +-- +1.8.3.1 + diff --git a/SOURCES/pam-1.1.8-audit-user-mgmt.patch b/SOURCES/pam-1.1.8-audit-user-mgmt.patch new file mode 100644 index 0000000..8459997 --- /dev/null +++ b/SOURCES/pam-1.1.8-audit-user-mgmt.patch 
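Review bot: In `_pam_add_handler`, the new `return PAM_ABORT;` taken when extract_modulename() returns NULL runs before `(*handler_p)->next = NULL;` (and likewise in the `handler_p2` block), so if the handler struct has already been allocated and linked into the list above the hunk — as the preceding `(*handler_p)->` assignments suggest — a later walk over the handler list would read an uninitialised `next`; moving `(*handler_p)->grantor = 0;` and `(*handler_p)->next = NULL;` ahead of the extract_modulename() call leaves the node fully initialised when the error is reported. Separately, `mod_name` comes from the configured module path and is spliced unescaped into the audit record through `asprintf(&buf, "PAM:%s%s%s", message, grantors_field, grantors)` in `_pam_audit_writelog`, so a name containing whitespace or '=' would break the key=value layout of the `grantors=` field; extract_modulename() now rejects only "" and "?", so restricting the accepted characters or escaping the list is worth considering. Both functions begin and end outside their hunks.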
@@ -0,0 +1,47 @@
+diff -urp Linux-PAM-1.1.8.orig/modules/pam_faillock/main.c Linux-PAM-1.1.8/modules/pam_faillock/main.c
+--- Linux-PAM-1.1.8.orig/modules/pam_faillock/main.c 2014-10-16 10:12:57.117554380 -0400
++++ Linux-PAM-1.1.8/modules/pam_faillock/main.c 2014-10-16 10:38:00.199510093 -0400
+@@ -141,10 +141,8 @@ do_user(struct options *opts, const char
+ if ((audit_fd=audit_open()) >= 0) {
+ 
+ if (pwd != NULL) {
+- snprintf(buf, sizeof(buf), "faillock reset uid=%u",
+- pwd->pw_uid);
+- audit_log_user_message(audit_fd, AUDIT_USER_ACCT,
+- buf, NULL, NULL, NULL, rv == 0);
++ audit_log_acct_message(audit_fd, AUDIT_USER_MGMT, NULL,
++ "faillock-reset", NULL, pwd->pw_uid, NULL, NULL, NULL, rv == 0);
+ }
+ close(audit_fd);
+ }
+diff -urp Linux-PAM-1.1.8.orig/modules/pam_tally2/pam_tally2.c Linux-PAM-1.1.8/modules/pam_tally2/pam_tally2.c
+--- Linux-PAM-1.1.8.orig/modules/pam_tally2/pam_tally2.c 2013-06-18 10:11:21.000000000 -0400
++++ Linux-PAM-1.1.8/modules/pam_tally2/pam_tally2.c 2014-10-16 10:37:05.072511717 -0400
+@@ -997,9 +997,9 @@ main( int argc UNUSED, char **argv )
+ #ifdef HAVE_LIBAUDIT
+ char buf[64];
+ int audit_fd = audit_open();
+- snprintf(buf, sizeof(buf), "pam_tally2 uid=%u reset=%hu", uid, cline_reset);
+- audit_log_user_message(audit_fd, AUDIT_USER_ACCT,
+- buf, NULL, NULL, ttyname(STDIN_FILENO), 1);
++ snprintf(buf, sizeof(buf), "pam_tally2 reset=%hu", cline_reset);
++ audit_log_acct_message(audit_fd, AUDIT_USER_MGMT, NULL,
++ buf, NULL, uid, NULL, NULL, ttyname(STDIN_FILENO), 1);
+ if (audit_fd >=0)
+ close(audit_fd);
+ #endif
+@@ -1040,11 +1040,10 @@ main( int argc UNUSED, char **argv )
+ }
+ else if ( !cline_reset ) {
+ #ifdef HAVE_LIBAUDIT
+- char buf[64];
+ int audit_fd = audit_open();
+- snprintf(buf, sizeof(buf), "pam_tally2 uid=all reset=0");
+- audit_log_user_message(audit_fd, AUDIT_USER_ACCT,
+- buf, NULL, NULL, ttyname(STDIN_FILENO), 1);
++ audit_log_acct_message(audit_fd, AUDIT_USER_MGMT, NULL,
++ "pam_tally2-reset-all-accts reset=0", "*", -1,
++ NULL, NULL, ttyname(STDIN_FILENO), 1);
+ if (audit_fd >=0)
+ close(audit_fd);
+ #endif
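Review bot: In both pam_tally2 hunks the new audit_log_acct_message() call is issued with the result of `audit_open()` before that result is checked, while the `close(audit_fd)` two lines later is guarded by `if (audit_fd >=0)`; putting the call under the same guard, `if (audit_fd >= 0) { audit_log_acct_message(...); close(audit_fd); }`, keeps a failed audit_open() (no CAP_AUDIT_WRITE, no audit socket) from being handed to libaudit as -1 — the pam_faillock hunk already does it this way. The op strings `"pam_tally2 reset=%hu"` and `"pam_tally2-reset-all-accts reset=0"` contain a space, so in the emitted `op=` field the count presumably becomes a separate `reset=` token; if that is not intended, a single-token op such as `pam_tally2-reset` is easier for ausearch/aureport consumers to match. main() continues outside both hunks.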
@@ -0,0 +1,108 @@ +diff -up Linux-PAM-1.1.8/modules/pam_console/Makefile.am.relro Linux-PAM-1.1.8/modules/pam_console/Makefile.am +--- Linux-PAM-1.1.8/modules/pam_console/Makefile.am.relro 2014-08-13 16:02:49.000000000 +0200 ++++ Linux-PAM-1.1.8/modules/pam_console/Makefile.am 2014-09-10 17:14:33.245554314 +0200 +@@ -33,6 +33,8 @@ pam_console_la_LIBADD = -L$(top_builddir + + pam_console_apply_LDADD = -L$(top_builddir)/libpam -lpam + ++pam_console_apply_LDFLAGS = -Wl,-z,now @PIE_LDFLAGS@ ++ + securelib_LTLIBRARIES = pam_console.la + sbin_PROGRAMS = pam_console_apply + +@@ -47,7 +49,7 @@ pam_console_apply_SOURCES = pam_console_ + configfile.c configfile.h hashtable.c hashtable.h hashtable_private.h + + pam_console_la_CFLAGS = $(AM_CFLAGS) +-pam_console_apply_CFLAGS = $(AM_CFLAGS) ++pam_console_apply_CFLAGS = $(AM_CFLAGS) @PIE_CFLAGS@ + + configfile.tab.c: configfile.y + $(YACC) $(BISON_OPTS) -o $@ -p _pc_yy $< +diff -up Linux-PAM-1.1.8/modules/pam_faillock/Makefile.am.relro Linux-PAM-1.1.8/modules/pam_faillock/Makefile.am +--- Linux-PAM-1.1.8/modules/pam_faillock/Makefile.am.relro 2014-08-13 16:02:49.000000000 +0200 ++++ Linux-PAM-1.1.8/modules/pam_faillock/Makefile.am 2014-09-10 17:16:11.102808189 +0200 +@@ -19,7 +19,7 @@ secureconfdir = $(SCONFIGDIR) + + noinst_HEADERS = faillock.h + +-faillock_CFLAGS = -I$(top_srcdir)/libpam/include -I$(top_srcdir)/libpamc/include ++faillock_CFLAGS = -I$(top_srcdir)/libpam/include -I$(top_srcdir)/libpamc/include @PIE_CFLAGS@ + pam_faillock_la_CFLAGS = -I$(top_srcdir)/libpam/include -I$(top_srcdir)/libpamc/include + + pam_faillock_la_LDFLAGS = -no-undefined -avoid-version -module +@@ -28,6 +28,7 @@ if HAVE_VERSIONING + pam_faillock_la_LDFLAGS += -Wl,--version-script=$(srcdir)/../modules.map + endif + ++faillock_LDFLAGS = -Wl,-z,now @PIE_LDFLAGS@ + faillock_LDADD = -L$(top_builddir)/libpam -lpam $(LIBAUDIT) + + securelib_LTLIBRARIES = pam_faillock.la +diff -up Linux-PAM-1.1.8/modules/pam_filter/upperLOWER/Makefile.am.relro 
Linux-PAM-1.1.8/modules/pam_filter/upperLOWER/Makefile.am +--- Linux-PAM-1.1.8/modules/pam_filter/upperLOWER/Makefile.am.relro 2014-09-10 17:17:20.273401344 +0200 ++++ Linux-PAM-1.1.8/modules/pam_filter/upperLOWER/Makefile.am 2014-09-10 17:17:07.857115369 +0200 +@@ -9,7 +9,7 @@ securelibfilterdir = $(SECUREDIR)/pam_fi + + AM_CFLAGS = -I$(top_srcdir)/libpam/include -I$(top_srcdir)/libpamc/include \ + -I$(srcdir)/.. @PIE_CFLAGS@ +-AM_LDFLAGS = @PIE_LDFLAGS@ ++AM_LDFLAGS = -Wl,-z,now @PIE_LDFLAGS@ + LDADD = $(top_builddir)/libpam/libpam.la + + securelibfilter_PROGRAMS = upperLOWER +diff -up Linux-PAM-1.1.8/modules/pam_mkhomedir/Makefile.am.relro Linux-PAM-1.1.8/modules/pam_mkhomedir/Makefile.am +--- Linux-PAM-1.1.8/modules/pam_mkhomedir/Makefile.am.relro 2013-06-18 16:11:21.000000000 +0200 ++++ Linux-PAM-1.1.8/modules/pam_mkhomedir/Makefile.am 2014-09-10 17:18:42.922304935 +0200 +@@ -30,6 +30,8 @@ endif + + sbin_PROGRAMS = mkhomedir_helper + mkhomedir_helper_SOURCES = mkhomedir_helper.c ++mkhomedir_helper_CFLAGS = $(AM_CFLAGS) @PIE_CFLAGS@ ++mkhomedir_helper_LDFLAGS = -Wl,-z,now @PIE_LDFLAGS@ + mkhomedir_helper_LDADD = $(top_builddir)/libpam/libpam.la + + if ENABLE_REGENERATE_MAN +diff -up Linux-PAM-1.1.8/modules/pam_tally2/Makefile.am.relro Linux-PAM-1.1.8/modules/pam_tally2/Makefile.am +--- Linux-PAM-1.1.8/modules/pam_tally2/Makefile.am.relro 2013-06-18 16:11:21.000000000 +0200 ++++ Linux-PAM-1.1.8/modules/pam_tally2/Makefile.am 2014-09-10 17:22:04.339944040 +0200 +@@ -26,6 +26,8 @@ if HAVE_VERSIONING + pam_tally2_la_LDFLAGS += -Wl,--version-script=$(srcdir)/../modules.map + endif + ++pam_tally2_CFLAGS = $(AM_CFLAGS) @PIE_CFLAGS@ ++pam_tally2_LDFLAGS = -Wl,-z,now @PIE_LDFLAGS@ + pam_tally2_LDADD = $(top_builddir)/libpam/libpam.la $(LIBAUDIT) + + securelib_LTLIBRARIES = pam_tally2.la +diff -up Linux-PAM-1.1.8/modules/pam_timestamp/Makefile.am.relro Linux-PAM-1.1.8/modules/pam_timestamp/Makefile.am +--- Linux-PAM-1.1.8/modules/pam_timestamp/Makefile.am.relro 
2013-06-18 16:11:21.000000000 +0200 ++++ Linux-PAM-1.1.8/modules/pam_timestamp/Makefile.am 2014-08-13 16:02:49.906688139 +0200 +@@ -36,7 +36,7 @@ pam_timestamp_la_CFLAGS = $(AM_CFLAGS) + pam_timestamp_check_SOURCES = pam_timestamp_check.c + pam_timestamp_check_CFLAGS = $(AM_CFLAGS) @PIE_CFLAGS@ + pam_timestamp_check_LDADD = $(top_builddir)/libpam/libpam.la +-pam_timestamp_check_LDFLAGS = @PIE_LDFLAGS@ ++pam_timestamp_check_LDFLAGS = -Wl,-z,now @PIE_LDFLAGS@ + + hmacfile_SOURCES = hmacfile.c hmacsha1.c sha1.c + hmacfile_LDADD = $(top_builddir)/libpam/libpam.la +diff -up Linux-PAM-1.1.8/modules/pam_unix/Makefile.am.relro Linux-PAM-1.1.8/modules/pam_unix/Makefile.am +--- Linux-PAM-1.1.8/modules/pam_unix/Makefile.am.relro 2013-06-18 16:11:21.000000000 +0200 ++++ Linux-PAM-1.1.8/modules/pam_unix/Makefile.am 2014-08-13 16:02:49.906688139 +0200 +@@ -55,13 +55,13 @@ bigcrypt_LDADD = @LIBCRYPT@ + unix_chkpwd_SOURCES = unix_chkpwd.c md5_good.c md5_broken.c bigcrypt.c \ + passverify.c + unix_chkpwd_CFLAGS = $(AM_CFLAGS) @PIE_CFLAGS@ -DHELPER_COMPILE=\"unix_chkpwd\" +-unix_chkpwd_LDFLAGS = @PIE_LDFLAGS@ ++unix_chkpwd_LDFLAGS = -Wl,-z,now @PIE_LDFLAGS@ + unix_chkpwd_LDADD = @LIBCRYPT@ @LIBSELINUX@ @LIBAUDIT@ + + unix_update_SOURCES = unix_update.c md5_good.c md5_broken.c bigcrypt.c \ + passverify.c + unix_update_CFLAGS = $(AM_CFLAGS) @PIE_CFLAGS@ -DHELPER_COMPILE=\"unix_update\" +-unix_update_LDFLAGS = @PIE_LDFLAGS@ ++unix_update_LDFLAGS = -Wl,-z,now @PIE_LDFLAGS@ + unix_update_LDADD = @LIBCRYPT@ @LIBSELINUX@ + + if ENABLE_REGENERATE_MAN diff --git a/SOURCES/pam-1.1.8-lastlog-uninitialized.patch b/SOURCES/pam-1.1.8-lastlog-uninitialized.patch new file mode 100644 index 0000000..8c545d9 --- /dev/null +++ b/SOURCES/pam-1.1.8-lastlog-uninitialized.patch 
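Review bot: `-Wl,-z,now` on its own gives full RELRO only when `-z relro` is also in effect, which in these new `*_LDFLAGS` lines depends on @PIE_LDFLAGS@ or the toolchain default rather than on the Makefile; writing `-Wl,-z,relro,-z,now` makes the hardening explicit and portable across build environments. In the pam_timestamp and pam_unix hunks `hmacfile_LDADD` and `bigcrypt_LDADD` are visible without matching *_CFLAGS/*_LDFLAGS additions; if those are installed binaries rather than noinst test programs they fall outside the "apply PIE and full RELRO to all binaries built" goal stated in the changelog.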
@@ -0,0 +1,37 @@
+diff -up Linux-PAM-1.1.8/modules/pam_lastlog/pam_lastlog.c.uninitialized Linux-PAM-1.1.8/modules/pam_lastlog/pam_lastlog.c
+--- Linux-PAM-1.1.8/modules/pam_lastlog/pam_lastlog.c.uninitialized 2013-06-18 16:11:21.000000000 +0200
++++ Linux-PAM-1.1.8/modules/pam_lastlog/pam_lastlog.c 2014-08-25 16:44:24.365174752 +0200
+@@ -350,6 +350,8 @@ last_login_write(pam_handle_t *pamh, int
+ return PAM_SERVICE_ERR;
+ }
+ 
++ memset(&last_login, 0, sizeof(last_login));
++ 
+ /* set this login date */
+ D(("set the most recent login time"));
+ (void) time(&ll_time); /* set the time */
+@@ -364,14 +366,12 @@ last_login_write(pam_handle_t *pamh, int
+ }
+ 
+ /* copy to last_login */
+- last_login.ll_host[0] = '\0';
+ strncat(last_login.ll_host, remote_host, sizeof(last_login.ll_host)-1);
+ 
+ /* set the terminal line */
+ terminal_line = get_tty(pamh);
+ 
+ /* copy to last_login */
+- last_login.ll_line[0] = '\0';
+ strncat(last_login.ll_line, terminal_line, sizeof(last_login.ll_line)-1);
+ terminal_line = NULL;
+ 
+@@ -628,7 +628,8 @@ pam_sm_authenticate(pam_handle_t *pamh,
+ lltime = (time(NULL) - lltime) / (24*60*60);
+ 
+ if (lltime > inactive_days) {
+- pam_syslog(pamh, LOG_INFO, "user %s inactive for %d days - denied", user, lltime);
++ pam_syslog(pamh, LOG_INFO, "user %s inactive for %ld days - denied",
++ user, (long) lltime);
+ return PAM_AUTH_ERR;
+ }
+ 
diff --git a/SOURCES/pam-1.1.8-limits-check-process.patch b/SOURCES/pam-1.1.8-limits-check-process.patch
new file mode 100644
index 0000000..f37f799
--- /dev/null
+++ b/SOURCES/pam-1.1.8-limits-check-process.patch
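Review bot: The new `memset(&last_login, 0, sizeof(last_login));` deserves a comment, because it replaces the two `'\0'` assignments removed further down and its purpose is not visible where it sits: `/* zero the whole record: strncat() below appends to empty ll_host/ll_line and no uninitialised stack bytes end up in the lastlog file */`. The `%ld` with the `(long)` cast in pam_sm_authenticate is the right fix for a value derived from time(NULL). last_login_write() starts and ends outside the hunk.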
@@ -0,0 +1,41 @@
+diff -up Linux-PAM-1.1.8/modules/pam_limits/pam_limits.c.check-process Linux-PAM-1.1.8/modules/pam_limits/pam_limits.c
+--- Linux-PAM-1.1.8/modules/pam_limits/pam_limits.c.check-process 2013-06-18 16:11:21.000000000 +0200
++++ Linux-PAM-1.1.8/modules/pam_limits/pam_limits.c 2014-09-10 16:39:36.263256066 +0200
+@@ -27,6 +27,7 @@
+ #include
+ #include
+ #include
++#include
+ #include
+ #include
+ #include
+@@ -269,16 +270,27 @@ check_logins (pam_handle_t *pamh, const
+ continue;
+ }
+ if (!pl->flag_numsyslogins) {
++ char user[sizeof(ut->UT_USER) + 1];
++ user[0] = '\0';
++ strncat(user, ut->UT_USER, sizeof(ut->UT_USER));
++ 
+ if (((pl->login_limit_def == LIMITS_DEF_USER)
+ || (pl->login_limit_def == LIMITS_DEF_GROUP)
+ || (pl->login_limit_def == LIMITS_DEF_DEFAULT))
+- && strncmp(name, ut->UT_USER, sizeof(ut->UT_USER)) != 0) {
++ && strcmp(name, user) != 0) {
+ continue;
+ }
+ if ((pl->login_limit_def == LIMITS_DEF_ALLGROUP)
+- && !pam_modutil_user_in_group_nam_nam(pamh, ut->UT_USER, pl->login_group)) {
++ && !pam_modutil_user_in_group_nam_nam(pamh, user, pl->login_group)) {
+ continue;
+ }
++ if (kill(ut->ut_pid, 0) == -1 && errno == ESRCH) {
++ /* process does not exist anymore */
++ pam_syslog(pamh, LOG_WARNING,
++ "Stale utmp entry (pid %d) for '%s' ignored",
++ ut->ut_pid, user);
++ continue;
++ }
+ }
+ if (++count > limit) {
+ break;
diff --git a/SOURCES/pam-1.1.8-limits-docfix.patch b/SOURCES/pam-1.1.8-limits-docfix.patch
new file mode 100644
index 0000000..37703e3
--- /dev/null
+++ b/SOURCES/pam-1.1.8-limits-docfix.patch
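Review bot: `kill(ut->ut_pid, 0)` is a liveness probe only for a positive pid; a corrupted utmp entry with ut_pid 0 or negative turns it into a probe of the caller's own process group or of every process, which succeeds and keeps the stale entry counted against the limit, so the check should read `if (ut->ut_pid <= 0 || (kill(ut->ut_pid, 0) == -1 && errno == ESRCH)) {`. Treating only ESRCH as stale is right — EPERM for another user's process still means the login is live. The header name of the added `#include` was lost in rendering here, presumably <signal.h> for kill(); confirm it is present in the actual patch. check_logins() continues outside the hunk.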
@@ -0,0 +1,54 @@ +diff -up Linux-PAM-1.1.8/modules/pam_limits/limits.conf.docfix Linux-PAM-1.1.8/modules/pam_limits/limits.conf +--- Linux-PAM-1.1.8/modules/pam_limits/limits.conf.docfix 2014-07-14 14:58:05.000000000 +0200 ++++ Linux-PAM-1.1.8/modules/pam_limits/limits.conf 2014-09-10 16:42:51.254747161 +0200 +@@ -32,7 +32,7 @@ + # - data - max data size (KB) + # - fsize - maximum filesize (KB) + # - memlock - max locked-in-memory address space (KB) +-# - nofile - max number of open files ++# - nofile - max number of open file descriptors + # - rss - max resident set size (KB) + # - stack - max stack size (KB) + # - cpu - max CPU time (MIN) +diff -up Linux-PAM-1.1.8/modules/pam_limits/limits.conf.5.xml.docfix Linux-PAM-1.1.8/modules/pam_limits/limits.conf.5.xml +--- Linux-PAM-1.1.8/modules/pam_limits/limits.conf.5.xml.docfix 2013-06-18 16:11:21.000000000 +0200 ++++ Linux-PAM-1.1.8/modules/pam_limits/limits.conf.5.xml 2014-09-10 16:44:01.624367933 +0200 +@@ -178,7 +178,7 @@ + + + +- maximum number of open files ++ maximum number of open file descriptors + + + +@@ -214,14 +214,17 @@ + + + +- maximum number of logins for this user except +- for this with uid=0 ++ maximum number of logins for this user (this limit does ++ not apply to user with uid=0) + + + + + +- maximum number of all logins on system ++ maximum number of all logins on system; user is not ++ allowed to log-in if total number of all users' logins is ++ greater than specified number (this limit does not apply to ++ user with uid=0) + + + +@@ -292,7 +295,7 @@ + permanent; existing only for the duration of the session. + One exception is the maxlogin option, this one + is system wide. But there is a race, concurrent logins at the same +- time will not always be detect as such but only counted as one. ++ time will not always be detected as such but only counted as one. + + + In the limits configuration file, the 
diff --git a/SOURCES/pam-1.1.8-man-dbsuffix.patch b/SOURCES/pam-1.1.8-man-dbsuffix.patch new file mode 100644 index 0000000..be2e231 --- /dev/null +++ b/SOURCES/pam-1.1.8-man-dbsuffix.patch @@ -0,0 +1,22 @@ +diff -up Linux-PAM-1.1.8/modules/pam_userdb/pam_userdb.8.xml.dbsuffix Linux-PAM-1.1.8/modules/pam_userdb/pam_userdb.8.xml +--- Linux-PAM-1.1.8/modules/pam_userdb/pam_userdb.8.xml.dbsuffix 2013-06-18 16:11:21.000000000 +0200 ++++ Linux-PAM-1.1.8/modules/pam_userdb/pam_userdb.8.xml 2014-09-10 16:28:19.916678273 +0200 +@@ -89,7 +89,8 @@ + Use the /path/database database for + performing lookup. There is no default; the module will + return PAM_IGNORE if no +- database is provided. ++ database is provided. Note that the path to the database file ++ should be specified without the .db suffix. + + + +@@ -260,7 +261,7 @@ + + EXAMPLES + +-auth sufficient pam_userdb.so icase db=/etc/dbtest.db ++auth sufficient pam_userdb.so icase db=/etc/dbtest + + + diff --git a/SOURCES/pam-1.1.8-opasswd-tolerant.patch b/SOURCES/pam-1.1.8-opasswd-tolerant.patch new file mode 100644 index 0000000..fb9b198 --- /dev/null +++ b/SOURCES/pam-1.1.8-opasswd-tolerant.patch 
@@ -0,0 +1,50 @@
+diff --git a/modules/pam_pwhistory/opasswd.c b/modules/pam_pwhistory/opasswd.c
+index 836d713..c36628e 100644
+--- a/modules/pam_pwhistory/opasswd.c
++++ b/modules/pam_pwhistory/opasswd.c
+@@ -82,10 +82,15 @@ parse_entry (char *line, opwd *data)
+ {
+ const char delimiters[] = ":";
+ char *endptr;
++ char *count;
+ 
+ data->user = strsep (&line, delimiters);
+ data->uid = strsep (&line, delimiters);
+- data->count = strtol (strsep (&line, delimiters), &endptr, 10);
++ count = strsep (&line, delimiters);
++ if (data->user == NULL || data->uid == NULL || count == NULL)
++ return 1;
++ 
++ data->count = strtol (count, &endptr, 10);
+ if (endptr != NULL && *endptr != '\0')
+ return 1;
+ 
+diff --git a/modules/pam_unix/passverify.c b/modules/pam_unix/passverify.c
+index 4840bb2..7f7bc49 100644
+--- a/modules/pam_unix/passverify.c
++++ b/modules/pam_unix/passverify.c
+@@ -639,11 +639,23 @@ save_old_password(pam_handle_t *pamh, const char *forwho, const char *oldpass,
+ continue;
+ buf[strlen(buf) - 1] = '\0';
+ s_luser = strtok_r(buf, ":", &sptr);
++ if (s_luser == NULL) {
++ found = 0;
++ continue;
++ }
+ s_uid = strtok_r(NULL, ":", &sptr);
++ if (s_uid == NULL) {
++ found = 0;
++ continue;
++ }
+ s_npas = strtok_r(NULL, ":", &sptr);
++ if (s_npas == NULL) {
++ found = 0;
++ continue;
++ }
+ s_pas = strtok_r(NULL, ":", &sptr);
+ npas = strtol(s_npas, NULL, 10) + 1;
+- while (npas > howmany) {
++ while (npas > howmany && s_pas != NULL) {
+ s_pas = strpbrk(s_pas, ",");
+ if (s_pas != NULL)
+ s_pas++;
diff --git a/SPECS/pam.spec b/SPECS/pam.spec
index 4fd99ba..58f87b8 100644
--- a/SPECS/pam.spec
+++ b/SPECS/pam.spec
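Review bot: In save_old_password() the count field is still parsed with `strtol(s_npas, NULL, 10)`, so a corrupted entry whose count is not a number yields npas = 1 and is rewritten as if valid, whereas the parse_entry() hunk above now rejects the same input through its endptr check; parsing it the same way keeps the two readers of opasswd consistent, e.g. `npas = strtol(s_npas, &endp, 10) + 1;` followed by `if (*endp != '\0') { found = 0; continue; }` with a `char *endp;` local. Each new `found = 0; continue;` branch apparently drops the malformed line from the rewritten file without a trace (the write path after the hunk is not visible); a warning through pam_syslog() or the helper's logging equivalent would let an administrator notice a corrupted opasswd instead of silently losing that user's history. save_old_password() begins and ends outside the hunk.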
@@ -3,7 +3,7 @@ Summary: An extensible library which provides authentication for applications Name: pam Version: 1.1.8 -Release: 9%{?dist} +Release: 12%{?dist} # The library is BSD licensed with option to relicense as GPLv2+ # - this option is redundant as the BSD license allows that anyway. # pam_timestamp, pam_loginuid, and pam_console modules are GPLv2+. @@ -36,9 +36,10 @@ Patch9: pam-1.1.6-noflex.patch Patch10: pam-1.1.3-nouserenv.patch Patch12: pam-1.1.3-faillock-screensaver.patch Patch13: pam-1.1.6-limits-user.patch -Patch15: pam-1.1.6-full-relro.patch +Patch15: pam-1.1.8-full-relro.patch # FIPS related - non upstreamable Patch20: pam-1.1.5-unix-no-fallback.patch +Patch28: pam-1.1.1-console-errmsg.patch # Upstreamed partially Patch29: pam-1.1.8-pwhistory-helper.patch Patch31: pam-1.1.6-use-links.patch @@ -47,6 +48,13 @@ Patch33: pam-1.1.8-translation-updates.patch Patch34: pam-1.1.8-canonicalize-username.patch Patch35: pam-1.1.8-cve-2013-7041.patch Patch36: pam-1.1.8-cve-2014-2583.patch +Patch37: pam-1.1.8-lastlog-uninitialized.patch +Patch38: pam-1.1.8-opasswd-tolerant.patch +Patch39: pam-1.1.8-audit-grantor.patch +Patch40: pam-1.1.8-man-dbsuffix.patch +Patch41: pam-1.1.8-limits-check-process.patch +Patch42: pam-1.1.8-limits-docfix.patch +Patch43: pam-1.1.8-audit-user-mgmt.patch %define _pamlibdir %{_libdir} %define _moduledir %{_libdir}/security @@ -120,6 +128,7 @@ mv pam-redhat-%{pam_redhat_version}/* modules %patch13 -p1 -b .limits %patch15 -p1 -b .relro %patch20 -p1 -b .no-fallback +%patch28 -p1 -b .errmsg %patch29 -p1 -b .pwhhelper %patch31 -p1 -b .links %patch32 -p1 -b .tty-audit-init 
@@ -127,6 +136,13 @@ mv pam-redhat-%{pam_redhat_version}/* modules %patch34 -p1 -b .canonicalize %patch35 -p1 -b .case %patch36 -p1 -b .timestamp-ruser +%patch37 -p1 -b .uninitialized +%patch38 -p1 -b .opasswd-tolerant +%patch39 -p1 -b .grantor +%patch40 -p1 -b .dbsuffix +%patch41 -p1 -b .check-process +%patch42 -p1 -b .docfix +%patch43 -p1 -b .audit-user-mgmt %build autoreconf -i @@ -248,7 +264,7 @@ done %post /sbin/ldconfig if [ ! -e /var/log/tallylog ] ; then - install -m 600 /dev/null /var/log/tallylog + /usr/bin/install -m 600 /dev/null /var/log/tallylog fi %postun -p /sbin/ldconfig @@ -375,6 +391,22 @@ fi %doc doc/adg/*.txt doc/adg/html %changelog +* Fri Oct 17 2014 Tomáš Mráz 1.1.8-12 +- use USER_MGMT type for auditing in the pam_tally2 and faillock + apps (#1151576) + +* Thu Sep 11 2014 Tomáš Mráz 1.1.8-11 +- be tolerant to corrupted opasswd file +- audit the module names that granted access +- pam_userdb: correct the example in man page (#1078784) +- pam_limits: check whether the utmp login entry is valid (#1080023) +- pam_console_apply: do not print error if console.perms.d is empty +- pam_limits: nofile refers to open file descriptors (#1111220) +- apply PIE and full RELRO to all binaries built + +* Mon Aug 25 2014 Tomáš Mráz 1.1.8-10 +- pam_lastlog: fix uninitialized access of parts of lastlog structure + * Mon Mar 31 2014 Tomáš Mráz 1.1.8-9 - fix CVE-2014-2583: potential path traversal issue in pam_timestamp - pam_pwhistory: call the helper if SELinux enabled