diff --git a/.gitignore b/.gitignore
new file mode 100644
index 0000000..0b8fb32
--- /dev/null
+++ b/.gitignore
@@ -0,0 +1,2 @@
+SOURCES/Linux-PAM-1.1.8.tar.bz2
+SOURCES/pam-redhat-0.99.11.tar.bz2
diff --git a/.pam.metadata b/.pam.metadata
new file mode 100644
index 0000000..201ea93
--- /dev/null
+++ b/.pam.metadata
@@ -0,0 +1,2 @@
+f8ce53c67363f78d520392fa1c253c4978058be1 SOURCES/Linux-PAM-1.1.8.tar.bz2
+42206fe8319723ef23ab646b2eab496c86de3f5b SOURCES/pam-redhat-0.99.11.tar.bz2
diff --git a/SOURCES/20-nproc.conf b/SOURCES/20-nproc.conf
new file mode 100644
index 0000000..d6e2578
--- /dev/null
+++ b/SOURCES/20-nproc.conf
@@ -0,0 +1,6 @@
+# Default limit for number of user's processes to prevent
+# accidental fork bombs.
+# See rhbz #432903 for reasoning.
+
+* soft nproc 4096
+root soft nproc unlimited
diff --git a/SOURCES/config-util.5 b/SOURCES/config-util.5
new file mode 100644
index 0000000..17d7f8a
--- /dev/null
+++ b/SOURCES/config-util.5
@@ -0,0 +1,36 @@
+.TH SYSTEM-AUTH 5 "2006 Feb 3" "Red Hat" "Linux-PAM Manual"
+.SH NAME
+
+config-util \- Common PAM configuration file for configuration utilities
+
+.SH SYNOPSIS
+.B /etc/pam.d/config-util
+.sp 2
+.SH DESCRIPTION
+
+The purpose of this configuration file is to provide common
+configuration file for all configuration utilities which must be run
+from the supervisor account and use the userhelper wrapper application.
+
+.sp
+The
+.BR config-util
+configuration file is included from all individual configuration
+files of such utilities with the help of the
+.BR include
+directive.
+There are not usually any other modules in the individual configuration
+files of these utilities.
+
+.sp
+It is possible for example to modify duration of the validity of the
+authentication timestamp there. See
+.BR pam_timestamp(8)
+for details.
+
+.SH BUGS
+.sp 2
+None known.
+
+.SH "SEE ALSO"
+pam(8), config-util(5), pam_timestamp(8)
diff --git a/SOURCES/config-util.pamd b/SOURCES/config-util.pamd
new file mode 100644
index 0000000..8e70d9a
--- /dev/null
+++ b/SOURCES/config-util.pamd
@@ -0,0 +1,8 @@
+#%PAM-1.0
+auth sufficient pam_rootok.so
+auth sufficient pam_timestamp.so
+auth include system-auth
+account required pam_permit.so
+session required pam_permit.so
+session optional pam_xauth.so
+session optional pam_timestamp.so
diff --git a/SOURCES/dlopen.sh b/SOURCES/dlopen.sh
new file mode 100755
index 0000000..053289a
--- /dev/null
+++ b/SOURCES/dlopen.sh
@@ -0,0 +1,75 @@
+#!/bin/sh
+
+tempdir=`mktemp -d /tmp/dlopenXXXXXX`
+test -n "$tempdir" || exit 1
+cat >> $tempdir/dlopen.c << _EOF
+#include
+#include
+#include
+#include
+/* Simple program to see if dlopen() would succeed. */
+int main(int argc, char **argv)
+{
+ int i;
+ struct stat st;
+ char buf[PATH_MAX];
+ for (i = 1; i < argc; i++) {
+ if (dlopen(argv[i], RTLD_NOW)) {
+ fprintf(stdout, "dlopen() of \"%s\" succeeded.\n",
+ argv[i]);
+ } else {
+ snprintf(buf, sizeof(buf), "./%s", argv[i]);
+ if ((stat(buf, &st) == 0) && dlopen(buf, RTLD_NOW)) {
+ fprintf(stdout, "dlopen() of \"./%s\" "
+ "succeeded.\n", argv[i]);
+ } else {
+ fprintf(stdout, "dlopen() of \"%s\" failed: "
+ "%s\n", argv[i], dlerror());
+ return 1;
+ }
+ }
+ }
+ return 0;
+}
+_EOF
+
+for arg in $@ ; do
+ case "$arg" in
+ "")
+ ;;
+ -I*|-D*|-f*|-m*|-g*|-O*|-W*)
+ cflags="$cflags $arg"
+ ;;
+ -l*|-L*)
+ ldflags="$ldflags $arg"
+ ;;
+ /*)
+ modules="$modules $arg"
+ ;;
+ *)
+ modules="$modules $arg"
+ ;;
+ esac
+done
+
+${CC:-gcc} $RPM_OPT_FLAGS $CFLAGS -o $tempdir/dlopen $cflags $tempdir/dlopen.c $ldflags -ldl
+
+retval=0
+for module in $modules ; do
+ case "$module" in
+ "")
+ ;;
+ /*)
+ $tempdir/dlopen "$module"
+ retval=$?
+ ;;
+ *)
+ $tempdir/dlopen ./"$module"
+ retval=$?
+ ;;
+ esac
+done
+
+rm -f $tempdir/dlopen $tempdir/dlopen.c
+rmdir $tempdir
+exit $retval
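Review bot: `retval=$?` in the second loop of dlopen.sh is overwritten by every module, so a failed dlopen() of an earlier module is masked whenever a later one succeeds and the script exits 0; keep the first non-zero status instead, e.g. `rc=$?; [ "$rc" -ne 0 ] && retval=$rc`. The unquoted `$@` in `for arg in $@` and the unquoted `$tempdir` expansions are subject to word splitting and globbing, so `"$@"` and `"$tempdir"` are safer even though the mktemp template here yields no spaces. If the `${CC:-gcc}` step fails, the temp files are still removed but each module run then reports a missing helper rather than the compile error, so checking the compiler's exit status before the loop would give a clearer failure. The `/*)` and `*)` branches of the first case do the same thing and can be merged.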
diff --git a/SOURCES/fingerprint-auth.pamd b/SOURCES/fingerprint-auth.pamd
new file mode 100644
index 0000000..604b95f
--- /dev/null
+++ b/SOURCES/fingerprint-auth.pamd
@@ -0,0 +1,19 @@
+#%PAM-1.0
+# This file is auto-generated.
+# User changes will be destroyed the next time authconfig is run.
+auth required pam_env.so
+auth sufficient pam_fprintd.so
+auth required pam_deny.so
+
+account required pam_unix.so
+account sufficient pam_localuser.so
+account sufficient pam_succeed_if.so uid < 500 quiet
+account required pam_permit.so
+
+password required pam_deny.so
+
+session optional pam_keyinit.so revoke
+session required pam_limits.so
+-session optional pam_systemd.so
+session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
+session required pam_unix.so
diff --git a/SOURCES/other.pamd b/SOURCES/other.pamd
new file mode 100644
index 0000000..c286c82
--- /dev/null
+++ b/SOURCES/other.pamd
@@ -0,0 +1,5 @@
+#%PAM-1.0
+auth required pam_deny.so
+account required pam_deny.so
+password required pam_deny.so
+session required pam_deny.so
diff --git a/SOURCES/pam-1.0.90-redhat-modules.patch b/SOURCES/pam-1.0.90-redhat-modules.patch
new file mode 100644
index 0000000..3ad41cc
--- /dev/null
+++ b/SOURCES/pam-1.0.90-redhat-modules.patch
@@ -0,0 +1,23 @@
+diff -up Linux-PAM-1.0.90/modules/Makefile.am.redhat-modules Linux-PAM-1.0.90/modules/Makefile.am
+--- Linux-PAM-1.0.90/modules/Makefile.am.redhat-modules 2008-11-29 08:27:35.000000000 +0100
++++ Linux-PAM-1.0.90/modules/Makefile.am 2008-12-16 13:40:16.000000000 +0100
+@@ -3,6 +3,7 @@
+ #
+ 
+ SUBDIRS = pam_access pam_cracklib pam_debug pam_deny pam_echo \
++ pam_chroot pam_console pam_postgresok \
+ pam_env pam_exec pam_faildelay pam_filter pam_ftp \
+ pam_group pam_issue pam_keyinit pam_lastlog pam_limits \
+ pam_listfile pam_localuser pam_loginuid pam_mail \
+diff -up Linux-PAM-1.0.90/configure.in.redhat-modules Linux-PAM-1.0.90/configure.in
+--- Linux-PAM-1.0.90/configure.in.redhat-modules 2008-12-02 16:25:01.000000000 +0100
++++ Linux-PAM-1.0.90/configure.in 2008-12-16 13:39:11.000000000 +0100
+@@ -531,6 +531,8 @@ AC_CONFIG_FILES([Makefile libpam/Makefil
+ libpam_misc/Makefile conf/Makefile conf/pam_conv1/Makefile \
+ po/Makefile.in \
+ modules/Makefile \
++ modules/pam_chroot/Makefile modules/pam_console/Makefile \
++ modules/pam_postgresok/Makefile \
+ modules/pam_access/Makefile modules/pam_cracklib/Makefile \
+ modules/pam_debug/Makefile modules/pam_deny/Makefile \
+ modules/pam_echo/Makefile modules/pam_env/Makefile \
diff --git a/SOURCES/pam-1.1.0-console-nochmod.patch b/SOURCES/pam-1.1.0-console-nochmod.patch
new file mode 100644
index 0000000..e41adad
--- /dev/null
+++ b/SOURCES/pam-1.1.0-console-nochmod.patch
@@ -0,0 +1,26 @@
+diff -up Linux-PAM-1.1.0/modules/pam_console/console.handlers.nochmod Linux-PAM-1.1.0/modules/pam_console/console.handlers
+--- Linux-PAM-1.1.0/modules/pam_console/console.handlers.nochmod 2008-12-16 13:37:52.000000000 +0100
++++ Linux-PAM-1.1.0/modules/pam_console/console.handlers 2009-09-01 17:20:08.000000000 +0200
+@@ -15,5 +15,3 @@
+ # touch unlock wait /var/run/console-unlocked
+ 
+ console consoledevs tty[0-9][0-9]* vc/[0-9][0-9]* :[0-9]+\.[0-9]+ :[0-9]+
+-/sbin/pam_console_apply lock logfail wait -t tty -s
+-/sbin/pam_console_apply unlock logfail wait -r -t tty -s
+diff -up Linux-PAM-1.1.0/modules/pam_console/Makefile.am.nochmod Linux-PAM-1.1.0/modules/pam_console/Makefile.am
+--- Linux-PAM-1.1.0/modules/pam_console/Makefile.am.nochmod 2008-12-16 13:37:52.000000000 +0100
++++ Linux-PAM-1.1.0/modules/pam_console/Makefile.am 2009-09-01 17:42:47.000000000 +0200
+@@ -38,7 +38,6 @@ sbin_PROGRAMS = pam_console_apply
+ 
+ 
+ secureconf_DATA = console.perms console.handlers
+-permsd_DATA = 50-default.perms
+ 
+ FLEX_OPTS = -Cr
+ BISON_OPTS = -d
+@@ -62,4 +61,5 @@ configfile.c: configfile.tab.c configfil
+ 
+ install-data-local:
+ mkdir -p $(DESTDIR)$(secureconfdir)/console.apps
++ mkdir -p $(DESTDIR)$(permsddir)
+ mkdir -m $(LOCKMODE) -p -p $(DESTDIR)$(LOCKDIR)
diff --git a/SOURCES/pam-1.1.0-notally.patch b/SOURCES/pam-1.1.0-notally.patch
new file mode 100644
index 0000000..9327eec
--- /dev/null
+++ b/SOURCES/pam-1.1.0-notally.patch
@@ -0,0 +1,12 @@
+diff -up Linux-PAM-1.1.0/modules/Makefile.am.notally Linux-PAM-1.1.0/modules/Makefile.am
+--- Linux-PAM-1.1.0/modules/Makefile.am.notally 2009-07-27 17:39:25.000000000 +0200
++++ Linux-PAM-1.1.0/modules/Makefile.am 2009-09-01 17:40:16.000000000 +0200
+@@ -10,7 +10,7 @@ SUBDIRS = pam_access pam_cracklib pam_de
+ pam_mkhomedir pam_motd pam_namespace pam_nologin \
+ pam_permit pam_pwhistory pam_rhosts pam_rootok pam_securetty \
+ pam_selinux pam_sepermit pam_shells pam_stress \
+- pam_succeed_if pam_tally pam_tally2 pam_time pam_timestamp \
++ pam_succeed_if pam_tally2 pam_time pam_timestamp \
+ pam_tty_audit pam_umask \
+ pam_unix pam_userdb pam_warn pam_wheel pam_xauth
+ 
diff --git a/SOURCES/pam-1.1.1-console-errmsg.patch b/SOURCES/pam-1.1.1-console-errmsg.patch
new file mode 100644
index 0000000..f2fe846
--- /dev/null
+++ b/SOURCES/pam-1.1.1-console-errmsg.patch
@@ -0,0 +1,12 @@
+diff -up Linux-PAM-1.1.1/modules/pam_console/pam_console_apply.c.errmsg Linux-PAM-1.1.1/modules/pam_console/pam_console_apply.c
+--- Linux-PAM-1.1.1/modules/pam_console/pam_console_apply.c.errmsg 2008-12-16 13:37:52.000000000 +0100
++++ Linux-PAM-1.1.1/modules/pam_console/pam_console_apply.c 2014-06-19 13:23:28.948343737 +0200
+@@ -65,7 +65,7 @@ parse_files(void)
+ on system locale */
+ oldlocale = setlocale(LC_COLLATE, "C");
+ 
+- rc = glob(PERMS_GLOB, GLOB_NOCHECK, NULL, &globbuf);
++ rc = glob(PERMS_GLOB, 0, NULL, &globbuf);
+ setlocale(LC_COLLATE, oldlocale);
+ if (rc)
+ return;
diff --git a/SOURCES/pam-1.1.1-faillock.patch b/SOURCES/pam-1.1.1-faillock.patch
new file mode 100644
index 0000000..eaee896
--- /dev/null
+++ b/SOURCES/pam-1.1.1-faillock.patch
@@ -0,0 +1,1714 @@ +diff -up Linux-PAM-1.1.1/configure.in.faillock Linux-PAM-1.1.1/configure.in +--- Linux-PAM-1.1.1/configure.in.faillock 2010-09-17 15:58:41.000000000 +0200 ++++ Linux-PAM-1.1.1/configure.in 2010-09-17 15:58:41.000000000 +0200 +@@ -539,7 +539,7 @@ AC_CONFIG_FILES([Makefile libpam/Makefil + modules/pam_access/Makefile modules/pam_cracklib/Makefile \ + modules/pam_debug/Makefile modules/pam_deny/Makefile \ + modules/pam_echo/Makefile modules/pam_env/Makefile \ +- modules/pam_faildelay/Makefile \ ++ modules/pam_faildelay/Makefile modules/pam_faillock/Makefile \ + modules/pam_filter/Makefile modules/pam_filter/upperLOWER/Makefile \ + modules/pam_ftp/Makefile modules/pam_group/Makefile \ + modules/pam_issue/Makefile modules/pam_keyinit/Makefile \ +diff -up Linux-PAM-1.1.1/doc/sag/pam_faillock.xml.faillock Linux-PAM-1.1.1/doc/sag/pam_faillock.xml +--- Linux-PAM-1.1.1/doc/sag/pam_faillock.xml.faillock 2010-09-17 16:05:56.000000000 +0200 ++++ Linux-PAM-1.1.1/doc/sag/pam_faillock.xml 2010-09-17 16:08:26.000000000 +0200 +@@ -0,0 +1,38 @@ ++ ++ ++
++ pam_faillock - temporarily locking access based on failed authentication attempts during an interval ++ ++ ++ ++ ++ ++ ++
++ ++
++
++ ++
++
++ ++
++
++ ++
++
++ ++
++
++ ++
++
+diff -up Linux-PAM-1.1.1/modules/Makefile.am.faillock Linux-PAM-1.1.1/modules/Makefile.am +--- Linux-PAM-1.1.1/modules/Makefile.am.faillock 2010-09-17 15:58:41.000000000 +0200 ++++ Linux-PAM-1.1.1/modules/Makefile.am 2010-09-17 15:58:41.000000000 +0200 +@@ -3,7 +3,7 @@ + # + + SUBDIRS = pam_access pam_cracklib pam_debug pam_deny pam_echo \ +- pam_chroot pam_console pam_postgresok \ ++ pam_chroot pam_console pam_postgresok pam_faillock \ + pam_env pam_exec pam_faildelay pam_filter pam_ftp \ + pam_group pam_issue pam_keyinit pam_lastlog pam_limits \ + pam_listfile pam_localuser pam_loginuid pam_mail \ +diff -up Linux-PAM-1.1.1/modules/pam_faillock/faillock.c.faillock Linux-PAM-1.1.1/modules/pam_faillock/faillock.c +--- Linux-PAM-1.1.1/modules/pam_faillock/faillock.c.faillock 2010-09-17 15:58:41.000000000 +0200 ++++ Linux-PAM-1.1.1/modules/pam_faillock/faillock.c 2010-09-17 15:58:41.000000000 +0200 +@@ -0,0 +1,147 @@ ++/* ++ * Copyright (c) 2010 Tomas Mraz ++ * ++ * Redistribution and use in source and binary forms, with or without ++ * modification, are permitted provided that the following conditions ++ * are met: ++ * 1. Redistributions of source code must retain the above copyright ++ * notice, and the entire permission notice in its entirety, ++ * including the disclaimer of warranties. ++ * 2. Redistributions in binary form must reproduce the above copyright ++ * notice, this list of conditions and the following disclaimer in the ++ * documentation and/or other materials provided with the distribution. ++ * 3. The name of the author may not be used to endorse or promote ++ * products derived from this software without specific prior ++ * written permission. ++ * ++ * ALTERNATIVELY, this product may be distributed under the terms of ++ * the GNU Public License, in which case the provisions of the GPL are ++ * required INSTEAD OF the above restrictions. 
(This clause is ++ * necessary due to a potential bad interaction between the GPL and ++ * the restrictions contained in a BSD-style copyright.) ++ * ++ * THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED ++ * WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES ++ * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE ++ * DISCLAIMED. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, ++ * INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES ++ * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR ++ * SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) ++ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, ++ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ++ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED ++ * OF THE POSSIBILITY OF SUCH DAMAGE. ++ */ ++ ++#include "config.h" ++#include ++#include ++#include ++#include ++#include ++#include ++#include ++#include ++#include ++ ++#include "faillock.h" ++ ++int ++open_tally (const char *dir, const char *user, int create) ++{ ++ char *path; ++ int flags = O_RDWR; ++ int fd; ++ ++ if (strstr(user, "../") != NULL) ++ /* just a defensive programming as the user must be a ++ * valid user on the system anyway ++ */ ++ return -1; ++ path = malloc(strlen(dir) + strlen(user) + 2); ++ if (path == NULL) ++ return -1; ++ ++ strcpy(path, dir); ++ if (*dir && dir[strlen(dir) - 1] != '/') { ++ strcat(path, "/"); ++ } ++ strcat(path, user); ++ ++ if (create) { ++ flags |= O_CREAT; ++ } ++ ++ fd = open(path, flags, 0600); ++ ++ if (fd != -1) ++ while (flock(fd, LOCK_EX) == -1 && errno == EINTR); ++ ++ return fd; ++} ++ ++#define CHUNK_SIZE (64 * sizeof(struct tally)) ++#define MAX_RECORDS 1024 ++ ++int ++read_tally(int fd, struct tally_data *tallies) ++{ ++ void *data = NULL, *newdata; ++ unsigned int count = 0; ++ ssize_t chunk = 0; ++ ++ do { ++ newdata = realloc(data, count * sizeof(struct 
tally) + CHUNK_SIZE); ++ if (newdata == NULL) { ++ free(data); ++ return -1; ++ } ++ ++ data = newdata; ++ ++ chunk = pam_modutil_read(fd, (char *)data + count * sizeof(struct tally), CHUNK_SIZE); ++ if (chunk < 0) { ++ free(data); ++ return -1; ++ } ++ ++ count += chunk/sizeof(struct tally); ++ ++ if (count >= MAX_RECORDS) ++ break; ++ } ++ while (chunk == CHUNK_SIZE); ++ ++ tallies->records = data; ++ tallies->count = count; ++ ++ return 0; ++} ++ ++int ++update_tally(int fd, struct tally_data *tallies) ++{ ++ void *data = tallies->records; ++ unsigned int count = tallies->count; ++ ssize_t chunk; ++ ++ if (tallies->count > MAX_RECORDS) { ++ data = tallies->records + (count - MAX_RECORDS); ++ count = MAX_RECORDS; ++ } ++ ++ if (lseek(fd, 0, SEEK_SET) == (off_t)-1) { ++ return -1; ++ } ++ ++ chunk = pam_modutil_write(fd, data, count * sizeof(struct tally)); ++ ++ if (chunk != (ssize_t)(count * sizeof(struct tally))) { ++ return -1; ++ } ++ ++ if (ftruncate(fd, count * sizeof(struct tally)) == -1) ++ return -1; ++ ++ return 0; ++} +diff -up Linux-PAM-1.1.1/modules/pam_faillock/faillock.h.faillock Linux-PAM-1.1.1/modules/pam_faillock/faillock.h +--- Linux-PAM-1.1.1/modules/pam_faillock/faillock.h.faillock 2010-09-17 15:58:41.000000000 +0200 ++++ Linux-PAM-1.1.1/modules/pam_faillock/faillock.h 2010-09-17 15:58:41.000000000 +0200 +@@ -0,0 +1,72 @@ ++/* ++ * Copyright (c) 2010 Tomas Mraz ++ * ++ * Redistribution and use in source and binary forms, with or without ++ * modification, are permitted provided that the following conditions ++ * are met: ++ * 1. Redistributions of source code must retain the above copyright ++ * notice, and the entire permission notice in its entirety, ++ * including the disclaimer of warranties. ++ * 2. Redistributions in binary form must reproduce the above copyright ++ * notice, this list of conditions and the following disclaimer in the ++ * documentation and/or other materials provided with the distribution. ++ * 3. 
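Review bot: `path` in open_tally is malloc'd but never freed, so every call leaks the buffer whether open() succeeds or not; add `free(path);` directly after `fd = open(path, flags, 0600);`. The `strstr(user, "../")` guard does not cover a name that is exactly `..` or one containing a plain `/`, so a name with a slash selects a file in a subdirectory of the tally dir and `.`/`..` resolve to directories, none of which are valid tally files; a stricter check is `if (strchr(user, '/') != NULL || strcmp(user, ".") == 0 || strcmp(user, "..") == 0) return -1;`. The `flock` loop retries only on EINTR and on any other error silently returns an fd that is not locked, which read_tally and update_tally then use as if it were; closing the fd and returning -1 when flock fails would keep the contract. In read_tally a trailing partial record (`chunk % sizeof(struct tally) != 0`) is silently dropped by the integer division, which is acceptable but deserves a comment.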
The name of the author may not be used to endorse or promote ++ * products derived from this software without specific prior ++ * written permission. ++ * ++ * ALTERNATIVELY, this product may be distributed under the terms of ++ * the GNU Public License, in which case the provisions of the GPL are ++ * required INSTEAD OF the above restrictions. (This clause is ++ * necessary due to a potential bad interaction between the GPL and ++ * the restrictions contained in a BSD-style copyright.) ++ * ++ * THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED ++ * WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES ++ * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE ++ * DISCLAIMED. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, ++ * INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES ++ * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR ++ * SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) ++ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, ++ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ++ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED ++ * OF THE POSSIBILITY OF SUCH DAMAGE. 
++ */ ++ ++/* ++ * faillock.h - authentication failure data file record structure ++ * ++ * Each record in the file represents an instance of login failure of ++ * the user at the recorded time ++ */ ++ ++ ++#ifndef _FAILLOCK_H ++#define _FAILLOCK_H ++ ++#include ++ ++#define TALLY_STATUS_VALID 0x1 /* the tally file entry is valid */ ++#define TALLY_STATUS_RHOST 0x2 /* the source is rhost */ ++#define TALLY_STATUS_TTY 0x4 /* the source is tty - if both TALLY_FLAG_RHOST and TALLY_FLAG_TTY are not set the source is service */ ++ ++struct tally { ++ char source[52]; /* rhost or tty of the login failure (not necessarily NULL terminated) */ ++ uint16_t reserved; /* reserved for future use */ ++ uint16_t status; /* record status */ ++ uint64_t time; /* time of the login failure */ ++}; ++/* 64 bytes per entry */ ++ ++struct tally_data { ++ struct tally *records; /* array of tallies */ ++ unsigned int count; /* number of records */ ++}; ++ ++#define FAILLOCK_DEFAULT_TALLYDIR "/var/run/faillock" ++ ++int open_tally(const char *dir, const char *user, int create); ++int read_tally(int fd, struct tally_data *tallies); ++int update_tally(int fd, struct tally_data *tallies); ++#endif ++ +diff -up Linux-PAM-1.1.1/modules/pam_faillock/faillock.8.xml.faillock Linux-PAM-1.1.1/modules/pam_faillock/faillock.8.xml +--- Linux-PAM-1.1.1/modules/pam_faillock/faillock.8.xml.faillock 2010-09-17 15:58:41.000000000 +0200 ++++ Linux-PAM-1.1.1/modules/pam_faillock/faillock.8.xml 2010-09-17 15:58:41.000000000 +0200 +@@ -0,0 +1,123 @@ ++ ++ ++ ++ ++ ++ ++ faillock ++ 8 ++ Linux-PAM Manual ++ ++ ++ ++ faillock ++ Tool for displaying and modifying the authentication failure record files ++ ++ ++ ++ ++ faillock ++ ++ --dir /path/to/tally-directory ++ ++ ++ --user username ++ ++ ++ --reset ++ ++ ++ ++ ++ ++ ++ DESCRIPTION ++ ++ ++ The pam_faillock.so module maintains a list of ++ failed authentication attempts per user during a specified interval ++ and locks the account in case there were more than 
++ deny consecutive failed authentications. ++ It stores the failure records into per-user files in the tally ++ directory. ++ ++ ++ The faillock command is an application which ++ can be used to examine and modify the contents of the ++ the tally files. It can display the recent failed authentication ++ attempts of the username or clear the tally ++ files of all or individual usernames. ++ ++ ++ ++ ++ ++ OPTIONS ++ ++ ++ ++ ++ ++ ++ ++ The directory where the user files with the failure records are kept. The ++ default is /var/run/faillock. ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ The user whose failure records should be displayed or cleared. ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ Instead of displaying the user's failure records, clear them. ++ ++ ++ ++ ++ ++ ++ ++ FILES ++ ++ ++ /var/run/faillock/* ++ ++ the files logging the authentication failures for users ++ ++ ++ ++ ++ ++ ++ SEE ALSO ++ ++ ++ pam_faillock8 ++ , ++ ++ pam8 ++ ++ ++ ++ ++ ++ AUTHOR ++ ++ faillock was written by Tomas Mraz. ++ ++ ++ ++ +diff -up Linux-PAM-1.1.1/modules/pam_faillock/main.c.faillock Linux-PAM-1.1.1/modules/pam_faillock/main.c +--- Linux-PAM-1.1.1/modules/pam_faillock/main.c.faillock 2010-09-17 15:58:41.000000000 +0200 ++++ Linux-PAM-1.1.1/modules/pam_faillock/main.c 2010-09-17 15:58:41.000000000 +0200 +@@ -0,0 +1,233 @@ ++/* ++ * Copyright (c) 2010 Tomas Mraz ++ * ++ * Redistribution and use in source and binary forms, with or without ++ * modification, are permitted provided that the following conditions ++ * are met: ++ * 1. Redistributions of source code must retain the above copyright ++ * notice, and the entire permission notice in its entirety, ++ * including the disclaimer of warranties. ++ * 2. Redistributions in binary form must reproduce the above copyright ++ * notice, this list of conditions and the following disclaimer in the ++ * documentation and/or other materials provided with the distribution. ++ * 3. 
The name of the author may not be used to endorse or promote ++ * products derived from this software without specific prior ++ * written permission. ++ * ++ * ALTERNATIVELY, this product may be distributed under the terms of ++ * the GNU Public License, in which case the provisions of the GPL are ++ * required INSTEAD OF the above restrictions. (This clause is ++ * necessary due to a potential bad interaction between the GPL and ++ * the restrictions contained in a BSD-style copyright.) ++ * ++ * THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED ++ * WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES ++ * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE ++ * DISCLAIMED. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, ++ * INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES ++ * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR ++ * SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) ++ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, ++ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ++ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED ++ * OF THE POSSIBILITY OF SUCH DAMAGE. 
++ */ ++ ++#include "config.h" ++ ++#include ++#include ++#include ++#include ++#include ++#include ++#include ++#include ++#include ++#ifdef HAVE_LIBAUDIT ++#include ++#endif ++ ++#include "faillock.h" ++ ++struct options { ++ unsigned int reset; ++ const char *dir; ++ const char *user; ++ const char *progname; ++}; ++ ++static int ++args_parse(int argc, char **argv, struct options *opts) ++{ ++ int i; ++ memset(opts, 0, sizeof(*opts)); ++ ++ opts->dir = FAILLOCK_DEFAULT_TALLYDIR; ++ opts->progname = argv[0]; ++ ++ for (i = 1; i < argc; ++i) { ++ ++ if (strcmp(argv[i], "--dir") == 0) { ++ ++i; ++ if (i >= argc || strlen(argv[i]) == 0) { ++ fprintf(stderr, "%s: No directory supplied.\n", argv[0]); ++ return -1; ++ } ++ opts->dir = argv[i]; ++ } ++ else if (strcmp(argv[i], "--user") == 0) { ++ ++i; ++ if (i >= argc || strlen(argv[i]) == 0) { ++ fprintf(stderr, "%s: No user name supplied.\n", argv[0]); ++ return -1; ++ } ++ opts->user = argv[i]; ++ } ++ else if (strcmp(argv[i], "--reset") == 0) { ++ opts->reset = 1; ++ } ++ else { ++ fprintf(stderr, "%s: Unknown option: %s\n", argv[0], argv[i]); ++ return -1; ++ } ++ } ++ return 0; ++} ++ ++static void ++usage(const char *progname) ++{ ++ fprintf(stderr, _("Usage: %s [--dir /path/to/tally-directory] [--user username] [--reset]\n"), ++ progname); ++} ++ ++static int ++do_user(struct options *opts, const char *user) ++{ ++ int fd; ++ int rv; ++ struct tally_data tallies; ++ ++ fd = open_tally(opts->dir, user, 0); ++ ++ if (fd == -1) { ++ if (errno == ENOENT) { ++ return 0; ++ } ++ else { ++ fprintf(stderr, "%s: Error opening the tally file for %s:", ++ opts->progname, user); ++ perror(NULL); ++ return 3; ++ } ++ } ++ if (opts->reset) { ++#ifdef HAVE_LIBAUDIT ++ char buf[64]; ++ int audit_fd; ++#endif ++ ++ while ((rv=ftruncate(fd, 0)) == -1 && errno == EINTR); ++ if (rv == -1) { ++ fprintf(stderr, "%s: Error clearing the tally file for %s:", ++ opts->progname, user); ++ perror(NULL); ++#ifdef HAVE_LIBAUDIT ++ } ++ if 
((audit_fd=audit_open()) >= 0) { ++ struct passwd *pwd; ++ ++ if ((pwd=getpwnam(user)) != NULL) { ++ snprintf(buf, sizeof(buf), "faillock reset uid=%u", ++ pwd->pw_uid); ++ audit_log_user_message(audit_fd, AUDIT_USER_ACCT, ++ buf, NULL, NULL, NULL, rv == 0); ++ } ++ close(audit_fd); ++ } ++ if (rv == -1) { ++#endif ++ close(fd); ++ return 4; ++ } ++ } ++ else { ++ unsigned int i; ++ ++ memset(&tallies, 0, sizeof(tallies)); ++ if ((rv=read_tally(fd, &tallies)) == -1) { ++ fprintf(stderr, "%s: Error reading the tally file for %s:", ++ opts->progname, user); ++ perror(NULL); ++ close(fd); ++ return 5; ++ } ++ ++ printf("%s:\n", user); ++ printf("%-19s %-5s %-48s %-5s\n", "When", "Type", "Source", "Valid"); ++ ++ for (i = 0; i < tallies.count; i++) { ++ struct tm *tm; ++ char timebuf[80]; ++ uint16_t status = tallies.records[i].status; ++ time_t when = tallies.records[i].time; ++ ++ tm = localtime(&when); ++ strftime(timebuf, sizeof(timebuf), "%Y-%m-%d %H:%M:%S", tm); ++ printf("%-19s %-5s %-52.52s %s\n", timebuf, ++ status & TALLY_STATUS_RHOST ? "RHOST" : (status & TALLY_STATUS_TTY ? "TTY" : "SVC"), ++ tallies.records[i].source, status & TALLY_STATUS_VALID ? "V":"I"); ++ } ++ free(tallies.records); ++ } ++ close(fd); ++ return 0; ++} ++ ++static int ++do_allusers(struct options *opts) ++{ ++ struct dirent **userlist; ++ int rv, i; ++ ++ rv = scandir(opts->dir, &userlist, NULL, alphasort); ++ if (rv < 0) { ++ fprintf(stderr, "%s: Error reading tally directory: ", opts->progname); ++ perror(NULL); ++ return 2; ++ } ++ ++ for (i = 0; i < rv; i++) { ++ if (userlist[i]->d_name[0] == '.') { ++ if ((userlist[i]->d_name[1] == '.' 
&& userlist[i]->d_name[2] == '\0') || ++ userlist[i]->d_name[1] == '\0') ++ continue; ++ } ++ do_user(opts, userlist[i]->d_name); ++ free(userlist[i]); ++ } ++ free(userlist); ++ ++ return 0; ++} ++ ++ ++/*-----------------------------------------------------------------------*/ ++int ++main (int argc, char *argv[]) ++{ ++ struct options opts; ++ ++ if (args_parse(argc, argv, &opts)) { ++ usage(argv[0]); ++ return 1; ++ } ++ ++ if (opts.user == NULL) { ++ return do_allusers(&opts); ++ } ++ ++ return do_user(&opts, opts.user); ++} ++ +diff -up Linux-PAM-1.1.1/modules/pam_faillock/Makefile.am.faillock Linux-PAM-1.1.1/modules/pam_faillock/Makefile.am +--- Linux-PAM-1.1.1/modules/pam_faillock/Makefile.am.faillock 2010-09-17 15:58:41.000000000 +0200 ++++ Linux-PAM-1.1.1/modules/pam_faillock/Makefile.am 2010-09-17 15:58:41.000000000 +0200 +@@ -0,0 +1,43 @@ ++# ++# Copyright (c) 2005, 2006, 2007, 2009 Thorsten Kukuk ++# Copyright (c) 2008 Red Hat, Inc. ++# Copyright (c) 2010 Tomas Mraz ++# ++ ++CLEANFILES = *~ ++MAINTAINERCLEANFILES = $(MANS) README ++ ++EXTRA_DIST = README $(MANS) $(XMLS) tst-pam_faillock ++ ++man_MANS = pam_faillock.8 faillock.8 ++XMLS = README.xml pam_faillock.8.xml faillock.8.xml ++ ++TESTS = tst-pam_faillock ++ ++securelibdir = $(SECUREDIR) ++secureconfdir = $(SCONFIGDIR) ++ ++noinst_HEADERS = faillock.h ++ ++faillock_CFLAGS = -I$(top_srcdir)/libpam/include -I$(top_srcdir)/libpamc/include ++pam_faillock_la_CFLAGS = -I$(top_srcdir)/libpam/include -I$(top_srcdir)/libpamc/include ++ ++pam_faillock_la_LDFLAGS = -no-undefined -avoid-version -module ++pam_faillock_la_LIBADD = -L$(top_builddir)/libpam -lpam $(LIBAUDIT) ++if HAVE_VERSIONING ++ pam_faillock_la_LDFLAGS += -Wl,--version-script=$(srcdir)/../modules.map ++endif ++ ++faillock_LDADD = -L$(top_builddir)/libpam -lpam $(LIBAUDIT) ++ ++securelib_LTLIBRARIES = pam_faillock.la ++sbin_PROGRAMS = faillock ++ ++pam_faillock_la_SOURCES = pam_faillock.c faillock.c ++faillock_SOURCES = main.c faillock.c ++ 
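Review bot: do_allusers discards the return value of `do_user`, so an open, read or reset error for one user in the tally directory is printed but the tool still exits 0, which defeats scripts that run `faillock --reset` and check the status; keep the first non-zero code, e.g. `int urv = do_user(opts, userlist[i]->d_name); if (urv != 0 && ret == 0) ret = urv;` and `return ret;` in place of `return 0;`. In the reset branch of do_user, `audit_log_user_message` is only reached when `getpwnam(user)` succeeds, so clearing a tally file whose name is no longer a system user truncates the file without leaving any audit record. The `localtime` result is passed to `strftime` unchecked; a record with an out-of-range `time` field makes localtime return NULL and the display loop dereference it.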
++if ENABLE_REGENERATE_MAN ++noinst_DATA = README ++README: pam_faillock.8.xml ++-include $(top_srcdir)/Make.xml.rules ++endif +diff -up Linux-PAM-1.1.1/modules/pam_faillock/pam_faillock.c.faillock Linux-PAM-1.1.1/modules/pam_faillock/pam_faillock.c +--- Linux-PAM-1.1.1/modules/pam_faillock/pam_faillock.c.faillock 2010-09-17 15:58:41.000000000 +0200 ++++ Linux-PAM-1.1.1/modules/pam_faillock/pam_faillock.c 2010-09-17 15:58:41.000000000 +0200 +@@ -0,0 +1,550 @@ ++/* ++ * Copyright (c) 2010 Tomas Mraz ++ * ++ * Redistribution and use in source and binary forms, with or without ++ * modification, are permitted provided that the following conditions ++ * are met: ++ * 1. Redistributions of source code must retain the above copyright ++ * notice, and the entire permission notice in its entirety, ++ * including the disclaimer of warranties. ++ * 2. Redistributions in binary form must reproduce the above copyright ++ * notice, this list of conditions and the following disclaimer in the ++ * documentation and/or other materials provided with the distribution. ++ * 3. The name of the author may not be used to endorse or promote ++ * products derived from this software without specific prior ++ * written permission. ++ * ++ * ALTERNATIVELY, this product may be distributed under the terms of ++ * the GNU Public License, in which case the provisions of the GPL are ++ * required INSTEAD OF the above restrictions. (This clause is ++ * necessary due to a potential bad interaction between the GPL and ++ * the restrictions contained in a BSD-style copyright.) ++ * ++ * THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED ++ * WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES ++ * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE ++ * DISCLAIMED. 
IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, ++ * INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES ++ * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR ++ * SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) ++ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, ++ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ++ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED ++ * OF THE POSSIBILITY OF SUCH DAMAGE. ++ */ ++ ++#include "config.h" ++#include ++#include ++#include ++#include ++#include ++#include ++#include ++#include ++#include ++ ++#ifdef HAVE_LIBAUDIT ++#include ++#endif ++ ++#include ++#include ++#include ++ ++#include "faillock.h" ++ ++#define PAM_SM_AUTH ++#define PAM_SM_ACCOUNT ++ ++#define FAILLOCK_ACTION_PREAUTH 0 ++#define FAILLOCK_ACTION_AUTHSUCC 1 ++#define FAILLOCK_ACTION_AUTHFAIL 2 ++ ++#define FAILLOCK_FLAG_DENY_ROOT 0x1 ++#define FAILLOCK_FLAG_AUDIT 0x2 ++#define FAILLOCK_FLAG_SILENT 0x4 ++#define FAILLOCK_FLAG_NO_LOG_INFO 0x8 ++#define FAILLOCK_FLAG_UNLOCKED 0x10 ++ ++#define MAX_TIME_INTERVAL 604800 /* 7 days */ ++ ++struct options { ++ unsigned int action; ++ unsigned int flags; ++ unsigned short deny; ++ unsigned int fail_interval; ++ unsigned int unlock_time; ++ unsigned int root_unlock_time; ++ const char *dir; ++ const char *user; ++ int failures; ++ uint64_t latest_time; ++ uid_t uid; ++ uint64_t now; ++}; ++ ++static void ++args_parse(pam_handle_t *pamh, int argc, const char **argv, ++ int flags, struct options *opts) ++{ ++ int i; ++ memset(opts, 0, sizeof(*opts)); ++ ++ opts->dir = FAILLOCK_DEFAULT_TALLYDIR; ++ opts->deny = 3; ++ opts->fail_interval = 900; ++ opts->unlock_time = 600; ++ opts->root_unlock_time = MAX_TIME_INTERVAL+1; ++ ++ for (i = 0; i < argc; ++i) { ++ ++ if (strncmp(argv[i], "dir=", 4) == 0) { ++ if (argv[i][4] != '/') { ++ pam_syslog(pamh, LOG_ERR, ++ "Tally directory is not absolute path (%s); keeping 
default", argv[i]); ++ } else { ++ opts->dir = argv[i]+4; ++ } ++ } ++ else if (strncmp(argv[i], "deny=", 5) == 0) { ++ if (sscanf(argv[i]+5, "%hu", &opts->deny) != 1) { ++ pam_syslog(pamh, LOG_ERR, ++ "Bad number supplied for deny argument"); ++ } ++ } ++ else if (strncmp(argv[i], "fail_interval=", 14) == 0) { ++ unsigned int temp; ++ if (sscanf(argv[i]+14, "%u", &temp) != 1 || ++ temp > MAX_TIME_INTERVAL) { ++ pam_syslog(pamh, LOG_ERR, ++ "Bad number supplied for fail_interval argument"); ++ } else { ++ opts->fail_interval = temp; ++ } ++ } ++ else if (strncmp(argv[i], "unlock_time=", 12) == 0) { ++ unsigned int temp; ++ if (sscanf(argv[i]+12, "%u", &temp) != 1 || ++ temp > MAX_TIME_INTERVAL) { ++ pam_syslog(pamh, LOG_ERR, ++ "Bad number supplied for unlock_time argument"); ++ } else { ++ opts->unlock_time = temp; ++ } ++ } ++ else if (strncmp(argv[i], "root_unlock_time=", 17) == 0) { ++ unsigned int temp; ++ if (sscanf(argv[i]+17, "%u", &temp) != 1 || ++ temp > MAX_TIME_INTERVAL) { ++ pam_syslog(pamh, LOG_ERR, ++ "Bad number supplied for root_unlock_time argument"); ++ } else { ++ opts->root_unlock_time = temp; ++ } ++ } ++ else if (strcmp(argv[i], "preauth") == 0) { ++ opts->action = FAILLOCK_ACTION_PREAUTH; ++ } ++ else if (strcmp(argv[i], "authfail") == 0) { ++ opts->action = FAILLOCK_ACTION_AUTHFAIL; ++ } ++ else if (strcmp(argv[i], "authsucc") == 0) { ++ opts->action = FAILLOCK_ACTION_AUTHSUCC; ++ } ++ else if (strcmp(argv[i], "even_deny_root") == 0) { ++ opts->flags |= FAILLOCK_FLAG_DENY_ROOT; ++ } ++ else if (strcmp(argv[i], "audit") == 0) { ++ opts->flags |= FAILLOCK_FLAG_AUDIT; ++ } ++ else if (strcmp(argv[i], "silent") == 0) { ++ opts->flags |= FAILLOCK_FLAG_SILENT; ++ } ++ else if (strcmp(argv[i], "no_log_info") == 0) { ++ opts->flags |= FAILLOCK_FLAG_NO_LOG_INFO; ++ } ++ else { ++ pam_syslog(pamh, LOG_ERR, "Unknown option: %s", argv[i]); ++ } ++ } ++ ++ if (opts->root_unlock_time == MAX_TIME_INTERVAL+1) ++ opts->root_unlock_time = opts->unlock_time; 
++ if (flags & PAM_SILENT) ++ opts->flags |= FAILLOCK_FLAG_SILENT; ++} ++ ++static int get_pam_user(pam_handle_t *pamh, struct options *opts) ++{ ++ const char *user; ++ int rv; ++ struct passwd *pwd; ++ ++ if ((rv=pam_get_user(pamh, &user, NULL)) != PAM_SUCCESS) { ++ return rv; ++ } ++ ++ if (*user == '\0') { ++ return PAM_IGNORE; ++ } ++ ++ if ((pwd=pam_modutil_getpwnam(pamh, user)) == NULL) { ++ if (opts->flags & FAILLOCK_FLAG_AUDIT) { ++ pam_syslog(pamh, LOG_ERR, "User unknown: %s", user); ++ } ++ else { ++ pam_syslog(pamh, LOG_ERR, "User unknown"); ++ } ++ return PAM_IGNORE; ++ } ++ opts->user = user; ++ opts->uid = pwd->pw_uid; ++ return PAM_SUCCESS; ++} ++ ++static int ++check_tally(pam_handle_t *pamh, struct options *opts, struct tally_data *tallies, int *fd) ++{ ++ int tfd; ++ unsigned int i; ++ uint64_t latest_time; ++ int failures; ++ ++ opts->now = time(NULL); ++ ++ tfd = open_tally(opts->dir, opts->user, 0); ++ ++ *fd = tfd; ++ ++ if (tfd == -1) { ++ if (errno == EACCES || errno == ENOENT) { ++ return PAM_SUCCESS; ++ } ++ pam_syslog(pamh, LOG_ERR, "Error opening the tally file for %s: %m", opts->user); ++ return PAM_SYSTEM_ERR; ++ } ++ ++ if (read_tally(tfd, tallies) != 0) { ++ pam_syslog(pamh, LOG_ERR, "Error reading the tally file for %s: %m", opts->user); ++ return PAM_SYSTEM_ERR; ++ } ++ ++ if (opts->uid == 0 && !(opts->flags & FAILLOCK_FLAG_DENY_ROOT)) { ++ return PAM_SUCCESS; ++ } ++ ++ latest_time = 0; ++ for(i = 0; i < tallies->count; i++) { ++ if ((tallies->records[i].status & TALLY_STATUS_VALID) && ++ tallies->records[i].time > latest_time) ++ latest_time = tallies->records[i].time; ++ } ++ ++ opts->latest_time = latest_time; ++ ++ failures = 0; ++ for(i = 0; i < tallies->count; i++) { ++ if ((tallies->records[i].status & TALLY_STATUS_VALID) && ++ latest_time - tallies->records[i].time < opts->fail_interval) { ++ ++failures; ++ } ++ } ++ ++ opts->failures = failures; ++ ++ if (opts->uid == 0 && !(opts->flags & FAILLOCK_FLAG_DENY_ROOT)) { ++ 
return PAM_SUCCESS; ++ } ++ ++ if (opts->deny && failures >= opts->deny) { ++ if ((opts->uid && latest_time + opts->unlock_time < opts->now) || ++ (!opts->uid && latest_time + opts->root_unlock_time < opts->now)) { ++#ifdef HAVE_LIBAUDIT ++ if (opts->action != FAILLOCK_ACTION_PREAUTH) { /* do not audit in preauth */ ++ char buf[64]; ++ int audit_fd; ++ ++ audit_fd = audit_open(); ++ /* If there is an error & audit support is in the kernel report error */ ++ if ((audit_fd < 0) && !(errno == EINVAL || errno == EPROTONOSUPPORT || ++ errno == EAFNOSUPPORT)) ++ return PAM_SYSTEM_ERR; ++ ++ snprintf(buf, sizeof(buf), "pam_faillock uid=%u ", opts->uid); ++ audit_log_user_message(audit_fd, AUDIT_RESP_ACCT_UNLOCK_TIMED, buf, ++ NULL, NULL, NULL, 1); ++ } ++#endif ++ opts->flags |= FAILLOCK_FLAG_UNLOCKED; ++ return PAM_SUCCESS; ++ } ++ return PAM_AUTH_ERR; ++ } ++ return PAM_SUCCESS; ++} ++ ++static void ++reset_tally(pam_handle_t *pamh, struct options *opts, int *fd) ++{ ++ int rv; ++ ++ while ((rv=ftruncate(*fd, 0)) == -1 && errno == EINTR); ++ if (rv == -1) { ++ pam_syslog(pamh, LOG_ERR, "Error clearing the tally file for %s: %m", opts->user); ++ } ++} ++ ++static int ++write_tally(pam_handle_t *pamh, struct options *opts, struct tally_data *tallies, int *fd) ++{ ++ struct tally *records; ++ unsigned int i; ++ int failures; ++ unsigned int oldest; ++ uint64_t oldtime; ++ const void *source = NULL; ++ ++ if (*fd == -1) { ++ *fd = open_tally(opts->dir, opts->user, 1); ++ } ++ if (*fd == -1) { ++ if (errno == EACCES) { ++ return PAM_SUCCESS; ++ } ++ pam_syslog(pamh, LOG_ERR, "Error opening the tally file for %s: %m", opts->user); ++ return PAM_SYSTEM_ERR; ++ } ++ ++ oldtime = 0; ++ oldest = 0; ++ failures = 0; ++ ++ for (i = 0; i < tallies->count; ++i) { ++ if (tallies->records[i].time < oldtime) { ++ oldtime = tallies->records[i].time; ++ oldest = i; ++ } ++ if (opts->flags & FAILLOCK_FLAG_UNLOCKED || ++ opts->now - tallies->records[i].time >= opts->fail_interval ) { ++ 
tallies->records[i].status &= ~TALLY_STATUS_VALID; ++ } else { ++ ++failures; ++ } ++ } ++ ++ if (oldest >= tallies->count || (tallies->records[oldest].status & TALLY_STATUS_VALID)) { ++ oldest = tallies->count; ++ ++ if ((records=realloc(tallies->records, (oldest+1) * sizeof (*tallies->records))) == NULL) { ++ pam_syslog(pamh, LOG_CRIT, "Error allocating memory for tally records: %m"); ++ return PAM_BUF_ERR; ++ } ++ ++ ++tallies->count; ++ tallies->records = records; ++ } ++ ++ memset(&tallies->records[oldest], 0, sizeof (*tallies->records)); ++ ++ tallies->records[oldest].status = TALLY_STATUS_VALID; ++ if (pam_get_item(pamh, PAM_RHOST, &source) != PAM_SUCCESS || source == NULL) { ++ if (pam_get_item(pamh, PAM_TTY, &source) != PAM_SUCCESS || source == NULL) { ++ if (pam_get_item(pamh, PAM_SERVICE, &source) != PAM_SUCCESS || source == NULL) { ++ source = ""; ++ } ++ } ++ else { ++ tallies->records[oldest].status |= TALLY_STATUS_TTY; ++ } ++ } ++ else { ++ tallies->records[oldest].status |= TALLY_STATUS_RHOST; ++ } ++ ++ strncpy(tallies->records[oldest].source, source, sizeof(tallies->records[oldest].source)); ++ /* source does not have to be null terminated */ ++ ++ tallies->records[oldest].time = opts->now; ++ ++ ++failures; ++ ++ if (opts->deny && failures == opts->deny) { ++#ifdef HAVE_LIBAUDIT ++ char buf[64]; ++ int audit_fd; ++ ++ audit_fd = audit_open(); ++ /* If there is an error & audit support is in the kernel report error */ ++ if ((audit_fd < 0) && !(errno == EINVAL || errno == EPROTONOSUPPORT || ++ errno == EAFNOSUPPORT)) ++ return PAM_SYSTEM_ERR; ++ ++ snprintf(buf, sizeof(buf), "pam_faillock uid=%u ", opts->uid); ++ audit_log_user_message(audit_fd, AUDIT_ANOM_LOGIN_FAILURES, buf, ++ NULL, NULL, NULL, 1); ++ ++ if (opts->uid != 0 || (opts->flags & FAILLOCK_FLAG_DENY_ROOT)) { ++ audit_log_user_message(audit_fd, AUDIT_RESP_ACCT_LOCK, buf, ++ NULL, NULL, NULL, 1); ++ } ++ close(audit_fd); ++#endif ++ if (!(opts->flags & FAILLOCK_FLAG_NO_LOG_INFO)) { ++ 
pam_syslog(pamh, LOG_INFO, "Consecutive login failures for user %s account temporarily locked", ++ opts->user); ++ } ++ } ++ ++ if (update_tally(*fd, tallies) == 0) ++ return PAM_SUCCESS; ++ ++ return PAM_SYSTEM_ERR; ++} ++ ++static void ++faillock_message(pam_handle_t *pamh, struct options *opts) ++{ ++ int64_t left; ++ ++ if (!(opts->flags & FAILLOCK_FLAG_SILENT)) { ++ if (opts->uid) { ++ left = opts->latest_time + opts->unlock_time - opts->now; ++ } ++ else { ++ left = opts->latest_time + opts->root_unlock_time - opts->now; ++ } ++ ++ left /= 60; /* minutes */ ++ ++ pam_info(pamh, _("Account temporarily locked due to %d failed logins"), ++ opts->failures); ++ pam_info(pamh, _("(%d minutes left to unlock)"), (int)left); ++ } ++} ++ ++static void ++tally_cleanup(struct tally_data *tallies, int fd) ++{ ++ if (fd != -1) { ++ close(fd); ++ } ++ ++ free(tallies->records); ++} ++ ++/*---------------------------------------------------------------------*/ ++ ++PAM_EXTERN int ++pam_sm_authenticate(pam_handle_t *pamh, int flags, ++ int argc, const char **argv) ++{ ++ struct options opts; ++ int rv, fd = -1; ++ struct tally_data tallies; ++ ++ memset(&tallies, 0, sizeof(tallies)); ++ ++ args_parse(pamh, argc, argv, flags, &opts); ++ ++ pam_fail_delay(pamh, 2000000); /* 2 sec delay for on failure */ ++ ++ if ((rv=get_pam_user(pamh, &opts)) != PAM_SUCCESS) { ++ return rv; ++ } ++ ++ switch (opts.action) { ++ case FAILLOCK_ACTION_PREAUTH: ++ rv = check_tally(pamh, &opts, &tallies, &fd); ++ if (rv == PAM_AUTH_ERR && !(opts.flags & FAILLOCK_FLAG_SILENT)) { ++ faillock_message(pamh, &opts); ++ } ++ break; ++ ++ case FAILLOCK_ACTION_AUTHSUCC: ++ rv = check_tally(pamh, &opts, &tallies, &fd); ++ if (rv == PAM_SUCCESS && fd != -1) { ++ reset_tally(pamh, &opts, &fd); ++ } ++ break; ++ ++ case FAILLOCK_ACTION_AUTHFAIL: ++ rv = check_tally(pamh, &opts, &tallies, &fd); ++ if (rv == PAM_SUCCESS) { ++ rv = PAM_IGNORE; /* this return value should be ignored */ ++ write_tally(pamh, &opts, 
&tallies, &fd); ++ } ++ break; ++ } ++ ++ tally_cleanup(&tallies, fd); ++ ++ return rv; ++} ++ ++/*---------------------------------------------------------------------*/ ++ ++PAM_EXTERN int ++pam_sm_setcred(pam_handle_t *pamh UNUSED, int flags UNUSED, ++ int argc UNUSED, const char **argv UNUSED) ++{ ++ return PAM_SUCCESS; ++} ++ ++/*---------------------------------------------------------------------*/ ++ ++PAM_EXTERN int ++pam_sm_acct_mgmt(pam_handle_t *pamh, int flags, ++ int argc, const char **argv) ++{ ++ struct options opts; ++ int rv, fd = -1; ++ struct tally_data tallies; ++ ++ memset(&tallies, 0, sizeof(tallies)); ++ ++ args_parse(pamh, argc, argv, flags, &opts); ++ ++ opts.action = FAILLOCK_ACTION_AUTHSUCC; ++ ++ if ((rv=get_pam_user(pamh, &opts)) != PAM_SUCCESS) { ++ return rv; ++ } ++ ++ check_tally(pamh, &opts, &tallies, &fd); ++ if (fd != -1) { ++ reset_tally(pamh, &opts, &fd); ++ } ++ ++ tally_cleanup(&tallies, fd); ++ ++ return PAM_SUCCESS; ++} ++ ++/*-----------------------------------------------------------------------*/ ++ ++#ifdef PAM_STATIC ++ ++/* static module data */ ++ ++struct pam_module _pam_faillock_modstruct = { ++ MODULE_NAME, ++#ifdef PAM_SM_AUTH ++ pam_sm_authenticate, ++ pam_sm_setcred, ++#else ++ NULL, ++ NULL, ++#endif ++#ifdef PAM_SM_ACCOUNT ++ pam_sm_acct_mgmt, ++#else ++ NULL, ++#endif ++ NULL, ++ NULL, ++ NULL, ++}; ++ ++#endif /* #ifdef PAM_STATIC */ ++ +diff -up Linux-PAM-1.1.1/modules/pam_faillock/pam_faillock.8.xml.faillock Linux-PAM-1.1.1/modules/pam_faillock/pam_faillock.8.xml +--- Linux-PAM-1.1.1/modules/pam_faillock/pam_faillock.8.xml.faillock 2010-09-17 15:58:41.000000000 +0200 ++++ Linux-PAM-1.1.1/modules/pam_faillock/pam_faillock.8.xml 2010-09-17 15:58:41.000000000 +0200 +@@ -0,0 +1,396 @@ ++ ++ ++ ++ ++ ++ ++ pam_faillock ++ 8 ++ Linux-PAM Manual ++ ++ ++ ++ pam_faillock ++ Module counting authentication failures during a specified interval ++ ++ ++ ++ ++ auth ... 
pam_faillock.so ++ ++ preauth|authfail|authsucc ++ ++ ++ dir=/path/to/tally-directory ++ ++ ++ even_deny_root ++ ++ ++ deny=n ++ ++ ++ fail_interval=n ++ ++ ++ unlock_time=n ++ ++ ++ root_unlock_time=n ++ ++ ++ audit ++ ++ ++ silent ++ ++ ++ no_log_info ++ ++ ++ ++ account ... pam_faillock.so ++ ++ dir=/path/to/tally-directory ++ ++ ++ no_log_info ++ ++ ++ ++ ++ ++ ++ DESCRIPTION ++ ++ ++ This module maintains a list of failed authentication attempts per ++ user during a specified interval and locks the account in case ++ there were more than deny consecutive ++ failed authentications. ++ ++ ++ Normally, failed attempts to authenticate root will ++ not cause the root account to become ++ blocked, to prevent denial-of-service: if your users aren't given ++ shell accounts and root may only login via su or ++ at the machine console (not telnet/rsh, etc), this is safe. ++ ++ ++ ++ ++ ++ OPTIONS ++ ++ ++ ++ ++ ++ ++ ++ This argument must be set accordingly to the position of this module ++ instance in the PAM stack. ++ ++ ++ The preauth argument must be used when the module ++ is called before the modules which ask for the user credentials such ++ as the password. The module just examines whether the user should ++ be blocked from accessing the service in case there were anomalous ++ number of failed consecutive authentication attempts recently. This ++ call is optional if authsucc is used. ++ ++ ++ The authfail argument must be used when the module ++ is called after the modules which determine the authentication outcome, ++ failed. Unless the user is already blocked due to previous authentication ++ failures, the module will record the failure into the appropriate user ++ tally file. ++ ++ ++ The authsucc argument must be used when the module ++ is called after the modules which determine the authentication outcome, ++ succeded. 
Unless the user is already blocked due to previous authentication ++ failures, the module will then clear the record of the failures in the ++ respective user tally file. Otherwise it will return authentication error. ++ If this call is not done, the pam_faillock will not distinguish between ++ consecutive and non-consecutive failed authentication attempts. The ++ preauth call must be used in such case. Due to ++ complications in the way the PAM stack can be configured it is also ++ possible to call pam_faillock as an account module. ++ In such configuration the module must be also called in the ++ preauth stage. ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ The directory where the user files with the failure records are kept. The ++ default is /var/run/faillock. ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ Will log the user name into the system log if the user is not found. ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ Don't print informative messages. This option is implicite ++ in the authfail and authsucc ++ functions. ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ Don't log informative messages via syslog3. ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ Deny access if the number of consecutive authentication failures ++ for this user during the recent interval exceeds ++ n. The default is 3. ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ The length of the interval during which the consecutive ++ authentication failures must happen for the user account ++ lock out is n seconds. ++ The default is 900 (15 minutes). ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ The access will be reenabled after ++ n seconds after the lock out. ++ The default is 600 (10 minutes). ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ Root account can become locked as well as regular accounts. ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ This option implies option. ++ Allow access after n seconds ++ to root account after the account is locked. In case the ++ option is not specified the value is the same as of the ++ option. ++ ++ ++ ++ ++ ++ ++ ++ MODULE TYPES PROVIDED ++ ++ The and module types are ++ provided. 
++ ++ ++ ++ ++ RETURN VALUES ++ ++ ++ PAM_AUTH_ERR ++ ++ ++ A invalid option was given, the module was not able ++ to retrieve the user name, no valid counter file ++ was found, or too many failed logins. ++ ++ ++ ++ ++ PAM_SUCCESS ++ ++ ++ Everything was successful. ++ ++ ++ ++ ++ PAM_IGNORE ++ ++ ++ User not present in passwd database. ++ ++ ++ ++ ++ ++ ++ ++ NOTES ++ ++ pam_faillock setup in the PAM stack is different ++ from the pam_tally2 module setup. ++ ++ ++ There is no setuid wrapper for access to the data file such as when the ++ pam_faillock.so module is called from ++ a screensaver. As this would make it impossible to share PAM configuration ++ with such services the following workaround is used: If the data file ++ cannot be opened because of insufficient permissions ++ (EACCES) the module returns ++ PAM_SUCCESS. ++ ++ ++ Note that using the module in without the ++ option or with requisite ++ control field leaks an information about existence or ++ non-existence of an user account in the system because ++ the failures are not recorded for the unknown users. The message ++ about the user account being locked is never displayed for nonexisting ++ user accounts allowing the adversary to infer that a particular account ++ is not existing on a system. ++ ++ ++ ++ ++ EXAMPLES ++ ++ Here are two possible configuration examples for /etc/pam.d/login. ++ They make pam_faillock to lock the account after 4 consecutive ++ failed logins during the default interval of 15 minutes. Root account will be locked ++ as well. The accounts will be automatically unlocked after 20 minutes. ++ ++ ++ In the first example the module is called only in the auth ++ phase and the module does not print any information about the account blocking ++ by pam_faillock. The preauth call can ++ be added to tell the user that his login is blocked by the module and also to abort ++ the authentication without even asking for password in such case. 
++ ++ ++auth required pam_securetty.so ++auth required pam_env.so ++auth required pam_nologin.so ++# optionally call: auth requisite pam_faillock.so preauth deny=4 even_deny_root unlock_time=1200 ++# to display the message about account being locked ++auth [success=1 default=bad] pam_unix.so ++auth [default=die] pam_faillock.so authfail deny=4 even_deny_root unlock_time=1200 ++auth sufficient pam_faillock.so authsucc deny=4 even_deny_root unlock_time=1200 ++auth required pam_deny.so ++account required pam_unix.so ++password required pam_unix.so shadow ++session required pam_selinux.so close ++session required pam_loginuid.so ++session required pam_unix.so ++session required pam_selinux.so open ++ ++ ++ In the second example the module is called both in the auth ++ and account phases and the module gives the authenticating ++ user message when the account is locked ++ ++ ++auth required pam_securetty.so ++auth required pam_env.so ++auth required pam_nologin.so ++auth required pam_faillock.so preauth silent deny=4 even_deny_root unlock_time=1200 ++# optionally use requisite above if you do not want to prompt for the password ++# on locked accounts, possibly with removing the silent option as well ++auth sufficient pam_unix.so ++auth [default=die] pam_faillock.so authfail deny=4 even_deny_root unlock_time=1200 ++auth required pam_deny.so ++account required pam_faillock.so ++# if you drop the above call to pam_faillock.so the lock will be done also ++# on non-consecutive authentication failures ++account required pam_unix.so ++password required pam_unix.so shadow ++session required pam_selinux.so close ++session required pam_loginuid.so ++session required pam_unix.so ++session required pam_selinux.so open ++ ++ ++ ++ ++ FILES ++ ++ ++ /var/run/faillock/* ++ ++ the files logging the authentication failures for users ++ ++ ++ ++ ++ ++ ++ SEE ALSO ++ ++ ++ faillock8 ++ , ++ ++ pam.conf5 ++ , ++ ++ pam.d5 ++ , ++ ++ pam8 ++ ++ ++ ++ ++ ++ AUTHOR ++ ++ pam_faillock was 
written by Tomas Mraz. ++ ++ ++ ++ +diff -up Linux-PAM-1.1.1/modules/pam_faillock/README.xml.faillock Linux-PAM-1.1.1/modules/pam_faillock/README.xml +--- Linux-PAM-1.1.1/modules/pam_faillock/README.xml.faillock 2010-09-17 15:58:41.000000000 +0200 ++++ Linux-PAM-1.1.1/modules/pam_faillock/README.xml 2010-09-17 15:58:41.000000000 +0200 +@@ -0,0 +1,46 @@ ++ ++ ++--> ++]> ++ ++
++ ++ ++ ++ ++ <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" ++ href="pam_faillock.8.xml" xpointer='xpointer(//refnamediv[@id = "pam_faillock-name"]/*)'/> ++ ++ ++ ++ ++
++ ++
++ ++
++ ++
++ ++
++ ++
++ ++
++ ++
++ ++
++ ++
++ ++
+diff -up Linux-PAM-1.1.1/modules/pam_faillock/tst-pam_faillock.faillock Linux-PAM-1.1.1/modules/pam_faillock/tst-pam_faillock
+--- Linux-PAM-1.1.1/modules/pam_faillock/tst-pam_faillock.faillock 2010-09-17 15:58:41.000000000 +0200
++++ Linux-PAM-1.1.1/modules/pam_faillock/tst-pam_faillock 2010-09-17 15:58:41.000000000 +0200
+@@ -0,0 +1,2 @@
++#!/bin/sh
++../../tests/tst-dlopen .libs/pam_faillock.so
diff --git a/SOURCES/pam-1.1.3-faillock-screensaver.patch
new file mode 100644
index 0000000..249d285
--- /dev/null
+++ b/SOURCES/pam-1.1.3-faillock-screensaver.patch
@@ -0,0 +1,167 @@ +diff -up Linux-PAM-1.1.3/modules/pam_faillock/faillock.c.screensaver Linux-PAM-1.1.3/modules/pam_faillock/faillock.c +--- Linux-PAM-1.1.3/modules/pam_faillock/faillock.c.screensaver 2010-11-10 11:46:07.000000000 +0100 ++++ Linux-PAM-1.1.3/modules/pam_faillock/faillock.c 2010-11-10 11:46:07.000000000 +0100 +@@ -41,13 +41,14 @@ + #include + #include + #include ++#include + #include + #include + + #include "faillock.h" + + int +-open_tally (const char *dir, const char *user, int create) ++open_tally (const char *dir, const char *user, uid_t uid, int create) + { + char *path; + int flags = O_RDWR; +@@ -69,8 +70,18 @@ open_tally (const char *dir, const char + + fd = open(path, flags, 0600); + +- if (fd != -1) ++ free(path); ++ ++ if (fd != -1) { ++ struct stat st; ++ + while (flock(fd, LOCK_EX) == -1 && errno == EINTR); ++ if (fstat(fd, &st) == 0) { ++ if (st.st_uid != uid) { ++ fchown(fd, uid, -1); ++ } ++ } ++ } + + return fd; + } +diff -up Linux-PAM-1.1.3/modules/pam_faillock/faillock.h.screensaver Linux-PAM-1.1.3/modules/pam_faillock/faillock.h +--- Linux-PAM-1.1.3/modules/pam_faillock/faillock.h.screensaver 2010-11-10 11:46:07.000000000 +0100 ++++ Linux-PAM-1.1.3/modules/pam_faillock/faillock.h 2010-11-10 11:46:07.000000000 +0100 +@@ -45,6 +45,7 @@ + #define _FAILLOCK_H + + #include ++#include + + #define TALLY_STATUS_VALID 0x1 /* the tally file entry is valid */ + #define TALLY_STATUS_RHOST 0x2 /* the source is rhost */ +@@ -65,7 +66,7 @@ struct tally_data { + + #define FAILLOCK_DEFAULT_TALLYDIR "/var/run/faillock" + +-int open_tally(const char *dir, const char *user, int create); ++int open_tally(const char *dir, const char *user, uid_t uid, int create); + int read_tally(int fd, struct tally_data *tallies); + int update_tally(int fd, struct tally_data *tallies); + #endif +diff -up Linux-PAM-1.1.3/modules/pam_faillock/main.c.screensaver Linux-PAM-1.1.3/modules/pam_faillock/main.c +--- Linux-PAM-1.1.3/modules/pam_faillock/main.c.screensaver 
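Review bot: The `fchown(fd, uid, -1)` added in the new `fd != -1` block of open_tally discards its result, so when the ownership change fails the tally file is silently left owned by whoever created it and the caller carries on as if the screensaver fix had applied; check it and report through whatever logging this file already uses (open_tally has no pam_handle_t, so pam_syslog is not available here), e.g. `if (fchown(fd, uid, -1) == -1) { /* report: tally for <user> keeps wrong owner */ }`. Handing each tally file to the account it tracks also means that account can truncate or rewrite its own failure record from any session it already holds; the pam_faillock.8.xml hunk at the end of this patch states the new ownership but not that consequence, and administrators weighing the screensaver convenience against it deserve a sentence there. The earlier lines of open_tally (path construction, the create handling) sit above this hunk.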
2010-11-10 11:46:07.000000000 +0100 ++++ Linux-PAM-1.1.3/modules/pam_faillock/main.c 2010-11-10 11:46:07.000000000 +0100 +@@ -106,8 +106,11 @@ do_user(struct options *opts, const char + int fd; + int rv; + struct tally_data tallies; ++ struct passwd *pwd; + +- fd = open_tally(opts->dir, user, 0); ++ pwd = getpwnam(user); ++ ++ fd = open_tally(opts->dir, user, pwd != NULL ? pwd->pw_uid : 0, 0); + + if (fd == -1) { + if (errno == ENOENT) { +@@ -134,9 +137,8 @@ do_user(struct options *opts, const char + #ifdef HAVE_LIBAUDIT + } + if ((audit_fd=audit_open()) >= 0) { +- struct passwd *pwd; + +- if ((pwd=getpwnam(user)) != NULL) { ++ if (pwd != NULL) { + snprintf(buf, sizeof(buf), "faillock reset uid=%u", + pwd->pw_uid); + audit_log_user_message(audit_fd, AUDIT_USER_ACCT, +diff -up Linux-PAM-1.1.3/modules/pam_faillock/pam_faillock.c.screensaver Linux-PAM-1.1.3/modules/pam_faillock/pam_faillock.c +--- Linux-PAM-1.1.3/modules/pam_faillock/pam_faillock.c.screensaver 2010-11-10 11:46:07.000000000 +0100 ++++ Linux-PAM-1.1.3/modules/pam_faillock/pam_faillock.c 2010-11-10 11:46:07.000000000 +0100 +@@ -213,7 +213,7 @@ check_tally(pam_handle_t *pamh, struct o + + opts->now = time(NULL); + +- tfd = open_tally(opts->dir, opts->user, 0); ++ tfd = open_tally(opts->dir, opts->user, opts->uid, 0); + + *fd = tfd; + +@@ -289,9 +289,14 @@ reset_tally(pam_handle_t *pamh, struct o + { + int rv; + +- while ((rv=ftruncate(*fd, 0)) == -1 && errno == EINTR); +- if (rv == -1) { +- pam_syslog(pamh, LOG_ERR, "Error clearing the tally file for %s: %m", opts->user); ++ if (*fd == -1) { ++ *fd = open_tally(opts->dir, opts->user, opts->uid, 1); ++ } ++ else { ++ while ((rv=ftruncate(*fd, 0)) == -1 && errno == EINTR); ++ if (rv == -1) { ++ pam_syslog(pamh, LOG_ERR, "Error clearing the tally file for %s: %m", opts->user); ++ } + } + } + +@@ -306,7 +311,7 @@ write_tally(pam_handle_t *pamh, struct o + const void *source = NULL; + + if (*fd == -1) { +- *fd = open_tally(opts->dir, opts->user, 1); ++ *fd = 
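Review bot: In reset_tally's new `*fd == -1` branch the value returned by `open_tally(opts->dir, opts->user, opts->uid, 1)` is stored and never examined, so an open failure other than the expected EACCES (unwritable or missing tally directory, ENOSPC) vanishes without a log line, whereas the sibling ftruncate branch and write_tally both report such errors; add `if (*fd == -1 && errno != EACCES) pam_syslog(pamh, LOG_ERR, "Error opening the tally file for %s: %m", opts->user);` right after the call. With create=1 here, every successful authentication now creates an empty per-user file in the tally directory even for users who never failed; that is presumably intended so the user-owned file exists before a screensaver needs it, and a one-line comment saying so would keep a later reader from "simplifying" it away. The pam_sm_acct_mgmt hunk below now calls reset_tally unconditionally and so depends on this branch.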
open_tally(opts->dir, opts->user, opts->uid, 1); + } + if (*fd == -1) { + if (errno == EACCES) { +@@ -463,7 +468,7 @@ pam_sm_authenticate(pam_handle_t *pamh, + + case FAILLOCK_ACTION_AUTHSUCC: + rv = check_tally(pamh, &opts, &tallies, &fd); +- if (rv == PAM_SUCCESS && fd != -1) { ++ if (rv == PAM_SUCCESS) { + reset_tally(pamh, &opts, &fd); + } + break; +@@ -511,10 +516,8 @@ pam_sm_acct_mgmt(pam_handle_t *pamh, int + return rv; + } + +- check_tally(pamh, &opts, &tallies, &fd); +- if (fd != -1) { +- reset_tally(pamh, &opts, &fd); +- } ++ check_tally(pamh, &opts, &tallies, &fd); /* for auditing */ ++ reset_tally(pamh, &opts, &fd); + + tally_cleanup(&tallies, fd); + +diff -up Linux-PAM-1.1.3/modules/pam_faillock/pam_faillock.8.xml.screensaver Linux-PAM-1.1.3/modules/pam_faillock/pam_faillock.8.xml +--- Linux-PAM-1.1.3/modules/pam_faillock/pam_faillock.8.xml.screensaver 2010-11-10 11:46:07.000000000 +0100 ++++ Linux-PAM-1.1.3/modules/pam_faillock/pam_faillock.8.xml 2010-11-10 11:47:14.000000000 +0100 +@@ -277,13 +277,9 @@ + from the pam_tally2 module setup. + + +- There is no setuid wrapper for access to the data file such as when the +- pam_faillock.so module is called from +- a screensaver. As this would make it impossible to share PAM configuration +- with such services the following workaround is used: If the data file +- cannot be opened because of insufficient permissions +- (EACCES) the module returns +- PAM_SUCCESS. ++ The individual files with the failure records are created as owned by ++ the user. This allows pam_faillock.so module ++ to work correctly when it is called from a screensaver. + + + Note that using the module in without the diff --git a/SOURCES/pam-1.1.3-nouserenv.patch b/SOURCES/pam-1.1.3-nouserenv.patch new file mode 100644 index 0000000..f3a742c --- /dev/null +++ b/SOURCES/pam-1.1.3-nouserenv.patch 
@@ -0,0 +1,27 @@ +diff -up pam/modules/pam_env/pam_env.c.nouserenv pam/modules/pam_env/pam_env.c +--- pam/modules/pam_env/pam_env.c.nouserenv 2010-10-20 09:59:30.000000000 +0200 ++++ pam/modules/pam_env/pam_env.c 2010-11-01 14:42:01.000000000 +0100 +@@ -10,7 +10,7 @@ + #define DEFAULT_READ_ENVFILE 1 + + #define DEFAULT_USER_ENVFILE ".pam_environment" +-#define DEFAULT_USER_READ_ENVFILE 1 ++#define DEFAULT_USER_READ_ENVFILE 0 + + #include "config.h" + +diff -up pam/modules/pam_env/pam_env.8.xml.nouserenv pam/modules/pam_env/pam_env.8.xml +--- pam/modules/pam_env/pam_env.8.xml.nouserenv 2010-10-20 09:59:30.000000000 +0200 ++++ pam/modules/pam_env/pam_env.8.xml 2010-11-01 14:42:01.000000000 +0100 +@@ -147,7 +147,10 @@ + + + Turns on or off the reading of the user specific environment +- file. 0 is off, 1 is on. By default this option is on. ++ file. 0 is off, 1 is on. By default this option is off as user ++ supplied environment variables in the PAM environment could affect ++ behavior of subsequent modules in the stack without the consent ++ of the system administrator. + + + diff --git a/SOURCES/pam-1.1.5-unix-no-fallback.patch b/SOURCES/pam-1.1.5-unix-no-fallback.patch new file mode 100644 index 0000000..7857196 --- /dev/null +++ b/SOURCES/pam-1.1.5-unix-no-fallback.patch 
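Review bot: The flipped default `#define DEFAULT_USER_READ_ENVFILE 0` carries no explanation in pam_env.c, so the next reader sees a bare constant that disagrees with upstream while the rationale lives only in the man-page hunk below; put it beside the define, e.g. `/* off by default: a user-writable .pam_environment can alter the environment seen by later modules in the stack */`. If pam_env.c also prints or documents its defaults elsewhere (usage text, README), that text needs the same update — not visible in this hunk.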
@@ -0,0 +1,69 @@ +diff -up Linux-PAM-1.1.5/modules/pam_unix/pam_unix.8.xml.no-fallback Linux-PAM-1.1.5/modules/pam_unix/pam_unix.8.xml +--- Linux-PAM-1.1.5/modules/pam_unix/pam_unix.8.xml.no-fallback 2011-06-21 11:04:56.000000000 +0200 ++++ Linux-PAM-1.1.5/modules/pam_unix/pam_unix.8.xml 2012-05-09 11:54:34.442036404 +0200 +@@ -265,11 +265,10 @@ + + + When a user changes their password next, +- encrypt it with the SHA256 algorithm. If the +- SHA256 algorithm is not known to the ++ encrypt it with the SHA256 algorithm. The ++ SHA256 algorithm must be supported by the + crypt3 +- function, +- fall back to MD5. ++ function. + + + +@@ -280,11 +279,10 @@ + + + When a user changes their password next, +- encrypt it with the SHA512 algorithm. If the +- SHA512 algorithm is not known to the ++ encrypt it with the SHA512 algorithm. The ++ SHA512 algorithm must be supported by the + crypt3 +- function, +- fall back to MD5. ++ function. + + + +@@ -295,11 +293,10 @@ + + + When a user changes their password next, +- encrypt it with the blowfish algorithm. If the +- blowfish algorithm is not known to the ++ encrypt it with the blowfish algorithm. The ++ blowfish algorithm must be supported by the + crypt3 +- function, +- fall back to MD5. ++ function. + + + +diff -up Linux-PAM-1.1.5/modules/pam_unix/passverify.c.no-fallback Linux-PAM-1.1.5/modules/pam_unix/passverify.c +--- Linux-PAM-1.1.5/modules/pam_unix/passverify.c.no-fallback 2012-05-09 11:48:12.409632377 +0200 ++++ Linux-PAM-1.1.5/modules/pam_unix/passverify.c 2012-05-09 11:48:36.953172291 +0200 +@@ -427,15 +427,14 @@ PAMH_ARG_DECL(char * create_password_has + if (!sp || strncmp(algoid, sp, strlen(algoid)) != 0) { + /* libxcrypt/libc doesn't know the algorithm, use MD5 */ + pam_syslog(pamh, LOG_ERR, +- "Algo %s not supported by the crypto backend, " +- "falling back to MD5\n", ++ "Algo %s not supported by the crypto backend.\n", + on(UNIX_BLOWFISH_PASS, ctrl) ? "blowfish" : + on(UNIX_SHA256_PASS, ctrl) ? 
"sha256" : + on(UNIX_SHA512_PASS, ctrl) ? "sha512" : algoid); + if(sp) { + memset(sp, '\0', strlen(sp)); + } +- return crypt_md5_wrapper(password); ++ return NULL; + } + + return x_strdup(sp); diff --git a/SOURCES/pam-1.1.6-limits-user.patch b/SOURCES/pam-1.1.6-limits-user.patch new file mode 100644 index 0000000..3c17b78 --- /dev/null +++ b/SOURCES/pam-1.1.6-limits-user.patch @@ -0,0 +1,20 @@ +diff -up Linux-PAM-1.1.6/modules/pam_limits/limits.conf.limits Linux-PAM-1.1.6/modules/pam_limits/limits.conf +--- Linux-PAM-1.1.6/modules/pam_limits/limits.conf.limits 2012-08-15 13:08:43.000000000 +0200 ++++ Linux-PAM-1.1.6/modules/pam_limits/limits.conf 2013-03-14 16:43:37.615087671 +0100 +@@ -1,5 +1,16 @@ + # /etc/security/limits.conf + # ++#This file sets the resource limits for the users logged in via PAM. ++#It does not affect resource limits of the system services. ++# ++#Also note that configuration files in /etc/security/limits.d directory, ++#which are read in alphabetical order, override the settings in this ++#file in case the domain is the same or more specific. ++#That means for example that setting a limit for wildcard domain here ++#can be overriden with a wildcard setting in a config file in the ++#subdirectory, but a user specific setting here can be overriden only ++#with a user specific setting in the subdirectory. ++# + #Each line describes a limit for a user in the form: + # + # diff --git a/SOURCES/pam-1.1.6-noflex.patch b/SOURCES/pam-1.1.6-noflex.patch new file mode 100644 index 0000000..6410a8d --- /dev/null +++ b/SOURCES/pam-1.1.6-noflex.patch 
@@ -0,0 +1,24 @@
+diff -up Linux-PAM-1.1.6/doc/Makefile.am.noflex Linux-PAM-1.1.6/doc/Makefile.am
+--- Linux-PAM-1.1.6/doc/Makefile.am.noflex 2012-08-15 13:08:43.000000000 +0200
++++ Linux-PAM-1.1.6/doc/Makefile.am 2012-08-17 14:13:11.904949748 +0200
+@@ -2,7 +2,7 @@
+ # Copyright (c) 2005, 2006 Thorsten Kukuk
+ #
+ 
+-SUBDIRS = man specs sag adg mwg
++SUBDIRS = man sag adg mwg
+ 
+ CLEANFILES = *~
+ 
+diff -up Linux-PAM-1.1.6/Makefile.am.noflex Linux-PAM-1.1.6/Makefile.am
+--- Linux-PAM-1.1.6/Makefile.am.noflex 2012-08-15 13:08:43.000000000 +0200
++++ Linux-PAM-1.1.6/Makefile.am 2012-08-17 14:15:36.705359892 +0200
+@@ -4,7 +4,7 @@
+ 
+ AUTOMAKE_OPTIONS = 1.9 gnu dist-bzip2 check-news
+ 
+-SUBDIRS = libpam tests libpamc libpam_misc modules po conf doc examples xtests
++SUBDIRS = libpam tests libpamc libpam_misc modules po doc examples xtests
+ 
+ CLEANFILES = *~
+ 
diff --git a/SOURCES/pam-1.1.6-std-noclose.patch
new file mode 100644
index 0000000..2c1331b
--- /dev/null
+++ b/SOURCES/pam-1.1.6-std-noclose.patch
@@ -0,0 +1,146 @@ +diff -up Linux-PAM-1.1.6/modules/pam_mkhomedir/pam_mkhomedir.c.std-noclose Linux-PAM-1.1.6/modules/pam_mkhomedir/pam_mkhomedir.c +--- Linux-PAM-1.1.6/modules/pam_mkhomedir/pam_mkhomedir.c.std-noclose 2012-08-15 13:08:43.000000000 +0200 ++++ Linux-PAM-1.1.6/modules/pam_mkhomedir/pam_mkhomedir.c 2013-04-24 13:11:14.768817086 +0200 +@@ -35,6 +35,7 @@ + #include + #include + #include ++#include + #include + #include + #include +@@ -133,13 +134,21 @@ create_homedir (pam_handle_t *pamh, opti + if (child == 0) { + int i; + struct rlimit rlim; ++ int dummyfds[2]; + static char *envp[] = { NULL }; + char *args[] = { NULL, NULL, NULL, NULL, NULL }; + ++ /* replace std file descriptors with a dummy pipe */ ++ if (pipe2(dummyfds, O_NONBLOCK) == 0) { ++ dup2(dummyfds[0], STDIN_FILENO); ++ dup2(dummyfds[1], STDOUT_FILENO); ++ dup2(dummyfds[1], STDERR_FILENO); ++ } ++ + if (getrlimit(RLIMIT_NOFILE, &rlim)==0) { + if (rlim.rlim_max >= MAX_FD_NO) + rlim.rlim_max = MAX_FD_NO; +- for (i=0; i < (int)rlim.rlim_max; i++) { ++ for (i = STDERR_FILENO + 1; i < (int)rlim.rlim_max; i++) { + close(i); + } + } +diff -up Linux-PAM-1.1.6/modules/pam_unix/pam_unix_acct.c.std-noclose Linux-PAM-1.1.6/modules/pam_unix/pam_unix_acct.c +--- Linux-PAM-1.1.6/modules/pam_unix/pam_unix_acct.c.std-noclose 2012-08-15 13:08:43.000000000 +0200 ++++ Linux-PAM-1.1.6/modules/pam_unix/pam_unix_acct.c 2013-04-24 13:12:17.105990961 +0200 +@@ -39,6 +39,7 @@ + #include + #include + #include ++#include + #include + #include + #include +@@ -100,21 +101,26 @@ int _unix_run_verify_binary(pam_handle_t + if (child == 0) { + int i=0; + struct rlimit rlim; ++ int dummyfds[2]; + static char *envp[] = { NULL }; + char *args[] = { NULL, NULL, NULL, NULL }; + + /* reopen stdout as pipe */ + dup2(fds[1], STDOUT_FILENO); + ++ /* replace std file descriptors with a dummy pipe */ ++ if (pipe2(dummyfds, O_NONBLOCK) == 0) { ++ dup2(dummyfds[0], STDIN_FILENO); ++ dup2(dummyfds[1], STDERR_FILENO); ++ } ++ + /* XXX - 
should really tidy up PAM here too */ + + if (getrlimit(RLIMIT_NOFILE,&rlim)==0) { + if (rlim.rlim_max >= MAX_FD_NO) + rlim.rlim_max = MAX_FD_NO; +- for (i=0; i < (int)rlim.rlim_max; i++) { +- if (i != STDOUT_FILENO) { +- close(i); +- } ++ for (i = STDERR_FILENO + 1; i < (int)rlim.rlim_max; i++) { ++ close(i); + } + } + +diff -up Linux-PAM-1.1.6/modules/pam_unix/pam_unix_passwd.c.std-noclose Linux-PAM-1.1.6/modules/pam_unix/pam_unix_passwd.c +--- Linux-PAM-1.1.6/modules/pam_unix/pam_unix_passwd.c.std-noclose 2012-08-15 13:08:43.000000000 +0200 ++++ Linux-PAM-1.1.6/modules/pam_unix/pam_unix_passwd.c 2013-04-23 17:13:49.047499806 +0200 +@@ -202,6 +202,7 @@ static int _unix_run_update_binary(pam_h + if (child == 0) { + int i=0; + struct rlimit rlim; ++ int dummyfds[2]; + static char *envp[] = { NULL }; + char *args[] = { NULL, NULL, NULL, NULL, NULL, NULL }; + char buffer[16]; +@@ -211,11 +212,17 @@ static int _unix_run_update_binary(pam_h + /* reopen stdin as pipe */ + dup2(fds[0], STDIN_FILENO); + ++ /* replace std file descriptors with a dummy pipe */ ++ if (pipe2(dummyfds, O_NONBLOCK) == 0) { ++ dup2(dummyfds[1], STDOUT_FILENO); ++ dup2(dummyfds[1], STDERR_FILENO); ++ } ++ + if (getrlimit(RLIMIT_NOFILE,&rlim)==0) { + if (rlim.rlim_max >= MAX_FD_NO) + rlim.rlim_max = MAX_FD_NO; +- for (i=0; i < (int)rlim.rlim_max; i++) { +- if (i != STDIN_FILENO) ++ for (i = STDERR_FILENO + 1; i < (int)rlim.rlim_max; i++) { ++ if (i != dummyfds[0]) + close(i); + } + } +diff -up Linux-PAM-1.1.6/modules/pam_unix/support.c.std-noclose Linux-PAM-1.1.6/modules/pam_unix/support.c +--- Linux-PAM-1.1.6/modules/pam_unix/support.c.std-noclose 2012-08-15 13:08:43.000000000 +0200 ++++ Linux-PAM-1.1.6/modules/pam_unix/support.c 2013-04-24 13:12:42.893064361 +0200 +@@ -5,6 +5,7 @@ + #include "config.h" + + #include ++#include + #include + #include + #include +@@ -462,6 +463,7 @@ static int _unix_run_helper_binary(pam_h + if (child == 0) { + int i=0; + struct rlimit rlim; ++ int dummyfds[2]; + 
static char *envp[] = { NULL }; + char *args[] = { NULL, NULL, NULL, NULL }; + +@@ -470,11 +472,17 @@ static int _unix_run_helper_binary(pam_h + /* reopen stdin as pipe */ + dup2(fds[0], STDIN_FILENO); + ++ /* replace std file descriptors with a dummy pipe */ ++ if (pipe2(dummyfds, O_NONBLOCK) == 0) { ++ dup2(dummyfds[1], STDOUT_FILENO); ++ dup2(dummyfds[1], STDERR_FILENO); ++ } ++ + if (getrlimit(RLIMIT_NOFILE,&rlim)==0) { + if (rlim.rlim_max >= MAX_FD_NO) + rlim.rlim_max = MAX_FD_NO; +- for (i=0; i < (int)rlim.rlim_max; i++) { +- if (i != STDIN_FILENO) ++ for (i = STDERR_FILENO + 1; i < (int)rlim.rlim_max; i++) { ++ if (i != dummyfds[0]) + close(i); + } + } diff --git a/SOURCES/pam-1.1.6-use-links.patch b/SOURCES/pam-1.1.6-use-links.patch new file mode 100644 index 0000000..2c56c6f --- /dev/null +++ b/SOURCES/pam-1.1.6-use-links.patch @@ -0,0 +1,15 @@ +diff -up Linux-PAM-1.1.6/configure.in.links Linux-PAM-1.1.6/configure.in +--- Linux-PAM-1.1.6/configure.in.links 2013-04-24 13:13:36.000000000 +0200 ++++ Linux-PAM-1.1.6/configure.in 2013-08-07 14:08:03.818055990 +0200 +@@ -548,9 +548,9 @@ JH_CHECK_XML_CATALOG([-//OASIS//DTD DocB + JH_CHECK_XML_CATALOG([http://docbook.sourceforge.net/release/xsl/current/manpages/docbook.xsl], + [DocBook XSL Stylesheets], [], enable_docu=no) + +-AC_PATH_PROG([BROWSER], [w3m]) ++AC_PATH_PROG([BROWSER], [links]) + if test ! -z "$BROWSER"; then +- BROWSER="$BROWSER -T text/html -dump" ++ BROWSER="$BROWSER -no-numbering -no-references -dump" + else + enable_docu=no + fi diff --git a/SOURCES/pam-1.1.7-tty-audit-init.patch b/SOURCES/pam-1.1.7-tty-audit-init.patch new file mode 100644 index 0000000..5ddaebb --- /dev/null +++ b/SOURCES/pam-1.1.7-tty-audit-init.patch 
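Review bot: `dummyfds` is left uninitialized when `pipe2()` fails, yet the close loops in the pam_unix_passwd.c and support.c hunks compare every descriptor against `dummyfds[0]`, so on that path they read an indeterminate value and may leave an arbitrary inherited fd open; in the same failure case descriptors 0-2 are no longer closed at all (the loop now starts at `STDERR_FILENO + 1`), so the helper inherits whatever the calling application had on its standard descriptors, which in the pam_mkhomedir.c hunk used to be closed unconditionally. Initialize with `int dummyfds[2] = { -1, -1 };` and, when `pipe2()` fails, bind the standard descriptors to `/dev/null` so the helper never runs with them unbound or pointing at the parent's streams. The same fallback belongs in the pam_mkhomedir.c and pam_unix_acct.c hunks, which have no `!= dummyfds[0]` test but share the inherited-fd problem. All four child blocks sit in fork() children whose enclosing functions start and end outside the hunks.
```c
int dummyfds[2] = { -1, -1 };
/* … unchanged: envp/args declarations, dup2(fds[0], STDIN_FILENO) … */
/* replace std file descriptors with a dummy pipe */
if (pipe2(dummyfds, O_NONBLOCK) == 0) {
    dup2(dummyfds[1], STDOUT_FILENO);
    dup2(dummyfds[1], STDERR_FILENO);
} else {
    /* never run the helper with stdout/stderr unbound or inherited */
    int nullfd = open("/dev/null", O_RDWR);
    if (nullfd >= 0) {
        dup2(nullfd, STDOUT_FILENO);
        dup2(nullfd, STDERR_FILENO);
        if (nullfd > STDERR_FILENO)
            close(nullfd);
    }
}
/* … unchanged: getrlimit()/close loop … */
```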
@@ -0,0 +1,48 @@ +diff -up Linux-PAM-1.1.7/modules/pam_tty_audit/pam_tty_audit.c.tty-audit-init Linux-PAM-1.1.7/modules/pam_tty_audit/pam_tty_audit.c +--- Linux-PAM-1.1.7/modules/pam_tty_audit/pam_tty_audit.c.tty-audit-init 2013-08-28 10:53:40.000000000 +0200 ++++ Linux-PAM-1.1.7/modules/pam_tty_audit/pam_tty_audit.c 2013-10-04 14:51:19.944994905 +0200 +@@ -36,6 +36,7 @@ + USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH + DAMAGE. */ + ++#include "config.h" + #include + #include + #include +@@ -108,7 +109,7 @@ nl_recv (int fd, unsigned type, void *bu + struct msghdr msg; + struct nlmsghdr nlm; + struct iovec iov[2]; +- ssize_t res; ++ ssize_t res, resdiff; + + again: + iov[0].iov_base = &nlm; +@@ -160,12 +161,17 @@ nl_recv (int fd, unsigned type, void *bu + res = recvmsg (fd, &msg, 0); + if (res == -1) + return -1; +- if ((size_t)res != NLMSG_LENGTH (size) ++ resdiff = NLMSG_LENGTH(size) - (size_t)res; ++ if (resdiff < 0 + || nlm.nlmsg_type != type) + { + errno = EIO; + return -1; + } ++ else if (resdiff > 0) ++ { ++ memset((char *)buf + size - resdiff, 0, resdiff); ++ } + return 0; + } + +@@ -275,6 +281,8 @@ pam_sm_open_session (pam_handle_t *pamh, + return PAM_SESSION_ERR; + } + ++ memcpy(&new_status, old_status, sizeof(new_status)); ++ + new_status.enabled = (command == CMD_ENABLE ? 1 : 0); + #ifdef HAVE_STRUCT_AUDIT_TTY_STATUS_LOG_PASSWD + new_status.log_passwd = log_passwd; diff --git a/SOURCES/pam-1.1.8-access-update.patch b/SOURCES/pam-1.1.8-access-update.patch new file mode 100644 index 0000000..4a4b0a4 --- /dev/null +++ b/SOURCES/pam-1.1.8-access-update.patch 
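Review bot: In `nl_recv`, `resdiff = NLMSG_LENGTH(size) - (size_t)res` is evaluated in unsigned arithmetic before being stored in the signed `resdiff`, and nothing rejects a `res` shorter than the netlink header itself, so a short datagram (for example `res == 0`) gives `resdiff > size` and the new `memset((char *)buf + size - resdiff, 0, resdiff)` writes before the start of `buf`; `nlm.nlmsg_type` is also compared before it is known to have been filled. Add `if (res < (ssize_t)NLMSG_HDRLEN) { errno = EIO; return -1; }` directly after the `res == -1` check and compute the difference as `resdiff = (ssize_t)NLMSG_LENGTH(size) - res;`. Whether the kernel can deliver such a short message on this socket is not something the hunk shows, so treat this as defence in depth. The `memcpy(&new_status, old_status, sizeof(new_status))` hunk lies inside `pam_sm_open_session`, which starts and ends outside the patch.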
@@ -0,0 +1,392 @@ +diff -up Linux-PAM-1.1.8/modules/pam_access/access.conf.access-update Linux-PAM-1.1.8/modules/pam_access/access.conf +--- Linux-PAM-1.1.8/modules/pam_access/access.conf.access-update 2013-06-18 16:11:21.000000000 +0200 ++++ Linux-PAM-1.1.8/modules/pam_access/access.conf 2017-09-08 14:06:16.420102221 +0200 +@@ -18,7 +18,7 @@ + # pam_access with X applications that provide PAM_TTY values that are + # the display variable like "host:0".] + # +-# permission : users : origins ++# permission:users:origins + # + # The first field should be a "+" (access granted) or "-" (access denied) + # character. +@@ -79,44 +79,44 @@ + ############################################################################## + # + # User "root" should be allowed to get access via cron .. tty5 tty6. +-#+ : root : cron crond :0 tty1 tty2 tty3 tty4 tty5 tty6 ++#+:root:cron crond :0 tty1 tty2 tty3 tty4 tty5 tty6 + # + # User "root" should be allowed to get access from hosts with ip addresses. +-#+ : root : 192.168.200.1 192.168.200.4 192.168.200.9 +-#+ : root : 127.0.0.1 ++#+:root:192.168.200.1 192.168.200.4 192.168.200.9 ++#+:root:127.0.0.1 + # + # User "root" should get access from network 192.168.201. + # This term will be evaluated by string matching. + # comment: It might be better to use network/netmask instead. + # The same is 192.168.201.0/24 or 192.168.201.0/255.255.255.0 +-#+ : root : 192.168.201. ++#+:root:192.168.201. + # + # User "root" should be able to have access from domain. + # Uses string matching also. +-#+ : root : .foo.bar.org ++#+:root:.foo.bar.org + # + # User "root" should be denied to get access from all other sources. +-#- : root : ALL ++#-:root:ALL + # + # User "foo" and members of netgroup "nis_group" should be + # allowed to get access from all sources. + # This will only work if netgroup service is available. 
+-#+ : @nis_group foo : ALL ++#+:@nis_group foo:ALL + # + # User "john" should get access from ipv4 net/mask +-#+ : john : 127.0.0.0/24 ++#+:john:127.0.0.0/24 + # + # User "john" should get access from ipv4 as ipv6 net/mask +-#+ : john : ::ffff:127.0.0.0/127 ++#+:john:::ffff:127.0.0.0/127 + # + # User "john" should get access from ipv6 host address +-#+ : john : 2001:4ca0:0:101::1 ++#+:john:2001:4ca0:0:101::1 + # + # User "john" should get access from ipv6 host address (same as above) +-#+ : john : 2001:4ca0:0:101:0:0:0:1 ++#+:john:2001:4ca0:0:101:0:0:0:1 + # + # User "john" should get access from ipv6 net/mask +-#+ : john : 2001:4ca0:0:101::/64 ++#+:john:2001:4ca0:0:101::/64 + # + # All other users should be denied to get access from all sources. +-#- : ALL : ALL ++#-:ALL:ALL +diff -up Linux-PAM-1.1.8/modules/pam_access/access.conf.5.xml.access-update Linux-PAM-1.1.8/modules/pam_access/access.conf.5.xml +--- Linux-PAM-1.1.8/modules/pam_access/access.conf.5.xml.access-update 2013-06-18 16:11:21.000000000 +0200 ++++ Linux-PAM-1.1.8/modules/pam_access/access.conf.5.xml 2017-09-08 14:05:41.126320653 +0200 +@@ -21,8 +21,12 @@ + + The /etc/security/access.conf file specifies + (user/group, host), +- (user/group, network/netmask) or +- (user/group, tty) ++ (user/group, network/netmask), ++ (user/group, tty), ++ (user/group, ++ X-$DISPLAY-value), or ++ (user/group, ++ pam-service-name) + combinations for which a login will be either accepted or refused. + + +@@ -33,7 +37,14 @@ + combination, or, in case of non-networked logins, the first entry + that matches the + (user/group, tty) +- combination. The permissions field of that table entry determines ++ combination, or in the case of non-networked logins without a ++ tty, the first entry that matches the ++ (user/group, ++ X-$DISPLAY-value) or ++ (user/group, ++ pam-service-name/) ++ combination. The permissions field of that table entry ++ determines + whether the login will be accepted or refused. 
+ + +@@ -65,14 +76,27 @@ + + The third field, the origins + field, should be a list of one or more tty names (for non-networked +- logins), host names, domain names (begin with "."), host addresses, ++ logins), X $DISPLAY values or PAM service ++ names (for non-networked logins without a tty), host names, ++ domain names (begin with "."), host addresses, + internet network numbers (end with "."), internet network addresses + with network mask (where network mask can be a decimal number or an + internet address also), ALL (which always matches) +- or LOCAL. LOCAL +- keyword matches if and only if the PAM_RHOST is +- not set and <origin> field is thus set from +- PAM_TTY or PAM_SERVICE". ++ or LOCAL. The LOCAL ++ keyword matches if and only if ++ pam_get_item3, ++ when called with an item_type of ++ PAM_RHOST, returns NULL or an ++ empty string (and therefore the ++ origins field is compared against the ++ return value of ++ pam_get_item3 ++ called with an item_type of ++ PAM_TTY or, absent that, ++ PAM_SERVICE). ++ ++ ++ + If supported by the system you can use + @netgroupname in host or user patterns. The + @@netgroupname syntax is supported in the user +@@ -115,7 +139,7 @@ + tty1, ..., tty5, + tty6. + +- + : root : crond :0 tty1 tty2 tty3 tty4 tty5 tty6 ++ +:root:crond :0 tty1 tty2 tty3 tty4 tty5 tty6 + + + User root should be allowed to get access from +@@ -123,8 +147,8 @@ + connection have to be a IPv4 one, a IPv6 connection from a host with + one of this IPv4 addresses does work, too. + +- + : root : 192.168.200.1 192.168.200.4 192.168.200.9 +- + : root : 127.0.0.1 ++ +:root:192.168.200.1 192.168.200.4 192.168.200.9 ++ +:root:127.0.0.1 + + + User root should get access from network +@@ -134,44 +158,44 @@ + 192.168.201.0/24 or + 192.168.201.0/255.255.255.0. + +- + : root : 192.168.201. ++ +:root:192.168.201. + + + User root should be able to have access from hosts + foo1.bar.org and foo2.bar.org + (uses string matching also). 
+ +- + : root : foo1.bar.org foo2.bar.org ++ +:root:foo1.bar.org foo2.bar.org + + + User root should be able to have access from + domain foo.bar.org (uses string matching also). + +- + : root : .foo.bar.org ++ +:root:.foo.bar.org + + + User root should be denied to get access + from all other sources. + +- - : root : ALL ++ -:root:ALL + + + User foo and members of netgroup + admins should be allowed to get access + from all sources. This will only work if netgroup service is available. + +- + : @admins foo : ALL ++ +:@admins foo:ALL + + + User john and foo + should get access from IPv6 host address. + +- + : john foo : 2001:db8:0:101::1 ++ +:john foo:2001:db8:0:101::1 + + + User john should get access from IPv6 net/mask. + +- + : john : 2001:db8:0:101::/64 ++ +:john:2001:db8:0:101::/64 + + + Disallow console logins to all but the shutdown, sync and all +@@ -182,10 +206,22 @@ + + All other users should be denied to get access from all sources. + +- - : ALL : ALL ++ -:ALL:ALL + + + ++ ++ NOTES ++ ++ The default separators of list items in a field are space, ',', and tabulator ++ characters. Thus conveniently if spaces are put at the beginning and the end of ++ the fields they are ignored. However if the list separator is changed with the ++ listsep option, the spaces will become part of the actual ++ item and the line will be most probably ignored. For this reason, it is not ++ recommended to put spaces around the ':' characters. 
++ ++ ++ + + SEE ALSO + +diff -up Linux-PAM-1.1.8/modules/pam_access/Makefile.am.access-update Linux-PAM-1.1.8/modules/pam_access/Makefile.am +--- Linux-PAM-1.1.8/modules/pam_access/Makefile.am.access-update 2013-06-18 16:11:21.000000000 +0200 ++++ Linux-PAM-1.1.8/modules/pam_access/Makefile.am 2017-09-08 14:10:47.223163175 +0200 +@@ -15,7 +15,8 @@ securelibdir = $(SECUREDIR) + secureconfdir = $(SCONFIGDIR) + + AM_CFLAGS = -I$(top_srcdir)/libpam/include -I$(top_srcdir)/libpamc/include \ +- -DPAM_ACCESS_CONFIG=\"$(SCONFIGDIR)/access.conf\" $(NIS_CFLAGS) ++ -DPAM_ACCESS_CONFIG=\"$(SCONFIGDIR)/access.conf\" \ ++ -DACCESS_CONF_GLOB=\"$(SCONFIGDIR)/access.d/*.conf\" $(NIS_CFLAGS) + AM_LDFLAGS = -no-undefined -avoid-version -module + if HAVE_VERSIONING + AM_LDFLAGS += -Wl,--version-script=$(srcdir)/../modules.map +diff -up Linux-PAM-1.1.8/modules/pam_access/pam_access.c.access-update Linux-PAM-1.1.8/modules/pam_access/pam_access.c +--- Linux-PAM-1.1.8/modules/pam_access/pam_access.c.access-update 2013-06-18 16:11:21.000000000 +0200 ++++ Linux-PAM-1.1.8/modules/pam_access/pam_access.c 2017-09-08 14:03:45.620762824 +0200 +@@ -44,6 +44,7 @@ + #include + #include + #include ++#include + #ifdef HAVE_RPCSVC_YPCLNT_H + #include + #endif +@@ -90,6 +91,7 @@ + #define ALL 2 + #define YES 1 + #define NO 0 ++#define NOMATCH -1 + + /* + * A structure to bundle up all login-related information to keep the +@@ -412,13 +414,17 @@ login_access (pam_handle_t *pamh, struct + return NO; + } + #ifdef HAVE_LIBAUDIT +- if (!item->noaudit && line[0] == '-' && (match == YES || (match == ALL && +- nonall_match == YES))) { ++ if (!item->noaudit && (match == YES || (match == ALL && ++ nonall_match == YES)) && line[0] == '-') { + pam_modutil_audit_write(pamh, AUDIT_ANOM_LOGIN_LOCATION, + "pam_access", 0); + } + #endif +- return (match == NO || (line[0] == '+')); ++ if (match == NO) ++ return NOMATCH; ++ if (line[0] == '+') ++ return YES; ++ return NO; + } + + +@@ -524,7 +530,9 @@ user_match 
(pam_handle_t *pamh, char *to + /* Try to split on a pattern (@*[^@]+)(@+.*) */ + for (at = tok; *at == '@'; ++at); + +- if ((at = strchr(at, '@')) != NULL) { ++ if (tok[0] == '(' && tok[strlen(tok) - 1] == ')') { ++ return (group_match (pamh, tok, string, item->debug)); ++ } else if ((at = strchr(at, '@')) != NULL) { + /* split user@host pattern */ + if (item->hostname == NULL) + return NO; +@@ -549,9 +557,7 @@ user_match (pam_handle_t *pamh, char *to + hostname = item->hostname; + } + return (netgroup_match (pamh, tok + 1, hostname, string, item->debug)); +- } else if (tok[0] == '(' && tok[strlen(tok) - 1] == ')') +- return (group_match (pamh, tok, string, item->debug)); +- else if ((rv=string_match (pamh, tok, string, item->debug)) != NO) /* ALL or exact match */ ++ } else if ((rv=string_match (pamh, tok, string, item->debug)) != NO) /* ALL or exact match */ + return rv; + else if (item->only_new_group_syntax == NO && + pam_modutil_user_in_group_nam_nam (pamh, +@@ -573,7 +579,7 @@ group_match (pam_handle_t *pamh, const c + + if (debug) + pam_syslog (pamh, LOG_DEBUG, +- "group_match: grp=%s, user=%s", grptok, usr); ++ "group_match: grp=%s, user=%s", tok, usr); + + if (strlen(tok) < 3) + return NO; +@@ -808,6 +814,7 @@ pam_sm_authenticate (pam_handle_t *pamh, + const char *user=NULL; + const void *void_from=NULL; + const char *from; ++ const char const *default_config = PAM_ACCESS_CONFIG; + struct passwd *user_pw; + char hostname[MAXHOSTNAMELEN + 1]; + int rv; +@@ -829,7 +836,7 @@ pam_sm_authenticate (pam_handle_t *pamh, + */ + memset(&loginfo, '\0', sizeof(loginfo)); + loginfo.user = user_pw; +- loginfo.config_file = PAM_ACCESS_CONFIG; ++ loginfo.config_file = default_config; + + /* parse the argument list */ + +@@ -900,6 +907,26 @@ pam_sm_authenticate (pam_handle_t *pamh, + + rv = login_access(pamh, &loginfo); + ++ if (rv == NOMATCH && loginfo.config_file == default_config) { ++ glob_t globbuf; ++ int i, glob_rv; ++ ++ /* We do not manipulate locale as 
setlocale() is not ++ * thread safe. We could use uselocale() in future. ++ */ ++ glob_rv = glob(ACCESS_CONF_GLOB, GLOB_ERR, NULL, &globbuf); ++ if (!glob_rv) { ++ /* Parse the *.conf files. */ ++ for (i = 0; globbuf.gl_pathv[i] != NULL; i++) { ++ loginfo.config_file = globbuf.gl_pathv[i]; ++ rv = login_access(pamh, &loginfo); ++ if (rv != NOMATCH) ++ break; ++ } ++ globfree(&globbuf); ++ } ++ } ++ + if (loginfo.gai_rv == 0 && loginfo.res) + freeaddrinfo(loginfo.res); + +diff -up Linux-PAM-1.1.8/modules/pam_access/pam_access.8.xml.access-update Linux-PAM-1.1.8/modules/pam_access/pam_access.8.xml +--- Linux-PAM-1.1.8/modules/pam_access/pam_access.8.xml.access-update 2013-06-18 16:11:21.000000000 +0200 ++++ Linux-PAM-1.1.8/modules/pam_access/pam_access.8.xml 2017-09-08 14:04:25.365642960 +0200 +@@ -50,16 +50,25 @@ + The pam_access PAM module is mainly for access management. + It provides logdaemon style login access control based on login + names, host or domain names, internet addresses or network numbers, +- or on terminal line names in case of non-networked logins. ++ or on terminal line names, X $DISPLAY values, ++ or PAM service names in case of non-networked logins. + + + By default rules for access management are taken from config file + /etc/security/access.conf if you don't specify + another file. ++ Then individual *.conf files from the ++ /etc/security/access.d/ directory are read. ++ The files are parsed one after another in the order of the system locale. ++ The effect of the individual files is the same as if all the files were ++ concatenated together in the order of parsing. This means that once ++ a pattern is matched in some file no further files are parsed. ++ If a config file is explicitly specified with the ++ option the files in the above directory are not parsed. + + + If Linux PAM is compiled with audit support the module will report +- when it denies access based on origin (host or tty). 
++ when it denies access based on origin (host, tty, etc.). + + + diff --git a/SOURCES/pam-1.1.8-audit-grantor.patch b/SOURCES/pam-1.1.8-audit-grantor.patch new file mode 100644 index 0000000..451634b --- /dev/null +++ b/SOURCES/pam-1.1.8-audit-grantor.patch 
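Review bot: In the new `access.d` loop in `pam_sm_authenticate`, a `glob()` failure other than no-match (`GLOB_ABORTED` from an unreadable directory, which `GLOB_ERR` turns into an abort, or `GLOB_NOSPACE`) is silently swallowed: `rv` stays `NOMATCH`, no rule from the drop-in files is applied and nothing is logged, so a permission mistake on `/etc/security/access.d` quietly removes deny rules. At minimum log it, e.g. `else if (glob_rv != GLOB_NOMATCH) pam_syslog(pamh, LOG_ERR, "cannot read " ACCESS_CONF_GLOB);`, and consider setting `rv = NO` there so the module fails closed, assuming the code after the hunk maps `NO` to denial. The file order also depends on `strcoll()` in the caller's locale, as the comment concedes, so two services running in different locales can apply first-match precedence in different orders; sorting `gl_pathv` with `strcmp` (or `GLOB_NOSORT` plus `qsort`) would make it deterministic. `const char const *default_config` duplicates the qualifier — `const char *const default_config` is what is meant. The function continues past the hunk, where `rv` becomes the PAM result.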
@@ -0,0 +1,435 @@ +From 0d29e379601819c7f7ed8de18b54de803a9f4049 Mon Sep 17 00:00:00 2001 +From: Tomas Mraz +Date: Fri, 5 Sep 2014 09:09:37 +0200 +Subject: [PATCH] Add grantor field to audit records of libpam. + +The grantor field gives audit trail of PAM modules which granted access +for successful return from libpam calls. In case of failed return +the grantor field is set to '?'. +libpam/pam_account.c (pam_acct_mgmt): Remove _pam_auditlog() call. +libpam/pam_auth.c (pam_authenticate, pam_setcred): Likewise. +libpam/pam_password.c (pam_chauthtok): Likewise. +libpam/pam_session.c (pam_open_session, pam_close_session): Likewise. +libpam/pam_audit.c (_pam_audit_writelog): Add grantors parameter, +add grantor= field to the message if grantors is set. +(_pam_list_grantors): New function creating the string with grantors list. +(_pam_auditlog): Add struct handler pointer parameter, call _pam_list_grantors() +to list the grantors from the handler list. +(_pam_audit_end): Add NULL handler parameter to _pam_auditlog() call. +(pam_modutil_audit_write): Add NULL grantors parameter to _pam_audit_writelog(). +libpam/pam_dispatch.c (_pam_dispatch_aux): Set h->grantor where appropriate. +(_pam_clear_grantors): New function to clear grantor field of handler. +(_pam_dispatch): Call _pam_clear_grantors() before executing the stack. +Call _pam_auditlog() when appropriate. +libpam/pam_handlers.c (extract_modulename): Do not allow empty module name +or just "?" to avoid confusing audit trail. +(_pam_add_handler): Test for NULL return from extract_modulename(). +Clear grantor field of handler. +libpam/pam_private.h: Add grantor field to struct handler, add handler pointer +parameter to _pam_auditlog(). 
+--- + libpam/pam_account.c | 4 --- + libpam/pam_audit.c | 84 +++++++++++++++++++++++++++++++++++++++++++-------- + libpam/pam_auth.c | 8 ----- + libpam/pam_dispatch.c | 41 ++++++++++++++++++++----- + libpam/pam_handlers.c | 14 +++++++-- + libpam/pam_password.c | 4 --- + libpam/pam_private.h | 3 +- + libpam/pam_session.c | 7 ----- + 8 files changed, 119 insertions(+), 46 deletions(-) + +diff --git a/libpam/pam_account.c b/libpam/pam_account.c +index 572acc4..3a4fb1f 100644 +--- a/libpam/pam_account.c ++++ b/libpam/pam_account.c +@@ -19,9 +19,5 @@ int pam_acct_mgmt(pam_handle_t *pamh, int flags) + + retval = _pam_dispatch(pamh, flags, PAM_ACCOUNT); + +-#ifdef HAVE_LIBAUDIT +- retval = _pam_auditlog(pamh, PAM_ACCOUNT, retval, flags); +-#endif +- + return retval; + } +diff --git a/libpam/pam_audit.c b/libpam/pam_audit.c +index 531746a..24fb799 100644 +--- a/libpam/pam_audit.c ++++ b/libpam/pam_audit.c +@@ -6,12 +6,12 @@ + Authors: + Steve Grubb */ + +-#include +-#include + #include "pam_private.h" + #include "pam_modutil_private.h" + + #ifdef HAVE_LIBAUDIT ++#include ++#include + #include + #include + #include +@@ -25,17 +25,24 @@ + + static int + _pam_audit_writelog(pam_handle_t *pamh, int audit_fd, int type, +- const char *message, int retval) ++ const char *message, const char *grantors, int retval) + { + static int old_errno = -1; +- int rc; +- char buf[32]; ++ int rc = -ENOMEM; ++ char *buf; ++ const char *grantors_field = " grantors="; + +- snprintf(buf, sizeof(buf), "PAM:%s", message); ++ if (grantors == NULL) { ++ grantors = ""; ++ grantors_field = ""; ++ } + +- rc = audit_log_acct_message (audit_fd, type, NULL, buf, +- (retval != PAM_USER_UNKNOWN && pamh->user) ? pamh->user : "?", +- -1, pamh->rhost, NULL, pamh->tty, retval == PAM_SUCCESS ); ++ if (asprintf(&buf, "PAM:%s%s%s", message, grantors_field, grantors) >= 0) { ++ rc = audit_log_acct_message(audit_fd, type, NULL, buf, ++ (retval != PAM_USER_UNKNOWN && pamh->user) ? 
pamh->user : "?", ++ -1, pamh->rhost, NULL, pamh->tty, retval == PAM_SUCCESS); ++ free(buf); ++ } + + /* libaudit sets errno to his own negative error code. This can be + an official errno number, but must not. It can also be a audit +@@ -78,12 +85,54 @@ _pam_audit_open(pam_handle_t *pamh) + return audit_fd; + } + ++static int ++_pam_list_grantors(struct handler *hlist, int retval, char **list) ++{ ++ *list = NULL; ++ ++ if (retval == PAM_SUCCESS) { ++ struct handler *h; ++ char *p = NULL; ++ size_t len = 0; ++ ++ for (h = hlist; h != NULL; h = h->next) { ++ if (h->grantor) { ++ len += strlen(h->mod_name) + 1; ++ } ++ } ++ ++ if (len == 0) { ++ return 0; ++ } ++ ++ *list = malloc(len); ++ if (*list == NULL) { ++ return -1; ++ } ++ ++ for (h = hlist; h != NULL; h = h->next) { ++ if (h->grantor) { ++ if (p == NULL) { ++ p = *list; ++ } else { ++ p = stpcpy(p, ","); ++ } ++ ++ p = stpcpy(p, h->mod_name); ++ } ++ } ++ } ++ ++ return 0; ++} ++ + int +-_pam_auditlog(pam_handle_t *pamh, int action, int retval, int flags) ++_pam_auditlog(pam_handle_t *pamh, int action, int retval, int flags, struct handler *h) + { + const char *message; + int type; + int audit_fd; ++ char *grantors; + + if ((audit_fd=_pam_audit_open(pamh)) == -1) { + return PAM_SYSTEM_ERR; +@@ -134,8 +183,17 @@ _pam_auditlog(pam_handle_t *pamh, int action, int retval, int flags) + retval = PAM_SYSTEM_ERR; + } + +- if (_pam_audit_writelog(pamh, audit_fd, type, message, retval) < 0) ++ if (_pam_list_grantors(h, retval, &grantors) < 0) { ++ /* allocation failure */ ++ pam_syslog(pamh, LOG_CRIT, "_pam_list_grantors() failed: %m"); + retval = PAM_SYSTEM_ERR; ++ } ++ ++ if (_pam_audit_writelog(pamh, audit_fd, type, message, ++ grantors ? grantors : "?", retval) < 0) ++ retval = PAM_SYSTEM_ERR; ++ ++ free(grantors); + + audit_close(audit_fd); + return retval; +@@ -149,7 +207,7 @@ _pam_audit_end(pam_handle_t *pamh, int status UNUSED) + * stacks having been run. 
Assume that this is sshd faking + * things for an unknown user. + */ +- _pam_auditlog(pamh, _PAM_ACTION_DONE, PAM_USER_UNKNOWN, 0); ++ _pam_auditlog(pamh, _PAM_ACTION_DONE, PAM_USER_UNKNOWN, 0, NULL); + } + + return 0; +@@ -168,7 +226,7 @@ pam_modutil_audit_write(pam_handle_t *pamh, int type, + return retval; + } + +- rc = _pam_audit_writelog(pamh, audit_fd, type, message, retval); ++ rc = _pam_audit_writelog(pamh, audit_fd, type, message, NULL, retval); + + audit_close(audit_fd); + +diff --git a/libpam/pam_auth.c b/libpam/pam_auth.c +index 5984fa5..1e7bc6e 100644 +--- a/libpam/pam_auth.c ++++ b/libpam/pam_auth.c +@@ -45,10 +45,6 @@ int pam_authenticate(pam_handle_t *pamh, int flags) + prelude_send_alert(pamh, retval); + #endif + +-#ifdef HAVE_LIBAUDIT +- retval = _pam_auditlog(pamh, PAM_AUTHENTICATE, retval, flags); +-#endif +- + return retval; + } + +@@ -71,10 +67,6 @@ int pam_setcred(pam_handle_t *pamh, int flags) + + retval = _pam_dispatch(pamh, flags, PAM_SETCRED); + +-#ifdef HAVE_LIBAUDIT +- retval = _pam_auditlog(pamh, PAM_SETCRED, retval, flags); +-#endif +- + D(("pam_setcred exit")); + + return retval; +diff --git a/libpam/pam_dispatch.c b/libpam/pam_dispatch.c +index eb52c82..cf632e8 100644 +--- a/libpam/pam_dispatch.c ++++ b/libpam/pam_dispatch.c +@@ -217,8 +217,14 @@ static int _pam_dispatch_aux(pam_handle_t *pamh, int flags, struct handler *h, + status = retval; + } + } +- if ( impression == _PAM_POSITIVE && action == _PAM_ACTION_DONE ) { +- goto decision_made; ++ if ( impression == _PAM_POSITIVE ) { ++ if ( retval == PAM_SUCCESS ) { ++ h->grantor = 1; ++ } ++ ++ if ( action == _PAM_ACTION_DONE ) { ++ goto decision_made; ++ } + } + break; + +@@ -262,6 +268,9 @@ static int _pam_dispatch_aux(pam_handle_t *pamh, int flags, struct handler *h, + || (impression == _PAM_POSITIVE + && status == PAM_SUCCESS) ) { + if ( retval != PAM_IGNORE || cached_retval == retval ) { ++ if ( impression == _PAM_UNDEF && retval == PAM_SUCCESS ) { ++ h->grantor = 1; ++ } + 
impression = _PAM_POSITIVE; + status = retval; + } +@@ -308,6 +317,13 @@ decision_made: /* by getting here we have made a decision */ + return status; + } + ++static void _pam_clear_grantors(struct handler *h) ++{ ++ for (; h != NULL; h = h->next) { ++ h->grantor = 0; ++ } ++} ++ + /* + * This function translates the module dispatch request into a pointer + * to the stack of modules that will actually be run. the +@@ -318,21 +334,21 @@ decision_made: /* by getting here we have made a decision */ + int _pam_dispatch(pam_handle_t *pamh, int flags, int choice) + { + struct handler *h = NULL; +- int retval, use_cached_chain; ++ int retval = PAM_SYSTEM_ERR, use_cached_chain; + _pam_boolean resumed; + + IF_NO_PAMH("_pam_dispatch", pamh, PAM_SYSTEM_ERR); + + if (__PAM_FROM_MODULE(pamh)) { + D(("called from a module!?")); +- return PAM_SYSTEM_ERR; ++ goto end; + } + + /* Load all modules, resolve all symbols */ + + if ((retval = _pam_init_handlers(pamh)) != PAM_SUCCESS) { + pam_syslog(pamh, LOG_ERR, "unable to dispatch function"); +- return retval; ++ goto end; + } + + use_cached_chain = _PAM_PLEASE_FREEZE; +@@ -360,7 +376,8 @@ int _pam_dispatch(pam_handle_t *pamh, int flags, int choice) + break; + default: + pam_syslog(pamh, LOG_ERR, "undefined fn choice; %d", choice); +- return PAM_ABORT; ++ retval = PAM_ABORT; ++ goto end; + } + + if (h == NULL) { /* there was no handlers.conf... 
entry; will use +@@ -393,11 +410,13 @@ int _pam_dispatch(pam_handle_t *pamh, int flags, int choice) + pam_syslog(pamh, LOG_ERR, + "application failed to re-exec stack [%d:%d]", + pamh->former.choice, choice); +- return PAM_ABORT; ++ retval = PAM_ABORT; ++ goto end; + } + resumed = PAM_TRUE; + } else { + resumed = PAM_FALSE; ++ _pam_clear_grantors(h); + } + + __PAM_TO_MODULE(pamh); +@@ -417,5 +436,13 @@ int _pam_dispatch(pam_handle_t *pamh, int flags, int choice) + pamh->former.choice = PAM_NOT_STACKED; + } + ++end: ++ ++#ifdef HAVE_LIBAUDIT ++ if (choice != PAM_CHAUTHTOK || flags & PAM_UPDATE_AUTHTOK || retval != PAM_SUCCESS) { ++ retval = _pam_auditlog(pamh, choice, retval, flags, h); ++ } ++#endif ++ + return retval; + } +diff --git a/libpam/pam_handlers.c b/libpam/pam_handlers.c +index 02714f7..df3a1d9 100644 +--- a/libpam/pam_handlers.c ++++ b/libpam/pam_handlers.c +@@ -611,6 +611,12 @@ extract_modulename(const char *mod_path) + if (dot) + *dot = '\0'; + ++ if (*retval == '\0' || strcmp(retval, "?") == 0) { ++ /* do not allow empty module name or "?" 
to avoid confusing audit trail */ ++ _pam_drop(retval); ++ return NULL; ++ } ++ + return retval; + } + +@@ -888,7 +894,9 @@ int _pam_add_handler(pam_handle_t *pamh + (*handler_p)->cached_retval_p = &((*handler_p)->cached_retval); + (*handler_p)->argc = argc; + (*handler_p)->argv = argv; /* not a copy */ +- (*handler_p)->mod_name = extract_modulename(mod_path); ++ if (((*handler_p)->mod_name = extract_modulename(mod_path)) == NULL) ++ return PAM_ABORT; ++ (*handler_p)->grantor = 0; + (*handler_p)->next = NULL; + + /* some of the modules have a second calling function */ +@@ -920,7 +928,9 @@ int _pam_add_handler(pam_handle_t *pamh + } else { + (*handler_p2)->argv = NULL; /* no arguments */ + } +- (*handler_p2)->mod_name = extract_modulename(mod_path); ++ if (((*handler_p2)->mod_name = extract_modulename(mod_path)) == NULL) ++ return PAM_ABORT; ++ (*handler_p2)->grantor = 0; + (*handler_p2)->next = NULL; + } + +diff --git a/libpam/pam_password.c b/libpam/pam_password.c +index 75db5e5..592e01f 100644 +--- a/libpam/pam_password.c ++++ b/libpam/pam_password.c +@@ -57,9 +57,5 @@ int pam_chauthtok(pam_handle_t *pamh, int flags) + D(("will resume when ready", retval)); + } + +-#ifdef HAVE_LIBAUDIT +- retval = _pam_auditlog(pamh, PAM_CHAUTHTOK, retval, flags); +-#endif +- + return retval; + } +diff --git a/libpam/pam_private.h b/libpam/pam_private.h +index 134dc72..d93283c 100644 +--- a/libpam/pam_private.h ++++ b/libpam/pam_private.h +@@ -55,6 +55,7 @@ struct handler { + struct handler *next; + char *mod_name; + int stack_level; ++ int grantor; + }; + + #define PAM_HT_MODULE 0 +@@ -316,7 +317,7 @@ if ((pamh) == NULL) { \ + do { (pamh)->caller_is = _PAM_CALLED_FROM_APP; } while (0) + + #ifdef HAVE_LIBAUDIT +-extern int _pam_auditlog(pam_handle_t *pamh, int action, int retval, int flags); ++extern int _pam_auditlog(pam_handle_t *pamh, int action, int retval, int flags, struct handler *h); + extern int _pam_audit_end(pam_handle_t *pamh, int pam_status); + #endif + +diff --git 
a/libpam/pam_session.c b/libpam/pam_session.c +index 512153f..cb393c1 100644 +--- a/libpam/pam_session.c ++++ b/libpam/pam_session.c +@@ -22,9 +22,6 @@ int pam_open_session(pam_handle_t *pamh, int flags) + } + retval = _pam_dispatch(pamh, flags, PAM_OPEN_SESSION); + +-#ifdef HAVE_LIBAUDIT +- retval = _pam_auditlog(pamh, PAM_OPEN_SESSION, retval, flags); +-#endif + return retval; + } + +@@ -43,10 +40,6 @@ int pam_close_session(pam_handle_t *pamh, int flags) + + retval = _pam_dispatch(pamh, flags, PAM_CLOSE_SESSION); + +-#ifdef HAVE_LIBAUDIT +- retval = _pam_auditlog(pamh, PAM_CLOSE_SESSION, retval, flags); +-#endif +- + return retval; + + } +-- +1.8.3.1 + diff --git a/SOURCES/pam-1.1.8-audit-user-mgmt.patch b/SOURCES/pam-1.1.8-audit-user-mgmt.patch new file mode 100644 index 0000000..8459997 --- /dev/null +++ b/SOURCES/pam-1.1.8-audit-user-mgmt.patch 
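Review bot: The audit gate added at `end:` in `_pam_dispatch`, `if (choice != PAM_CHAUTHTOK || flags & PAM_UPDATE_AUTHTOK || retval != PAM_SUCCESS)`, mixes `&` and `||` without parentheses and carries no comment, so the reason a successful pam_chauthtok call can go unaudited is invisible at the one place that now emits every libpam audit record. Write it as `if (choice != PAM_CHAUTHTOK || (flags & PAM_UPDATE_AUTHTOK) || retval != PAM_SUCCESS)` and precede it with `/* a successful PAM_PRELIM_CHECK pass of pam_chauthtok is not audited; the PAM_UPDATE_AUTHTOK pass that follows produces the record */` — that is my reading of the intent and worth confirming. The two grantor-marking hunks in `_pam_dispatch_aux` also differ: the first marks any `PAM_SUCCESS` while the impression is positive, the second only when the impression was still `_PAM_UNDEF`, so a later success on that path is never named in `grantors=`; if that is deliberate a one-line comment should say so. Both hunks sit inside `_pam_dispatch_aux`, whose start and end are outside the patch.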
@@ -0,0 +1,47 @@ +diff -urp Linux-PAM-1.1.8.orig/modules/pam_faillock/main.c Linux-PAM-1.1.8/modules/pam_faillock/main.c +--- Linux-PAM-1.1.8.orig/modules/pam_faillock/main.c 2014-10-16 10:12:57.117554380 -0400 ++++ Linux-PAM-1.1.8/modules/pam_faillock/main.c 2014-10-16 10:38:00.199510093 -0400 +@@ -141,10 +141,8 @@ do_user(struct options *opts, const char + if ((audit_fd=audit_open()) >= 0) { + + if (pwd != NULL) { +- snprintf(buf, sizeof(buf), "faillock reset uid=%u", +- pwd->pw_uid); +- audit_log_user_message(audit_fd, AUDIT_USER_ACCT, +- buf, NULL, NULL, NULL, rv == 0); ++ audit_log_acct_message(audit_fd, AUDIT_USER_MGMT, NULL, ++ "faillock-reset", NULL, pwd->pw_uid, NULL, NULL, NULL, rv == 0); + } + close(audit_fd); + } +diff -urp Linux-PAM-1.1.8.orig/modules/pam_tally2/pam_tally2.c Linux-PAM-1.1.8/modules/pam_tally2/pam_tally2.c +--- Linux-PAM-1.1.8.orig/modules/pam_tally2/pam_tally2.c 2013-06-18 10:11:21.000000000 -0400 ++++ Linux-PAM-1.1.8/modules/pam_tally2/pam_tally2.c 2014-10-16 10:37:05.072511717 -0400 +@@ -997,9 +997,9 @@ main( int argc UNUSED, char **argv ) + #ifdef HAVE_LIBAUDIT + char buf[64]; + int audit_fd = audit_open(); +- snprintf(buf, sizeof(buf), "pam_tally2 uid=%u reset=%hu", uid, cline_reset); +- audit_log_user_message(audit_fd, AUDIT_USER_ACCT, +- buf, NULL, NULL, ttyname(STDIN_FILENO), 1); ++ snprintf(buf, sizeof(buf), "pam_tally2 reset=%hu", cline_reset); ++ audit_log_acct_message(audit_fd, AUDIT_USER_MGMT, NULL, ++ buf, NULL, uid, NULL, NULL, ttyname(STDIN_FILENO), 1); + if (audit_fd >=0) + close(audit_fd); + #endif +@@ -1040,11 +1040,10 @@ main( int argc UNUSED, char **argv ) + } + else if ( !cline_reset ) { + #ifdef HAVE_LIBAUDIT +- char buf[64]; + int audit_fd = audit_open(); +- snprintf(buf, sizeof(buf), "pam_tally2 uid=all reset=0"); +- audit_log_user_message(audit_fd, AUDIT_USER_ACCT, +- buf, NULL, NULL, ttyname(STDIN_FILENO), 1); ++ audit_log_acct_message(audit_fd, AUDIT_USER_MGMT, NULL, ++ "pam_tally2-reset-all-accts reset=0", 
"*", -1, ++ NULL, NULL, ttyname(STDIN_FILENO), 1); + if (audit_fd >=0) + close(audit_fd); + #endif diff --git a/SOURCES/pam-1.1.8-authtok-verified.patch b/SOURCES/pam-1.1.8-authtok-verified.patch new file mode 100644 index 0000000..a28e968 --- /dev/null +++ b/SOURCES/pam-1.1.8-authtok-verified.patch 
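Review bot: In both pam_tally2 hunks the audit record is sent before anything verifies that `audit_open()` returned a usable descriptor, and the result of `audit_log_acct_message()` is discarded, so a tally reset performed while the audit subsystem is unavailable leaves neither an event nor an error; only the `close()` is guarded by `audit_fd >= 0`. The pam_faillock hunk already does this properly with `if ((audit_fd=audit_open()) >= 0)`, and I would mirror it here and report a failed write, e.g. `if (audit_fd < 0 || audit_log_acct_message(audit_fd, AUDIT_USER_MGMT, NULL, buf, NULL, uid, NULL, NULL, ttyname(STDIN_FILENO), 1) <= 0) fprintf(stderr, "warning: audit record for the reset was not written\n");` (libaudit signals failure with a non-positive result, as far as I recall). An administrative reset of a lockout counter is exactly the event an auditor does not want to lose silently. The enclosing `main()` starts and ends outside the hunk.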
@@ -0,0 +1,73 @@ +diff --git a/libpam/pam_get_authtok.c b/libpam/pam_get_authtok.c +index 800c6e5..3cdec5e 100644 +--- a/libpam/pam_get_authtok.c ++++ b/libpam/pam_get_authtok.c +@@ -140,6 +140,8 @@ pam_get_authtok_internal (pam_handle_t *pamh, int item, + } + else if (chpass) + { ++ pamh->authtok_verified = 0; ++ + retval = pam_prompt (pamh, PAM_PROMPT_ECHO_OFF, &resp[0], + PROMPT1, authtok_type, + strlen (authtok_type) > 0?" ":""); +@@ -184,6 +186,9 @@ pam_get_authtok_internal (pam_handle_t *pamh, int item, + if (retval != PAM_SUCCESS) + return retval; + ++ if (chpass > 1) ++ pamh->authtok_verified = 1; ++ + return pam_get_item(pamh, item, (const void **)authtok); + } + +@@ -214,6 +219,9 @@ pam_get_authtok_verify (pam_handle_t *pamh, const char **authtok, + if (authtok == NULL || pamh->choice != PAM_CHAUTHTOK) + return PAM_SYSTEM_ERR; + ++ if (pamh->authtok_verified) ++ return pam_get_item (pamh, PAM_AUTHTOK, (const void **)authtok); ++ + if (prompt != NULL) + { + retval = pam_prompt (pamh, PAM_PROMPT_ECHO_OFF, &resp, +@@ -239,6 +247,7 @@ pam_get_authtok_verify (pam_handle_t *pamh, const char **authtok, + + if (strcmp (*authtok, resp) != 0) + { ++ pamh->authtok_verified = 0; + pam_set_item (pamh, PAM_AUTHTOK, NULL); + pam_error (pamh, MISTYPED_PASS); + _pam_overwrite (resp); +@@ -252,5 +261,7 @@ pam_get_authtok_verify (pam_handle_t *pamh, const char **authtok, + if (retval != PAM_SUCCESS) + return retval; + ++ pamh->authtok_verified = 1; ++ + return pam_get_item(pamh, PAM_AUTHTOK, (const void **)authtok); + } +diff --git a/libpam/pam_private.h b/libpam/pam_private.h +index 7ff9f75..58a26f5 100644 +--- a/libpam/pam_private.h ++++ b/libpam/pam_private.h +@@ -172,6 +172,7 @@ struct pam_handle { + #ifdef HAVE_LIBAUDIT + int audit_state; /* keep track of reported audit messages */ + #endif ++ int authtok_verified; + }; + + /* Values for select arg to _pam_dispatch() */ +diff --git a/libpam/pam_start.c b/libpam/pam_start.c +index 328416d..e27c64b 100644 +--- 
a/libpam/pam_start.c ++++ b/libpam/pam_start.c +@@ -94,6 +94,7 @@ int pam_start ( + #endif + (*pamh)->xdisplay = NULL; + (*pamh)->authtok_type = NULL; ++ (*pamh)->authtok_verified = 0; + memset (&((*pamh)->xauth), 0, sizeof ((*pamh)->xauth)); + + if (((*pamh)->pam_conversation = (struct pam_conv *) diff --git a/SOURCES/pam-1.1.8-canonicalize-username.patch b/SOURCES/pam-1.1.8-canonicalize-username.patch new file mode 100644 index 0000000..a3786be --- /dev/null +++ b/SOURCES/pam-1.1.8-canonicalize-username.patch @@ -0,0 +1,21 @@ +diff -up Linux-PAM-1.1.8/modules/pam_selinux/pam_selinux.c.canonicalize Linux-PAM-1.1.8/modules/pam_selinux/pam_selinux.c +--- Linux-PAM-1.1.8/modules/pam_selinux/pam_selinux.c.canonicalize 2013-06-18 16:11:21.000000000 +0200 ++++ Linux-PAM-1.1.8/modules/pam_selinux/pam_selinux.c 2014-03-06 12:03:54.429639972 +0100 +@@ -491,12 +491,17 @@ compute_exec_context(pam_handle_t *pamh, + char *level = NULL; + security_context_t *contextlist = NULL; + int num_contexts = 0; ++ const struct passwd *pwd; + + if (!(username = get_item(pamh, PAM_USER))) { + pam_syslog(pamh, LOG_ERR, "Cannot obtain the user name"); + return PAM_USER_UNKNOWN; + } + ++ if ((pwd = pam_modutil_getpwnam(pamh, username)) != NULL) { ++ username = pwd->pw_name; ++ } /* ignore error and keep using original username */ ++ + /* compute execute context */ + #ifdef HAVE_GETSEUSER + if (!(service = get_item(pamh, PAM_SERVICE))) { diff --git a/SOURCES/pam-1.1.8-cve-2013-7041.patch b/SOURCES/pam-1.1.8-cve-2013-7041.patch new file mode 100644 index 0000000..96fa916 --- /dev/null +++ b/SOURCES/pam-1.1.8-cve-2013-7041.patch 
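Review bot: The new `authtok_verified` flag is cleared only when pam_get_authtok_internal re-prompts (`else if (chpass)`) or when the verify prompt mismatches; nothing clears it when the PAM_AUTHTOK item is replaced by other means, so a module that calls `pam_set_item(pamh, PAM_AUTHTOK, ...)` after an earlier module's verified prompt leaves a stale `authtok_verified == 1`, and the early return added to pam_get_authtok_verify then hands back a token that was never confirmed. I would reset the flag wherever the item is stored — `pam_set_item` is outside this patch, but a one-liner on its PAM_AUTHTOK branch such as `pamh->authtok_verified = 0;` closes the gap — and record the invariant next to the new field in pam_private.h, e.g. `/* 1 only while PAM_AUTHTOK holds a token confirmed by a second prompt; must be cleared whenever the item is replaced */`. Whether any shipped password stack actually triggers this I cannot tell from the hunks, but the public API allows it.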
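Review bot: In compute_exec_context the fallback when `pam_modutil_getpwnam()` fails is silent: the SELinux execution context then keeps being derived from the raw PAM_USER string, which (unknown user, NSS backend unreachable) is precisely the case a defender wants to see in the log. Replacing the bare `/* ignore error and keep using original username */` with `else pam_syslog(pamh, LOG_NOTICE, "cannot canonicalize user name, using PAM_USER as given");` keeps the behaviour and makes it visible. Deliberately not echoing the name avoids putting an attacker-supplied string into syslog. The function begins outside the hunk, so I cannot see whether a later step already logs this.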
@@ -0,0 +1,52 @@
+From 57a1e2b274d0a6376d92ada9926e5c5741e7da20 Mon Sep 17 00:00:00 2001
+From: "Dmitry V. Levin"
+Date: Fri, 24 Jan 2014 22:18:32 +0000
+Subject: [PATCH] pam_userdb: fix password hash comparison
+
+Starting with commit Linux-PAM-0-77-28-g0b3e583 that introduced hashed
+passwords support in pam_userdb, hashes are compared case-insensitively.
+This bug leads to accepting hashes for completely different passwords in
+addition to those that should be accepted.
+
+Additionally, commit Linux-PAM-1_1_6-13-ge2a8187 that added support for
+modern password hashes with different lengths and settings, did not
+update the hash comparison accordingly, which leads to accepting
+computed hashes longer than stored hashes when the latter is a prefix
+of the former.
+
+* modules/pam_userdb/pam_userdb.c (user_lookup): Reject the computed
+hash whose length differs from the stored hash length.
+Compare computed and stored hashes case-sensitively.
+Fixes CVE-2013-7041.
+
+Bug-Debian: http://bugs.debian.org/731368
+---
+ modules/pam_userdb/pam_userdb.c | 9 ++++++---
+ 1 file changed, 6 insertions(+), 3 deletions(-)
+
+diff --git a/modules/pam_userdb/pam_userdb.c b/modules/pam_userdb/pam_userdb.c
+index de8b5b1..ff040e6 100644
+--- a/modules/pam_userdb/pam_userdb.c
++++ b/modules/pam_userdb/pam_userdb.c
+@@ -222,12 +222,15 @@ user_lookup (pam_handle_t *pamh, const char *database, const char *cryptmode,
+ } else {
+ cryptpw = crypt (pass, data.dptr);
+
+- if (cryptpw) {
+- compare = strncasecmp (data.dptr, cryptpw, data.dsize);
++ if (cryptpw && strlen(cryptpw) == (size_t)data.dsize) {
++ compare = memcmp(data.dptr, cryptpw, data.dsize);
+ } else {
+ compare = -2;
+ if (ctrl & PAM_DEBUG_ARG) {
+- pam_syslog(pamh, LOG_INFO, "crypt() returned NULL");
++ if (cryptpw)
++ pam_syslog(pamh, LOG_INFO, "lengths of computed and stored hashes differ");
++ else
++ pam_syslog(pamh, LOG_INFO, "crypt() returned NULL");
+ }
+ };
+
+--
+1.8.3.1
+
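Review bot: `memcmp()` on the new line returns at the first differing byte, so the time taken leaks how many leading bytes of the stored hash match the computed one; `pass` is attacker-controlled and the comparison follows a fixed-cost `crypt()`, so a remote timing measurement can in principle learn the stored hash prefix byte by byte. The new length check is right and should stay, but the comparison itself should be constant-time: a small helper that ORs the XOR of every byte pair, called as `compare = ct_memcmp(data.dptr, cryptpw, data.dsize);`, preserves the zero/non-zero result (assuming the caller only tests `compare` for zero, which the hunk does not show). `user_lookup()` begins and ends outside this hunk.
```c
/* Constant-time equality: non-zero iff the buffers differ; the time taken
 * does not depend on where (or whether) they differ. */
static int ct_memcmp(const void *a, const void *b, size_t n)
{
	const unsigned char *x = a, *y = b;
	unsigned char diff = 0;

	while (n--)
		diff |= *x++ ^ *y++;
	return diff;
}

/* … unchanged: crypt() call and length check … */
compare = ct_memcmp(data.dptr, cryptpw, data.dsize);
```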
diff --git a/SOURCES/pam-1.1.8-cve-2014-2583.patch b/SOURCES/pam-1.1.8-cve-2014-2583.patch
new file mode 100644
index 0000000..f2aa2de
--- /dev/null
+++ b/SOURCES/pam-1.1.8-cve-2014-2583.patch
@@ -0,0 +1,56 @@
+From 9dcead87e6d7f66d34e7a56d11a30daca367dffb Mon Sep 17 00:00:00 2001
+From: "Dmitry V. Levin"
+Date: Wed, 26 Mar 2014 22:17:23 +0000
+Subject: [PATCH] pam_timestamp: fix potential directory traversal issue
+ (ticket #27)
+
+pam_timestamp uses values of PAM_RUSER and PAM_TTY as components of
+the timestamp pathname it creates, so extra care should be taken to
+avoid potential directory traversal issues.
+
+* modules/pam_timestamp/pam_timestamp.c (check_tty): Treat
+"." and ".." tty values as invalid.
+(get_ruser): Treat "." and ".." ruser values, as well as any ruser
+value containing '/', as invalid.
+
+Fixes CVE-2014-2583.
+
+Reported-by: Sebastian Krahmer
+---
+ modules/pam_timestamp/pam_timestamp.c | 13 ++++++++++++-
+ 1 file changed, 12 insertions(+), 1 deletion(-)
+
+diff --git a/modules/pam_timestamp/pam_timestamp.c b/modules/pam_timestamp/pam_timestamp.c
+index 5193733..b3f08b1 100644
+--- a/modules/pam_timestamp/pam_timestamp.c
++++ b/modules/pam_timestamp/pam_timestamp.c
+@@ -158,7 +158,7 @@ check_tty(const char *tty)
+ tty = strrchr(tty, '/') + 1;
+ }
+ /* Make sure the tty wasn't actually a directory (no basename). */
+- if (strlen(tty) == 0) {
++ if (!strlen(tty) || !strcmp(tty, ".") || !strcmp(tty, "..")) {
+ return NULL;
+ }
+ return tty;
+@@ -243,6 +243,17 @@ get_ruser(pam_handle_t *pamh, char *ruserbuf, size_t ruserbuflen)
+ if (pwd != NULL) {
+ ruser = pwd->pw_name;
+ }
++ } else {
++ /*
++ * This ruser is used by format_timestamp_name as a component
++ * of constructed timestamp pathname, so ".", "..", and '/'
++ * are disallowed to avoid potential path traversal issues.
++ */
++ if (!strcmp(ruser, ".") ||
++ !strcmp(ruser, "..") ||
++ strchr(ruser, '/')) {
++ ruser = NULL;
++ }
+ }
+ if (ruser == NULL || strlen(ruser) >= ruserbuflen) {
+ *ruserbuf = '\0';
+--
+1.8.3.1
+
diff --git a/SOURCES/pam-1.1.8-cve-2015-3238.patch b/SOURCES/pam-1.1.8-cve-2015-3238.patch
new file mode 100644
index 0000000..24179d6
--- /dev/null
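Review bot: Both rejections in this patch fail closed silently: a PAM_RUSER such as `../../etc` just becomes `ruser = NULL` and falls into the `ruser == NULL` handling below, so an attempt to exercise the traversal this CVE fixes leaves nothing in the log for detection. In the get_ruser branch, where the handle is available, I would add `pam_syslog(pamh, LOG_WARNING, "ignoring PAM_RUSER containing path components");` before `ruser = NULL;`, deliberately without echoing the hostile value so the message cannot be used for log injection. check_tty has no `pamh` in its signature and cannot log on its own; its caller would have to. What happens after `*ruserbuf = '\0'` is outside the hunk.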
+++ b/SOURCES/pam-1.1.8-cve-2015-3238.patch 
@@ -0,0 +1,130 @@ +diff -up linux-pam/modules/pam_exec/pam_exec.c.password-limit linux-pam/modules/pam_exec/pam_exec.c +--- linux-pam/modules/pam_exec/pam_exec.c.password-limit 2014-08-26 14:02:19.000000000 +0200 ++++ linux-pam/modules/pam_exec/pam_exec.c 2015-06-11 16:10:13.938035623 +0200 +@@ -178,11 +178,11 @@ call_exec (const char *pam_type, pam_han + } + + pam_set_item (pamh, PAM_AUTHTOK, resp); +- authtok = strdupa (resp); ++ authtok = strndupa (resp, PAM_MAX_RESP_SIZE); + _pam_drop (resp); + } + else +- authtok = void_pass; ++ authtok = strndupa (void_pass, PAM_MAX_RESP_SIZE); + + if (pipe(fds) != 0) + { +diff -up linux-pam/modules/pam_exec/pam_exec.8.xml.password-limit linux-pam/modules/pam_exec/pam_exec.8.xml +--- linux-pam/modules/pam_exec/pam_exec.8.xml.password-limit 2013-09-11 13:59:00.072175034 +0200 ++++ linux-pam/modules/pam_exec/pam_exec.8.xml 2015-06-11 16:09:06.446512718 +0200 +@@ -106,7 +106,8 @@ + During authentication the calling command can read + the password from + stdin3 +- . ++ . Only first PAM_MAX_RESP_SIZE ++ bytes of a password are provided to the command. 
+ + + +diff -up linux-pam/modules/pam_unix/pam_unix_passwd.c.password-limit linux-pam/modules/pam_unix/pam_unix_passwd.c +--- linux-pam/modules/pam_unix/pam_unix_passwd.c.password-limit 2014-06-19 13:50:08.000000000 +0200 ++++ linux-pam/modules/pam_unix/pam_unix_passwd.c 2015-06-11 16:34:02.226260435 +0200 +@@ -240,15 +240,22 @@ static int _unix_run_update_binary(pam_h + /* wait for child */ + /* if the stored password is NULL */ + int rc=0; +- if (fromwhat) +- pam_modutil_write(fds[1], fromwhat, strlen(fromwhat)+1); +- else +- pam_modutil_write(fds[1], "", 1); +- if (towhat) { +- pam_modutil_write(fds[1], towhat, strlen(towhat)+1); ++ if (fromwhat) { ++ int len = strlen(fromwhat); ++ ++ if (len > PAM_MAX_RESP_SIZE) ++ len = PAM_MAX_RESP_SIZE; ++ pam_modutil_write(fds[1], fromwhat, len); + } +- else +- pam_modutil_write(fds[1], "", 1); ++ pam_modutil_write(fds[1], "", 1); ++ if (towhat) { ++ int len = strlen(towhat); ++ ++ if (len > PAM_MAX_RESP_SIZE) ++ len = PAM_MAX_RESP_SIZE; ++ pam_modutil_write(fds[1], towhat, len); ++ } ++ pam_modutil_write(fds[1], "", 1); + + close(fds[0]); /* close here to avoid possible SIGPIPE above */ + close(fds[1]); +diff -up linux-pam/modules/pam_unix/pam_unix.8.xml.password-limit linux-pam/modules/pam_unix/pam_unix.8.xml +--- linux-pam/modules/pam_unix/pam_unix.8.xml.password-limit 2015-06-11 15:46:55.000000000 +0200 ++++ linux-pam/modules/pam_unix/pam_unix.8.xml 2015-06-11 16:38:42.628587102 +0200 +@@ -80,6 +80,13 @@ + + + ++ The maximum length of a password supported by the pam_unix module ++ via the helper binary is PAM_MAX_RESP_SIZE ++ - currently 512 bytes. The rest of the password provided by the ++ conversation function to the module will be ignored. ++ ++ ++ + The password component of this module performs the task of updating + the user's password. 
The default encryption hash is taken from the + ENCRYPT_METHOD variable from +diff -up linux-pam/modules/pam_unix/passverify.c.password-limit linux-pam/modules/pam_unix/passverify.c +--- linux-pam/modules/pam_unix/passverify.c.password-limit 2015-04-07 10:23:50.000000000 +0200 ++++ linux-pam/modules/pam_unix/passverify.c 2015-06-15 10:53:32.903900010 +0200 +@@ -1115,12 +1115,15 @@ getuidname(uid_t uid) + int + read_passwords(int fd, int npass, char **passwords) + { ++ /* The passwords array must contain npass preallocated ++ * buffers of length MAXPASS + 1 ++ */ + int rbytes = 0; + int offset = 0; + int i = 0; + char *pptr; + while (npass > 0) { +- rbytes = read(fd, passwords[i]+offset, MAXPASS-offset); ++ rbytes = read(fd, passwords[i]+offset, MAXPASS+1-offset); + + if (rbytes < 0) { + if (errno == EINTR) continue; +diff -up linux-pam/modules/pam_unix/passverify.h.password-limit linux-pam/modules/pam_unix/passverify.h +--- linux-pam/modules/pam_unix/passverify.h.password-limit 2011-03-21 21:59:22.000000000 +0100 ++++ linux-pam/modules/pam_unix/passverify.h 2015-06-11 16:26:27.184994387 +0200 +@@ -8,7 +8,7 @@ + + #define PAM_UNIX_RUN_HELPER PAM_CRED_INSUFFICIENT + +-#define MAXPASS 200 /* the maximum length of a password */ ++#define MAXPASS PAM_MAX_RESP_SIZE /* the maximum length of a password */ + + #define OLD_PASSWORDS_FILE "/etc/security/opasswd" + +diff -up linux-pam/modules/pam_unix/support.c.password-limit linux-pam/modules/pam_unix/support.c +--- linux-pam/modules/pam_unix/support.c.password-limit 2014-01-27 18:08:28.000000000 +0100 ++++ linux-pam/modules/pam_unix/support.c 2015-06-11 16:30:35.452595477 +0200 +@@ -609,7 +609,12 @@ static int _unix_run_helper_binary(pam_h + /* if the stored password is NULL */ + int rc=0; + if (passwd != NULL) { /* send the password to the child */ +- if (write(fds[1], passwd, strlen(passwd)+1) == -1) { ++ int len = strlen(passwd); ++ ++ if (len > PAM_MAX_RESP_SIZE) ++ len = PAM_MAX_RESP_SIZE; ++ if (write(fds[1], passwd, 
len) == -1 || ++ write(fds[1], "", 1) == -1) { + pam_syslog (pamh, LOG_ERR, "Cannot send password to helper: %m"); + retval = PAM_AUTH_ERR; + } diff --git a/SOURCES/pam-1.1.8-faillock-admin-group.patch b/SOURCES/pam-1.1.8-faillock-admin-group.patch new file mode 100644 index 0000000..76be07a --- /dev/null +++ b/SOURCES/pam-1.1.8-faillock-admin-group.patch 
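Review bot: The new 512-byte cap applies only where pam_unix talks to its helper (`_unix_run_update_binary`, `_unix_run_helper_binary`, `read_passwords`), and the pam_unix.8.xml text says as much ("via the helper binary"); the in-process path taken when the module runs as root is outside these hunks and, as far as I can tell from that wording, still accepts the full string. If so, a password set longer than PAM_MAX_RESP_SIZE through the root path can never be verified through the helper path — the same user succeeds on one service and fails on another — which is confusing rather than dangerous, but worth closing by rejecting or truncating consistently in the password-change code too, or by stating the asymmetry explicitly in the man page. Separately, the pam_unix_passwd.c hunk ignores every `pam_modutil_write()` result while the parallel support.c hunk checks `write()` and logs `Cannot send password to helper: %m`; the two should match, e.g. `if (pam_modutil_write(fds[1], fromwhat, len) != len) pam_syslog(pamh, LOG_ERR, "Cannot send password to helper: %m");`. Both helper-launching functions begin before and end after their hunks.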
@@ -0,0 +1,151 @@ +diff -up Linux-PAM-1.1.8/modules/pam_faillock/pam_faillock.c.admin-group Linux-PAM-1.1.8/modules/pam_faillock/pam_faillock.c +--- Linux-PAM-1.1.8/modules/pam_faillock/pam_faillock.c.admin-group 2016-04-22 15:25:57.673445386 +0200 ++++ Linux-PAM-1.1.8/modules/pam_faillock/pam_faillock.c 2017-09-08 14:39:47.411306464 +0200 +@@ -1,5 +1,5 @@ + /* +- * Copyright (c) 2010 Tomas Mraz ++ * Copyright (c) 2010, 2017 Tomas Mraz + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions +@@ -78,9 +78,11 @@ struct options { + unsigned int root_unlock_time; + const char *dir; + const char *user; ++ const char *admin_group; + int failures; + uint64_t latest_time; + uid_t uid; ++ int is_admin; + uint64_t now; + }; + +@@ -152,6 +154,9 @@ args_parse(pam_handle_t *pamh, int argc, + opts->root_unlock_time = temp; + } + } ++ else if (strncmp(argv[i], "admin_group=", 12) == 0) { ++ opts->admin_group = argv[i] + 12; ++ } + else if (strcmp(argv[i], "preauth") == 0) { + opts->action = FAILLOCK_ACTION_PREAUTH; + } +@@ -209,6 +214,17 @@ static int get_pam_user(pam_handle_t *pa + } + opts->user = user; + opts->uid = pwd->pw_uid; ++ ++ if (pwd->pw_uid == 0) { ++ opts->is_admin = 1; ++ return PAM_SUCCESS; ++ } ++ ++ if (opts->admin_group && *opts->admin_group) { ++ opts->is_admin = pam_modutil_user_in_group_uid_nam(pamh, ++ pwd->pw_uid, opts->admin_group); ++ } ++ + return PAM_SUCCESS; + } + +@@ -239,7 +255,7 @@ check_tally(pam_handle_t *pamh, struct o + return PAM_SYSTEM_ERR; + } + +- if (opts->uid == 0 && !(opts->flags & FAILLOCK_FLAG_DENY_ROOT)) { ++ if (opts->is_admin && !(opts->flags & FAILLOCK_FLAG_DENY_ROOT)) { + return PAM_SUCCESS; + } + +@@ -262,17 +278,14 @@ check_tally(pam_handle_t *pamh, struct o + + opts->failures = failures; + +- if (opts->uid == 0 && !(opts->flags & FAILLOCK_FLAG_DENY_ROOT)) { +- return PAM_SUCCESS; +- } +- + if (opts->deny && failures >= opts->deny) { +- if 
((opts->uid && opts->unlock_time && latest_time + opts->unlock_time < opts->now) || +- (!opts->uid && opts->root_unlock_time && latest_time + opts->root_unlock_time < opts->now)) { ++ if ((!opts->is_admin && opts->unlock_time && latest_time + opts->unlock_time < opts->now) || ++ (opts->is_admin && opts->root_unlock_time && latest_time + opts->root_unlock_time < opts->now)) { + #ifdef HAVE_LIBAUDIT + if (opts->action != FAILLOCK_ACTION_PREAUTH) { /* do not audit in preauth */ + char buf[64]; + int audit_fd; ++ const void *rhost = NULL, *tty = NULL; + + audit_fd = audit_open(); + /* If there is an error & audit support is in the kernel report error */ +@@ -280,9 +293,11 @@ check_tally(pam_handle_t *pamh, struct o + errno == EAFNOSUPPORT)) + return PAM_SYSTEM_ERR; + ++ (void)pam_get_item(pamh, PAM_TTY, &tty); ++ (void)pam_get_item(pamh, PAM_RHOST, &rhost); + snprintf(buf, sizeof(buf), "pam_faillock uid=%u ", opts->uid); + audit_log_user_message(audit_fd, AUDIT_RESP_ACCT_UNLOCK_TIMED, buf, +- NULL, NULL, NULL, 1); ++ rhost, NULL, tty, 1); + } + #endif + opts->flags |= FAILLOCK_FLAG_UNLOCKED; +@@ -398,7 +413,7 @@ write_tally(pam_handle_t *pamh, struct o + audit_log_user_message(audit_fd, AUDIT_ANOM_LOGIN_FAILURES, buf, + NULL, NULL, NULL, 1); + +- if (opts->uid != 0 || (opts->flags & FAILLOCK_FLAG_DENY_ROOT)) { ++ if (!opts->is_admin || (opts->flags & FAILLOCK_FLAG_DENY_ROOT)) { + audit_log_user_message(audit_fd, AUDIT_RESP_ACCT_LOCK, buf, + NULL, NULL, NULL, 1); + } +@@ -422,11 +437,11 @@ faillock_message(pam_handle_t *pamh, str + int64_t left; + + if (!(opts->flags & FAILLOCK_FLAG_SILENT)) { +- if (opts->uid) { +- left = opts->latest_time + opts->unlock_time - opts->now; ++ if (opts->is_admin) { ++ left = opts->latest_time + opts->root_unlock_time - opts->now; + } + else { +- left = opts->latest_time + opts->root_unlock_time - opts->now; ++ left = opts->latest_time + opts->unlock_time - opts->now; + } + + if (left > 0) { +diff -up 
Linux-PAM-1.1.8/modules/pam_faillock/pam_faillock.8.xml.admin-group Linux-PAM-1.1.8/modules/pam_faillock/pam_faillock.8.xml +--- Linux-PAM-1.1.8/modules/pam_faillock/pam_faillock.8.xml.admin-group 2016-04-28 16:43:14.109794294 +0200 ++++ Linux-PAM-1.1.8/modules/pam_faillock/pam_faillock.8.xml 2017-09-08 14:37:33.535130222 +0200 +@@ -40,6 +40,9 @@ + root_unlock_time=n + + ++ admin_group=name ++ ++ + audit + + +@@ -242,6 +245,20 @@ + + + ++ ++ ++ ++ ++ ++ ++ If a group name is specified with this option, members ++ of the group will be handled by this module the same as ++ the root account (the options ++ and will apply to them. ++ By default the option is not set. ++ ++ ++ + + + diff --git a/SOURCES/pam-1.1.8-faillock-never.patch b/SOURCES/pam-1.1.8-faillock-never.patch new file mode 100644 index 0000000..be84329 --- /dev/null +++ b/SOURCES/pam-1.1.8-faillock-never.patch 
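Review bot: The man-page text added for `admin_group` says members are handled like root but does not spell out the consequence visible in the check_tally hunk: unless FAILLOCK_FLAG_DENY_ROOT is set (which I take to be the `even_deny_root` option), `is_admin` makes check_tally return PAM_SUCCESS before the tally is even read, so every member of the group is permanently exempt from lockout and therefore from this module's brute-force protection. I would add to the option description: `Note that without even_deny_root the members of this group are never locked out, so only name accounts that are otherwise protected against password guessing.` Also, `is_admin` is assigned only in the uid==0 and admin_group branches of get_pam_user; unless `opts` is zeroed before use (outside the hunk), it should be set to 0 explicitly at the top of that function so a non-admin user cannot inherit a stale value.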
@@ -0,0 +1,91 @@ +diff -up Linux-PAM-1.1.8/modules/pam_faillock/pam_faillock.c.never Linux-PAM-1.1.8/modules/pam_faillock/pam_faillock.c +--- Linux-PAM-1.1.8/modules/pam_faillock/pam_faillock.c.never 2016-03-03 10:01:15.000000000 +0100 ++++ Linux-PAM-1.1.8/modules/pam_faillock/pam_faillock.c 2016-04-22 14:31:34.239752334 +0200 +@@ -125,17 +125,26 @@ args_parse(pam_handle_t *pamh, int argc, + } + else if (strncmp(argv[i], "unlock_time=", 12) == 0) { + unsigned int temp; +- if (sscanf(argv[i]+12, "%u", &temp) != 1 || ++ ++ if (strcmp(argv[i]+12, "never") == 0) { ++ opts->unlock_time = 0; ++ } ++ else if (sscanf(argv[i]+12, "%u", &temp) != 1 || + temp > MAX_TIME_INTERVAL) { + pam_syslog(pamh, LOG_ERR, + "Bad number supplied for unlock_time argument"); +- } else { ++ } ++ else { + opts->unlock_time = temp; + } + } + else if (strncmp(argv[i], "root_unlock_time=", 17) == 0) { + unsigned int temp; +- if (sscanf(argv[i]+17, "%u", &temp) != 1 || ++ ++ if (strcmp(argv[i]+17, "never") == 0) { ++ opts->root_unlock_time = 0; ++ } ++ else if (sscanf(argv[i]+17, "%u", &temp) != 1 || + temp > MAX_TIME_INTERVAL) { + pam_syslog(pamh, LOG_ERR, + "Bad number supplied for root_unlock_time argument"); +@@ -258,8 +267,8 @@ check_tally(pam_handle_t *pamh, struct o + } + + if (opts->deny && failures >= opts->deny) { +- if ((opts->uid && latest_time + opts->unlock_time < opts->now) || +- (!opts->uid && latest_time + opts->root_unlock_time < opts->now)) { ++ if ((opts->uid && opts->unlock_time && latest_time + opts->unlock_time < opts->now) || ++ (!opts->uid && opts->root_unlock_time && latest_time + opts->root_unlock_time < opts->now)) { + #ifdef HAVE_LIBAUDIT + if (opts->action != FAILLOCK_ACTION_PREAUTH) { /* do not audit in preauth */ + char buf[64]; +@@ -420,11 +429,17 @@ faillock_message(pam_handle_t *pamh, str + left = opts->latest_time + opts->root_unlock_time - opts->now; + } + +- left /= 60; /* minutes */ ++ if (left > 0) { ++ left = (left + 59)/60; /* minutes */ + +- 
pam_info(pamh, _("Account temporarily locked due to %d failed logins"), +- opts->failures); +- pam_info(pamh, _("(%d minutes left to unlock)"), (int)left); ++ pam_info(pamh, _("Account temporarily locked due to %d failed logins"), ++ opts->failures); ++ pam_info(pamh, _("(%d minutes left to unlock)"), (int)left); ++ } ++ else { ++ pam_info(pamh, _("Account locked due to %d failed logins"), ++ opts->failures); ++ } + } + } + +diff -up Linux-PAM-1.1.8/modules/pam_faillock/pam_faillock.8.xml.never Linux-PAM-1.1.8/modules/pam_faillock/pam_faillock.8.xml +--- Linux-PAM-1.1.8/modules/pam_faillock/pam_faillock.8.xml.never 2016-04-22 15:25:57.000000000 +0200 ++++ Linux-PAM-1.1.8/modules/pam_faillock/pam_faillock.8.xml 2016-04-28 16:43:14.109794294 +0200 +@@ -201,6 +201,21 @@ + n seconds after the lock out. + The default is 600 (10 minutes). + ++ ++ If the n is set to never or 0 ++ the access will not be reenabled at all until administrator ++ explicitly reenables it with the faillock command. ++ Note though that the default directory that pam_faillock ++ uses is usually cleared on system boot so the access will be also reenabled ++ after system reboot. If that is undesirable a different tally directory ++ must be set with the option. ++ ++ ++ Also note that it is usually undesirable to permanently lock ++ out the users as they can become easily a target of denial of service ++ attack unless the usernames are random and kept secret to potential ++ attackers. ++ + + + diff --git a/SOURCES/pam-1.1.8-full-relro.patch b/SOURCES/pam-1.1.8-full-relro.patch new file mode 100644 index 0000000..0337062 --- /dev/null +++ b/SOURCES/pam-1.1.8-full-relro.patch 
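Review bot: The parser change makes `unlock_time=0` mean permanent lockout, but the unchanged sscanf path accepted `0` before this patch too, and the removed check_tally condition `latest_time + opts->unlock_time < opts->now` then unlocked immediately — so an existing configuration with `unlock_time=0` silently flips from "effectively never locked" to "locked until an administrator runs faillock", which is the denial-of-service scenario the new man-page paragraph itself warns about. I would either keep `0` with its old meaning and reserve `never` for the new one, or at least state the change where the man page documents `never`, e.g. `Earlier versions treated 0 as an immediate unlock; it now means the same as never.` check_tally and faillock_message both extend beyond the hunks shown.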
@@ -0,0 +1,108 @@ +diff -up Linux-PAM-1.1.8/modules/pam_console/Makefile.am.relro Linux-PAM-1.1.8/modules/pam_console/Makefile.am +--- Linux-PAM-1.1.8/modules/pam_console/Makefile.am.relro 2014-08-13 16:02:49.000000000 +0200 ++++ Linux-PAM-1.1.8/modules/pam_console/Makefile.am 2014-09-10 17:14:33.245554314 +0200 +@@ -33,6 +33,8 @@ pam_console_la_LIBADD = -L$(top_builddir + + pam_console_apply_LDADD = -L$(top_builddir)/libpam -lpam + ++pam_console_apply_LDFLAGS = -Wl,-z,now @PIE_LDFLAGS@ ++ + securelib_LTLIBRARIES = pam_console.la + sbin_PROGRAMS = pam_console_apply + +@@ -47,7 +49,7 @@ pam_console_apply_SOURCES = pam_console_ + configfile.c configfile.h hashtable.c hashtable.h hashtable_private.h + + pam_console_la_CFLAGS = $(AM_CFLAGS) +-pam_console_apply_CFLAGS = $(AM_CFLAGS) ++pam_console_apply_CFLAGS = $(AM_CFLAGS) @PIE_CFLAGS@ + + configfile.tab.c: configfile.y + $(YACC) $(BISON_OPTS) -o $@ -p _pc_yy $< +diff -up Linux-PAM-1.1.8/modules/pam_faillock/Makefile.am.relro Linux-PAM-1.1.8/modules/pam_faillock/Makefile.am +--- Linux-PAM-1.1.8/modules/pam_faillock/Makefile.am.relro 2014-08-13 16:02:49.000000000 +0200 ++++ Linux-PAM-1.1.8/modules/pam_faillock/Makefile.am 2014-09-10 17:16:11.102808189 +0200 +@@ -19,7 +19,7 @@ secureconfdir = $(SCONFIGDIR) + + noinst_HEADERS = faillock.h + +-faillock_CFLAGS = -I$(top_srcdir)/libpam/include -I$(top_srcdir)/libpamc/include ++faillock_CFLAGS = -I$(top_srcdir)/libpam/include -I$(top_srcdir)/libpamc/include @PIE_CFLAGS@ + pam_faillock_la_CFLAGS = -I$(top_srcdir)/libpam/include -I$(top_srcdir)/libpamc/include + + pam_faillock_la_LDFLAGS = -no-undefined -avoid-version -module +@@ -28,6 +28,7 @@ if HAVE_VERSIONING + pam_faillock_la_LDFLAGS += -Wl,--version-script=$(srcdir)/../modules.map + endif + ++faillock_LDFLAGS = -Wl,-z,now @PIE_LDFLAGS@ + faillock_LDADD = -L$(top_builddir)/libpam -lpam $(LIBAUDIT) + + securelib_LTLIBRARIES = pam_faillock.la +diff -up Linux-PAM-1.1.8/modules/pam_filter/upperLOWER/Makefile.am.relro 
Linux-PAM-1.1.8/modules/pam_filter/upperLOWER/Makefile.am +--- Linux-PAM-1.1.8/modules/pam_filter/upperLOWER/Makefile.am.relro 2014-09-10 17:17:20.273401344 +0200 ++++ Linux-PAM-1.1.8/modules/pam_filter/upperLOWER/Makefile.am 2014-09-10 17:17:07.857115369 +0200 +@@ -9,7 +9,7 @@ securelibfilterdir = $(SECUREDIR)/pam_fi + + AM_CFLAGS = -I$(top_srcdir)/libpam/include -I$(top_srcdir)/libpamc/include \ + -I$(srcdir)/.. @PIE_CFLAGS@ +-AM_LDFLAGS = @PIE_LDFLAGS@ ++AM_LDFLAGS = -Wl,-z,now @PIE_LDFLAGS@ + LDADD = $(top_builddir)/libpam/libpam.la + + securelibfilter_PROGRAMS = upperLOWER +diff -up Linux-PAM-1.1.8/modules/pam_mkhomedir/Makefile.am.relro Linux-PAM-1.1.8/modules/pam_mkhomedir/Makefile.am +--- Linux-PAM-1.1.8/modules/pam_mkhomedir/Makefile.am.relro 2013-06-18 16:11:21.000000000 +0200 ++++ Linux-PAM-1.1.8/modules/pam_mkhomedir/Makefile.am 2014-09-10 17:18:42.922304935 +0200 +@@ -30,6 +30,8 @@ endif + + sbin_PROGRAMS = mkhomedir_helper + mkhomedir_helper_SOURCES = mkhomedir_helper.c ++mkhomedir_helper_CFLAGS = $(AM_CFLAGS) @PIE_CFLAGS@ ++mkhomedir_helper_LDFLAGS = -Wl,-z,now @PIE_LDFLAGS@ + mkhomedir_helper_LDADD = $(top_builddir)/libpam/libpam.la + + if ENABLE_REGENERATE_MAN +diff -up Linux-PAM-1.1.8/modules/pam_tally2/Makefile.am.relro Linux-PAM-1.1.8/modules/pam_tally2/Makefile.am +--- Linux-PAM-1.1.8/modules/pam_tally2/Makefile.am.relro 2013-06-18 16:11:21.000000000 +0200 ++++ Linux-PAM-1.1.8/modules/pam_tally2/Makefile.am 2014-09-10 17:22:04.339944040 +0200 +@@ -26,6 +26,8 @@ if HAVE_VERSIONING + pam_tally2_la_LDFLAGS += -Wl,--version-script=$(srcdir)/../modules.map + endif + ++pam_tally2_CFLAGS = $(AM_CFLAGS) @PIE_CFLAGS@ ++pam_tally2_LDFLAGS = -Wl,-z,now @PIE_LDFLAGS@ + pam_tally2_LDADD = $(top_builddir)/libpam/libpam.la $(LIBAUDIT) + + securelib_LTLIBRARIES = pam_tally2.la +diff -up Linux-PAM-1.1.8/modules/pam_timestamp/Makefile.am.relro Linux-PAM-1.1.8/modules/pam_timestamp/Makefile.am +--- Linux-PAM-1.1.8/modules/pam_timestamp/Makefile.am.relro 
2013-06-18 16:11:21.000000000 +0200 ++++ Linux-PAM-1.1.8/modules/pam_timestamp/Makefile.am 2014-08-13 16:02:49.906688139 +0200 +@@ -36,7 +36,7 @@ pam_timestamp_la_CFLAGS = $(AM_CFLAGS) + pam_timestamp_check_SOURCES = pam_timestamp_check.c + pam_timestamp_check_CFLAGS = $(AM_CFLAGS) @PIE_CFLAGS@ + pam_timestamp_check_LDADD = $(top_builddir)/libpam/libpam.la +-pam_timestamp_check_LDFLAGS = @PIE_LDFLAGS@ ++pam_timestamp_check_LDFLAGS = -Wl,-z,now @PIE_LDFLAGS@ + + hmacfile_SOURCES = hmacfile.c hmacsha1.c sha1.c + hmacfile_LDADD = $(top_builddir)/libpam/libpam.la +diff -up Linux-PAM-1.1.8/modules/pam_unix/Makefile.am.relro Linux-PAM-1.1.8/modules/pam_unix/Makefile.am +--- Linux-PAM-1.1.8/modules/pam_unix/Makefile.am.relro 2013-06-18 16:11:21.000000000 +0200 ++++ Linux-PAM-1.1.8/modules/pam_unix/Makefile.am 2014-08-13 16:02:49.906688139 +0200 +@@ -55,13 +55,13 @@ bigcrypt_LDADD = @LIBCRYPT@ + unix_chkpwd_SOURCES = unix_chkpwd.c md5_good.c md5_broken.c bigcrypt.c \ + passverify.c + unix_chkpwd_CFLAGS = $(AM_CFLAGS) @PIE_CFLAGS@ -DHELPER_COMPILE=\"unix_chkpwd\" +-unix_chkpwd_LDFLAGS = @PIE_LDFLAGS@ ++unix_chkpwd_LDFLAGS = -Wl,-z,now @PIE_LDFLAGS@ + unix_chkpwd_LDADD = @LIBCRYPT@ @LIBSELINUX@ @LIBAUDIT@ + + unix_update_SOURCES = unix_update.c md5_good.c md5_broken.c bigcrypt.c \ + passverify.c + unix_update_CFLAGS = $(AM_CFLAGS) @PIE_CFLAGS@ -DHELPER_COMPILE=\"unix_update\" +-unix_update_LDFLAGS = @PIE_LDFLAGS@ ++unix_update_LDFLAGS = -Wl,-z,now @PIE_LDFLAGS@ + unix_update_LDADD = @LIBCRYPT@ @LIBSELINUX@ + + if ENABLE_REGENERATE_MAN diff --git a/SOURCES/pam-1.1.8-lastlog-localtime.patch b/SOURCES/pam-1.1.8-lastlog-localtime.patch new file mode 100644 index 0000000..8108ff2 --- /dev/null +++ b/SOURCES/pam-1.1.8-lastlog-localtime.patch 
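Review bot: Every `_LDFLAGS` line in this patch adds only `-Wl,-z,now`, which gives immediate binding; full RELRO additionally needs `-z,relro` so the resolved GOT is mapped read-only. The distribution's default link flags very likely supply `-z relro` already, but the patch is named full-relro and nothing in it makes that explicit, so a build with different LDFLAGS silently gets only half of the hardening; `-Wl,-z,relro,-z,now @PIE_LDFLAGS@` would make the intent self-contained. Only the helper executables are touched; the loadable modules (`pam_*.la`) keep their existing flags, which is worth a note in the patch header if that is intentional. The Makefile.am files extend beyond the hunks shown.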
@@ -0,0 +1,22 @@
+diff -up Linux-PAM-1.1.8/modules/pam_lastlog/pam_lastlog.c.localtime Linux-PAM-1.1.8/modules/pam_lastlog/pam_lastlog.c
+--- Linux-PAM-1.1.8/modules/pam_lastlog/pam_lastlog.c.localtime 2016-03-03 10:01:15.000000000 +0100
++++ Linux-PAM-1.1.8/modules/pam_lastlog/pam_lastlog.c 2016-04-22 15:24:10.085018141 +0200
+@@ -276,12 +276,12 @@ last_login_read(pam_handle_t *pamh, int
+ time_t ll_time;
+
+ ll_time = last_login.ll_time;
+- tm = localtime_r (&ll_time, &tm_buf);
+- strftime (the_time, sizeof (the_time),
+- /* TRANSLATORS: "strftime options for date of last login" */
+- _(" %a %b %e %H:%M:%S %Z %Y"), tm);
+-
+- date = the_time;
++ if ((tm = localtime_r (&ll_time, &tm_buf)) != NULL) {
++ strftime (the_time, sizeof (the_time),
++ /* TRANSLATORS: "strftime options for date of last login" */
++ _(" %a %b %e %H:%M:%S %Z %Y"), tm);
++ date = the_time;
++ }
+ }
+
+ /* we want & have the host? */
diff --git a/SOURCES/pam-1.1.8-lastlog-uninitialized.patch b/SOURCES/pam-1.1.8-lastlog-uninitialized.patch
new file mode 100644
index 0000000..8c545d9
--- /dev/null
+++ b/SOURCES/pam-1.1.8-lastlog-uninitialized.patch
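Review bot: The new `if ((tm = localtime_r(...)) != NULL)` block still ignores the return value of `strftime()`; when it returns 0 (the formatted string, which here comes from a translatable format, did not fit in `the_time`) the buffer contents are unspecified, yet `date = the_time` is assigned anyway and that garbage is shown to the user. Make the assignment conditional on both: `if (tm != NULL && strftime(the_time, sizeof(the_time), _(" %a %b %e %H:%M:%S %Z %Y"), tm) != 0) date = the_time;`. last_login_read continues outside the hunk, and what `date` is initialised to before this point is not visible.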
@@ -0,0 +1,37 @@
+diff -up Linux-PAM-1.1.8/modules/pam_lastlog/pam_lastlog.c.uninitialized Linux-PAM-1.1.8/modules/pam_lastlog/pam_lastlog.c
+--- Linux-PAM-1.1.8/modules/pam_lastlog/pam_lastlog.c.uninitialized 2013-06-18 16:11:21.000000000 +0200
++++ Linux-PAM-1.1.8/modules/pam_lastlog/pam_lastlog.c 2014-08-25 16:44:24.365174752 +0200
+@@ -350,6 +350,8 @@ last_login_write(pam_handle_t *pamh, int
+ return PAM_SERVICE_ERR;
+ }
+
++ memset(&last_login, 0, sizeof(last_login));
++
+ /* set this login date */
+ D(("set the most recent login time"));
+ (void) time(&ll_time); /* set the time */
+@@ -364,14 +366,12 @@ last_login_write(pam_handle_t *pamh, int
+ }
+
+ /* copy to last_login */
+- last_login.ll_host[0] = '\0';
+ strncat(last_login.ll_host, remote_host, sizeof(last_login.ll_host)-1);
+
+ /* set the terminal line */
+ terminal_line = get_tty(pamh);
+
+ /* copy to last_login */
+- last_login.ll_line[0] = '\0';
+ strncat(last_login.ll_line, terminal_line, sizeof(last_login.ll_line)-1);
+ terminal_line = NULL;
+
+@@ -628,7 +628,8 @@ pam_sm_authenticate(pam_handle_t *pamh,
+ lltime = (time(NULL) - lltime) / (24*60*60);
+
+ if (lltime > inactive_days) {
+- pam_syslog(pamh, LOG_INFO, "user %s inactive for %d days - denied", user, lltime);
++ pam_syslog(pamh, LOG_INFO, "user %s inactive for %ld days - denied",
++ user, (long) lltime);
+ return PAM_AUTH_ERR;
+ }
+
diff --git a/SOURCES/pam-1.1.8-limits-check-process.patch b/SOURCES/pam-1.1.8-limits-check-process.patch
new file mode 100644
index 0000000..f37f799
--- /dev/null
+++ b/SOURCES/pam-1.1.8-limits-check-process.patch
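Review bot: The `memset(&last_login, 0, sizeof(last_login))` is the security-relevant part of this change and deserves a comment saying why, because a later edit could easily reinstate the per-field `[0] = '\0'` lines and drop it: the record is presumably written to the lastlog file as a whole struct, so without the zeroing whatever was on the stack in the unused tail of `ll_host`/`ll_line` and in padding bytes ends up in a file that on most systems every user can read. I would write above it `/* zero the whole record: it is stored on disk verbatim, so unused bytes and padding must not carry stack contents */`. Whether the write really is a raw write of the struct is outside the hunk, so confirm that before committing the comment. last_login_write begins before and ends after the hunk.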
@@ -0,0 +1,41 @@
+diff -up Linux-PAM-1.1.8/modules/pam_limits/pam_limits.c.check-process Linux-PAM-1.1.8/modules/pam_limits/pam_limits.c
+--- Linux-PAM-1.1.8/modules/pam_limits/pam_limits.c.check-process 2013-06-18 16:11:21.000000000 +0200
++++ Linux-PAM-1.1.8/modules/pam_limits/pam_limits.c 2014-09-10 16:39:36.263256066 +0200
+@@ -27,6 +27,7 @@
+ #include
+ #include
+ #include
++#include
+ #include
+ #include
+ #include
+@@ -269,16 +270,27 @@ check_logins (pam_handle_t *pamh, const
+ continue;
+ }
+ if (!pl->flag_numsyslogins) {
++ char user[sizeof(ut->UT_USER) + 1];
++ user[0] = '\0';
++ strncat(user, ut->UT_USER, sizeof(ut->UT_USER));
++
+ if (((pl->login_limit_def == LIMITS_DEF_USER)
+ || (pl->login_limit_def == LIMITS_DEF_GROUP)
+ || (pl->login_limit_def == LIMITS_DEF_DEFAULT))
+- && strncmp(name, ut->UT_USER, sizeof(ut->UT_USER)) != 0) {
++ && strcmp(name, user) != 0) {
+ continue;
+ }
+ if ((pl->login_limit_def == LIMITS_DEF_ALLGROUP)
+- && !pam_modutil_user_in_group_nam_nam(pamh, ut->UT_USER, pl->login_group)) {
++ && !pam_modutil_user_in_group_nam_nam(pamh, user, pl->login_group)) {
+ continue;
+ }
++ if (kill(ut->ut_pid, 0) == -1 && errno == ESRCH) {
++ /* process does not exist anymore */
++ pam_syslog(pamh, LOG_WARNING,
++ "Stale utmp entry (pid %d) for '%s' ignored",
++ ut->ut_pid, user);
++ continue;
++ }
+ }
+ if (++count > limit) {
+ break;
diff --git a/SOURCES/pam-1.1.8-limits-docfix.patch b/SOURCES/pam-1.1.8-limits-docfix.patch
new file mode 100644
index 0000000..37703e3
--- /dev/null
+++ b/SOURCES/pam-1.1.8-limits-docfix.patch
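Review bot: `kill(ut->ut_pid, 0)` has process-group semantics when the pid is 0 or negative, so a utmp record with an unset ut_pid (should one ever reach this loop) would probe the caller's own process group, succeed, and be counted as live; making the intent explicit with `if (ut->ut_pid > 0 && kill(ut->ut_pid, 0) == -1 && errno == ESRCH)` removes that ambiguity, and the failure mode of the current code is at least conservative (the entry counts toward the limit). The probe also cannot tell a stale entry whose pid has since been reused by an unrelated process from a live session, which is inherent to this approach and worth stating in the comment, e.g. `/* process does not exist anymore (a reused pid is still counted as live) */`. Note that EPERM is correctly treated as "exists", so sessions of other users are still counted. check_logins() starts and ends outside the hunk.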
@@ -0,0 +1,54 @@ +diff -up Linux-PAM-1.1.8/modules/pam_limits/limits.conf.docfix Linux-PAM-1.1.8/modules/pam_limits/limits.conf +--- Linux-PAM-1.1.8/modules/pam_limits/limits.conf.docfix 2014-07-14 14:58:05.000000000 +0200 ++++ Linux-PAM-1.1.8/modules/pam_limits/limits.conf 2014-09-10 16:42:51.254747161 +0200 +@@ -32,7 +32,7 @@ + # - data - max data size (KB) + # - fsize - maximum filesize (KB) + # - memlock - max locked-in-memory address space (KB) +-# - nofile - max number of open files ++# - nofile - max number of open file descriptors + # - rss - max resident set size (KB) + # - stack - max stack size (KB) + # - cpu - max CPU time (MIN) +diff -up Linux-PAM-1.1.8/modules/pam_limits/limits.conf.5.xml.docfix Linux-PAM-1.1.8/modules/pam_limits/limits.conf.5.xml +--- Linux-PAM-1.1.8/modules/pam_limits/limits.conf.5.xml.docfix 2013-06-18 16:11:21.000000000 +0200 ++++ Linux-PAM-1.1.8/modules/pam_limits/limits.conf.5.xml 2014-09-10 16:44:01.624367933 +0200 +@@ -178,7 +178,7 @@ + + + +- maximum number of open files ++ maximum number of open file descriptors + + + +@@ -214,14 +214,17 @@ + + + +- maximum number of logins for this user except +- for this with uid=0 ++ maximum number of logins for this user (this limit does ++ not apply to user with uid=0) + + + + + +- maximum number of all logins on system ++ maximum number of all logins on system; user is not ++ allowed to log-in if total number of all users' logins is ++ greater than specified number (this limit does not apply to ++ user with uid=0) + + + +@@ -292,7 +295,7 @@ + permanent; existing only for the duration of the session. + One exception is the maxlogin option, this one + is system wide. But there is a race, concurrent logins at the same +- time will not always be detect as such but only counted as one. ++ time will not always be detected as such but only counted as one. + + + In the limits configuration file, the 
diff --git a/SOURCES/pam-1.1.8-loginuid-containers.patch b/SOURCES/pam-1.1.8-loginuid-containers.patch new file mode 100644 index 0000000..b27f237 --- /dev/null +++ b/SOURCES/pam-1.1.8-loginuid-containers.patch 
@@ -0,0 +1,147 @@ +diff -up Linux-PAM-1.1.8/modules/pam_loginuid/pam_loginuid.8.xml.containers Linux-PAM-1.1.8/modules/pam_loginuid/pam_loginuid.8.xml +--- Linux-PAM-1.1.8/modules/pam_loginuid/pam_loginuid.8.xml.containers 2013-06-18 16:11:21.000000000 +0200 ++++ Linux-PAM-1.1.8/modules/pam_loginuid/pam_loginuid.8.xml 2019-08-06 14:54:33.491053203 +0200 +@@ -69,14 +69,31 @@ + + + ++ PAM_SUCCESS ++ ++ ++ The loginuid value is set and auditd is running if check requested. ++ ++ ++ ++ ++ PAM_IGNORE ++ ++ ++ The /proc/self/loginuid file is not present on the system or the ++ login process runs inside uid namespace and kernel does not support ++ overwriting loginuid. ++ ++ ++ ++ + PAM_SESSION_ERR + + +- An error occurred during session management. ++ Any other error prevented setting loginuid or auditd is not running. + + + +- + + + +diff -up Linux-PAM-1.1.8/modules/pam_loginuid/pam_loginuid.c.containers Linux-PAM-1.1.8/modules/pam_loginuid/pam_loginuid.c +--- Linux-PAM-1.1.8/modules/pam_loginuid/pam_loginuid.c.containers 2017-11-02 14:04:25.898425389 +0100 ++++ Linux-PAM-1.1.8/modules/pam_loginuid/pam_loginuid.c 2019-08-06 14:51:31.905761192 +0200 +@@ -47,25 +47,56 @@ + + /* + * This function writes the loginuid to the /proc system. It returns +- * 0 on success and 1 on failure. ++ * PAM_SUCCESS on success, ++ * PAM_IGNORE when /proc/self/loginuid does not exist, ++ * PAM_SESSION_ERR in case of any other error. + */ + static int set_loginuid(pam_handle_t *pamh, uid_t uid) + { +- int fd, count, rc = 0; +- char loginuid[24]; ++ int fd, count, rc = PAM_SESSION_ERR; ++ char loginuid[24], buf[24]; ++ static const char host_uid_map[] = " 0 0 4294967295\n"; ++ char uid_map[sizeof(host_uid_map)]; ++ ++ /* loginuid in user namespaces currently isn't writable and in some ++ case, not even readable, so consider any failure as ignorable (but try ++ anyway, in case we hit a kernel which supports it). 
*/ ++ fd = open("/proc/self/uid_map", O_RDONLY); ++ if (fd >= 0) { ++ count = pam_modutil_read(fd, uid_map, sizeof(uid_map)); ++ if (strncmp(uid_map, host_uid_map, count) != 0) ++ rc = PAM_IGNORE; ++ close(fd); ++ } + +- count = snprintf(loginuid, sizeof(loginuid), "%lu", (unsigned long)uid); +- fd = open("/proc/self/loginuid", O_NOFOLLOW|O_WRONLY|O_TRUNC); ++ fd = open("/proc/self/loginuid", O_NOFOLLOW|O_RDWR); + if (fd < 0) { +- if (errno != ENOENT) { +- rc = 1; +- pam_syslog(pamh, LOG_ERR, +- "Cannot open /proc/self/loginuid: %m"); ++ if (errno == ENOENT) { ++ rc = PAM_IGNORE; ++ } ++ if (rc != PAM_IGNORE) { ++ pam_syslog(pamh, LOG_ERR, "Cannot open %s: %m", ++ "/proc/self/loginuid"); + } + return rc; + } +- if (pam_modutil_write(fd, loginuid, count) != count) +- rc = 1; ++ ++ count = snprintf(loginuid, sizeof(loginuid), "%lu", (unsigned long)uid); ++ if (pam_modutil_read(fd, buf, sizeof(buf)) == count && ++ memcmp(buf, loginuid, count) == 0) { ++ rc = PAM_SUCCESS; ++ goto done; /* already correct */ ++ } ++ if (lseek(fd, 0, SEEK_SET) == 0 && ftruncate(fd, 0) == 0 && ++ pam_modutil_write(fd, loginuid, count) == count) { ++ rc = PAM_SUCCESS; ++ } else { ++ if (rc != PAM_IGNORE) { ++ pam_syslog(pamh, LOG_ERR, "Error writing %s: %m", ++ "/proc/self/loginuid"); ++ } ++ } ++ done: + close(fd); + return rc; + } +@@ -165,6 +196,7 @@ _pam_loginuid(pam_handle_t *pamh, int fl + { + const char *user = NULL; + struct passwd *pwd; ++ int ret; + #ifdef HAVE_LIBAUDIT + int require_auditd = 0; + #endif +@@ -183,9 +215,14 @@ _pam_loginuid(pam_handle_t *pamh, int fl + return PAM_SESSION_ERR; + } + +- if (set_loginuid(pamh, pwd->pw_uid)) { +- pam_syslog(pamh, LOG_ERR, "set_loginuid failed\n"); +- return PAM_SESSION_ERR; ++ ret = set_loginuid(pamh, pwd->pw_uid); ++ switch (ret) { ++ case PAM_SUCCESS: ++ case PAM_IGNORE: ++ break; ++ default: ++ pam_syslog(pamh, LOG_ERR, "set_loginuid failed"); ++ return ret; + } + + #ifdef HAVE_LIBAUDIT +@@ -199,10 +236,10 @@ 
_pam_loginuid(pam_handle_t *pamh, int fl + int rc = check_auditd(); + if (rc != PAM_SUCCESS) + pam_syslog(pamh, LOG_ERR, "required running auditd not detected"); +- return rc; ++ return rc != PAM_SUCCESS ? rc : ret; + } else + #endif +- return PAM_SUCCESS; ++ return ret; + } + + /* diff --git a/SOURCES/pam-1.1.8-loginuid-log-auditd.patch b/SOURCES/pam-1.1.8-loginuid-log-auditd.patch new file mode 100644 index 0000000..6ccadc7 --- /dev/null +++ b/SOURCES/pam-1.1.8-loginuid-log-auditd.patch @@ -0,0 +1,19 @@ +diff -up Linux-PAM-1.1.8/modules/pam_loginuid/pam_loginuid.c.log-auditd Linux-PAM-1.1.8/modules/pam_loginuid/pam_loginuid.c +--- Linux-PAM-1.1.8/modules/pam_loginuid/pam_loginuid.c.log-auditd 2013-06-18 16:11:21.000000000 +0200 ++++ Linux-PAM-1.1.8/modules/pam_loginuid/pam_loginuid.c 2016-04-22 14:21:35.868204427 +0200 +@@ -195,9 +195,12 @@ _pam_loginuid(pam_handle_t *pamh, int fl + argv++; + } + +- if (require_auditd) +- return check_auditd(); +- else ++ if (require_auditd) { ++ int rc = check_auditd(); ++ if (rc != PAM_SUCCESS) ++ pam_syslog(pamh, LOG_ERR, "required running auditd not detected"); ++ return rc; ++ } else + #endif + return PAM_SUCCESS; + } diff --git a/SOURCES/pam-1.1.8-man-dbsuffix.patch b/SOURCES/pam-1.1.8-man-dbsuffix.patch new file mode 100644 index 0000000..be2e231 --- /dev/null +++ b/SOURCES/pam-1.1.8-man-dbsuffix.patch 
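Review bot: In set_loginuid() the return value of `pam_modutil_read(fd, uid_map, sizeof(uid_map))` is passed to strncmp() unchecked; on a read error count is -1, which strncmp() takes as a huge size_t, and the comparison then runs over the uninitialized uid_map buffer, so a failed read can flip rc to PAM_IGNORE by accident, after which every later open/write error on /proc/self/loginuid is neither logged nor reported and the session proceeds without a loginuid. The comparison should only be made for a successful read and should require the full host line rather than a prefix: `if (count > 0 && (count != (int)(sizeof(host_uid_map) - 1) || memcmp(uid_map, host_uid_map, count) != 0)) rc = PAM_IGNORE;`. A short mapping that happens to be a prefix of the host line is otherwise classified as host, which only costs a logged session error, whereas the uninitialized-read case is the one that matters for the audit trail. The hunk shows all of set_loginuid(); _pam_loginuid() starts and ends outside it.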
@@ -0,0 +1,22 @@ +diff -up Linux-PAM-1.1.8/modules/pam_userdb/pam_userdb.8.xml.dbsuffix Linux-PAM-1.1.8/modules/pam_userdb/pam_userdb.8.xml +--- Linux-PAM-1.1.8/modules/pam_userdb/pam_userdb.8.xml.dbsuffix 2013-06-18 16:11:21.000000000 +0200 ++++ Linux-PAM-1.1.8/modules/pam_userdb/pam_userdb.8.xml 2014-09-10 16:28:19.916678273 +0200 +@@ -89,7 +89,8 @@ + Use the /path/database database for + performing lookup. There is no default; the module will + return PAM_IGNORE if no +- database is provided. ++ database is provided. Note that the path to the database file ++ should be specified without the .db suffix. + + + +@@ -260,7 +261,7 @@ + + EXAMPLES + +-auth sufficient pam_userdb.so icase db=/etc/dbtest.db ++auth sufficient pam_userdb.so icase db=/etc/dbtest + + + diff --git a/SOURCES/pam-1.1.8-man-delay.patch b/SOURCES/pam-1.1.8-man-delay.patch new file mode 100644 index 0000000..5a4833a --- /dev/null +++ b/SOURCES/pam-1.1.8-man-delay.patch @@ -0,0 +1,30 @@ +diff -up Linux-PAM-1.1.8/doc/man/pam_fail_delay.3.xml.delay Linux-PAM-1.1.8/doc/man/pam_fail_delay.3.xml +--- Linux-PAM-1.1.8/doc/man/pam_fail_delay.3.xml.delay 2013-06-18 16:11:21.000000000 +0200 ++++ Linux-PAM-1.1.8/doc/man/pam_fail_delay.3.xml 2016-05-30 12:08:40.708053159 +0200 +@@ -39,7 +39,7 @@ + + pam_authenticate3 + fail, the failing return to the application is +- delayed by an amount of time randomly distributed (by up to 25%) ++ delayed by an amount of time randomly distributed (by up to 50%) + about this longest value. + + +@@ -135,7 +135,7 @@ void (*delay_fn)(int retval, unsigned us + + + if the modules do not request a delay, the failure delay will be +- between 2.25 and 3.75 seconds. ++ between 1.5 and 4.5 seconds. + + + +@@ -150,7 +150,7 @@ module #2: pam_fail_delay (pamh, 4000 + + + in this case, it is the largest requested value that is used to +- compute the actual failed delay: here between 3 and 5 seconds. ++ compute the actual failed delay: here between 2 and 6 seconds. + + + 
diff --git a/SOURCES/pam-1.1.8-man-environment.patch b/SOURCES/pam-1.1.8-man-environment.patch new file mode 100644 index 0000000..d869211 --- /dev/null +++ b/SOURCES/pam-1.1.8-man-environment.patch 
@@ -0,0 +1,78 @@ +diff -up Linux-PAM-1.1.8/modules/pam_env/Makefile.am.environment Linux-PAM-1.1.8/modules/pam_env/Makefile.am +--- Linux-PAM-1.1.8/modules/pam_env/Makefile.am.environment 2013-06-18 16:11:21.000000000 +0200 ++++ Linux-PAM-1.1.8/modules/pam_env/Makefile.am 2016-04-22 14:10:49.921649262 +0200 +@@ -7,7 +7,7 @@ MAINTAINERCLEANFILES = $(MANS) README + + EXTRA_DIST = README pam_env.conf $(MANS) $(XMLS) tst-pam_env environment + +-man_MANS = pam_env.conf.5 pam_env.8 ++man_MANS = pam_env.conf.5 pam_env.8 environment.5 + + XMLS = README.xml pam_env.conf.5.xml pam_env.8.xml + +@@ -30,6 +30,7 @@ sysconf_DATA = environment + if ENABLE_REGENERATE_MAN + noinst_DATA = README + README: pam_env.8.xml pam_env.conf.5.xml ++environment.5: pam_env.conf.5.xml + -include $(top_srcdir)/Make.xml.rules + endif + +diff -up Linux-PAM-1.1.8/modules/pam_env/Makefile.in.environment Linux-PAM-1.1.8/modules/pam_env/Makefile.in +--- Linux-PAM-1.1.8/modules/pam_env/Makefile.in.environment 2016-04-22 14:14:41.475866891 +0200 ++++ Linux-PAM-1.1.8/modules/pam_env/Makefile.in 2016-04-22 14:13:58.239892651 +0200 +@@ -285,7 +285,7 @@ top_srcdir = @top_srcdir@ + CLEANFILES = *~ + MAINTAINERCLEANFILES = $(MANS) README + EXTRA_DIST = README pam_env.conf $(MANS) $(XMLS) tst-pam_env environment +-man_MANS = pam_env.conf.5 pam_env.8 ++man_MANS = pam_env.conf.5 pam_env.8 environment.5 + XMLS = README.xml pam_env.conf.5.xml pam_env.8.xml + securelibdir = $(SECUREDIR) + secureconfdir = $(SCONFIGDIR) +@@ -836,6 +836,7 @@ uninstall-man: uninstall-man5 uninstall- + uninstall-sysconfDATA + + @ENABLE_REGENERATE_MAN_TRUE@README: pam_env.8.xml pam_env.conf.5.xml ++@ENABLE_REGENERATE_MAN_TRUE@environment.5: pam_env.conf.5.xml + @ENABLE_REGENERATE_MAN_TRUE@-include $(top_srcdir)/Make.xml.rules + + # Tell versions [3.59,3.63) of GNU make to not export all variables. 
+diff -up Linux-PAM-1.1.8/modules/pam_env/pam_env.conf.5.xml.environment Linux-PAM-1.1.8/modules/pam_env/pam_env.conf.5.xml +--- Linux-PAM-1.1.8/modules/pam_env/pam_env.conf.5.xml.environment 2013-06-18 16:11:21.000000000 +0200 ++++ Linux-PAM-1.1.8/modules/pam_env/pam_env.conf.5.xml 2016-04-22 14:12:49.150335851 +0200 +@@ -12,7 +12,8 @@ + + + pam_env.conf +- the environment variables config file ++ environment ++ the environment variables config files + + + +@@ -58,6 +59,14 @@ + at front) can be used to mark this line as a comment line. + + ++ ++ The /etc/environment file specifies ++ the environment variables to be set. The file must consist of simple ++ NAME=VALUE pairs on separate lines. ++ The pam_env8 ++ module will read the file after the pam_env.conf ++ file. ++ + + + +@@ -110,7 +119,8 @@ + + pam_env8, + pam.d5, +- pam8 ++ pam8, ++ environ7 + + + diff --git a/SOURCES/pam-1.1.8-man-fixes.patch b/SOURCES/pam-1.1.8-man-fixes.patch new file mode 100644 index 0000000..5942d94 --- /dev/null +++ b/SOURCES/pam-1.1.8-man-fixes.patch 
@@ -0,0 +1,41 @@ +diff -up Linux-PAM-1.1.8/modules/pam_tty_audit/pam_tty_audit.8.xml.manfix Linux-PAM-1.1.8/modules/pam_tty_audit/pam_tty_audit.8.xml +--- Linux-PAM-1.1.8/modules/pam_tty_audit/pam_tty_audit.8.xml.manfix 2017-11-02 14:04:25.908425629 +0100 ++++ Linux-PAM-1.1.8/modules/pam_tty_audit/pam_tty_audit.8.xml 2019-08-06 14:38:58.826456399 +0200 +@@ -149,6 +149,13 @@ + greater than or equal to min_uid will be + matched. + ++ ++ Please note that passwords in some circumstances may be logged by TTY auditing ++ even if the is not used. For example all input to ++ a ssh session will be logged - even if there is a password being typed into ++ some software running at the remote host because only the local TTY state ++ affects the local TTY auditing. ++ + + + +diff -up Linux-PAM-1.1.8/modules/pam_wheel/pam_wheel.8.xml.manfix Linux-PAM-1.1.8/modules/pam_wheel/pam_wheel.8.xml +--- Linux-PAM-1.1.8/modules/pam_wheel/pam_wheel.8.xml.manfix 2013-06-18 16:11:21.000000000 +0200 ++++ Linux-PAM-1.1.8/modules/pam_wheel/pam_wheel.8.xml 2019-08-06 14:38:01.938442949 +0200 +@@ -43,8 +43,8 @@ + DESCRIPTION + + The pam_wheel PAM module is used to enforce the so-called +- wheel group. By default it permits root +- access to the system if the applicant user is a member of the ++ wheel group. By default it permits ++ access to the target user if the applicant user is a member of the + wheel group. If no group with this name exist, + the module is using the group with the group-ID + 0. +@@ -97,7 +97,8 @@ + + + +- The check for wheel membership is done only. ++ The check for wheel membership is done only when the target user ++ UID is 0. + + + diff --git a/SOURCES/pam-1.1.8-man-space.patch b/SOURCES/pam-1.1.8-man-space.patch new file mode 100644 index 0000000..774e834 --- /dev/null +++ b/SOURCES/pam-1.1.8-man-space.patch 
@@ -0,0 +1,13 @@
+diff -up Linux-PAM-1.1.8/doc/man/pam.8.xml.space Linux-PAM-1.1.8/doc/man/pam.8.xml
+--- Linux-PAM-1.1.8/doc/man/pam.8.xml.space 2013-06-18 16:11:21.000000000 +0200
++++ Linux-PAM-1.1.8/doc/man/pam.8.xml 2017-09-08 14:22:58.878416174 +0200
+@@ -48,8 +48,7 @@
+ can be set by individual configuration files located in the
+ /etc/pam.d/ directory. The presence of this
+ directory will cause Linux-PAM to
+- ignore
+- /etc/pam.conf.
++ ignore /etc/pam.conf.
+ 
+ 
+ 
diff --git a/SOURCES/pam-1.1.8-mkhomedir-inroot.patch b/SOURCES/pam-1.1.8-mkhomedir-inroot.patch
new file mode 100644
index 0000000..3936de4
--- /dev/null
+++ b/SOURCES/pam-1.1.8-mkhomedir-inroot.patch
@@ -0,0 +1,29 @@
+diff -up Linux-PAM-1.1.8/modules/pam_mkhomedir/mkhomedir_helper.c.mkhomedir-inroot Linux-PAM-1.1.8/modules/pam_mkhomedir/mkhomedir_helper.c
+--- Linux-PAM-1.1.8/modules/pam_mkhomedir/mkhomedir_helper.c.mkhomedir-inroot 2013-06-18 16:11:21.000000000 +0200
++++ Linux-PAM-1.1.8/modules/pam_mkhomedir/mkhomedir_helper.c 2017-11-03 10:20:59.823998481 +0100
+@@ -352,16 +352,18 @@ make_parent_dirs(char *dir, int make)
+ char *cp = strrchr(dir, '/');
+ struct stat st;
+ 
+- if (!cp || cp == dir)
++ if (!cp)
+ return rc;
+ 
+- *cp = '\0';
+- if (stat(dir, &st) && errno == ENOENT)
+- rc = make_parent_dirs(dir, 1);
+- *cp = '/';
++ if (cp != dir) {
++ *cp = '\0';
++ if (stat(dir, &st) && errno == ENOENT)
++ rc = make_parent_dirs(dir, 1);
++ *cp = '/';
+ 
+- if (rc != PAM_SUCCESS)
+- return rc;
++ if (rc != PAM_SUCCESS)
++ return rc;
++ }
+ 
+ if (make && mkdir(dir, 0755) && errno != EEXIST) {
+ pam_syslog(NULL, LOG_ERR, "unable to create directory %s: %m", dir);
diff --git a/SOURCES/pam-1.1.8-opasswd-tolerant.patch b/SOURCES/pam-1.1.8-opasswd-tolerant.patch
new file mode 100644
index 0000000..fb9b198
--- /dev/null
+++ b/SOURCES/pam-1.1.8-opasswd-tolerant.patch
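Review bot: The new `if (cp != dir)` branch in make_parent_dirs() deserves a comment stating what the cp == dir case means, because the early `return rc` it replaced silently refused to create a home directory placed directly under the root directory: `/* cp == dir: the only separator is the leading '/', so the parent is "/" itself and nothing has to be created above dir */`. The function relies on rc having been initialised before this point and on `dir` being absolute; both are outside the hunk, and the `!cp` path returns that initial rc for a relative path without ever reaching mkdir(), which is worth stating in the function's header comment. make_parent_dirs() starts and ends outside the hunk.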
@@ -0,0 +1,50 @@
+diff --git a/modules/pam_pwhistory/opasswd.c b/modules/pam_pwhistory/opasswd.c
+index 836d713..c36628e 100644
+--- a/modules/pam_pwhistory/opasswd.c
++++ b/modules/pam_pwhistory/opasswd.c
+@@ -82,10 +82,15 @@ parse_entry (char *line, opwd *data)
+ {
+ const char delimiters[] = ":";
+ char *endptr;
++ char *count;
+ 
+ data->user = strsep (&line, delimiters);
+ data->uid = strsep (&line, delimiters);
+- data->count = strtol (strsep (&line, delimiters), &endptr, 10);
++ count = strsep (&line, delimiters);
++ if (data->user == NULL || data->uid == NULL || count == NULL)
++ return 1;
++
++ data->count = strtol (count, &endptr, 10);
+ if (endptr != NULL && *endptr != '\0')
+ return 1;
+ 
+diff --git a/modules/pam_unix/passverify.c b/modules/pam_unix/passverify.c
+index 4840bb2..7f7bc49 100644
+--- a/modules/pam_unix/passverify.c
++++ b/modules/pam_unix/passverify.c
+@@ -639,11 +639,23 @@ save_old_password(pam_handle_t *pamh, const char *forwho, const char *oldpass,
+ continue;
+ buf[strlen(buf) - 1] = '\0';
+ s_luser = strtok_r(buf, ":", &sptr);
++ if (s_luser == NULL) {
++ found = 0;
++ continue;
++ }
+ s_uid = strtok_r(NULL, ":", &sptr);
++ if (s_uid == NULL) {
++ found = 0;
++ continue;
++ }
+ s_npas = strtok_r(NULL, ":", &sptr);
++ if (s_npas == NULL) {
++ found = 0;
++ continue;
++ }
+ s_pas = strtok_r(NULL, ":", &sptr);
+ npas = strtol(s_npas, NULL, 10) + 1;
+- while (npas > howmany) {
++ while (npas > howmany && s_pas != NULL) {
+ s_pas = strpbrk(s_pas, ",");
+ if (s_pas != NULL)
+ s_pas++;
diff --git a/SOURCES/pam-1.1.8-pwhistory-helper.patch b/SOURCES/pam-1.1.8-pwhistory-helper.patch
new file mode 100644
index 0000000..8d08003
--- /dev/null
+++ b/SOURCES/pam-1.1.8-pwhistory-helper.patch
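Review bot: In parse_entry() the new NULL checks stop the crash, but `strtol (count, &endptr, 10)` still accepts an empty count field (`user:uid::hashes`): endptr then equals count and `*endptr == '\0'`, so the entry parses with count 0 instead of being rejected, and an out-of-range value is not caught either because errno is never reset or checked. A stricter check is `if (*count == '\0' || (endptr != NULL && *endptr != '\0')) return 1;`, with `errno = 0;` before the call and `errno == ERANGE` added to the condition. The same applies to `strtol(s_npas, NULL, 10) + 1` in save_old_password(), which additionally overflows if the field holds LONG_MAX; both functions start and end outside their hunks. Malformed lines in save_old_password() are now skipped with `continue`, and if the branch that copies non-matching lines to the rewritten file lies outside the hunk, that means such lines are dropped rather than preserved, which deserves a comment stating that it is intended.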
@@ -0,0 +1,812 @@ +diff --git a/modules/pam_pwhistory/Makefile.am b/modules/pam_pwhistory/Makefile.am +index 4bb4d6d..9157b91 100644 +--- a/modules/pam_pwhistory/Makefile.am ++++ b/modules/pam_pwhistory/Makefile.am +@@ -1,5 +1,6 @@ + # + # Copyright (c) 2008, 2009 Thorsten Kukuk ++# Copyright (c) 2013 Red Hat, Inc. + # + + CLEANFILES = *~ +@@ -9,25 +10,33 @@ EXTRA_DIST = README $(MANS) $(XMLS) tst-pam_pwhistory + + TESTS = tst-pam_pwhistory + +-man_MANS = pam_pwhistory.8 ++man_MANS = pam_pwhistory.8 pwhistory_helper.8 + +-XMLS = README.xml pam_pwhistory.8.xml ++XMLS = README.xml pam_pwhistory.8.xml pwhistory_helper.8.xml + + securelibdir = $(SECUREDIR) + secureconfdir = $(SCONFIGDIR) + +-AM_CFLAGS = -I$(top_srcdir)/libpam/include -I$(top_srcdir)/libpamc/include +-AM_LDFLAGS = -no-undefined -avoid-version -module ++AM_CFLAGS = -I$(top_srcdir)/libpam/include -I$(top_srcdir)/libpamc/include \ ++ -DPWHISTORY_HELPER=\"$(sbindir)/pwhistory_helper\" ++ ++pam_pwhistory_la_LDFLAGS = -no-undefined -avoid-version -module + if HAVE_VERSIONING +- AM_LDFLAGS += -Wl,--version-script=$(srcdir)/../modules.map ++ pam_pwhistory_la_LDFLAGS += -Wl,--version-script=$(srcdir)/../modules.map + endif + + noinst_HEADERS = opasswd.h + + securelib_LTLIBRARIES = pam_pwhistory.la +-pam_pwhistory_la_LIBADD = $(top_builddir)/libpam/libpam.la @LIBCRYPT@ ++pam_pwhistory_la_CFLAGS = $(AM_CFLAGS) ++pam_pwhistory_la_LIBADD = $(top_builddir)/libpam/libpam.la @LIBCRYPT@ @LIBSELINUX@ + pam_pwhistory_la_SOURCES = pam_pwhistory.c opasswd.c + ++sbin_PROGRAMS = pwhistory_helper ++pwhistory_helper_CFLAGS = $(AM_CFLAGS) -DHELPER_COMPILE=\"pwhistory_helper\" ++pwhistory_helper_SOURCES = pwhistory_helper.c opasswd.c ++pwhistory_helper_LDADD = $(top_builddir)/libpam/libpam.la @LIBCRYPT@ ++ + if ENABLE_REGENERATE_MAN + noinst_DATA = README + README: pam_pwhistory.8.xml +diff --git a/modules/pam_pwhistory/opasswd.c b/modules/pam_pwhistory/opasswd.c +index 836d713..e319ff3 100644 +--- 
a/modules/pam_pwhistory/opasswd.c ++++ b/modules/pam_pwhistory/opasswd.c +@@ -1,5 +1,6 @@ + /* + * Copyright (c) 2008 Thorsten Kukuk ++ * Copyright (c) 2013 Red Hat, Inc. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions +@@ -38,6 +39,7 @@ + #endif + + #include ++#include + #include + #include + #include +@@ -47,6 +49,7 @@ + #include + #include + #include ++#include + #include + + #if defined (HAVE_XCRYPT_H) +@@ -55,7 +58,14 @@ + #include + #endif + ++#ifdef HELPER_COMPILE ++#define pam_modutil_getpwnam(h,n) getpwnam(n) ++#define pam_modutil_getspnam(h,n) getspnam(n) ++#define pam_syslog(h,a,...) helper_log_err(a,__VA_ARGS__) ++#else ++#include + #include ++#endif + #include + + #include "opasswd.h" +@@ -76,6 +86,19 @@ typedef struct { + char *old_passwords; + } opwd; + ++#ifdef HELPER_COMPILE ++void ++helper_log_err(int err, const char *format, ...) ++{ ++ va_list args; ++ ++ va_start(args, format); ++ openlog(HELPER_COMPILE, LOG_CONS | LOG_PID, LOG_AUTHPRIV); ++ vsyslog(err, format, args); ++ va_end(args); ++ closelog(); ++} ++#endif + + static int + parse_entry (char *line, opwd *data) +@@ -112,8 +135,8 @@ compare_password(const char *newpass, const char *oldpass) + } + + /* Check, if the new password is already in the opasswd file. 
*/ +-int +-check_old_pass (pam_handle_t *pamh, const char *user, ++PAMH_ARG_DECL(int ++check_old_pass, const char *user, + const char *newpass, int debug) + { + int retval = PAM_SUCCESS; +@@ -123,6 +146,11 @@ check_old_pass (pam_handle_t *pamh, const char *user, + opwd entry; + int found = 0; + ++#ifndef HELPER_COMPILE ++ if (SELINUX_ENABLED) ++ return PAM_PWHISTORY_RUN_HELPER; ++#endif ++ + if ((oldpf = fopen (OLD_PASSWORDS_FILE, "r")) == NULL) + { + if (errno != ENOENT) +@@ -208,9 +236,9 @@ check_old_pass (pam_handle_t *pamh, const char *user, + return retval; + } + +-int +-save_old_pass (pam_handle_t *pamh, const char *user, uid_t uid, +- const char *oldpass, int howmany, int debug UNUSED) ++PAMH_ARG_DECL(int ++save_old_pass, const char *user, ++ int howmany, int debug UNUSED) + { + char opasswd_tmp[] = TMP_PASSWORDS_FILE; + struct stat opasswd_stat; +@@ -221,10 +249,35 @@ save_old_pass (pam_handle_t *pamh, const char *user, uid_t uid, + char *buf = NULL; + size_t buflen = 0; + int found = 0; ++ struct passwd *pwd; ++ const char *oldpass; ++ ++ pwd = pam_modutil_getpwnam (pamh, user); ++ if (pwd == NULL) ++ return PAM_USER_UNKNOWN; + + if (howmany <= 0) + return PAM_SUCCESS; + ++#ifndef HELPER_COMPILE ++ if (SELINUX_ENABLED) ++ return PAM_PWHISTORY_RUN_HELPER; ++#endif ++ ++ if ((strcmp(pwd->pw_passwd, "x") == 0) || ++ ((pwd->pw_passwd[0] == '#') && ++ (pwd->pw_passwd[1] == '#') && ++ (strcmp(pwd->pw_name, pwd->pw_passwd + 2) == 0))) ++ { ++ struct spwd *spw = pam_modutil_getspnam (pamh, user); ++ ++ if (spw == NULL) ++ return PAM_USER_UNKNOWN; ++ oldpass = spw->sp_pwdp; ++ } ++ else ++ oldpass = pwd->pw_passwd; ++ + if (oldpass == NULL || *oldpass == '\0') + return PAM_SUCCESS; + +@@ -447,7 +500,7 @@ save_old_pass (pam_handle_t *pamh, const char *user, uid_t uid, + { + char *out; + +- if (asprintf (&out, "%s:%d:1:%s\n", user, uid, oldpass) < 0) ++ if (asprintf (&out, "%s:%d:1:%s\n", user, pwd->pw_uid, oldpass) < 0) + { + retval = PAM_AUTHTOK_ERR; + if (oldpf) 
+diff --git a/modules/pam_pwhistory/opasswd.h b/modules/pam_pwhistory/opasswd.h +index db3e656..1b08699 100644 +--- a/modules/pam_pwhistory/opasswd.h ++++ b/modules/pam_pwhistory/opasswd.h +@@ -1,5 +1,6 @@ + /* + * Copyright (c) 2008 Thorsten Kukuk ++ * Copyright (c) 2013 Red Hat, Inc. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions +@@ -36,10 +37,32 @@ + #ifndef __OPASSWD_H__ + #define __OPASSWD_H__ + +-extern int check_old_pass (pam_handle_t *pamh, const char *user, +- const char *newpass, int debug); +-extern int save_old_pass (pam_handle_t *pamh, const char *user, +- uid_t uid, const char *oldpass, +- int howmany, int debug); ++#define PAM_PWHISTORY_RUN_HELPER PAM_CRED_INSUFFICIENT ++ ++#ifdef WITH_SELINUX ++#include ++#define SELINUX_ENABLED is_selinux_enabled()>0 ++#else ++#define SELINUX_ENABLED 0 ++#endif ++ ++#ifdef HELPER_COMPILE ++#define PAMH_ARG_DECL(fname, ...) fname(__VA_ARGS__) ++#define PAMH_ARG(...) __VA_ARGS__ ++#else ++#define PAMH_ARG_DECL(fname, ...) fname(pam_handle_t *pamh, __VA_ARGS__) ++#define PAMH_ARG(...) pamh, __VA_ARGS__ ++#endif ++ ++#ifdef HELPER_COMPILE ++void ++helper_log_err(int err, const char *format, ...); ++#endif ++ ++PAMH_ARG_DECL(int ++check_old_pass, const char *user, const char *newpass, int debug); ++ ++PAMH_ARG_DECL(int ++save_old_pass, const char *user, int howmany, int debug); + + #endif /* __OPASSWD_H__ */ +diff --git a/modules/pam_pwhistory/pam_pwhistory.c b/modules/pam_pwhistory/pam_pwhistory.c +index 654edd3..d6c5c47 100644 +--- a/modules/pam_pwhistory/pam_pwhistory.c ++++ b/modules/pam_pwhistory/pam_pwhistory.c +@@ -1,6 +1,7 @@ + /* + * Copyright (c) 2008, 2012 Thorsten Kukuk + * Author: Thorsten Kukuk ++ * Copyright (c) 2013 Red Hat, Inc. 
+ * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions +@@ -46,10 +47,14 @@ + #include + #include + #include +-#include + #include + #include + #include ++#include ++#include ++#include ++#include ++#include + + #include + #include +@@ -59,6 +64,7 @@ + #include "opasswd.h" + + #define DEFAULT_BUFLEN 2048 ++#define MAX_FD_NO 20000 + + struct options_t { + int debug; +@@ -102,6 +108,184 @@ parse_option (pam_handle_t *pamh, const char *argv, options_t *options) + pam_syslog (pamh, LOG_ERR, "pam_pwhistory: unknown option: %s", argv); + } + ++static int ++run_save_helper(pam_handle_t *pamh, const char *user, ++ int howmany, int debug) ++{ ++ int retval, child; ++ struct sigaction newsa, oldsa; ++ ++ memset(&newsa, '\0', sizeof(newsa)); ++ newsa.sa_handler = SIG_DFL; ++ sigaction(SIGCHLD, &newsa, &oldsa); ++ ++ child = fork(); ++ if (child == 0) ++ { ++ int i = 0; ++ struct rlimit rlim; ++ int dummyfds[2]; ++ static char *envp[] = { NULL }; ++ char *args[] = { NULL, NULL, NULL, NULL, NULL, NULL }; ++ ++ /* replace std file descriptors with a dummy pipe */ ++ if (pipe2(dummyfds, O_NONBLOCK) == 0) ++ { ++ dup2(dummyfds[0], STDIN_FILENO); ++ dup2(dummyfds[1], STDOUT_FILENO); ++ dup2(dummyfds[1], STDERR_FILENO); ++ } ++ ++ if (getrlimit(RLIMIT_NOFILE,&rlim) == 0) ++ { ++ if (rlim.rlim_max >= MAX_FD_NO) ++ rlim.rlim_max = MAX_FD_NO; ++ for (i = STDERR_FILENO + 1; i < (int)rlim.rlim_max; i++) ++ { ++ if (i != dummyfds[0]) ++ close(i); ++ } ++ } ++ ++ /* exec binary helper */ ++ args[0] = strdup(PWHISTORY_HELPER); ++ args[1] = strdup("save"); ++ args[2] = x_strdup(user); ++ asprintf(&args[3], "%d", howmany); ++ asprintf(&args[4], "%d", debug); ++ ++ execve(args[0], args, envp); ++ ++ _exit(PAM_SYSTEM_ERR); ++ } ++ else if (child > 0) ++ { ++ /* wait for child */ ++ int rc = 0; ++ rc = waitpid(child, &retval, 0); /* wait for helper to complete */ ++ if (rc < 0) ++ { ++ pam_syslog(pamh, 
LOG_ERR, "pwhistory_helper save waitpid returned %d: %m", rc); ++ retval = PAM_SYSTEM_ERR; ++ } ++ else if (!WIFEXITED(retval)) ++ { ++ pam_syslog(pamh, LOG_ERR, "pwhistory_helper save abnormal exit: %d", retval); ++ retval = PAM_SYSTEM_ERR; ++ } ++ else ++ { ++ retval = WEXITSTATUS(retval); ++ } ++ } ++ else ++ { ++ retval = PAM_SYSTEM_ERR; ++ } ++ ++ sigaction(SIGCHLD, &oldsa, NULL); /* restore old signal handler */ ++ ++ return retval; ++} ++ ++static int ++run_check_helper(pam_handle_t *pamh, const char *user, ++ const char *newpass, int debug) ++{ ++ int retval, child, fds[2]; ++ struct sigaction newsa, oldsa; ++ ++ /* create a pipe for the password */ ++ if (pipe(fds) != 0) ++ return PAM_SYSTEM_ERR; ++ ++ memset(&newsa, '\0', sizeof(newsa)); ++ newsa.sa_handler = SIG_DFL; ++ sigaction(SIGCHLD, &newsa, &oldsa); ++ ++ child = fork(); ++ if (child == 0) ++ { ++ int i = 0; ++ struct rlimit rlim; ++ int dummyfds[2]; ++ static char *envp[] = { NULL }; ++ char *args[] = { NULL, NULL, NULL, NULL, NULL }; ++ ++ /* reopen stdin as pipe */ ++ dup2(fds[0], STDIN_FILENO); ++ ++ /* replace std file descriptors with a dummy pipe */ ++ if (pipe2(dummyfds, O_NONBLOCK) == 0) ++ { ++ dup2(dummyfds[1], STDOUT_FILENO); ++ dup2(dummyfds[1], STDERR_FILENO); ++ } ++ ++ if (getrlimit(RLIMIT_NOFILE,&rlim) == 0) ++ { ++ if (rlim.rlim_max >= MAX_FD_NO) ++ rlim.rlim_max = MAX_FD_NO; ++ for (i = STDERR_FILENO + 1; i < (int)rlim.rlim_max; i++) ++ { ++ if (i != dummyfds[0]) ++ close(i); ++ } ++ } ++ ++ /* exec binary helper */ ++ args[0] = strdup(PWHISTORY_HELPER); ++ args[1] = strdup("check"); ++ args[2] = x_strdup(user); ++ asprintf(&args[3], "%d", debug); ++ ++ execve(args[0], args, envp); ++ ++ _exit(PAM_SYSTEM_ERR); ++ } ++ else if (child > 0) ++ { ++ /* wait for child */ ++ int rc = 0; ++ if (newpass == NULL) ++ newpass = ""; ++ ++ /* send the password to the child */ ++ if (write(fds[1], newpass, strlen(newpass)+1) == -1) ++ { ++ pam_syslog(pamh, LOG_ERR, "Cannot send password to 
helper: %m"); ++ retval = PAM_SYSTEM_ERR; ++ } ++ newpass = NULL; ++ close(fds[0]); /* close here to avoid possible SIGPIPE above */ ++ close(fds[1]); ++ rc = waitpid(child, &retval, 0); /* wait for helper to complete */ ++ if (rc < 0) ++ { ++ pam_syslog(pamh, LOG_ERR, "pwhistory_helper check waitpid returned %d: %m", rc); ++ retval = PAM_SYSTEM_ERR; ++ } ++ else if (!WIFEXITED(retval)) ++ { ++ pam_syslog(pamh, LOG_ERR, "pwhistory_helper check abnormal exit: %d", retval); ++ retval = PAM_SYSTEM_ERR; ++ } ++ else ++ { ++ retval = WEXITSTATUS(retval); ++ } ++ } ++ else ++ { ++ close(fds[0]); ++ close(fds[1]); ++ retval = PAM_SYSTEM_ERR; ++ } ++ ++ sigaction(SIGCHLD, &oldsa, NULL); /* restore old signal handler */ ++ ++ return retval; ++} + + /* This module saves the current crypted password in /etc/security/opasswd + and then compares the new password with all entries in this file. */ +@@ -109,7 +293,6 @@ parse_option (pam_handle_t *pamh, const char *argv, options_t *options) + PAM_EXTERN int + pam_sm_chauthtok (pam_handle_t *pamh, int flags, int argc, const char **argv) + { +- struct passwd *pwd; + const char *newpass; + const char *user; + int retval, tries; +@@ -154,31 +337,13 @@ pam_sm_chauthtok (pam_handle_t *pamh, int flags, int argc, const char **argv) + return PAM_SUCCESS; + } + +- pwd = pam_modutil_getpwnam (pamh, user); +- if (pwd == NULL) +- return PAM_USER_UNKNOWN; ++ retval = save_old_pass (pamh, user, options.remember, options.debug); + +- if ((strcmp(pwd->pw_passwd, "x") == 0) || +- ((pwd->pw_passwd[0] == '#') && +- (pwd->pw_passwd[1] == '#') && +- (strcmp(pwd->pw_name, pwd->pw_passwd + 2) == 0))) +- { +- struct spwd *spw = pam_modutil_getspnam (pamh, user); +- if (spw == NULL) +- return PAM_USER_UNKNOWN; ++ if (retval == PAM_PWHISTORY_RUN_HELPER) ++ retval = run_save_helper(pamh, user, options.remember, options.debug); + +- retval = save_old_pass (pamh, user, pwd->pw_uid, spw->sp_pwdp, +- options.remember, options.debug); +- if (retval != PAM_SUCCESS) 
+- return retval; +- } +- else +- { +- retval = save_old_pass (pamh, user, pwd->pw_uid, pwd->pw_passwd, +- options.remember, options.debug); +- if (retval != PAM_SUCCESS) +- return retval; +- } ++ if (retval != PAM_SUCCESS) ++ return retval; + + newpass = NULL; + tries = 0; +@@ -207,8 +372,11 @@ pam_sm_chauthtok (pam_handle_t *pamh, int flags, int argc, const char **argv) + if (options.debug) + pam_syslog (pamh, LOG_DEBUG, "check against old password file"); + +- if (check_old_pass (pamh, user, newpass, +- options.debug) != PAM_SUCCESS) ++ retval = check_old_pass (pamh, user, newpass, options.debug); ++ if (retval == PAM_PWHISTORY_RUN_HELPER) ++ retval = run_check_helper(pamh, user, newpass, options.debug); ++ ++ if (retval != PAM_SUCCESS) + { + if (getuid() || options.enforce_for_root || + (flags & PAM_CHANGE_EXPIRED_AUTHTOK)) +diff --git a/modules/pam_pwhistory/pwhistory_helper.8.xml b/modules/pam_pwhistory/pwhistory_helper.8.xml +new file mode 100644 +index 0000000..a030176 +--- /dev/null ++++ b/modules/pam_pwhistory/pwhistory_helper.8.xml +@@ -0,0 +1,68 @@ ++ ++ ++ ++ ++ ++ ++ pwhistory_helper ++ 8 ++ Linux-PAM Manual ++ ++ ++ ++ pwhistory_helper ++ Helper binary that transfers password hashes from passwd or shadow to opasswd ++ ++ ++ ++ ++ pwhistory_helper ++ ++ ... ++ ++ ++ ++ ++ ++ ++ DESCRIPTION ++ ++ ++ pwhistory_helper is a helper program for the ++ pam_pwhistory module that transfers password hashes ++ from passwd or shadow file to the opasswd file and checks a password ++ supplied by user against the existing hashes in the opasswd file. ++ ++ ++ ++ The purpose of the helper is to enable tighter confinement of ++ login and password changing services. The helper is thus called only ++ when SELinux is enabled on the system. ++ ++ ++ ++ The interface of the helper - command line options, and input/output ++ data format are internal to the pam_pwhistory ++ module and it should not be called directly from applications. 
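Review bot: The new `if (retval != PAM_SUCCESS)` at the end of this hunk folds every non-success code from `check_old_pass`/`run_check_helper` into the branch that treats the password as a history hit, but `run_check_helper` (earlier in this patch) returns PAM_SYSTEM_ERR when the pipe, fork, waitpid or the child's exit status fails, so an operational failure of the helper is presented to the user as a reused password, and for a root caller without `enforce_for_root` it appears to be waved through like a policy miss. If `check_old_pass` signals a real match with a distinct code such as PAM_AUTHTOK_ERR (its definition is not in this hunk), test for that explicitly and propagate everything else to the caller: `if (retval != PAM_SUCCESS && retval != PAM_AUTHTOK_ERR) return retval;` placed before the existing block. A `pam_syslog(pamh, LOG_ERR, ...)` on that path would also make a misconfigured or unconfined helper visible in the logs instead of looking like a policy rejection. `pam_sm_chauthtok` begins and ends outside the hunk.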
++ ++ ++ ++ ++ SEE ALSO ++ ++ ++ pam_pwhistory8 ++ ++ ++ ++ ++ ++ AUTHOR ++ ++ Written by Tomas Mraz based on the code originally in ++ pam_pwhistory and pam_unix modules. ++ ++ ++ ++ +diff --git a/modules/pam_pwhistory/pwhistory_helper.c b/modules/pam_pwhistory/pwhistory_helper.c +new file mode 100644 +index 0000000..b07ab81 +--- /dev/null ++++ b/modules/pam_pwhistory/pwhistory_helper.c +@@ -0,0 +1,209 @@ ++/* ++ * Copyright (c) 2013 Red Hat, Inc. ++ * Author: Tomas Mraz ++ * ++ * Redistribution and use in source and binary forms, with or without ++ * modification, are permitted provided that the following conditions ++ * are met: ++ * 1. Redistributions of source code must retain the above copyright ++ * notice, and the entire permission notice in its entirety, ++ * including the disclaimer of warranties. ++ * 2. Redistributions in binary form must reproduce the above copyright ++ * notice, this list of conditions and the following disclaimer in the ++ * documentation and/or other materials provided with the distribution. ++ * 3. The name of the author may not be used to endorse or promote ++ * products derived from this software without specific prior ++ * written permission. ++ * ++ * ALTERNATIVELY, this product may be distributed under the terms of ++ * the GNU Public License, in which case the provisions of the GPL are ++ * required INSTEAD OF the above restrictions. (This clause is ++ * necessary due to a potential bad interaction between the GPL and ++ * the restrictions contained in a BSD-style copyright.) ++ * ++ * THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED ++ * WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES ++ * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE ++ * DISCLAIMED. 
IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, ++ * INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES ++ * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR ++ * SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) ++ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, ++ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ++ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED ++ * OF THE POSSIBILITY OF SUCH DAMAGE. ++ */ ++ ++#include "config.h" ++ ++#include ++#include ++#include ++#include ++#include ++#include ++#include ++#include ++#include ++#include "opasswd.h" ++ ++#define MAXPASS 200 ++ ++static void ++su_sighandler(int sig) ++{ ++#ifndef SA_RESETHAND ++ /* emulate the behaviour of the SA_RESETHAND flag */ ++ if ( sig == SIGILL || sig == SIGTRAP || sig == SIGBUS || sig = SIGSERV ) { ++ struct sigaction sa; ++ memset(&sa, '\0', sizeof(sa)); ++ sa.sa_handler = SIG_DFL; ++ sigaction(sig, &sa, NULL); ++ } ++#endif ++ if (sig > 0) { ++ _exit(sig); ++ } ++} ++ ++static void ++setup_signals(void) ++{ ++ struct sigaction action; /* posix signal structure */ ++ ++ /* ++ * Setup signal handlers ++ */ ++ (void) memset((void *) &action, 0, sizeof(action)); ++ action.sa_handler = su_sighandler; ++#ifdef SA_RESETHAND ++ action.sa_flags = SA_RESETHAND; ++#endif ++ (void) sigaction(SIGILL, &action, NULL); ++ (void) sigaction(SIGTRAP, &action, NULL); ++ (void) sigaction(SIGBUS, &action, NULL); ++ (void) sigaction(SIGSEGV, &action, NULL); ++ action.sa_handler = SIG_IGN; ++ action.sa_flags = 0; ++ (void) sigaction(SIGTERM, &action, NULL); ++ (void) sigaction(SIGHUP, &action, NULL); ++ (void) sigaction(SIGINT, &action, NULL); ++ (void) sigaction(SIGQUIT, &action, NULL); ++} ++ ++static int ++read_passwords(int fd, int npass, char **passwords) ++{ ++ int rbytes = 0; ++ int offset = 0; ++ int i = 0; ++ char *pptr; ++ while (npass > 0) ++ { ++ rbytes = read(fd, 
passwords[i]+offset, MAXPASS-offset); ++ ++ if (rbytes < 0) ++ { ++ if (errno == EINTR) continue; ++ break; ++ } ++ if (rbytes == 0) ++ break; ++ ++ while (npass > 0 && (pptr=memchr(passwords[i]+offset, '\0', rbytes)) ++ != NULL) ++ { ++ rbytes -= pptr - (passwords[i]+offset) + 1; ++ i++; ++ offset = 0; ++ npass--; ++ if (rbytes > 0) ++ { ++ if (npass > 0) ++ memcpy(passwords[i], pptr+1, rbytes); ++ memset(pptr+1, '\0', rbytes); ++ } ++ } ++ offset += rbytes; ++ } ++ ++ /* clear up */ ++ if (offset > 0 && npass > 0) ++ memset(passwords[i], '\0', offset); ++ ++ return i; ++} ++ ++ ++static int ++check_history(const char *user, const char *debug) ++{ ++ char pass[MAXPASS + 1]; ++ char *passwords[] = { pass }; ++ int npass; ++ int dbg = atoi(debug); /* no need to be too fancy here */ ++ int retval; ++ ++ /* read the password from stdin (a pipe from the pam_pwhistory module) */ ++ npass = read_passwords(STDIN_FILENO, 1, passwords); ++ ++ if (npass != 1) ++ { /* is it a valid password? */ ++ helper_log_err(LOG_DEBUG, "no password supplied"); ++ return PAM_AUTHTOK_ERR; ++ } ++ ++ retval = check_old_pass(user, pass, dbg); ++ ++ memset(pass, '\0', MAXPASS); /* clear memory of the password */ ++ ++ return retval; ++} ++ ++static int ++save_history(const char *user, const char *howmany, const char *debug) ++{ ++ int num = atoi(howmany); ++ int dbg = atoi(debug); /* no need to be too fancy here */ ++ int retval; ++ ++ retval = save_old_pass(user, num, dbg); ++ ++ return retval; ++} ++ ++int ++main(int argc, char *argv[]) ++{ ++ const char *option; ++ const char *user; ++ ++ /* ++ * Catch or ignore as many signal as possible. ++ */ ++ setup_signals(); ++ ++ /* ++ * we establish that this program is running with non-tty stdin. ++ * this is to discourage casual use. 
++ */
++
++ if (isatty(STDIN_FILENO) || argc < 4)
++ {
++ fprintf(stderr,
++ "This binary is not designed for running in this way.\n");
++ sleep(10); /* this should discourage/annoy the user */
++ return PAM_SYSTEM_ERR;
++ }
++
++ option = argv[1];
++ user = argv[2];
++
++ if (strcmp(option, "check") == 0 && argc == 4)
++ return check_history(user, argv[3]);
++ else if (strcmp(option, "save") == 0 && argc == 5)
++ return save_history(user, argv[3], argv[4]);
++
++ return PAM_SYSTEM_ERR;
++}
++
diff --git a/SOURCES/pam-1.1.8-relax-audit.patch b/SOURCES/pam-1.1.8-relax-audit.patch
new file mode 100644
index 0000000..8355fa4
--- /dev/null
+++ b/SOURCES/pam-1.1.8-relax-audit.patch
@@ -0,0 +1,12 @@
+diff -up Linux-PAM-1.1.8/libpam/pam_audit.c.relax-audit Linux-PAM-1.1.8/libpam/pam_audit.c
+--- Linux-PAM-1.1.8/libpam/pam_audit.c.relax-audit 2016-03-03 10:01:15.000000000 +0100
++++ Linux-PAM-1.1.8/libpam/pam_audit.c 2016-04-22 15:18:55.692925308 +0200
+@@ -53,7 +53,7 @@ _pam_audit_writelog(pam_handle_t *pamh,
+ pamh->audit_state |= PAMAUDIT_LOGGED;
+
+ if (rc < 0) {
+- if (rc == -EPERM && getuid() != 0)
++ if (rc == -EPERM)
+ return 0;
+ if (errno != old_errno) {
+ old_errno = errno;
diff --git a/SOURCES/pam-1.1.8-succeed-if-large-uid.patch b/SOURCES/pam-1.1.8-succeed-if-large-uid.patch
new file mode 100644
index 0000000..74ec3f3
--- /dev/null
+++ b/SOURCES/pam-1.1.8-succeed-if-large-uid.patch
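Review bot: `main` hands any `user` taken from argv[2] straight to `check_history`/`save_history` without checking who invoked the helper, so if the binary is installed setuid root (not visible in this hunk, but implied by a helper that must read shadow and opasswd) an unprivileged local user can run `pwhistory_helper check <victim> 0`, feed candidate passwords on stdin and use the exit status as an oracle against another account's password history. The sibling unix_chkpwd helper closes the same hole by requiring a non-root caller's real uid to resolve to the named user; the same guard belongs before the option dispatch, as sketched below (`getpwuid` needs `<pwd.h>`; the include list is not legible in this rendering). Separately, the `#ifndef SA_RESETHAND` branch of `su_sighandler` reads `sig = SIGSERV`, which is both an assignment and a misspelled signal and will not compile on any platform that takes that branch; `sig == SIGSEGV` is meant. Finally, the trailing `memset(pass, '\0', MAXPASS)` in `check_history` clears a local that is dead afterwards, so the compiler is free to drop it; write it through a `volatile` pointer or an explicit-bzero style helper if the tree has one.
```c
  option = argv[1];
  user = argv[2];

  /* A non-root caller may only query or update its own history. */
  if (getuid() != 0)
    {
      struct passwd *pw = getpwuid(getuid());
      if (pw == NULL || strcmp(pw->pw_name, user) != 0)
        return PAM_AUTH_ERR;
    }

  /* … unchanged: "check" / "save" option dispatch … */
```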
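Review bot: Removing `getuid() != 0` from the `-EPERM` test makes a root-owned caller that lacks CAP_AUDIT_WRITE also return 0 from `_pam_audit_writelog` with nothing logged, so an administrator who relies on PAM audit records loses them silently rather than seeing the error path below. The motivation is presumably root processes inside unprivileged containers (inferred from the patch name, not visible here); record that in a comment so the relaxation is not later mistaken for a bug, e.g. `/* EPERM: no CAP_AUDIT_WRITE (unprivileged container); the record is dropped silently */`, and consider a one-time `pam_syslog(pamh, LOG_DEBUG, ...)` so the loss is at least discoverable. `_pam_audit_writelog` begins and ends outside the hunk.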
@@ -0,0 +1,85 @@
+diff -up Linux-PAM-1.1.8/modules/pam_succeed_if/pam_succeed_if.c.large-uid Linux-PAM-1.1.8/modules/pam_succeed_if/pam_succeed_if.c
+--- Linux-PAM-1.1.8/modules/pam_succeed_if/pam_succeed_if.c.large-uid 2013-06-18 16:11:21.000000000 +0200
++++ Linux-PAM-1.1.8/modules/pam_succeed_if/pam_succeed_if.c 2016-07-19 15:00:57.366549150 +0200
+@@ -68,20 +68,20 @@
+ * PAM_SERVICE_ERR if the arguments can't be parsed as numbers. */
+ static int
+ evaluate_num(const pam_handle_t *pamh, const char *left,
+- const char *right, int (*cmp)(int, int))
++ const char *right, int (*cmp)(long long, long long))
+ {
+- long l, r;
++ long long l, r;
+ char *p;
+ int ret = PAM_SUCCESS;
+
+ errno = 0;
+- l = strtol(left, &p, 0);
++ l = strtoll(left, &p, 0);
+ if ((p == NULL) || (*p != '\0') || errno) {
+ pam_syslog(pamh, LOG_INFO, "\"%s\" is not a number", left);
+ ret = PAM_SERVICE_ERR;
+ }
+
+- r = strtol(right, &p, 0);
++ r = strtoll(right, &p, 0);
+ if ((p == NULL) || (*p != '\0') || errno) {
+ pam_syslog(pamh, LOG_INFO, "\"%s\" is not a number", right);
+ ret = PAM_SERVICE_ERR;
+@@ -96,32 +96,32 @@ evaluate_num(const pam_handle_t *pamh, c
+
+ /* Simple numeric comparison callbacks. */
+ static int
+-eq(int i, int j)
++eq(long long i, long long j)
+ {
+ return i == j;
+ }
+ static int
+-ne(int i, int j)
++ne(long long i, long long j)
+ {
+ return i != j;
+ }
+ static int
+-lt(int i, int j)
++lt(long long i, long long j)
+ {
+ return i < j;
+ }
+ static int
+-le(int i, int j)
++le(long long i, long long j)
+ {
+ return lt(i, j) || eq(i, j);
+ }
+ static int
+-gt(int i, int j)
++gt(long long i, long long j)
+ {
+ return i > j;
+ }
+ static int
+-ge(int i, int j)
++ge(long long i, long long j)
+ {
+ return gt(i, j) || eq(i, j);
+ }
+@@ -298,7 +298,7 @@ evaluate(pam_handle_t *pamh, int debug,
+ }
+ if (strcasecmp(left, "rhost") == 0) {
+ const void *rhost;
+- if (pam_get_item(pamh, PAM_SERVICE, &rhost) != PAM_SUCCESS ||
++ if (pam_get_item(pamh, PAM_RHOST, &rhost) != PAM_SUCCESS ||
+ rhost == NULL)
+ rhost = "";
+ snprintf(buf, sizeof(buf), "%s", (const char *)rhost);
+@@ -306,7 +306,7 @@ evaluate(pam_handle_t *pamh, int debug,
+ }
+ if (strcasecmp(left, "tty") == 0) {
+ const void *tty;
+- if (pam_get_item(pamh, PAM_SERVICE, &tty) != PAM_SUCCESS ||
++ if (pam_get_item(pamh, PAM_TTY, &tty) != PAM_SUCCESS ||
+ tty == NULL)
+ tty = "";
+ snprintf(buf, sizeof(buf), "%s", (const char *)tty);
diff --git a/SOURCES/pam-1.1.8-translation-updates.patch b/SOURCES/pam-1.1.8-translation-updates.patch
new file mode 100644
index 0000000..a0ba9aa
--- /dev/null
+++ b/SOURCES/pam-1.1.8-translation-updates.patch
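Review bot: `evaluate_num` still accepts an empty operand as the number 0, because `strtoll("", &p, 0)` leaves `p` pointing at the input where `*p == '\0'` holds and `errno` stays clear, so a mistyped rule such as `uid >=` with a missing right-hand side silently compares against zero; the widening to `long long` in the first hunk does not change that. The `p == NULL` test is dead since strtoll always stores through a non-NULL `endptr`, so replace it with the check that actually rejects this case, `if ((p == left) || (*p != '\0') || errno) {` and `if ((p == right) || (*p != '\0') || errno) {` for the second conversion. `errno` is only reset before the first conversion, so an ERANGE from `left` also makes `right` be logged as "not a number"; add `errno = 0;` before the second strtoll so the two diagnostics stay independent. The PAM_SERVICE to PAM_RHOST/PAM_TTY corrections in the last two hunks look right; `evaluate` begins and ends outside them.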
@@ -0,0 +1,1522 @@ +diff -urN a/Linux-PAM-1.1.8/po/bn_IN.po b/Linux-PAM-1.1.8/po/bn_IN.po +--- a/Linux-PAM-1.1.8/po/bn_IN.po 2013-11-28 17:24:14.190596598 +0530 ++++ b/Linux-PAM-1.1.8/po/bn_IN.po 2013-11-28 17:27:02.136118296 +0530 +@@ -1,314 +1,335 @@ + # SOME DESCRIPTIVE TITLE. + # Copyright (C) YEAR Linux-PAM Project + # This file is distributed under the same license as the PACKAGE package. +-# ++# + # Translators: + # Runa Bhattacharjee , 2009. + # Runa Bhattacharjee , 2007, 2008. + # , 2012. ++# sray , 2013. #zanata + msgid "" + msgstr "" + "Project-Id-Version: Linux-PAM\n" + "Report-Msgid-Bugs-To: http://sourceforge.net/projects/pam\n" +-"POT-Creation-Date: 2013-09-19 10:02+0200\n" +-"PO-Revision-Date: 2012-02-28 10:38+0000\n" +-"Last-Translator: runa \n" ++"POT-Creation-Date: 2012-08-17 11:35+0200\n" ++"PO-Revision-Date: 2013-10-03 02:24-0400\n" ++"Last-Translator: sray \n" + "Language-Team: Bengali (India) \n" + "MIME-Version: 1.0\n" + "Content-Type: text/plain; charset=UTF-8\n" + "Content-Transfer-Encoding: 8bit\n" +-"Language: bn_IN\n" ++"Language: bn-IN\n" + "Plural-Forms: nplurals=2; plural=(n != 1)\n" ++"X-Generator: Zanata 3.1.2\n" + +-#: libpam_misc/misc_conv.c:33 ++#. * external timeout definitions - these can be overriden by the ++#. * application. ++#. time when we warn ++#. time when we timeout ++#: .././libpam_misc/misc_conv.c:33 + msgid "...Time is running out...\n" + msgstr "...সময় সমাপ্তির পথে...\n" + +-#: libpam_misc/misc_conv.c:34 ++#: .././libpam_misc/misc_conv.c:34 + msgid "...Sorry, your time is up!\n" + msgstr "...দুঃখিত, সময় সমাপ্ত!\n" + +-#: libpam_misc/misc_conv.c:342 ++#: .././libpam_misc/misc_conv.c:342 + #, c-format + msgid "erroneous conversation (%d)\n" + msgstr "ত্রুটিপূর্ণ তথ্যবিনিময় (conversation) (%d)\n" + +-#: libpam/pam_get_authtok.c:39 modules/pam_exec/pam_exec.c:170 +-#: modules/pam_unix/pam_unix_auth.c:160 modules/pam_userdb/pam_userdb.c:64 ++#. 
get this user's authentication token ++#: .././libpam/pam_get_authtok.c:39 ++#: .././modules/pam_exec/pam_exec.c:142 ++#: .././modules/pam_unix/pam_unix_auth.c:160 ++#: .././modules/pam_userdb/pam_userdb.c:64 + msgid "Password: " + msgstr "পাসওয়ার্ড: " + +-#: libpam/pam_get_authtok.c:41 modules/pam_cracklib/pam_cracklib.c:68 ++#. For Translators: "%s%s" could be replaced with " " or "". ++#: .././libpam/pam_get_authtok.c:41 ++#: .././modules/pam_cracklib/pam_cracklib.c:68 + #, c-format + msgid "New %s%spassword: " + msgstr "নতুন %s%s পাসওয়ার্ড: " + +-#: libpam/pam_get_authtok.c:43 modules/pam_cracklib/pam_cracklib.c:70 ++#. For Translators: "%s%s" could be replaced with " " or "". ++#: .././libpam/pam_get_authtok.c:43 ++#: .././modules/pam_cracklib/pam_cracklib.c:70 + #, c-format + msgid "Retype new %s%spassword: " + msgstr "নতুন %s%s পাসওয়ার্ড পুনরায় লিখুন: " + +-#: libpam/pam_get_authtok.c:44 modules/pam_cracklib/pam_cracklib.c:71 ++#: .././libpam/pam_get_authtok.c:44 ++#: .././modules/pam_cracklib/pam_cracklib.c:71 + msgid "Sorry, passwords do not match." + msgstr "দুঃখিত, পাসওয়ার্ড দুটি এক নয়।" + +-#: libpam/pam_get_authtok.c:135 libpam/pam_get_authtok.c:211 ++#: .././libpam/pam_get_authtok.c:135 ++#: .././libpam/pam_get_authtok.c:211 + #, c-format + msgid "Retype %s" + msgstr "%s পুনরায় লিখুন" + +-#: libpam/pam_get_authtok.c:155 libpam/pam_get_authtok.c:227 ++#. We want to abort the password change ++#: .././libpam/pam_get_authtok.c:155 ++#: .././libpam/pam_get_authtok.c:227 + msgid "Password change aborted." 
+ msgstr "পাসওয়ার্ড পরিবর্তনের কর্ম পরিত্যাগ করা হয়েছে।" + +-#: libpam/pam_item.c:311 ++#: .././libpam/pam_item.c:311 + msgid "login:" + msgstr "লগ-ইন:" + +-#: libpam/pam_strerror.c:40 ++#: .././libpam/pam_strerror.c:40 + msgid "Success" + msgstr "সফল" + +-#: libpam/pam_strerror.c:42 ++#: .././libpam/pam_strerror.c:42 + msgid "Critical error - immediate abort" + msgstr "গুরুতব সমস্যা - এই মুহূর্তে পরিত্যাগ করা হবে" + +-#: libpam/pam_strerror.c:44 ++#: .././libpam/pam_strerror.c:44 + msgid "Failed to load module" + msgstr "মডিউল লোড করতে ব্যর্থ" + +-#: libpam/pam_strerror.c:46 ++#: .././libpam/pam_strerror.c:46 + msgid "Symbol not found" + msgstr "চিহ্ন পাওয়া যায়নি" + +-#: libpam/pam_strerror.c:48 ++#: .././libpam/pam_strerror.c:48 + msgid "Error in service module" + msgstr "পরিসেবা মডিউলে সমস্যা" + +-#: libpam/pam_strerror.c:50 ++#: .././libpam/pam_strerror.c:50 + msgid "System error" + msgstr "সিস্টেম সংক্রান্ত সমস্যা" + +-#: libpam/pam_strerror.c:52 ++#: .././libpam/pam_strerror.c:52 + msgid "Memory buffer error" + msgstr "মেমরি বাফার সংক্রান্ত সমস্যা" + +-#: libpam/pam_strerror.c:54 ++#: .././libpam/pam_strerror.c:54 + msgid "Permission denied" + msgstr "অনুমতি প্রদান করা হয়নি" + +-#: libpam/pam_strerror.c:56 ++#: .././libpam/pam_strerror.c:56 + msgid "Authentication failure" + msgstr "অনুমোদন ব্যর্থ" + +-#: libpam/pam_strerror.c:58 ++#: .././libpam/pam_strerror.c:58 + msgid "Insufficient credentials to access authentication data" + msgstr "অনুমোদন সংক্রান্ত তথ্য প্রাপ্ত করার জন্য পর্যাপ্ত প্রমাণ উপলব্ধ নেই" + +-#: libpam/pam_strerror.c:60 ++#: .././libpam/pam_strerror.c:60 + msgid "Authentication service cannot retrieve authentication info" + msgstr "অনুমোদন পরিসেবা দ্বারা অনুমোদন সংক্রান্ত তথ্য উদ্ধার করা সম্ভব হয়নি" + +-#: libpam/pam_strerror.c:62 ++#: .././libpam/pam_strerror.c:62 + msgid "User not known to the underlying authentication module" + msgstr "পটভূমিতে চলমান অনুমোদন ব্যবস্থায় ব্যবহারকারী পরিচিত নন।" + +-#: libpam/pam_strerror.c:64 ++#: 
.././libpam/pam_strerror.c:64 + msgid "Have exhausted maximum number of retries for service" + msgstr "পরিসেবায় উপলব্ধ সর্বাধিক প্রচেষ্টার সুযোগ সংখ্যা সমাপ্ত" + +-#: libpam/pam_strerror.c:66 ++#: .././libpam/pam_strerror.c:66 + msgid "Authentication token is no longer valid; new one required" + msgstr "অনুমোদনের টোকেন বৈধ নয়; নতুন টোকেন ব্যবহার করা আবশ্যক" + +-#: libpam/pam_strerror.c:68 ++#: .././libpam/pam_strerror.c:68 + msgid "User account has expired" + msgstr "ব্যবহারকারী অ্যাকাউন্টের মেয়াদ পূর্ণ হয়েছে" + +-#: libpam/pam_strerror.c:70 ++#: .././libpam/pam_strerror.c:70 + msgid "Cannot make/remove an entry for the specified session" + msgstr "সুনির্দিষ্ট সেশানের জন্য কোনো এন্ট্রি নির্মাণ/অপসারণ করা সম্ভব নয়" + +-#: libpam/pam_strerror.c:72 ++#: .././libpam/pam_strerror.c:72 + msgid "Authentication service cannot retrieve user credentials" + msgstr "অনুমোদন পরিসেবা দ্বারা প্রয়োজনীয় প্রমাণ উদ্ধার করা সম্ভব হয়নি" + +-#: libpam/pam_strerror.c:74 ++#: .././libpam/pam_strerror.c:74 + msgid "User credentials expired" + msgstr "ব্যবহারকারীর পরিচয়প্রমাণের তথ্যের মেয়াদ পূর্ণ হয়েছে" + +-#: libpam/pam_strerror.c:76 ++#: .././libpam/pam_strerror.c:76 + msgid "Failure setting user credentials" + msgstr "ব্যবহারকারীর পরিচয়প্রমাণের তথ্য নির্ধারণ করতে ব্যর্থ" + +-#: libpam/pam_strerror.c:78 ++#: .././libpam/pam_strerror.c:78 + msgid "No module specific data is present" + msgstr "মডিউল সংক্রান্ত কোনো তথ্য উপস্থিত নেই" + +-#: libpam/pam_strerror.c:80 ++#: .././libpam/pam_strerror.c:80 + msgid "Bad item passed to pam_*_item()" + msgstr "pam_*_item()-এ সঠিক মান প্রেরিত হয়নি" + +-#: libpam/pam_strerror.c:82 ++#: .././libpam/pam_strerror.c:82 + msgid "Conversation error" + msgstr "Conversation অর্থাৎ তথ্য বিনিময়কালীন সমস্যা" + +-#: libpam/pam_strerror.c:84 ++#: .././libpam/pam_strerror.c:84 + msgid "Authentication token manipulation error" + msgstr "অনুমোদন টোকেন ব্যবস্থাপনা করতে সমস্যা" + +-#: libpam/pam_strerror.c:86 ++#: .././libpam/pam_strerror.c:86 + msgid 
"Authentication information cannot be recovered" + msgstr "অনুমোদন সংক্রান্ত তথ্য পুনরুদ্ধার করতে ব্যর্থ" + +-#: libpam/pam_strerror.c:88 ++#: .././libpam/pam_strerror.c:88 + msgid "Authentication token lock busy" + msgstr "অনুমোদন টোকেনের লক ব্যস্ত" + +-#: libpam/pam_strerror.c:90 ++#: .././libpam/pam_strerror.c:90 + msgid "Authentication token aging disabled" + msgstr "অনুমোদন টোকেনের মেয়াদ পূর্তী ব্যবস্থা নিষ্ক্রিয়" + +-#: libpam/pam_strerror.c:92 ++#: .././libpam/pam_strerror.c:92 + msgid "Failed preliminary check by password service" + msgstr "পাসওয়ার্ড পরিসেবা দ্বারা প্রারম্ভিক পরীক্ষা ব্যর্থ" + +-#: libpam/pam_strerror.c:94 ++#: .././libpam/pam_strerror.c:94 + msgid "The return value should be ignored by PAM dispatch" + msgstr "উৎপন্ন মান PAM dispatch দ্বারা অগ্রাহ্য করা হবে" + +-#: libpam/pam_strerror.c:96 ++#: .././libpam/pam_strerror.c:96 + msgid "Module is unknown" + msgstr "মডিউল অজানা" + +-#: libpam/pam_strerror.c:98 ++#: .././libpam/pam_strerror.c:98 + msgid "Authentication token expired" + msgstr "অনুমোদন টোকেনের মেয়াদ পূর্ণ হয়েছে" + +-#: libpam/pam_strerror.c:100 ++#: .././libpam/pam_strerror.c:100 + msgid "Conversation is waiting for event" +-msgstr "Conversation অর্থাৎ তথ্য বিনিময় প্রক্রিয়া একটি ইভেন্টের অপেক্ষায় রয়েছে" ++msgstr "" ++"Conversation অর্থাৎ তথ্য বিনিময় প্রক্রিয়া একটি ইভেন্টের অপেক্ষায় রয়েছে" + +-#: libpam/pam_strerror.c:102 ++#: .././libpam/pam_strerror.c:102 + msgid "Application needs to call libpam again" + msgstr "অ্যাপ্লিকেশন দ্বারা পুনরায় libpam আরম্ভ করা আবশ্যক" + +-#: libpam/pam_strerror.c:105 ++#: .././libpam/pam_strerror.c:105 + msgid "Unknown PAM error" + msgstr "PAM সংক্রান্ত অজানা ত্রুটি" + +-#: modules/pam_cracklib/pam_cracklib.c:618 ++#: .././modules/pam_cracklib/pam_cracklib.c:618 + msgid "is the same as the old one" + msgstr "পুরোনোটির অনুরূপ" + +-#: modules/pam_cracklib/pam_cracklib.c:624 +-#: modules/pam_cracklib/pam_cracklib.c:628 +-#: modules/pam_cracklib/pam_cracklib.c:638 ++#: 
.././modules/pam_cracklib/pam_cracklib.c:624 ++#: .././modules/pam_cracklib/pam_cracklib.c:628 ++#: .././modules/pam_cracklib/pam_cracklib.c:638 + msgid "memory allocation error" + msgstr "মেমরি বরাদ্দ করতে সমস্যা" + +-#: modules/pam_cracklib/pam_cracklib.c:643 ++#: .././modules/pam_cracklib/pam_cracklib.c:643 + msgid "is a palindrome" + msgstr "উভমুখী শব্দ" + +-#: modules/pam_cracklib/pam_cracklib.c:646 ++#: .././modules/pam_cracklib/pam_cracklib.c:646 + msgid "case changes only" + msgstr "শুধুমাত্র হরফের ছাঁদ পরিবর্তন করা হয়েছে" + +-#: modules/pam_cracklib/pam_cracklib.c:649 ++#: .././modules/pam_cracklib/pam_cracklib.c:649 + msgid "is too similar to the old one" + msgstr "পুরোনো পাসওয়ার্ডের সমতূল্য" + +-#: modules/pam_cracklib/pam_cracklib.c:652 ++#: .././modules/pam_cracklib/pam_cracklib.c:652 + msgid "is too simple" + msgstr "জটিল নয়" + +-#: modules/pam_cracklib/pam_cracklib.c:655 ++#: .././modules/pam_cracklib/pam_cracklib.c:655 + msgid "is rotated" + msgstr "ঘোরানো হয়েছে" + +-#: modules/pam_cracklib/pam_cracklib.c:658 ++#: .././modules/pam_cracklib/pam_cracklib.c:658 + msgid "not enough character classes" + msgstr "পর্যাপ্ত অক্ষর শ্রেণী উপস্থিত নেই" + +-#: modules/pam_cracklib/pam_cracklib.c:661 ++#: .././modules/pam_cracklib/pam_cracklib.c:661 + msgid "contains too many same characters consecutively" + msgstr "একই অক্ষর অত্যাধিক বার ক্রমাগত ব্যবহার করা হয়েছে" + +-#: modules/pam_cracklib/pam_cracklib.c:664 +-#, fuzzy ++#: .././modules/pam_cracklib/pam_cracklib.c:664 + msgid "contains too long of a monotonic character sequence" + msgstr "একই অক্ষর অত্যাধিক বার ক্রমাগত ব্যবহার করা হয়েছে" + +-#: modules/pam_cracklib/pam_cracklib.c:667 ++#: .././modules/pam_cracklib/pam_cracklib.c:667 + msgid "contains the user name in some form" + msgstr "কোনো রূপে ব্যবহারকারী নাম অন্তর্ভুক্ত হয়েছে" + +-#: modules/pam_cracklib/pam_cracklib.c:701 +-#: modules/pam_unix/pam_unix_passwd.c:496 ++#: .././modules/pam_cracklib/pam_cracklib.c:701 ++#: 
.././modules/pam_unix/pam_unix_passwd.c:502 + msgid "No password supplied" + msgstr "কোনো পাসওয়ার্ড উল্লিখিত হয়নি" + +-#: modules/pam_cracklib/pam_cracklib.c:701 +-#: modules/pam_unix/pam_unix_passwd.c:496 ++#: .././modules/pam_cracklib/pam_cracklib.c:701 ++#: .././modules/pam_unix/pam_unix_passwd.c:502 + msgid "Password unchanged" + msgstr "পাসওয়ার্ড পরিবর্তন করা হয়নি" + +-#: modules/pam_cracklib/pam_cracklib.c:721 +-#: modules/pam_cracklib/pam_cracklib.c:803 ++#: .././modules/pam_cracklib/pam_cracklib.c:721 ++#: .././modules/pam_cracklib/pam_cracklib.c:803 + #, c-format + msgid "BAD PASSWORD: %s" + msgstr "পাসওয়ার্ড ভাল নয়: %s" + +-#: modules/pam_exec/pam_exec.c:273 ++#: .././modules/pam_exec/pam_exec.c:215 + #, c-format + msgid "%s failed: exit code %d" + msgstr "%s বিফল: প্রস্থানকালীন কোড %d" + +-#: modules/pam_exec/pam_exec.c:282 ++#: .././modules/pam_exec/pam_exec.c:224 + #, c-format + msgid "%s failed: caught signal %d%s" + msgstr "%s বিফল: %d%s সিগনাল প্রাপ্ত" + +-#: modules/pam_exec/pam_exec.c:291 ++#: .././modules/pam_exec/pam_exec.c:233 + #, c-format + msgid "%s failed: unknown status 0x%x" + msgstr "%s বিফল: অজানা অবস্থা 0x%x" + + #. TRANSLATORS: "strftime options for date of last login" +-#: modules/pam_lastlog/pam_lastlog.c:282 modules/pam_lastlog/pam_lastlog.c:496 ++#: .././modules/pam_lastlog/pam_lastlog.c:282 ++#: .././modules/pam_lastlog/pam_lastlog.c:496 + msgid " %a %b %e %H:%M:%S %Z %Y" + msgstr " %a %b %e %H:%M:%S %Z %Y" + + #. TRANSLATORS: " from " +-#: modules/pam_lastlog/pam_lastlog.c:291 modules/pam_lastlog/pam_lastlog.c:505 ++#: .././modules/pam_lastlog/pam_lastlog.c:291 ++#: .././modules/pam_lastlog/pam_lastlog.c:505 + #, c-format + msgid " from %.*s" + msgstr " %.*s থেকে" + + #. 
TRANSLATORS: " on " +-#: modules/pam_lastlog/pam_lastlog.c:303 modules/pam_lastlog/pam_lastlog.c:517 ++#: .././modules/pam_lastlog/pam_lastlog.c:303 ++#: .././modules/pam_lastlog/pam_lastlog.c:517 + #, c-format + msgid " on %.*s" + msgstr " %.*s -র উপর" + + #. TRANSLATORS: "Last login: from on " +-#: modules/pam_lastlog/pam_lastlog.c:313 ++#: .././modules/pam_lastlog/pam_lastlog.c:313 + #, c-format + msgid "Last login:%s%s%s" + msgstr "সর্বশেষ লগ-ইন:%s%s%s" + +-#: modules/pam_lastlog/pam_lastlog.c:319 ++#: .././modules/pam_lastlog/pam_lastlog.c:319 + msgid "Welcome to your new account!" + msgstr "নতুন অ্যাকাউন্টে স্বাগতম!" + + #. TRANSLATORS: "Last failed login: from on " +-#: modules/pam_lastlog/pam_lastlog.c:527 ++#: .././modules/pam_lastlog/pam_lastlog.c:527 + #, c-format + msgid "Last failed login:%s%s%s" + msgstr "সর্বশেষ বিফল লগ-ইন:%s%s%s" + +-#: modules/pam_lastlog/pam_lastlog.c:536 modules/pam_lastlog/pam_lastlog.c:543 ++#: .././modules/pam_lastlog/pam_lastlog.c:536 ++#: .././modules/pam_lastlog/pam_lastlog.c:543 + #, c-format + msgid "There was %d failed login attempt since the last successful login." + msgid_plural "" +@@ -317,199 +338,209 @@ + msgstr[1] "সর্বশেষ সফল লগ-ইনের পরে %d-টি ব্যর্থ লগ-ইনের প্রচেষ্টা করা হয়েছে।" + + #. TRANSLATORS: only used if dngettext is not supported +-#: modules/pam_lastlog/pam_lastlog.c:548 ++#: .././modules/pam_lastlog/pam_lastlog.c:548 + #, c-format + msgid "There were %d failed login attempts since the last successful login." + msgstr "সর্বশেষ সফল লগ-ইনের পরে %d-টি ব্যর্থ লগ-ইনের প্রচেষ্টা করা হয়েছে।" + +-#: modules/pam_limits/pam_limits.c:1079 ++#: .././modules/pam_limits/pam_limits.c:1079 + #, c-format + msgid "Too many logins for '%s'." + msgstr "'%s'-র ক্ষেত্রে অত্যাধিক লগ-ইন" + +-#: modules/pam_mail/pam_mail.c:297 ++#: .././modules/pam_mail/pam_mail.c:297 + msgid "No mail." + msgstr "কোনো মেইল নেই।" + +-#: modules/pam_mail/pam_mail.c:300 ++#: .././modules/pam_mail/pam_mail.c:300 + msgid "You have new mail." 
+ msgstr "নতুন মেইল প্রাপ্ত।" + +-#: modules/pam_mail/pam_mail.c:303 ++#: .././modules/pam_mail/pam_mail.c:303 + msgid "You have old mail." + msgstr "পুরোনো মেইল রয়েছে।" + +-#: modules/pam_mail/pam_mail.c:307 ++#: .././modules/pam_mail/pam_mail.c:307 + msgid "You have mail." + msgstr "মেইল রয়েছে।" + +-#: modules/pam_mail/pam_mail.c:314 ++#: .././modules/pam_mail/pam_mail.c:314 + #, c-format + msgid "You have no mail in folder %s." + msgstr "%s ফোল্ডারে কোনো মেইল উপস্থিত নেই।" + +-#: modules/pam_mail/pam_mail.c:318 ++#: .././modules/pam_mail/pam_mail.c:318 + #, c-format + msgid "You have new mail in folder %s." + msgstr "%s ফোল্ডারে নতুন মেইল উপস্থিত।" + +-#: modules/pam_mail/pam_mail.c:322 ++#: .././modules/pam_mail/pam_mail.c:322 + #, c-format + msgid "You have old mail in folder %s." + msgstr "%s ফোল্ডারে পুরোনো মেইল উপস্থিত রয়েছে।" + +-#: modules/pam_mail/pam_mail.c:327 ++#: .././modules/pam_mail/pam_mail.c:327 + #, c-format + msgid "You have mail in folder %s." + msgstr "%s ফোল্ডারে মেইল উপস্থিত রয়েছে।" + +-#: modules/pam_mkhomedir/pam_mkhomedir.c:113 ++#: .././modules/pam_mkhomedir/pam_mkhomedir.c:114 + #, c-format + msgid "Creating directory '%s'." + msgstr "'%s' ডিরেক্টরি নির্মাণ করা হচ্ছে।" + +-#: modules/pam_mkhomedir/pam_mkhomedir.c:183 ++#: .././modules/pam_mkhomedir/pam_mkhomedir.c:192 + #, c-format + msgid "Unable to create and initialize directory '%s'." + msgstr "ডিরেক্টরি '%s' নির্মাণ ও আরম্ভ করতে ব্যর্থ।" + +-#: modules/pam_pwhistory/pam_pwhistory.c:217 +-#: modules/pam_unix/pam_unix_passwd.c:517 ++#: .././modules/pam_pwhistory/pam_pwhistory.c:384 ++#: .././modules/pam_unix/pam_unix_passwd.c:523 + msgid "Password has been already used. Choose another." + msgstr "পাসওয়ার্ড পূর্বে ব্যবহৃত হয়েছে। একটি পৃথক পাসওয়ার্ড নির্বাচন করুন।" + +-#: modules/pam_pwhistory/pam_pwhistory.c:224 +-#, fuzzy ++#: .././modules/pam_pwhistory/pam_pwhistory.c:391 + msgid "Password has been already used." 
+-msgstr "পাসওয়ার্ড পূর্বে ব্যবহৃত হয়েছে। একটি পৃথক পাসওয়ার্ড নির্বাচন করুন।" ++msgstr "পাসওয়ার্ড পূর্বে ব্যবহৃত হয়েছে।" + +-#: modules/pam_selinux/pam_selinux.c:210 ++#: .././modules/pam_selinux/pam_selinux.c:210 + #, c-format + msgid "Default Security Context %s\n" + msgstr "ডিফল্ট Security Context %s\n" + +-#: modules/pam_selinux/pam_selinux.c:214 ++#: .././modules/pam_selinux/pam_selinux.c:214 + msgid "Would you like to enter a different role or level?" + msgstr "ভিন্ন role অথবা level লিখতে ইচ্ছুক কি?" + +-#: modules/pam_selinux/pam_selinux.c:227 ++#. Allow the user to enter role and level individually ++#: .././modules/pam_selinux/pam_selinux.c:227 + msgid "role:" + msgstr "role: " + +-#: modules/pam_selinux/pam_selinux.c:230 ++#: .././modules/pam_selinux/pam_selinux.c:230 + #, c-format + msgid "No default type for role %s\n" + msgstr "role %s-র জন্য কোনো ডিফল্ট type উপস্থিত নেই\n" + +-#: modules/pam_selinux/pam_selinux.c:262 ++#: .././modules/pam_selinux/pam_selinux.c:262 + msgid "level:" + msgstr "level: " + +-#: modules/pam_selinux/pam_selinux.c:295 ++#: .././modules/pam_selinux/pam_selinux.c:295 + msgid "Not a valid security context" + msgstr "বৈধ নিরাপত্তা সংক্রান্ত context নয়" + +-#: modules/pam_selinux/pam_selinux.c:539 ++#: .././modules/pam_selinux/pam_selinux.c:539 + #, c-format + msgid "Unable to get valid context for %s" + msgstr "%s-র বৈধ context প্রাপ্ত করতে ব্যর্থ" + +-#: modules/pam_selinux/pam_selinux.c:658 ++#: .././modules/pam_selinux/pam_selinux.c:658 + #, c-format + msgid "Security Context %s Assigned" + msgstr "Security Context %s ধার্য করা হয়েছে" + +-#: modules/pam_selinux/pam_selinux.c:674 ++#: .././modules/pam_selinux/pam_selinux.c:674 + #, c-format + msgid "Key Creation Context %s Assigned" + msgstr "কি নির্মাণের Context %s ধার্য করা হয়েছে" + +-#: modules/pam_selinux/pam_selinux_check.c:99 ++#: .././modules/pam_selinux/pam_selinux_check.c:99 + #, c-format + msgid "failed to initialize PAM\n" + msgstr "PAM আরম্ভ করতে ব্যর্থ\n" + 
+-#: modules/pam_selinux/pam_selinux_check.c:105 ++#: .././modules/pam_selinux/pam_selinux_check.c:105 + #, c-format + msgid "failed to pam_set_item()\n" + msgstr "pam_set_item() করতে ব্যর্থ\n" + +-#: modules/pam_selinux/pam_selinux_check.c:133 ++#. error in fork() ++#: .././modules/pam_selinux/pam_selinux_check.c:133 + #, c-format + msgid "login: failure forking: %m" + msgstr "লগ-ইন: fork করতে ব্যর্থ: %m" + +-#: modules/pam_stress/pam_stress.c:476 ++#: .././modules/pam_stress/pam_stress.c:476 + #, c-format + msgid "Changing STRESS password for %s." + msgstr "%s-র STRESS পাসওয়ার্ড পরিবর্তন করা হচ্ছে।" + +-#: modules/pam_stress/pam_stress.c:490 ++#: .././modules/pam_stress/pam_stress.c:490 + msgid "Enter new STRESS password: " + msgstr "নতুন STRESS পাসওয়ার্ড লিখুন: " + +-#: modules/pam_stress/pam_stress.c:493 ++#: .././modules/pam_stress/pam_stress.c:493 + msgid "Retype new STRESS password: " + msgstr "নতুন STRESS পাসওয়ার্ড পুনরায় লিখুন: " + +-#: modules/pam_stress/pam_stress.c:522 ++#: .././modules/pam_stress/pam_stress.c:522 + msgid "Verification mis-typed; password unchanged" + msgstr "নিশ্চায়ন কাল ভুল টাইপ করা হয়েছে; পাসওয়ার্ড পরিবর্তন করা হয়নি" + +-#: modules/pam_tally/pam_tally.c:541 modules/pam_tally2/pam_tally2.c:599 ++#: .././modules/pam_tally/pam_tally.c:541 ++#: .././modules/pam_tally2/pam_tally2.c:599 + #, c-format + msgid "Account temporary locked (%ld seconds left)" + msgstr "সাময়িকরূপে অ্যাকাউন্ট লক করা হয়েছে (%ld সেকেন্ড অবশিষ্ট)" + +-#: modules/pam_tally/pam_tally.c:566 modules/pam_tally2/pam_tally2.c:578 ++#: .././modules/pam_tally/pam_tally.c:566 ++#: .././modules/pam_tally2/pam_tally2.c:578 + #, c-format + msgid "Account locked due to %u failed logins" + msgstr "%u ব্যর্থ লগ-ইনের ফলে অ্যাকাউন্ট লক করা হয়েছে" + +-#: modules/pam_tally/pam_tally.c:777 modules/pam_tally2/pam_tally2.c:887 ++#: .././modules/pam_tally/pam_tally.c:777 ++#: .././modules/pam_tally2/pam_tally2.c:887 + msgid "Authentication error" + msgstr "অনুমোদন সংক্রান্ত 
সমস্যা" + +-#: modules/pam_tally/pam_tally.c:778 modules/pam_tally2/pam_tally2.c:888 ++#: .././modules/pam_tally/pam_tally.c:778 ++#: .././modules/pam_tally2/pam_tally2.c:888 + msgid "Service error" + msgstr "পরিসেবা সংক্রান্ত সমস্যা" + +-#: modules/pam_tally/pam_tally.c:779 modules/pam_tally2/pam_tally2.c:889 ++#: .././modules/pam_tally/pam_tally.c:779 ++#: .././modules/pam_tally2/pam_tally2.c:889 + msgid "Unknown user" + msgstr "অজানা ব্যবহারকারী" + +-#: modules/pam_tally/pam_tally.c:780 modules/pam_tally2/pam_tally2.c:890 ++#: .././modules/pam_tally/pam_tally.c:780 ++#: .././modules/pam_tally2/pam_tally2.c:890 + msgid "Unknown error" + msgstr "অজানা সমস্যা" + +-#: modules/pam_tally/pam_tally.c:796 modules/pam_tally2/pam_tally2.c:909 ++#: .././modules/pam_tally/pam_tally.c:796 ++#: .././modules/pam_tally2/pam_tally2.c:909 + #, c-format + msgid "%s: Bad number given to --reset=\n" + msgstr "%s: --reset= এর জন্য ভুল সংখ্যা উল্লিখিত\n" + +-#: modules/pam_tally/pam_tally.c:800 modules/pam_tally2/pam_tally2.c:913 ++#: .././modules/pam_tally/pam_tally.c:800 ++#: .././modules/pam_tally2/pam_tally2.c:913 + #, c-format + msgid "%s: Unrecognised option %s\n" + msgstr "%s: অজানা বিকল্প %s\n" + +-#: modules/pam_tally/pam_tally.c:812 ++#: .././modules/pam_tally/pam_tally.c:812 + #, c-format + msgid "" + "%s: [--file rooted-filename] [--user username] [--reset[=n]] [--quiet]\n" + msgstr "" + "%s: [--file rooted-filename] [--user username] [--reset[=n]] [--quiet]\n" + +-#: modules/pam_tally/pam_tally.c:886 modules/pam_tally2/pam_tally2.c:1039 ++#: .././modules/pam_tally/pam_tally.c:886 ++#: .././modules/pam_tally2/pam_tally2.c:1039 + #, c-format + msgid "%s: Can't reset all users to non-zero\n" + msgstr "%s: সব ব্যবহারকারীর জন্য শূণ্য-ভিন্ন মান ধার্য করতে ব্যর্থ\n" + +-#: modules/pam_tally2/pam_tally2.c:940 ++#: .././modules/pam_tally2/pam_tally2.c:940 + #, c-format + msgid "Login Failures Latest failure From\n" + msgstr "লগ-ইন বিফলতা সর্বশেষ বিফলতা চিহ্নিত স্থান থেকে\n" + +-#: 
modules/pam_tally2/pam_tally2.c:956 ++#: .././modules/pam_tally2/pam_tally2.c:956 + #, c-format + msgid "" + "%s: [-f rooted-filename] [--file rooted-filename]\n" +@@ -520,26 +551,31 @@ + " [-u username] [--user username]\n" + " [-r] [--reset[=n]] [--quiet]\n" + +-#: modules/pam_timestamp/pam_timestamp.c:345 ++#: .././modules/pam_timestamp/pam_timestamp.c:345 + #, c-format + msgid "Access granted (last access was %ld seconds ago)." + msgstr "প্রবেশাধিকার প্রদান করা হয়েছে (%ld পূর্বে সর্বশেষ লগ-ইন করা হয়েছে)।" + +-#: modules/pam_unix/pam_unix_acct.c:247 modules/pam_unix/pam_unix_acct.c:269 ++#: .././modules/pam_unix/pam_unix_acct.c:249 ++#: .././modules/pam_unix/pam_unix_acct.c:271 + msgid "Your account has expired; please contact your system administrator" + msgstr "" +-"আপনার অ্যাকাউন্টের মেয়াদপূর্ণ হয়েছে; অনুগ্রহ করে সিস্টেম অ্যাডমিনিস্ট্রেটরের সাথে " +-"যোগাযোগ করুন।" ++"আপনার অ্যাকাউন্টের মেয়াদপূর্ণ হয়েছে; অনুগ্রহ করে সিস্টেম অ্যাডমিনিস্ট্রেটরের " ++"সাথে যোগাযোগ করুন।" + +-#: modules/pam_unix/pam_unix_acct.c:255 ++#: .././modules/pam_unix/pam_unix_acct.c:257 + msgid "You are required to change your password immediately (root enforced)" +-msgstr "আপনার পাসওয়ার্ড এই মুহূর্তে পরিবর্তন করা আবশ্যক (root দ্বারা কার্যকরী)" ++msgstr "" ++"আপনার পাসওয়ার্ড এই মুহূর্তে পরিবর্তন করা আবশ্যক (root দ্বারা কার্যকরী)" + +-#: modules/pam_unix/pam_unix_acct.c:261 ++#: .././modules/pam_unix/pam_unix_acct.c:263 + msgid "You are required to change your password immediately (password aged)" +-msgstr "আপনার পাসওয়ার্ড এই মুহূর্তে পরিবর্তন করা আবশ্যক (password-র মেয়াদ পূর্ণ হয়েছে)" ++msgstr "" ++"আপনার পাসওয়ার্ড এই মুহূর্তে পরিবর্তন করা আবশ্যক (password-র মেয়াদ পূর্ণ " ++"হয়েছে)" + +-#: modules/pam_unix/pam_unix_acct.c:282 modules/pam_unix/pam_unix_acct.c:289 ++#: .././modules/pam_unix/pam_unix_acct.c:284 ++#: .././modules/pam_unix/pam_unix_acct.c:291 + #, c-format + msgid "Warning: your password will expire in %d day" + msgid_plural "Warning: your password will expire in 
%d days" +@@ -547,39 +583,37 @@ + msgstr[1] "সতর্কবাণী: %d দিন পরে পাসওয়ার্ডের মেয়াদপূর্ণ হবে" + + #. TRANSLATORS: only used if dngettext is not supported +-#: modules/pam_unix/pam_unix_acct.c:294 ++#: .././modules/pam_unix/pam_unix_acct.c:296 + #, c-format + msgid "Warning: your password will expire in %d days" + msgstr "সতর্কবাণী: %d দিন পরে পাসওয়ার্ডের মেয়াদপূর্ণ হবে" + +-#: modules/pam_unix/pam_unix_passwd.c:398 ++#: .././modules/pam_unix/pam_unix_passwd.c:404 + msgid "NIS password could not be changed." + msgstr "NIS পাসওয়ার্ড পরিবর্তন করা সম্ভব হয়নি।" + +-#: modules/pam_unix/pam_unix_passwd.c:513 ++#: .././modules/pam_unix/pam_unix_passwd.c:519 + msgid "You must choose a longer password" + msgstr "চিহ্নিত পাসওয়ার্ডের থেকে লম্বা পাসওয়ার্ড উল্লেখ করা আবশ্যক" + +-#: modules/pam_unix/pam_unix_passwd.c:619 ++#. instruct user what is happening ++#: .././modules/pam_unix/pam_unix_passwd.c:625 + #, c-format + msgid "Changing password for %s." + msgstr "%s-র পাসওয়ার্ড পরিবর্তন করা হচ্ছে।" + +-#: modules/pam_unix/pam_unix_passwd.c:630 ++#: .././modules/pam_unix/pam_unix_passwd.c:636 + msgid "(current) UNIX password: " + msgstr "(বর্তমান) UNIX পাসওয়ার্ড: " + +-#: modules/pam_unix/pam_unix_passwd.c:665 ++#: .././modules/pam_unix/pam_unix_passwd.c:671 + msgid "You must wait longer to change your password" + msgstr "কিছু কাল পরে পাসওয়ার্ড পরিবর্তন করা সম্ভব হবে" + +-#: modules/pam_unix/pam_unix_passwd.c:725 ++#: .././modules/pam_unix/pam_unix_passwd.c:731 + msgid "Enter new UNIX password: " + msgstr "নতুন UNIX পাসওয়ার্ড উল্লেখ করুন: " + +-#: modules/pam_unix/pam_unix_passwd.c:726 ++#: .././modules/pam_unix/pam_unix_passwd.c:732 + msgid "Retype new UNIX password: " + msgstr "নতুন UNIX পাসওয়ার্ড পুনরায় লিখুন: " +- +-#~ msgid "Would you like to enter a security context? [N] " +-#~ msgstr "নিরাপত্তা সংক্রান্ত context উল্লেখ করতে ইচ্ছুক কি? 
[N] " +diff -up a/Linux-PAM-1.1.8/po/pt_BR.po.translations b/Linux-PAM-1.1.8/po/pt_BR.po +--- a/Linux-PAM-1.1.8/po/pt_BR.po.translations 2013-09-19 10:02:24.000000000 +0200 ++++ b/Linux-PAM-1.1.8/po/pt_BR.po 2017-09-08 14:14:24.857295156 +0200 +@@ -1,516 +1,546 @@ + # SOME DESCRIPTIVE TITLE. + # Copyright (C) YEAR Linux-PAM Project + # This file is distributed under the same license as the PACKAGE package. +-# ++# + # Translators: + # Diego Búrigo Zacarão , 2008. + # Elder Marco , 2012. + # Glaucia Cintra , 2007. + # Taylon Silmer , 2008, 2009. ++# gcintra , 2013. #zanata + msgid "" + msgstr "" + "Project-Id-Version: Linux-PAM\n" + "Report-Msgid-Bugs-To: http://sourceforge.net/projects/pam\n" +-"POT-Creation-Date: 2013-09-19 10:02+0200\n" +-"PO-Revision-Date: 2012-02-21 12:49+0000\n" +-"Last-Translator: Elder Marco \n" ++"POT-Creation-Date: 2012-08-17 11:35+0200\n" ++"PO-Revision-Date: 2013-09-30 08:32-0400\n" ++"Last-Translator: gcintra \n" + "Language-Team: Portuguese (Brazil) \n" + "MIME-Version: 1.0\n" + "Content-Type: text/plain; charset=UTF-8\n" + "Content-Transfer-Encoding: 8bit\n" +-"Language: pt_BR\n" ++"Language: pt-BR\n" + "Plural-Forms: nplurals=2; plural=(n > 1)\n" ++"X-Generator: Zanata 3.1.2\n" + +-#: libpam_misc/misc_conv.c:33 ++#. * external timeout definitions - these can be overriden by the ++#. * application. ++#. time when we warn ++#. time when we timeout ++#: .././libpam_misc/misc_conv.c:33 + msgid "...Time is running out...\n" + msgstr "...O tempo está acabando...\n" + +-#: libpam_misc/misc_conv.c:34 ++#: .././libpam_misc/misc_conv.c:34 + msgid "...Sorry, your time is up!\n" + msgstr "...Desculpe, seu tempo está aumentando!\n" + +-#: libpam_misc/misc_conv.c:342 ++#: .././libpam_misc/misc_conv.c:342 + #, c-format + msgid "erroneous conversation (%d)\n" + msgstr "conversação errônea (%d)\n" + +-#: libpam/pam_get_authtok.c:39 modules/pam_exec/pam_exec.c:170 +-#: modules/pam_unix/pam_unix_auth.c:160 modules/pam_userdb/pam_userdb.c:64 ++#. 
get this user's authentication token ++#: .././libpam/pam_get_authtok.c:39 ++#: .././modules/pam_exec/pam_exec.c:142 ++#: .././modules/pam_unix/pam_unix_auth.c:160 ++#: .././modules/pam_userdb/pam_userdb.c:64 + msgid "Password: " + msgstr "Senha:" + +-#: libpam/pam_get_authtok.c:41 modules/pam_cracklib/pam_cracklib.c:68 ++#. For Translators: "%s%s" could be replaced with " " or "". ++#: .././libpam/pam_get_authtok.c:41 ++#: .././modules/pam_cracklib/pam_cracklib.c:68 + #, c-format + msgid "New %s%spassword: " + msgstr "Nova %s%ssenha:" + +-#: libpam/pam_get_authtok.c:43 modules/pam_cracklib/pam_cracklib.c:70 ++#. For Translators: "%s%s" could be replaced with " " or "". ++#: .././libpam/pam_get_authtok.c:43 ++#: .././modules/pam_cracklib/pam_cracklib.c:70 + #, c-format + msgid "Retype new %s%spassword: " + msgstr "Redigite a nova %s%ssenha:" + +-#: libpam/pam_get_authtok.c:44 modules/pam_cracklib/pam_cracklib.c:71 ++#: .././libpam/pam_get_authtok.c:44 ++#: .././modules/pam_cracklib/pam_cracklib.c:71 + msgid "Sorry, passwords do not match." + msgstr "As senhas não são iguais." + +-#: libpam/pam_get_authtok.c:135 libpam/pam_get_authtok.c:211 ++#: .././libpam/pam_get_authtok.c:135 ++#: .././libpam/pam_get_authtok.c:211 + #, c-format + msgid "Retype %s" + msgstr "Redigite %s" + +-#: libpam/pam_get_authtok.c:155 libpam/pam_get_authtok.c:227 ++#. We want to abort the password change ++#: .././libpam/pam_get_authtok.c:155 ++#: .././libpam/pam_get_authtok.c:227 + msgid "Password change aborted." + msgstr "A alteração de senha foi abortada." 
+ +-#: libpam/pam_item.c:311 ++#: .././libpam/pam_item.c:311 + msgid "login:" + msgstr "login:" + +-#: libpam/pam_strerror.c:40 ++#: .././libpam/pam_strerror.c:40 + msgid "Success" + msgstr "Sucesso" + +-#: libpam/pam_strerror.c:42 ++#: .././libpam/pam_strerror.c:42 + msgid "Critical error - immediate abort" + msgstr "Erro crítico - abortar imediatamente" + +-#: libpam/pam_strerror.c:44 ++#: .././libpam/pam_strerror.c:44 + msgid "Failed to load module" + msgstr "Falha ao carregar módulo" + +-#: libpam/pam_strerror.c:46 ++#: .././libpam/pam_strerror.c:46 + msgid "Symbol not found" + msgstr "Símbolo não encontrado" + +-#: libpam/pam_strerror.c:48 ++#: .././libpam/pam_strerror.c:48 + msgid "Error in service module" + msgstr "Erro no módulo de serviço" + +-#: libpam/pam_strerror.c:50 ++#: .././libpam/pam_strerror.c:50 + msgid "System error" + msgstr "Erro do sistema" + +-#: libpam/pam_strerror.c:52 ++#: .././libpam/pam_strerror.c:52 + msgid "Memory buffer error" + msgstr "Erro do buffer de memória" + +-#: libpam/pam_strerror.c:54 ++#: .././libpam/pam_strerror.c:54 + msgid "Permission denied" + msgstr "Permissão negada" + +-#: libpam/pam_strerror.c:56 ++#: .././libpam/pam_strerror.c:56 + msgid "Authentication failure" + msgstr "Falha de autenticação" + +-#: libpam/pam_strerror.c:58 ++#: .././libpam/pam_strerror.c:58 + msgid "Insufficient credentials to access authentication data" + msgstr "Credenciais insuficientes para acessar dados de autenticação" + +-#: libpam/pam_strerror.c:60 ++#: .././libpam/pam_strerror.c:60 + msgid "Authentication service cannot retrieve authentication info" + msgstr "O serviço de autenticação não recuperou informações de autenticação" + +-#: libpam/pam_strerror.c:62 ++#: .././libpam/pam_strerror.c:62 + msgid "User not known to the underlying authentication module" + msgstr "Usuário desconhecido para o módulo de autenticação subjacente" + +-#: libpam/pam_strerror.c:64 ++#: .././libpam/pam_strerror.c:64 + msgid "Have exhausted maximum number of 
retries for service" + msgstr "Esgotado o número máximo de tentativas para serviço" + +-#: libpam/pam_strerror.c:66 ++#: .././libpam/pam_strerror.c:66 + msgid "Authentication token is no longer valid; new one required" + msgstr "O token de autenticação não é mais válido; é necessario um novo token" + +-#: libpam/pam_strerror.c:68 ++#: .././libpam/pam_strerror.c:68 + msgid "User account has expired" + msgstr "A conta do usuário expirou" + +-#: libpam/pam_strerror.c:70 ++#: .././libpam/pam_strerror.c:70 + msgid "Cannot make/remove an entry for the specified session" + msgstr "Impossível fazer/remover uma entrada para a sessão específica" + +-#: libpam/pam_strerror.c:72 ++#: .././libpam/pam_strerror.c:72 + msgid "Authentication service cannot retrieve user credentials" + msgstr "O serviço de autenticação não recuperou as credenciais do usuário" + +-#: libpam/pam_strerror.c:74 ++#: .././libpam/pam_strerror.c:74 + msgid "User credentials expired" + msgstr "Credenciais do usuário expiradas" + +-#: libpam/pam_strerror.c:76 ++#: .././libpam/pam_strerror.c:76 + msgid "Failure setting user credentials" + msgstr "Falha ao definir credenciais do usuário" + +-#: libpam/pam_strerror.c:78 ++#: .././libpam/pam_strerror.c:78 + msgid "No module specific data is present" + msgstr "Não há nenhum dado específico para o módulo " + +-#: libpam/pam_strerror.c:80 ++#: .././libpam/pam_strerror.c:80 + msgid "Bad item passed to pam_*_item()" + msgstr "Ítem incorreto passado para pam_*_item()" + +-#: libpam/pam_strerror.c:82 ++#: .././libpam/pam_strerror.c:82 + msgid "Conversation error" + msgstr "Erro de conversação" + +-#: libpam/pam_strerror.c:84 ++#: .././libpam/pam_strerror.c:84 + msgid "Authentication token manipulation error" + msgstr "Erro de manipulação de token de autenticação" + +-#: libpam/pam_strerror.c:86 ++#: .././libpam/pam_strerror.c:86 + msgid "Authentication information cannot be recovered" + msgstr "Impossível recuperar informações de autenticação" + +-#: 
libpam/pam_strerror.c:88 ++#: .././libpam/pam_strerror.c:88 + msgid "Authentication token lock busy" + msgstr "Bloqueio de token de autenticação ocupado" + +-#: libpam/pam_strerror.c:90 ++#: .././libpam/pam_strerror.c:90 + msgid "Authentication token aging disabled" + msgstr "Validade do token de autenticação desabilitado" + +-#: libpam/pam_strerror.c:92 ++#: .././libpam/pam_strerror.c:92 + msgid "Failed preliminary check by password service" + msgstr "Falha na verificação preliminar por serviço de senha" + +-#: libpam/pam_strerror.c:94 ++#: .././libpam/pam_strerror.c:94 + msgid "The return value should be ignored by PAM dispatch" + msgstr "O valor de retorno deve ser ignorado pelo despacho PAM" + +-#: libpam/pam_strerror.c:96 ++#: .././libpam/pam_strerror.c:96 + msgid "Module is unknown" + msgstr "Módulo desconhecido" + +-#: libpam/pam_strerror.c:98 ++#: .././libpam/pam_strerror.c:98 + msgid "Authentication token expired" + msgstr "Token de autenticação expirado" + +-#: libpam/pam_strerror.c:100 ++#: .././libpam/pam_strerror.c:100 + msgid "Conversation is waiting for event" + msgstr "Conversação aguardando por evento" + +-#: libpam/pam_strerror.c:102 ++#: .././libpam/pam_strerror.c:102 + msgid "Application needs to call libpam again" + msgstr "O aplicativo precisa chamar libpam novamente" + +-#: libpam/pam_strerror.c:105 ++#: .././libpam/pam_strerror.c:105 + msgid "Unknown PAM error" + msgstr "Erro desconhecido no PAM" + +-#: modules/pam_cracklib/pam_cracklib.c:618 ++#: .././modules/pam_cracklib/pam_cracklib.c:618 + msgid "is the same as the old one" + msgstr "é igual à antiga senha" + +-#: modules/pam_cracklib/pam_cracklib.c:624 +-#: modules/pam_cracklib/pam_cracklib.c:628 +-#: modules/pam_cracklib/pam_cracklib.c:638 ++#: .././modules/pam_cracklib/pam_cracklib.c:624 ++#: .././modules/pam_cracklib/pam_cracklib.c:628 ++#: .././modules/pam_cracklib/pam_cracklib.c:638 + msgid "memory allocation error" + msgstr "Erro de alocação de memória" + +-#: 
modules/pam_cracklib/pam_cracklib.c:643 ++#: .././modules/pam_cracklib/pam_cracklib.c:643 + msgid "is a palindrome" + msgstr "é um palíndromo" + +-#: modules/pam_cracklib/pam_cracklib.c:646 ++#: .././modules/pam_cracklib/pam_cracklib.c:646 + msgid "case changes only" + msgstr "mudou apenas maiúsculas/minúsculas" + +-#: modules/pam_cracklib/pam_cracklib.c:649 ++#: .././modules/pam_cracklib/pam_cracklib.c:649 + msgid "is too similar to the old one" + msgstr "é muito semelhante à antiga" + +-#: modules/pam_cracklib/pam_cracklib.c:652 ++#: .././modules/pam_cracklib/pam_cracklib.c:652 + msgid "is too simple" + msgstr "é simples demais" + +-#: modules/pam_cracklib/pam_cracklib.c:655 ++#: .././modules/pam_cracklib/pam_cracklib.c:655 + msgid "is rotated" + msgstr "foi invertida" + +-#: modules/pam_cracklib/pam_cracklib.c:658 ++#: .././modules/pam_cracklib/pam_cracklib.c:658 + msgid "not enough character classes" + msgstr "classes de caractere insuficientes" + +-#: modules/pam_cracklib/pam_cracklib.c:661 ++#: .././modules/pam_cracklib/pam_cracklib.c:661 + msgid "contains too many same characters consecutively" + msgstr "contém muitos caracteres igual consecutivamente" + +-#: modules/pam_cracklib/pam_cracklib.c:664 +-#, fuzzy ++#: .././modules/pam_cracklib/pam_cracklib.c:664 + msgid "contains too long of a monotonic character sequence" +-msgstr "contém muitos caracteres igual consecutivamente" ++msgstr "contém uma sequência de caracteres monotônica muito longa" + +-#: modules/pam_cracklib/pam_cracklib.c:667 ++#: .././modules/pam_cracklib/pam_cracklib.c:667 + msgid "contains the user name in some form" + msgstr "contém o nome de usuário em algum formulário" + +-#: modules/pam_cracklib/pam_cracklib.c:701 +-#: modules/pam_unix/pam_unix_passwd.c:496 ++#: .././modules/pam_cracklib/pam_cracklib.c:701 ++#: .././modules/pam_unix/pam_unix_passwd.c:502 + msgid "No password supplied" + msgstr "Nenhuma senha informada" + +-#: modules/pam_cracklib/pam_cracklib.c:701 +-#: 
modules/pam_unix/pam_unix_passwd.c:496 ++#: .././modules/pam_cracklib/pam_cracklib.c:701 ++#: .././modules/pam_unix/pam_unix_passwd.c:502 + msgid "Password unchanged" + msgstr "Senha inalterada" + +-#: modules/pam_cracklib/pam_cracklib.c:721 +-#: modules/pam_cracklib/pam_cracklib.c:803 ++#: .././modules/pam_cracklib/pam_cracklib.c:721 ++#: .././modules/pam_cracklib/pam_cracklib.c:803 + #, c-format + msgid "BAD PASSWORD: %s" + msgstr "SENHA INCORRETA: %s" + +-#: modules/pam_exec/pam_exec.c:273 ++#: .././modules/pam_exec/pam_exec.c:215 + #, c-format + msgid "%s failed: exit code %d" + msgstr "%s falhou: código de saída %d" + +-#: modules/pam_exec/pam_exec.c:282 ++#: .././modules/pam_exec/pam_exec.c:224 + #, c-format + msgid "%s failed: caught signal %d%s" + msgstr "%s falhou: detectou sinal %d%s" + +-#: modules/pam_exec/pam_exec.c:291 ++#: .././modules/pam_exec/pam_exec.c:233 + #, c-format + msgid "%s failed: unknown status 0x%x" + msgstr "%s falhou: status desconhecido 0x%x" + + #. TRANSLATORS: "strftime options for date of last login" +-#: modules/pam_lastlog/pam_lastlog.c:282 modules/pam_lastlog/pam_lastlog.c:496 ++#: .././modules/pam_lastlog/pam_lastlog.c:282 ++#: .././modules/pam_lastlog/pam_lastlog.c:496 + msgid " %a %b %e %H:%M:%S %Z %Y" + msgstr "%a %b %e %H:%M:%S %Z %Y" + + #. TRANSLATORS: " from " +-#: modules/pam_lastlog/pam_lastlog.c:291 modules/pam_lastlog/pam_lastlog.c:505 ++#: .././modules/pam_lastlog/pam_lastlog.c:291 ++#: .././modules/pam_lastlog/pam_lastlog.c:505 + #, c-format + msgid " from %.*s" + msgstr "de %.*s" + + #. TRANSLATORS: " on " +-#: modules/pam_lastlog/pam_lastlog.c:303 modules/pam_lastlog/pam_lastlog.c:517 ++#: .././modules/pam_lastlog/pam_lastlog.c:303 ++#: .././modules/pam_lastlog/pam_lastlog.c:517 + #, c-format + msgid " on %.*s" + msgstr "em %.*s" + + #. 
TRANSLATORS: "Last login: from on " +-#: modules/pam_lastlog/pam_lastlog.c:313 ++#: .././modules/pam_lastlog/pam_lastlog.c:313 + #, c-format + msgid "Last login:%s%s%s" + msgstr "Último login:%s%s%s" + +-#: modules/pam_lastlog/pam_lastlog.c:319 ++#: .././modules/pam_lastlog/pam_lastlog.c:319 + msgid "Welcome to your new account!" + msgstr "Bem-vindo à sua nova conta!" + + #. TRANSLATORS: "Last failed login: from on " +-#: modules/pam_lastlog/pam_lastlog.c:527 ++#: .././modules/pam_lastlog/pam_lastlog.c:527 + #, c-format + msgid "Last failed login:%s%s%s" + msgstr "Falha no último login:%s%s%s" + +-#: modules/pam_lastlog/pam_lastlog.c:536 modules/pam_lastlog/pam_lastlog.c:543 ++#: .././modules/pam_lastlog/pam_lastlog.c:536 ++#: .././modules/pam_lastlog/pam_lastlog.c:543 + #, c-format + msgid "There was %d failed login attempt since the last successful login." + msgid_plural "" + "There were %d failed login attempts since the last successful login." + msgstr[0] "Houve %d falhas de login desde o último login bem sucedido." +-msgstr[1] "Houveram %d falhas de login desde o último login bem sucedido." ++msgstr[1] "Houve %d falhas de login desde o último login bem sucedido." + + #. TRANSLATORS: only used if dngettext is not supported +-#: modules/pam_lastlog/pam_lastlog.c:548 ++#: .././modules/pam_lastlog/pam_lastlog.c:548 + #, c-format + msgid "There were %d failed login attempts since the last successful login." +-msgstr "Houveram %d falhas de login desde o último login bem sucedido." ++msgstr "Houve %d falhas de login desde o último login bem sucedido." + +-#: modules/pam_limits/pam_limits.c:1079 ++#: .././modules/pam_limits/pam_limits.c:1079 + #, c-format + msgid "Too many logins for '%s'." + msgstr "Há logins demais para '%s'." + +-#: modules/pam_mail/pam_mail.c:297 ++#: .././modules/pam_mail/pam_mail.c:297 + msgid "No mail." + msgstr "Não há mensagens." + +-#: modules/pam_mail/pam_mail.c:300 ++#: .././modules/pam_mail/pam_mail.c:300 + msgid "You have new mail." 
+ msgstr "Há novas mensagens." + +-#: modules/pam_mail/pam_mail.c:303 ++#: .././modules/pam_mail/pam_mail.c:303 + msgid "You have old mail." + msgstr "Há mensagens antigas." + +-#: modules/pam_mail/pam_mail.c:307 ++#: .././modules/pam_mail/pam_mail.c:307 + msgid "You have mail." + msgstr "Há mensagens." + +-#: modules/pam_mail/pam_mail.c:314 ++#: .././modules/pam_mail/pam_mail.c:314 + #, c-format + msgid "You have no mail in folder %s." + msgstr "Não há mensagens na pasta %s." + +-#: modules/pam_mail/pam_mail.c:318 ++#: .././modules/pam_mail/pam_mail.c:318 + #, c-format + msgid "You have new mail in folder %s." + msgstr "Há novas mensagens na pasta %s." + +-#: modules/pam_mail/pam_mail.c:322 ++#: .././modules/pam_mail/pam_mail.c:322 + #, c-format + msgid "You have old mail in folder %s." + msgstr "Há mensagens antigas na pasta %s." + +-#: modules/pam_mail/pam_mail.c:327 ++#: .././modules/pam_mail/pam_mail.c:327 + #, c-format + msgid "You have mail in folder %s." + msgstr "Há mensagens na pasta %s." + +-#: modules/pam_mkhomedir/pam_mkhomedir.c:113 ++#: .././modules/pam_mkhomedir/pam_mkhomedir.c:114 + #, c-format + msgid "Creating directory '%s'." + msgstr "Criando o diretório '%s'." + +-#: modules/pam_mkhomedir/pam_mkhomedir.c:183 ++#: .././modules/pam_mkhomedir/pam_mkhomedir.c:192 + #, c-format + msgid "Unable to create and initialize directory '%s'." + msgstr "Impossível criar e inicializar o diretório \"%s\"." + +-#: modules/pam_pwhistory/pam_pwhistory.c:217 +-#: modules/pam_unix/pam_unix_passwd.c:517 ++#: .././modules/pam_pwhistory/pam_pwhistory.c:384 ++#: .././modules/pam_unix/pam_unix_passwd.c:523 + msgid "Password has been already used. Choose another." + msgstr "A senha já foi usada. Escolha outra." + +-#: modules/pam_pwhistory/pam_pwhistory.c:224 +-#, fuzzy ++#: .././modules/pam_pwhistory/pam_pwhistory.c:391 + msgid "Password has been already used." +-msgstr "A senha já foi usada. Escolha outra." ++msgstr "A senha já foi usada." 
+ +-#: modules/pam_selinux/pam_selinux.c:210 ++#: .././modules/pam_selinux/pam_selinux.c:210 + #, c-format + msgid "Default Security Context %s\n" + msgstr "Contexto de Segurança Padrão %s\n" + +-#: modules/pam_selinux/pam_selinux.c:214 ++#: .././modules/pam_selinux/pam_selinux.c:214 + msgid "Would you like to enter a different role or level?" + msgstr "Deseja digitar uma função ou nível diferente?" + +-#: modules/pam_selinux/pam_selinux.c:227 ++#. Allow the user to enter role and level individually ++#: .././modules/pam_selinux/pam_selinux.c:227 + msgid "role:" + msgstr "função:" + +-#: modules/pam_selinux/pam_selinux.c:230 ++#: .././modules/pam_selinux/pam_selinux.c:230 + #, c-format + msgid "No default type for role %s\n" + msgstr "Não existe tipo padrão para a função %s\n" + +-#: modules/pam_selinux/pam_selinux.c:262 ++#: .././modules/pam_selinux/pam_selinux.c:262 + msgid "level:" + msgstr "nível:" + +-#: modules/pam_selinux/pam_selinux.c:295 ++#: .././modules/pam_selinux/pam_selinux.c:295 + msgid "Not a valid security context" + msgstr "Não é um contexto de segurança válido" + +-#: modules/pam_selinux/pam_selinux.c:539 ++#: .././modules/pam_selinux/pam_selinux.c:539 + #, c-format + msgid "Unable to get valid context for %s" + msgstr "Impossível obter um contexto válido para %s" + +-#: modules/pam_selinux/pam_selinux.c:658 ++#: .././modules/pam_selinux/pam_selinux.c:658 + #, c-format + msgid "Security Context %s Assigned" + msgstr "Contexto de segurança %s atribuído" + +-#: modules/pam_selinux/pam_selinux.c:674 ++#: .././modules/pam_selinux/pam_selinux.c:674 + #, c-format + msgid "Key Creation Context %s Assigned" + msgstr "Contexto de criação de chave %s atribuído" + +-#: modules/pam_selinux/pam_selinux_check.c:99 ++#: .././modules/pam_selinux/pam_selinux_check.c:99 + #, c-format + msgid "failed to initialize PAM\n" + msgstr "falha ao inicializar PAM\n" + +-#: modules/pam_selinux/pam_selinux_check.c:105 ++#: .././modules/pam_selinux/pam_selinux_check.c:105 + 
#, c-format + msgid "failed to pam_set_item()\n" + msgstr "falha em pam_set_item()\n" + +-#: modules/pam_selinux/pam_selinux_check.c:133 ++#. error in fork() ++#: .././modules/pam_selinux/pam_selinux_check.c:133 + #, c-format + msgid "login: failure forking: %m" + msgstr "login: falha na bifurcação: %m" + +-#: modules/pam_stress/pam_stress.c:476 ++#: .././modules/pam_stress/pam_stress.c:476 + #, c-format + msgid "Changing STRESS password for %s." + msgstr "Mudando senha STRESS para %s." + +-#: modules/pam_stress/pam_stress.c:490 ++#: .././modules/pam_stress/pam_stress.c:490 + msgid "Enter new STRESS password: " + msgstr "Digite a nova senha STRESS:" + +-#: modules/pam_stress/pam_stress.c:493 ++#: .././modules/pam_stress/pam_stress.c:493 + msgid "Retype new STRESS password: " + msgstr "Digite novamente a nova senha STRESS:" + +-#: modules/pam_stress/pam_stress.c:522 ++#: .././modules/pam_stress/pam_stress.c:522 + msgid "Verification mis-typed; password unchanged" + msgstr "Verificação digitada incorretamente; senha inalterada" + +-#: modules/pam_tally/pam_tally.c:541 modules/pam_tally2/pam_tally2.c:599 ++#: .././modules/pam_tally/pam_tally.c:541 ++#: .././modules/pam_tally2/pam_tally2.c:599 + #, c-format + msgid "Account temporary locked (%ld seconds left)" + msgstr "Conta temporariamente bloqueada (restam %ld segundos)" + +-#: modules/pam_tally/pam_tally.c:566 modules/pam_tally2/pam_tally2.c:578 ++#: .././modules/pam_tally/pam_tally.c:566 ++#: .././modules/pam_tally2/pam_tally2.c:578 + #, c-format + msgid "Account locked due to %u failed logins" + msgstr "Conta bloqueada devido a %u falhas de login" + +-#: modules/pam_tally/pam_tally.c:777 modules/pam_tally2/pam_tally2.c:887 ++#: .././modules/pam_tally/pam_tally.c:777 ++#: .././modules/pam_tally2/pam_tally2.c:887 + msgid "Authentication error" + msgstr "Erro de autenticação" + +-#: modules/pam_tally/pam_tally.c:778 modules/pam_tally2/pam_tally2.c:888 ++#: .././modules/pam_tally/pam_tally.c:778 ++#: 
.././modules/pam_tally2/pam_tally2.c:888 + msgid "Service error" + msgstr "Erro de serviço" + +-#: modules/pam_tally/pam_tally.c:779 modules/pam_tally2/pam_tally2.c:889 ++#: .././modules/pam_tally/pam_tally.c:779 ++#: .././modules/pam_tally2/pam_tally2.c:889 + msgid "Unknown user" + msgstr "Usuário desconhecido" + +-#: modules/pam_tally/pam_tally.c:780 modules/pam_tally2/pam_tally2.c:890 ++#: .././modules/pam_tally/pam_tally.c:780 ++#: .././modules/pam_tally2/pam_tally2.c:890 + msgid "Unknown error" + msgstr "Erro desconhecido" + +-#: modules/pam_tally/pam_tally.c:796 modules/pam_tally2/pam_tally2.c:909 ++#: .././modules/pam_tally/pam_tally.c:796 ++#: .././modules/pam_tally2/pam_tally2.c:909 + #, c-format + msgid "%s: Bad number given to --reset=\n" + msgstr "%s: Número insuficiente fornecido para --reset=\n" + +-#: modules/pam_tally/pam_tally.c:800 modules/pam_tally2/pam_tally2.c:913 ++#: .././modules/pam_tally/pam_tally.c:800 ++#: .././modules/pam_tally2/pam_tally2.c:913 + #, c-format + msgid "%s: Unrecognised option %s\n" + msgstr "%s: Opção não reconhecida %s\n" + +-#: modules/pam_tally/pam_tally.c:812 ++#: .././modules/pam_tally/pam_tally.c:812 + #, c-format + msgid "" + "%s: [--file rooted-filename] [--user username] [--reset[=n]] [--quiet]\n" + msgstr "" + "%s: [--file rooted-filename] [--user username] [--reset[=n]] [--quiet]\n" + +-#: modules/pam_tally/pam_tally.c:886 modules/pam_tally2/pam_tally2.c:1039 ++#: .././modules/pam_tally/pam_tally.c:886 ++#: .././modules/pam_tally2/pam_tally2.c:1039 + #, c-format + msgid "%s: Can't reset all users to non-zero\n" + msgstr "%s: Impossível redefinir todos os usuários para não-zero\n" + +-#: modules/pam_tally2/pam_tally2.c:940 ++#: .././modules/pam_tally2/pam_tally2.c:940 + #, c-format + msgid "Login Failures Latest failure From\n" + msgstr "Login Falhas Último falha De\n" + +-#: modules/pam_tally2/pam_tally2.c:956 ++#: .././modules/pam_tally2/pam_tally2.c:956 + #, c-format + msgid "" + "%s: [-f rooted-filename] 
[--file rooted-filename]\n" +@@ -521,24 +551,26 @@ + " [-u username] [--user username]\n" + " [-r] [--reset[=n]] [--quiet]\n" + +-#: modules/pam_timestamp/pam_timestamp.c:345 ++#: .././modules/pam_timestamp/pam_timestamp.c:345 + #, c-format + msgid "Access granted (last access was %ld seconds ago)." + msgstr "Acesso concedido (o último acesso foi a %ld segundos atrás)." + +-#: modules/pam_unix/pam_unix_acct.c:247 modules/pam_unix/pam_unix_acct.c:269 ++#: .././modules/pam_unix/pam_unix_acct.c:249 ++#: .././modules/pam_unix/pam_unix_acct.c:271 + msgid "Your account has expired; please contact your system administrator" + msgstr "Sua conta expirou; entre em contato com o administrador do sistema" + +-#: modules/pam_unix/pam_unix_acct.c:255 ++#: .././modules/pam_unix/pam_unix_acct.c:257 + msgid "You are required to change your password immediately (root enforced)" + msgstr "Mude sua senha imediatamente (aplicado pela raiz)" + +-#: modules/pam_unix/pam_unix_acct.c:261 ++#: .././modules/pam_unix/pam_unix_acct.c:263 + msgid "You are required to change your password immediately (password aged)" + msgstr "Mude sua senha imediatamente (senha expirada)" + +-#: modules/pam_unix/pam_unix_acct.c:282 modules/pam_unix/pam_unix_acct.c:289 ++#: .././modules/pam_unix/pam_unix_acct.c:284 ++#: .././modules/pam_unix/pam_unix_acct.c:291 + #, c-format + msgid "Warning: your password will expire in %d day" + msgid_plural "Warning: your password will expire in %d days" +@@ -546,39 +578,37 @@ + msgstr[1] "Aviso: sua senha irá expirar em %d dias" + + #. TRANSLATORS: only used if dngettext is not supported +-#: modules/pam_unix/pam_unix_acct.c:294 ++#: .././modules/pam_unix/pam_unix_acct.c:296 + #, c-format + msgid "Warning: your password will expire in %d days" + msgstr "Aviso: sua senha irá expirar em %d dias" + +-#: modules/pam_unix/pam_unix_passwd.c:398 ++#: .././modules/pam_unix/pam_unix_passwd.c:404 + msgid "NIS password could not be changed." + msgstr "A senha NIS não pôde ser mudada." 
+
+-#: modules/pam_unix/pam_unix_passwd.c:513
++#: .././modules/pam_unix/pam_unix_passwd.c:519
+ msgid "You must choose a longer password"
+ msgstr "Escolha uma senha mais longa"
+
+-#: modules/pam_unix/pam_unix_passwd.c:619
++#. instruct user what is happening
++#: .././modules/pam_unix/pam_unix_passwd.c:625
+ #, c-format
+ msgid "Changing password for %s."
+ msgstr "Mudando senha para %s."
+
+-#: modules/pam_unix/pam_unix_passwd.c:630
++#: .././modules/pam_unix/pam_unix_passwd.c:636
+ msgid "(current) UNIX password: "
+ msgstr "Senha UNIX (atual):"
+
+-#: modules/pam_unix/pam_unix_passwd.c:665
++#: .././modules/pam_unix/pam_unix_passwd.c:671
+ msgid "You must wait longer to change your password"
+ msgstr "Aguarde mais tempo para mudar a senha"
+
+-#: modules/pam_unix/pam_unix_passwd.c:725
++#: .././modules/pam_unix/pam_unix_passwd.c:731
+ msgid "Enter new UNIX password: "
+ msgstr "Digite a nova senha UNIX:"
+
+-#: modules/pam_unix/pam_unix_passwd.c:726
++#: .././modules/pam_unix/pam_unix_passwd.c:732
+ msgid "Retype new UNIX password: "
+ msgstr "Redigite a nova senha UNIX:"
+-
+-#~ msgid "Would you like to enter a security context? [N] "
+-#~ msgstr "Deseja digitar um contexto de segurança? [N]"
diff --git a/SOURCES/pam-1.1.8-tty-audit-uid-range.patch b/SOURCES/pam-1.1.8-tty-audit-uid-range.patch
new file mode 100644
index 0000000..4d5f63f
--- /dev/null
+++ b/SOURCES/pam-1.1.8-tty-audit-uid-range.patch
@@ -0,0 +1,167 @@ +diff -up Linux-PAM-1.1.8/modules/pam_tty_audit/pam_tty_audit.c.uid-range Linux-PAM-1.1.8/modules/pam_tty_audit/pam_tty_audit.c +--- Linux-PAM-1.1.8/modules/pam_tty_audit/pam_tty_audit.c.uid-range 2017-09-08 14:46:58.869496414 +0200 ++++ Linux-PAM-1.1.8/modules/pam_tty_audit/pam_tty_audit.c 2017-10-09 17:42:13.947599041 +0200 +@@ -198,6 +198,54 @@ cleanup_old_status (pam_handle_t *pamh, + free (data); + } + ++enum uid_range { UID_RANGE_NONE, UID_RANGE_MM, UID_RANGE_MIN, ++ UID_RANGE_ONE, UID_RANGE_ERR }; ++ ++static enum uid_range ++parse_uid_range(pam_handle_t *pamh, const char *s, ++ uid_t *min_uid, uid_t *max_uid) ++{ ++ const char *range = s; ++ const char *pmax; ++ char *endptr; ++ enum uid_range rv = UID_RANGE_MM; ++ ++ if ((pmax=strchr(range, ':')) == NULL) ++ return UID_RANGE_NONE; ++ ++pmax; ++ ++ if (range[0] == ':') ++ rv = UID_RANGE_ONE; ++ else { ++ errno = 0; ++ *min_uid = strtoul (range, &endptr, 10); ++ if (errno != 0 || (range == endptr) || *endptr != ':') { ++ pam_syslog(pamh, LOG_DEBUG, ++ "wrong min_uid value in '%s'", s); ++ return UID_RANGE_ERR; ++ } ++ } ++ ++ if (*pmax == '\0') { ++ if (rv == UID_RANGE_ONE) ++ return UID_RANGE_ERR; ++ ++ return UID_RANGE_MIN; ++ } ++ ++ errno = 0; ++ *max_uid = strtoul (pmax, &endptr, 10); ++ if (errno != 0 || (pmax == endptr) || *endptr != '\0') { ++ pam_syslog(pamh, LOG_DEBUG, ++ "wrong max_uid value in '%s'", s); ++ return UID_RANGE_ERR; ++ } ++ ++ if (rv == UID_RANGE_ONE) ++ *min_uid = *max_uid; ++ return rv; ++} ++ + int + pam_sm_open_session (pam_handle_t *pamh, int flags, int argc, const char **argv) + { +@@ -207,6 +255,7 @@ pam_sm_open_session (pam_handle_t *pamh, + struct audit_tty_status *old_status, new_status; + const char *user; + int i, fd, open_only; ++ struct passwd *pwd; + #ifdef HAVE_STRUCT_AUDIT_TTY_STATUS_LOG_PASSWD + int log_passwd; + #endif /* HAVE_STRUCT_AUDIT_TTY_STATUS_LOG_PASSWD */ +@@ -219,6 +268,14 @@ pam_sm_open_session (pam_handle_t *pamh, + return 
PAM_SESSION_ERR; + } + ++ pwd = pam_modutil_getpwnam(pamh, user); ++ if (pwd == NULL) ++ { ++ pam_syslog(pamh, LOG_WARNING, ++ "open_session unknown user '%s'", user); ++ return PAM_SESSION_ERR; ++ } ++ + command = CMD_NONE; + open_only = 0; + #ifdef HAVE_STRUCT_AUDIT_TTY_STATUS_LOG_PASSWD +@@ -236,13 +293,31 @@ pam_sm_open_session (pam_handle_t *pamh, + copy = strdup (strchr (argv[i], '=') + 1); + if (copy == NULL) + return PAM_SESSION_ERR; +- for (tok = strtok_r (copy, ",", &tok_data); tok != NULL; ++ for (tok = strtok_r (copy, ",", &tok_data); ++ tok != NULL && command != this_command; + tok = strtok_r (NULL, ",", &tok_data)) + { +- if (fnmatch (tok, user, 0) == 0) ++ uid_t min_uid = 0, max_uid = 0; ++ switch (parse_uid_range(pamh, tok, &min_uid, &max_uid)) + { +- command = this_command; +- break; ++ case UID_RANGE_NONE: ++ if (fnmatch (tok, user, 0) == 0) ++ command = this_command; ++ break; ++ case UID_RANGE_MM: ++ if (pwd->pw_uid >= min_uid && pwd->pw_uid <= max_uid) ++ command = this_command; ++ break; ++ case UID_RANGE_MIN: ++ if (pwd->pw_uid >= min_uid) ++ command = this_command; ++ break; ++ case UID_RANGE_ONE: ++ if (pwd->pw_uid == max_uid) ++ command = this_command; ++ break; ++ case UID_RANGE_ERR: ++ break; + } + } + free (copy); +diff -up Linux-PAM-1.1.8/modules/pam_tty_audit/pam_tty_audit.8.xml.uid-range Linux-PAM-1.1.8/modules/pam_tty_audit/pam_tty_audit.8.xml +--- Linux-PAM-1.1.8/modules/pam_tty_audit/pam_tty_audit.8.xml.uid-range 2013-08-28 10:53:40.000000000 +0200 ++++ Linux-PAM-1.1.8/modules/pam_tty_audit/pam_tty_audit.8.xml 2017-09-08 14:46:58.895497022 +0200 +@@ -44,10 +44,10 @@ + + + +- For each user matching one of comma-separated glob +- , disable +- TTY auditing. This overrides any previous +- option matching the same user name on the command line. ++ For each user matching , ++ disable TTY auditing. This overrides any previous ++ option matching the same user name on the command line. See NOTES ++ for further description of . 
+ + + +@@ -57,10 +57,10 @@ + + + +- For each user matching one of comma-separated glob +- , enable +- TTY auditing. This overrides any previous +- option matching the same user name on the command line. ++ For each user matching , ++ enable TTY auditing. This overrides any previous ++ option matching the same user name on the command line. See NOTES ++ for further description of . + + + +@@ -139,6 +139,16 @@ + To view the data that was logged by the kernel to audit use + the command aureport --tty. + ++ ++ The are comma separated ++ lists of glob patterns or ranges of uids. A range is specified as ++ min_uid:max_uid where ++ one of these values can be empty. If min_uid is ++ empty only user with the uid max_uid will be ++ matched. If max_uid is empty users with the uid ++ greater than or equal to min_uid will be ++ matched. ++ + + + diff --git a/SOURCES/pam-1.1.8-unix-expiry.patch b/SOURCES/pam-1.1.8-unix-expiry.patch new file mode 100644 index 0000000..7e0e9f0 --- /dev/null +++ b/SOURCES/pam-1.1.8-unix-expiry.patch 
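Review bot: In parse_uid_range the `strtoul` results are assigned straight to `*min_uid`/`*max_uid`, so a number that does not fit in uid_t, or a negative one such as `-1` (which strtoul accepts and returns as ULONG_MAX), is silently narrowed instead of being reported as UID_RANGE_ERR, and the resulting range matches different uids than the administrator configured. Parse into an `unsigned long` first and reject a leading sign and out-of-range values before narrowing: `unsigned long v = strtoul(range, &endptr, 10);` / `if (errno != 0 || range == endptr || *endptr != ':' || *range == '-' || v != (uid_t)v)` followed by the existing pam_syslog and `return UID_RANGE_ERR;`, then `*min_uid = (uid_t)v;`, with the same treatment in the max branch. It would also help to reject `min_uid > max_uid` for UID_RANGE_MM with a pam_syslog message rather than letting the entry silently match nobody. parse_uid_range is complete within the hunk, but pam_sm_open_session starts and ends outside the fragment the patch shows.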
@@ -0,0 +1,134 @@ +diff -up Linux-PAM-1.1.8/modules/pam_unix/pam_unix_acct.c.expiry Linux-PAM-1.1.8/modules/pam_unix/pam_unix_acct.c +--- Linux-PAM-1.1.8/modules/pam_unix/pam_unix_acct.c.expiry 2016-03-03 09:58:52.677684261 +0100 ++++ Linux-PAM-1.1.8/modules/pam_unix/pam_unix_acct.c 2016-03-03 09:58:52.712685101 +0100 +@@ -244,6 +244,19 @@ pam_sm_acct_mgmt(pam_handle_t *pamh, int + } else + retval = check_shadow_expiry(pamh, spent, &daysleft); + ++ if (on(UNIX_NO_PASS_EXPIRY, ctrl)) { ++ const void *pretval = NULL; ++ int authrv = PAM_AUTHINFO_UNAVAIL; /* authentication not called */ ++ ++ if (pam_get_data(pamh, "unix_setcred_return", &pretval) == PAM_SUCCESS ++ && pretval) ++ authrv = *(const int *)pretval; ++ ++ if (authrv != PAM_SUCCESS ++ && (retval == PAM_NEW_AUTHTOK_REQD || retval == PAM_AUTHTOK_EXPIRED)) ++ retval = PAM_SUCCESS; ++ } ++ + switch (retval) { + case PAM_ACCT_EXPIRED: + pam_syslog(pamh, LOG_NOTICE, +diff -up Linux-PAM-1.1.8/modules/pam_unix/pam_unix_auth.c.expiry Linux-PAM-1.1.8/modules/pam_unix/pam_unix_auth.c +--- Linux-PAM-1.1.8/modules/pam_unix/pam_unix_auth.c.expiry 2013-06-18 16:11:21.000000000 +0200 ++++ Linux-PAM-1.1.8/modules/pam_unix/pam_unix_auth.c 2016-03-03 09:58:52.712685101 +0100 +@@ -82,14 +82,13 @@ + + #define AUTH_RETURN \ + do { \ +- if (on(UNIX_LIKE_AUTH, ctrl) && ret_data) { \ ++ if (ret_data) { \ + D(("recording return code for next time [%d]", \ + retval)); \ + *ret_data = retval; \ + pam_set_data(pamh, "unix_setcred_return", \ + (void *) ret_data, setcred_free); \ +- } else if (ret_data) \ +- free (ret_data); \ ++ } \ + D(("done. [%s]", pam_strerror(pamh, retval))); \ + return retval; \ + } while (0) +@@ -115,9 +114,8 @@ pam_sm_authenticate(pam_handle_t *pamh, + ctrl = _set_ctrl(pamh, flags, NULL, NULL, NULL, argc, argv); + + /* Get a few bytes so we can pass our return value to +- pam_sm_setcred(). */ +- if (on(UNIX_LIKE_AUTH, ctrl)) +- ret_data = malloc(sizeof(int)); ++ pam_sm_setcred() and pam_sm_acct_mgmt(). 
*/ ++ ret_data = malloc(sizeof(int)); + + /* get the user'name' */ + +@@ -194,20 +192,24 @@ pam_sm_authenticate(pam_handle_t *pamh, + */ + + int +-pam_sm_setcred (pam_handle_t *pamh, int flags UNUSED, +- int argc UNUSED, const char **argv UNUSED) ++pam_sm_setcred (pam_handle_t *pamh, int flags, ++ int argc, const char **argv) + { + int retval; + const void *pretval = NULL; ++ unsigned int ctrl; + + D(("called.")); + ++ ctrl = _set_ctrl(pamh, flags, NULL, NULL, NULL, argc, argv); ++ + retval = PAM_SUCCESS; + + D(("recovering return code from auth call")); + /* We will only find something here if UNIX_LIKE_AUTH is set -- + don't worry about an explicit check of argv. */ +- if (pam_get_data(pamh, "unix_setcred_return", &pretval) == PAM_SUCCESS ++ if (on(UNIX_LIKE_AUTH, ctrl) ++ && pam_get_data(pamh, "unix_setcred_return", &pretval) == PAM_SUCCESS + && pretval) { + retval = *(const int *)pretval; + pam_set_data(pamh, "unix_setcred_return", NULL, NULL); +diff -up Linux-PAM-1.1.8/modules/pam_unix/pam_unix.8.xml.expiry Linux-PAM-1.1.8/modules/pam_unix/pam_unix.8.xml +--- Linux-PAM-1.1.8/modules/pam_unix/pam_unix.8.xml.expiry 2016-03-03 09:58:52.710685053 +0100 ++++ Linux-PAM-1.1.8/modules/pam_unix/pam_unix.8.xml 2016-03-03 09:58:52.712685101 +0100 +@@ -346,6 +346,25 @@ + + + ++ ++ ++ ++ ++ ++ ++ When set ignore password expiration as defined by the ++ shadow entry of the user. The option has an ++ effect only in case pam_unix was not used ++ for the authentication or it returned authentication failure ++ meaning that other authentication source or method succeeded. ++ The example can be public key authentication in ++ sshd. The module will return ++ PAM_SUCCESS instead of eventual ++ PAM_NEW_AUTHTOK_REQD or ++ PAM_AUTHTOK_EXPIRED. 
++ ++ ++ + + + Invalid arguments are logged with +diff -up Linux-PAM-1.1.8/modules/pam_unix/support.h.expiry Linux-PAM-1.1.8/modules/pam_unix/support.h +--- Linux-PAM-1.1.8/modules/pam_unix/support.h.expiry 2016-03-03 09:58:52.712685101 +0100 ++++ Linux-PAM-1.1.8/modules/pam_unix/support.h 2016-03-03 10:00:31.642061166 +0100 +@@ -97,8 +97,9 @@ typedef struct { + password hash algorithms */ + #define UNIX_BLOWFISH_PASS 26 /* new password hashes will use blowfish */ + #define UNIX_MIN_PASS_LEN 27 /* min length for password */ ++#define UNIX_NO_PASS_EXPIRY 28 /* Don't check for password expiration if not used for authentication */ + /* -------------- */ +-#define UNIX_CTRLS_ 28 /* number of ctrl arguments defined */ ++#define UNIX_CTRLS_ 29 /* number of ctrl arguments defined */ + + #define UNIX_DES_CRYPT(ctrl) (off(UNIX_MD5_PASS,ctrl)&&off(UNIX_BIGCRYPT,ctrl)&&off(UNIX_SHA256_PASS,ctrl)&&off(UNIX_SHA512_PASS,ctrl)&&off(UNIX_BLOWFISH_PASS,ctrl)) + +@@ -135,6 +136,7 @@ static const UNIX_Ctrls unix_args[UNIX_C + /* UNIX_ALGO_ROUNDS */ {"rounds=", _ALL_ON_, 0100000000, 0}, + /* UNIX_BLOWFISH_PASS */ {"blowfish", _ALL_ON_^(0260420000), 0200000000, 1}, + /* UNIX_MIN_PASS_LEN */ {"minlen=", _ALL_ON_, 0400000000, 0}, ++/* UNIX_NO_PASS_EXPIRY */ {"no_pass_expiry", _ALL_ON_, 02000000000, 0}, + }; + + #define UNIX_DEFAULTS (unix_args[UNIX__NONULL].flag) diff --git a/SOURCES/pam-1.1.8-unix-max-fd-no.patch b/SOURCES/pam-1.1.8-unix-max-fd-no.patch new file mode 100644 index 0000000..8612f1c --- /dev/null +++ b/SOURCES/pam-1.1.8-unix-max-fd-no.patch 
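Review bot: The comment left above the `pam_get_data` call in pam_sm_setcred, `We will only find something here if UNIX_LIKE_AUTH is set`, is now wrong: AUTH_RETURN records `unix_setcred_return` on every pam_sm_authenticate call after this patch, and setcred merely decides with `on(UNIX_LIKE_AUTH, ctrl)` whether to consume and clear it. I would replace it with `/* pam_sm_authenticate always records its result so pam_sm_acct_mgmt can honour no_pass_expiry; it is used and cleared here only when UNIX_LIKE_AUTH is set. */`, and add the mirror image above the new block in pam_sm_acct_mgmt, since with UNIX_LIKE_AUTH off the data is never cleared and `authrv` is simply the result of the most recent pam_unix authentication on this handle. One corner worth naming there too: if `malloc(sizeof(int))` fails in pam_sm_authenticate nothing is recorded, and acct_mgmt with no_pass_expiry then treats the missing data as "authentication not called" and waives the expiry check, i.e. that failure mode is fail-open; a pam_syslog in AUTH_RETURN when ret_data is NULL would at least make it visible. Both pam_sm_acct_mgmt and pam_sm_setcred start and end outside the inner hunks shown.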
@@ -0,0 +1,12 @@
+diff -up Linux-PAM-1.1.8/modules/pam_unix/support.h.max-fd-no Linux-PAM-1.1.8/modules/pam_unix/support.h
+--- Linux-PAM-1.1.8/modules/pam_unix/support.h.max-fd-no 2017-11-02 14:04:25.895425318 +0100
++++ Linux-PAM-1.1.8/modules/pam_unix/support.h 2019-08-06 14:46:59.237125151 +0200
+@@ -141,7 +141,7 @@ static const UNIX_Ctrls unix_args[UNIX_C
+ 
+ #define UNIX_DEFAULTS (unix_args[UNIX__NONULL].flag)
+ 
+-#define MAX_FD_NO 2000000
++#define MAX_FD_NO 65535
+ 
+ /* use this to free strings. ESPECIALLY password strings */
+ 
diff --git a/SOURCES/pamtmp.conf b/SOURCES/pamtmp.conf
new file mode 100644
index 0000000..61f4c3e
--- /dev/null
+++ b/SOURCES/pamtmp.conf
@@ -0,0 +1,3 @@
+d /var/run/console 0755 root root -
+d /var/run/faillock 0755 root root -
+d /var/run/sepermit 0755 root root -
diff --git a/SOURCES/password-auth.pamd b/SOURCES/password-auth.pamd
new file mode 100644
index 0000000..2e01bf9
--- /dev/null
+++ b/SOURCES/password-auth.pamd
@@ -0,0 +1,18 @@
+#%PAM-1.0
+# This file is auto-generated.
+# User changes will be destroyed the next time authconfig is run.
+auth required pam_env.so
+auth sufficient pam_unix.so try_first_pass nullok
+auth required pam_deny.so
+
+account required pam_unix.so
+
+password requisite pam_pwquality.so try_first_pass local_users_only retry=3 authtok_type=
+password sufficient pam_unix.so try_first_pass use_authtok nullok sha512 shadow
+password required pam_deny.so
+
+session optional pam_keyinit.so revoke
+session required pam_limits.so
+-session optional pam_systemd.so
+session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
+session required pam_unix.so
diff --git a/SOURCES/postlogin.5 b/SOURCES/postlogin.5
new file mode 100644
index 0000000..3a8abcf
--- /dev/null
+++ b/SOURCES/postlogin.5
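Review bot: Lowering `MAX_FD_NO` to 65535 makes the close loop cheap, but if the constant is still the upper bound of the descriptors closed before the helper is spawned (the hunk shows only the define; I am inferring its use from the changelog entry about closing fds when spawning helpers), a caller holding descriptors numbered 65535 or above now passes them to the setuid helper. Deriving the bound from the process's real limit, e.g. `getrlimit(RLIMIT_NOFILE, &rl)` or `sysconf(_SC_OPEN_MAX)`, with 65535 kept as a fallback, preserves both the speed-up and the isolation. Either way the define deserves a comment, e.g. `/* highest fd closed before the helper is exec'd; descriptors above it are inherited */`.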
@@ -0,0 +1,46 @@ +.TH POSTLOGIN 5 "2010 Dec 22" "Red Hat" "Linux-PAM Manual" +.SH NAME + +postlogin \- Common configuration file for PAMified services + +.SH SYNOPSIS +.B /etc/pam.d/postlogin +.sp 2 +.SH DESCRIPTION + +The purpose of this PAM configuration file is to provide a common +place for all PAM modules which should be called after the stack +configured in +.BR system-auth +or the other common PAM configuration files. + +.sp +The +.BR postlogin +configuration file is included from all individual service configuration +files that provide login service with shell or file access. + +.SH NOTES +The modules in the postlogin configuration file are executed regardless +of the success or failure of the modules in the +.BR system-auth +configuration file. + +.SH BUGS +.sp 2 +Sometimes it would be useful to be able to skip the postlogin modules in +case the substack of the +.BR system-auth +modules failed. Unfortunately the current Linux-PAM library does not +provide any way how to achieve this. + +.SH "SEE ALSO" +pam(8), config-util(5), system-auth(5) + +The three +.BR Linux-PAM +Guides, for +.BR "system administrators" ", " +.BR "module developers" ", " +and +.BR "application developers" ". " diff --git a/SOURCES/postlogin.pamd b/SOURCES/postlogin.pamd new file mode 100644 index 0000000..e036f4e --- /dev/null +++ b/SOURCES/postlogin.pamd @@ -0,0 +1,7 @@ +#%PAM-1.0 +# This file is auto-generated. +# User changes will be destroyed the next time authconfig is run. + +session [success=1 default=ignore] pam_succeed_if.so service !~ gdm* service !~ su* quiet +session [default=1] pam_lastlog.so nowtmp showfailed +session optional pam_lastlog.so silent noupdate showfailed diff --git a/SOURCES/smartcard-auth.pamd b/SOURCES/smartcard-auth.pamd new file mode 100644 index 0000000..e5b57e3 --- /dev/null +++ b/SOURCES/smartcard-auth.pamd 
@@ -0,0 +1,19 @@ +#%PAM-1.0 +# This file is auto-generated. +# User changes will be destroyed the next time authconfig is run. +auth required pam_env.so +auth [success=done ignore=ignore default=die] pam_pkcs11.so wait_for_card +auth required pam_deny.so + +account required pam_unix.so +account sufficient pam_localuser.so +account sufficient pam_succeed_if.so uid < 500 quiet +account required pam_permit.so + +password optional pam_pkcs11.so + +session optional pam_keyinit.so revoke +session required pam_limits.so +-session optional pam_systemd.so +session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid +session required pam_unix.so diff --git a/SOURCES/system-auth.5 b/SOURCES/system-auth.5 new file mode 100644 index 0000000..c0ca80b --- /dev/null +++ b/SOURCES/system-auth.5 
@@ -0,0 +1,58 @@ +.TH SYSTEM-AUTH 5 "2010 Dec 22" "Red Hat" "Linux-PAM Manual" +.SH NAME + +system-auth \- Common configuration file for PAMified services + +.SH SYNOPSIS +.B /etc/pam.d/system-auth +.B /etc/pam.d/password-auth +.B /etc/pam.d/fingerprint-auth +.B /etc/pam.d/smartcard-auth +.sp 2 +.SH DESCRIPTION + +The purpose of these configuration files are to provide a common +interface for all applications and service daemons calling into +the PAM library. + +.sp +The +.BR system-auth +configuration file is included from nearly all individual service configuration +files with the help of the +.BR substack +directive. + +.sp +The +.BR password-auth +.BR fingerprint-auth +.BR smartcard-auth +configuration files are for applications which handle authentication from +different types of devices via simultaneously running individual conversations +instead of one aggregate conversation. + +.SH NOTES +Previously these common configuration files were included with the help +of the +.BR include +directive. This limited the use of the different action types of modules. +With the use of +.BR substack +directive to include these common configuration files this limitation +no longer applies. + +.SH BUGS +.sp 2 +None known. + +.SH "SEE ALSO" +pam(8), config-util(5), postlogin(5) + +The three +.BR Linux-PAM +Guides, for +.BR "system administrators" ", " +.BR "module developers" ", " +and +.BR "application developers" ". " diff --git a/SOURCES/system-auth.pamd b/SOURCES/system-auth.pamd new file mode 100644 index 0000000..2e01bf9 --- /dev/null +++ b/SOURCES/system-auth.pamd 
@@ -0,0 +1,18 @@ +#%PAM-1.0 +# This file is auto-generated. +# User changes will be destroyed the next time authconfig is run. +auth required pam_env.so +auth sufficient pam_unix.so try_first_pass nullok +auth required pam_deny.so + +account required pam_unix.so + +password requisite pam_pwquality.so try_first_pass local_users_only retry=3 authtok_type= +password sufficient pam_unix.so try_first_pass use_authtok nullok sha512 shadow +password required pam_deny.so + +session optional pam_keyinit.so revoke +session required pam_limits.so +-session optional pam_systemd.so +session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid +session required pam_unix.so diff --git a/SPECS/pam.spec b/SPECS/pam.spec new file mode 100644 index 0000000..a0ec676 --- /dev/null +++ b/SPECS/pam.spec 
@@ -0,0 +1,2133 @@ +%define pam_redhat_version 0.99.11 + +Summary: An extensible library which provides authentication for applications +Name: pam +Version: 1.1.8 +Release: 23%{?dist} +# The library is BSD licensed with option to relicense as GPLv2+ +# - this option is redundant as the BSD license allows that anyway. +# pam_timestamp, pam_loginuid, and pam_console modules are GPLv2+. +License: BSD and GPLv2+ +Group: System Environment/Base +Source0: http://www.linux-pam.org/library/Linux-PAM-%{version}.tar.bz2 +# This is the old location that might be revived in future: +#Source0: http://ftp.us.kernel.org/pub/linux/libs/pam/library/Linux-PAM-%{version}.tar.bz2 +#Source1: http://ftp.us.kernel.org/pub/linux/libs/pam/library/Linux-PAM-%{version}.tar.bz2.sign +Source2: https://fedorahosted.org/releases/p/a/pam-redhat/pam-redhat-%{pam_redhat_version}.tar.bz2 +Source5: other.pamd +Source6: system-auth.pamd +Source7: password-auth.pamd +Source8: fingerprint-auth.pamd +Source9: smartcard-auth.pamd +Source10: config-util.pamd +Source11: dlopen.sh +Source12: system-auth.5 +Source13: config-util.5 +Source14: 20-nproc.conf +Source15: pamtmp.conf +Source16: postlogin.pamd +Source17: postlogin.5 +Patch1: pam-1.0.90-redhat-modules.patch +Patch2: pam-1.1.6-std-noclose.patch +Patch4: pam-1.1.0-console-nochmod.patch +Patch5: pam-1.1.0-notally.patch +Patch8: pam-1.1.1-faillock.patch +Patch9: pam-1.1.6-noflex.patch +Patch10: pam-1.1.3-nouserenv.patch +Patch12: pam-1.1.3-faillock-screensaver.patch +Patch13: pam-1.1.6-limits-user.patch +Patch15: pam-1.1.8-full-relro.patch +# FIPS related - non upstreamable +Patch20: pam-1.1.5-unix-no-fallback.patch +Patch28: pam-1.1.1-console-errmsg.patch +# Upstreamed partially +Patch29: pam-1.1.8-pwhistory-helper.patch +Patch31: pam-1.1.6-use-links.patch +Patch32: pam-1.1.7-tty-audit-init.patch +Patch33: pam-1.1.8-translation-updates.patch +Patch34: pam-1.1.8-canonicalize-username.patch +Patch35: pam-1.1.8-cve-2013-7041.patch +Patch36: 
pam-1.1.8-cve-2014-2583.patch +Patch37: pam-1.1.8-lastlog-uninitialized.patch +Patch38: pam-1.1.8-opasswd-tolerant.patch +Patch39: pam-1.1.8-audit-grantor.patch +Patch40: pam-1.1.8-man-dbsuffix.patch +Patch41: pam-1.1.8-limits-check-process.patch +Patch42: pam-1.1.8-limits-docfix.patch +Patch43: pam-1.1.8-audit-user-mgmt.patch +Patch44: pam-1.1.8-cve-2015-3238.patch +Patch45: pam-1.1.8-unix-expiry.patch +Patch46: pam-1.1.8-man-environment.patch +Patch47: pam-1.1.8-loginuid-log-auditd.patch +Patch48: pam-1.1.8-faillock-never.patch +Patch49: pam-1.1.8-relax-audit.patch +Patch50: pam-1.1.8-lastlog-localtime.patch +Patch51: pam-1.1.8-man-delay.patch +Patch52: pam-1.1.8-succeed-if-large-uid.patch +Patch53: pam-1.1.8-access-update.patch +Patch54: pam-1.1.8-man-space.patch +Patch55: pam-1.1.8-tty-audit-uid-range.patch +Patch56: pam-1.1.8-faillock-admin-group.patch +Patch57: pam-1.1.8-mkhomedir-inroot.patch +Patch58: pam-1.1.8-authtok-verified.patch +Patch59: pam-1.1.8-man-fixes.patch +Patch60: pam-1.1.8-unix-max-fd-no.patch +Patch61: pam-1.1.8-loginuid-containers.patch + +%define _pamlibdir %{_libdir} +%define _moduledir %{_libdir}/security +%define _secconfdir %{_sysconfdir}/security +%define _pamconfdir %{_sysconfdir}/pam.d + +%if %{?WITH_SELINUX:0}%{!?WITH_SELINUX:1} +%define WITH_SELINUX 1 +%endif +%if %{?WITH_AUDIT:0}%{!?WITH_AUDIT:1} +%define WITH_AUDIT 1 +%endif +%global _performance_build 1 + +Requires: cracklib-dicts >= 2.8 +Requires: libpwquality >= 0.9.9 +Requires(post): coreutils, /sbin/ldconfig +BuildRequires: autoconf >= 2.60 +BuildRequires: automake, libtool +BuildRequires: bison, flex, sed +BuildRequires: cracklib-devel, cracklib-dicts >= 2.8 +BuildRequires: perl, pkgconfig, gettext-devel +%if %{WITH_AUDIT} +BuildRequires: audit-libs-devel >= 1.0.8 +Requires: audit-libs >= 1.0.8 +%endif +%if %{WITH_SELINUX} +BuildRequires: libselinux-devel >= 1.33.2 +Requires: libselinux >= 1.33.2 +%endif +Requires: glibc >= 2.3.90-37 +BuildRequires: libdb-devel +# 
Following deps are necessary only to build the pam library documentation. +BuildRequires: linuxdoc-tools, elinks, libxslt +BuildRequires: docbook-style-xsl, docbook-dtds + +URL: http://www.linux-pam.org/ + +%description +PAM (Pluggable Authentication Modules) is a system security tool that +allows system administrators to set authentication policy without +having to recompile programs that handle authentication. + +%package devel +Group: Development/Libraries +Summary: Files needed for developing PAM-aware applications and modules for PAM +Requires: pam%{?_isa} = %{version}-%{release} + +%description devel +PAM (Pluggable Authentication Modules) is a system security tool that +allows system administrators to set authentication policy without +having to recompile programs that handle authentication. This package +contains header files used for building both PAM-aware applications +and modules for use with the PAM system. + +%prep +%setup -q -n Linux-PAM-%{version} -a 2 +perl -pi -e "s/ppc64-\*/ppc64-\* \| ppc64p7-\*/" build-aux/config.sub + +# Add custom modules. 
+mv pam-redhat-%{pam_redhat_version}/* modules + +%patch1 -p1 -b .redhat-modules +%patch2 -p1 -b .std-noclose +%patch4 -p1 -b .nochmod +%patch5 -p1 -b .notally +%patch8 -p1 -b .faillock +%patch9 -p1 -b .noflex +%patch10 -p1 -b .nouserenv +%patch12 -p1 -b .screensaver +%patch13 -p1 -b .limits +%patch15 -p1 -b .relro +%patch20 -p1 -b .no-fallback +%patch28 -p1 -b .errmsg +%patch29 -p1 -b .pwhhelper +%patch31 -p1 -b .links +%patch32 -p1 -b .tty-audit-init +%patch33 -p2 -b .translations +%patch34 -p1 -b .canonicalize +%patch35 -p1 -b .case +%patch36 -p1 -b .timestamp-ruser +%patch37 -p1 -b .uninitialized +%patch38 -p1 -b .opasswd-tolerant +%patch39 -p1 -b .grantor +%patch40 -p1 -b .dbsuffix +%patch41 -p1 -b .check-process +%patch42 -p1 -b .docfix +%patch43 -p1 -b .audit-user-mgmt +%patch44 -p1 -b .password-limit +%patch45 -p1 -b .expiry +%patch46 -p1 -b .man-environment +%patch47 -p1 -b .log-auditd +%patch48 -p1 -b .never +%patch49 -p1 -b .relax-audit +%patch50 -p1 -b .localtime +%patch51 -p1 -b .delay +%patch52 -p1 -b .large-uid +%patch53 -p1 -b .access-update +%patch54 -p1 -b .space +%patch55 -p1 -b .uid-range +%patch56 -p1 -b .admin-group +%patch57 -p1 -b .mkhomedir-inroot +%patch58 -p1 -b .authtok-verified +%patch59 -p1 -b .manfix +%patch60 -p1 -b .max-fd-no +%patch61 -p1 -b .containers + +%build +autoreconf -i +%configure \ + --libdir=%{_pamlibdir} \ + --includedir=%{_includedir}/security \ +%if ! %{WITH_SELINUX} + --disable-selinux \ +%endif +%if ! %{WITH_AUDIT} + --disable-audit \ +%endif + --disable-static \ + --disable-prelude +make -C po update-gmo +make +# we do not use _smp_mflags because the build of sources in yacc/flex fails + +%install +mkdir -p doc/txts +for readme in modules/pam_*/README ; do + cp -f ${readme} doc/txts/README.`dirname ${readme} | sed -e 's|^modules/||'` +done + +# Install the binaries, libraries, and modules. 
+make install DESTDIR=$RPM_BUILD_ROOT LDCONFIG=: + +%if %{WITH_SELINUX} +# Temporary compat link +ln -sf pam_sepermit.so $RPM_BUILD_ROOT%{_moduledir}/pam_selinux_permit.so +%endif + +# RPM uses docs from source tree +rm -rf $RPM_BUILD_ROOT%{_datadir}/doc/Linux-PAM +# Included in setup package +rm -f $RPM_BUILD_ROOT%{_sysconfdir}/environment + +# Install default configuration files. +install -d -m 755 $RPM_BUILD_ROOT%{_pamconfdir} +install -m 644 %{SOURCE5} $RPM_BUILD_ROOT%{_pamconfdir}/other +install -m 644 %{SOURCE6} $RPM_BUILD_ROOT%{_pamconfdir}/system-auth +install -m 644 %{SOURCE7} $RPM_BUILD_ROOT%{_pamconfdir}/password-auth +install -m 644 %{SOURCE8} $RPM_BUILD_ROOT%{_pamconfdir}/fingerprint-auth +install -m 644 %{SOURCE9} $RPM_BUILD_ROOT%{_pamconfdir}/smartcard-auth +install -m 644 %{SOURCE10} $RPM_BUILD_ROOT%{_pamconfdir}/config-util +install -m 644 %{SOURCE16} $RPM_BUILD_ROOT%{_pamconfdir}/postlogin +install -m 644 %{SOURCE14} $RPM_BUILD_ROOT%{_secconfdir}/limits.d/20-nproc.conf +install -m 600 /dev/null $RPM_BUILD_ROOT%{_secconfdir}/opasswd +install -d -m 755 $RPM_BUILD_ROOT/var/log +install -m 600 /dev/null $RPM_BUILD_ROOT/var/log/tallylog +install -d -m 755 $RPM_BUILD_ROOT/var/run/faillock + +# Install man pages. +install -m 644 %{SOURCE12} %{SOURCE13} %{SOURCE17} $RPM_BUILD_ROOT%{_mandir}/man5/ +ln -sf system-auth.5 $RPM_BUILD_ROOT%{_mandir}/man5/password-auth.5 +ln -sf system-auth.5 $RPM_BUILD_ROOT%{_mandir}/man5/fingerprint-auth.5 +ln -sf system-auth.5 $RPM_BUILD_ROOT%{_mandir}/man5/smartcard-auth.5 + + +for phase in auth acct passwd session ; do + ln -sf pam_unix.so $RPM_BUILD_ROOT%{_moduledir}/pam_unix_${phase}.so +done + +# Remove .la files and make new .so links -- this depends on the value +# of _libdir not changing, and *not* being /usr/lib. 
+for lib in libpam libpamc libpam_misc ; do +rm -f $RPM_BUILD_ROOT%{_pamlibdir}/${lib}.la +done +rm -f $RPM_BUILD_ROOT%{_moduledir}/*.la + +%if "%{_pamlibdir}" != "%{_libdir}" +install -d -m 755 $RPM_BUILD_ROOT%{_libdir} +for lib in libpam libpamc libpam_misc ; do +pushd $RPM_BUILD_ROOT%{_libdir} +ln -sf %{_pamlibdir}/${lib}.so.*.* ${lib}.so +popd +rm -f $RPM_BUILD_ROOT%{_pamlibdir}/${lib}.so +done +%endif + +# Duplicate doc file sets. +rm -fr $RPM_BUILD_ROOT/usr/share/doc/pam + +# Install the file for autocreation of /var/run subdirectories on boot +install -m644 -D %{SOURCE15} $RPM_BUILD_ROOT%{_prefix}/lib/tmpfiles.d/pam.conf + +%find_lang Linux-PAM + +%check +# Make sure every module subdirectory gave us a module. Yes, this is hackish. +for dir in modules/pam_* ; do +if [ -d ${dir} ] ; then +%if ! %{WITH_SELINUX} + [ ${dir} = "modules/pam_selinux" ] && continue + [ ${dir} = "modules/pam_sepermit" ] && continue +%endif +%if ! %{WITH_AUDIT} + [ ${dir} = "modules/pam_tty_audit" ] && continue +%endif + [ ${dir} = "modules/pam_tally" ] && continue + if ! ls -1 $RPM_BUILD_ROOT%{_moduledir}/`basename ${dir}`*.so ; then + echo ERROR `basename ${dir}` did not build a module. + exit 1 + fi +fi +done + +# Check for module problems. Specifically, check that every module we just +# installed can actually be loaded by a minimal PAM-aware application. +/sbin/ldconfig -n $RPM_BUILD_ROOT%{_pamlibdir} +for module in $RPM_BUILD_ROOT%{_moduledir}/pam*.so ; do + if ! env LD_LIBRARY_PATH=$RPM_BUILD_ROOT%{_pamlibdir} \ + %{SOURCE11} -ldl -lpam -L$RPM_BUILD_ROOT%{_libdir} ${module} ; then + echo ERROR module: ${module} cannot be loaded. + exit 1 + fi +done + +%post +/sbin/ldconfig +if [ ! 
-e /var/log/tallylog ] ; then + /usr/bin/install -m 600 /dev/null /var/log/tallylog +fi + +%postun -p /sbin/ldconfig + +%files -f Linux-PAM.lang +%defattr(-,root,root) +%dir %{_pamconfdir} +%config(noreplace) %{_pamconfdir}/other +%config(noreplace) %{_pamconfdir}/system-auth +%config(noreplace) %{_pamconfdir}/password-auth +%config(noreplace) %{_pamconfdir}/fingerprint-auth +%config(noreplace) %{_pamconfdir}/smartcard-auth +%config(noreplace) %{_pamconfdir}/config-util +%config(noreplace) %{_pamconfdir}/postlogin +%doc Copyright +%doc doc/txts +%doc doc/sag/*.txt doc/sag/html +%doc doc/specs/rfc86.0.txt +%{_pamlibdir}/libpam.so.* +%{_pamlibdir}/libpamc.so.* +%{_pamlibdir}/libpam_misc.so.* +%{_sbindir}/pam_console_apply +%{_sbindir}/pam_tally2 +%{_sbindir}/faillock +%attr(4755,root,root) %{_sbindir}/pam_timestamp_check +%attr(4755,root,root) %{_sbindir}/unix_chkpwd +%attr(0700,root,root) %{_sbindir}/unix_update +%attr(0755,root,root) %{_sbindir}/mkhomedir_helper +%attr(0755,root,root) %{_sbindir}/pwhistory_helper +%dir %{_moduledir} +%{_moduledir}/pam_access.so +%{_moduledir}/pam_chroot.so +%{_moduledir}/pam_console.so +%{_moduledir}/pam_cracklib.so +%{_moduledir}/pam_debug.so +%{_moduledir}/pam_deny.so +%{_moduledir}/pam_echo.so +%{_moduledir}/pam_env.so +%{_moduledir}/pam_exec.so +%{_moduledir}/pam_faildelay.so +%{_moduledir}/pam_faillock.so +%{_moduledir}/pam_filter.so +%{_moduledir}/pam_ftp.so +%{_moduledir}/pam_group.so +%{_moduledir}/pam_issue.so +%{_moduledir}/pam_keyinit.so +%{_moduledir}/pam_lastlog.so +%{_moduledir}/pam_limits.so +%{_moduledir}/pam_listfile.so +%{_moduledir}/pam_localuser.so +%{_moduledir}/pam_loginuid.so +%{_moduledir}/pam_mail.so +%{_moduledir}/pam_mkhomedir.so +%{_moduledir}/pam_motd.so +%{_moduledir}/pam_namespace.so +%{_moduledir}/pam_nologin.so +%{_moduledir}/pam_permit.so +%{_moduledir}/pam_postgresok.so +%{_moduledir}/pam_pwhistory.so +%{_moduledir}/pam_rhosts.so +%{_moduledir}/pam_rootok.so +%if %{WITH_SELINUX} 
+%{_moduledir}/pam_selinux.so +%{_moduledir}/pam_selinux_permit.so +%{_moduledir}/pam_sepermit.so +%endif +%{_moduledir}/pam_securetty.so +%{_moduledir}/pam_shells.so +%{_moduledir}/pam_stress.so +%{_moduledir}/pam_succeed_if.so +%{_moduledir}/pam_tally2.so +%{_moduledir}/pam_time.so +%{_moduledir}/pam_timestamp.so +%if %{WITH_AUDIT} +%{_moduledir}/pam_tty_audit.so +%endif +%{_moduledir}/pam_umask.so +%{_moduledir}/pam_unix.so +%{_moduledir}/pam_unix_acct.so +%{_moduledir}/pam_unix_auth.so +%{_moduledir}/pam_unix_passwd.so +%{_moduledir}/pam_unix_session.so +%{_moduledir}/pam_userdb.so +%{_moduledir}/pam_warn.so +%{_moduledir}/pam_wheel.so +%{_moduledir}/pam_xauth.so +%{_moduledir}/pam_filter +%dir %{_secconfdir} +%config(noreplace) %{_secconfdir}/access.conf +%config(noreplace) %{_secconfdir}/chroot.conf +%config %{_secconfdir}/console.perms +%config(noreplace) %{_secconfdir}/console.handlers +%config(noreplace) %{_secconfdir}/group.conf +%config(noreplace) %{_secconfdir}/limits.conf +%dir %{_secconfdir}/limits.d +%config(noreplace) %{_secconfdir}/limits.d/20-nproc.conf +%config(noreplace) %{_secconfdir}/namespace.conf +%dir %{_secconfdir}/namespace.d +%attr(755,root,root) %config(noreplace) %{_secconfdir}/namespace.init +%config(noreplace) %{_secconfdir}/pam_env.conf +%config(noreplace) %{_secconfdir}/time.conf +%config(noreplace) %{_secconfdir}/opasswd +%dir %{_secconfdir}/console.apps +%dir %{_secconfdir}/console.perms.d +%dir /var/run/console +%if %{WITH_SELINUX} +%config(noreplace) %{_secconfdir}/sepermit.conf +%dir /var/run/sepermit +%endif +%ghost %verify(not md5 size mtime) /var/log/tallylog +%dir /var/run/faillock +%{_prefix}/lib/tmpfiles.d/pam.conf +%{_mandir}/man5/* +%{_mandir}/man8/* + +%files devel +%defattr(-,root,root) +%{_includedir}/security +%{_mandir}/man3/* +%{_libdir}/libpam.so +%{_libdir}/libpamc.so +%{_libdir}/libpam_misc.so +%doc doc/mwg/*.txt doc/mwg/html +%doc doc/adg/*.txt doc/adg/html + +%changelog +* Tue Aug 6 2019 Tomáš Mráz 1.1.8-23 
+- pam_get_authtok_verify: ensure no double verification happens
+- manual page fixes for pam_tty_audit and pam_wheel
+- pam_unix: lower the excessive maximum number of closed fd descriptors
+ when spawning handlers
+- pam_loginuid: do not prevent login in unprivileged containers
+
+* Fri Nov 3 2017 Tomáš Mráz 1.1.8-22
+- pam_mkhomedir: do not fail creating parent dir if in /
+
+* Thu Nov 2 2017 Tomáš Mráz 1.1.8-21
+- pam(8) Manual page missing space fix (#1382302)
+
+* Mon Oct 9 2017 Tomáš Mráz 1.1.8-20
+- pam_tty_audit: add support for uid range matching
+
+* Fri Sep 8 2017 Tomáš Mráz 1.1.8-19
+- pam_access: (group) match syntax is prioritized over network@netgroup
+ match (#1358881), add support for additional /etc/security/access.d/*.conf
+ files, improve documentation (#1421735)
+- pam_lastlog: fix pt_BR translation (#1185697)
+- pam_faillock: support admin_group with users equivalent to root in
+ faillock handling (#1285550)
+
+* Tue Jul 19 2016 Tomáš Mráz 1.1.8-18
+- pam_succeed_if: fix handling of large uids, tty, and rhost
+
+* Mon May 30 2016 Tomáš Mráz 1.1.8-17
+- fix pam_fail_delay() manual page (#1130053)
+
+* Thu Apr 28 2016 Tomáš Mráz 1.1.8-15
+- pam_faillock: support permanent locking of user with
+ unlock_time=never option
+
+* Fri Apr 22 2016 Tomáš Mráz 1.1.8-14
+- pam_unix: add no_pass_expiry option for ignoring password
+ expiration in crond and sshd with public key authentication
+- add manual page for environment(5) (#1110257)
+- pam_loginuid: log if auditd not detected
+- always ignore audit error when -EPERM is returned (#1287800)
+- pam_lastlog: fix possible NULL dereference when localtime fails (#1313537)
+
+* Tue Aug 4 2015 Tomáš Mráz 1.1.8-13
+- fix CVE-2015-3238 - DoS due to blocking pipe with very long password
+
+* Fri Oct 17 2014 Tomáš Mráz 1.1.8-12
+- use USER_MGMT type for auditing in the pam_tally2 and faillock
+ apps (#1151576)
+
+* Thu Sep 11 2014 Tomáš Mráz 1.1.8-11
+- be tolerant to corrupted opasswd file
+- audit the module names that granted access
+- pam_userdb: correct the example in man page (#1078784)
+- pam_limits: check whether the utmp login entry is valid (#1080023)
+- pam_console_apply: do not print error if console.perms.d is empty
+- pam_limits: nofile refers to open file descriptors (#1111220)
+- apply PIE and full RELRO to all binaries built
+
+* Mon Aug 25 2014 Tomáš Mráz 1.1.8-10
+- pam_lastlog: fix uninitialized access of parts of lastlog structure
+
+* Mon Mar 31 2014 Tomáš Mráz 1.1.8-9
+- fix CVE-2014-2583: potential path traversal issue in pam_timestamp
+- pam_pwhistory: call the helper if SELinux enabled
+
+* Tue Mar 11 2014 Tomáš Mráz 1.1.8-8
+- fix CVE-2013-7041: use case sensitive comparison in pam_userdb
+
+* Mon Mar 10 2014 Tomáš Mráz 1.1.8-7
+- rename the 90-nproc.conf to 20-nproc.conf (#1071618)
+- canonicalize user name in pam_selinux (#1071010)
+
+* Fri Jan 31 2014 Tomáš Mráz 1.1.8-6
+- refresh the pam-redhat tarball
+
+* Fri Jan 24 2014 Daniel Mach - 1.1.8-5
+- Mass rebuild 2014-01-24
+
+* Wed Jan 15 2014 Tomáš Mráz 1.1.8-4
+- rebuild with -O3 on ppc64 architecture
+
+* Fri Dec 27 2013 Daniel Mach - 1.1.8-3
+- Mass rebuild 2013-12-27
+
+* Tue Dec 3 2013 Tomáš Mráz 1.1.8-2
+- updated translations
+
+* Mon Oct 14 2013 Tomáš Mráz 1.1.8-1
+- new upstream release
+
+* Sat Oct 5 2013 Tomáš Mráz 1.1.7-4
+- pam_tty_audit: proper initialization of the tty_audit_status struct
+
+* Mon Sep 30 2013 Tomáš Mráz 1.1.7-2
+- add "local_users_only" to pam_pwquality in default configuration
+
+* Fri Sep 13 2013 Tomáš Mráz 1.1.7-1
+- new upstream release
+
+* Wed Aug 7 2013 Tomáš Mráz 1.1.6-14
+- use links instead of w3m to create txt documentation
+- recognize login session in pam_sepermit to prevent gdm from locking (#969174)
+- add support for disabling password logging in pam_tty_audit
+
+* Thu Jul 11 2013 Tomáš Mráz 1.1.6-13
+- add auditing of SELinux policy violation in pam_rootok (#965723)
+- add SELinux helper to pam_pwhistory
+
+* Wed Jun 12 2013 Tomáš Mráz 1.1.6-12
+- lastlog must be updated also for su
+
+* Tue May 7 2013 Tomáš Mráz 1.1.6-11
+- the default isadir is more correct
+
+* Wed Apr 24 2013 Tomáš Mráz 1.1.6-10
+- pam_unix: do not fail with bad ld.so.preload
+
+* Fri Mar 22 2013 Tomáš Mráz 1.1.6-9
+- do not fail if btmp file is corrupted (#906852)
+- fix strict aliasing warnings in build
+- UsrMove
+- use authtok_type with pam_pwquality in system-auth
+- remove manual_context handling from pam_selinux (#876976)
+- other minor specfile cleanups
+
+* Tue Mar 19 2013 Tomáš Mráz 1.1.6-8
+- check NULL return from crypt() calls (#915316)
+
+* Thu Mar 14 2013 Tomáš Mráz 1.1.6-7
+- add workaround for low nproc limit for confined root user (#432903)
+
+* Thu Feb 21 2013 Karsten Hopp 1.1.6-6
+- add support for ppc64p7 arch (Power7 optimized)
+
+* Thu Feb 14 2013 Fedora Release Engineering - 1.1.6-5
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_19_Mass_Rebuild
+
+* Tue Jan 22 2013 Tomas Mraz 1.1.6-4
+- fix build with current autotools
+
+* Mon Oct 15 2012 Tomas Mraz 1.1.6-3
+- add support for tmpfs mount options in pam_namespace
+
+* Mon Sep 3 2012 Tomas Mraz 1.1.6-2
+- link setuid binaries with full relro (#853158)
+- add rhost and tty to auditing data in modules (#677664)
+
+* Fri Aug 17 2012 Tomas Mraz - 1.1.6-1
+- new upstream release
+
+* Thu Aug 9 2012 Tomas Mraz - 1.1.5-9
+- make the pam_lastlog module in postlogin 'optional' (#846843)
+
+* Mon Aug 6 2012 Tomas Mraz - 1.1.5-8
+- fix build failure in pam_unix
+- add display of previous bad login attempts to postlogin.pamd
+- put the tmpfiles.d config to /usr/lib and rename it to pam.conf
+- build against libdb-5
+
+* Wed May 9 2012 Tomas Mraz 1.1.5-7
+- add inactive account lock out functionality to pam_lastlog
+- fix pam_unix remember user name matching
+- add gecoscheck and maxclassrepeat functionality to pam_cracklib
+- correctly check for crypt() returning NULL in pam_unix
+- pam_unix - do not fallback to MD5 on password change
+ if requested algorithm not supported by crypt() (#818741)
+- install empty directories
+
+* Wed May 9 2012 Tomas Mraz 1.1.5-6
+- add pam_systemd to session modules
+
+* Tue Jan 31 2012 Tomas Mraz 1.1.5-5
+- fix pam_namespace leaking the protect mounts to parent namespace (#755216)
+
+* Fri Jan 13 2012 Fedora Release Engineering - 1.1.5-4
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_17_Mass_Rebuild
+
+* Wed Dec 21 2011 Tomas Mraz 1.1.5-3
+- add a note to limits.conf (#754285)
+
+* Thu Nov 24 2011 Tomas Mraz 1.1.5-2
+- use pam_pwquality instead of pam_cracklib
+
+* Thu Nov 24 2011 Tomas Mraz 1.1.5-1
+- upgrade to new upstream release
+
+* Thu Aug 25 2011 Tomas Mraz 1.1.4-4
+- fix dereference in pam_env
+- fix wrong parse of user@host pattern in pam_access (#732081)
+
+* Sat Jul 23 2011 Ville Skyttä - 1.1.4-3
+- Rebuild to fix trailing slashes in provided dirs added by rpm 4.9.1.
+
+* Fri Jul 15 2011 Tomas Mraz 1.1.4-2
+- clear supplementary groups in pam_console handler execution
+
+* Mon Jun 27 2011 Tomas Mraz 1.1.4-1
+- upgrade to new upstream release
+
+* Tue Jun 7 2011 Tomas Mraz 1.1.3-10
+- detect the shared / and make the polydir mounts private based on that
+- fix memory leak and other small errors in pam_namespace
+
+* Thu Jun 2 2011 Tomas Mraz 1.1.3-9
+- add support for explicit marking of the polydir mount private (#623522)
+
+* Tue Feb 08 2011 Fedora Release Engineering - 1.1.3-8
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_15_Mass_Rebuild
+
+* Wed Dec 22 2010 Tomas Mraz 1.1.3-7
+- add postlogin common PAM configuration file (#665059)
+
+* Tue Dec 14 2010 Tomas Mraz 1.1.3-6
+- include patches recently submitted and applied to upstream CVS
+
+* Thu Nov 25 2010 Tomas Mraz 1.1.3-5
+- add config for autocreation of subdirectories in /var/run (#656655)
+- automatically enable kernel console in pam_securetty
+
+* Wed Nov 10 2010 Tomas Mraz 1.1.3-4
+- fix memory leak in pam_faillock
+
+* Wed Nov 10 2010 Tomas Mraz 1.1.3-3
+- fix segfault in faillock utility
+- remove some cases where the information of existence of
+ an user account could be leaked by the pam_faillock,
+ document the remaining case
+
+* Fri Nov 5 2010 Tomas Mraz 1.1.3-2
+- fix a mistake in the abstract X-socket connect
+- make pam_faillock work with screensaver
+
+* Mon Nov 1 2010 Tomas Mraz 1.1.3-1
+- upgrade to new upstream release fixing CVE-2010-3316 CVE-2010-3435
+ CVE-2010-3853
+- try to connect to an abstract X-socket first to verify we are
+ at real console (#647191)
+
+* Wed Sep 29 2010 jkeating - 1.1.2-2
+- Rebuilt for gcc bug 634757
+
+* Mon Sep 20 2010 Tomas Mraz 1.1.2-1
+- add pam_faillock module implementing temporary account lock out based
+ on authentication failures during a specified interval
+- do not build some auxiliary tools that are not installed that require
+ flex-static to build
+- upgrade to new upstream release
+
+* Thu Jul 15 2010 Tomas Mraz 1.1.1-5
+- do not overwrite tallylog with empty file on upgrade
+
+* Mon Feb 15 2010 Tomas Mraz 1.1.1-4
+- change the default password hash to sha512
+
+* Fri Jan 22 2010 Tomas Mraz 1.1.1-3
+- fix wrong prompt when pam_get_authtok is used for new password
+
+* Mon Jan 18 2010 Tomas Mraz 1.1.1-2
+- fix build with disabled audit and SELinux (#556211, #556212)
+
+* Thu Dec 17 2009 Tomas Mraz 1.1.1-1
+- new upstream version with minor changes
+
+* Mon Nov 2 2009 Tomas Mraz 1.1.0-7
+- pam_console: fix memory corruption when executing handlers (patch by
+ Stas Sergeev) and a few more fixes in the handler execution code (#532302)
+
+* Thu Oct 29 2009 Tomas Mraz 1.1.0-6
+- pam_xauth: set the approprate context when creating .xauth files (#531530)
+
+* Tue Sep 1 2009 Tomas Mraz 1.1.0-5
+- do not change permissions with pam_console_apply
+- drop obsolete pam_tally module and the faillog file (#461258)
+
+* Wed Aug 19 2009 Tomas Mraz 1.1.0-4
+- rebuild with new libaudit
+
+* Mon Jul 27 2009 Tomas Mraz 1.1.0-3
+- fix for pam_cracklib from upstream
+
+* Sat Jul 25 2009 Fedora Release Engineering - 1.1.0-2
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_12_Mass_Rebuild
+
+* Tue Jun 23 2009 Tomas Mraz 1.1.0-1
+- update to new upstream version
+
+* Wed May 13 2009 Tomas Mraz 1.0.92-1
+- update to new upstream version
+
+* Fri Apr 10 2009 Tomas Mraz 1.0.91-6
+- add password-auth, fingerprint-auth, and smartcard-auth
+ for applications which can use them namely gdm (#494874)
+ patch by Ray Strode
+
+* Thu Mar 26 2009 Tomas Mraz 1.0.91-5
+- replace also other std descriptors (#491471)
+
+* Tue Mar 17 2009 Tomas Mraz 1.0.91-3
+- we must replace the stdin when execing the helper (#490644)
+
+* Mon Mar 16 2009 Tomas Mraz 1.0.91-2
+- do not close stdout/err when execing the helpers (#488147)
+
+* Mon Mar 9 2009 Tomas Mraz 1.0.91-1
+- upgrade to new upstream release
+
+* Fri Feb 27 2009 Tomas Mraz 1.0.90-4
+- fix parsing of config files containing non-ASCII characters
+- fix CVE-2009-0579 (mininimum days for password change ignored) (#487216)
+- pam_access: improve handling of hostname resolution
+
+* Thu Feb 26 2009 Fedora Release Engineering - 1.0.90-3
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_11_Mass_Rebuild
+
+* Mon Jan 19 2009 Tomas Mraz 1.0.90-2
+- add helper to pam_mkhomedir for proper SELinux confinement (#476784)
+
+* Tue Dec 16 2008 Tomas Mraz 1.0.90-1
+- upgrade to new upstream release
+- add --disable-prelude (#466242)
+
+* Tue Sep 23 2008 Tomas Mraz 1.0.2-2
+- new password quality checks in pam_cracklib
+- report failed logins from btmp in pam_lastlog
+- allow larger groups in modutil functions
+- fix leaked file descriptor in pam_tally
+
+* Mon Sep 8 2008 Tomas Mraz 1.0.2-1
+- pam_loginuid: uids are unsigned (#460241)
+- new minor upstream release
+- use external db4
+- drop tests for not pulling in libpthread (as NPTL should
+ be safe)
+
+* Wed Jul 9 2008 Tomas Mraz 1.0.1-5
+- update internal db4
+
+* Wed May 21 2008 Tomas Mraz 1.0.1-4
+- pam_namespace: allow safe creation of directories owned by user (#437116)
+- pam_unix: fix multiple error prompts on password change (#443872)
+
+* Tue May 20 2008 Tomas Mraz 1.0.1-3
+- pam_selinux: add env_params option which will be used by OpenSSH
+- fix build with new autoconf
+
+* Tue Apr 22 2008 Tomas Mraz 1.0.1-2
+- pam_selinux: restore execcon properly (#443667)
+
+* Fri Apr 18 2008 Tomas Mraz 1.0.1-1
+- upgrade to new upstream release (one bugfix only)
+- fix pam_sepermit use in screensavers
+
+* Mon Apr 7 2008 Tomas Mraz 1.0.0-2
+- fix regression in pam_set_item
+
+* Fri Apr 4 2008 Tomas Mraz 1.0.0-1
+- upgrade to new upstream release (bugfix only)
+
+* Thu Mar 20 2008 Tomas Mraz 0.99.10.0-4
+- pam_namespace: fix problem with level polyinst (#438264)
+- pam_namespace: improve override checking for umount
+- pam_selinux: fix syslogging a context after free() (#438338)
+
+* Thu Feb 28 2008 Tomas Mraz 0.99.10.0-3
+- update pam-redhat module tarball
+- update internal db4
+
+* Fri Feb 22 2008 Tomas Mraz 0.99.10.0-2
+- if shadow is readable for an user do not prevent him from
+ authenticating any user with unix_chkpwd (#433459)
+- call audit from unix_chkpwd when appropriate
+
+* Fri Feb 15 2008 Tomas Mraz 0.99.10.0-1
+- new upstream release
+- add default soft limit for nproc of 1024 to prevent
+ accidental fork bombs (#432903)
+
+* Mon Feb 4 2008 Tomas Mraz 0.99.8.1-18
+- allow the package to build without SELinux and audit support (#431415)
+- macro usage cleanup
+
+* Mon Jan 28 2008 Tomas Mraz 0.99.8.1-17
+- test for setkeycreatecon correctly
+- add exclusive login mode of operation to pam_selinux_permit (original
+ patch by Dan Walsh)
+
+* Tue Jan 22 2008 Tomas Mraz 0.99.8.1-16
+- add auditing to pam_access, pam_limits, and pam_time
+- moved sanity testing code to check script
+
+* Mon Jan 14 2008 Tomas Mraz 0.99.8.1-15
+- merge review fixes (#226228)
+
+* Tue Jan 8 2008 Tomas Mraz 0.99.8.1-14
+- support for sha256 and sha512 password hashes
+- account expiry checks moved to unix_chkpwd helper
+
+* Wed Jan 2 2008 Tomas Mraz 0.99.8.1-13
+- wildcard match support in pam_tty_audit (by Miloslav Trmač)
+
+* Thu Nov 29 2007 Tomas Mraz 0.99.8.1-12
+- add pam_tty_audit module (#244352) - written by Miloslav Trmač
+
+* Wed Nov 7 2007 Tomas Mraz 0.99.8.1-11
+- add substack support
+
+* Tue Sep 25 2007 Tomas Mraz 0.99.8.1-10
+- update db4 to 4.6.19 (#274661)
+
+* Fri Sep 21 2007 Tomas Mraz 0.99.8.1-9
+- do not preserve contexts when copying skel and other namespace.init
+ fixes (#298941)
+- do not free memory sent to putenv (#231698)
+
+* Wed Sep 19 2007 Tomas Mraz 0.99.8.1-8
+- add pam_selinux_permit module
+- pam_succeed_if: fix in operator (#295151)
+
+* Tue Sep 18 2007 Tomas Mraz 0.99.8.1-7
+- when SELinux enabled always run the helper binary instead of
+ direct shadow access (#293181)
+
+* Fri Aug 24 2007 Tomas Mraz 0.99.8.1-6
+- do not ask for blank password when SELinux confined (#254044)
+- initialize homedirs in namespace init script (original patch by dwalsh)
+
+* Wed Aug 22 2007 Tomas Mraz 0.99.8.1-5
+- most devices are now handled by HAL and not pam_console (patch by davidz)
+- license tag fix
+- multifunction scanner device support (#251468)
+
+* Mon Aug 13 2007 Tomas Mraz 0.99.8.1-4
+- fix auth regression when uid != 0 from previous build (#251804)
+
+* Mon Aug 6 2007 Tomas Mraz 0.99.8.1-3
+- updated db4 to 4.6.18 (#249740)
+- added user and new instance parameters to namespace init
+- document the new features of pam_namespace
+- do not log an audit error when uid != 0 (#249870)
+
+* Wed Jul 25 2007 Jeremy Katz - 0.99.8.1-2
+- rebuild for toolchain bug
+
+* Mon Jul 23 2007 Tomas Mraz 0.99.8.1-1
+- upgrade to latest upstream version
+- add some firewire devices to default console perms (#240770)
+
+* Thu Apr 26 2007 Tomas Mraz 0.99.7.1-6
+- pam_namespace: better document behavior on failure (#237249)
+- pam_unix: split out passwd change to a new helper binary (#236316)
+- pam_namespace: add support for temporary logons (#241226)
+
+* Fri Apr 13 2007 Tomas Mraz 0.99.7.1-5
+- pam_selinux: improve context change auditing (#234781)
+- pam_namespace: fix parsing config file with unknown users (#234513)
+
+* Fri Mar 23 2007 Tomas Mraz 0.99.7.1-4
+- pam_console: always decrement use count (#230823)
+- pam_namespace: use raw context for poly dir name (#227345)
+- pam_namespace: truncate long poly dir name (append hash) (#230120)
+- we don't patch any po files anymore
+
+* Wed Feb 21 2007 Tomas Mraz 0.99.7.1-3
+- correctly relabel tty in the default case (#229542)
+- pam_unix: cleanup of bigcrypt support
+- pam_unix: allow modification of '*' passwords to root
+
+* Tue Feb 6 2007 Tomas Mraz 0.99.7.1-2
+- more X displays as consoles (#227462)
+
+* Wed Jan 24 2007 Tomas Mraz 0.99.7.1-1
+- upgrade to new upstream version resolving CVE-2007-0003
+- pam_namespace: unmount poly dir for override users
+
+* Mon Jan 22 2007 Tomas Mraz 0.99.7.0-2
+- add back min salt length requirement which was erroneously removed
+ upstream (CVE-2007-0003)
+
+* Fri Jan 19 2007 Tomas Mraz 0.99.7.0-1
+- upgrade to new upstream version
+- drop pam_stack module as it is obsolete
+- some changes to silence rpmlint
+
+* Tue Jan 16 2007 Tomas Mraz 0.99.6.2-8
+- properly include /var/log/faillog and tallylog as ghosts
+ and create them in post script (#209646)
+- update gmo files as we patch some po files (#218271)
+- add use_current_range option to pam_selinux (#220487)
+- improve the role selection in pam_selinux
+- remove shortcut on Password: in ja locale (#218271)
+- revert to old euid and not ruid when setting euid in pam_keyinit (#219486)
+- rename selinux-namespace patch to namespace-level
+
+* Fri Dec 1 2006 Dan Walsh 0.99.6.2-7
+- fix selection of role
+
+* Fri Dec 1 2006 Dan Walsh 0.99.6.2-6
+- add possibility to pam_namespace to only change MLS component
+- Resolves: Bug #216184
+
+* Thu Nov 30 2006 Tomas Mraz 0.99.6.2-5
+- add select-context option to pam_selinux (#213812)
+- autoreconf won't work with autoconf-2.61 as configure.in is not yet adjusted
+ for it
+
+* Mon Nov 13 2006 Tomas Mraz 0.99.6.2-4
+- update internal db4 to 4.5.20 version
+- move setgid before setuid in pam_keyinit (#212329)
+- make username check in pam_unix consistent with useradd (#212153)
+
+* Tue Oct 24 2006 Tomas Mraz 0.99.6.2-3.3
+- don't overflow a buffer in pam_namespace (#211989)
+
+* Mon Oct 16 2006 Tomas Mraz 0.99.6.2-3.2
+- /var/log/faillog and tallylog must be config(noreplace)
+
+* Fri Oct 13 2006 Tomas Mraz 0.99.6.2-3.1
+- preserve effective uid in namespace.init script (LSPP for newrole)
+- include /var/log/faillog and tallylog to filelist (#209646)
+- add ids to .xml docs so the generated html is always the same (#210569)
+
+* Thu Sep 28 2006 Tomas Mraz 0.99.6.2-3
+- add pam_namespace option no_unmount_on_close, required for newrole
+
+* Mon Sep 4 2006 Tomas Mraz 0.99.6.2-2
+- silence pam_succeed_if in default system-auth (#205067)
+- round the pam_timestamp_check sleep up to wake up at the start of the
+ wallclock second (#205068)
+
+* Thu Aug 31 2006 Tomas Mraz 0.99.6.2-1
+- upgrade to new upstream version, as there are mostly bugfixes except
+ improved documentation
+- add support for session and password service for pam_access and
+ pam_succeed_if
+- system-auth: skip session pam_unix for crond service
+
+* Thu Aug 10 2006 Dan Walsh 0.99.5.0-8
+- Add new setkeycreatecon call to pam_selinux to make sure keyring has correct context
+
+* Thu Aug 10 2006 Tomas Mraz 0.99.5.0-7
+- revoke keyrings properly when pam_keyinit called as root (#201048)
+- pam_succeed_if should return PAM_USER_UNKNOWN when getpwnam fails (#197748)
+
+* Wed Aug 2 2006 Tomas Mraz 0.99.5.0-6
+- revoke keyrings properly when pam_keyinit called more than once (#201048)
+ patch by David Howells
+
+* Fri Jul 21 2006 Tomas Mraz 0.99.5.0-5
+- don't log pam_keyinit debug messages by default (#199783)
+
+* Fri Jul 21 2006 Tomas Mraz 0.99.5.0-4
+- drop ainit from console.handlers (#199561)
+
+* Mon Jul 17 2006 Tomas Mraz 0.99.5.0-3
+- don't report error in pam_selinux for nonexistent tty (#188722)
+- add pam_keyinit to the default system-auth file (#198623)
+
+* Wed Jul 12 2006 Jesse Keating - 0.99.5.0-2.1
+- rebuild
+
+* Mon Jul 3 2006 Tomas Mraz 0.99.5.0-2
+- fixed network match in pam_access (patch by Dan Yefimov)
+
+* Fri Jun 30 2006 Tomas Mraz 0.99.5.0-1
+- updated to a new upstream release
+- added service as value to be matched and list matching to
+ pam_succeed_if
+- namespace.init was missing from EXTRA_DIST
+
+* Thu Jun 8 2006 Tomas Mraz 0.99.4.0-5
+- updated pam_namespace with latest patch by Janak Desai
+- merged pam_namespace patches
+- added buildrequires libtool
+- fixed a few rpmlint warnings
+
+* Wed May 24 2006 Tomas Mraz 0.99.4.0-4
+- actually don't link to libssl as it is not used (#191915)
+
+* Wed May 17 2006 Tomas Mraz 0.99.4.0-3
+- use md5 implementation from pam_unix in pam_namespace
+- pam_namespace should call setexeccon only when selinux is enabled
+
+* Tue May 16 2006 Tomas Mraz 0.99.4.0-2
+- pam_console_apply shouldn't access /var when called with -r (#191401)
+- actually apply the large-uid patch
+- don't build hmactest in pam_timestamp so openssl-devel is not required
+- add missing buildrequires (#191915)
+
+* Wed May 10 2006 Tomas Mraz 0.99.4.0-1
+- upgrade to new upstream version
+- make pam_console_apply not dependent on glib
+- support large uids in pam_tally, pam_tally2
+
+* Thu May 4 2006 Tomas Mraz 0.99.3.0-5
+- the namespace instance init script is now in /etc/security (#190148)
+- pam_namespace: added missing braces (#190026)
+- pam_tally(2): never call fclose twice on the same FILE (from upstream)
+
+* Wed Apr 26 2006 Tomas Mraz 0.99.3.0-4
+- fixed console device class for irda (#189966)
+- make pam_console_apply fail gracefully when a class is missing
+
+* Tue Apr 25 2006 Tomas Mraz 0.99.3.0-3
+- added pam_namespace module written by Janak Desai (per-user /tmp
+support)
+- new pam-redhat modules version
+
+* Fri Feb 24 2006 Tomas Mraz 0.99.3.0-2
+- added try_first_pass option to pam_cracklib
+- use try_first_pass for pam_unix and pam_cracklib in
+ system-auth (#182350)
+
+* Fri Feb 10 2006 Jesse Keating - 0.99.3.0-1.2
+- bump again for double-long bug on ppc(64)
+
+* Tue Feb 07 2006 Jesse Keating - 0.99.3.0-1.1
+- rebuilt for new gcc4.1 snapshot and glibc changes
+
+* Fri Feb 3 2006 Tomas Mraz 0.99.3.0-1
+- new upstream version
+- updated db4 to 4.3.29
+- added module pam_tally2 with auditing support
+- added manual pages for system-auth and config-util (#179584)
+
+* Tue Jan 3 2006 Tomas Mraz 0.99.2.1-3
+- remove 'initscripts' dependency (#176508)
+- update pam-redhat modules, merged patches
+
+* Fri Dec 16 2005 Tomas Mraz 0.99.2.1-2
+- fix dangling symlinks in -devel (#175929)
+- link libaudit only where necessary
+- actually compile in audit support
+
+* Thu Dec 15 2005 Tomas Mraz 0.99.2.1-1
+- support netgroup matching in pam_succeed_if
+- upgrade to new release
+- drop pam_pwdb as it was obsolete long ago
+- we don't build static libraries anymore
+
+* Fri Dec 09 2005 Jesse Keating
+- rebuilt
+
+* Tue Nov 15 2005 Tomas Mraz 0.80-14
+- pam_stack is deprecated - log its usage
+
+* Wed Oct 26 2005 Tomas Mraz 0.80-13
+- fixed CAN-2005-2977 unix_chkpwd should skip user verification only if
+ run as root (#168181)
+- link pam_loginuid to libaudit
+- support no tty in pam_access (#170467)
+- updated audit patch (by Steve Grubb)
+- the previous pam_selinux change was not applied properly
+- pam_xauth: look for the xauth binary in multiple directories (#171164)
+
+* Wed Oct 26 2005 Dan Walsh 0.80-12
+- Eliminate multiple in pam_selinux
+
+* Fri Oct 14 2005 Dan Walsh 0.80-11
+- Eliminate fail over for getseuserbyname call
+
+* Thu Oct 13 2005 Dan Walsh 0.80-10
+- Add getseuserbyname call for SELinux MCS/MLS policy
+
+* Tue Oct 4 2005 Tomas Mraz
+- pam_console manpage fixes (#169373)
+
+* Fri Sep 30 2005 Tomas Mraz 0.80-9
+- don't include ps and pdf docs (#168823)
+- new common config file for configuration utilities
+- remove glib2 dependency (#166979)
+
+* Tue Sep 20 2005 Tomas Mraz 0.80-8
+- process limit values other than RLIMIT_NICE correctly (#168790)
+- pam_unix: always honor nis flag on password change (by Aaron Hope)
+
+* Wed Aug 24 2005 Tomas Mraz 0.80-7
+- don't fail in audit code when audit is not compiled in
+ on the newest kernels (#166422)
+
+* Mon Aug 01 2005 Tomas Mraz 0.80-6
+- add option to pam_loginuid to require auditd
+
+* Fri Jul 29 2005 Tomas Mraz 0.80-5
+- fix NULL dereference in pam_userdb (#164418)
+
+* Tue Jul 26 2005 Tomas Mraz 0.80-4
+- fix 64bit bug in pam_pwdb
+- don't crash in pam_unix if pam_get_data fail
+
+* Fri Jul 22 2005 Tomas Mraz 0.80-3
+- more pam_selinux permissive fixes (Dan Walsh)
+- make binaries PIE (#158938)
+
+* Mon Jul 18 2005 Tomas Mraz 0.80-2
+- fixed module tests so the pam doesn't require itself to build (#163502)
+- added buildprereq for building the documentation (#163503)
+- relaxed permissions of binaries (u+w)
+
+* Thu Jul 14 2005 Tomas Mraz 0.80-1
+- upgrade to new upstream sources
+- removed obsolete patches
+- pam_selinux module shouldn't fail on broken configs unless
+ policy is set to enforcing (Dan Walsh)
+
+* Tue Jun 21 2005 Tomas Mraz 0.79-11
+- update pam audit patch
+- add support for new limits in kernel-2.6.12 (#157050)
+
+* Thu Jun 9 2005 Tomas Mraz 0.79-10
+- add the Requires dependency on audit-libs (#159885)
+- pam_loginuid shouldn't report error when /proc/self/loginuid
+ is missing (#159974)
+
+* Fri May 20 2005 Tomas Mraz 0.79-9
+- update the pam audit patch to support newest audit library,
+ audit also pam_setcred calls (Steve Grubb)
+- don't use the audit_fd as global static variable
+- don't unset the XAUTHORITY when target user is root
+
+* Mon May 2 2005 Tomas Mraz 0.79-8
+- pam_console: support loading .perms files in the console.perms.d (#156069)
+
+* Tue Apr 26 2005 Tomas Mraz 0.79-7
+- pam_xauth: unset the XAUTHORITY variable on error, fix
+ potential memory leaks
+- modify path to IDE floppy devices in console.perms (#155560)
+
+* Sat Apr 16 2005 Steve Grubb 0.79-6
+- Adjusted pam audit patch to make exception for ECONNREFUSED
+
+* Tue Apr 12 2005 Tomas Mraz 0.79-5
+- added auditing patch by Steve Grubb
+- added cleanup patches for bugs found by Steve Grubb
+- don't clear the shadow option of pam_unix if nis option used
+
+* Fri Apr 8 2005 Tomas Mraz 0.79-4
+- #150537 - flush input first then write the prompt
+
+* Thu Apr 7 2005 Tomas Mraz 0.79-3
+- make pam_unix LSB 2.0 compliant even when SELinux enabled
+- #88127 - change both local and NIS passwords to keep them in sync,
+ also fix a regression in passwd functionality on NIS master server
+
+* Tue Apr 5 2005 Tomas Mraz
+- #153711 fix wrong logging in pam_selinux when restoring tty label
+
+* Sun Apr 3 2005 Tomas Mraz 0.79-2
+- fix NULL deref in pam_tally when it's used in account phase
+
+* Thu Mar 31 2005 Tomas Mraz 0.79-1
+- upgrade to the new upstream release
+- moved pam_loginuid to pam-redhat repository
+
+* Wed Mar 23 2005 Tomas Mraz 0.78-9
+- fix wrong logging in pam_console handlers
+- add executing ainit handler for alsa sound dmix
+- #147879, #112777 - change permissions for dri devices
+
+* Fri Mar 18 2005 Tomas Mraz 0.78-8
+- remove ownership and permissions handling from pam_console call
+ pam_console_apply as a handler instead
+
+* Mon Mar 14 2005 Tomas Mraz 0.78-7
+- add pam_loginuid module for setting the the login uid for auditing purposes
+ (by Steve Grubb)
+
+* Thu Mar 10 2005 Tomas Mraz 0.78-6
+- add functionality for running handler executables from pam_console
+ when console lock was obtained/lost
+- removed patches merged to pam-redhat
+
+* Tue Mar 1 2005 Tomas Mraz 0.78-5
+- echo why tests failed when rebuilding
+- fixed some warnings and errors in pam_console for gcc4 build
+- improved parsing pam_console config file
+
+* Mon Feb 21 2005 Tomas Mraz
+- don't log garbage in pam_console_apply (#147879)
+
+* Tue Jan 18 2005 Tomas Mraz
+- don't require exact db4 version only conflict with incompatible one
+
+* Wed Jan 12 2005 Tomas Mraz 0.78-4
+- updated pam-redhat from elvis CVS
+- removed obsolete patches
+
+* Mon Jan 3 2005 Jeff Johnson 0.78-3
+- depend on db-4.3.27, not db-4.3.21.
+
+* Thu Nov 25 2004 Tomas Mraz 0.78-2
+- add argument to pam_console_apply to restrict its work to specified files
+
+* Tue Nov 23 2004 Tomas Mraz 0.78-1
+- update to Linux-PAM-0.78
+- #140451 parse passwd entries correctly and test for failure
+- #137802 allow using pam_console for authentication
+
+* Fri Nov 12 2004 Jeff Johnson 0.77-67
+- rebuild against db-4.3.21.
+
+* Thu Nov 11 2004 Tomas Mraz 0.77-66
+- #77646 log failures when renaming the files when changing password
+- Log failure on missing /etc/security/opasswd when remember option is present
+
+* Wed Nov 10 2004 Tomas Mraz
+- #87628 pam_timestamp remembers authorization after logout
+- #116956 fixed memory leaks in pam_stack
+
+* Wed Oct 20 2004 Tomas Mraz 0.77-65
+- #74062 modify the pwd-lock patch to remove NIS passwd changing deadlock
+
+* Wed Oct 20 2004 Tomas Mraz 0.77-64
+- #134941 pam_console should check X11 socket only on login
+
+* Tue Oct 19 2004 Tomas Mraz 0.77-63
+- Fix checking of group %%group syntax in pam_limits
+- Drop fencepost patch as it was already fixed
+ by upstream change from 0.75 to 0.77
+- Fix brokenshadow patch
+
+* Mon Oct 11 2004 Tomas Mraz 0.77-62
+- Added bluetooth, raw1394 and flash to console.perms
+- pam_console manpage fix
+
+* Mon Oct 11 2004 Tomas Mraz 0.77-61
+- #129328 pam_env shouldn't abort on missing /etc/environment
+- #126985 pam_stack should always copy the conversation function
+- #127524 add /etc/security/opasswd to files
+
+* Tue Sep 28 2004 Phil Knirsch 0.77-60
+- Drop last patch again, fixed now correctly elsewhere
+
+* Thu Sep 23 2004 Phil Knirsch 0.77-59
+- Fixed bug in pam_env where wrong initializer was used
+
+* Fri Sep 17 2004 Dan Walsh 0.77-58
+- rebuild selinux patch using checkPasswdAccess
+
+* Mon Sep 13 2004 Jindrich Novy
+- rebuilt
+
+* Mon Sep 13 2004 Tomas Mraz 0.77-56
+- #75454 fixed locking when changing password
+- #127054
+- #125653 removed unnecessary getgrouplist call
+- #124979 added quiet option to pam_succeed_if
+
+* Mon Aug 30 2004 Warren Togami 0.77-55
+- #126024 /dev/pmu console perms
+
+* Wed Aug 4 2004 Dan Walsh 0.77-54
+- Move pam_console.lock to /var/run/console/
+
+* Thu Jul 29 2004 Dan Walsh 0.77-53
+- Close fd[1] before pam_modutilread so that unix_verify will complete
+
+* Tue Jul 27 2004 Alan Cox 0.77-52
+- First chunk of Steve Grubb's resource leak and other fixes
+
+* Tue Jul 27 2004 Alan Cox 0.77-51
+- Fixed build testing of modules
+- Fixed dependancies
+
+* Tue Jul 20 2004 Dan Walsh 0.77-50
+- Change unix_chkpwd to return pam error codes
+
+* Sat Jul 10 2004 Alan Cox
+- Fixed the pam glib2 dependancy issue
+
+* Mon Jun 21 2004 Alan Cox
+- Fixed the pam_limits fencepost error (#79989) since nobody seems to
+ be doing it
+
+* Tue Jun 15 2004 Elliot Lee
+- rebuilt
+
+* Wed Jun 9 2004 Dan Walsh 0.77-45
+- Add requires libselinux > 1.8
+
+* Thu Jun 3 2004 Dan Walsh 0.77-44
+- Add MLS Support to selinux patch
+
+* Wed Jun 2 2004 Dan Walsh 0.77-43
+- Modify pam_selinux to use open and close param
+
+* Fri May 28 2004 Dan Walsh 0.77-42
+- Split pam module into two parts open and close
+
+* Tue May 18 2004 Phil Knirsch 0.77-41
+- Fixed 64bit segfault in pam_succeed_if module.
+
+* Wed Apr 14 2004 Dan Walsh 0.77-40
+- Apply changes from audit.
+
+* Mon Apr 12 2004 Dan Walsh 0.77-39
+- Change to only report failure on relabel if debug
+
+* Wed Mar 3 2004 Dan Walsh 0.77-38
+- Fix error handling of pam_unix
+
+* Tue Mar 02 2004 Elliot Lee
+- rebuilt
+
+* Thu Feb 26 2004 Dan Walsh 0.77-36
+- fix tty handling
+
+* Thu Feb 26 2004 Dan Walsh 0.77-35
+- remove tty closing and opening from pam_selinux, it does not work.
+
+* Fri Feb 13 2004 Elliot Lee
+- rebuilt
+
+* Thu Feb 12 2004 Nalin Dahyabhai
+- pam_unix: also log successful password changes when using shadowed passwords
+
+* Tue Feb 10 2004 Dan Walsh 0.77-33
+- close and reopen terminal after changing context.
+
+* Thu Feb 5 2004 Dan Walsh 0.77-32
+- Check for valid tty
+
+* Tue Feb 3 2004 Dan Walsh 0.77-31
+- Check for multiple > 1
+
+* Mon Feb 2 2004 Dan Walsh 0.77-30
+- fix is_selinux_enabled call for pam_rootok
+
+* Wed Jan 28 2004 Dan Walsh 0.77-29
+- More fixes to pam_selinux,pam_rootok
+
+* Wed Jan 28 2004 Dan Walsh 0.77-28
+- turn on selinux
+
+* Wed Jan 28 2004 Dan Walsh 0.77-27
+- Fix rootok check.
+
+* Mon Jan 26 2004 Dan Walsh 0.77-26
+- fix is_selinux_enabled call
+
+* Sun Jan 25 2004 Dan Walsh 0.77-25
+- Check if ROOTOK for SELinux
+
+* Thu Jan 15 2004 Dan Walsh 0.77-24
+- Fix tty handling for pts in pam_selinux
+
+* Thu Jan 15 2004 Dan Walsh 0.77-23
+- Need to add qualifier context for sudo situation
+
+* Thu Jan 15 2004 Dan Walsh 0.77-22
+- Fix pam_selinux to use prevcon instead of pam_user so it will work for su.
+
+* Fri Dec 12 2003 Bill Nottingham 0.77-21.sel
+- add alsa devs to console.perms
+
+* Thu Dec 11 2003 Jeff Johnson 0.77-20.sel
+- rebuild with db-4.2.52.
+- build db4 in build_unix, not dist.
+
+* Wed Nov 26 2003 Dan Walsh 0.77-19.sel
+- Change unix_chkpwd to handle unix_passwd and unix_acct
+- This eliminates the need for pam modules to have read/write access to /etc/shadow.
+
+* Thu Nov 20 2003 Dan Walsh 0.77-18.sel
+- Cleanup unix_chkpwd
+
+* Mon Nov 03 2003 Dan Walsh 0.77-17.sel
+- Fix tty handling
+- Add back multiple handling
+
+* Mon Oct 27 2003 Dan Walsh 0.77-16.sel
+- Remove Multiple from man page of pam_selinux
+
+* Thu Oct 23 2003 Nalin Dahyabhai 0.77-15
+- don't install _pam_aconf.h -- apps don't use it, other PAM headers which
+ are installed don't use it, and its contents may be different for arches
+ on a multilib system
+- check for linkage problems in modules at %%install-time (kill #107093 dead)
+- add buildprereq on flex (#101563)
+
+* Wed Oct 22 2003 Nalin Dahyabhai
+- make pam_pwdb.so link with libnsl again so that it loads (#107093)
+- remove now-bogus buildprereq on db4-devel (we use a bundled copy for
+ pam_userdb to avoid symbol collisions with other db libraries in apps)
+
+* Mon Oct 20 2003 Dan Walsh 0.77-14.sel
+- Add Russell Coker patch to handle /dev/pty
+
+* Fri Oct 17 2003 Dan Walsh 0.77-13.sel
+- Turn on Selinux
+
+* Fri Oct 17 2003 Dan Walsh 0.77-12
+- Fix pam_timestamp to work when 0 seconds have elapsed
+
+* Mon Oct 6 2003 Dan Walsh 0.77-11
+- Turn off selinux
+
+* Thu Sep 25 2003 Dan Walsh 0.77-10.sel
+- Turn on Selinux and remove multiple choice of context.
+
+* Wed Sep 24 2003 Dan Walsh 0.77-10
+- Turn off selinux
+
+* Wed Sep 24 2003 Dan Walsh 0.77-9.sel
+- Add Russell's patch to check password
+
+* Wed Sep 17 2003 Dan Walsh 0.77-8.sel
+- handle ttys correctly in pam_selinux
+
+* Fri Sep 05 2003 Dan Walsh 0.77-7.sel
+- Clean up memory problems and fix tty handling.
+
+* Mon Jul 28 2003 Dan Walsh 0.77-6
+- Add manual context selection to pam_selinux
+
+* Mon Jul 28 2003 Dan Walsh 0.77-5
+- Add pam_selinux
+
+* Mon Jul 28 2003 Dan Walsh 0.77-4
+- Add SELinux support
+
+* Thu Jul 24 2003 Nalin Dahyabhai 0.77-3
+- pam_postgresok: add
+- pam_xauth: add "targetuser" argument
+
+* Tue Jul 22 2003 Nalin Dahyabhai
+- pam_succeed_if: fix thinko in argument parsing which would walk past the
+ end of the argument list
+
+* Wed Jul 9 2003 Nalin Dahyabhai 0.77-2
+- reapply:
+ - set handler for SIGCHLD to SIG_DFL around *_chkpwd, not SIG_IGN
+
+* Mon Jul 7 2003 Nalin Dahyabhai 0.77-1
+- pam_timestamp: fail if the key file doesn't contain enough data
+
+* Thu Jul 3 2003 Nalin Dahyabhai 0.77-0
+- update to 0.77 upstream release
+ - pam_limits: limits now affect root as well
+ - pam_nologin: returns PAM_IGNORE instead of PAM_SUCCESS unless "successok"
+ is given as an argument
+ - pam_userdb: correctly return PAM_AUTH_ERR instead of PAM_USER_UNKNOWN when
+ invoked with the "key_only" argument and the database has an entry of the
+ form "user-"
+- use a bundled libdb for pam_userdb.so because the system copy uses threads,
+ and demand-loading a shared library which uses threads into an application
+ which doesn't is a Very Bad Idea
+
+* Thu Jul 3 2003 Nalin Dahyabhai
+- pam_timestamp: use a message authentication code to validate timestamp files
+
+* Mon Jun 30 2003 Nalin Dahyabhai 0.75-48.1
+- rebuild
+
+* Mon Jun 9 2003 Nalin Dahyabhai 0.75-49
+- modify calls to getlogin() to check the directory of the current TTY before
+ searching for an entry in the utmp/utmpx file (#98020, #98826, CAN-2003-0388)
+
+* Wed Jun 04 2003 Elliot Lee
+- rebuilt
+
+* Mon Feb 10 2003 Bill Nottingham 0.75-48
+- set handler for SIGCHLD to SIG_DFL around *_chkpwd, not SIG_IGN
+
+* Wed Jan 22 2003 Tim Powers 0.75-47
+- rebuilt
+
+* Tue Dec 17 2002 Nalin Dahyabhai 0.75-46
+- pam_xauth: reintroduce ACL support, per the original white paper
+- pam_xauth: default root's export ACL to none instead of everyone
+
+* Mon Dec 2 2002 Nalin Dahyabhai 0.75-45
+- create /lib/security, even if it isn't /%%{_lib}/security, because we
+ can't locate /lib/security/$ISA without it (noted by Arnd Bergmann)
+- clear out the duplicate docs directory created during %%install
+
+* Thu Nov 21 2002 Nalin Dahyabhai 0.75-44
+- fix syntax errors in pam_console's yacc parser which newer bison chokes on
+- forcibly set FAKEROOT at make install time
+
+* Tue Oct 22 2002 Nalin Dahyabhai 0.75-43
+- patch to interpret $ISA in case the fist module load attempt fails
+- use $ISA in default configs
+
+* Fri Oct 04 2002 Elliot Lee 0.75-42
+- Since cracklib-dicts location will not be correctly detected without
+ that package being installed, add buildreq for cracklib-dicts.
+- Add patch57: makes configure use $LIBNAME when searching for cracklib
+ dicts, and error out if not found.
+
+* Thu Sep 12 2002 Than Ngo 0.75-41.1
+- Fixed pam config files
+
+* Wed Sep 11 2002 Than Ngo 0.75-41
+- Added fix to install libs in correct directory on 64bit machine
+
+* Fri Aug 2 2002 Nalin Dahyabhai 0.75-40
+- pam_timestamp_check: check that stdio descriptors are open before we're
+ invoked
+- add missing chroot.conf
+
+* Mon Jul 29 2002 Nalin Dahyabhai 0.75-39
+- pam_timestamp: sundry fixes, use "unknown" as the tty when none is found
+
+* Thu Jun 27 2002 Nalin Dahyabhai 0.75-38
+- pam_timestamp_check: be as smart about figuring out the tty as the module is
+
+* Wed Jun 19 2002 Nalin Dahyabhai 0.75-37
+- pam_timestamp_check: remove extra unlink() call spotted by Havoc
+
+* Mon Jun 17 2002 Nalin Dahyabhai 0.75-36
+- pam_timestamp: chown intermediate directories when creating them
+- pam_timestamp_check: add -d flag to poll
+
+* Thu May 23 2002 Nalin Dahyabhai 0.75-35
+- pam_timestamp: add some sanity checks
+- pam_timestamp_check: add
+
+* Wed May 22 2002 Nalin Dahyabhai 0.75-34
+- pam_timestamp: add a 'verbose' option
+
+* Thu May 16 2002 Nalin Dahyabhai 0.75-33
+- rebuild with db4
+- just bundle install-sh into the source package
+
+* Tue Apr 9 2002 Nalin Dahyabhai 0.75-32
+- pam_unix: be more compatible with AIX-style shadowing (#19236)
+
+* Thu Mar 28 2002 Nalin Dahyabhai 0.75-31
+- libpam_misc: fix possible infinite loop in misc_conv (#62195)
+- pam_xauth: fix cases where DISPLAY is "localhost:screen" and the xauth
+ key is actually stored using the system's hostname (#61524)
+
+* Mon Mar 25 2002 Nalin Dahyabhai 0.75-30
+- rebuild
+
+* Mon Mar 25 2002 Nalin Dahyabhai 0.75-29
+- rebuild
+
+* Mon Mar 11 2002 Nalin Dahyabhai 0.75-28
+- include the pwdb config file
+
+* Fri Mar 1 2002 Nalin Dahyabhai 0.75-27
+- adjust the pwdb-static patch to build pam_radius correctly (#59408)
+
+* Fri Mar 1 2002 Nalin Dahyabhai 0.75-26
+- change the db4-devel build dependency to db3-devel
+
+* Thu Feb 21 2002 Nalin Dahyabhai 0.75-25
+- rebuild
+
+* Fri Feb 8 2002 Nalin Dahyabhai 0.75-24
+- pam_unix: log successful password changes
+- remove pam_timestamp
+
+* Thu Feb 7 2002 Nalin Dahyabhai 0.75-23
+- fix pwdb embedding
+- add pam_timestamp
+
+* Thu Jan 31 2002 Nalin Dahyabhai 0.75-22
+- swallow up pwdb 0.61.1 for building pam_pwdb
+
+* Wed Jan 23 2002 Nalin Dahyabhai 0.75-21
+- pam_userdb: build with db4 instead of db3
+
+* Thu Nov 22 2001 Nalin Dahyabhai 0.75-20
+- pam_stack: fix some memory leaks (reported by Fernando Trias)
+- pam_chroot: integrate Owl patch to report the more common causes of failures
+
+* Fri Nov 9 2001 Nalin Dahyabhai 0.75-19
+- fix a bug in the getpwnam_r wrapper which sometimes resulted in false
+ positives for non-existent users
+
+* Wed Nov 7 2001 Nalin Dahyabhai 0.75-18
+- include libpamc in the pam package (#55651)
+
+* Fri Nov 2 2001 Nalin Dahyabhai 0.75-17
+- pam_xauth: don't free a string after passing it to putenv()
+
+* Wed Oct 24 2001 Nalin Dahyabhai 0.75-16
+- pam_xauth: always return PAM_SUCCESS or PAM_SESSION_ERR instead of PAM_IGNORE,
+ matching the previous behavior (libpam treats PAM_IGNORE from a single module
+ in a stack as a session error, leading to false error messages if we just
+ return PAM_IGNORE for all cases)
+
+* Mon Oct 22 2001 Nalin Dahyabhai 0.75-15
+- reorder patches so that the reentrancy patch is applied last -- we never
+ came to a consensus on how to guard against the bugs in calling applications
+ which this sort of change addresses, and having them last allows for dropping
+ in a better strategy for addressing this later on
+
+* Mon Oct 15 2001 Nalin Dahyabhai
+- pam_rhosts: allow "+hostname" as a synonym for "hostname" to jive better
+ with the hosts.equiv(5) man page
+- use the automake install-sh instead of the autoconf install-sh, which
+ disappeared somewhere between 2.50 and now
+
+* Mon Oct 8 2001 Nalin Dahyabhai
+- add pwdb as a buildprereq
+
+* Fri Oct 5 2001 Nalin Dahyabhai
+- pam_tally: don't try to read past the end of faillog -- it probably contains
+ garbage, which if written into the file later on will confuse /usr/bin/faillog
+
+* Thu Oct 4 2001 Nalin Dahyabhai
+- pam_limits: don't just return if the user is root -- we'll want to set the
+ priority (it could be negative to elevate root's sessions)
+- pam_issue: fix off-by-one error allocating space for the prompt string
+
+* Wed Oct 3 2001 Nalin Dahyabhai
+- pam_mkhomedir: recurse into subdirectories properly
+- pam_mkhomedir: handle symlinks
+- pam_mkhomedir: skip over special items in the skeleton directory
+
+* Tue Oct 2 2001 Nalin Dahyabhai
+- add cracklib as a buildprereq
+- pam_wheel: don't ignore out if the user is attempting to switch to a
+ unprivileged user (this lets pam_wheel do its thing when users attempt
+ to get to system accounts or accounts of other unprivileged users)
+
+* Fri Sep 28 2001 Nalin Dahyabhai
+- pam_xauth: close a possible DoS due to use of dotlock-style locking in
+ world-writable directories by relocating the temporary file to the target
+ user's home directory
+- general: include headers local to this tree using relative paths so that
+ system headers for PAM won't be pulled in, in case include paths don't
+ take care of it
+
+* Thu Sep 27 2001 Nalin Dahyabhai
+- pam_xauth: rewrite to skip refcounting and just use a temporary file
+ created using mkstemp() in /tmp
+
+* Tue Sep 25 2001 Nalin Dahyabhai
+- pam_userdb: fix the key_only flag so that the null-terminator of the
+ user-password string isn't expected to be part of the key in the db file,
+ matching the behavior of db_load 3.2.9
+
+* Mon Sep 24 2001 Nalin Dahyabhai
+- pam_unix: use crypt() instead of bigcrypt() when salted field is less than
+ the critical size which lets us know it was generated with bigcrypt()
+- use a wrapper to handle ERANGE errors when calling get....._r functions:
+ defining PAM_GETPWNAM_R and such (for getpwnam, getpwuid, getgrnam,
+ getgrgid, and getspnam) before including _pam_macros.h will cause them
+ to be implemented as static functions, similar to how defining PAM_SM_xxx
+ is used to control whether or not PAM declares prototypes for certain
+ functions
+
+* Mon Sep 24 2001 Nalin Dahyabhai 0.75-14
+- pam_unix: argh, compare entire pruned salt string with crypted result, always
+
+* Sat Sep 8 2001 Bill Nottingham 0.75-13
+- ship /lib/lib{pam,pam_misc}.so for legacy package builds
+
+* Thu Sep 6 2001 Nalin Dahyabhai 0.75-12
+- noreplace configuration files in /etc/security
+- pam_console: update pam_console_apply and man pages to reflect
+ /var/lock -> /var/run move
+
+* Wed Sep 5 2001 Nalin Dahyabhai 0.75-11
+- pam_unix: fix the fix for #42394
+
+* Tue Sep 4 2001 Nalin Dahyabhai
+- modules: use getpwnam_r and friends instead of non-reentrant versions
+- pam_console: clear generated .c and .h files in "clean" makefile target
+
+* Thu Aug 30 2001 Nalin Dahyabhai
+- pam_stack: perform deep copy of conversation structures
+- include the static libpam in the -devel subpackage (#52321)
+- move development .so and .a files to %%{_libdir}
+- pam_unix: don't barf on empty passwords (#51846)
+- pam_unix: redo compatibility with "hash,age" data wrt bigcrypt (#42394)
+- console.perms: add usb camera, scanner, and rio devices (#15528)
+- pam_cracklib: initialize all options properly (#49613)
+
+* Wed Aug 22 2001 Nalin Dahyabhai
+- pam_limits: don't rule out negative priorities
+
+* Mon Aug 13 2001 Nalin Dahyabhai 0.75-10
+- pam_xauth: fix errors due to uninitialized data structure (fix from Tse Huong
+ Choo)
+- pam_xauth: random cleanups
+- pam_console: use /var/run/console instead of /var/lock/console at install-time
+- pam_unix: fix preserving of permissions on files which are manipulated
+
+* Fri Aug 10 2001 Bill Nottingham
+- fix segfault in pam_securetty
+
+* Thu Aug 9 2001 Nalin Dahyabhai
+- pam_console: use /var/run/console instead of /var/lock/console for lock files
+- pam_issue: read the right number of bytes from the file
+
+* Mon Jul 9 2001 Nalin Dahyabhai
+- pam_wheel: don't error out if the group has no members, but is the user's
+ primary GID (reported by David Vos)
+- pam_unix: preserve permissions on files which are manipulated (#43706)
+- pam_securetty: check if the user is the superuser before checking the tty,
+ thereby allowing regular users access to services which don't set the
+ PAM_TTY item (#39247)
+- pam_access: define NIS and link with libnsl (#36864)
+
+* Thu Jul 5 2001 Nalin Dahyabhai
+- link libpam_misc against libpam
+
+* Tue Jul 3 2001 Nalin Dahyabhai
+- pam_chroot: chdir() before chroot()
+
+* Fri Jun 29 2001 Nalin Dahyabhai
+- pam_console: fix logic bug when changing permissions on single
+ file and/or lists of files
+- pam_console: return the proper error code (reported and patches
+ for both from Frederic Crozat)
+- change deprecated Copyright: tag in .spec file to License:
+
+* Mon Jun 25 2001 Nalin Dahyabhai
+- console.perms: change js* to js[0-9]*
+- include pam_aconf.h in more modules (patches from Harald Welte)
+
+* Thu May 24 2001 Nalin Dahyabhai
+- console.perms: add apm_bios to the list of devices the console owner can use
+- console.perms: add beep to the list of sound devices
+
+* Mon May 7 2001 Nalin Dahyabhai
+- link pam_console_apply statically with libglib (#38891)
+
+* Mon Apr 30 2001 Nalin Dahyabhai
+- pam_access: compare IP addresses with the terminating ".", as documented
+ (patch from Carlo Marcelo Arenas Belon, I think) (#16505)
+
+* Mon Apr 23 2001 Nalin Dahyabhai
+- merge up to 0.75
+- pam_unix: temporarily ignore SIGCHLD while running the helper
+- pam_pwdb: temporarily ignore SIGCHLD while running the helper
+- pam_dispatch: default to uncached behavior if the cached chain is empty
+
+* Fri Apr 6 2001 Nalin Dahyabhai
+- correct speling errors in various debug messages and doc files (#33494)
+
+* Thu Apr 5 2001 Nalin Dahyabhai
+- prereq sed, fileutils (used in %%post)
+
+* Wed Apr 4 2001 Nalin Dahyabhai
+- remove /dev/dri from console.perms -- XFree86 munges it, so it's outside of
+ our control (reminder from Daryll Strauss)
+- add /dev/3dfx to console.perms
+
+* Fri Mar 23 2001 Nalin Dahyabhai
+- pam_wheel: make 'trust' and 'deny' work together correctly
+- pam_wheel: also check the user's primary gid
+- pam_group: also initialize groups when called with PAM_REINITIALIZE_CRED
+
+* Tue Mar 20 2001 Nalin Dahyabhai
+- mention pam_console_apply in the see also section of the pam_console man pages
+
+* Fri Mar 16 2001 Nalin Dahyabhai
+- console.perms: /dev/vc/* should be a regexp, not a glob (thanks to
+ Charles Lopes)
+
+* Mon Mar 12 2001 Nalin Dahyabhai
+- console.perms: /dev/cdroms/* should belong to the user, from Douglas
+ Gilbert via Tim Waugh
+
+* Thu Mar 8 2001 Nalin Dahyabhai
+- pam_console_apply: muck with devices even if the mount point doesn't exist
+
+* Wed Mar 7 2001 Nalin Dahyabhai
+- pam_console: error out on undefined classes in pam_console config file
+- console.perms: actually change the permissions on the new device classes
+- pam_console: add an fstab= argument, and -f and -c flags to pam_console_apply
+- pam_console: use g_log instead of g_critical when bailing out
+- console.perms: logins on /dev/vc/* are also console logins, from Douglas
+ Gilbert via Tim Waugh
+
+* Tue Mar 6 2001 Nalin Dahyabhai
+- add pam_console_apply
+- /dev/pilot's usually a serial port (or a USB serial port), so revert its
+ group to 'uucp' instead of 'tty' in console.perms
+- change pam_console's behavior wrt directories -- directories which are
+ mount points according to /etc/fstab are taken to be synonymous with
+ their device special nodes, and directories which are not mount points
+ are ignored
+
+* Tue Feb 27 2001 Nalin Dahyabhai
+- handle errors fork()ing in pam_xauth
+- make the "other" config noreplace
+
+* Mon Feb 26 2001 Nalin Dahyabhai
+- user should own the /dev/video directory, not the non-existent /dev/v4l
+- tweak pam_limits doc
+
+* Wed Feb 21 2001 Nalin Dahyabhai
+- own /etc/security
+- be more descriptive when logging messages from pam_limits
+- pam_listfile: remove some debugging code (#28346)
+
+* Mon Feb 19 2001 Nalin Dahyabhai
+- pam_lastlog: don't pass NULL to logwtmp()
+
+* Fri Feb 16 2001 Nalin Dahyabhai
+- pam_listfile: fix argument parser (#27773)
+- pam_lastlog: link to libutil
+
+* Tue Feb 13 2001 Nalin Dahyabhai
+- pam_limits: change the documented default config file to reflect the defaults
+- pam_limits: you should be able to log in a total of maxlogins times, not
+ (maxlogins - 1)
+- handle group limits on maxlogins correctly (#25690)
+
+* Mon Feb 12 2001 Nalin Dahyabhai
+- change the pam_xauth default maximum "system user" ID from 499 to 99 (#26343)
+
+* Wed Feb 7 2001 Nalin Dahyabhai
+- refresh the default system-auth file, pam_access is out
+
+* Mon Feb 5 2001 Nalin Dahyabhai
+- actually time out when attempting to lckpwdf() (#25889)
+- include time.h in pam_issue (#25923)
+- update the default system-auth to the one generated by authconfig 4.1.1
+- handle getpw??? and getgr??? failures more gracefully (#26115)
+- get rid of some extraneous {set,end}{pw,gr}ent() calls
+
+* Tue Jan 30 2001 Nalin Dahyabhai
+- overhaul pam_stack to account for abstraction libpam now provides
+
+* Tue Jan 23 2001 Nalin Dahyabhai
+- remove pam_radius at request of author
+
+* Mon Jan 22 2001 Nalin Dahyabhai
+- merge to 0.74
+- make console.perms match perms set by MAKEDEV, and add some devfs device names
+- add 'sed' to the buildprereq list (#24666)
+
+* Sun Jan 21 2001 Matt Wilson
+- added "exit 0" to the end of the pre script
+
+* Fri Jan 19 2001 Nalin Dahyabhai
+- self-hosting fix from Guy Streeter
+
+* Wed Jan 17 2001 Nalin Dahyabhai
+- use gcc for LD_L to pull in intrinsic stuff on ia64
+
+* Fri Jan 12 2001 Nalin Dahyabhai
+- take another whack at compatibility with "hash,age" data in pam_unix (#21603)
+
+* Wed Jan 10 2001 Nalin Dahyabhai
+- make the -devel subpackage unconditional
+
+* Tue Jan 9 2001 Nalin Dahyabhai
+- merge/update to 0.73
+
+* Mon Dec 18 2000 Nalin Dahyabhai
+- refresh from CVS -- some weird stuff crept into pam_unix
+
+* Tue Dec 12 2000 Nalin Dahyabhai
+- fix handling of "nis" when changing passwords by adding the checks for the
+ data source to the password-updating module in pam_unix
+- add the original copyright for pam_access (fix from Michael Gerdts)
+
+* Thu Nov 30 2000 Nalin Dahyabhai
+- redo similar() using a distance algorithm and drop the default dif_ok to 5
+- readd -devel
+
+* Wed Nov 29 2000 Nalin Dahyabhai
+- fix similar() function in pam_cracklib (#14740)
+- fix example in access.conf (#21467)
+- add conditional compilation for building for 6.2 (for pam_userdb)
+- tweak post to not use USESHADOW any more
+
+* Tue Nov 28 2000 Nalin Dahyabhai
+- make EINVAL setting lock limits in pam_limits non-fatal, because it's a 2.4ism
+
+* Tue Nov 21 2000 Nalin Dahyabhai
+- revert to DB 3.1, which is what we were supposed to be using from the get-go
+
+* Mon Nov 20 2000 Nalin Dahyabhai
+- add RLIMIT_LOCKS to pam_limits (patch from Jes Sorensen) (#20542)
+- link pam_userdb to Berkeley DB 2.x to match 6.2's setup correctly
+
+* Mon Nov 6 2000 Matt Wilson
+- remove prereq on sh-utils, test ([) is built in to bash
+
+* Thu Oct 19 2000 Nalin Dahyabhai
+- fix the pam_userdb module breaking
+
+* Wed Oct 18 2000 Nalin Dahyabhai
+- fix pam_unix likeauth argument for authenticate(),setcred(),setcred()
+
+* Tue Oct 17 2000 Nalin Dahyabhai
+- tweak pre script to be called in all upgrade cases
+- get pam_unix to only care about the significant pieces of passwords it checks
+- add /usr/include/db1/db.h as a build prereq to pull in the right include
+ files, no matter whether they're in glibc-devel or db1-devel
+- pam_userdb.c: include db1/db.h instead of db.h
+
+* Wed Oct 11 2000 Nalin Dahyabhai
+- add BuildPrereq for bison (suggested by Bryan Stillwell)
+
+* Fri Oct 6 2000 Nalin Dahyabhai
+- patch from Dmitry V. Levin to have pam_stack propagate the PAM fail_delay
+- roll back the README for pam_xauth to actually be the right one
+- tweak pam_stack to use the parent's service name when calling the substack
+
+* Wed Oct 4 2000 Nalin Dahyabhai
+- create /etc/sysconfig/authconfig at install-time if upgrading
+
+* Mon Oct 2 2000 Nalin Dahyabhai
+- modify the files list to make sure #16456 stays fixed
+- make pam_stack track PAM_AUTHTOK and PAM_OLDAUTHTOK items
+- add pam_chroot module
+- self-hosting fixes from the -devel split
+- update generated docs in the tree
+
+* Tue Sep 12 2000 Nalin Dahyabhai
+- split off a -devel subpackage
+- install the developer man pages
+
+* Sun Sep 10 2000 Bill Nottingham
+- build libraries before modules
+
+* Wed Sep 6 2000 Nalin Dahyabhai
+- fix problems when looking for headers in /usr/include (#17236)
+- clean up a couple of compile warnings
+
+* Tue Aug 22 2000 Nalin Dahyabhai
+- give users /dev/cdrom* instead of /dev/cdrom in console.perms (#16768)
+- add nvidia control files to console.perms
+
+* Tue Aug 22 2000 Bill Nottingham
+- add DRI devices to console.perms (#16731)
+
+
+* Thu Aug 17 2000 Nalin Dahyabhai
+- move pam_filter modules to /lib/security/pam_filter (#16111)
+- add pam_tally's application to allow counts to be reset (#16456)
+- move README files to the txts subdirectory
+
+* Mon Aug 14 2000 Nalin Dahyabhai
+- add a postun that runs ldconfig
+- clean up logging in pam_xauth
+
+* Fri Aug 4 2000 Nalin Dahyabhai
+- make the tarball include the release number in its name
+
+* Mon Jul 31 2000 Nalin Dahyabhai
+- add a broken_shadow option to pam_unix
+- add all module README files to the documentation list (#16456)
+
+* Tue Jul 25 2000 Nalin Dahyabhai
+- fix pam_stack debug and losing-track-of-the-result bug
+
+* Mon Jul 24 2000 Nalin Dahyabhai
+- rework pam_console's usage of syslog to actually be sane (#14646)
+
+* Sat Jul 22 2000 Nalin Dahyabhai
+- take the LOG_ERR flag off of some of pam_console's new messages
+
+* Fri Jul 21 2000 Nalin Dahyabhai
+- add pam_localuser
+
+* Wed Jul 12 2000 Nalin Dahyabhai
+- need to make pam_console's checking a little stronger
+- only pass data up from pam_stack if the parent didn't already define it
+
+* Wed Jul 12 2000 Prospector
+- automatic rebuild
+
+* Tue Jul 11 2000 Nalin Dahyabhai
+- make pam_console's extra checks disableable
+- simplify extra check to just check if the device owner is root
+- add a debug log when pam_stack comes across a NULL item
+- have pam_stack hand items up to the parent from the child
+
+* Mon Jul 3 2000 Nalin Dahyabhai
+- fix installation of pam_xauth man pages (#12417)
+- forcibly strip helpers (#12430)
+- try to make pam_console a little more discriminating
+
+* Mon Jun 19 2000 Nalin Dahyabhai
+- symlink libpam.so to libpam.so.%%{version}, and likewise for libpam_misc
+- reverse order of checks in _unix_getpwnam for pam_unix
+
+* Wed Jun 14 2000 Preston Brown
+- include gpmctl in pam_console
+
+* Mon Jun 05 2000 Nalin Dahyabhai
+- add MANDIR definition and use it when installing man pages
+
+* Mon Jun 05 2000 Preston Brown
+- handle scanner and cdwriter devices in pam_console
+
+* Sat Jun 3 2000 Nalin Dahyabhai
+- add account management wrappers for pam_listfile, pam_nologin, pam_securetty,
+ pam_shells, and pam_wheel
+
+* Thu Jun 1 2000 Nalin Dahyabhai
+- add system-auth control file
+- let gethostname() call in pam_access.c be implicitly declared to avoid
+ conflicting types if unistd.c declares it
+
+* Mon May 15 2000 Nalin Dahyabhai
+- fix problems compiling on Red Hat Linux 5.x (bug #11005)
+
+* Wed Apr 26 2000 Bill Nottingham
+- fix size assumptions in pam_(pwdb|unix) md5 code
+
+* Mon Mar 20 2000 Nalin Dahyabhai
+- Add new pam_stack module.
+- Install pwdb_chkpwd and unix_chkpwd as the current user for non-root builds
+
+* Sat Feb 05 2000 Nalin Dahyabhai
+- Fix pam_xauth bug #6191.
+
+* Thu Feb 03 2000 Elliot Lee
+- Add a patch to accept 'pts/N' in /etc/securetty as a match for tty '5'
+ (which is what other pieces of the system think it is). Fixes bug #7641.
+
+* Mon Jan 31 2000 Nalin Dahyabhai
+- argh, turn off gratuitous debugging
+
+* Wed Jan 19 2000 Nalin Dahyabhai
+- update to 0.72
+- fix pam_unix password-changing bug
+- fix pam_unix's cracklib support
+- change package URL
+
+* Mon Jan 03 2000 Cristian Gafton
+- don't allow '/' on service_name
+
+* Thu Oct 21 1999 Cristian Gafton
+- enhance the pam_userdb module some more
+
+* Fri Sep 24 1999 Cristian Gafton
+- add documenatation
+
+* Tue Sep 21 1999 Michael K. Johnson
+- a tiny change to pam_console to make it not loose track of console users
+
+* Mon Sep 20 1999 Michael K. Johnson
+- a few fixes to pam_xauth to make it more robust
+
+* Wed Jul 14 1999 Michael K. Johnson
+- pam_console: added to manage /dev/console
+
+* Thu Jul 01 1999 Michael K. Johnson
+- pam_xauth: New refcounting implementation based on idea from Stephen Tweedie
+
+* Sat Apr 17 1999 Michael K. Johnson
+- added video4linux devices to /etc/security/console.perms
+
+* Fri Apr 16 1999 Michael K. Johnson
+- added joystick lines to /etc/security/console.perms
+
+* Thu Apr 15 1999 Michael K. Johnson
+- fixed a couple segfaults in pam_xauth uncovered by yesterday's fix...
+
+* Wed Apr 14 1999 Cristian Gafton
+- use gcc -shared to link the shared libs
+
+* Wed Apr 14 1999 Michael K. Johnson
+- many bug fixes in pam_xauth
+- pam_console can now handle broken applications that do not set
+ the PAM_TTY item.
+
+* Tue Apr 13 1999 Michael K. Johnson
+- fixed glob/regexp confusion in pam_console, added kbd and fixed fb devices
+- added pam_xauth module
+
+* Sat Apr 10 1999 Cristian Gafton
+- pam_lastlog does wtmp handling now
+
+* Thu Apr 08 1999 Michael K. Johnson
+- added option parsing to pam_console
+- added framebuffer devices to default console.perms settings
+
+* Wed Apr 07 1999 Cristian Gafton
+- fixed empty passwd handling in pam_pwdb
+
+* Mon Mar 29 1999 Michael K. Johnson
+- changed /dev/cdrom default user permissions back to 0600 in console.perms
+ because some cdrom players open O_RDWR.
+
+* Fri Mar 26 1999 Michael K. Johnson
+- added /dev/jaz and /dev/zip to console.perms
+
+* Thu Mar 25 1999 Michael K. Johnson
+- changed the default user permissions for /dev/cdrom to 0400 in console.perms
+
+* Fri Mar 19 1999 Michael K. Johnson
+- fixed a few bugs in pam_console
+
+* Thu Mar 18 1999 Michael K. Johnson
+- pam_console authentication working
+- added /etc/security/console.apps directory
+
+* Mon Mar 15 1999 Michael K. Johnson
+- added pam_console files to filelist
+
+* Fri Feb 12 1999 Cristian Gafton
+- upgraded to 0.66, some source cleanups
+
+* Mon Dec 28 1998 Cristian Gafton
+- add patch from Savochkin Andrey Vladimirovich for umask
+ security risk
+
+* Fri Dec 18 1998 Cristian Gafton
+- upgrade to ver 0.65
+- build the package out of internal CVS server