diff --git a/pam-1.0.91-std-noclose.patch b/pam-1.0.91-std-noclose.patch
deleted file mode 100644
index 7359484..0000000
--- a/pam-1.0.91-std-noclose.patch
+++ /dev/null
@@ -1,98 +0,0 @@ -diff -up Linux-PAM-1.0.91/modules/pam_mkhomedir/pam_mkhomedir.c.std-noclose Linux-PAM-1.0.91/modules/pam_mkhomedir/pam_mkhomedir.c ---- Linux-PAM-1.0.91/modules/pam_mkhomedir/pam_mkhomedir.c.std-noclose 2009-03-03 14:56:01.000000000 +0100 -+++ Linux-PAM-1.0.91/modules/pam_mkhomedir/pam_mkhomedir.c 2009-03-26 10:02:15.000000000 +0100 -@@ -131,13 +131,21 @@ create_homedir (pam_handle_t *pamh, int - if (child == 0) { - int i; - struct rlimit rlim; -+ int dummyfds[2]; - static char *envp[] = { NULL }; - char *args[] = { NULL, NULL, NULL, NULL, NULL }; - -+ /* replace std file descriptors with a dummy pipe */ -+ if (pipe(dummyfds) == 0) { -+ dup2(dummyfds[0], STDIN_FILENO); -+ dup2(dummyfds[1], STDOUT_FILENO); -+ dup2(dummyfds[1], STDERR_FILENO); -+ } -+ - if (getrlimit(RLIMIT_NOFILE, &rlim)==0) { - if (rlim.rlim_max >= MAX_FD_NO) - rlim.rlim_max = MAX_FD_NO; -- for (i=0; i < (int)rlim.rlim_max; i++) { -+ for (i = STDERR_FILENO + 1; i < (int)rlim.rlim_max; i++) { - close(i); - } - } -diff -up Linux-PAM-1.0.91/modules/pam_unix/support.c.std-noclose Linux-PAM-1.0.91/modules/pam_unix/support.c ---- Linux-PAM-1.0.91/modules/pam_unix/support.c.std-noclose 2009-03-03 14:56:01.000000000 +0100 -+++ Linux-PAM-1.0.91/modules/pam_unix/support.c 2009-03-26 10:08:59.000000000 +0100 -@@ -443,13 +443,16 @@ static int _unix_run_helper_binary(pam_h - - /* reopen stdin as pipe */ - dup2(fds[0], STDIN_FILENO); -+ /* and replace also the stdout/err as the helper will -+ not write anything there */ -+ dup2(fds[1], STDOUT_FILENO); -+ dup2(fds[1], STDERR_FILENO); - - if (getrlimit(RLIMIT_NOFILE,&rlim)==0) { - if (rlim.rlim_max >= MAX_FD_NO) - rlim.rlim_max = MAX_FD_NO; -- for (i=0; i < (int)rlim.rlim_max; i++) { -- if (i != STDIN_FILENO) -- close(i); -+ for (i = STDERR_FILENO + 1; i < (int)rlim.rlim_max; i++) { -+ close(i); - } - } - -diff -up Linux-PAM-1.0.91/modules/pam_unix/pam_unix_passwd.c.std-noclose Linux-PAM-1.0.91/modules/pam_unix/pam_unix_passwd.c ---- 
Linux-PAM-1.0.91/modules/pam_unix/pam_unix_passwd.c.std-noclose 2009-03-03 14:56:01.000000000 +0100 -+++ Linux-PAM-1.0.91/modules/pam_unix/pam_unix_passwd.c 2009-03-26 10:07:06.000000000 +0100 -@@ -175,13 +175,16 @@ static int _unix_run_update_binary(pam_h - - /* reopen stdin as pipe */ - dup2(fds[0], STDIN_FILENO); -+ /* and replace also the stdout/err as the helper will -+ not write anything there */ -+ dup2(fds[1], STDOUT_FILENO); -+ dup2(fds[1], STDERR_FILENO); - - if (getrlimit(RLIMIT_NOFILE,&rlim)==0) { - if (rlim.rlim_max >= MAX_FD_NO) - rlim.rlim_max = MAX_FD_NO; -- for (i=0; i < (int)rlim.rlim_max; i++) { -- if (i != STDIN_FILENO) -- close(i); -+ for (i = STDERR_FILENO + 1; i < (int)rlim.rlim_max; i++) { -+ close(i); - } - } - -diff -up Linux-PAM-1.0.91/modules/pam_unix/pam_unix_acct.c.std-noclose Linux-PAM-1.0.91/modules/pam_unix/pam_unix_acct.c ---- Linux-PAM-1.0.91/modules/pam_unix/pam_unix_acct.c.std-noclose 2009-03-03 14:56:01.000000000 +0100 -+++ Linux-PAM-1.0.91/modules/pam_unix/pam_unix_acct.c 2009-03-26 10:05:41.000000000 +0100 -@@ -100,16 +100,18 @@ int _unix_run_verify_binary(pam_handle_t - - /* reopen stdout as pipe */ - dup2(fds[1], STDOUT_FILENO); -+ /* and replace also the stdin, stderr so we do not exec the helper with -+ tty as stdin, it will not read anything from there anyway */ -+ dup2(fds[0], STDIN_FILENO); -+ dup2(fds[1], STDERR_FILENO); - - /* XXX - should really tidy up PAM here too */ - - if (getrlimit(RLIMIT_NOFILE,&rlim)==0) { - if (rlim.rlim_max >= MAX_FD_NO) - rlim.rlim_max = MAX_FD_NO; -- for (i=0; i < (int)rlim.rlim_max; i++) { -- if (i != STDOUT_FILENO) { -- close(i); -- } -+ for (i = STDERR_FILENO + 1; i < (int)rlim.rlim_max; i++) { -+ close(i); - } - } - diff --git a/pam-1.1.2-noflex.patch b/pam-1.1.2-noflex.patch deleted file mode 100644 index fc96555..0000000 --- a/pam-1.1.2-noflex.patch +++ /dev/null 
@@ -1,27 +0,0 @@ -diff -up Linux-PAM-1.1.2/doc/Makefile.am.noflex Linux-PAM-1.1.2/doc/Makefile.am ---- Linux-PAM-1.1.2/doc/Makefile.am.noflex 2008-02-04 16:05:51.000000000 +0100 -+++ Linux-PAM-1.1.2/doc/Makefile.am 2010-09-20 10:40:59.000000000 +0200 -@@ -2,7 +2,7 @@ - # Copyright (c) 2005, 2006 Thorsten Kukuk - # - --SUBDIRS = man specs sag adg mwg -+SUBDIRS = man sag adg mwg - - CLEANFILES = *~ - -diff -up Linux-PAM-1.1.2/Makefile.am.noflex Linux-PAM-1.1.2/Makefile.am ---- Linux-PAM-1.1.2/Makefile.am.noflex 2010-07-08 14:04:19.000000000 +0200 -+++ Linux-PAM-1.1.2/Makefile.am 2010-09-20 10:04:56.000000000 +0200 -@@ -5,9 +5,9 @@ - AUTOMAKE_OPTIONS = 1.9 gnu dist-bzip2 check-news - - if STATIC_MODULES --SUBDIRS = modules libpam libpamc libpam_misc tests po conf doc examples xtests -+SUBDIRS = modules libpam libpamc libpam_misc tests po doc examples xtests - else --SUBDIRS = libpam tests libpamc libpam_misc modules po conf doc examples xtests -+SUBDIRS = libpam tests libpamc libpam_misc modules po doc examples xtests - endif - - CLEANFILES = *~ diff --git a/pam-1.1.5-cracklib-gecoscheck.patch b/pam-1.1.5-cracklib-gecoscheck.patch deleted file mode 100644 index be55f3a..0000000 --- a/pam-1.1.5-cracklib-gecoscheck.patch +++ /dev/null 
@@ -1,373 +0,0 @@ -From 422c19520fb814cfd8edd84d7989f4c52acbfa03 Mon Sep 17 00:00:00 2001 -From: Tomas Mraz -Date: Mon, 30 Apr 2012 15:03:32 +0200 -Subject: [PATCH] pam_cracklib: Add maxclassrepeat, gecoscheck checks and - remove unused difignore. - -modules/pam_cracklib/pam_cracklib.c (_pam_parse): Recognize the maxclassrepeat, gecoscheck options. Ignore difignore option. -(simple): Add the check for the same class repetition. -(usercheck): Refactor into wordcheck(). -(gecoscheck): New test for words from the GECOS field. -(password_check): Call the gecoscheck(). -(pam_sm_chauthtok): Drop the diff_ignore from options struct. -modules/pam_cracklib/pam_cracklib.8.xml: Document the maxclassrepeat and gecoscheck checks, update the documentation of the difok test. ---- - modules/pam_cracklib/pam_cracklib.8.xml | 66 +++++++++------- - modules/pam_cracklib/pam_cracklib.c | 129 +++++++++++++++++++++++++------ - 2 files changed, 142 insertions(+), 53 deletions(-) - -diff --git a/modules/pam_cracklib/pam_cracklib.8.xml b/modules/pam_cracklib/pam_cracklib.8.xml -index 29e00c0..5022c75 100644 ---- a/modules/pam_cracklib/pam_cracklib.8.xml -+++ b/modules/pam_cracklib/pam_cracklib.8.xml -@@ -77,17 +77,10 @@ - - Is the new password too much like the old one? - This is primarily controlled by one argument, -- which is a number of characters -- that if different between the old and new are enough to accept -- the new password, this defaults to 10 or 1/2 the size of the -- new password whichever is smaller. -- -- -- To avoid the lockup associated with trying to change a long and -- complicated password, is available. -- This argument can be used to specify the minimum length a new -- password needs to be before the value is -- ignored. The default value for is 23. -+ which is a number of character changes -+ (inserts, removals, or replacements) between the old and new -+ password that are enough to accept the new password. -+ This defaults to 5 changes. 
- - - -@@ -96,7 +89,8 @@ - - - Is the new password too small? -- This is controlled by 5 arguments , -+ This is controlled by 6 arguments , -+ , - , , - , and . See the section - on the arguments for the details of how these work and there defaults. -@@ -204,24 +198,9 @@ - - - This argument will change the default of -- 5 for the number of characters in -- the new password that must not be present in the old -- password. In addition, if 1/2 of the characters in the -- new password are different then the new password will -- be accepted anyway. -- -- -- -- -- -- -- -- -- -- -- How many characters should the password have before -- difok will be ignored. The default is -- 23. -+ 5 for the number of character -+ changes in the new password that differentiate it -+ from the old password. - - - -@@ -370,6 +349,19 @@ - - - -+ -+ -+ -+ -+ Reject passwords which contain more than N consecutive -+ characters of the same class. The default is 0 which means -+ that this check is disabled. -+ -+ -+ -+ -+ -+ - - - -@@ -383,6 +375,20 @@ - - - -+ -+ -+ -+ -+ Check whether the words from the GECOS field (usualy full name -+ of the user) longer than 3 characters in straight or reversed -+ form are contained in the new password. If any such word is -+ found the new password is rejected. 
-+ -+ -+ -+ -+ -+ - - - -diff --git a/modules/pam_cracklib/pam_cracklib.c b/modules/pam_cracklib/pam_cracklib.c -index 1955b83..96ee995 100644 ---- a/modules/pam_cracklib/pam_cracklib.c -+++ b/modules/pam_cracklib/pam_cracklib.c -@@ -51,6 +51,8 @@ - #include - #include - #include -+#include -+#include - - #ifdef HAVE_CRACK_H - #include -@@ -92,7 +94,6 @@ extern char *FascistCheck(char *pw, const char *dictpath); - struct cracklib_options { - int retry_times; - int diff_ok; -- int diff_ignore; - int min_length; - int dig_credit; - int up_credit; -@@ -100,19 +101,21 @@ struct cracklib_options { - int oth_credit; - int min_class; - int max_repeat; -+ int max_class_repeat; - int reject_user; -+ int gecos_check; - const char *cracklib_dictpath; - }; - - #define CO_RETRY_TIMES 1 - #define CO_DIFF_OK 5 --#define CO_DIFF_IGNORE 23 - #define CO_MIN_LENGTH 9 - # define CO_MIN_LENGTH_BASE 5 - #define CO_DIG_CREDIT 1 - #define CO_UP_CREDIT 1 - #define CO_LOW_CREDIT 1 - #define CO_OTH_CREDIT 1 -+#define CO_MIN_WORD_LENGTH 4 - - static int - _pam_parse (pam_handle_t *pamh, struct cracklib_options *opt, -@@ -139,9 +142,7 @@ _pam_parse (pam_handle_t *pamh, struct cracklib_options *opt, - if (!ep || (opt->diff_ok < 0)) - opt->diff_ok = CO_DIFF_OK; - } else if (!strncmp(*argv,"difignore=",10)) { -- opt->diff_ignore = strtol(*argv+10,&ep,10); -- if (!ep || (opt->diff_ignore < 0)) -- opt->diff_ignore = CO_DIFF_IGNORE; -+ /* just ignore */ - } else if (!strncmp(*argv,"minlen=",7)) { - opt->min_length = strtol(*argv+7,&ep,10); - if (!ep || (opt->min_length < CO_MIN_LENGTH_BASE)) -@@ -172,8 +173,14 @@ _pam_parse (pam_handle_t *pamh, struct cracklib_options *opt, - opt->max_repeat = strtol(*argv+10,&ep,10); - if (!ep) - opt->max_repeat = 0; -+ } else if (!strncmp(*argv,"maxclassrepeat=",15)) { -+ opt->max_class_repeat = strtol(*argv+15,&ep,10); -+ if (!ep) -+ opt->max_class_repeat = 0; - } else if (!strncmp(*argv,"reject_username",15)) { - opt->reject_user = 1; -+ } else if 
(!strncmp(*argv,"gecoscheck",10)) { -+ opt->gecos_check = 1; - } else if (!strncmp(*argv,"authtok_type",12)) { - /* for pam_get_authtok, ignore */; - } else if (!strncmp(*argv,"use_authtok",11)) { -@@ -357,16 +364,45 @@ static int simple(struct cracklib_options *opt, const char *new) - int others = 0; - int size; - int i; -+ enum { NONE, DIGIT, UCASE, LCASE, OTHER } prevclass = NONE; -+ int sameclass = 0; - - for (i = 0;new[i];i++) { -- if (isdigit (new[i])) -+ if (isdigit (new[i])) { - digits++; -- else if (isupper (new[i])) -+ if (prevclass != DIGIT) { -+ prevclass = DIGIT; -+ sameclass = 1; -+ } else -+ sameclass++; -+ } -+ else if (isupper (new[i])) { - uppers++; -- else if (islower (new[i])) -+ if (prevclass != UCASE) { -+ prevclass = UCASE; -+ sameclass = 1; -+ } else -+ sameclass++; -+ } -+ else if (islower (new[i])) { - lowers++; -- else -+ if (prevclass != LCASE) { -+ prevclass = LCASE; -+ sameclass = 1; -+ } else -+ sameclass++; -+ } -+ else { - others++; -+ if (prevclass != OTHER) { -+ prevclass = OTHER; -+ sameclass = 1; -+ } else -+ sameclass++; -+ } -+ if (opt->max_class_repeat > 1 && sameclass > opt->max_class_repeat) { -+ return 1; -+ } - } - - /* -@@ -439,21 +475,17 @@ static int consecutive(struct cracklib_options *opt, const char *new) - return 0; - } - --static int usercheck(struct cracklib_options *opt, const char *new, -- char *user) -+static int wordcheck(const char *new, char *word) - { - char *f, *b; - -- if (!opt->reject_user) -- return 0; -- -- if (strstr(new, user) != NULL) -+ if (strstr(new, word) != NULL) - return 1; - -- /* now reverse the username, we can do that in place -+ /* now reverse the word, we can do that in place - as it is strdup-ed */ -- f = user; -- b = user+strlen(user)-1; -+ f = word; -+ b = word+strlen(word)-1; - while (f < b) { - char c; - -@@ -464,11 +496,20 @@ static int usercheck(struct cracklib_options *opt, const char *new, - ++f; - } - -- if (strstr(new, user) != NULL) -+ if (strstr(new, word) != NULL) - return 
1; - return 0; - } - -+static int usercheck(struct cracklib_options *opt, const char *new, -+ char *user) -+{ -+ if (!opt->reject_user) -+ return 0; -+ -+ return wordcheck(new, user); -+} -+ - static char * str_lower(char *string) - { - char *cp; -@@ -481,7 +522,50 @@ static char * str_lower(char *string) - return string; - } - --static const char *password_check(struct cracklib_options *opt, -+static int gecoscheck(pam_handle_t *pamh, struct cracklib_options *opt, const char *new, -+ const char *user) -+{ -+ struct passwd *pwd; -+ char *list; -+ char *p; -+ char *next; -+ -+ if (!opt->gecos_check) -+ return 0; -+ -+ if ((pwd = pam_modutil_getpwnam(pamh, user)) == NULL) { -+ return 0; -+ } -+ -+ list = strdup(pwd->pw_gecos); -+ -+ if (list == NULL || *list == '\0') { -+ free(list); -+ return 0; -+ } -+ -+ for (p = list;;p = next + 1) { -+ next = strchr(p, ' '); -+ if (next) -+ *next = '\0'; -+ -+ if (strlen(p) >= CO_MIN_WORD_LENGTH) { -+ str_lower(p); -+ if (wordcheck(new, p)) { -+ free(list); -+ return 1; -+ } -+ } -+ -+ if (!next) -+ break; -+ } -+ -+ free(list); -+ return 0; -+} -+ -+static const char *password_check(pam_handle_t *pamh, struct cracklib_options *opt, - const char *old, const char *new, - const char *user) - { -@@ -535,7 +619,7 @@ static const char *password_check(struct cracklib_options *opt, - if (!msg && consecutive(opt, new)) - msg = _("contains too many same characters consecutively"); - -- if (!msg && usercheck(opt, newmono, usermono)) -+ if (!msg && (usercheck(opt, newmono, usermono) || gecoscheck(pamh, opt, newmono, user))) - msg = _("contains the user name in some form"); - - free(usermono); -@@ -584,7 +668,7 @@ static int _pam_unix_approve_pass(pam_handle_t *pamh, - * if one wanted to hardwire authentication token strength - * checking this would be the place - */ -- msg = password_check(opt, pass_old, pass_new, user); -+ msg = password_check(pamh, opt, pass_old, pass_new, user); - - if (msg) { - if (ctrl & PAM_DEBUG_ARG) -@@ -611,7 
+695,6 @@ PAM_EXTERN int pam_sm_chauthtok(pam_handle_t *pamh, int flags, - memset(&options, 0, sizeof(options)); - options.retry_times = CO_RETRY_TIMES; - options.diff_ok = CO_DIFF_OK; -- options.diff_ignore = CO_DIFF_IGNORE; - options.min_length = CO_MIN_LENGTH; - options.dig_credit = CO_DIG_CREDIT; - options.up_credit = CO_UP_CREDIT; --- -1.7.7.6 - diff --git a/pam-1.1.5-install-empty.patch b/pam-1.1.5-install-empty.patch deleted file mode 100644 index 817a339..0000000 --- a/pam-1.1.5-install-empty.patch +++ /dev/null @@ -1,30 +0,0 @@ -diff -up Linux-PAM-1.1.5/modules/pam_namespace/Makefile.am.empty Linux-PAM-1.1.5/modules/pam_namespace/Makefile.am ---- Linux-PAM-1.1.5/modules/pam_namespace/Makefile.am.empty 2011-06-21 11:04:56.000000000 +0200 -+++ Linux-PAM-1.1.5/modules/pam_namespace/Makefile.am 2012-05-09 12:23:20.691384345 +0200 -@@ -38,7 +38,9 @@ if HAVE_UNSHARE - - secureconf_DATA = namespace.conf - secureconf_SCRIPTS = namespace.init -- namespaced_DATA = -+ -+install-data-local: -+ mkdir -p $(DESTDIR)$(namespaceddir) - endif - - -diff -up Linux-PAM-1.1.5/modules/pam_sepermit/Makefile.am.empty Linux-PAM-1.1.5/modules/pam_sepermit/Makefile.am ---- Linux-PAM-1.1.5/modules/pam_sepermit/Makefile.am.empty 2011-06-21 11:04:56.000000000 +0200 -+++ Linux-PAM-1.1.5/modules/pam_sepermit/Makefile.am 2012-05-09 12:23:14.291243402 +0200 -@@ -32,9 +32,10 @@ endif - - if HAVE_LIBSELINUX - secureconf_DATA = sepermit.conf -- sepermitlock_DATA = -- - securelib_LTLIBRARIES = pam_sepermit.la -+ -+install-data-local: -+ mkdir -p $(DESTDIR)$(sepermitlockdir) - endif - if ENABLE_REGENERATE_MAN - noinst_DATA = README pam_sepermit.8 sepermit.conf.5 diff --git a/pam-1.1.5-lastlog-inactive.patch b/pam-1.1.5-lastlog-inactive.patch deleted file mode 100644 index da44070..0000000 --- a/pam-1.1.5-lastlog-inactive.patch +++ /dev/null 
@@ -1,391 +0,0 @@ -diff -up Linux-PAM-1.1.5/modules/pam_lastlog/pam_lastlog.8.xml.inactive Linux-PAM-1.1.5/modules/pam_lastlog/pam_lastlog.8.xml ---- Linux-PAM-1.1.5/modules/pam_lastlog/pam_lastlog.8.xml.inactive 2011-06-21 11:04:56.000000000 +0200 -+++ Linux-PAM-1.1.5/modules/pam_lastlog/pam_lastlog.8.xml 2012-05-09 11:35:42.810209582 +0200 -@@ -12,7 +12,7 @@ - - - pam_lastlog -- PAM module to display date of last login -+ PAM module to display date of last login and perform inactive account lock out - - - -@@ -45,6 +45,9 @@ - - showfailed - -+ -+ inactive=<days> -+ - - - -@@ -61,6 +64,12 @@ - Some applications may perform this function themselves. In such - cases, this module is not necessary. - -+ -+ If the module is called in the auth or account phase, the accounts that -+ were not used recently enough will be disallowed to log in. The -+ check is not performed for the root account so the root is never -+ locked out. -+ - - - -@@ -165,13 +174,30 @@ - - - -+ -+ -+ -+ -+ -+ -+ This option is specific for the auth or account phase. It -+ specifies the number of days after the last login of the user -+ when the user will be locked out by the module. The default -+ value is 90. -+ -+ -+ - - - - - MODULE TYPES PROVIDED - -- Only the module type is provided. -+ The and module type -+ allows to lock out users which did not login recently enough. -+ The module type is provided for displaying -+ the information about the last login and/or updating the lastlog and -+ wtmp files. - - - -@@ -207,6 +233,27 @@ - - - -+ -+ PAM_AUTH_ERR -+ -+ -+ User locked out in the auth or account phase due to -+ inactivity. -+ -+ -+ -+ -+ -+ PAM_IGNORE -+ -+ -+ There was an error during reading the lastlog file -+ in the auth or account phase and thus inactivity -+ of the user cannot be determined. 
-+ -+ -+ -+ - - - -@@ -220,6 +267,13 @@ - - session required pam_lastlog.so nowtmp - -+ -+ To reject the user if he did not login during the previous 50 days -+ the following line can be used: -+ -+ -+ auth required pam_lastlog.so inactive=50 -+ - - - -@@ -254,6 +308,9 @@ - - pam_lastlog was written by Andrew G. Morgan <morgan@kernel.org>. - -+ -+ Inactive account lock out added by Tomáš Mráz <tm@t8m.info>. -+ - - - -diff -up Linux-PAM-1.1.5/modules/pam_lastlog/pam_lastlog.c.inactive Linux-PAM-1.1.5/modules/pam_lastlog/pam_lastlog.c ---- Linux-PAM-1.1.5/modules/pam_lastlog/pam_lastlog.c.inactive 2011-06-21 11:04:56.000000000 +0200 -+++ Linux-PAM-1.1.5/modules/pam_lastlog/pam_lastlog.c 2012-05-09 11:35:22.363759805 +0200 -@@ -56,6 +56,9 @@ struct lastlog { - #define DEFAULT_HOST "" /* "[no.where]" */ - #define DEFAULT_TERM "" /* "tt???" */ - -+#define DEFAULT_INACTIVE_DAYS 90 -+#define MAX_INACTIVE_DAYS 100000 -+ - /* - * here, we make a definition for the externally accessible function - * in this file (this definition is required for static a module -@@ -64,6 +67,8 @@ struct lastlog { - */ - - #define PAM_SM_SESSION -+#define PAM_SM_AUTH -+#define PAM_SM_ACCOUNT - - #include - #include -@@ -83,7 +88,45 @@ struct lastlog { - #define LASTLOG_UPDATE 0400 /* update the lastlog and wtmp files (default) */ - - static int --_pam_parse(pam_handle_t *pamh, int flags, int argc, const char **argv) -+_pam_auth_parse(pam_handle_t *pamh, int flags, int argc, const char **argv, -+ time_t *inactive) -+{ -+ int ctrl = 0; -+ -+ *inactive = DEFAULT_INACTIVE_DAYS; -+ -+ /* does the appliction require quiet? 
*/ -+ if (flags & PAM_SILENT) { -+ ctrl |= LASTLOG_QUIET; -+ } -+ -+ /* step through arguments */ -+ for (; argc-- > 0; ++argv) { -+ char *ep = NULL; -+ long l; -+ -+ if (!strcmp(*argv,"debug")) { -+ ctrl |= LASTLOG_DEBUG; -+ } else if (!strcmp(*argv,"silent")) { -+ ctrl |= LASTLOG_QUIET; -+ } else if (!strncmp(*argv,"inactive=", 9)) { -+ l = strtol(*argv+9, &ep, 10); -+ if (ep != *argv+9 && l > 0 && l < MAX_INACTIVE_DAYS) -+ *inactive = l; -+ else { -+ pam_syslog(pamh, LOG_ERR, "bad option value: %s", *argv); -+ } -+ } else { -+ pam_syslog(pamh, LOG_ERR, "unknown option: %s", *argv); -+ } -+ } -+ -+ D(("ctrl = %o", ctrl)); -+ return ctrl; -+} -+ -+static int -+_pam_session_parse(pam_handle_t *pamh, int flags, int argc, const char **argv) - { - int ctrl=(LASTLOG_DATE|LASTLOG_HOST|LASTLOG_LINE|LASTLOG_WTMP|LASTLOG_UPDATE); - -@@ -145,6 +188,44 @@ get_tty(pam_handle_t *pamh) - } - - static int -+last_login_open(pam_handle_t *pamh, int announce, uid_t uid) -+{ -+ int last_fd; -+ -+ /* obtain the last login date and all the relevant info */ -+ last_fd = open(_PATH_LASTLOG, announce&LASTLOG_UPDATE ? 
O_RDWR : O_RDONLY); -+ if (last_fd < 0) { -+ if (errno == ENOENT && (announce & LASTLOG_UPDATE)) { -+ last_fd = open(_PATH_LASTLOG, O_RDWR|O_CREAT, -+ S_IRUSR|S_IWUSR|S_IRGRP|S_IROTH); -+ if (last_fd < 0) { -+ pam_syslog(pamh, LOG_ERR, -+ "unable to create %s: %m", _PATH_LASTLOG); -+ D(("unable to create %s file", _PATH_LASTLOG)); -+ return -1; -+ } -+ pam_syslog(pamh, LOG_WARNING, -+ "file %s created", _PATH_LASTLOG); -+ D(("file %s created", _PATH_LASTLOG)); -+ } else { -+ pam_syslog(pamh, LOG_ERR, "unable to open %s: %m", _PATH_LASTLOG); -+ D(("unable to open %s file", _PATH_LASTLOG)); -+ return -1; -+ } -+ } -+ -+ if (lseek(last_fd, sizeof(struct lastlog) * (off_t) uid, SEEK_SET) < 0) { -+ pam_syslog(pamh, LOG_ERR, "failed to lseek %s: %m", _PATH_LASTLOG); -+ D(("unable to lseek %s file", _PATH_LASTLOG)); -+ close(last_fd); -+ return -1; -+ } -+ -+ return last_fd; -+} -+ -+ -+static int - last_login_read(pam_handle_t *pamh, int announce, int last_fd, uid_t uid, time_t *lltime) - { - struct flock last_lock; -@@ -338,31 +419,9 @@ last_login_date(pam_handle_t *pamh, int - int last_fd; - - /* obtain the last login date and all the relevant info */ -- last_fd = open(_PATH_LASTLOG, announce&LASTLOG_UPDATE ? 
O_RDWR : O_RDONLY); -+ last_fd = last_login_open(pamh, announce, uid); - if (last_fd < 0) { -- if (errno == ENOENT) { -- last_fd = open(_PATH_LASTLOG, O_RDWR|O_CREAT, -- S_IRUSR|S_IWUSR|S_IRGRP|S_IROTH); -- if (last_fd < 0) { -- pam_syslog(pamh, LOG_ERR, -- "unable to create %s: %m", _PATH_LASTLOG); -- D(("unable to create %s file", _PATH_LASTLOG)); -- return PAM_SERVICE_ERR; -- } -- pam_syslog(pamh, LOG_WARNING, -- "file %s created", _PATH_LASTLOG); -- D(("file %s created", _PATH_LASTLOG)); -- } else { -- pam_syslog(pamh, LOG_ERR, "unable to open %s: %m", _PATH_LASTLOG); -- D(("unable to open %s file", _PATH_LASTLOG)); -- return PAM_SERVICE_ERR; -- } -- } -- -- if (lseek(last_fd, sizeof(struct lastlog) * (off_t) uid, SEEK_SET) < 0) { -- pam_syslog(pamh, LOG_ERR, "failed to lseek %s: %m", _PATH_LASTLOG); -- D(("unable to lseek %s file", _PATH_LASTLOG)); -- return PAM_SERVICE_ERR; -+ return PAM_SERVICE_ERR; - } - - retval = last_login_read(pamh, announce, last_fd, uid, lltime); -@@ -502,7 +561,91 @@ cleanup: - return retval; - } - --/* --- authentication management functions (only) --- */ -+/* --- authentication (locking out inactive users) functions --- */ -+PAM_EXTERN int -+pam_sm_authenticate(pam_handle_t *pamh, int flags, -+ int argc, const char **argv) -+{ -+ int retval, ctrl; -+ const char *user = NULL; -+ const struct passwd *pwd; -+ uid_t uid; -+ time_t lltime = 0; -+ time_t inactive_days = 0; -+ int last_fd; -+ -+ /* -+ * Lock out the user if he did not login recently enough. -+ */ -+ -+ ctrl = _pam_auth_parse(pamh, flags, argc, argv, &inactive_days); -+ -+ /* which user? */ -+ -+ if (pam_get_user(pamh, &user, NULL) != PAM_SUCCESS || user == NULL -+ || *user == '\0') { -+ pam_syslog(pamh, LOG_ERR, "cannot determine the user's name"); -+ return PAM_USER_UNKNOWN; -+ } -+ -+ /* what uid? 
*/ -+ -+ pwd = pam_modutil_getpwnam (pamh, user); -+ if (pwd == NULL) { -+ pam_syslog(pamh, LOG_ERR, "user unknown"); -+ return PAM_USER_UNKNOWN; -+ } -+ uid = pwd->pw_uid; -+ pwd = NULL; /* tidy up */ -+ -+ if (uid == 0) -+ return PAM_SUCCESS; -+ -+ /* obtain the last login date and all the relevant info */ -+ last_fd = last_login_open(pamh, ctrl, uid); -+ if (last_fd < 0) { -+ return PAM_IGNORE; -+ } -+ -+ retval = last_login_read(pamh, ctrl|LASTLOG_QUIET, last_fd, uid, &lltime); -+ close(last_fd); -+ -+ if (retval != PAM_SUCCESS) { -+ D(("error while reading lastlog file")); -+ return PAM_IGNORE; -+ } -+ -+ if (lltime == 0) { /* user never logged in before */ -+ if (ctrl & LASTLOG_DEBUG) -+ pam_syslog(pamh, LOG_DEBUG, "user never logged in - pass"); -+ return PAM_SUCCESS; -+ } -+ -+ lltime = (time(NULL) - lltime) / (24*60*60); -+ -+ if (lltime > inactive_days) { -+ pam_syslog(pamh, LOG_INFO, "user %s inactive for %d days - denied", user, lltime); -+ return PAM_AUTH_ERR; -+ } -+ -+ return PAM_SUCCESS; -+} -+ -+PAM_EXTERN int -+pam_sm_setcred(pam_handle_t *pamh UNUSED, int flags UNUSED, -+ int argc UNUSED, const char **argv UNUSED) -+{ -+ return PAM_SUCCESS; -+} -+ -+PAM_EXTERN int -+pam_sm_acct_mgmt(pam_handle_t *pamh, int flags, -+ int argc, const char **argv) -+{ -+ return pam_sm_authenticate(pamh, flags, argc, argv); -+} -+ -+/* --- session management functions --- */ - - PAM_EXTERN int - pam_sm_open_session(pam_handle_t *pamh, int flags, -@@ -519,7 +662,7 @@ pam_sm_open_session(pam_handle_t *pamh, - * last login info and then updates the lastlog for that user. - */ - -- ctrl = _pam_parse(pamh, flags, argc, argv); -+ ctrl = _pam_session_parse(pamh, flags, argc, argv); - - /* which user? 
*/ - -@@ -560,7 +703,7 @@ pam_sm_close_session (pam_handle_t *pamh - { - const char *terminal_line; - -- if (!(_pam_parse(pamh, flags, argc, argv) & LASTLOG_WTMP)) -+ if (!(_pam_session_parse(pamh, flags, argc, argv) & LASTLOG_WTMP)) - return PAM_SUCCESS; - - terminal_line = get_tty(pamh); -@@ -577,9 +720,9 @@ pam_sm_close_session (pam_handle_t *pamh - - struct pam_module _pam_lastlog_modstruct = { - "pam_lastlog", -- NULL, -- NULL, -- NULL, -+ pam_sm_authenticate, -+ pam_sm_setcred, -+ pam_sm_acct_mgmt, - pam_sm_open_session, - pam_sm_close_session, - NULL, diff --git a/pam-1.1.5-namespace-no-unmount.patch b/pam-1.1.5-namespace-no-unmount.patch deleted file mode 100644 index 9e28397..0000000 --- a/pam-1.1.5-namespace-no-unmount.patch +++ /dev/null 
@@ -1,93 +0,0 @@ -diff --git a/modules/pam_namespace/pam_namespace.8.xml b/modules/pam_namespace/pam_namespace.8.xml -index 6ec3ad2..f0f80d3 100644 ---- a/modules/pam_namespace/pam_namespace.8.xml -+++ b/modules/pam_namespace/pam_namespace.8.xml -@@ -44,7 +44,7 @@ - ignore_instance_parent_mode - - -- no_unmount_on_close -+ unmount_on_close - - - use_current_context -@@ -195,16 +195,17 @@ - - - -- -+ - - - -- For certain trusted programs such as newrole, open session -- is called from a child process while the parent performs -- close session and pam end functions. For these commands -- use this option to instruct pam_close_session to not -- unmount the bind mounted polyinstantiated directory in the -- parent. -+ Explicitly unmount the polyinstantiated directories instead -+ of relying on automatic namespace destruction after the last -+ process in a namespace exits. This option should be used -+ only in case it is ensured by other means that there cannot be -+ any processes running in the private namespace left after the -+ session close. It is also useful only in case there are -+ multiple pam session calls in sequence from the same process. 
- - - -diff --git a/modules/pam_namespace/pam_namespace.c b/modules/pam_namespace/pam_namespace.c -index 470f493..a40f05e 100644 ---- a/modules/pam_namespace/pam_namespace.c -+++ b/modules/pam_namespace/pam_namespace.c -@@ -2108,24 +2108,26 @@ PAM_EXTERN int pam_sm_close_session(pam_handle_t *pamh, int flags UNUSED, - idata.flags |= PAMNS_DEBUG; - if (strcmp(argv[i], "ignore_config_error") == 0) - idata.flags |= PAMNS_IGN_CONFIG_ERR; -- if (strcmp(argv[i], "no_unmount_on_close") == 0) -- idata.flags |= PAMNS_NO_UNMOUNT_ON_CLOSE; -+ if (strcmp(argv[i], "unmount_on_close") == 0) -+ idata.flags |= PAMNS_UNMOUNT_ON_CLOSE; - } - - if (idata.flags & PAMNS_DEBUG) - pam_syslog(idata.pamh, LOG_DEBUG, "close_session - start"); - - /* -- * For certain trusted programs such as newrole, open session -- * is called from a child process while the parent perfoms -- * close session and pam end functions. For these commands -- * pam_close_session should not perform the unmount of the -- * polyinstantiatied directory because it will result in -- * undoing of parents polyinstantiatiaion. These commands -- * will invoke pam_namespace with the "no_unmount_on_close" -- * argument. -+ * Normally the unmount is implicitly done when the last -+ * process in the private namespace exits. -+ * If it is ensured that there are no child processes left in -+ * the private namespace by other means and if there are -+ * multiple sessions opened and closed sequentially by the -+ * same process, the "unmount_on_close" option might be -+ * used to unmount the polydirs explicitly. 
- */ -- if (idata.flags & PAMNS_NO_UNMOUNT_ON_CLOSE) { -+ if (!(idata.flags & PAMNS_UNMOUNT_ON_CLOSE)) { -+ pam_set_data(idata.pamh, NAMESPACE_POLYDIR_DATA, NULL, NULL); -+ pam_set_data(idata.pamh, NAMESPACE_PROTECT_DATA, NULL, NULL); -+ - if (idata.flags & PAMNS_DEBUG) - pam_syslog(idata.pamh, LOG_DEBUG, "close_session - sucessful"); - return PAM_SUCCESS; -diff --git a/modules/pam_namespace/pam_namespace.h b/modules/pam_namespace/pam_namespace.h -index 6bca31c..1d0c11c 100644 ---- a/modules/pam_namespace/pam_namespace.h -+++ b/modules/pam_namespace/pam_namespace.h -@@ -101,7 +101,7 @@ - #define PAMNS_GEN_HASH 0x00002000 /* Generate md5 hash for inst names */ - #define PAMNS_IGN_CONFIG_ERR 0x00004000 /* Ignore format error in conf file */ - #define PAMNS_IGN_INST_PARENT_MODE 0x00008000 /* Ignore instance parent mode */ --#define PAMNS_NO_UNMOUNT_ON_CLOSE 0x00010000 /* no unmount at session close */ -+#define PAMNS_UNMOUNT_ON_CLOSE 0x00010000 /* Unmount at session close */ - #define PAMNS_USE_CURRENT_CONTEXT 0x00020000 /* use getcon instead of getexeccon */ - #define PAMNS_USE_DEFAULT_CONTEXT 0x00040000 /* use get_default_context instead of getexeccon */ - #define PAMNS_MOUNT_PRIVATE 0x00080000 /* Make the polydir mounts private */ diff --git a/pam-1.1.5-namespace-rslave.patch b/pam-1.1.5-namespace-rslave.patch deleted file mode 100644 index 94265c0..0000000 --- a/pam-1.1.5-namespace-rslave.patch +++ /dev/null 
@@ -1,114 +0,0 @@ -diff -up Linux-PAM-1.1.5/modules/pam_namespace/pam_namespace.8.xml.rslave Linux-PAM-1.1.5/modules/pam_namespace/pam_namespace.8.xml ---- Linux-PAM-1.1.5/modules/pam_namespace/pam_namespace.8.xml.rslave 2011-06-21 11:04:56.000000000 +0200 -+++ Linux-PAM-1.1.5/modules/pam_namespace/pam_namespace.8.xml 2012-01-31 16:40:36.495716240 +0100 -@@ -246,12 +246,18 @@ - This option can be used on systems where the / mount point or - its submounts are made shared (for example with a - mount --make-rshared / command). -- The module will make the polyinstantiated directory mount points -- private. Normally the pam_namespace will try to detect the -+ The module will mark the whole directory tree so any mount and -+ unmount operations in the polyinstantiation namespace are private. -+ Normally the pam_namespace will try to detect the - shared / mount point and make the polyinstantiated directories - private automatically. This option has to be used just when - only a subtree is shared and / is not. - -+ -+ Note that mounts and unmounts done in the private namespace will not -+ affect the parent namespace if this option is used or when the -+ shared / mount point is autodetected. 
-+ - - - -diff -up Linux-PAM-1.1.5/modules/pam_namespace/pam_namespace.c.rslave Linux-PAM-1.1.5/modules/pam_namespace/pam_namespace.c ---- Linux-PAM-1.1.5/modules/pam_namespace/pam_namespace.c.rslave 2011-06-21 11:04:56.000000000 +0200 -+++ Linux-PAM-1.1.5/modules/pam_namespace/pam_namespace.c 2012-01-31 16:42:07.762506791 +0100 -@@ -1003,7 +1003,7 @@ static int protect_mount(int dfd, const - return 0; - } - --static int protect_dir(const char *path, mode_t mode, int do_mkdir, int always, -+static int protect_dir(const char *path, mode_t mode, int do_mkdir, - struct instance_data *idata) - { - char *p = strdup(path); -@@ -1082,7 +1082,7 @@ static int protect_dir(const char *path, - } - } - -- if ((flags & O_NOFOLLOW) || always) { -+ if (flags & O_NOFOLLOW) { - /* we are inside user-owned dir - protect */ - if (protect_mount(rv, p, idata) == -1) { - save_errno = errno; -@@ -1124,7 +1124,7 @@ static int check_inst_parent(char *ipath - if (trailing_slash) - *trailing_slash = '\0'; - -- dfd = protect_dir(inst_parent, 0, 1, 0, idata); -+ dfd = protect_dir(inst_parent, 0, 1, idata); - - if (dfd == -1 || fstat(dfd, &instpbuf) < 0) { - pam_syslog(idata->pamh, LOG_ERR, -@@ -1259,7 +1259,7 @@ static int create_polydir(struct polydir - } - #endif - -- rc = protect_dir(dir, mode, 1, idata->flags & PAMNS_MOUNT_PRIVATE, idata); -+ rc = protect_dir(dir, mode, 1, idata); - if (rc == -1) { - pam_syslog(idata->pamh, LOG_ERR, - "Error creating directory %s: %m", dir); -@@ -1447,7 +1447,7 @@ static int ns_setup(struct polydir_s *po - pam_syslog(idata->pamh, LOG_DEBUG, - "Set namespace for directory %s", polyptr->dir); - -- retval = protect_dir(polyptr->dir, 0, 0, idata->flags & PAMNS_MOUNT_PRIVATE, idata); -+ retval = protect_dir(polyptr->dir, 0, 0, idata); - - if (retval < 0 && errno != ENOENT) { - pam_syslog(idata->pamh, LOG_ERR, "Polydir %s access error: %m", -@@ -1534,22 +1534,6 @@ static int ns_setup(struct polydir_s *po - goto error_out; - } - -- if (idata->flags & 
PAMNS_MOUNT_PRIVATE) { -- /* -- * Make the polyinstantiated dir private mount. This depends -- * on making the dir a mount point in the protect_dir call. -- */ -- if (mount(polyptr->dir, polyptr->dir, NULL, MS_PRIVATE|MS_REC, NULL) < 0) { -- pam_syslog(idata->pamh, LOG_ERR, "Error making %s a private mount, %m", -- polyptr->dir); -- goto error_out; -- } -- if (idata->flags & PAMNS_DEBUG) -- pam_syslog(idata->pamh, LOG_DEBUG, -- "Polyinstantiated directory %s made as private mount", polyptr->dir); -- -- } -- - /* - * Bind mount instance directory on top of the polyinstantiated - * directory to provide an instance of polyinstantiated directory -@@ -1720,6 +1704,18 @@ static int setup_namespace(struct instan - "Unable to unshare from parent namespace, %m"); - return PAM_SESSION_ERR; - } -+ if (idata->flags & PAMNS_MOUNT_PRIVATE) { -+ /* Remount / as SLAVE so that nothing mounted in the namespace -+ shows up in the parent */ -+ if (mount("/", "/", NULL, MS_SLAVE | MS_REC , NULL) < 0) { -+ pam_syslog(idata->pamh, LOG_ERR, -+ "Failed to mark / as a slave mount point, %m"); -+ return PAM_SESSION_ERR; -+ } -+ if (idata->flags & PAMNS_DEBUG) -+ pam_syslog(idata->pamh, LOG_DEBUG, -+ "The / mount point was marked as slave"); -+ } - } else { - del_polydir_list(idata->polydirs_ptr); - return PAM_SUCCESS; diff --git a/pam-1.1.5-unix-crypt.patch b/pam-1.1.5-unix-crypt.patch deleted file mode 100644 index a10ba89..0000000 --- a/pam-1.1.5-unix-crypt.patch +++ /dev/null 
@@ -1,53 +0,0 @@ -From 1329c68b19daa6d5793dd672db73ebe85465eea9 Mon Sep 17 00:00:00 2001 -From: Paul Wouters -Date: Wed, 11 Apr 2012 21:13:14 +0200 -Subject: [PATCH] Check for crypt() failure returning NULL. - -* modules/pam_unix/pam_unix_passwd.c (pam_sm_chauthtok): Adjust syslog message. -* modules/pam_unix/passverify.c (create_password_hash): Check for crypt() -returning NULL. ---- - modules/pam_unix/pam_unix_passwd.c | 2 +- - modules/pam_unix/passverify.c | 6 ++++-- - 2 files changed, 5 insertions(+), 3 deletions(-) - -diff --git a/modules/pam_unix/pam_unix_passwd.c b/modules/pam_unix/pam_unix_passwd.c -index e9059d3..9e1302d 100644 ---- a/modules/pam_unix/pam_unix_passwd.c -+++ b/modules/pam_unix/pam_unix_passwd.c -@@ -800,7 +800,7 @@ pam_sm_chauthtok(pam_handle_t *pamh, int flags, int argc, const char **argv) - tpass = create_password_hash(pamh, pass_new, ctrl, rounds); - if (tpass == NULL) { - pam_syslog(pamh, LOG_CRIT, -- "out of memory for password"); -+ "crypt() failure or out of memory for password"); - pass_new = pass_old = NULL; /* tidy up */ - unlock_pwdf(); - return PAM_BUF_ERR; -diff --git a/modules/pam_unix/passverify.c b/modules/pam_unix/passverify.c -index 5289955..4840bb2 100644 ---- a/modules/pam_unix/passverify.c -+++ b/modules/pam_unix/passverify.c -@@ -424,7 +424,7 @@ PAMH_ARG_DECL(char * create_password_hash, - } - #endif - sp = crypt(password, salt); -- if (strncmp(algoid, sp, strlen(algoid)) != 0) { -+ if (!sp || strncmp(algoid, sp, strlen(algoid)) != 0) { - /* libxcrypt/libc doesn't know the algorithm, use MD5 */ - pam_syslog(pamh, LOG_ERR, - "Algo %s not supported by the crypto backend, " -@@ -432,7 +432,9 @@ PAMH_ARG_DECL(char * create_password_hash, - on(UNIX_BLOWFISH_PASS, ctrl) ? "blowfish" : - on(UNIX_SHA256_PASS, ctrl) ? "sha256" : - on(UNIX_SHA512_PASS, ctrl) ? "sha512" : algoid); -- memset(sp, '\0', strlen(sp)); -+ if(sp) { -+ memset(sp, '\0', strlen(sp)); -+ } - return crypt_md5_wrapper(password); - } - --- -1.7.7.6 - 
diff --git a/pam-1.1.5-unix-remember.patch b/pam-1.1.5-unix-remember.patch deleted file mode 100644 index de34428..0000000 --- a/pam-1.1.5-unix-remember.patch +++ /dev/null 
@@ -1,59 +0,0 @@ -From 0baf28fa03dfa46482e13390fd9a7545c30ccd7f Mon Sep 17 00:00:00 2001 -From: Tomas Mraz -Date: Tue, 3 Jan 2012 12:30:43 +0100 -Subject: [PATCH] Fix matching of usernames in the pam_unix remember feature. - -* modules/pam_unix/pam_unix_passwd.c (check_old_password): Make -sure we match only the whole username in opasswd entry. -* modules/pam_unix/passverify.c (save_old_password): Likewise make -sure we match only the whole username in opasswd entry. ---- - modules/pam_unix/pam_unix_passwd.c | 4 +++- - modules/pam_unix/passverify.c | 3 ++- - 2 files changed, 5 insertions(+), 2 deletions(-) - -diff --git a/modules/pam_unix/pam_unix_passwd.c b/modules/pam_unix/pam_unix_passwd.c -index 6ba2c2e..498a81c 100644 ---- a/modules/pam_unix/pam_unix_passwd.c -+++ b/modules/pam_unix/pam_unix_passwd.c -@@ -280,13 +280,15 @@ static int check_old_password(const char *forwho, const char *newpass) - char *s_luser, *s_uid, *s_npas, *s_pas; - int retval = PAM_SUCCESS; - FILE *opwfile; -+ size_t len = strlen(forwho); - - opwfile = fopen(OLD_PASSWORDS_FILE, "r"); - if (opwfile == NULL) - return PAM_ABORT; - - while (fgets(buf, 16380, opwfile)) { -- if (!strncmp(buf, forwho, strlen(forwho))) { -+ if (!strncmp(buf, forwho, len) && (buf[len] == ':' || -+ buf[len] == ',')) { - char *sptr; - buf[strlen(buf) - 1] = '\0'; - s_luser = strtok_r(buf, ":,", &sptr); -diff --git a/modules/pam_unix/passverify.c b/modules/pam_unix/passverify.c -index 089f4b8..5289955 100644 ---- a/modules/pam_unix/passverify.c -+++ b/modules/pam_unix/passverify.c -@@ -562,6 +562,7 @@ save_old_password(pam_handle_t *pamh, const char *forwho, const char *oldpass, - int found = 0; - struct passwd *pwd = NULL; - struct stat st; -+ size_t len = strlen(forwho); - #ifdef WITH_SELINUX - security_context_t prev_context=NULL; - #endif -@@ -629,7 +630,7 @@ save_old_password(pam_handle_t *pamh, const char *forwho, const char *oldpass, - } - - while (fgets(buf, 16380, opwfile)) { -- if (!strncmp(buf, forwho, 
strlen(forwho))) { -+ if (!strncmp(buf, forwho, len) && strchr(":,\n", buf[len]) != NULL) { - char *sptr = NULL; - found = 1; - if (howmany == 0) --- -1.7.7.6 - diff --git a/pam-1.1.6-install-empty.patch b/pam-1.1.6-install-empty.patch new file mode 100644 index 0000000..9767577 --- /dev/null +++ b/pam-1.1.6-install-empty.patch @@ -0,0 +1,24 @@ +diff -up Linux-PAM-1.1.6/modules/pam_namespace/Makefile.am.empty Linux-PAM-1.1.6/modules/pam_namespace/Makefile.am +--- Linux-PAM-1.1.6/modules/pam_namespace/Makefile.am.empty 2012-08-15 13:08:43.000000000 +0200 ++++ Linux-PAM-1.1.6/modules/pam_namespace/Makefile.am 2012-08-17 15:08:33.487322476 +0200 +@@ -40,7 +40,7 @@ if HAVE_UNSHARE + secureconf_SCRIPTS = namespace.init + + install-data-local: +- mkdir -p $(namespaceddir) ++ mkdir -p $(DESTDIR)$(namespaceddir) + endif + + +diff -up Linux-PAM-1.1.6/modules/pam_sepermit/Makefile.am.empty Linux-PAM-1.1.6/modules/pam_sepermit/Makefile.am +--- Linux-PAM-1.1.6/modules/pam_sepermit/Makefile.am.empty 2012-08-15 13:08:43.000000000 +0200 ++++ Linux-PAM-1.1.6/modules/pam_sepermit/Makefile.am 2012-08-17 15:08:13.692856948 +0200 +@@ -35,7 +35,7 @@ if HAVE_LIBSELINUX + securelib_LTLIBRARIES = pam_sepermit.la + + install-data-local: +- mkdir -p $(sepermitlockdir) ++ mkdir -p $(DESTDIR)$(sepermitlockdir) + endif + if ENABLE_REGENERATE_MAN + noinst_DATA = README pam_sepermit.8 sepermit.conf.5 diff --git a/pam-1.1.6-noflex.patch b/pam-1.1.6-noflex.patch new file mode 100644 index 0000000..6410a8d --- /dev/null +++ b/pam-1.1.6-noflex.patch 
@@ -0,0 +1,24 @@ +diff -up Linux-PAM-1.1.6/doc/Makefile.am.noflex Linux-PAM-1.1.6/doc/Makefile.am +--- Linux-PAM-1.1.6/doc/Makefile.am.noflex 2012-08-15 13:08:43.000000000 +0200 ++++ Linux-PAM-1.1.6/doc/Makefile.am 2012-08-17 14:13:11.904949748 +0200 +@@ -2,7 +2,7 @@ + # Copyright (c) 2005, 2006 Thorsten Kukuk + # + +-SUBDIRS = man specs sag adg mwg ++SUBDIRS = man sag adg mwg + + CLEANFILES = *~ + +diff -up Linux-PAM-1.1.6/Makefile.am.noflex Linux-PAM-1.1.6/Makefile.am +--- Linux-PAM-1.1.6/Makefile.am.noflex 2012-08-15 13:08:43.000000000 +0200 ++++ Linux-PAM-1.1.6/Makefile.am 2012-08-17 14:15:36.705359892 +0200 +@@ -4,7 +4,7 @@ + + AUTOMAKE_OPTIONS = 1.9 gnu dist-bzip2 check-news + +-SUBDIRS = libpam tests libpamc libpam_misc modules po conf doc examples xtests ++SUBDIRS = libpam tests libpamc libpam_misc modules po doc examples xtests + + CLEANFILES = *~ + diff --git a/pam-1.1.6-std-noclose.patch b/pam-1.1.6-std-noclose.patch new file mode 100644 index 0000000..5c8640f --- /dev/null +++ b/pam-1.1.6-std-noclose.patch 
@@ -0,0 +1,98 @@ +diff -up Linux-PAM-1.1.6/modules/pam_mkhomedir/pam_mkhomedir.c.std-noclose Linux-PAM-1.1.6/modules/pam_mkhomedir/pam_mkhomedir.c +--- Linux-PAM-1.1.6/modules/pam_mkhomedir/pam_mkhomedir.c.std-noclose 2012-08-15 13:08:43.000000000 +0200 ++++ Linux-PAM-1.1.6/modules/pam_mkhomedir/pam_mkhomedir.c 2012-08-17 13:25:20.684075361 +0200 +@@ -133,13 +133,21 @@ create_homedir (pam_handle_t *pamh, opti + if (child == 0) { + int i; + struct rlimit rlim; ++ int dummyfds[2]; + static char *envp[] = { NULL }; + char *args[] = { NULL, NULL, NULL, NULL, NULL }; + ++ /* replace std file descriptors with a dummy pipe */ ++ if (pipe(dummyfds) == 0) { ++ dup2(dummyfds[0], STDIN_FILENO); ++ dup2(dummyfds[1], STDOUT_FILENO); ++ dup2(dummyfds[1], STDERR_FILENO); ++ } ++ + if (getrlimit(RLIMIT_NOFILE, &rlim)==0) { + if (rlim.rlim_max >= MAX_FD_NO) + rlim.rlim_max = MAX_FD_NO; +- for (i=0; i < (int)rlim.rlim_max; i++) { ++ for (i = STDERR_FILENO + 1; i < (int)rlim.rlim_max; i++) { + close(i); + } + } +diff -up Linux-PAM-1.1.6/modules/pam_unix/pam_unix_acct.c.std-noclose Linux-PAM-1.1.6/modules/pam_unix/pam_unix_acct.c +--- Linux-PAM-1.1.6/modules/pam_unix/pam_unix_acct.c.std-noclose 2012-08-15 13:08:43.000000000 +0200 ++++ Linux-PAM-1.1.6/modules/pam_unix/pam_unix_acct.c 2012-08-17 13:22:51.664560481 +0200 +@@ -105,16 +105,18 @@ int _unix_run_verify_binary(pam_handle_t + + /* reopen stdout as pipe */ + dup2(fds[1], STDOUT_FILENO); ++ /* and replace also the stdin, stderr so we do not exec the helper with ++ tty as stdin, it will not read anything from there anyway */ ++ dup2(fds[0], STDIN_FILENO); ++ dup2(fds[1], STDERR_FILENO); + + /* XXX - should really tidy up PAM here too */ + + if (getrlimit(RLIMIT_NOFILE,&rlim)==0) { + if (rlim.rlim_max >= MAX_FD_NO) + rlim.rlim_max = MAX_FD_NO; +- for (i=0; i < (int)rlim.rlim_max; i++) { +- if (i != STDOUT_FILENO) { +- close(i); +- } ++ for (i = STDERR_FILENO + 1; i < (int)rlim.rlim_max; i++) { ++ close(i); + } + } + +diff -up 
Linux-PAM-1.1.6/modules/pam_unix/pam_unix_passwd.c.std-noclose Linux-PAM-1.1.6/modules/pam_unix/pam_unix_passwd.c +--- Linux-PAM-1.1.6/modules/pam_unix/pam_unix_passwd.c.std-noclose 2012-08-15 13:08:43.000000000 +0200 ++++ Linux-PAM-1.1.6/modules/pam_unix/pam_unix_passwd.c 2012-08-17 14:10:38.917346789 +0200 +@@ -210,13 +210,16 @@ static int _unix_run_update_binary(pam_h + + /* reopen stdin as pipe */ + dup2(fds[0], STDIN_FILENO); ++ /* and replace also the stdout/err as the helper will ++ not write anything there */ ++ dup2(fds[1], STDOUT_FILENO); ++ dup2(fds[1], STDERR_FILENO); + + if (getrlimit(RLIMIT_NOFILE,&rlim)==0) { + if (rlim.rlim_max >= MAX_FD_NO) + rlim.rlim_max = MAX_FD_NO; +- for (i=0; i < (int)rlim.rlim_max; i++) { +- if (i != STDIN_FILENO) +- close(i); ++ for (i = STDERR_FILENO + 1; i < (int)rlim.rlim_max; i++) { ++ close(i); + } + } + +diff -up Linux-PAM-1.1.6/modules/pam_unix/support.c.std-noclose Linux-PAM-1.1.6/modules/pam_unix/support.c +--- Linux-PAM-1.1.6/modules/pam_unix/support.c.std-noclose 2012-08-15 13:08:43.000000000 +0200 ++++ Linux-PAM-1.1.6/modules/pam_unix/support.c 2012-08-17 14:12:10.833511475 +0200 +@@ -469,13 +469,16 @@ static int _unix_run_helper_binary(pam_h + + /* reopen stdin as pipe */ + dup2(fds[0], STDIN_FILENO); ++ /* and replace also the stdout/err as the helper will ++ not write anything there */ ++ dup2(fds[1], STDOUT_FILENO); ++ dup2(fds[1], STDERR_FILENO); + + if (getrlimit(RLIMIT_NOFILE,&rlim)==0) { + if (rlim.rlim_max >= MAX_FD_NO) + rlim.rlim_max = MAX_FD_NO; +- for (i=0; i < (int)rlim.rlim_max; i++) { +- if (i != STDIN_FILENO) +- close(i); ++ for (i = STDERR_FILENO + 1; i < (int)rlim.rlim_max; i++) { ++ close(i); + } + } + diff --git a/pam.spec b/pam.spec index 3fbe578..b0b0d8c 100644 --- a/pam.spec +++ b/pam.spec 
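Review bot: None of the new dup2() calls is checked, and because the close loop in each of the four child branches now starts at STDERR_FILENO + 1, a dup2() that fails (or, in pam_mkhomedir.c, a pipe() that fails and skips the whole block) leaves the parent's original descriptors 0–2 open in the child and inherited across the exec, whereas the removed loop closed them unconditionally. In pam_mkhomedir.c I would make the setup fatal for the child, e.g. `if (pipe(dummyfds) != 0 || dup2(dummyfds[0], STDIN_FILENO) < 0 || dup2(dummyfds[1], STDOUT_FILENO) < 0 || dup2(dummyfds[1], STDERR_FILENO) < 0) _exit(1);` (using whatever status the exec-failure path below already uses), and the same pattern applies to the three pam_unix helpers. In pam_unix_acct.c the helper's stderr is now dup'd onto fds[1] together with stdout, so anything the helper prints to stderr lands in the stream the parent presumably reads the result from; the comment should state that the helper is relied on not to write to stderr, or stderr should get a separate sink. Each of these child branches belongs to a function that begins and continues outside the hunk.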
@@ -2,14 +2,14 @@
 
 Summary: An extensible library which provides authentication for applications
 Name: pam
-Version: 1.1.5
-Release: 9%{?dist}
+Version: 1.1.6
+Release: 1%{?dist}
 # The library is BSD licensed with option to relicense as GPLv2+
 # - this option is redundant as the BSD license allows that anyway.
 # pam_timestamp, pam_loginuid, and pam_console modules are GPLv2+.
 License: BSD and GPLv2+
 Group: System Environment/Base
-Source0: https://fedorahosted.org/releases/l/i/linux-pam/Linux-PAM-%{version}.tar.bz2
+Source0: http://www.linux-pam.org/library/Linux-PAM-%{version}.tar.bz2
 # This is the old location that might be revived in future:
 #Source0: http://ftp.us.kernel.org/pub/linux/libs/pam/library/Linux-PAM-%{version}.tar.bz2
 #Source1: http://ftp.us.kernel.org/pub/linux/libs/pam/library/Linux-PAM-%{version}.tar.bz2.sign
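Review bot: Source0 moves from an https URL to a plain-http one (`http://www.linux-pam.org/library/Linux-PAM-%{version}.tar.bz2`), so the download is no longer transport-protected and the only integrity check on the tarball is the md5 recorded in `sources`; the commented-out `#Source1: ...tar.bz2.sign` line shows a detached signature used to be tracked alongside it. Prefer an https URL if upstream serves the same path over TLS, and consider verifying the upstream signature when importing the tarball so the checksum in `sources` is anchored to something stronger than the download itself.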
@@ -28,32 +28,20 @@ Source15: pamtmp.conf
 Source16: postlogin.pamd
 Source17: postlogin.5
 Patch1: pam-1.0.90-redhat-modules.patch
-Patch2: pam-1.0.91-std-noclose.patch
+Patch2: pam-1.1.6-std-noclose.patch
 Patch4: pam-1.1.0-console-nochmod.patch
 Patch5: pam-1.1.0-notally.patch
 Patch7: pam-1.1.0-console-fixes.patch
 Patch8: pam-1.1.1-faillock.patch
-Patch9: pam-1.1.2-noflex.patch
+Patch9: pam-1.1.6-noflex.patch
 Patch10: pam-1.1.3-nouserenv.patch
 Patch11: pam-1.1.3-console-abstract.patch
 Patch12: pam-1.1.3-faillock-screensaver.patch
 Patch13: pam-1.1.5-limits-user.patch
-# Committed to upstream git
-Patch14: pam-1.1.5-namespace-rslave.patch
-# Committed to upstream git
-Patch15: pam-1.1.5-namespace-no-unmount.patch
-# Committed to upstream git
-Patch16: pam-1.1.5-lastlog-inactive.patch
-# Committed to upstream git
-Patch17: pam-1.1.5-cracklib-gecoscheck.patch
-# Committed to upstream git
-Patch18: pam-1.1.5-unix-remember.patch
-# Committed to upstream git
-Patch19: pam-1.1.5-unix-crypt.patch
 # FIPS related - non upstreamable
 Patch20: pam-1.1.5-unix-no-fallback.patch
-# Will be upstreamed
-Patch21: pam-1.1.5-install-empty.patch
+# Upstreamed
+Patch21: pam-1.1.6-install-empty.patch
 #
 Patch22: pam-1.1.5-unix-build.patch
 
@@ -128,12 +116,6 @@ mv pam-redhat-%{pam_redhat_version}/* modules
 %patch11 -p1 -b .abstract
 %patch12 -p1 -b .screensaver
 %patch13 -p1 -b .limits
-%patch14 -p1 -b .rslave
-%patch15 -p1 -b .no-unmount
-%patch16 -p1 -b .inactive
-%patch17 -p1 -b .gecoscheck
-%patch18 -p1 -b .remember
-%patch19 -p1 -b .crypt
 %patch20 -p1 -b .no-fallback
 %patch21 -p1 -b .empty
 %patch22 -p1 -b .build
@@ -391,6 +373,9 @@ fi
 %doc doc/adg/*.txt doc/adg/html
 
 %changelog
+* Fri Aug 17 2012 Tomas Mraz - 1.1.6-1
+- new upstream release
+
 * Thu Aug 9 2012 Tomas Mraz - 1.1.5-9
 - make the pam_lastlog module in postlogin 'optional' (#846843)
 
diff --git a/sources b/sources
index b1f4b89..2f06b12 100644
--- a/sources
+++ b/sources
@@ -1,2 +1,2 @@
 c115640346a987356f6b76ec1d425185 pam-redhat-0.99.10-1.tar.bz2
-927ee5585bdec5256c75117e9348aa47 Linux-PAM-1.1.5.tar.bz2
+7b73e58b7ce79ffa321d408de06db2c4 Linux-PAM-1.1.6.tar.bz2