!12 openEuler-pam

Merge pull request !12 from Liquor/liquor
2020-07-27 16:12:54 +08:00 · 2020-07-27 16:12:54 +08:00 · a58b773da3
commit a58b773da3
parent 42ce3be67a e423fdae33
10 changed files with 84 additions and 1952 deletions
--- a/Linux-PAM-1.3.1.tar.xz
+++ b/Linux-PAM-1.3.1.tar.xz
--- a/Linux-PAM-1.3.1.tar.xz.asc
+++ b/Linux-PAM-1.3.1.tar.xz.asc
@ -1,7 +0,0 @@
 -----BEGIN PGP SIGNATURE-----
 Version: GnuPG v2
 iD8DBQBa/r62bRp/BS5ZJLsRArnKAJ9pGaJHpsEsbOVa5dBQLHYC4DhPuACeJNrg
 +DaNc8W13E4Z2ZEUSsgUGe4=
 =aSTW
 -----END PGP SIGNATURE-----
--- a/Linux-PAM-1.4.0.tar.xz
+++ b/Linux-PAM-1.4.0.tar.xz
--- a/Linux-PAM-1.4.0.tar.xz.asc
+++ b/Linux-PAM-1.4.0.tar.xz.asc
@ -0,0 +1,16 @@
 -----BEGIN PGP SIGNATURE-----
 iQIcBAABCAAGBQJe3hBmAAoJEKgEH6g54W42HDEQAJ9Vs1mxSrz8o/lLyPUYowsx
 US0jMtfC2gyjtpmXiH40CEZB3xeRZ9qJ5eSB2q2MiMRVLwI/rxQUoZ0XeYW9yls0
 g8cAxyCEdaI5GnMjLuG6rBCtlmqbrS/4fzq+AfPAm+7ITajVzcYdqHqQM6EJ6OK9
 uu4Iyt8lDUyh3Vinx9PJy0KfJQAlb5nTuKJS4Kcv5c1wTt6LZiGOM+aERl2JmWJd
 O+QXCQHHWGUlAQSQcP3+p36mdy5VsUbXbT7sNaTTzjvQwxSjJ345nybgk2El571O
 ZvSCdBbswDqGhyyYa8e1rqWDABE5i2Iw81OKNC95e1H4PU/FI32bdQip3cdMbD8t
 kQ+mdMU7LlUUHaKnk38/k0m3GPzo5mjjRApIkZqTZV9lD2FfiQw3FuENNmumMRSR
 iQrMSnr9/o3d6K+BLzbKtNiVduyEMYmfs72Z+D16mfwahlaDCHYOwnW1ieIVFv99
 3tCllbRmYYTXxHVYFkGM76r7xUKrRKYOC29j0fP2nfQChePamUUZ2nVBz3p+18p7
 wNsTS+xx0FCcLDHeU5eAy2iUKuNvvUUFh+8rrIGE5k8GldPlbKc2GrEbukZic72G
 uUJnLXiPOlIMgx+C/BiTWwla1v2FTdB71E/3m6qZ02hRQ19G0GvYhXKXwJ9oLalE
 JrEpuMM0et5vFXfyVnQz
 =Qi9B
 -----END PGP SIGNATURE-----
--- a/bugfix-pam-1.1.8-faillock-failmessages.patch
+++ b/bugfix-pam-1.1.8-faillock-failmessages.patch
@ -1,17 +1,27 @@
 From 7caf16119e3ed87818eb36a09d2fd84c4e027575 Mon Sep 17 00:00:00 2001
 From: openEuler Buildteam <buildteam@openeuler.org>
 Date: Mon, 27 Jul 2020 09:11:29 +0800
 Subject: [PATCH] bugfix pam 1.1.8 faillock failmessages
 ---
 modules/pam_faillock/pam_faillock.c | 4 +---
 1 file changed, 1 insertion(+), 3 deletions(-)
 diff --git a/modules/pam_faillock/pam_faillock.c b/modules/pam_faillock/pam_faillock.c
-index 1742542..8153638 100644
+index f592d0a..5b5cc2c 100644
 --- a/modules/pam_faillock/pam_faillock.c
 +++ b/modules/pam_faillock/pam_faillock.c
-@@ -445,11 +445,10 @@ faillock_message(pam_handle_t *pamh, struct options *opts)
+@@ -645,9 +645,7 @@ faillock_message(pam_handle_t *pamh, struct options *opts)
- 		}
+ 		pam_info(pamh, _("The account is locked due to %u failed logins."),
- 
+ 			(unsigned int)opts->failures);
 		if (left > 0) {
 -			left = (left + 59)/60; /* minutes */
- 
+-
 			pam_info(pamh, _("Account temporarily locked due to %d failed logins"),
 				opts->failures);
 -			pam_info(pamh, _("(%d minutes left to unlock)"), (int)left);
 +			pam_info(pamh, _("(%d seconds left to unlock)"), (int)left);
 		}
- 		else {
+ 	}
- 			pam_info(pamh, _("Account locked due to %d failed logins"),
+ }
 -- 
 2.23.0
--- a/bugfix-pam-1.1.8-faillock-systemtime.patch
+++ b/bugfix-pam-1.1.8-faillock-systemtime.patch
@ -1,24 +1,33 @@
 From c58a79970f5902b5b61b8ca7e82564a7db212be0 Mon Sep 17 00:00:00 2001
 From: openEuler Buildteam <buildteam@openeuler.org>
 Date: Mon, 27 Jul 2020 09:34:43 +0800
 Subject: [PATCH] bugfix pam 1.1.8 faillock systemtime
 ---
 modules/pam_faillock/pam_faillock.c | 21 +++++++++++++++++++--
 1 file changed, 19 insertions(+), 2 deletions(-)
 diff --git a/modules/pam_faillock/pam_faillock.c b/modules/pam_faillock/pam_faillock.c
-index 8153638..d71e781 100644
+index 5b5cc2c..600e3f6 100644
 --- a/modules/pam_faillock/pam_faillock.c
 +++ b/modules/pam_faillock/pam_faillock.c
-@@ -84,6 +84,7 @@ struct options {
+@@ -91,6 +91,7 @@ struct options {
 	uid_t uid;
 	int is_admin;
 	uint64_t now;
 	int fatal_error;
 +	int time_jumped;
 };
- static void
+ static int read_config_file(
-@@ -98,6 +99,7 @@ args_parse(pam_handle_t *pamh, int argc, const char **argv,
+@@ -121,6 +122,7 @@ args_parse(pam_handle_t *pamh, int argc, const char **argv,
 	opts->fail_interval = 900;
 	opts->unlock_time = 600;
 	opts->root_unlock_time = MAX_TIME_INTERVAL+1;
 +	opts->time_jumped = 0;
 	for (i = 0; i < argc; ++i) {
- 
+ 		const char *str;
-@@ -266,8 +268,6 @@ check_tally(pam_handle_t *pamh, struct options *opts, struct tally_data *tallies
+@@ -464,8 +466,6 @@ check_tally(pam_handle_t *pamh, struct options *opts, struct tally_data *tallies
 			latest_time = tallies->records[i].time;
 	}
@ -27,7 +36,7 @@ index 8153638..d71e781 100644
 	failures = 0;
 	for (i = 0; i < tallies->count; i++) {
 		if ((tallies->records[i].status & TALLY_STATUS_VALID) &&
-@@ -278,6 +278,19 @@ check_tally(pam_handle_t *pamh, struct options *opts, struct tally_data *tallies
+@@ -476,6 +476,19 @@ check_tally(pam_handle_t *pamh, struct options *opts, struct tally_data *tallies
 	opts->failures = failures;
@ -47,7 +56,7 @@ index 8153638..d71e781 100644
 	if (opts->deny && failures >= opts->deny) {
 		if ((!opts->is_admin && opts->unlock_time && latest_time + opts->unlock_time < opts->now) ||
 			(opts->is_admin && opts->root_unlock_time && latest_time + opts->root_unlock_time < opts->now)) {
-@@ -508,6 +521,10 @@ pam_sm_authenticate(pam_handle_t *pamh, int flags,
+@@ -712,6 +725,10 @@ pam_sm_authenticate(pam_handle_t *pamh, int flags,
 					rv = PAM_IGNORE; /* this return value should be ignored */
 					write_tally(pamh, &opts, &tallies, &fd);
 				}
@ -57,4 +66,7 @@ index 8153638..d71e781 100644
 +				}
 				break;
 		}
 	}
 -- 
 2.23.0
--- a/fix-login-message.patch
+++ b/fix-login-message.patch
@ -1,17 +1,17 @@
 From 1a79e750977c2c809d5fc8f44c1c90f58a261926 Mon Sep 17 00:00:00 2001
 From: openEuler Buildteam <buildteam@openeuler.org>
 Date: Wed, 17 Jun 2020 15:14:25 +0800
-Subject: [PATCH] fix login translation inaccurate
+Subject: [PATCH] fix login message
 ---
 po/zh_CN.po | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
 diff --git a/po/zh_CN.po b/po/zh_CN.po
-index 33c257d..398d8b6 100644
+index b7d2c83..4227e4f 100644
 --- a/po/zh_CN.po
 +++ b/po/zh_CN.po
-@@ -320,13 +320,13 @@ msgstr "最后一次失败的登录：%s%s%s"
+@@ -355,13 +355,13 @@ msgstr "最后一次失败的登录：%s%s%s"
 msgid "There was %d failed login attempt since the last successful login."
 msgid_plural ""
 "There were %d failed login attempts since the last successful login."
@ -19,14 +19,14 @@ index 33c257d..398d8b6 100644
 +msgstr[0] "最后一次成功登录后有 %d 次失败的登录尝试。"
 #. TRANSLATORS: only used if dngettext is not supported
- #: modules/pam_lastlog/pam_lastlog.c:548
+ #: modules/pam_lastlog/pam_lastlog.c:631
 #, c-format
 msgid "There were %d failed login attempts since the last successful login."
 -msgstr "最有一次成功登录后有 %d 次失败的登录尝试。"
 +msgstr "最后一次成功登录后有 %d 次失败的登录尝试。"
- #: modules/pam_limits/pam_limits.c:1091
+ #: modules/pam_limits/pam_limits.c:1088
- #, c-format
+ #, fuzzy, c-format
 -- 
-1.8.3.1
+2.23.0
--- a/pam-1.2.1-faillock-admin-group.patch
+++ b/pam-1.2.1-faillock-admin-group.patch
@ -1,133 +0,0 @@
 diff -up Linux-PAM-1.3.0/modules/pam_faillock/pam_faillock.c.admin-group Linux-PAM-1.3.0/modules/pam_faillock/pam_faillock.c
 --- Linux-PAM-1.3.0/modules/pam_faillock/pam_faillock.c.admin-group	2016-04-04 16:37:38.696260359 +0200
 +++ Linux-PAM-1.3.0/modules/pam_faillock/pam_faillock.c	2017-08-21 16:40:01.624706864 +0200
@@ -1,5 +1,5 @@
 /*
 - * Copyright (c) 2010 Tomas Mraz <tmraz@redhat.com>
 + * Copyright (c) 2010, 2017 Tomas Mraz <tmraz@redhat.com>
  *
  * Redistribution and use in source and binary forms, with or without
  * modification, are permitted provided that the following conditions
@@ -78,9 +78,11 @@ struct options {
 	unsigned int root_unlock_time;
 	const char *dir;
 	const char *user;
 +	const char *admin_group;
 	int failures;
 	uint64_t latest_time;
 	uid_t uid;
 +	int is_admin;
 	uint64_t now;
 };
@@ -152,6 +154,9 @@ args_parse(pam_handle_t *pamh, int argc,
 				opts->root_unlock_time = temp;
 			}
 		}
 +		else if (strncmp(argv[i], "admin_group=", 12) == 0) {
 +			opts->admin_group = argv[i] + 12;
 +		}
  		else if (strcmp(argv[i], "preauth") == 0) {
 			opts->action = FAILLOCK_ACTION_PREAUTH;
 		}
@@ -209,6 +214,17 @@ static int get_pam_user(pam_handle_t *pa
 	}
 	opts->user = user;
 	opts->uid = pwd->pw_uid;
 +
 +	if (pwd->pw_uid == 0) {
 +		opts->is_admin = 1;
 +		return PAM_SUCCESS;
 +	}
 +
 +	if (opts->admin_group && *opts->admin_group) {
 +		opts->is_admin = pam_modutil_user_in_group_uid_nam(pamh,
 +			pwd->pw_uid, opts->admin_group);
 +	}
 +
 	return PAM_SUCCESS;
 }
@@ -239,7 +255,7 @@ check_tally(pam_handle_t *pamh, struct o
 		return PAM_SYSTEM_ERR;
 	}
 -	if (opts->uid == 0 && !(opts->flags & FAILLOCK_FLAG_DENY_ROOT)) {
 +	if (opts->is_admin && !(opts->flags & FAILLOCK_FLAG_DENY_ROOT)) {
 		return PAM_SUCCESS;
 	}
@@ -262,13 +278,9 @@ check_tally(pam_handle_t *pamh, struct o
 	opts->failures = failures;
 -	if (opts->uid == 0 && !(opts->flags & FAILLOCK_FLAG_DENY_ROOT)) {
 -		return PAM_SUCCESS;
 -	}
 -
 	if (opts->deny && failures >= opts->deny) {
 -		if ((opts->uid && opts->unlock_time && latest_time + opts->unlock_time < opts->now) ||
 -			(!opts->uid && opts->root_unlock_time && latest_time + opts->root_unlock_time < opts->now)) {
 +		if ((!opts->is_admin && opts->unlock_time && latest_time + opts->unlock_time < opts->now) ||
 +			(opts->is_admin && opts->root_unlock_time && latest_time + opts->root_unlock_time < opts->now)) {
 #ifdef HAVE_LIBAUDIT
 			if (opts->action != FAILLOCK_ACTION_PREAUTH) { /* do not audit in preauth */
 				char buf[64];
@@ -401,7 +413,7 @@ write_tally(pam_handle_t *pamh, struct o
 		audit_log_user_message(audit_fd, AUDIT_ANOM_LOGIN_FAILURES, buf,
 			NULL, NULL, NULL, 1);
 -		if (opts->uid != 0 || (opts->flags & FAILLOCK_FLAG_DENY_ROOT)) {
 +		if (!opts->is_admin || (opts->flags & FAILLOCK_FLAG_DENY_ROOT)) {
 			audit_log_user_message(audit_fd, AUDIT_RESP_ACCT_LOCK, buf,
 				NULL, NULL, NULL, 1);
 		}
@@ -425,11 +437,11 @@ faillock_message(pam_handle_t *pamh, str
 	int64_t left;
 	if (!(opts->flags & FAILLOCK_FLAG_SILENT)) {
 -		if (opts->uid) {
 -			left = opts->latest_time + opts->unlock_time - opts->now;
 +		if (opts->is_admin) {
 +			left = opts->latest_time + opts->root_unlock_time - opts->now;
 		}
 		else {
 -			left = opts->latest_time + opts->root_unlock_time - opts->now;
 +			left = opts->latest_time + opts->unlock_time - opts->now;
 		}
 		if (left > 0) {
 diff -up Linux-PAM-1.3.0/modules/pam_faillock/pam_faillock.8.xml.admin-group Linux-PAM-1.3.0/modules/pam_faillock/pam_faillock.8.xml
 --- Linux-PAM-1.3.0/modules/pam_faillock/pam_faillock.8.xml.admin-group	2016-05-06 15:24:10.328281818 +0200
 +++ Linux-PAM-1.3.0/modules/pam_faillock/pam_faillock.8.xml	2017-08-21 16:16:09.448033843 +0200
@@ -40,6 +40,9 @@
         root_unlock_time=<replaceable>n</replaceable>
       </arg>
       <arg choice="opt">
 +        admin_group=<replaceable>name</replaceable>
 +      </arg>
 +      <arg choice="opt">
         audit
       </arg>
       <arg choice="opt">
@@ -243,6 +246,20 @@
                 </para>
               </listitem>
             </varlistentry>
 +            <varlistentry>
 +              <term>
 +                <option>admin_group=<replaceable>name</replaceable></option>
 +              </term>
 +              <listitem>
 +                <para>
 +                  If a group name is specified with this option, members
 +                  of the group will be handled by this module the same as
 +                  the root account (the options <option>even_deny_root></option>
 +                  and <option>root_unlock_time</option> will apply to them.
 +                  By default the option is not set.
 +                </para>
 +              </listitem>
 +            </varlistentry>
         </variablelist>
   </refsect1>
--- a/pam-1.2.1-faillock.patch
+++ b/pam-1.2.1-faillock.patch
--- a/pam.spec
+++ b/pam.spec
@ -3,8 +3,8 @@
 %define _secconfdir %{_sysconfdir}/security
 %define _pamconfdir %{_sysconfdir}/pam.d
 Name: pam
-Version: 1.3.1
+Version: 1.4.0
-Release: 9
+Release: 1
 Summary: Pluggable Authentication Modules for Linux
 License: BSD and GPLv2+
 URL: http://www.linux-pam.org/
@ -18,12 +18,9 @@ Source15: pamtmp.conf
 Source16: postlogin.pamd
 Source18: https://www.gnu.org/licenses/old-licenses/gpl-2.0.txt
-Patch0000:  pam-1.2.1-faillock.patch
+Patch0: bugfix-pam-1.1.8-faillock-failmessages.patch
-Patch0001:  pam-1.2.1-faillock-admin-group.patch
+Patch1: bugfix-pam-1.1.8-faillock-systemtime.patch
-
+Patch2: fix-login-message.patch
 Patch0002: bugfix-pam-1.1.8-faillock-failmessages.patch
 Patch0003: bugfix-pam-1.1.8-faillock-systemtime.patch
 Patch0004: fix-login-message.patch
 BuildRequires: autoconf automake libtool bison flex sed cracklib-devel
 BuildRequires: perl-interpreter pkgconfig gettext-devel libtirpc-devel libnsl2-devel
@ -129,13 +126,13 @@ fi
 %attr(4755,root,root) %{_sbindir}/pam_timestamp_check
 %attr(4755,root,root) %{_sbindir}/unix_chkpwd
 %attr(0700,root,root) %{_sbindir}/unix_update
 %{_sbindir}/pam_tally
 %{_sbindir}/pam_tally2
 %{_sbindir}/faillock
 %{_sbindir}/mkhomedir_helper
 %{_sbindir}/pam_namespace_helper
 %dir %{_moduledir}
 %{_moduledir}/pam*.so
 %{_moduledir}/pam_filter/
 %{_prefix}/lib/systemd/system/pam_namespace.service
 %dir %{_secconfdir}
 %config(noreplace) %{_secconfdir}/access.conf
 %config(noreplace) %{_secconfdir}/group.conf
@ -148,6 +145,7 @@ fi
 %config(noreplace) %{_secconfdir}/time.conf
 %config(noreplace) %{_secconfdir}/opasswd
 %config(noreplace) %{_secconfdir}/sepermit.conf
 %config(noreplace) %{_secconfdir}/faillock.conf
 %dir /var/run/sepermit
 %ghost %verify(not md5 size mtime) /var/log/tallylog
 %dir /var/run/faillock
@ -168,6 +166,9 @@ fi
 %changelog
 * Fri Jul 24 2020 Liquor <lirui130@huawei.com> - 1.4.0-1
 - update to 1.4.0
 * Wed Jun 17 2020 Liquor <lirui130@huawei.com> - 1.3.1-9
 - fix login message