update to 1.4.0

Linux-PAM-1.3.1.tar.xz.asc

@@ -1,7 +0,0 @@
------BEGIN PGP SIGNATURE-----
-Version: GnuPG v2
-
-iD8DBQBa/r62bRp/BS5ZJLsRArnKAJ9pGaJHpsEsbOVa5dBQLHYC4DhPuACeJNrg
-+DaNc8W13E4Z2ZEUSsgUGe4=
-=aSTW
------END PGP SIGNATURE-----

Linux-PAM-1.4.0.tar.xz.asc

@@ -0,0 +1,16 @@
+-----BEGIN PGP SIGNATURE-----
+
+iQIcBAABCAAGBQJe3hBmAAoJEKgEH6g54W42HDEQAJ9Vs1mxSrz8o/lLyPUYowsx
+US0jMtfC2gyjtpmXiH40CEZB3xeRZ9qJ5eSB2q2MiMRVLwI/rxQUoZ0XeYW9yls0
+g8cAxyCEdaI5GnMjLuG6rBCtlmqbrS/4fzq+AfPAm+7ITajVzcYdqHqQM6EJ6OK9
+uu4Iyt8lDUyh3Vinx9PJy0KfJQAlb5nTuKJS4Kcv5c1wTt6LZiGOM+aERl2JmWJd
+O+QXCQHHWGUlAQSQcP3+p36mdy5VsUbXbT7sNaTTzjvQwxSjJ345nybgk2El571O
+ZvSCdBbswDqGhyyYa8e1rqWDABE5i2Iw81OKNC95e1H4PU/FI32bdQip3cdMbD8t
+kQ+mdMU7LlUUHaKnk38/k0m3GPzo5mjjRApIkZqTZV9lD2FfiQw3FuENNmumMRSR
+iQrMSnr9/o3d6K+BLzbKtNiVduyEMYmfs72Z+D16mfwahlaDCHYOwnW1ieIVFv99
+3tCllbRmYYTXxHVYFkGM76r7xUKrRKYOC29j0fP2nfQChePamUUZ2nVBz3p+18p7
+wNsTS+xx0FCcLDHeU5eAy2iUKuNvvUUFh+8rrIGE5k8GldPlbKc2GrEbukZic72G
+uUJnLXiPOlIMgx+C/BiTWwla1v2FTdB71E/3m6qZ02hRQ19G0GvYhXKXwJ9oLalE
+JrEpuMM0et5vFXfyVnQz
+=Qi9B
+-----END PGP SIGNATURE-----

bugfix-pam-1.1.8-faillock-failmessages.patch

@@ -1,17 +1,27 @@
+From 7caf16119e3ed87818eb36a09d2fd84c4e027575 Mon Sep 17 00:00:00 2001
+From: openEuler Buildteam <buildteam@openeuler.org>
+Date: Mon, 27 Jul 2020 09:11:29 +0800
+Subject: [PATCH] bugfix pam 1.1.8 faillock failmessages
+
+---
+ modules/pam_faillock/pam_faillock.c | 4 +---
+ 1 file changed, 1 insertion(+), 3 deletions(-)
+
 diff --git a/modules/pam_faillock/pam_faillock.c b/modules/pam_faillock/pam_faillock.c
-index 1742542..8153638 100644
+index f592d0a..5b5cc2c 100644
 --- a/modules/pam_faillock/pam_faillock.c
 +++ b/modules/pam_faillock/pam_faillock.c
-@@ -445,11 +445,10 @@ faillock_message(pam_handle_t *pamh, struct options *opts)
- 		}
- 
+@@ -645,9 +645,7 @@ faillock_message(pam_handle_t *pamh, struct options *opts)
+ 		pam_info(pamh, _("The account is locked due to %u failed logins."),
+ 			(unsigned int)opts->failures);
  		if (left > 0) {
 -			left = (left + 59)/60; /* minutes */
- 
- 			pam_info(pamh, _("Account temporarily locked due to %d failed logins"),
- 				opts->failures);
+-
 -			pam_info(pamh, _("(%d minutes left to unlock)"), (int)left);
 +			pam_info(pamh, _("(%d seconds left to unlock)"), (int)left);
  		}
- 		else {
- 			pam_info(pamh, _("Account locked due to %d failed logins"),
+ 	}
+ }
+-- 
+2.23.0
+

bugfix-pam-1.1.8-faillock-systemtime.patch

@@ -1,33 +1,42 @@
+From c58a79970f5902b5b61b8ca7e82564a7db212be0 Mon Sep 17 00:00:00 2001
+From: openEuler Buildteam <buildteam@openeuler.org>
+Date: Mon, 27 Jul 2020 09:34:43 +0800
+Subject: [PATCH] bugfix pam 1.1.8 faillock systemtime
+
+---
+ modules/pam_faillock/pam_faillock.c | 21 +++++++++++++++++++--
+ 1 file changed, 19 insertions(+), 2 deletions(-)
+
 diff --git a/modules/pam_faillock/pam_faillock.c b/modules/pam_faillock/pam_faillock.c
-index 8153638..d71e781 100644
+index 5b5cc2c..600e3f6 100644
 --- a/modules/pam_faillock/pam_faillock.c
 +++ b/modules/pam_faillock/pam_faillock.c
-@@ -84,6 +84,7 @@ struct options {
- 	uid_t uid;
+@@ -91,6 +91,7 @@ struct options {
  	int is_admin;
  	uint64_t now;
+ 	int fatal_error;
 +	int time_jumped;
  };
  
- static void
-@@ -98,6 +99,7 @@ args_parse(pam_handle_t *pamh, int argc, const char **argv,
+ static int read_config_file(
+@@ -121,6 +122,7 @@ args_parse(pam_handle_t *pamh, int argc, const char **argv,
  	opts->fail_interval = 900;
  	opts->unlock_time = 600;
  	opts->root_unlock_time = MAX_TIME_INTERVAL+1;
 +	opts->time_jumped = 0;
  
  	for (i = 0; i < argc; ++i) {
- 
-@@ -266,8 +268,6 @@ check_tally(pam_handle_t *pamh, struct options *opts, struct tally_data *tallies
+ 		const char *str;
+@@ -464,8 +466,6 @@ check_tally(pam_handle_t *pamh, struct options *opts, struct tally_data *tallies
  			latest_time = tallies->records[i].time;
  	}
  
 -	opts->latest_time = latest_time;
 -
  	failures = 0;
- 	for(i = 0; i < tallies->count; i++) {
+ 	for (i = 0; i < tallies->count; i++) {
  		if ((tallies->records[i].status & TALLY_STATUS_VALID) &&
-@@ -278,6 +278,19 @@ check_tally(pam_handle_t *pamh, struct options *opts, struct tally_data *tallies
+@@ -476,6 +476,19 @@ check_tally(pam_handle_t *pamh, struct options *opts, struct tally_data *tallies
  
  	opts->failures = failures;
  
@@ -47,14 +56,17 @@ index 8153638..d71e781 100644
  	if (opts->deny && failures >= opts->deny) {
  		if ((!opts->is_admin && opts->unlock_time && latest_time + opts->unlock_time < opts->now) ||
  			(opts->is_admin && opts->root_unlock_time && latest_time + opts->root_unlock_time < opts->now)) {
-@@ -508,6 +521,10 @@ pam_sm_authenticate(pam_handle_t *pamh, int flags,
- 				rv = PAM_IGNORE; /* this return value should be ignored */
- 				write_tally(pamh, &opts, &tallies, &fd);
- 			}
-+			if (opts.time_jumped) {
-+				if (update_tally(fd, &tallies) != 0)
-+					rv = PAM_IGNORE;
-+			}
- 			break;
+@@ -712,6 +725,10 @@ pam_sm_authenticate(pam_handle_t *pamh, int flags,
+ 					rv = PAM_IGNORE; /* this return value should be ignored */
+ 					write_tally(pamh, &opts, &tallies, &fd);
+ 				}
++				if (opts.time_jumped) {
++					if (update_tally(fd, &tallies) != 0)
++						rv = PAM_IGNORE;
++				}
+ 				break;
+ 		}
  	}
- 
+-- 
+2.23.0
+

fix-login-message.patch

@@ -1,17 +1,17 @@
 From 1a79e750977c2c809d5fc8f44c1c90f58a261926 Mon Sep 17 00:00:00 2001
 From: openEuler Buildteam <buildteam@openeuler.org>
 Date: Wed, 17 Jun 2020 15:14:25 +0800
-Subject: [PATCH] fix login translation inaccurate
+Subject: [PATCH] fix login message
 
 ---
  po/zh_CN.po | 4 ++--
  1 file changed, 2 insertions(+), 2 deletions(-)
 
 diff --git a/po/zh_CN.po b/po/zh_CN.po
-index 33c257d..398d8b6 100644
+index b7d2c83..4227e4f 100644
 --- a/po/zh_CN.po
 +++ b/po/zh_CN.po
-@@ -320,13 +320,13 @@ msgstr "最后一次失败的登录：%s%s%s"
+@@ -355,13 +355,13 @@ msgstr "最后一次失败的登录：%s%s%s"
  msgid "There was %d failed login attempt since the last successful login."
  msgid_plural ""
  "There were %d failed login attempts since the last successful login."
@@ -19,14 +19,14 @@ index 33c257d..398d8b6 100644
 +msgstr[0] "最后一次成功登录后有 %d 次失败的登录尝试。"
  
  #. TRANSLATORS: only used if dngettext is not supported
- #: modules/pam_lastlog/pam_lastlog.c:548
+ #: modules/pam_lastlog/pam_lastlog.c:631
  #, c-format
  msgid "There were %d failed login attempts since the last successful login."
 -msgstr "最有一次成功登录后有 %d 次失败的登录尝试。"
 +msgstr "最后一次成功登录后有 %d 次失败的登录尝试。"
  
- #: modules/pam_limits/pam_limits.c:1091
- #, c-format
+ #: modules/pam_limits/pam_limits.c:1088
+ #, fuzzy, c-format
 -- 
-1.8.3.1
+2.23.0
 

pam-1.2.1-faillock-admin-group.patch

@@ -1,133 +0,0 @@
-diff -up Linux-PAM-1.3.0/modules/pam_faillock/pam_faillock.c.admin-group Linux-PAM-1.3.0/modules/pam_faillock/pam_faillock.c
---- Linux-PAM-1.3.0/modules/pam_faillock/pam_faillock.c.admin-group	2016-04-04 16:37:38.696260359 +0200
-+++ Linux-PAM-1.3.0/modules/pam_faillock/pam_faillock.c	2017-08-21 16:40:01.624706864 +0200
-@@ -1,5 +1,5 @@
- /*
-- * Copyright (c) 2010 Tomas Mraz <tmraz@redhat.com>
-+ * Copyright (c) 2010, 2017 Tomas Mraz <tmraz@redhat.com>
-  *
-  * Redistribution and use in source and binary forms, with or without
-  * modification, are permitted provided that the following conditions
-@@ -78,9 +78,11 @@ struct options {
- 	unsigned int root_unlock_time;
- 	const char *dir;
- 	const char *user;
-+	const char *admin_group;
- 	int failures;
- 	uint64_t latest_time;
- 	uid_t uid;
-+	int is_admin;
- 	uint64_t now;
- };
- 
-@@ -152,6 +154,9 @@ args_parse(pam_handle_t *pamh, int argc,
- 				opts->root_unlock_time = temp;
- 			}
- 		}
-+		else if (strncmp(argv[i], "admin_group=", 12) == 0) {
-+			opts->admin_group = argv[i] + 12;
-+		}
-  		else if (strcmp(argv[i], "preauth") == 0) {
- 			opts->action = FAILLOCK_ACTION_PREAUTH;
- 		}
-@@ -209,6 +214,17 @@ static int get_pam_user(pam_handle_t *pa
- 	}
- 	opts->user = user;
- 	opts->uid = pwd->pw_uid;
-+
-+	if (pwd->pw_uid == 0) {
-+		opts->is_admin = 1;
-+		return PAM_SUCCESS;
-+	}
-+
-+	if (opts->admin_group && *opts->admin_group) {
-+		opts->is_admin = pam_modutil_user_in_group_uid_nam(pamh,
-+			pwd->pw_uid, opts->admin_group);
-+	}
-+
- 	return PAM_SUCCESS;
- }
- 
-@@ -239,7 +255,7 @@ check_tally(pam_handle_t *pamh, struct o
- 		return PAM_SYSTEM_ERR;
- 	}
- 
--	if (opts->uid == 0 && !(opts->flags & FAILLOCK_FLAG_DENY_ROOT)) {
-+	if (opts->is_admin && !(opts->flags & FAILLOCK_FLAG_DENY_ROOT)) {
- 		return PAM_SUCCESS;
- 	}
- 
-@@ -262,13 +278,9 @@ check_tally(pam_handle_t *pamh, struct o
- 
- 	opts->failures = failures;
- 
--	if (opts->uid == 0 && !(opts->flags & FAILLOCK_FLAG_DENY_ROOT)) {
--		return PAM_SUCCESS;
--	}
--
- 	if (opts->deny && failures >= opts->deny) {
--		if ((opts->uid && opts->unlock_time && latest_time + opts->unlock_time < opts->now) ||
--			(!opts->uid && opts->root_unlock_time && latest_time + opts->root_unlock_time < opts->now)) {
-+		if ((!opts->is_admin && opts->unlock_time && latest_time + opts->unlock_time < opts->now) ||
-+			(opts->is_admin && opts->root_unlock_time && latest_time + opts->root_unlock_time < opts->now)) {
- #ifdef HAVE_LIBAUDIT
- 			if (opts->action != FAILLOCK_ACTION_PREAUTH) { /* do not audit in preauth */
- 				char buf[64];
-@@ -401,7 +413,7 @@ write_tally(pam_handle_t *pamh, struct o
- 		audit_log_user_message(audit_fd, AUDIT_ANOM_LOGIN_FAILURES, buf,
- 			NULL, NULL, NULL, 1);
- 
--		if (opts->uid != 0 || (opts->flags & FAILLOCK_FLAG_DENY_ROOT)) {
-+		if (!opts->is_admin || (opts->flags & FAILLOCK_FLAG_DENY_ROOT)) {
- 			audit_log_user_message(audit_fd, AUDIT_RESP_ACCT_LOCK, buf,
- 				NULL, NULL, NULL, 1);
- 		}
-@@ -425,11 +437,11 @@ faillock_message(pam_handle_t *pamh, str
- 	int64_t left;
- 
- 	if (!(opts->flags & FAILLOCK_FLAG_SILENT)) {
--		if (opts->uid) {
--			left = opts->latest_time + opts->unlock_time - opts->now;
-+		if (opts->is_admin) {
-+			left = opts->latest_time + opts->root_unlock_time - opts->now;
- 		}
- 		else {
--			left = opts->latest_time + opts->root_unlock_time - opts->now;
-+			left = opts->latest_time + opts->unlock_time - opts->now;
- 		}
- 
- 		if (left > 0) {
-diff -up Linux-PAM-1.3.0/modules/pam_faillock/pam_faillock.8.xml.admin-group Linux-PAM-1.3.0/modules/pam_faillock/pam_faillock.8.xml
---- Linux-PAM-1.3.0/modules/pam_faillock/pam_faillock.8.xml.admin-group	2016-05-06 15:24:10.328281818 +0200
-+++ Linux-PAM-1.3.0/modules/pam_faillock/pam_faillock.8.xml	2017-08-21 16:16:09.448033843 +0200
-@@ -40,6 +40,9 @@
-         root_unlock_time=<replaceable>n</replaceable>
-       </arg>
-       <arg choice="opt">
-+        admin_group=<replaceable>name</replaceable>
-+      </arg>
-+      <arg choice="opt">
-         audit
-       </arg>
-       <arg choice="opt">
-@@ -243,6 +246,20 @@
-                 </para>
-               </listitem>
-             </varlistentry>
-+            <varlistentry>
-+              <term>
-+                <option>admin_group=<replaceable>name</replaceable></option>
-+              </term>
-+              <listitem>
-+                <para>
-+                  If a group name is specified with this option, members
-+                  of the group will be handled by this module the same as
-+                  the root account (the options <option>even_deny_root></option>
-+                  and <option>root_unlock_time</option> will apply to them.
-+                  By default the option is not set.
-+                </para>
-+              </listitem>
-+            </varlistentry>
-         </variablelist>
-   </refsect1>
- 

pam.spec

@@ -3,8 +3,8 @@
 %define _secconfdir %{_sysconfdir}/security
 %define _pamconfdir %{_sysconfdir}/pam.d
 Name: pam
-Version: 1.3.1
-Release: 9
+Version: 1.4.0
+Release: 1
 Summary: Pluggable Authentication Modules for Linux
 License: BSD and GPLv2+
 URL: http://www.linux-pam.org/
@@ -18,12 +18,9 @@ Source15: pamtmp.conf
 Source16: postlogin.pamd
 Source18: https://www.gnu.org/licenses/old-licenses/gpl-2.0.txt
 
-Patch0000:  pam-1.2.1-faillock.patch
-Patch0001:  pam-1.2.1-faillock-admin-group.patch
-
-Patch0002: bugfix-pam-1.1.8-faillock-failmessages.patch
-Patch0003: bugfix-pam-1.1.8-faillock-systemtime.patch
-Patch0004: fix-login-message.patch
+Patch0: bugfix-pam-1.1.8-faillock-failmessages.patch
+Patch1: bugfix-pam-1.1.8-faillock-systemtime.patch
+Patch2: fix-login-message.patch
 
 BuildRequires: autoconf automake libtool bison flex sed cracklib-devel
 BuildRequires: perl-interpreter pkgconfig gettext-devel libtirpc-devel libnsl2-devel
@@ -129,13 +126,13 @@ fi
 %attr(4755,root,root) %{_sbindir}/pam_timestamp_check
 %attr(4755,root,root) %{_sbindir}/unix_chkpwd
 %attr(0700,root,root) %{_sbindir}/unix_update
-%{_sbindir}/pam_tally
-%{_sbindir}/pam_tally2
 %{_sbindir}/faillock
 %{_sbindir}/mkhomedir_helper
+%{_sbindir}/pam_namespace_helper
 %dir %{_moduledir}
 %{_moduledir}/pam*.so
 %{_moduledir}/pam_filter/
+%{_prefix}/lib/systemd/system/pam_namespace.service
 %dir %{_secconfdir}
 %config(noreplace) %{_secconfdir}/access.conf
 %config(noreplace) %{_secconfdir}/group.conf
@@ -148,6 +145,7 @@ fi
 %config(noreplace) %{_secconfdir}/time.conf
 %config(noreplace) %{_secconfdir}/opasswd
 %config(noreplace) %{_secconfdir}/sepermit.conf
+%config(noreplace) %{_secconfdir}/faillock.conf
 %dir /var/run/sepermit
 %ghost %verify(not md5 size mtime) /var/log/tallylog
 %dir /var/run/faillock
@@ -168,6 +166,9 @@ fi
 
 
 %changelog
+* Fri Jul 24 2020 Liquor <lirui130@huawei.com> - 1.4.0-1
+- update to 1.4.0
+
 * Wed Jun 17 2020 Liquor <lirui130@huawei.com> - 1.3.1-9
 - fix login message