diff --git a/Linux-PAM-1.4.0.tar.xz b/Linux-PAM-1.4.0.tar.xz
deleted file mode 100644
index 507857d..0000000
Binary files a/Linux-PAM-1.4.0.tar.xz and /dev/null differ
diff --git a/Linux-PAM-1.4.0.tar.xz.asc b/Linux-PAM-1.4.0.tar.xz.asc
deleted file mode 100644
index 9d8c774..0000000
--- a/Linux-PAM-1.4.0.tar.xz.asc
+++ /dev/null
@@ -1,16 +0,0 @@
------BEGIN PGP SIGNATURE-----
-
-iQIcBAABCAAGBQJe3hBmAAoJEKgEH6g54W42HDEQAJ9Vs1mxSrz8o/lLyPUYowsx
-US0jMtfC2gyjtpmXiH40CEZB3xeRZ9qJ5eSB2q2MiMRVLwI/rxQUoZ0XeYW9yls0
-g8cAxyCEdaI5GnMjLuG6rBCtlmqbrS/4fzq+AfPAm+7ITajVzcYdqHqQM6EJ6OK9
-uu4Iyt8lDUyh3Vinx9PJy0KfJQAlb5nTuKJS4Kcv5c1wTt6LZiGOM+aERl2JmWJd
-O+QXCQHHWGUlAQSQcP3+p36mdy5VsUbXbT7sNaTTzjvQwxSjJ345nybgk2El571O
-ZvSCdBbswDqGhyyYa8e1rqWDABE5i2Iw81OKNC95e1H4PU/FI32bdQip3cdMbD8t
-kQ+mdMU7LlUUHaKnk38/k0m3GPzo5mjjRApIkZqTZV9lD2FfiQw3FuENNmumMRSR
-iQrMSnr9/o3d6K+BLzbKtNiVduyEMYmfs72Z+D16mfwahlaDCHYOwnW1ieIVFv99
-3tCllbRmYYTXxHVYFkGM76r7xUKrRKYOC29j0fP2nfQChePamUUZ2nVBz3p+18p7
-wNsTS+xx0FCcLDHeU5eAy2iUKuNvvUUFh+8rrIGE5k8GldPlbKc2GrEbukZic72G
-uUJnLXiPOlIMgx+C/BiTWwla1v2FTdB71E/3m6qZ02hRQ19G0GvYhXKXwJ9oLalE
-JrEpuMM0et5vFXfyVnQz
-=Qi9B
------END PGP SIGNATURE-----
diff --git a/Linux-PAM-1.5.1.tar.xz b/Linux-PAM-1.5.1.tar.xz
new file mode 100644
index 0000000..a2fd982
Binary files /dev/null and b/Linux-PAM-1.5.1.tar.xz differ
diff --git a/Linux-PAM-1.5.1.tar.xz.asc b/Linux-PAM-1.5.1.tar.xz.asc
new file mode 100644
index 0000000..01d6a46
--- /dev/null
+++ b/Linux-PAM-1.5.1.tar.xz.asc
@@ -0,0 +1,16 @@
+-----BEGIN PGP SIGNATURE-----
+
+iQIcBAABCAAGBQJfvo0CAAoJEKgEH6g54W42L+0P/19bgVH4cRd7ONZLwYvWvWlQ
+NXkjwn26MEXElWESlKnQQz08W5QASWCz3vgAn9NGDmS+lJ38i4Li4aGpn3COPE2g
+BAN9LEaAErK60b3ZkWwDEARDs1JntA1vUuuHx0EoLEMtFEeU20h5PPMrsDwu7LGF
+sD6KYdM6TWLMXcRybqGOeWmWxfp8S8MVNwVN3C3q0aVIOMxky0i4rzCL7zRTJztQ
+q7FaX2xrTGfUiAI7smT/KGoK7pbQTzZtoR67uE/2WZ4bSyWMZcuDkt16WP/L6x9v
+c5DnVaLazM9xYUAOn4tlPiG8LLmfXo1MjD+KOS9byAx+uTij3avxaC/vv0BDcATH
+jywxH8iTPkvYXP0uJIa4Gbs1qi3vNZn+gaQt/T+rCVNo3dfFZZxBvLbTQ8AN1hKr
+MnoQbIQh0buuSuwmAxF0EDIefX3bDCurKOTQrRajK7huFm0w2NgBqL8WR8f1Wmm9
+mGSdKuVpWSk5uEygCUFOfwviYbi1I1K2Dmo3TsLBgNPKvAF3LAGJC7KzD+Q+Nmos
+XBOljilcAfdJ7t2P8W7xTSMEnXu7nI1TM+Er80ukfu0fipJEP0xyi+XWh+2n0Bx+
+3wwt8fSL7rmI4I4l6GRb3Jk/Gq1bKy956tgm3TE6gXTXVGZqNs0E28rNRURXDqZu
+XrjVwhlpsH/Auk17hU65
+=E0ev
+-----END PGP SIGNATURE-----
diff --git a/Move-check_user_in_passwd-from-pam_localuser.c-to-pa.patch b/Move-check_user_in_passwd-from-pam_localuser.c-to-pa.patch
deleted file mode 100644
index 86a6642..0000000
--- a/Move-check_user_in_passwd-from-pam_localuser.c-to-pa.patch
+++ /dev/null
@@ -1,276 +0,0 @@ -From c9593778a6133bf29eb2f47c24cc6d2f5d729fc8 Mon Sep 17 00:00:00 2001 -From: Fabrice Fontaine -Date: Thu, 11 Jun 2020 17:39:03 +0200 -Subject: [PATCH] Move check_user_in_passwd from pam_localuser.c to pam_modutil - -Signed-off-by: Fabrice Fontaine - -* modules/pam_localuser/pam_localuser.c: Include -. -(pam_sm_authenticate): Replace check_user_in_passwd with -pam_modutil_check_user_in_passwd. -(check_user_in_passwd): Rename to pam_modutil_check_user_in_passwd, -move to ... -* libpam/pam_modutil_check_user.c: ... new file. -* libpam/Makefile.am (libpam_la_SOURCES): Add pam_modutil_check_user.c. -* libpam/include/security/pam_modutil.h -(pam_modutil_check_user_in_passwd): New function declaration. -* libpam/libpam.map (LIBPAM_MODUTIL_1.4.1): New interface. - -Co-authored-by: Dmitry V. Levin ---- - libpam/Makefile.am | 1 + - libpam/include/security/pam_modutil.h | 5 ++ - libpam/libpam.map | 5 ++ - libpam/pam_modutil_check_user.c | 90 +++++++++++++++++++++++++++++++++++ - modules/pam_localuser/pam_localuser.c | 86 +-------------------------------- - 5 files changed, 103 insertions(+), 84 deletions(-) - create mode 100644 libpam/pam_modutil_check_user.c - -diff --git a/libpam/Makefile.am b/libpam/Makefile.am -index 9252a83..11a1f32 100644 ---- a/libpam/Makefile.am -+++ b/libpam/Makefile.am -@@ -35,6 +35,7 @@ libpam_la_SOURCES = pam_account.c pam_auth.c pam_data.c pam_delay.c \ - pam_misc.c pam_password.c pam_prelude.c \ - pam_session.c pam_start.c pam_strerror.c \ - pam_vprompt.c pam_syslog.c pam_dynamic.c pam_audit.c \ -+ pam_modutil_check_user.c \ - pam_modutil_cleanup.c pam_modutil_getpwnam.c pam_modutil_ioloop.c \ - pam_modutil_getgrgid.c pam_modutil_getpwuid.c pam_modutil_getgrnam.c \ - pam_modutil_getspnam.c pam_modutil_getlogin.c pam_modutil_ingroup.c \ -diff --git a/libpam/include/security/pam_modutil.h b/libpam/include/security/pam_modutil.h -index 3a6aec6..33f87b9 100644 ---- a/libpam/include/security/pam_modutil.h -+++ 
b/libpam/include/security/pam_modutil.h -@@ -58,6 +58,11 @@ extern "C" { - - #include - -+extern int PAM_NONNULL((1,2)) -+pam_modutil_check_user_in_passwd(pam_handle_t *pamh, -+ const char *user_name, -+ const char *file_name); -+ - extern struct passwd * PAM_NONNULL((1,2)) - pam_modutil_getpwnam(pam_handle_t *pamh, const char *user); - -diff --git a/libpam/libpam.map b/libpam/libpam.map -index c9690a9..3cc7ef3 100644 ---- a/libpam/libpam.map -+++ b/libpam/libpam.map -@@ -82,3 +82,8 @@ LIBPAM_1.4 { - global: - pam_start_confdir; - } LIBPAM_1.0; -+ -+LIBPAM_MODUTIL_1.4.1 { -+ global: -+ pam_modutil_check_user_in_passwd; -+} LIBPAM_MODUTIL_1.3.2; -diff --git a/libpam/pam_modutil_check_user.c b/libpam/pam_modutil_check_user.c -new file mode 100644 -index 0000000..898b13a ---- /dev/null -+++ b/libpam/pam_modutil_check_user.c -@@ -0,0 +1,90 @@ -+#include "pam_modutil_private.h" -+#include -+ -+#include -+#include -+#include -+ -+int -+pam_modutil_check_user_in_passwd(pam_handle_t *pamh, -+ const char *user_name, -+ const char *file_name) -+{ -+ int rc; -+ size_t user_len; -+ FILE *fp; -+ char line[BUFSIZ]; -+ -+ /* Validate the user name. */ -+ if ((user_len = strlen(user_name)) == 0) { -+ pam_syslog(pamh, LOG_NOTICE, "user name is not valid"); -+ return PAM_SERVICE_ERR; -+ } -+ -+ if (user_len > sizeof(line) - sizeof(":")) { -+ pam_syslog(pamh, LOG_NOTICE, "user name is too long"); -+ return PAM_SERVICE_ERR; -+ } -+ -+ if (strchr(user_name, ':') != NULL) { -+ /* -+ * "root:x" is not a local user name even if the passwd file -+ * contains a line starting with "root:x:". -+ */ -+ return PAM_PERM_DENIED; -+ } -+ -+ /* Open the passwd file. 
*/ -+ if (file_name == NULL) { -+ file_name = "/etc/passwd"; -+ } -+ if ((fp = fopen(file_name, "r")) == NULL) { -+ pam_syslog(pamh, LOG_ERR, "error opening %s: %m", file_name); -+ return PAM_SERVICE_ERR; -+ } -+ -+ /* -+ * Scan the file using fgets() instead of fgetpwent_r() because -+ * the latter is not flexible enough in handling long lines -+ * in passwd files. -+ */ -+ rc = PAM_PERM_DENIED; -+ while (fgets(line, sizeof(line), fp) != NULL) { -+ size_t line_len; -+ const char *str; -+ -+ /* -+ * Does this line start with the user name -+ * followed by a colon? -+ */ -+ if (strncmp(user_name, line, user_len) == 0 && -+ line[user_len] == ':') { -+ rc = PAM_SUCCESS; -+ break; -+ } -+ /* Has a newline been read? */ -+ line_len = strlen(line); -+ if (line_len < sizeof(line) - 1 || -+ line[line_len - 1] == '\n') { -+ /* Yes, continue with the next line. */ -+ continue; -+ } -+ -+ /* No, read till the end of this line first. */ -+ while ((str = fgets(line, sizeof(line), fp)) != NULL) { -+ line_len = strlen(line); -+ if (line_len == 0 || -+ line[line_len - 1] == '\n') { -+ break; -+ } -+ } -+ if (str == NULL) { -+ /* fgets returned NULL, we are done. */ -+ break; -+ } -+ /* Continue with the next line. */ -+ } -+ -+ fclose(fp); -+ return rc; -+} -diff --git a/modules/pam_localuser/pam_localuser.c b/modules/pam_localuser/pam_localuser.c -index cb50752..a9f2233 100644 ---- a/modules/pam_localuser/pam_localuser.c -+++ b/modules/pam_localuser/pam_localuser.c -@@ -45,92 +45,10 @@ - #include - - #include -+#include - #include - #include "pam_inline.h" - --static int --check_user_in_passwd(pam_handle_t *pamh, const char *user_name, -- const char *file_name) --{ -- int rc; -- size_t user_len; -- FILE *fp; -- char line[BUFSIZ]; -- -- /* Validate the user name. 
*/ -- if ((user_len = strlen(user_name)) == 0) { -- pam_syslog(pamh, LOG_NOTICE, "user name is not valid"); -- return PAM_SERVICE_ERR; -- } -- -- if (user_len > sizeof(line) - sizeof(":")) { -- pam_syslog(pamh, LOG_NOTICE, "user name is too long"); -- return PAM_SERVICE_ERR; -- } -- -- if (strchr(user_name, ':') != NULL) { -- /* -- * "root:x" is not a local user name even if the passwd file -- * contains a line starting with "root:x:". -- */ -- return PAM_PERM_DENIED; -- } -- -- /* Open the passwd file. */ -- if (file_name == NULL) { -- file_name = "/etc/passwd"; -- } -- if ((fp = fopen(file_name, "r")) == NULL) { -- pam_syslog(pamh, LOG_ERR, "error opening %s: %m", file_name); -- return PAM_SERVICE_ERR; -- } -- -- /* -- * Scan the file using fgets() instead of fgetpwent_r() because -- * the latter is not flexible enough in handling long lines -- * in passwd files. -- */ -- rc = PAM_PERM_DENIED; -- while (fgets(line, sizeof(line), fp) != NULL) { -- size_t line_len; -- const char *str; -- -- /* -- * Does this line start with the user name -- * followed by a colon? -- */ -- if (strncmp(user_name, line, user_len) == 0 && -- line[user_len] == ':') { -- rc = PAM_SUCCESS; -- break; -- } -- /* Has a newline been read? */ -- line_len = strlen(line); -- if (line_len < sizeof(line) - 1 || -- line[line_len - 1] == '\n') { -- /* Yes, continue with the next line. */ -- continue; -- } -- -- /* No, read till the end of this line first. */ -- while ((str = fgets(line, sizeof(line), fp)) != NULL) { -- line_len = strlen(line); -- if (line_len == 0 || -- line[line_len - 1] == '\n') { -- break; -- } -- } -- if (str == NULL) { -- /* fgets returned NULL, we are done. */ -- break; -- } -- /* Continue with the next line. */ -- } -- -- fclose(fp); -- return rc; --} -- - int - pam_sm_authenticate(pam_handle_t *pamh, int flags UNUSED, - int argc, const char **argv) -@@ -173,7 +91,7 @@ pam_sm_authenticate(pam_handle_t *pamh, int flags UNUSED, - return rc == PAM_CONV_AGAIN ? 
PAM_INCOMPLETE : rc; - } - -- return check_user_in_passwd(pamh, user_name, file_name); -+ return pam_modutil_check_user_in_passwd(pamh, user_name, file_name); - } - - int --- -1.8.3.1 - diff --git a/Prevent-SEGFAULT-for-unknown-UID.patch b/Prevent-SEGFAULT-for-unknown-UID.patch deleted file mode 100644 index 0421523..0000000 --- a/Prevent-SEGFAULT-for-unknown-UID.patch +++ /dev/null @@ -1,32 +0,0 @@ -From e21fd1f344a67844925ab9a06b0f54299c94b56c Mon Sep 17 00:00:00 2001 -From: "Anton D. Kachalov" -Date: Tue, 29 Sep 2020 23:20:57 +0200 -Subject: [PATCH] Prevent SEGFAULT for unknown UID - -When running systemd service with DynamicUser being set, the dynamic UID -might be not mapped to user name (/etc/nsswitch.conf is not configured -with systemd nss module). - -The getuidname() routine might return NULL and this is not checked by callee. - -Signed-off-by: Anton D. Kachalov ---- - modules/pam_unix/unix_chkpwd.c | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/modules/pam_unix/unix_chkpwd.c b/modules/pam_unix/unix_chkpwd.c -index 15a1c2a..3931bab 100644 ---- a/modules/pam_unix/unix_chkpwd.c -+++ b/modules/pam_unix/unix_chkpwd.c -@@ -137,7 +137,7 @@ int main(int argc, char *argv[]) - user = getuidname(getuid()); - /* if the caller specifies the username, verify that user - matches it */ -- if (strcmp(user, argv[1])) { -+ if (user == NULL || strcmp(user, argv[1])) { - user = argv[1]; - /* no match -> permanently change to the real user and proceed */ - if (setuid(getuid()) != 0) --- -1.8.3.1 - diff --git a/bugfix-pam-1.1.8-faillock-systemtime.patch b/bugfix-pam-1.1.8-faillock-systemtime.patch index dd2d417..a742ec8 100644 --- a/bugfix-pam-1.1.8-faillock-systemtime.patch +++ b/bugfix-pam-1.1.8-faillock-systemtime.patch @@ -26,7 +26,7 @@ index 5b5cc2c..600e3f6 100644 + opts->time_jumped = 0; for (i = 0; i < argc; ++i) { - const char *str; + const char *str = pam_str_skip_prefix(argv[i], "conf="); 
@@ -464,8 +466,6 @@ check_tally(pam_handle_t *pamh, struct options *opts, struct tally_data *tallies latest_time = tallies->records[i].time; } diff --git a/fix-login-message.patch b/fix-login-message.patch index 94f3fbd..b161ec6 100644 --- a/fix-login-message.patch +++ b/fix-login-message.patch @@ -11,7 +11,7 @@ diff --git a/po/zh_CN.po b/po/zh_CN.po index b7d2c83..4227e4f 100644 --- a/po/zh_CN.po +++ b/po/zh_CN.po -@@ -355,13 +355,13 @@ msgstr "最后一次失败的登录:%s%s%s" +@@ -290,13 +290,13 @@ msgstr "最后一次失败的登录:%s%s%s" msgid "There was %d failed login attempt since the last successful login." msgid_plural "" "There were %d failed login attempts since the last successful login." @@ -25,8 +25,8 @@ index b7d2c83..4227e4f 100644 -msgstr "最有一次成功登录后有 %d 次失败的登录尝试。" +msgstr "最后一次成功登录后有 %d 次失败的登录尝试。" - #: modules/pam_limits/pam_limits.c:1088 - #, fuzzy, c-format + #: modules/pam_limits/pam_limits.c:1115 + #, c-format -- 2.23.0 diff --git a/pam.spec b/pam.spec index 7e0e089..286dd17 100644 --- a/pam.spec +++ b/pam.spec @@ -3,8 +3,8 @@ %define _secconfdir %{_sysconfdir}/security %define _pamconfdir %{_sysconfdir}/pam.d Name: pam -Version: 1.4.0 -Release: 3 +Version: 1.5.1 +Release: 1 Summary: Pluggable Authentication Modules for Linux License: BSD and GPLv2+ URL: http://www.linux-pam.org/ @@ -21,10 +21,6 @@ Source18: https://www.gnu.org/licenses/old-licenses/gpl-2.0.txt Patch0: bugfix-pam-1.1.8-faillock-failmessages.patch Patch1: bugfix-pam-1.1.8-faillock-systemtime.patch Patch2: fix-login-message.patch -Patch3: Move-check_user_in_passwd-from-pam_localuser.c-to-pa.patch -Patch4: pam_faillock-fix-build-on-musl.patch -Patch5: pam_modutil_check_user_in_passwd-avoid-timing-attack.patch -Patch6: Prevent-SEGFAULT-for-unknown-UID.patch BuildRequires: autoconf automake libtool bison flex sed cracklib-devel BuildRequires: perl-interpreter pkgconfig gettext-devel libtirpc-devel libnsl2-devel 
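Review bot: Dropping `Patch3`–`Patch6` from the pam.spec patch list silently removes two security fixes, the constant-time passwd scan in pam_modutil_check_user_in_passwd and the NULL-user check in unix_chkpwd, unless the 1.5.1 tarball already carries them; the deleted patch files name their upstream commits (c9593778, 0adbaeb2, efd2a79c, e21fd1f3), which presumably landed in 1.5.x, but nothing in the spec records that this was checked. A comment where the four `Patch` lines used to be would make the rationale auditable, e.g. `# Patch3-6 dropped: merged upstream (c9593778, 0adbaeb2, efd2a79c, e21fd1f3), confirmed present in 1.5.1`. The 1.5.1-1 changelog entry elsewhere in this diff says only "update to 1.5.1" and should list the dropped patches for the same reason.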
@@ -130,6 +126,7 @@ fi %attr(4755,root,root) %{_sbindir}/pam_timestamp_check %attr(4755,root,root) %{_sbindir}/unix_chkpwd %attr(0700,root,root) %{_sbindir}/unix_update +%attr(0755,root,root) %{_sbindir}/pwhistory_helper %{_sbindir}/faillock %{_sbindir}/mkhomedir_helper %{_sbindir}/pam_namespace_helper @@ -170,6 +167,9 @@ fi %changelog +* Sat Jan 23 2021 panxiaohe - 1.5.1-1 +- update to 1.5.1 + * Sat Oct 31 2020 panxiaohe - 1.4.0-3 - Prevent SEGFAULT for unknown UID diff --git a/pam_faillock-fix-build-on-musl.patch b/pam_faillock-fix-build-on-musl.patch deleted file mode 100644 index da51666..0000000 --- a/pam_faillock-fix-build-on-musl.patch +++ /dev/null 
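Review bot: `%attr(0755,root,root) %{_sbindir}/pwhistory_helper` installs the new helper without setuid while its siblings two lines up, `pam_timestamp_check` and `unix_chkpwd`, are `4755`; because `%attr` overrides whatever mode the upstream install hook applied, this one line decides the helper's privilege model and nothing in the hunk or the changelog says which was intended. If the helper exists so that pam_pwhistory can read and update the root-only opasswd file on behalf of a non-root caller (presumably the reason upstream split it out, as with unix_chkpwd), `0755` makes that path fail at runtime; if it is deliberately not setuid, that is a sound least-privilege choice that deserves a comment such as `# pwhistory_helper intentionally not setuid; pam_pwhistory is only expected to run as root here`. Either way, please confirm against upstream's install rule and record the decision in the changelog, since adding or withholding a setuid-root binary is a security-relevant packaging change.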
@@ -1,76 +0,0 @@ -From 0adbaeb273da1d45213134aa271e95987103281c Mon Sep 17 00:00:00 2001 -From: Fabrice Fontaine -Date: Thu, 11 Jun 2020 17:39:03 +0200 -Subject: [PATCH] pam_faillock: fix build on musl - -Use pam_modutil_check_user_in_passwd in pam_faillock.c instead of -fgetpwent_r which is not available on musl. - -Resolves: https://github.com/linux-pam/linux-pam/issues/236 -Resolves: https://github.com/linux-pam/linux-pam/pull/237 -Fixes: http://autobuild.buildroot.org/results/0432736ffee376dd84757469434a4bbcfdcdaf4b -Signed-off-by: Fabrice Fontaine ---- - modules/pam_faillock/pam_faillock.c | 39 +------------------------------------ - 1 file changed, 1 insertion(+), 38 deletions(-) - -diff --git a/modules/pam_faillock/pam_faillock.c b/modules/pam_faillock/pam_faillock.c -index f592d0a..71988d0 100644 ---- a/modules/pam_faillock/pam_faillock.c -+++ b/modules/pam_faillock/pam_faillock.c -@@ -71,8 +71,6 @@ - #define MAX_TIME_INTERVAL 604800 /* 7 days */ - #define FAILLOCK_CONF_MAX_LINELEN 1023 - --#define PATH_PASSWD "/etc/passwd" -- - static const char default_faillock_conf[] = FAILLOCK_DEFAULT_CONF; - - struct options { -@@ -348,42 +346,7 @@ set_conf_opt(pam_handle_t *pamh, struct options *opts, const char *name, const c - static int - check_local_user (pam_handle_t *pamh, const char *user) - { -- struct passwd pw, *pwp; -- char buf[16384]; -- int found = 0; -- FILE *fp; -- int errn; -- -- fp = fopen(PATH_PASSWD, "r"); -- if (fp == NULL) { -- pam_syslog(pamh, LOG_ERR, "unable to open %s: %m", -- PATH_PASSWD); -- return -1; -- } -- -- for (;;) { -- errn = fgetpwent_r(fp, &pw, buf, sizeof (buf), &pwp); -- if (errn == ERANGE) { -- pam_syslog(pamh, LOG_WARNING, "%s contains very long lines; corrupted?", -- PATH_PASSWD); -- break; -- } -- if (errn != 0) -- break; -- if (strcmp(pwp->pw_name, user) == 0) { -- found = 1; -- break; -- } -- } -- -- fclose (fp); -- -- if (errn != 0 && errn != ENOENT) { -- pam_syslog(pamh, LOG_ERR, "unable to enumerate local accounts: %m"); 
-- return -1; -- } else { -- return found; -- } -+ return pam_modutil_check_user_in_passwd(pamh, user, NULL) == PAM_SUCCESS; - } - - static int --- -1.8.3.1 - diff --git a/pam_modutil_check_user_in_passwd-avoid-timing-attack.patch b/pam_modutil_check_user_in_passwd-avoid-timing-attack.patch deleted file mode 100644 index f92054e..0000000 --- a/pam_modutil_check_user_in_passwd-avoid-timing-attack.patch +++ /dev/null @@ -1,30 +0,0 @@ -From efd2a79c11982d0feebebbf740506c9555120b97 Mon Sep 17 00:00:00 2001 -From: "Dmitry V. Levin" -Date: Tue, 16 Jun 2020 15:00:00 +0000 -Subject: [PATCH] pam_modutil_check_user_in_passwd: avoid timing attacks - -* libpam/pam_modutil_check_user.c (pam_modutil_check_user_in_passwd): Do -not exit the file reading loop when the user is found, continue reading -the file to avoid timing attacks. ---- - libpam/pam_modutil_check_user.c | 4 +++- - 1 file changed, 3 insertions(+), 1 deletion(-) - -diff --git a/libpam/pam_modutil_check_user.c b/libpam/pam_modutil_check_user.c -index 898b13a..cf1bd1b 100644 ---- a/libpam/pam_modutil_check_user.c -+++ b/libpam/pam_modutil_check_user.c -@@ -60,7 +60,9 @@ pam_modutil_check_user_in_passwd(pam_handle_t *pamh, - if (strncmp(user_name, line, user_len) == 0 && - line[user_len] == ':') { - rc = PAM_SUCCESS; -- break; -+ /* -+ * Continue reading the file to avoid timing attacks. -+ */ - } - /* Has a newline been read? */ - line_len = strlen(line); --- -1.8.3.1 -