21 files changed, 126 insertions, 349 deletions
diff --git a/debian/changelog b/debian/changelog index 7649336c..e5b27e96 100644 --- a/debian/changelog +++ b/debian/changelog @@ -2,6 +2,13 @@ pam (1.5.2-1) UNRELEASED; urgency=medium * New upstream release. - fixes compatibility with libpam-systemd. Closes: #1017467. + * Refresh patches. + * Drop patches included or obsoleted upstream: + - debian/patches-applied/pam_unix_fix_sgid_shadow_auth.patch + - debian/patches-applied/pam_unix_initialize_daysleft + - debian/patches-applied/pam_faillock_create_directory + - debian/patches-applied/pam_unix_avoid_checksalt + - debian/patches-applied/pam_env-allow-environment-files-without-EOL-at-EOF.patch -- Steve Langasek <vorlon@debian.org> Wed, 17 Aug 2022 05:10:03 +0000 diff --git a/debian/patches-applied/008_modules_pam_limits_chroot b/debian/patches-applied/008_modules_pam_limits_chroot index acbdc1a9..7a86fdd5 100644 --- a/debian/patches-applied/008_modules_pam_limits_chroot +++ b/debian/patches-applied/008_modules_pam_limits_chroot @@ -2,19 +2,19 @@ Index: pam/modules/pam_limits/pam_limits.c =================================================================== --- pam.orig/modules/pam_limits/pam_limits.c +++ pam/modules/pam_limits/pam_limits.c -@@ -88,6 +88,7 @@ - int flag_numsyslogins; /* whether to limit logins only for a +@@ -90,6 +90,7 @@ specific user or to count all logins */ int priority; /* the priority to run user process with */ + int nonewprivs; /* whether to prctl(PR_SET_NO_NEW_PRIVS) */ + char chroot_dir[8092]; /* directory to chroot into */ struct user_limits_struct limits[RLIM_NLIMITS]; const char *conf_file; int utmp_after_pam_call; -@@ -98,6 +99,7 @@ - #define LIMIT_NUMSYSLOGINS RLIM_NLIMITS+2 +@@ -101,6 +102,7 @@ #define LIMIT_PRI RLIM_NLIMITS+3 -+#define LIMIT_CHROOT RLIM_NLIMITS+4 + #define LIMIT_NONEWPRIVS RLIM_NLIMITS+4 ++#define LIMIT_CHROOT RLIM_NLIMITS+5 #define LIMIT_SOFT 1 #define LIMIT_HARD 2 
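Review bot: In the refreshed 008_modules_pam_limits_chroot hunk for pam_limits.c, `char chroot_dir[8092];` is a fixed-size buffer with an unusual size (8192 may have been intended), and the code that copies the configured value into it is not part of this hunk. The field is commented as the directory to chroot into and is filled from a limits.conf item, so please confirm that the copy is bounded by `sizeof(pl->chroot_dir)`, always NUL-terminated, and that an over-long value is rejected rather than silently truncated to a different path. A short comment on the field would record this, for example `/* directory to chroot into; writers must bound by sizeof and terminate */`. As a minor style point, the renumbered constant would be safer as `#define LIMIT_CHROOT (RLIM_NLIMITS+5)`, although the neighbouring LIMIT_* macros are also unparenthesized.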
@@ -27,16 +27,16 @@ Index: pam/modules/pam_limits/pam_limits.c return retval; } -@@ -554,6 +558,8 @@ - pl->flag_numsyslogins = 1; - } else if (strcmp(lim_item, "priority") == 0) { +@@ -591,6 +595,8 @@ limit_item = LIMIT_PRI; + } else if (strcmp(lim_item, "nonewprivs") == 0) { + limit_item = LIMIT_NONEWPRIVS; + } else if (strcmp(lim_item, "chroot") == 0) { -+ limit_item = LIMIT_CHROOT; ++ limit_item = LIMIT_CHROOT; } else { pam_syslog(pamh, LOG_DEBUG, "unknown limit item '%s'", lim_item); return; -@@ -591,9 +597,9 @@ +@@ -640,9 +646,9 @@ pam_syslog(pamh, LOG_DEBUG, "wrong limit value '%s' for limit type '%s'", lim_value, lim_type); @@ -48,8 +48,8 @@ Index: pam/modules/pam_limits/pam_limits.c #ifdef __USE_FILE_OFFSET64 rlimit_value = strtoull (lim_value, &endptr, 10); #else -@@ -654,7 +660,11 @@ - #endif +@@ -717,7 +723,11 @@ + break; } - if ( (limit_item != LIMIT_LOGIN) @@ -59,10 +59,10 @@ Index: pam/modules/pam_limits/pam_limits.c + } + else if ( (limit_item != LIMIT_LOGIN) && (limit_item != LIMIT_NUMSYSLOGINS) - && (limit_item != LIMIT_PRI) ) { - if (limit_type & LIMIT_SOFT) { -@@ -998,6 +1008,15 @@ - retval |= LOGIN_ERR; + && (limit_item != LIMIT_PRI) + && (limit_item != LIMIT_NONEWPRIVS) ) { +@@ -1071,6 +1081,15 @@ + } } + if (!retval && pl->chroot_dir[0]) { @@ -81,7 +81,7 @@ Index: pam/modules/pam_limits/limits.conf.5.xml =================================================================== --- pam.orig/modules/pam_limits/limits.conf.5.xml +++ pam/modules/pam_limits/limits.conf.5.xml -@@ -266,6 +266,12 @@ +@@ -273,6 +273,12 @@ (Linux 2.6.12 and higher)</para> </listitem> </varlistentry> @@ -98,7 +98,7 @@ Index: pam/modules/pam_limits/limits.conf.5 =================================================================== --- pam.orig/modules/pam_limits/limits.conf.5 +++ pam/modules/pam_limits/limits.conf.5 -@@ -271,6 +271,11 @@ +@@ -279,6 +279,11 @@ .RS 4 maximum realtime priority allowed for non\-privileged processes (Linux 2\&.6\&.12 and higher) .RE 
@@ -114,7 +114,7 @@ Index: pam/modules/pam_limits/limits.conf =================================================================== --- pam.orig/modules/pam_limits/limits.conf +++ pam/modules/pam_limits/limits.conf -@@ -35,6 +35,7 @@ +@@ -46,6 +46,7 @@ # - msgqueue - max memory used by POSIX message queues (bytes) # - nice - max nice priority allowed to raise to values: [-20, 19] # - rtprio - max realtime priority @@ -122,7 +122,7 @@ Index: pam/modules/pam_limits/limits.conf # #<domain> <type> <item> <value> # -@@ -45,6 +46,7 @@ +@@ -56,6 +57,7 @@ #@faculty soft nproc 20 #@faculty hard nproc 50 #ftp hard nproc 0 diff --git a/debian/patches-applied/022_pam_unix_group_time_miscfixes b/debian/patches-applied/022_pam_unix_group_time_miscfixes index b940aa27..8239fd98 100644 --- a/debian/patches-applied/022_pam_unix_group_time_miscfixes +++ b/debian/patches-applied/022_pam_unix_group_time_miscfixes @@ -6,7 +6,7 @@ Index: pam/modules/pam_group/pam_group.c =================================================================== --- pam.orig/modules/pam_group/pam_group.c +++ pam/modules/pam_group/pam_group.c -@@ -761,9 +761,12 @@ +@@ -754,9 +754,12 @@ unsigned setting; /* only interested in establishing credentials */ diff --git a/debian/patches-applied/026_pam_unix_passwd_unknown_user b/debian/patches-applied/026_pam_unix_passwd_unknown_user index 99ac3f62..d277fee9 100644 --- a/debian/patches-applied/026_pam_unix_passwd_unknown_user +++ b/debian/patches-applied/026_pam_unix_passwd_unknown_user @@ -5,7 +5,7 @@ Index: pam/modules/pam_unix/passverify.c =================================================================== --- pam.orig/modules/pam_unix/passverify.c +++ pam/modules/pam_unix/passverify.c -@@ -749,7 +749,7 @@ +@@ -801,7 +801,7 @@ struct passwd *tmpent = NULL; struct stat st; FILE *pwfile, *opwfile; 
@@ -13,8 +13,8 @@ Index: pam/modules/pam_unix/passverify.c + int err = 1, found = 0; int oldmask; #ifdef WITH_SELINUX - security_context_t prev_context=NULL; -@@ -820,6 +820,7 @@ + char *prev_context_raw = NULL; +@@ -872,6 +872,7 @@ tmpent->pw_passwd = assigned_passwd.charp; err = 0; @@ -22,7 +22,7 @@ Index: pam/modules/pam_unix/passverify.c } if (putpwent(tmpent, pwfile)) { D(("error writing entry to password file: %m")); -@@ -862,7 +863,7 @@ +@@ -914,7 +915,7 @@ return PAM_SUCCESS; } else { unlink(PW_TMPFILE); diff --git a/debian/patches-applied/027_pam_limits_better_init_allow_explicit_root b/debian/patches-applied/027_pam_limits_better_init_allow_explicit_root index 5ac946f5..c4603f5a 100644 --- a/debian/patches-applied/027_pam_limits_better_init_allow_explicit_root +++ b/debian/patches-applied/027_pam_limits_better_init_allow_explicit_root @@ -17,7 +17,7 @@ Index: pam/modules/pam_limits/pam_limits.c =================================================================== --- pam.orig/modules/pam_limits/pam_limits.c +++ pam/modules/pam_limits/pam_limits.c -@@ -46,6 +46,14 @@ +@@ -47,6 +47,14 @@ #include <libaudit.h> #endif @@ -32,7 +32,7 @@ Index: pam/modules/pam_limits/pam_limits.c /* Module defines */ #define LINE_LENGTH 1024 -@@ -83,6 +91,7 @@ +@@ -84,6 +92,7 @@ /* internal data */ struct pam_limit_s { @@ -40,7 +40,7 @@ Index: pam/modules/pam_limits/pam_limits.c int login_limit; /* the max logins limit */ int login_limit_def; /* which entry set the login limit */ int flag_numsyslogins; /* whether to limit logins only for a -@@ -448,9 +457,18 @@ +@@ -447,9 +456,18 @@ { int i; int retval = PAM_SUCCESS; @@ -59,7 +59,7 @@ Index: pam/modules/pam_limits/pam_limits.c for(i = 0; i < RLIM_NLIMITS; i++) { int r = getrlimit(i, &pl->limits[i].limit); if (r == -1) { -@@ -466,18 +484,68 @@ +@@ -465,18 +483,68 @@ } #ifdef __linux__ 
@@ -134,7 +134,7 @@ Index: pam/modules/pam_limits/pam_limits.c errno = 0; pl->priority = getpriority (PRIO_PROCESS, 0); -@@ -816,7 +884,7 @@ +@@ -881,7 +949,7 @@ if (strcmp(uname, domain) == 0) /* this user have a limit */ process_limit(pamh, LIMITS_DEF_USER, ltype, item, value, ctrl, pl); @@ -143,7 +143,7 @@ Index: pam/modules/pam_limits/pam_limits.c if (ctrl & PAM_DEBUG_ARG) { pam_syslog(pamh, LOG_DEBUG, "checking if %s is in group %s", -@@ -842,7 +910,7 @@ +@@ -907,7 +975,7 @@ process_limit(pamh, LIMITS_DEF_GROUP, ltype, item, value, ctrl, pl); } @@ -152,7 +152,7 @@ Index: pam/modules/pam_limits/pam_limits.c if (ctrl & PAM_DEBUG_ARG) { pam_syslog(pamh, LOG_DEBUG, "checking if %s is in group %s", -@@ -876,7 +944,7 @@ +@@ -941,7 +1009,7 @@ } else { switch(rngtype) { case LIMIT_RANGE_NONE: @@ -161,7 +161,7 @@ Index: pam/modules/pam_limits/pam_limits.c process_limit(pamh, LIMITS_DEF_DEFAULT, ltype, item, value, ctrl, pl); break; -@@ -1062,6 +1130,8 @@ +@@ -1134,6 +1202,8 @@ return PAM_ABORT; } @@ -174,7 +174,7 @@ Index: pam/modules/pam_limits/limits.conf =================================================================== --- pam.orig/modules/pam_limits/limits.conf +++ pam/modules/pam_limits/limits.conf -@@ -11,6 +11,9 @@ +@@ -22,6 +22,9 @@ # - the wildcard *, for default entry # - the wildcard %, can be also used with %group syntax, # for maxlogin limit @@ -184,7 +184,7 @@ Index: pam/modules/pam_limits/limits.conf # #<type> can have the two values: # - "soft" for enforcing the soft limits -@@ -41,6 +44,7 @@ +@@ -52,6 +55,7 @@ # #* soft core 0 @@ -208,7 +208,7 @@ Index: pam/modules/pam_limits/limits.conf.5.xml </listitem> </varlistentry> -@@ -323,6 +328,7 @@ +@@ -333,6 +338,7 @@ </para> <programlisting> * soft core 0 
@@ -220,7 +220,7 @@ Index: pam/modules/pam_limits/limits.conf.5 =================================================================== --- pam.orig/modules/pam_limits/limits.conf.5 +++ pam/modules/pam_limits/limits.conf.5 -@@ -142,6 +142,10 @@ +@@ -145,6 +145,10 @@ \fB%:\fR\fI<gid>\fR applicable to maxlogins limit only\&. It limits the total number of logins of all users that are member of the group with the specified gid\&. .RE @@ -231,7 +231,7 @@ Index: pam/modules/pam_limits/limits.conf.5 .RE .PP \fB<type>\fR -@@ -317,6 +321,7 @@ +@@ -327,6 +331,7 @@ .\} .nf * soft core 0 @@ -243,7 +243,7 @@ Index: pam/modules/pam_limits/README =================================================================== --- pam.orig/modules/pam_limits/README +++ pam/modules/pam_limits/README -@@ -54,6 +54,7 @@ +@@ -56,6 +56,7 @@ limits.conf. * soft core 0 diff --git a/debian/patches-applied/031_pam_include b/debian/patches-applied/031_pam_include index 1948f894..16cf6d31 100644 --- a/debian/patches-applied/031_pam_include +++ b/debian/patches-applied/031_pam_include @@ -8,7 +8,7 @@ Index: pam/libpam/pam_handlers.c =================================================================== --- pam.orig/libpam/pam_handlers.c +++ pam/libpam/pam_handlers.c -@@ -122,6 +122,10 @@ +@@ -123,6 +123,10 @@ module_type = PAM_T_ACCT; } else if (!strcasecmp("password", tok)) { module_type = PAM_T_PASS; @@ -19,7 +19,7 @@ Index: pam/libpam/pam_handlers.c } else { /* Illegal module type */ D(("_pam_init_handlers: bad module type: %s", tok)); -@@ -192,8 +196,10 @@ +@@ -193,8 +197,10 @@ _pam_set_default_control(actions, _PAM_ACTION_BAD); } @@ -30,7 +30,7 @@ Index: pam/libpam/pam_handlers.c if (substack) { res = _pam_add_handler(pamh, PAM_HT_SUBSTACK, other, stack_level, module_type, actions, tok, -@@ -204,13 +210,35 @@ +@@ -205,13 +211,35 @@ return PAM_ABORT; } } diff --git a/debian/patches-applied/032_pam_limits_EPERM_NOT_FATAL b/debian/patches-applied/032_pam_limits_EPERM_NOT_FATAL index d5ce6953..ec97b441 100644 
--- a/debian/patches-applied/032_pam_limits_EPERM_NOT_FATAL +++ b/debian/patches-applied/032_pam_limits_EPERM_NOT_FATAL @@ -11,7 +11,7 @@ Index: pam/modules/pam_limits/pam_limits.c =================================================================== --- pam.orig/modules/pam_limits/pam_limits.c +++ pam/modules/pam_limits/pam_limits.c -@@ -1046,6 +1046,8 @@ +@@ -1111,6 +1111,8 @@ if (res != 0) pam_syslog(pamh, LOG_ERR, "Could not set limit for '%s': %m", rlimit2str(i)); diff --git a/debian/patches-applied/036_pam_wheel_getlogin_considered_harmful b/debian/patches-applied/036_pam_wheel_getlogin_considered_harmful index ca465d99..805c62f4 100644 --- a/debian/patches-applied/036_pam_wheel_getlogin_considered_harmful +++ b/debian/patches-applied/036_pam_wheel_getlogin_considered_harmful @@ -12,7 +12,7 @@ Index: pam/modules/pam_wheel/pam_wheel.c =================================================================== --- pam.orig/modules/pam_wheel/pam_wheel.c +++ pam/modules/pam_wheel/pam_wheel.c -@@ -60,9 +60,8 @@ +@@ -47,9 +47,8 @@ /* argument parsing */ #define PAM_DEBUG_ARG 0x0001 @@ -24,7 +24,7 @@ Index: pam/modules/pam_wheel/pam_wheel.c #define PAM_ROOT_ONLY_ARG 0x0020 static int -@@ -80,8 +79,7 @@ +@@ -68,8 +67,7 @@ if (!strcmp(*argv,"debug")) ctrl |= PAM_DEBUG_ARG; 
@@ -34,35 +34,47 @@ Index: pam/modules/pam_wheel/pam_wheel.c else if (!strcmp(*argv,"trust")) ctrl |= PAM_TRUST_ARG; else if (!strcmp(*argv,"deny")) -@@ -129,27 +127,14 @@ +@@ -118,39 +116,14 @@ } } - if (ctrl & PAM_USE_UID_ARG) { -- tpwd = pam_modutil_getpwuid (pamh, getuid()); -- if (!tpwd) { -- if (ctrl & PAM_DEBUG_ARG) { +- tpwd = pam_modutil_getpwuid (pamh, getuid()); +- if (tpwd == NULL) { +- if (ctrl & PAM_DEBUG_ARG) { - pam_syslog(pamh, LOG_NOTICE, "who is running me ?!"); -- } -- return PAM_SERVICE_ERR; -- } -- fromsu = tpwd->pw_name; +- } +- return PAM_SERVICE_ERR; +- } +- fromsu = tpwd->pw_name; - } else { -- fromsu = pam_modutil_getlogin(pamh); -- if (fromsu) { -- tpwd = pam_modutil_getpwnam (pamh, fromsu); -- } -- if (!fromsu || !tpwd) { -- if (ctrl & PAM_DEBUG_ARG) { -- pam_syslog(pamh, LOG_NOTICE, "who is running me ?!"); -- } -- return PAM_SERVICE_ERR; +- fromsu = pam_modutil_getlogin(pamh); +- +- /* if getlogin fails try a fallback to PAM_RUSER */ +- if (fromsu == NULL) { +- const char *rhostname; +- +- retval = pam_get_item(pamh, PAM_RHOST, (const void **)&rhostname); +- if (retval != PAM_SUCCESS || rhostname == NULL) { +- retval = pam_get_item(pamh, PAM_RUSER, (const void **)&fromsu); +- } +- } +- +- if (fromsu != NULL) { +- tpwd = pam_modutil_getpwnam (pamh, fromsu); +- } +- +- if (fromsu == NULL || tpwd == NULL) { +- if (ctrl & PAM_DEBUG_ARG) { +- pam_syslog(pamh, LOG_NOTICE, "who is running me ?!"); +- } +- return PAM_SERVICE_ERR; + tpwd = pam_modutil_getpwuid (pamh, getuid()); -+ if (!tpwd) { -+ if (ctrl & PAM_DEBUG_ARG) { -+ pam_syslog(pamh, LOG_NOTICE, "who is running me ?!"); - } -+ return PAM_SERVICE_ERR; ++ if (tpwd == NULL) { ++ if (ctrl & PAM_DEBUG_ARG) { ++ pam_syslog(pamh, LOG_NOTICE, "who is running me ?!"); + } ++ return PAM_SERVICE_ERR; } + fromsu = tpwd->pw_name; 
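Review bot: The failure path of the now-unconditional `pam_modutil_getpwuid (pamh, getuid())` lookup logs "who is running me ?!" only when `PAM_DEBUG_ARG` is set, so a denial caused by an unresolvable real uid returns PAM_SERVICE_ERR with no trace in the auth log on a default configuration. This patch makes the real-uid lookup the only source of the calling user, so I would log the failure unconditionally before the return, e.g. `pam_syslog(pamh, LOG_NOTICE, "cannot resolve real uid %lu", (unsigned long)getuid());`. The refreshed patch also removes upstream's PAM_RUSER fallback together with the getlogin path. A one-line comment above the lookup saying this is deliberate, such as `/* Debian: identify the caller by real uid only, never by getlogin() or PAM_RUSER */`, would help the next refresh. The enclosing function starts and ends outside the hunk.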
@@ -92,9 +104,9 @@ Index: pam/modules/pam_wheel/pam_wheel.8.xml - </term> - <listitem> - <para> -- The check for wheel membership will be done against -- the current uid instead of the original one (useful when -- jumping with su from one account to another for example). +- The check will be done against the real uid of the calling process, +- instead of trying to obtain the user from the login session +- associated with the terminal in use. - </para> - </listitem> - </varlistentry> @@ -121,7 +133,7 @@ Index: pam/modules/pam_wheel/pam_wheel.8 -.PP -\fBuse_uid\fR -.RS 4 --The check for wheel membership will be done against the current uid instead of the original one (useful when jumping with su from one account to another for example)\&. +-The check will be done against the real uid of the calling process, instead of trying to obtain the user from the login session associated with the terminal in use\&. -.RE .SH "MODULE TYPES PROVIDED" .PP @@ -136,9 +148,9 @@ Index: pam/modules/pam_wheel/README -use_uid - -- The check for wheel membership will be done against the current uid instead -- of the original one (useful when jumping with su from one account to -- another for example). +- The check will be done against the real uid of the calling process, instead +- of trying to obtain the user from the login session associated with the +- terminal in use. - EXAMPLES diff --git a/debian/patches-applied/040_pam_limits_log_failure b/debian/patches-applied/040_pam_limits_log_failure index 616887c3..0ef703bf 100644 --- a/debian/patches-applied/040_pam_limits_log_failure +++ b/debian/patches-applied/040_pam_limits_log_failure 
@@ -11,7 +11,7 @@ Index: pam/modules/pam_limits/pam_limits.c =================================================================== --- pam.orig/modules/pam_limits/pam_limits.c +++ pam/modules/pam_limits/pam_limits.c -@@ -1043,9 +1043,19 @@ +@@ -1108,9 +1108,19 @@ if (pl->limits[i].limit.rlim_cur > pl->limits[i].limit.rlim_max) pl->limits[i].limit.rlim_cur = pl->limits[i].limit.rlim_max; res = setrlimit(i, &pl->limits[i].limit); diff --git a/debian/patches-applied/PAM-manpage-section b/debian/patches-applied/PAM-manpage-section index 815c2614..7cdadad3 100644 --- a/debian/patches-applied/PAM-manpage-section +++ b/debian/patches-applied/PAM-manpage-section @@ -35,8 +35,8 @@ Index: pam/doc/man/PAM.8 .\" Source: Linux-PAM Manual .\" Language: English .\" --.TH "PAM" "8" "06/08/2020" "Linux-PAM Manual" "Linux-PAM Manual" -+.TH "PAM" "7" "06/08/2020" "Linux-PAM Manual" "Linux-PAM Manual" +-.TH "PAM" "8" "09/03/2021" "Linux-PAM Manual" "Linux-PAM Manual" ++.TH "PAM" "7" "09/03/2021" "Linux-PAM Manual" "Linux-PAM Manual" .\" ----------------------------------------------------------------- .\" * Define some portability stuff .\" ----------------------------------------------------------------- @@ -128,7 +128,7 @@ Index: pam/modules/pam_limits/limits.conf.5.xml =================================================================== --- pam.orig/modules/pam_limits/limits.conf.5.xml +++ pam/modules/pam_limits/limits.conf.5.xml -@@ -346,7 +346,7 @@ +@@ -357,7 +357,7 @@ <para> <citerefentry><refentrytitle>pam_limits</refentrytitle><manvolnum>8</manvolnum></citerefentry>, <citerefentry><refentrytitle>pam.d</refentrytitle><manvolnum>5</manvolnum></citerefentry>, @@ -141,7 +141,7 @@ Index: pam/modules/pam_limits/limits.conf.5 =================================================================== --- pam.orig/modules/pam_limits/limits.conf.5 +++ pam/modules/pam_limits/limits.conf.5 -@@ -343,7 +343,7 @@ +@@ -351,7 +351,7 @@ .PP \fBpam_limits\fR(8), \fBpam.d\fR(5), 
@@ -228,32 +228,6 @@ Index: pam/modules/pam_access/pam_access.8 .SH "AUTHORS" .PP The logdaemon style login access control scheme was designed and implemented by Wietse Venema\&. The pam_access PAM module was developed by Alexei Nogin <alexei@nogin\&.dnttm\&.ru>\&. The IPv6 support and the network(address) / netmask feature was developed and provided by Mike Becher <mike\&.becher@lrz\-muenchen\&.de>\&. -Index: pam/modules/pam_cracklib/pam_cracklib.8.xml -=================================================================== ---- pam.orig/modules/pam_cracklib/pam_cracklib.8.xml -+++ pam/modules/pam_cracklib/pam_cracklib.8.xml -@@ -577,7 +577,7 @@ - <refentrytitle>pam.d</refentrytitle><manvolnum>5</manvolnum> - </citerefentry>, - <citerefentry> -- <refentrytitle>pam</refentrytitle><manvolnum>8</manvolnum> -+ <refentrytitle>pam</refentrytitle><manvolnum>7</manvolnum> - </citerefentry> - </para> - </refsect1> -Index: pam/modules/pam_cracklib/pam_cracklib.8 -=================================================================== ---- pam.orig/modules/pam_cracklib/pam_cracklib.8 -+++ pam/modules/pam_cracklib/pam_cracklib.8 -@@ -357,7 +357,7 @@ - .PP - \fBpam.conf\fR(5), - \fBpam.d\fR(5), --\fBpam\fR(8) -+\fBpam\fR(7) - .SH "AUTHOR" - .PP - pam_cracklib was written by Cristian Gafton <gafton@redhat\&.com> Index: pam/modules/pam_debug/pam_debug.8.xml =================================================================== --- pam.orig/modules/pam_debug/pam_debug.8.xml @@ -336,7 +310,7 @@ Index: pam/modules/pam_env/pam_env.8.xml =================================================================== --- pam.orig/modules/pam_env/pam_env.8.xml +++ pam/modules/pam_env/pam_env.8.xml -@@ -246,7 +246,7 @@ +@@ -254,7 +254,7 @@ <refentrytitle>pam.d</refentrytitle><manvolnum>5</manvolnum> </citerefentry>, <citerefentry> 
@@ -349,7 +323,7 @@ Index: pam/modules/pam_exec/pam_exec.8.xml =================================================================== --- pam.orig/modules/pam_exec/pam_exec.8.xml +++ pam/modules/pam_exec/pam_exec.8.xml -@@ -287,7 +287,7 @@ +@@ -303,7 +303,7 @@ <refentrytitle>pam.d</refentrytitle><manvolnum>5</manvolnum> </citerefentry>, <citerefentry> @@ -362,7 +336,7 @@ Index: pam/modules/pam_exec/pam_exec.8 =================================================================== --- pam.orig/modules/pam_exec/pam_exec.8 +++ pam/modules/pam_exec/pam_exec.8 -@@ -177,7 +177,7 @@ +@@ -182,7 +182,7 @@ .PP \fBpam.conf\fR(5), \fBpam.d\fR(5), @@ -687,7 +661,7 @@ Index: pam/modules/pam_mkhomedir/pam_mkhomedir.8.xml =================================================================== --- pam.orig/modules/pam_mkhomedir/pam_mkhomedir.8.xml +++ pam/modules/pam_mkhomedir/pam_mkhomedir.8.xml -@@ -198,7 +198,7 @@ +@@ -205,7 +205,7 @@ <refentrytitle>pam.d</refentrytitle><manvolnum>5</manvolnum> </citerefentry>, <citerefentry> @@ -700,7 +674,7 @@ Index: pam/modules/pam_mkhomedir/pam_mkhomedir.8 =================================================================== --- pam.orig/modules/pam_mkhomedir/pam_mkhomedir.8 +++ pam/modules/pam_mkhomedir/pam_mkhomedir.8 -@@ -124,7 +124,7 @@ +@@ -129,7 +129,7 @@ .SH "SEE ALSO" .PP \fBpam.d\fR(5), @@ -713,7 +687,7 @@ Index: pam/modules/pam_motd/pam_motd.8.xml =================================================================== --- pam.orig/modules/pam_motd/pam_motd.8.xml +++ pam/modules/pam_motd/pam_motd.8.xml -@@ -195,7 +195,7 @@ +@@ -196,7 +196,7 @@ <refentrytitle>pam.d</refentrytitle><manvolnum>5</manvolnum> </citerefentry>, <citerefentry> 
@@ -739,7 +713,7 @@ Index: pam/modules/pam_namespace/pam_namespace.8.xml =================================================================== --- pam.orig/modules/pam_namespace/pam_namespace.8.xml +++ pam/modules/pam_namespace/pam_namespace.8.xml -@@ -399,7 +399,7 @@ +@@ -362,7 +362,7 @@ <refentrytitle>mount</refentrytitle><manvolnum>8</manvolnum> </citerefentry>, <citerefentry> @@ -752,7 +726,7 @@ Index: pam/modules/pam_namespace/pam_namespace.8 =================================================================== --- pam.orig/modules/pam_namespace/pam_namespace.8 +++ pam/modules/pam_namespace/pam_namespace.8 -@@ -178,7 +178,7 @@ +@@ -148,7 +148,7 @@ \fBnamespace.conf\fR(5), \fBpam.d\fR(5), \fBmount\fR(8), @@ -912,8 +886,8 @@ Index: pam/modules/pam_selinux/pam_selinux.8 .\" Source: Linux-PAM Manual .\" Language: English .\" --.TH "PAM_SELINUX" "8" "06/08/2020" "Linux-PAM Manual" "Linux\-PAM Manual" -+.TH "PAM_SELINUX" "7" "06/08/2020" "Linux-PAM Manual" "Linux\-PAM Manual" +-.TH "PAM_SELINUX" "8" "09/03/2021" "Linux-PAM Manual" "Linux\-PAM Manual" ++.TH "PAM_SELINUX" "7" "09/03/2021" "Linux-PAM Manual" "Linux\-PAM Manual" .\" ----------------------------------------------------------------- .\" * Define some portability stuff .\" ----------------------------------------------------------------- 
@@ -1004,32 +978,6 @@ Index: pam/modules/pam_succeed_if/pam_succeed_if.8 .SH "AUTHOR" .PP Nalin Dahyabhai <nalin@redhat\&.com> -Index: pam/modules/pam_tally/pam_tally.8.xml -=================================================================== ---- pam.orig/modules/pam_tally/pam_tally.8.xml -+++ pam/modules/pam_tally/pam_tally.8.xml -@@ -444,7 +444,7 @@ - <refentrytitle>pam.d</refentrytitle><manvolnum>5</manvolnum> - </citerefentry>, - <citerefentry> -- <refentrytitle>pam</refentrytitle><manvolnum>8</manvolnum> -+ <refentrytitle>pam</refentrytitle><manvolnum>7</manvolnum> - </citerefentry> - </para> - </refsect1> -Index: pam/modules/pam_tally/pam_tally.8 -=================================================================== ---- pam.orig/modules/pam_tally/pam_tally.8 -+++ pam/modules/pam_tally/pam_tally.8 -@@ -250,7 +250,7 @@ - \fBfaillog\fR(8), - \fBpam.conf\fR(5), - \fBpam.d\fR(5), --\fBpam\fR(8) -+\fBpam\fR(7) - .SH "AUTHOR" - .PP - pam_tally was written by Tim Baverstock and Tomas Mraz\&. Index: pam/modules/pam_time/pam_time.8.xml =================================================================== --- pam.orig/modules/pam_time/pam_time.8.xml @@ -1504,7 +1452,7 @@ Index: pam/modules/pam_userdb/pam_userdb.8.xml =================================================================== --- pam.orig/modules/pam_userdb/pam_userdb.8.xml +++ pam/modules/pam_userdb/pam_userdb.8.xml -@@ -278,7 +278,7 @@ +@@ -279,7 +279,7 @@ <refentrytitle>pam.d</refentrytitle><manvolnum>5</manvolnum> </citerefentry>, <citerefentry> 
@@ -1612,8 +1560,8 @@ Index: pam/modules/pam_env/pam_env.8 .\" Source: Linux-PAM Manual .\" Language: English .\" --.TH "PAM_ENV" "8" "06/08/2020" "Linux-PAM Manual" "Linux-PAM Manual" -+.TH "PAM_ENV" "7" "06/08/2020" "Linux-PAM Manual" "Linux-PAM Manual" +-.TH "PAM_ENV" "8" "09/03/2021" "Linux-PAM Manual" "Linux-PAM Manual" ++.TH "PAM_ENV" "7" "09/03/2021" "Linux-PAM Manual" "Linux-PAM Manual" .\" ----------------------------------------------------------------- .\" * Define some portability stuff .\" ----------------------------------------------------------------- @@ -1669,37 +1617,11 @@ Index: pam/modules/pam_sepermit/sepermit.conf.5 \fBselinux\fR(8), .SH "AUTHOR" .PP -Index: pam/modules/pam_tally2/pam_tally2.8.xml -=================================================================== ---- pam.orig/modules/pam_tally2/pam_tally2.8.xml -+++ pam/modules/pam_tally2/pam_tally2.8.xml -@@ -435,7 +435,7 @@ - <refentrytitle>pam.d</refentrytitle><manvolnum>5</manvolnum> - </citerefentry>, - <citerefentry> -- <refentrytitle>pam</refentrytitle><manvolnum>8</manvolnum> -+ <refentrytitle>pam</refentrytitle><manvolnum>7</manvolnum> - </citerefentry> - </para> - </refsect1> -Index: pam/modules/pam_tally2/pam_tally2.8 -=================================================================== ---- pam.orig/modules/pam_tally2/pam_tally2.8 -+++ pam/modules/pam_tally2/pam_tally2.8 -@@ -238,7 +238,7 @@ - .PP - \fBpam.conf\fR(5), - \fBpam.d\fR(5), --\fBpam\fR(8) -+\fBpam\fR(7) - .SH "AUTHOR" - .PP - pam_tally2 was written by Tim Baverstock and Tomas Mraz\&. Index: pam/modules/pam_timestamp/pam_timestamp.8.xml =================================================================== --- pam.orig/modules/pam_timestamp/pam_timestamp.8.xml +++ pam/modules/pam_timestamp/pam_timestamp.8.xml -@@ -188,7 +188,7 @@ +@@ -193,7 +193,7 @@ <refentrytitle>pam.d</refentrytitle><manvolnum>5</manvolnum> </citerefentry>, <citerefentry> 
@@ -1712,7 +1634,7 @@ Index: pam/modules/pam_timestamp/pam_timestamp.8 =================================================================== --- pam.orig/modules/pam_timestamp/pam_timestamp.8 +++ pam/modules/pam_timestamp/pam_timestamp.8 -@@ -124,7 +124,7 @@ +@@ -129,7 +129,7 @@ \fBpam_timestamp_check\fR(8), \fBpam.conf\fR(5), \fBpam.d\fR(5), @@ -1746,7 +1668,7 @@ Index: pam/modules/pam_timestamp/pam_timestamp_check.8 +\fBpam\fR(7) .SH "AUTHOR" .PP - pam_tally was written by Nalin Dahyabhai\&. + pam_timestamp was written by Nalin Dahyabhai\&. Index: pam/modules/pam_tty_audit/pam_tty_audit.8.xml =================================================================== --- pam.orig/modules/pam_tty_audit/pam_tty_audit.8.xml diff --git a/debian/patches-applied/make_documentation_reproducible.patch b/debian/patches-applied/make_documentation_reproducible.patch index ed15df13..b6a4bfe3 100644 --- a/debian/patches-applied/make_documentation_reproducible.patch +++ b/debian/patches-applied/make_documentation_reproducible.patch @@ -8,7 +8,7 @@ Index: pam/configure.ac =================================================================== --- pam.orig/configure.ac +++ pam/configure.ac -@@ -619,7 +619,7 @@ +@@ -585,7 +585,7 @@ AC_PATH_PROG([BROWSER], [w3m]) if test -n "$BROWSER"; then diff --git a/debian/patches-applied/pam-limits-nofile-fd-setsize-cap b/debian/patches-applied/pam-limits-nofile-fd-setsize-cap index 302c911f..9c0503c7 100644 --- a/debian/patches-applied/pam-limits-nofile-fd-setsize-cap +++ b/debian/patches-applied/pam-limits-nofile-fd-setsize-cap @@ -43,7 +43,7 @@ Index: pam/modules/pam_limits/pam_limits.c =================================================================== --- pam.orig/modules/pam_limits/pam_limits.c +++ pam/modules/pam_limits/pam_limits.c -@@ -451,6 +451,14 @@ +@@ -450,6 +450,14 @@ pl->limits[i].src_hard = LIMITS_DEF_KERNEL; } fclose(limitsfile); 
diff --git a/debian/patches-applied/pam_env-allow-environment-files-without-EOL-at-EOF.patch b/debian/patches-applied/pam_env-allow-environment-files-without-EOL-at-EOF.patch
deleted file mode 100644
index 340e4a7f..00000000
--- a/debian/patches-applied/pam_env-allow-environment-files-without-EOL-at-EOF.patch
+++ /dev/null
@@ -1,30 +0,0 @@
-From: Tomas Mraz <tmraz@fedoraproject.org>
-Date: Wed, 4 Nov 2020 09:37:36 +0100
-Subject: pam_env: allow environment files without EOL at EOF
-
-Fixes #263
-
-* modules/pam_env/pam_env.c (_assemble_line): Do not error out if at feof()
-
-Origin: upstream, https://github.com/linux-pam/linux-pam/commit/12824dd648b0668968231044ed805d1f3b212d7e
-Applied-Upstream: 1.5.0
-Bug: https://github.com/linux-pam/linux-pam/issues/263
-Bug-Ubuntu: https://bugs.launchpad.net/ubuntu/+source/pam/+bug/1953201
-Reviewed-By: Sergio Durigan Junior <sergiodj@ubuntu.com>
----
- modules/pam_env/pam_env.c | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/modules/pam_env/pam_env.c b/modules/pam_env/pam_env.c
-index 79d4372..4aa3777 100644
---- a/modules/pam_env/pam_env.c
-+++ b/modules/pam_env/pam_env.c
-@@ -311,7 +311,7 @@ static int _assemble_line(FILE *f, char *buffer, int buf_len)
- D(("_assemble_line: corrupted or binary file"));
- return -1;
- }
-- if (p[strlen(p)-1] != '\n') {
-+ if (p[strlen(p)-1] != '\n' && !feof(f)) {
- D(("_assemble_line: line too long"));
- return -1;
- }
diff --git a/debian/patches-applied/pam_faillock_create_directory b/debian/patches-applied/pam_faillock_create_directory
deleted file mode 100644
index 420e2937..00000000
--- a/debian/patches-applied/pam_faillock_create_directory
+++ /dev/null
@@ -1,31 +0,0 @@ -commit d54870f993e97fe75e2cd0470a3701d5af22877c -Author: Changqing Li <changqing.li@windriver.com> -Date: Tue Jan 12 14:45:34 2021 +0800 - - faillock: create tallydir before creating tallyfile - - The default tallydir is "/var/run/faillock", and this default - tallydir may not exist. - - Function open may fail as tallydir does not exist when creating - the tallyfile. Therefore, faillock will not work well. - - Fix this problem by creating tallydir before creating tallyfile - when the tallydir does not exist. - - Signed-off-by: Changqing Li <changqing.li@windriver.com> - -Index: pam/modules/pam_faillock/faillock.c -=================================================================== ---- pam.orig/modules/pam_faillock/faillock.c -+++ pam/modules/pam_faillock/faillock.c -@@ -74,6 +74,9 @@ open_tally (const char *dir, const char - - if (create) { - flags |= O_CREAT; -+ if (access(dir, F_OK) != 0) { -+ mkdir(dir, 0755); -+ } - } - - fd = open(path, flags, 0600); diff --git a/debian/patches-applied/pam_mkhomedir_stat_before_opendir b/debian/patches-applied/pam_mkhomedir_stat_before_opendir index 3e5f0a12..aec49b69 100644 --- a/debian/patches-applied/pam_mkhomedir_stat_before_opendir +++ b/debian/patches-applied/pam_mkhomedir_stat_before_opendir @@ -2,7 +2,7 @@ Index: pam/modules/pam_mkhomedir/mkhomedir_helper.c =================================================================== --- pam.orig/modules/pam_mkhomedir/mkhomedir_helper.c +++ pam/modules/pam_mkhomedir/mkhomedir_helper.c -@@ -38,6 +38,7 @@ create_homedir(const struct passwd *pwd, +@@ -39,6 +39,7 @@ DIR *d; struct dirent *dent; int retval = PAM_SESSION_ERR; @@ -10,7 +10,7 @@ Index: pam/modules/pam_mkhomedir/mkhomedir_helper.c /* Create the new directory */ if (mkdir(dest, 0700) && errno != EEXIST) -@@ -53,6 +54,12 @@ create_homedir(const struct passwd *pwd, +@@ -54,6 +55,12 @@ goto go_out; } 
diff --git a/debian/patches-applied/pam_unix_avoid_checksalt b/debian/patches-applied/pam_unix_avoid_checksalt
deleted file mode 100644
index 5a441145..00000000
--- a/debian/patches-applied/pam_unix_avoid_checksalt
+++ /dev/null
@@ -1,43 +0,0 @@
-debian-bug: #992848
-upstream-bug: https://github.com/linux-pam/linux-pam/issues/367
-
-
-From 980d90c9232fe5325d1a4deddd42c597cf9e1a54 Mon Sep 17 00:00:00 2001
-From: "Dmitry V. Levin" <ldv@altlinux.org>
-Date: Thu, 10 Jun 2021 14:00:00 +0000
-Subject: [PATCH] pam_unix: do not use crypt_checksalt when checking for
- password expiration
-
-According to Zack Weinberg, the intended meaning of
-CRYPT_SALT_METHOD_LEGACY is "passwd(1) should not use this hashing
-method", it is not supposed to mean "force a password change on next
-login for any user with an existing stored hash using this method".
-
-This reverts commit 4da9febc39b955892a30686e8396785b96bb8ba5.
-
-* modules/pam_unix/passverify.c (check_shadow_expiry)
-[CRYPT_CHECKSALT_AVAILABLE]: Remove.
-
-Closes: https://github.com/linux-pam/linux-pam/issues/367
----
- modules/pam_unix/passverify.c | 6 ------
- 1 file changed, 6 deletions(-)
-
-diff --git a/modules/pam_unix/passverify.c b/modules/pam_unix/passverify.c
-index f6132f805..5a19ed856 100644
---- a/modules/pam_unix/passverify.c
-+++ b/modules/pam_unix/passverify.c
-@@ -289,13 +289,7 @@ PAMH_ARG_DECL(int check_shadow_expiry,
- D(("account expired"));
- return PAM_ACCT_EXPIRED;
- }
--#if defined(CRYPT_CHECKSALT_AVAILABLE) && CRYPT_CHECKSALT_AVAILABLE
-- if (spent->sp_lstchg == 0 ||
-- crypt_checksalt(spent->sp_pwdp) == CRYPT_SALT_METHOD_LEGACY ||
-- crypt_checksalt(spent->sp_pwdp) == CRYPT_SALT_TOO_CHEAP) {
--#else
- if (spent->sp_lstchg == 0) {
--#endif
- D(("need a new password"));
- *daysleft = 0;
- return PAM_NEW_AUTHTOK_REQD;
diff --git a/debian/patches-applied/pam_unix_dont_trust_chkpwd_caller.patch b/debian/patches-applied/pam_unix_dont_trust_chkpwd_caller.patch
index 11d4ee31..6a9e525e 100644
--- a/debian/patches-applied/pam_unix_dont_trust_chkpwd_caller.patch +++ b/debian/patches-applied/pam_unix_dont_trust_chkpwd_caller.patch @@ -11,10 +11,10 @@ Index: pam/modules/pam_unix/unix_chkpwd.c =================================================================== --- pam.orig/modules/pam_unix/unix_chkpwd.c +++ pam/modules/pam_unix/unix_chkpwd.c -@@ -137,9 +137,10 @@ +@@ -138,9 +138,10 @@ /* if the caller specifies the username, verify that user matches it */ - if (strcmp(user, argv[1])) { + if (user == NULL || strcmp(user, argv[1])) { + gid_t gid = getgid(); user = argv[1]; /* no match -> permanently change to the real user and proceed */ diff --git a/debian/patches-applied/pam_unix_fix_sgid_shadow_auth.patch b/debian/patches-applied/pam_unix_fix_sgid_shadow_auth.patch deleted file mode 100644 index 0ce85eb7..00000000 --- a/debian/patches-applied/pam_unix_fix_sgid_shadow_auth.patch +++ /dev/null @@ -1,25 +0,0 @@ -Revert upstream change that prevents pam_unix from working with sgid -shadow applications. - -Authors: Steve Langasek <vorlon@debian.org> - -Upstream status: to be submitted (and debated...) - -Index: pam/modules/pam_unix/passverify.c -=================================================================== ---- pam.orig/modules/pam_unix/passverify.c -+++ pam/modules/pam_unix/passverify.c -@@ -198,11 +198,11 @@ - * ...and shadow password file entry for this user, - * if shadowing is enabled - */ -+ *spwdent = pam_modutil_getspnam(pamh, name); - #ifndef HELPER_COMPILE -- if (geteuid() || SELINUX_ENABLED) -+ if (*spwdent == NULL && (geteuid() || SELINUX_ENABLED)) - return PAM_UNIX_RUN_HELPER; - #endif -- *spwdent = pam_modutil_getspnam(pamh, name); - if (*spwdent == NULL || (*spwdent)->sp_pwdp == NULL) - return PAM_AUTHINFO_UNAVAIL; - } diff --git a/debian/patches-applied/pam_unix_initialize_daysleft b/debian/patches-applied/pam_unix_initialize_daysleft deleted file mode 100644 index e304a16e..00000000 
--- a/debian/patches-applied/pam_unix_initialize_daysleft
+++ /dev/null
@@ -1,29 +0,0 @@
-bug-debian: https://bugs.debian.org/980285
-
-commit db6b293046aee4735f3aa2d1713742ed4b533219
-Author: Tomas Mraz <tmraz@fedoraproject.org>
-Date: Wed Jul 22 11:47:55 2020 +0200
-
- Fix missing initialization of daysleft
-
- The daysleft otherwise stays uninitialized if there is no shadow entry.
-
- Regression from commit f5adefa.
-
- Fixes #255
-
- * modules/pam_unix/pam_unix_acct.c (pam_sm_acct_mgmt): Initialize daysleft.
-
-Index: pam/modules/pam_unix/pam_unix_acct.c
-===================================================================
---- pam.orig/modules/pam_unix/pam_unix_acct.c
-+++ pam/modules/pam_unix/pam_unix_acct.c
-@@ -189,7 +189,7 @@ pam_sm_acct_mgmt(pam_handle_t *pamh, int
- unsigned long long ctrl;
- const void *void_uname;
- const char *uname;
-- int retval, daysleft;
-+ int retval, daysleft = -1;
- char buf[256];
-
- D(("called."));
diff --git a/debian/patches-applied/series b/debian/patches-applied/series
index d3f4a191..3ea285ae 100644
--- a/debian/patches-applied/series
+++ b/debian/patches-applied/series
@@ -1,4 +1,3 @@
-pam_unix_fix_sgid_shadow_auth.patch
 pam_unix_dont_trust_chkpwd_caller.patch
 make_documentation_reproducible.patch
 007_modules_pam_unix
@@ -22,9 +21,4 @@
 pam-limits-nofile-fd-setsize-cap
 fix-autoreconf.patch
 nullok_secure-compat.patch
-pam_unix_initialize_daysleft
-pam_faillock_create_directory
 pam_mkhomedir_stat_before_opendir
-pam_unix_avoid_checksalt
-
-pam_env-allow-environment-files-without-EOL-at-EOF.patch
diff --git a/debian/patches-applied/update-motd b/debian/patches-applied/update-motd
index d84ecf57..14d5fee4 100644
--- a/debian/patches-applied/update-motd
+++ b/debian/patches-applied/update-motd
@@ -10,7 +10,7 @@ Index: pam/modules/pam_motd/pam_motd.c =================================================================== --- pam.orig/modules/pam_motd/pam_motd.c +++ pam/modules/pam_motd/pam_motd.c -@@ -286,6 +286,7 @@ +@@ -352,6 +352,7 @@ int argc, const char **argv) { int retval = PAM_IGNORE; @@ -18,7 +18,7 @@ Index: pam/modules/pam_motd/pam_motd.c const char *motd_path = NULL; char *motd_path_copy = NULL; unsigned int num_motd_paths = 0; -@@ -295,6 +296,7 @@ +@@ -361,6 +362,7 @@ unsigned int num_motd_dir_paths = 0; char **motd_dir_path_split = NULL; int report_missing; @@ -26,7 +26,7 @@ Index: pam/modules/pam_motd/pam_motd.c if (flags & PAM_SILENT) { return retval; -@@ -324,6 +326,9 @@ +@@ -390,6 +392,9 @@ "motd_dir= specification missing argument - ignored"); } } @@ -36,7 +36,7 @@ Index: pam/modules/pam_motd/pam_motd.c else pam_syslog(pamh, LOG_ERR, "unknown option: %s", *argv); } -@@ -336,6 +341,19 @@ +@@ -402,6 +407,19 @@ report_missing = 1; } @@ -60,7 +60,7 @@ Index: pam/modules/pam_motd/pam_motd.8.xml =================================================================== --- pam.orig/modules/pam_motd/pam_motd.8.xml +++ pam/modules/pam_motd/pam_motd.8.xml -@@ -114,6 +114,17 @@ +@@ -115,6 +115,17 @@ </para> </listitem> </varlistentry> @@ -100,7 +100,7 @@ Index: pam/modules/pam_motd/README =================================================================== --- pam.orig/modules/pam_motd/README +++ pam/modules/pam_motd/README -@@ -51,6 +51,10 @@ +@@ -52,6 +52,10 @@ colon-separated list. By default this option is set to /etc/motd.d:/run/ motd.d:/usr/lib/motd.d. |