Hello community, here is the log from the commit of package pam for openSUSE:Factory checked in at 2020-11-15 15:17:04 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/pam (Old) and /work/SRC/openSUSE:Factory/.pam.new.24930 (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "pam" Sun Nov 15 15:17:04 2020 rev:105 rq:847481 version:1.4.0 Changes: --------
--- /work/SRC/openSUSE:Factory/pam/pam.changes 2020-10-19 09:48:18.633286682 +0200
+++ /work/SRC/openSUSE:Factory/.pam.new.24930/pam.changes 2020-11-15 15:17:10.598862977 +0100
@@ -1,0 +2,33 @@
+Tue Nov 10 11:09:39 UTC 2020 - Thorsten Kukuk <ku...@suse.com>
+
+- Enable pam_faillock [bnc#1171562]
+
+-------------------------------------------------------------------
+Wed Oct 8 13:31:39 UTC 2020 - Josef Möllers <josef.moell...@suse.com>
+
+- /usr/bin/xauth chokes on the old user's $HOME being on an NFS
+ file system. Run /usr/bin/xauth using the old user's uid/gid
+ Patch courtesy of Dr. Werner Fink.
+ [bsc#1174593, pam-xauth_ownership.patch]
+
+-------------------------------------------------------------------
+Thu Oct 8 02:33:16 UTC 2020 - Stanislav Brabec <sbra...@suse.com>
+
+- pam-login_defs-check.sh: Fix the regexp to get a real variable
+ list (boo#1164274).
+
+-------------------------------------------------------------------
+Wed Jun 24 13:06:33 UTC 2020 - Josef Möllers <josef.moell...@suse.com>
+
+- Revert the previous change [SR#815713].
+ The group is not necessary for PAM functionality but used only
+ during testing. The test system should therefore create this group.
+ [bsc#1171016, pam.spec]
+
+-------------------------------------------------------------------
+Mon Jun 15 15:05:18 UTC 2020 - Josef Möllers <josef.moell...@suse.com>
+
+- Add requirement for group "wheel" to spec file.
+ [bsc#1171016, pam.spec]
+
+-------------------------------------------------------------------
New: ---- pam-xauth_ownership.patch
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Other differences: ------------------
++++++ pam.spec ++++++
--- /var/tmp/diff_new_pack.NX9Ghh/_old 2020-11-15 15:17:12.222864696 +0100
+++ /var/tmp/diff_new_pack.NX9Ghh/_new 2020-11-15 15:17:12.226864701 +0100
@@ -47,6 +47,7 @@ Source12: pam-login_defs-check.sh Patch2: pam-limit-nproc.patch Patch4: pam-hostnames-in-access_conf.patch +Patch5: pam-xauth_ownership.patch BuildRequires: audit-devel BuildRequires: bison BuildRequires: cracklib-devel @@ -139,6 +140,7 @@ cp -a %{SOURCE12} . %patch2 -p1 %patch4 -p1 +%patch5 -p1 %build bash ./pam-login_defs-check.sh @@ -210,8 +212,6 @@ cp -fpv "$i" "$DOC/modules/README.${i%/*}" done popd -# XXX Remove until whitelisted -rm %{buildroot}/%{_lib}/security/pam_faillock.so # Install unix2_chkpwd install -m 755 %{_builddir}/unix2_chkpwd %{buildroot}/sbin/ install -m 644 %{_sourcedir}/unix2_chkpwd.8 %{buildroot}/%{_mandir}/man8/ @@ -338,7 +338,7 @@ /%{_lib}/security/pam_env.so /%{_lib}/security/pam_exec.so /%{_lib}/security/pam_faildelay.so -#/%{_lib}/security/pam_faillock.so +/%{_lib}/security/pam_faillock.so /%{_lib}/security/pam_filter.so %dir /%{_lib}/security/pam_filter /%{_lib}/security//pam_filter/upperLOWER ++++++ pam-login_defs-check.sh ++++++ --- /var/tmp/diff_new_pack.NX9Ghh/_old 2020-11-15 15:17:12.370864853 +0100 +++ /var/tmp/diff_new_pack.NX9Ghh/_new 2020-11-15 15:17:12.374864858 +0100 
@@ -9,10 +9,10 @@ echo -n "Checking login.defs variables in pam... " >&2 grep -rh LOGIN_DEFS . | - sed -n 's/^.*search_key *("\([A-Z0-9_]*\)", *LOGIN_DEFS).*$/\1/p' | + sed -n 's/^.*search_key *([A-Za-z_]*, *[A-Z_]*LOGIN_DEFS, *"\([A-Z0-9_]*\)").*$/\1/p' | LC_ALL=C sort -u >pam-login_defs-vars.lst -if test $(sha1sum pam-login_defs-vars.lst | sed 's/ .*$//') != da39a3ee5e6b4b0d3255bfef95601890afd80709 ; then +if test $(sha1sum pam-login_defs-vars.lst | sed 's/ .*$//') != 3c6e0020c31609690b69ef391654df930b74151d ; then echo "does not match!" >&2 echo "Checksum is: $(sha1sum pam-login_defs-vars.lst | sed 's/ .*$//')" >&2 ++++++ pam-xauth_ownership.patch ++++++ Index: Linux-PAM-1.4.0/modules/pam_xauth/pam_xauth.c =================================================================== --- Linux-PAM-1.4.0.orig/modules/pam_xauth/pam_xauth.c +++ Linux-PAM-1.4.0/modules/pam_xauth/pam_xauth.c @@ -355,11 +355,13 @@ pam_sm_open_session (pam_handle_t *pamh, char *cookiefile = NULL, *xauthority = NULL, *cookie = NULL, *display = NULL, *tmp = NULL, *xauthlocalhostname = NULL; - const char *user, *xauth = NULL; + const char *user, *xauth = NULL, *login_name; struct passwd *tpwd, *rpwd; int fd, i, debug = 0; int retval = PAM_SUCCESS; - uid_t systemuser = 499, targetuser = 0; + uid_t systemuser = 499, targetuser = 0, uid; + gid_t gid; + struct stat st; /* Parse arguments. We don't understand many, so no sense in breaking * this into a separate function. */ @@ -429,7 +431,16 @@ pam_sm_open_session (pam_handle_t *pamh, retval = PAM_SESSION_ERR; goto cleanup; } - rpwd = pam_modutil_getpwuid(pamh, getuid()); + + login_name = pam_modutil_getlogin(pamh); + if (login_name == NULL) { + login_name = ""; + } + if (*login_name) + rpwd = pam_modutil_getpwnam(pamh, login_name); + else + rpwd = pam_modutil_getpwuid(pamh, getuid()); + if (rpwd == NULL) { pam_syslog(pamh, LOG_ERR, "error determining invoking user's name"); 
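Review bot: The `test $(sha1sum ... | sed ...) != 3c6e...` comparison leaves the command substitution unquoted, so if `sha1sum` produces no output `test` receives a malformed expression, returns an error status, and the `if` falls through as though the checksum had matched. Quote it and compute the digest once, e.g. `sum=$(sha1sum pam-login_defs-vars.lst | sed 's/ .*$//')` followed by `if test "$sum" != 3c6e0020c31609690b69ef391654df930b74151d ; then`, and reuse `$sum` in the "Checksum is:" message. The old expected value da39a3ee5e6b4b0d3255bfef95601890afd80709 is the SHA-1 of empty input, meaning the check used to pass only while the extracted list was empty; a one-line comment next to the new constant saying which variable list it pins would help whoever updates it next. The rest of the script is outside the hunk.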
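Review bot: In the @@ -429 hunk, when `pam_modutil_getlogin()` returns a non-empty name that has no passwd entry, `rpwd` stays NULL and the session takes the error path, although the old `pam_modutil_getpwuid(pamh, getuid())` lookup would still have succeeded; add a fallback such as `if (rpwd == NULL) rpwd = pam_modutil_getpwuid(pamh, getuid());` before the NULL check. The NULL-to-"" step can be dropped by testing `if (login_name != NULL && *login_name != '\0')`. The lookup also changes who counts as the "invoking user" from the process's real UID to the login record, which need not be the same account after a nested su; since `rpwd` presumably selects whose cookies are exported further down (outside this hunk), a comment stating why the login name is preferred here is worth adding, e.g. `/* prefer the login name because REASON; fall back to the real UID */`. The declarations added in the @@ -355 hunk belong to this change and to the stat() block in the @@ -518 hunk.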
@@ -518,18 +529,26 @@ pam_sm_open_session (pam_handle_t *pamh, cookiefile); } + /* Get owner and group of the cookiefile */ + uid = getuid(); + gid = getgid(); + if (stat(cookiefile, &st) == 0) { + uid = st.st_uid; + gid = st.st_gid; + } + /* Read the user's .Xauthority file. Because the current UID is * the original user's UID, this will only fail if something has * gone wrong, or we have no cookies. */ if (debug) { pam_syslog(pamh, LOG_DEBUG, - "running \"%s %s %s %s %s\" as %lu/%lu", - xauth, "-f", cookiefile, "nlist", display, - (unsigned long) getuid(), (unsigned long) getgid()); + "running \"%s %s %s %s %s %s\" as %lu/%lu", + xauth, "-i", "-f", cookiefile, "nlist", display, + (unsigned long) uid, (unsigned long) gid); } if (run_coprocess(pamh, NULL, &cookie, - getuid(), getgid(), - xauth, "-f", cookiefile, "nlist", display, + uid, gid, + xauth, "-i", "-f", cookiefile, "nlist", display, NULL) == 0) { #ifdef WITH_SELINUX security_context_t context = NULL; @@ -583,12 +602,12 @@ pam_sm_open_session (pam_handle_t *pamh, cookiefile, "nlist", t, - (unsigned long) getuid(), - (unsigned long) getgid()); + (unsigned long) uid, + (unsigned long) gid); } run_coprocess(pamh, NULL, &cookie, - getuid(), getgid(), - xauth, "-f", cookiefile, + uid, gid, + xauth, "-i", "-f", cookiefile, "nlist", t, NULL); } free(t); 
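Review bot: The coprocess identity is now taken from whoever owns `cookiefile` (`uid = st.st_uid; gid = st.st_gid;`), so the privilege drop depends on a path's metadata instead of on the caller: if that path can resolve to a file owned by another account, root included, `xauth` runs with that account's uid/gid, where the old code always dropped to `getuid()`/`getgid()`. Accept the file's owner only when it is the user already resolved into `rpwd`, e.g. `if (stat(cookiefile, &st) == 0 && st.st_uid == rpwd->pw_uid) {`, or skip the stat() and pass `rpwd->pw_uid`/`rpwd->pw_gid` directly; `stat()` also follows symlinks and runs before xauth opens the file, so the owner seen here is not guaranteed to be the owner of what is read. The same `uid`/`gid` pair is passed to `run_coprocess` in the @@ -583 hunk, and the comment "Because the current UID is the original user's UID" kept below the new block no longer describes the code. How `cookiefile` is derived is outside this hunk, so whether a foreign-owned path can actually reach this point should be confirmed there.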
@@ -673,13 +692,17 @@ pam_sm_open_session (pam_handle_t *pamh, goto cleanup; } + if (debug) { + pam_syslog(pamh, LOG_DEBUG, "set environment variable '%s'", + xauthority); + } /* Set the new variable in the environment. */ if (pam_putenv (pamh, xauthority) != PAM_SUCCESS) pam_syslog(pamh, LOG_ERR, "can't set environment variable '%s'", xauthority); putenv (xauthority); /* The environment owns this string now. */ - xauthority = NULL; /* Don't free environment variables. */ + /* Don't free environment variables nor set them to NULL. */ /* set $DISPLAY in pam handle to make su - work */ { _______________________________________________ openSUSE Commits mailing list -- commit@lists.opensuse.org To unsubscribe, email commit-le...@lists.opensuse.org List Netiquette: https://en.opensuse.org/openSUSE:Mailing_list_netiquette List Archives: https://lists.opensuse.org/archives/list/commit@lists.opensuse.org
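Review bot: Dropping `xauthority = NULL;` after `putenv (xauthority)` leaves the function holding a pointer to a string that, as the adjacent comment says, the environment now owns; if the cleanup code at the end of `pam_sm_open_session` (outside this hunk) frees `xauthority`, the environment is left pointing at freed memory. Keep the reset, `xauthority = NULL; /* Don't free environment variables. */`, and if later code still needs the value, read it through a separate non-owning pointer. The replacement comment "nor set them to NULL" says the opposite of what handing ownership to putenv() calls for, so at minimum it should explain why the pointer has to stay live and how the cleanup path avoids freeing it.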