diff --git a/bugfix-pam-1.1.8-mod-chinese-date-format.patch b/bugfix-pam-1.1.8-mod-chinese-date-format.patch deleted file mode 100644 index fab3dff3a0bb76af7ca761a03fccfa513fe0eea2..0000000000000000000000000000000000000000 --- a/bugfix-pam-1.1.8-mod-chinese-date-format.patch +++ /dev/null @@ -1,29 +0,0 @@ -diff --git a/po/zh_CN.po b/po/zh_CN.po -index 33c257d..2ae6e50 100644 ---- a/po/zh_CN.po -+++ b/po/zh_CN.po -@@ -285,7 +285,7 @@ msgstr "%s 失败:未知的状态 0x%x" - #. TRANSLATORS: "strftime options for date of last login" - #: modules/pam_lastlog/pam_lastlog.c:282 modules/pam_lastlog/pam_lastlog.c:496 - msgid " %a %b %e %H:%M:%S %Z %Y" --msgstr "%a %b %e %H:%M:%S %Z %Y" -+msgstr "%Y年 %b %e日 %H:%M:%S 星期%a %Z" - - #. TRANSLATORS: " from " - #: modules/pam_lastlog/pam_lastlog.c:291 modules/pam_lastlog/pam_lastlog.c:505 -@@ -320,13 +320,13 @@ msgstr "最后一次失败的登录:%s%s%s" - msgid "There was %d failed login attempt since the last successful login." - msgid_plural "" - "There were %d failed login attempts since the last successful login." --msgstr[0] "最有一次成功登录后有 %d 次失败的登录尝试。" -+msgstr[0] "最近一次成功登录后有 %d 次失败的登录尝试。" - - #. TRANSLATORS: only used if dngettext is not supported - #: modules/pam_lastlog/pam_lastlog.c:548 - #, c-format - msgid "There were %d failed login attempts since the last successful login." --msgstr "最有一次成功登录后有 %d 次失败的登录尝试。" -+msgstr "最近一次成功登录后有 %d 次失败的登录尝试。" - - #: modules/pam_limits/pam_limits.c:1091 - #, c-format diff --git a/bugfix-pam-1.1.8-translation-missing-add.patch b/bugfix-pam-1.1.8-translation-missing-add.patch deleted file mode 100644 index e356ea90d0c36942ae5fcd9c508cda267ae0e487..0000000000000000000000000000000000000000 --- a/bugfix-pam-1.1.8-translation-missing-add.patch +++ /dev/null @@ -1,16 +0,0 @@ -diff --git a/po/zh_CN.po b/po/zh_CN.po -index 2ae6e50..17eb79e 100644 ---- a/po/zh_CN.po -+++ b/po/zh_CN.po -@@ -572,3 +572,11 @@ msgstr "为 %s 更改 STRESS 密码。" - #: modules/pam_unix/pam_unix_passwd.c:722 - msgid "You must wait longer to change your password" - msgstr "您必须等待更长时间以更改密码" -+ -+#: modules/pam_faillock/pam_faillock.c:447 -+msgid "Account temporarily locked due to %d failed logins" -+msgstr "账户由于%d次登录失败而暂时锁定" -+ -+#: modules/pam_faillock/pam_faillock.c:449 -+msgid "(%d seconds left to unlock)" -+msgstr "%d 秒后解锁" diff --git a/pam-1.1.0-notally.patch b/pam-1.1.0-notally.patch deleted file mode 100644 index 9188422d0e24bc692ba4c21cfae19aa166fe4bf6..0000000000000000000000000000000000000000 --- a/pam-1.1.0-notally.patch +++ /dev/null @@ -1,24 +0,0 @@ -From: openEuler Buildteam -Date: Sat, 14 Sep 2019 17:37:36 +0800 -Subject: [PATCH] unsupport pam_tally - ---- - modules/Makefile.am | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/modules/Makefile.am b/modules/Makefile.am -index 0c80cea..4847759 100644 ---- a/modules/Makefile.am -+++ b/modules/Makefile.am -@@ -9,7 +9,7 @@ SUBDIRS = pam_access pam_cracklib pam_debug pam_deny pam_echo \ - pam_mkhomedir pam_motd pam_namespace pam_nologin \ - pam_permit pam_pwhistory pam_rhosts pam_rootok pam_securetty \ - pam_selinux pam_sepermit pam_shells pam_stress \ -- pam_succeed_if pam_tally pam_tally2 pam_time pam_timestamp \ -+ pam_succeed_if pam_tally2 pam_time pam_timestamp \ - pam_tty_audit pam_umask \ - pam_unix pam_userdb pam_warn pam_wheel pam_xauth - --- -2.19.1 - diff --git a/pam-1.1.3-nouserenv.patch b/pam-1.1.3-nouserenv.patch deleted file mode 100644 index f3a742c8d2cc11608a0cf842dd178fae6516519c..0000000000000000000000000000000000000000 --- a/pam-1.1.3-nouserenv.patch +++ /dev/null @@ -1,27 +0,0 @@ -diff -up pam/modules/pam_env/pam_env.c.nouserenv pam/modules/pam_env/pam_env.c ---- pam/modules/pam_env/pam_env.c.nouserenv 2010-10-20 09:59:30.000000000 +0200 -+++ pam/modules/pam_env/pam_env.c 2010-11-01 14:42:01.000000000 +0100 -@@ -10,7 +10,7 @@ - #define DEFAULT_READ_ENVFILE 1 - - #define DEFAULT_USER_ENVFILE ".pam_environment" --#define DEFAULT_USER_READ_ENVFILE 1 -+#define DEFAULT_USER_READ_ENVFILE 0 - - #include "config.h" - -diff -up pam/modules/pam_env/pam_env.8.xml.nouserenv pam/modules/pam_env/pam_env.8.xml ---- pam/modules/pam_env/pam_env.8.xml.nouserenv 2010-10-20 09:59:30.000000000 +0200 -+++ pam/modules/pam_env/pam_env.8.xml 2010-11-01 14:42:01.000000000 +0100 -@@ -147,7 +147,10 @@ - - - Turns on or off the reading of the user specific environment -- file. 0 is off, 1 is on. By default this option is on. -+ file. 0 is off, 1 is on. By default this option is off as user -+ supplied environment variables in the PAM environment could affect -+ behavior of subsequent modules in the stack without the consent -+ of the system administrator. - - - diff --git a/pam-1.1.6-limits-user.patch b/pam-1.1.6-limits-user.patch deleted file mode 100644 index 3c17b781a205faaffbe144f314b3f14d4b0e3e07..0000000000000000000000000000000000000000 --- a/pam-1.1.6-limits-user.patch +++ /dev/null @@ -1,20 +0,0 @@ -diff -up Linux-PAM-1.1.6/modules/pam_limits/limits.conf.limits Linux-PAM-1.1.6/modules/pam_limits/limits.conf ---- Linux-PAM-1.1.6/modules/pam_limits/limits.conf.limits 2012-08-15 13:08:43.000000000 +0200 -+++ Linux-PAM-1.1.6/modules/pam_limits/limits.conf 2013-03-14 16:43:37.615087671 +0100 -@@ -1,5 +1,16 @@ - # /etc/security/limits.conf - # -+#This file sets the resource limits for the users logged in via PAM. -+#It does not affect resource limits of the system services. -+# -+#Also note that configuration files in /etc/security/limits.d directory, -+#which are read in alphabetical order, override the settings in this -+#file in case the domain is the same or more specific. -+#That means for example that setting a limit for wildcard domain here -+#can be overriden with a wildcard setting in a config file in the -+#subdirectory, but a user specific setting here can be overriden only -+#with a user specific setting in the subdirectory. -+# - #Each line describes a limit for a user in the form: - # - # diff --git a/pam-1.1.8-audit-user-mgmt.patch b/pam-1.1.8-audit-user-mgmt.patch deleted file mode 100644 index 277a5699f3ce04436235aa498f26f963fc328156..0000000000000000000000000000000000000000 --- a/pam-1.1.8-audit-user-mgmt.patch +++ /dev/null @@ -1,31 +0,0 @@ -diff -up Linux-PAM-1.1.8/modules/pam_tally2/pam_tally2.c.audit-user-mgmt Linux-PAM-1.1.8/modules/pam_tally2/pam_tally2.c ---- Linux-PAM-1.1.8/modules/pam_tally2/pam_tally2.c.audit-user-mgmt 2013-06-18 16:11:21.000000000 +0200 -+++ Linux-PAM-1.1.8/modules/pam_tally2/pam_tally2.c 2014-10-17 12:09:12.965490940 +0200 -@@ -997,9 +997,9 @@ main( int argc UNUSED, char **argv ) - #ifdef HAVE_LIBAUDIT - char buf[64]; - int audit_fd = audit_open(); -- snprintf(buf, sizeof(buf), "pam_tally2 uid=%u reset=%hu", uid, cline_reset); -- audit_log_user_message(audit_fd, AUDIT_USER_ACCT, -- buf, NULL, NULL, ttyname(STDIN_FILENO), 1); -+ snprintf(buf, sizeof(buf), "pam_tally2 reset=%hu", cline_reset); -+ audit_log_acct_message(audit_fd, AUDIT_USER_MGMT, NULL, -+ buf, NULL, uid, NULL, NULL, ttyname(STDIN_FILENO), 1); - if (audit_fd >=0) - close(audit_fd); - #endif -@@ -1040,11 +1040,10 @@ main( int argc UNUSED, char **argv ) - } - else if ( !cline_reset ) { - #ifdef HAVE_LIBAUDIT -- char buf[64]; - int audit_fd = audit_open(); -- snprintf(buf, sizeof(buf), "pam_tally2 uid=all reset=0"); -- audit_log_user_message(audit_fd, AUDIT_USER_ACCT, -- buf, NULL, NULL, ttyname(STDIN_FILENO), 1); -+ audit_log_acct_message(audit_fd, AUDIT_USER_MGMT, NULL, -+ "pam_tally2-reset-all-accts reset=0", "*", -1, -+ NULL, NULL, ttyname(STDIN_FILENO), 1); - if (audit_fd >=0) - close(audit_fd); - #endif diff --git a/pam-1.1.8-full-relro.patch b/pam-1.1.8-full-relro.patch deleted file mode 100644 index b2d8526f9df79b80d5dc74242dc826e34e83127a..0000000000000000000000000000000000000000 --- a/pam-1.1.8-full-relro.patch +++ /dev/null @@ -1,67 +0,0 @@ -diff -up Linux-PAM-1.1.8/modules/pam_filter/upperLOWER/Makefile.am.relro Linux-PAM-1.1.8/modules/pam_filter/upperLOWER/Makefile.am ---- Linux-PAM-1.1.8/modules/pam_filter/upperLOWER/Makefile.am.relro 2014-09-10 17:17:20.273401344 +0200 -+++ Linux-PAM-1.1.8/modules/pam_filter/upperLOWER/Makefile.am 2014-09-10 17:17:07.857115369 +0200 -@@ -9,7 +9,7 @@ securelibfilterdir = $(SECUREDIR)/pam_fi - - AM_CFLAGS = -I$(top_srcdir)/libpam/include -I$(top_srcdir)/libpamc/include \ - -I$(srcdir)/.. @PIE_CFLAGS@ --AM_LDFLAGS = @PIE_LDFLAGS@ -+AM_LDFLAGS = -Wl,-z,now @PIE_LDFLAGS@ - LDADD = $(top_builddir)/libpam/libpam.la - - securelibfilter_PROGRAMS = upperLOWER -diff -up Linux-PAM-1.1.8/modules/pam_mkhomedir/Makefile.am.relro Linux-PAM-1.1.8/modules/pam_mkhomedir/Makefile.am ---- Linux-PAM-1.1.8/modules/pam_mkhomedir/Makefile.am.relro 2013-06-18 16:11:21.000000000 +0200 -+++ Linux-PAM-1.1.8/modules/pam_mkhomedir/Makefile.am 2014-09-10 17:18:42.922304935 +0200 -@@ -30,6 +30,8 @@ endif - - sbin_PROGRAMS = mkhomedir_helper - mkhomedir_helper_SOURCES = mkhomedir_helper.c -+mkhomedir_helper_CFLAGS = $(AM_CFLAGS) @PIE_CFLAGS@ -+mkhomedir_helper_LDFLAGS = -Wl,-z,now @PIE_LDFLAGS@ - mkhomedir_helper_LDADD = $(top_builddir)/libpam/libpam.la - - if ENABLE_REGENERATE_MAN -diff -up Linux-PAM-1.1.8/modules/pam_tally2/Makefile.am.relro Linux-PAM-1.1.8/modules/pam_tally2/Makefile.am ---- Linux-PAM-1.1.8/modules/pam_tally2/Makefile.am.relro 2013-06-18 16:11:21.000000000 +0200 -+++ Linux-PAM-1.1.8/modules/pam_tally2/Makefile.am 2014-09-10 17:22:04.339944040 +0200 -@@ -26,6 +26,8 @@ if HAVE_VERSIONING - pam_tally2_la_LDFLAGS += -Wl,--version-script=$(srcdir)/../modules.map - endif - -+pam_tally2_CFLAGS = $(AM_CFLAGS) @PIE_CFLAGS@ -+pam_tally2_LDFLAGS = -Wl,-z,now @PIE_LDFLAGS@ - pam_tally2_LDADD = $(top_builddir)/libpam/libpam.la $(LIBAUDIT) - - securelib_LTLIBRARIES = pam_tally2.la -diff -up Linux-PAM-1.1.8/modules/pam_timestamp/Makefile.am.relro Linux-PAM-1.1.8/modules/pam_timestamp/Makefile.am ---- Linux-PAM-1.1.8/modules/pam_timestamp/Makefile.am.relro 2013-06-18 16:11:21.000000000 +0200 -+++ Linux-PAM-1.1.8/modules/pam_timestamp/Makefile.am 2014-08-13 16:02:49.906688139 +0200 -@@ -36,7 +36,7 @@ pam_timestamp_la_CFLAGS = $(AM_CFLAGS) - pam_timestamp_check_SOURCES = pam_timestamp_check.c - pam_timestamp_check_CFLAGS = $(AM_CFLAGS) @PIE_CFLAGS@ - pam_timestamp_check_LDADD = $(top_builddir)/libpam/libpam.la --pam_timestamp_check_LDFLAGS = @PIE_LDFLAGS@ -+pam_timestamp_check_LDFLAGS = -Wl,-z,now @PIE_LDFLAGS@ - - hmacfile_SOURCES = hmacfile.c hmacsha1.c sha1.c - hmacfile_LDADD = $(top_builddir)/libpam/libpam.la -diff -up Linux-PAM-1.1.8/modules/pam_unix/Makefile.am.relro Linux-PAM-1.1.8/modules/pam_unix/Makefile.am ---- Linux-PAM-1.1.8/modules/pam_unix/Makefile.am.relro 2013-06-18 16:11:21.000000000 +0200 -+++ Linux-PAM-1.1.8/modules/pam_unix/Makefile.am 2014-08-13 16:02:49.906688139 +0200 -@@ -55,13 +55,13 @@ bigcrypt_LDADD = @LIBCRYPT@ - unix_chkpwd_SOURCES = unix_chkpwd.c md5_good.c md5_broken.c bigcrypt.c \ - passverify.c - unix_chkpwd_CFLAGS = $(AM_CFLAGS) @PIE_CFLAGS@ -DHELPER_COMPILE=\"unix_chkpwd\" --unix_chkpwd_LDFLAGS = @PIE_LDFLAGS@ -+unix_chkpwd_LDFLAGS = -Wl,-z,now @PIE_LDFLAGS@ - unix_chkpwd_LDADD = @LIBCRYPT@ @LIBSELINUX@ @LIBAUDIT@ - - unix_update_SOURCES = unix_update.c md5_good.c md5_broken.c bigcrypt.c \ - passverify.c - unix_update_CFLAGS = $(AM_CFLAGS) @PIE_CFLAGS@ -DHELPER_COMPILE=\"unix_update\" --unix_update_LDFLAGS = @PIE_LDFLAGS@ -+unix_update_LDFLAGS = -Wl,-z,now @PIE_LDFLAGS@ - unix_update_LDADD = @LIBCRYPT@ @LIBSELINUX@ - - if ENABLE_REGENERATE_MAN diff --git a/pam-1.2.0-unix-no-fallback.patch b/pam-1.2.0-unix-no-fallback.patch deleted file mode 100644 index 6295da77caa572ddce7485d6417fe48dc0a57c66..0000000000000000000000000000000000000000 --- a/pam-1.2.0-unix-no-fallback.patch +++ /dev/null @@ -1,73 +0,0 @@ -diff -up Linux-PAM-1.2.0/modules/pam_unix/pam_unix.8.xml.no-fallback Linux-PAM-1.2.0/modules/pam_unix/pam_unix.8.xml ---- Linux-PAM-1.2.0/modules/pam_unix/pam_unix.8.xml.no-fallback 2015-04-27 16:38:03.000000000 +0200 -+++ Linux-PAM-1.2.0/modules/pam_unix/pam_unix.8.xml 2015-05-15 15:54:21.524440864 +0200 -@@ -284,11 +284,10 @@ - - - When a user changes their password next, -- encrypt it with the SHA256 algorithm. If the -- SHA256 algorithm is not known to the -+ encrypt it with the SHA256 algorithm. The -+ SHA256 algorithm must be supported by the - crypt3 -- function, -- fall back to MD5. -+ function. - - - -@@ -299,11 +298,10 @@ - - - When a user changes their password next, -- encrypt it with the SHA512 algorithm. If the -- SHA512 algorithm is not known to the -+ encrypt it with the SHA512 algorithm. The -+ SHA512 algorithm must be supported by the - crypt3 -- function, -- fall back to MD5. -+ function. - - - -@@ -314,11 +312,10 @@ - - - When a user changes their password next, -- encrypt it with the blowfish algorithm. If the -- blowfish algorithm is not known to the -+ encrypt it with the blowfish algorithm. The -+ blowfish algorithm must be supported by the - crypt3 -- function, -- fall back to MD5. -+ function. - - - -diff -up Linux-PAM-1.2.0/modules/pam_unix/passverify.c.no-fallback Linux-PAM-1.2.0/modules/pam_unix/passverify.c ---- Linux-PAM-1.2.0/modules/pam_unix/passverify.c.no-fallback 2015-05-15 15:54:21.525440887 +0200 -+++ Linux-PAM-1.2.0/modules/pam_unix/passverify.c 2015-05-15 15:57:23.138613273 +0200 -@@ -437,10 +437,9 @@ PAMH_ARG_DECL(char * create_password_has - sp = crypt(password, salt); - #endif - if (!sp || strncmp(algoid, sp, strlen(algoid)) != 0) { -- /* libxcrypt/libc doesn't know the algorithm, use MD5 */ -+ /* libxcrypt/libc doesn't know the algorithm, error out */ - pam_syslog(pamh, LOG_ERR, -- "Algo %s not supported by the crypto backend, " -- "falling back to MD5\n", -+ "Algo %s not supported by the crypto backend.\n", - on(UNIX_BLOWFISH_PASS, ctrl) ? "blowfish" : - on(UNIX_SHA256_PASS, ctrl) ? "sha256" : - on(UNIX_SHA512_PASS, ctrl) ? "sha512" : algoid); -@@ -450,7 +449,7 @@ PAMH_ARG_DECL(char * create_password_has - #ifdef HAVE_CRYPT_R - free(cdata); - #endif -- return crypt_md5_wrapper(password); -+ return NULL; - } - sp = x_strdup(sp); - #ifdef HAVE_CRYPT_R diff --git a/pam-1.2.1-faillock.patch b/pam-1.2.1-faillock.patch index 3348ec7119eec2fb258f348e3485474d66e83d6f..c173702457bf37ed8c3e5f59c217340b1df6a261 100644 --- a/pam-1.2.1-faillock.patch +++ b/pam-1.2.1-faillock.patch @@ -45,7 +45,7 @@ index 4847759..adcc641 100644 @@ -10,7 +10,7 @@ SUBDIRS = pam_access pam_cracklib pam_debug pam_deny pam_echo \ pam_permit pam_pwhistory pam_rhosts pam_rootok pam_securetty \ pam_selinux pam_sepermit pam_shells pam_stress \ - pam_succeed_if pam_tally2 pam_time pam_timestamp \ + pam_succeed_if pam_tally pam_tally2 pam_time pam_timestamp \ - pam_tty_audit pam_umask \ + pam_tty_audit pam_umask pam_faillock \ pam_unix pam_userdb pam_warn pam_wheel pam_xauth diff --git a/pam-1.3.0-pwhistory-helper.patch b/pam-1.3.0-pwhistory-helper.patch deleted file mode 100644 index 554e5c8f83cd1888eb21d6a36b62bf7778b625e3..0000000000000000000000000000000000000000 --- a/pam-1.3.0-pwhistory-helper.patch +++ /dev/null @@ -1,806 +0,0 @@ -diff -up Linux-PAM-1.3.0/modules/pam_pwhistory/Makefile.am.pwhhelper Linux-PAM-1.3.0/modules/pam_pwhistory/Makefile.am ---- Linux-PAM-1.3.0/modules/pam_pwhistory/Makefile.am.pwhhelper 2016-03-24 12:45:42.000000000 +0100 -+++ Linux-PAM-1.3.0/modules/pam_pwhistory/Makefile.am 2016-05-06 15:18:42.307637933 +0200 -@@ -1,5 +1,6 @@ - # - # Copyright (c) 2008, 2009 Thorsten Kukuk -+# Copyright (c) 2013 Red Hat, Inc. - # - - CLEANFILES = *~ -@@ -9,25 +10,34 @@ EXTRA_DIST = README $(MANS) $(XMLS) tst- - - TESTS = tst-pam_pwhistory - --man_MANS = pam_pwhistory.8 -+man_MANS = pam_pwhistory.8 pwhistory_helper.8 - --XMLS = README.xml pam_pwhistory.8.xml -+XMLS = README.xml pam_pwhistory.8.xml pwhistory_helper.8.xml - - securelibdir = $(SECUREDIR) - secureconfdir = $(SCONFIGDIR) - --AM_CFLAGS = -I$(top_srcdir)/libpam/include -I$(top_srcdir)/libpamc/include --AM_LDFLAGS = -no-undefined -avoid-version -module -+AM_CFLAGS = -I$(top_srcdir)/libpam/include -I$(top_srcdir)/libpamc/include \ -+ -DPWHISTORY_HELPER=\"$(sbindir)/pwhistory_helper\" -+ -+pam_pwhistory_la_LDFLAGS = -no-undefined -avoid-version -module - if HAVE_VERSIONING -- AM_LDFLAGS += -Wl,--version-script=$(srcdir)/../modules.map -+ pam_pwhistory_la_LDFLAGS += -Wl,--version-script=$(srcdir)/../modules.map - endif - - noinst_HEADERS = opasswd.h - - securelib_LTLIBRARIES = pam_pwhistory.la --pam_pwhistory_la_LIBADD = $(top_builddir)/libpam/libpam.la @LIBCRYPT@ -+pam_pwhistory_la_CFLAGS = $(AM_CFLAGS) -+pam_pwhistory_la_LIBADD = $(top_builddir)/libpam/libpam.la @LIBCRYPT@ @LIBSELINUX@ - pam_pwhistory_la_SOURCES = pam_pwhistory.c opasswd.c - -+sbin_PROGRAMS = pwhistory_helper -+pwhistory_helper_CFLAGS = $(AM_CFLAGS) -DHELPER_COMPILE=\"pwhistory_helper\" @PIE_CFLAGS@ -+pwhistory_helper_SOURCES = pwhistory_helper.c opasswd.c -+pwhistory_helper_LDFLAGS = -Wl,-z,now @PIE_LDFLAGS@ -+pwhistory_helper_LDADD = $(top_builddir)/libpam/libpam.la @LIBCRYPT@ -+ - if ENABLE_REGENERATE_MAN - noinst_DATA = README - README: pam_pwhistory.8.xml -diff -up Linux-PAM-1.3.0/modules/pam_pwhistory/opasswd.c.pwhhelper Linux-PAM-1.3.0/modules/pam_pwhistory/opasswd.c ---- Linux-PAM-1.3.0/modules/pam_pwhistory/opasswd.c.pwhhelper 2016-03-24 12:45:42.000000000 +0100 -+++ Linux-PAM-1.3.0/modules/pam_pwhistory/opasswd.c 2016-05-06 15:18:42.307637933 +0200 -@@ -1,5 +1,6 @@ - /* - * Copyright (c) 2008 Thorsten Kukuk -+ * Copyright (c) 2013 Red Hat, Inc. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions -@@ -38,6 +39,7 @@ - #endif - - #include -+#include - #include - #include - #include -@@ -47,6 +49,7 @@ - #include - #include - #include -+#include - #include - - #if defined (HAVE_XCRYPT_H) -@@ -55,7 +58,14 @@ - #include - #endif - -+#ifdef HELPER_COMPILE -+#define pam_modutil_getpwnam(h,n) getpwnam(n) -+#define pam_modutil_getspnam(h,n) getspnam(n) -+#define pam_syslog(h,a,...) helper_log_err(a,__VA_ARGS__) -+#else -+#include - #include -+#endif - #include - - #include "opasswd.h" -@@ -76,6 +86,19 @@ typedef struct { - char *old_passwords; - } opwd; - -+#ifdef HELPER_COMPILE -+void -+helper_log_err(int err, const char *format, ...) -+{ -+ va_list args; -+ -+ va_start(args, format); -+ openlog(HELPER_COMPILE, LOG_CONS | LOG_PID, LOG_AUTHPRIV); -+ vsyslog(err, format, args); -+ va_end(args); -+ closelog(); -+} -+#endif - - static int - parse_entry (char *line, opwd *data) -@@ -117,8 +140,8 @@ compare_password(const char *newpass, co - } - - /* Check, if the new password is already in the opasswd file. */ --int --check_old_pass (pam_handle_t *pamh, const char *user, -+PAMH_ARG_DECL(int -+check_old_pass, const char *user, - const char *newpass, int debug) - { - int retval = PAM_SUCCESS; -@@ -128,6 +151,11 @@ check_old_pass (pam_handle_t *pamh, cons - opwd entry; - int found = 0; - -+#ifndef HELPER_COMPILE -+ if (SELINUX_ENABLED) -+ return PAM_PWHISTORY_RUN_HELPER; -+#endif -+ - if ((oldpf = fopen (OLD_PASSWORDS_FILE, "r")) == NULL) - { - if (errno != ENOENT) -@@ -213,9 +241,9 @@ check_old_pass (pam_handle_t *pamh, cons - return retval; - } - --int --save_old_pass (pam_handle_t *pamh, const char *user, uid_t uid, -- const char *oldpass, int howmany, int debug UNUSED) -+PAMH_ARG_DECL(int -+save_old_pass, const char *user, -+ int howmany, int debug UNUSED) - { - char opasswd_tmp[] = TMP_PASSWORDS_FILE; - struct stat opasswd_stat; -@@ -226,10 +254,35 @@ save_old_pass (pam_handle_t *pamh, const - char *buf = NULL; - size_t buflen = 0; - int found = 0; -+ struct passwd *pwd; -+ const char *oldpass; -+ -+ pwd = pam_modutil_getpwnam (pamh, user); -+ if (pwd == NULL) -+ return PAM_USER_UNKNOWN; - - if (howmany <= 0) - return PAM_SUCCESS; - -+#ifndef HELPER_COMPILE -+ if (SELINUX_ENABLED) -+ return PAM_PWHISTORY_RUN_HELPER; -+#endif -+ -+ if ((strcmp(pwd->pw_passwd, "x") == 0) || -+ ((pwd->pw_passwd[0] == '#') && -+ (pwd->pw_passwd[1] == '#') && -+ (strcmp(pwd->pw_name, pwd->pw_passwd + 2) == 0))) -+ { -+ struct spwd *spw = pam_modutil_getspnam (pamh, user); -+ -+ if (spw == NULL) -+ return PAM_USER_UNKNOWN; -+ oldpass = spw->sp_pwdp; -+ } -+ else -+ oldpass = pwd->pw_passwd; -+ - if (oldpass == NULL || *oldpass == '\0') - return PAM_SUCCESS; - -@@ -452,7 +505,7 @@ save_old_pass (pam_handle_t *pamh, const - { - char *out; - -- if (asprintf (&out, "%s:%d:1:%s\n", user, uid, oldpass) < 0) -+ if (asprintf (&out, "%s:%d:1:%s\n", user, pwd->pw_uid, oldpass) < 0) - { - retval = PAM_AUTHTOK_ERR; - if (oldpf) -diff -up Linux-PAM-1.3.0/modules/pam_pwhistory/opasswd.h.pwhhelper Linux-PAM-1.3.0/modules/pam_pwhistory/opasswd.h ---- Linux-PAM-1.3.0/modules/pam_pwhistory/opasswd.h.pwhhelper 2016-03-24 12:45:42.000000000 +0100 -+++ Linux-PAM-1.3.0/modules/pam_pwhistory/opasswd.h 2016-05-06 15:18:42.307637933 +0200 -@@ -1,5 +1,6 @@ - /* - * Copyright (c) 2008 Thorsten Kukuk -+ * Copyright (c) 2013 Red Hat, Inc. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions -@@ -36,10 +37,32 @@ - #ifndef __OPASSWD_H__ - #define __OPASSWD_H__ - --extern int check_old_pass (pam_handle_t *pamh, const char *user, -- const char *newpass, int debug); --extern int save_old_pass (pam_handle_t *pamh, const char *user, -- uid_t uid, const char *oldpass, -- int howmany, int debug); -+#define PAM_PWHISTORY_RUN_HELPER PAM_CRED_INSUFFICIENT -+ -+#ifdef WITH_SELINUX -+#include -+#define SELINUX_ENABLED is_selinux_enabled()>0 -+#else -+#define SELINUX_ENABLED 0 -+#endif -+ -+#ifdef HELPER_COMPILE -+#define PAMH_ARG_DECL(fname, ...) fname(__VA_ARGS__) -+#define PAMH_ARG(...) __VA_ARGS__ -+#else -+#define PAMH_ARG_DECL(fname, ...) fname(pam_handle_t *pamh, __VA_ARGS__) -+#define PAMH_ARG(...) pamh, __VA_ARGS__ -+#endif -+ -+#ifdef HELPER_COMPILE -+void -+helper_log_err(int err, const char *format, ...); -+#endif -+ -+PAMH_ARG_DECL(int -+check_old_pass, const char *user, const char *newpass, int debug); -+ -+PAMH_ARG_DECL(int -+save_old_pass, const char *user, int howmany, int debug); - - #endif /* __OPASSWD_H__ */ -diff -up Linux-PAM-1.3.0/modules/pam_pwhistory/pam_pwhistory.c.pwhhelper Linux-PAM-1.3.0/modules/pam_pwhistory/pam_pwhistory.c ---- Linux-PAM-1.3.0/modules/pam_pwhistory/pam_pwhistory.c.pwhhelper 2016-04-04 11:22:28.000000000 +0200 -+++ Linux-PAM-1.3.0/modules/pam_pwhistory/pam_pwhistory.c 2016-05-06 15:19:31.610785512 +0200 -@@ -1,6 +1,7 @@ - /* - * Copyright (c) 2008, 2012 Thorsten Kukuk - * Author: Thorsten Kukuk -+ * Copyright (c) 2013 Red Hat, Inc. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions -@@ -46,10 +47,14 @@ - #include - #include - #include --#include - #include - #include - #include -+#include -+#include -+#include -+#include -+#include - - #include - #include -@@ -59,6 +64,7 @@ - #include "opasswd.h" - - #define DEFAULT_BUFLEN 2048 -+#define MAX_FD_NO 20000 - - struct options_t { - int debug; -@@ -102,6 +108,184 @@ parse_option (pam_handle_t *pamh, const - pam_syslog (pamh, LOG_ERR, "pam_pwhistory: unknown option: %s", argv); - } - -+static int -+run_save_helper(pam_handle_t *pamh, const char *user, -+ int howmany, int debug) -+{ -+ int retval, child; -+ struct sigaction newsa, oldsa; -+ -+ memset(&newsa, '\0', sizeof(newsa)); -+ newsa.sa_handler = SIG_DFL; -+ sigaction(SIGCHLD, &newsa, &oldsa); -+ -+ child = fork(); -+ if (child == 0) -+ { -+ int i = 0; -+ struct rlimit rlim; -+ int dummyfds[2]; -+ static char *envp[] = { NULL }; -+ char *args[] = { NULL, NULL, NULL, NULL, NULL, NULL }; -+ -+ /* replace std file descriptors with a dummy pipe */ -+ if (pipe2(dummyfds, O_NONBLOCK) == 0) -+ { -+ dup2(dummyfds[0], STDIN_FILENO); -+ dup2(dummyfds[1], STDOUT_FILENO); -+ dup2(dummyfds[1], STDERR_FILENO); -+ } -+ -+ if (getrlimit(RLIMIT_NOFILE,&rlim) == 0) -+ { -+ if (rlim.rlim_max >= MAX_FD_NO) -+ rlim.rlim_max = MAX_FD_NO; -+ for (i = STDERR_FILENO + 1; i < (int)rlim.rlim_max; i++) -+ { -+ if (i != dummyfds[0]) -+ close(i); -+ } -+ } -+ -+ /* exec binary helper */ -+ args[0] = strdup(PWHISTORY_HELPER); -+ args[1] = strdup("save"); -+ args[2] = x_strdup(user); -+ asprintf(&args[3], "%d", howmany); -+ asprintf(&args[4], "%d", debug); -+ -+ execve(args[0], args, envp); -+ -+ _exit(PAM_SYSTEM_ERR); -+ } -+ else if (child > 0) -+ { -+ /* wait for child */ -+ int rc = 0; -+ rc = waitpid(child, &retval, 0); /* wait for helper to complete */ -+ if (rc < 0) -+ { -+ pam_syslog(pamh, LOG_ERR, "pwhistory_helper save waitpid returned %d: %m", rc); -+ retval = PAM_SYSTEM_ERR; -+ } -+ else if (!WIFEXITED(retval)) -+ { -+ pam_syslog(pamh, LOG_ERR, "pwhistory_helper save abnormal exit: %d", retval); -+ retval = PAM_SYSTEM_ERR; -+ } -+ else -+ { -+ retval = WEXITSTATUS(retval); -+ } -+ } -+ else -+ { -+ retval = PAM_SYSTEM_ERR; -+ } -+ -+ sigaction(SIGCHLD, &oldsa, NULL); /* restore old signal handler */ -+ -+ return retval; -+} -+ -+static int -+run_check_helper(pam_handle_t *pamh, const char *user, -+ const char *newpass, int debug) -+{ -+ int retval, child, fds[2]; -+ struct sigaction newsa, oldsa; -+ -+ /* create a pipe for the password */ -+ if (pipe(fds) != 0) -+ return PAM_SYSTEM_ERR; -+ -+ memset(&newsa, '\0', sizeof(newsa)); -+ newsa.sa_handler = SIG_DFL; -+ sigaction(SIGCHLD, &newsa, &oldsa); -+ -+ child = fork(); -+ if (child == 0) -+ { -+ int i = 0; -+ struct rlimit rlim; -+ int dummyfds[2]; -+ static char *envp[] = { NULL }; -+ char *args[] = { NULL, NULL, NULL, NULL, NULL }; -+ -+ /* reopen stdin as pipe */ -+ dup2(fds[0], STDIN_FILENO); -+ -+ /* replace std file descriptors with a dummy pipe */ -+ if (pipe2(dummyfds, O_NONBLOCK) == 0) -+ { -+ dup2(dummyfds[1], STDOUT_FILENO); -+ dup2(dummyfds[1], STDERR_FILENO); -+ } -+ -+ if (getrlimit(RLIMIT_NOFILE,&rlim) == 0) -+ { -+ if (rlim.rlim_max >= MAX_FD_NO) -+ rlim.rlim_max = MAX_FD_NO; -+ for (i = STDERR_FILENO + 1; i < (int)rlim.rlim_max; i++) -+ { -+ if (i != dummyfds[0]) -+ close(i); -+ } -+ } -+ -+ /* exec binary helper */ -+ args[0] = strdup(PWHISTORY_HELPER); -+ args[1] = strdup("check"); -+ args[2] = x_strdup(user); -+ asprintf(&args[3], "%d", debug); -+ -+ execve(args[0], args, envp); -+ -+ _exit(PAM_SYSTEM_ERR); -+ } -+ else if (child > 0) -+ { -+ /* wait for child */ -+ int rc = 0; -+ if (newpass == NULL) -+ newpass = ""; -+ -+ /* send the password to the child */ -+ if (write(fds[1], newpass, strlen(newpass)+1) == -1) -+ { -+ pam_syslog(pamh, LOG_ERR, "Cannot send password to helper: %m"); -+ retval = PAM_SYSTEM_ERR; -+ } -+ newpass = NULL; -+ close(fds[0]); /* close here to avoid possible SIGPIPE above */ -+ close(fds[1]); -+ rc = waitpid(child, &retval, 0); /* wait for helper to complete */ -+ if (rc < 0) -+ { -+ pam_syslog(pamh, LOG_ERR, "pwhistory_helper check waitpid returned %d: %m", rc); -+ retval = PAM_SYSTEM_ERR; -+ } -+ else if (!WIFEXITED(retval)) -+ { -+ pam_syslog(pamh, LOG_ERR, "pwhistory_helper check abnormal exit: %d", retval); -+ retval = PAM_SYSTEM_ERR; -+ } -+ else -+ { -+ retval = WEXITSTATUS(retval); -+ } -+ } -+ else -+ { -+ close(fds[0]); -+ close(fds[1]); -+ retval = PAM_SYSTEM_ERR; -+ } -+ -+ sigaction(SIGCHLD, &oldsa, NULL); /* restore old signal handler */ -+ -+ return retval; -+} - - /* This module saves the current crypted password in /etc/security/opasswd - and then compares the new password with all entries in this file. */ -@@ -109,7 +293,6 @@ parse_option (pam_handle_t *pamh, const - int - pam_sm_chauthtok (pam_handle_t *pamh, int flags, int argc, const char **argv) - { -- struct passwd *pwd; - const char *newpass; - const char *user; - int retval, tries; -@@ -154,31 +337,13 @@ pam_sm_chauthtok (pam_handle_t *pamh, in - return PAM_SUCCESS; - } - -- pwd = pam_modutil_getpwnam (pamh, user); -- if (pwd == NULL) -- return PAM_USER_UNKNOWN; -- -- if ((strcmp(pwd->pw_passwd, "x") == 0) || -- ((pwd->pw_passwd[0] == '#') && -- (pwd->pw_passwd[1] == '#') && -- (strcmp(pwd->pw_name, pwd->pw_passwd + 2) == 0))) -- { -- struct spwd *spw = pam_modutil_getspnam (pamh, user); -- if (spw == NULL) -- return PAM_USER_UNKNOWN; -+ retval = save_old_pass (pamh, user, options.remember, options.debug); - -- retval = save_old_pass (pamh, user, pwd->pw_uid, spw->sp_pwdp, -- options.remember, options.debug); -- if (retval != PAM_SUCCESS) -- return retval; -- } -- else -- { -- retval = save_old_pass (pamh, user, pwd->pw_uid, pwd->pw_passwd, -- options.remember, options.debug); -- if (retval != PAM_SUCCESS) -- return retval; -- } -+ if (retval == PAM_PWHISTORY_RUN_HELPER) -+ retval = run_save_helper(pamh, user, options.remember, options.debug); -+ -+ if (retval != PAM_SUCCESS) -+ return retval; - - newpass = NULL; - tries = 0; -@@ -207,8 +372,11 @@ pam_sm_chauthtok (pam_handle_t *pamh, in - if (options.debug) - pam_syslog (pamh, LOG_DEBUG, "check against old password file"); - -- if (check_old_pass (pamh, user, newpass, -- options.debug) != PAM_SUCCESS) -+ retval = check_old_pass (pamh, user, newpass, options.debug); -+ if (retval == PAM_PWHISTORY_RUN_HELPER) -+ retval = run_check_helper(pamh, user, newpass, options.debug); -+ -+ if (retval != PAM_SUCCESS) - { - if (getuid() || options.enforce_for_root || - (flags & PAM_CHANGE_EXPIRED_AUTHTOK)) -diff -up Linux-PAM-1.3.0/modules/pam_pwhistory/pwhistory_helper.c.pwhhelper Linux-PAM-1.3.0/modules/pam_pwhistory/pwhistory_helper.c ---- Linux-PAM-1.3.0/modules/pam_pwhistory/pwhistory_helper.c.pwhhelper 2016-05-06 15:18:42.308637957 +0200 -+++ Linux-PAM-1.3.0/modules/pam_pwhistory/pwhistory_helper.c 2016-05-06 15:18:42.308637957 +0200 -@@ -0,0 +1,209 @@ -+/* -+ * Copyright (c) 2013 Red Hat, Inc. -+ * Author: Tomas Mraz -+ * -+ * Redistribution and use in source and binary forms, with or without -+ * modification, are permitted provided that the following conditions -+ * are met: -+ * 1. Redistributions of source code must retain the above copyright -+ * notice, and the entire permission notice in its entirety, -+ * including the disclaimer of warranties. -+ * 2. Redistributions in binary form must reproduce the above copyright -+ * notice, this list of conditions and the following disclaimer in the -+ * documentation and/or other materials provided with the distribution. -+ * 3. The name of the author may not be used to endorse or promote -+ * products derived from this software without specific prior -+ * written permission. -+ * -+ * ALTERNATIVELY, this product may be distributed under the terms of -+ * the GNU Public License, in which case the provisions of the GPL are -+ * required INSTEAD OF the above restrictions. (This clause is -+ * necessary due to a potential bad interaction between the GPL and -+ * the restrictions contained in a BSD-style copyright.) -+ * -+ * THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED -+ * WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES -+ * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE -+ * DISCLAIMED. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, -+ * INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES -+ * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR -+ * SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) -+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, -+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) -+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED -+ * OF THE POSSIBILITY OF SUCH DAMAGE. -+ */ -+ -+#include "config.h" -+ -+#include -+#include -+#include -+#include -+#include -+#include -+#include -+#include -+#include -+#include "opasswd.h" -+ -+#define MAXPASS 200 -+ -+static void -+su_sighandler(int sig) -+{ -+#ifndef SA_RESETHAND -+ /* emulate the behaviour of the SA_RESETHAND flag */ -+ if ( sig == SIGILL || sig == SIGTRAP || sig == SIGBUS || sig = SIGSERV ) { -+ struct sigaction sa; -+ memset(&sa, '\0', sizeof(sa)); -+ sa.sa_handler = SIG_DFL; -+ sigaction(sig, &sa, NULL); -+ } -+#endif -+ if (sig > 0) { -+ _exit(sig); -+ } -+} -+ -+static void -+setup_signals(void) -+{ -+ struct sigaction action; /* posix signal structure */ -+ -+ /* -+ * Setup signal handlers -+ */ -+ (void) memset((void *) &action, 0, sizeof(action)); -+ action.sa_handler = su_sighandler; -+#ifdef SA_RESETHAND -+ action.sa_flags = SA_RESETHAND; -+#endif -+ (void) sigaction(SIGILL, &action, NULL); -+ (void) sigaction(SIGTRAP, &action, NULL); -+ (void) sigaction(SIGBUS, &action, NULL); -+ (void) sigaction(SIGSEGV, &action, NULL); -+ action.sa_handler = SIG_IGN; -+ action.sa_flags = 0; -+ (void) sigaction(SIGTERM, &action, NULL); -+ (void) sigaction(SIGHUP, &action, NULL); -+ (void) sigaction(SIGINT, &action, NULL); -+ (void) sigaction(SIGQUIT, &action, NULL); -+} -+ -+static int -+read_passwords(int fd, int npass, char **passwords) -+{ -+ int rbytes = 0; -+ int offset = 0; -+ int i = 0; -+ char *pptr; -+ while (npass > 0) -+ { -+ rbytes = read(fd, passwords[i]+offset, MAXPASS-offset); -+ -+ if (rbytes < 0) -+ { -+ if (errno == EINTR) continue; -+ break; -+ } -+ if (rbytes == 0) -+ break; -+ -+ while (npass > 0 && (pptr=memchr(passwords[i]+offset, '\0', rbytes)) -+ != NULL) -+ { -+ rbytes -= pptr - (passwords[i]+offset) + 1; -+ i++; -+ offset = 0; -+ npass--; -+ if (rbytes > 0) -+ { -+ if (npass > 0) -+ memcpy(passwords[i], pptr+1, rbytes); -+ memset(pptr+1, '\0', rbytes); -+ } -+ } -+ offset += rbytes; -+ } -+ -+ /* clear up */ -+ if (offset > 0 && npass > 0) -+ memset(passwords[i], '\0', offset); -+ -+ return i; -+} -+ -+ -+static int -+check_history(const char *user, const char *debug) -+{ -+ char pass[MAXPASS + 1]; -+ char *passwords[] = { pass }; -+ int npass; -+ int dbg = atoi(debug); /* no need to be too fancy here */ -+ int retval; -+ -+ /* read the password from stdin (a pipe from the pam_pwhistory module) */ -+ npass = read_passwords(STDIN_FILENO, 1, passwords); -+ -+ if (npass != 1) -+ { /* is it a valid password? */ -+ helper_log_err(LOG_DEBUG, "no password supplied"); -+ return PAM_AUTHTOK_ERR; -+ } -+ -+ retval = check_old_pass(user, pass, dbg); -+ -+ memset(pass, '\0', MAXPASS); /* clear memory of the password */ -+ -+ return retval; -+} -+ -+static int -+save_history(const char *user, const char *howmany, const char *debug) -+{ -+ int num = atoi(howmany); -+ int dbg = atoi(debug); /* no need to be too fancy here */ -+ int retval; -+ -+ retval = save_old_pass(user, num, dbg); -+ -+ return retval; -+} -+ -+int -+main(int argc, char *argv[]) -+{ -+ const char *option; -+ const char *user; -+ -+ /* -+ * Catch or ignore as many signal as possible. -+ */ -+ setup_signals(); -+ -+ /* -+ * we establish that this program is running with non-tty stdin. -+ * this is to discourage casual use. -+ */ -+ -+ if (isatty(STDIN_FILENO) || argc < 4) -+ { -+ fprintf(stderr, -+ "This binary is not designed for running in this way.\n"); -+ sleep(10); /* this should discourage/annoy the user */ -+ return PAM_SYSTEM_ERR; -+ } -+ -+ option = argv[1]; -+ user = argv[2]; -+ -+ if (strcmp(option, "check") == 0 && argc == 4) -+ return check_history(user, argv[3]); -+ else if (strcmp(option, "save") == 0 && argc == 5) -+ return save_history(user, argv[3], argv[4]); -+ -+ return PAM_SYSTEM_ERR; -+} -+ -diff -up Linux-PAM-1.3.0/modules/pam_pwhistory/pwhistory_helper.8.xml.pwhhelper Linux-PAM-1.3.0/modules/pam_pwhistory/pwhistory_helper.8.xml ---- Linux-PAM-1.3.0/modules/pam_pwhistory/pwhistory_helper.8.xml.pwhhelper 2016-05-06 15:18:42.308637957 +0200 -+++ Linux-PAM-1.3.0/modules/pam_pwhistory/pwhistory_helper.8.xml 2016-05-06 15:18:42.308637957 +0200 -@@ -0,0 +1,68 @@ -+ -+ -+ -+ -+ -+ -+ pwhistory_helper -+ 8 -+ Linux-PAM Manual -+ -+ -+ -+ pwhistory_helper -+ Helper binary that transfers password hashes from passwd or shadow to opasswd -+ -+ -+ -+ -+ pwhistory_helper -+ -+ ... -+ -+ -+ -+ -+ -+ -+ DESCRIPTION -+ -+ -+ pwhistory_helper is a helper program for the -+ pam_pwhistory module that transfers password hashes -+ from passwd or shadow file to the opasswd file and checks a password -+ supplied by user against the existing hashes in the opasswd file. -+ -+ -+ -+ The purpose of the helper is to enable tighter confinement of -+ login and password changing services. The helper is thus called only -+ when SELinux is enabled on the system. -+ -+ -+ -+ The interface of the helper - command line options, and input/output -+ data format are internal to the pam_pwhistory -+ module and it should not be called directly from applications. -+ -+ -+ -+ -+ SEE ALSO -+ -+ -+ pam_pwhistory8 -+ -+ -+ -+ -+ -+ AUTHOR -+ -+ Written by Tomas Mraz based on the code originally in -+ pam_pwhistory and pam_unix modules. -+ -+ -+ -+ diff --git a/pam-1.3.0-unix-nomsg.patch b/pam-1.3.0-unix-nomsg.patch deleted file mode 100644 index 33c226773ca246226a6f2145f18f2d160f30201d..0000000000000000000000000000000000000000 --- a/pam-1.3.0-unix-nomsg.patch +++ /dev/null @@ -1,16 +0,0 @@ -diff -up Linux-PAM-1.3.0/modules/pam_unix/pam_unix_passwd.c.nomsg Linux-PAM-1.3.0/modules/pam_unix/pam_unix_passwd.c ---- Linux-PAM-1.3.0/modules/pam_unix/pam_unix_passwd.c.nomsg 2016-04-11 13:08:47.000000000 +0200 -+++ Linux-PAM-1.3.0/modules/pam_unix/pam_unix_passwd.c 2017-04-20 16:51:24.853106709 +0200 -@@ -687,12 +687,6 @@ pam_sm_chauthtok(pam_handle_t *pamh, int - return PAM_SUCCESS; - } else if (off(UNIX__IAMROOT, ctrl) || - (on(UNIX_NIS, ctrl) && _unix_comesfromsource(pamh, user, 0, 1))) { -- /* instruct user what is happening */ -- if (off(UNIX__QUIET, ctrl)) { -- retval = pam_info(pamh, _("Changing password for %s."), user); -- if (retval != PAM_SUCCESS) -- return retval; -- } - retval = pam_get_authtok(pamh, PAM_OLDAUTHTOK, &pass_old, NULL); - - if (retval != PAM_SUCCESS) { diff --git a/pam-1.3.1-noflex.patch b/pam-1.3.1-noflex.patch deleted file mode 100644 index c65d225377267448ec4927056930c30c051ac413..0000000000000000000000000000000000000000 --- a/pam-1.3.1-noflex.patch +++ /dev/null @@ -1,24 +0,0 @@ -diff -up Linux-PAM-1.3.1/doc/Makefile.am.noflex Linux-PAM-1.3.1/doc/Makefile.am ---- Linux-PAM-1.3.1/doc/Makefile.am.noflex 2017-02-10 11:10:15.000000000 +0100 -+++ Linux-PAM-1.3.1/doc/Makefile.am 2018-05-18 14:53:50.300997606 +0200 -@@ -2,7 +2,7 @@ - # Copyright (c) 2005, 2006 Thorsten Kukuk - # - --SUBDIRS = man specs sag adg mwg -+SUBDIRS = man sag adg mwg - - CLEANFILES = *~ - -diff -up Linux-PAM-1.3.1/Makefile.am.noflex Linux-PAM-1.3.1/Makefile.am ---- Linux-PAM-1.3.1/Makefile.am.noflex 2018-05-18 14:53:50.301997629 +0200 -+++ Linux-PAM-1.3.1/Makefile.am 2018-05-18 14:55:31.576353800 +0200 -@@ -4,7 +4,7 @@ - - AUTOMAKE_OPTIONS = 1.9 gnu dist-bzip2 dist-xz check-news - --SUBDIRS = libpam tests libpamc libpam_misc modules po conf doc examples xtests -+SUBDIRS = libpam tests libpamc libpam_misc modules po doc examples xtests - - CLEANFILES = *~ - diff --git a/pam.spec b/pam.spec index 26afc10e4fee2568c7e883fea81d8f73bd3b8e8c..004ab575d1977d5177eb25eba57fa9855289fce9 100644 --- a/pam.spec +++ b/pam.spec @@ -4,7 +4,7 @@ %define _pamconfdir %{_sysconfdir}/pam.d Name: pam Version: 1.3.1 -Release: 6 +Release: 7 Summary: Pluggable Authentication Modules for Linux License: BSD and GPLv2+ URL: http://www.linux-pam.org/ @@ -19,22 +19,12 @@ Source10: config-util.pamd Source15: pamtmp.conf Source16: postlogin.pamd Source18: https://www.gnu.org/licenses/old-licenses/gpl-2.0.txt -Patch5: pam-1.1.0-notally.patch + Patch6: pam-1.2.1-faillock.patch Patch7: pam-1.2.1-faillock-admin-group.patch -Patch9: pam-1.3.1-noflex.patch -Patch10: pam-1.1.3-nouserenv.patch -Patch13: pam-1.1.6-limits-user.patch -Patch15: pam-1.1.8-full-relro.patch -Patch20: pam-1.2.0-unix-no-fallback.patch -Patch29: pam-1.3.0-pwhistory-helper.patch -Patch31: pam-1.1.8-audit-user-mgmt.patch -Patch33: pam-1.3.0-unix-nomsg.patch Patch6000: bugfix-pam-1.1.8-faillock-failmessages.patch Patch6001: bugfix-pam-1.1.8-faillock-systemtime.patch -Patch6002: bugfix-pam-1.1.8-mod-chinese-date-format.patch -Patch6003: bugfix-pam-1.1.8-translation-missing-add.patch BuildRequires: autoconf automake libtool bison flex sed cracklib-devel BuildRequires: perl-interpreter pkgconfig gettext-devel libtirpc-devel libnsl2-devel @@ -144,10 +134,10 @@ fi %attr(4755,root,root) %{_sbindir}/pam_timestamp_check %attr(4755,root,root) %{_sbindir}/unix_chkpwd %attr(0700,root,root) %{_sbindir}/unix_update +%{_sbindir}/pam_tally %{_sbindir}/pam_tally2 %{_sbindir}/faillock %{_sbindir}/mkhomedir_helper -%{_sbindir}/pwhistory_helper %dir %{_moduledir} %{_moduledir}/pam*.so %{_moduledir}/pam_filter/ @@ -183,6 +173,9 @@ fi %changelog +* Fri Jan 10 2020 openEuler Buildteam - 1.3.1-7 +- clean code + * Mon Dec 30 2019 openEuler Buildteam - 1.3.1-6 - Modify man