commit 41f9ee75a7b2332825eafd07a82eb27e741286a9 Author: zyppe <210hcl@gmail.com> Date: Tue Mar 5 16:54:18 2024 +0800 Initialize for pam-config diff --git a/.gitignore b/.gitignore new file mode 100644 index 0000000..d6d4a8b --- /dev/null +++ b/.gitignore @@ -0,0 +1 @@ +pam-config-1.1.tar.xz diff --git a/.pam-config.metadata b/.pam-config.metadata new file mode 100644 index 0000000..47e3a16 --- /dev/null +++ b/.pam-config.metadata @@ -0,0 +1 @@ +6ad3e06d99d0c1c7d7cee47dd2dcc7f2185e376ad6ba5a09670c90f2f751d88c pam-config-1.1.tar.xz diff --git a/pam-config-fix-pam_keyinit-options.patch b/pam-config-fix-pam_keyinit-options.patch new file mode 100644 index 0000000..d4cb21e --- /dev/null +++ b/pam-config-fix-pam_keyinit-options.patch @@ -0,0 +1,42 @@ +Index: pam-config-1.3/src/mod_pam_keyinit.c +=================================================================== +--- pam-config-1.3.orig/src/mod_pam_keyinit.c ++++ pam-config-1.3/src/mod_pam_keyinit.c +@@ -47,20 +47,15 @@ write_config_keyinit (pam_module_t *this + fp = create_service_file (gl_service); + if (!fp) return 0; + +- fprintf(stderr, "writeit=%d, is_written=%d\n", writeit, is_written); + while (cfg_content != NULL) + { +- fprintf(stderr, "cfg_content->line = >>%s", cfg_content->line); + if (writeit) + { +- fprintf(stderr, "writeit=%d\n", writeit); + if (!is_written) + { +- fprintf(stderr, "is_written=%d\n", is_written); + /* write this entry as the first in the session part */ + if (strstr(cfg_content->line, "session") != NULL) + { +- fprintf(stderr, "strstr(cfg_content->line, \"session\") != NULL\n"); + write_entry(fp, opt_set); + is_written = 1; + } +@@ -97,7 +92,6 @@ write_config_keyinit (pam_module_t *this + static void + write_entry(FILE *fp, option_set_t *opt_set) + { +- fprintf(stderr, "write_entry(fp, opt_set)\n"); + fprintf (fp, "session optional\tpam_keyinit.so revoke "); + if (opt_set->is_enabled (opt_set, "force")) + fprintf (fp, "force "); +@@ -121,7 +115,7 @@ PRINT_ARGS("keyinit") + PRINT_XMLHELP("keyinit") + + /* ---- contruct module object ---- */ +-DECLARE_BOOL_OPTS_3 (is_enabled, debug, force); ++DECLARE_BOOL_OPTS_4 (is_enabled, debug, force, revoke); + DECLARE_STRING_OPTS_0; + DECLARE_OPT_SETS; + diff --git a/pam-config-remove-bad-access-call.patch b/pam-config-remove-bad-access-call.patch new file mode 100644 index 0000000..b97cf2c --- /dev/null +++ b/pam-config-remove-bad-access-call.patch @@ -0,0 +1,54 @@ +Index: pam-config-1.3/src/pam-config.c +=================================================================== +--- pam-config-1.3.orig/src/pam-config.c ++++ pam-config-1.3/src/pam-config.c +@@ -1075,19 +1075,10 @@ main (int argc, char *argv[]) + if (debug) + printf ("*** write_config (%s/pam.d/%s)\n", confdir, gl_service); + +- /* Check if service file exists */ +- char *conffile; +- if (asprintf (&conffile, "%s/pam.d/%s", confdir, gl_service) < 0) +- return 1; +- +- if (access (conffile, R_OK) != 0) +- { +- fprintf (stderr, _("Cannot access '%s': %m\n"), conffile); +- free (conffile); +- return 1; +- } +- free (conffile); +- ++ /* ++ * Note that the modules in service_module_list[] ++ * do not use the "op" and the "fp" parameters. ++ */ + while (*modptr != NULL) + { + retval |= (*modptr)->write_config (*modptr, -1, NULL); +Index: pam-config-1.3/src/single_config.c +=================================================================== +--- pam-config-1.3.orig/src/single_config.c ++++ pam-config-1.3/src/single_config.c +@@ -245,12 +245,15 @@ create_service_file (const char *service + return NULL; + + if (stat (conffile, &f_stat) != 0) +- { +- fprintf (stderr, _("Cannot stat '%s': %m\n"), conffile); +- free (tmp_file); +- free (conffile); +- return NULL; +- } ++ { ++ /* Make them owned by root and writable only by root */ ++ fprintf (stderr, _("Cannot stat '%s': %m\n"), conffile); ++ ++ memset(&f_stat, 0, sizeof(struct stat)); /* To be on the safe side ... */ ++ f_stat.st_mode = 0644; ++ f_stat.st_uid = 0; ++ f_stat.st_gid = 0; ++ } + + free (conffile); + fd = mkstemp (tmp_file); diff --git a/pam-config.changes b/pam-config.changes new file mode 100644 index 0000000..26dbadc --- /dev/null +++ b/pam-config.changes @@ -0,0 +1,309 @@ +* Wed Jun 9 2021 josef.moellers@suse.com +- Add "revoke" to the option list for pam_keyinit + (Remove some leftover debugs while we're at it) + [pam-config-fix-pam_keyinit-options.patch] +* Wed Jun 9 2021 josef.moellers@suse.com +- prior to writing an service-specific config file, the main function + calls access() on the destination file in /etc/pam.d. + This will fail and no config file will be written when the original + config file was installed in /usr/etc/pam.d. + A similar problem exists when creating the new service file: + create_service_file() wants to give the new service file the same + user, group and mode as the old one, but the old one may not exist. + In that case, set these to 0(root), 0(root), and 0644. + [pam-config-remove-bad-access-call.patch, bsc#1187091] +* Tue Jul 16 2019 kukuk@suse.de +- Update to version 1.1: + - enhance comments in common-*-pc files +* Tue Mar 26 2019 kukuk@suse.de +- Update to version 1.0: + - Add search in different locations for config files + - Add support for pam_mktemp [bsc#1123878] +* Mon Dec 10 2018 kukuk@suse.de +- Update to version 0.96: + * Add missing pam_cracklib options [bsc#1114835] +* Wed Apr 11 2018 kukuk@suse.de +- Add triggerun script: update config if pam-modules is removed + [bsc#1088863] +* Fri Feb 23 2018 kukuk@suse.com +- Use %%license instead of %%doc [bsc#1082318] +* Thu Feb 22 2018 kukuk@suse.de +- Update to version 0.95: + - fix migration from pam_unix2/pam_pwcheck to pam_unix/pam_cracklib +* Mon Jan 15 2018 kukuk@suse.de +- Update to version 0.94: add support for keyinit [bsc#1045886] +* Fri Oct 20 2017 kukuk@suse.de +- Update to version 0.93: Teach pam_cracklib module about + enforce_for_root [bnc#929079, FATE#312643]. +* Wed Aug 9 2017 kukuk@suse.de +- Update to version 0.92 + - add pam_kwallet5 support + - move pam_systemd before pam_krb5 [bsc#1014995] + - obsoletes gcc7-Add-break-to-a-case-label.patch +* Mon Jan 9 2017 mliska@suse.cz +- Add gcc7-Add-break-to-a-case-label.patch: fix new warning reported + by GCC7. +* Thu Jun 23 2016 kukuk@suse.de +- Update to version 0.91 + - Adjust for Linux-PAM 1.3.0 + - Automatically replace obsolete PAM modules no longer installed + - Extend error messages +* Fri Apr 1 2016 kukuk@suse.de +- Update to version 0.89 + - Includes pam_google_authenticator.patch + - Better check for dual-arch PAM stack +* Sat Dec 13 2014 ledest@gmail.com +- fix bashism in postun script +* Wed Nov 12 2014 kukuk@suse.de +- Added pam_google_authenticator.patch: support google authentiator + [bnc#888149] +* Thu Sep 25 2014 kukuk@suse.de +- Update to pam-config 0.88 + - Add pam_ecryptfs to password section [bnc#895096] +* Wed Apr 2 2014 kukuk@suse.de +- Update to pam-config 0.87 + - Add support for pam_access.so +- Rervert last change, it will break manually adjusted config + files as documented +* Mon Mar 17 2014 speilicke@suse.com +- "pam-config --debug --update" in the %%post section fails if any + /etc/pam.d/common-$TYPE file is not a symlink to /etc/pam.d/common-$TYPE-pc. + Fix that by adding '--force'. This is mainly an update issue since + fresh configs are created appropriatly +* Thu Feb 7 2013 kukuk@suse.de +- Remove last change regarding sha512, is now solved directly by + pam_unix.so. +* Mon Feb 4 2013 kukuk@suse.de +- Add sha512 and shadow to pam_unix.so when creating common-passwd-pc + by default, did somehow got lost [bnc#801970] +* Mon Nov 12 2012 kukuk@suse.de +- Use --create --force for new installation +- Update to pam-config 0.84 + - Add pam_env per default + - Don't print wrong error messages +* Tue Sep 25 2012 kukuk@suse.de +- Update to pam-config 0.83: + - Fix stacking of pam_unix + - Add new pam_unix options +* Thu Sep 20 2012 kukuk@suse.de +- Use pam_unix and pam_cracklib as default on fresh installations. +* Tue Aug 14 2012 vcizek@suse.com +- make pam_ssh a sufficient auth module (bnc#730851) +* Tue Aug 7 2012 kukuk@suse.de +- Update to pam-config 0.81: + - pam_ssh: fix try_first_pass bug fixed [bnc#773560] + - pam_ecryptfs: fix order, still does not work with + krb5 [bnc#740110] +* Tue Apr 3 2012 kukuk@suse.de +- Add support for pam_ecryptfs [bnc#752851] +* Wed Dec 7 2011 jengelh@medozas.de +- Remove redundant/unwanted tags/section (cf. specfile guidelines) +- Use %%_smp_mflags for parallel building +* Fri Dec 2 2011 coolo@suse.com +- add automake as buildrequire to avoid implicit dependency +* Wed Aug 17 2011 fcrozat@suse.com +- Add pam_systemd.patch: Add pam_systemd support +* Tue May 10 2011 kukuk@suse.de +- Version 0.79 + * Make pam_lastlog optional [bnc#686034]. + * Document that if symlinks don't point to *-pc files config is + ignored [FATE#310739]. +* Wed Oct 13 2010 kukuk@suse.de +- Version 0.78 + * Add pam_fprintd support [bnc#644168] + * Move pam_env at the end of session stack +* Tue Aug 31 2010 kukuk@suse.de +- Version 0.77 + * Fix check for lib64 [bnc#635098] + * Add pam_sss support +* Wed Aug 25 2010 kukuk@suse.de +- Version 0.76 + * Add pam_fprint (patch from ro@suse.de) +* Wed Aug 11 2010 kukuk@suse.de +- Version 0.75 + * Update translations + * Add pam_exec support + * Rewrite pam_make rules to use pam_exec +* Tue Jun 29 2010 kukuk@suse.de +- Version 0.74 + * Fix typo in warning + * Update translations +* Tue Dec 8 2009 jengelh@medozas.de +- enable parallel building +* Tue Dec 1 2009 mc@suse.de +- Version 0.73 + * Add support for pam_passwdqc + * Print warning if cracklib-minlen <= 5 is used (bnc#539053) +* Wed Jul 29 2009 mc@novell.com +- Version 0.72 + * src/mod_pam_gnome_keyring.c: enable use_authtok and support + new option only_if. (bnc#523379) +* Fri May 8 2009 mc@suse.de +- Version 0.71 + * re-add lost query option [bnc#501341] +* Thu Apr 30 2009 kukuk@suse.de +- Version 0.70 + * Fix try_first_pass handling for pam_ssh [bnc#499711] +* Wed Mar 25 2009 kukuk@suse.de +- Version 0.69 + * Add --verify option. + * pam_cracklib is now default instead of pam_pwcheck + [FATE#305468]. +* Mon Dec 1 2008 mc@suse.de +- Version 0.68 + * fix linking; accept relative links (bnc#450019) + * fix some testcases + * Update translations. +* Fri Nov 21 2008 kukuk@suse.de +- Version 0.67 + * Update translations. + * Add type option for pam_pwhistory. +* Mon Nov 10 2008 mc@suse.de +- No options in AUTH section for gnome-keyring (bnc#43189) +* Fri Nov 7 2008 mc@suse.de +- Version 0.66 + * delete option, if argument is 0 (bnc#442552) + * Add support for pam_gnome_keyring [bnc#440448]. + * Implement nullok for single services, too [bnc#440437]. +* Wed Nov 5 2008 mc@suse.de +- Version 0.65 + * fix error at option parsing.(bnc#440436) + * update translations. +* Wed Oct 22 2008 mc@suse.de +- configure pam_selinux with open and close option +* Tue Oct 21 2008 mc@suse.de +- Version 0.64 + - Add support for pam_selinux +* Tue Oct 14 2008 kukuk@suse.de +- Version 0.63 + - Add support for pam_pwhistory +* Tue Oct 7 2008 mc@suse.de +- Version 0.62 +- add support for pam_fp +* Mon Oct 6 2008 mc@suse.de +- Version 0.61 + * print correct error message if sanity check fails + * fix the loose of values in case of some string options. + (bnc#414447) +* Thu Sep 4 2008 kukuk@suse.de +- Version 0.60 + * Generate manual page from internal data + * Remove obsolete pam_pwcheck options +* Fri Aug 29 2008 mc@suse.de +- Version 0.59 + * skip unix password change for uid > 999 in case of krb5 is used. + * set LANG=C when running checks + * Update translations. +* Fri Aug 22 2008 mc@suse.de +- Version 0.58 + * return correct query result in case of + - -ldap vs. --ldap-account_only +* Mon Jul 28 2008 sschober@suse.de +- Version 0.57 + * fix pam_mount: use "optional" in session stack [bnc#409541] +* Mon Jul 14 2008 kukuk@suse.de +- Version 0.56 + * Add is_enabled to pam_csync +* Thu Jul 10 2008 kukuk@suse.de +- Version 0.55 + * Add pam_csync support [FATE#303805] +* Mon Jun 30 2008 kukuk@suse.de +- Version 0.54 + * Add pam_ssh support (to start ssh-agent, not for authentication) +* Fri May 23 2008 kukuk@suse.de +- Version 0.53 + * Better debug messages on writing config files + * Fix handling of backup files + (both found when debugging [bnc#392950]) + * Update translations +* Tue Apr 1 2008 mc@suse.de +- Version 0.52 + * fix missing pam_localuser (bnc#371558) + * update localization files +* Mon Mar 10 2008 mc@suse.de +- Version 0.51 + - adapt krb5 support to new pam_krb5 version +* Wed Feb 13 2008 kukuk@suse.de +- Version 0.50 + - Add pam_time and pam_group support + - Rewrite option handling +* Fri Nov 23 2007 mc@suse.de +- Version 0.27 + - Move write_config after sanitize_check calles +* Wed Nov 14 2007 mc@suse.de +- Version 0.26 + - Add support for ldap-account_only +* Tue Nov 13 2007 mc@suse.de +- Version 0.25 + - Do not check for installed pam-module on + delete request [#337369]. + - fix missconfiguration of pam_krb5 [#335521] +* Thu Oct 25 2007 sschober@suse.de +- Version 0.24: + - Bug fixing [#328519] + - integrated testsuite +* Tue Aug 14 2007 sschober@suse.de +- Version 0.23: + - Bug fixing + - Support for pam_thinkfinger [#300201] [Fate#301952] +* Tue Aug 14 2007 sschober@suse.de +- Version 0.22: + - Bug fixing + - Support for pam_ck_connector [#297559] +* Fri Jul 27 2007 kukuk@suse.de +- Version 0.21: + - Add translations + - Bug fixing + - Add pam_cryptpass +* Fri Jul 6 2007 kukuk@suse.de +- Version 0.20: + - Rewrite internal interface + - Add pam_unix and pam_mount +* Wed Jun 27 2007 kukuk@suse.de +- Version 0.16: + - Add support for pam_lastlog and pam_loginuid +* Mon Jan 29 2007 kukuk@suse.de +- Version 0.15: + - Fix -d handling of minlen option of pam_pwcheck +* Fri Jan 26 2007 kukuk@suse.de +- Version 0.14: + - Add --krb5_ignore_unknown_principals option + - Add --pam_pwcheck-no_minlen option [bnc#227395] +* Wed Oct 25 2006 kukuk@suse.de +- Version 0.13: + - Add pam_capability support + - pam_apparmor should only be optional [Fate#300510] +* Wed Sep 20 2006 kukuk@suse.de +- Fix debug flag handling for pam_cracklib/pam_pwcheck +* Thu Sep 14 2006 kukuk@suse.de +- Version 0.11: + - Changes to account stack with krb5 and ldap + - Add support for pam_umask.so +* Thu Aug 31 2006 kukuk@suse.de +- Version 0.10: + - Fix first install if pam-modules was updated before + - Document missing options in manual page +* Fri Aug 25 2006 kukuk@suse.de +- Version 0.9: + - Add pam_winbind support + - Rename pam_krb5afs to pam_krb5 if we find it + - Support minimum_uid for pam_krb5 +* Fri Aug 25 2006 kukuk@suse.de +- Add LUM support and no_obscure_checks to pam_pwcheck (0.8) +* Thu Aug 24 2006 kukuk@suse.de +- Version 0.7: + - Add support for pam_cracklib. + - Add support for pam_apparmor. + - Fix stacking of pam_unix2 with pam_ldap. +* Wed Aug 23 2006 kukuk@suse.de +- Fix stacking of modules, add query option for YaST2 (version 0.6) +* Tue Aug 22 2006 kukuk@suse.de +- Bug fixes, add --update option (version 0.5) +* Tue Aug 22 2006 kukuk@suse.de +- Add support for ccreds and pkcs11 (version 0.4) +* Mon Aug 21 2006 kukuk@suse.de +- Add support for ldap and krb5 (version 0.3) +* Mon Aug 21 2006 kukuk@suse.de +- Add documentation (version 0.2) +* Sun Aug 20 2006 kukuk@suse.de +- Initial release diff --git a/pam-config.spec b/pam-config.spec new file mode 100644 index 0000000..0103070 --- /dev/null +++ b/pam-config.spec @@ -0,0 +1,85 @@ +# +# spec file for package pam-config +# +# Copyright (c) 2022-2023 ZhuningOS +# + + +Name: pam-config +Version: 1.1 +Release: 3.3.1 +Summary: Modify common PAM configuration files +License: GPL-2.0-only +Group: System/Management +URL: https://github.com/SUSE/pam-config +Source: %{name}-%{version}.tar.xz +Patch1: pam-config-remove-bad-access-call.patch +Patch2: pam-config-fix-pam_keyinit-options.patch +PreReq: pam >= 1.3.0 + +%description +pam-config is a command line utility to maintain the common PAM +configuration files included by most PAM application configuration +files. It can be used to configure a system for different network or +hardware based authentication schemes. pam-config can also +add/adjust/remove other PAM modules and their options. + +%prep +%setup -q +%patch1 -p1 +%patch2 -p1 + +%build +%configure +make %{?_smp_mflags} + +%install +%make_install +mkdir -p %{buildroot}/%{_sysconfdir}/pam.d +for i in account auth password session ; do + touch %{buildroot}/%{_sysconfdir}/pam.d/common-$i-pc +done +%find_lang pam-config + +%post +if [ ! -f %{_sysconfdir}/pam.d/common-auth-pc ] ; then + pam-config --debug --create --force +else + pam-config --debug --update ||: +fi + +%postun +if [ $1 = 0 ]; then + # Deinstall + dir=%{_sysconfdir}/security + for conf in pam_unix2.conf pam_pwcheck.conf ; do + if [ -f $dir/$conf.pam-config-backup -a ! -f $dir/$conf ]; then + mv -v $dir/$conf.pam-config-backup $dir/$conf + fi + done + dir=%{_sysconfdir}/pam.d + for pamd in common-account common-auth common-password common-session ; do + if [ -f $dir/$pamd.pam-config-backup -a -L $dir/$pamd ]; then + rm -v $dir/$pamd && mv -v $dir/$pamd.pam-config-backup $dir/$pamd + fi + # common-*-pc are ghost, so we have to move them away... + if [ -f $dir/$pamd-pc ]; then + mv -v $dir/$pamd-pc $dir/$pamd-pc.bak + fi + done +fi + +%triggerpostun -- pam-modules +[ $2 = 0 ] || exit 0 +pam-config --debug --update ||: + +%files -f pam-config.lang +%license COPYING +%{_sbindir}/pam-config +%{_mandir}/man8/pam-config.8* +%ghost %config %{_sysconfdir}/pam.d/common-account-pc +%ghost %config %{_sysconfdir}/pam.d/common-auth-pc +%ghost %config %{_sysconfdir}/pam.d/common-password-pc +%ghost %config %{_sysconfdir}/pam.d/common-session-pc + +%changelog