author | Patrick J Volkerding <volkerdi@slackware.com> | 2020-06-13 20:40:31 +0000 |
---|---|---|
committer | Eric Hameleers <alien@slackware.com> | 2020-06-14 08:59:53 +0200 |
commit | 0959f2bb54a685807217ea93b53db25a8ce9181e (patch) | |
tree | da80cc426ce1136cac13dc613a6c11c43baada9c /source/a/pam | |
parent | bf14db28cb4ba1b9bcb3e355ce067b61220d7289 (diff) | |
download | current-0959f2bb54a685807217ea93b53db25a8ce9181e.tar.gz |
Sat Jun 13 20:40:31 UTC 202020200613204031
a/pam-1.4.0-x86_64-1.txz: Upgraded.
IMPORTANT NOTE: This update removes the pam_cracklib and pam_tally2 modules.
None of our current configuration files in /etc/pam.d/ use either of those,
but if the configuration files on your machine do you'll need to comment out
or remove those lines, otherwise you may experience login failures.
a/shadow-4.8.1-x86_64-9.txz: Rebuilt.
/etc/pam.d/system-auth: prefix lines that call pam_gnome_keyring.so with '-'
to avoid spamming the logs about failures.
a/sysvinit-scripts-2.1-noarch-32.txz: Rebuilt.
rc.S: create /var/run/faillock directory for pam_faillock(8).
a/util-linux-2.35.2-x86_64-2.txz: Rebuilt.
/etc/pam.d/login: change the example for locking an account for too many
failed login attempts to use pam_faillock instead of pam_tally2.
l/imagemagick-7.0.10_19-x86_64-1.txz: Upgraded.
l/libzip-1.7.1-x86_64-1.txz: Upgraded.
n/openssh-8.3p1-x86_64-2.txz: Rebuilt.
/etc/pam.d/sshd: change the example for locking an account for too many
failed login attempts to use pam_faillock instead of pam_tally2.
Diffstat (limited to 'source/a/pam')
-rw-r--r-- | source/a/pam/fedora-patches/pam-1.4.0-redhat-modules.patch | 29 | ||||
-rwxr-xr-x | source/a/pam/pam.SlackBuild | 53 | ||||
-rw-r--r-- | source/a/pam/patches/pam.pam_tally2.no.fsync.patch | 35 | ||||
-rw-r--r-- | source/a/pam/patches/pam.pam_tally2.slackware.diff | 11 |
4 files changed, 55 insertions, 73 deletions
diff --git a/source/a/pam/fedora-patches/pam-1.4.0-redhat-modules.patch b/source/a/pam/fedora-patches/pam-1.4.0-redhat-modules.patch
new file mode 100644
index 00000000..fda4eca7
--- /dev/null
+++ b/source/a/pam/fedora-patches/pam-1.4.0-redhat-modules.patch
@@ -0,0 +1,29 @@
+--- ./configure.ac.orig 2020-06-08 05:17:27.000000000 -0500
++++ ./configure.ac 2020-06-13 14:11:04.857950668 -0500
+@@ -712,6 +712,7 @@
+ po/Makefile.in \
+ Make.xml.rules \
+ modules/Makefile \
++ modules/pam_chroot/Makefile modules/pam_console/Makefile modules/pam_postgresok/Makefile \
+ modules/pam_access/Makefile modules/pam_cracklib/Makefile \
+ modules/pam_debug/Makefile modules/pam_deny/Makefile \
+ modules/pam_echo/Makefile modules/pam_env/Makefile \
+--- ./modules/Makefile.am.orig 2020-06-08 05:17:27.000000000 -0500
++++ ./modules/Makefile.am 2020-06-13 14:12:28.614946035 -0500
+@@ -53,6 +53,8 @@
+ SUBDIRS := \
+ pam_access \
+ $(MAYBE_PAM_CRACKLIB) \
++ pam_chroot \
++ pam_console \
+ pam_debug \
+ pam_deny \
+ pam_echo \
+@@ -76,6 +78,7 @@
+ $(MAYBE_PAM_NAMESPACE) \
+ pam_nologin \
+ pam_permit \
++ pam_postgresok \
+ pam_pwhistory \
+ $(MAYBE_PAM_RHOSTS) \
+ pam_rootok \
diff --git a/source/a/pam/pam.SlackBuild b/source/a/pam/pam.SlackBuild
index 23aad8bc..f5d1d3d6 100755
--- a/source/a/pam/pam.SlackBuild
+++ b/source/a/pam/pam.SlackBuild
@@ -87,36 +87,35 @@ tar xvf $CWD/pam-redhat-$PAMRHVER.tar.?z || exit 1
 for file in CHANGELOG COPYING README ; do
 mv pam-redhat-$PAMRHVER/${file}* ./${file}.pam-redhat
 done
-mv pam-redhat-$PAMRHVER/* modules
-zcat $CWD/fedora-patches/pam-1.3.1-redhat-modules.patch.gz | patch -p1 --verbose || exit 1
-zcat $CWD/fedora-patches/pam-1.3.1-noflex.patch.gz | patch -p1 --verbose || exit 1
-zcat $CWD/fedora-patches/pam-1.1.3-nouserenv.patch.gz | patch -p1 --verbose || exit 1
+# Add additional PAM modules from Red Hat:
+for file in pam-redhat-$PAMRHVER/* ; do
+ if [ ! -d modules/$(basename $file) ]; then
+ echo "Moving module directory $(basename $file)."
+ mv $file modules
+ else
+ echo "$(basename $file) already exists in modules/, not moving!"
+ fi
+done
+# NOTE: Linux-PAM-1.4.0 already ships with most of these applied:
+#zcat $CWD/fedora-patches/pam-1.3.1-redhat-modules.patch.gz | patch -p1 --verbose || exit 1
+zcat $CWD/fedora-patches/pam-1.4.0-redhat-modules.patch.gz | patch -p1 --verbose || exit 1
+#zcat $CWD/fedora-patches/pam-1.3.1-noflex.patch.gz | patch -p1 --verbose || exit 1
+#zcat $CWD/fedora-patches/pam-1.1.3-nouserenv.patch.gz | patch -p1 --verbose || exit 1
 zcat $CWD/fedora-patches/pam-1.1.6-limits-user.patch.gz | patch -p1 --verbose || exit 1
-zcat $CWD/fedora-patches/pam-1.1.8-full-relro.patch.gz | patch -p1 --verbose || exit 1
-zcat $CWD/fedora-patches/pam-1.3.0-pwhistory-helper.patch.gz | patch -p1 --verbose || exit 1
+#zcat $CWD/fedora-patches/pam-1.1.8-full-relro.patch.gz | patch -p1 --verbose || exit 1
+#zcat $CWD/fedora-patches/pam-1.3.0-pwhistory-helper.patch.gz | patch -p1 --verbose || exit 1
 zcat $CWD/fedora-patches/pam-1.1.8-audit-user-mgmt.patch.gz | patch -p1 --verbose || exit 1
 zcat $CWD/fedora-patches/pam-1.3.0-unix-nomsg.patch.gz | patch -p1 --verbose || exit 1
-zcat $CWD/fedora-patches/pam-1.3.1-coverity.patch.gz | patch -p1 --verbose || exit 1
-zcat $CWD/fedora-patches/pam-1.3.1-unix-remove-obsolete-_unix_read_password-prototype.patch.gz | patch -p1 --verbose || exit 1
-zcat $CWD/fedora-patches/pam-1.3.1-unix-bcrypt_b.patch.gz | patch -p1 --verbose || exit 1
-zcat $CWD/fedora-patches/pam-1.3.1-unix-gensalt-autoentropy.patch.gz | patch -p1 --verbose || exit 1
-zcat $CWD/fedora-patches/pam-1.3.1-unix-crypt_checksalt.patch.gz | patch -p1 --verbose || exit 1
-zcat $CWD/fedora-patches/pam-1.3.1-unix-yescrypt.patch.gz | patch -p1 --verbose || exit 1
-zcat $CWD/fedora-patches/pam-1.3.1-unix-no-fallback.patch.gz | patch -p1 --verbose || exit 1
-zcat $CWD/fedora-patches/pam-1.3.1-motd-multiple-paths.patch.gz | patch -p1 --verbose || exit 1
-zcat $CWD/fedora-patches/pam-1.3.1-unix-checksalt_syslog.patch.gz | patch -p1 --verbose || exit 1
-zcat $CWD/fedora-patches/pam-1.3.1-unix-fix_checksalt_syslog.patch.gz | patch -p1 --verbose || exit 1
-
-# pam_tally2 removed in recent redhat-modules.patch, but we'll keep it
-# for now since system-auth in the shadow package uses it. Perhaps see if
-# pam_faillock can replace the usage there?
-zcat $CWD/patches/pam.pam_tally2.slackware.diff.gz | patch -p1 --verbose || exit 1
-
-# Upstream git patch to prevent pam_tally2 from doing an fsync()
-# with every failed login. This can cause system slowdowns, especially
-# on Internet-connected machines that may endure endless dictionary
-# attacks.
-zcat $CWD/patches/pam.pam_tally2.no.fsync.patch.gz | patch -p1 --verbose || exit 1
+#zcat $CWD/fedora-patches/pam-1.3.1-coverity.patch.gz | patch -p1 --verbose || exit 1
+#zcat $CWD/fedora-patches/pam-1.3.1-unix-remove-obsolete-_unix_read_password-prototype.patch.gz | patch -p1 --verbose || exit 1
+#zcat $CWD/fedora-patches/pam-1.3.1-unix-bcrypt_b.patch.gz | patch -p1 --verbose || exit 1
+#zcat $CWD/fedora-patches/pam-1.3.1-unix-gensalt-autoentropy.patch.gz | patch -p1 --verbose || exit 1
+#zcat $CWD/fedora-patches/pam-1.3.1-unix-crypt_checksalt.patch.gz | patch -p1 --verbose || exit 1
+#zcat $CWD/fedora-patches/pam-1.3.1-unix-yescrypt.patch.gz | patch -p1 --verbose || exit 1
+#zcat $CWD/fedora-patches/pam-1.3.1-unix-no-fallback.patch.gz | patch -p1 --verbose || exit 1
+#zcat $CWD/fedora-patches/pam-1.3.1-motd-multiple-paths.patch.gz | patch -p1 --verbose || exit 1
+#zcat $CWD/fedora-patches/pam-1.3.1-unix-checksalt_syslog.patch.gz | patch -p1 --verbose || exit 1
+#zcat $CWD/fedora-patches/pam-1.3.1-unix-fix_checksalt_syslog.patch.gz | patch -p1 --verbose || exit 1

 # Improve the comments in /etc/environment:
 zcat $CWD/patches/pam.etc.environment.better.comments.diff.gz | patch -p1 --verbose || exit 1
diff --git a/source/a/pam/patches/pam.pam_tally2.no.fsync.patch b/source/a/pam/patches/pam.pam_tally2.no.fsync.patch
deleted file mode 100644
index 15b40115..00000000
--- a/source/a/pam/patches/pam.pam_tally2.no.fsync.patch
+++ /dev/null
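Review bot: The `# NOTE:` comment above the disabled patches says Linux-PAM-1.4.0 ships with "most" of them, so the `#zcat` lines do not tell a maintainer which patches were merged upstream and which were simply dropped. That distinction matters for `pam-1.1.8-full-relro.patch` and `pam-1.1.3-nouserenv.patch`, whose names suggest link-time hardening and a safer pam_env default; whether 1.4.0 covers either cannot be confirmed from this hunk. I would delete the commented-out lines and record the decision once, for example `# Dropped for 1.4.0, merged upstream: <patch list>` followed by `# Dropped for 1.4.0, not upstream: <patch list> (<reason>)`. The diffstat does not remove the old files under fedora-patches/, so they presumably stay in the tree unreferenced.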
@@ -1,35 +0,0 @@
-From b136bff25e93be6f11de74aca03569022364b973 Mon Sep 17 00:00:00 2001
-From: "Maciej S. Szmigiero" <mail@maciej.szmigiero.name>
-Date: Mon, 25 Feb 2019 20:50:48 +0100
-Subject: [PATCH] pam_tally2: Remove unnecessary fsync()
-
-pam_tally2 does fsync() after writing to a tally file.
-This causes hard drive cache flushes on every failed SSH login on many
-(if not most) filesystems.
-And an internet-exposed machine can have a lot of these failed logins.
-
-This operation however doesn't seem to be necessary - the pam_tally2
-module does not do any operation which would need explicit post-crash
-ordering, it just does simple file reads and writes.
-And doing a fsync() after them doesn't close any race if the system happens
-to crash between a write being posted and its fsync() completion.
-
-Let's remove this operation to get rid of all these extra cache flushes.
----
- modules/pam_tally2/pam_tally2.c | 4 ----
- 1 file changed, 4 deletions(-)
-
-diff --git a/modules/pam_tally2/pam_tally2.c b/modules/pam_tally2/pam_tally2.c
-index 984edf6a..ce7f5aee 100644
---- a/modules/pam_tally2/pam_tally2.c
-+++ b/modules/pam_tally2/pam_tally2.c
-@@ -484,10 +484,6 @@ set_tally(pam_handle_t *pamh, uid_t uid,
- }
- }
-
-- if (fsync(*tfile)) {
-- pam_syslog(pamh, LOG_ALERT, "update (fsync) failed for %s: %m", filename);
-- return PAM_AUTH_ERR;
-- }
- return PAM_SUCCESS;
- }
diff --git a/source/a/pam/patches/pam.pam_tally2.slackware.diff b/source/a/pam/patches/pam.pam_tally2.slackware.diff
deleted file mode 100644
index 8ab85321..00000000
--- a/source/a/pam/patches/pam.pam_tally2.slackware.diff
+++ /dev/null
@@ -1,11 +0,0 @@
---- ./modules/Makefile.am.orig 2019-07-16 13:18:28.619322386 -0500
-+++ ./modules/Makefile.am 2019-07-16 13:45:49.260371056 -0500
-@@ -10,7 +10,7 @@
- pam_mkhomedir pam_motd pam_namespace pam_nologin \
- pam_permit pam_pwhistory pam_rhosts pam_rootok pam_securetty \
- pam_selinux pam_sepermit pam_shells pam_stress \
-- pam_succeed_if pam_time pam_timestamp \
-+ pam_succeed_if pam_tally2 pam_time pam_timestamp \
- pam_tty_audit pam_umask \
- pam_unix pam_userdb pam_warn pam_wheel pam_xauth
-
|