Sat Jun 13 20:40:31 UTC 202020200613204031

a/pam-1.4.0-x86_64-1.txz:  Upgraded.
  IMPORTANT NOTE: This update removes the pam_cracklib and pam_tally2 modules.
  None of our current configuration files in /etc/pam.d/ use either of those,
  but if the configuration files on your machine do you'll need to comment out
  or remove those lines, otherwise you may experience login failures.
a/shadow-4.8.1-x86_64-9.txz:  Rebuilt.
  /etc/pam.d/system-auth: prefix lines that call pam_gnome_keyring.so with '-'
  to avoid spamming the logs about failures.
a/sysvinit-scripts-2.1-noarch-32.txz:  Rebuilt.
  rc.S: create /var/run/faillock directory for pam_faillock(8).
a/util-linux-2.35.2-x86_64-2.txz:  Rebuilt.
  /etc/pam.d/login: change the example for locking an account for too many
  failed login attempts to use pam_faillock instead of pam_tally2.
l/imagemagick-7.0.10_19-x86_64-1.txz:  Upgraded.
l/libzip-1.7.1-x86_64-1.txz:  Upgraded.
n/openssh-8.3p1-x86_64-2.txz:  Rebuilt.
  /etc/pam.d/sshd: change the example for locking an account for too many
  failed login attempts to use pam_faillock instead of pam_tally2.

10 files changed, 71 insertions, 81 deletions

diff --git a/source/a/pam/fedora-patches/pam-1.4.0-redhat-modules.patch b/source/a/pam/fedora-patches/pam-1.4.0-redhat-modules.patch
new file mode 100644
index 00000000..fda4eca7
--- /dev/null
+++ b/source/a/pam/fedora-patches/pam-1.4.0-redhat-modules.patch
@@ -0,0 +1,29 @@
+--- ./configure.ac.orig	2020-06-08 05:17:27.000000000 -0500
++++ ./configure.ac	2020-06-13 14:11:04.857950668 -0500
+@@ -712,6 +712,7 @@
+ 	po/Makefile.in \
+ 	Make.xml.rules \
+ 	modules/Makefile \
++	modules/pam_chroot/Makefile modules/pam_console/Makefile modules/pam_postgresok/Makefile \
+ 	modules/pam_access/Makefile modules/pam_cracklib/Makefile \
+         modules/pam_debug/Makefile modules/pam_deny/Makefile \
+ 	modules/pam_echo/Makefile modules/pam_env/Makefile \
+--- ./modules/Makefile.am.orig	2020-06-08 05:17:27.000000000 -0500
++++ ./modules/Makefile.am	2020-06-13 14:12:28.614946035 -0500
+@@ -53,6 +53,8 @@
+ SUBDIRS := \
+ 	pam_access \
+ 	$(MAYBE_PAM_CRACKLIB) \
++	pam_chroot \
++	pam_console \
+ 	pam_debug \
+ 	pam_deny \
+ 	pam_echo \
+@@ -76,6 +78,7 @@
+ 	$(MAYBE_PAM_NAMESPACE) \
+ 	pam_nologin \
+ 	pam_permit \
++	pam_postgresok \
+ 	pam_pwhistory \
+ 	$(MAYBE_PAM_RHOSTS) \
+ 	pam_rootok \
diff --git a/source/a/pam/pam.SlackBuild b/source/a/pam/pam.SlackBuild
index 23aad8bc..f5d1d3d6 100755
--- a/source/a/pam/pam.SlackBuild
+++ b/source/a/pam/pam.SlackBuild
@@ -87,36 +87,35 @@ tar xvf $CWD/pam-redhat-$PAMRHVER.tar.?z || exit 1
 for file in CHANGELOG COPYING README ; do
   mv pam-redhat-$PAMRHVER/${file}* ./${file}.pam-redhat
 done
-mv pam-redhat-$PAMRHVER/* modules
-zcat $CWD/fedora-patches/pam-1.3.1-redhat-modules.patch.gz | patch -p1 --verbose || exit 1
-zcat $CWD/fedora-patches/pam-1.3.1-noflex.patch.gz | patch -p1 --verbose || exit 1
-zcat $CWD/fedora-patches/pam-1.1.3-nouserenv.patch.gz | patch -p1 --verbose || exit 1
+# Add additional PAM modules from Red Hat:
+for file in pam-redhat-$PAMRHVER/* ; do
+  if [ ! -d modules/$(basename $file) ]; then
+    echo "Moving module directory $(basename $file)."
+    mv $file modules
+  else
+    echo "$(basename $file) already exists in modules/, not moving!"
+  fi
+done
+# NOTE: Linux-PAM-1.4.0 already ships with most of these applied:
+#zcat $CWD/fedora-patches/pam-1.3.1-redhat-modules.patch.gz | patch -p1 --verbose || exit 1
+zcat $CWD/fedora-patches/pam-1.4.0-redhat-modules.patch.gz | patch -p1 --verbose || exit 1
+#zcat $CWD/fedora-patches/pam-1.3.1-noflex.patch.gz | patch -p1 --verbose || exit 1
+#zcat $CWD/fedora-patches/pam-1.1.3-nouserenv.patch.gz | patch -p1 --verbose || exit 1
 zcat $CWD/fedora-patches/pam-1.1.6-limits-user.patch.gz | patch -p1 --verbose || exit 1
-zcat $CWD/fedora-patches/pam-1.1.8-full-relro.patch.gz | patch -p1 --verbose || exit 1
-zcat $CWD/fedora-patches/pam-1.3.0-pwhistory-helper.patch.gz | patch -p1 --verbose || exit 1
+#zcat $CWD/fedora-patches/pam-1.1.8-full-relro.patch.gz | patch -p1 --verbose || exit 1
+#zcat $CWD/fedora-patches/pam-1.3.0-pwhistory-helper.patch.gz | patch -p1 --verbose || exit 1
 zcat $CWD/fedora-patches/pam-1.1.8-audit-user-mgmt.patch.gz | patch -p1 --verbose || exit 1
 zcat $CWD/fedora-patches/pam-1.3.0-unix-nomsg.patch.gz | patch -p1 --verbose || exit 1
-zcat $CWD/fedora-patches/pam-1.3.1-coverity.patch.gz | patch -p1 --verbose || exit 1
-zcat $CWD/fedora-patches/pam-1.3.1-unix-remove-obsolete-_unix_read_password-prototype.patch.gz | patch -p1 --verbose || exit 1
-zcat $CWD/fedora-patches/pam-1.3.1-unix-bcrypt_b.patch.gz | patch -p1 --verbose || exit 1
-zcat $CWD/fedora-patches/pam-1.3.1-unix-gensalt-autoentropy.patch.gz | patch -p1 --verbose || exit 1
-zcat $CWD/fedora-patches/pam-1.3.1-unix-crypt_checksalt.patch.gz | patch -p1 --verbose || exit 1
-zcat $CWD/fedora-patches/pam-1.3.1-unix-yescrypt.patch.gz | patch -p1 --verbose || exit 1
-zcat $CWD/fedora-patches/pam-1.3.1-unix-no-fallback.patch.gz | patch -p1 --verbose || exit 1
-zcat $CWD/fedora-patches/pam-1.3.1-motd-multiple-paths.patch.gz | patch -p1 --verbose || exit 1
-zcat $CWD/fedora-patches/pam-1.3.1-unix-checksalt_syslog.patch.gz | patch -p1 --verbose || exit 1
-zcat $CWD/fedora-patches/pam-1.3.1-unix-fix_checksalt_syslog.patch.gz | patch -p1 --verbose || exit 1
-
-# pam_tally2 removed in recent redhat-modules.patch, but we'll keep it
-# for now since system-auth in the shadow package uses it. Perhaps see if
-# pam_faillock can replace the usage there?
-zcat $CWD/patches/pam.pam_tally2.slackware.diff.gz | patch -p1 --verbose || exit 1
-
-# Upstream git patch to prevent pam_tally2 from doing an fsync()
-# with every failed login. This can cause system slowdowns, especially
-# on Internet-connected machines that may endure endless dictionary
-# attacks.
-zcat $CWD/patches/pam.pam_tally2.no.fsync.patch.gz | patch -p1 --verbose || exit 1
+#zcat $CWD/fedora-patches/pam-1.3.1-coverity.patch.gz | patch -p1 --verbose || exit 1
+#zcat $CWD/fedora-patches/pam-1.3.1-unix-remove-obsolete-_unix_read_password-prototype.patch.gz | patch -p1 --verbose || exit 1
+#zcat $CWD/fedora-patches/pam-1.3.1-unix-bcrypt_b.patch.gz | patch -p1 --verbose || exit 1
+#zcat $CWD/fedora-patches/pam-1.3.1-unix-gensalt-autoentropy.patch.gz | patch -p1 --verbose || exit 1
+#zcat $CWD/fedora-patches/pam-1.3.1-unix-crypt_checksalt.patch.gz | patch -p1 --verbose || exit 1
+#zcat $CWD/fedora-patches/pam-1.3.1-unix-yescrypt.patch.gz | patch -p1 --verbose || exit 1
+#zcat $CWD/fedora-patches/pam-1.3.1-unix-no-fallback.patch.gz | patch -p1 --verbose || exit 1
+#zcat $CWD/fedora-patches/pam-1.3.1-motd-multiple-paths.patch.gz | patch -p1 --verbose || exit 1
+#zcat $CWD/fedora-patches/pam-1.3.1-unix-checksalt_syslog.patch.gz | patch -p1 --verbose || exit 1
+#zcat $CWD/fedora-patches/pam-1.3.1-unix-fix_checksalt_syslog.patch.gz | patch -p1 --verbose || exit 1
 
 # Improve the comments in /etc/environment:
 zcat $CWD/patches/pam.etc.environment.better.comments.diff.gz | patch -p1 --verbose || exit 1
diff --git a/source/a/pam/patches/pam.pam_tally2.no.fsync.patch b/source/a/pam/patches/pam.pam_tally2.no.fsync.patch
deleted file mode 100644
index 15b40115..00000000
--- a/source/a/pam/patches/pam.pam_tally2.no.fsync.patch
+++ /dev/null
@@ -1,35 +0,0 @@
-From b136bff25e93be6f11de74aca03569022364b973 Mon Sep 17 00:00:00 2001
-From: "Maciej S. Szmigiero" <mail@maciej.szmigiero.name>
-Date: Mon, 25 Feb 2019 20:50:48 +0100
-Subject: [PATCH] pam_tally2: Remove unnecessary fsync()
-
-pam_tally2 does fsync() after writing to a tally file.
-This causes hard drive cache flushes on every failed SSH login on many
-(if not most) filesystems.
-And an internet-exposed machine can have a lot of these failed logins.
-
-This operation however doesn't seem to be necessary - the pam_tally2
-module does not do any operation which would need explicit post-crash
-ordering, it just does simple file reads and writes.
-And doing a fsync() after them doesn't close any race if the system happens
-to crash between a write being posted and its fsync() completion.
-
-Let's remove this operation to get rid of all these extra cache flushes.
----
- modules/pam_tally2/pam_tally2.c | 4 ----
- 1 file changed, 4 deletions(-)
-
-diff --git a/modules/pam_tally2/pam_tally2.c b/modules/pam_tally2/pam_tally2.c
-index 984edf6a..ce7f5aee 100644
---- a/modules/pam_tally2/pam_tally2.c
-+++ b/modules/pam_tally2/pam_tally2.c
-@@ -484,10 +484,6 @@ set_tally(pam_handle_t *pamh, uid_t uid,
-         }
-     }
- 
--    if (fsync(*tfile)) {
--      pam_syslog(pamh, LOG_ALERT, "update (fsync) failed for %s: %m", filename);
--      return PAM_AUTH_ERR;
--    }
-     return PAM_SUCCESS;
- }
diff --git a/source/a/pam/patches/pam.pam_tally2.slackware.diff b/source/a/pam/patches/pam.pam_tally2.slackware.diff
deleted file mode 100644
index 8ab85321..00000000
--- a/source/a/pam/patches/pam.pam_tally2.slackware.diff
+++ /dev/null
@@ -1,11 +0,0 @@
---- ./modules/Makefile.am.orig	2019-07-16 13:18:28.619322386 -0500
-+++ ./modules/Makefile.am	2019-07-16 13:45:49.260371056 -0500
-@@ -10,7 +10,7 @@
- 	pam_mkhomedir pam_motd pam_namespace pam_nologin \
- 	pam_permit pam_pwhistory pam_rhosts pam_rootok pam_securetty \
- 	pam_selinux pam_sepermit pam_shells pam_stress \
--	pam_succeed_if pam_time pam_timestamp \
-+	pam_succeed_if pam_tally2 pam_time pam_timestamp \
- 	pam_tty_audit pam_umask \
- 	pam_unix pam_userdb pam_warn pam_wheel pam_xauth
- 
diff --git a/source/a/shadow/pam.d/system-auth b/source/a/shadow/pam.d/system-auth
index c1d77dbd..d504e232 100644
--- a/source/a/shadow/pam.d/system-auth
+++ b/source/a/shadow/pam.d/system-auth
@@ -12,7 +12,7 @@ auth        required      pam_env.so
 auth        optional      pam_group.so
 auth        sufficient    pam_unix.so likeauth nullok
 auth        required      pam_deny.so
-auth        optional      pam_gnome_keyring.so
+-auth        optional      pam_gnome_keyring.so
 
 ##################
 # Account checks #
@@ -67,4 +67,4 @@ session     required      pam_limits.so
 session     required      pam_unix.so
 #session     required      pam_lastlog.so showfailed
 #session     optional      pam_mail.so standard
-session     optional      pam_gnome_keyring.so auto_start
+-session     optional      pam_gnome_keyring.so auto_start
diff --git a/source/a/shadow/shadow.SlackBuild b/source/a/shadow/shadow.SlackBuild
index 40326878..a37b2ef3 100755
--- a/source/a/shadow/shadow.SlackBuild
+++ b/source/a/shadow/shadow.SlackBuild
@@ -24,7 +24,7 @@ cd $(dirname $0) ; CWD=$(pwd)
 
 PKGNAM=shadow
 VERSION=${VERSION:-$(echo $PKGNAM-*.tar.xz | rev | cut -f 3- -d . | cut -f 1 -d - | rev)}
-BUILD=${BUILD:-8}
+BUILD=${BUILD:-9}
 
 # Automatically determine the architecture we're building on:
 if [ -z "$ARCH" ]; then
diff --git a/source/a/sysvinit-scripts/scripts/rc.S b/source/a/sysvinit-scripts/scripts/rc.S
index 0fecf21f..e0188a10 100644
--- a/source/a/sysvinit-scripts/scripts/rc.S
+++ b/source/a/sysvinit-scripts/scripts/rc.S
@@ -420,6 +420,9 @@ touch /var/run/utmp
 chown root:utmp /var/run/utmp
 chmod 664 /var/run/utmp
 
+# In case pam_faillock(8) is being used, create the tally directory:
+mkdir -p /var/run/faillock
+
 # Update the current kernel level in the /etc/motd (Message Of The Day) file,
 # if the first line of that file begins with the word 'Linux'.
 # You are free to modify the rest of the file as you see fit.
diff --git a/source/a/sysvinit-scripts/sysvinit-scripts.SlackBuild b/source/a/sysvinit-scripts/sysvinit-scripts.SlackBuild
index 07249e8e..212f7887 100755
--- a/source/a/sysvinit-scripts/sysvinit-scripts.SlackBuild
+++ b/source/a/sysvinit-scripts/sysvinit-scripts.SlackBuild
@@ -25,7 +25,7 @@ cd $(dirname $0) ; CWD=$(pwd)
 PKGNAM=sysvinit-scripts
 VERSION=${VERSION:-2.1}
 ARCH=noarch
-BUILD=${BUILD:-31}
+BUILD=${BUILD:-32}
 
 # If the variable PRINT_PACKAGE_NAME is set, then this script will report what
 # the name of the created package would be, and then exit. This information
diff --git a/source/a/util-linux/pam.d/login b/source/a/util-linux/pam.d/login
index 9209ef5b..1e965f11 100644
--- a/source/a/util-linux/pam.d/login
+++ b/source/a/util-linux/pam.d/login
@@ -1,9 +1,14 @@
 #%PAM-1.0
 auth            required        pam_securetty.so
-# To set a limit on failed authentications, the pam_tally2 module
-# can be enabled. See pam_tally2(8) for options.
-#auth            required        pam_tally2.so deny=4 unlock_time=1200
+# When using pam_faillock, print a message to the user if the account is
+# locked. This lets the user know what is going on, but it also potentially
+# gives additional information to attackers:
+#auth            requisite       pam_faillock.so preauth
 auth            include         system-auth
+# To set a limit on failed authentications, the pam_faillock module
+# can be enabled. See pam_faillock(8) for more information.
+#auth            [default=die]   pam_faillock.so authfail
+#auth            sufficient      pam_faillock.so authsucc
 auth            include         postlogin
 account         required        pam_nologin.so
 account         include         system-auth
diff --git a/source/a/util-linux/util-linux.SlackBuild b/source/a/util-linux/util-linux.SlackBuild
index 1467bc42..3c33fe58 100755
--- a/source/a/util-linux/util-linux.SlackBuild
+++ b/source/a/util-linux/util-linux.SlackBuild
@@ -26,7 +26,7 @@ cd $(dirname $0) ; CWD=$(pwd)
 
 PKGNAM=util-linux
 VERSION=${VERSION:-$(echo util-linux*.tar.xz | cut -d - -f 3  | rev | cut -f 3- -d . | rev)}
-BUILD=${BUILD:-1}
+BUILD=${BUILD:-2}
 
 ADJTIMEXVERS=1.29
 SETSERIALVERS=2.17