|
@@ -1,32 +1,51 @@
|
|
|
%define build_compat32 %{?_with_compat32:1}%{!?_with_compat32:0}
|
|
|
|
|
|
-%define pam_redhat_version 0.99.10-1
|
|
|
+%define pam_redhat_version 0.99.11
|
|
|
|
|
|
Summary: A security tool which provides authentication for applications
|
|
|
Summary(ja): アプリケーションに認証の仕組みを提供するセキュリティツール
|
|
|
Name: pam
|
|
|
-Version: 1.1.1
|
|
|
-Release: 8%{?_dist_release}
|
|
|
+Version: 1.1.8
|
|
|
+Release: 1%{?_dist_release}
|
|
|
# The library is BSD licensed with option to relicense as GPLv2+ - this option is redundant
|
|
|
# as the BSD license allows that anyway. pam_timestamp and pam_console modules are GPLv2+
|
|
|
License: BSD and GPLv2+
|
|
|
Group: System Environment/Base
|
|
|
-Source0: http://ftp.us.kernel.org/pub/linux/libs/pam/pre/library/Linux-PAM-%{version}.tar.bz2
|
|
|
-Source1: http://ftp.us.kernel.org/pub/linux/libs/pam/pre/library/Linux-PAM-%{version}.tar.bz2.sign
|
|
|
+URL: http://www.us.kernel.org/pub/linux/libs/pam/index.html
|
|
|
+
|
|
|
+Source0: http://www.linux-pam.org/library/Linux-PAM-%{version}.tar.bz2
|
|
|
Source2: https://fedorahosted.org/releases/p/a/pam-redhat/pam-redhat-%{pam_redhat_version}.tar.bz2
|
|
|
Source5: other.pamd
|
|
|
Source6: system-auth.pamd
|
|
|
-Source7: config-util.pamd
|
|
|
-Source8: dlopen.sh
|
|
|
-Source9: system-auth.5
|
|
|
-Source10: config-util.5
|
|
|
-Source11: 90-nproc.conf
|
|
|
+Source7: password-auth.pamd
|
|
|
+Source8: fingerprint-auth.pamd
|
|
|
+Source9: smartcard-auth.pamd
|
|
|
+Source10: config-util.pamd
|
|
|
+Source11: dlopen.sh
|
|
|
+Source12: system-auth.5
|
|
|
+Source13: config-util.5
|
|
|
+Source14: 90-nproc.conf
|
|
|
+Source15: pamtmp.conf
|
|
|
+Source16: postlogin.pamd
|
|
|
+Source17: postlogin.5
|
|
|
Patch1: pam-1.0.90-redhat-modules.patch
|
|
|
-Patch2: pam-1.0.91-std-noclose.patch
|
|
|
+Patch2: pam-1.1.6-std-noclose.patch
|
|
|
Patch4: pam-1.1.0-console-nochmod.patch
|
|
|
Patch5: pam-1.1.0-notally.patch
|
|
|
-Patch7: pam-1.1.0-console-fixes.patch
|
|
|
-Patch8: pam-1.1.1-authtok-prompt.patch
|
|
|
+Patch9: pam-1.1.6-noflex.patch
|
|
|
+Patch10: pam-1.1.3-nouserenv.patch
|
|
|
+Patch13: pam-1.1.6-limits-user.patch
|
|
|
+Patch15: pam-1.1.6-full-relro.patch
|
|
|
+# FIPS related - non upstreamable
|
|
|
+Patch20: pam-1.1.5-unix-no-fallback.patch
|
|
|
+# Upstreamed partially
|
|
|
+Patch31: pam-1.1.6-use-links.patch
|
|
|
+Patch32: pam-1.1.7-tty-audit-init.patch
|
|
|
+Patch33: pam-1.1.8-translation-updates.patch
|
|
|
+Patch34: pam-1.1.8-canonicalize-username.patch
|
|
|
+Patch35: pam-1.1.8-cve-2013-7041.patch
|
|
|
+Patch36: pam-1.1.8-cve-2014-2583.patch
|
|
|
+Patch37: pam-1.1.8-loginuid-container.patch
|
|
|
|
|
|
Patch700: pam-0.99.9-sg-dev.patch
|
|
|
|
|
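Review bot: The new `Source0` line points at a plain `http://` URL, and the hunk removes the `Source1` detached signature (`Linux-PAM-%{version}.tar.bz2.sign`) without replacing it, so nothing visible in the spec ties the imported tarball to an upstream release. For an authentication library that gap is worth closing: keep a signature or checksum file as a numbered source, or record the check in a comment above `Source0`, for example `# tarball digest compared with the upstream release announcement before import`. If upstream does not publish a signature at the new location, a one-line comment saying so would make the omission visibly deliberate. The added `URL:` line is also `http://` and could be switched if the site serves HTTPS.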
@@ -43,16 +62,11 @@ Patch1030: pam-1.1.1_CVE-2011-3149.patch
|
|
|
%define _secconfdir %{_sysconfdir}/security
|
|
|
%define _pamconfdir %{_sysconfdir}/pam.d
|
|
|
|
|
|
-%if %{?WITH_SELINUX:0}%{!?WITH_SELINUX:1}
|
|
|
-%define WITH_SELINUX 1
|
|
|
-%endif
|
|
|
-%if %{?WITH_AUDIT:0}%{!?WITH_AUDIT:1}
|
|
|
-%define WITH_AUDIT 1
|
|
|
-%endif
|
|
|
-
|
|
|
# VINE
|
|
|
%define WITH_SELINUX 0
|
|
|
-%define WITH_AUDIT 0
|
|
|
+%define WITH_AUDIT 1
|
|
|
+
|
|
|
+%global _performance_build 1
|
|
|
|
|
|
BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n)
|
|
|
Requires: cracklib, cracklib-dicts >= 2.8
|
|
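Review bot: `%define WITH_AUDIT 1` under `# VINE` switches audit support on for this package, but no comment here explains it and the new changelog entry does not mention it. A note such as `# VINE: SELinux stays disabled; audit support enabled as of 1.1.8-1`, plus a matching changelog line, would record the change for anyone tracing why authentication events start reaching the audit subsystem after the upgrade. The BuildRequires section is outside this hunk, so confirm that the audit development package is required when `WITH_AUDIT` is 1. `%global _performance_build 1` is also added without explanation, and its effect depends on the distribution's rpm macros, which are not visible here. A one-line comment stating the intended effect on compiler flags would help, given that `Patch15` (full-relro) in the same commit is a hardening change.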
@@ -76,13 +90,13 @@ Requires: glibc >= 2.3.90-37
|
|
|
# Following deps are necessary only to build the pam library documentation.
|
|
|
BuildRequires: linuxdoc-tools, w3m, libxslt
|
|
|
BuildRequires: docbook-style-xsl, docbook-dtds
|
|
|
-BuildRequires: db4-devel
|
|
|
+BuildRequires: libdb-devel
|
|
|
# pam.d/login in old util-linux uses obsolete pam module.
|
|
|
Conflicts: util-linux < 2.14
|
|
|
|
|
|
-URL: http://www.us.kernel.org/pub/linux/libs/pam/index.html
|
|
|
Vendor: Project Vine
|
|
|
Distribution: Vine Linux
|
|
|
+Packager: daisuke
|
|
|
|
|
|
%description
|
|
|
PAM (Pluggable Authentication Modules) is a system security tool that
|
|
@@ -170,22 +184,26 @@ mv pam-redhat-%{pam_redhat_version}/* modules
|
|
|
%patch2 -p1 -b .std-noclose
|
|
|
%patch4 -p1 -b .nochmod
|
|
|
%patch5 -p1 -b .notally
|
|
|
-%patch7 -p1 -b .console-fixes
|
|
|
-%patch8 -p0 -b .prompt
|
|
|
+%patch9 -p1 -b .noflex
|
|
|
+%patch10 -p1 -b .nouserenv
|
|
|
+%patch13 -p1 -b .limits
|
|
|
+%patch15 -p1 -b .relro
|
|
|
+%patch20 -p1 -b .no-fallback
|
|
|
+%patch31 -p1 -b .links
|
|
|
+%patch32 -p1 -b .tty-audit-init
|
|
|
+%patch33 -p2 -b .translations
|
|
|
+%patch34 -p1 -b .canonicalize
|
|
|
+%patch35 -p1 -b .case
|
|
|
+%patch36 -p1 -b .timestamp-ruser
|
|
|
+%patch37 -p1 -b .container
|
|
|
|
|
|
%patch700 -p1
|
|
|
|
|
|
## security patch(es)
|
|
|
-%patch1009 -p1 -b .drop-privs
|
|
|
-%patch1010 -p1 -b .execle
|
|
|
-%patch1020 -p1 -b .CVE-2011-3148
|
|
|
-%patch1030 -p1 -b .CVE-2011-3149
|
|
|
-
|
|
|
-libtoolize -f
|
|
|
-autoreconf
|
|
|
|
|
|
|
|
|
%build
|
|
|
+autoreconf -i
|
|
|
%configure \
|
|
|
--libdir=/%{_lib} \
|
|
|
--includedir=%{_includedir}/security \
|
|
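Review bot: The `## security patch(es)` heading is left with no `%patch` line under it once `%patch1009`, `%patch1010`, `%patch1020` and `%patch1030` are removed, and nothing in the spec says why those fixes are no longer applied. Presumably upstream 1.1.8 already contains them, but the earlier hunk header still shows `Patch1030: pam-1.1.1_CVE-2011-3149.patch` declared, so the declarations appear to remain without being applied. Suggest either dropping the stale `Patch10xx:` lines or adding a comment such as `# drop-privs, execle, CVE-2011-3148 and CVE-2011-3149 are included upstream since <version> - verified against the 1.1.8 tree`. The two CVE fixes this commit adds, `%patch35` and `%patch36`, sit in the general list with backup suffixes `.case` and `.timestamp-ruser`. Moving them under the security heading, or using suffixes like `.cve-2013-7041` and `.cve-2014-2583`, would let an auditor match applied fixes to advisories at a glance.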
@@ -196,7 +214,10 @@ autoreconf
|
|
|
%if ! %{WITH_AUDIT}
|
|
|
--disable-audit \
|
|
|
%endif
|
|
|
- --enable-isadir=../../%{_moduledir}
|
|
|
+ --disable-static \
|
|
|
+ --enable-isadir=../../%{_moduledir} \
|
|
|
+ --disable-prelude
|
|
|
+make -C po update-gmo
|
|
|
make
|
|
|
# we do not use _smp_mflags because the build of sources in yacc/flex fails
|
|
|
|
|
@@ -226,15 +247,19 @@ rm -f $RPM_BUILD_ROOT%{_sysconfdir}/environment
|
|
|
install -d -m 755 $RPM_BUILD_ROOT%{_pamconfdir}
|
|
|
install -m 644 %{SOURCE5} $RPM_BUILD_ROOT%{_pamconfdir}/other
|
|
|
install -m 644 %{SOURCE6} $RPM_BUILD_ROOT%{_pamconfdir}/system-auth
|
|
|
-install -m 644 %{SOURCE7} $RPM_BUILD_ROOT%{_pamconfdir}/config-util
|
|
|
-install -m 644 %{SOURCE11} $RPM_BUILD_ROOT%{_secconfdir}/limits.d/90-nproc.conf
|
|
|
+install -m 644 %{SOURCE7} $RPM_BUILD_ROOT%{_pamconfdir}/password-auth
|
|
|
+install -m 644 %{SOURCE8} $RPM_BUILD_ROOT%{_pamconfdir}/fingerprint-auth
|
|
|
+install -m 644 %{SOURCE9} $RPM_BUILD_ROOT%{_pamconfdir}/smartcard-auth
|
|
|
+install -m 644 %{SOURCE10} $RPM_BUILD_ROOT%{_pamconfdir}/config-util
|
|
|
+install -m 644 %{SOURCE16} $RPM_BUILD_ROOT%{_pamconfdir}/postlogin
|
|
|
+install -m 644 %{SOURCE14} $RPM_BUILD_ROOT%{_secconfdir}/limits.d/90-nproc.conf
|
|
|
install -m 600 /dev/null $RPM_BUILD_ROOT%{_secconfdir}/opasswd
|
|
|
install -d -m 755 $RPM_BUILD_ROOT/var/log
|
|
|
install -m 600 /dev/null $RPM_BUILD_ROOT/var/log/faillog
|
|
|
install -m 600 /dev/null $RPM_BUILD_ROOT/var/log/tallylog
|
|
|
|
|
|
# Install man pages.
|
|
|
-install -m 644 %{SOURCE9} %{SOURCE10} $RPM_BUILD_ROOT%{_mandir}/man5/
|
|
|
+install -m 644 %{SOURCE12} %{SOURCE13} ${SOURCE17} $RPM_BUILD_ROOT%{_mandir}/man5/
|
|
|
|
|
|
for phase in auth acct passwd session ; do
|
|
|
ln -sf pam_unix.so $RPM_BUILD_ROOT%{_moduledir}/pam_unix_${phase}.so
|
|
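Review bot: `${SOURCE17}` on the new man-page install line is a shell variable, not the RPM macro the other two operands use. Unless the build environment happens to export `SOURCE17`, it expands to nothing, so `postlogin.5` is silently left out of `man5/` while the build still succeeds. The line should read `install -m 644 %{SOURCE12} %{SOURCE13} %{SOURCE17} $RPM_BUILD_ROOT%{_mandir}/man5/`. The `%files` glob `%{_mandir}/man5/*` shown in a later hunk would not catch the missing page, so the package would ship the new `postlogin` PAM configuration without its documentation.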
@@ -255,6 +280,9 @@ rm -f $RPM_BUILD_ROOT%{_moduledir}/*.la
|
|
|
# Duplicate doc file sets.
|
|
|
rm -fr $RPM_BUILD_ROOT/usr/share/doc/pam
|
|
|
|
|
|
+# Install the file for autocreation of /var/run subdirectories on boot
|
|
|
+install -m644 -D %{SOURCE15} $RPM_BUILD_ROOT%{_prefix}/lib/tmpfiles.d/pam.conf
|
|
|
+
|
|
|
# Create /lib/security in case it isn't the same as %{_moduledir}.
|
|
|
install -m755 -d $RPM_BUILD_ROOT/lib/security
|
|
|
|
|
@@ -285,7 +313,7 @@ done
|
|
|
/sbin/ldconfig -n $RPM_BUILD_ROOT/%{_lib}
|
|
|
for module in $RPM_BUILD_ROOT%{_moduledir}/pam*.so ; do
|
|
|
if ! env LD_LIBRARY_PATH=$RPM_BUILD_ROOT/%{_lib} \
|
|
|
- %{SOURCE8} -ldl -lpam -L$RPM_BUILD_ROOT/%{_libdir} ${module} ; then
|
|
|
+ %{SOURCE11} -ldl -lpam -L$RPM_BUILD_ROOT/%{_libdir} ${module} ; then
|
|
|
echo ERROR module: ${module} cannot be loaded.
|
|
|
exit 1
|
|
|
fi
|
|
@@ -322,7 +350,11 @@ end
|
|
|
%dir %{_pamconfdir}
|
|
|
%config(noreplace) %{_pamconfdir}/other
|
|
|
%config(noreplace) %{_pamconfdir}/system-auth
|
|
|
+%config(noreplace) %{_pamconfdir}/password-auth
|
|
|
+%config(noreplace) %{_pamconfdir}/fingerprint-auth
|
|
|
+%config(noreplace) %{_pamconfdir}/smartcard-auth
|
|
|
%config(noreplace) %{_pamconfdir}/config-util
|
|
|
+%config(noreplace) %{_pamconfdir}/postlogin
|
|
|
%doc Copyright
|
|
|
%doc doc/txts
|
|
|
%doc doc/sag/*.txt doc/sag/html
|
|
@@ -422,6 +454,7 @@ end
|
|
|
%endif
|
|
|
%ghost %verify(not md5 size mtime) /var/log/faillog
|
|
|
%ghost %verify(not md5 size mtime) /var/log/tallylog
|
|
|
+%{_prefix}/lib/tmpfiles.d/pam.conf
|
|
|
%{_mandir}/man5/*
|
|
|
%{_mandir}/man8/*
|
|
|
|
|
@@ -433,7 +466,6 @@ end
|
|
|
%{_libdir}/libpam.so
|
|
|
%{_libdir}/libpamc.so
|
|
|
%{_libdir}/libpam_misc.so
|
|
|
-%doc doc/mwg/*.txt doc/mwg/html
|
|
|
%doc doc/adg/*.txt doc/adg/html
|
|
|
|
|
|
|
|
@@ -512,6 +544,10 @@ end
|
|
|
|
|
|
|
|
|
%changelog
|
|
|
+* Tue Jun 17 2014 Daisuke SUZUKI <daisuke@vinelinux.org> 1.1.8-1
|
|
|
+- update to 1.1.8
|
|
|
+- add default password-auth, fingerprint-auth, smartcard-auth and postlogin
|
|
|
+
|
|
|
* Wed Oct 26 2011 Satoshi IWAMOTO <satoshi.iwamoto@nifty.ne.jp> 1.1.1-8
|
|
|
- add patch1020 for fix CVE-2011-3148 (parsing environment)
|
|
|
- add patch1030 for fix CVE-2011-3149 (parsing environment)
|
|
@@ -613,7 +649,7 @@ end
|
|
|
* Mon Jan 14 2008 Tomas Mraz <tmraz@redhat.com> 0.99.8.1-15
|
|
|
- merge review fixes (#226228)
|
|
|
|
|
|
-* Wed Jan 8 2008 Tomas Mraz <tmraz@redhat.com> 0.99.8.1-14
|
|
|
+* Tue Jan 8 2008 Tomas Mraz <tmraz@redhat.com> 0.99.8.1-14
|
|
|
- support for sha256 and sha512 password hashes
|
|
|
- account expiry checks moved to unix_chkpwd helper
|
|
|
|
|
@@ -713,10 +749,10 @@ end
|
|
|
- revert to old euid and not ruid when setting euid in pam_keyinit (#219486)
|
|
|
- rename selinux-namespace patch to namespace-level
|
|
|
|
|
|
-* Thu Dec 1 2006 Dan Walsh <dwalsh@redhat.com> 0.99.6.2-7
|
|
|
+* Fri Dec 1 2006 Dan Walsh <dwalsh@redhat.com> 0.99.6.2-7
|
|
|
- fix selection of role
|
|
|
|
|
|
-* Thu Dec 1 2006 Dan Walsh <dwalsh@redhat.com> 0.99.6.2-6
|
|
|
+* Fri Dec 1 2006 Dan Walsh <dwalsh@redhat.com> 0.99.6.2-6
|
|
|
- add possibility to pam_namespace to only change MLS component
|
|
|
- Resolves: Bug #216184
|
|
|
|
|
@@ -1111,10 +1147,10 @@ support)
|
|
|
* Tue May 18 2004 Phil Knirsch <pknirsch@redhat.com> 0.77-41
|
|
|
- Fixed 64bit segfault in pam_succeed_if module.
|
|
|
|
|
|
-* Thu Apr 14 2004 Dan Walsh <dwalsh@redhat.com> 0.77-40
|
|
|
+* Wed Apr 14 2004 Dan Walsh <dwalsh@redhat.com> 0.77-40
|
|
|
- Apply changes from audit.
|
|
|
|
|
|
-* Tue Apr 12 2004 Dan Walsh <dwalsh@redhat.com> 0.77-39
|
|
|
+* Mon Apr 12 2004 Dan Walsh <dwalsh@redhat.com> 0.77-39
|
|
|
- Change to only report failure on relabel if debug
|
|
|
|
|
|
* Wed Mar 3 2004 Dan Walsh <dwalsh@redhat.com> 0.77-38
|
|
@@ -1132,7 +1168,7 @@ support)
|
|
|
* Fri Feb 13 2004 Elliot Lee <sopwith@redhat.com>
|
|
|
- rebuilt
|
|
|
|
|
|
-* Tue Feb 12 2004 Nalin Dahyabhai <nalin@redhat.com>
|
|
|
+* Thu Feb 12 2004 Nalin Dahyabhai <nalin@redhat.com>
|
|
|
- pam_unix: also log successful password changes when using shadowed passwords
|
|
|
|
|
|
* Tue Feb 10 2004 Dan Walsh <dwalsh@redhat.com> 0.77-33
|
|
@@ -1384,7 +1420,7 @@ support)
|
|
|
* Wed Jan 23 2002 Nalin Dahyabhai <nalin@redhat.com> 0.75-21
|
|
|
- pam_userdb: build with db4 instead of db3
|
|
|
|
|
|
-* Wed Nov 22 2001 Nalin Dahyabhai <nalin@redhat.com> 0.75-20
|
|
|
+* Thu Nov 22 2001 Nalin Dahyabhai <nalin@redhat.com> 0.75-20
|
|
|
- pam_stack: fix some memory leaks (reported by Fernando Trias)
|
|
|
- pam_chroot: integrate Owl patch to report the more common causes of failures
|
|
|
|
|
@@ -1671,7 +1707,7 @@ support)
|
|
|
* Mon Dec 18 2000 Nalin Dahyabhai <nalin@redhat.com>
|
|
|
- refresh from CVS -- some weird stuff crept into pam_unix
|
|
|
|
|
|
-* Wed Dec 12 2000 Nalin Dahyabhai <nalin@redhat.com>
|
|
|
+* Tue Dec 12 2000 Nalin Dahyabhai <nalin@redhat.com>
|
|
|
- fix handling of "nis" when changing passwords by adding the checks for the
|
|
|
data source to the password-updating module in pam_unix
|
|
|
- add the original copyright for pam_access (fix from Michael Gerdts)
|
|
@@ -1764,10 +1800,10 @@ support)
|
|
|
- add a broken_shadow option to pam_unix
|
|
|
- add all module README files to the documentation list (#16456)
|
|
|
|
|
|
-* Wed Jul 25 2000 Nalin Dahyabhai <nalin@redhat.com>
|
|
|
+* Tue Jul 25 2000 Nalin Dahyabhai <nalin@redhat.com>
|
|
|
- fix pam_stack debug and losing-track-of-the-result bug
|
|
|
|
|
|
-* Tue Jul 24 2000 Nalin Dahyabhai <nalin@redhat.com>
|
|
|
+* Mon Jul 24 2000 Nalin Dahyabhai <nalin@redhat.com>
|
|
|
- rework pam_console's usage of syslog to actually be sane (#14646)
|
|
|
|
|
|
* Sat Jul 22 2000 Nalin Dahyabhai <nalin@redhat.com>
|