upg btrfs-origs oan

joborun linux 2024-02-15 02:33:46 +02:00
parent b81cb4bbb4
commit 8230d5b75e
6 changed files with 145 additions and 12 deletions


@ -6,7 +6,7 @@
#-----------------------------------------| DESCRIPTION |---------------------------------------
pkgname=btrfs-progs
pkgver=6.7
pkgver=6.7.1
pkgrel=01
pkgdesc='Btrfs filesystem utilities w/o systemd'
makedepends=('asciidoc' 'xmlto' 'python' 'python-setuptools' 'e2fsprogs'
@ -72,10 +72,10 @@ license=('GPL-2.0-only')
validpgpkeys=('F2B41200C54EFB30380C1756C565D5F9D76D583B')
sha256sums=(c27f755185b9f2dab31f42e8a303d36bed2a3f3341cc6d75ee68a0a650a24767 # btrfs-progs-v6.7.tar.xz
e44a1c6a33f06f38b4199db5c85202a930fd4e1a4e4f89b4cfce4afea0e61c01 # btrfs-progs-v6.7.tar.sign
sha256sums=(24dc7b974f0a57ba0eca80f97440b840dfa85b0f1cb2c01bdfd97659a480b200 # btrfs-progs-v6.7.1.tar.xz
181ebfef6c8fb7df1015478b5ecec2a33a49437ed1c4e48188eed722648b6ee1 # btrfs-progs-v6.7.1.tar.sign
bbe60b35d1b1e2efc1308a8f54f1fdc6808240a81c5f5b4d75321b7ee86e41f4 # initcpio-install-btrfs
35efeee8590d6d60c711ae9cdc918e4841ab61d10cb02359e65e36ebff95ffc5) # initcpio-hook-btrfs
## 548361394d138e6cf48440daa570458c5a018eea77c5a7fa24ed996991cf80d0 btrfs-progs-6.7-01-x86_64.pkg.tar.lz
## 2b7c446a389b12c5e059dfff5f25782e39c0bdeb8589f4cc1000dc4b7ff5a1f1 btrfs-progs-6.7.1-01-x86_64.pkg.tar.lz


@ -3,7 +3,7 @@
# Contributor: Tobias Powalowski <tpowa@archlinux.org>
pkgname=btrfs-progs
pkgver=6.7
pkgver=6.7.1
pkgrel=1
pkgdesc='Btrfs filesystem utilities'
arch=('x86_64')
@ -28,7 +28,7 @@ source=("https://www.kernel.org/pub/linux/kernel/people/kdave/btrfs-progs/btrfs-
install=btrfs-progs.install
options=(!staticlibs)
sha256sums=('SKIP'
'c27f755185b9f2dab31f42e8a303d36bed2a3f3341cc6d75ee68a0a650a24767'
'24dc7b974f0a57ba0eca80f97440b840dfa85b0f1cb2c01bdfd97659a480b200'
'bbe60b35d1b1e2efc1308a8f54f1fdc6808240a81c5f5b4d75321b7ee86e41f4'
'35efeee8590d6d60c711ae9cdc918e4841ab61d10cb02359e65e36ebff95ffc5'
'eaa7af92d28bfa8940bb551560fd7be777f9f175292eaa72b5f6ef00fb240252'


@ -0,0 +1,27 @@
From 470b5bdd8fd29d6b35e3a80f9a57bdd4b2438200 Mon Sep 17 00:00:00 2001
From: Tobias Stoeckmann <tobias@stoeckmann.org>
Date: Fri, 19 Jan 2024 10:09:00 +0100
Subject: [PATCH] pam_unix: do not warn if password aging is disabled
Later checks will print a warning if daysleft is 0. If password
aging is disabled, leave daysleft at -1.
Resolves: https://github.com/linux-pam/linux-pam/issues/743
Fixes: 9ebc14085a3b ("pam_unix: allow disabled password aging")
Signed-off-by: Tobias Stoeckmann <tobias@stoeckmann.org>
---
modules/pam_unix/passverify.c | 1 -
1 file changed, 1 deletion(-)
diff --git a/modules/pam_unix/passverify.c b/modules/pam_unix/passverify.c
index 5c4f862e7..1bc98fa25 100644
--- a/modules/pam_unix/passverify.c
+++ b/modules/pam_unix/passverify.c
@@ -314,7 +314,6 @@ PAMH_ARG_DECL(int check_shadow_expiry,
}
if (spent->sp_lstchg < 0) {
D(("password aging disabled"));
- *daysleft = 0;
return PAM_SUCCESS;
}
if (curdays < spent->sp_lstchg) {


@ -7,7 +7,7 @@
pkgname=pam
pkgver=1.6.0
pkgrel=03
pkgrel=04
pkgdesc="PAM (Pluggable Authentication Modules) library - w/o systemd"
url="http://linux-pam.org"
depends=('glibc' 'libtirpc' 'pambase' 'audit' 'libaudit.so' 'libxcrypt' 'libcrypt.so')
@ -15,10 +15,24 @@ makedepends=('flex' 'w3m' 'docbook-xml>=4.4' 'docbook-xsl')
provides=('libpam.so' 'libpamc.so' 'libpam_misc.so')
backup=(etc/security/{access.conf,faillock.conf,group.conf,limits.conf,namespace.conf,namespace.init,pwhistory.conf,pam_env.conf,time.conf} etc/environment)
source=(https://github.com/linux-pam/linux-pam/releases/download/v$pkgver/Linux-PAM-$pkgver{,-docs}.tar.xz{,.asc}
https://github.com/linux-pam/linux-pam/commit/470b5bdd8fd29d6b35e3a80f9a57bdd4b2438200.patch
https://github.com/linux-pam/linux-pam/commit/b7b96362087414e52524d3d9d9b3faa21e1db620.patch
$pkgname.tmpfiles)
options=('!emptydirs')
prepare() {
cd Linux-PAM-$pkgver
# apply patch from the source array (should be a pacman feature)
local src
for src in "${source[@]}"; do
src="${src%%::*}"
src="${src##*/}"
[[ $src = *.patch ]] || continue
echo "Applying patch $src..."
patch -Np1 < "../$src"
done
}
build() {
cd Linux-PAM-$pkgver
# prevent the installation of an unneeded systemd file:
@ -67,7 +81,7 @@ post_install() {
arch=(x86_64)
license=('GPL2')
license=('GPL-2.0-only')
validpgpkeys=(8C6BFD92EE0F42EDF91A6A736D1A7F052E5924BB # Thorsten Kukuk
296D6F29A020808E8717A8842DB5BD89A340AEB7) #Dimitry V. Levin <ldv@altlinux.org>
@ -76,7 +90,9 @@ sha256sums=(fff4a34e5bbee77e2e8f1992f27631e2329bcbf8a0563ddeb5c3389b4e3169ad #
de8059f3c5ede8efe8feaa74db64e27f2a8d0b6efb119d6b7b7f9baea78dc57a # Linux-PAM-1.6.0.tar.xz.asc
3e82730d3350795c42f3708f6609a92c1df841d518aa17c28fd702fe5ec23a32 # Linux-PAM-1.6.0-docs.tar.xz
bc052464739edb68fc170b660253cca7adc596056cb2a60f11262639a3d3e1e9 # Linux-PAM-1.6.0-docs.tar.xz.asc
ee7333ad2c8b2a710c73d8a2d202027d0c79d3628fefe58073f2d78ecefa121e # 470b5bdd8fd29d6b35e3a80f9a57bdd4b2438200.patch
450760e1989f036acee157f91a3028264f8ce7fb0cbdd65eccf8a0fc0084497c # b7b96362087414e52524d3d9d9b3faa21e1db620.patch
5631f224e90c4f0459361c2a5b250112e3a91ba849754bb6f67d69d683a2e5ac) # pam.tmpfiles
## 8fb425ef6dfe311d95408d4cac67f12389a7a5bc5dd81ba9cab6321818367384 pam-1.6.0-03-x86_64.pkg.tar.lz
## 2b41498e68f35858bd73fa7b133bb24a9a6e6aa6b1847d9a1b9b169dae3906c1 pam-1.6.0-04-x86_64.pkg.tar.lz
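Review bot: The two `https://github.com/linux-pam/linux-pam/commit/….patch` entries added to `source=()` point at text GitHub renders on request, not at a signed release artifact, so the sha256sums at the end of this section are the only integrity anchor for code that ends up in pam_unix. Whoever refreshes those checksums should compare the patch text against the upstream commit rather than re-running a checksum generator, and a comment above the two entries such as `# upstream fixes for issues 743 and 747, unsigned: verify content before updating sha256sums` would record that. The commit also appears to add both patches as files of their own; if so, listing them by file name (`470b5bdd8fd29d6b35e3a80f9a57bdd4b2438200.patch`) instead of by URL keeps the pin and removes the dependency on the rendering staying byte-identical. The same applies to the second pam PKGBUILD section below.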


@ -4,16 +4,18 @@
pkgname=pam
pkgver=1.6.0
pkgrel=3
pkgrel=4
pkgdesc="PAM (Pluggable Authentication Modules) library"
arch=('x86_64')
license=('GPL2')
license=('GPL-2.0-only')
url="http://linux-pam.org"
depends=('glibc' 'libtirpc' 'pambase' 'audit' 'libaudit.so' 'libxcrypt' 'libcrypt.so')
makedepends=('flex' 'w3m' 'docbook-xml>=4.4' 'docbook-xsl')
provides=('libpam.so' 'libpamc.so' 'libpam_misc.so')
backup=(etc/security/{access.conf,faillock.conf,group.conf,limits.conf,namespace.conf,namespace.init,pwhistory.conf,pam_env.conf,time.conf} etc/environment)
source=(https://github.com/linux-pam/linux-pam/releases/download/v$pkgver/Linux-PAM-$pkgver{,-docs}.tar.xz{,.asc}
https://github.com/linux-pam/linux-pam/commit/470b5bdd8fd29d6b35e3a80f9a57bdd4b2438200.patch
https://github.com/linux-pam/linux-pam/commit/b7b96362087414e52524d3d9d9b3faa21e1db620.patch
$pkgname.tmpfiles)
validpgpkeys=(
'8C6BFD92EE0F42EDF91A6A736D1A7F052E5924BB' # Thorsten Kukuk
@ -24,10 +26,25 @@ sha256sums=('fff4a34e5bbee77e2e8f1992f27631e2329bcbf8a0563ddeb5c3389b4e3169ad'
'SKIP'
'3e82730d3350795c42f3708f6609a92c1df841d518aa17c28fd702fe5ec23a32'
'SKIP'
'ee7333ad2c8b2a710c73d8a2d202027d0c79d3628fefe58073f2d78ecefa121e'
'450760e1989f036acee157f91a3028264f8ce7fb0cbdd65eccf8a0fc0084497c'
'5631f224e90c4f0459361c2a5b250112e3a91ba849754bb6f67d69d683a2e5ac')
options=('!emptydirs')
prepare() {
cd Linux-PAM-$pkgver
# apply patch from the source array (should be a pacman feature)
local src
for src in "${source[@]}"; do
src="${src%%::*}"
src="${src##*/}"
[[ $src = *.patch ]] || continue
echo "Applying patch $src..."
patch -Np1 < "../$src"
done
}
build() {
cd Linux-PAM-$pkgver
./configure \


@ -0,0 +1,73 @@
From b7b96362087414e52524d3d9d9b3faa21e1db620 Mon Sep 17 00:00:00 2001
From: Tobias Stoeckmann <tobias@stoeckmann.org>
Date: Wed, 24 Jan 2024 18:57:42 +0100
Subject: [PATCH] pam_unix: try to set uid to 0 for unix_chkpwd
The geteuid check does not cover all cases. If a program runs with
elevated capabilities like CAP_SETUID then we can still check
credentials of other users.
Keep logging for future analysis though.
Resolves: https://github.com/linux-pam/linux-pam/issues/747
Fixes: b3020da7da38 ("pam_unix/passverify: always run the helper to obtain shadow password file entries")
Signed-off-by: Tobias Stoeckmann <tobias@stoeckmann.org>
---
modules/pam_unix/pam_unix_acct.c | 17 +++++++++--------
modules/pam_unix/support.c | 14 +++++++-------
2 files changed, 16 insertions(+), 15 deletions(-)
diff --git a/modules/pam_unix/pam_unix_acct.c b/modules/pam_unix/pam_unix_acct.c
index 8f5ed3e0d..7ffcb9e3f 100644
--- a/modules/pam_unix/pam_unix_acct.c
+++ b/modules/pam_unix/pam_unix_acct.c
@@ -110,14 +110,15 @@ int _unix_run_verify_binary(pam_handle_t *pamh, unsigned long long ctrl,
_exit(PAM_AUTHINFO_UNAVAIL);
}
- if (geteuid() == 0) {
- /* must set the real uid to 0 so the helper will not error
- out if pam is called from setuid binary (su, sudo...) */
- if (setuid(0) == -1) {
- pam_syslog(pamh, LOG_ERR, "setuid failed: %m");
- printf("-1\n");
- fflush(stdout);
- _exit(PAM_AUTHINFO_UNAVAIL);
+ /* must set the real uid to 0 so the helper will not error
+ out if pam is called from setuid binary (su, sudo...) */
+ if (setuid(0) == -1) {
+ uid_t euid = geteuid();
+ pam_syslog(pamh, euid == 0 ? LOG_ERR : LOG_DEBUG, "setuid failed: %m");
+ if (euid == 0) {
+ printf("-1\n");
+ fflush(stdout);
+ _exit(PAM_AUTHINFO_UNAVAIL);
}
}
diff --git a/modules/pam_unix/support.c b/modules/pam_unix/support.c
index d391973f9..69811048e 100644
--- a/modules/pam_unix/support.c
+++ b/modules/pam_unix/support.c
@@ -562,13 +562,13 @@ static int _unix_run_helper_binary(pam_handle_t *pamh, const char *passwd,
_exit(PAM_AUTHINFO_UNAVAIL);
}
- if (geteuid() == 0) {
- /* must set the real uid to 0 so the helper will not error
- out if pam is called from setuid binary (su, sudo...) */
- if (setuid(0) == -1) {
- D(("setuid failed"));
- _exit(PAM_AUTHINFO_UNAVAIL);
- }
+ /* must set the real uid to 0 so the helper will not error
+ out if pam is called from setuid binary (su, sudo...) */
+ if (setuid(0) == -1) {
+ D(("setuid failed"));
+ if (geteuid() == 0) {
+ _exit(PAM_AUTHINFO_UNAVAIL);
+ }
}
/* exec binary helper */
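Review bot: In the `support.c` hunk a failed `setuid(0)` is reported only through `D(("setuid failed"))`, while the `pam_unix_acct.c` hunk logs the same event with `pam_syslog` at `LOG_ERR` or `LOG_DEBUG`. If `D()` is compiled out in normal builds, as debug macros usually are, the non-root path in `_unix_run_helper_binary` continues to the exec without leaving any trace, although the commit message says logging is kept for later analysis. Using `pam_syslog(pamh, geteuid() == 0 ? LOG_ERR : LOG_DEBUG, "setuid failed: %m");` there as well would make the two call sites consistent; `pamh` is a parameter of that function. Both functions start and end outside the hunks, so the surrounding fork and exec handling is not visible here.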