#
# Conditional build:
%bcond_without doc # don't build documentation
-%bcond_with prelude # build with Prelude IDS support
+%bcond_with prelude # build with Prelude IDS support (in libpam)
%bcond_without selinux # build without SELinux support
%bcond_without audit # build with Linux Auditing library support
Summary(tr.UTF-8): Modüler, artımsal doğrulama birimleri
Summary(uk.UTF-8): Інструмент, що забезпечує аутентифікацію для програм
Name: pam
-Version: 1.1.5
+Version: 1.1.7
Release: 1
Epoch: 1
License: GPL or BSD
Group: Base
#Source0: http://ftp.kernel.org/pub/linux/libs/pam/library/Linux-PAM-%{version}.tar.bz2
Source0: https://fedorahosted.org/releases/l/i/linux-pam/Linux-PAM-%{version}.tar.bz2
-# Source0-md5: 927ee5585bdec5256c75117e9348aa47
+# Source0-md5: 9f90888cd22212a6b5af2920f4eaaf1b
#xSource1: http://ftp.kernel.org/pub/linux/libs/pam/library/Linux-PAM-%{version}.tar.bz2.sign
# xSource1-md5: 2435d4a23aaf871bcec436f863b0de6c
Source2: ftp://ftp.pld-linux.org/software/pam/%{name}-pld-%{pam_pld_version}.tar.gz
Source6: %{name}_selinux_check.pamd
Source7: system-auth.5
Source8: config-util.5
+Source9: %{name}.tmpfiles
Patch0: %{name}-pld-modules.patch
-Patch1: %{name}-cracklib-enforce.patch
+Patch1: %{name}_unix_passwd-typo.patch
Patch2: %{name}-tally-fail-close.patch
Patch3: %{name}-mkhomedir-notfound.patch
Patch4: %{name}-db-gdbm.patch
%install
rm -rf $RPM_BUILD_ROOT
-install -d $RPM_BUILD_ROOT{%{_libdir},/etc/pam.d,/var/log}
+install -d $RPM_BUILD_ROOT{%{_libdir},/etc/pam.d,/var/{log,run/sepermit}} \
+ $RPM_BUILD_ROOT%{systemdtmpfilesdir}
%{__make} install \
DESTDIR=$RPM_BUILD_ROOT
%if %{with selinux}
-install modules/pam_selinux/.libs/pam_selinux_check $RPM_BUILD_ROOT%{_sbindir}
-install modules/pam_selinux/pam_selinux_check.8 $RPM_BUILD_ROOT%{_mandir}/man8
-install %{SOURCE6} $RPM_BUILD_ROOT/etc/pam.d/pam_selinux_check
+install -p modules/pam_selinux/.libs/pam_selinux_check $RPM_BUILD_ROOT%{_sbindir}
+cp -p modules/pam_selinux/pam_selinux_check.8 $RPM_BUILD_ROOT%{_mandir}/man8
+cp -p %{SOURCE6} $RPM_BUILD_ROOT/etc/pam.d/pam_selinux_check
%endif
+cp -p %{SOURCE9} $RPM_BUILD_ROOT%{systemdtmpfilesdir}/%{name}.conf
+
install -d doc/txts
for r in modules/pam_*/README ; do
cp -f $r doc/txts/README.$(basename $(dirname $r))
ln -sf /%{_lib}/$(echo libpamc.so.*.*.*) $RPM_BUILD_ROOT%{_libdir}/libpamc.so
cd -
-install %{SOURCE3} $RPM_BUILD_ROOT/etc/pam.d/other
-install %{SOURCE4} $RPM_BUILD_ROOT/etc/pam.d/system-auth
-install %{SOURCE5} $RPM_BUILD_ROOT/etc/pam.d/config-util
+cp -p %{SOURCE3} $RPM_BUILD_ROOT/etc/pam.d/other
+cp -p %{SOURCE4} $RPM_BUILD_ROOT/etc/pam.d/system-auth
+cp -p %{SOURCE5} $RPM_BUILD_ROOT/etc/pam.d/config-util
-install %{SOURCE7} $RPM_BUILD_ROOT%{_mandir}/man5/system-auth.5
-install %{SOURCE8} $RPM_BUILD_ROOT%{_mandir}/man5/config-util.5
+cp -p %{SOURCE7} $RPM_BUILD_ROOT%{_mandir}/man5/system-auth.5
+cp -p %{SOURCE8} $RPM_BUILD_ROOT%{_mandir}/man5/config-util.5
# Make sure every module subdirectory gave us a module. Yes, this is hackish.
for dir in modules/pam_* ; do
# useless - shut up check-files
rm -f $RPM_BUILD_ROOT/%{_lib}/security/*.{la,a}
rm -f $RPM_BUILD_ROOT/%{_lib}/lib*.so
-rm -rf $RPM_BUILD_ROOT%{_datadir}/doc/Linux-PAM
+rm -rf $RPM_BUILD_ROOT%{_docdir}/Linux-PAM
%if %{without selinux}
rm -rf $RPM_BUILD_ROOT{/%{_lib}/security/pam_selinux.so,%{_sbindir}/pam_selinux_check,%{_mandir}/man8/pam_selinux*.8*}
rm -rf $RPM_BUILD_ROOT
%triggerpostun libs -- %{name}-libs < 0.99.7.1
-for f in `grep -l "\(pam_make\|pam_homedir\)" /etc/pam.d/*` ; do
+for f in $(grep -l "\(pam_make\|pam_homedir\)" /etc/pam.d/*); do
case "$f" in
*rpmorig|*rpmnew|*rpmsave|*~|*.orig)
continue
if [ "$1" != 1 ]; then
%service -q crond restart
fi
+exit 0
+
+%triggerpostun -- %{name} < 1:1.1.5-8
+# removed in 1.1.4
+if grep -qs change_uid /etc/pam.d/system-auth; then
+ %{__sed} -i -e '/session/ s/change_uid//' /etc/pam.d/system-auth
+fi
+
+# We want it added for painless upgarde even if it mean log pollution for non-systemd
+# enabled systems,
+# If this module is not present on systemd enabled system then `systemctl restart sshd.service`
+# will kill all sessions.
+if ! grep -qs pam_systemd /etc/pam.d/system-auth; then
+ echo "-session optional pam_systemd.so" >>/etc/pam.d/system-auth
+fi
%post -p <lua>
fh, error = io.open("/var/log/tallylog")
%dir /etc/security/console.apps
%dir /etc/security/console.perms.d
%dir /var/run/console
+/usr/lib/tmpfiles.d/%{name}.conf
%config(noreplace) %verify(not md5 mtime size) /etc/environment
%config(noreplace) %verify(not md5 mtime size) /etc/pam.d/other
%config(noreplace) %verify(not md5 mtime size) /etc/pam.d/system-auth
%attr(755,root,root) %{_sbindir}/pwgen_trigram
%attr(4755,root,root) %{_sbindir}/unix_chkpwd
%attr(4755,root,root) %{_sbindir}/unix_update
-%{_mandir}/man5/*
-%{_mandir}/man8/PAM.*
+%{_mandir}/man5/access.conf.5*
+%{_mandir}/man5/config-util.5*
+%{_mandir}/man5/console.apps.5*
+%{_mandir}/man5/console.handlers.5*
+%{_mandir}/man5/console.perms.5*
+%{_mandir}/man5/group.conf.5*
+%{_mandir}/man5/limits.conf.5*
+%{_mandir}/man5/namespace.conf.5*
+%{_mandir}/man5/pam.conf.5*
+%{_mandir}/man5/pam.d.5*
+%{_mandir}/man5/pam_env.conf.5*
+%{_mandir}/man5/system-auth.5*
+%{_mandir}/man5/time.conf.5*
+%{_mandir}/man8/PAM.8*
%{_mandir}/man8/mkhomedir_helper.8*
-%{_mandir}/man8/pam.*
-%{_mandir}/man8/pam_[a-r]*
-%{_mandir}/man8/pam_securetty*
-%{_mandir}/man8/pam_shells*
-%{_mandir}/man8/pam_succeed_if*
-%{_mandir}/man8/pam_[t-x]*
-%{_mandir}/man8/unix_chkpwd*
-%{_mandir}/man8/unix_update*
+%{_mandir}/man8/pam.8*
+%{_mandir}/man8/pam_*.8*
+%{_mandir}/man8/unix_chkpwd.8*
+%{_mandir}/man8/unix_update.8*
+%if %{with selinux}
+%exclude %{_mandir}/man8/pam_selinux*.8*
+%exclude %{_mandir}/man8/pam_sepermit.8*
+%endif
%ghost %verify(not md5 mtime size) /var/log/tallylog
%files libs
%attr(755,root,root) %{_sbindir}/pam_selinux_check
%config(noreplace) %verify(not md5 mtime size) /etc/pam.d/pam_selinux_check
%config(noreplace) %verify(not md5 mtime size) /etc/security/sepermit.conf
+%{_mandir}/man5/sepermit.conf.5*
%{_mandir}/man8/pam_selinux*.8*
-%{_mandir}/man8/pam_sepermit*.8*
+%{_mandir}/man8/pam_sepermit.8*
+%dir /var/run/sepermit
%endif