Merge pull request 'control-pam: Add unix_chkpwd and pam_timestamp_check' (#22) from solardiz-patch-20 into main

Reviewed-on: #22
Reviewed-by: Neil Hanlon <neil@noreply@resf.org>

docs/news.md

@@ -2,6 +2,10 @@
 
 These are what we consider significant SIG/Security news items, not an exhaustive list of package updates and wiki edits.
 
+## January 3, 2024
+
+[control](packages/control.md) `0.8.0-7` can now manage two SUID root PAM helper programs `unix_chkpwd` and `pam_timestamp_check`.
+
 ## December 27, 2023
 
 [control](packages/control.md) `0.8.0-5` can now manage user password hashing scheme and password policy in use by PAM-aware programs.

docs/packages/control.md

@@ -2,7 +2,7 @@
 
 ## EL9
 
-- Version `0.8.0-5.el9_3.security`
+- Version `0.8.0-7.el9_3.security`
 
 ### Package summary
 
@@ -26,8 +26,10 @@ mount           public          (public wheelonly unprivileged restricted)
 newgidmap           public        (public wheelonly restricted)
 newgrp              public        (public wheelonly restricted)
 newuidmap           public        (public wheelonly restricted)
+pam_timestamp_check public        (public restricted)
 password-hash       sha512crypt   (sha512crypt yescrypt)
 password-policy     pwquality     (pwquality passwdqc)
+unix_chkpwd         public        (public restricted)
 write               public        (public restricted)
 ```
 
@@ -40,18 +42,18 @@ mount           restricted      (public wheelonly unprivileged restricted)
 newgidmap           restricted    (public wheelonly restricted)
 newgrp              restricted    (public wheelonly restricted)
 newuidmap           restricted    (public wheelonly restricted)
+pam_timestamp_check restricted    (public restricted)
 password-hash       yescrypt      (sha512crypt yescrypt)
 password-policy     passwdqc      (pwquality passwdqc)
+unix_chkpwd         restricted    (public restricted)
 write               restricted    (public restricted)
 ```
 
-The default settings (typically `public`) correspond to EL packages' defaults (and are typically the most relaxed security-wise).
-
 Please refer to `control(8)` man page for command-line usage syntax.
 
 ### Sub-packages
 
-Currently, there are 3 sub-packages:
+Currently, there are 4 sub-packages:
 
 #### control
 
@@ -67,11 +69,20 @@ Facility specifications corresponding to the `util-linux` and `util-linux-core`
 
 #### control-pam
 
-Facility specifications corresponding to the `pam` package. Currently, these allow to `control` user password hashing scheme and password policy in use by PAM-aware programs.
+Facility specifications corresponding to the `pam` package. Currently, these allow to `control` user password hashing scheme and password policy in use by PAM-aware programs, as well as two SUID root PAM helper programs `unix_chkpwd` and `pam_timestamp_check`.
 
 ### Change log
 
 ```
+* Wed Jan  3 2024 Solar Designer <solar@openwall.com> 0.8.0-7
+- Add unix_chkpwd and pam_timestamp_check facilities to the pam sub-package
+
+* Wed Jan  3 2024 Solar Designer <solar@openwall.com> 0.8.0-6
+- Revise password-hash and password-policy to process the underlying two
+  "sub-facilities" (for the two configuration files updated by each of these)
+  using the same logic that we had used for mount (where the two underlying
+  "sub-facilities" are the mount and umount programs)
+
 * Wed Dec 27 2023 Solar Designer <solar@openwall.com> 0.8.0-5
 - Install control(8) mode 755 since some of its features work as non-root
 - Add sub-package with facilities and triggers for pam password hashing and
@@ -87,7 +98,7 @@ Facility specifications corresponding to the `pam` package. Currently, these all
 
 * Wed Dec 13 2023 Solar Designer <solar@openwall.com> 0.8.0-2
 - In addition to Requires(pre), also use Requires in the sub-package
-- In %%triggerprein_control, pre-check that the facility exists
+- In %triggerprein_control, pre-check that the facility exists
 - Use (renamed) copies of the trigger macros within this spec file
 
 * Wed Dec 13 2023 Solar Designer <solar@openwall.com> 0.8.0-1