rpms/pam
7
0
Fork 0
Code Issues Pull Requests Releases Activity

link setuid binaries with full relro (#853158)

Browse Source 
- add rhost and tty to auditing data in modules (#677664)
This commit is contained in:
Tomas Mraz 2012-09-03 15:24:00 +02:00
parent 8a0ba11ae1
commit 010ed2b452
3 changed files with 213 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

173
pam-1.1.6-audit-data.patch Normal file
View File

@ -0,0 +1,173 @@
diff -up Linux-PAM-1.1.6/modules/pam_faillock/main.c.audata Linux-PAM-1.1.6/modules/pam_faillock/main.c
--- Linux-PAM-1.1.6/modules/pam_faillock/main.c.audata 2012-09-03 15:18:19.077405822 +0200
+++ Linux-PAM-1.1.6/modules/pam_faillock/main.c 2012-09-03 15:18:19.082405927 +0200
@@ -42,6 +42,7 @@
#include <errno.h>
#include <pwd.h>
#include <time.h>
+#include <unistd.h>
#ifdef HAVE_LIBAUDIT
#include <libaudit.h>
#endif
@@ -142,7 +143,7 @@ do_user(struct options *opts, const char
snprintf(buf, sizeof(buf), "faillock reset uid=%u",
pwd->pw_uid);
audit_log_user_message(audit_fd, AUDIT_USER_ACCT,
- buf, NULL, NULL, NULL, rv == 0);
+ buf, NULL, NULL, ttyname(fileno(stdin)), rv == 0);
}
close(audit_fd);
}
diff -up Linux-PAM-1.1.6/modules/pam_faillock/pam_faillock.c.audata Linux-PAM-1.1.6/modules/pam_faillock/pam_faillock.c
--- Linux-PAM-1.1.6/modules/pam_faillock/pam_faillock.c.audata 2012-09-03 15:18:19.077405822 +0200
+++ Linux-PAM-1.1.6/modules/pam_faillock/pam_faillock.c 2012-09-03 15:18:19.083405948 +0200
@@ -264,6 +264,7 @@ check_tally(pam_handle_t *pamh, struct o
if (opts->action != FAILLOCK_ACTION_PREAUTH) { /* do not audit in preauth */
char buf[64];
int audit_fd;
+ const void *rhost = NULL, *tty = NULL;
audit_fd = audit_open();
/* If there is an error & audit support is in the kernel report error */
@@ -271,9 +272,11 @@ check_tally(pam_handle_t *pamh, struct o
errno == EAFNOSUPPORT))
return PAM_SYSTEM_ERR;
+ (void)pam_get_item(pamh, PAM_TTY, &tty);
+ (void)pam_get_item(pamh, PAM_RHOST, &rhost);
snprintf(buf, sizeof(buf), "pam_faillock uid=%u ", opts->uid);
audit_log_user_message(audit_fd, AUDIT_RESP_ACCT_UNLOCK_TIMED, buf,
- NULL, NULL, NULL, 1);
+ rhost, NULL, tty, 1);
}
#endif
opts->flags |= FAILLOCK_FLAG_UNLOCKED;
@@ -378,6 +381,7 @@ write_tally(pam_handle_t *pamh, struct o
#ifdef HAVE_LIBAUDIT
char buf[64];
int audit_fd;
+ const void *tty = NULL, *rhost = NULL;
audit_fd = audit_open();
/* If there is an error & audit support is in the kernel report error */
@@ -385,13 +389,15 @@ write_tally(pam_handle_t *pamh, struct o
errno == EAFNOSUPPORT))
return PAM_SYSTEM_ERR;
+ (void)pam_get_item(pamh, PAM_TTY, &tty);
+ (void)pam_get_item(pamh, PAM_RHOST, &rhost);
snprintf(buf, sizeof(buf), "pam_faillock uid=%u ", opts->uid);
audit_log_user_message(audit_fd, AUDIT_ANOM_LOGIN_FAILURES, buf,
- NULL, NULL, NULL, 1);
+ rhost, NULL, tty, 1);
if (opts->uid != 0 || (opts->flags & FAILLOCK_FLAG_DENY_ROOT)) {
audit_log_user_message(audit_fd, AUDIT_RESP_ACCT_LOCK, buf,
- NULL, NULL, NULL, 1);
+ rhost, NULL, tty, 1);
}
close(audit_fd);
#endif
diff -up Linux-PAM-1.1.6/modules/pam_selinux/pam_selinux.c.audata Linux-PAM-1.1.6/modules/pam_selinux/pam_selinux.c
--- Linux-PAM-1.1.6/modules/pam_selinux/pam_selinux.c.audata 2012-08-15 13:08:43.000000000 +0200
+++ Linux-PAM-1.1.6/modules/pam_selinux/pam_selinux.c 2012-09-03 15:18:19.083405948 +0200
@@ -87,6 +87,7 @@ int send_audit_message(pam_handle_t *pam
int audit_fd = audit_open();
security_context_t default_raw=NULL;
security_context_t selected_raw=NULL;
+ const void *tty = NULL, *rhost = NULL;
rc = -1;
if (audit_fd < 0) {
if (errno == EINVAL || errno == EPROTONOSUPPORT ||
@@ -95,6 +96,8 @@ int send_audit_message(pam_handle_t *pam
pam_syslog(pamh, LOG_ERR, "Error connecting to audit system.");
return rc;
}
+ (void)pam_get_item(pamh, PAM_TTY, &tty);
+ (void)pam_get_item(pamh, PAM_RHOST, &rhost);
if (selinux_trans_to_raw_context(default_context, &default_raw) < 0) {
pam_syslog(pamh, LOG_ERR, "Error translating default context.");
default_raw = NULL;
@@ -110,7 +113,7 @@ int send_audit_message(pam_handle_t *pam
goto out;
}
if (audit_log_user_message(audit_fd, AUDIT_USER_ROLE_CHANGE,
- msg, NULL, NULL, NULL, success) <= 0) {
+ msg, rhost, NULL, tty, success) <= 0) {
pam_syslog(pamh, LOG_ERR, "Error sending audit message.");
goto out;
}
diff -up Linux-PAM-1.1.6/modules/pam_tally2/pam_tally2.c.audata Linux-PAM-1.1.6/modules/pam_tally2/pam_tally2.c
--- Linux-PAM-1.1.6/modules/pam_tally2/pam_tally2.c.audata 2012-08-15 13:08:43.000000000 +0200
+++ Linux-PAM-1.1.6/modules/pam_tally2/pam_tally2.c 2012-09-03 15:20:06.071641000 +0200
@@ -509,6 +509,7 @@ tally_check (tally_t oldcnt, time_t oldt
#ifdef HAVE_LIBAUDIT
char buf[64];
int audit_fd = -1;
+ const void *rhost = NULL, *tty = NULL;
#endif
if ((opts->ctrl & OPT_MAGIC_ROOT) && getuid() == 0) {
@@ -521,6 +522,8 @@ tally_check (tally_t oldcnt, time_t oldt
if ((audit_fd < 0) && !(errno == EINVAL || errno == EPROTONOSUPPORT ||
errno == EAFNOSUPPORT))
return PAM_SYSTEM_ERR;
+ (void)pam_get_item(pamh, PAM_TTY, &tty);
+ (void)pam_get_item(pamh, PAM_RHOST, &rhost);
#endif
if (opts->deny != 0 && /* deny==0 means no deny */
tally->fail_cnt > opts->deny && /* tally>deny means exceeded */
@@ -530,7 +533,7 @@ tally_check (tally_t oldcnt, time_t oldt
/* First say that max number was hit. */
snprintf(buf, sizeof(buf), "pam_tally2 uid=%u ", uid);
audit_log_user_message(audit_fd, AUDIT_ANOM_LOGIN_FAILURES, buf,
- NULL, NULL, NULL, 1);
+ rhost, NULL, tty, 1);
}
#endif
if (uid) {
@@ -541,7 +544,7 @@ tally_check (tally_t oldcnt, time_t oldt
#ifdef HAVE_LIBAUDIT
snprintf(buf, sizeof(buf), "pam_tally2 uid=%u ", uid);
audit_log_user_message(audit_fd, AUDIT_RESP_ACCT_UNLOCK_TIMED, buf,
- NULL, NULL, NULL, 1);
+ rhost, NULL, tty, 1);
#endif
rv = PAM_SUCCESS;
goto cleanup;
@@ -555,7 +558,7 @@ tally_check (tally_t oldcnt, time_t oldt
#ifdef HAVE_LIBAUDIT
snprintf(buf, sizeof(buf), "pam_tally2 uid=%u ", uid);
audit_log_user_message(audit_fd, AUDIT_RESP_ACCT_UNLOCK_TIMED, buf,
- NULL, NULL, NULL, 1);
+ rhost, NULL, tty, 1);
#endif
rv = PAM_SUCCESS;
goto cleanup;
@@ -567,7 +570,7 @@ tally_check (tally_t oldcnt, time_t oldt
if (tally->fail_cnt == opts->deny+1) {
/* First say that max number was hit. */
audit_log_user_message(audit_fd, AUDIT_RESP_ACCT_LOCK, buf,
- NULL, NULL, NULL, 1);
+ rhost, NULL, tty, 1);
}
#endif
@@ -996,7 +999,7 @@ main( int argc UNUSED, char **argv )
int audit_fd = audit_open();
snprintf(buf, sizeof(buf), "pam_tally2 uid=%u reset=%hu", uid, cline_reset);
audit_log_user_message(audit_fd, AUDIT_USER_ACCT,
- buf, NULL, NULL, NULL, 1);
+ buf, NULL, NULL, ttyname(fileno(stdin)), 1);
if (audit_fd >=0)
close(audit_fd);
#endif
@@ -1041,7 +1044,7 @@ main( int argc UNUSED, char **argv )
int audit_fd = audit_open();
snprintf(buf, sizeof(buf), "pam_tally2 uid=all reset=0");
audit_log_user_message(audit_fd, AUDIT_USER_ACCT,
- buf, NULL, NULL, NULL, 1);
+ buf, NULL, NULL, ttyname(fileno(stdin)), 1);
if (audit_fd >=0)
close(audit_fd);
#endif

31
pam-1.1.6-full-relro.patch Normal file
View File

@ -0,0 +1,31 @@
diff -up Linux-PAM-1.1.6/modules/pam_timestamp/Makefile.am.relro Linux-PAM-1.1.6/modules/pam_timestamp/Makefile.am
--- Linux-PAM-1.1.6/modules/pam_timestamp/Makefile.am.relro 2012-08-15 13:08:43.000000000 +0200
+++ Linux-PAM-1.1.6/modules/pam_timestamp/Makefile.am 2012-09-03 15:22:13.735307976 +0200
@@ -36,7 +36,7 @@ pam_timestamp_la_CFLAGS = $(AM_CFLAGS)
pam_timestamp_check_SOURCES = pam_timestamp_check.c
pam_timestamp_check_CFLAGS = $(AM_CFLAGS) @PIE_CFLAGS@
pam_timestamp_check_LDADD = $(top_builddir)/libpam/libpam.la
-pam_timestamp_check_LDFLAGS = @PIE_LDFLAGS@
+pam_timestamp_check_LDFLAGS = -Wl,-z,now @PIE_LDFLAGS@
hmacfile_SOURCES = hmacfile.c hmacsha1.c sha1.c
hmacfile_LDADD = $(top_builddir)/libpam/libpam.la
diff -up Linux-PAM-1.1.6/modules/pam_unix/Makefile.am.relro Linux-PAM-1.1.6/modules/pam_unix/Makefile.am
--- Linux-PAM-1.1.6/modules/pam_unix/Makefile.am.relro 2012-08-15 13:08:43.000000000 +0200
+++ Linux-PAM-1.1.6/modules/pam_unix/Makefile.am 2012-09-03 15:21:31.464424910 +0200
@@ -55,13 +55,13 @@ bigcrypt_LDADD = @LIBCRYPT@
unix_chkpwd_SOURCES = unix_chkpwd.c md5_good.c md5_broken.c bigcrypt.c \
passverify.c
unix_chkpwd_CFLAGS = $(AM_CFLAGS) @PIE_CFLAGS@ -DHELPER_COMPILE=\"unix_chkpwd\"
-unix_chkpwd_LDFLAGS = @PIE_LDFLAGS@
+unix_chkpwd_LDFLAGS = -Wl,-z,now @PIE_LDFLAGS@
unix_chkpwd_LDADD = @LIBCRYPT@ @LIBSELINUX@ @LIBAUDIT@
unix_update_SOURCES = unix_update.c md5_good.c md5_broken.c bigcrypt.c \
passverify.c
unix_update_CFLAGS = $(AM_CFLAGS) @PIE_CFLAGS@ -DHELPER_COMPILE=\"unix_update\"
-unix_update_LDFLAGS = @PIE_LDFLAGS@
+unix_update_LDFLAGS = -Wl,-z,now @PIE_LDFLAGS@
unix_update_LDADD = @LIBCRYPT@ @LIBSELINUX@
if ENABLE_REGENERATE_MAN

10
pam.spec
View File

@ -3,7 +3,7 @@
Summary: An extensible library which provides authentication for applications
Name: pam
Version: 1.1.6
Release: 1%{?dist}
Release: 2%{?dist}
# The library is BSD licensed with option to relicense as GPLv2+
# - this option is redundant as the BSD license allows that anyway.
# pam_timestamp, pam_loginuid, and pam_console modules are GPLv2+.
@ -38,6 +38,8 @@ Patch10: pam-1.1.3-nouserenv.patch
Patch11: pam-1.1.3-console-abstract.patch
Patch12: pam-1.1.3-faillock-screensaver.patch
Patch13: pam-1.1.5-limits-user.patch
Patch14: pam-1.1.6-audit-data.patch
Patch15: pam-1.1.6-full-relro.patch
# FIPS related - non upstreamable
Patch20: pam-1.1.5-unix-no-fallback.patch
# Upstreamed
@ -116,6 +118,8 @@ mv pam-redhat-%{pam_redhat_version}/* modules
%patch11 -p1 -b .abstract
%patch12 -p1 -b .screensaver
%patch13 -p1 -b .limits
%patch14 -p1 -b .audata
%patch15 -p1 -b .relro
%patch20 -p1 -b .no-fallback
%patch21 -p1 -b .empty
%patch22 -p1 -b .build
@ -373,6 +377,10 @@ fi
%doc doc/adg/*.txt doc/adg/html
%changelog
* Mon Sep 3 2012 Tomas Mraz <tmraz@redhat.com> 1.1.6-2
- link setuid binaries with full relro (#853158)
- add rhost and tty to auditing data in modules (#677664)
* Fri Aug 17 2012 Tomas Mraz <tmraz@redhat.com> - 1.1.6-1
- new upstream release