link setuid binaries with full relro (#853158)
- add rhost and tty to auditing data in modules (#677664)
parent
8a0ba11ae1
commit
010ed2b452
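--- a/pam-1.1.6-audit-data.patch
+++ b/pam-1.1.6-audit-data.patch
@@ -0,0 +1,173 @@
+diff -up Linux-PAM-1.1.6/modules/pam_faillock/main.c.audata Linux-PAM-1.1.6/modules/pam_faillock/main.c
+--- Linux-PAM-1.1.6/modules/pam_faillock/main.c.audata 2012-09-03 15:18:19.077405822 +0200
++++ Linux-PAM-1.1.6/modules/pam_faillock/main.c 2012-09-03 15:18:19.082405927 +0200
+@@ -42,6 +42,7 @@
+#include <errno.h>
+#include <pwd.h>
+#include <time.h>
++#include <unistd.h>
+#ifdef HAVE_LIBAUDIT
+#include <libaudit.h>
+#endif
+@@ -142,7 +143,7 @@ do_user(struct options *opts, const char
+snprintf(buf, sizeof(buf), "faillock reset uid=%u",
+pwd->pw_uid);
+audit_log_user_message(audit_fd, AUDIT_USER_ACCT,
+- buf, NULL, NULL, NULL, rv == 0);
++ buf, NULL, NULL, ttyname(fileno(stdin)), rv == 0);
+}
+close(audit_fd);
+}
+diff -up Linux-PAM-1.1.6/modules/pam_faillock/pam_faillock.c.audata Linux-PAM-1.1.6/modules/pam_faillock/pam_faillock.c
+--- Linux-PAM-1.1.6/modules/pam_faillock/pam_faillock.c.audata 2012-09-03 15:18:19.077405822 +0200
++++ Linux-PAM-1.1.6/modules/pam_faillock/pam_faillock.c 2012-09-03 15:18:19.083405948 +0200
+@@ -264,6 +264,7 @@ check_tally(pam_handle_t *pamh, struct o
+if (opts->action != FAILLOCK_ACTION_PREAUTH) { /* do not audit in preauth */
+char buf[64];
+int audit_fd;
++ const void *rhost = NULL, *tty = NULL;
+
+audit_fd = audit_open();
+/* If there is an error & audit support is in the kernel report error */
+@@ -271,9 +272,11 @@ check_tally(pam_handle_t *pamh, struct o
+errno == EAFNOSUPPORT))
+return PAM_SYSTEM_ERR;
+
++ (void)pam_get_item(pamh, PAM_TTY, &tty);
++ (void)pam_get_item(pamh, PAM_RHOST, &rhost);
+snprintf(buf, sizeof(buf), "pam_faillock uid=%u ", opts->uid);
+audit_log_user_message(audit_fd, AUDIT_RESP_ACCT_UNLOCK_TIMED, buf,
+- NULL, NULL, NULL, 1);
++ rhost, NULL, tty, 1);
+}
+#endif
+opts->flags |= FAILLOCK_FLAG_UNLOCKED;
+@@ -378,6 +381,7 @@ write_tally(pam_handle_t *pamh, struct o
+#ifdef HAVE_LIBAUDIT
+char buf[64];
+int audit_fd;
++ const void *tty = NULL, *rhost = NULL;
+
+audit_fd = audit_open();
+/* If there is an error & audit support is in the kernel report error */
+@@ -385,13 +389,15 @@ write_tally(pam_handle_t *pamh, struct o
+errno == EAFNOSUPPORT))
+return PAM_SYSTEM_ERR;
+
++ (void)pam_get_item(pamh, PAM_TTY, &tty);
++ (void)pam_get_item(pamh, PAM_RHOST, &rhost);
+snprintf(buf, sizeof(buf), "pam_faillock uid=%u ", opts->uid);
+audit_log_user_message(audit_fd, AUDIT_ANOM_LOGIN_FAILURES, buf,
+- NULL, NULL, NULL, 1);
++ rhost, NULL, tty, 1);
+
+if (opts->uid != 0 || (opts->flags & FAILLOCK_FLAG_DENY_ROOT)) {
+audit_log_user_message(audit_fd, AUDIT_RESP_ACCT_LOCK, buf,
+- NULL, NULL, NULL, 1);
++ rhost, NULL, tty, 1);
+}
+close(audit_fd);
+#endif
+diff -up Linux-PAM-1.1.6/modules/pam_selinux/pam_selinux.c.audata Linux-PAM-1.1.6/modules/pam_selinux/pam_selinux.c
+--- Linux-PAM-1.1.6/modules/pam_selinux/pam_selinux.c.audata 2012-08-15 13:08:43.000000000 +0200
++++ Linux-PAM-1.1.6/modules/pam_selinux/pam_selinux.c 2012-09-03 15:18:19.083405948 +0200
+@@ -87,6 +87,7 @@ int send_audit_message(pam_handle_t *pam
+int audit_fd = audit_open();
+security_context_t default_raw=NULL;
+security_context_t selected_raw=NULL;
++ const void *tty = NULL, *rhost = NULL;
+rc = -1;
+if (audit_fd < 0) {
+if (errno == EINVAL || errno == EPROTONOSUPPORT ||
+@@ -95,6 +96,8 @@ int send_audit_message(pam_handle_t *pam
+pam_syslog(pamh, LOG_ERR, "Error connecting to audit system.");
+return rc;
+}
++ (void)pam_get_item(pamh, PAM_TTY, &tty);
++ (void)pam_get_item(pamh, PAM_RHOST, &rhost);
+if (selinux_trans_to_raw_context(default_context, &default_raw) < 0) {
+pam_syslog(pamh, LOG_ERR, "Error translating default context.");
+default_raw = NULL;
+@@ -110,7 +113,7 @@ int send_audit_message(pam_handle_t *pam
+goto out;
+}
+if (audit_log_user_message(audit_fd, AUDIT_USER_ROLE_CHANGE,
+- msg, NULL, NULL, NULL, success) <= 0) {
++ msg, rhost, NULL, tty, success) <= 0) {
+pam_syslog(pamh, LOG_ERR, "Error sending audit message.");
+goto out;
+}
+diff -up Linux-PAM-1.1.6/modules/pam_tally2/pam_tally2.c.audata Linux-PAM-1.1.6/modules/pam_tally2/pam_tally2.c
+--- Linux-PAM-1.1.6/modules/pam_tally2/pam_tally2.c.audata 2012-08-15 13:08:43.000000000 +0200
++++ Linux-PAM-1.1.6/modules/pam_tally2/pam_tally2.c 2012-09-03 15:20:06.071641000 +0200
+@@ -509,6 +509,7 @@ tally_check (tally_t oldcnt, time_t oldt
+#ifdef HAVE_LIBAUDIT
+char buf[64];
+int audit_fd = -1;
++ const void *rhost = NULL, *tty = NULL;
+#endif
+
+if ((opts->ctrl & OPT_MAGIC_ROOT) && getuid() == 0) {
+@@ -521,6 +522,8 @@ tally_check (tally_t oldcnt, time_t oldt
+if ((audit_fd < 0) && !(errno == EINVAL || errno == EPROTONOSUPPORT ||
+errno == EAFNOSUPPORT))
+return PAM_SYSTEM_ERR;
++ (void)pam_get_item(pamh, PAM_TTY, &tty);
++ (void)pam_get_item(pamh, PAM_RHOST, &rhost);
+#endif
+if (opts->deny != 0 && /* deny==0 means no deny */
+tally->fail_cnt > opts->deny && /* tally>deny means exceeded */
+@@ -530,7 +533,7 @@ tally_check (tally_t oldcnt, time_t oldt
+/* First say that max number was hit. */
+snprintf(buf, sizeof(buf), "pam_tally2 uid=%u ", uid);
+audit_log_user_message(audit_fd, AUDIT_ANOM_LOGIN_FAILURES, buf,
+- NULL, NULL, NULL, 1);
++ rhost, NULL, tty, 1);
+}
+#endif
+if (uid) {
+@@ -541,7 +544,7 @@ tally_check (tally_t oldcnt, time_t oldt
+#ifdef HAVE_LIBAUDIT
+snprintf(buf, sizeof(buf), "pam_tally2 uid=%u ", uid);
+audit_log_user_message(audit_fd, AUDIT_RESP_ACCT_UNLOCK_TIMED, buf,
+- NULL, NULL, NULL, 1);
++ rhost, NULL, tty, 1);
+#endif
+rv = PAM_SUCCESS;
+goto cleanup;
+@@ -555,7 +558,7 @@ tally_check (tally_t oldcnt, time_t oldt
+#ifdef HAVE_LIBAUDIT
+snprintf(buf, sizeof(buf), "pam_tally2 uid=%u ", uid);
+audit_log_user_message(audit_fd, AUDIT_RESP_ACCT_UNLOCK_TIMED, buf,
+- NULL, NULL, NULL, 1);
++ rhost, NULL, tty, 1);
+#endif
+rv = PAM_SUCCESS;
+goto cleanup;
+@@ -567,7 +570,7 @@ tally_check (tally_t oldcnt, time_t oldt
+if (tally->fail_cnt == opts->deny+1) {
+/* First say that max number was hit. */
+audit_log_user_message(audit_fd, AUDIT_RESP_ACCT_LOCK, buf,
+- NULL, NULL, NULL, 1);
++ rhost, NULL, tty, 1);
+}
+#endif
+
+@@ -996,7 +999,7 @@ main( int argc UNUSED, char **argv )
+int audit_fd = audit_open();
+snprintf(buf, sizeof(buf), "pam_tally2 uid=%u reset=%hu", uid, cline_reset);
+audit_log_user_message(audit_fd, AUDIT_USER_ACCT,
+- buf, NULL, NULL, NULL, 1);
++ buf, NULL, NULL, ttyname(fileno(stdin)), 1);
+if (audit_fd >=0)
+close(audit_fd);
+#endif
+@@ -1041,7 +1044,7 @@ main( int argc UNUSED, char **argv )
+int audit_fd = audit_open();
+snprintf(buf, sizeof(buf), "pam_tally2 uid=all reset=0");
+audit_log_user_message(audit_fd, AUDIT_USER_ACCT,
+- buf, NULL, NULL, NULL, 1);
++ buf, NULL, NULL, ttyname(fileno(stdin)), 1);
+if (audit_fd >=0)
+close(audit_fd);
+#endif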
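Review bot: The PAM_RHOST string now handed to audit_log_user_message() as its `hostname` argument (pam_faillock check_tally/write_tally, pam_selinux send_audit_message, pam_tally2 tally_check) is application-supplied, and if I recall the audit-userspace implementation correctly libaudit resolves `hostname` with getaddrinfo() to fill the addr= field whenever `addr` is passed as NULL, which is the case at every changed call. That places a blocking resolver lookup on the failed-login path of pam_faillock and pam_tally2 and lets the record's addr= field depend on resolver answers for a peer-controlled string, so the choice deserves a comment at the first call site, e.g. `/* rhost goes in hostname=; libaudit may resolve it to fill addr= -- accepted, see #677664 */`, or, if callers only ever supply an address literal, passing `rhost` as `addr` too so no lookup is made. The `ttyname(fileno(stdin))` arguments in the faillock and pam_tally2 command-line tools yield NULL when stdin is not a terminal, which the API already accepts, so those are fine. Every function touched here starts and ends outside its hunk.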
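--- a/pam-1.1.6-full-relro.patch
+++ b/pam-1.1.6-full-relro.patch
@@ -0,0 +1,31 @@
+diff -up Linux-PAM-1.1.6/modules/pam_timestamp/Makefile.am.relro Linux-PAM-1.1.6/modules/pam_timestamp/Makefile.am
+--- Linux-PAM-1.1.6/modules/pam_timestamp/Makefile.am.relro 2012-08-15 13:08:43.000000000 +0200
++++ Linux-PAM-1.1.6/modules/pam_timestamp/Makefile.am 2012-09-03 15:22:13.735307976 +0200
+@@ -36,7 +36,7 @@ pam_timestamp_la_CFLAGS = $(AM_CFLAGS)
+pam_timestamp_check_SOURCES = pam_timestamp_check.c
+pam_timestamp_check_CFLAGS = $(AM_CFLAGS) @PIE_CFLAGS@
+pam_timestamp_check_LDADD = $(top_builddir)/libpam/libpam.la
+-pam_timestamp_check_LDFLAGS = @PIE_LDFLAGS@
++pam_timestamp_check_LDFLAGS = -Wl,-z,now @PIE_LDFLAGS@
+
+hmacfile_SOURCES = hmacfile.c hmacsha1.c sha1.c
+hmacfile_LDADD = $(top_builddir)/libpam/libpam.la
+diff -up Linux-PAM-1.1.6/modules/pam_unix/Makefile.am.relro Linux-PAM-1.1.6/modules/pam_unix/Makefile.am
+--- Linux-PAM-1.1.6/modules/pam_unix/Makefile.am.relro 2012-08-15 13:08:43.000000000 +0200
++++ Linux-PAM-1.1.6/modules/pam_unix/Makefile.am 2012-09-03 15:21:31.464424910 +0200
+@@ -55,13 +55,13 @@ bigcrypt_LDADD = @LIBCRYPT@
+unix_chkpwd_SOURCES = unix_chkpwd.c md5_good.c md5_broken.c bigcrypt.c \
+passverify.c
+unix_chkpwd_CFLAGS = $(AM_CFLAGS) @PIE_CFLAGS@ -DHELPER_COMPILE=\"unix_chkpwd\"
+-unix_chkpwd_LDFLAGS = @PIE_LDFLAGS@
++unix_chkpwd_LDFLAGS = -Wl,-z,now @PIE_LDFLAGS@
+unix_chkpwd_LDADD = @LIBCRYPT@ @LIBSELINUX@ @LIBAUDIT@
+
+unix_update_SOURCES = unix_update.c md5_good.c md5_broken.c bigcrypt.c \
+passverify.c
+unix_update_CFLAGS = $(AM_CFLAGS) @PIE_CFLAGS@ -DHELPER_COMPILE=\"unix_update\"
+-unix_update_LDFLAGS = @PIE_LDFLAGS@
++unix_update_LDFLAGS = -Wl,-z,now @PIE_LDFLAGS@
+unix_update_LDADD = @LIBCRYPT@ @LIBSELINUX@
+
+if ENABLE_REGENERATE_MAN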
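Review bot: `-Wl,-z,now` by itself only requests immediate symbol binding; full RELRO also needs `-z relro`, so the three changed LDFLAGS lines (pam_timestamp_check, unix_chkpwd, unix_update) depend on the toolchain adding `-z relro` on its own, which Fedora's gcc is believed to do but a rebuild with another toolchain would silently lose, leaving the GOT bound but still writable. Spelling both out, `unix_chkpwd_LDFLAGS = -Wl,-z,relro,-z,now @PIE_LDFLAGS@` (and the same for the other two), makes the hardening independent of that default and lets a packager verify it with `readelf -l` on the installed binary by looking for the GNU_RELRO segment. A one-line comment above each assignment saying these are the setuid helpers and why they get the flag while the modules do not would also help the next person who touches these Makefiles.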
10
pam.spec
10
pam.spec
@ -3,7 +3,7 @@
|
|||||||
Summary: An extensible library which provides authentication for applications
|
Summary: An extensible library which provides authentication for applications
|
||||||
Name: pam
|
Name: pam
|
||||||
Version: 1.1.6
|
Version: 1.1.6
|
||||||
Release: 1%{?dist}
|
Release: 2%{?dist}
|
||||||
# The library is BSD licensed with option to relicense as GPLv2+
|
# The library is BSD licensed with option to relicense as GPLv2+
|
||||||
# - this option is redundant as the BSD license allows that anyway.
|
# - this option is redundant as the BSD license allows that anyway.
|
||||||
# pam_timestamp, pam_loginuid, and pam_console modules are GPLv2+.
|
# pam_timestamp, pam_loginuid, and pam_console modules are GPLv2+.
|
||||||
@ -38,6 +38,8 @@ Patch10: pam-1.1.3-nouserenv.patch
|
|||||||
Patch11: pam-1.1.3-console-abstract.patch
|
Patch11: pam-1.1.3-console-abstract.patch
|
||||||
Patch12: pam-1.1.3-faillock-screensaver.patch
|
Patch12: pam-1.1.3-faillock-screensaver.patch
|
||||||
Patch13: pam-1.1.5-limits-user.patch
|
Patch13: pam-1.1.5-limits-user.patch
|
||||||
|
Patch14: pam-1.1.6-audit-data.patch
|
||||||
|
Patch15: pam-1.1.6-full-relro.patch
|
||||||
# FIPS related - non upstreamable
|
# FIPS related - non upstreamable
|
||||||
Patch20: pam-1.1.5-unix-no-fallback.patch
|
Patch20: pam-1.1.5-unix-no-fallback.patch
|
||||||
# Upstreamed
|
# Upstreamed
|
||||||
@ -116,6 +118,8 @@ mv pam-redhat-%{pam_redhat_version}/* modules
|
|||||||
%patch11 -p1 -b .abstract
|
%patch11 -p1 -b .abstract
|
||||||
%patch12 -p1 -b .screensaver
|
%patch12 -p1 -b .screensaver
|
||||||
%patch13 -p1 -b .limits
|
%patch13 -p1 -b .limits
|
||||||
|
%patch14 -p1 -b .audata
|
||||||
|
%patch15 -p1 -b .relro
|
||||||
%patch20 -p1 -b .no-fallback
|
%patch20 -p1 -b .no-fallback
|
||||||
%patch21 -p1 -b .empty
|
%patch21 -p1 -b .empty
|
||||||
%patch22 -p1 -b .build
|
%patch22 -p1 -b .build
|
||||||
@ -373,6 +377,10 @@ fi
|
|||||||
%doc doc/adg/*.txt doc/adg/html
|
%doc doc/adg/*.txt doc/adg/html
|
||||||
|
|
||||||
%changelog
|
%changelog
|
||||||
|
* Mon Sep 3 2012 Tomas Mraz <tmraz@redhat.com> 1.1.6-2
|
||||||
|
- link setuid binaries with full relro (#853158)
|
||||||
|
- add rhost and tty to auditing data in modules (#677664)
|
||||||
|
|
||||||
* Fri Aug 17 2012 Tomas Mraz <tmraz@redhat.com> - 1.1.6-1
|
* Fri Aug 17 2012 Tomas Mraz <tmraz@redhat.com> - 1.1.6-1
|
||||||
- new upstream release
|
- new upstream release
|
||||||
|
|
||||||
|