- pam_namespace: better document behavior on failure (#237249)

- pam_unix: split out passwd change to a new helper binary (#236316)
- pam_namespace: add support for temporary logons (#241226)
Tomáš Mráz 2007-06-04 14:22:15 +00:00
parent 33d3c087e3
commit 09b44afcb6
6 changed files with 3050 additions and 38 deletions


@ -0,0 +1,18 @@
--- Linux-PAM-0.99.6.2/modules/pam_namespace/namespace.conf.5.xml.docfix 2007-04-03 17:51:29.000000000 +0200
+++ Linux-PAM-0.99.6.2/modules/pam_namespace/namespace.conf.5.xml 2007-04-23 19:04:10.000000000 +0200
@@ -86,6 +86,15 @@
for all users.
</para>
+ <para>
+ In case of context or level polyinstantiation the SELinux context
+ which is used for polyinstantiation is the context used for executing
+ a new process as obtained by getexeccon. This context must be set
+ by the calling application or <filename>pam_selinux.so</filename>
+ module. If this context is not set the polyinstatiation will be
+ based just on user name.
+ </para>
+
</refsect1>
<refsect1 id="namespace.conf-examples">


@ -0,0 +1,433 @@
--- Linux-PAM-0.99.6.2/modules/pam_namespace/pam_namespace.h.temp-logon 2007-05-31 17:04:17.000000000 +0200
+++ Linux-PAM-0.99.6.2/modules/pam_namespace/pam_namespace.h 2007-05-31 17:04:18.000000000 +0200
@@ -90,6 +90,7 @@
#define PAMNS_NO_UNMOUNT_ON_CLOSE 0x00010000 /* no unmount at session close */
#define NAMESPACE_MAX_DIR_LEN 80
+#define NAMESPACE_POLYDIR_DATA "pam_namespace:polydir_data"
/*
* Polyinstantiation method options, based on user, security context
@@ -100,6 +101,8 @@
USER,
CONTEXT,
LEVEL,
+ TMPDIR,
+ TMPFS
};
/*
@@ -128,6 +131,7 @@
enum polymethod method; /* method used to polyinstantiate */
unsigned int num_uids; /* number of override uids */
uid_t *uid; /* list of override uids */
+ int exclusive; /* polyinstatiate exclusively for override uids */
struct polydir_s *next; /* pointer to the next polydir entry */
};
--- Linux-PAM-0.99.6.2/modules/pam_namespace/pam_namespace.c.temp-logon 2007-05-31 17:04:18.000000000 +0200
+++ Linux-PAM-0.99.6.2/modules/pam_namespace/pam_namespace.c 2007-05-31 17:54:14.000000000 +0200
@@ -43,6 +43,7 @@
strcpy(pent->instance_prefix, ent->instance_prefix);
pent->method = ent->method;
pent->num_uids = ent->num_uids;
+ pent->exclusive = ent->exclusive;
if (ent->num_uids) {
uid_t *pptr, *eptr;
@@ -120,6 +121,10 @@
}
}
+static void cleanup_data(pam_handle_t *pamh, void *data, int err)
+{
+ del_polydir_list(data);
+}
/*
* Called from parse_config_file, this function processes a single line
@@ -140,6 +145,7 @@
poly.uid = NULL;
poly.num_uids = 0;
+ poly.exclusive = 0;
/*
* skip the leading white space
@@ -223,24 +229,13 @@
}
/*
- * Ensure that all pathnames are absolute path names.
- */
- if ((dir[0] != '/') || (instance_prefix[0] != '/')) {
- pam_syslog(idata->pamh, LOG_NOTICE,"Pathnames must start with '/'");
- goto skipping;
- }
- if (strstr(dir, "..") || strstr(instance_prefix, "..")) {
- pam_syslog(idata->pamh, LOG_NOTICE,"Pathnames must not contain '..'");
- goto skipping;
- }
-
- /*
* Populate polyinstantiated directory structure with appropriate
* pathnames and the method with which to polyinstantiate.
*/
if (strlen(dir) >= sizeof(poly.dir)
|| strlen(instance_prefix) >= sizeof(poly.instance_prefix)) {
pam_syslog(idata->pamh, LOG_NOTICE, "Pathnames too long");
+ goto skipping;
}
strcpy(poly.dir, dir);
strcpy(poly.instance_prefix, instance_prefix);
@@ -248,6 +243,18 @@
poly.method = NONE;
if (strcmp(method, "user") == 0)
poly.method = USER;
+
+ if (strcmp(method, "tmpdir") == 0) {
+ poly.method = TMPDIR;
+ if (sizeof(poly.instance_prefix) - strlen(poly.instance_prefix) < 7) {
+ pam_syslog(idata->pamh, LOG_NOTICE, "Pathnames too long");
+ goto skipping;
+ }
+ strcat(poly.instance_prefix, "XXXXXX");
+ }
+
+ if (strcmp(method, "tmpfs") == 0)
+ poly.method = TMPFS;
#ifdef WITH_SELINUX
if (strcmp(method, "level") == 0) {
@@ -266,12 +273,24 @@
#endif
- if ( poly.method == NONE) {
+ if (poly.method == NONE) {
pam_syslog(idata->pamh, LOG_NOTICE, "Illegal method");
goto skipping;
}
/*
+ * Ensure that all pathnames are absolute path names.
+ */
+ if ((dir[0] != '/') || (poly.method != TMPFS && instance_prefix[0] != '/')) {
+ pam_syslog(idata->pamh, LOG_NOTICE, "Pathnames must start with '/'");
+ goto skipping;
+ }
+ if (strstr(dir, "..") || strstr(instance_prefix, "..")) {
+ pam_syslog(idata->pamh, LOG_NOTICE, "Pathnames must not contain '..'");
+ goto skipping;
+ }
+
+ /*
* If the line in namespace.conf for a directory to polyinstantiate
* contains a list of override users (users for whom polyinstantiation
* is not performed), read the user ids, convert names into uids, and
@@ -281,7 +300,11 @@
uid_t *uidptr;
const char *ustr, *sstr;
int count, i;
-
+
+ if (*uids == '~') {
+ poly.exclusive = 1;
+ uids++;
+ }
for (count = 0, ustr = sstr = uids; sstr; ustr = sstr + 1, count++)
sstr = strchr(ustr, ',');
@@ -419,6 +442,7 @@
* directory's list of override uids. If the uid is one of the override
* uids for the polyinstantiated directory, polyinstantiation is not
* performed for that user for that directory.
+ * If exclusive is set the returned values are opposite.
*/
static int ns_override(struct polydir_s *polyptr, struct instance_data *idata,
uid_t uid)
@@ -432,11 +456,11 @@
for (i = 0; i < polyptr->num_uids; i++) {
if (uid == polyptr->uid[i]) {
- return 1;
+ return !polyptr->exclusive;
}
}
- return 0;
+ return polyptr->exclusive;
}
/*
@@ -622,6 +646,12 @@
#endif /* WITH_SELINUX */
+ case TMPDIR:
+ case TMPFS:
+ if ((*i_name=strdup("")) == NULL)
+ goto fail;
+ return PAM_SUCCESS;
+
default:
if (idata->flags & PAMNS_DEBUG)
pam_syslog(idata->pamh, LOG_ERR, "Unknown method");
@@ -725,7 +755,7 @@
* execute it and pass directory to polyinstantiate and instance
* directory as arguments.
*/
-static int inst_init(const struct polydir_s *polyptr, char *ipath,
+static int inst_init(const struct polydir_s *polyptr, const char *ipath,
struct instance_data *idata)
{
pid_t rc, pid;
@@ -791,11 +821,11 @@
* Create polyinstantiated instance directory (ipath).
*/
#ifdef WITH_SELINUX
-static int create_dirs(const struct polydir_s *polyptr, char *ipath,
+static int create_dirs(struct polydir_s *polyptr, char *ipath,
security_context_t icontext, security_context_t ocontext,
struct instance_data *idata)
#else
-static int create_dirs(const struct polydir_s *polyptr, char *ipath,
+static int create_dirs(struct polydir_s *polyptr, char *ipath,
struct instance_data *idata)
#endif
{
@@ -834,7 +864,17 @@
* attributes to match that of the original directory that is being
* polyinstantiated.
*/
- if (mkdir(ipath, S_IRUSR) < 0) {
+
+ if (polyptr->method == TMPDIR) {
+ if (mkdtemp(polyptr->instance_prefix) == NULL) {
+ pam_syslog(idata->pamh, LOG_ERR, "Error creating temporary instance %s, %m",
+ polyptr->instance_prefix);
+ polyptr->method = NONE; /* do not clean up! */
+ return PAM_SESSION_ERR;
+ }
+ /* copy the actual directory name to ipath */
+ strcpy(ipath, polyptr->instance_prefix);
+ } else if (mkdir(ipath, S_IRUSR) < 0) {
if (errno == EEXIST)
goto inst_init;
else {
@@ -920,13 +960,12 @@
* security attributes, and performs bind mount to setup the process
* namespace.
*/
-static int ns_setup(const struct polydir_s *polyptr,
+static int ns_setup(struct polydir_s *polyptr,
struct instance_data *idata)
{
int retval = 0;
char *inst_dir = NULL;
char *instname = NULL;
- char *dir;
#ifdef WITH_SELINUX
security_context_t instcontext = NULL, origcontext = NULL;
#endif
@@ -935,9 +974,15 @@
pam_syslog(idata->pamh, LOG_DEBUG,
"Set namespace for directory %s", polyptr->dir);
- dir = strrchr(polyptr->dir, '/');
- if (dir && strlen(dir) > 1)
- dir++;
+ if (polyptr->method == TMPFS) {
+ if (mount("tmpfs", polyptr->dir, "tmpfs", 0, NULL) < 0) {
+ pam_syslog(idata->pamh, LOG_ERR, "Error mounting tmpfs on %s, %m",
+ polyptr->dir);
+ return PAM_SESSION_ERR;
+ }
+ /* we must call inst_init after the mount in this case */
+ return inst_init(polyptr, "tmpfs", idata);
+ }
/*
* Obtain the name of instance pathname based on the
@@ -1043,6 +1088,58 @@
return retval;
}
+static int cleanup_tmpdirs(struct instance_data *idata)
+{
+ struct polydir_s *pptr;
+ pid_t rc, pid;
+ sighandler_t osighand = NULL;
+ int status;
+
+ osighand = signal(SIGCHLD, SIG_DFL);
+ if (osighand == SIG_ERR) {
+ pam_syslog(idata->pamh, LOG_ERR, "Cannot set signal value");
+ rc = PAM_SESSION_ERR;
+ goto out;
+ }
+
+ for (pptr = idata->polydirs_ptr; pptr; pptr = pptr->next) {
+ if (pptr->method == TMPDIR && access(pptr->instance_prefix, F_OK) == 0) {
+ pid = fork();
+ if (pid == 0) {
+#ifdef WITH_SELINUX
+ if (idata->flags & PAMNS_SELINUX_ENABLED) {
+ if (setexeccon(NULL) < 0)
+ exit(1);
+ }
+#endif
+ if (execl("/bin/rm", "/bin/rm", "-rf", pptr->instance_prefix, (char *)NULL) < 0)
+ exit(1);
+ } else if (pid > 0) {
+ while (((rc = waitpid(pid, &status, 0)) == (pid_t)-1) &&
+ (errno == EINTR));
+ if (rc == (pid_t)-1) {
+ pam_syslog(idata->pamh, LOG_ERR, "waitpid failed- %m");
+ rc = PAM_SESSION_ERR;
+ goto out;
+ }
+ if (!WIFEXITED(status) || WIFSIGNALED(status) > 0) {
+ pam_syslog(idata->pamh, LOG_ERR,
+ "Error removing %s", pptr->instance_prefix);
+ }
+ } else if (pid < 0) {
+ pam_syslog(idata->pamh, LOG_ERR,
+ "Cannot fork to run namespace init script, %m");
+ rc = PAM_SESSION_ERR;
+ goto out;
+ }
+ }
+ }
+
+ rc = PAM_SUCCESS;
+out:
+ signal(SIGCHLD, osighand);
+ return rc;
+}
/*
* This function checks to see if polyinstantiation is needed for any
@@ -1111,13 +1208,22 @@
* disassociate from the parent namespace.
*/
if (need_poly) {
+ if (pam_set_data(idata->pamh, NAMESPACE_POLYDIR_DATA, idata->polydirs_ptr,
+ cleanup_data) != PAM_SUCCESS) {
+ pam_syslog(idata->pamh, LOG_ERR,
+ "Unable to set namespace data");
+ return PAM_SYSTEM_ERR;
+ }
if (unshare(CLONE_NEWNS) < 0) {
- pam_syslog(idata->pamh, LOG_ERR,
+ pam_set_data(idata->pamh, NAMESPACE_POLYDIR_DATA, NULL, NULL);
+ pam_syslog(idata->pamh, LOG_ERR,
"Unable to unshare from parent namespace, %m");
return PAM_SESSION_ERR;
}
- } else
+ } else {
+ del_polydir_list(idata->polydirs_ptr);
return PAM_SUCCESS;
+ }
/*
* Again cycle through all polyinstantiated directories, this time,
@@ -1144,7 +1250,8 @@
* umount
*/
if ((changing_dir = cwd_in(pptr->dir, idata)) < 0) {
- return PAM_SESSION_ERR;
+ retval = PAM_SESSION_ERR;
+ goto out;
} else if (changing_dir) {
if (idata->flags & PAMNS_DEBUG)
pam_syslog(idata->pamh, LOG_DEBUG, "changing cwd");
@@ -1172,8 +1279,10 @@
int saved_errno = errno;
pam_syslog(idata->pamh, LOG_ERR, "Unmount of %s failed, %m",
pptr->dir);
- if (saved_errno != EINVAL)
- return PAM_SESSION_ERR;
+ if (saved_errno != EINVAL) {
+ retval = PAM_SESSION_ERR;
+ goto out;
+ }
} else if (idata->flags & PAMNS_DEBUG)
pam_syslog(idata->pamh, LOG_DEBUG, "Umount succeeded %s",
pptr->dir);
@@ -1185,7 +1294,9 @@
break;
}
}
-
+out:
+ if (retval != PAM_SUCCESS)
+ cleanup_tmpdirs(idata);
return retval;
}
@@ -1224,8 +1335,10 @@
} else if (idata->flags & PAMNS_DEBUG)
pam_syslog(idata->pamh, LOG_DEBUG, "Unmount of %s succeeded",
pptr->dir);
- }
+ }
}
+
+ cleanup_tmpdirs(idata);
return 0;
}
@@ -1349,7 +1462,8 @@
} else if (idata.flags & PAMNS_DEBUG)
pam_syslog(idata.pamh, LOG_DEBUG, "Nothing to polyinstantiate");
- del_polydir_list(idata.polydirs_ptr);
+ if (retval != PAM_SUCCESS)
+ del_polydir_list(idata.polydirs_ptr);
return retval;
}
@@ -1364,6 +1478,7 @@
struct instance_data idata;
char *user_name;
struct passwd *pwd;
+ const void *polyptr;
/* init instance data */
idata.flags = 0;
@@ -1425,16 +1540,12 @@
idata.user = user_name;
idata.uid = pwd->pw_uid;
- /*
- * Parse namespace configuration file which lists directories that
- * are polyinstantiated, directories where instance directories are
- * created and the method used for polyinstantiation.
- */
- retval = parse_config_file(&idata);
- if ((retval != PAM_SUCCESS) || !idata.polydirs_ptr) {
- del_polydir_list(idata.polydirs_ptr);
- return PAM_SESSION_ERR;
- }
+ retval = pam_get_data(idata.pamh, NAMESPACE_POLYDIR_DATA, &polyptr);
+ if (retval != PAM_SUCCESS || polyptr == NULL)
+ /* nothing to reset */
+ return PAM_SUCCESS;
+
+ idata.polydirs_ptr = polyptr;
if (idata.flags & PAMNS_DEBUG)
pam_syslog(idata.pamh, LOG_DEBUG, "Resetting namespace for pid %d",
@@ -1449,7 +1560,9 @@
pam_syslog(idata.pamh, LOG_DEBUG,
"resetting namespace ok for pid %d", getpid());
}
- del_polydir_list(idata.polydirs_ptr);
+
+ pam_set_data(idata.pamh, NAMESPACE_POLYDIR_DATA, NULL, NULL);
+
return PAM_SUCCESS;
}
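Review bot: The error paths of setup_namespace appear to free the polydir list twice: once `pam_set_data(idata->pamh, NAMESPACE_POLYDIR_DATA, idata->polydirs_ptr, cleanup_data)` has registered it, the unshare failure branch replaces the item with `pam_set_data(..., NULL, NULL)` (which, per pam_set_data(3), runs the old item's cleanup and so del_polydir_list's the list), and the `goto out` failures leave the item registered for pam_end — yet pam_sm_open_session still runs `if (retval != PAM_SUCCESS) del_polydir_list(idata.polydirs_ptr);` on the same pointer, assuming that retval is setup_namespace's return (the call itself lies outside the hunk). Once registered, the data item should own the list: on every failure after registration drop the item (freeing the list through cleanup_data) and null `idata->polydirs_ptr` so the caller's free becomes a no-op, which del_polydir_list seems to tolerate given the "Nothing to polyinstantiate" path already passes it a possibly NULL list; the rewritten unshare branch and `out:` label are below. Separately, cleanup_tmpdirs runs `/bin/rm -rf` as root but its check `!WIFEXITED(status) || WIFSIGNALED(status) > 0` never looks at the exit code, so a failed rm is silently accepted — use `if (!WIFEXITED(status) || WEXITSTATUS(status) != 0)` — and its fork-failure message still reads "Cannot fork to run namespace init script". The tmpfs branch mounts with `mount("tmpfs", polyptr->dir, "tmpfs", 0, NULL)`, i.e. no size limit and no nosuid/nodev, which the namespace.conf documentation should state for the `tmpfs` method until mount options become configurable.
```c
        if (unshare(CLONE_NEWNS) < 0) {
            /* replacing the item runs cleanup_data, which frees the list */
            pam_set_data(idata->pamh, NAMESPACE_POLYDIR_DATA, NULL, NULL);
            idata->polydirs_ptr = NULL;
            pam_syslog(idata->pamh, LOG_ERR,
                "Unable to unshare from parent namespace, %m");
            return PAM_SESSION_ERR;
        }
    /* … unchanged: per-directory setup loop … */
out:
    if (retval != PAM_SUCCESS) {
        cleanup_tmpdirs(idata);
        /* the PAM data item owns the list from here on: drop it (freed via
         * cleanup_data) and null the pointer so the caller's
         * del_polydir_list() is a no-op instead of a second free */
        pam_set_data(idata->pamh, NAMESPACE_POLYDIR_DATA, NULL, NULL);
        idata->polydirs_ptr = NULL;
    }
    return retval;
```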


@ -1,15 +1,15 @@
--- Linux-PAM-0.99.7.1/modules/pam_unix/support.c.bigcrypt 2007-02-21 20:30:24.000000000 +0100 --- Linux-PAM-0.99.7.1/modules/pam_unix/support.c.bigcrypt 2007-01-23 10:41:21.000000000 +0100
+++ Linux-PAM-0.99.7.1/modules/pam_unix/support.c 2007-02-21 21:17:29.000000000 +0100 +++ Linux-PAM-0.99.7.1/modules/pam_unix/support.c 2007-06-01 15:11:51.000000000 +0200
@@ -694,7 +694,7 @@ @@ -679,7 +679,7 @@
} }
} }
} else { } else {
- int salt_len; - int salt_len = strlen(salt);
+ size_t salt_len; + size_t salt_len = strlen(salt);
strip_hpux_aging(salt);
salt_len = strlen(salt);
if (!salt_len) { if (!salt_len) {
@@ -706,19 +706,19 @@ /* the stored password is NULL */
if (off(UNIX__NONULL, ctrl)) {/* this means we've succeeded */
@@ -689,19 +689,19 @@
D(("user has empty password - access denied")); D(("user has empty password - access denied"));
retval = PAM_AUTH_ERR; retval = PAM_AUTH_ERR;
} }
@ -33,7 +33,7 @@
} }
} else { } else {
/* /*
@@ -732,7 +732,7 @@ @@ -715,7 +715,7 @@
/* the moment of truth -- do we agree with the password? */ /* the moment of truth -- do we agree with the password? */
D(("comparing state of pp[%s] and salt[%s]", pp, salt)); D(("comparing state of pp[%s] and salt[%s]", pp, salt));
@ -42,9 +42,9 @@
retval = PAM_SUCCESS; retval = PAM_SUCCESS;
} else { } else {
retval = PAM_AUTH_ERR; retval = PAM_AUTH_ERR;
--- Linux-PAM-0.99.7.1/modules/pam_unix/unix_chkpwd.c.bigcrypt 2007-02-21 20:30:24.000000000 +0100 --- Linux-PAM-0.99.7.1/modules/pam_unix/unix_chkpwd.c.bigcrypt 2006-10-24 12:01:49.000000000 +0200
+++ Linux-PAM-0.99.7.1/modules/pam_unix/unix_chkpwd.c 2007-02-21 21:18:57.000000000 +0100 +++ Linux-PAM-0.99.7.1/modules/pam_unix/unix_chkpwd.c 2007-06-01 15:08:46.000000000 +0200
@@ -159,7 +159,7 @@ @@ -144,7 +144,7 @@
char *salt = NULL; char *salt = NULL;
char *pp = NULL; char *pp = NULL;
int retval = PAM_AUTH_ERR; int retval = PAM_AUTH_ERR;
@ -53,7 +53,7 @@
/* UNIX passwords area */ /* UNIX passwords area */
setpwent(); setpwent();
@@ -205,6 +205,8 @@ @@ -189,6 +189,8 @@
return (nullok == 0) ? PAM_AUTH_ERR : PAM_SUCCESS; return (nullok == 0) ? PAM_AUTH_ERR : PAM_SUCCESS;
} }
if (p == NULL || strlen(p) == 0) { if (p == NULL || strlen(p) == 0) {
@ -62,7 +62,7 @@
return PAM_AUTHTOK_ERR; return PAM_AUTHTOK_ERR;
} }
@@ -212,11 +214,13 @@ @@ -196,11 +198,13 @@
retval = PAM_AUTH_ERR; retval = PAM_AUTH_ERR;
if (!strncmp(salt, "$1$", 3)) { if (!strncmp(salt, "$1$", 3)) {
pp = Goodcrypt_md5(p, salt); pp = Goodcrypt_md5(p, salt);
@ -78,7 +78,7 @@
retval = PAM_SUCCESS; retval = PAM_SUCCESS;
} }
} else if (*salt == '$') { } else if (*salt == '$') {
@@ -225,10 +229,10 @@ @@ -209,10 +213,10 @@
* libcrypt nows about it? We should try it. * libcrypt nows about it? We should try it.
*/ */
pp = x_strdup (crypt(p, salt)); pp = x_strdup (crypt(p, salt));
@ -91,7 +91,7 @@
retval = PAM_AUTH_ERR; retval = PAM_AUTH_ERR;
} else { } else {
pp = bigcrypt(p, salt); pp = bigcrypt(p, salt);
@@ -239,24 +243,21 @@ @@ -223,24 +227,21 @@
* have been truncated for storage relative to the output * have been truncated for storage relative to the output
* of bigcrypt here. As such we need to compare only the * of bigcrypt here. As such we need to compare only the
* stored string with the subset of bigcrypt's result. * stored string with the subset of bigcrypt's result.


@ -7,9 +7,9 @@ o For non-extensible-style hashes, strip off anything after the 13th character
for users across operating systems, but there's nothing we can do about that for users across operating systems, but there's nothing we can do about that
here. here.
--- Linux-PAM-0.78/modules/pam_unix/support.c.unix-hpux-aging 2004-10-06 16:05:17.000000000 +0200 --- Linux-PAM-0.99.7.1/modules/pam_unix/support.c.unix-hpux-aging 2007-06-01 15:21:08.000000000 +0200
+++ Linux-PAM-0.78/modules/pam_unix/support.c 2004-11-23 14:55:27.885063264 +0100 +++ Linux-PAM-0.99.7.1/modules/pam_unix/support.c 2007-06-01 15:24:32.000000000 +0200
@@ -611,6 +611,21 @@ @@ -573,6 +573,21 @@
return retval; return retval;
} }
@ -31,24 +31,25 @@ o For non-extensible-style hashes, strip off anything after the 13th character
int _unix_verify_password(pam_handle_t * pamh, const char *name int _unix_verify_password(pam_handle_t * pamh, const char *name
,const char *p, unsigned int ctrl) ,const char *p, unsigned int ctrl)
{ {
@@ -712,7 +727,9 @@ @@ -679,7 +694,9 @@
retval = PAM_AUTHINFO_UNAVAIL; }
} }
} else { } else {
- int salt_len = strlen(salt); - size_t salt_len = strlen(salt);
+ int salt_len; + size_t salt_len;
+ strip_hpux_aging(salt); + strip_hpux_aging(salt);
+ salt_len = strlen(salt); + salt_len = strlen(salt);
if (!salt_len) { if (!salt_len) {
/* the stored password is NULL */ /* the stored password is NULL */
if (off(UNIX__NONULL, ctrl)) {/* this means we've succeeded */ if (off(UNIX__NONULL, ctrl)) {/* this means we've succeeded */
--- Linux-PAM-0.78/modules/pam_unix/unix_chkpwd.c.unix-hpux-aging 2004-11-18 14:41:20.000000000 +0100 --- Linux-PAM-0.99.7.1/modules/pam_unix/passverify.c.unix-hpux-aging 2007-06-01 15:21:08.000000000 +0200
+++ Linux-PAM-0.78/modules/pam_unix/unix_chkpwd.c 2004-11-23 15:03:43.979169586 +0100 +++ Linux-PAM-0.99.7.1/modules/pam_unix/passverify.c 2007-06-01 15:26:26.000000000 +0200
@@ -112,6 +112,21 @@ @@ -146,6 +146,22 @@
(void) sigaction(SIGQUIT, &action, NULL); return i;
} }
+static void strip_hpux_aging(char *p) +static void
+strip_hpux_aging(char *p)
+{ +{
+ const char *valid = "ABCDEFGHIJKLMNOPQRSTUVWXYZ" + const char *valid = "ABCDEFGHIJKLMNOPQRSTUVWXYZ"
+ "abcdefghijklmnopqrstuvwxyz" + "abcdefghijklmnopqrstuvwxyz"
@ -63,14 +64,14 @@ o For non-extensible-style hashes, strip off anything after the 13th character
+ } + }
+} +}
+ +
static int _unix_verify_password(const char *name, const char *p, int nullok) int
_unix_verify_password(const char *name, const char *p, int nullok)
{ {
struct passwd *pwd = NULL; @@ -194,6 +210,7 @@
@@ -159,6 +174,7 @@ return PAM_USER_UNKNOWN;
return retval;
} }
+ strip_hpux_aging(salt); + strip_hpux_aging(salt);
salt_len = strlen(salt); salt_len = strlen(salt);
if (salt_len == 0) if (salt_len == 0) {
return (nullok == 0) ? UNIX_FAILED : UNIX_PASSED; return (nullok == 0) ? PAM_AUTH_ERR : PAM_SUCCESS;



@ -11,7 +11,7 @@
Summary: A security tool which provides authentication for applications Summary: A security tool which provides authentication for applications
Name: pam Name: pam
Version: 0.99.7.1 Version: 0.99.7.1
Release: 5%{?dist} Release: 6%{?dist}
License: GPL or BSD License: GPL or BSD
Group: System Environment/Base Group: System Environment/Base
Source0: http://ftp.us.kernel.org/pub/linux/libs/pam/pre/library/Linux-PAM-%{version}.tar.bz2 Source0: http://ftp.us.kernel.org/pub/linux/libs/pam/pre/library/Linux-PAM-%{version}.tar.bz2
@ -27,9 +27,10 @@ Source10: config-util.5
Patch1: pam-0.99.7.0-redhat-modules.patch Patch1: pam-0.99.7.0-redhat-modules.patch
Patch2: pam-0.99.7.1-console-more-displays.patch Patch2: pam-0.99.7.1-console-more-displays.patch
Patch3: pam-0.99.7.1-console-decrement.patch Patch3: pam-0.99.7.1-console-decrement.patch
Patch21: pam-0.78-unix-hpux-aging.patch
Patch22: pam-0.99.7.1-unix-allow-pwmodify.patch Patch22: pam-0.99.7.1-unix-allow-pwmodify.patch
Patch23: pam-0.99.7.1-unix-bigcrypt.patch Patch23: pam-0.99.7.1-unix-bigcrypt.patch
Patch24: pam-0.99.7.1-unix-update-helper.patch
Patch25: pam-0.99.7.1-unix-hpux-aging.patch
Patch34: pam-0.99.7.0-dbpam.patch Patch34: pam-0.99.7.0-dbpam.patch
Patch70: pam-0.99.2.1-selinux-nofail.patch Patch70: pam-0.99.2.1-selinux-nofail.patch
Patch80: pam-0.99.6.2-selinux-drop-multiple.patch Patch80: pam-0.99.6.2-selinux-drop-multiple.patch
@ -45,6 +46,8 @@ Patch95: pam-0.99.6.2-selinux-use-current-range.patch
Patch96: pam-0.99.6.2-namespace-dirnames.patch Patch96: pam-0.99.6.2-namespace-dirnames.patch
Patch97: pam-0.99.7.1-namespace-unknown-user.patch Patch97: pam-0.99.7.1-namespace-unknown-user.patch
Patch98: pam-0.99.6.2-selinux-audit-context.patch Patch98: pam-0.99.6.2-selinux-audit-context.patch
Patch99: pam-0.99.6.2-namespace-docfix.patch
Patch100: pam-0.99.7.1-namespace-temp-logon.patch
BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n) BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n)
Requires: cracklib, cracklib-dicts >= 2.8 Requires: cracklib, cracklib-dicts >= 2.8
@ -100,9 +103,10 @@ cp %{SOURCE7} .
%patch1 -p1 -b .redhat-modules %patch1 -p1 -b .redhat-modules
%patch2 -p1 -b .displays %patch2 -p1 -b .displays
%patch3 -p1 -b .decrement %patch3 -p1 -b .decrement
%patch21 -p1 -b .unix-hpux-aging
%patch22 -p1 -b .pwmodify %patch22 -p1 -b .pwmodify
%patch23 -p1 -b .bigcrypt %patch23 -p1 -b .bigcrypt
%patch24 -p1 -b .update-helper
%patch25 -p1 -b .unix-hpux-aging
%patch34 -p1 -b .dbpam %patch34 -p1 -b .dbpam
%patch70 -p1 -b .nofail %patch70 -p1 -b .nofail
%patch80 -p1 -b .drop-multiple %patch80 -p1 -b .drop-multiple
@ -118,6 +122,8 @@ cp %{SOURCE7} .
%patch96 -p1 -b .dirnames %patch96 -p1 -b .dirnames
%patch97 -p1 -b .unknown-user %patch97 -p1 -b .unknown-user
%patch98 -p1 -b .audit-context %patch98 -p1 -b .audit-context
%patch99 -p1 -b .docfix
%patch100 -p1 -b .temp-logon
autoreconf autoreconf
@ -319,6 +325,7 @@ fi
%{_sbindir}/pam_tally2 %{_sbindir}/pam_tally2
%attr(4755,root,root) %{_sbindir}/pam_timestamp_check %attr(4755,root,root) %{_sbindir}/pam_timestamp_check
%attr(4755,root,root) %{_sbindir}/unix_chkpwd %attr(4755,root,root) %{_sbindir}/unix_chkpwd
%attr(0700,root,root) %{_sbindir}/unix_update
%if %{_lib} != lib %if %{_lib} != lib
%dir /lib/security %dir /lib/security
%endif %endif
@ -406,6 +413,11 @@ fi
%doc doc/adg/*.txt doc/adg/html %doc doc/adg/*.txt doc/adg/html
%changelog %changelog
* Thu Apr 26 2007 Tomas Mraz <tmraz@redhat.com> 0.99.7.1-6
- pam_namespace: better document behavior on failure (#237249)
- pam_unix: split out passwd change to a new helper binary (#236316)
- pam_namespace: add support for temporary logons (#241226)
* Fri Apr 13 2007 Tomas Mraz <tmraz@redhat.com> 0.99.7.1-5 * Fri Apr 13 2007 Tomas Mraz <tmraz@redhat.com> 0.99.7.1-5
- pam_selinux: improve context change auditing (#234781) - pam_selinux: improve context change auditing (#234781)
- pam_namespace: fix parsing config file with unknown users (#234513) - pam_namespace: fix parsing config file with unknown users (#234513)