- pam_namespace: better document behavior on failure (#237249)
- pam_unix: split out passwd change to a new helper binary (#236316) - pam_namespace: add support for temporary logons (#241226)
This commit is contained in:
parent
33d3c087e3
commit
09b44afcb6
18
pam-0.99.6.2-namespace-docfix.patch
Normal file
18
pam-0.99.6.2-namespace-docfix.patch
Normal file
@ -0,0 +1,18 @@
|
||||
--- Linux-PAM-0.99.6.2/modules/pam_namespace/namespace.conf.5.xml.docfix 2007-04-03 17:51:29.000000000 +0200
|
||||
+++ Linux-PAM-0.99.6.2/modules/pam_namespace/namespace.conf.5.xml 2007-04-23 19:04:10.000000000 +0200
|
||||
@@ -86,6 +86,15 @@
|
||||
for all users.
|
||||
</para>
|
||||
|
||||
+ <para>
|
||||
+ In case of context or level polyinstantiation the SELinux context
|
||||
+ which is used for polyinstantiation is the context used for executing
|
||||
+ a new process as obtained by getexeccon. This context must be set
|
||||
+ by the calling application or <filename>pam_selinux.so</filename>
|
||||
+ module. If this context is not set the polyinstatiation will be
|
||||
+ based just on user name.
|
||||
+ </para>
|
||||
+
|
||||
</refsect1>
|
||||
|
||||
<refsect1 id="namespace.conf-examples">
|
433
pam-0.99.6.2-namespace-temp-logon.patch
Normal file
433
pam-0.99.6.2-namespace-temp-logon.patch
Normal file
@ -0,0 +1,433 @@
|
||||
--- Linux-PAM-0.99.6.2/modules/pam_namespace/pam_namespace.h.temp-logon 2007-05-31 17:04:17.000000000 +0200
|
||||
+++ Linux-PAM-0.99.6.2/modules/pam_namespace/pam_namespace.h 2007-05-31 17:04:18.000000000 +0200
|
||||
@@ -90,6 +90,7 @@
|
||||
#define PAMNS_NO_UNMOUNT_ON_CLOSE 0x00010000 /* no unmount at session close */
|
||||
|
||||
#define NAMESPACE_MAX_DIR_LEN 80
|
||||
+#define NAMESPACE_POLYDIR_DATA "pam_namespace:polydir_data"
|
||||
|
||||
/*
|
||||
* Polyinstantiation method options, based on user, security context
|
||||
@@ -100,6 +101,8 @@
|
||||
USER,
|
||||
CONTEXT,
|
||||
LEVEL,
|
||||
+ TMPDIR,
|
||||
+ TMPFS
|
||||
};
|
||||
|
||||
/*
|
||||
@@ -128,6 +131,7 @@
|
||||
enum polymethod method; /* method used to polyinstantiate */
|
||||
unsigned int num_uids; /* number of override uids */
|
||||
uid_t *uid; /* list of override uids */
|
||||
+ int exclusive; /* polyinstatiate exclusively for override uids */
|
||||
struct polydir_s *next; /* pointer to the next polydir entry */
|
||||
};
|
||||
|
||||
--- Linux-PAM-0.99.6.2/modules/pam_namespace/pam_namespace.c.temp-logon 2007-05-31 17:04:18.000000000 +0200
|
||||
+++ Linux-PAM-0.99.6.2/modules/pam_namespace/pam_namespace.c 2007-05-31 17:54:14.000000000 +0200
|
||||
@@ -43,6 +43,7 @@
|
||||
strcpy(pent->instance_prefix, ent->instance_prefix);
|
||||
pent->method = ent->method;
|
||||
pent->num_uids = ent->num_uids;
|
||||
+ pent->exclusive = ent->exclusive;
|
||||
if (ent->num_uids) {
|
||||
uid_t *pptr, *eptr;
|
||||
|
||||
@@ -120,6 +121,10 @@
|
||||
}
|
||||
}
|
||||
|
||||
+static void cleanup_data(pam_handle_t *pamh, void *data, int err)
|
||||
+{
|
||||
+ del_polydir_list(data);
|
||||
+}
|
||||
|
||||
/*
|
||||
* Called from parse_config_file, this function processes a single line
|
||||
@@ -140,6 +145,7 @@
|
||||
|
||||
poly.uid = NULL;
|
||||
poly.num_uids = 0;
|
||||
+ poly.exclusive = 0;
|
||||
|
||||
/*
|
||||
* skip the leading white space
|
||||
@@ -223,24 +229,13 @@
|
||||
}
|
||||
|
||||
/*
|
||||
- * Ensure that all pathnames are absolute path names.
|
||||
- */
|
||||
- if ((dir[0] != '/') || (instance_prefix[0] != '/')) {
|
||||
- pam_syslog(idata->pamh, LOG_NOTICE,"Pathnames must start with '/'");
|
||||
- goto skipping;
|
||||
- }
|
||||
- if (strstr(dir, "..") || strstr(instance_prefix, "..")) {
|
||||
- pam_syslog(idata->pamh, LOG_NOTICE,"Pathnames must not contain '..'");
|
||||
- goto skipping;
|
||||
- }
|
||||
-
|
||||
- /*
|
||||
* Populate polyinstantiated directory structure with appropriate
|
||||
* pathnames and the method with which to polyinstantiate.
|
||||
*/
|
||||
if (strlen(dir) >= sizeof(poly.dir)
|
||||
|| strlen(instance_prefix) >= sizeof(poly.instance_prefix)) {
|
||||
pam_syslog(idata->pamh, LOG_NOTICE, "Pathnames too long");
|
||||
+ goto skipping;
|
||||
}
|
||||
strcpy(poly.dir, dir);
|
||||
strcpy(poly.instance_prefix, instance_prefix);
|
||||
@@ -248,6 +243,18 @@
|
||||
poly.method = NONE;
|
||||
if (strcmp(method, "user") == 0)
|
||||
poly.method = USER;
|
||||
+
|
||||
+ if (strcmp(method, "tmpdir") == 0) {
|
||||
+ poly.method = TMPDIR;
|
||||
+ if (sizeof(poly.instance_prefix) - strlen(poly.instance_prefix) < 7) {
|
||||
+ pam_syslog(idata->pamh, LOG_NOTICE, "Pathnames too long");
|
||||
+ goto skipping;
|
||||
+ }
|
||||
+ strcat(poly.instance_prefix, "XXXXXX");
|
||||
+ }
|
||||
+
|
||||
+ if (strcmp(method, "tmpfs") == 0)
|
||||
+ poly.method = TMPFS;
|
||||
|
||||
#ifdef WITH_SELINUX
|
||||
if (strcmp(method, "level") == 0) {
|
||||
@@ -266,12 +273,24 @@
|
||||
|
||||
#endif
|
||||
|
||||
- if ( poly.method == NONE) {
|
||||
+ if (poly.method == NONE) {
|
||||
pam_syslog(idata->pamh, LOG_NOTICE, "Illegal method");
|
||||
goto skipping;
|
||||
}
|
||||
|
||||
/*
|
||||
+ * Ensure that all pathnames are absolute path names.
|
||||
+ */
|
||||
+ if ((dir[0] != '/') || (poly.method != TMPFS && instance_prefix[0] != '/')) {
|
||||
+ pam_syslog(idata->pamh, LOG_NOTICE, "Pathnames must start with '/'");
|
||||
+ goto skipping;
|
||||
+ }
|
||||
+ if (strstr(dir, "..") || strstr(instance_prefix, "..")) {
|
||||
+ pam_syslog(idata->pamh, LOG_NOTICE, "Pathnames must not contain '..'");
|
||||
+ goto skipping;
|
||||
+ }
|
||||
+
|
||||
+ /*
|
||||
* If the line in namespace.conf for a directory to polyinstantiate
|
||||
* contains a list of override users (users for whom polyinstantiation
|
||||
* is not performed), read the user ids, convert names into uids, and
|
||||
@@ -281,7 +300,11 @@
|
||||
uid_t *uidptr;
|
||||
const char *ustr, *sstr;
|
||||
int count, i;
|
||||
-
|
||||
+
|
||||
+ if (*uids == '~') {
|
||||
+ poly.exclusive = 1;
|
||||
+ uids++;
|
||||
+ }
|
||||
for (count = 0, ustr = sstr = uids; sstr; ustr = sstr + 1, count++)
|
||||
sstr = strchr(ustr, ',');
|
||||
|
||||
@@ -419,6 +442,7 @@
|
||||
* directory's list of override uids. If the uid is one of the override
|
||||
* uids for the polyinstantiated directory, polyinstantiation is not
|
||||
* performed for that user for that directory.
|
||||
+ * If exclusive is set the returned values are opposite.
|
||||
*/
|
||||
static int ns_override(struct polydir_s *polyptr, struct instance_data *idata,
|
||||
uid_t uid)
|
||||
@@ -432,11 +456,11 @@
|
||||
|
||||
for (i = 0; i < polyptr->num_uids; i++) {
|
||||
if (uid == polyptr->uid[i]) {
|
||||
- return 1;
|
||||
+ return !polyptr->exclusive;
|
||||
}
|
||||
}
|
||||
|
||||
- return 0;
|
||||
+ return polyptr->exclusive;
|
||||
}
|
||||
|
||||
/*
|
||||
@@ -622,6 +646,12 @@
|
||||
|
||||
#endif /* WITH_SELINUX */
|
||||
|
||||
+ case TMPDIR:
|
||||
+ case TMPFS:
|
||||
+ if ((*i_name=strdup("")) == NULL)
|
||||
+ goto fail;
|
||||
+ return PAM_SUCCESS;
|
||||
+
|
||||
default:
|
||||
if (idata->flags & PAMNS_DEBUG)
|
||||
pam_syslog(idata->pamh, LOG_ERR, "Unknown method");
|
||||
@@ -725,7 +755,7 @@
|
||||
* execute it and pass directory to polyinstantiate and instance
|
||||
* directory as arguments.
|
||||
*/
|
||||
-static int inst_init(const struct polydir_s *polyptr, char *ipath,
|
||||
+static int inst_init(const struct polydir_s *polyptr, const char *ipath,
|
||||
struct instance_data *idata)
|
||||
{
|
||||
pid_t rc, pid;
|
||||
@@ -791,11 +821,11 @@
|
||||
* Create polyinstantiated instance directory (ipath).
|
||||
*/
|
||||
#ifdef WITH_SELINUX
|
||||
-static int create_dirs(const struct polydir_s *polyptr, char *ipath,
|
||||
+static int create_dirs(struct polydir_s *polyptr, char *ipath,
|
||||
security_context_t icontext, security_context_t ocontext,
|
||||
struct instance_data *idata)
|
||||
#else
|
||||
-static int create_dirs(const struct polydir_s *polyptr, char *ipath,
|
||||
+static int create_dirs(struct polydir_s *polyptr, char *ipath,
|
||||
struct instance_data *idata)
|
||||
#endif
|
||||
{
|
||||
@@ -834,7 +864,17 @@
|
||||
* attributes to match that of the original directory that is being
|
||||
* polyinstantiated.
|
||||
*/
|
||||
- if (mkdir(ipath, S_IRUSR) < 0) {
|
||||
+
|
||||
+ if (polyptr->method == TMPDIR) {
|
||||
+ if (mkdtemp(polyptr->instance_prefix) == NULL) {
|
||||
+ pam_syslog(idata->pamh, LOG_ERR, "Error creating temporary instance %s, %m",
|
||||
+ polyptr->instance_prefix);
|
||||
+ polyptr->method = NONE; /* do not clean up! */
|
||||
+ return PAM_SESSION_ERR;
|
||||
+ }
|
||||
+ /* copy the actual directory name to ipath */
|
||||
+ strcpy(ipath, polyptr->instance_prefix);
|
||||
+ } else if (mkdir(ipath, S_IRUSR) < 0) {
|
||||
if (errno == EEXIST)
|
||||
goto inst_init;
|
||||
else {
|
||||
@@ -920,13 +960,12 @@
|
||||
* security attributes, and performs bind mount to setup the process
|
||||
* namespace.
|
||||
*/
|
||||
-static int ns_setup(const struct polydir_s *polyptr,
|
||||
+static int ns_setup(struct polydir_s *polyptr,
|
||||
struct instance_data *idata)
|
||||
{
|
||||
int retval = 0;
|
||||
char *inst_dir = NULL;
|
||||
char *instname = NULL;
|
||||
- char *dir;
|
||||
#ifdef WITH_SELINUX
|
||||
security_context_t instcontext = NULL, origcontext = NULL;
|
||||
#endif
|
||||
@@ -935,9 +974,15 @@
|
||||
pam_syslog(idata->pamh, LOG_DEBUG,
|
||||
"Set namespace for directory %s", polyptr->dir);
|
||||
|
||||
- dir = strrchr(polyptr->dir, '/');
|
||||
- if (dir && strlen(dir) > 1)
|
||||
- dir++;
|
||||
+ if (polyptr->method == TMPFS) {
|
||||
+ if (mount("tmpfs", polyptr->dir, "tmpfs", 0, NULL) < 0) {
|
||||
+ pam_syslog(idata->pamh, LOG_ERR, "Error mounting tmpfs on %s, %m",
|
||||
+ polyptr->dir);
|
||||
+ return PAM_SESSION_ERR;
|
||||
+ }
|
||||
+ /* we must call inst_init after the mount in this case */
|
||||
+ return inst_init(polyptr, "tmpfs", idata);
|
||||
+ }
|
||||
|
||||
/*
|
||||
* Obtain the name of instance pathname based on the
|
||||
@@ -1043,6 +1088,58 @@
|
||||
return retval;
|
||||
}
|
||||
|
||||
+static int cleanup_tmpdirs(struct instance_data *idata)
|
||||
+{
|
||||
+ struct polydir_s *pptr;
|
||||
+ pid_t rc, pid;
|
||||
+ sighandler_t osighand = NULL;
|
||||
+ int status;
|
||||
+
|
||||
+ osighand = signal(SIGCHLD, SIG_DFL);
|
||||
+ if (osighand == SIG_ERR) {
|
||||
+ pam_syslog(idata->pamh, LOG_ERR, "Cannot set signal value");
|
||||
+ rc = PAM_SESSION_ERR;
|
||||
+ goto out;
|
||||
+ }
|
||||
+
|
||||
+ for (pptr = idata->polydirs_ptr; pptr; pptr = pptr->next) {
|
||||
+ if (pptr->method == TMPDIR && access(pptr->instance_prefix, F_OK) == 0) {
|
||||
+ pid = fork();
|
||||
+ if (pid == 0) {
|
||||
+#ifdef WITH_SELINUX
|
||||
+ if (idata->flags & PAMNS_SELINUX_ENABLED) {
|
||||
+ if (setexeccon(NULL) < 0)
|
||||
+ exit(1);
|
||||
+ }
|
||||
+#endif
|
||||
+ if (execl("/bin/rm", "/bin/rm", "-rf", pptr->instance_prefix, (char *)NULL) < 0)
|
||||
+ exit(1);
|
||||
+ } else if (pid > 0) {
|
||||
+ while (((rc = waitpid(pid, &status, 0)) == (pid_t)-1) &&
|
||||
+ (errno == EINTR));
|
||||
+ if (rc == (pid_t)-1) {
|
||||
+ pam_syslog(idata->pamh, LOG_ERR, "waitpid failed- %m");
|
||||
+ rc = PAM_SESSION_ERR;
|
||||
+ goto out;
|
||||
+ }
|
||||
+ if (!WIFEXITED(status) || WIFSIGNALED(status) > 0) {
|
||||
+ pam_syslog(idata->pamh, LOG_ERR,
|
||||
+ "Error removing %s", pptr->instance_prefix);
|
||||
+ }
|
||||
+ } else if (pid < 0) {
|
||||
+ pam_syslog(idata->pamh, LOG_ERR,
|
||||
+ "Cannot fork to run namespace init script, %m");
|
||||
+ rc = PAM_SESSION_ERR;
|
||||
+ goto out;
|
||||
+ }
|
||||
+ }
|
||||
+ }
|
||||
+
|
||||
+ rc = PAM_SUCCESS;
|
||||
+out:
|
||||
+ signal(SIGCHLD, osighand);
|
||||
+ return rc;
|
||||
+}
|
||||
|
||||
/*
|
||||
* This function checks to see if polyinstantiation is needed for any
|
||||
@@ -1111,13 +1208,22 @@
|
||||
* disassociate from the parent namespace.
|
||||
*/
|
||||
if (need_poly) {
|
||||
+ if (pam_set_data(idata->pamh, NAMESPACE_POLYDIR_DATA, idata->polydirs_ptr,
|
||||
+ cleanup_data) != PAM_SUCCESS) {
|
||||
+ pam_syslog(idata->pamh, LOG_ERR,
|
||||
+ "Unable to set namespace data");
|
||||
+ return PAM_SYSTEM_ERR;
|
||||
+ }
|
||||
if (unshare(CLONE_NEWNS) < 0) {
|
||||
- pam_syslog(idata->pamh, LOG_ERR,
|
||||
+ pam_set_data(idata->pamh, NAMESPACE_POLYDIR_DATA, NULL, NULL);
|
||||
+ pam_syslog(idata->pamh, LOG_ERR,
|
||||
"Unable to unshare from parent namespace, %m");
|
||||
return PAM_SESSION_ERR;
|
||||
}
|
||||
- } else
|
||||
+ } else {
|
||||
+ del_polydir_list(idata->polydirs_ptr);
|
||||
return PAM_SUCCESS;
|
||||
+ }
|
||||
|
||||
/*
|
||||
* Again cycle through all polyinstantiated directories, this time,
|
||||
@@ -1144,7 +1250,8 @@
|
||||
* umount
|
||||
*/
|
||||
if ((changing_dir = cwd_in(pptr->dir, idata)) < 0) {
|
||||
- return PAM_SESSION_ERR;
|
||||
+ retval = PAM_SESSION_ERR;
|
||||
+ goto out;
|
||||
} else if (changing_dir) {
|
||||
if (idata->flags & PAMNS_DEBUG)
|
||||
pam_syslog(idata->pamh, LOG_DEBUG, "changing cwd");
|
||||
@@ -1172,8 +1279,10 @@
|
||||
int saved_errno = errno;
|
||||
pam_syslog(idata->pamh, LOG_ERR, "Unmount of %s failed, %m",
|
||||
pptr->dir);
|
||||
- if (saved_errno != EINVAL)
|
||||
- return PAM_SESSION_ERR;
|
||||
+ if (saved_errno != EINVAL) {
|
||||
+ retval = PAM_SESSION_ERR;
|
||||
+ goto out;
|
||||
+ }
|
||||
} else if (idata->flags & PAMNS_DEBUG)
|
||||
pam_syslog(idata->pamh, LOG_DEBUG, "Umount succeeded %s",
|
||||
pptr->dir);
|
||||
@@ -1185,7 +1294,9 @@
|
||||
break;
|
||||
}
|
||||
}
|
||||
-
|
||||
+out:
|
||||
+ if (retval != PAM_SUCCESS)
|
||||
+ cleanup_tmpdirs(idata);
|
||||
return retval;
|
||||
}
|
||||
|
||||
@@ -1224,8 +1335,10 @@
|
||||
} else if (idata->flags & PAMNS_DEBUG)
|
||||
pam_syslog(idata->pamh, LOG_DEBUG, "Unmount of %s succeeded",
|
||||
pptr->dir);
|
||||
- }
|
||||
+ }
|
||||
}
|
||||
+
|
||||
+ cleanup_tmpdirs(idata);
|
||||
return 0;
|
||||
}
|
||||
|
||||
@@ -1349,7 +1462,8 @@
|
||||
} else if (idata.flags & PAMNS_DEBUG)
|
||||
pam_syslog(idata.pamh, LOG_DEBUG, "Nothing to polyinstantiate");
|
||||
|
||||
- del_polydir_list(idata.polydirs_ptr);
|
||||
+ if (retval != PAM_SUCCESS)
|
||||
+ del_polydir_list(idata.polydirs_ptr);
|
||||
return retval;
|
||||
}
|
||||
|
||||
@@ -1364,6 +1478,7 @@
|
||||
struct instance_data idata;
|
||||
char *user_name;
|
||||
struct passwd *pwd;
|
||||
+ const void *polyptr;
|
||||
|
||||
/* init instance data */
|
||||
idata.flags = 0;
|
||||
@@ -1425,16 +1540,12 @@
|
||||
idata.user = user_name;
|
||||
idata.uid = pwd->pw_uid;
|
||||
|
||||
- /*
|
||||
- * Parse namespace configuration file which lists directories that
|
||||
- * are polyinstantiated, directories where instance directories are
|
||||
- * created and the method used for polyinstantiation.
|
||||
- */
|
||||
- retval = parse_config_file(&idata);
|
||||
- if ((retval != PAM_SUCCESS) || !idata.polydirs_ptr) {
|
||||
- del_polydir_list(idata.polydirs_ptr);
|
||||
- return PAM_SESSION_ERR;
|
||||
- }
|
||||
+ retval = pam_get_data(idata.pamh, NAMESPACE_POLYDIR_DATA, &polyptr);
|
||||
+ if (retval != PAM_SUCCESS || polyptr == NULL)
|
||||
+ /* nothing to reset */
|
||||
+ return PAM_SUCCESS;
|
||||
+
|
||||
+ idata.polydirs_ptr = polyptr;
|
||||
|
||||
if (idata.flags & PAMNS_DEBUG)
|
||||
pam_syslog(idata.pamh, LOG_DEBUG, "Resetting namespace for pid %d",
|
||||
@@ -1449,7 +1560,9 @@
|
||||
pam_syslog(idata.pamh, LOG_DEBUG,
|
||||
"resetting namespace ok for pid %d", getpid());
|
||||
}
|
||||
- del_polydir_list(idata.polydirs_ptr);
|
||||
+
|
||||
+ pam_set_data(idata.pamh, NAMESPACE_POLYDIR_DATA, NULL, NULL);
|
||||
+
|
||||
return PAM_SUCCESS;
|
||||
}
|
||||
|
@ -1,15 +1,15 @@
|
||||
--- Linux-PAM-0.99.7.1/modules/pam_unix/support.c.bigcrypt 2007-02-21 20:30:24.000000000 +0100
|
||||
+++ Linux-PAM-0.99.7.1/modules/pam_unix/support.c 2007-02-21 21:17:29.000000000 +0100
|
||||
@@ -694,7 +694,7 @@
|
||||
--- Linux-PAM-0.99.7.1/modules/pam_unix/support.c.bigcrypt 2007-01-23 10:41:21.000000000 +0100
|
||||
+++ Linux-PAM-0.99.7.1/modules/pam_unix/support.c 2007-06-01 15:11:51.000000000 +0200
|
||||
@@ -679,7 +679,7 @@
|
||||
}
|
||||
}
|
||||
} else {
|
||||
- int salt_len;
|
||||
+ size_t salt_len;
|
||||
strip_hpux_aging(salt);
|
||||
salt_len = strlen(salt);
|
||||
- int salt_len = strlen(salt);
|
||||
+ size_t salt_len = strlen(salt);
|
||||
if (!salt_len) {
|
||||
@@ -706,19 +706,19 @@
|
||||
/* the stored password is NULL */
|
||||
if (off(UNIX__NONULL, ctrl)) {/* this means we've succeeded */
|
||||
@@ -689,19 +689,19 @@
|
||||
D(("user has empty password - access denied"));
|
||||
retval = PAM_AUTH_ERR;
|
||||
}
|
||||
@ -33,7 +33,7 @@
|
||||
}
|
||||
} else {
|
||||
/*
|
||||
@@ -732,7 +732,7 @@
|
||||
@@ -715,7 +715,7 @@
|
||||
/* the moment of truth -- do we agree with the password? */
|
||||
D(("comparing state of pp[%s] and salt[%s]", pp, salt));
|
||||
|
||||
@ -42,9 +42,9 @@
|
||||
retval = PAM_SUCCESS;
|
||||
} else {
|
||||
retval = PAM_AUTH_ERR;
|
||||
--- Linux-PAM-0.99.7.1/modules/pam_unix/unix_chkpwd.c.bigcrypt 2007-02-21 20:30:24.000000000 +0100
|
||||
+++ Linux-PAM-0.99.7.1/modules/pam_unix/unix_chkpwd.c 2007-02-21 21:18:57.000000000 +0100
|
||||
@@ -159,7 +159,7 @@
|
||||
--- Linux-PAM-0.99.7.1/modules/pam_unix/unix_chkpwd.c.bigcrypt 2006-10-24 12:01:49.000000000 +0200
|
||||
+++ Linux-PAM-0.99.7.1/modules/pam_unix/unix_chkpwd.c 2007-06-01 15:08:46.000000000 +0200
|
||||
@@ -144,7 +144,7 @@
|
||||
char *salt = NULL;
|
||||
char *pp = NULL;
|
||||
int retval = PAM_AUTH_ERR;
|
||||
@ -53,7 +53,7 @@
|
||||
|
||||
/* UNIX passwords area */
|
||||
setpwent();
|
||||
@@ -205,6 +205,8 @@
|
||||
@@ -189,6 +189,8 @@
|
||||
return (nullok == 0) ? PAM_AUTH_ERR : PAM_SUCCESS;
|
||||
}
|
||||
if (p == NULL || strlen(p) == 0) {
|
||||
@ -62,7 +62,7 @@
|
||||
return PAM_AUTHTOK_ERR;
|
||||
}
|
||||
|
||||
@@ -212,11 +214,13 @@
|
||||
@@ -196,11 +198,13 @@
|
||||
retval = PAM_AUTH_ERR;
|
||||
if (!strncmp(salt, "$1$", 3)) {
|
||||
pp = Goodcrypt_md5(p, salt);
|
||||
@ -78,7 +78,7 @@
|
||||
retval = PAM_SUCCESS;
|
||||
}
|
||||
} else if (*salt == '$') {
|
||||
@@ -225,10 +229,10 @@
|
||||
@@ -209,10 +213,10 @@
|
||||
* libcrypt nows about it? We should try it.
|
||||
*/
|
||||
pp = x_strdup (crypt(p, salt));
|
||||
@ -91,7 +91,7 @@
|
||||
retval = PAM_AUTH_ERR;
|
||||
} else {
|
||||
pp = bigcrypt(p, salt);
|
||||
@@ -239,24 +243,21 @@
|
||||
@@ -223,24 +227,21 @@
|
||||
* have been truncated for storage relative to the output
|
||||
* of bigcrypt here. As such we need to compare only the
|
||||
* stored string with the subset of bigcrypt's result.
|
||||
|
@ -7,9 +7,9 @@ o For non-extensible-style hashes, strip off anything after the 13th character
|
||||
for users across operating systems, but there's nothing we can do about that
|
||||
here.
|
||||
|
||||
--- Linux-PAM-0.78/modules/pam_unix/support.c.unix-hpux-aging 2004-10-06 16:05:17.000000000 +0200
|
||||
+++ Linux-PAM-0.78/modules/pam_unix/support.c 2004-11-23 14:55:27.885063264 +0100
|
||||
@@ -611,6 +611,21 @@
|
||||
--- Linux-PAM-0.99.7.1/modules/pam_unix/support.c.unix-hpux-aging 2007-06-01 15:21:08.000000000 +0200
|
||||
+++ Linux-PAM-0.99.7.1/modules/pam_unix/support.c 2007-06-01 15:24:32.000000000 +0200
|
||||
@@ -573,6 +573,21 @@
|
||||
return retval;
|
||||
}
|
||||
|
||||
@ -31,24 +31,25 @@ o For non-extensible-style hashes, strip off anything after the 13th character
|
||||
int _unix_verify_password(pam_handle_t * pamh, const char *name
|
||||
,const char *p, unsigned int ctrl)
|
||||
{
|
||||
@@ -712,7 +727,9 @@
|
||||
retval = PAM_AUTHINFO_UNAVAIL;
|
||||
@@ -679,7 +694,9 @@
|
||||
}
|
||||
}
|
||||
} else {
|
||||
- int salt_len = strlen(salt);
|
||||
+ int salt_len;
|
||||
- size_t salt_len = strlen(salt);
|
||||
+ size_t salt_len;
|
||||
+ strip_hpux_aging(salt);
|
||||
+ salt_len = strlen(salt);
|
||||
if (!salt_len) {
|
||||
/* the stored password is NULL */
|
||||
if (off(UNIX__NONULL, ctrl)) {/* this means we've succeeded */
|
||||
--- Linux-PAM-0.78/modules/pam_unix/unix_chkpwd.c.unix-hpux-aging 2004-11-18 14:41:20.000000000 +0100
|
||||
+++ Linux-PAM-0.78/modules/pam_unix/unix_chkpwd.c 2004-11-23 15:03:43.979169586 +0100
|
||||
@@ -112,6 +112,21 @@
|
||||
(void) sigaction(SIGQUIT, &action, NULL);
|
||||
--- Linux-PAM-0.99.7.1/modules/pam_unix/passverify.c.unix-hpux-aging 2007-06-01 15:21:08.000000000 +0200
|
||||
+++ Linux-PAM-0.99.7.1/modules/pam_unix/passverify.c 2007-06-01 15:26:26.000000000 +0200
|
||||
@@ -146,6 +146,22 @@
|
||||
return i;
|
||||
}
|
||||
|
||||
+static void strip_hpux_aging(char *p)
|
||||
+static void
|
||||
+strip_hpux_aging(char *p)
|
||||
+{
|
||||
+ const char *valid = "ABCDEFGHIJKLMNOPQRSTUVWXYZ"
|
||||
+ "abcdefghijklmnopqrstuvwxyz"
|
||||
@ -63,14 +64,14 @@ o For non-extensible-style hashes, strip off anything after the 13th character
|
||||
+ }
|
||||
+}
|
||||
+
|
||||
static int _unix_verify_password(const char *name, const char *p, int nullok)
|
||||
int
|
||||
_unix_verify_password(const char *name, const char *p, int nullok)
|
||||
{
|
||||
struct passwd *pwd = NULL;
|
||||
@@ -159,6 +174,7 @@
|
||||
return retval;
|
||||
@@ -194,6 +210,7 @@
|
||||
return PAM_USER_UNKNOWN;
|
||||
}
|
||||
|
||||
+ strip_hpux_aging(salt);
|
||||
salt_len = strlen(salt);
|
||||
if (salt_len == 0)
|
||||
return (nullok == 0) ? UNIX_FAILED : UNIX_PASSED;
|
||||
if (salt_len == 0) {
|
||||
return (nullok == 0) ? PAM_AUTH_ERR : PAM_SUCCESS;
|
2548
pam-0.99.7.1-unix-update-helper.patch
Normal file
2548
pam-0.99.7.1-unix-update-helper.patch
Normal file
File diff suppressed because it is too large
Load Diff
18
pam.spec
18
pam.spec
@ -11,7 +11,7 @@
|
||||
Summary: A security tool which provides authentication for applications
|
||||
Name: pam
|
||||
Version: 0.99.7.1
|
||||
Release: 5%{?dist}
|
||||
Release: 6%{?dist}
|
||||
License: GPL or BSD
|
||||
Group: System Environment/Base
|
||||
Source0: http://ftp.us.kernel.org/pub/linux/libs/pam/pre/library/Linux-PAM-%{version}.tar.bz2
|
||||
@ -27,9 +27,10 @@ Source10: config-util.5
|
||||
Patch1: pam-0.99.7.0-redhat-modules.patch
|
||||
Patch2: pam-0.99.7.1-console-more-displays.patch
|
||||
Patch3: pam-0.99.7.1-console-decrement.patch
|
||||
Patch21: pam-0.78-unix-hpux-aging.patch
|
||||
Patch22: pam-0.99.7.1-unix-allow-pwmodify.patch
|
||||
Patch23: pam-0.99.7.1-unix-bigcrypt.patch
|
||||
Patch24: pam-0.99.7.1-unix-update-helper.patch
|
||||
Patch25: pam-0.99.7.1-unix-hpux-aging.patch
|
||||
Patch34: pam-0.99.7.0-dbpam.patch
|
||||
Patch70: pam-0.99.2.1-selinux-nofail.patch
|
||||
Patch80: pam-0.99.6.2-selinux-drop-multiple.patch
|
||||
@ -45,6 +46,8 @@ Patch95: pam-0.99.6.2-selinux-use-current-range.patch
|
||||
Patch96: pam-0.99.6.2-namespace-dirnames.patch
|
||||
Patch97: pam-0.99.7.1-namespace-unknown-user.patch
|
||||
Patch98: pam-0.99.6.2-selinux-audit-context.patch
|
||||
Patch99: pam-0.99.6.2-namespace-docfix.patch
|
||||
Patch100: pam-0.99.7.1-namespace-temp-logon.patch
|
||||
|
||||
BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n)
|
||||
Requires: cracklib, cracklib-dicts >= 2.8
|
||||
@ -100,9 +103,10 @@ cp %{SOURCE7} .
|
||||
%patch1 -p1 -b .redhat-modules
|
||||
%patch2 -p1 -b .displays
|
||||
%patch3 -p1 -b .decrement
|
||||
%patch21 -p1 -b .unix-hpux-aging
|
||||
%patch22 -p1 -b .pwmodify
|
||||
%patch23 -p1 -b .bigcrypt
|
||||
%patch24 -p1 -b .update-helper
|
||||
%patch25 -p1 -b .unix-hpux-aging
|
||||
%patch34 -p1 -b .dbpam
|
||||
%patch70 -p1 -b .nofail
|
||||
%patch80 -p1 -b .drop-multiple
|
||||
@ -118,6 +122,8 @@ cp %{SOURCE7} .
|
||||
%patch96 -p1 -b .dirnames
|
||||
%patch97 -p1 -b .unknown-user
|
||||
%patch98 -p1 -b .audit-context
|
||||
%patch99 -p1 -b .docfix
|
||||
%patch100 -p1 -b .temp-logon
|
||||
|
||||
autoreconf
|
||||
|
||||
@ -319,6 +325,7 @@ fi
|
||||
%{_sbindir}/pam_tally2
|
||||
%attr(4755,root,root) %{_sbindir}/pam_timestamp_check
|
||||
%attr(4755,root,root) %{_sbindir}/unix_chkpwd
|
||||
%attr(0700,root,root) %{_sbindir}/unix_update
|
||||
%if %{_lib} != lib
|
||||
%dir /lib/security
|
||||
%endif
|
||||
@ -406,6 +413,11 @@ fi
|
||||
%doc doc/adg/*.txt doc/adg/html
|
||||
|
||||
%changelog
|
||||
* Thu Apr 26 2007 Tomas Mraz <tmraz@redhat.com> 0.99.7.1-6
|
||||
- pam_namespace: better document behavior on failure (#237249)
|
||||
- pam_unix: split out passwd change to a new helper binary (#236316)
|
||||
- pam_namespace: add support for temporary logons (#241226)
|
||||
|
||||
* Fri Apr 13 2007 Tomas Mraz <tmraz@redhat.com> 0.99.7.1-5
|
||||
- pam_selinux: improve context change auditing (#234781)
|
||||
- pam_namespace: fix parsing config file with unknown users (#234513)
|
||||
|
Loading…
Reference in New Issue
Block a user