- libpam: use close_range() to close file descriptors
- fix formatting of audit messages Resolves: RHEL-5099 Resolves: RHEL-5100 Signed-off-by: Iker Pedrosa <ipedrosa@redhat.com>
parent
773403c3b7
commit
2a8b5fe8cc
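--- a/pam-1.5.1-audit-messages-formatting.patch
+++ b/pam-1.5.1-audit-messages-formatting.patch
@@ -0,0 +1,72 @@
+From c85513220c1bd3150e39c6277422d29cfa44acc7 Mon Sep 17 00:00:00 2001
+From: Steve Grubb <sgrubb@redhat.com>
+Date: Thu, 27 Jul 2023 13:14:42 -0400
+Subject: [PATCH 1/2] pam_faillock: fix formatting of audit messages
+
+pam_faillock uses audit_log_user_message to write to the audit system.
+It does not take an op argument, so you have to add one yourself. Otherwise
+the pam_faillock part of the message is lost because it's not in key=value
+format.
+
+Also, we can't use uid in that event because the kernel already adds that
+field. What we normally do is use 'suid' (meaning sender uid) as the
+field name.
+---
+modules/pam_faillock/pam_faillock.c | 4 ++--
+1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/modules/pam_faillock/pam_faillock.c b/modules/pam_faillock/pam_faillock.c
+index ca1c7035..a89909ab 100644
+--- a/modules/pam_faillock/pam_faillock.c
++++ b/modules/pam_faillock/pam_faillock.c
+@@ -248,7 +248,7 @@ check_tally(pam_handle_t *pamh, struct options *opts, struct tally_data *tallies
+
+(void)pam_get_item(pamh, PAM_TTY, &tty);
+(void)pam_get_item(pamh, PAM_RHOST, &rhost);
+- snprintf(buf, sizeof(buf), "pam_faillock uid=%u ", opts->uid);
++ snprintf(buf, sizeof(buf), "op=pam_faillock suid=%u ", opts->uid);
+audit_log_user_message(audit_fd, AUDIT_RESP_ACCT_UNLOCK_TIMED, buf,
+rhost, NULL, tty, 1);
+}
+@@ -364,7 +364,7 @@ write_tally(pam_handle_t *pamh, struct options *opts, struct tally_data *tallies
+errno == EAFNOSUPPORT))
+return PAM_SYSTEM_ERR;
+
+- snprintf(buf, sizeof(buf), "pam_faillock uid=%u ", opts->uid);
++ snprintf(buf, sizeof(buf), "op=pam_faillock suid=%u ", opts->uid);
+audit_log_user_message(audit_fd, AUDIT_ANOM_LOGIN_FAILURES, buf,
+NULL, NULL, NULL, 1);
+
+--
+2.41.0
+
+
+From 1648734a69c31e9ce834da70144ac9a453296807 Mon Sep 17 00:00:00 2001
+From: Steve Grubb <sgrubb@redhat.com>
+Date: Fri, 4 Aug 2023 17:45:45 -0400
+Subject: [PATCH 2/2] pam_selinux: fix formatting of audit messages
+
+pam_selinux uses audit_log_user_message to write to the audit system.
+It does not take an op argument, so you have to add one yourself. Otherwise
+the pam_selinux part of the message is lost because it's not in key=value
+format.
+---
+modules/pam_selinux/pam_selinux.c | 2 +-
+1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/modules/pam_selinux/pam_selinux.c b/modules/pam_selinux/pam_selinux.c
+index e52e0fc4..713b3f73 100644
+--- a/modules/pam_selinux/pam_selinux.c
++++ b/modules/pam_selinux/pam_selinux.c
+@@ -97,7 +97,7 @@ send_audit_message(const pam_handle_t *pamh, int success, const char *default_co
+pam_syslog(pamh, LOG_ERR, "Error translating selected context '%s'.", selected_context);
+selected_raw = NULL;
+}
+- if (asprintf(&msg, "pam: default-context=%s selected-context=%s",
++ if (asprintf(&msg, "op=pam_selinux default-context=%s selected-context=%s",
+default_raw ? default_raw : (default_context ? default_context : "?"),
+selected_raw ? selected_raw : (selected_context ? selected_context : "?")) < 0) {
+msg = NULL; /* asprintf leaves msg in undefined state on failure */
+--
+2.41.0
+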
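Review bot: In the pam_selinux hunk the two context values are still written into the record with a bare `%s`, and when raw translation fails the code falls back to the untranslated `default_context`/`selected_context` string. Now that the message is meant to be parsed as key=value pairs, a value containing whitespace would presumably split the field for audit consumers; whether either string can carry such characters is not visible here, because send_audit_message starts and ends outside the hunk. I would document the assumption above the asprintf call, for example `/* context values are written unencoded; they must not contain whitespace or '=' */`, or encode the values before formatting. Separately, the rename from `uid=` to `suid=` in both pam_faillock hunks changes what existing audit searches and detection rules match on, which deserves a line in the package changelog.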
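--- a/pam-1.5.1-libpam-close-range.patch
+++ b/pam-1.5.1-libpam-close-range.patch
@@ -0,0 +1,55 @@
+diff -up Linux-PAM-1.5.1/configure.ac.libpam-close-range Linux-PAM-1.5.1/configure.ac
+--- Linux-PAM-1.5.1/configure.ac.libpam-close-range 2023-11-10 10:35:00.142833269 +0100
++++ Linux-PAM-1.5.1/configure.ac 2023-11-10 10:36:29.158987392 +0100
+@@ -552,6 +552,7 @@ AC_CHECK_FUNCS(inet_ntop inet_pton innet
+AC_CHECK_FUNCS(quotactl)
+AC_CHECK_FUNCS(unshare)
+AC_CHECK_FUNCS([ruserok_af ruserok], [break])
++AC_CHECK_FUNCS(close_range)
+BACKUP_LIBS=$LIBS
+LIBS="$LIBS -lutil"
+AC_CHECK_FUNCS([logwtmp])
+diff -up Linux-PAM-1.5.1/libpam/pam_modutil_sanitize.c.libpam-close-range Linux-PAM-1.5.1/libpam/pam_modutil_sanitize.c
+--- Linux-PAM-1.5.1/libpam/pam_modutil_sanitize.c.libpam-close-range 2020-11-25 17:57:02.000000000 +0100
++++ Linux-PAM-1.5.1/libpam/pam_modutil_sanitize.c 2023-11-10 10:35:00.142833269 +0100
+@@ -11,6 +11,10 @@
+#include <syslog.h>
+#include <sys/resource.h>
+
++#ifndef CLOSE_RANGE_UNSHARE
++#define CLOSE_RANGE_UNSHARE (1U << 1)
++#endif /* CLOSE_RANGE_UNSHARE */
++
+/*
+* Creates a pipe, closes its write end, redirects fd to its read end.
+* Returns fd on success, -1 otherwise.
+@@ -84,9 +88,8 @@ redirect_out(pam_handle_t *pamh, enum pa
+return fd;
+}
+
+-/* Closes all descriptors after stderr. */
+static void
+-close_fds(void)
++close_fds_iteratively(void)
+{
+/*
+* An arbitrary upper limit for the maximum file descriptor number
+@@ -111,6 +114,18 @@ close_fds(void)
+close(fd);
+}
+
++/* Closes all descriptors after stderr. */
++static void
++close_fds(void)
++{
++#ifdef HAVE_CLOSE_RANGE
++ if (close_range(STDERR_FILENO+1, -1U, CLOSE_RANGE_UNSHARE) == 0)
++ return;
++#endif /* HAVE_CLOSE_RANGE */
++
++ close_fds_iteratively();
++}
++
+int
+pam_modutil_sanitize_helper_fds(pam_handle_t *pamh,
+enum pam_modutil_redirect_fd stdin_mode,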
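Review bot: The comment moved onto the new `close_fds()` still promises that every descriptor after stderr is closed, but that only holds on the `close_range()` path. When the call is compiled out or returns non-zero, `close_fds_iteratively()` runs and, per its own comment, works up to an arbitrary upper limit, so descriptors above that limit could stay open in the helper process. I would state this in the comment, e.g. `/* Closes all descriptors after stderr; the fallback loop is bounded, see close_fds_iteratively(). */`, and add a short why-comment that `CLOSE_RANGE_UNSHARE` is passed so the descriptor table is unshared before closing. The body of close_fds_iteratively() lies mostly outside the hunks, so the bound itself is not visible here.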
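--- a/pam.spec
+++ b/pam.spec
@@ -3,7 +3,7 @@
 Summary: An extensible library which provides authentication for applications
 Name: pam
 Version: 1.5.1
-Release: 15%{?dist}
+Release: 16%{?dist}
 # The library is BSD licensed with option to relicense as GPLv2+
 # - this option is redundant as the BSD license allows that anyway.
 # pam_timestamp, pam_loginuid, and pam_console modules are GPLv2+.
@@ -51,6 +51,11 @@ Patch13: pam-1.5.1-pam-faillock-avoid-logging-erroneous.patch
 # https://github.com/linux-pam/linux-pam/commit/55f206447a1e4ee26e307e7a9c069236e823b1a5
 # https://github.com/linux-pam/linux-pam/commit/80bfda5962e5be3daa70e0fc8c75fc97d1c55121
 Patch14: pam-1.5.1-pam-misc-configurable.patch
+# https://github.com/linux-pam/linux-pam/commit/d6103b30050554d7b6ca6d55cb5b4ed3c9516663
+Patch15: pam-1.5.1-libpam-close-range.patch
+# https://github.com/linux-pam/linux-pam/commit/c85513220c1bd3150e39c6277422d29cfa44acc7
+# https://github.com/linux-pam/linux-pam/commit/1648734a69c31e9ce834da70144ac9a453296807
+Patch16: pam-1.5.1-audit-messages-formatting.patch
 
 %global _pamlibdir %{_libdir}
 %global _moduledir %{_libdir}/security
@@ -147,6 +152,8 @@ cp %{SOURCE18} .
 %patch12 -p1 -b .pam-faillock-clarify-missing-user
 %patch13 -p1 -b .pam-faillock-avoid-logging-erroneous
 %patch14 -p1 -b .pam-misc-configurable
+%patch15 -p1 -b .libpam-close-range
+%patch16 -p1 -b .audit-messages-formatting
 
 autoreconf -i
 
@@ -402,6 +409,10 @@ done
 %doc doc/sag/*.txt doc/sag/html
 
 %changelog
+* Fri Oct 10 2023 Iker Pedrosa <ipedrosa@redhat.com> - 1.5.1-16
+- libpam: use close_range() to close file descriptors. Resolves: RHEL-5099
+- fix formatting of audit messages. Resolves: RHEL-5100
+
 * Mon Jun 26 2023 Iker Pedrosa <ipedrosa@redhat.com> - 1.5.1-15
 - pam_misc: make length of misc_conv() configurable and set to 4096. Resolves: #2215007
 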