new upstream release

Tomas Mraz 2013-09-13 14:26:54 +02:00
parent c8a6aadf10
commit 384fedfade
14 changed files with 50 additions and 841 deletions


@ -1,34 +0,0 @@
diff -up Linux-PAM-1.1.5/modules/pam_unix/pam_unix_acct.c.build Linux-PAM-1.1.5/modules/pam_unix/pam_unix_acct.c
--- Linux-PAM-1.1.5/modules/pam_unix/pam_unix_acct.c.build 2012-07-23 18:46:27.709804094 +0200
+++ Linux-PAM-1.1.5/modules/pam_unix/pam_unix_acct.c 2012-07-23 18:46:27.764805293 +0200
@@ -47,6 +47,8 @@
#include <time.h> /* for time() */
#include <errno.h>
#include <sys/wait.h>
+#include <sys/time.h>
+#include <sys/resource.h>
#include <security/_pam_macros.h>
diff -up Linux-PAM-1.1.5/modules/pam_unix/pam_unix_passwd.c.build Linux-PAM-1.1.5/modules/pam_unix/pam_unix_passwd.c
--- Linux-PAM-1.1.5/modules/pam_unix/pam_unix_passwd.c.build 2012-07-23 18:55:16.433314731 +0200
+++ Linux-PAM-1.1.5/modules/pam_unix/pam_unix_passwd.c 2012-07-23 18:54:48.064697131 +0200
@@ -53,6 +53,7 @@
#include <fcntl.h>
#include <ctype.h>
#include <sys/time.h>
+#include <sys/resource.h>
#include <sys/stat.h>
#include <signal.h>
diff -up Linux-PAM-1.1.5/modules/pam_unix/support.c.build Linux-PAM-1.1.5/modules/pam_unix/support.c
--- Linux-PAM-1.1.5/modules/pam_unix/support.c.build 2012-07-23 18:46:27.000000000 +0200
+++ Linux-PAM-1.1.5/modules/pam_unix/support.c 2012-07-23 18:54:23.645165507 +0200
@@ -18,6 +18,7 @@
#include <signal.h>
#include <ctype.h>
#include <syslog.h>
+#include <sys/time.h>
#include <sys/resource.h>
#ifdef HAVE_RPCSVC_YPCLNT_H
#include <rpcsvc/ypclnt.h>


@ -1,173 +0,0 @@
diff -up Linux-PAM-1.1.6/modules/pam_faillock/main.c.audata Linux-PAM-1.1.6/modules/pam_faillock/main.c
--- Linux-PAM-1.1.6/modules/pam_faillock/main.c.audata 2012-09-03 15:18:19.077405822 +0200
+++ Linux-PAM-1.1.6/modules/pam_faillock/main.c 2012-09-03 15:18:19.082405927 +0200
@@ -42,6 +42,7 @@
#include <errno.h>
#include <pwd.h>
#include <time.h>
+#include <unistd.h>
#ifdef HAVE_LIBAUDIT
#include <libaudit.h>
#endif
@@ -142,7 +143,7 @@ do_user(struct options *opts, const char
snprintf(buf, sizeof(buf), "faillock reset uid=%u",
pwd->pw_uid);
audit_log_user_message(audit_fd, AUDIT_USER_ACCT,
- buf, NULL, NULL, NULL, rv == 0);
+ buf, NULL, NULL, ttyname(fileno(stdin)), rv == 0);
}
close(audit_fd);
}
diff -up Linux-PAM-1.1.6/modules/pam_faillock/pam_faillock.c.audata Linux-PAM-1.1.6/modules/pam_faillock/pam_faillock.c
--- Linux-PAM-1.1.6/modules/pam_faillock/pam_faillock.c.audata 2012-09-03 15:18:19.077405822 +0200
+++ Linux-PAM-1.1.6/modules/pam_faillock/pam_faillock.c 2012-09-03 15:18:19.083405948 +0200
@@ -264,6 +264,7 @@ check_tally(pam_handle_t *pamh, struct o
if (opts->action != FAILLOCK_ACTION_PREAUTH) { /* do not audit in preauth */
char buf[64];
int audit_fd;
+ const void *rhost = NULL, *tty = NULL;
audit_fd = audit_open();
/* If there is an error & audit support is in the kernel report error */
@@ -271,9 +272,11 @@ check_tally(pam_handle_t *pamh, struct o
errno == EAFNOSUPPORT))
return PAM_SYSTEM_ERR;
+ (void)pam_get_item(pamh, PAM_TTY, &tty);
+ (void)pam_get_item(pamh, PAM_RHOST, &rhost);
snprintf(buf, sizeof(buf), "pam_faillock uid=%u ", opts->uid);
audit_log_user_message(audit_fd, AUDIT_RESP_ACCT_UNLOCK_TIMED, buf,
- NULL, NULL, NULL, 1);
+ rhost, NULL, tty, 1);
}
#endif
opts->flags |= FAILLOCK_FLAG_UNLOCKED;
@@ -378,6 +381,7 @@ write_tally(pam_handle_t *pamh, struct o
#ifdef HAVE_LIBAUDIT
char buf[64];
int audit_fd;
+ const void *tty = NULL, *rhost = NULL;
audit_fd = audit_open();
/* If there is an error & audit support is in the kernel report error */
@@ -385,13 +389,15 @@ write_tally(pam_handle_t *pamh, struct o
errno == EAFNOSUPPORT))
return PAM_SYSTEM_ERR;
+ (void)pam_get_item(pamh, PAM_TTY, &tty);
+ (void)pam_get_item(pamh, PAM_RHOST, &rhost);
snprintf(buf, sizeof(buf), "pam_faillock uid=%u ", opts->uid);
audit_log_user_message(audit_fd, AUDIT_ANOM_LOGIN_FAILURES, buf,
- NULL, NULL, NULL, 1);
+ rhost, NULL, tty, 1);
if (opts->uid != 0 || (opts->flags & FAILLOCK_FLAG_DENY_ROOT)) {
audit_log_user_message(audit_fd, AUDIT_RESP_ACCT_LOCK, buf,
- NULL, NULL, NULL, 1);
+ rhost, NULL, tty, 1);
}
close(audit_fd);
#endif
diff -up Linux-PAM-1.1.6/modules/pam_selinux/pam_selinux.c.audata Linux-PAM-1.1.6/modules/pam_selinux/pam_selinux.c
--- Linux-PAM-1.1.6/modules/pam_selinux/pam_selinux.c.audata 2012-08-15 13:08:43.000000000 +0200
+++ Linux-PAM-1.1.6/modules/pam_selinux/pam_selinux.c 2012-09-03 15:18:19.083405948 +0200
@@ -87,6 +87,7 @@ int send_audit_message(pam_handle_t *pam
int audit_fd = audit_open();
security_context_t default_raw=NULL;
security_context_t selected_raw=NULL;
+ const void *tty = NULL, *rhost = NULL;
rc = -1;
if (audit_fd < 0) {
if (errno == EINVAL || errno == EPROTONOSUPPORT ||
@@ -95,6 +96,8 @@ int send_audit_message(pam_handle_t *pam
pam_syslog(pamh, LOG_ERR, "Error connecting to audit system.");
return rc;
}
+ (void)pam_get_item(pamh, PAM_TTY, &tty);
+ (void)pam_get_item(pamh, PAM_RHOST, &rhost);
if (selinux_trans_to_raw_context(default_context, &default_raw) < 0) {
pam_syslog(pamh, LOG_ERR, "Error translating default context.");
default_raw = NULL;
@@ -110,7 +113,7 @@ int send_audit_message(pam_handle_t *pam
goto out;
}
if (audit_log_user_message(audit_fd, AUDIT_USER_ROLE_CHANGE,
- msg, NULL, NULL, NULL, success) <= 0) {
+ msg, rhost, NULL, tty, success) <= 0) {
pam_syslog(pamh, LOG_ERR, "Error sending audit message.");
goto out;
}
diff -up Linux-PAM-1.1.6/modules/pam_tally2/pam_tally2.c.audata Linux-PAM-1.1.6/modules/pam_tally2/pam_tally2.c
--- Linux-PAM-1.1.6/modules/pam_tally2/pam_tally2.c.audata 2012-08-15 13:08:43.000000000 +0200
+++ Linux-PAM-1.1.6/modules/pam_tally2/pam_tally2.c 2012-09-03 15:20:06.071641000 +0200
@@ -509,6 +509,7 @@ tally_check (tally_t oldcnt, time_t oldt
#ifdef HAVE_LIBAUDIT
char buf[64];
int audit_fd = -1;
+ const void *rhost = NULL, *tty = NULL;
#endif
if ((opts->ctrl & OPT_MAGIC_ROOT) && getuid() == 0) {
@@ -521,6 +522,8 @@ tally_check (tally_t oldcnt, time_t oldt
if ((audit_fd < 0) && !(errno == EINVAL || errno == EPROTONOSUPPORT ||
errno == EAFNOSUPPORT))
return PAM_SYSTEM_ERR;
+ (void)pam_get_item(pamh, PAM_TTY, &tty);
+ (void)pam_get_item(pamh, PAM_RHOST, &rhost);
#endif
if (opts->deny != 0 && /* deny==0 means no deny */
tally->fail_cnt > opts->deny && /* tally>deny means exceeded */
@@ -530,7 +533,7 @@ tally_check (tally_t oldcnt, time_t oldt
/* First say that max number was hit. */
snprintf(buf, sizeof(buf), "pam_tally2 uid=%u ", uid);
audit_log_user_message(audit_fd, AUDIT_ANOM_LOGIN_FAILURES, buf,
- NULL, NULL, NULL, 1);
+ rhost, NULL, tty, 1);
}
#endif
if (uid) {
@@ -541,7 +544,7 @@ tally_check (tally_t oldcnt, time_t oldt
#ifdef HAVE_LIBAUDIT
snprintf(buf, sizeof(buf), "pam_tally2 uid=%u ", uid);
audit_log_user_message(audit_fd, AUDIT_RESP_ACCT_UNLOCK_TIMED, buf,
- NULL, NULL, NULL, 1);
+ rhost, NULL, tty, 1);
#endif
rv = PAM_SUCCESS;
goto cleanup;
@@ -555,7 +558,7 @@ tally_check (tally_t oldcnt, time_t oldt
#ifdef HAVE_LIBAUDIT
snprintf(buf, sizeof(buf), "pam_tally2 uid=%u ", uid);
audit_log_user_message(audit_fd, AUDIT_RESP_ACCT_UNLOCK_TIMED, buf,
- NULL, NULL, NULL, 1);
+ rhost, NULL, tty, 1);
#endif
rv = PAM_SUCCESS;
goto cleanup;
@@ -567,7 +570,7 @@ tally_check (tally_t oldcnt, time_t oldt
if (tally->fail_cnt == opts->deny+1) {
/* First say that max number was hit. */
audit_log_user_message(audit_fd, AUDIT_RESP_ACCT_LOCK, buf,
- NULL, NULL, NULL, 1);
+ rhost, NULL, tty, 1);
}
#endif
@@ -996,7 +999,7 @@ main( int argc UNUSED, char **argv )
int audit_fd = audit_open();
snprintf(buf, sizeof(buf), "pam_tally2 uid=%u reset=%hu", uid, cline_reset);
audit_log_user_message(audit_fd, AUDIT_USER_ACCT,
- buf, NULL, NULL, NULL, 1);
+ buf, NULL, NULL, ttyname(fileno(stdin)), 1);
if (audit_fd >=0)
close(audit_fd);
#endif
@@ -1041,7 +1044,7 @@ main( int argc UNUSED, char **argv )
int audit_fd = audit_open();
snprintf(buf, sizeof(buf), "pam_tally2 uid=all reset=0");
audit_log_user_message(audit_fd, AUDIT_USER_ACCT,
- buf, NULL, NULL, NULL, 1);
+ buf, NULL, NULL, ttyname(fileno(stdin)), 1);
if (audit_fd >=0)
close(audit_fd);
#endif


@ -1,31 +0,0 @@
diff --git a/configure.in b/configure.in
index ae762a2..729e7f1 100644
--- a/configure.in
+++ b/configure.in
@@ -3,7 +3,8 @@ AC_INIT
AC_CONFIG_SRCDIR([conf/pam_conv1/pam_conv_y.y])
AC_CONFIG_AUX_DIR([build-aux])
AM_INIT_AUTOMAKE("Linux-PAM", 1.1.6)
-AC_PREREQ(2.61)
+LT_INIT
+AC_PREREQ([2.68])
AC_CONFIG_HEADERS([config.h])
AC_CONFIG_MACRO_DIR([m4])
AC_CANONICAL_HOST
@@ -82,7 +83,6 @@ AM_PROG_LEX
AC_PROG_INSTALL
AC_PROG_LN_S
AC_PROG_MAKE_SET
-AC_PROG_LIBTOOL
AM_PROG_CC_C_O
PAM_LD_AS_NEEDED
PAM_LD_NO_UNDEFINED
@@ -532,7 +532,7 @@ AC_CHECK_FUNCS(unshare, [UNSHARE=yes], [UNSHARE=no])
AM_CONDITIONAL([HAVE_UNSHARE], [test "$UNSHARE" = yes])
AC_ARG_ENABLE([regenerate-docu],
- AC_HELP_STRING([--disable-regenerate-docu], [Don't re-build documentation from XML souces]),
+ AS_HELP_STRING([--disable-regenerate-docu],[Don't re-build documentation from XML sources]),
[enable_docu=$enableval], [enable_docu=yes])
dnl
dnl Check for xsltproc


@ -1,55 +0,0 @@
From 8dc056c1c8bc7acb66c4decc49add2c3a24e6310 Mon Sep 17 00:00:00 2001
From: Tomas Mraz <tmraz@fedoraproject.org>
Date: Fri, 8 Feb 2013 15:04:26 +0100
Subject: [PATCH] Add checks for crypt() returning NULL.
modules/pam_pwhistory/opasswd.c (compare_password): Add check for crypt() NULL return.
modules/pam_unix/bigcrypt.c (bigcrypt): Likewise.
---
modules/pam_pwhistory/opasswd.c | 2 +-
modules/pam_unix/bigcrypt.c | 9 +++++++++
2 files changed, 10 insertions(+), 1 deletions(-)
diff --git a/modules/pam_pwhistory/opasswd.c b/modules/pam_pwhistory/opasswd.c
index 274fdb9..836d713 100644
--- a/modules/pam_pwhistory/opasswd.c
+++ b/modules/pam_pwhistory/opasswd.c
@@ -108,7 +108,7 @@ compare_password(const char *newpass, const char *oldpass)
outval = crypt (newpass, oldpass);
#endif
- return strcmp(outval, oldpass) == 0;
+ return outval != NULL && strcmp(outval, oldpass) == 0;
}
/* Check, if the new password is already in the opasswd file. */
diff --git a/modules/pam_unix/bigcrypt.c b/modules/pam_unix/bigcrypt.c
index e10d1c5..e1d57a0 100644
--- a/modules/pam_unix/bigcrypt.c
+++ b/modules/pam_unix/bigcrypt.c
@@ -109,6 +109,10 @@ char *bigcrypt(const char *key, const char *salt)
#else
tmp_ptr = crypt(plaintext_ptr, salt); /* libc crypt() */
#endif
+ if (tmp_ptr == NULL) {
+ free(dec_c2_cryptbuf);
+ return NULL;
+ }
/* and place in the static area */
strncpy(cipher_ptr, tmp_ptr, 13);
cipher_ptr += ESEGMENT_SIZE + SALT_SIZE;
@@ -130,6 +134,11 @@ char *bigcrypt(const char *key, const char *salt)
#else
tmp_ptr = crypt(plaintext_ptr, salt_ptr);
#endif
+ if (tmp_ptr == NULL) {
+ _pam_overwrite(dec_c2_cryptbuf);
+ free(dec_c2_cryptbuf);
+ return NULL;
+ }
/* skip the salt for seg!=0 */
strncpy(cipher_ptr, (tmp_ptr + SALT_SIZE), ESEGMENT_SIZE);
--
1.7.7.6


@ -1,24 +0,0 @@
diff -up Linux-PAM-1.1.6/modules/pam_namespace/Makefile.am.empty Linux-PAM-1.1.6/modules/pam_namespace/Makefile.am
--- Linux-PAM-1.1.6/modules/pam_namespace/Makefile.am.empty 2012-08-15 13:08:43.000000000 +0200
+++ Linux-PAM-1.1.6/modules/pam_namespace/Makefile.am 2012-08-17 15:08:33.487322476 +0200
@@ -40,7 +40,7 @@ if HAVE_UNSHARE
secureconf_SCRIPTS = namespace.init
install-data-local:
- mkdir -p $(namespaceddir)
+ mkdir -p $(DESTDIR)$(namespaceddir)
endif
diff -up Linux-PAM-1.1.6/modules/pam_sepermit/Makefile.am.empty Linux-PAM-1.1.6/modules/pam_sepermit/Makefile.am
--- Linux-PAM-1.1.6/modules/pam_sepermit/Makefile.am.empty 2012-08-15 13:08:43.000000000 +0200
+++ Linux-PAM-1.1.6/modules/pam_sepermit/Makefile.am 2012-08-17 15:08:13.692856948 +0200
@@ -35,7 +35,7 @@ if HAVE_LIBSELINUX
securelib_LTLIBRARIES = pam_sepermit.la
install-data-local:
- mkdir -p $(sepermitlockdir)
+ mkdir -p $(DESTDIR)$(sepermitlockdir)
endif
if ENABLE_REGENERATE_MAN
noinst_DATA = README pam_sepermit.8 sepermit.conf.5


@ -1,15 +0,0 @@
diff --git a/modules/pam_lastlog/pam_lastlog.c b/modules/pam_lastlog/pam_lastlog.c
index 50e5a59..bd454ff 100644
--- a/modules/pam_lastlog/pam_lastlog.c
+++ b/modules/pam_lastlog/pam_lastlog.c
@@ -479,6 +479,10 @@ last_login_failed(pam_handle_t *pamh, int announce, const char *user, time_t llt
}
}
+ if (retval != 0)
+ pam_syslog(pamh, LOG_WARNING, "corruption detected in %s", _PATH_BTMP);
+ retval = PAM_SUCCESS;
+
if (failed) {
/* we want the date? */
if (announce & LASTLOG_DATE) {


@ -1,93 +0,0 @@
diff --git a/modules/pam_namespace/namespace.conf.5.xml b/modules/pam_namespace/namespace.conf.5.xml
index 673099b..f28350d 100644
--- a/modules/pam_namespace/namespace.conf.5.xml
+++ b/modules/pam_namespace/namespace.conf.5.xml
@@ -119,6 +119,14 @@
contain the user name and will be shared among all users.
</para>
+ <para><emphasis>mntopts</emphasis>=<replaceable>value</replaceable>
+ - this flag value is passed to the mount call when the tmpfs mount is done.
+ It allows for example the specification of the maximum size of the tmpfs
+ instance that is created by the mount call. See <citerefentry>
+ <refentrytitle>mount</refentrytitle><manvolnum>8</manvolnum>
+ </citerefentry> for details.
+ </para>
+
<para>
The directory where polyinstantiated instances are to be
created, must exist and must have, by default, the mode of 0000. The
diff --git a/modules/pam_namespace/pam_namespace.c b/modules/pam_namespace/pam_namespace.c
index a40f05e..e0d5e30 100644
--- a/modules/pam_namespace/pam_namespace.c
+++ b/modules/pam_namespace/pam_namespace.c
@@ -64,6 +64,7 @@ static void del_polydir(struct polydir_s *poly)
if (poly) {
free(poly->uid);
free(poly->init_script);
+ free(poly->mount_opts);
free(poly);
}
}
@@ -237,9 +238,9 @@ static int parse_method(char *method, struct polydir_s *poly,
static const char *method_names[] = { "user", "context", "level", "tmpdir",
"tmpfs", NULL };
static const char *flag_names[] = { "create", "noinit", "iscript",
- "shared", NULL };
+ "shared", "mntopts", NULL };
static const unsigned int flag_values[] = { POLYDIR_CREATE, POLYDIR_NOINIT,
- POLYDIR_ISCRIPT, POLYDIR_SHARED };
+ POLYDIR_ISCRIPT, POLYDIR_SHARED, POLYDIR_MNTOPTS };
int i;
char *flag;
@@ -279,6 +280,20 @@ static int parse_method(char *method, struct polydir_s *poly,
return -1;
};
break;
+
+ case POLYDIR_MNTOPTS:
+ if (flag[namelen] != '=')
+ break;
+ if (poly->method != TMPFS) {
+ pam_syslog(idata->pamh, LOG_WARNING, "Mount options applicable only to tmpfs method");
+ break;
+ }
+ free(poly->mount_opts); /* if duplicate mntopts specified */
+ if ((poly->mount_opts = strdup(flag+namelen+1)) == NULL) {
+ pam_syslog(idata->pamh, LOG_CRIT, "Memory allocation error");
+ return -1;
+ }
+ break;
}
}
}
@@ -1464,7 +1479,7 @@ static int ns_setup(struct polydir_s *polyptr,
}
if (polyptr->method == TMPFS) {
- if (mount("tmpfs", polyptr->dir, "tmpfs", 0, NULL) < 0) {
+ if (mount("tmpfs", polyptr->dir, "tmpfs", 0, polyptr->mount_opts) < 0) {
pam_syslog(idata->pamh, LOG_ERR, "Error mounting tmpfs on %s, %m",
polyptr->dir);
return PAM_SESSION_ERR;
diff --git a/modules/pam_namespace/pam_namespace.h b/modules/pam_namespace/pam_namespace.h
index 51d2388..47ebcc3 100644
--- a/modules/pam_namespace/pam_namespace.h
+++ b/modules/pam_namespace/pam_namespace.h
@@ -116,6 +116,7 @@
#define POLYDIR_NOINIT 0x00000004 /* no init script */
#define POLYDIR_SHARED 0x00000008 /* share context/level instances among users */
#define POLYDIR_ISCRIPT 0x00000010 /* non default init script */
+#define POLYDIR_MNTOPTS 0x00000020 /* mount options for tmpfs mount */
#define NAMESPACE_MAX_DIR_LEN 80
@@ -164,6 +165,7 @@ struct polydir_s {
uid_t *uid; /* list of override uids */
unsigned int flags; /* polydir flags */
char *init_script; /* path to init script */
+ char *mount_opts; /* mount options for tmpfs mount */
uid_t owner; /* user which should own the polydir */
gid_t group; /* group which should own the polydir */
mode_t mode; /* mode of the polydir */


@ -1,99 +0,0 @@
diff -up Linux-PAM-1.1.6/modules/pam_rootok/Makefile.am.audit Linux-PAM-1.1.6/modules/pam_rootok/Makefile.am
--- Linux-PAM-1.1.6/modules/pam_rootok/Makefile.am.audit 2012-08-15 13:08:43.000000000 +0200
+++ Linux-PAM-1.1.6/modules/pam_rootok/Makefile.am 2013-07-04 10:30:21.000000000 +0200
@@ -25,7 +25,7 @@ if HAVE_VERSIONING
endif
securelib_LTLIBRARIES = pam_rootok.la
-pam_rootok_la_LIBADD = $(top_builddir)/libpam/libpam.la @LIBSELINUX@
+pam_rootok_la_LIBADD = $(top_builddir)/libpam/libpam.la @LIBSELINUX@ @LIBAUDIT@
if ENABLE_REGENERATE_MAN
noinst_DATA = README
diff -up Linux-PAM-1.1.6/modules/pam_rootok/pam_rootok.c.audit Linux-PAM-1.1.6/modules/pam_rootok/pam_rootok.c
--- Linux-PAM-1.1.6/modules/pam_rootok/pam_rootok.c.audit 2012-08-15 13:08:43.000000000 +0200
+++ Linux-PAM-1.1.6/modules/pam_rootok/pam_rootok.c 2013-03-22 09:41:48.000000000 +0100
@@ -28,7 +28,11 @@
#ifdef WITH_SELINUX
#include <selinux/selinux.h>
-#include <selinux/av_permissions.h>
+#include <selinux/avc.h>
+#endif
+
+#ifdef HAVE_LIBAUDIT
+#include <libaudit.h>
#endif
/* argument parsing */
@@ -55,6 +59,61 @@ _pam_parse (const pam_handle_t *pamh, in
return ctrl;
}
+#ifdef WITH_SELINUX
+static int
+log_callback (int type, const char *fmt, ...)
+{
+ int audit_fd;
+ va_list ap;
+
+ va_start(ap, fmt);
+#ifdef HAVE_LIBAUDIT
+ audit_fd = audit_open();
+
+ if (audit_fd >= 0) {
+ char *buf;
+
+ if (vasprintf (&buf, fmt, ap) < 0)
+ return 0;
+ audit_log_user_avc_message(audit_fd, AUDIT_USER_AVC, buf, NULL, NULL,
+ NULL, 0);
+ audit_close(audit_fd);
+ free(buf);
+ return 0;
+ }
+
+#endif
+ vsyslog (LOG_USER | LOG_INFO, fmt, ap);
+ va_end(ap);
+ return 0;
+}
+
+static int
+selinux_check_root (void)
+{
+ int status = -1;
+ security_context_t user_context;
+ union selinux_callback old_callback;
+
+ if (is_selinux_enabled() < 1)
+ return 0;
+
+ old_callback = selinux_get_callback(SELINUX_CB_LOG);
+ /* setup callbacks */
+ selinux_set_callback(SELINUX_CB_LOG, (union selinux_callback) &log_callback);
+ if ((status = getprevcon(&user_context)) < 0) {
+ selinux_set_callback(SELINUX_CB_LOG, old_callback);
+ return status;
+ }
+
+ status = selinux_check_access(user_context, user_context, "passwd", "passwd", NULL);
+
+ selinux_set_callback(SELINUX_CB_LOG, old_callback);
+ freecon(user_context);
+ return status;
+}
+#endif
+
static int
check_for_root (pam_handle_t *pamh, int ctrl)
{
@@ -62,7 +121,7 @@ check_for_root (pam_handle_t *pamh, int
if (getuid() == 0)
#ifdef WITH_SELINUX
- if (is_selinux_enabled()<1 || checkPasswdAccess(PASSWD__ROOTOK)==0)
+ if (selinux_check_root() == 0 || security_getenforce() == 0)
#endif
retval = PAM_SUCCESS;


@ -1,97 +0,0 @@
diff -up Linux-PAM-1.1.6/modules/pam_selinux/pam_selinux.c.manualctx Linux-PAM-1.1.6/modules/pam_selinux/pam_selinux.c
--- Linux-PAM-1.1.6/modules/pam_selinux/pam_selinux.c.manualctx 2012-09-03 15:23:21.000000000 +0200
+++ Linux-PAM-1.1.6/modules/pam_selinux/pam_selinux.c 2012-11-30 21:03:40.000000000 +0100
@@ -161,81 +161,6 @@ query_response (pam_handle_t *pamh, cons
return rc;
}
-static security_context_t
-manual_context (pam_handle_t *pamh, const char *user, int debug)
-{
- security_context_t newcon=NULL;
- context_t new_context;
- int mls_enabled = is_selinux_mls_enabled();
- char *type=NULL;
- char *response=NULL;
-
- while (1) {
- if (query_response(pamh,
- _("Would you like to enter a security context? [N] "), NULL,
- &response, debug) != PAM_SUCCESS)
- return NULL;
-
- if ((response[0] == 'y') || (response[0] == 'Y'))
- {
- if (mls_enabled)
- new_context = context_new ("user:role:type:level");
- else
- new_context = context_new ("user:role:type");
-
- if (!new_context)
- goto fail_set;
-
- if (context_user_set (new_context, user))
- goto fail_set;
-
- _pam_drop(response);
- /* Allow the user to enter each field of the context individually */
- if (query_response(pamh, _("role:"), NULL, &response, debug) == PAM_SUCCESS &&
- response[0] != '\0') {
- if (context_role_set (new_context, response))
- goto fail_set;
- if (get_default_type(response, &type))
- goto fail_set;
- if (context_type_set (new_context, type))
- goto fail_set;
- _pam_drop(type);
- }
- _pam_drop(response);
-
- if (mls_enabled)
- {
- if (query_response(pamh, _("level:"), NULL, &response, debug) == PAM_SUCCESS &&
- response[0] != '\0') {
- if (context_range_set (new_context, response))
- goto fail_set;
- }
- _pam_drop(response);
- }
-
- /* Get the string value of the context and see if it is valid. */
- if (!security_check_context(context_str(new_context))) {
- newcon = strdup(context_str(new_context));
- context_free (new_context);
- return newcon;
- }
- else
- send_text(pamh,_("Not a valid security context"),debug);
-
- context_free (new_context);
- }
- else {
- _pam_drop(response);
- return NULL;
- }
- } /* end while */
- fail_set:
- free(type);
- _pam_drop(response);
- context_free (new_context);
- return NULL;
-}
-
static int mls_range_allowed(pam_handle_t *pamh, security_context_t src, security_context_t dst, int debug)
{
struct av_decision avd;
@@ -606,11 +531,6 @@ compute_exec_context(pam_handle_t *pamh,
data->exec_context = context_from_env(pamh, data->default_user_context,
env_params, use_current_range,
debug);
- } else {
- if (seuser) {
- data->exec_context = manual_context(pamh, seuser, debug);
- free(seuser);
- }
}
if (!data->exec_context) {


@ -1,58 +0,0 @@
diff -up Linux-PAM-1.1.6/modules/pam_sepermit/Makefile.am.sepermit Linux-PAM-1.1.6/modules/pam_sepermit/Makefile.am
--- Linux-PAM-1.1.6/modules/pam_sepermit/Makefile.am.sepermit 2013-07-24 12:55:08.822987098 -0400
+++ Linux-PAM-1.1.6/modules/pam_sepermit/Makefile.am 2013-07-24 12:55:11.653004214 -0400
@@ -24,7 +24,7 @@ AM_CFLAGS = -I$(top_srcdir)/libpam/inclu
-D SEPERMIT_CONF_FILE=\"$(SCONFIGDIR)/sepermit.conf\" \
-D SEPERMIT_LOCKDIR=\"$(sepermitlockdir)\"
-pam_sepermit_la_LIBADD = $(top_builddir)/libpam/libpam.la @LIBSELINUX@
+pam_sepermit_la_LIBADD = $(top_builddir)/libpam/libpam.la @LIBSELINUX@ -lsystemd-login
pam_sepermit_la_LDFLAGS = -no-undefined -avoid-version -module
if HAVE_VERSIONING
pam_sepermit_la_LDFLAGS += -Wl,--version-script=$(srcdir)/../modules.map
diff -up Linux-PAM-1.1.6/modules/pam_sepermit/pam_sepermit.c.sepermit Linux-PAM-1.1.6/modules/pam_sepermit/pam_sepermit.c
--- Linux-PAM-1.1.6/modules/pam_sepermit/pam_sepermit.c.sepermit 2012-08-15 07:08:43.000000000 -0400
+++ Linux-PAM-1.1.6/modules/pam_sepermit/pam_sepermit.c 2013-07-24 13:17:24.088061506 -0400
@@ -65,6 +65,7 @@
#include <security/pam_ext.h>
#include <selinux/selinux.h>
+#include <systemd/sd-login.h>
#define MODULE "pam_sepermit"
#define OPT_DELIM ":"
@@ -187,6 +188,25 @@ sepermit_unlock(pam_handle_t *pamh, void
}
static int
+check_user_session(pam_handle_t *pamh) {
+ char *session = NULL;
+ char *class = NULL;
+ int rc;
+
+ if (sd_pid_get_session(0, &session))
+ return -1;
+ rc = sd_session_get_class(session, &class);
+ pam_syslog(pamh, LOG_ERR, "Session %s", session);
+ if (rc == 0) {
+ rc = strcmp(class, "user");
+ pam_syslog(pamh, LOG_ERR, "Class %s", class);
+ }
+ free(session);
+ free(class);
+ return rc;
+}
+
+static int
sepermit_lock(pam_handle_t *pamh, const char *user, int debug)
{
char buf[PATH_MAX];
@@ -319,7 +339,7 @@ sepermit_match(pam_handle_t *pamh, const
if (*sense == PAM_SUCCESS) {
if (ignore)
*sense = PAM_IGNORE;
- if (geteuid() == 0 && exclusive)
+ if (geteuid() == 0 && exclusive && check_user_session(pamh) != 0)
if (sepermit_lock(pamh, user, debug) < 0)
*sense = PAM_AUTH_ERR;
}


@ -1,28 +0,0 @@
diff --git a/modules/pam_namespace/md5.c b/modules/pam_namespace/md5.c
index ce4f7d6..dc95ab1 100644
--- a/modules/pam_namespace/md5.c
+++ b/modules/pam_namespace/md5.c
@@ -142,8 +142,7 @@ void MD5Name(MD5Final)(unsigned char digest[16], struct MD5Context *ctx)
byteReverse(ctx->in, 14);
/* Append length in bits and transform */
- ((uint32 *) ctx->in)[14] = ctx->bits[0];
- ((uint32 *) ctx->in)[15] = ctx->bits[1];
+ memcpy((uint32 *)ctx->in + 14, ctx->bits, 2*sizeof(uint32));
MD5Name(MD5Transform)(ctx->buf, (uint32 *) ctx->in);
byteReverse((unsigned char *) ctx->buf, 4);
diff --git a/modules/pam_unix/md5.c b/modules/pam_unix/md5.c
index 7881db5..94f0485 100644
--- a/modules/pam_unix/md5.c
+++ b/modules/pam_unix/md5.c
@@ -142,8 +142,7 @@ void MD5Name(MD5Final)(unsigned char digest[16], struct MD5Context *ctx)
byteReverse(ctx->in, 14);
/* Append length in bits and transform */
- ((uint32 *) ctx->in)[14] = ctx->bits[0];
- ((uint32 *) ctx->in)[15] = ctx->bits[1];
+ memcpy((uint32 *)ctx->in + 14, ctx->bits, 2*sizeof(uint32));
MD5Name(MD5Transform)(ctx->buf, (uint32 *) ctx->in);
byteReverse((unsigned char *) ctx->buf, 4);


@ -1,100 +0,0 @@
diff -up Linux-PAM-1.1.6/configure.in.tty-audit-echo Linux-PAM-1.1.6/configure.in
--- Linux-PAM-1.1.6/configure.in.tty-audit-echo 2013-08-07 15:41:08.245745447 +0200
+++ Linux-PAM-1.1.6/configure.in 2013-08-07 18:13:04.358958936 +0200
@@ -386,6 +386,10 @@ if test x"$WITH_LIBAUDIT" != xno ; then
fi
if test ! -z "$HAVE_AUDIT_TTY_STATUS" ; then
AC_DEFINE([HAVE_AUDIT_TTY_STATUS], 1, [Define to 1 if struct audit_tty_status exists.])
+
+ AC_CHECK_MEMBERS([struct audit_tty_status.log_passwd], [],
+ AC_MSG_WARN([audit_tty_status.log_passwd is not available. The log_passwd option is disabled.]),
+ [[#include <libaudit.h>]])
fi
else
LIBAUDIT=""
diff -up Linux-PAM-1.1.6/modules/pam_tty_audit/pam_tty_audit.8.xml.tty-audit-echo Linux-PAM-1.1.6/modules/pam_tty_audit/pam_tty_audit.8.xml
--- Linux-PAM-1.1.6/modules/pam_tty_audit/pam_tty_audit.8.xml.tty-audit-echo 2012-08-15 13:08:43.000000000 +0200
+++ Linux-PAM-1.1.6/modules/pam_tty_audit/pam_tty_audit.8.xml 2013-08-07 18:08:55.310028229 +0200
@@ -77,6 +77,19 @@
</para>
</listitem>
</varlistentry>
+ <varlistentry>
+ <term>
+ <option>log_passwd</option>
+ </term>
+ <listitem>
+ <para>
+ Log keystrokes when ECHO mode is off but ICANON mode is active.
+ This is the mode in which the tty is placed during password entry.
+ By default, passwords are not logged. This option may not be
+ available on older kernels (3.9?).
+ </para>
+ </listitem>
+ </varlistentry>
</variablelist>
</refsect1>
@@ -161,6 +174,8 @@ session required pam_tty_audit.so disabl
<para>
pam_tty_audit was written by Miloslav Trma&ccaron;
&lt;mitr@redhat.com&gt;.
+ The log_passwd option was added by Richard Guy Briggs
+ &lt;rgb@redhat.com&gt;.
</para>
</refsect1>
diff -up Linux-PAM-1.1.6/modules/pam_tty_audit/pam_tty_audit.c.tty-audit-echo Linux-PAM-1.1.6/modules/pam_tty_audit/pam_tty_audit.c
--- Linux-PAM-1.1.6/modules/pam_tty_audit/pam_tty_audit.c.tty-audit-echo 2012-08-15 13:08:43.000000000 +0200
+++ Linux-PAM-1.1.6/modules/pam_tty_audit/pam_tty_audit.c 2013-08-07 18:09:29.428694493 +0200
@@ -201,6 +201,9 @@ pam_sm_open_session (pam_handle_t *pamh,
struct audit_tty_status *old_status, new_status;
const char *user;
int i, fd, open_only;
+#ifdef HAVE_STRUCT_AUDIT_TTY_STATUS_LOG_PASSWD
+ int log_passwd;
+#endif /* HAVE_STRUCT_AUDIT_TTY_STATUS_LOG_PASSWD */
(void)flags;
@@ -212,6 +215,9 @@ pam_sm_open_session (pam_handle_t *pamh,
command = CMD_NONE;
open_only = 0;
+#ifdef HAVE_STRUCT_AUDIT_TTY_STATUS_LOG_PASSWD
+ log_passwd = 0;
+#endif /* HAVE_STRUCT_AUDIT_TTY_STATUS_LOG_PASSWD */
for (i = 0; i < argc; i++)
{
if (strncmp (argv[i], "enable=", 7) == 0
@@ -237,6 +243,14 @@ pam_sm_open_session (pam_handle_t *pamh,
}
else if (strcmp (argv[i], "open_only") == 0)
open_only = 1;
+ else if (strcmp (argv[i], "log_passwd") == 0)
+#ifdef HAVE_STRUCT_AUDIT_TTY_STATUS_LOG_PASSWD
+ log_passwd = 1;
+#else /* HAVE_STRUCT_AUDIT_TTY_STATUS_LOG_PASSWD */
+ pam_syslog (pamh, LOG_WARNING,
+ "The log_passwd option was not available at compile time.");
+#warning "pam_tty_audit: The log_passwd option is not available. Please upgrade your headers/kernel."
+#endif /* HAVE_STRUCT_AUDIT_TTY_STATUS_LOG_PASSWD */
else
{
pam_syslog (pamh, LOG_ERR, "unknown option `%s'", argv[i]);
@@ -262,7 +276,14 @@ pam_sm_open_session (pam_handle_t *pamh,
}
new_status.enabled = (command == CMD_ENABLE ? 1 : 0);
- if (old_status->enabled == new_status.enabled)
+#ifdef HAVE_STRUCT_AUDIT_TTY_STATUS_LOG_PASSWD
+ new_status.log_passwd = log_passwd;
+#endif /* HAVE_STRUCT_AUDIT_TTY_STATUS_LOG_PASSWD */
+ if (old_status->enabled == new_status.enabled
+#ifdef HAVE_STRUCT_AUDIT_TTY_STATUS_LOG_PASSWD
+ && old_status->log_passwd == new_status.log_passwd
+#endif /* HAVE_STRUCT_AUDIT_TTY_STATUS_LOG_PASSWD */
+ )
{
open_only = 1; /* to clean up old_status */
goto ok_fd;


@ -0,0 +1,43 @@
diff -up Linux-PAM-1.1.7/modules/pam_unix/pam_unix_acct.c.build Linux-PAM-1.1.7/modules/pam_unix/pam_unix_acct.c
--- Linux-PAM-1.1.7/modules/pam_unix/pam_unix_acct.c.build 2013-09-13 13:22:12.715064174 +0200
+++ Linux-PAM-1.1.7/modules/pam_unix/pam_unix_acct.c 2013-09-13 13:22:12.754065021 +0200
@@ -49,6 +49,8 @@
#include <time.h> /* for time() */
#include <errno.h>
#include <sys/wait.h>
+#include <sys/time.h>
+#include <sys/resource.h>
#include <security/_pam_macros.h>
diff -up Linux-PAM-1.1.7/modules/pam_unix/pam_unix_passwd.c.build Linux-PAM-1.1.7/modules/pam_unix/pam_unix_passwd.c
--- Linux-PAM-1.1.7/modules/pam_unix/pam_unix_passwd.c.build 2013-09-13 13:22:12.716064196 +0200
+++ Linux-PAM-1.1.7/modules/pam_unix/pam_unix_passwd.c 2013-09-13 14:06:01.581056247 +0200
@@ -53,6 +53,7 @@
#include <fcntl.h>
#include <ctype.h>
#include <sys/time.h>
+#include <sys/resource.h>
#include <sys/stat.h>
#include <signal.h>
@@ -262,7 +263,7 @@ static int _unix_run_update_binary(pam_h
close(fds[0]); /* close here to avoid possible SIGPIPE above */
close(fds[1]);
/* wait for helper to complete: */
- while ((rc=waitpid(child, &retval, 0) < 0 && errno == EINTR);
+ while ((rc=waitpid(child, &retval, 0)) < 0 && errno == EINTR);
if (rc<0) {
pam_syslog(pamh, LOG_ERR, "unix_update waitpid failed: %m");
retval = PAM_AUTHTOK_ERR;
diff -up Linux-PAM-1.1.7/modules/pam_unix/support.c.build Linux-PAM-1.1.7/modules/pam_unix/support.c
--- Linux-PAM-1.1.7/modules/pam_unix/support.c.build 2013-09-13 13:22:12.716064196 +0200
+++ Linux-PAM-1.1.7/modules/pam_unix/support.c 2013-09-13 13:22:12.755065042 +0200
@@ -19,6 +19,7 @@
#include <signal.h>
#include <ctype.h>
#include <syslog.h>
+#include <sys/time.h>
#include <sys/resource.h>
#ifdef HAVE_RPCSVC_YPCLNT_H
#include <rpcsvc/ypclnt.h>
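Review bot: The new patch file opens directly with its first `diff -up` line and carries no header, so the `pam_unix_passwd.c` hunk in `_unix_run_update_binary` (the function begins and ends outside the hunk) that turns `while ((rc=waitpid(child, &retval, 0) < 0 && errno == EINTR);` into `while ((rc=waitpid(child, &retval, 0)) < 0 && errno == EINTR);` is documented nowhere a later maintainer would look. That hunk is a behavioural fix rather than a build fix: in the old form `=` binds last, so rc receives the 0/1 result of the comparison instead of the waitpid() return value, and the `if (rc<0)` check on the following line can never be true. The two other hunks only add `<sys/time.h>` and `<sys/resource.h>` includes, which the `.build` suffix suggests address a compile failure, but the patch itself does not say which one. Add a short header above the first `diff -up` line stating both points, e.g. `Add includes missing for a build failure in pam_unix; also fix the operator precedence in the waitpid() loop of _unix_run_update_binary so rc holds the pid/-1 rather than a boolean.`, and record whether the waitpid fix has been submitted upstream.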

View File

@ -2,8 +2,8 @@
Summary: An extensible library which provides authentication for applications
Name: pam
Version: 1.1.6
Release: 14%{?dist}
Version: 1.1.7
Release: 1%{?dist}
# The library is BSD licensed with option to relicense as GPLv2+
# - this option is redundant as the BSD license allows that anyway.
# pam_timestamp, pam_loginuid, and pam_console modules are GPLv2+.
@ -38,31 +38,13 @@ Patch10: pam-1.1.3-nouserenv.patch
Patch11: pam-1.1.3-console-abstract.patch
Patch12: pam-1.1.3-faillock-screensaver.patch
Patch13: pam-1.1.6-limits-user.patch
Patch14: pam-1.1.6-audit-data.patch
Patch15: pam-1.1.6-full-relro.patch
# FIPS related - non upstreamable
Patch20: pam-1.1.5-unix-no-fallback.patch
# Upstreamed
Patch21: pam-1.1.6-install-empty.patch
#
Patch22: pam-1.1.5-unix-build.patch
# Upstreamed
Patch23: pam-1.1.6-autoupdate.patch
# Upstreamed
Patch24: pam-1.1.6-namespace-mntopts.patch
# Upstreamed
Patch25: pam-1.1.6-crypt-null-check.patch
# Upstreamed
Patch26: pam-1.1.6-lastlog-retval.patch
# Sent to upstream for review
Patch27: pam-1.1.6-strict-aliasing.patch
# Upstreamed
Patch28: pam-1.1.6-selinux-manualctx.patch
# Upstreamed partially
Patch22: pam-1.1.7-unix-build.patch
Patch29: pam-1.1.6-pwhistory-helper.patch
Patch30: pam-1.1.6-rootok-audit.patch
Patch31: pam-1.1.6-use-links.patch
Patch32: pam-1.1.6-sepermit-user.patch
Patch33: pam-1.1.6-tty-audit-echo.patch
%define _pamlibdir %{_libdir}
%define _moduledir %{_libdir}/security
@ -94,7 +76,6 @@ Requires: libselinux >= 1.33.2
%endif
Requires: glibc >= 2.3.90-37
BuildRequires: libdb-devel
BuildRequires: systemd-devel
# Following deps are necessary only to build the pam library documentation.
BuildRequires: linuxdoc-tools, elinks, libxslt
BuildRequires: docbook-style-xsl, docbook-dtds
@ -136,22 +117,11 @@ mv pam-redhat-%{pam_redhat_version}/* modules
%patch11 -p1 -b .abstract
%patch12 -p1 -b .screensaver
%patch13 -p1 -b .limits
%patch14 -p1 -b .audata
%patch15 -p1 -b .relro
%patch20 -p1 -b .no-fallback
%patch21 -p1 -b .empty
%patch22 -p1 -b .build
%patch23 -p1 -b .autoupdate
%patch24 -p1 -b .mntopts
%patch25 -p1 -b .null-check
%patch26 -p1 -b .retval
%patch27 -p1 -b .strict-aliasing
%patch28 -p1 -b .manualctx
%patch29 -p1 -b .pwhhelper
%patch30 -p1 -b .audit
%patch31 -p1 -b .links
%patch32 -p1 -b .sepermit-user
%patch33 -p1 -b .tty-audit-echo
%build
@ -400,6 +370,9 @@ fi
%doc doc/adg/*.txt doc/adg/html
%changelog
* Fri Sep 13 2013 Tomáš Mráz <tmraz@redhat.com> 1.1.7-1
- new upstream release
* Wed Aug 7 2013 Tomáš Mráz <tmraz@redhat.com> 1.1.6-14
- use links instead of w3m to create txt documentation
- recognize login session in pam_sepermit to prevent gdm from locking (#969174)