diff --git a/.cvsignore b/.cvsignore
index e2ddd1f..1924600 100644
--- a/.cvsignore
+++ b/.cvsignore
@@ -1,3 +1,3 @@
-db-4.3.29.tar.gz
 Linux-PAM-0.99.6.2.tar.bz2
 pam-redhat-0.99.6-2.tar.bz2
+db-4.5.20.tar.gz
diff --git a/pam-0.99.6.2-namespace-preserve-uid.patch b/pam-0.99.6.2-namespace-preserve-uid.patch
new file mode 100644
index 0000000..d4cdf14
--- /dev/null
+++ b/pam-0.99.6.2-namespace-preserve-uid.patch
@@ -0,0 +1,8 @@
+--- Linux-PAM-0.99.6.2/modules/pam_namespace/namespace.init.preserve-uid 2006-06-27 15:07:43.000000000 +0200
++++ Linux-PAM-0.99.6.2/modules/pam_namespace/namespace.init 2006-10-13 10:51:03.000000000 +0200
+@@ -1,4 +1,4 @@
+-#!/bin/sh
++#!/bin/sh -p
+ # This is only a boilerplate for the instance initialization script.
+ # It receives polydir path as $1 and the instance path as $2.
+ #
diff --git a/pam-0.99.6.2-selinux-drop-multiple.patch b/pam-0.99.6.2-selinux-drop-multiple.patch
new file mode 100644
index 0000000..6b7d88a
--- /dev/null
+++ b/pam-0.99.6.2-selinux-drop-multiple.patch
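Review bot: The `-p` added to the `#!/bin/sh` line of namespace.init is a bash/ksh privileged-mode option rather than a POSIX `sh` one, so the script keeps its effective uid only when /bin/sh is bash; on a system whose /bin/sh lacks `-p` it would either fail to start or fall back to the default behaviour of resetting the effective uid to the real uid. Because this file is explicitly a boilerplate that administrators copy and edit, the reason for the flag should be recorded in the script itself, e.g. `# -p: privileged mode - keep the effective uid/gid, do not read $ENV/BASH_ENV or inherit functions from the environment (bash/ksh only)`. The changelog ties the change to newrole and LSPP, which is context a reader of namespace.init alone will not have.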
@@ -0,0 +1,125 @@ +--- Linux-PAM-0.99.6.2/modules/pam_selinux/pam_selinux.8.xml.drop-multiple 2006-06-18 10:26:59.000000000 +0200 ++++ Linux-PAM-0.99.6.2/modules/pam_selinux/pam_selinux.8.xml 2006-11-10 17:47:16.000000000 +0100 +@@ -25,9 +25,6 @@ + debug + + +- multiple +- +- + open + + +@@ -93,18 +90,6 @@ + + + +- +- +- +- +- Tells pam_selinux.so to allow the user to select the +- security context they will login with, if the user has +- more than one role. +- +- +- +- +- + + + +--- Linux-PAM-0.99.6.2/modules/pam_selinux/pam_selinux.c.drop-multiple 2006-11-10 17:44:33.000000000 +0100 ++++ Linux-PAM-0.99.6.2/modules/pam_selinux/pam_selinux.c 2006-11-10 17:44:33.000000000 +0100 +@@ -89,56 +89,6 @@ + } + + static security_context_t +-select_context (pam_handle_t *pamh, security_context_t* contextlist, +- int debug) +-{ +- char *responses; +- char *text=calloc(PATH_MAX,1); +- +- if (text == NULL) +- return (security_context_t) strdup(contextlist[0]); +- +- snprintf(text, PATH_MAX, +- _("Your default context is %s. \n"), contextlist[0]); +- send_text(pamh,text,debug); +- free(text); +- query_response(pamh,_("Do you want to choose a different one? 
[n]"), +- &responses,debug); +- if (responses && ((responses[0] == 'y') || +- (responses[0] == 'Y'))) +- { +- int choice=0; +- int i; +- const char *prompt=_("Enter number of choice: "); +- int len=strlen(prompt); +- char buf[PATH_MAX]; +- +- _pam_drop(responses); +- for (i = 0; contextlist[i]; i++) { +- len+=strlen(contextlist[i]) + 10; +- } +- text=calloc(len,1); +- for (i = 0; contextlist[i]; i++) { +- snprintf(buf, PATH_MAX, +- "[%d] %s\n", i+1, contextlist[i]); +- strncat(text,buf,len); +- } +- strcat(text,prompt); +- while ((choice < 1) || (choice > i)) { +- query_response(pamh,text,&responses,debug); +- choice = strtol (responses, NULL, 10); +- _pam_drop(responses); +- } +- free(text); +- return (security_context_t) strdup(contextlist[choice-1]); +- } +- else if (responses) +- _pam_drop(responses); +- +- return (security_context_t) strdup(contextlist[0]); +-} +- +-static security_context_t + manual_context (pam_handle_t *pamh, const char *user, int debug) + { + security_context_t newcon; +@@ -322,7 +272,7 @@ + int argc, const char **argv) + { + int i, debug = 0, ttys=1, has_tty=isatty(0); +- int verbose=0, multiple=0, close_session=0; ++ int verbose=0, close_session=0; + int ret = 0; + security_context_t* contextlist = NULL; + int num_contexts = 0; +@@ -342,9 +292,6 @@ + if (strcmp(argv[i], "verbose") == 0) { + verbose = 1; + } +- if (strcmp(argv[i], "multiple") == 0) { +- multiple = 1; +- } + if (strcmp(argv[i], "close") == 0) { + close_session = 1; + } +@@ -377,13 +324,8 @@ + free(level); + } + if (num_contexts > 0) { +- if (multiple && (num_contexts > 1) && has_tty) { +- user_context = select_context(pamh,contextlist, debug); +- freeconary(contextlist); +- } else { +- user_context = (security_context_t) strdup(contextlist[0]); +- freeconary(contextlist); +- } ++ user_context = (security_context_t) strdup(contextlist[0]); ++ freeconary(contextlist); + } else { + if (has_tty) { + user_context = manual_context(pamh,username,debug); 
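Review bot: The new side of the pam_selinux.c hunk at `@@ -377,13 +324,8 @@` assigns `user_context = (security_context_t) strdup(contextlist[0]);` and immediately calls `freeconary(contextlist)` without checking that strdup succeeded, so on allocation failure user_context is NULL and whatever uses it after the hunk must tolerate that; if it does not, add a check such as `if (user_context == NULL) { freeconary(contextlist); return PAM_BUF_ERR; }` using whichever error code the function already returns for allocation failures. The argv loop in the `@@ -342,9 +292,6 @@` hunk drops the `multiple` branch but shows no fallback that logs unrecognised options, so a pam.d line that still carries `multiple` will now be accepted silently; a `pam_syslog` of unknown options would make the removal visible to administrators, though the rest of that loop is outside the hunk. The enclosing function begins before the hunk (only the tail of its signature, `int argc, const char **argv)`, is visible) and continues after it, and the pam_selinux.8.xml part of this patch is too garbled in this view to review.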
diff --git a/pam.spec b/pam.spec
index 49ed026..0e90af3 100644
--- a/pam.spec
+++ b/pam.spec
@@ -4,14 +4,14 @@
 %define _sysconfdir /etc
 %define pwdb_version 0.62
-%define db_version 4.3.29
-%define db_conflicting_version 4.4.0
+%define db_version 4.5.20
+%define db_conflicting_version 4.6.0
 %define pam_redhat_version 0.99.6-2
 Summary: A security tool which provides authentication for applications
 Name: pam
 Version: 0.99.6.2
-Release: 3%{?dist}
+Release: 4%{?dist}
 License: GPL or BSD
 Group: System Environment/Base
 Source0: http://ftp.us.kernel.org/pub/linux/libs/pam/pre/library/Linux-PAM-%{version}.tar.bz2
@@ -28,12 +28,17 @@
 Patch1: pam-0.99.5.0-redhat-modules.patch
 Patch21: pam-0.78-unix-hpux-aging.patch
 Patch34: pam-0.99.4.0-dbpam.patch
 Patch70: pam-0.99.2.1-selinux-nofail.patch
-Patch80: pam-0.99.5.0-selinux-drop-multiple.patch
+Patch80: pam-0.99.6.2-selinux-drop-multiple.patch
 Patch81: pam-0.99.3.0-cracklib-try-first-pass.patch
 Patch82: pam-0.99.3.0-tally-fail-close.patch
 Patch84: pam-0.99.6.2-selinux-keycreate.patch
 Patch85: pam-0.99.6.0-succif-session.patch
 Patch86: pam-0.99.6.2-namespace-no-unmount.patch
+Patch87: pam-0.99.6.2-namespace-preserve-uid.patch
+Patch88: pam-0.99.6.2-doc-add-ids.patch
+Patch89: pam-0.99.6.2-namespace-overflow.patch
+Patch90: pam-0.99.6.2-keyinit-setgid.patch
+Patch91: pam-0.99.6.2-unix-username.patch
 BuildRoot: %{_tmppath}/%{name}-root
 Requires: cracklib, cracklib-dicts >= 2.8
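Review bot: Patch88 through Patch91 are declared in the `@@ -28,12 +28,17 @@` hunk and applied in %prep, but only pam-0.99.6.2-namespace-preserve-uid.patch (Patch87) and the renamed Patch80 appear as new files in this diff; unless pam-0.99.6.2-doc-add-ids.patch, pam-0.99.6.2-namespace-overflow.patch, pam-0.99.6.2-keyinit-setgid.patch and pam-0.99.6.2-unix-username.patch were committed separately, %prep will stop at `%patch88`. Three of the four are security fixes according to the changelog (a buffer overflow in pam_namespace, setgid/setuid ordering in pam_keyinit, username validation in pam_unix), so a one-line comment above each Patch line naming the bug it fixes would help later audits, e.g. `# Patch89: fix buffer overflow in pam_namespace (#211989)`. The Patch80 change is only a rebase of the existing drop-multiple patch onto 0.99.6.2 and needs nothing further.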
@@ -41,14 +46,14 @@ Obsoletes: pamconfig
 Prereq: grep, mktemp, sed, coreutils, /sbin/ldconfig
 BuildRequires: autoconf, automake, libtool
 BuildRequires: bison, flex, sed
-BuildRequires: cracklib, cracklib-dicts >= 2.8
+BuildRequires: cracklib-devel, cracklib-dicts >= 2.8
 BuildRequires: perl, pkgconfig
 %if %{WITH_AUDIT}
 BuildRequires: audit-libs-devel >= 1.0.8
 Requires: audit-libs >= 1.0.8
 %endif
-BuildRequires: libselinux-devel >= 1.27.7
-Requires: libselinux >= 1.27.7
+BuildRequires: libselinux-devel >= 1.33.1-2
+Requires: libselinux >= 1.33.1-2
 BuildRequires: glibc >= 2.3.90-37
 Requires: glibc >= 2.3.90-37
 # Following deps are necessary only to build the pam library documentation.
@@ -95,6 +100,11 @@ cp %{SOURCE7} .
 %patch84 -p1 -b .keycreate
 %patch85 -p0 -b .session
 %patch86 -p1 -b .no-unmount
+%patch87 -p1 -b .preserve-uid
+%patch88 -p0 -b .add-ids
+%patch89 -p1 -b .overflow
+%patch90 -p1 -b .setgid
+%patch91 -p1 -b .username
 autoreconf
@@ -153,6 +163,9 @@ install -m 644 other.pamd $RPM_BUILD_ROOT%{_sysconfdir}/pam.d/other
 install -m 644 system-auth.pamd $RPM_BUILD_ROOT%{_sysconfdir}/pam.d/system-auth
 install -m 644 config-util.pamd $RPM_BUILD_ROOT%{_sysconfdir}/pam.d/config-util
 install -m 600 /dev/null $RPM_BUILD_ROOT%{_sysconfdir}/security/opasswd
+install -d -m 755 $RPM_BUILD_ROOT/var/log
+install -m 600 /dev/null $RPM_BUILD_ROOT/var/log/faillog
+install -m 600 /dev/null $RPM_BUILD_ROOT/var/log/tallylog
 # Forcibly strip binaries.
 strip $RPM_BUILD_ROOT%{_sbindir}/* ||:
@@ -353,6 +366,8 @@ fi
 %dir %{_sysconfdir}/security/console.perms.d
 %config %{_sysconfdir}/security/console.perms.d/50-default.perms
 %dir /var/run/console
+%config(noreplace) %verify(not md5 size mtime) /var/log/faillog
+%config(noreplace) %verify(not md5 size mtime) /var/log/tallylog
 %{_mandir}/man5/*
 %{_mandir}/man8/*
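Review bot: The two /var/log entries added in the `@@ -353,6 +366,8 @@` hunk carry no %attr, so the root-only mode these files get comes solely from the `install -m 600 /dev/null ...` lines in the `@@ -153,6 +163,9 @@` hunk and is not stated in the file list where a packager would look for it; prefer `%attr(0600,root,root) %config(noreplace) %verify(not md5 size mtime) /var/log/faillog` and the same for tallylog. Leaving mode, user and group out of the `%verify(not ...)` exclusion, as the hunk already does, keeps `rpm -V` reporting a loosened permission on these files, which is the property worth protecting for login-failure records. The `install -d -m 755 $RPM_BUILD_ROOT/var/log` line creates the directory in the buildroot only and is correctly not listed as a %dir, since the filesystem package owns /var/log.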
@@ -367,6 +382,22 @@ fi
 %doc doc/adg/*.txt doc/adg/html
 %changelog
+* Mon Nov 13 2006 Tomas Mraz 0.99.6.2-4
+- update internal db4 to 4.5.20 version
+- move setgid before setuid in pam_keyinit (#212329)
+- make username check in pam_unix consistent with useradd (#212153)
+
+* Tue Oct 24 2006 Tomas Mraz 0.99.6.2-3.3
+- don't overflow a buffer in pam_namespace (#211989)
+
+* Mon Oct 16 2006 Tomas Mraz 0.99.6.2-3.2
+- /var/log/faillog and tallylog must be %config(noreplace)
+
+* Fri Oct 13 2006 Tomas Mraz 0.99.6.2-3.1
+- preserve effective uid in namespace.init script (LSPP for newrole)
+- include /var/log/faillog and tallylog to filelist (#209646)
+- add ids to .xml docs so the generated html is always the same (#210569)
+
 * Thu Sep 28 2006 Tomas Mraz 0.99.6.2-3
 - add pam_namespace option no_unmount_on_close, required for newrole
diff --git a/sources b/sources
index b9220ac..ea060b5 100644
--- a/sources
+++ b/sources
@@ -1,3 +1,3 @@
-13585a20ce32f113b8e8cdb57f52e3bb db-4.3.29.tar.gz
 52844c64efa6f8b6a9ed702eec341a4c Linux-PAM-0.99.6.2.tar.bz2
 03b4148754928c045b28650f14f427af pam-redhat-0.99.6-2.tar.bz2
+b0f1c777708cb8e9d37fb47e7ed3312d db-4.5.20.tar.gz