From 6c6453458aeaf6198e826f45f64184c866258a32 Mon Sep 17 00:00:00 2001 
From: =?UTF-8?q?Tom=C3=A1=C5=A1=20Mr=C3=A1z?=
Date: Mon, 23 Jul 2007 18:46:31 +0000
Subject: [PATCH] - upgrade to latest upstream version - add some firewire devices to default console perms (#240770)
---
 .cvsignore | 4 +-
 pam-0.99.2.1-selinux-nofail.patch | 78 ---
 pam-0.99.6.2-namespace-dirnames.patch | 206 --------
 pam-0.99.6.2-namespace-docfix.patch | 18 -
 pam-0.99.6.2-namespace-preserve-uid.patch | 8 -
 pam-0.99.6.2-selinux-audit-context.patch | 85 ----
 pam-0.99.6.2-selinux-drop-multiple.patch | 125 -----
 pam-0.99.6.2-selinux-keycreate.patch | 42 --
 pam-0.99.6.2-selinux-select-context.patch | 463 ------------------
 pam-0.99.6.2-selinux-use-current-range.patch | 113 -----
 pam-0.99.7.0-dbpam.patch | 11 -
 pam-0.99.7.0-namespace-level.patch | 250 ----------
 pam-0.99.7.0-namespace-no-unmount.patch | 95 ----
 pam-0.99.7.0-namespace-unmnt-override.patch | 125 -----
 pam-0.99.7.1-namespace-unknown-user.patch | 20 -
 pam-0.99.7.1-unix-allow-pwmodify.patch | 16 -
 pam-0.99.7.1-unix-bigcrypt.patch | 126 -----
 pam-0.99.8.1-dbpam.patch | 11 +
 ...h => pam-0.99.8.1-unix-update-helper.patch | 59 +--
 pam.spec | 61 +--
 sources | 4 +-
 21 files changed, 63 insertions(+), 1857 deletions(-)
 delete mode 100644 pam-0.99.2.1-selinux-nofail.patch
 delete mode 100644 pam-0.99.6.2-namespace-dirnames.patch
 delete mode 100644 pam-0.99.6.2-namespace-docfix.patch
 delete mode 100644 pam-0.99.6.2-namespace-preserve-uid.patch
 delete mode 100644 pam-0.99.6.2-selinux-audit-context.patch
 delete mode 100644 pam-0.99.6.2-selinux-drop-multiple.patch
 delete mode 100644 pam-0.99.6.2-selinux-keycreate.patch
 delete mode 100644 pam-0.99.6.2-selinux-select-context.patch
 delete mode 100644 pam-0.99.6.2-selinux-use-current-range.patch
 delete mode 100644 pam-0.99.7.0-dbpam.patch
 delete mode 100644 pam-0.99.7.0-namespace-level.patch
 delete mode 100644 pam-0.99.7.0-namespace-no-unmount.patch
 delete mode 100644 pam-0.99.7.0-namespace-unmnt-override.patch
 delete mode 100644 pam-0.99.7.1-namespace-unknown-user.patch
 delete mode 100644 pam-0.99.7.1-unix-allow-pwmodify.patch
 delete mode 100644 pam-0.99.7.1-unix-bigcrypt.patch
 create mode 100644 pam-0.99.8.1-dbpam.patch
 rename pam-0.99.7.1-unix-update-helper.patch => pam-0.99.8.1-unix-update-helper.patch (97%)

diff --git a/.cvsignore b/.cvsignore
index 07b5925..357da6c 100644
--- a/.cvsignore
+++ b/.cvsignore
@@ -1,5 +1,5 @@
 db-4.5.20.tar.gz
 *.src.rpm
 *.tar.bz2
-pam-redhat-0.99.7-1.tar.bz2
-Linux-PAM-0.99.7.1.tar.bz2
+pam-redhat-0.99.8-1.tar.bz2
+Linux-PAM-0.99.8.1.tar.bz2
diff --git a/pam-0.99.2.1-selinux-nofail.patch b/pam-0.99.2.1-selinux-nofail.patch
deleted file mode 100644
index 83dcef7..0000000
--- a/pam-0.99.2.1-selinux-nofail.patch
+++ /dev/null
@@ -1,78 +0,0 @@ ---- Linux-PAM-0.99.2.1/modules/pam_selinux/pam_selinux.c.nofail 2005-11-29 10:22:05.000000000 +0100 -+++ Linux-PAM-0.99.2.1/modules/pam_selinux/pam_selinux.c 2005-12-15 14:12:54.000000000 +0100 -@@ -327,6 +327,8 @@ - int num_contexts = 0; - const void *username = NULL; - const void *tty = NULL; -+ char *seuser=NULL; -+ char *level=NULL; - - /* Parse arguments. */ - for (i = 0; i < argc; i++) { -@@ -361,7 +363,18 @@ - username == NULL) { - return PAM_AUTH_ERR; - } -- num_contexts = get_ordered_context_list(username, 0, &contextlist); -+ -+ if (getseuserbyname(username, &seuser, &level)==0) { -+ num_contexts = get_ordered_context_list_with_level(seuser, -+ level, -+ NULL, -+ &contextlist); -+ if (debug) -+ pam_syslog(pamh, LOG_DEBUG, "Username= %s SELinux User = %s Level= %s", -+ (const char *)username, seuser, level); -+ free(seuser); -+ free(level); -+ } - if (num_contexts > 0) { - if (multiple && (num_contexts > 1) && has_tty) { - user_context = select_context(pamh,contextlist, debug); -@@ -376,13 +389,19 @@ - if (user_context == NULL) { - pam_syslog (pamh, LOG_ERR, "Unable to get valid context for %s", - (const char *)username); -- return PAM_AUTH_ERR; -+ if (security_getenforce() == 1) -+ return PAM_AUTH_ERR; -+ else -+ return PAM_SUCCESS; - } - } else { - pam_syslog (pamh, LOG_ERR, - "Unable to get valid context for %s, No valid tty", - (const char *)username); -- return PAM_AUTH_ERR; -+ if (security_getenforce() == 1) -+ return PAM_AUTH_ERR; -+ else -+ return PAM_SUCCESS; - } - } - if (getexeccon(&prev_user_context)<0) { -@@ -420,8 +439,10 @@ - pam_syslog(pamh, LOG_ERR, - "Error! 
Unable to set %s executable context %s.", - (const char *)username, user_context); -- freecon(user_context); -- return PAM_AUTH_ERR; -+ if (security_getenforce() == 1) { -+ freecon(user_context); -+ return PAM_AUTH_ERR; -+ } - } else { - if (debug) - pam_syslog(pamh, LOG_NOTICE, "set %s security context to %s", -@@ -471,7 +492,10 @@ - if (status) { - pam_syslog(pamh, LOG_ERR, "Error! Unable to set executable context %s.", - prev_user_context); -- return PAM_AUTH_ERR; -+ if (security_getenforce() == 1) -+ return PAM_AUTH_ERR; -+ else -+ return PAM_SUCCESS; - } - - if (debug) diff --git a/pam-0.99.6.2-namespace-dirnames.patch b/pam-0.99.6.2-namespace-dirnames.patch deleted file mode 100644 index 6e224d0..0000000 --- a/pam-0.99.6.2-namespace-dirnames.patch +++ /dev/null 
@@ -1,206 +0,0 @@ ---- Linux-PAM-0.99.6.2/modules/pam_namespace/pam_namespace.h.dirnames 2007-02-26 23:31:26.000000000 +0100 -+++ Linux-PAM-0.99.6.2/modules/pam_namespace/pam_namespace.h 2007-02-27 00:40:04.000000000 +0100 -@@ -89,6 +89,8 @@ - #define PAMNS_IGN_INST_PARENT_MODE 0x00008000 /* Ignore instance parent mode */ - #define PAMNS_NO_UNMOUNT_ON_CLOSE 0x00010000 /* no unmount at session close */ - -+#define NAMESPACE_MAX_DIR_LEN 80 -+ - /* - * Polyinstantiation method options, based on user, security context - * or both ---- Linux-PAM-0.99.6.2/modules/pam_namespace/pam_namespace.c.dirnames 2007-02-26 23:31:26.000000000 +0100 -+++ Linux-PAM-0.99.6.2/modules/pam_namespace/pam_namespace.c 2007-02-27 00:39:51.000000000 +0100 -@@ -436,6 +436,36 @@ - return 0; - } - -+/* -+ * md5hash generates a hash of the passed in instance directory name. -+ */ -+static char *md5hash(const char *instname, struct instance_data *idata) -+{ -+ int i; -+ char *md5inst = NULL; -+ char *to; -+ unsigned char inst_digest[MD5_DIGEST_LENGTH]; -+ -+ /* -+ * Create MD5 hashes for instance pathname. 
-+ */ -+ -+ MD5((const unsigned char *)instname, strlen(instname), inst_digest); -+ -+ if ((md5inst = malloc(MD5_DIGEST_LENGTH * 2 + 1)) == NULL) { -+ pam_syslog(idata->pamh, LOG_ERR, "Unable to allocate buffer"); -+ return NULL; -+ } -+ -+ to = md5inst; -+ for (i = 0; i < MD5_DIGEST_LENGTH; i++) { -+ snprintf(to, 3, "%02x", (unsigned int)inst_digest[i]); -+ to += 2; -+ } -+ -+ return md5inst; -+} -+ - #ifdef WITH_SELINUX - static int form_context(const struct polydir_s *polyptr, - security_context_t *i_context, security_context_t *origcon, -@@ -547,12 +577,21 @@ - #endif - { - int rc; -+ char *hash = NULL; -+#ifdef WITH_SELINUX -+ security_context_t rawcon = NULL; -+#endif - --# ifdef WITH_SELINUX -- rc = form_context(polyptr, i_context, origcon, idata); -+ *i_name = NULL; -+#ifdef WITH_SELINUX -+ *i_context = NULL; -+ *origcon = NULL; -+ if ((rc=form_context(polyptr, i_context, origcon, idata)) != PAM_SUCCESS) { -+ return rc; -+ } - #endif -- rc = PAM_SUCCESS; - -+ rc = PAM_SESSION_ERR; - /* - * Set the name of the polyinstantiated instance dir based on the - * polyinstantiation method. 
-@@ -561,16 +600,20 @@ - case USER: - if (asprintf(i_name, "%s", idata->user) < 0) { - *i_name = NULL; -- rc = PAM_SESSION_ERR; -- } -+ goto fail; -+ } - break; - - #ifdef WITH_SELINUX - case LEVEL: - case CONTEXT: -- if (asprintf(i_name, "%s_%s", *i_context, idata->user) < 0) { -+ if (selinux_trans_to_raw_context(*i_context, &rawcon) < 0) { -+ pam_syslog(idata->pamh, LOG_ERR, "Error translating directory context"); -+ goto fail; -+ } -+ if (asprintf(i_name, "%s_%s", rawcon, idata->user) < 0) { - *i_name = NULL; -- rc = PAM_SESSION_ERR; -+ goto fail; - } - break; - -@@ -579,12 +622,48 @@ - default: - if (idata->flags & PAMNS_DEBUG) - pam_syslog(idata->pamh, LOG_ERR, "Unknown method"); -- rc = PAM_SESSION_ERR; -+ goto fail; - } - -- if ((idata->flags & PAMNS_DEBUG) && rc == PAM_SUCCESS) -+ if (idata->flags & PAMNS_DEBUG) - pam_syslog(idata->pamh, LOG_DEBUG, "poly_name %s", *i_name); - -+ if ((idata->flags & PAMNS_GEN_HASH) || strlen(*i_name) > NAMESPACE_MAX_DIR_LEN) { -+ hash = md5hash(*i_name, idata); -+ if (hash == NULL) { -+ goto fail; -+ } -+ if (idata->flags & PAMNS_GEN_HASH) { -+ free(*i_name); -+ *i_name = hash; -+ hash = NULL; -+ } else { -+ char *newname; -+ if (asprintf(&newname, "%.*s_%s", NAMESPACE_MAX_DIR_LEN-1-strlen(hash), -+ *i_name, hash) < 0) { -+ goto fail; -+ } -+ free(*i_name); -+ *i_name = newname; -+ } -+ } -+ rc = PAM_SUCCESS; -+ -+fail: -+ free(hash); -+#ifdef WITH_SELINUX -+ freecon(rawcon); -+#endif -+ if (rc != PAM_SUCCESS) { -+#ifdef WITH_SELINUX -+ freecon(*i_context); -+ *i_context = NULL; -+ freecon(*origcon); -+ *origcon = NULL; -+#endif -+ free(*i_name); -+ *i_name = NULL; -+ } - return rc; - } - -@@ -832,39 +911,6 @@ - - - /* -- * md5hash generates a hash of the passed in instance directory name. -- */ --static int md5hash(char **instname, struct instance_data *idata) --{ -- int i; -- char *md5inst = NULL; -- char *to; -- unsigned char inst_digest[MD5_DIGEST_LENGTH]; -- -- /* -- * Create MD5 hashes for instance pathname. 
-- */ -- -- MD5((unsigned char *)*instname, strlen(*instname), inst_digest); -- -- if ((md5inst = malloc(MD5_DIGEST_LENGTH * 2 + 1)) == NULL) { -- pam_syslog(idata->pamh, LOG_ERR, "Unable to allocate buffer"); -- return PAM_SESSION_ERR; -- } -- -- to = md5inst; -- for (i = 0; i < MD5_DIGEST_LENGTH; i++) { -- snprintf(to, 3, "%02x", (unsigned int)inst_digest[i]); -- to += 3; -- } -- -- free(*instname); -- *instname = md5inst; -- -- return PAM_SUCCESS; --} -- --/* - * This function performs the namespace setup for a particular directory - * that is being polyinstantiated. It creates an MD5 hash of instance - * directory, calls create_dirs to create it with appropriate -@@ -914,14 +960,6 @@ - #endif - } - -- if (idata->flags & PAMNS_GEN_HASH) { -- retval = md5hash(&instname, idata); -- if (retval < 0) { -- pam_syslog(idata->pamh, LOG_ERR, "Error generating md5 hash"); -- goto error_out; -- } -- } -- - if (asprintf(&inst_dir, "%s%s", polyptr->instance_prefix, instname) < 0) - goto error_out; - diff --git a/pam-0.99.6.2-namespace-docfix.patch b/pam-0.99.6.2-namespace-docfix.patch deleted file mode 100644 index 66620c8..0000000 --- a/pam-0.99.6.2-namespace-docfix.patch +++ /dev/null @@ -1,18 +0,0 @@ ---- Linux-PAM-0.99.6.2/modules/pam_namespace/namespace.conf.5.xml.docfix 2007-04-03 17:51:29.000000000 +0200 -+++ Linux-PAM-0.99.6.2/modules/pam_namespace/namespace.conf.5.xml 2007-04-23 19:04:10.000000000 +0200 -@@ -86,6 +86,15 @@ - for all users. - - -+ -+ In case of context or level polyinstantiation the SELinux context -+ which is used for polyinstantiation is the context used for executing -+ a new process as obtained by getexeccon. This context must be set -+ by the calling application or pam_selinux.so -+ module. If this context is not set the polyinstatiation will be -+ based just on user name. -+ -+ - - - diff --git a/pam-0.99.6.2-namespace-preserve-uid.patch b/pam-0.99.6.2-namespace-preserve-uid.patch deleted file mode 100644 index d4cdf14..0000000 
--- a/pam-0.99.6.2-namespace-preserve-uid.patch +++ /dev/null @@ -1,8 +0,0 @@ ---- Linux-PAM-0.99.6.2/modules/pam_namespace/namespace.init.preserve-uid 2006-06-27 15:07:43.000000000 +0200 -+++ Linux-PAM-0.99.6.2/modules/pam_namespace/namespace.init 2006-10-13 10:51:03.000000000 +0200 -@@ -1,4 +1,4 @@ --#!/bin/sh -+#!/bin/sh -p - # This is only a boilerplate for the instance initialization script. - # It receives polydir path as $1 and the instance path as $2. - # diff --git a/pam-0.99.6.2-selinux-audit-context.patch b/pam-0.99.6.2-selinux-audit-context.patch deleted file mode 100644 index 08908f2..0000000 --- a/pam-0.99.6.2-selinux-audit-context.patch +++ /dev/null 
@@ -1,85 +0,0 @@ ---- Linux-PAM-0.99.6.2/modules/pam_selinux/pam_selinux.c.audit-context 2007-04-03 17:51:29.000000000 +0200 -+++ Linux-PAM-0.99.6.2/modules/pam_selinux/pam_selinux.c 2007-04-03 18:15:06.000000000 +0200 -@@ -88,33 +88,36 @@ - security_context_t selected_raw=NULL; - rc = -1; - if (audit_fd < 0) { -- pam_syslog(pamh, LOG_ERR, _("Error connecting to audit system.\n")); -+ if (errno == EINVAL || errno == EPROTONOSUPPORT || -+ errno == EAFNOSUPPORT) -+ return 0; /* No audit support in kernel */ -+ pam_syslog(pamh, LOG_ERR, _("Error connecting to audit system.")); - return rc; - } - if (selinux_trans_to_raw_context(default_context, &default_raw) < 0) { -- pam_syslog(pamh, LOG_ERR, _("Error translating default context.\n")); -- goto out; -+ pam_syslog(pamh, LOG_ERR, _("Error translating default context.")); -+ default_raw = NULL; - } - if (selinux_trans_to_raw_context(selected_context, &selected_raw) < 0) { -- pam_syslog(pamh, LOG_ERR, _("Error translating selected context.\n")); -- goto out; -+ pam_syslog(pamh, LOG_ERR, _("Error translating selected context.")); -+ selected_raw = NULL; - } - if (asprintf(&msg, "pam: default-context=%s selected-context=%s", -- default_context ? default_raw : "?", -- selected_context ? selected_raw : "?") < 0) { -- pam_syslog(pamh, LOG_ERR, ("Error allocating memory.\n")); -+ default_raw ? default_raw : (default_context ? default_context : "?"), -+ selected_raw ? selected_raw : (selected_context ? 
selected_context : "?")) < 0) { -+ pam_syslog(pamh, LOG_ERR, ("Error allocating memory.")); - goto out; - } - if (audit_log_user_message(audit_fd, AUDIT_USER_ROLE_CHANGE, - msg, NULL, NULL, NULL, success) <= 0) { -- pam_syslog(pamh, LOG_ERR, _("Error sending audit message.\n")); -+ pam_syslog(pamh, LOG_ERR, _("Error sending audit message.")); - goto out; - } - rc = 0; - out: - free(msg); - freecon(default_raw); -- free(selected_raw); -+ freecon(selected_raw); - close(audit_fd); - #else - pam_syslog(pamh, LOG_NOTICE, "pam: default-context=%s selected-context=%s success %d", default_context, selected_context, success); -@@ -298,14 +301,17 @@ - if (mls_enabled && !mls_range_allowed(pamh, puser_context, newcon, debug)) { - pam_syslog(pamh, LOG_NOTICE, "Security context %s is not allowed for %s", puser_context, newcon); - -+ send_audit_message(pamh, 0, puser_context, newcon); - -+ free(newcon); - goto fail_range; - } - return newcon; - } -- else -+ else { -+ send_audit_message(pamh, 0, puser_context, context_str(new_context)); - send_text(pamh,_("Not a valid security context"),debug); -- -+ } - context_free(new_context); /* next time around allocates another */ - } - else -@@ -318,6 +324,7 @@ - free(type); - _pam_drop(responses); - context_free (new_context); -+ send_audit_message(pamh, 0, puser_context, NULL); - fail_range: - return NULL; - } -@@ -509,7 +516,6 @@ - if (select_context && has_tty) { - user_context = config_context(pamh, default_user_context, debug); - if (user_context == NULL) { -- send_audit_message(pamh, 0, default_user_context, default_user_context); - freecon(default_user_context); - pam_syslog(pamh, LOG_ERR, _("Unable to get valid context for %s"), - username); diff --git a/pam-0.99.6.2-selinux-drop-multiple.patch b/pam-0.99.6.2-selinux-drop-multiple.patch deleted file mode 100644 index 6b7d88a..0000000 --- a/pam-0.99.6.2-selinux-drop-multiple.patch +++ /dev/null 
@@ -1,125 +0,0 @@ ---- Linux-PAM-0.99.6.2/modules/pam_selinux/pam_selinux.8.xml.drop-multiple 2006-06-18 10:26:59.000000000 +0200 -+++ Linux-PAM-0.99.6.2/modules/pam_selinux/pam_selinux.8.xml 2006-11-10 17:47:16.000000000 +0100 -@@ -25,9 +25,6 @@ - debug - - -- multiple -- -- - open - - -@@ -93,18 +90,6 @@ - - - -- -- -- -- -- Tells pam_selinux.so to allow the user to select the -- security context they will login with, if the user has -- more than one role. -- -- -- -- -- - - - ---- Linux-PAM-0.99.6.2/modules/pam_selinux/pam_selinux.c.drop-multiple 2006-11-10 17:44:33.000000000 +0100 -+++ Linux-PAM-0.99.6.2/modules/pam_selinux/pam_selinux.c 2006-11-10 17:44:33.000000000 +0100 -@@ -89,56 +89,6 @@ - } - - static security_context_t --select_context (pam_handle_t *pamh, security_context_t* contextlist, -- int debug) --{ -- char *responses; -- char *text=calloc(PATH_MAX,1); -- -- if (text == NULL) -- return (security_context_t) strdup(contextlist[0]); -- -- snprintf(text, PATH_MAX, -- _("Your default context is %s. \n"), contextlist[0]); -- send_text(pamh,text,debug); -- free(text); -- query_response(pamh,_("Do you want to choose a different one? 
[n]"), -- &responses,debug); -- if (responses && ((responses[0] == 'y') || -- (responses[0] == 'Y'))) -- { -- int choice=0; -- int i; -- const char *prompt=_("Enter number of choice: "); -- int len=strlen(prompt); -- char buf[PATH_MAX]; -- -- _pam_drop(responses); -- for (i = 0; contextlist[i]; i++) { -- len+=strlen(contextlist[i]) + 10; -- } -- text=calloc(len,1); -- for (i = 0; contextlist[i]; i++) { -- snprintf(buf, PATH_MAX, -- "[%d] %s\n", i+1, contextlist[i]); -- strncat(text,buf,len); -- } -- strcat(text,prompt); -- while ((choice < 1) || (choice > i)) { -- query_response(pamh,text,&responses,debug); -- choice = strtol (responses, NULL, 10); -- _pam_drop(responses); -- } -- free(text); -- return (security_context_t) strdup(contextlist[choice-1]); -- } -- else if (responses) -- _pam_drop(responses); -- -- return (security_context_t) strdup(contextlist[0]); --} -- --static security_context_t - manual_context (pam_handle_t *pamh, const char *user, int debug) - { - security_context_t newcon; -@@ -322,7 +272,7 @@ - int argc, const char **argv) - { - int i, debug = 0, ttys=1, has_tty=isatty(0); -- int verbose=0, multiple=0, close_session=0; -+ int verbose=0, close_session=0; - int ret = 0; - security_context_t* contextlist = NULL; - int num_contexts = 0; -@@ -342,9 +292,6 @@ - if (strcmp(argv[i], "verbose") == 0) { - verbose = 1; - } -- if (strcmp(argv[i], "multiple") == 0) { -- multiple = 1; -- } - if (strcmp(argv[i], "close") == 0) { - close_session = 1; - } -@@ -377,13 +324,8 @@ - free(level); - } - if (num_contexts > 0) { -- if (multiple && (num_contexts > 1) && has_tty) { -- user_context = select_context(pamh,contextlist, debug); -- freeconary(contextlist); -- } else { -- user_context = (security_context_t) strdup(contextlist[0]); -- freeconary(contextlist); -- } -+ user_context = (security_context_t) strdup(contextlist[0]); -+ freeconary(contextlist); - } else { - if (has_tty) { - user_context = manual_context(pamh,username,debug); 
diff --git a/pam-0.99.6.2-selinux-keycreate.patch b/pam-0.99.6.2-selinux-keycreate.patch deleted file mode 100644 index 9747b0b..0000000 --- a/pam-0.99.6.2-selinux-keycreate.patch +++ /dev/null @@ -1,42 +0,0 @@ ---- Linux-PAM-0.99.6.2/modules/pam_selinux/pam_selinux.c.keycreate 2006-08-31 17:26:46.000000000 +0200 -+++ Linux-PAM-0.99.6.2/modules/pam_selinux/pam_selinux.c 2006-08-31 19:01:05.000000000 +0200 -@@ -391,6 +391,28 @@ - pam_syslog(pamh, LOG_NOTICE, "set %s security context to %s", - (const char *)username, user_context); - } -+#ifdef HAVE_SETKEYCREATECON -+ ret = setkeycreatecon(user_context); -+ if (ret==0 && verbose) { -+ char msg[PATH_MAX]; -+ snprintf(msg, sizeof(msg), -+ _("Key Creation Context %s Assigned"), user_context); -+ verbose_message(pamh, msg, debug); -+ } -+ if (ret) { -+ pam_syslog(pamh, LOG_ERR, -+ "Error! Unable to set %s key creation context %s.", -+ (const char *)username, user_context); -+ if (security_getenforce() == 1) { -+ freecon(user_context); -+ return PAM_AUTH_ERR; -+ } -+ } else { -+ if (debug) -+ pam_syslog(pamh, LOG_NOTICE, "set %s key creation context to %s", -+ (const char *)username, user_context); -+ } -+#endif - freecon(user_context); - - return PAM_SUCCESS; ---- Linux-PAM-0.99.6.2/configure.in.keycreate 2006-08-31 17:26:46.000000000 +0200 -+++ Linux-PAM-0.99.6.2/configure.in 2006-08-31 18:59:52.000000000 +0200 -@@ -397,7 +397,7 @@ - AC_CHECK_FUNCS(strcspn strdup strspn strstr strtol uname) - AC_CHECK_FUNCS(getpwnam_r getpwuid_r getgrnam_r getgrgid_r getspnam_r) - AC_CHECK_FUNCS(getgrouplist getline getdelim) --AC_CHECK_FUNCS(inet_ntop inet_pton ruserok_af) -+AC_CHECK_FUNCS(inet_ntop inet_pton ruserok_af setkeycreatecon) - - AC_CHECK_FUNCS(unshare, [UNSHARE=yes], [UNSHARE=no]) - AM_CONDITIONAL([HAVE_UNSHARE], [test "$UNSHARE" = yes]) diff --git a/pam-0.99.6.2-selinux-select-context.patch b/pam-0.99.6.2-selinux-select-context.patch deleted file mode 100644 index 475369c..0000000 
--- a/pam-0.99.6.2-selinux-select-context.patch +++ /dev/null 
@@ -1,463 +0,0 @@ ---- Linux-PAM-0.99.6.2/modules/pam_selinux/pam_selinux.8.xml.select-context 2007-02-21 20:38:10.000000000 +0100 -+++ Linux-PAM-0.99.6.2/modules/pam_selinux/pam_selinux.8.xml 2007-02-21 20:38:11.000000000 +0100 -@@ -33,6 +33,9 @@ - - verbose - -+ -+ select_context -+ - - - -@@ -118,6 +121,17 @@ - - - -+ -+ -+ -+ -+ -+ -+ Attempt to ask the user for a custom security context role. -+ If MLS is on ask also for sensitivity level. -+ -+ -+ - - - ---- Linux-PAM-0.99.6.2/modules/pam_selinux/pam_selinux.c.select-context 2007-02-21 20:38:10.000000000 +0100 -+++ Linux-PAM-0.99.6.2/modules/pam_selinux/pam_selinux.c 2007-02-21 20:44:01.000000000 +0100 -@@ -63,9 +63,64 @@ - #include - #include - #include -+#include - #include - #include -+#include - -+#ifdef HAVE_LIBAUDIT -+#include -+#include -+#include -+#endif -+ -+/* Send audit message */ -+static -+ -+int send_audit_message(pam_handle_t *pamh, int success, security_context_t default_context, -+ security_context_t selected_context) -+{ -+ int rc=0; -+#ifdef HAVE_LIBAUDIT -+ char *msg = NULL; -+ int audit_fd = audit_open(); -+ security_context_t default_raw=NULL; -+ security_context_t selected_raw=NULL; -+ rc = -1; -+ if (audit_fd < 0) { -+ pam_syslog(pamh, LOG_ERR, _("Error connecting to audit system.\n")); -+ return rc; -+ } -+ if (selinux_trans_to_raw_context(default_context, &default_raw) < 0) { -+ pam_syslog(pamh, LOG_ERR, _("Error translating default context.\n")); -+ goto out; -+ } -+ if (selinux_trans_to_raw_context(selected_context, &selected_raw) < 0) { -+ pam_syslog(pamh, LOG_ERR, _("Error translating selected context.\n")); -+ goto out; -+ } -+ if (asprintf(&msg, "pam: default-context=%s selected-context=%s", -+ default_context ? default_raw : "?", -+ selected_context ? 
selected_raw : "?") < 0) { -+ pam_syslog(pamh, LOG_ERR, ("Error allocating memory.\n")); -+ goto out; -+ } -+ if (audit_log_user_message(audit_fd, AUDIT_USER_ROLE_CHANGE, -+ msg, NULL, NULL, NULL, success) <= 0) { -+ pam_syslog(pamh, LOG_ERR, _("Error sending audit message.\n")); -+ goto out; -+ } -+ rc = 0; -+ out: -+ free(msg); -+ freecon(default_raw); -+ free(selected_raw); -+ close(audit_fd); -+#else -+ pam_syslog(pamh, LOG_NOTICE, "pam: default-context=%s selected-context=%s success %d", default_context, selected_context, success); -+#endif -+ return rc; -+} - static int - send_text (pam_handle_t *pamh, const char *text, int debug) - { -@@ -79,69 +134,64 @@ - * is responsible for freeing the responses. - */ - static int --query_response (pam_handle_t *pamh, const char *text, -+query_response (pam_handle_t *pamh, const char *text, const char *def, - char **responses, int debug) - { -+ int rc; -+ if (def) -+ rc = pam_prompt (pamh, PAM_PROMPT_ECHO_ON, responses, "%s [%s] ", text, def); -+ else -+ rc = pam_prompt (pamh, PAM_PROMPT_ECHO_ON, responses, "%s ", text); - if (debug) -- pam_syslog(pamh, LOG_NOTICE, "%s", text); -- -- return pam_prompt (pamh, PAM_PROMPT_ECHO_ON, responses, "%s", text); -+ pam_syslog(pamh, LOG_NOTICE, "%s %s", text, responses[0]); -+ return rc; - } - - static security_context_t - manual_context (pam_handle_t *pamh, const char *user, int debug) - { -- security_context_t newcon; -+ security_context_t newcon=NULL; - context_t new_context; - int mls_enabled = is_selinux_mls_enabled(); -- -- char *responses; -+ char *type=NULL; -+ char *responses=NULL; - - while (1) { - query_response(pamh, -- _("Would you like to enter a security context? [y] "), -+ _("Would you like to enter a security context? 
[N] "), NULL, - &responses,debug); -- if ((responses[0] == 'y') || (responses[0] == 'Y') || -- (responses[0] == '\0') ) -+ if ((responses[0] == 'y') || (responses[0] == 'Y')) - { - if (mls_enabled) - new_context = context_new ("user:role:type:level"); - else - new_context = context_new ("user:role:type"); -- _pam_drop(responses); - -- /* Allow the user to enter each field of the context individually */ -+ if (!new_context) -+ goto fail_set; -+ - if (context_user_set (new_context, user)) -- { -- context_free (new_context); -- return NULL; -- } -- query_response(pamh,_("role: "),&responses,debug); -- if (context_role_set (new_context, responses)) -- { -- _pam_drop(responses); -- context_free (new_context); -- return NULL; -- } -+ goto fail_set; -+ - _pam_drop(responses); -- query_response(pamh,_("type: "),&responses,debug); -- if (context_type_set (new_context, responses)) -- { -- _pam_drop(responses); -- context_free (new_context); -- return NULL; -- } -+ /* Allow the user to enter each field of the context individually */ -+ query_response(pamh,_("role:"), NULL, &responses,debug); -+ if (responses[0] != '\0') { -+ if (context_role_set (new_context, responses)) -+ goto fail_set; -+ if (get_default_type(responses, &type)) -+ goto fail_set; -+ if (context_type_set (new_context, type)) -+ goto fail_set; -+ } - _pam_drop(responses); - if (mls_enabled) - { -- query_response(pamh,_("level: "),&responses,debug); -- if (context_range_set (new_context, responses)) -- { -- _pam_drop(responses); -- context_free (new_context); -- return NULL; -- } -- _pam_drop(responses); -+ query_response(pamh,_("level:"), NULL, &responses,debug); -+ if (responses[0] != '\0') { -+ if (context_range_set (new_context, responses)) -+ goto fail_set; -+ } - } - /* Get the string value of the context and see if it is valid. 
*/ - if (!security_check_context(context_str(new_context))) { -@@ -151,14 +201,125 @@ - } - else - send_text(pamh,_("Not a valid security context"),debug); -+ context_free (new_context); - } - else { - _pam_drop(responses); - return NULL; - } - } /* end while */ -+ fail_set: -+ free(type); -+ _pam_drop(responses); -+ context_free (new_context); -+ return NULL; -+} -+ -+static int mls_range_allowed(pam_handle_t *pamh, security_context_t src, security_context_t dst, int debug) -+{ -+ struct av_decision avd; -+ int retval; -+ unsigned int bit = CONTEXT__CONTAINS; -+ context_t src_context = context_new (src); -+ context_t dst_context = context_new (dst); -+ context_range_set(dst_context, context_range_get(src_context)); -+ if (debug) -+ pam_syslog(pamh, LOG_NOTICE, "Checking if %s mls range valid for %s", dst, context_str(dst_context)); -+ -+ retval = security_compute_av(context_str(dst_context), dst, SECCLASS_CONTEXT, bit, &avd); -+ context_free(src_context); -+ context_free(dst_context); -+ if (retval || ((bit & avd.allowed) != bit)) -+ return 0; -+ -+ return 1; -+} -+ -+static security_context_t -+config_context (pam_handle_t *pamh, security_context_t puser_context, int debug) -+{ -+ security_context_t newcon=NULL; -+ context_t new_context; -+ int mls_enabled = is_selinux_mls_enabled(); -+ char *responses=NULL; -+ char *type=NULL; -+ char resp_val = 0; -+ -+ pam_prompt (pamh, PAM_TEXT_INFO, NULL, _("Default Security Context %s\n"), puser_context); -+ -+ while (1) { -+ query_response(pamh, -+ _("Would you like to enter a different role or level?"), "n", -+ &responses,debug); -+ -+ resp_val = responses[0]; -+ _pam_drop(responses); -+ if ((resp_val == 'y') || (resp_val == 'Y')) -+ { -+ new_context = context_new(puser_context); -+ -+ /* Allow the user to enter role and level individually */ -+ query_response(pamh,_("role:"), context_role_get(new_context), -+ &responses, debug); -+ if (responses[0]) { -+ if (get_default_type(responses, &type)) { -+ pam_prompt (pamh, 
PAM_ERROR_MSG, NULL, _("No default type for role %s\n"), responses); -+ _pam_drop(responses); -+ continue; -+ } else { -+ if (context_role_set(new_context, responses)) -+ goto fail_set; -+ if (context_type_set (new_context, type)) -+ goto fail_set; -+ } -+ } -+ _pam_drop(responses); -+ if (mls_enabled) -+ { -+ query_response(pamh,_("level:"), context_range_get(new_context), -+ &responses, debug); -+ if (responses[0]) { -+ if (context_range_set(new_context, responses)) -+ goto fail_set; -+ } -+ _pam_drop(responses); -+ } -+ if (debug) -+ pam_syslog(pamh, LOG_NOTICE, "Selected Security Context %s", context_str(new_context)); -+ -+ /* Get the string value of the context and see if it is valid. */ -+ if (!security_check_context(context_str(new_context))) { -+ newcon = strdup(context_str(new_context)); -+ context_free (new_context); -+ -+ /* we have to check that this user is allowed to go into the -+ range they have specified ... role is tied to an seuser, so that'll -+ be checked at setexeccon time */ -+ if (mls_enabled && !mls_range_allowed(pamh, puser_context, newcon, debug)) { -+ pam_syslog(pamh, LOG_NOTICE, "Security context %s is not allowed for %s", puser_context, newcon); -+ -+ -+ goto fail_range; -+ } -+ return newcon; -+ } -+ else -+ send_text(pamh,_("Not a valid security context"),debug); -+ -+ context_free(new_context); /* next time around allocates another */ -+ } -+ else -+ return strdup(puser_context); -+ } /* end while */ - - return NULL; -+ -+ fail_set: -+ free(type); -+ _pam_drop(responses); -+ context_free (new_context); -+ fail_range: -+ return NULL; - } - - static void -@@ -273,13 +434,15 @@ - { - int i, debug = 0, ttys=1, has_tty=isatty(0); - int verbose=0, close_session=0; -+ int select_context = 0; - int ret = 0; - security_context_t* contextlist = NULL; - int num_contexts = 0; -- const void *username = NULL; -+ const char *username = NULL; - const void *tty = NULL; - char *seuser=NULL; - char *level=NULL; -+ security_context_t 
default_user_context=NULL; - - /* Parse arguments. */ - for (i = 0; i < argc; i++) { -@@ -295,6 +458,9 @@ - if (strcmp(argv[i], "close") == 0) { - close_session = 1; - } -+ if (strcmp(argv[i], "select_context") == 0) { -+ select_context = 1; -+ } - } - - if (debug) -@@ -307,7 +473,7 @@ - if (!(selinux_enabled = is_selinux_enabled()>0) ) - return PAM_SUCCESS; - -- if (pam_get_item(pamh, PAM_USER, &username) != PAM_SUCCESS || -+ if (pam_get_item(pamh, PAM_USER, (void *) &username) != PAM_SUCCESS || - username == NULL) { - return PAM_USER_UNKNOWN; - } -@@ -319,19 +485,39 @@ - &contextlist); - if (debug) - pam_syslog(pamh, LOG_DEBUG, "Username= %s SELinux User = %s Level= %s", -- (const char *)username, seuser, level); -+ username, seuser, level); - free(seuser); - free(level); - } - if (num_contexts > 0) { -- user_context = (security_context_t) strdup(contextlist[0]); -+ default_user_context=strdup(contextlist[0]); - freeconary(contextlist); -- } else { -+ if (default_user_context == NULL) { -+ pam_syslog(pamh, LOG_ERR, _("Out of memory")); -+ return PAM_AUTH_ERR; -+ } -+ user_context = default_user_context; -+ if (select_context && has_tty) { -+ user_context = config_context(pamh, default_user_context, debug); -+ if (user_context == NULL) { -+ send_audit_message(pamh, 0, default_user_context, default_user_context); -+ freecon(default_user_context); -+ pam_syslog(pamh, LOG_ERR, _("Unable to get valid context for %s"), -+ username); -+ pam_prompt (pamh, PAM_ERROR_MSG, NULL, _("Unable to get valid context for %s"), username); -+ if (security_getenforce() == 1) -+ return PAM_AUTH_ERR; -+ else -+ return PAM_SUCCESS; -+ } -+ } -+ } -+ else { - if (has_tty) { -- user_context = manual_context(pamh,username,debug); -+ user_context = manual_context(pamh,seuser,debug); - if (user_context == NULL) { - pam_syslog (pamh, LOG_ERR, "Unable to get valid context for %s", -- (const char *)username); -+ username); - if (security_getenforce() == 1) - return PAM_AUTH_ERR; - else -@@ 
-340,7 +526,7 @@ - } else { - pam_syslog (pamh, LOG_ERR, - "Unable to get valid context for %s, No valid tty", -- (const char *)username); -+ username); - if (security_getenforce() == 1) - return PAM_AUTH_ERR; - else -@@ -371,6 +557,10 @@ - ttyn=strdup(tty); - ttyn_context=security_label_tty(pamh,ttyn,user_context); - } -+ send_audit_message(pamh, 1, default_user_context, user_context); -+ if (default_user_context != user_context) { -+ freecon(default_user_context); -+ } - ret = setexeccon(user_context); - if (ret==0 && verbose) { - char msg[PATH_MAX]; -@@ -381,7 +571,7 @@ - if (ret) { - pam_syslog(pamh, LOG_ERR, - "Error! Unable to set %s executable context %s.", -- (const char *)username, user_context); -+ username, user_context); - if (security_getenforce() == 1) { - freecon(user_context); - return PAM_AUTH_ERR; -@@ -389,7 +579,7 @@ - } else { - if (debug) - pam_syslog(pamh, LOG_NOTICE, "set %s security context to %s", -- (const char *)username, user_context); -+ username, user_context); - } - #ifdef HAVE_SETKEYCREATECON - ret = setkeycreatecon(user_context); -@@ -402,7 +592,7 @@ - if (ret) { - pam_syslog(pamh, LOG_ERR, - "Error! Unable to set %s key creation context %s.", -- (const char *)username, user_context); -+ username, user_context); - if (security_getenforce() == 1) { - freecon(user_context); - return PAM_AUTH_ERR; -@@ -410,7 +600,7 @@ - } else { - if (debug) - pam_syslog(pamh, LOG_NOTICE, "set %s key creation context to %s", -- (const char *)username, user_context); -+ username, user_context); - } - #endif - freecon(user_context); diff --git a/pam-0.99.6.2-selinux-use-current-range.patch b/pam-0.99.6.2-selinux-use-current-range.patch deleted file mode 100644 index d2836a7..0000000 --- a/pam-0.99.6.2-selinux-use-current-range.patch +++ /dev/null 
@@ -1,113 +0,0 @@ ---- Linux-PAM-0.99.6.2/modules/pam_selinux/pam_selinux.c.range 2007-01-04 23:29:04.000000000 +0100 -+++ Linux-PAM-0.99.6.2/modules/pam_selinux/pam_selinux.c 2007-01-05 13:30:31.000000000 +0100 -@@ -435,6 +435,7 @@ - int i, debug = 0, ttys=1, has_tty=isatty(0); - int verbose=0, close_session=0; - int select_context = 0; -+ int use_current_range = 0; - int ret = 0; - security_context_t* contextlist = NULL; - int num_contexts = 0; -@@ -461,11 +462,19 @@ - if (strcmp(argv[i], "select_context") == 0) { - select_context = 1; - } -+ if (strcmp(argv[i], "use_current_range") == 0) { -+ use_current_range = 1; -+ } - } -- -+ - if (debug) - pam_syslog(pamh, LOG_NOTICE, "Open Session"); - -+ if (select_context && use_current_range) { -+ pam_syslog(pamh, LOG_ERR, "select_context cannot be used with use_current_range"); -+ select_context = 0; -+ } -+ - /* this module is only supposed to execute close_session */ - if (close_session) - return PAM_SUCCESS; -@@ -532,6 +541,51 @@ - return PAM_SUCCESS; - } - } -+ -+ if (use_current_range && is_selinux_mls_enabled()) { -+ security_context_t process_context=NULL; -+ if (getcon(&process_context) == 0) { -+ context_t pcon, ucon; -+ char *process_level=NULL; -+ security_context_t orig_context; -+ -+ if (user_context) -+ orig_context = user_context; -+ else -+ orig_context = default_user_context; -+ -+ pcon = context_new(process_context); -+ freecon(process_context); -+ process_level = strdup(context_range_get(pcon)); -+ context_free(pcon); -+ -+ if (debug) -+ pam_syslog (pamh, LOG_DEBUG, "process level=%s", process_level); -+ -+ ucon = context_new(orig_context); -+ -+ context_range_set(ucon, process_level); -+ free(process_level); -+ -+ if (!mls_range_allowed(pamh, orig_context, context_str(ucon), debug)) { -+ send_text(pamh, _("Requested MLS level not in permitted range"), debug); -+ /* even if default_user_context is NULL audit that anyway */ -+ send_audit_message(pamh, 0, default_user_context, context_str(ucon)); -+ 
context_free(ucon); -+ return PAM_AUTH_ERR; -+ } -+ -+ if (debug) -+ pam_syslog (pamh, LOG_DEBUG, "adjusted context=%s", context_str(ucon)); -+ -+ /* replace the user context with the level adjusted one */ -+ freecon(user_context); -+ user_context = strdup(context_str(ucon)); -+ -+ context_free(ucon); -+ } -+ } -+ - if (getexeccon(&prev_user_context)<0) { - prev_user_context=NULL; - } ---- Linux-PAM-0.99.6.2/modules/pam_selinux/pam_selinux.8.xml.range 2007-01-04 23:29:04.000000000 +0100 -+++ Linux-PAM-0.99.6.2/modules/pam_selinux/pam_selinux.8.xml 2007-01-04 23:35:03.000000000 +0100 -@@ -36,6 +36,9 @@ - - select_context - -+ -+ use_current_range -+ - - - -@@ -132,6 +135,17 @@ - - - -+ -+ -+ -+ -+ -+ -+ Use the sensitivity range of the process for the user context. -+ This option and the select_context option are mutually exclusive. -+ -+ -+ - - - diff --git a/pam-0.99.7.0-dbpam.patch b/pam-0.99.7.0-dbpam.patch deleted file mode 100644 index 2e3387e..0000000 --- a/pam-0.99.7.0-dbpam.patch +++ /dev/null @@ -1,11 +0,0 @@ ---- Linux-PAM-0.99.7.0/configure.in.dbpam 2007-01-19 07:39:09.000000000 -0500 -+++ Linux-PAM-0.99.7.0/configure.in 2007-01-19 07:40:07.000000000 -0500 -@@ -348,7 +348,7 @@ - WITH_DB=$enableval, WITH_DB=yes) - if test x"$WITH_DB" != xno ; then - if test x"$WITH_DB" = xyes -o x"$WITH_DB" = xdb ; then -- AC_CHECK_LIB([db], [db_create], LIBDB="-ldb", LIBDB="") -+ AC_CHECK_LIB([db], [db_create_pam], LIBDB="-ldb", LIBDB="") - if test -z "$LIBDB" ; then - AC_CHECK_LIB([db], [dbm_store], LIBDB="-ldb", LIBDB="") - fi diff --git a/pam-0.99.7.0-namespace-level.patch b/pam-0.99.7.0-namespace-level.patch deleted file mode 100644 index 2c18a90..0000000 --- a/pam-0.99.7.0-namespace-level.patch +++ /dev/null 
@@ -1,250 +0,0 @@ ---- Linux-PAM-0.99.7.0/modules/pam_namespace/pam_namespace.c.level 2007-01-19 08:33:11.000000000 -0500 -+++ Linux-PAM-0.99.7.0/modules/pam_namespace/pam_namespace.c 2007-01-19 08:33:11.000000000 -0500 -@@ -244,23 +244,29 @@ - } - strcpy(poly.dir, dir); - strcpy(poly.instance_prefix, instance_prefix); -- if (strcmp(method, "user") == 0) -- poly.method = USER; -+ -+ poly.method = NONE; -+ if (strcmp(method, "user") == 0) -+ poly.method = USER; -+ - #ifdef WITH_SELINUX -- else if (strcmp(method, "context") == 0) { -+ if (strcmp(method, "level") == 0) { - if (idata->flags & PAMNS_CTXT_BASED_INST) -- poly.method = CONTEXT; -+ poly.method = LEVEL; - else - poly.method = USER; -- } else if (strcmp(method, "both") == 0) { -+ } -+ -+ if (strcmp(method, "context") == 0) { - if (idata->flags & PAMNS_CTXT_BASED_INST) -- poly.method = BOTH; -+ poly.method = CONTEXT; - else - poly.method = USER; - } - - #endif -- else { -+ -+ if ( poly.method == NONE) { - pam_syslog(idata->pamh, LOG_NOTICE, "Illegal method"); - goto skipping; - } -@@ -448,19 +454,23 @@ - return PAM_SESSION_ERR; - } - -+ if (polyptr->method == USER) return PAM_SUCCESS; -+ -+ rc = getexeccon(&scon); -+ if (rc < 0 || scon == NULL) { -+ pam_syslog(idata->pamh, LOG_ERR, -+ "Error getting exec context, %m"); -+ return PAM_SESSION_ERR; -+ } -+ - /* - * If polyinstantiating based on security context, get current - * process security context, get security class for directories, - * and ask the policy to provide security context of the - * polyinstantiated instance directory. 
- */ -- if ((polyptr->method == CONTEXT) || (polyptr->method == BOTH)) { -- rc = getexeccon(&scon); -- if (rc < 0 || scon == NULL) { -- pam_syslog(idata->pamh, LOG_ERR, -- "Error getting exec context, %m"); -- return PAM_SESSION_ERR; -- } -+ -+ if (polyptr->method == CONTEXT) { - tclass = string_to_security_class("dir"); - - if (security_compute_member(scon, *origcon, tclass, -@@ -473,7 +483,48 @@ - pam_syslog(idata->pamh, LOG_DEBUG, - "member context returned by policy %s", *i_context); - freecon(scon); -+ return PAM_SUCCESS; - } -+ -+ /* -+ * If polyinstantiating based on security level, get current -+ * process security context, get security class for directories, -+ * and change the directories MLS Level to match process. -+ */ -+ -+ if (polyptr->method == LEVEL) { -+ context_t scontext = NULL; -+ context_t fcontext = NULL; -+ rc = PAM_SESSION_ERR; -+ -+ scontext = context_new(scon); -+ if (! scontext) { -+ pam_syslog(idata->pamh, LOG_ERR, "out of memory"); -+ goto fail; -+ } -+ fcontext = context_new(*origcon); -+ if (! fcontext) { -+ pam_syslog(idata->pamh, LOG_ERR, "out of memory"); -+ goto fail; -+ } -+ if (context_range_set(fcontext, context_range_get(scontext)) != 0) { -+ pam_syslog(idata->pamh, LOG_ERR, "Unable to set MLS Componant of context"); -+ goto fail; -+ } -+ *i_context=strdup(context_str(fcontext)); -+ if (! 
*i_context) { -+ pam_syslog(idata->pamh, LOG_ERR, "out of memory"); -+ goto fail; -+ } -+ -+ rc = PAM_SUCCESS; -+ fail: -+ context_free(scontext); -+ context_free(fcontext); -+ freecon(scon); -+ return rc; -+ } -+ /* Should never get here */ - return PAM_SUCCESS; - } - #endif -@@ -514,19 +565,14 @@ - break; - - #ifdef WITH_SELINUX -+ case LEVEL: - case CONTEXT: -- if (asprintf(i_name, "%s", *i_context) < 0) { -- *i_name = NULL; -- rc = PAM_SESSION_ERR; -- } -- break; -- -- case BOTH: - if (asprintf(i_name, "%s_%s", *i_context, idata->user) < 0) { - *i_name = NULL; - rc = PAM_SESSION_ERR; - } - break; -+ - #endif /* WITH_SELINUX */ - - default: -@@ -1158,7 +1204,7 @@ - #ifdef WITH_SELINUX - if (is_selinux_enabled()) - idata.flags |= PAMNS_SELINUX_ENABLED; -- if (ctxt_based_inst_needed()) -+ if (ctxt_based_inst_needed()) - idata.flags |= PAMNS_CTXT_BASED_INST; - #endif - ---- Linux-PAM-0.99.7.0/modules/pam_namespace/namespace.conf.level 2006-06-27 09:07:43.000000000 -0400 -+++ Linux-PAM-0.99.7.0/modules/pam_namespace/namespace.conf 2007-01-19 08:33:11.000000000 -0500 -@@ -4,12 +4,10 @@ - # - # Uncommenting the following three lines will polyinstantiate - # /tmp, /var/tmp and user's home directories. /tmp and /var/tmp will --# be polyinstantiated based on both security context as well as user --# name, whereas home directory will be polyinstantiated based on --# security context only. Polyinstantion will not be performed for --# user root and adm for directories /tmp and /var/tmp, whereas home --# directories will be polyinstantiated for all users. The user name --# and/or context is appended to the instance prefix. -+# be polyinstantiated based on the MLS level part of the security context as well as user -+# name, Polyinstantion will not be performed for user root and adm for directories -+# /tmp and /var/tmp, whereas home directories will be polyinstantiated for all users. -+# The user name and context is appended to the instance prefix. 
- # - # Note that instance directories do not have to reside inside the - # polyinstantiated directory. In the examples below, instances of /tmp -@@ -25,6 +23,6 @@ - # caution, as it will reduce security and isolation achieved by - # polyinstantiation. - # --#/tmp /tmp-inst/ both root,adm --#/var/tmp /var/tmp/tmp-inst/ both root,adm --#$HOME $HOME/$USER.inst/inst- context -+#/tmp /tmp-inst/ level root,adm -+#/var/tmp /var/tmp/tmp-inst/ level root,adm -+#$HOME $HOME/$USER.inst/ level ---- Linux-PAM-0.99.7.0/modules/pam_namespace/pam_namespace.h.level 2007-01-19 08:33:11.000000000 -0500 -+++ Linux-PAM-0.99.7.0/modules/pam_namespace/pam_namespace.h 2007-01-19 08:33:11.000000000 -0500 -@@ -63,6 +63,7 @@ - - #ifdef WITH_SELINUX - #include -+#include - #endif - - #ifndef CLONE_NEWNS -@@ -93,9 +94,10 @@ - * or both - */ - enum polymethod { -+ NONE, - USER, - CONTEXT, -- BOTH, -+ LEVEL, - }; - - /* ---- Linux-PAM-0.99.7.0/modules/pam_namespace/namespace.conf.5.xml.level 2006-06-27 09:07:43.000000000 -0400 -+++ Linux-PAM-0.99.7.0/modules/pam_namespace/namespace.conf.5.xml 2007-01-19 08:33:11.000000000 -0500 -@@ -22,7 +22,7 @@ - - This module allows setup of private namespaces with polyinstantiated - directories. Directories can be polyinstantiated based on user name -- or, in the case of SELinux, user name, security context or both. If an -+ or, in the case of SELinux, user name, sensitivity level or complete security context. If an - executable script /etc/security/namespace.init - exists, it is used to initialize the namespace every time a new instance - directory is setup. The script receives the polyinstantiated -@@ -72,10 +72,10 @@ - - The third field, method, is the method - used for polyinstantiation. It can take 3 different values; "user" -- for polyinstantiation based on user name, "context" for -- polyinstantiation based on process security context, and "both" -- for polyinstantiation based on both user name and security context. 
-- Methods "context" and "both" are only available with SELinux. This -+ for polyinstantiation based on user name, "level" for -+ polyinstantiation based on process MLS level and user name, and "context" for -+ polyinstantiation based on process security context and user name -+ Methods "context" and "level" are only available with SELinux. This - field cannot be blank. - - -@@ -98,9 +98,9 @@ - - # The following three lines will polyinstantiate /tmp, - # /var/tmp and user's home directories. /tmp and /var/tmp -- # will be polyinstantiated based on both security context -+ # will be polyinstantiated based on the security level - # as well as user name, whereas home directory will be -- # polyinstantiated based on security context only. -+ # polyinstantiated based on the full security context and user name. - # Polyinstantiation will not be performed for user root - # and adm for directories /tmp and /var/tmp, whereas home - # directories will be polyinstantiated for all users. -@@ -112,8 +112,8 @@ - # will reside within the directories that are being - # polyinstantiated. - # -- /tmp /tmp-inst/ both root,adm -- /var/tmp /var/tmp/tmp-inst/ both root,adm -+ /tmp /tmp-inst/ level root,adm -+ /var/tmp /var/tmp/tmp-inst/ level root,adm - $HOME $HOME/$USER.inst/inst- context - - diff --git a/pam-0.99.7.0-namespace-no-unmount.patch b/pam-0.99.7.0-namespace-no-unmount.patch deleted file mode 100644 index c5a02b7..0000000 --- a/pam-0.99.7.0-namespace-no-unmount.patch +++ /dev/null 
@@ -1,95 +0,0 @@ ---- Linux-PAM-0.99.7.0/modules/pam_namespace/pam_namespace.c.no-unmount 2006-10-24 07:45:36.000000000 -0400 -+++ Linux-PAM-0.99.7.0/modules/pam_namespace/pam_namespace.c 2007-01-19 08:08:58.000000000 -0500 -@@ -1266,12 +1266,30 @@ - idata.flags |= PAMNS_DEBUG; - if (strcmp(argv[i], "ignore_config_error") == 0) - idata.flags |= PAMNS_IGN_CONFIG_ERR; -+ if (strcmp(argv[i], "no_unmount_on_close") == 0) -+ idata.flags |= PAMNS_NO_UNMOUNT_ON_CLOSE; - } - - if (idata.flags & PAMNS_DEBUG) - pam_syslog(idata.pamh, LOG_DEBUG, "close_session - start"); - - /* -+ * For certain trusted programs such as newrole, open session -+ * is called from a child process while the parent perfoms -+ * close session and pam end functions. For these commands -+ * pam_close_session should not perform the unmount of the -+ * polyinstantiatied directory because it will result in -+ * undoing of parents polyinstantiatiaion. These commands -+ * will invoke pam_namespace with the "no_unmount_on_close" -+ * argument. -+ */ -+ if (idata.flags & PAMNS_NO_UNMOUNT_ON_CLOSE) { -+ if (idata.flags & PAMNS_DEBUG) -+ pam_syslog(idata.pamh, LOG_DEBUG, "close_session - sucessful"); -+ return PAM_SUCCESS; -+ } -+ -+ /* - * Lookup user and fill struct items - */ - retval = pam_get_item(idata.pamh, PAM_USER, (void*) &user_name ); ---- Linux-PAM-0.99.7.0/modules/pam_namespace/pam_namespace.8.xml.no-unmount 2006-06-27 09:07:44.000000000 -0400 -+++ Linux-PAM-0.99.7.0/modules/pam_namespace/pam_namespace.8.xml 2007-01-19 07:45:02.000000000 -0500 -@@ -43,6 +43,9 @@ - - ignore_instance_parent_mode - -+ -+ no_unmount_on_close -+ - - - -@@ -179,6 +182,22 @@ - - - -+ -+ -+ -+ -+ -+ -+ For certain trusted programs such as newrole, open session -+ is called from a child process while the parent perfoms -+ close session and pam end functions. For these commands -+ use this option to instruct pam_close_session to not -+ unmount the bind mounted polyinstantiated directory in the -+ parent. 
-+ -+ -+ -+ - - - ---- Linux-PAM-0.99.7.0/modules/pam_namespace/README.xml.no-unmount 2006-06-28 03:22:43.000000000 -0400 -+++ Linux-PAM-0.99.7.0/modules/pam_namespace/README.xml 2007-01-19 07:45:02.000000000 -0500 -@@ -121,6 +121,14 @@ - the restrictive mode of 000. Using this option, an administrator - can choose to ignore the mode of the instance parent. - -+ no_unmount_on_close -+ For certain trusted programs such as newrole, open session -+ is called from a child process while the parent perfoms -+ close session and pam end functions. For these commands -+ use this option to instruct pam_close_session to not -+ unmount the bind mounted polyinstantiated directory in the -+ parent. -+ - MODULE SERVICES PROVIDED: - session open_session and close_session - ---- Linux-PAM-0.99.7.0/modules/pam_namespace/pam_namespace.h.no-unmount 2006-07-28 07:59:28.000000000 -0400 -+++ Linux-PAM-0.99.7.0/modules/pam_namespace/pam_namespace.h 2007-01-19 07:45:02.000000000 -0500 -@@ -86,6 +86,7 @@ - #define PAMNS_GEN_HASH 0x00002000 /* Generate md5 hash for inst names */ - #define PAMNS_IGN_CONFIG_ERR 0x00004000 /* Ignore format error in conf file */ - #define PAMNS_IGN_INST_PARENT_MODE 0x00008000 /* Ignore instance parent mode */ -+#define PAMNS_NO_UNMOUNT_ON_CLOSE 0x00010000 /* no unmount at session close */ - - /* - * Polyinstantiation method options, based on user, security context diff --git a/pam-0.99.7.0-namespace-unmnt-override.patch b/pam-0.99.7.0-namespace-unmnt-override.patch deleted file mode 100644 index 204c289..0000000 --- a/pam-0.99.7.0-namespace-unmnt-override.patch +++ /dev/null 
@@ -1,125 +0,0 @@ ---- Linux-PAM-0.99.7.0/modules/pam_namespace/pam_namespace.c.unmnt-override 2007-01-22 14:06:31.000000000 +0100 -+++ Linux-PAM-0.99.7.0/modules/pam_namespace/pam_namespace.c 2007-01-23 16:41:57.000000000 +0100 -@@ -417,17 +417,18 @@ - * uids for the polyinstantiated directory, polyinstantiation is not - * performed for that user for that directory. - */ --static int ns_override(struct polydir_s *polyptr, struct instance_data *idata) -+static int ns_override(struct polydir_s *polyptr, struct instance_data *idata, -+ uid_t uid) - { - unsigned int i; - - if (idata->flags & PAMNS_DEBUG) - pam_syslog(idata->pamh, LOG_DEBUG, - "Checking for ns override in dir %s for uid %d", -- polyptr->dir, idata->uid); -+ polyptr->dir, uid); - - for (i = 0; i < polyptr->num_uids; i++) { -- if (idata->uid == polyptr->uid[i]) { -+ if (uid == polyptr->uid[i]) { - return 1; - } - } -@@ -1013,21 +1014,46 @@ - int retval = 0, need_poly = 0, changing_dir = 0; - char *cptr, *fptr, poly_parent[PATH_MAX]; - struct polydir_s *pptr; -+ uid_t req_uid; -+ const void *ruser_name; -+ struct passwd *pwd; - - if (idata->flags & PAMNS_DEBUG) - pam_syslog(idata->pamh, LOG_DEBUG, "Set up namespace for pid %d", - getpid()); - -+ retval = pam_get_item(idata->pamh, PAM_RUSER, &ruser_name); -+ if (ruser_name == NULL || retval != PAM_SUCCESS) { -+ retval = PAM_SUCCESS; -+ req_uid = getuid(); -+ } else { -+ pwd = pam_modutil_getpwnam(idata->pamh, ruser_name); -+ if (pwd != NULL) { -+ req_uid = pwd->pw_uid; -+ } else { -+ req_uid = getuid(); -+ } -+ } -+ - /* - * Cycle through all polyinstantiated directory entries to see if - * polyinstantiation is needed at all. 
- */ - for (pptr = idata->polydirs_ptr; pptr; pptr = pptr->next) { -- if (ns_override(pptr, idata)) { -- if (idata->flags & PAMNS_DEBUG) -- pam_syslog(idata->pamh, LOG_DEBUG, -+ if (ns_override(pptr, idata, idata->uid)) { -+ if (unmnt == NO_UNMNT || ns_override(pptr, idata, req_uid)) { -+ if (idata->flags & PAMNS_DEBUG) -+ pam_syslog(idata->pamh, LOG_DEBUG, - "Overriding poly for user %d for dir %s", - idata->uid, pptr->dir); -+ } else { -+ if (idata->flags & PAMNS_DEBUG) -+ pam_syslog(idata->pamh, LOG_DEBUG, -+ "Need unmount ns for user %d for dir %s", -+ idata->uid, pptr->dir); -+ need_poly = 1; -+ break; -+ } - continue; - } else { - if (idata->flags & PAMNS_DEBUG) -@@ -1057,15 +1083,20 @@ - * call ns_setup to setup polyinstantiation for a particular entry. - */ - for (pptr = idata->polydirs_ptr; pptr; pptr = pptr->next) { -- if (ns_override(pptr, idata)) -- continue; -- else { -- if (idata->flags & PAMNS_DEBUG) -+ enum unmnt_op dir_unmnt = unmnt; -+ if (ns_override(pptr, idata, idata->uid)) { -+ if (unmnt == NO_UNMNT || ns_override(pptr, idata, req_uid)) { -+ continue; -+ } else { -+ dir_unmnt = UNMNT_ONLY; -+ } -+ } -+ if (idata->flags & PAMNS_DEBUG) - pam_syslog(idata->pamh, LOG_DEBUG, - "Setting poly ns for user %d for dir %s", - idata->uid, pptr->dir); - -- if ((unmnt == UNMNT_REMNT) || (unmnt == UNMNT_ONLY)) { -+ if ((dir_unmnt == UNMNT_REMNT) || (dir_unmnt == UNMNT_ONLY)) { - /* - * Check to see if process current directory is in the - * bind mounted instance_parent directory that we are trying to -@@ -1105,13 +1136,12 @@ - } else if (idata->flags & PAMNS_DEBUG) - pam_syslog(idata->pamh, LOG_DEBUG, "Umount succeeded %s", - pptr->dir); -- } -+ } - -- if (unmnt != UNMNT_ONLY) { -+ if (dir_unmnt != UNMNT_ONLY) { - retval = ns_setup(pptr, idata); - if (retval != PAM_SUCCESS) - break; -- } - } - } - -@@ -1138,7 +1168,7 @@ - * appropriate polyinstantiated instance directories. 
- */ - for (pptr = idata->polydirs_ptr; pptr; pptr = pptr->next) { -- if (ns_override(pptr, idata)) -+ if (ns_override(pptr, idata, idata->uid)) - continue; - else { - if (idata->flags & PAMNS_DEBUG) diff --git a/pam-0.99.7.1-namespace-unknown-user.patch b/pam-0.99.7.1-namespace-unknown-user.patch deleted file mode 100644 index e659435..0000000 --- a/pam-0.99.7.1-namespace-unknown-user.patch +++ /dev/null @@ -1,20 +0,0 @@ ---- Linux-PAM-0.99.7.1/modules/pam_namespace/pam_namespace.c.unknown-user 2007-04-13 17:12:40.000000000 +0200 -+++ Linux-PAM-0.99.7.1/modules/pam_namespace/pam_namespace.c 2007-04-13 18:11:57.000000000 +0200 -@@ -302,11 +302,14 @@ - *tptr = '\0'; - - pwd = pam_modutil_getpwnam(idata->pamh, ustr); -- *uidptr = pwd->pw_uid; -- if (i < count - 1) { -- ustr = tptr + 1; -+ if (pwd == NULL) { -+ pam_syslog(idata->pamh, LOG_ERR, "Unknown user %s in configuration", ustr); -+ poly.num_uids--; -+ } else { -+ *uidptr = pwd->pw_uid; - uidptr++; - } -+ ustr = tptr + 1; - } - } - diff --git a/pam-0.99.7.1-unix-allow-pwmodify.patch b/pam-0.99.7.1-unix-allow-pwmodify.patch deleted file mode 100644 index 2a0914c..0000000 --- a/pam-0.99.7.1-unix-allow-pwmodify.patch +++ /dev/null @@ -1,16 +0,0 @@ ---- Linux-PAM-0.99.7.1/modules/pam_unix/pam_unix_passwd.c.pwmodify 2006-12-20 12:08:59.000000000 +0100 -+++ Linux-PAM-0.99.7.1/modules/pam_unix/pam_unix_passwd.c 2007-02-21 21:01:48.000000000 +0100 -@@ -1077,13 +1077,6 @@ - user); - return PAM_USER_UNKNOWN; - } -- if (!_unix_shadowed(pwd) && -- (strchr(pwd->pw_passwd, '*') != NULL)) { -- pam_syslog(pamh, LOG_DEBUG, -- "user \"%s\" does not have modifiable password", -- user); -- return PAM_USER_UNKNOWN; -- } - } - - /* diff --git a/pam-0.99.7.1-unix-bigcrypt.patch b/pam-0.99.7.1-unix-bigcrypt.patch deleted file mode 100644 index f7bdbed..0000000 --- a/pam-0.99.7.1-unix-bigcrypt.patch +++ /dev/null 
@@ -1,126 +0,0 @@ ---- Linux-PAM-0.99.7.1/modules/pam_unix/support.c.bigcrypt 2007-01-23 10:41:21.000000000 +0100 -+++ Linux-PAM-0.99.7.1/modules/pam_unix/support.c 2007-06-01 15:11:51.000000000 +0200 -@@ -679,7 +679,7 @@ - } - } - } else { -- int salt_len = strlen(salt); -+ size_t salt_len = strlen(salt); - if (!salt_len) { - /* the stored password is NULL */ - if (off(UNIX__NONULL, ctrl)) {/* this means we've succeeded */ -@@ -689,19 +689,19 @@ - D(("user has empty password - access denied")); - retval = PAM_AUTH_ERR; - } -- } else if (!p || (*salt == '*')) { -+ } else if (!p || *salt == '*' || *salt == '!') { - retval = PAM_AUTH_ERR; - } else { - if (!strncmp(salt, "$1$", 3)) { - pp = Goodcrypt_md5(p, salt); -- if (strcmp(pp, salt) != 0) { -+ if (pp && strcmp(pp, salt) != 0) { - _pam_delete(pp); - pp = Brokencrypt_md5(p, salt); - } - } else if (*salt != '$' && salt_len >= 13) { - pp = bigcrypt(p, salt); -- if (strlen(pp) > salt_len) { -- pp[salt_len] = '\0'; -+ if (pp && salt_len == 13 && strlen(pp) > salt_len) { -+ _pam_overwrite(pp + salt_len); - } - } else { - /* -@@ -715,7 +715,7 @@ - /* the moment of truth -- do we agree with the password? */ - D(("comparing state of pp[%s] and salt[%s]", pp, salt)); - -- if (strcmp(pp, salt) == 0) { -+ if (pp && strcmp(pp, salt) == 0) { - retval = PAM_SUCCESS; - } else { - retval = PAM_AUTH_ERR; ---- Linux-PAM-0.99.7.1/modules/pam_unix/unix_chkpwd.c.bigcrypt 2006-10-24 12:01:49.000000000 +0200 -+++ Linux-PAM-0.99.7.1/modules/pam_unix/unix_chkpwd.c 2007-06-01 15:08:46.000000000 +0200 -@@ -144,7 +144,7 @@ - char *salt = NULL; - char *pp = NULL; - int retval = PAM_AUTH_ERR; -- int salt_len; -+ size_t salt_len; - - /* UNIX passwords area */ - setpwent(); -@@ -189,6 +189,8 @@ - return (nullok == 0) ? 
PAM_AUTH_ERR : PAM_SUCCESS; - } - if (p == NULL || strlen(p) == 0) { -+ _pam_overwrite(salt); -+ _pam_drop(salt); - return PAM_AUTHTOK_ERR; - } - -@@ -196,11 +198,13 @@ - retval = PAM_AUTH_ERR; - if (!strncmp(salt, "$1$", 3)) { - pp = Goodcrypt_md5(p, salt); -- if (strcmp(pp, salt) == 0) { -+ if (pp && strcmp(pp, salt) == 0) { - retval = PAM_SUCCESS; - } else { -+ _pam_overwrite(pp); -+ _pam_drop(pp); - pp = Brokencrypt_md5(p, salt); -- if (strcmp(pp, salt) == 0) -+ if (pp && strcmp(pp, salt) == 0) - retval = PAM_SUCCESS; - } - } else if (*salt == '$') { -@@ -209,10 +213,10 @@ - * libcrypt nows about it? We should try it. - */ - pp = x_strdup (crypt(p, salt)); -- if (strcmp(pp, salt) == 0) { -+ if (pp && strcmp(pp, salt) == 0) { - retval = PAM_SUCCESS; - } -- } else if ((*salt == '*') || (salt_len < 13)) { -+ } else if (*salt == '*' || *salt == '!' || salt_len < 13) { - retval = PAM_AUTH_ERR; - } else { - pp = bigcrypt(p, salt); -@@ -223,24 +227,21 @@ - * have been truncated for storage relative to the output - * of bigcrypt here. As such we need to compare only the - * stored string with the subset of bigcrypt's result. -- * Bug 521314: the strncmp comparison is for legacy support. -+ * Bug 521314. - */ -- if (strncmp(pp, salt, salt_len) == 0) { -+ if (pp && salt_len == 13 && strlen(pp) > salt_len) { -+ _pam_overwrite(pp+salt_len); -+ } -+ -+ if (pp && strcmp(pp, salt) == 0) { - retval = PAM_SUCCESS; - } - } - p = NULL; /* no longer needed here */ - - /* clean up */ -- { -- char *tp = pp; -- if (pp != NULL) { -- while (tp && *tp) -- *tp++ = '\0'; -- free(pp); -- } -- pp = tp = NULL; -- } -+ _pam_overwrite(pp); -+ _pam_drop(pp); - - return retval; - } diff --git a/pam-0.99.8.1-dbpam.patch b/pam-0.99.8.1-dbpam.patch new file mode 100644 index 0000000..dfb7344 --- /dev/null +++ b/pam-0.99.8.1-dbpam.patch 
@@ -0,0 +1,11 @@ +--- Linux-PAM-0.99.8.1/configure.in.dbpam 2007-07-23 13:59:20.000000000 +0200 ++++ Linux-PAM-0.99.8.1/configure.in 2007-07-23 14:06:54.000000000 +0200 +@@ -355,7 +355,7 @@ + AC_HELP_STRING([--with-db-uniquename=extension],[Unique name for db libraries and functions.])) + if test x"$WITH_DB" != xno ; then + if test x"$WITH_DB" = xyes -o x"$WITH_DB" = xdb ; then +- AC_CHECK_LIB([db$with_db_uniquename], [db_create$with_db_uniquename], LIBDB="-ldb$with_db_uniquename", LIBDB="") ++ AC_CHECK_LIB([db], [db_create$with_db_uniquename], LIBDB="-ldb", LIBDB="") + if test -z "$LIBDB" ; then + AC_CHECK_LIB([db$with_db_uniquename], [dbm_store$with_db_uniquename], LIBDB="-ldb$with_db_uniquename", LIBDB="") + fi diff --git a/pam-0.99.7.1-unix-update-helper.patch b/pam-0.99.8.1-unix-update-helper.patch similarity index 97% rename from pam-0.99.7.1-unix-update-helper.patch rename to pam-0.99.8.1-unix-update-helper.patch index b8d253c..013b9f4 100644 --- a/pam-0.99.7.1-unix-update-helper.patch +++ b/pam-0.99.8.1-unix-update-helper.patch @@ -1,5 +1,5 @@ ---- /dev/null 2007-05-28 11:10:34.936447748 +0200 -+++ Linux-PAM-0.99.7.1/modules/pam_unix/passupdate.c 2007-06-01 15:13:57.000000000 +0200 +--- /dev/null 2007-07-08 21:11:04.052436262 +0200 ++++ Linux-PAM-0.99.8.1/modules/pam_unix/passupdate.c 2007-07-23 13:40:56.000000000 +0200 @@ -0,0 +1,560 @@ +/* + * Main coding by Elliot Lee , Red Hat Software. @@ -561,8 +561,8 @@ + return PAM_AUTHTOK_ERR; + } +} ---- Linux-PAM-0.99.7.1/modules/pam_unix/pam_unix_acct.c.update-helper 2006-06-27 10:38:14.000000000 +0200 -+++ Linux-PAM-0.99.7.1/modules/pam_unix/pam_unix_acct.c 2007-06-01 15:13:57.000000000 +0200 +--- Linux-PAM-0.99.8.1/modules/pam_unix/pam_unix_acct.c.update-helper 2006-06-27 10:38:14.000000000 +0200 ++++ Linux-PAM-0.99.8.1/modules/pam_unix/pam_unix_acct.c 2007-07-23 13:40:56.000000000 +0200 @@ -124,11 +124,11 @@ } 
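Review bot: The fallback check two lines below the changed one still probes `[db$with_db_uniquename]` and sets `LIBDB="-ldb$with_db_uniquename"`, while the primary check now links plain `-ldb` with only the function name suffixed; if `db_create$with_db_uniquename` is not found, configure falls back to a library name that the primary check no longer assumes exists. Presumably the intent, as in the removed pam-0.99.7.0-dbpam.patch that checked `db_create_pam` in `[db]`, is that the unique-name suffix applies to symbols only, so the fallback should read `AC_CHECK_LIB([db], [dbm_store$with_db_uniquename], LIBDB="-ldb", LIBDB="")`. The enclosing `if test x"$WITH_DB"` block continues outside the hunk.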
@@ -621,8 +621,8 @@ } else if (_unix_shadowed (pwent)) spent = pam_modutil_getspnam (pamh, uname); else ---- Linux-PAM-0.99.7.1/modules/pam_unix/pam_unix_passwd.c.update-helper 2007-06-01 15:13:57.000000000 +0200 -+++ Linux-PAM-0.99.7.1/modules/pam_unix/pam_unix_passwd.c 2007-06-01 15:13:57.000000000 +0200 +--- Linux-PAM-0.99.8.1/modules/pam_unix/pam_unix_passwd.c.update-helper 2007-04-30 12:47:30.000000000 +0200 ++++ Linux-PAM-0.99.8.1/modules/pam_unix/pam_unix_passwd.c 2007-07-23 13:54:55.000000000 +0200 @@ -2,6 +2,7 @@ * Main coding by Elliot Lee , Red Hat Software. * Copyright (C) 1996. @@ -838,7 +838,7 @@ static int check_old_password(const char *forwho, const char *newpass) { static char buf[16384]; -@@ -353,392 +335,6 @@ +@@ -354,393 +336,6 @@ return retval; } @@ -921,11 +921,12 @@ - - while (fgets(buf, 16380, opwfile)) { - if (!strncmp(buf, forwho, strlen(forwho))) { +- char *sptr; - buf[strlen(buf) - 1] = '\0'; -- s_luser = strtok(buf, ":"); -- s_uid = strtok(NULL, ":"); -- s_npas = strtok(NULL, ":"); -- s_pas = strtok(NULL, ":"); +- s_luser = strtok_r(buf, ":", &sptr); +- s_uid = strtok_r(NULL, ":", &sptr); +- s_npas = strtok_r(NULL, ":", &sptr); +- s_pas = strtok_r(NULL, ":", &sptr); - npas = strtol(s_npas, NULL, 10) + 1; - while (npas > howmany) { - s_pas = strpbrk(s_pas, ","); @@ -1231,7 +1232,7 @@ static int _do_setpass(pam_handle_t* pamh, const char *forwho, const char *fromwhat, char *towhat, unsigned int ctrl, int remember) -@@ -767,7 +363,7 @@ +@@ -769,7 +364,7 @@ /* Unlock passwd file to avoid deadlock */ #ifdef USE_LCKPWDF @@ -1240,7 +1241,7 @@ #endif unlocked = 1; -@@ -830,33 +426,22 @@ +@@ -832,33 +427,22 @@ if (_unix_comesfromsource(pamh, forwho, 1, 0)) { #ifdef USE_LCKPWDF if(unlocked) { @@ -1280,7 +1281,7 @@ if (retval == PAM_SUCCESS) if (!_unix_shadowed(pwd)) retval = _update_passwd(pamh, forwho, "x"); -@@ -868,7 +453,7 @@ +@@ -870,7 +454,7 @@ done: #ifdef USE_LCKPWDF 
@@ -1289,7 +1290,7 @@ #endif return retval; -@@ -889,13 +474,17 @@ +@@ -891,13 +475,17 @@ if (_unix_shadowed(pwd)) { /* ...and shadow password file entry for this user, if shadowing is enabled */ @@ -1313,7 +1314,7 @@ #endif if (spwdent == NULL) return PAM_AUTHINFO_UNAVAIL; -@@ -1018,7 +607,7 @@ +@@ -1020,7 +608,7 @@ int argc, const char **argv) { unsigned int ctrl, lctrl; @@ -1322,7 +1323,7 @@ int remember = -1; /* */ -@@ -1238,49 +827,40 @@ +@@ -1240,49 +828,40 @@ return retval; } #ifdef USE_LCKPWDF @@ -1383,7 +1384,7 @@ #endif return retval; } -@@ -1324,7 +904,7 @@ +@@ -1326,7 +905,7 @@ "out of memory for password"); pass_new = pass_old = NULL; /* tidy up */ #ifdef USE_LCKPWDF @@ -1392,7 +1393,7 @@ #endif return PAM_BUF_ERR; } -@@ -1347,7 +927,7 @@ +@@ -1349,7 +928,7 @@ retval = _do_setpass(pamh, user, pass_old, tpass, ctrl, remember); @@ -1401,8 +1402,8 @@ _pam_delete(tpass); pass_old = pass_new = NULL; ---- /dev/null 2007-05-28 11:10:34.936447748 +0200 -+++ Linux-PAM-0.99.7.1/modules/pam_unix/passverify.h 2007-06-01 15:13:57.000000000 +0200 +--- /dev/null 2007-07-08 21:11:04.052436262 +0200 ++++ Linux-PAM-0.99.8.1/modules/pam_unix/passverify.h 2007-07-23 13:40:56.000000000 +0200 @@ -0,0 +1,60 @@ +/* + * This program is designed to run setuid(root) or with sufficient @@ -1464,8 +1465,8 @@ + * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED + * OF THE POSSIBILITY OF SUCH DAMAGE. + */ ---- Linux-PAM-0.99.7.1/modules/pam_unix/unix_chkpwd.c.update-helper 2007-06-01 15:13:57.000000000 +0200 -+++ Linux-PAM-0.99.7.1/modules/pam_unix/unix_chkpwd.c 2007-06-01 15:16:00.000000000 +0200 +--- Linux-PAM-0.99.8.1/modules/pam_unix/unix_chkpwd.c.update-helper 2007-03-12 15:35:14.000000000 +0100 ++++ Linux-PAM-0.99.8.1/modules/pam_unix/unix_chkpwd.c 2007-07-23 13:40:56.000000000 +0200 @@ -41,386 +41,7 @@ #include "md5.h" 
@@ -1928,8 +1929,8 @@ * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions ---- /dev/null 2007-05-28 11:10:34.936447748 +0200 -+++ Linux-PAM-0.99.7.1/modules/pam_unix/unix_update.c 2007-06-01 15:13:57.000000000 +0200 +--- /dev/null 2007-07-08 21:11:04.052436262 +0200 ++++ Linux-PAM-0.99.8.1/modules/pam_unix/unix_update.c 2007-07-23 13:40:56.000000000 +0200 @@ -0,0 +1,262 @@ +/* + * This program is designed to run setuid(root) or with sufficient @@ -2193,8 +2194,8 @@ + * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED + * OF THE POSSIBILITY OF SUCH DAMAGE. + */ ---- /dev/null 2007-05-28 11:10:34.936447748 +0200 -+++ Linux-PAM-0.99.7.1/modules/pam_unix/passverify.c 2007-06-01 15:13:57.000000000 +0200 +--- /dev/null 2007-07-08 21:11:04.052436262 +0200 ++++ Linux-PAM-0.99.8.1/modules/pam_unix/passverify.c 2007-07-23 13:40:56.000000000 +0200 @@ -0,0 +1,308 @@ +/* + * This program is designed to run setuid(root) or with sufficient @@ -2504,8 +2505,8 @@ + * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED + * OF THE POSSIBILITY OF SUCH DAMAGE. + */ ---- Linux-PAM-0.99.7.1/modules/pam_unix/Makefile.am.update-helper 2006-12-18 19:50:50.000000000 +0100 -+++ Linux-PAM-0.99.7.1/modules/pam_unix/Makefile.am 2007-06-01 15:15:04.000000000 +0200 +--- Linux-PAM-0.99.8.1/modules/pam_unix/Makefile.am.update-helper 2006-12-18 19:50:50.000000000 +0100 ++++ Linux-PAM-0.99.8.1/modules/pam_unix/Makefile.am 2007-07-23 13:40:56.000000000 +0200 @@ -16,7 +16,8 @@ secureconfdir = $(SCONFIGDIR) diff --git a/pam.spec b/pam.spec index c7caaed..83a0b08 100644 --- a/pam.spec +++ b/pam.spec 
@@ -6,12 +6,12 @@
 %define pwdb_version 0.62
 %define db_version 4.5.20
 %define db_conflicting_version 4.6.0
-%define pam_redhat_version 0.99.7-1
+%define pam_redhat_version 0.99.8-1
 Summary: A security tool which provides authentication for applications
 Name: pam
-Version: 0.99.7.1
-Release: 6%{?dist}
+Version: 0.99.8.1
+Release: 1%{?dist}
 License: GPL or BSD
 Group: System Environment/Base
 Source0: http://ftp.us.kernel.org/pub/linux/libs/pam/pre/library/Linux-PAM-%{version}.tar.bz2
@@ -27,27 +27,12 @@
 Source10: config-util.5
 Patch1: pam-0.99.7.0-redhat-modules.patch
 Patch2: pam-0.99.7.1-console-more-displays.patch
 Patch3: pam-0.99.7.1-console-decrement.patch
-Patch22: pam-0.99.7.1-unix-allow-pwmodify.patch
-Patch23: pam-0.99.7.1-unix-bigcrypt.patch
-Patch24: pam-0.99.7.1-unix-update-helper.patch
+Patch4: pam-0.99.8.1-dbpam.patch
+Patch24: pam-0.99.8.1-unix-update-helper.patch
 Patch25: pam-0.99.7.1-unix-hpux-aging.patch
-Patch34: pam-0.99.7.0-dbpam.patch
-Patch70: pam-0.99.2.1-selinux-nofail.patch
-Patch80: pam-0.99.6.2-selinux-drop-multiple.patch
-Patch81: pam-0.99.3.0-cracklib-try-first-pass.patch
-Patch82: pam-0.99.3.0-tally-fail-close.patch
-Patch84: pam-0.99.6.2-selinux-keycreate.patch
-Patch86: pam-0.99.7.0-namespace-no-unmount.patch
-Patch87: pam-0.99.6.2-namespace-preserve-uid.patch
-Patch92: pam-0.99.6.2-selinux-select-context.patch
-Patch93: pam-0.99.7.0-namespace-level.patch
-Patch94: pam-0.99.7.0-namespace-unmnt-override.patch
-Patch95: pam-0.99.6.2-selinux-use-current-range.patch
-Patch96: pam-0.99.6.2-namespace-dirnames.patch
-Patch97: pam-0.99.7.1-namespace-unknown-user.patch
-Patch98: pam-0.99.6.2-selinux-audit-context.patch
-Patch99: pam-0.99.6.2-namespace-docfix.patch
-Patch100: pam-0.99.7.1-namespace-temp-logon.patch
+Patch31: pam-0.99.3.0-cracklib-try-first-pass.patch
+Patch32: pam-0.99.3.0-tally-fail-close.patch
+Patch40: pam-0.99.7.1-namespace-temp-logon.patch
 BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n)
 Requires: cracklib, cracklib-dicts >= 2.8
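Review bot: The new %changelog entry (in the last pam.spec hunk on the next line) records only "upgrade to latest upstream version", while this hunk silently drops fifteen local patches — the SELinux set (Patch70, Patch80, Patch84, Patch92, Patch95, Patch98), the pam_namespace set (Patch86, Patch87, Patch93, Patch94, Patch96, Patch97, Patch99) and the two pam_unix patches (Patch22, Patch23) — and the %configure hunk adds `--with-db-uniquename=_pam` for the bundled db. Presumably those patches are contained in 0.99.8.1, but nothing on the page says so, and someone later auditing the SELinux context or namespace handling cannot tell whether a fix was merged upstream or lost in the rebase. A changelog line such as `- drop SELinux, pam_namespace and pam_unix patches now included upstream; build bundled db with --with-db-uniquename=_pam` would record it, and the renumbering of the surviving patches (Patch34→Patch4, Patch81→Patch31, Patch82→Patch32, Patch100→Patch40) could be mentioned in the same entry.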
@@ -103,27 +88,12 @@
 cp %{SOURCE7} .
 %patch1 -p1 -b .redhat-modules
 %patch2 -p1 -b .displays
 %patch3 -p1 -b .decrement
-%patch22 -p1 -b .pwmodify
-%patch23 -p1 -b .bigcrypt
+%patch4 -p1 -b .dbpam
 %patch24 -p1 -b .update-helper
 %patch25 -p1 -b .unix-hpux-aging
-%patch34 -p1 -b .dbpam
-%patch70 -p1 -b .nofail
-%patch80 -p1 -b .drop-multiple
-%patch81 -p1 -b .try-first-pass
-%patch82 -p1 -b .fail-close
-%patch84 -p1 -b .keycreate
-%patch86 -p1 -b .no-unmount
-%patch87 -p1 -b .preserve-uid
-%patch92 -p1 -b .select-context
-%patch93 -p1 -b .level
-%patch94 -p1 -b .unmnt-override
-%patch95 -p1 -b .range
-%patch96 -p1 -b .dirnames
-%patch97 -p1 -b .unknown-user
-%patch98 -p1 -b .audit-context
-%patch99 -p1 -b .docfix
-%patch100 -p1 -b .temp-logon
+%patch31 -p1 -b .try-first-pass
+%patch32 -p1 -b .fail-close
+%patch40 -p1 -b .temp-logon
 autoreconf
@@ -162,7 +132,8 @@
 LDFLAGS=-L${topdir}/%{_lib} ; export LDFLAGS
 %configure \
 --libdir=/%{_lib} \
 --includedir=%{_includedir}/security \
- --enable-isadir=../../%{_lib}/security
+ --enable-isadir=../../%{_lib}/security \
+ --with-db-uniquename=_pam
 make
 %install
@@ -413,6 +384,10 @@
 fi
 %doc doc/adg/*.txt doc/adg/html
 %changelog
+* Mon Jul 23 2007 Tomas Mraz 0.99.8.1-1
+- upgrade to latest upstream version
+- add some firewire devices to default console perms (#240770)
+
 * Thu Apr 26 2007 Tomas Mraz 0.99.7.1-6
 - pam_namespace: better document behavior on failure (#237249)
 - pam_unix: split out passwd change to a new helper binary (#236316)
diff --git a/sources b/sources
index d583211..02424fc 100644
--- a/sources
+++ b/sources
@@ -1,3 +1,3 @@
 b0f1c777708cb8e9d37fb47e7ed3312d db-4.5.20.tar.gz
-66845048120c71205bd3363264f2bfe7 pam-redhat-0.99.7-1.tar.bz2
-385458dfb4633071594e255a6ebec9da Linux-PAM-0.99.7.1.tar.bz2
+2a23dc703b550223206021ff03b1e434 pam-redhat-0.99.8-1.tar.bz2
+a6472db4afe13850cb401922211bba4e Linux-PAM-0.99.8.1.tar.bz2