rpms/pam
7
0
Fork 0
Code Issues Pull Requests Releases Activity

- upgrade to latest upstream version

Browse Source 
- add some firewire devices to default console perms (#240770)
This commit is contained in:
Tomáš Mráz 2007-07-23 18:46:31 +00:00
parent 8e3ad05d67
commit 6c6453458a
21 changed files with 63 additions and 1857 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

4
.cvsignore
View File

@ -1,5 +1,5 @@
db-4.5.20.tar.gz db-4.5.20.tar.gz
*.src.rpm *.src.rpm
*.tar.bz2 *.tar.bz2
pam-redhat-0.99.7-1.tar.bz2 pam-redhat-0.99.8-1.tar.bz2
Linux-PAM-0.99.7.1.tar.bz2 Linux-PAM-0.99.8.1.tar.bz2

78
pam-0.99.2.1-selinux-nofail.patch
View File

@ -1,78 +0,0 @@
--- Linux-PAM-0.99.2.1/modules/pam_selinux/pam_selinux.c.nofail 2005-11-29 10:22:05.000000000 +0100
+++ Linux-PAM-0.99.2.1/modules/pam_selinux/pam_selinux.c 2005-12-15 14:12:54.000000000 +0100
@@ -327,6 +327,8 @@
int num_contexts = 0;
const void *username = NULL;
const void *tty = NULL;
+ char *seuser=NULL;
+ char *level=NULL;
/* Parse arguments. */
for (i = 0; i < argc; i++) {
@@ -361,7 +363,18 @@
username == NULL) {
return PAM_AUTH_ERR;
}
- num_contexts = get_ordered_context_list(username, 0, &contextlist);
+
+ if (getseuserbyname(username, &seuser, &level)==0) {
+ num_contexts = get_ordered_context_list_with_level(seuser,
+ level,
+ NULL,
+ &contextlist);
+ if (debug)
+ pam_syslog(pamh, LOG_DEBUG, "Username= %s SELinux User = %s Level= %s",
+ (const char *)username, seuser, level);
+ free(seuser);
+ free(level);
+ }
if (num_contexts > 0) {
if (multiple && (num_contexts > 1) && has_tty) {
user_context = select_context(pamh,contextlist, debug);
@@ -376,13 +389,19 @@
if (user_context == NULL) {
pam_syslog (pamh, LOG_ERR, "Unable to get valid context for %s",
(const char *)username);
- return PAM_AUTH_ERR;
+ if (security_getenforce() == 1)
+ return PAM_AUTH_ERR;
+ else
+ return PAM_SUCCESS;
}
} else {
pam_syslog (pamh, LOG_ERR,
"Unable to get valid context for %s, No valid tty",
(const char *)username);
- return PAM_AUTH_ERR;
+ if (security_getenforce() == 1)
+ return PAM_AUTH_ERR;
+ else
+ return PAM_SUCCESS;
}
}
if (getexeccon(&prev_user_context)<0) {
@@ -420,8 +439,10 @@
pam_syslog(pamh, LOG_ERR,
"Error! Unable to set %s executable context %s.",
(const char *)username, user_context);
- freecon(user_context);
- return PAM_AUTH_ERR;
+ if (security_getenforce() == 1) {
+ freecon(user_context);
+ return PAM_AUTH_ERR;
+ }
} else {
if (debug)
pam_syslog(pamh, LOG_NOTICE, "set %s security context to %s",
@@ -471,7 +492,10 @@
if (status) {
pam_syslog(pamh, LOG_ERR, "Error! Unable to set executable context %s.",
prev_user_context);
- return PAM_AUTH_ERR;
+ if (security_getenforce() == 1)
+ return PAM_AUTH_ERR;
+ else
+ return PAM_SUCCESS;
}
if (debug)

206
pam-0.99.6.2-namespace-dirnames.patch
View File

@ -1,206 +0,0 @@
--- Linux-PAM-0.99.6.2/modules/pam_namespace/pam_namespace.h.dirnames 2007-02-26 23:31:26.000000000 +0100
+++ Linux-PAM-0.99.6.2/modules/pam_namespace/pam_namespace.h 2007-02-27 00:40:04.000000000 +0100
@@ -89,6 +89,8 @@
#define PAMNS_IGN_INST_PARENT_MODE 0x00008000 /* Ignore instance parent mode */
#define PAMNS_NO_UNMOUNT_ON_CLOSE 0x00010000 /* no unmount at session close */
+#define NAMESPACE_MAX_DIR_LEN 80
+
/*
* Polyinstantiation method options, based on user, security context
* or both
--- Linux-PAM-0.99.6.2/modules/pam_namespace/pam_namespace.c.dirnames 2007-02-26 23:31:26.000000000 +0100
+++ Linux-PAM-0.99.6.2/modules/pam_namespace/pam_namespace.c 2007-02-27 00:39:51.000000000 +0100
@@ -436,6 +436,36 @@
return 0;
}
+/*
+ * md5hash generates a hash of the passed in instance directory name.
+ */
+static char *md5hash(const char *instname, struct instance_data *idata)
+{
+ int i;
+ char *md5inst = NULL;
+ char *to;
+ unsigned char inst_digest[MD5_DIGEST_LENGTH];
+
+ /*
+ * Create MD5 hashes for instance pathname.
+ */
+
+ MD5((const unsigned char *)instname, strlen(instname), inst_digest);
+
+ if ((md5inst = malloc(MD5_DIGEST_LENGTH * 2 + 1)) == NULL) {
+ pam_syslog(idata->pamh, LOG_ERR, "Unable to allocate buffer");
+ return NULL;
+ }
+
+ to = md5inst;
+ for (i = 0; i < MD5_DIGEST_LENGTH; i++) {
+ snprintf(to, 3, "%02x", (unsigned int)inst_digest[i]);
+ to += 2;
+ }
+
+ return md5inst;
+}
+
#ifdef WITH_SELINUX
static int form_context(const struct polydir_s *polyptr,
security_context_t *i_context, security_context_t *origcon,
@@ -547,12 +577,21 @@
#endif
{
int rc;
+ char *hash = NULL;
+#ifdef WITH_SELINUX
+ security_context_t rawcon = NULL;
+#endif
-# ifdef WITH_SELINUX
- rc = form_context(polyptr, i_context, origcon, idata);
+ *i_name = NULL;
+#ifdef WITH_SELINUX
+ *i_context = NULL;
+ *origcon = NULL;
+ if ((rc=form_context(polyptr, i_context, origcon, idata)) != PAM_SUCCESS) {
+ return rc;
+ }
#endif
- rc = PAM_SUCCESS;
+ rc = PAM_SESSION_ERR;
/*
* Set the name of the polyinstantiated instance dir based on the
* polyinstantiation method.
@@ -561,16 +600,20 @@
case USER:
if (asprintf(i_name, "%s", idata->user) < 0) {
*i_name = NULL;
- rc = PAM_SESSION_ERR;
- }
+ goto fail;
+ }
break;
#ifdef WITH_SELINUX
case LEVEL:
case CONTEXT:
- if (asprintf(i_name, "%s_%s", *i_context, idata->user) < 0) {
+ if (selinux_trans_to_raw_context(*i_context, &rawcon) < 0) {
+ pam_syslog(idata->pamh, LOG_ERR, "Error translating directory context");
+ goto fail;
+ }
+ if (asprintf(i_name, "%s_%s", rawcon, idata->user) < 0) {
*i_name = NULL;
- rc = PAM_SESSION_ERR;
+ goto fail;
}
break;
@@ -579,12 +622,48 @@
default:
if (idata->flags & PAMNS_DEBUG)
pam_syslog(idata->pamh, LOG_ERR, "Unknown method");
- rc = PAM_SESSION_ERR;
+ goto fail;
}
- if ((idata->flags & PAMNS_DEBUG) && rc == PAM_SUCCESS)
+ if (idata->flags & PAMNS_DEBUG)
pam_syslog(idata->pamh, LOG_DEBUG, "poly_name %s", *i_name);
+ if ((idata->flags & PAMNS_GEN_HASH) || strlen(*i_name) > NAMESPACE_MAX_DIR_LEN) {
+ hash = md5hash(*i_name, idata);
+ if (hash == NULL) {
+ goto fail;
+ }
+ if (idata->flags & PAMNS_GEN_HASH) {
+ free(*i_name);
+ *i_name = hash;
+ hash = NULL;
+ } else {
+ char *newname;
+ if (asprintf(&newname, "%.*s_%s", NAMESPACE_MAX_DIR_LEN-1-strlen(hash),
+ *i_name, hash) < 0) {
+ goto fail;
+ }
+ free(*i_name);
+ *i_name = newname;
+ }
+ }
+ rc = PAM_SUCCESS;
+
+fail:
+ free(hash);
+#ifdef WITH_SELINUX
+ freecon(rawcon);
+#endif
+ if (rc != PAM_SUCCESS) {
+#ifdef WITH_SELINUX
+ freecon(*i_context);
+ *i_context = NULL;
+ freecon(*origcon);
+ *origcon = NULL;
+#endif
+ free(*i_name);
+ *i_name = NULL;
+ }
return rc;
}
@@ -832,39 +911,6 @@
/*
- * md5hash generates a hash of the passed in instance directory name.
- */
-static int md5hash(char **instname, struct instance_data *idata)
-{
- int i;
- char *md5inst = NULL;
- char *to;
- unsigned char inst_digest[MD5_DIGEST_LENGTH];
-
- /*
- * Create MD5 hashes for instance pathname.
- */
-
- MD5((unsigned char *)*instname, strlen(*instname), inst_digest);
-
- if ((md5inst = malloc(MD5_DIGEST_LENGTH * 2 + 1)) == NULL) {
- pam_syslog(idata->pamh, LOG_ERR, "Unable to allocate buffer");
- return PAM_SESSION_ERR;
- }
-
- to = md5inst;
- for (i = 0; i < MD5_DIGEST_LENGTH; i++) {
- snprintf(to, 3, "%02x", (unsigned int)inst_digest[i]);
- to += 3;
- }
-
- free(*instname);
- *instname = md5inst;
-
- return PAM_SUCCESS;
-}
-
-/*
* This function performs the namespace setup for a particular directory
* that is being polyinstantiated. It creates an MD5 hash of instance
* directory, calls create_dirs to create it with appropriate
@@ -914,14 +960,6 @@
#endif
}
- if (idata->flags & PAMNS_GEN_HASH) {
- retval = md5hash(&instname, idata);
- if (retval < 0) {
- pam_syslog(idata->pamh, LOG_ERR, "Error generating md5 hash");
- goto error_out;
- }
- }
-
if (asprintf(&inst_dir, "%s%s", polyptr->instance_prefix, instname) < 0)
goto error_out;

18
pam-0.99.6.2-namespace-docfix.patch
View File

@ -1,18 +0,0 @@
--- Linux-PAM-0.99.6.2/modules/pam_namespace/namespace.conf.5.xml.docfix 2007-04-03 17:51:29.000000000 +0200
+++ Linux-PAM-0.99.6.2/modules/pam_namespace/namespace.conf.5.xml 2007-04-23 19:04:10.000000000 +0200
@@ -86,6 +86,15 @@
for all users.
</para>
+ <para>
+ In case of context or level polyinstantiation the SELinux context
+ which is used for polyinstantiation is the context used for executing
+ a new process as obtained by getexeccon. This context must be set
+ by the calling application or <filename>pam_selinux.so</filename>
+ module. If this context is not set the polyinstatiation will be
+ based just on user name.
+ </para>
+
</refsect1>
<refsect1 id="namespace.conf-examples">

8
pam-0.99.6.2-namespace-preserve-uid.patch
View File

@ -1,8 +0,0 @@
--- Linux-PAM-0.99.6.2/modules/pam_namespace/namespace.init.preserve-uid 2006-06-27 15:07:43.000000000 +0200
+++ Linux-PAM-0.99.6.2/modules/pam_namespace/namespace.init 2006-10-13 10:51:03.000000000 +0200
@@ -1,4 +1,4 @@
-#!/bin/sh
+#!/bin/sh -p
# This is only a boilerplate for the instance initialization script.
# It receives polydir path as $1 and the instance path as $2.
#

85
pam-0.99.6.2-selinux-audit-context.patch
View File

@ -1,85 +0,0 @@
--- Linux-PAM-0.99.6.2/modules/pam_selinux/pam_selinux.c.audit-context 2007-04-03 17:51:29.000000000 +0200
+++ Linux-PAM-0.99.6.2/modules/pam_selinux/pam_selinux.c 2007-04-03 18:15:06.000000000 +0200
@@ -88,33 +88,36 @@
security_context_t selected_raw=NULL;
rc = -1;
if (audit_fd < 0) {
- pam_syslog(pamh, LOG_ERR, _("Error connecting to audit system.\n"));
+ if (errno == EINVAL || errno == EPROTONOSUPPORT ||
+ errno == EAFNOSUPPORT)
+ return 0; /* No audit support in kernel */
+ pam_syslog(pamh, LOG_ERR, _("Error connecting to audit system."));
return rc;
}
if (selinux_trans_to_raw_context(default_context, &default_raw) < 0) {
- pam_syslog(pamh, LOG_ERR, _("Error translating default context.\n"));
- goto out;
+ pam_syslog(pamh, LOG_ERR, _("Error translating default context."));
+ default_raw = NULL;
}
if (selinux_trans_to_raw_context(selected_context, &selected_raw) < 0) {
- pam_syslog(pamh, LOG_ERR, _("Error translating selected context.\n"));
- goto out;
+ pam_syslog(pamh, LOG_ERR, _("Error translating selected context."));
+ selected_raw = NULL;
}
if (asprintf(&msg, "pam: default-context=%s selected-context=%s",
- default_context ? default_raw : "?",
- selected_context ? selected_raw : "?") < 0) {
- pam_syslog(pamh, LOG_ERR, ("Error allocating memory.\n"));
+ default_raw ? default_raw : (default_context ? default_context : "?"),
+ selected_raw ? selected_raw : (selected_context ? selected_context : "?")) < 0) {
+ pam_syslog(pamh, LOG_ERR, ("Error allocating memory."));
goto out;
}
if (audit_log_user_message(audit_fd, AUDIT_USER_ROLE_CHANGE,
msg, NULL, NULL, NULL, success) <= 0) {
- pam_syslog(pamh, LOG_ERR, _("Error sending audit message.\n"));
+ pam_syslog(pamh, LOG_ERR, _("Error sending audit message."));
goto out;
}
rc = 0;
out:
free(msg);
freecon(default_raw);
- free(selected_raw);
+ freecon(selected_raw);
close(audit_fd);
#else
pam_syslog(pamh, LOG_NOTICE, "pam: default-context=%s selected-context=%s success %d", default_context, selected_context, success);
@@ -298,14 +301,17 @@
if (mls_enabled && !mls_range_allowed(pamh, puser_context, newcon, debug)) {
pam_syslog(pamh, LOG_NOTICE, "Security context %s is not allowed for %s", puser_context, newcon);
+ send_audit_message(pamh, 0, puser_context, newcon);
+ free(newcon);
goto fail_range;
}
return newcon;
}
- else
+ else {
+ send_audit_message(pamh, 0, puser_context, context_str(new_context));
send_text(pamh,_("Not a valid security context"),debug);
-
+ }
context_free(new_context); /* next time around allocates another */
}
else
@@ -318,6 +324,7 @@
free(type);
_pam_drop(responses);
context_free (new_context);
+ send_audit_message(pamh, 0, puser_context, NULL);
fail_range:
return NULL;
}
@@ -509,7 +516,6 @@
if (select_context && has_tty) {
user_context = config_context(pamh, default_user_context, debug);
if (user_context == NULL) {
- send_audit_message(pamh, 0, default_user_context, default_user_context);
freecon(default_user_context);
pam_syslog(pamh, LOG_ERR, _("Unable to get valid context for %s"),
username);

125
pam-0.99.6.2-selinux-drop-multiple.patch
View File

@ -1,125 +0,0 @@
--- Linux-PAM-0.99.6.2/modules/pam_selinux/pam_selinux.8.xml.drop-multiple 2006-06-18 10:26:59.000000000 +0200
+++ Linux-PAM-0.99.6.2/modules/pam_selinux/pam_selinux.8.xml 2006-11-10 17:47:16.000000000 +0100
@@ -25,9 +25,6 @@
debug
</arg>
<arg choice="opt">
- multiple
- </arg>
- <arg choice="opt">
open
</arg>
<arg choice="opt">
@@ -93,18 +90,6 @@
</varlistentry>
<varlistentry>
<term>
- <option>multiple</option>
- </term>
- <listitem>
- <para>
- Tells pam_selinux.so to allow the user to select the
- security context they will login with, if the user has
- more than one role.
- </para>
- </listitem>
- </varlistentry>
- <varlistentry>
- <term>
<option>open</option>
</term>
<listitem>
--- Linux-PAM-0.99.6.2/modules/pam_selinux/pam_selinux.c.drop-multiple 2006-11-10 17:44:33.000000000 +0100
+++ Linux-PAM-0.99.6.2/modules/pam_selinux/pam_selinux.c 2006-11-10 17:44:33.000000000 +0100
@@ -89,56 +89,6 @@
}
static security_context_t
-select_context (pam_handle_t *pamh, security_context_t* contextlist,
- int debug)
-{
- char *responses;
- char *text=calloc(PATH_MAX,1);
-
- if (text == NULL)
- return (security_context_t) strdup(contextlist[0]);
-
- snprintf(text, PATH_MAX,
- _("Your default context is %s. \n"), contextlist[0]);
- send_text(pamh,text,debug);
- free(text);
- query_response(pamh,_("Do you want to choose a different one? [n]"),
- &responses,debug);
- if (responses && ((responses[0] == 'y') ||
- (responses[0] == 'Y')))
- {
- int choice=0;
- int i;
- const char *prompt=_("Enter number of choice: ");
- int len=strlen(prompt);
- char buf[PATH_MAX];
-
- _pam_drop(responses);
- for (i = 0; contextlist[i]; i++) {
- len+=strlen(contextlist[i]) + 10;
- }
- text=calloc(len,1);
- for (i = 0; contextlist[i]; i++) {
- snprintf(buf, PATH_MAX,
- "[%d] %s\n", i+1, contextlist[i]);
- strncat(text,buf,len);
- }
- strcat(text,prompt);
- while ((choice < 1) || (choice > i)) {
- query_response(pamh,text,&responses,debug);
- choice = strtol (responses, NULL, 10);
- _pam_drop(responses);
- }
- free(text);
- return (security_context_t) strdup(contextlist[choice-1]);
- }
- else if (responses)
- _pam_drop(responses);
-
- return (security_context_t) strdup(contextlist[0]);
-}
-
-static security_context_t
manual_context (pam_handle_t *pamh, const char *user, int debug)
{
security_context_t newcon;
@@ -322,7 +272,7 @@
int argc, const char **argv)
{
int i, debug = 0, ttys=1, has_tty=isatty(0);
- int verbose=0, multiple=0, close_session=0;
+ int verbose=0, close_session=0;
int ret = 0;
security_context_t* contextlist = NULL;
int num_contexts = 0;
@@ -342,9 +292,6 @@
if (strcmp(argv[i], "verbose") == 0) {
verbose = 1;
}
- if (strcmp(argv[i], "multiple") == 0) {
- multiple = 1;
- }
if (strcmp(argv[i], "close") == 0) {
close_session = 1;
}
@@ -377,13 +324,8 @@
free(level);
}
if (num_contexts > 0) {
- if (multiple && (num_contexts > 1) && has_tty) {
- user_context = select_context(pamh,contextlist, debug);
- freeconary(contextlist);
- } else {
- user_context = (security_context_t) strdup(contextlist[0]);
- freeconary(contextlist);
- }
+ user_context = (security_context_t) strdup(contextlist[0]);
+ freeconary(contextlist);
} else {
if (has_tty) {
user_context = manual_context(pamh,username,debug);

42
pam-0.99.6.2-selinux-keycreate.patch
View File

@ -1,42 +0,0 @@
--- Linux-PAM-0.99.6.2/modules/pam_selinux/pam_selinux.c.keycreate 2006-08-31 17:26:46.000000000 +0200
+++ Linux-PAM-0.99.6.2/modules/pam_selinux/pam_selinux.c 2006-08-31 19:01:05.000000000 +0200
@@ -391,6 +391,28 @@
pam_syslog(pamh, LOG_NOTICE, "set %s security context to %s",
(const char *)username, user_context);
}
+#ifdef HAVE_SETKEYCREATECON
+ ret = setkeycreatecon(user_context);
+ if (ret==0 && verbose) {
+ char msg[PATH_MAX];
+ snprintf(msg, sizeof(msg),
+ _("Key Creation Context %s Assigned"), user_context);
+ verbose_message(pamh, msg, debug);
+ }
+ if (ret) {
+ pam_syslog(pamh, LOG_ERR,
+ "Error! Unable to set %s key creation context %s.",
+ (const char *)username, user_context);
+ if (security_getenforce() == 1) {
+ freecon(user_context);
+ return PAM_AUTH_ERR;
+ }
+ } else {
+ if (debug)
+ pam_syslog(pamh, LOG_NOTICE, "set %s key creation context to %s",
+ (const char *)username, user_context);
+ }
+#endif
freecon(user_context);
return PAM_SUCCESS;
--- Linux-PAM-0.99.6.2/configure.in.keycreate 2006-08-31 17:26:46.000000000 +0200
+++ Linux-PAM-0.99.6.2/configure.in 2006-08-31 18:59:52.000000000 +0200
@@ -397,7 +397,7 @@
AC_CHECK_FUNCS(strcspn strdup strspn strstr strtol uname)
AC_CHECK_FUNCS(getpwnam_r getpwuid_r getgrnam_r getgrgid_r getspnam_r)
AC_CHECK_FUNCS(getgrouplist getline getdelim)
-AC_CHECK_FUNCS(inet_ntop inet_pton ruserok_af)
+AC_CHECK_FUNCS(inet_ntop inet_pton ruserok_af setkeycreatecon)
AC_CHECK_FUNCS(unshare, [UNSHARE=yes], [UNSHARE=no])
AM_CONDITIONAL([HAVE_UNSHARE], [test "$UNSHARE" = yes])

463
pam-0.99.6.2-selinux-select-context.patch
View File

@ -1,463 +0,0 @@
--- Linux-PAM-0.99.6.2/modules/pam_selinux/pam_selinux.8.xml.select-context 2007-02-21 20:38:10.000000000 +0100
+++ Linux-PAM-0.99.6.2/modules/pam_selinux/pam_selinux.8.xml 2007-02-21 20:38:11.000000000 +0100
@@ -33,6 +33,9 @@
<arg choice="opt">
verbose
</arg>
+ <arg choice="opt">
+ select_context
+ </arg>
</cmdsynopsis>
</refsynopsisdiv>
@@ -118,6 +121,17 @@
</para>
</listitem>
</varlistentry>
+ <varlistentry>
+ <term>
+ <option>select_context</option>
+ </term>
+ <listitem>
+ <para>
+ Attempt to ask the user for a custom security context role.
+ If MLS is on ask also for sensitivity level.
+ </para>
+ </listitem>
+ </varlistentry>
</variablelist>
</refsect1>
--- Linux-PAM-0.99.6.2/modules/pam_selinux/pam_selinux.c.select-context 2007-02-21 20:38:10.000000000 +0100
+++ Linux-PAM-0.99.6.2/modules/pam_selinux/pam_selinux.c 2007-02-21 20:44:01.000000000 +0100
@@ -63,9 +63,64 @@
#include <selinux/selinux.h>
#include <selinux/get_context_list.h>
#include <selinux/flask.h>
+#include <selinux/av_permissions.h>
#include <selinux/selinux.h>
#include <selinux/context.h>
+#include <selinux/get_default_type.h>
+#ifdef HAVE_LIBAUDIT
+#include <libaudit.h>
+#include <sys/select.h>
+#include <errno.h>
+#endif
+
+/* Send audit message */
+static
+
+int send_audit_message(pam_handle_t *pamh, int success, security_context_t default_context,
+ security_context_t selected_context)
+{
+ int rc=0;
+#ifdef HAVE_LIBAUDIT
+ char *msg = NULL;
+ int audit_fd = audit_open();
+ security_context_t default_raw=NULL;
+ security_context_t selected_raw=NULL;
+ rc = -1;
+ if (audit_fd < 0) {
+ pam_syslog(pamh, LOG_ERR, _("Error connecting to audit system.\n"));
+ return rc;
+ }
+ if (selinux_trans_to_raw_context(default_context, &default_raw) < 0) {
+ pam_syslog(pamh, LOG_ERR, _("Error translating default context.\n"));
+ goto out;
+ }
+ if (selinux_trans_to_raw_context(selected_context, &selected_raw) < 0) {
+ pam_syslog(pamh, LOG_ERR, _("Error translating selected context.\n"));
+ goto out;
+ }
+ if (asprintf(&msg, "pam: default-context=%s selected-context=%s",
+ default_context ? default_raw : "?",
+ selected_context ? selected_raw : "?") < 0) {
+ pam_syslog(pamh, LOG_ERR, ("Error allocating memory.\n"));
+ goto out;
+ }
+ if (audit_log_user_message(audit_fd, AUDIT_USER_ROLE_CHANGE,
+ msg, NULL, NULL, NULL, success) <= 0) {
+ pam_syslog(pamh, LOG_ERR, _("Error sending audit message.\n"));
+ goto out;
+ }
+ rc = 0;
+ out:
+ free(msg);
+ freecon(default_raw);
+ free(selected_raw);
+ close(audit_fd);
+#else
+ pam_syslog(pamh, LOG_NOTICE, "pam: default-context=%s selected-context=%s success %d", default_context, selected_context, success);
+#endif
+ return rc;
+}
static int
send_text (pam_handle_t *pamh, const char *text, int debug)
{
@@ -79,69 +134,64 @@
* is responsible for freeing the responses.
*/
static int
-query_response (pam_handle_t *pamh, const char *text,
+query_response (pam_handle_t *pamh, const char *text, const char *def,
char **responses, int debug)
{
+ int rc;
+ if (def)
+ rc = pam_prompt (pamh, PAM_PROMPT_ECHO_ON, responses, "%s [%s] ", text, def);
+ else
+ rc = pam_prompt (pamh, PAM_PROMPT_ECHO_ON, responses, "%s ", text);
if (debug)
- pam_syslog(pamh, LOG_NOTICE, "%s", text);
-
- return pam_prompt (pamh, PAM_PROMPT_ECHO_ON, responses, "%s", text);
+ pam_syslog(pamh, LOG_NOTICE, "%s %s", text, responses[0]);
+ return rc;
}
static security_context_t
manual_context (pam_handle_t *pamh, const char *user, int debug)
{
- security_context_t newcon;
+ security_context_t newcon=NULL;
context_t new_context;
int mls_enabled = is_selinux_mls_enabled();
-
- char *responses;
+ char *type=NULL;
+ char *responses=NULL;
while (1) {
query_response(pamh,
- _("Would you like to enter a security context? [y] "),
+ _("Would you like to enter a security context? [N] "), NULL,
&responses,debug);
- if ((responses[0] == 'y') || (responses[0] == 'Y') ||
- (responses[0] == '\0') )
+ if ((responses[0] == 'y') || (responses[0] == 'Y'))
{
if (mls_enabled)
new_context = context_new ("user:role:type:level");
else
new_context = context_new ("user:role:type");
- _pam_drop(responses);
- /* Allow the user to enter each field of the context individually */
+ if (!new_context)
+ goto fail_set;
+
if (context_user_set (new_context, user))
- {
- context_free (new_context);
- return NULL;
- }
- query_response(pamh,_("role: "),&responses,debug);
- if (context_role_set (new_context, responses))
- {
- _pam_drop(responses);
- context_free (new_context);
- return NULL;
- }
+ goto fail_set;
+
_pam_drop(responses);
- query_response(pamh,_("type: "),&responses,debug);
- if (context_type_set (new_context, responses))
- {
- _pam_drop(responses);
- context_free (new_context);
- return NULL;
- }
+ /* Allow the user to enter each field of the context individually */
+ query_response(pamh,_("role:"), NULL, &responses,debug);
+ if (responses[0] != '\0') {
+ if (context_role_set (new_context, responses))
+ goto fail_set;
+ if (get_default_type(responses, &type))
+ goto fail_set;
+ if (context_type_set (new_context, type))
+ goto fail_set;
+ }
_pam_drop(responses);
if (mls_enabled)
{
- query_response(pamh,_("level: "),&responses,debug);
- if (context_range_set (new_context, responses))
- {
- _pam_drop(responses);
- context_free (new_context);
- return NULL;
- }
- _pam_drop(responses);
+ query_response(pamh,_("level:"), NULL, &responses,debug);
+ if (responses[0] != '\0') {
+ if (context_range_set (new_context, responses))
+ goto fail_set;
+ }
}
/* Get the string value of the context and see if it is valid. */
if (!security_check_context(context_str(new_context))) {
@@ -151,14 +201,125 @@
}
else
send_text(pamh,_("Not a valid security context"),debug);
+ context_free (new_context);
}
else {
_pam_drop(responses);
return NULL;
}
} /* end while */
+ fail_set:
+ free(type);
+ _pam_drop(responses);
+ context_free (new_context);
+ return NULL;
+}
+
+static int mls_range_allowed(pam_handle_t *pamh, security_context_t src, security_context_t dst, int debug)
+{
+ struct av_decision avd;
+ int retval;
+ unsigned int bit = CONTEXT__CONTAINS;
+ context_t src_context = context_new (src);
+ context_t dst_context = context_new (dst);
+ context_range_set(dst_context, context_range_get(src_context));
+ if (debug)
+ pam_syslog(pamh, LOG_NOTICE, "Checking if %s mls range valid for %s", dst, context_str(dst_context));
+
+ retval = security_compute_av(context_str(dst_context), dst, SECCLASS_CONTEXT, bit, &avd);
+ context_free(src_context);
+ context_free(dst_context);
+ if (retval || ((bit & avd.allowed) != bit))
+ return 0;
+
+ return 1;
+}
+
+static security_context_t
+config_context (pam_handle_t *pamh, security_context_t puser_context, int debug)
+{
+ security_context_t newcon=NULL;
+ context_t new_context;
+ int mls_enabled = is_selinux_mls_enabled();
+ char *responses=NULL;
+ char *type=NULL;
+ char resp_val = 0;
+
+ pam_prompt (pamh, PAM_TEXT_INFO, NULL, _("Default Security Context %s\n"), puser_context);
+
+ while (1) {
+ query_response(pamh,
+ _("Would you like to enter a different role or level?"), "n",
+ &responses,debug);
+
+ resp_val = responses[0];
+ _pam_drop(responses);
+ if ((resp_val == 'y') || (resp_val == 'Y'))
+ {
+ new_context = context_new(puser_context);
+
+ /* Allow the user to enter role and level individually */
+ query_response(pamh,_("role:"), context_role_get(new_context),
+ &responses, debug);
+ if (responses[0]) {
+ if (get_default_type(responses, &type)) {
+ pam_prompt (pamh, PAM_ERROR_MSG, NULL, _("No default type for role %s\n"), responses);
+ _pam_drop(responses);
+ continue;
+ } else {
+ if (context_role_set(new_context, responses))
+ goto fail_set;
+ if (context_type_set (new_context, type))
+ goto fail_set;
+ }
+ }
+ _pam_drop(responses);
+ if (mls_enabled)
+ {
+ query_response(pamh,_("level:"), context_range_get(new_context),
+ &responses, debug);
+ if (responses[0]) {
+ if (context_range_set(new_context, responses))
+ goto fail_set;
+ }
+ _pam_drop(responses);
+ }
+ if (debug)
+ pam_syslog(pamh, LOG_NOTICE, "Selected Security Context %s", context_str(new_context));
+
+ /* Get the string value of the context and see if it is valid. */
+ if (!security_check_context(context_str(new_context))) {
+ newcon = strdup(context_str(new_context));
+ context_free (new_context);
+
+ /* we have to check that this user is allowed to go into the
+ range they have specified ... role is tied to an seuser, so that'll
+ be checked at setexeccon time */
+ if (mls_enabled && !mls_range_allowed(pamh, puser_context, newcon, debug)) {
+ pam_syslog(pamh, LOG_NOTICE, "Security context %s is not allowed for %s", puser_context, newcon);
+
+
+ goto fail_range;
+ }
+ return newcon;
+ }
+ else
+ send_text(pamh,_("Not a valid security context"),debug);
+
+ context_free(new_context); /* next time around allocates another */
+ }
+ else
+ return strdup(puser_context);
+ } /* end while */
return NULL;
+
+ fail_set:
+ free(type);
+ _pam_drop(responses);
+ context_free (new_context);
+ fail_range:
+ return NULL;
}
static void
@@ -273,13 +434,15 @@
{
int i, debug = 0, ttys=1, has_tty=isatty(0);
int verbose=0, close_session=0;
+ int select_context = 0;
int ret = 0;
security_context_t* contextlist = NULL;
int num_contexts = 0;
- const void *username = NULL;
+ const char *username = NULL;
const void *tty = NULL;
char *seuser=NULL;
char *level=NULL;
+ security_context_t default_user_context=NULL;
/* Parse arguments. */
for (i = 0; i < argc; i++) {
@@ -295,6 +458,9 @@
if (strcmp(argv[i], "close") == 0) {
close_session = 1;
}
+ if (strcmp(argv[i], "select_context") == 0) {
+ select_context = 1;
+ }
}
if (debug)
@@ -307,7 +473,7 @@
if (!(selinux_enabled = is_selinux_enabled()>0) )
return PAM_SUCCESS;
- if (pam_get_item(pamh, PAM_USER, &username) != PAM_SUCCESS ||
+ if (pam_get_item(pamh, PAM_USER, (void *) &username) != PAM_SUCCESS ||
username == NULL) {
return PAM_USER_UNKNOWN;
}
@@ -319,19 +485,39 @@
&contextlist);
if (debug)
pam_syslog(pamh, LOG_DEBUG, "Username= %s SELinux User = %s Level= %s",
- (const char *)username, seuser, level);
+ username, seuser, level);
free(seuser);
free(level);
}
if (num_contexts > 0) {
- user_context = (security_context_t) strdup(contextlist[0]);
+ default_user_context=strdup(contextlist[0]);
freeconary(contextlist);
- } else {
+ if (default_user_context == NULL) {
+ pam_syslog(pamh, LOG_ERR, _("Out of memory"));
+ return PAM_AUTH_ERR;
+ }
+ user_context = default_user_context;
+ if (select_context && has_tty) {
+ user_context = config_context(pamh, default_user_context, debug);
+ if (user_context == NULL) {
+ send_audit_message(pamh, 0, default_user_context, default_user_context);
+ freecon(default_user_context);
+ pam_syslog(pamh, LOG_ERR, _("Unable to get valid context for %s"),
+ username);
+ pam_prompt (pamh, PAM_ERROR_MSG, NULL, _("Unable to get valid context for %s"), username);
+ if (security_getenforce() == 1)
+ return PAM_AUTH_ERR;
+ else
+ return PAM_SUCCESS;
+ }
+ }
+ }
+ else {
if (has_tty) {
- user_context = manual_context(pamh,username,debug);
+ user_context = manual_context(pamh,seuser,debug);
if (user_context == NULL) {
pam_syslog (pamh, LOG_ERR, "Unable to get valid context for %s",
- (const char *)username);
+ username);
if (security_getenforce() == 1)
return PAM_AUTH_ERR;
else
@@ -340,7 +526,7 @@
} else {
pam_syslog (pamh, LOG_ERR,
"Unable to get valid context for %s, No valid tty",
- (const char *)username);
+ username);
if (security_getenforce() == 1)
return PAM_AUTH_ERR;
else
@@ -371,6 +557,10 @@
ttyn=strdup(tty);
ttyn_context=security_label_tty(pamh,ttyn,user_context);
}
+ send_audit_message(pamh, 1, default_user_context, user_context);
+ if (default_user_context != user_context) {
+ freecon(default_user_context);
+ }
ret = setexeccon(user_context);
if (ret==0 && verbose) {
char msg[PATH_MAX];
@@ -381,7 +571,7 @@
if (ret) {
pam_syslog(pamh, LOG_ERR,
"Error! Unable to set %s executable context %s.",
- (const char *)username, user_context);
+ username, user_context);
if (security_getenforce() == 1) {
freecon(user_context);
return PAM_AUTH_ERR;
@@ -389,7 +579,7 @@
} else {
if (debug)
pam_syslog(pamh, LOG_NOTICE, "set %s security context to %s",
- (const char *)username, user_context);
+ username, user_context);
}
#ifdef HAVE_SETKEYCREATECON
ret = setkeycreatecon(user_context);
@@ -402,7 +592,7 @@
if (ret) {
pam_syslog(pamh, LOG_ERR,
"Error! Unable to set %s key creation context %s.",
- (const char *)username, user_context);
+ username, user_context);
if (security_getenforce() == 1) {
freecon(user_context);
return PAM_AUTH_ERR;
@@ -410,7 +600,7 @@
} else {
if (debug)
pam_syslog(pamh, LOG_NOTICE, "set %s key creation context to %s",
- (const char *)username, user_context);
+ username, user_context);
}
#endif
freecon(user_context);

113
pam-0.99.6.2-selinux-use-current-range.patch
View File

@ -1,113 +0,0 @@
--- Linux-PAM-0.99.6.2/modules/pam_selinux/pam_selinux.c.range 2007-01-04 23:29:04.000000000 +0100
+++ Linux-PAM-0.99.6.2/modules/pam_selinux/pam_selinux.c 2007-01-05 13:30:31.000000000 +0100
@@ -435,6 +435,7 @@
int i, debug = 0, ttys=1, has_tty=isatty(0);
int verbose=0, close_session=0;
int select_context = 0;
+ int use_current_range = 0;
int ret = 0;
security_context_t* contextlist = NULL;
int num_contexts = 0;
@@ -461,11 +462,19 @@
if (strcmp(argv[i], "select_context") == 0) {
select_context = 1;
}
+ if (strcmp(argv[i], "use_current_range") == 0) {
+ use_current_range = 1;
+ }
}
-
+
if (debug)
pam_syslog(pamh, LOG_NOTICE, "Open Session");
+ if (select_context && use_current_range) {
+ pam_syslog(pamh, LOG_ERR, "select_context cannot be used with use_current_range");
+ select_context = 0;
+ }
+
/* this module is only supposed to execute close_session */
if (close_session)
return PAM_SUCCESS;
@@ -532,6 +541,51 @@
return PAM_SUCCESS;
}
}
+
+ if (use_current_range && is_selinux_mls_enabled()) {
+ security_context_t process_context=NULL;
+ if (getcon(&process_context) == 0) {
+ context_t pcon, ucon;
+ char *process_level=NULL;
+ security_context_t orig_context;
+
+ if (user_context)
+ orig_context = user_context;
+ else
+ orig_context = default_user_context;
+
+ pcon = context_new(process_context);
+ freecon(process_context);
+ process_level = strdup(context_range_get(pcon));
+ context_free(pcon);
+
+ if (debug)
+ pam_syslog (pamh, LOG_DEBUG, "process level=%s", process_level);
+
+ ucon = context_new(orig_context);
+
+ context_range_set(ucon, process_level);
+ free(process_level);
+
+ if (!mls_range_allowed(pamh, orig_context, context_str(ucon), debug)) {
+ send_text(pamh, _("Requested MLS level not in permitted range"), debug);
+ /* even if default_user_context is NULL audit that anyway */
+ send_audit_message(pamh, 0, default_user_context, context_str(ucon));
+ context_free(ucon);
+ return PAM_AUTH_ERR;
+ }
+
+ if (debug)
+ pam_syslog (pamh, LOG_DEBUG, "adjusted context=%s", context_str(ucon));
+
+ /* replace the user context with the level adjusted one */
+ freecon(user_context);
+ user_context = strdup(context_str(ucon));
+
+ context_free(ucon);
+ }
+ }
+
if (getexeccon(&prev_user_context)<0) {
prev_user_context=NULL;
}
--- Linux-PAM-0.99.6.2/modules/pam_selinux/pam_selinux.8.xml.range 2007-01-04 23:29:04.000000000 +0100
+++ Linux-PAM-0.99.6.2/modules/pam_selinux/pam_selinux.8.xml 2007-01-04 23:35:03.000000000 +0100
@@ -36,6 +36,9 @@
<arg choice="opt">
select_context
</arg>
+ <arg choice="opt">
+ use_current_range
+ </arg>
</cmdsynopsis>
</refsynopsisdiv>
@@ -132,6 +135,17 @@
</para>
</listitem>
</varlistentry>
+ <varlistentry>
+ <term>
+ <option>use_current_range</option>
+ </term>
+ <listitem>
+ <para>
+ Use the sensitivity range of the process for the user context.
+ This option and the select_context option are mutually exclusive.
+ </para>
+ </listitem>
+ </varlistentry>
</variablelist>
</refsect1>

11
pam-0.99.7.0-dbpam.patch
View File

@ -1,11 +0,0 @@
--- Linux-PAM-0.99.7.0/configure.in.dbpam 2007-01-19 07:39:09.000000000 -0500
+++ Linux-PAM-0.99.7.0/configure.in 2007-01-19 07:40:07.000000000 -0500
@@ -348,7 +348,7 @@
WITH_DB=$enableval, WITH_DB=yes)
if test x"$WITH_DB" != xno ; then
if test x"$WITH_DB" = xyes -o x"$WITH_DB" = xdb ; then
- AC_CHECK_LIB([db], [db_create], LIBDB="-ldb", LIBDB="")
+ AC_CHECK_LIB([db], [db_create_pam], LIBDB="-ldb", LIBDB="")
if test -z "$LIBDB" ; then
AC_CHECK_LIB([db], [dbm_store], LIBDB="-ldb", LIBDB="")
fi

250
pam-0.99.7.0-namespace-level.patch
View File

@ -1,250 +0,0 @@
--- Linux-PAM-0.99.7.0/modules/pam_namespace/pam_namespace.c.level 2007-01-19 08:33:11.000000000 -0500
+++ Linux-PAM-0.99.7.0/modules/pam_namespace/pam_namespace.c 2007-01-19 08:33:11.000000000 -0500
@@ -244,23 +244,29 @@
}
strcpy(poly.dir, dir);
strcpy(poly.instance_prefix, instance_prefix);
- if (strcmp(method, "user") == 0)
- poly.method = USER;
+
+ poly.method = NONE;
+ if (strcmp(method, "user") == 0)
+ poly.method = USER;
+
#ifdef WITH_SELINUX
- else if (strcmp(method, "context") == 0) {
+ if (strcmp(method, "level") == 0) {
if (idata->flags & PAMNS_CTXT_BASED_INST)
- poly.method = CONTEXT;
+ poly.method = LEVEL;
else
poly.method = USER;
- } else if (strcmp(method, "both") == 0) {
+ }
+
+ if (strcmp(method, "context") == 0) {
if (idata->flags & PAMNS_CTXT_BASED_INST)
- poly.method = BOTH;
+ poly.method = CONTEXT;
else
poly.method = USER;
}
#endif
- else {
+
+ if ( poly.method == NONE) {
pam_syslog(idata->pamh, LOG_NOTICE, "Illegal method");
goto skipping;
}
@@ -448,19 +454,23 @@
return PAM_SESSION_ERR;
}
+ if (polyptr->method == USER) return PAM_SUCCESS;
+
+ rc = getexeccon(&scon);
+ if (rc < 0 || scon == NULL) {
+ pam_syslog(idata->pamh, LOG_ERR,
+ "Error getting exec context, %m");
+ return PAM_SESSION_ERR;
+ }
+
/*
* If polyinstantiating based on security context, get current
* process security context, get security class for directories,
* and ask the policy to provide security context of the
* polyinstantiated instance directory.
*/
- if ((polyptr->method == CONTEXT) || (polyptr->method == BOTH)) {
- rc = getexeccon(&scon);
- if (rc < 0 || scon == NULL) {
- pam_syslog(idata->pamh, LOG_ERR,
- "Error getting exec context, %m");
- return PAM_SESSION_ERR;
- }
+
+ if (polyptr->method == CONTEXT) {
tclass = string_to_security_class("dir");
if (security_compute_member(scon, *origcon, tclass,
@@ -473,7 +483,48 @@
pam_syslog(idata->pamh, LOG_DEBUG,
"member context returned by policy %s", *i_context);
freecon(scon);
+ return PAM_SUCCESS;
}
+
+ /*
+ * If polyinstantiating based on security level, get current
+ * process security context, get security class for directories,
+ * and change the directories MLS Level to match process.
+ */
+
+ if (polyptr->method == LEVEL) {
+ context_t scontext = NULL;
+ context_t fcontext = NULL;
+ rc = PAM_SESSION_ERR;
+
+ scontext = context_new(scon);
+ if (! scontext) {
+ pam_syslog(idata->pamh, LOG_ERR, "out of memory");
+ goto fail;
+ }
+ fcontext = context_new(*origcon);
+ if (! fcontext) {
+ pam_syslog(idata->pamh, LOG_ERR, "out of memory");
+ goto fail;
+ }
+ if (context_range_set(fcontext, context_range_get(scontext)) != 0) {
+ pam_syslog(idata->pamh, LOG_ERR, "Unable to set MLS Componant of context");
+ goto fail;
+ }
+ *i_context=strdup(context_str(fcontext));
+ if (! *i_context) {
+ pam_syslog(idata->pamh, LOG_ERR, "out of memory");
+ goto fail;
+ }
+
+ rc = PAM_SUCCESS;
+ fail:
+ context_free(scontext);
+ context_free(fcontext);
+ freecon(scon);
+ return rc;
+ }
+ /* Should never get here */
return PAM_SUCCESS;
}
#endif
@@ -514,19 +565,14 @@
break;
#ifdef WITH_SELINUX
+ case LEVEL:
case CONTEXT:
- if (asprintf(i_name, "%s", *i_context) < 0) {
- *i_name = NULL;
- rc = PAM_SESSION_ERR;
- }
- break;
-
- case BOTH:
if (asprintf(i_name, "%s_%s", *i_context, idata->user) < 0) {
*i_name = NULL;
rc = PAM_SESSION_ERR;
}
break;
+
#endif /* WITH_SELINUX */
default:
@@ -1158,7 +1204,7 @@
#ifdef WITH_SELINUX
if (is_selinux_enabled())
idata.flags |= PAMNS_SELINUX_ENABLED;
- if (ctxt_based_inst_needed())
+ if (ctxt_based_inst_needed())
idata.flags |= PAMNS_CTXT_BASED_INST;
#endif
--- Linux-PAM-0.99.7.0/modules/pam_namespace/namespace.conf.level 2006-06-27 09:07:43.000000000 -0400
+++ Linux-PAM-0.99.7.0/modules/pam_namespace/namespace.conf 2007-01-19 08:33:11.000000000 -0500
@@ -4,12 +4,10 @@
#
# Uncommenting the following three lines will polyinstantiate
# /tmp, /var/tmp and user's home directories. /tmp and /var/tmp will
-# be polyinstantiated based on both security context as well as user
-# name, whereas home directory will be polyinstantiated based on
-# security context only. Polyinstantion will not be performed for
-# user root and adm for directories /tmp and /var/tmp, whereas home
-# directories will be polyinstantiated for all users. The user name
-# and/or context is appended to the instance prefix.
+# be polyinstantiated based on the MLS level part of the security context as well as user
+# name, Polyinstantion will not be performed for user root and adm for directories
+# /tmp and /var/tmp, whereas home directories will be polyinstantiated for all users.
+# The user name and context is appended to the instance prefix.
#
# Note that instance directories do not have to reside inside the
# polyinstantiated directory. In the examples below, instances of /tmp
@@ -25,6 +23,6 @@
# caution, as it will reduce security and isolation achieved by
# polyinstantiation.
#
-#/tmp /tmp-inst/ both root,adm
-#/var/tmp /var/tmp/tmp-inst/ both root,adm
-#$HOME $HOME/$USER.inst/inst- context
+#/tmp /tmp-inst/ level root,adm
+#/var/tmp /var/tmp/tmp-inst/ level root,adm
+#$HOME $HOME/$USER.inst/ level
--- Linux-PAM-0.99.7.0/modules/pam_namespace/pam_namespace.h.level 2007-01-19 08:33:11.000000000 -0500
+++ Linux-PAM-0.99.7.0/modules/pam_namespace/pam_namespace.h 2007-01-19 08:33:11.000000000 -0500
@@ -63,6 +63,7 @@
#ifdef WITH_SELINUX
#include <selinux/selinux.h>
+#include <selinux/context.h>
#endif
#ifndef CLONE_NEWNS
@@ -93,9 +94,10 @@
* or both
*/
enum polymethod {
+ NONE,
USER,
CONTEXT,
- BOTH,
+ LEVEL,
};
/*
--- Linux-PAM-0.99.7.0/modules/pam_namespace/namespace.conf.5.xml.level 2006-06-27 09:07:43.000000000 -0400
+++ Linux-PAM-0.99.7.0/modules/pam_namespace/namespace.conf.5.xml 2007-01-19 08:33:11.000000000 -0500
@@ -22,7 +22,7 @@
<para>
This module allows setup of private namespaces with polyinstantiated
directories. Directories can be polyinstantiated based on user name
- or, in the case of SELinux, user name, security context or both. If an
+ or, in the case of SELinux, user name, sensitivity level or complete security context. If an
executable script <filename>/etc/security/namespace.init</filename>
exists, it is used to initialize the namespace every time a new instance
directory is setup. The script receives the polyinstantiated
@@ -72,10 +72,10 @@
<para>
The third field, <replaceable>method</replaceable>, is the method
used for polyinstantiation. It can take 3 different values; "user"
- for polyinstantiation based on user name, "context" for
- polyinstantiation based on process security context, and "both"
- for polyinstantiation based on both user name and security context.
- Methods "context" and "both" are only available with SELinux. This
+ for polyinstantiation based on user name, "level" for
+ polyinstantiation based on process MLS level and user name, and "context" for
+ polyinstantiation based on process security context and user name
+ Methods "context" and "level" are only available with SELinux. This
field cannot be blank.
</para>
@@ -98,9 +98,9 @@
<literallayout>
# The following three lines will polyinstantiate /tmp,
# /var/tmp and user's home directories. /tmp and /var/tmp
- # will be polyinstantiated based on both security context
+ # will be polyinstantiated based on the security level
# as well as user name, whereas home directory will be
- # polyinstantiated based on security context only.
+ # polyinstantiated based on the full security context and user name.
# Polyinstantiation will not be performed for user root
# and adm for directories /tmp and /var/tmp, whereas home
# directories will be polyinstantiated for all users.
@@ -112,8 +112,8 @@
# will reside within the directories that are being
# polyinstantiated.
#
- /tmp /tmp-inst/ both root,adm
- /var/tmp /var/tmp/tmp-inst/ both root,adm
+ /tmp /tmp-inst/ level root,adm
+ /var/tmp /var/tmp/tmp-inst/ level root,adm
$HOME $HOME/$USER.inst/inst- context
</literallayout>

95
pam-0.99.7.0-namespace-no-unmount.patch
View File

@ -1,95 +0,0 @@
--- Linux-PAM-0.99.7.0/modules/pam_namespace/pam_namespace.c.no-unmount 2006-10-24 07:45:36.000000000 -0400
+++ Linux-PAM-0.99.7.0/modules/pam_namespace/pam_namespace.c 2007-01-19 08:08:58.000000000 -0500
@@ -1266,12 +1266,30 @@
idata.flags |= PAMNS_DEBUG;
if (strcmp(argv[i], "ignore_config_error") == 0)
idata.flags |= PAMNS_IGN_CONFIG_ERR;
+ if (strcmp(argv[i], "no_unmount_on_close") == 0)
+ idata.flags |= PAMNS_NO_UNMOUNT_ON_CLOSE;
}
if (idata.flags & PAMNS_DEBUG)
pam_syslog(idata.pamh, LOG_DEBUG, "close_session - start");
/*
+ * For certain trusted programs such as newrole, open session
+ * is called from a child process while the parent perfoms
+ * close session and pam end functions. For these commands
+ * pam_close_session should not perform the unmount of the
+ * polyinstantiatied directory because it will result in
+ * undoing of parents polyinstantiatiaion. These commands
+ * will invoke pam_namespace with the "no_unmount_on_close"
+ * argument.
+ */
+ if (idata.flags & PAMNS_NO_UNMOUNT_ON_CLOSE) {
+ if (idata.flags & PAMNS_DEBUG)
+ pam_syslog(idata.pamh, LOG_DEBUG, "close_session - sucessful");
+ return PAM_SUCCESS;
+ }
+
+ /*
* Lookup user and fill struct items
*/
retval = pam_get_item(idata.pamh, PAM_USER, (void*) &user_name );
--- Linux-PAM-0.99.7.0/modules/pam_namespace/pam_namespace.8.xml.no-unmount 2006-06-27 09:07:44.000000000 -0400
+++ Linux-PAM-0.99.7.0/modules/pam_namespace/pam_namespace.8.xml 2007-01-19 07:45:02.000000000 -0500
@@ -43,6 +43,9 @@
<arg choice="opt">
ignore_instance_parent_mode
</arg>
+ <arg choice="opt">
+ no_unmount_on_close
+ </arg>
</cmdsynopsis>
</refsynopsisdiv>
@@ -179,6 +182,22 @@
</listitem>
</varlistentry>
+ <varlistentry>
+ <term>
+ <option>no_unmount_on_close</option>
+ </term>
+ <listitem>
+ <para>
+ For certain trusted programs such as newrole, open session
+ is called from a child process while the parent perfoms
+ close session and pam end functions. For these commands
+ use this option to instruct pam_close_session to not
+ unmount the bind mounted polyinstantiated directory in the
+ parent.
+ </para>
+ </listitem>
+ </varlistentry>
+
</variablelist>
</refsect1>
--- Linux-PAM-0.99.7.0/modules/pam_namespace/README.xml.no-unmount 2006-06-28 03:22:43.000000000 -0400
+++ Linux-PAM-0.99.7.0/modules/pam_namespace/README.xml 2007-01-19 07:45:02.000000000 -0500
@@ -121,6 +121,14 @@
the restrictive mode of 000. Using this option, an administrator
can choose to ignore the mode of the instance parent.
+ no_unmount_on_close
+ For certain trusted programs such as newrole, open session
+ is called from a child process while the parent perfoms
+ close session and pam end functions. For these commands
+ use this option to instruct pam_close_session to not
+ unmount the bind mounted polyinstantiated directory in the
+ parent.
+
MODULE SERVICES PROVIDED:
session open_session and close_session
--- Linux-PAM-0.99.7.0/modules/pam_namespace/pam_namespace.h.no-unmount 2006-07-28 07:59:28.000000000 -0400
+++ Linux-PAM-0.99.7.0/modules/pam_namespace/pam_namespace.h 2007-01-19 07:45:02.000000000 -0500
@@ -86,6 +86,7 @@
#define PAMNS_GEN_HASH 0x00002000 /* Generate md5 hash for inst names */
#define PAMNS_IGN_CONFIG_ERR 0x00004000 /* Ignore format error in conf file */
#define PAMNS_IGN_INST_PARENT_MODE 0x00008000 /* Ignore instance parent mode */
+#define PAMNS_NO_UNMOUNT_ON_CLOSE 0x00010000 /* no unmount at session close */
/*
* Polyinstantiation method options, based on user, security context

125
pam-0.99.7.0-namespace-unmnt-override.patch
View File

@ -1,125 +0,0 @@
--- Linux-PAM-0.99.7.0/modules/pam_namespace/pam_namespace.c.unmnt-override 2007-01-22 14:06:31.000000000 +0100
+++ Linux-PAM-0.99.7.0/modules/pam_namespace/pam_namespace.c 2007-01-23 16:41:57.000000000 +0100
@@ -417,17 +417,18 @@
* uids for the polyinstantiated directory, polyinstantiation is not
* performed for that user for that directory.
*/
-static int ns_override(struct polydir_s *polyptr, struct instance_data *idata)
+static int ns_override(struct polydir_s *polyptr, struct instance_data *idata,
+ uid_t uid)
{
unsigned int i;
if (idata->flags & PAMNS_DEBUG)
pam_syslog(idata->pamh, LOG_DEBUG,
"Checking for ns override in dir %s for uid %d",
- polyptr->dir, idata->uid);
+ polyptr->dir, uid);
for (i = 0; i < polyptr->num_uids; i++) {
- if (idata->uid == polyptr->uid[i]) {
+ if (uid == polyptr->uid[i]) {
return 1;
}
}
@@ -1013,21 +1014,46 @@
int retval = 0, need_poly = 0, changing_dir = 0;
char *cptr, *fptr, poly_parent[PATH_MAX];
struct polydir_s *pptr;
+ uid_t req_uid;
+ const void *ruser_name;
+ struct passwd *pwd;
if (idata->flags & PAMNS_DEBUG)
pam_syslog(idata->pamh, LOG_DEBUG, "Set up namespace for pid %d",
getpid());
+ retval = pam_get_item(idata->pamh, PAM_RUSER, &ruser_name);
+ if (ruser_name == NULL || retval != PAM_SUCCESS) {
+ retval = PAM_SUCCESS;
+ req_uid = getuid();
+ } else {
+ pwd = pam_modutil_getpwnam(idata->pamh, ruser_name);
+ if (pwd != NULL) {
+ req_uid = pwd->pw_uid;
+ } else {
+ req_uid = getuid();
+ }
+ }
+
/*
* Cycle through all polyinstantiated directory entries to see if
* polyinstantiation is needed at all.
*/
for (pptr = idata->polydirs_ptr; pptr; pptr = pptr->next) {
- if (ns_override(pptr, idata)) {
- if (idata->flags & PAMNS_DEBUG)
- pam_syslog(idata->pamh, LOG_DEBUG,
+ if (ns_override(pptr, idata, idata->uid)) {
+ if (unmnt == NO_UNMNT || ns_override(pptr, idata, req_uid)) {
+ if (idata->flags & PAMNS_DEBUG)
+ pam_syslog(idata->pamh, LOG_DEBUG,
"Overriding poly for user %d for dir %s",
idata->uid, pptr->dir);
+ } else {
+ if (idata->flags & PAMNS_DEBUG)
+ pam_syslog(idata->pamh, LOG_DEBUG,
+ "Need unmount ns for user %d for dir %s",
+ idata->uid, pptr->dir);
+ need_poly = 1;
+ break;
+ }
continue;
} else {
if (idata->flags & PAMNS_DEBUG)
@@ -1057,15 +1083,20 @@
* call ns_setup to setup polyinstantiation for a particular entry.
*/
for (pptr = idata->polydirs_ptr; pptr; pptr = pptr->next) {
- if (ns_override(pptr, idata))
- continue;
- else {
- if (idata->flags & PAMNS_DEBUG)
+ enum unmnt_op dir_unmnt = unmnt;
+ if (ns_override(pptr, idata, idata->uid)) {
+ if (unmnt == NO_UNMNT || ns_override(pptr, idata, req_uid)) {
+ continue;
+ } else {
+ dir_unmnt = UNMNT_ONLY;
+ }
+ }
+ if (idata->flags & PAMNS_DEBUG)
pam_syslog(idata->pamh, LOG_DEBUG,
"Setting poly ns for user %d for dir %s",
idata->uid, pptr->dir);
- if ((unmnt == UNMNT_REMNT) || (unmnt == UNMNT_ONLY)) {
+ if ((dir_unmnt == UNMNT_REMNT) || (dir_unmnt == UNMNT_ONLY)) {
/*
* Check to see if process current directory is in the
* bind mounted instance_parent directory that we are trying to
@@ -1105,13 +1136,12 @@
} else if (idata->flags & PAMNS_DEBUG)
pam_syslog(idata->pamh, LOG_DEBUG, "Umount succeeded %s",
pptr->dir);
- }
+ }
- if (unmnt != UNMNT_ONLY) {
+ if (dir_unmnt != UNMNT_ONLY) {
retval = ns_setup(pptr, idata);
if (retval != PAM_SUCCESS)
break;
- }
}
}
@@ -1138,7 +1168,7 @@
* appropriate polyinstantiated instance directories.
*/
for (pptr = idata->polydirs_ptr; pptr; pptr = pptr->next) {
- if (ns_override(pptr, idata))
+ if (ns_override(pptr, idata, idata->uid))
continue;
else {
if (idata->flags & PAMNS_DEBUG)

20
pam-0.99.7.1-namespace-unknown-user.patch
View File

@ -1,20 +0,0 @@
--- Linux-PAM-0.99.7.1/modules/pam_namespace/pam_namespace.c.unknown-user 2007-04-13 17:12:40.000000000 +0200
+++ Linux-PAM-0.99.7.1/modules/pam_namespace/pam_namespace.c 2007-04-13 18:11:57.000000000 +0200
@@ -302,11 +302,14 @@
*tptr = '\0';
pwd = pam_modutil_getpwnam(idata->pamh, ustr);
- *uidptr = pwd->pw_uid;
- if (i < count - 1) {
- ustr = tptr + 1;
+ if (pwd == NULL) {
+ pam_syslog(idata->pamh, LOG_ERR, "Unknown user %s in configuration", ustr);
+ poly.num_uids--;
+ } else {
+ *uidptr = pwd->pw_uid;
uidptr++;
}
+ ustr = tptr + 1;
}
}

16
pam-0.99.7.1-unix-allow-pwmodify.patch
View File

@ -1,16 +0,0 @@
--- Linux-PAM-0.99.7.1/modules/pam_unix/pam_unix_passwd.c.pwmodify 2006-12-20 12:08:59.000000000 +0100
+++ Linux-PAM-0.99.7.1/modules/pam_unix/pam_unix_passwd.c 2007-02-21 21:01:48.000000000 +0100
@@ -1077,13 +1077,6 @@
user);
return PAM_USER_UNKNOWN;
}
- if (!_unix_shadowed(pwd) &&
- (strchr(pwd->pw_passwd, '*') != NULL)) {
- pam_syslog(pamh, LOG_DEBUG,
- "user \"%s\" does not have modifiable password",
- user);
- return PAM_USER_UNKNOWN;
- }
}
/*

126
pam-0.99.7.1-unix-bigcrypt.patch
View File

@ -1,126 +0,0 @@
--- Linux-PAM-0.99.7.1/modules/pam_unix/support.c.bigcrypt 2007-01-23 10:41:21.000000000 +0100
+++ Linux-PAM-0.99.7.1/modules/pam_unix/support.c 2007-06-01 15:11:51.000000000 +0200
@@ -679,7 +679,7 @@
}
}
} else {
- int salt_len = strlen(salt);
+ size_t salt_len = strlen(salt);
if (!salt_len) {
/* the stored password is NULL */
if (off(UNIX__NONULL, ctrl)) {/* this means we've succeeded */
@@ -689,19 +689,19 @@
D(("user has empty password - access denied"));
retval = PAM_AUTH_ERR;
}
- } else if (!p || (*salt == '*')) {
+ } else if (!p || *salt == '*' || *salt == '!') {
retval = PAM_AUTH_ERR;
} else {
if (!strncmp(salt, "$1$", 3)) {
pp = Goodcrypt_md5(p, salt);
- if (strcmp(pp, salt) != 0) {
+ if (pp && strcmp(pp, salt) != 0) {
_pam_delete(pp);
pp = Brokencrypt_md5(p, salt);
}
} else if (*salt != '$' && salt_len >= 13) {
pp = bigcrypt(p, salt);
- if (strlen(pp) > salt_len) {
- pp[salt_len] = '\0';
+ if (pp && salt_len == 13 && strlen(pp) > salt_len) {
+ _pam_overwrite(pp + salt_len);
}
} else {
/*
@@ -715,7 +715,7 @@
/* the moment of truth -- do we agree with the password? */
D(("comparing state of pp[%s] and salt[%s]", pp, salt));
- if (strcmp(pp, salt) == 0) {
+ if (pp && strcmp(pp, salt) == 0) {
retval = PAM_SUCCESS;
} else {
retval = PAM_AUTH_ERR;
--- Linux-PAM-0.99.7.1/modules/pam_unix/unix_chkpwd.c.bigcrypt 2006-10-24 12:01:49.000000000 +0200
+++ Linux-PAM-0.99.7.1/modules/pam_unix/unix_chkpwd.c 2007-06-01 15:08:46.000000000 +0200
@@ -144,7 +144,7 @@
char *salt = NULL;
char *pp = NULL;
int retval = PAM_AUTH_ERR;
- int salt_len;
+ size_t salt_len;
/* UNIX passwords area */
setpwent();
@@ -189,6 +189,8 @@
return (nullok == 0) ? PAM_AUTH_ERR : PAM_SUCCESS;
}
if (p == NULL || strlen(p) == 0) {
+ _pam_overwrite(salt);
+ _pam_drop(salt);
return PAM_AUTHTOK_ERR;
}
@@ -196,11 +198,13 @@
retval = PAM_AUTH_ERR;
if (!strncmp(salt, "$1$", 3)) {
pp = Goodcrypt_md5(p, salt);
- if (strcmp(pp, salt) == 0) {
+ if (pp && strcmp(pp, salt) == 0) {
retval = PAM_SUCCESS;
} else {
+ _pam_overwrite(pp);
+ _pam_drop(pp);
pp = Brokencrypt_md5(p, salt);
- if (strcmp(pp, salt) == 0)
+ if (pp && strcmp(pp, salt) == 0)
retval = PAM_SUCCESS;
}
} else if (*salt == '$') {
@@ -209,10 +213,10 @@
* libcrypt nows about it? We should try it.
*/
pp = x_strdup (crypt(p, salt));
- if (strcmp(pp, salt) == 0) {
+ if (pp && strcmp(pp, salt) == 0) {
retval = PAM_SUCCESS;
}
- } else if ((*salt == '*') || (salt_len < 13)) {
+ } else if (*salt == '*' || *salt == '!' || salt_len < 13) {
retval = PAM_AUTH_ERR;
} else {
pp = bigcrypt(p, salt);
@@ -223,24 +227,21 @@
* have been truncated for storage relative to the output
* of bigcrypt here. As such we need to compare only the
* stored string with the subset of bigcrypt's result.
- * Bug 521314: the strncmp comparison is for legacy support.
+ * Bug 521314.
*/
- if (strncmp(pp, salt, salt_len) == 0) {
+ if (pp && salt_len == 13 && strlen(pp) > salt_len) {
+ _pam_overwrite(pp+salt_len);
+ }
+
+ if (pp && strcmp(pp, salt) == 0) {
retval = PAM_SUCCESS;
}
}
p = NULL; /* no longer needed here */
/* clean up */
- {
- char *tp = pp;
- if (pp != NULL) {
- while (tp && *tp)
- *tp++ = '\0';
- free(pp);
- }
- pp = tp = NULL;
- }
+ _pam_overwrite(pp);
+ _pam_drop(pp);
return retval;
}

11
pam-0.99.8.1-dbpam.patch Normal file
View File

@ -0,0 +1,11 @@
--- Linux-PAM-0.99.8.1/configure.in.dbpam 2007-07-23 13:59:20.000000000 +0200
+++ Linux-PAM-0.99.8.1/configure.in 2007-07-23 14:06:54.000000000 +0200
@@ -355,7 +355,7 @@
AC_HELP_STRING([--with-db-uniquename=extension],[Unique name for db libraries and functions.]))
if test x"$WITH_DB" != xno ; then
if test x"$WITH_DB" = xyes -o x"$WITH_DB" = xdb ; then
- AC_CHECK_LIB([db$with_db_uniquename], [db_create$with_db_uniquename], LIBDB="-ldb$with_db_uniquename", LIBDB="")
+ AC_CHECK_LIB([db], [db_create$with_db_uniquename], LIBDB="-ldb", LIBDB="")
if test -z "$LIBDB" ; then
AC_CHECK_LIB([db$with_db_uniquename], [dbm_store$with_db_uniquename], LIBDB="-ldb$with_db_uniquename", LIBDB="")
fi

59
pam-0.99.7.1-unix-update-helper.patch → pam-0.99.8.1-unix-update-helper.patch
View File

@ -1,5 +1,5 @@
--- /dev/null 2007-05-28 11:10:34.936447748 +0200 --- /dev/null 2007-07-08 21:11:04.052436262 +0200
+++ Linux-PAM-0.99.7.1/modules/pam_unix/passupdate.c 2007-06-01 15:13:57.000000000 +0200 +++ Linux-PAM-0.99.8.1/modules/pam_unix/passupdate.c 2007-07-23 13:40:56.000000000 +0200
@@ -0,0 +1,560 @@ @@ -0,0 +1,560 @@
+/* +/*
+ * Main coding by Elliot Lee <sopwith@redhat.com>, Red Hat Software. + * Main coding by Elliot Lee <sopwith@redhat.com>, Red Hat Software.
@ -561,8 +561,8 @@
+ return PAM_AUTHTOK_ERR; + return PAM_AUTHTOK_ERR;
+ } + }
+} +}
--- Linux-PAM-0.99.7.1/modules/pam_unix/pam_unix_acct.c.update-helper 2006-06-27 10:38:14.000000000 +0200 --- Linux-PAM-0.99.8.1/modules/pam_unix/pam_unix_acct.c.update-helper 2006-06-27 10:38:14.000000000 +0200
+++ Linux-PAM-0.99.7.1/modules/pam_unix/pam_unix_acct.c 2007-06-01 15:13:57.000000000 +0200 +++ Linux-PAM-0.99.8.1/modules/pam_unix/pam_unix_acct.c 2007-07-23 13:40:56.000000000 +0200
@@ -124,11 +124,11 @@ @@ -124,11 +124,11 @@
} }
@ -621,8 +621,8 @@
} else if (_unix_shadowed (pwent)) } else if (_unix_shadowed (pwent))
spent = pam_modutil_getspnam (pamh, uname); spent = pam_modutil_getspnam (pamh, uname);
else else
--- Linux-PAM-0.99.7.1/modules/pam_unix/pam_unix_passwd.c.update-helper 2007-06-01 15:13:57.000000000 +0200 --- Linux-PAM-0.99.8.1/modules/pam_unix/pam_unix_passwd.c.update-helper 2007-04-30 12:47:30.000000000 +0200
+++ Linux-PAM-0.99.7.1/modules/pam_unix/pam_unix_passwd.c 2007-06-01 15:13:57.000000000 +0200 +++ Linux-PAM-0.99.8.1/modules/pam_unix/pam_unix_passwd.c 2007-07-23 13:54:55.000000000 +0200
@@ -2,6 +2,7 @@ @@ -2,6 +2,7 @@
* Main coding by Elliot Lee <sopwith@redhat.com>, Red Hat Software. * Main coding by Elliot Lee <sopwith@redhat.com>, Red Hat Software.
* Copyright (C) 1996. * Copyright (C) 1996.
@ -838,7 +838,7 @@
static int check_old_password(const char *forwho, const char *newpass) static int check_old_password(const char *forwho, const char *newpass)
{ {
static char buf[16384]; static char buf[16384];
@@ -353,392 +335,6 @@ @@ -354,393 +336,6 @@
return retval; return retval;
} }
@ -921,11 +921,12 @@
- -
- while (fgets(buf, 16380, opwfile)) { - while (fgets(buf, 16380, opwfile)) {
- if (!strncmp(buf, forwho, strlen(forwho))) { - if (!strncmp(buf, forwho, strlen(forwho))) {
- char *sptr;
- buf[strlen(buf) - 1] = '\0'; - buf[strlen(buf) - 1] = '\0';
- s_luser = strtok(buf, ":"); - s_luser = strtok_r(buf, ":", &sptr);
- s_uid = strtok(NULL, ":"); - s_uid = strtok_r(NULL, ":", &sptr);
- s_npas = strtok(NULL, ":"); - s_npas = strtok_r(NULL, ":", &sptr);
- s_pas = strtok(NULL, ":"); - s_pas = strtok_r(NULL, ":", &sptr);
- npas = strtol(s_npas, NULL, 10) + 1; - npas = strtol(s_npas, NULL, 10) + 1;
- while (npas > howmany) { - while (npas > howmany) {
- s_pas = strpbrk(s_pas, ","); - s_pas = strpbrk(s_pas, ",");
@ -1231,7 +1232,7 @@
static int _do_setpass(pam_handle_t* pamh, const char *forwho, static int _do_setpass(pam_handle_t* pamh, const char *forwho,
const char *fromwhat, const char *fromwhat,
char *towhat, unsigned int ctrl, int remember) char *towhat, unsigned int ctrl, int remember)
@@ -767,7 +363,7 @@ @@ -769,7 +364,7 @@
/* Unlock passwd file to avoid deadlock */ /* Unlock passwd file to avoid deadlock */
#ifdef USE_LCKPWDF #ifdef USE_LCKPWDF
@ -1240,7 +1241,7 @@
#endif #endif
unlocked = 1; unlocked = 1;
@@ -830,33 +426,22 @@ @@ -832,33 +427,22 @@
if (_unix_comesfromsource(pamh, forwho, 1, 0)) { if (_unix_comesfromsource(pamh, forwho, 1, 0)) {
#ifdef USE_LCKPWDF #ifdef USE_LCKPWDF
if(unlocked) { if(unlocked) {
@ -1280,7 +1281,7 @@
if (retval == PAM_SUCCESS) if (retval == PAM_SUCCESS)
if (!_unix_shadowed(pwd)) if (!_unix_shadowed(pwd))
retval = _update_passwd(pamh, forwho, "x"); retval = _update_passwd(pamh, forwho, "x");
@@ -868,7 +453,7 @@ @@ -870,7 +454,7 @@
done: done:
#ifdef USE_LCKPWDF #ifdef USE_LCKPWDF
@ -1289,7 +1290,7 @@
#endif #endif
return retval; return retval;
@@ -889,13 +474,17 @@ @@ -891,13 +475,17 @@
if (_unix_shadowed(pwd)) { if (_unix_shadowed(pwd)) {
/* ...and shadow password file entry for this user, if shadowing /* ...and shadow password file entry for this user, if shadowing
is enabled */ is enabled */
@ -1313,7 +1314,7 @@
#endif #endif
if (spwdent == NULL) if (spwdent == NULL)
return PAM_AUTHINFO_UNAVAIL; return PAM_AUTHINFO_UNAVAIL;
@@ -1018,7 +607,7 @@ @@ -1020,7 +608,7 @@
int argc, const char **argv) int argc, const char **argv)
{ {
unsigned int ctrl, lctrl; unsigned int ctrl, lctrl;
@ -1322,7 +1323,7 @@
int remember = -1; int remember = -1;
/* <DO NOT free() THESE> */ /* <DO NOT free() THESE> */
@@ -1238,49 +827,40 @@ @@ -1240,49 +828,40 @@
return retval; return retval;
} }
#ifdef USE_LCKPWDF #ifdef USE_LCKPWDF
@ -1383,7 +1384,7 @@
#endif #endif
return retval; return retval;
} }
@@ -1324,7 +904,7 @@ @@ -1326,7 +905,7 @@
"out of memory for password"); "out of memory for password");
pass_new = pass_old = NULL; /* tidy up */ pass_new = pass_old = NULL; /* tidy up */
#ifdef USE_LCKPWDF #ifdef USE_LCKPWDF
@ -1392,7 +1393,7 @@
#endif #endif
return PAM_BUF_ERR; return PAM_BUF_ERR;
} }
@@ -1347,7 +927,7 @@ @@ -1349,7 +928,7 @@
retval = _do_setpass(pamh, user, pass_old, tpass, ctrl, retval = _do_setpass(pamh, user, pass_old, tpass, ctrl,
remember); remember);
@ -1401,8 +1402,8 @@
_pam_delete(tpass); _pam_delete(tpass);
pass_old = pass_new = NULL; pass_old = pass_new = NULL;
--- /dev/null 2007-05-28 11:10:34.936447748 +0200 --- /dev/null 2007-07-08 21:11:04.052436262 +0200
+++ Linux-PAM-0.99.7.1/modules/pam_unix/passverify.h 2007-06-01 15:13:57.000000000 +0200 +++ Linux-PAM-0.99.8.1/modules/pam_unix/passverify.h 2007-07-23 13:40:56.000000000 +0200
@@ -0,0 +1,60 @@ @@ -0,0 +1,60 @@
+/* +/*
+ * This program is designed to run setuid(root) or with sufficient + * This program is designed to run setuid(root) or with sufficient
@ -1464,8 +1465,8 @@
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED + * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE. + * OF THE POSSIBILITY OF SUCH DAMAGE.
+ */ + */
--- Linux-PAM-0.99.7.1/modules/pam_unix/unix_chkpwd.c.update-helper 2007-06-01 15:13:57.000000000 +0200 --- Linux-PAM-0.99.8.1/modules/pam_unix/unix_chkpwd.c.update-helper 2007-03-12 15:35:14.000000000 +0100
+++ Linux-PAM-0.99.7.1/modules/pam_unix/unix_chkpwd.c 2007-06-01 15:16:00.000000000 +0200 +++ Linux-PAM-0.99.8.1/modules/pam_unix/unix_chkpwd.c 2007-07-23 13:40:56.000000000 +0200
@@ -41,386 +41,7 @@ @@ -41,386 +41,7 @@
#include "md5.h" #include "md5.h"
@ -1928,8 +1929,8 @@
* *
* Redistribution and use in source and binary forms, with or without * Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions * modification, are permitted provided that the following conditions
--- /dev/null 2007-05-28 11:10:34.936447748 +0200 --- /dev/null 2007-07-08 21:11:04.052436262 +0200
+++ Linux-PAM-0.99.7.1/modules/pam_unix/unix_update.c 2007-06-01 15:13:57.000000000 +0200 +++ Linux-PAM-0.99.8.1/modules/pam_unix/unix_update.c 2007-07-23 13:40:56.000000000 +0200
@@ -0,0 +1,262 @@ @@ -0,0 +1,262 @@
+/* +/*
+ * This program is designed to run setuid(root) or with sufficient + * This program is designed to run setuid(root) or with sufficient
@ -2193,8 +2194,8 @@
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED + * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE. + * OF THE POSSIBILITY OF SUCH DAMAGE.
+ */ + */
--- /dev/null 2007-05-28 11:10:34.936447748 +0200 --- /dev/null 2007-07-08 21:11:04.052436262 +0200
+++ Linux-PAM-0.99.7.1/modules/pam_unix/passverify.c 2007-06-01 15:13:57.000000000 +0200 +++ Linux-PAM-0.99.8.1/modules/pam_unix/passverify.c 2007-07-23 13:40:56.000000000 +0200
@@ -0,0 +1,308 @@ @@ -0,0 +1,308 @@
+/* +/*
+ * This program is designed to run setuid(root) or with sufficient + * This program is designed to run setuid(root) or with sufficient
@ -2504,8 +2505,8 @@
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED + * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE. + * OF THE POSSIBILITY OF SUCH DAMAGE.
+ */ + */
--- Linux-PAM-0.99.7.1/modules/pam_unix/Makefile.am.update-helper 2006-12-18 19:50:50.000000000 +0100 --- Linux-PAM-0.99.8.1/modules/pam_unix/Makefile.am.update-helper 2006-12-18 19:50:50.000000000 +0100
+++ Linux-PAM-0.99.7.1/modules/pam_unix/Makefile.am 2007-06-01 15:15:04.000000000 +0200 +++ Linux-PAM-0.99.8.1/modules/pam_unix/Makefile.am 2007-07-23 13:40:56.000000000 +0200
@@ -16,7 +16,8 @@ @@ -16,7 +16,8 @@
secureconfdir = $(SCONFIGDIR) secureconfdir = $(SCONFIGDIR)

61
pam.spec
View File

@ -6,12 +6,12 @@
%define pwdb_version 0.62 %define pwdb_version 0.62
%define db_version 4.5.20 %define db_version 4.5.20
%define db_conflicting_version 4.6.0 %define db_conflicting_version 4.6.0
%define pam_redhat_version 0.99.7-1 %define pam_redhat_version 0.99.8-1
Summary: A security tool which provides authentication for applications Summary: A security tool which provides authentication for applications
Name: pam Name: pam
Version: 0.99.7.1 Version: 0.99.8.1
Release: 6%{?dist} Release: 1%{?dist}
License: GPL or BSD License: GPL or BSD
Group: System Environment/Base Group: System Environment/Base
Source0: http://ftp.us.kernel.org/pub/linux/libs/pam/pre/library/Linux-PAM-%{version}.tar.bz2 Source0: http://ftp.us.kernel.org/pub/linux/libs/pam/pre/library/Linux-PAM-%{version}.tar.bz2
@ -27,27 +27,12 @@ Source10: config-util.5
Patch1: pam-0.99.7.0-redhat-modules.patch Patch1: pam-0.99.7.0-redhat-modules.patch
Patch2: pam-0.99.7.1-console-more-displays.patch Patch2: pam-0.99.7.1-console-more-displays.patch
Patch3: pam-0.99.7.1-console-decrement.patch Patch3: pam-0.99.7.1-console-decrement.patch
Patch22: pam-0.99.7.1-unix-allow-pwmodify.patch Patch4: pam-0.99.8.1-dbpam.patch
Patch23: pam-0.99.7.1-unix-bigcrypt.patch Patch24: pam-0.99.8.1-unix-update-helper.patch
Patch24: pam-0.99.7.1-unix-update-helper.patch
Patch25: pam-0.99.7.1-unix-hpux-aging.patch Patch25: pam-0.99.7.1-unix-hpux-aging.patch
Patch34: pam-0.99.7.0-dbpam.patch Patch31: pam-0.99.3.0-cracklib-try-first-pass.patch
Patch70: pam-0.99.2.1-selinux-nofail.patch Patch32: pam-0.99.3.0-tally-fail-close.patch
Patch80: pam-0.99.6.2-selinux-drop-multiple.patch Patch40: pam-0.99.7.1-namespace-temp-logon.patch
Patch81: pam-0.99.3.0-cracklib-try-first-pass.patch
Patch82: pam-0.99.3.0-tally-fail-close.patch
Patch84: pam-0.99.6.2-selinux-keycreate.patch
Patch86: pam-0.99.7.0-namespace-no-unmount.patch
Patch87: pam-0.99.6.2-namespace-preserve-uid.patch
Patch92: pam-0.99.6.2-selinux-select-context.patch
Patch93: pam-0.99.7.0-namespace-level.patch
Patch94: pam-0.99.7.0-namespace-unmnt-override.patch
Patch95: pam-0.99.6.2-selinux-use-current-range.patch
Patch96: pam-0.99.6.2-namespace-dirnames.patch
Patch97: pam-0.99.7.1-namespace-unknown-user.patch
Patch98: pam-0.99.6.2-selinux-audit-context.patch
Patch99: pam-0.99.6.2-namespace-docfix.patch
Patch100: pam-0.99.7.1-namespace-temp-logon.patch
BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n) BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n)
Requires: cracklib, cracklib-dicts >= 2.8 Requires: cracklib, cracklib-dicts >= 2.8
@ -103,27 +88,12 @@ cp %{SOURCE7} .
%patch1 -p1 -b .redhat-modules %patch1 -p1 -b .redhat-modules
%patch2 -p1 -b .displays %patch2 -p1 -b .displays
%patch3 -p1 -b .decrement %patch3 -p1 -b .decrement
%patch22 -p1 -b .pwmodify %patch4 -p1 -b .dbpam
%patch23 -p1 -b .bigcrypt
%patch24 -p1 -b .update-helper %patch24 -p1 -b .update-helper
%patch25 -p1 -b .unix-hpux-aging %patch25 -p1 -b .unix-hpux-aging
%patch34 -p1 -b .dbpam %patch31 -p1 -b .try-first-pass
%patch70 -p1 -b .nofail %patch32 -p1 -b .fail-close
%patch80 -p1 -b .drop-multiple %patch40 -p1 -b .temp-logon
%patch81 -p1 -b .try-first-pass
%patch82 -p1 -b .fail-close
%patch84 -p1 -b .keycreate
%patch86 -p1 -b .no-unmount
%patch87 -p1 -b .preserve-uid
%patch92 -p1 -b .select-context
%patch93 -p1 -b .level
%patch94 -p1 -b .unmnt-override
%patch95 -p1 -b .range
%patch96 -p1 -b .dirnames
%patch97 -p1 -b .unknown-user
%patch98 -p1 -b .audit-context
%patch99 -p1 -b .docfix
%patch100 -p1 -b .temp-logon
autoreconf autoreconf
@ -162,7 +132,8 @@ LDFLAGS=-L${topdir}/%{_lib} ; export LDFLAGS
%configure \ %configure \
--libdir=/%{_lib} \ --libdir=/%{_lib} \
--includedir=%{_includedir}/security \ --includedir=%{_includedir}/security \
--enable-isadir=../../%{_lib}/security --enable-isadir=../../%{_lib}/security \
--with-db-uniquename=_pam
make make
%install %install
@ -413,6 +384,10 @@ fi
%doc doc/adg/*.txt doc/adg/html %doc doc/adg/*.txt doc/adg/html
%changelog %changelog
* Mon Jul 23 2007 Tomas Mraz <tmraz@redhat.com> 0.99.8.1-1
- upgrade to latest upstream version
- add some firewire devices to default console perms (#240770)
* Thu Apr 26 2007 Tomas Mraz <tmraz@redhat.com> 0.99.7.1-6 * Thu Apr 26 2007 Tomas Mraz <tmraz@redhat.com> 0.99.7.1-6
- pam_namespace: better document behavior on failure (#237249) - pam_namespace: better document behavior on failure (#237249)
- pam_unix: split out passwd change to a new helper binary (#236316) - pam_unix: split out passwd change to a new helper binary (#236316)

4
sources
View File

@ -1,3 +1,3 @@
b0f1c777708cb8e9d37fb47e7ed3312d db-4.5.20.tar.gz b0f1c777708cb8e9d37fb47e7ed3312d db-4.5.20.tar.gz
66845048120c71205bd3363264f2bfe7 pam-redhat-0.99.7-1.tar.bz2 2a23dc703b550223206021ff03b1e434 pam-redhat-0.99.8-1.tar.bz2
385458dfb4633071594e255a6ebec9da Linux-PAM-0.99.7.1.tar.bz2 a6472db4afe13850cb401922211bba4e Linux-PAM-0.99.8.1.tar.bz2