Minor security and bugfix updates
- fix CVE-2014-2583: potential path traversal issue in pam_timestamp - fix CVE-2013-7041: use case sensitive comparison in pam_userdb - be tolerant to corrupted opasswd file
This commit is contained in:
parent
1634393187
commit
6ccbfce566
@ -1,146 +0,0 @@
|
|||||||
diff -up Linux-PAM-1.1.6/modules/pam_mkhomedir/pam_mkhomedir.c.std-noclose Linux-PAM-1.1.6/modules/pam_mkhomedir/pam_mkhomedir.c
|
|
||||||
--- Linux-PAM-1.1.6/modules/pam_mkhomedir/pam_mkhomedir.c.std-noclose 2012-08-15 13:08:43.000000000 +0200
|
|
||||||
+++ Linux-PAM-1.1.6/modules/pam_mkhomedir/pam_mkhomedir.c 2013-04-24 13:11:14.768817086 +0200
|
|
||||||
@@ -35,6 +35,7 @@
|
|
||||||
#include <sys/time.h>
|
|
||||||
#include <sys/resource.h>
|
|
||||||
#include <sys/wait.h>
|
|
||||||
+#include <fcntl.h>
|
|
||||||
#include <unistd.h>
|
|
||||||
#include <pwd.h>
|
|
||||||
#include <errno.h>
|
|
||||||
@@ -133,13 +134,21 @@ create_homedir (pam_handle_t *pamh, opti
|
|
||||||
if (child == 0) {
|
|
||||||
int i;
|
|
||||||
struct rlimit rlim;
|
|
||||||
+ int dummyfds[2];
|
|
||||||
static char *envp[] = { NULL };
|
|
||||||
char *args[] = { NULL, NULL, NULL, NULL, NULL };
|
|
||||||
|
|
||||||
+ /* replace std file descriptors with a dummy pipe */
|
|
||||||
+ if (pipe2(dummyfds, O_NONBLOCK) == 0) {
|
|
||||||
+ dup2(dummyfds[0], STDIN_FILENO);
|
|
||||||
+ dup2(dummyfds[1], STDOUT_FILENO);
|
|
||||||
+ dup2(dummyfds[1], STDERR_FILENO);
|
|
||||||
+ }
|
|
||||||
+
|
|
||||||
if (getrlimit(RLIMIT_NOFILE, &rlim)==0) {
|
|
||||||
if (rlim.rlim_max >= MAX_FD_NO)
|
|
||||||
rlim.rlim_max = MAX_FD_NO;
|
|
||||||
- for (i=0; i < (int)rlim.rlim_max; i++) {
|
|
||||||
+ for (i = STDERR_FILENO + 1; i < (int)rlim.rlim_max; i++) {
|
|
||||||
close(i);
|
|
||||||
}
|
|
||||||
}
|
|
||||||
diff -up Linux-PAM-1.1.6/modules/pam_unix/pam_unix_acct.c.std-noclose Linux-PAM-1.1.6/modules/pam_unix/pam_unix_acct.c
|
|
||||||
--- Linux-PAM-1.1.6/modules/pam_unix/pam_unix_acct.c.std-noclose 2012-08-15 13:08:43.000000000 +0200
|
|
||||||
+++ Linux-PAM-1.1.6/modules/pam_unix/pam_unix_acct.c 2013-04-24 13:12:17.105990961 +0200
|
|
||||||
@@ -39,6 +39,7 @@
|
|
||||||
#include <stdlib.h>
|
|
||||||
#include <stdio.h>
|
|
||||||
#include <string.h>
|
|
||||||
+#include <fcntl.h>
|
|
||||||
#include <unistd.h>
|
|
||||||
#include <sys/types.h>
|
|
||||||
#include <sys/resource.h>
|
|
||||||
@@ -100,21 +101,26 @@ int _unix_run_verify_binary(pam_handle_t
|
|
||||||
if (child == 0) {
|
|
||||||
int i=0;
|
|
||||||
struct rlimit rlim;
|
|
||||||
+ int dummyfds[2];
|
|
||||||
static char *envp[] = { NULL };
|
|
||||||
char *args[] = { NULL, NULL, NULL, NULL };
|
|
||||||
|
|
||||||
/* reopen stdout as pipe */
|
|
||||||
dup2(fds[1], STDOUT_FILENO);
|
|
||||||
|
|
||||||
+ /* replace std file descriptors with a dummy pipe */
|
|
||||||
+ if (pipe2(dummyfds, O_NONBLOCK) == 0) {
|
|
||||||
+ dup2(dummyfds[0], STDIN_FILENO);
|
|
||||||
+ dup2(dummyfds[1], STDERR_FILENO);
|
|
||||||
+ }
|
|
||||||
+
|
|
||||||
/* XXX - should really tidy up PAM here too */
|
|
||||||
|
|
||||||
if (getrlimit(RLIMIT_NOFILE,&rlim)==0) {
|
|
||||||
if (rlim.rlim_max >= MAX_FD_NO)
|
|
||||||
rlim.rlim_max = MAX_FD_NO;
|
|
||||||
- for (i=0; i < (int)rlim.rlim_max; i++) {
|
|
||||||
- if (i != STDOUT_FILENO) {
|
|
||||||
- close(i);
|
|
||||||
- }
|
|
||||||
+ for (i = STDERR_FILENO + 1; i < (int)rlim.rlim_max; i++) {
|
|
||||||
+ close(i);
|
|
||||||
}
|
|
||||||
}
|
|
||||||
|
|
||||||
diff -up Linux-PAM-1.1.6/modules/pam_unix/pam_unix_passwd.c.std-noclose Linux-PAM-1.1.6/modules/pam_unix/pam_unix_passwd.c
|
|
||||||
--- Linux-PAM-1.1.6/modules/pam_unix/pam_unix_passwd.c.std-noclose 2012-08-15 13:08:43.000000000 +0200
|
|
||||||
+++ Linux-PAM-1.1.6/modules/pam_unix/pam_unix_passwd.c 2013-04-23 17:13:49.047499806 +0200
|
|
||||||
@@ -202,6 +202,7 @@ static int _unix_run_update_binary(pam_h
|
|
||||||
if (child == 0) {
|
|
||||||
int i=0;
|
|
||||||
struct rlimit rlim;
|
|
||||||
+ int dummyfds[2];
|
|
||||||
static char *envp[] = { NULL };
|
|
||||||
char *args[] = { NULL, NULL, NULL, NULL, NULL, NULL };
|
|
||||||
char buffer[16];
|
|
||||||
@@ -211,11 +212,17 @@ static int _unix_run_update_binary(pam_h
|
|
||||||
/* reopen stdin as pipe */
|
|
||||||
dup2(fds[0], STDIN_FILENO);
|
|
||||||
|
|
||||||
+ /* replace std file descriptors with a dummy pipe */
|
|
||||||
+ if (pipe2(dummyfds, O_NONBLOCK) == 0) {
|
|
||||||
+ dup2(dummyfds[1], STDOUT_FILENO);
|
|
||||||
+ dup2(dummyfds[1], STDERR_FILENO);
|
|
||||||
+ }
|
|
||||||
+
|
|
||||||
if (getrlimit(RLIMIT_NOFILE,&rlim)==0) {
|
|
||||||
if (rlim.rlim_max >= MAX_FD_NO)
|
|
||||||
rlim.rlim_max = MAX_FD_NO;
|
|
||||||
- for (i=0; i < (int)rlim.rlim_max; i++) {
|
|
||||||
- if (i != STDIN_FILENO)
|
|
||||||
+ for (i = STDERR_FILENO + 1; i < (int)rlim.rlim_max; i++) {
|
|
||||||
+ if (i != dummyfds[0])
|
|
||||||
close(i);
|
|
||||||
}
|
|
||||||
}
|
|
||||||
diff -up Linux-PAM-1.1.6/modules/pam_unix/support.c.std-noclose Linux-PAM-1.1.6/modules/pam_unix/support.c
|
|
||||||
--- Linux-PAM-1.1.6/modules/pam_unix/support.c.std-noclose 2012-08-15 13:08:43.000000000 +0200
|
|
||||||
+++ Linux-PAM-1.1.6/modules/pam_unix/support.c 2013-04-24 13:12:42.893064361 +0200
|
|
||||||
@@ -5,6 +5,7 @@
|
|
||||||
#include "config.h"
|
|
||||||
|
|
||||||
#include <stdlib.h>
|
|
||||||
+#include <fcntl.h>
|
|
||||||
#include <unistd.h>
|
|
||||||
#include <stdarg.h>
|
|
||||||
#include <stdio.h>
|
|
||||||
@@ -462,6 +463,7 @@ static int _unix_run_helper_binary(pam_h
|
|
||||||
if (child == 0) {
|
|
||||||
int i=0;
|
|
||||||
struct rlimit rlim;
|
|
||||||
+ int dummyfds[2];
|
|
||||||
static char *envp[] = { NULL };
|
|
||||||
char *args[] = { NULL, NULL, NULL, NULL };
|
|
||||||
|
|
||||||
@@ -470,11 +472,17 @@ static int _unix_run_helper_binary(pam_h
|
|
||||||
/* reopen stdin as pipe */
|
|
||||||
dup2(fds[0], STDIN_FILENO);
|
|
||||||
|
|
||||||
+ /* replace std file descriptors with a dummy pipe */
|
|
||||||
+ if (pipe2(dummyfds, O_NONBLOCK) == 0) {
|
|
||||||
+ dup2(dummyfds[1], STDOUT_FILENO);
|
|
||||||
+ dup2(dummyfds[1], STDERR_FILENO);
|
|
||||||
+ }
|
|
||||||
+
|
|
||||||
if (getrlimit(RLIMIT_NOFILE,&rlim)==0) {
|
|
||||||
if (rlim.rlim_max >= MAX_FD_NO)
|
|
||||||
rlim.rlim_max = MAX_FD_NO;
|
|
||||||
- for (i=0; i < (int)rlim.rlim_max; i++) {
|
|
||||||
- if (i != STDIN_FILENO)
|
|
||||||
+ for (i = STDERR_FILENO + 1; i < (int)rlim.rlim_max; i++) {
|
|
||||||
+ if (i != dummyfds[0])
|
|
||||||
close(i);
|
|
||||||
}
|
|
||||||
}
|
|
@ -1,48 +0,0 @@
|
|||||||
diff -up Linux-PAM-1.1.7/modules/pam_tty_audit/pam_tty_audit.c.tty-audit-init Linux-PAM-1.1.7/modules/pam_tty_audit/pam_tty_audit.c
|
|
||||||
--- Linux-PAM-1.1.7/modules/pam_tty_audit/pam_tty_audit.c.tty-audit-init 2013-08-28 10:53:40.000000000 +0200
|
|
||||||
+++ Linux-PAM-1.1.7/modules/pam_tty_audit/pam_tty_audit.c 2013-10-04 14:51:19.944994905 +0200
|
|
||||||
@@ -36,6 +36,7 @@
|
|
||||||
USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH
|
|
||||||
DAMAGE. */
|
|
||||||
|
|
||||||
+#include "config.h"
|
|
||||||
#include <errno.h>
|
|
||||||
#include <fnmatch.h>
|
|
||||||
#include <stdlib.h>
|
|
||||||
@@ -108,7 +109,7 @@ nl_recv (int fd, unsigned type, void *bu
|
|
||||||
struct msghdr msg;
|
|
||||||
struct nlmsghdr nlm;
|
|
||||||
struct iovec iov[2];
|
|
||||||
- ssize_t res;
|
|
||||||
+ ssize_t res, resdiff;
|
|
||||||
|
|
||||||
again:
|
|
||||||
iov[0].iov_base = &nlm;
|
|
||||||
@@ -160,12 +161,17 @@ nl_recv (int fd, unsigned type, void *bu
|
|
||||||
res = recvmsg (fd, &msg, 0);
|
|
||||||
if (res == -1)
|
|
||||||
return -1;
|
|
||||||
- if ((size_t)res != NLMSG_LENGTH (size)
|
|
||||||
+ resdiff = NLMSG_LENGTH(size) - (size_t)res;
|
|
||||||
+ if (resdiff < 0
|
|
||||||
|| nlm.nlmsg_type != type)
|
|
||||||
{
|
|
||||||
errno = EIO;
|
|
||||||
return -1;
|
|
||||||
}
|
|
||||||
+ else if (resdiff > 0)
|
|
||||||
+ {
|
|
||||||
+ memset((char *)buf + size - resdiff, 0, resdiff);
|
|
||||||
+ }
|
|
||||||
return 0;
|
|
||||||
}
|
|
||||||
|
|
||||||
@@ -275,6 +281,8 @@ pam_sm_open_session (pam_handle_t *pamh,
|
|
||||||
return PAM_SESSION_ERR;
|
|
||||||
}
|
|
||||||
|
|
||||||
+ memcpy(&new_status, old_status, sizeof(new_status));
|
|
||||||
+
|
|
||||||
new_status.enabled = (command == CMD_ENABLE ? 1 : 0);
|
|
||||||
#ifdef HAVE_STRUCT_AUDIT_TTY_STATUS_LOG_PASSWD
|
|
||||||
new_status.log_passwd = log_passwd;
|
|
@ -1,435 +0,0 @@
|
|||||||
From 0d29e379601819c7f7ed8de18b54de803a9f4049 Mon Sep 17 00:00:00 2001
|
|
||||||
From: Tomas Mraz <tmraz@fedoraproject.org>
|
|
||||||
Date: Fri, 5 Sep 2014 09:09:37 +0200
|
|
||||||
Subject: [PATCH] Add grantor field to audit records of libpam.
|
|
||||||
|
|
||||||
The grantor field gives audit trail of PAM modules which granted access
|
|
||||||
for successful return from libpam calls. In case of failed return
|
|
||||||
the grantor field is set to '?'.
|
|
||||||
libpam/pam_account.c (pam_acct_mgmt): Remove _pam_auditlog() call.
|
|
||||||
libpam/pam_auth.c (pam_authenticate, pam_setcred): Likewise.
|
|
||||||
libpam/pam_password.c (pam_chauthtok): Likewise.
|
|
||||||
libpam/pam_session.c (pam_open_session, pam_close_session): Likewise.
|
|
||||||
libpam/pam_audit.c (_pam_audit_writelog): Add grantors parameter,
|
|
||||||
add grantor= field to the message if grantors is set.
|
|
||||||
(_pam_list_grantors): New function creating the string with grantors list.
|
|
||||||
(_pam_auditlog): Add struct handler pointer parameter, call _pam_list_grantors()
|
|
||||||
to list the grantors from the handler list.
|
|
||||||
(_pam_audit_end): Add NULL handler parameter to _pam_auditlog() call.
|
|
||||||
(pam_modutil_audit_write): Add NULL grantors parameter to _pam_audit_writelog().
|
|
||||||
libpam/pam_dispatch.c (_pam_dispatch_aux): Set h->grantor where appropriate.
|
|
||||||
(_pam_clear_grantors): New function to clear grantor field of handler.
|
|
||||||
(_pam_dispatch): Call _pam_clear_grantors() before executing the stack.
|
|
||||||
Call _pam_auditlog() when appropriate.
|
|
||||||
libpam/pam_handlers.c (extract_modulename): Do not allow empty module name
|
|
||||||
or just "?" to avoid confusing audit trail.
|
|
||||||
(_pam_add_handler): Test for NULL return from extract_modulename().
|
|
||||||
Clear grantor field of handler.
|
|
||||||
libpam/pam_private.h: Add grantor field to struct handler, add handler pointer
|
|
||||||
parameter to _pam_auditlog().
|
|
||||||
---
|
|
||||||
libpam/pam_account.c | 4 ---
|
|
||||||
libpam/pam_audit.c | 84 +++++++++++++++++++++++++++++++++++++++++++--------
|
|
||||||
libpam/pam_auth.c | 8 -----
|
|
||||||
libpam/pam_dispatch.c | 41 ++++++++++++++++++++-----
|
|
||||||
libpam/pam_handlers.c | 14 +++++++--
|
|
||||||
libpam/pam_password.c | 4 ---
|
|
||||||
libpam/pam_private.h | 3 +-
|
|
||||||
libpam/pam_session.c | 7 -----
|
|
||||||
8 files changed, 119 insertions(+), 46 deletions(-)
|
|
||||||
|
|
||||||
diff --git a/libpam/pam_account.c b/libpam/pam_account.c
|
|
||||||
index 572acc4..3a4fb1f 100644
|
|
||||||
--- a/libpam/pam_account.c
|
|
||||||
+++ b/libpam/pam_account.c
|
|
||||||
@@ -19,9 +19,5 @@ int pam_acct_mgmt(pam_handle_t *pamh, int flags)
|
|
||||||
|
|
||||||
retval = _pam_dispatch(pamh, flags, PAM_ACCOUNT);
|
|
||||||
|
|
||||||
-#ifdef HAVE_LIBAUDIT
|
|
||||||
- retval = _pam_auditlog(pamh, PAM_ACCOUNT, retval, flags);
|
|
||||||
-#endif
|
|
||||||
-
|
|
||||||
return retval;
|
|
||||||
}
|
|
||||||
diff --git a/libpam/pam_audit.c b/libpam/pam_audit.c
|
|
||||||
index 531746a..24fb799 100644
|
|
||||||
--- a/libpam/pam_audit.c
|
|
||||||
+++ b/libpam/pam_audit.c
|
|
||||||
@@ -6,12 +6,12 @@
|
|
||||||
Authors:
|
|
||||||
Steve Grubb <sgrubb@redhat.com> */
|
|
||||||
|
|
||||||
-#include <stdio.h>
|
|
||||||
-#include <syslog.h>
|
|
||||||
#include "pam_private.h"
|
|
||||||
#include "pam_modutil_private.h"
|
|
||||||
|
|
||||||
#ifdef HAVE_LIBAUDIT
|
|
||||||
+#include <stdio.h>
|
|
||||||
+#include <syslog.h>
|
|
||||||
#include <libaudit.h>
|
|
||||||
#include <pwd.h>
|
|
||||||
#include <netdb.h>
|
|
||||||
@@ -25,17 +25,24 @@
|
|
||||||
|
|
||||||
static int
|
|
||||||
_pam_audit_writelog(pam_handle_t *pamh, int audit_fd, int type,
|
|
||||||
- const char *message, int retval)
|
|
||||||
+ const char *message, const char *grantors, int retval)
|
|
||||||
{
|
|
||||||
static int old_errno = -1;
|
|
||||||
- int rc;
|
|
||||||
- char buf[32];
|
|
||||||
+ int rc = -ENOMEM;
|
|
||||||
+ char *buf;
|
|
||||||
+ const char *grantors_field = " grantors=";
|
|
||||||
|
|
||||||
- snprintf(buf, sizeof(buf), "PAM:%s", message);
|
|
||||||
+ if (grantors == NULL) {
|
|
||||||
+ grantors = "";
|
|
||||||
+ grantors_field = "";
|
|
||||||
+ }
|
|
||||||
|
|
||||||
- rc = audit_log_acct_message (audit_fd, type, NULL, buf,
|
|
||||||
- (retval != PAM_USER_UNKNOWN && pamh->user) ? pamh->user : "?",
|
|
||||||
- -1, pamh->rhost, NULL, pamh->tty, retval == PAM_SUCCESS );
|
|
||||||
+ if (asprintf(&buf, "PAM:%s%s%s", message, grantors_field, grantors) >= 0) {
|
|
||||||
+ rc = audit_log_acct_message(audit_fd, type, NULL, buf,
|
|
||||||
+ (retval != PAM_USER_UNKNOWN && pamh->user) ? pamh->user : "?",
|
|
||||||
+ -1, pamh->rhost, NULL, pamh->tty, retval == PAM_SUCCESS);
|
|
||||||
+ free(buf);
|
|
||||||
+ }
|
|
||||||
|
|
||||||
/* libaudit sets errno to his own negative error code. This can be
|
|
||||||
an official errno number, but must not. It can also be a audit
|
|
||||||
@@ -78,12 +85,54 @@ _pam_audit_open(pam_handle_t *pamh)
|
|
||||||
return audit_fd;
|
|
||||||
}
|
|
||||||
|
|
||||||
+static int
|
|
||||||
+_pam_list_grantors(struct handler *hlist, int retval, char **list)
|
|
||||||
+{
|
|
||||||
+ *list = NULL;
|
|
||||||
+
|
|
||||||
+ if (retval == PAM_SUCCESS) {
|
|
||||||
+ struct handler *h;
|
|
||||||
+ char *p = NULL;
|
|
||||||
+ size_t len = 0;
|
|
||||||
+
|
|
||||||
+ for (h = hlist; h != NULL; h = h->next) {
|
|
||||||
+ if (h->grantor) {
|
|
||||||
+ len += strlen(h->mod_name) + 1;
|
|
||||||
+ }
|
|
||||||
+ }
|
|
||||||
+
|
|
||||||
+ if (len == 0) {
|
|
||||||
+ return 0;
|
|
||||||
+ }
|
|
||||||
+
|
|
||||||
+ *list = malloc(len);
|
|
||||||
+ if (*list == NULL) {
|
|
||||||
+ return -1;
|
|
||||||
+ }
|
|
||||||
+
|
|
||||||
+ for (h = hlist; h != NULL; h = h->next) {
|
|
||||||
+ if (h->grantor) {
|
|
||||||
+ if (p == NULL) {
|
|
||||||
+ p = *list;
|
|
||||||
+ } else {
|
|
||||||
+ p = stpcpy(p, ",");
|
|
||||||
+ }
|
|
||||||
+
|
|
||||||
+ p = stpcpy(p, h->mod_name);
|
|
||||||
+ }
|
|
||||||
+ }
|
|
||||||
+ }
|
|
||||||
+
|
|
||||||
+ return 0;
|
|
||||||
+}
|
|
||||||
+
|
|
||||||
int
|
|
||||||
-_pam_auditlog(pam_handle_t *pamh, int action, int retval, int flags)
|
|
||||||
+_pam_auditlog(pam_handle_t *pamh, int action, int retval, int flags, struct handler *h)
|
|
||||||
{
|
|
||||||
const char *message;
|
|
||||||
int type;
|
|
||||||
int audit_fd;
|
|
||||||
+ char *grantors;
|
|
||||||
|
|
||||||
if ((audit_fd=_pam_audit_open(pamh)) == -1) {
|
|
||||||
return PAM_SYSTEM_ERR;
|
|
||||||
@@ -134,8 +183,17 @@ _pam_auditlog(pam_handle_t *pamh, int action, int retval, int flags)
|
|
||||||
retval = PAM_SYSTEM_ERR;
|
|
||||||
}
|
|
||||||
|
|
||||||
- if (_pam_audit_writelog(pamh, audit_fd, type, message, retval) < 0)
|
|
||||||
+ if (_pam_list_grantors(h, retval, &grantors) < 0) {
|
|
||||||
+ /* allocation failure */
|
|
||||||
+ pam_syslog(pamh, LOG_CRIT, "_pam_list_grantors() failed: %m");
|
|
||||||
retval = PAM_SYSTEM_ERR;
|
|
||||||
+ }
|
|
||||||
+
|
|
||||||
+ if (_pam_audit_writelog(pamh, audit_fd, type, message,
|
|
||||||
+ grantors ? grantors : "?", retval) < 0)
|
|
||||||
+ retval = PAM_SYSTEM_ERR;
|
|
||||||
+
|
|
||||||
+ free(grantors);
|
|
||||||
|
|
||||||
audit_close(audit_fd);
|
|
||||||
return retval;
|
|
||||||
@@ -149,7 +207,7 @@ _pam_audit_end(pam_handle_t *pamh, int status UNUSED)
|
|
||||||
* stacks having been run. Assume that this is sshd faking
|
|
||||||
* things for an unknown user.
|
|
||||||
*/
|
|
||||||
- _pam_auditlog(pamh, _PAM_ACTION_DONE, PAM_USER_UNKNOWN, 0);
|
|
||||||
+ _pam_auditlog(pamh, _PAM_ACTION_DONE, PAM_USER_UNKNOWN, 0, NULL);
|
|
||||||
}
|
|
||||||
|
|
||||||
return 0;
|
|
||||||
@@ -168,7 +226,7 @@ pam_modutil_audit_write(pam_handle_t *pamh, int type,
|
|
||||||
return retval;
|
|
||||||
}
|
|
||||||
|
|
||||||
- rc = _pam_audit_writelog(pamh, audit_fd, type, message, retval);
|
|
||||||
+ rc = _pam_audit_writelog(pamh, audit_fd, type, message, NULL, retval);
|
|
||||||
|
|
||||||
audit_close(audit_fd);
|
|
||||||
|
|
||||||
diff --git a/libpam/pam_auth.c b/libpam/pam_auth.c
|
|
||||||
index 5984fa5..1e7bc6e 100644
|
|
||||||
--- a/libpam/pam_auth.c
|
|
||||||
+++ b/libpam/pam_auth.c
|
|
||||||
@@ -45,10 +45,6 @@ int pam_authenticate(pam_handle_t *pamh, int flags)
|
|
||||||
prelude_send_alert(pamh, retval);
|
|
||||||
#endif
|
|
||||||
|
|
||||||
-#ifdef HAVE_LIBAUDIT
|
|
||||||
- retval = _pam_auditlog(pamh, PAM_AUTHENTICATE, retval, flags);
|
|
||||||
-#endif
|
|
||||||
-
|
|
||||||
return retval;
|
|
||||||
}
|
|
||||||
|
|
||||||
@@ -71,10 +67,6 @@ int pam_setcred(pam_handle_t *pamh, int flags)
|
|
||||||
|
|
||||||
retval = _pam_dispatch(pamh, flags, PAM_SETCRED);
|
|
||||||
|
|
||||||
-#ifdef HAVE_LIBAUDIT
|
|
||||||
- retval = _pam_auditlog(pamh, PAM_SETCRED, retval, flags);
|
|
||||||
-#endif
|
|
||||||
-
|
|
||||||
D(("pam_setcred exit"));
|
|
||||||
|
|
||||||
return retval;
|
|
||||||
diff --git a/libpam/pam_dispatch.c b/libpam/pam_dispatch.c
|
|
||||||
index eb52c82..cf632e8 100644
|
|
||||||
--- a/libpam/pam_dispatch.c
|
|
||||||
+++ b/libpam/pam_dispatch.c
|
|
||||||
@@ -217,8 +217,14 @@ static int _pam_dispatch_aux(pam_handle_t *pamh, int flags, struct handler *h,
|
|
||||||
status = retval;
|
|
||||||
}
|
|
||||||
}
|
|
||||||
- if ( impression == _PAM_POSITIVE && action == _PAM_ACTION_DONE ) {
|
|
||||||
- goto decision_made;
|
|
||||||
+ if ( impression == _PAM_POSITIVE ) {
|
|
||||||
+ if ( retval == PAM_SUCCESS ) {
|
|
||||||
+ h->grantor = 1;
|
|
||||||
+ }
|
|
||||||
+
|
|
||||||
+ if ( action == _PAM_ACTION_DONE ) {
|
|
||||||
+ goto decision_made;
|
|
||||||
+ }
|
|
||||||
}
|
|
||||||
break;
|
|
||||||
|
|
||||||
@@ -262,6 +268,9 @@ static int _pam_dispatch_aux(pam_handle_t *pamh, int flags, struct handler *h,
|
|
||||||
|| (impression == _PAM_POSITIVE
|
|
||||||
&& status == PAM_SUCCESS) ) {
|
|
||||||
if ( retval != PAM_IGNORE || cached_retval == retval ) {
|
|
||||||
+ if ( impression == _PAM_UNDEF && retval == PAM_SUCCESS ) {
|
|
||||||
+ h->grantor = 1;
|
|
||||||
+ }
|
|
||||||
impression = _PAM_POSITIVE;
|
|
||||||
status = retval;
|
|
||||||
}
|
|
||||||
@@ -308,6 +317,13 @@ decision_made: /* by getting here we have made a decision */
|
|
||||||
return status;
|
|
||||||
}
|
|
||||||
|
|
||||||
+static void _pam_clear_grantors(struct handler *h)
|
|
||||||
+{
|
|
||||||
+ for (; h != NULL; h = h->next) {
|
|
||||||
+ h->grantor = 0;
|
|
||||||
+ }
|
|
||||||
+}
|
|
||||||
+
|
|
||||||
/*
|
|
||||||
* This function translates the module dispatch request into a pointer
|
|
||||||
* to the stack of modules that will actually be run. the
|
|
||||||
@@ -318,21 +334,21 @@ decision_made: /* by getting here we have made a decision */
|
|
||||||
int _pam_dispatch(pam_handle_t *pamh, int flags, int choice)
|
|
||||||
{
|
|
||||||
struct handler *h = NULL;
|
|
||||||
- int retval, use_cached_chain;
|
|
||||||
+ int retval = PAM_SYSTEM_ERR, use_cached_chain;
|
|
||||||
_pam_boolean resumed;
|
|
||||||
|
|
||||||
IF_NO_PAMH("_pam_dispatch", pamh, PAM_SYSTEM_ERR);
|
|
||||||
|
|
||||||
if (__PAM_FROM_MODULE(pamh)) {
|
|
||||||
D(("called from a module!?"));
|
|
||||||
- return PAM_SYSTEM_ERR;
|
|
||||||
+ goto end;
|
|
||||||
}
|
|
||||||
|
|
||||||
/* Load all modules, resolve all symbols */
|
|
||||||
|
|
||||||
if ((retval = _pam_init_handlers(pamh)) != PAM_SUCCESS) {
|
|
||||||
pam_syslog(pamh, LOG_ERR, "unable to dispatch function");
|
|
||||||
- return retval;
|
|
||||||
+ goto end;
|
|
||||||
}
|
|
||||||
|
|
||||||
use_cached_chain = _PAM_PLEASE_FREEZE;
|
|
||||||
@@ -360,7 +376,8 @@ int _pam_dispatch(pam_handle_t *pamh, int flags, int choice)
|
|
||||||
break;
|
|
||||||
default:
|
|
||||||
pam_syslog(pamh, LOG_ERR, "undefined fn choice; %d", choice);
|
|
||||||
- return PAM_ABORT;
|
|
||||||
+ retval = PAM_ABORT;
|
|
||||||
+ goto end;
|
|
||||||
}
|
|
||||||
|
|
||||||
if (h == NULL) { /* there was no handlers.conf... entry; will use
|
|
||||||
@@ -393,11 +410,13 @@ int _pam_dispatch(pam_handle_t *pamh, int flags, int choice)
|
|
||||||
pam_syslog(pamh, LOG_ERR,
|
|
||||||
"application failed to re-exec stack [%d:%d]",
|
|
||||||
pamh->former.choice, choice);
|
|
||||||
- return PAM_ABORT;
|
|
||||||
+ retval = PAM_ABORT;
|
|
||||||
+ goto end;
|
|
||||||
}
|
|
||||||
resumed = PAM_TRUE;
|
|
||||||
} else {
|
|
||||||
resumed = PAM_FALSE;
|
|
||||||
+ _pam_clear_grantors(h);
|
|
||||||
}
|
|
||||||
|
|
||||||
__PAM_TO_MODULE(pamh);
|
|
||||||
@@ -417,5 +436,13 @@ int _pam_dispatch(pam_handle_t *pamh, int flags, int choice)
|
|
||||||
pamh->former.choice = PAM_NOT_STACKED;
|
|
||||||
}
|
|
||||||
|
|
||||||
+end:
|
|
||||||
+
|
|
||||||
+#ifdef HAVE_LIBAUDIT
|
|
||||||
+ if (choice != PAM_CHAUTHTOK || flags & PAM_UPDATE_AUTHTOK || retval != PAM_SUCCESS) {
|
|
||||||
+ retval = _pam_auditlog(pamh, choice, retval, flags, h);
|
|
||||||
+ }
|
|
||||||
+#endif
|
|
||||||
+
|
|
||||||
return retval;
|
|
||||||
}
|
|
||||||
diff --git a/libpam/pam_handlers.c b/libpam/pam_handlers.c
|
|
||||||
index 02714f7..df3a1d9 100644
|
|
||||||
--- a/libpam/pam_handlers.c
|
|
||||||
+++ b/libpam/pam_handlers.c
|
|
||||||
@@ -611,6 +611,12 @@ extract_modulename(const char *mod_path)
|
|
||||||
if (dot)
|
|
||||||
*dot = '\0';
|
|
||||||
|
|
||||||
+ if (*retval == '\0' || strcmp(retval, "?") == 0) {
|
|
||||||
+ /* do not allow empty module name or "?" to avoid confusing audit trail */
|
|
||||||
+ _pam_drop(retval);
|
|
||||||
+ return NULL;
|
|
||||||
+ }
|
|
||||||
+
|
|
||||||
return retval;
|
|
||||||
}
|
|
||||||
|
|
||||||
@@ -888,7 +894,9 @@ int _pam_add_handler(pam_handle_t *pamh
|
|
||||||
(*handler_p)->cached_retval_p = &((*handler_p)->cached_retval);
|
|
||||||
(*handler_p)->argc = argc;
|
|
||||||
(*handler_p)->argv = argv; /* not a copy */
|
|
||||||
- (*handler_p)->mod_name = extract_modulename(mod_path);
|
|
||||||
+ if (((*handler_p)->mod_name = extract_modulename(mod_path)) == NULL)
|
|
||||||
+ return PAM_ABORT;
|
|
||||||
+ (*handler_p)->grantor = 0;
|
|
||||||
(*handler_p)->next = NULL;
|
|
||||||
|
|
||||||
/* some of the modules have a second calling function */
|
|
||||||
@@ -920,7 +928,9 @@ int _pam_add_handler(pam_handle_t *pamh
|
|
||||||
} else {
|
|
||||||
(*handler_p2)->argv = NULL; /* no arguments */
|
|
||||||
}
|
|
||||||
- (*handler_p2)->mod_name = extract_modulename(mod_path);
|
|
||||||
+ if (((*handler_p2)->mod_name = extract_modulename(mod_path)) == NULL)
|
|
||||||
+ return PAM_ABORT;
|
|
||||||
+ (*handler_p2)->grantor = 0;
|
|
||||||
(*handler_p2)->next = NULL;
|
|
||||||
}
|
|
||||||
|
|
||||||
diff --git a/libpam/pam_password.c b/libpam/pam_password.c
|
|
||||||
index 75db5e5..592e01f 100644
|
|
||||||
--- a/libpam/pam_password.c
|
|
||||||
+++ b/libpam/pam_password.c
|
|
||||||
@@ -57,9 +57,5 @@ int pam_chauthtok(pam_handle_t *pamh, int flags)
|
|
||||||
D(("will resume when ready", retval));
|
|
||||||
}
|
|
||||||
|
|
||||||
-#ifdef HAVE_LIBAUDIT
|
|
||||||
- retval = _pam_auditlog(pamh, PAM_CHAUTHTOK, retval, flags);
|
|
||||||
-#endif
|
|
||||||
-
|
|
||||||
return retval;
|
|
||||||
}
|
|
||||||
diff --git a/libpam/pam_private.h b/libpam/pam_private.h
|
|
||||||
index 134dc72..d93283c 100644
|
|
||||||
--- a/libpam/pam_private.h
|
|
||||||
+++ b/libpam/pam_private.h
|
|
||||||
@@ -55,6 +55,7 @@ struct handler {
|
|
||||||
struct handler *next;
|
|
||||||
char *mod_name;
|
|
||||||
int stack_level;
|
|
||||||
+ int grantor;
|
|
||||||
};
|
|
||||||
|
|
||||||
#define PAM_HT_MODULE 0
|
|
||||||
@@ -316,7 +317,7 @@ if ((pamh) == NULL) { \
|
|
||||||
do { (pamh)->caller_is = _PAM_CALLED_FROM_APP; } while (0)
|
|
||||||
|
|
||||||
#ifdef HAVE_LIBAUDIT
|
|
||||||
-extern int _pam_auditlog(pam_handle_t *pamh, int action, int retval, int flags);
|
|
||||||
+extern int _pam_auditlog(pam_handle_t *pamh, int action, int retval, int flags, struct handler *h);
|
|
||||||
extern int _pam_audit_end(pam_handle_t *pamh, int pam_status);
|
|
||||||
#endif
|
|
||||||
|
|
||||||
diff --git a/libpam/pam_session.c b/libpam/pam_session.c
|
|
||||||
index 512153f..cb393c1 100644
|
|
||||||
--- a/libpam/pam_session.c
|
|
||||||
+++ b/libpam/pam_session.c
|
|
||||||
@@ -22,9 +22,6 @@ int pam_open_session(pam_handle_t *pamh, int flags)
|
|
||||||
}
|
|
||||||
retval = _pam_dispatch(pamh, flags, PAM_OPEN_SESSION);
|
|
||||||
|
|
||||||
-#ifdef HAVE_LIBAUDIT
|
|
||||||
- retval = _pam_auditlog(pamh, PAM_OPEN_SESSION, retval, flags);
|
|
||||||
-#endif
|
|
||||||
return retval;
|
|
||||||
}
|
|
||||||
|
|
||||||
@@ -43,10 +40,6 @@ int pam_close_session(pam_handle_t *pamh, int flags)
|
|
||||||
|
|
||||||
retval = _pam_dispatch(pamh, flags, PAM_CLOSE_SESSION);
|
|
||||||
|
|
||||||
-#ifdef HAVE_LIBAUDIT
|
|
||||||
- retval = _pam_auditlog(pamh, PAM_CLOSE_SESSION, retval, flags);
|
|
||||||
-#endif
|
|
||||||
-
|
|
||||||
return retval;
|
|
||||||
|
|
||||||
}
|
|
||||||
--
|
|
||||||
1.8.3.1
|
|
||||||
|
|
@ -1,21 +0,0 @@
|
|||||||
diff -up Linux-PAM-1.1.8/modules/pam_selinux/pam_selinux.c.canonicalize Linux-PAM-1.1.8/modules/pam_selinux/pam_selinux.c
|
|
||||||
--- Linux-PAM-1.1.8/modules/pam_selinux/pam_selinux.c.canonicalize 2013-06-18 16:11:21.000000000 +0200
|
|
||||||
+++ Linux-PAM-1.1.8/modules/pam_selinux/pam_selinux.c 2014-03-06 12:03:54.429639972 +0100
|
|
||||||
@@ -491,12 +491,17 @@ compute_exec_context(pam_handle_t *pamh,
|
|
||||||
char *level = NULL;
|
|
||||||
security_context_t *contextlist = NULL;
|
|
||||||
int num_contexts = 0;
|
|
||||||
+ const struct passwd *pwd;
|
|
||||||
|
|
||||||
if (!(username = get_item(pamh, PAM_USER))) {
|
|
||||||
pam_syslog(pamh, LOG_ERR, "Cannot obtain the user name");
|
|
||||||
return PAM_USER_UNKNOWN;
|
|
||||||
}
|
|
||||||
|
|
||||||
+ if ((pwd = pam_modutil_getpwnam(pamh, username)) != NULL) {
|
|
||||||
+ username = pwd->pw_name;
|
|
||||||
+ } /* ignore error and keep using original username */
|
|
||||||
+
|
|
||||||
/* compute execute context */
|
|
||||||
#ifdef HAVE_GETSEUSER
|
|
||||||
if (!(service = get_item(pamh, PAM_SERVICE))) {
|
|
@ -1,52 +0,0 @@
|
|||||||
From 57a1e2b274d0a6376d92ada9926e5c5741e7da20 Mon Sep 17 00:00:00 2001
|
|
||||||
From: "Dmitry V. Levin" <ldv@altlinux.org>
|
|
||||||
Date: Fri, 24 Jan 2014 22:18:32 +0000
|
|
||||||
Subject: [PATCH] pam_userdb: fix password hash comparison
|
|
||||||
|
|
||||||
Starting with commit Linux-PAM-0-77-28-g0b3e583 that introduced hashed
|
|
||||||
passwords support in pam_userdb, hashes are compared case-insensitively.
|
|
||||||
This bug leads to accepting hashes for completely different passwords in
|
|
||||||
addition to those that should be accepted.
|
|
||||||
|
|
||||||
Additionally, commit Linux-PAM-1_1_6-13-ge2a8187 that added support for
|
|
||||||
modern password hashes with different lengths and settings, did not
|
|
||||||
update the hash comparison accordingly, which leads to accepting
|
|
||||||
computed hashes longer than stored hashes when the latter is a prefix
|
|
||||||
of the former.
|
|
||||||
|
|
||||||
* modules/pam_userdb/pam_userdb.c (user_lookup): Reject the computed
|
|
||||||
hash whose length differs from the stored hash length.
|
|
||||||
Compare computed and stored hashes case-sensitively.
|
|
||||||
Fixes CVE-2013-7041.
|
|
||||||
|
|
||||||
Bug-Debian: http://bugs.debian.org/731368
|
|
||||||
---
|
|
||||||
modules/pam_userdb/pam_userdb.c | 9 ++++++---
|
|
||||||
1 file changed, 6 insertions(+), 3 deletions(-)
|
|
||||||
|
|
||||||
diff --git a/modules/pam_userdb/pam_userdb.c b/modules/pam_userdb/pam_userdb.c
|
|
||||||
index de8b5b1..ff040e6 100644
|
|
||||||
--- a/modules/pam_userdb/pam_userdb.c
|
|
||||||
+++ b/modules/pam_userdb/pam_userdb.c
|
|
||||||
@@ -222,12 +222,15 @@ user_lookup (pam_handle_t *pamh, const char *database, const char *cryptmode,
|
|
||||||
} else {
|
|
||||||
cryptpw = crypt (pass, data.dptr);
|
|
||||||
|
|
||||||
- if (cryptpw) {
|
|
||||||
- compare = strncasecmp (data.dptr, cryptpw, data.dsize);
|
|
||||||
+ if (cryptpw && strlen(cryptpw) == (size_t)data.dsize) {
|
|
||||||
+ compare = memcmp(data.dptr, cryptpw, data.dsize);
|
|
||||||
} else {
|
|
||||||
compare = -2;
|
|
||||||
if (ctrl & PAM_DEBUG_ARG) {
|
|
||||||
- pam_syslog(pamh, LOG_INFO, "crypt() returned NULL");
|
|
||||||
+ if (cryptpw)
|
|
||||||
+ pam_syslog(pamh, LOG_INFO, "lengths of computed and stored hashes differ");
|
|
||||||
+ else
|
|
||||||
+ pam_syslog(pamh, LOG_INFO, "crypt() returned NULL");
|
|
||||||
}
|
|
||||||
};
|
|
||||||
|
|
||||||
--
|
|
||||||
1.8.3.1
|
|
||||||
|
|
@ -1,56 +0,0 @@
|
|||||||
From 9dcead87e6d7f66d34e7a56d11a30daca367dffb Mon Sep 17 00:00:00 2001
|
|
||||||
From: "Dmitry V. Levin" <ldv@altlinux.org>
|
|
||||||
Date: Wed, 26 Mar 2014 22:17:23 +0000
|
|
||||||
Subject: [PATCH] pam_timestamp: fix potential directory traversal issue
|
|
||||||
(ticket #27)
|
|
||||||
|
|
||||||
pam_timestamp uses values of PAM_RUSER and PAM_TTY as components of
|
|
||||||
the timestamp pathname it creates, so extra care should be taken to
|
|
||||||
avoid potential directory traversal issues.
|
|
||||||
|
|
||||||
* modules/pam_timestamp/pam_timestamp.c (check_tty): Treat
|
|
||||||
"." and ".." tty values as invalid.
|
|
||||||
(get_ruser): Treat "." and ".." ruser values, as well as any ruser
|
|
||||||
value containing '/', as invalid.
|
|
||||||
|
|
||||||
Fixes CVE-2014-2583.
|
|
||||||
|
|
||||||
Reported-by: Sebastian Krahmer <krahmer@suse.de>
|
|
||||||
---
|
|
||||||
modules/pam_timestamp/pam_timestamp.c | 13 ++++++++++++-
|
|
||||||
1 file changed, 12 insertions(+), 1 deletion(-)
|
|
||||||
|
|
||||||
diff --git a/modules/pam_timestamp/pam_timestamp.c b/modules/pam_timestamp/pam_timestamp.c
|
|
||||||
index 5193733..b3f08b1 100644
|
|
||||||
--- a/modules/pam_timestamp/pam_timestamp.c
|
|
||||||
+++ b/modules/pam_timestamp/pam_timestamp.c
|
|
||||||
@@ -158,7 +158,7 @@ check_tty(const char *tty)
|
|
||||||
tty = strrchr(tty, '/') + 1;
|
|
||||||
}
|
|
||||||
/* Make sure the tty wasn't actually a directory (no basename). */
|
|
||||||
- if (strlen(tty) == 0) {
|
|
||||||
+ if (!strlen(tty) || !strcmp(tty, ".") || !strcmp(tty, "..")) {
|
|
||||||
return NULL;
|
|
||||||
}
|
|
||||||
return tty;
|
|
||||||
@@ -243,6 +243,17 @@ get_ruser(pam_handle_t *pamh, char *ruserbuf, size_t ruserbuflen)
|
|
||||||
if (pwd != NULL) {
|
|
||||||
ruser = pwd->pw_name;
|
|
||||||
}
|
|
||||||
+ } else {
|
|
||||||
+ /*
|
|
||||||
+ * This ruser is used by format_timestamp_name as a component
|
|
||||||
+ * of constructed timestamp pathname, so ".", "..", and '/'
|
|
||||||
+ * are disallowed to avoid potential path traversal issues.
|
|
||||||
+ */
|
|
||||||
+ if (!strcmp(ruser, ".") ||
|
|
||||||
+ !strcmp(ruser, "..") ||
|
|
||||||
+ strchr(ruser, '/')) {
|
|
||||||
+ ruser = NULL;
|
|
||||||
+ }
|
|
||||||
}
|
|
||||||
if (ruser == NULL || strlen(ruser) >= ruserbuflen) {
|
|
||||||
*ruserbuf = '\0';
|
|
||||||
--
|
|
||||||
1.8.3.1
|
|
||||||
|
|
@ -1,37 +0,0 @@
|
|||||||
diff -up Linux-PAM-1.1.8/modules/pam_lastlog/pam_lastlog.c.uninitialized Linux-PAM-1.1.8/modules/pam_lastlog/pam_lastlog.c
|
|
||||||
--- Linux-PAM-1.1.8/modules/pam_lastlog/pam_lastlog.c.uninitialized 2013-06-18 16:11:21.000000000 +0200
|
|
||||||
+++ Linux-PAM-1.1.8/modules/pam_lastlog/pam_lastlog.c 2014-08-25 16:44:24.365174752 +0200
|
|
||||||
@@ -350,6 +350,8 @@ last_login_write(pam_handle_t *pamh, int
|
|
||||||
return PAM_SERVICE_ERR;
|
|
||||||
}
|
|
||||||
|
|
||||||
+ memset(&last_login, 0, sizeof(last_login));
|
|
||||||
+
|
|
||||||
/* set this login date */
|
|
||||||
D(("set the most recent login time"));
|
|
||||||
(void) time(&ll_time); /* set the time */
|
|
||||||
@@ -364,14 +366,12 @@ last_login_write(pam_handle_t *pamh, int
|
|
||||||
}
|
|
||||||
|
|
||||||
/* copy to last_login */
|
|
||||||
- last_login.ll_host[0] = '\0';
|
|
||||||
strncat(last_login.ll_host, remote_host, sizeof(last_login.ll_host)-1);
|
|
||||||
|
|
||||||
/* set the terminal line */
|
|
||||||
terminal_line = get_tty(pamh);
|
|
||||||
|
|
||||||
/* copy to last_login */
|
|
||||||
- last_login.ll_line[0] = '\0';
|
|
||||||
strncat(last_login.ll_line, terminal_line, sizeof(last_login.ll_line)-1);
|
|
||||||
terminal_line = NULL;
|
|
||||||
|
|
||||||
@@ -628,7 +628,8 @@ pam_sm_authenticate(pam_handle_t *pamh,
|
|
||||||
lltime = (time(NULL) - lltime) / (24*60*60);
|
|
||||||
|
|
||||||
if (lltime > inactive_days) {
|
|
||||||
- pam_syslog(pamh, LOG_INFO, "user %s inactive for %d days - denied", user, lltime);
|
|
||||||
+ pam_syslog(pamh, LOG_INFO, "user %s inactive for %ld days - denied",
|
|
||||||
+ user, (long) lltime);
|
|
||||||
return PAM_AUTH_ERR;
|
|
||||||
}
|
|
||||||
|
|
@ -1,41 +0,0 @@
|
|||||||
diff -up Linux-PAM-1.1.8/modules/pam_limits/pam_limits.c.check-process Linux-PAM-1.1.8/modules/pam_limits/pam_limits.c
|
|
||||||
--- Linux-PAM-1.1.8/modules/pam_limits/pam_limits.c.check-process 2013-06-18 16:11:21.000000000 +0200
|
|
||||||
+++ Linux-PAM-1.1.8/modules/pam_limits/pam_limits.c 2014-09-10 16:39:36.263256066 +0200
|
|
||||||
@@ -27,6 +27,7 @@
|
|
||||||
#include <errno.h>
|
|
||||||
#include <syslog.h>
|
|
||||||
#include <stdarg.h>
|
|
||||||
+#include <signal.h>
|
|
||||||
#include <sys/types.h>
|
|
||||||
#include <sys/stat.h>
|
|
||||||
#include <sys/resource.h>
|
|
||||||
@@ -269,16 +270,27 @@ check_logins (pam_handle_t *pamh, const
|
|
||||||
continue;
|
|
||||||
}
|
|
||||||
if (!pl->flag_numsyslogins) {
|
|
||||||
+ char user[sizeof(ut->UT_USER) + 1];
|
|
||||||
+ user[0] = '\0';
|
|
||||||
+ strncat(user, ut->UT_USER, sizeof(ut->UT_USER));
|
|
||||||
+
|
|
||||||
if (((pl->login_limit_def == LIMITS_DEF_USER)
|
|
||||||
|| (pl->login_limit_def == LIMITS_DEF_GROUP)
|
|
||||||
|| (pl->login_limit_def == LIMITS_DEF_DEFAULT))
|
|
||||||
- && strncmp(name, ut->UT_USER, sizeof(ut->UT_USER)) != 0) {
|
|
||||||
+ && strcmp(name, user) != 0) {
|
|
||||||
continue;
|
|
||||||
}
|
|
||||||
if ((pl->login_limit_def == LIMITS_DEF_ALLGROUP)
|
|
||||||
- && !pam_modutil_user_in_group_nam_nam(pamh, ut->UT_USER, pl->login_group)) {
|
|
||||||
+ && !pam_modutil_user_in_group_nam_nam(pamh, user, pl->login_group)) {
|
|
||||||
continue;
|
|
||||||
}
|
|
||||||
+ if (kill(ut->ut_pid, 0) == -1 && errno == ESRCH) {
|
|
||||||
+ /* process does not exist anymore */
|
|
||||||
+ pam_syslog(pamh, LOG_WARNING,
|
|
||||||
+ "Stale utmp entry (pid %d) for '%s' ignored",
|
|
||||||
+ ut->ut_pid, user);
|
|
||||||
+ continue;
|
|
||||||
+ }
|
|
||||||
}
|
|
||||||
if (++count > limit) {
|
|
||||||
break;
|
|
@ -1,54 +0,0 @@
|
|||||||
diff -up Linux-PAM-1.1.8/modules/pam_limits/limits.conf.docfix Linux-PAM-1.1.8/modules/pam_limits/limits.conf
|
|
||||||
--- Linux-PAM-1.1.8/modules/pam_limits/limits.conf.docfix 2014-07-14 14:58:05.000000000 +0200
|
|
||||||
+++ Linux-PAM-1.1.8/modules/pam_limits/limits.conf 2014-09-10 16:42:51.254747161 +0200
|
|
||||||
@@ -32,7 +32,7 @@
|
|
||||||
# - data - max data size (KB)
|
|
||||||
# - fsize - maximum filesize (KB)
|
|
||||||
# - memlock - max locked-in-memory address space (KB)
|
|
||||||
-# - nofile - max number of open files
|
|
||||||
+# - nofile - max number of open file descriptors
|
|
||||||
# - rss - max resident set size (KB)
|
|
||||||
# - stack - max stack size (KB)
|
|
||||||
# - cpu - max CPU time (MIN)
|
|
||||||
diff -up Linux-PAM-1.1.8/modules/pam_limits/limits.conf.5.xml.docfix Linux-PAM-1.1.8/modules/pam_limits/limits.conf.5.xml
|
|
||||||
--- Linux-PAM-1.1.8/modules/pam_limits/limits.conf.5.xml.docfix 2013-06-18 16:11:21.000000000 +0200
|
|
||||||
+++ Linux-PAM-1.1.8/modules/pam_limits/limits.conf.5.xml 2014-09-10 16:44:01.624367933 +0200
|
|
||||||
@@ -178,7 +178,7 @@
|
|
||||||
<varlistentry>
|
|
||||||
<term><option>nofile</option></term>
|
|
||||||
<listitem>
|
|
||||||
- <para>maximum number of open files</para>
|
|
||||||
+ <para>maximum number of open file descriptors</para>
|
|
||||||
</listitem>
|
|
||||||
</varlistentry>
|
|
||||||
<varlistentry>
|
|
||||||
@@ -214,14 +214,17 @@
|
|
||||||
<varlistentry>
|
|
||||||
<term><option>maxlogins</option></term>
|
|
||||||
<listitem>
|
|
||||||
- <para>maximum number of logins for this user except
|
|
||||||
- for this with <emphasis>uid=0</emphasis></para>
|
|
||||||
+ <para>maximum number of logins for this user (this limit does
|
|
||||||
+ not apply to user with <emphasis>uid=0</emphasis>)</para>
|
|
||||||
</listitem>
|
|
||||||
</varlistentry>
|
|
||||||
<varlistentry>
|
|
||||||
<term><option>maxsyslogins</option></term>
|
|
||||||
<listitem>
|
|
||||||
- <para>maximum number of all logins on system</para>
|
|
||||||
+ <para>maximum number of all logins on system; user is not
|
|
||||||
+ allowed to log-in if total number of all users' logins is
|
|
||||||
+ greater than specified number (this limit does not apply to
|
|
||||||
+ user with <emphasis>uid=0</emphasis>)</para>
|
|
||||||
</listitem>
|
|
||||||
</varlistentry>
|
|
||||||
<varlistentry>
|
|
||||||
@@ -292,7 +295,7 @@
|
|
||||||
permanent; existing only for the duration of the session.
|
|
||||||
One exception is the <emphasis>maxlogin</emphasis> option, this one
|
|
||||||
is system wide. But there is a race, concurrent logins at the same
|
|
||||||
- time will not always be detect as such but only counted as one.
|
|
||||||
+ time will not always be detected as such but only counted as one.
|
|
||||||
</para>
|
|
||||||
<para>
|
|
||||||
In the <emphasis>limits</emphasis> configuration file, the
|
|
@ -1,151 +0,0 @@
|
|||||||
diff -up Linux-PAM-1.1.8/modules/pam_loginuid/pam_loginuid.c.container Linux-PAM-1.1.8/modules/pam_loginuid/pam_loginuid.c
|
|
||||||
--- Linux-PAM-1.1.8/modules/pam_loginuid/pam_loginuid.c.container 2013-06-18 16:11:21.000000000 +0200
|
|
||||||
+++ Linux-PAM-1.1.8/modules/pam_loginuid/pam_loginuid.c 2014-01-27 17:24:53.000000000 +0100
|
|
||||||
@@ -47,25 +47,56 @@
|
|
||||||
|
|
||||||
/*
|
|
||||||
* This function writes the loginuid to the /proc system. It returns
|
|
||||||
- * 0 on success and 1 on failure.
|
|
||||||
+ * PAM_SUCCESS on success,
|
|
||||||
+ * PAM_IGNORE when /proc/self/loginuid does not exist,
|
|
||||||
+ * PAM_SESSION_ERR in case of any other error.
|
|
||||||
*/
|
|
||||||
static int set_loginuid(pam_handle_t *pamh, uid_t uid)
|
|
||||||
{
|
|
||||||
- int fd, count, rc = 0;
|
|
||||||
- char loginuid[24];
|
|
||||||
+ int fd, count, rc = PAM_SESSION_ERR;
|
|
||||||
+ char loginuid[24], buf[24];
|
|
||||||
+ static const char host_uid_map[] = " 0 0 4294967295\n";
|
|
||||||
+ char uid_map[sizeof(host_uid_map)];
|
|
||||||
+
|
|
||||||
+ /* loginuid in user namespaces currently isn't writable and in some
|
|
||||||
+ case, not even readable, so consider any failure as ignorable (but try
|
|
||||||
+ anyway, in case we hit a kernel which supports it). */
|
|
||||||
+ fd = open("/proc/self/uid_map", O_RDONLY);
|
|
||||||
+ if (fd >= 0) {
|
|
||||||
+ count = pam_modutil_read(fd, uid_map, sizeof(uid_map));
|
|
||||||
+ if (strncmp(uid_map, host_uid_map, count) != 0)
|
|
||||||
+ rc = PAM_IGNORE;
|
|
||||||
+ close(fd);
|
|
||||||
+ }
|
|
||||||
|
|
||||||
- count = snprintf(loginuid, sizeof(loginuid), "%lu", (unsigned long)uid);
|
|
||||||
- fd = open("/proc/self/loginuid", O_NOFOLLOW|O_WRONLY|O_TRUNC);
|
|
||||||
+ fd = open("/proc/self/loginuid", O_NOFOLLOW|O_RDWR);
|
|
||||||
if (fd < 0) {
|
|
||||||
- if (errno != ENOENT) {
|
|
||||||
- rc = 1;
|
|
||||||
- pam_syslog(pamh, LOG_ERR,
|
|
||||||
- "Cannot open /proc/self/loginuid: %m");
|
|
||||||
+ if (errno == ENOENT) {
|
|
||||||
+ rc = PAM_IGNORE;
|
|
||||||
+ }
|
|
||||||
+ if (rc != PAM_IGNORE) {
|
|
||||||
+ pam_syslog(pamh, LOG_ERR, "Cannot open %s: %m",
|
|
||||||
+ "/proc/self/loginuid");
|
|
||||||
}
|
|
||||||
return rc;
|
|
||||||
}
|
|
||||||
- if (pam_modutil_write(fd, loginuid, count) != count)
|
|
||||||
- rc = 1;
|
|
||||||
+
|
|
||||||
+ count = snprintf(loginuid, sizeof(loginuid), "%lu", (unsigned long)uid);
|
|
||||||
+ if (pam_modutil_read(fd, buf, sizeof(buf)) == count &&
|
|
||||||
+ memcmp(buf, loginuid, count) == 0) {
|
|
||||||
+ rc = PAM_SUCCESS;
|
|
||||||
+ goto done; /* already correct */
|
|
||||||
+ }
|
|
||||||
+ if (lseek(fd, 0, SEEK_SET) == 0 && ftruncate(fd, 0) == 0 &&
|
|
||||||
+ pam_modutil_write(fd, loginuid, count) == count) {
|
|
||||||
+ rc = PAM_SUCCESS;
|
|
||||||
+ } else {
|
|
||||||
+ if (rc != PAM_IGNORE) {
|
|
||||||
+ pam_syslog(pamh, LOG_ERR, "Error writing %s: %m",
|
|
||||||
+ "/proc/self/loginuid");
|
|
||||||
+ }
|
|
||||||
+ }
|
|
||||||
+ done:
|
|
||||||
close(fd);
|
|
||||||
return rc;
|
|
||||||
}
|
|
||||||
@@ -165,6 +196,7 @@ _pam_loginuid(pam_handle_t *pamh, int fl
|
|
||||||
{
|
|
||||||
const char *user = NULL;
|
|
||||||
struct passwd *pwd;
|
|
||||||
+ int ret;
|
|
||||||
#ifdef HAVE_LIBAUDIT
|
|
||||||
int require_auditd = 0;
|
|
||||||
#endif
|
|
||||||
@@ -183,9 +215,14 @@ _pam_loginuid(pam_handle_t *pamh, int fl
|
|
||||||
return PAM_SESSION_ERR;
|
|
||||||
}
|
|
||||||
|
|
||||||
- if (set_loginuid(pamh, pwd->pw_uid)) {
|
|
||||||
- pam_syslog(pamh, LOG_ERR, "set_loginuid failed\n");
|
|
||||||
- return PAM_SESSION_ERR;
|
|
||||||
+ ret = set_loginuid(pamh, pwd->pw_uid);
|
|
||||||
+ switch (ret) {
|
|
||||||
+ case PAM_SUCCESS:
|
|
||||||
+ case PAM_IGNORE:
|
|
||||||
+ break;
|
|
||||||
+ default:
|
|
||||||
+ pam_syslog(pamh, LOG_ERR, "set_loginuid failed");
|
|
||||||
+ return ret;
|
|
||||||
}
|
|
||||||
|
|
||||||
#ifdef HAVE_LIBAUDIT
|
|
||||||
@@ -195,11 +232,12 @@ _pam_loginuid(pam_handle_t *pamh, int fl
|
|
||||||
argv++;
|
|
||||||
}
|
|
||||||
|
|
||||||
- if (require_auditd)
|
|
||||||
- return check_auditd();
|
|
||||||
- else
|
|
||||||
+ if (require_auditd) {
|
|
||||||
+ int rc = check_auditd();
|
|
||||||
+ return rc != PAM_SUCCESS ? rc : ret;
|
|
||||||
+ } else
|
|
||||||
#endif
|
|
||||||
- return PAM_SUCCESS;
|
|
||||||
+ return ret;
|
|
||||||
}
|
|
||||||
|
|
||||||
/*
|
|
||||||
diff -up Linux-PAM-1.1.8/modules/pam_loginuid/pam_loginuid.8.xml.container Linux-PAM-1.1.8/modules/pam_loginuid/pam_loginuid.8.xml
|
|
||||||
--- Linux-PAM-1.1.8/modules/pam_loginuid/pam_loginuid.8.xml.container 2013-06-18 16:11:21.000000000 +0200
|
|
||||||
+++ Linux-PAM-1.1.8/modules/pam_loginuid/pam_loginuid.8.xml 2014-05-22 11:33:14.000000000 +0200
|
|
||||||
@@ -69,14 +69,31 @@
|
|
||||||
<para>
|
|
||||||
<variablelist>
|
|
||||||
<varlistentry>
|
|
||||||
+ <term>PAM_SUCCESS</term>
|
|
||||||
+ <listitem>
|
|
||||||
+ <para>
|
|
||||||
+ The loginuid value is set and auditd is running if check requested.
|
|
||||||
+ </para>
|
|
||||||
+ </listitem>
|
|
||||||
+ </varlistentry>
|
|
||||||
+ <varlistentry>
|
|
||||||
+ <term>PAM_IGNORE</term>
|
|
||||||
+ <listitem>
|
|
||||||
+ <para>
|
|
||||||
+ The /proc/self/loginuid file is not present on the system or the
|
|
||||||
+ login process runs inside uid namespace and kernel does not support
|
|
||||||
+ overwriting loginuid.
|
|
||||||
+ </para>
|
|
||||||
+ </listitem>
|
|
||||||
+ </varlistentry>
|
|
||||||
+ <varlistentry>
|
|
||||||
<term>PAM_SESSION_ERR</term>
|
|
||||||
<listitem>
|
|
||||||
<para>
|
|
||||||
- An error occurred during session management.
|
|
||||||
+ Any other error prevented setting loginuid or auditd is not running.
|
|
||||||
</para>
|
|
||||||
</listitem>
|
|
||||||
</varlistentry>
|
|
||||||
-
|
|
||||||
</variablelist>
|
|
||||||
</para>
|
|
||||||
</refsect1>
|
|
@ -1,22 +0,0 @@
|
|||||||
diff -up Linux-PAM-1.1.8/modules/pam_userdb/pam_userdb.8.xml.dbsuffix Linux-PAM-1.1.8/modules/pam_userdb/pam_userdb.8.xml
|
|
||||||
--- Linux-PAM-1.1.8/modules/pam_userdb/pam_userdb.8.xml.dbsuffix 2013-06-18 16:11:21.000000000 +0200
|
|
||||||
+++ Linux-PAM-1.1.8/modules/pam_userdb/pam_userdb.8.xml 2014-09-10 16:28:19.916678273 +0200
|
|
||||||
@@ -89,7 +89,8 @@
|
|
||||||
Use the <filename>/path/database</filename> database for
|
|
||||||
performing lookup. There is no default; the module will
|
|
||||||
return <emphasis remap='B'>PAM_IGNORE</emphasis> if no
|
|
||||||
- database is provided.
|
|
||||||
+ database is provided. Note that the path to the database file
|
|
||||||
+ should be specified without the <filename>.db</filename> suffix.
|
|
||||||
</para>
|
|
||||||
</listitem>
|
|
||||||
</varlistentry>
|
|
||||||
@@ -260,7 +261,7 @@
|
|
||||||
<refsect1 id='pam_userdb-examples'>
|
|
||||||
<title>EXAMPLES</title>
|
|
||||||
<programlisting>
|
|
||||||
-auth sufficient pam_userdb.so icase db=/etc/dbtest.db
|
|
||||||
+auth sufficient pam_userdb.so icase db=/etc/dbtest
|
|
||||||
</programlisting>
|
|
||||||
</refsect1>
|
|
||||||
|
|
@ -1,50 +0,0 @@
|
|||||||
diff --git a/modules/pam_pwhistory/opasswd.c b/modules/pam_pwhistory/opasswd.c
|
|
||||||
index 836d713..c36628e 100644
|
|
||||||
--- a/modules/pam_pwhistory/opasswd.c
|
|
||||||
+++ b/modules/pam_pwhistory/opasswd.c
|
|
||||||
@@ -82,10 +82,15 @@ parse_entry (char *line, opwd *data)
|
|
||||||
{
|
|
||||||
const char delimiters[] = ":";
|
|
||||||
char *endptr;
|
|
||||||
+ char *count;
|
|
||||||
|
|
||||||
data->user = strsep (&line, delimiters);
|
|
||||||
data->uid = strsep (&line, delimiters);
|
|
||||||
- data->count = strtol (strsep (&line, delimiters), &endptr, 10);
|
|
||||||
+ count = strsep (&line, delimiters);
|
|
||||||
+ if (data->user == NULL || data->uid == NULL || count == NULL)
|
|
||||||
+ return 1;
|
|
||||||
+
|
|
||||||
+ data->count = strtol (count, &endptr, 10);
|
|
||||||
if (endptr != NULL && *endptr != '\0')
|
|
||||||
return 1;
|
|
||||||
|
|
||||||
diff --git a/modules/pam_unix/passverify.c b/modules/pam_unix/passverify.c
|
|
||||||
index 4840bb2..7f7bc49 100644
|
|
||||||
--- a/modules/pam_unix/passverify.c
|
|
||||||
+++ b/modules/pam_unix/passverify.c
|
|
||||||
@@ -639,11 +639,23 @@ save_old_password(pam_handle_t *pamh, const char *forwho, const char *oldpass,
|
|
||||||
continue;
|
|
||||||
buf[strlen(buf) - 1] = '\0';
|
|
||||||
s_luser = strtok_r(buf, ":", &sptr);
|
|
||||||
+ if (s_luser == NULL) {
|
|
||||||
+ found = 0;
|
|
||||||
+ continue;
|
|
||||||
+ }
|
|
||||||
s_uid = strtok_r(NULL, ":", &sptr);
|
|
||||||
+ if (s_uid == NULL) {
|
|
||||||
+ found = 0;
|
|
||||||
+ continue;
|
|
||||||
+ }
|
|
||||||
s_npas = strtok_r(NULL, ":", &sptr);
|
|
||||||
+ if (s_npas == NULL) {
|
|
||||||
+ found = 0;
|
|
||||||
+ continue;
|
|
||||||
+ }
|
|
||||||
s_pas = strtok_r(NULL, ":", &sptr);
|
|
||||||
npas = strtol(s_npas, NULL, 10) + 1;
|
|
||||||
- while (npas > howmany) {
|
|
||||||
+ while (npas > howmany && s_pas != NULL) {
|
|
||||||
s_pas = strpbrk(s_pas, ",");
|
|
||||||
if (s_pas != NULL)
|
|
||||||
s_pas++;
|
|
File diff suppressed because it is too large
Load Diff
@ -1,7 +1,7 @@
|
|||||||
diff -up Linux-PAM-1.1.1/configure.in.faillock Linux-PAM-1.1.1/configure.in
|
diff -up Linux-PAM-1.2.0/configure.ac.faillock Linux-PAM-1.2.0/configure.ac
|
||||||
--- Linux-PAM-1.1.1/configure.in.faillock 2010-10-20 15:46:34.000000000 +0200
|
--- Linux-PAM-1.2.0/configure.ac.faillock 2015-05-15 15:52:13.794506394 +0200
|
||||||
+++ Linux-PAM-1.1.1/configure.in 2011-01-25 18:24:43.000000000 +0100
|
+++ Linux-PAM-1.2.0/configure.ac 2015-05-15 15:52:13.798506486 +0200
|
||||||
@@ -539,7 +539,7 @@ AC_CONFIG_FILES([Makefile libpam/Makefil
|
@@ -621,7 +621,7 @@ AC_CONFIG_FILES([Makefile libpam/Makefil
|
||||||
modules/pam_access/Makefile modules/pam_cracklib/Makefile \
|
modules/pam_access/Makefile modules/pam_cracklib/Makefile \
|
||||||
modules/pam_debug/Makefile modules/pam_deny/Makefile \
|
modules/pam_debug/Makefile modules/pam_deny/Makefile \
|
||||||
modules/pam_echo/Makefile modules/pam_env/Makefile \
|
modules/pam_echo/Makefile modules/pam_env/Makefile \
|
||||||
@ -10,9 +10,9 @@ diff -up Linux-PAM-1.1.1/configure.in.faillock Linux-PAM-1.1.1/configure.in
|
|||||||
modules/pam_filter/Makefile modules/pam_filter/upperLOWER/Makefile \
|
modules/pam_filter/Makefile modules/pam_filter/upperLOWER/Makefile \
|
||||||
modules/pam_ftp/Makefile modules/pam_group/Makefile \
|
modules/pam_ftp/Makefile modules/pam_group/Makefile \
|
||||||
modules/pam_issue/Makefile modules/pam_keyinit/Makefile \
|
modules/pam_issue/Makefile modules/pam_keyinit/Makefile \
|
||||||
diff -up Linux-PAM-1.1.1/doc/sag/pam_faillock.xml.faillock Linux-PAM-1.1.1/doc/sag/pam_faillock.xml
|
diff -up Linux-PAM-1.2.0/doc/sag/pam_faillock.xml.faillock Linux-PAM-1.2.0/doc/sag/pam_faillock.xml
|
||||||
--- Linux-PAM-1.1.1/doc/sag/pam_faillock.xml.faillock 2011-01-25 18:24:43.000000000 +0100
|
--- Linux-PAM-1.2.0/doc/sag/pam_faillock.xml.faillock 2015-05-15 15:52:13.799506509 +0200
|
||||||
+++ Linux-PAM-1.1.1/doc/sag/pam_faillock.xml 2011-01-25 18:24:43.000000000 +0100
|
+++ Linux-PAM-1.2.0/doc/sag/pam_faillock.xml 2015-05-15 15:52:13.799506509 +0200
|
||||||
@@ -0,0 +1,38 @@
|
@@ -0,0 +1,38 @@
|
||||||
+<?xml version='1.0' encoding='UTF-8'?>
|
+<?xml version='1.0' encoding='UTF-8'?>
|
||||||
+<!DOCTYPE section PUBLIC "-//OASIS//DTD DocBook XML V4.4//EN"
|
+<!DOCTYPE section PUBLIC "-//OASIS//DTD DocBook XML V4.4//EN"
|
||||||
@ -52,9 +52,9 @@ diff -up Linux-PAM-1.1.1/doc/sag/pam_faillock.xml.faillock Linux-PAM-1.1.1/doc/s
|
|||||||
+ href="../../modules/pam_faillock/pam_faillock.8.xml" xpointer='xpointer(//refsect1[@id = "pam_faillock-author"]/*)'/>
|
+ href="../../modules/pam_faillock/pam_faillock.8.xml" xpointer='xpointer(//refsect1[@id = "pam_faillock-author"]/*)'/>
|
||||||
+ </section>
|
+ </section>
|
||||||
+</section>
|
+</section>
|
||||||
diff -up Linux-PAM-1.1.1/modules/Makefile.am.faillock Linux-PAM-1.1.1/modules/Makefile.am
|
diff -up Linux-PAM-1.2.0/modules/Makefile.am.faillock Linux-PAM-1.2.0/modules/Makefile.am
|
||||||
--- Linux-PAM-1.1.1/modules/Makefile.am.faillock 2010-10-20 15:46:34.000000000 +0200
|
--- Linux-PAM-1.2.0/modules/Makefile.am.faillock 2015-05-15 15:52:13.797506463 +0200
|
||||||
+++ Linux-PAM-1.1.1/modules/Makefile.am 2011-01-25 18:24:43.000000000 +0100
|
+++ Linux-PAM-1.2.0/modules/Makefile.am 2015-05-15 15:52:13.799506509 +0200
|
||||||
@@ -3,7 +3,7 @@
|
@@ -3,7 +3,7 @@
|
||||||
#
|
#
|
||||||
|
|
||||||
@ -64,9 +64,9 @@ diff -up Linux-PAM-1.1.1/modules/Makefile.am.faillock Linux-PAM-1.1.1/modules/Ma
|
|||||||
pam_env pam_exec pam_faildelay pam_filter pam_ftp \
|
pam_env pam_exec pam_faildelay pam_filter pam_ftp \
|
||||||
pam_group pam_issue pam_keyinit pam_lastlog pam_limits \
|
pam_group pam_issue pam_keyinit pam_lastlog pam_limits \
|
||||||
pam_listfile pam_localuser pam_loginuid pam_mail \
|
pam_listfile pam_localuser pam_loginuid pam_mail \
|
||||||
diff -up Linux-PAM-1.1.1/modules/pam_faillock/faillock.c.faillock Linux-PAM-1.1.1/modules/pam_faillock/faillock.c
|
diff -up Linux-PAM-1.2.0/modules/pam_faillock/faillock.c.faillock Linux-PAM-1.2.0/modules/pam_faillock/faillock.c
|
||||||
--- Linux-PAM-1.1.1/modules/pam_faillock/faillock.c.faillock 2011-01-25 18:24:43.000000000 +0100
|
--- Linux-PAM-1.2.0/modules/pam_faillock/faillock.c.faillock 2015-05-15 15:52:13.799506509 +0200
|
||||||
+++ Linux-PAM-1.1.1/modules/pam_faillock/faillock.c 2011-01-25 18:24:56.000000000 +0100
|
+++ Linux-PAM-1.2.0/modules/pam_faillock/faillock.c 2015-05-15 15:52:13.799506509 +0200
|
||||||
@@ -0,0 +1,158 @@
|
@@ -0,0 +1,158 @@
|
||||||
+/*
|
+/*
|
||||||
+ * Copyright (c) 2010 Tomas Mraz <tmraz@redhat.com>
|
+ * Copyright (c) 2010 Tomas Mraz <tmraz@redhat.com>
|
||||||
@ -226,9 +226,9 @@ diff -up Linux-PAM-1.1.1/modules/pam_faillock/faillock.c.faillock Linux-PAM-1.1.
|
|||||||
+
|
+
|
||||||
+ return 0;
|
+ return 0;
|
||||||
+}
|
+}
|
||||||
diff -up Linux-PAM-1.1.1/modules/pam_faillock/faillock.h.faillock Linux-PAM-1.1.1/modules/pam_faillock/faillock.h
|
diff -up Linux-PAM-1.2.0/modules/pam_faillock/faillock.h.faillock Linux-PAM-1.2.0/modules/pam_faillock/faillock.h
|
||||||
--- Linux-PAM-1.1.1/modules/pam_faillock/faillock.h.faillock 2011-01-25 18:24:43.000000000 +0100
|
--- Linux-PAM-1.2.0/modules/pam_faillock/faillock.h.faillock 2015-05-15 15:52:13.799506509 +0200
|
||||||
+++ Linux-PAM-1.1.1/modules/pam_faillock/faillock.h 2011-01-25 18:24:56.000000000 +0100
|
+++ Linux-PAM-1.2.0/modules/pam_faillock/faillock.h 2015-05-15 15:52:13.799506509 +0200
|
||||||
@@ -0,0 +1,73 @@
|
@@ -0,0 +1,73 @@
|
||||||
+/*
|
+/*
|
||||||
+ * Copyright (c) 2010 Tomas Mraz <tmraz@redhat.com>
|
+ * Copyright (c) 2010 Tomas Mraz <tmraz@redhat.com>
|
||||||
@ -303,9 +303,9 @@ diff -up Linux-PAM-1.1.1/modules/pam_faillock/faillock.h.faillock Linux-PAM-1.1.
|
|||||||
+int update_tally(int fd, struct tally_data *tallies);
|
+int update_tally(int fd, struct tally_data *tallies);
|
||||||
+#endif
|
+#endif
|
||||||
+
|
+
|
||||||
diff -up Linux-PAM-1.1.1/modules/pam_faillock/faillock.8.xml.faillock Linux-PAM-1.1.1/modules/pam_faillock/faillock.8.xml
|
diff -up Linux-PAM-1.2.0/modules/pam_faillock/faillock.8.xml.faillock Linux-PAM-1.2.0/modules/pam_faillock/faillock.8.xml
|
||||||
--- Linux-PAM-1.1.1/modules/pam_faillock/faillock.8.xml.faillock 2011-01-25 18:24:43.000000000 +0100
|
--- Linux-PAM-1.2.0/modules/pam_faillock/faillock.8.xml.faillock 2015-05-15 15:52:13.799506509 +0200
|
||||||
+++ Linux-PAM-1.1.1/modules/pam_faillock/faillock.8.xml 2011-01-25 18:24:43.000000000 +0100
|
+++ Linux-PAM-1.2.0/modules/pam_faillock/faillock.8.xml 2015-05-15 15:52:13.799506509 +0200
|
||||||
@@ -0,0 +1,123 @@
|
@@ -0,0 +1,123 @@
|
||||||
+<?xml version="1.0" encoding='UTF-8'?>
|
+<?xml version="1.0" encoding='UTF-8'?>
|
||||||
+<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.3//EN"
|
+<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.3//EN"
|
||||||
@ -430,9 +430,9 @@ diff -up Linux-PAM-1.1.1/modules/pam_faillock/faillock.8.xml.faillock Linux-PAM-
|
|||||||
+ </refsect1>
|
+ </refsect1>
|
||||||
+
|
+
|
||||||
+</refentry>
|
+</refentry>
|
||||||
diff -up Linux-PAM-1.1.1/modules/pam_faillock/main.c.faillock Linux-PAM-1.1.1/modules/pam_faillock/main.c
|
diff -up Linux-PAM-1.2.0/modules/pam_faillock/main.c.faillock Linux-PAM-1.2.0/modules/pam_faillock/main.c
|
||||||
--- Linux-PAM-1.1.1/modules/pam_faillock/main.c.faillock 2011-01-25 18:24:43.000000000 +0100
|
--- Linux-PAM-1.2.0/modules/pam_faillock/main.c.faillock 2015-05-15 15:52:13.799506509 +0200
|
||||||
+++ Linux-PAM-1.1.1/modules/pam_faillock/main.c 2011-01-25 18:24:56.000000000 +0100
|
+++ Linux-PAM-1.2.0/modules/pam_faillock/main.c 2015-05-15 15:52:13.799506509 +0200
|
||||||
@@ -0,0 +1,235 @@
|
@@ -0,0 +1,235 @@
|
||||||
+/*
|
+/*
|
||||||
+ * Copyright (c) 2010 Tomas Mraz <tmraz@redhat.com>
|
+ * Copyright (c) 2010 Tomas Mraz <tmraz@redhat.com>
|
||||||
@ -669,9 +669,9 @@ diff -up Linux-PAM-1.1.1/modules/pam_faillock/main.c.faillock Linux-PAM-1.1.1/mo
|
|||||||
+ return do_user(&opts, opts.user);
|
+ return do_user(&opts, opts.user);
|
||||||
+}
|
+}
|
||||||
+
|
+
|
||||||
diff -up Linux-PAM-1.1.1/modules/pam_faillock/Makefile.am.faillock Linux-PAM-1.1.1/modules/pam_faillock/Makefile.am
|
diff -up Linux-PAM-1.2.0/modules/pam_faillock/Makefile.am.faillock Linux-PAM-1.2.0/modules/pam_faillock/Makefile.am
|
||||||
--- Linux-PAM-1.1.1/modules/pam_faillock/Makefile.am.faillock 2011-01-25 18:24:43.000000000 +0100
|
--- Linux-PAM-1.2.0/modules/pam_faillock/Makefile.am.faillock 2015-05-15 15:52:13.799506509 +0200
|
||||||
+++ Linux-PAM-1.1.1/modules/pam_faillock/Makefile.am 2011-01-25 18:24:43.000000000 +0100
|
+++ Linux-PAM-1.2.0/modules/pam_faillock/Makefile.am 2015-05-15 15:52:13.799506509 +0200
|
||||||
@@ -0,0 +1,43 @@
|
@@ -0,0 +1,43 @@
|
||||||
+#
|
+#
|
||||||
+# Copyright (c) 2005, 2006, 2007, 2009 Thorsten Kukuk <kukuk@thkukuk.de>
|
+# Copyright (c) 2005, 2006, 2007, 2009 Thorsten Kukuk <kukuk@thkukuk.de>
|
||||||
@ -716,9 +716,9 @@ diff -up Linux-PAM-1.1.1/modules/pam_faillock/Makefile.am.faillock Linux-PAM-1.1
|
|||||||
+README: pam_faillock.8.xml
|
+README: pam_faillock.8.xml
|
||||||
+-include $(top_srcdir)/Make.xml.rules
|
+-include $(top_srcdir)/Make.xml.rules
|
||||||
+endif
|
+endif
|
||||||
diff -up Linux-PAM-1.1.1/modules/pam_faillock/pam_faillock.c.faillock Linux-PAM-1.1.1/modules/pam_faillock/pam_faillock.c
|
diff -up Linux-PAM-1.2.0/modules/pam_faillock/pam_faillock.c.faillock Linux-PAM-1.2.0/modules/pam_faillock/pam_faillock.c
|
||||||
--- Linux-PAM-1.1.1/modules/pam_faillock/pam_faillock.c.faillock 2011-01-25 18:24:43.000000000 +0100
|
--- Linux-PAM-1.2.0/modules/pam_faillock/pam_faillock.c.faillock 2015-05-15 15:52:13.800506532 +0200
|
||||||
+++ Linux-PAM-1.1.1/modules/pam_faillock/pam_faillock.c 2011-01-25 18:24:56.000000000 +0100
|
+++ Linux-PAM-1.2.0/modules/pam_faillock/pam_faillock.c 2015-05-15 15:52:13.800506532 +0200
|
||||||
@@ -0,0 +1,556 @@
|
@@ -0,0 +1,556 @@
|
||||||
+/*
|
+/*
|
||||||
+ * Copyright (c) 2010 Tomas Mraz <tmraz@redhat.com>
|
+ * Copyright (c) 2010 Tomas Mraz <tmraz@redhat.com>
|
||||||
@ -1276,9 +1276,9 @@ diff -up Linux-PAM-1.1.1/modules/pam_faillock/pam_faillock.c.faillock Linux-PAM-
|
|||||||
+
|
+
|
||||||
+#endif /* #ifdef PAM_STATIC */
|
+#endif /* #ifdef PAM_STATIC */
|
||||||
+
|
+
|
||||||
diff -up Linux-PAM-1.1.1/modules/pam_faillock/pam_faillock.8.xml.faillock Linux-PAM-1.1.1/modules/pam_faillock/pam_faillock.8.xml
|
diff -up Linux-PAM-1.2.0/modules/pam_faillock/pam_faillock.8.xml.faillock Linux-PAM-1.2.0/modules/pam_faillock/pam_faillock.8.xml
|
||||||
--- Linux-PAM-1.1.1/modules/pam_faillock/pam_faillock.8.xml.faillock 2011-01-25 18:24:43.000000000 +0100
|
--- Linux-PAM-1.2.0/modules/pam_faillock/pam_faillock.8.xml.faillock 2015-05-15 15:52:13.800506532 +0200
|
||||||
+++ Linux-PAM-1.1.1/modules/pam_faillock/pam_faillock.8.xml 2011-01-25 18:24:56.000000000 +0100
|
+++ Linux-PAM-1.2.0/modules/pam_faillock/pam_faillock.8.xml 2015-05-15 15:52:13.800506532 +0200
|
||||||
@@ -0,0 +1,392 @@
|
@@ -0,0 +1,392 @@
|
||||||
+<?xml version="1.0" encoding='UTF-8'?>
|
+<?xml version="1.0" encoding='UTF-8'?>
|
||||||
+<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.3//EN"
|
+<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.3//EN"
|
||||||
@ -1672,9 +1672,9 @@ diff -up Linux-PAM-1.1.1/modules/pam_faillock/pam_faillock.8.xml.faillock Linux-
|
|||||||
+ </refsect1>
|
+ </refsect1>
|
||||||
+
|
+
|
||||||
+</refentry>
|
+</refentry>
|
||||||
diff -up Linux-PAM-1.1.1/modules/pam_faillock/README.xml.faillock Linux-PAM-1.1.1/modules/pam_faillock/README.xml
|
diff -up Linux-PAM-1.2.0/modules/pam_faillock/README.xml.faillock Linux-PAM-1.2.0/modules/pam_faillock/README.xml
|
||||||
--- Linux-PAM-1.1.1/modules/pam_faillock/README.xml.faillock 2011-01-25 18:24:43.000000000 +0100
|
--- Linux-PAM-1.2.0/modules/pam_faillock/README.xml.faillock 2015-05-15 15:52:13.800506532 +0200
|
||||||
+++ Linux-PAM-1.1.1/modules/pam_faillock/README.xml 2011-01-25 18:24:43.000000000 +0100
|
+++ Linux-PAM-1.2.0/modules/pam_faillock/README.xml 2015-05-15 15:52:13.800506532 +0200
|
||||||
@@ -0,0 +1,46 @@
|
@@ -0,0 +1,46 @@
|
||||||
+<?xml version="1.0" encoding='UTF-8'?>
|
+<?xml version="1.0" encoding='UTF-8'?>
|
||||||
+<!DOCTYPE article PUBLIC "-//OASIS//DTD DocBook XML V4.3//EN"
|
+<!DOCTYPE article PUBLIC "-//OASIS//DTD DocBook XML V4.3//EN"
|
||||||
@ -1722,9 +1722,9 @@ diff -up Linux-PAM-1.1.1/modules/pam_faillock/README.xml.faillock Linux-PAM-1.1.
|
|||||||
+ </section>
|
+ </section>
|
||||||
+
|
+
|
||||||
+</article>
|
+</article>
|
||||||
diff -up Linux-PAM-1.1.1/modules/pam_faillock/tst-pam_faillock.faillock Linux-PAM-1.1.1/modules/pam_faillock/tst-pam_faillock
|
diff -up Linux-PAM-1.2.0/modules/pam_faillock/tst-pam_faillock.faillock Linux-PAM-1.2.0/modules/pam_faillock/tst-pam_faillock
|
||||||
--- Linux-PAM-1.1.1/modules/pam_faillock/tst-pam_faillock.faillock 2011-01-25 18:24:43.000000000 +0100
|
--- Linux-PAM-1.2.0/modules/pam_faillock/tst-pam_faillock.faillock 2015-05-15 15:52:13.800506532 +0200
|
||||||
+++ Linux-PAM-1.1.1/modules/pam_faillock/tst-pam_faillock 2011-01-25 18:24:43.000000000 +0100
|
+++ Linux-PAM-1.2.0/modules/pam_faillock/tst-pam_faillock 2015-05-15 15:52:13.800506532 +0200
|
||||||
@@ -0,0 +1,2 @@
|
@@ -0,0 +1,2 @@
|
||||||
+#!/bin/sh
|
+#!/bin/sh
|
||||||
+../../tests/tst-dlopen .libs/pam_faillock.so
|
+../../tests/tst-dlopen .libs/pam_faillock.so
|
@ -1,18 +1,7 @@
|
|||||||
diff -up Linux-PAM-1.0.90/modules/Makefile.am.redhat-modules Linux-PAM-1.0.90/modules/Makefile.am
|
diff -up Linux-PAM-1.2.0/configure.ac.redhat-modules Linux-PAM-1.2.0/configure.ac
|
||||||
--- Linux-PAM-1.0.90/modules/Makefile.am.redhat-modules 2008-11-29 08:27:35.000000000 +0100
|
--- Linux-PAM-1.2.0/configure.ac.redhat-modules 2015-03-25 16:50:10.000000000 +0100
|
||||||
+++ Linux-PAM-1.0.90/modules/Makefile.am 2008-12-16 13:40:16.000000000 +0100
|
+++ Linux-PAM-1.2.0/configure.ac 2015-05-15 15:46:50.996074677 +0200
|
||||||
@@ -3,6 +3,7 @@
|
@@ -616,6 +616,8 @@ AC_CONFIG_FILES([Makefile libpam/Makefil
|
||||||
#
|
|
||||||
|
|
||||||
SUBDIRS = pam_access pam_cracklib pam_debug pam_deny pam_echo \
|
|
||||||
+ pam_chroot pam_console pam_postgresok \
|
|
||||||
pam_env pam_exec pam_faildelay pam_filter pam_ftp \
|
|
||||||
pam_group pam_issue pam_keyinit pam_lastlog pam_limits \
|
|
||||||
pam_listfile pam_localuser pam_loginuid pam_mail \
|
|
||||||
diff -up Linux-PAM-1.0.90/configure.in.redhat-modules Linux-PAM-1.0.90/configure.in
|
|
||||||
--- Linux-PAM-1.0.90/configure.in.redhat-modules 2008-12-02 16:25:01.000000000 +0100
|
|
||||||
+++ Linux-PAM-1.0.90/configure.in 2008-12-16 13:39:11.000000000 +0100
|
|
||||||
@@ -531,6 +531,8 @@ AC_CONFIG_FILES([Makefile libpam/Makefil
|
|
||||||
libpam_misc/Makefile conf/Makefile conf/pam_conv1/Makefile \
|
libpam_misc/Makefile conf/Makefile conf/pam_conv1/Makefile \
|
||||||
po/Makefile.in \
|
po/Makefile.in \
|
||||||
modules/Makefile \
|
modules/Makefile \
|
||||||
@ -21,3 +10,14 @@ diff -up Linux-PAM-1.0.90/configure.in.redhat-modules Linux-PAM-1.0.90/configure
|
|||||||
modules/pam_access/Makefile modules/pam_cracklib/Makefile \
|
modules/pam_access/Makefile modules/pam_cracklib/Makefile \
|
||||||
modules/pam_debug/Makefile modules/pam_deny/Makefile \
|
modules/pam_debug/Makefile modules/pam_deny/Makefile \
|
||||||
modules/pam_echo/Makefile modules/pam_env/Makefile \
|
modules/pam_echo/Makefile modules/pam_env/Makefile \
|
||||||
|
diff -up Linux-PAM-1.2.0/modules/Makefile.am.redhat-modules Linux-PAM-1.2.0/modules/Makefile.am
|
||||||
|
--- Linux-PAM-1.2.0/modules/Makefile.am.redhat-modules 2015-03-24 13:02:32.000000000 +0100
|
||||||
|
+++ Linux-PAM-1.2.0/modules/Makefile.am 2015-05-15 15:46:50.995074654 +0200
|
||||||
|
@@ -3,6 +3,7 @@
|
||||||
|
#
|
||||||
|
|
||||||
|
SUBDIRS = pam_access pam_cracklib pam_debug pam_deny pam_echo \
|
||||||
|
+ pam_chroot pam_console pam_postgresok \
|
||||||
|
pam_env pam_exec pam_faildelay pam_filter pam_ftp \
|
||||||
|
pam_group pam_issue pam_keyinit pam_lastlog pam_limits \
|
||||||
|
pam_listfile pam_localuser pam_loginuid pam_mail \
|
@ -1,7 +1,7 @@
|
|||||||
diff -up Linux-PAM-1.1.5/modules/pam_unix/pam_unix.8.xml.no-fallback Linux-PAM-1.1.5/modules/pam_unix/pam_unix.8.xml
|
diff -up Linux-PAM-1.2.0/modules/pam_unix/pam_unix.8.xml.no-fallback Linux-PAM-1.2.0/modules/pam_unix/pam_unix.8.xml
|
||||||
--- Linux-PAM-1.1.5/modules/pam_unix/pam_unix.8.xml.no-fallback 2011-06-21 11:04:56.000000000 +0200
|
--- Linux-PAM-1.2.0/modules/pam_unix/pam_unix.8.xml.no-fallback 2015-04-27 16:38:03.000000000 +0200
|
||||||
+++ Linux-PAM-1.1.5/modules/pam_unix/pam_unix.8.xml 2012-05-09 11:54:34.442036404 +0200
|
+++ Linux-PAM-1.2.0/modules/pam_unix/pam_unix.8.xml 2015-05-15 15:54:21.524440864 +0200
|
||||||
@@ -265,11 +265,10 @@
|
@@ -284,11 +284,10 @@
|
||||||
<listitem>
|
<listitem>
|
||||||
<para>
|
<para>
|
||||||
When a user changes their password next,
|
When a user changes their password next,
|
||||||
@ -16,7 +16,7 @@ diff -up Linux-PAM-1.1.5/modules/pam_unix/pam_unix.8.xml.no-fallback Linux-PAM-1
|
|||||||
</para>
|
</para>
|
||||||
</listitem>
|
</listitem>
|
||||||
</varlistentry>
|
</varlistentry>
|
||||||
@@ -280,11 +279,10 @@
|
@@ -299,11 +298,10 @@
|
||||||
<listitem>
|
<listitem>
|
||||||
<para>
|
<para>
|
||||||
When a user changes their password next,
|
When a user changes their password next,
|
||||||
@ -31,7 +31,7 @@ diff -up Linux-PAM-1.1.5/modules/pam_unix/pam_unix.8.xml.no-fallback Linux-PAM-1
|
|||||||
</para>
|
</para>
|
||||||
</listitem>
|
</listitem>
|
||||||
</varlistentry>
|
</varlistentry>
|
||||||
@@ -295,11 +293,10 @@
|
@@ -314,11 +312,10 @@
|
||||||
<listitem>
|
<listitem>
|
||||||
<para>
|
<para>
|
||||||
When a user changes their password next,
|
When a user changes their password next,
|
||||||
@ -46,12 +46,15 @@ diff -up Linux-PAM-1.1.5/modules/pam_unix/pam_unix.8.xml.no-fallback Linux-PAM-1
|
|||||||
</para>
|
</para>
|
||||||
</listitem>
|
</listitem>
|
||||||
</varlistentry>
|
</varlistentry>
|
||||||
diff -up Linux-PAM-1.1.5/modules/pam_unix/passverify.c.no-fallback Linux-PAM-1.1.5/modules/pam_unix/passverify.c
|
diff -up Linux-PAM-1.2.0/modules/pam_unix/passverify.c.no-fallback Linux-PAM-1.2.0/modules/pam_unix/passverify.c
|
||||||
--- Linux-PAM-1.1.5/modules/pam_unix/passverify.c.no-fallback 2012-05-09 11:48:12.409632377 +0200
|
--- Linux-PAM-1.2.0/modules/pam_unix/passverify.c.no-fallback 2015-05-15 15:54:21.525440887 +0200
|
||||||
+++ Linux-PAM-1.1.5/modules/pam_unix/passverify.c 2012-05-09 11:48:36.953172291 +0200
|
+++ Linux-PAM-1.2.0/modules/pam_unix/passverify.c 2015-05-15 15:57:23.138613273 +0200
|
||||||
@@ -427,15 +427,14 @@ PAMH_ARG_DECL(char * create_password_has
|
@@ -437,10 +437,9 @@ PAMH_ARG_DECL(char * create_password_has
|
||||||
|
sp = crypt(password, salt);
|
||||||
|
#endif
|
||||||
if (!sp || strncmp(algoid, sp, strlen(algoid)) != 0) {
|
if (!sp || strncmp(algoid, sp, strlen(algoid)) != 0) {
|
||||||
/* libxcrypt/libc doesn't know the algorithm, use MD5 */
|
- /* libxcrypt/libc doesn't know the algorithm, use MD5 */
|
||||||
|
+ /* libxcrypt/libc doesn't know the algorithm, error out */
|
||||||
pam_syslog(pamh, LOG_ERR,
|
pam_syslog(pamh, LOG_ERR,
|
||||||
- "Algo %s not supported by the crypto backend, "
|
- "Algo %s not supported by the crypto backend, "
|
||||||
- "falling back to MD5\n",
|
- "falling back to MD5\n",
|
||||||
@ -59,11 +62,12 @@ diff -up Linux-PAM-1.1.5/modules/pam_unix/passverify.c.no-fallback Linux-PAM-1.1
|
|||||||
on(UNIX_BLOWFISH_PASS, ctrl) ? "blowfish" :
|
on(UNIX_BLOWFISH_PASS, ctrl) ? "blowfish" :
|
||||||
on(UNIX_SHA256_PASS, ctrl) ? "sha256" :
|
on(UNIX_SHA256_PASS, ctrl) ? "sha256" :
|
||||||
on(UNIX_SHA512_PASS, ctrl) ? "sha512" : algoid);
|
on(UNIX_SHA512_PASS, ctrl) ? "sha512" : algoid);
|
||||||
if(sp) {
|
@@ -450,7 +449,7 @@ PAMH_ARG_DECL(char * create_password_has
|
||||||
memset(sp, '\0', strlen(sp));
|
#ifdef HAVE_CRYPT_R
|
||||||
}
|
free(cdata);
|
||||||
|
#endif
|
||||||
- return crypt_md5_wrapper(password);
|
- return crypt_md5_wrapper(password);
|
||||||
+ return NULL;
|
+ return NULL;
|
||||||
}
|
}
|
||||||
|
sp = x_strdup(sp);
|
||||||
return x_strdup(sp);
|
#ifdef HAVE_CRYPT_R
|
@ -1,7 +1,7 @@
|
|||||||
diff -up Linux-PAM-1.1.6/configure.in.links Linux-PAM-1.1.6/configure.in
|
diff -up Linux-PAM-1.2.0/configure.ac.links Linux-PAM-1.2.0/configure.ac
|
||||||
--- Linux-PAM-1.1.6/configure.in.links 2013-04-24 13:13:36.000000000 +0200
|
--- Linux-PAM-1.2.0/configure.ac.links 2015-05-15 16:00:03.406295266 +0200
|
||||||
+++ Linux-PAM-1.1.6/configure.in 2013-08-07 14:08:03.818055990 +0200
|
+++ Linux-PAM-1.2.0/configure.ac 2015-05-15 16:00:03.425295702 +0200
|
||||||
@@ -548,9 +548,9 @@ JH_CHECK_XML_CATALOG([-//OASIS//DTD DocB
|
@@ -564,9 +564,9 @@ JH_CHECK_XML_CATALOG([-//OASIS//DTD DocB
|
||||||
JH_CHECK_XML_CATALOG([http://docbook.sourceforge.net/release/xsl/current/manpages/docbook.xsl],
|
JH_CHECK_XML_CATALOG([http://docbook.sourceforge.net/release/xsl/current/manpages/docbook.xsl],
|
||||||
[DocBook XSL Stylesheets], [], enable_docu=no)
|
[DocBook XSL Stylesheets], [], enable_docu=no)
|
||||||
|
|
49
pam.spec
49
pam.spec
@ -2,8 +2,8 @@
|
|||||||
|
|
||||||
Summary: An extensible library which provides authentication for applications
|
Summary: An extensible library which provides authentication for applications
|
||||||
Name: pam
|
Name: pam
|
||||||
Version: 1.1.8
|
Version: 1.2.0
|
||||||
Release: 18%{?dist}
|
Release: 1%{?dist}
|
||||||
# The library is BSD licensed with option to relicense as GPLv2+
|
# The library is BSD licensed with option to relicense as GPLv2+
|
||||||
# - this option is redundant as the BSD license allows that anyway.
|
# - this option is redundant as the BSD license allows that anyway.
|
||||||
# pam_timestamp, pam_loginuid, and pam_console modules are GPLv2+.
|
# pam_timestamp, pam_loginuid, and pam_console modules are GPLv2+.
|
||||||
@ -28,34 +28,21 @@ Source15: pamtmp.conf
|
|||||||
Source16: postlogin.pamd
|
Source16: postlogin.pamd
|
||||||
Source17: postlogin.5
|
Source17: postlogin.5
|
||||||
Source18: https://www.gnu.org/licenses/old-licenses/gpl-2.0.txt
|
Source18: https://www.gnu.org/licenses/old-licenses/gpl-2.0.txt
|
||||||
Patch1: pam-1.0.90-redhat-modules.patch
|
Patch1: pam-1.2.0-redhat-modules.patch
|
||||||
Patch2: pam-1.1.6-std-noclose.patch
|
|
||||||
Patch4: pam-1.1.0-console-nochmod.patch
|
Patch4: pam-1.1.0-console-nochmod.patch
|
||||||
Patch5: pam-1.1.0-notally.patch
|
Patch5: pam-1.1.0-notally.patch
|
||||||
Patch8: pam-1.1.1-faillock.patch
|
Patch8: pam-1.2.0-faillock.patch
|
||||||
Patch9: pam-1.1.6-noflex.patch
|
Patch9: pam-1.1.6-noflex.patch
|
||||||
Patch10: pam-1.1.3-nouserenv.patch
|
Patch10: pam-1.1.3-nouserenv.patch
|
||||||
Patch13: pam-1.1.6-limits-user.patch
|
Patch13: pam-1.1.6-limits-user.patch
|
||||||
Patch15: pam-1.1.8-full-relro.patch
|
Patch15: pam-1.1.8-full-relro.patch
|
||||||
# FIPS related - non upstreamable
|
# FIPS related - non upstreamable
|
||||||
Patch20: pam-1.1.5-unix-no-fallback.patch
|
Patch20: pam-1.2.0-unix-no-fallback.patch
|
||||||
Patch27: pam-1.1.8-lastlog-uninitialized.patch
|
|
||||||
Patch28: pam-1.1.1-console-errmsg.patch
|
Patch28: pam-1.1.1-console-errmsg.patch
|
||||||
# Upstreamed partially
|
# Upstreamed partially
|
||||||
Patch29: pam-1.1.8-pwhistory-helper.patch
|
Patch29: pam-1.1.8-pwhistory-helper.patch
|
||||||
Patch31: pam-1.1.6-use-links.patch
|
Patch30: pam-1.2.0-use-links.patch
|
||||||
Patch32: pam-1.1.7-tty-audit-init.patch
|
Patch31: pam-1.1.8-audit-user-mgmt.patch
|
||||||
Patch33: pam-1.1.8-translation-updates.patch
|
|
||||||
Patch34: pam-1.1.8-canonicalize-username.patch
|
|
||||||
Patch35: pam-1.1.8-cve-2013-7041.patch
|
|
||||||
Patch36: pam-1.1.8-cve-2014-2583.patch
|
|
||||||
Patch37: pam-1.1.8-loginuid-container.patch
|
|
||||||
Patch38: pam-1.1.8-opasswd-tolerant.patch
|
|
||||||
Patch39: pam-1.1.8-audit-grantor.patch
|
|
||||||
Patch40: pam-1.1.8-man-dbsuffix.patch
|
|
||||||
Patch41: pam-1.1.8-limits-check-process.patch
|
|
||||||
Patch42: pam-1.1.8-limits-docfix.patch
|
|
||||||
Patch43: pam-1.1.8-audit-user-mgmt.patch
|
|
||||||
|
|
||||||
%define _pamlibdir %{_libdir}
|
%define _pamlibdir %{_libdir}
|
||||||
%define _moduledir %{_libdir}/security
|
%define _moduledir %{_libdir}/security
|
||||||
@ -114,6 +101,7 @@ and modules for use with the PAM system.
|
|||||||
%prep
|
%prep
|
||||||
%setup -q -n Linux-PAM-%{version} -a 2
|
%setup -q -n Linux-PAM-%{version} -a 2
|
||||||
perl -pi -e "s/ppc64-\*/ppc64-\* \| ppc64p7-\*/" build-aux/config.sub
|
perl -pi -e "s/ppc64-\*/ppc64-\* \| ppc64p7-\*/" build-aux/config.sub
|
||||||
|
perl -pi -e "s/\/lib \/usr\/lib/\/lib \/usr\/lib \/lib64 \/usr\/lib64/" m4/libtool.m4
|
||||||
|
|
||||||
# Add custom modules.
|
# Add custom modules.
|
||||||
mv pam-redhat-%{pam_redhat_version}/* modules
|
mv pam-redhat-%{pam_redhat_version}/* modules
|
||||||
@ -121,7 +109,6 @@ mv pam-redhat-%{pam_redhat_version}/* modules
|
|||||||
cp %{SOURCE18} .
|
cp %{SOURCE18} .
|
||||||
|
|
||||||
%patch1 -p1 -b .redhat-modules
|
%patch1 -p1 -b .redhat-modules
|
||||||
%patch2 -p1 -b .std-noclose
|
|
||||||
%patch4 -p1 -b .nochmod
|
%patch4 -p1 -b .nochmod
|
||||||
%patch5 -p1 -b .notally
|
%patch5 -p1 -b .notally
|
||||||
%patch8 -p1 -b .faillock
|
%patch8 -p1 -b .faillock
|
||||||
@ -130,26 +117,15 @@ cp %{SOURCE18} .
|
|||||||
%patch13 -p1 -b .limits
|
%patch13 -p1 -b .limits
|
||||||
%patch15 -p1 -b .relro
|
%patch15 -p1 -b .relro
|
||||||
%patch20 -p1 -b .no-fallback
|
%patch20 -p1 -b .no-fallback
|
||||||
%patch27 -p1 -b .uninitialized
|
|
||||||
%patch28 -p1 -b .errmsg
|
%patch28 -p1 -b .errmsg
|
||||||
%patch29 -p1 -b .pwhhelper
|
%patch29 -p1 -b .pwhhelper
|
||||||
%patch31 -p1 -b .links
|
%patch30 -p1 -b .links
|
||||||
%patch32 -p1 -b .tty-audit-init
|
%patch31 -p1 -b .audit-user-mgmt
|
||||||
%patch33 -p2 -b .translations
|
|
||||||
%patch34 -p1 -b .canonicalize
|
|
||||||
%patch35 -p1 -b .case
|
|
||||||
%patch36 -p1 -b .timestamp-ruser
|
|
||||||
%patch37 -p1 -b .container
|
|
||||||
%patch38 -p1 -b .opasswd-tolerant
|
|
||||||
%patch39 -p1 -b .grantor
|
|
||||||
%patch40 -p1 -b .dbsuffix
|
|
||||||
%patch41 -p1 -b .check-process
|
|
||||||
%patch42 -p1 -b .docfix
|
|
||||||
%patch43 -p1 -b .audit-user-mgmt
|
|
||||||
|
|
||||||
%build
|
%build
|
||||||
autoreconf -i
|
autoreconf -i
|
||||||
%configure \
|
%configure \
|
||||||
|
--disable-rpath \
|
||||||
--libdir=%{_pamlibdir} \
|
--libdir=%{_pamlibdir} \
|
||||||
--includedir=%{_includedir}/security \
|
--includedir=%{_includedir}/security \
|
||||||
%if ! %{WITH_SELINUX}
|
%if ! %{WITH_SELINUX}
|
||||||
@ -396,6 +372,9 @@ fi
|
|||||||
%doc doc/adg/*.txt doc/adg/html
|
%doc doc/adg/*.txt doc/adg/html
|
||||||
|
|
||||||
%changelog
|
%changelog
|
||||||
|
* Fri May 15 2015 Tomáš Mráz <tmraz@redhat.com> 1.2.0-1
|
||||||
|
- new upstream release with multiple minor improvements
|
||||||
|
|
||||||
* Fri Oct 17 2014 Tomáš Mráz <tmraz@redhat.com> 1.1.8-18
|
* Fri Oct 17 2014 Tomáš Mráz <tmraz@redhat.com> 1.1.8-18
|
||||||
- use USER_MGMT type for auditing in the pam_tally2 and faillock
|
- use USER_MGMT type for auditing in the pam_tally2 and faillock
|
||||||
apps (#1151576)
|
apps (#1151576)
|
||||||
|
Loading…
Reference in New Issue
Block a user