- correctly relabel tty in the default case (#229542)
- pam_unix: cleanup of bigcrypt support - pam_unix: allow modification of '*' passwords to root
This commit is contained in:
parent
504a3315ce
commit
71ab958a92
@ -1,5 +1,5 @@
|
||||
--- Linux-PAM-0.99.6.2/modules/pam_selinux/pam_selinux.8.xml.select-context 2006-12-27 10:59:06.000000000 -0500
|
||||
+++ Linux-PAM-0.99.6.2/modules/pam_selinux/pam_selinux.8.xml 2006-12-27 10:59:06.000000000 -0500
|
||||
--- Linux-PAM-0.99.6.2/modules/pam_selinux/pam_selinux.8.xml.select-context 2007-02-21 20:38:10.000000000 +0100
|
||||
+++ Linux-PAM-0.99.6.2/modules/pam_selinux/pam_selinux.8.xml 2007-02-21 20:38:11.000000000 +0100
|
||||
@@ -33,6 +33,9 @@
|
||||
<arg choice="opt">
|
||||
verbose
|
||||
@ -28,8 +28,8 @@
|
||||
</variablelist>
|
||||
</refsect1>
|
||||
|
||||
--- Linux-PAM-0.99.6.2/modules/pam_selinux/pam_selinux.c.select-context 2006-12-27 10:59:06.000000000 -0500
|
||||
+++ Linux-PAM-0.99.6.2/modules/pam_selinux/pam_selinux.c 2007-01-03 16:06:21.000000000 -0500
|
||||
--- Linux-PAM-0.99.6.2/modules/pam_selinux/pam_selinux.c.select-context 2007-02-21 20:38:10.000000000 +0100
|
||||
+++ Linux-PAM-0.99.6.2/modules/pam_selinux/pam_selinux.c 2007-02-21 20:44:01.000000000 +0100
|
||||
@@ -63,9 +63,64 @@
|
||||
#include <selinux/selinux.h>
|
||||
#include <selinux/get_context_list.h>
|
||||
@ -360,7 +360,7 @@
|
||||
username == NULL) {
|
||||
return PAM_USER_UNKNOWN;
|
||||
}
|
||||
@@ -319,19 +485,38 @@
|
||||
@@ -319,19 +485,39 @@
|
||||
&contextlist);
|
||||
if (debug)
|
||||
pam_syslog(pamh, LOG_DEBUG, "Username= %s SELinux User = %s Level= %s",
|
||||
@ -378,6 +378,7 @@
|
||||
+ pam_syslog(pamh, LOG_ERR, _("Out of memory"));
|
||||
+ return PAM_AUTH_ERR;
|
||||
+ }
|
||||
+ user_context = default_user_context;
|
||||
+ if (select_context && has_tty) {
|
||||
+ user_context = config_context(pamh, default_user_context, debug);
|
||||
+ if (user_context == NULL) {
|
||||
@ -404,7 +405,7 @@
|
||||
if (security_getenforce() == 1)
|
||||
return PAM_AUTH_ERR;
|
||||
else
|
||||
@@ -340,7 +525,7 @@
|
||||
@@ -340,7 +526,7 @@
|
||||
} else {
|
||||
pam_syslog (pamh, LOG_ERR,
|
||||
"Unable to get valid context for %s, No valid tty",
|
||||
@ -413,17 +414,18 @@
|
||||
if (security_getenforce() == 1)
|
||||
return PAM_AUTH_ERR;
|
||||
else
|
||||
@@ -371,6 +556,9 @@
|
||||
@@ -371,6 +557,10 @@
|
||||
ttyn=strdup(tty);
|
||||
ttyn_context=security_label_tty(pamh,ttyn,user_context);
|
||||
}
|
||||
+ send_audit_message(pamh, 1, default_user_context, user_context);
|
||||
+ freecon(default_user_context);
|
||||
+
|
||||
+ if (default_user_context != user_context) {
|
||||
+ freecon(default_user_context);
|
||||
+ }
|
||||
ret = setexeccon(user_context);
|
||||
if (ret==0 && verbose) {
|
||||
char msg[PATH_MAX];
|
||||
@@ -381,7 +569,7 @@
|
||||
@@ -381,7 +571,7 @@
|
||||
if (ret) {
|
||||
pam_syslog(pamh, LOG_ERR,
|
||||
"Error! Unable to set %s executable context %s.",
|
||||
@ -432,7 +434,7 @@
|
||||
if (security_getenforce() == 1) {
|
||||
freecon(user_context);
|
||||
return PAM_AUTH_ERR;
|
||||
@@ -389,7 +577,7 @@
|
||||
@@ -389,7 +579,7 @@
|
||||
} else {
|
||||
if (debug)
|
||||
pam_syslog(pamh, LOG_NOTICE, "set %s security context to %s",
|
||||
@ -441,7 +443,7 @@
|
||||
}
|
||||
#ifdef HAVE_SETKEYCREATECON
|
||||
ret = setkeycreatecon(user_context);
|
||||
@@ -402,7 +590,7 @@
|
||||
@@ -402,7 +592,7 @@
|
||||
if (ret) {
|
||||
pam_syslog(pamh, LOG_ERR,
|
||||
"Error! Unable to set %s key creation context %s.",
|
||||
@ -450,7 +452,7 @@
|
||||
if (security_getenforce() == 1) {
|
||||
freecon(user_context);
|
||||
return PAM_AUTH_ERR;
|
||||
@@ -410,7 +598,7 @@
|
||||
@@ -410,7 +600,7 @@
|
||||
} else {
|
||||
if (debug)
|
||||
pam_syslog(pamh, LOG_NOTICE, "set %s key creation context to %s",
|
||||
|
16
pam-0.99.7.1-unix-allow-pwmodify.patch
Normal file
16
pam-0.99.7.1-unix-allow-pwmodify.patch
Normal file
@ -0,0 +1,16 @@
|
||||
--- Linux-PAM-0.99.7.1/modules/pam_unix/pam_unix_passwd.c.pwmodify 2006-12-20 12:08:59.000000000 +0100
|
||||
+++ Linux-PAM-0.99.7.1/modules/pam_unix/pam_unix_passwd.c 2007-02-21 21:01:48.000000000 +0100
|
||||
@@ -1077,13 +1077,6 @@
|
||||
user);
|
||||
return PAM_USER_UNKNOWN;
|
||||
}
|
||||
- if (!_unix_shadowed(pwd) &&
|
||||
- (strchr(pwd->pw_passwd, '*') != NULL)) {
|
||||
- pam_syslog(pamh, LOG_DEBUG,
|
||||
- "user \"%s\" does not have modifiable password",
|
||||
- user);
|
||||
- return PAM_USER_UNKNOWN;
|
||||
- }
|
||||
}
|
||||
|
||||
/*
|
126
pam-0.99.7.1-unix-bigcrypt.patch
Normal file
126
pam-0.99.7.1-unix-bigcrypt.patch
Normal file
@ -0,0 +1,126 @@
|
||||
--- Linux-PAM-0.99.7.1/modules/pam_unix/support.c.bigcrypt 2007-02-21 20:30:24.000000000 +0100
|
||||
+++ Linux-PAM-0.99.7.1/modules/pam_unix/support.c 2007-02-21 21:17:29.000000000 +0100
|
||||
@@ -694,7 +694,7 @@
|
||||
}
|
||||
}
|
||||
} else {
|
||||
- int salt_len;
|
||||
+ size_t salt_len;
|
||||
strip_hpux_aging(salt);
|
||||
salt_len = strlen(salt);
|
||||
if (!salt_len) {
|
||||
@@ -706,19 +706,19 @@
|
||||
D(("user has empty password - access denied"));
|
||||
retval = PAM_AUTH_ERR;
|
||||
}
|
||||
- } else if (!p || (*salt == '*')) {
|
||||
+ } else if (!p || *salt == '*' || *salt == '!') {
|
||||
retval = PAM_AUTH_ERR;
|
||||
} else {
|
||||
if (!strncmp(salt, "$1$", 3)) {
|
||||
pp = Goodcrypt_md5(p, salt);
|
||||
- if (strcmp(pp, salt) != 0) {
|
||||
+ if (pp && strcmp(pp, salt) != 0) {
|
||||
_pam_delete(pp);
|
||||
pp = Brokencrypt_md5(p, salt);
|
||||
}
|
||||
} else if (*salt != '$' && salt_len >= 13) {
|
||||
pp = bigcrypt(p, salt);
|
||||
- if (strlen(pp) > salt_len) {
|
||||
- pp[salt_len] = '\0';
|
||||
+ if (pp && salt_len == 13 && strlen(pp) > salt_len) {
|
||||
+ _pam_overwrite(pp + salt_len);
|
||||
}
|
||||
} else {
|
||||
/*
|
||||
@@ -732,7 +732,7 @@
|
||||
/* the moment of truth -- do we agree with the password? */
|
||||
D(("comparing state of pp[%s] and salt[%s]", pp, salt));
|
||||
|
||||
- if (strcmp(pp, salt) == 0) {
|
||||
+ if (pp && strcmp(pp, salt) == 0) {
|
||||
retval = PAM_SUCCESS;
|
||||
} else {
|
||||
retval = PAM_AUTH_ERR;
|
||||
--- Linux-PAM-0.99.7.1/modules/pam_unix/unix_chkpwd.c.bigcrypt 2007-02-21 20:30:24.000000000 +0100
|
||||
+++ Linux-PAM-0.99.7.1/modules/pam_unix/unix_chkpwd.c 2007-02-21 21:18:57.000000000 +0100
|
||||
@@ -159,7 +159,7 @@
|
||||
char *salt = NULL;
|
||||
char *pp = NULL;
|
||||
int retval = PAM_AUTH_ERR;
|
||||
- int salt_len;
|
||||
+ size_t salt_len;
|
||||
|
||||
/* UNIX passwords area */
|
||||
setpwent();
|
||||
@@ -205,6 +205,8 @@
|
||||
return (nullok == 0) ? PAM_AUTH_ERR : PAM_SUCCESS;
|
||||
}
|
||||
if (p == NULL || strlen(p) == 0) {
|
||||
+ _pam_overwrite(salt);
|
||||
+ _pam_drop(salt);
|
||||
return PAM_AUTHTOK_ERR;
|
||||
}
|
||||
|
||||
@@ -212,11 +214,13 @@
|
||||
retval = PAM_AUTH_ERR;
|
||||
if (!strncmp(salt, "$1$", 3)) {
|
||||
pp = Goodcrypt_md5(p, salt);
|
||||
- if (strcmp(pp, salt) == 0) {
|
||||
+ if (pp && strcmp(pp, salt) == 0) {
|
||||
retval = PAM_SUCCESS;
|
||||
} else {
|
||||
+ _pam_overwrite(pp);
|
||||
+ _pam_drop(pp);
|
||||
pp = Brokencrypt_md5(p, salt);
|
||||
- if (strcmp(pp, salt) == 0)
|
||||
+ if (pp && strcmp(pp, salt) == 0)
|
||||
retval = PAM_SUCCESS;
|
||||
}
|
||||
} else if (*salt == '$') {
|
||||
@@ -225,10 +229,10 @@
|
||||
* libcrypt nows about it? We should try it.
|
||||
*/
|
||||
pp = x_strdup (crypt(p, salt));
|
||||
- if (strcmp(pp, salt) == 0) {
|
||||
+ if (pp && strcmp(pp, salt) == 0) {
|
||||
retval = PAM_SUCCESS;
|
||||
}
|
||||
- } else if ((*salt == '*') || (salt_len < 13)) {
|
||||
+ } else if (*salt == '*' || *salt == '!' || salt_len < 13) {
|
||||
retval = PAM_AUTH_ERR;
|
||||
} else {
|
||||
pp = bigcrypt(p, salt);
|
||||
@@ -239,24 +243,21 @@
|
||||
* have been truncated for storage relative to the output
|
||||
* of bigcrypt here. As such we need to compare only the
|
||||
* stored string with the subset of bigcrypt's result.
|
||||
- * Bug 521314: the strncmp comparison is for legacy support.
|
||||
+ * Bug 521314.
|
||||
*/
|
||||
- if (strncmp(pp, salt, salt_len) == 0) {
|
||||
+ if (pp && salt_len == 13 && strlen(pp) > salt_len) {
|
||||
+ _pam_overwrite(pp+salt_len);
|
||||
+ }
|
||||
+
|
||||
+ if (pp && strcmp(pp, salt) == 0) {
|
||||
retval = PAM_SUCCESS;
|
||||
}
|
||||
}
|
||||
p = NULL; /* no longer needed here */
|
||||
|
||||
/* clean up */
|
||||
- {
|
||||
- char *tp = pp;
|
||||
- if (pp != NULL) {
|
||||
- while (tp && *tp)
|
||||
- *tp++ = '\0';
|
||||
- free(pp);
|
||||
- }
|
||||
- pp = tp = NULL;
|
||||
- }
|
||||
+ _pam_overwrite(pp);
|
||||
+ _pam_drop(pp);
|
||||
|
||||
return retval;
|
||||
}
|
12
pam.spec
12
pam.spec
@ -11,7 +11,7 @@
|
||||
Summary: A security tool which provides authentication for applications
|
||||
Name: pam
|
||||
Version: 0.99.7.1
|
||||
Release: 2%{?dist}
|
||||
Release: 3%{?dist}
|
||||
License: GPL or BSD
|
||||
Group: System Environment/Base
|
||||
Source0: http://ftp.us.kernel.org/pub/linux/libs/pam/pre/library/Linux-PAM-%{version}.tar.bz2
|
||||
@ -27,6 +27,8 @@ Source10: config-util.5
|
||||
Patch1: pam-0.99.7.0-redhat-modules.patch
|
||||
Patch2: pam-0.99.7.1-console-more-displays.patch
|
||||
Patch21: pam-0.78-unix-hpux-aging.patch
|
||||
Patch22: pam-0.99.7.1-unix-allow-pwmodify.patch
|
||||
Patch23: pam-0.99.7.1-unix-bigcrypt.patch
|
||||
Patch34: pam-0.99.7.0-dbpam.patch
|
||||
Patch70: pam-0.99.2.1-selinux-nofail.patch
|
||||
Patch80: pam-0.99.6.2-selinux-drop-multiple.patch
|
||||
@ -94,6 +96,8 @@ cp %{SOURCE7} .
|
||||
%patch1 -p1 -b .redhat-modules
|
||||
%patch2 -p1 -b .displays
|
||||
%patch21 -p1 -b .unix-hpux-aging
|
||||
%patch22 -p1 -b .pwmodify
|
||||
%patch23 -p1 -b .bigcrypt
|
||||
%patch34 -p1 -b .dbpam
|
||||
%patch70 -p1 -b .nofail
|
||||
%patch80 -p1 -b .drop-multiple
|
||||
@ -106,6 +110,7 @@ cp %{SOURCE7} .
|
||||
%patch93 -p1 -b .level
|
||||
%patch94 -p1 -b .unmnt-override
|
||||
%patch95 -p1 -b .range
|
||||
|
||||
autoreconf
|
||||
|
||||
%build
|
||||
@ -397,6 +402,11 @@ fi
|
||||
%doc doc/adg/*.txt doc/adg/html
|
||||
|
||||
%changelog
|
||||
* Wed Feb 21 2007 Tomas Mraz <tmraz@redhat.com> 0.99.7.1-3
|
||||
- correctly relabel tty in the default case (#229542)
|
||||
- pam_unix: cleanup of bigcrypt support
|
||||
- pam_unix: allow modification of '*' passwords to root
|
||||
|
||||
* Tue Feb 6 2007 Tomas Mraz <tmraz@redhat.com> 0.99.7.1-2
|
||||
- more X displays as consoles (#227462)
|
||||
|
||||
|
Loading…
Reference in New Issue
Block a user