From 71ab958a92158315776d38e538686aedb42d8e78 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Tom=C3=A1=C5=A1=20Mr=C3=A1z?= Date: Wed, 21 Feb 2007 20:32:28 +0000 Subject: [PATCH] - correctly relabel tty in the default case (#229542) - pam_unix: cleanup of bigcrypt support - pam_unix: allow modification of '*' passwords to root --- pam-0.99.6.2-selinux-select-context.patch | 28 ++--- pam-0.99.7.1-unix-allow-pwmodify.patch | 16 +++ pam-0.99.7.1-unix-bigcrypt.patch | 126 ++++++++++++++++++++++ pam.spec | 12 ++- 4 files changed, 168 insertions(+), 14 deletions(-) create mode 100644 pam-0.99.7.1-unix-allow-pwmodify.patch create mode 100644 pam-0.99.7.1-unix-bigcrypt.patch diff --git a/pam-0.99.6.2-selinux-select-context.patch b/pam-0.99.6.2-selinux-select-context.patch index 0a0040e..475369c 100644 --- a/pam-0.99.6.2-selinux-select-context.patch +++ b/pam-0.99.6.2-selinux-select-context.patch @@ -1,5 +1,5 @@ ---- Linux-PAM-0.99.6.2/modules/pam_selinux/pam_selinux.8.xml.select-context 2006-12-27 10:59:06.000000000 -0500 -+++ Linux-PAM-0.99.6.2/modules/pam_selinux/pam_selinux.8.xml 2006-12-27 10:59:06.000000000 -0500 +--- Linux-PAM-0.99.6.2/modules/pam_selinux/pam_selinux.8.xml.select-context 2007-02-21 20:38:10.000000000 +0100 ++++ Linux-PAM-0.99.6.2/modules/pam_selinux/pam_selinux.8.xml 2007-02-21 20:38:11.000000000 +0100 @@ -33,6 +33,9 @@ verbose @@ -28,8 +28,8 @@ ---- Linux-PAM-0.99.6.2/modules/pam_selinux/pam_selinux.c.select-context 2006-12-27 10:59:06.000000000 -0500 -+++ Linux-PAM-0.99.6.2/modules/pam_selinux/pam_selinux.c 2007-01-03 16:06:21.000000000 -0500 +--- Linux-PAM-0.99.6.2/modules/pam_selinux/pam_selinux.c.select-context 2007-02-21 20:38:10.000000000 +0100 ++++ Linux-PAM-0.99.6.2/modules/pam_selinux/pam_selinux.c 2007-02-21 20:44:01.000000000 +0100 @@ -63,9 +63,64 @@ #include #include 
@@ -360,7 +360,7 @@ username == NULL) { return PAM_USER_UNKNOWN; } -@@ -319,19 +485,38 @@ +@@ -319,19 +485,39 @@ &contextlist); if (debug) pam_syslog(pamh, LOG_DEBUG, "Username= %s SELinux User = %s Level= %s", @@ -378,6 +378,7 @@ + pam_syslog(pamh, LOG_ERR, _("Out of memory")); + return PAM_AUTH_ERR; + } ++ user_context = default_user_context; + if (select_context && has_tty) { + user_context = config_context(pamh, default_user_context, debug); + if (user_context == NULL) { @@ -404,7 +405,7 @@ if (security_getenforce() == 1) return PAM_AUTH_ERR; else -@@ -340,7 +525,7 @@ +@@ -340,7 +526,7 @@ } else { pam_syslog (pamh, LOG_ERR, "Unable to get valid context for %s, No valid tty", @@ -413,17 +414,18 @@ if (security_getenforce() == 1) return PAM_AUTH_ERR; else -@@ -371,6 +556,9 @@ +@@ -371,6 +557,10 @@ ttyn=strdup(tty); ttyn_context=security_label_tty(pamh,ttyn,user_context); } + send_audit_message(pamh, 1, default_user_context, user_context); -+ freecon(default_user_context); -+ ++ if (default_user_context != user_context) { ++ freecon(default_user_context); ++ } ret = setexeccon(user_context); if (ret==0 && verbose) { char msg[PATH_MAX]; -@@ -381,7 +569,7 @@ +@@ -381,7 +571,7 @@ if (ret) { pam_syslog(pamh, LOG_ERR, "Error! Unable to set %s executable context %s.", @@ -432,7 +434,7 @@ if (security_getenforce() == 1) { freecon(user_context); return PAM_AUTH_ERR; -@@ -389,7 +577,7 @@ +@@ -389,7 +579,7 @@ } else { if (debug) pam_syslog(pamh, LOG_NOTICE, "set %s security context to %s", @@ -441,7 +443,7 @@ } #ifdef HAVE_SETKEYCREATECON ret = setkeycreatecon(user_context); -@@ -402,7 +590,7 @@ +@@ -402,7 +592,7 @@ if (ret) { pam_syslog(pamh, LOG_ERR, "Error! Unable to set %s key creation context %s.", @@ -450,7 +452,7 @@ if (security_getenforce() == 1) { freecon(user_context); return PAM_AUTH_ERR; -@@ -410,7 +598,7 @@ +@@ -410,7 +600,7 @@ } else { if (debug) pam_syslog(pamh, LOG_NOTICE, "set %s key creation context to %s", 
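Review bot: With `user_context = default_user_context;` added in the `@@ -378,6 +378,7 @@` hunk the two pointers may now alias, and the only thing that keeps the later `freecon(user_context)` exits (visible in the `@@ -432` and `@@ -450` hunks) from becoming a double free is the pointer comparison added before `ret = setexeccon(user_context);`; that invariant should be written down at the assignment, e.g. `/* user_context may alias default_user_context; the default is released below only when a distinct context was selected */`. The `return PAM_AUTH_ERR;` in the `@@ -404,7 +405,7 @@` hunk appears to be the enforcing-mode exit of the `user_context == NULL` branch, and if so it returns without releasing `default_user_context`, which this commit keeps alive past that point; the branch body is mostly outside the hunk, so this needs confirming against the full function. The enclosing function starts and ends outside every hunk shown here.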
diff --git a/pam-0.99.7.1-unix-allow-pwmodify.patch b/pam-0.99.7.1-unix-allow-pwmodify.patch
new file mode 100644
index 0000000..2a0914c
--- /dev/null
+++ b/pam-0.99.7.1-unix-allow-pwmodify.patch
@@ -0,0 +1,16 @@
+--- Linux-PAM-0.99.7.1/modules/pam_unix/pam_unix_passwd.c.pwmodify 2006-12-20 12:08:59.000000000 +0100
++++ Linux-PAM-0.99.7.1/modules/pam_unix/pam_unix_passwd.c 2007-02-21 21:01:48.000000000 +0100
+@@ -1077,13 +1077,6 @@
+ user);
+ return PAM_USER_UNKNOWN;
+ }
+- if (!_unix_shadowed(pwd) &&
+- (strchr(pwd->pw_passwd, '*') != NULL)) {
+- pam_syslog(pamh, LOG_DEBUG,
+- "user \"%s\" does not have modifiable password",
+- user);
+- return PAM_USER_UNKNOWN;
+- }
+ }
+
+ /*
diff --git a/pam-0.99.7.1-unix-bigcrypt.patch b/pam-0.99.7.1-unix-bigcrypt.patch
new file mode 100644
index 0000000..e5f53d6
--- /dev/null
+++ b/pam-0.99.7.1-unix-bigcrypt.patch
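Review bot: The removed guard was unconditional, so deleting it makes the `*` non-shadow password case reachable for every caller, not only root as the commit message states; nothing in the hunk restricts the new behaviour. If non-root callers are expected to be stopped by the old-password authentication earlier in the change flow (not visible here), that dependency should be stated in a comment at this spot; otherwise the condition should be narrowed rather than dropped, e.g. `if (getuid() != 0 && !_unix_shadowed(pwd) && strchr(pwd->pw_passwd, '*') != NULL) {` keeping the existing `pam_syslog` call and `return PAM_USER_UNKNOWN;`. The enclosing function starts and ends outside this hunk.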
@@ -0,0 +1,126 @@
+--- Linux-PAM-0.99.7.1/modules/pam_unix/support.c.bigcrypt 2007-02-21 20:30:24.000000000 +0100
++++ Linux-PAM-0.99.7.1/modules/pam_unix/support.c 2007-02-21 21:17:29.000000000 +0100
+@@ -694,7 +694,7 @@
+ }
+ }
+ } else {
+- int salt_len;
++ size_t salt_len;
+ strip_hpux_aging(salt);
+ salt_len = strlen(salt);
+ if (!salt_len) {
+@@ -706,19 +706,19 @@
+ D(("user has empty password - access denied"));
+ retval = PAM_AUTH_ERR;
+ }
+- } else if (!p || (*salt == '*')) {
++ } else if (!p || *salt == '*' || *salt == '!') {
+ retval = PAM_AUTH_ERR;
+ } else {
+ if (!strncmp(salt, "$1$", 3)) {
+ pp = Goodcrypt_md5(p, salt);
+- if (strcmp(pp, salt) != 0) {
++ if (pp && strcmp(pp, salt) != 0) {
+ _pam_delete(pp);
+ pp = Brokencrypt_md5(p, salt);
+ }
+ } else if (*salt != '$' && salt_len >= 13) {
+ pp = bigcrypt(p, salt);
+- if (strlen(pp) > salt_len) {
+- pp[salt_len] = '\0';
++ if (pp && salt_len == 13 && strlen(pp) > salt_len) {
++ _pam_overwrite(pp + salt_len);
+ }
+ } else {
+ /*
+@@ -732,7 +732,7 @@
+ /* the moment of truth -- do we agree with the password? */
+ D(("comparing state of pp[%s] and salt[%s]", pp, salt));
+
+- if (strcmp(pp, salt) == 0) {
++ if (pp && strcmp(pp, salt) == 0) {
+ retval = PAM_SUCCESS;
+ } else {
+ retval = PAM_AUTH_ERR;
+--- Linux-PAM-0.99.7.1/modules/pam_unix/unix_chkpwd.c.bigcrypt 2007-02-21 20:30:24.000000000 +0100
++++ Linux-PAM-0.99.7.1/modules/pam_unix/unix_chkpwd.c 2007-02-21 21:18:57.000000000 +0100
+@@ -159,7 +159,7 @@
+ char *salt = NULL;
+ char *pp = NULL;
+ int retval = PAM_AUTH_ERR;
+- int salt_len;
++ size_t salt_len;
+
+ /* UNIX passwords area */
+ setpwent();
+@@ -205,6 +205,8 @@
+ return (nullok == 0) ? PAM_AUTH_ERR : PAM_SUCCESS;
+ }
+ if (p == NULL || strlen(p) == 0) {
++ _pam_overwrite(salt);
++ _pam_drop(salt);
+ return PAM_AUTHTOK_ERR;
+ }
+
+@@ -212,11 +214,13 @@
+ retval = PAM_AUTH_ERR;
+ if (!strncmp(salt, "$1$", 3)) {
+ pp = Goodcrypt_md5(p, salt);
+- if (strcmp(pp, salt) == 0) {
++ if (pp && strcmp(pp, salt) == 0) {
+ retval = PAM_SUCCESS;
+ } else {
++ _pam_overwrite(pp);
++ _pam_drop(pp);
+ pp = Brokencrypt_md5(p, salt);
+- if (strcmp(pp, salt) == 0)
++ if (pp && strcmp(pp, salt) == 0)
+ retval = PAM_SUCCESS;
+ }
+ } else if (*salt == '$') {
+@@ -225,10 +229,10 @@
+ * libcrypt nows about it? We should try it.
+ */
+ pp = x_strdup (crypt(p, salt));
+- if (strcmp(pp, salt) == 0) {
++ if (pp && strcmp(pp, salt) == 0) {
+ retval = PAM_SUCCESS;
+ }
+- } else if ((*salt == '*') || (salt_len < 13)) {
++ } else if (*salt == '*' || *salt == '!' || salt_len < 13) {
+ retval = PAM_AUTH_ERR;
+ } else {
+ pp = bigcrypt(p, salt);
+@@ -239,24 +243,21 @@
+ * have been truncated for storage relative to the output
+ * of bigcrypt here. As such we need to compare only the
+ * stored string with the subset of bigcrypt's result.
+- * Bug 521314: the strncmp comparison is for legacy support.
++ * Bug 521314.
+ */
+- if (strncmp(pp, salt, salt_len) == 0) {
++ if (pp && salt_len == 13 && strlen(pp) > salt_len) {
++ _pam_overwrite(pp+salt_len);
++ }
++
++ if (pp && strcmp(pp, salt) == 0) {
+ retval = PAM_SUCCESS;
+ }
+ }
+ p = NULL; /* no longer needed here */
+
+ /* clean up */
+- {
+- char *tp = pp;
+- if (pp != NULL) {
+- while (tp && *tp)
+- *tp++ = '\0';
+- free(pp);
+- }
+- pp = tp = NULL;
+- }
++ _pam_overwrite(pp);
++ _pam_drop(pp);
+
+ return retval;
+ }
diff --git a/pam.spec b/pam.spec
index 13b0e6c..23d95aa 100644
--- a/pam.spec
+++ b/pam.spec
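Review bot: In the `@@ -239,24 +243,21 @@` hunk of unix_chkpwd.c the comment shrinks to `* Bug 521314.` at the same moment the comparison becomes more specific, so the reason for truncating only when `salt_len == 13` is no longer recorded; suggest `* Only a 13-character stored hash is compared against bigcrypt's output cut back to that length (the tail is wiped, not just terminated); any longer stored hash must match bigcrypt's output in full.` The same truncate-then-`strcmp` sequence now appears twice, here and in the `@@ -706,19 +706,19 @@` hunk of support.c, already differing in spelling (`_pam_overwrite(pp+salt_len)` versus `_pam_overwrite(pp + salt_len)`); a small shared helper would keep the helper-binary path and the in-process path from drifting apart, which matters because both decide authentication outcomes. The stored-hash comparisons remain plain `strcmp` in both files, which is the existing style and not changed by this commit. Both enclosing functions start outside the visible hunks.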
@@ -11,7 +11,7 @@
 Summary: A security tool which provides authentication for applications
 Name: pam
 Version: 0.99.7.1
-Release: 2%{?dist}
+Release: 3%{?dist}
 License: GPL or BSD
 Group: System Environment/Base
 Source0: http://ftp.us.kernel.org/pub/linux/libs/pam/pre/library/Linux-PAM-%{version}.tar.bz2
@@ -27,6 +27,8 @@ Source10: config-util.5
 Patch1: pam-0.99.7.0-redhat-modules.patch
 Patch2: pam-0.99.7.1-console-more-displays.patch
 Patch21: pam-0.78-unix-hpux-aging.patch
+Patch22: pam-0.99.7.1-unix-allow-pwmodify.patch
+Patch23: pam-0.99.7.1-unix-bigcrypt.patch
 Patch34: pam-0.99.7.0-dbpam.patch
 Patch70: pam-0.99.2.1-selinux-nofail.patch
 Patch80: pam-0.99.6.2-selinux-drop-multiple.patch
@@ -94,6 +96,8 @@ cp %{SOURCE7} .
 %patch1 -p1 -b .redhat-modules
 %patch2 -p1 -b .displays
 %patch21 -p1 -b .unix-hpux-aging
+%patch22 -p1 -b .pwmodify
+%patch23 -p1 -b .bigcrypt
 %patch34 -p1 -b .dbpam
 %patch70 -p1 -b .nofail
 %patch80 -p1 -b .drop-multiple
@@ -106,6 +110,7 @@ cp %{SOURCE7} .
 %patch93 -p1 -b .level
 %patch94 -p1 -b .unmnt-override
 %patch95 -p1 -b .range
+
 autoreconf
 
 %build
@@ -397,6 +402,11 @@ fi
 %doc doc/adg/*.txt doc/adg/html
 
 %changelog
+* Wed Feb 21 2007 Tomas Mraz 0.99.7.1-3
+- correctly relabel tty in the default case (#229542)
+- pam_unix: cleanup of bigcrypt support
+- pam_unix: allow modification of '*' passwords to root
+
 * Tue Feb 6 2007 Tomas Mraz 0.99.7.1-2
 - more X displays as consoles (#227462)