- correctly relabel tty in the default case (#229542)

- pam_unix: cleanup of bigcrypt support
- pam_unix: allow modification of '*' passwords to root

pam-0.99.6.2-selinux-select-context.patch

@@ -1,5 +1,5 @@
---- Linux-PAM-0.99.6.2/modules/pam_selinux/pam_selinux.8.xml.select-context	2006-12-27 10:59:06.000000000 -0500
+--- Linux-PAM-0.99.6.2/modules/pam_selinux/pam_selinux.8.xml.select-context	2007-02-21 20:38:10.000000000 +0100
-+++ Linux-PAM-0.99.6.2/modules/pam_selinux/pam_selinux.8.xml	2006-12-27 10:59:06.000000000 -0500
++++ Linux-PAM-0.99.6.2/modules/pam_selinux/pam_selinux.8.xml	2007-02-21 20:38:11.000000000 +0100
 @@ -33,6 +33,9 @@
        <arg choice="opt">
  	verbose
@@ -28,8 +28,8 @@
      </variablelist>
    </refsect1>
  
---- Linux-PAM-0.99.6.2/modules/pam_selinux/pam_selinux.c.select-context	2006-12-27 10:59:06.000000000 -0500
+--- Linux-PAM-0.99.6.2/modules/pam_selinux/pam_selinux.c.select-context	2007-02-21 20:38:10.000000000 +0100
-+++ Linux-PAM-0.99.6.2/modules/pam_selinux/pam_selinux.c	2007-01-03 16:06:21.000000000 -0500
++++ Linux-PAM-0.99.6.2/modules/pam_selinux/pam_selinux.c	2007-02-21 20:44:01.000000000 +0100
 @@ -63,9 +63,64 @@
  #include <selinux/selinux.h>
  #include <selinux/get_context_list.h>
@@ -360,7 +360,7 @@
                     username == NULL) {
      return PAM_USER_UNKNOWN;
    }
-@@ -319,19 +485,38 @@
+@@ -319,19 +485,39 @@
  							     &contextlist);
  	  if (debug)
  		  pam_syslog(pamh, LOG_DEBUG, "Username= %s SELinux User = %s Level= %s",
@@ -378,6 +378,7 @@
 +	  pam_syslog(pamh, LOG_ERR, _("Out of memory"));
 +          return PAM_AUTH_ERR;
 +    }
++    user_context = default_user_context;
 +    if (select_context && has_tty) {
 +      user_context = config_context(pamh, default_user_context, debug);
 +      if (user_context == NULL) {
@@ -404,7 +405,7 @@
          if (security_getenforce() == 1)
            return PAM_AUTH_ERR;
          else
-@@ -340,7 +525,7 @@
+@@ -340,7 +526,7 @@
      } else {
          pam_syslog (pamh, LOG_ERR,
  		    "Unable to get valid context for %s, No valid tty",
@@ -413,17 +414,18 @@
          if (security_getenforce() == 1)
            return PAM_AUTH_ERR;
          else
-@@ -371,6 +556,9 @@
+@@ -371,6 +557,10 @@
      ttyn=strdup(tty);
      ttyn_context=security_label_tty(pamh,ttyn,user_context);
    }
 +  send_audit_message(pamh, 1, default_user_context, user_context);
++  if (default_user_context != user_context) {
 +    freecon(default_user_context);
-+
++  }
    ret = setexeccon(user_context);
    if (ret==0 && verbose) {
      char msg[PATH_MAX];
-@@ -381,7 +569,7 @@
+@@ -381,7 +571,7 @@
    if (ret) {
      pam_syslog(pamh, LOG_ERR,
  	       "Error!  Unable to set %s executable context %s.",
@@ -432,7 +434,7 @@
      if (security_getenforce() == 1) {
         freecon(user_context);
         return PAM_AUTH_ERR;
-@@ -389,7 +577,7 @@
+@@ -389,7 +579,7 @@
    } else {
      if (debug)
        pam_syslog(pamh, LOG_NOTICE, "set %s security context to %s",
@@ -441,7 +443,7 @@
    }
  #ifdef HAVE_SETKEYCREATECON
    ret = setkeycreatecon(user_context);
-@@ -402,7 +590,7 @@
+@@ -402,7 +592,7 @@
    if (ret) {
      pam_syslog(pamh, LOG_ERR,
  	       "Error!  Unable to set %s key creation context %s.",
@@ -450,7 +452,7 @@
      if (security_getenforce() == 1) {
         freecon(user_context);
         return PAM_AUTH_ERR;
-@@ -410,7 +598,7 @@
+@@ -410,7 +600,7 @@
    } else {
      if (debug)
        pam_syslog(pamh, LOG_NOTICE, "set %s key creation context to %s",

pam-0.99.7.1-unix-allow-pwmodify.patch

@@ -0,0 +1,16 @@
+--- Linux-PAM-0.99.7.1/modules/pam_unix/pam_unix_passwd.c.pwmodify	2006-12-20 12:08:59.000000000 +0100
++++ Linux-PAM-0.99.7.1/modules/pam_unix/pam_unix_passwd.c	2007-02-21 21:01:48.000000000 +0100
+@@ -1077,13 +1077,6 @@
+ 				user);
+ 			return PAM_USER_UNKNOWN;
+ 		}
+-		if (!_unix_shadowed(pwd) &&
+-		    (strchr(pwd->pw_passwd, '*') != NULL)) {
+-			pam_syslog(pamh, LOG_DEBUG,
+-				"user \"%s\" does not have modifiable password",
+-				user);
+-			return PAM_USER_UNKNOWN;
+-		}
+ 	}
+ 
+ 	/*

pam-0.99.7.1-unix-bigcrypt.patch

@@ -0,0 +1,126 @@
+--- Linux-PAM-0.99.7.1/modules/pam_unix/support.c.bigcrypt	2007-02-21 20:30:24.000000000 +0100
++++ Linux-PAM-0.99.7.1/modules/pam_unix/support.c	2007-02-21 21:17:29.000000000 +0100
+@@ -694,7 +694,7 @@
+ 			}
+ 		}
+ 	} else {
+-	    int salt_len;
++	    size_t salt_len;
+ 	    strip_hpux_aging(salt);
+ 	    salt_len = strlen(salt);
+ 	    if (!salt_len) {
+@@ -706,19 +706,19 @@
+ 		    D(("user has empty password - access denied"));
+ 		    retval = PAM_AUTH_ERR;
+ 		}
+-	    } else if (!p || (*salt == '*')) {
++	    } else if (!p || *salt == '*' || *salt == '!') {
+ 		retval = PAM_AUTH_ERR;
+ 	    } else {
+ 		if (!strncmp(salt, "$1$", 3)) {
+ 		    pp = Goodcrypt_md5(p, salt);
+-		    if (strcmp(pp, salt) != 0) {
++		    if (pp && strcmp(pp, salt) != 0) {
+ 			_pam_delete(pp);
+ 			pp = Brokencrypt_md5(p, salt);
+ 		    }
+ 		} else if (*salt != '$' && salt_len >= 13) {
+ 		    pp = bigcrypt(p, salt);
+-		    if (strlen(pp) > salt_len) {
+-			pp[salt_len] = '\0';
++		    if (pp && salt_len == 13 && strlen(pp) > salt_len) {
++			_pam_overwrite(pp + salt_len);
+ 		    }
+ 		} else {
+                     /*
+@@ -732,7 +732,7 @@
+ 		/* the moment of truth -- do we agree with the password? */
+ 		D(("comparing state of pp[%s] and salt[%s]", pp, salt));
+ 
+-		if (strcmp(pp, salt) == 0) {
++		if (pp && strcmp(pp, salt) == 0) {
+ 		    retval = PAM_SUCCESS;
+ 		} else {
+ 		    retval = PAM_AUTH_ERR;
+--- Linux-PAM-0.99.7.1/modules/pam_unix/unix_chkpwd.c.bigcrypt	2007-02-21 20:30:24.000000000 +0100
++++ Linux-PAM-0.99.7.1/modules/pam_unix/unix_chkpwd.c	2007-02-21 21:18:57.000000000 +0100
+@@ -159,7 +159,7 @@
+ 	char *salt = NULL;
+ 	char *pp = NULL;
+ 	int retval = PAM_AUTH_ERR;
+-	int salt_len;
++	size_t salt_len;
+ 
+ 	/* UNIX passwords area */
+ 	setpwent();
+@@ -205,6 +205,8 @@
+ 		return (nullok == 0) ? PAM_AUTH_ERR : PAM_SUCCESS;
+ 	}
+ 	if (p == NULL || strlen(p) == 0) {
++		_pam_overwrite(salt);
++		_pam_drop(salt);
+ 		return PAM_AUTHTOK_ERR;
+ 	}
+ 
+@@ -212,11 +214,13 @@
+ 	retval = PAM_AUTH_ERR;
+ 	if (!strncmp(salt, "$1$", 3)) {
+ 		pp = Goodcrypt_md5(p, salt);
+-		if (strcmp(pp, salt) == 0) {
++		if (pp && strcmp(pp, salt) == 0) {
+ 			retval = PAM_SUCCESS;
+ 		} else {
++			_pam_overwrite(pp);
++			_pam_drop(pp);
+ 			pp = Brokencrypt_md5(p, salt);
+-			if (strcmp(pp, salt) == 0)
++			if (pp && strcmp(pp, salt) == 0)
+ 				retval = PAM_SUCCESS;
+ 		}
+ 	} else if (*salt == '$') {
+@@ -225,10 +229,10 @@
+ 		 * libcrypt nows about it? We should try it.
+ 		 */
+ 	        pp = x_strdup (crypt(p, salt));
+-		if (strcmp(pp, salt) == 0) {
++		if (pp && strcmp(pp, salt) == 0) {
+ 			retval = PAM_SUCCESS;
+ 		}
+-	} else if ((*salt == '*') || (salt_len < 13)) {
++	} else if (*salt == '*' || *salt == '!' || salt_len < 13) {
+ 	    retval = PAM_AUTH_ERR;
+ 	} else {
+ 		pp = bigcrypt(p, salt);
+@@ -239,24 +243,21 @@
+ 		 * have been truncated for storage relative to the output
+ 		 * of bigcrypt here. As such we need to compare only the
+ 		 * stored string with the subset of bigcrypt's result.
+-		 * Bug 521314: the strncmp comparison is for legacy support.
++		 * Bug 521314.
+ 		 */
+-		if (strncmp(pp, salt, salt_len) == 0) {
++		if (pp && salt_len == 13 && strlen(pp) > salt_len) {
++		    _pam_overwrite(pp+salt_len);
++		}
++		
++		if (pp && strcmp(pp, salt) == 0) {
+ 			retval = PAM_SUCCESS;
+ 		}
+ 	}
+ 	p = NULL;		/* no longer needed here */
+ 
+ 	/* clean up */
+-	{
+-		char *tp = pp;
+-		if (pp != NULL) {
+-			while (tp && *tp)
+-				*tp++ = '\0';
+-			free(pp);
+-		}
+-		pp = tp = NULL;
+-	}
++	_pam_overwrite(pp);
++	_pam_drop(pp);
+ 
+ 	return retval;
+ }

pam.spec

@@ -11,7 +11,7 @@
 Summary: A security tool which provides authentication for applications
 Name: pam
 Version: 0.99.7.1
-Release: 2%{?dist}
+Release: 3%{?dist}
 License: GPL or BSD
 Group: System Environment/Base
 Source0: http://ftp.us.kernel.org/pub/linux/libs/pam/pre/library/Linux-PAM-%{version}.tar.bz2
@@ -27,6 +27,8 @@ Source10: config-util.5
 Patch1:  pam-0.99.7.0-redhat-modules.patch
 Patch2:  pam-0.99.7.1-console-more-displays.patch
 Patch21: pam-0.78-unix-hpux-aging.patch
+Patch22: pam-0.99.7.1-unix-allow-pwmodify.patch
+Patch23: pam-0.99.7.1-unix-bigcrypt.patch
 Patch34: pam-0.99.7.0-dbpam.patch
 Patch70: pam-0.99.2.1-selinux-nofail.patch
 Patch80: pam-0.99.6.2-selinux-drop-multiple.patch
@@ -94,6 +96,8 @@ cp %{SOURCE7} .
 %patch1 -p1 -b .redhat-modules
 %patch2 -p1 -b .displays
 %patch21 -p1 -b .unix-hpux-aging
+%patch22 -p1 -b .pwmodify
+%patch23 -p1 -b .bigcrypt
 %patch34 -p1 -b .dbpam
 %patch70 -p1 -b .nofail
 %patch80 -p1 -b .drop-multiple
@@ -106,6 +110,7 @@ cp %{SOURCE7} .
 %patch93 -p1 -b .level
 %patch94 -p1 -b .unmnt-override
 %patch95 -p1 -b .range
+
 autoreconf
 
 %build
@@ -397,6 +402,11 @@ fi
 %doc doc/adg/*.txt doc/adg/html
 
 %changelog
+* Wed Feb 21 2007 Tomas Mraz <tmraz@redhat.com> 0.99.7.1-3
+- correctly relabel tty in the default case (#229542)
+- pam_unix: cleanup of bigcrypt support
+- pam_unix: allow modification of '*' passwords to root
+
 * Tue Feb  6 2007 Tomas Mraz <tmraz@redhat.com> 0.99.7.1-2
 - more X displays as consoles (#227462)