- correctly relabel tty in the default case (#229542)

- pam_unix: cleanup of bigcrypt support
- pam_unix: allow modification of '*' passwords to root
Tomáš Mráz 2007-02-21 20:32:28 +00:00
parent 504a3315ce
commit 71ab958a92
4 changed files with 168 additions and 14 deletions


@ -1,5 +1,5 @@
--- Linux-PAM-0.99.6.2/modules/pam_selinux/pam_selinux.8.xml.select-context 2006-12-27 10:59:06.000000000 -0500 --- Linux-PAM-0.99.6.2/modules/pam_selinux/pam_selinux.8.xml.select-context 2007-02-21 20:38:10.000000000 +0100
+++ Linux-PAM-0.99.6.2/modules/pam_selinux/pam_selinux.8.xml 2006-12-27 10:59:06.000000000 -0500 +++ Linux-PAM-0.99.6.2/modules/pam_selinux/pam_selinux.8.xml 2007-02-21 20:38:11.000000000 +0100
@@ -33,6 +33,9 @@ @@ -33,6 +33,9 @@
<arg choice="opt"> <arg choice="opt">
verbose verbose
@ -28,8 +28,8 @@
</variablelist> </variablelist>
</refsect1> </refsect1>
--- Linux-PAM-0.99.6.2/modules/pam_selinux/pam_selinux.c.select-context 2006-12-27 10:59:06.000000000 -0500 --- Linux-PAM-0.99.6.2/modules/pam_selinux/pam_selinux.c.select-context 2007-02-21 20:38:10.000000000 +0100
+++ Linux-PAM-0.99.6.2/modules/pam_selinux/pam_selinux.c 2007-01-03 16:06:21.000000000 -0500 +++ Linux-PAM-0.99.6.2/modules/pam_selinux/pam_selinux.c 2007-02-21 20:44:01.000000000 +0100
@@ -63,9 +63,64 @@ @@ -63,9 +63,64 @@
#include <selinux/selinux.h> #include <selinux/selinux.h>
#include <selinux/get_context_list.h> #include <selinux/get_context_list.h>
@ -360,7 +360,7 @@
username == NULL) { username == NULL) {
return PAM_USER_UNKNOWN; return PAM_USER_UNKNOWN;
} }
@@ -319,19 +485,38 @@ @@ -319,19 +485,39 @@
&contextlist); &contextlist);
if (debug) if (debug)
pam_syslog(pamh, LOG_DEBUG, "Username= %s SELinux User = %s Level= %s", pam_syslog(pamh, LOG_DEBUG, "Username= %s SELinux User = %s Level= %s",
@ -378,6 +378,7 @@
+ pam_syslog(pamh, LOG_ERR, _("Out of memory")); + pam_syslog(pamh, LOG_ERR, _("Out of memory"));
+ return PAM_AUTH_ERR; + return PAM_AUTH_ERR;
+ } + }
+ user_context = default_user_context;
+ if (select_context && has_tty) { + if (select_context && has_tty) {
+ user_context = config_context(pamh, default_user_context, debug); + user_context = config_context(pamh, default_user_context, debug);
+ if (user_context == NULL) { + if (user_context == NULL) {
@ -404,7 +405,7 @@
if (security_getenforce() == 1) if (security_getenforce() == 1)
return PAM_AUTH_ERR; return PAM_AUTH_ERR;
else else
@@ -340,7 +525,7 @@ @@ -340,7 +526,7 @@
} else { } else {
pam_syslog (pamh, LOG_ERR, pam_syslog (pamh, LOG_ERR,
"Unable to get valid context for %s, No valid tty", "Unable to get valid context for %s, No valid tty",
@ -413,17 +414,18 @@
if (security_getenforce() == 1) if (security_getenforce() == 1)
return PAM_AUTH_ERR; return PAM_AUTH_ERR;
else else
@@ -371,6 +556,9 @@ @@ -371,6 +557,10 @@
ttyn=strdup(tty); ttyn=strdup(tty);
ttyn_context=security_label_tty(pamh,ttyn,user_context); ttyn_context=security_label_tty(pamh,ttyn,user_context);
} }
+ send_audit_message(pamh, 1, default_user_context, user_context); + send_audit_message(pamh, 1, default_user_context, user_context);
+ freecon(default_user_context); + if (default_user_context != user_context) {
+ + freecon(default_user_context);
+ }
ret = setexeccon(user_context); ret = setexeccon(user_context);
if (ret==0 && verbose) { if (ret==0 && verbose) {
char msg[PATH_MAX]; char msg[PATH_MAX];
@@ -381,7 +569,7 @@ @@ -381,7 +571,7 @@
if (ret) { if (ret) {
pam_syslog(pamh, LOG_ERR, pam_syslog(pamh, LOG_ERR,
"Error! Unable to set %s executable context %s.", "Error! Unable to set %s executable context %s.",
@ -432,7 +434,7 @@
if (security_getenforce() == 1) { if (security_getenforce() == 1) {
freecon(user_context); freecon(user_context);
return PAM_AUTH_ERR; return PAM_AUTH_ERR;
@@ -389,7 +577,7 @@ @@ -389,7 +579,7 @@
} else { } else {
if (debug) if (debug)
pam_syslog(pamh, LOG_NOTICE, "set %s security context to %s", pam_syslog(pamh, LOG_NOTICE, "set %s security context to %s",
@ -441,7 +443,7 @@
} }
#ifdef HAVE_SETKEYCREATECON #ifdef HAVE_SETKEYCREATECON
ret = setkeycreatecon(user_context); ret = setkeycreatecon(user_context);
@@ -402,7 +590,7 @@ @@ -402,7 +592,7 @@
if (ret) { if (ret) {
pam_syslog(pamh, LOG_ERR, pam_syslog(pamh, LOG_ERR,
"Error! Unable to set %s key creation context %s.", "Error! Unable to set %s key creation context %s.",
@ -450,7 +452,7 @@
if (security_getenforce() == 1) { if (security_getenforce() == 1) {
freecon(user_context); freecon(user_context);
return PAM_AUTH_ERR; return PAM_AUTH_ERR;
@@ -410,7 +598,7 @@ @@ -410,7 +600,7 @@
} else { } else {
if (debug) if (debug)
pam_syslog(pamh, LOG_NOTICE, "set %s key creation context to %s", pam_syslog(pamh, LOG_NOTICE, "set %s key creation context to %s",
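Review bot: With `user_context = default_user_context;` added ahead of the `if (select_context && has_tty)` block, the two pointers alias whenever config_context() is not reached, and the only thing standing between that and a double free is the new `if (default_user_context != user_context)` guard in front of `setexeccon`; that invariant deserves a comment at the assignment, e.g. `/* user_context aliases default_user_context unless config_context() replaces it; each context must be freed exactly once below */`. The permissive-mode `else` branches after the `security_getenforce() == 1` checks are outside the shown lines, so it is not visible what user_context holds when config_context() returns NULL; if it can stay NULL there, `freecon(default_user_context)` runs and `setexeccon(NULL)` follows, which is worth confirming against the full function. The enclosing function starts and ends outside the hunk.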


@ -0,0 +1,16 @@
--- Linux-PAM-0.99.7.1/modules/pam_unix/pam_unix_passwd.c.pwmodify 2006-12-20 12:08:59.000000000 +0100
+++ Linux-PAM-0.99.7.1/modules/pam_unix/pam_unix_passwd.c 2007-02-21 21:01:48.000000000 +0100
@@ -1077,13 +1077,6 @@
user);
return PAM_USER_UNKNOWN;
}
- if (!_unix_shadowed(pwd) &&
- (strchr(pwd->pw_passwd, '*') != NULL)) {
- pam_syslog(pamh, LOG_DEBUG,
- "user \"%s\" does not have modifiable password",
- user);
- return PAM_USER_UNKNOWN;
- }
}
/*
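Review bot: The removed `!_unix_shadowed(pwd) && strchr(pwd->pw_passwd, '*')` test was the only place this code declined to touch a non-shadowed password field containing `*`, and the new patch file carries no header explaining why that refusal is now safe to drop. The closing `}` right after the removed block shows the check sits inside a branch the hunk does not reproduce; the change description limits the relaxation to root, so confirm that enclosing branch is the root-only path and that the unprivileged path still rejects such entries. A short description at the top of the patch file, naming the bug or rationale and stating that the removed check was reachable only as root, would let the next maintainer judge the change without re-reading pam_unix_passwd.c. The enclosing function extends beyond the hunk on both sides.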


@ -0,0 +1,126 @@
--- Linux-PAM-0.99.7.1/modules/pam_unix/support.c.bigcrypt 2007-02-21 20:30:24.000000000 +0100
+++ Linux-PAM-0.99.7.1/modules/pam_unix/support.c 2007-02-21 21:17:29.000000000 +0100
@@ -694,7 +694,7 @@
}
}
} else {
- int salt_len;
+ size_t salt_len;
strip_hpux_aging(salt);
salt_len = strlen(salt);
if (!salt_len) {
@@ -706,19 +706,19 @@
D(("user has empty password - access denied"));
retval = PAM_AUTH_ERR;
}
- } else if (!p || (*salt == '*')) {
+ } else if (!p || *salt == '*' || *salt == '!') {
retval = PAM_AUTH_ERR;
} else {
if (!strncmp(salt, "$1$", 3)) {
pp = Goodcrypt_md5(p, salt);
- if (strcmp(pp, salt) != 0) {
+ if (pp && strcmp(pp, salt) != 0) {
_pam_delete(pp);
pp = Brokencrypt_md5(p, salt);
}
} else if (*salt != '$' && salt_len >= 13) {
pp = bigcrypt(p, salt);
- if (strlen(pp) > salt_len) {
- pp[salt_len] = '\0';
+ if (pp && salt_len == 13 && strlen(pp) > salt_len) {
+ _pam_overwrite(pp + salt_len);
}
} else {
/*
@@ -732,7 +732,7 @@
/* the moment of truth -- do we agree with the password? */
D(("comparing state of pp[%s] and salt[%s]", pp, salt));
- if (strcmp(pp, salt) == 0) {
+ if (pp && strcmp(pp, salt) == 0) {
retval = PAM_SUCCESS;
} else {
retval = PAM_AUTH_ERR;
--- Linux-PAM-0.99.7.1/modules/pam_unix/unix_chkpwd.c.bigcrypt 2007-02-21 20:30:24.000000000 +0100
+++ Linux-PAM-0.99.7.1/modules/pam_unix/unix_chkpwd.c 2007-02-21 21:18:57.000000000 +0100
@@ -159,7 +159,7 @@
char *salt = NULL;
char *pp = NULL;
int retval = PAM_AUTH_ERR;
- int salt_len;
+ size_t salt_len;
/* UNIX passwords area */
setpwent();
@@ -205,6 +205,8 @@
return (nullok == 0) ? PAM_AUTH_ERR : PAM_SUCCESS;
}
if (p == NULL || strlen(p) == 0) {
+ _pam_overwrite(salt);
+ _pam_drop(salt);
return PAM_AUTHTOK_ERR;
}
@@ -212,11 +214,13 @@
retval = PAM_AUTH_ERR;
if (!strncmp(salt, "$1$", 3)) {
pp = Goodcrypt_md5(p, salt);
- if (strcmp(pp, salt) == 0) {
+ if (pp && strcmp(pp, salt) == 0) {
retval = PAM_SUCCESS;
} else {
+ _pam_overwrite(pp);
+ _pam_drop(pp);
pp = Brokencrypt_md5(p, salt);
- if (strcmp(pp, salt) == 0)
+ if (pp && strcmp(pp, salt) == 0)
retval = PAM_SUCCESS;
}
} else if (*salt == '$') {
@@ -225,10 +229,10 @@
* libcrypt nows about it? We should try it.
*/
pp = x_strdup (crypt(p, salt));
- if (strcmp(pp, salt) == 0) {
+ if (pp && strcmp(pp, salt) == 0) {
retval = PAM_SUCCESS;
}
- } else if ((*salt == '*') || (salt_len < 13)) {
+ } else if (*salt == '*' || *salt == '!' || salt_len < 13) {
retval = PAM_AUTH_ERR;
} else {
pp = bigcrypt(p, salt);
@@ -239,24 +243,21 @@
* have been truncated for storage relative to the output
* of bigcrypt here. As such we need to compare only the
* stored string with the subset of bigcrypt's result.
- * Bug 521314: the strncmp comparison is for legacy support.
+ * Bug 521314.
*/
- if (strncmp(pp, salt, salt_len) == 0) {
+ if (pp && salt_len == 13 && strlen(pp) > salt_len) {
+ _pam_overwrite(pp+salt_len);
+ }
+
+ if (pp && strcmp(pp, salt) == 0) {
retval = PAM_SUCCESS;
}
}
p = NULL; /* no longer needed here */
/* clean up */
- {
- char *tp = pp;
- if (pp != NULL) {
- while (tp && *tp)
- *tp++ = '\0';
- free(pp);
- }
- pp = tp = NULL;
- }
+ _pam_overwrite(pp);
+ _pam_drop(pp);
return retval;
}
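Review bot: The shortened comment ending `* Bug 521314.` at the top of the last unix_chkpwd.c hunk no longer describes the code under it: the new `pp && salt_len == 13 && strlen(pp) > salt_len` condition truncates bigcrypt's output only when the stored hash is 13 characters long, and longer stored hashes must now match in full, whereas the comment still speaks generally of comparing "the subset of bigcrypt's result". Suggest replacing its last two lines with `* Only a 13-character (traditional crypt) stored hash is compared against the first 13 characters of bigcrypt's output; longer stored hashes must match the full result. Bug 521314.`, and the identical truncation in support.c (`_pam_overwrite(pp + salt_len)`) has no comment at all and would benefit from the same sentence. The new `_pam_overwrite(pp); _pam_drop(pp);` before the Brokencrypt_md5 retry and the `_pam_overwrite(salt)` cleanup rely on both macros tolerating a NULL argument, and `pp && strcmp(...)` after `pp = x_strdup (crypt(p, salt));` relies on x_strdup passing a NULL through rather than dereferencing it; neither the macros nor x_strdup are visible here, so confirm both before relying on the added `pp &&` guards. The enclosing functions start outside the hunks.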


@ -11,7 +11,7 @@
Summary: A security tool which provides authentication for applications Summary: A security tool which provides authentication for applications
Name: pam Name: pam
Version: 0.99.7.1 Version: 0.99.7.1
Release: 2%{?dist} Release: 3%{?dist}
License: GPL or BSD License: GPL or BSD
Group: System Environment/Base Group: System Environment/Base
Source0: http://ftp.us.kernel.org/pub/linux/libs/pam/pre/library/Linux-PAM-%{version}.tar.bz2 Source0: http://ftp.us.kernel.org/pub/linux/libs/pam/pre/library/Linux-PAM-%{version}.tar.bz2
@ -27,6 +27,8 @@ Source10: config-util.5
Patch1: pam-0.99.7.0-redhat-modules.patch Patch1: pam-0.99.7.0-redhat-modules.patch
Patch2: pam-0.99.7.1-console-more-displays.patch Patch2: pam-0.99.7.1-console-more-displays.patch
Patch21: pam-0.78-unix-hpux-aging.patch Patch21: pam-0.78-unix-hpux-aging.patch
Patch22: pam-0.99.7.1-unix-allow-pwmodify.patch
Patch23: pam-0.99.7.1-unix-bigcrypt.patch
Patch34: pam-0.99.7.0-dbpam.patch Patch34: pam-0.99.7.0-dbpam.patch
Patch70: pam-0.99.2.1-selinux-nofail.patch Patch70: pam-0.99.2.1-selinux-nofail.patch
Patch80: pam-0.99.6.2-selinux-drop-multiple.patch Patch80: pam-0.99.6.2-selinux-drop-multiple.patch
@ -94,6 +96,8 @@ cp %{SOURCE7} .
%patch1 -p1 -b .redhat-modules %patch1 -p1 -b .redhat-modules
%patch2 -p1 -b .displays %patch2 -p1 -b .displays
%patch21 -p1 -b .unix-hpux-aging %patch21 -p1 -b .unix-hpux-aging
%patch22 -p1 -b .pwmodify
%patch23 -p1 -b .bigcrypt
%patch34 -p1 -b .dbpam %patch34 -p1 -b .dbpam
%patch70 -p1 -b .nofail %patch70 -p1 -b .nofail
%patch80 -p1 -b .drop-multiple %patch80 -p1 -b .drop-multiple
@ -106,6 +110,7 @@ cp %{SOURCE7} .
%patch93 -p1 -b .level %patch93 -p1 -b .level
%patch94 -p1 -b .unmnt-override %patch94 -p1 -b .unmnt-override
%patch95 -p1 -b .range %patch95 -p1 -b .range
autoreconf autoreconf
%build %build
@ -397,6 +402,11 @@ fi
%doc doc/adg/*.txt doc/adg/html %doc doc/adg/*.txt doc/adg/html
%changelog %changelog
* Wed Feb 21 2007 Tomas Mraz <tmraz@redhat.com> 0.99.7.1-3
- correctly relabel tty in the default case (#229542)
- pam_unix: cleanup of bigcrypt support
- pam_unix: allow modification of '*' passwords to root
* Tue Feb 6 2007 Tomas Mraz <tmraz@redhat.com> 0.99.7.1-2 * Tue Feb 6 2007 Tomas Mraz <tmraz@redhat.com> 0.99.7.1-2
- more X displays as consoles (#227462) - more X displays as consoles (#227462)