- correctly relabel tty in the default case (#229542)
- pam_unix: cleanup of bigcrypt support - pam_unix: allow modification of '*' passwords to root
This commit is contained in:
parent
504a3315ce
commit
71ab958a92
@ -1,5 +1,5 @@
|
|||||||
--- Linux-PAM-0.99.6.2/modules/pam_selinux/pam_selinux.8.xml.select-context 2006-12-27 10:59:06.000000000 -0500
|
--- Linux-PAM-0.99.6.2/modules/pam_selinux/pam_selinux.8.xml.select-context 2007-02-21 20:38:10.000000000 +0100
|
||||||
+++ Linux-PAM-0.99.6.2/modules/pam_selinux/pam_selinux.8.xml 2006-12-27 10:59:06.000000000 -0500
|
+++ Linux-PAM-0.99.6.2/modules/pam_selinux/pam_selinux.8.xml 2007-02-21 20:38:11.000000000 +0100
|
||||||
@@ -33,6 +33,9 @@
|
@@ -33,6 +33,9 @@
|
||||||
<arg choice="opt">
|
<arg choice="opt">
|
||||||
verbose
|
verbose
|
||||||
@ -28,8 +28,8 @@
|
|||||||
</variablelist>
|
</variablelist>
|
||||||
</refsect1>
|
</refsect1>
|
||||||
|
|
||||||
--- Linux-PAM-0.99.6.2/modules/pam_selinux/pam_selinux.c.select-context 2006-12-27 10:59:06.000000000 -0500
|
--- Linux-PAM-0.99.6.2/modules/pam_selinux/pam_selinux.c.select-context 2007-02-21 20:38:10.000000000 +0100
|
||||||
+++ Linux-PAM-0.99.6.2/modules/pam_selinux/pam_selinux.c 2007-01-03 16:06:21.000000000 -0500
|
+++ Linux-PAM-0.99.6.2/modules/pam_selinux/pam_selinux.c 2007-02-21 20:44:01.000000000 +0100
|
||||||
@@ -63,9 +63,64 @@
|
@@ -63,9 +63,64 @@
|
||||||
#include <selinux/selinux.h>
|
#include <selinux/selinux.h>
|
||||||
#include <selinux/get_context_list.h>
|
#include <selinux/get_context_list.h>
|
||||||
@ -360,7 +360,7 @@
|
|||||||
username == NULL) {
|
username == NULL) {
|
||||||
return PAM_USER_UNKNOWN;
|
return PAM_USER_UNKNOWN;
|
||||||
}
|
}
|
||||||
@@ -319,19 +485,38 @@
|
@@ -319,19 +485,39 @@
|
||||||
&contextlist);
|
&contextlist);
|
||||||
if (debug)
|
if (debug)
|
||||||
pam_syslog(pamh, LOG_DEBUG, "Username= %s SELinux User = %s Level= %s",
|
pam_syslog(pamh, LOG_DEBUG, "Username= %s SELinux User = %s Level= %s",
|
||||||
@ -378,6 +378,7 @@
|
|||||||
+ pam_syslog(pamh, LOG_ERR, _("Out of memory"));
|
+ pam_syslog(pamh, LOG_ERR, _("Out of memory"));
|
||||||
+ return PAM_AUTH_ERR;
|
+ return PAM_AUTH_ERR;
|
||||||
+ }
|
+ }
|
||||||
|
+ user_context = default_user_context;
|
||||||
+ if (select_context && has_tty) {
|
+ if (select_context && has_tty) {
|
||||||
+ user_context = config_context(pamh, default_user_context, debug);
|
+ user_context = config_context(pamh, default_user_context, debug);
|
||||||
+ if (user_context == NULL) {
|
+ if (user_context == NULL) {
|
||||||
@ -404,7 +405,7 @@
|
|||||||
if (security_getenforce() == 1)
|
if (security_getenforce() == 1)
|
||||||
return PAM_AUTH_ERR;
|
return PAM_AUTH_ERR;
|
||||||
else
|
else
|
||||||
@@ -340,7 +525,7 @@
|
@@ -340,7 +526,7 @@
|
||||||
} else {
|
} else {
|
||||||
pam_syslog (pamh, LOG_ERR,
|
pam_syslog (pamh, LOG_ERR,
|
||||||
"Unable to get valid context for %s, No valid tty",
|
"Unable to get valid context for %s, No valid tty",
|
||||||
@ -413,17 +414,18 @@
|
|||||||
if (security_getenforce() == 1)
|
if (security_getenforce() == 1)
|
||||||
return PAM_AUTH_ERR;
|
return PAM_AUTH_ERR;
|
||||||
else
|
else
|
||||||
@@ -371,6 +556,9 @@
|
@@ -371,6 +557,10 @@
|
||||||
ttyn=strdup(tty);
|
ttyn=strdup(tty);
|
||||||
ttyn_context=security_label_tty(pamh,ttyn,user_context);
|
ttyn_context=security_label_tty(pamh,ttyn,user_context);
|
||||||
}
|
}
|
||||||
+ send_audit_message(pamh, 1, default_user_context, user_context);
|
+ send_audit_message(pamh, 1, default_user_context, user_context);
|
||||||
+ freecon(default_user_context);
|
+ if (default_user_context != user_context) {
|
||||||
+
|
+ freecon(default_user_context);
|
||||||
|
+ }
|
||||||
ret = setexeccon(user_context);
|
ret = setexeccon(user_context);
|
||||||
if (ret==0 && verbose) {
|
if (ret==0 && verbose) {
|
||||||
char msg[PATH_MAX];
|
char msg[PATH_MAX];
|
||||||
@@ -381,7 +569,7 @@
|
@@ -381,7 +571,7 @@
|
||||||
if (ret) {
|
if (ret) {
|
||||||
pam_syslog(pamh, LOG_ERR,
|
pam_syslog(pamh, LOG_ERR,
|
||||||
"Error! Unable to set %s executable context %s.",
|
"Error! Unable to set %s executable context %s.",
|
||||||
@ -432,7 +434,7 @@
|
|||||||
if (security_getenforce() == 1) {
|
if (security_getenforce() == 1) {
|
||||||
freecon(user_context);
|
freecon(user_context);
|
||||||
return PAM_AUTH_ERR;
|
return PAM_AUTH_ERR;
|
||||||
@@ -389,7 +577,7 @@
|
@@ -389,7 +579,7 @@
|
||||||
} else {
|
} else {
|
||||||
if (debug)
|
if (debug)
|
||||||
pam_syslog(pamh, LOG_NOTICE, "set %s security context to %s",
|
pam_syslog(pamh, LOG_NOTICE, "set %s security context to %s",
|
||||||
@ -441,7 +443,7 @@
|
|||||||
}
|
}
|
||||||
#ifdef HAVE_SETKEYCREATECON
|
#ifdef HAVE_SETKEYCREATECON
|
||||||
ret = setkeycreatecon(user_context);
|
ret = setkeycreatecon(user_context);
|
||||||
@@ -402,7 +590,7 @@
|
@@ -402,7 +592,7 @@
|
||||||
if (ret) {
|
if (ret) {
|
||||||
pam_syslog(pamh, LOG_ERR,
|
pam_syslog(pamh, LOG_ERR,
|
||||||
"Error! Unable to set %s key creation context %s.",
|
"Error! Unable to set %s key creation context %s.",
|
||||||
@ -450,7 +452,7 @@
|
|||||||
if (security_getenforce() == 1) {
|
if (security_getenforce() == 1) {
|
||||||
freecon(user_context);
|
freecon(user_context);
|
||||||
return PAM_AUTH_ERR;
|
return PAM_AUTH_ERR;
|
||||||
@@ -410,7 +598,7 @@
|
@@ -410,7 +600,7 @@
|
||||||
} else {
|
} else {
|
||||||
if (debug)
|
if (debug)
|
||||||
pam_syslog(pamh, LOG_NOTICE, "set %s key creation context to %s",
|
pam_syslog(pamh, LOG_NOTICE, "set %s key creation context to %s",
|
||||||
|
16
pam-0.99.7.1-unix-allow-pwmodify.patch
Normal file
16
pam-0.99.7.1-unix-allow-pwmodify.patch
Normal file
@ -0,0 +1,16 @@
|
|||||||
|
--- Linux-PAM-0.99.7.1/modules/pam_unix/pam_unix_passwd.c.pwmodify 2006-12-20 12:08:59.000000000 +0100
|
||||||
|
+++ Linux-PAM-0.99.7.1/modules/pam_unix/pam_unix_passwd.c 2007-02-21 21:01:48.000000000 +0100
|
||||||
|
@@ -1077,13 +1077,6 @@
|
||||||
|
user);
|
||||||
|
return PAM_USER_UNKNOWN;
|
||||||
|
}
|
||||||
|
- if (!_unix_shadowed(pwd) &&
|
||||||
|
- (strchr(pwd->pw_passwd, '*') != NULL)) {
|
||||||
|
- pam_syslog(pamh, LOG_DEBUG,
|
||||||
|
- "user \"%s\" does not have modifiable password",
|
||||||
|
- user);
|
||||||
|
- return PAM_USER_UNKNOWN;
|
||||||
|
- }
|
||||||
|
}
|
||||||
|
|
||||||
|
/*
|
126
pam-0.99.7.1-unix-bigcrypt.patch
Normal file
126
pam-0.99.7.1-unix-bigcrypt.patch
Normal file
@ -0,0 +1,126 @@
|
|||||||
|
--- Linux-PAM-0.99.7.1/modules/pam_unix/support.c.bigcrypt 2007-02-21 20:30:24.000000000 +0100
|
||||||
|
+++ Linux-PAM-0.99.7.1/modules/pam_unix/support.c 2007-02-21 21:17:29.000000000 +0100
|
||||||
|
@@ -694,7 +694,7 @@
|
||||||
|
}
|
||||||
|
}
|
||||||
|
} else {
|
||||||
|
- int salt_len;
|
||||||
|
+ size_t salt_len;
|
||||||
|
strip_hpux_aging(salt);
|
||||||
|
salt_len = strlen(salt);
|
||||||
|
if (!salt_len) {
|
||||||
|
@@ -706,19 +706,19 @@
|
||||||
|
D(("user has empty password - access denied"));
|
||||||
|
retval = PAM_AUTH_ERR;
|
||||||
|
}
|
||||||
|
- } else if (!p || (*salt == '*')) {
|
||||||
|
+ } else if (!p || *salt == '*' || *salt == '!') {
|
||||||
|
retval = PAM_AUTH_ERR;
|
||||||
|
} else {
|
||||||
|
if (!strncmp(salt, "$1$", 3)) {
|
||||||
|
pp = Goodcrypt_md5(p, salt);
|
||||||
|
- if (strcmp(pp, salt) != 0) {
|
||||||
|
+ if (pp && strcmp(pp, salt) != 0) {
|
||||||
|
_pam_delete(pp);
|
||||||
|
pp = Brokencrypt_md5(p, salt);
|
||||||
|
}
|
||||||
|
} else if (*salt != '$' && salt_len >= 13) {
|
||||||
|
pp = bigcrypt(p, salt);
|
||||||
|
- if (strlen(pp) > salt_len) {
|
||||||
|
- pp[salt_len] = '\0';
|
||||||
|
+ if (pp && salt_len == 13 && strlen(pp) > salt_len) {
|
||||||
|
+ _pam_overwrite(pp + salt_len);
|
||||||
|
}
|
||||||
|
} else {
|
||||||
|
/*
|
||||||
|
@@ -732,7 +732,7 @@
|
||||||
|
/* the moment of truth -- do we agree with the password? */
|
||||||
|
D(("comparing state of pp[%s] and salt[%s]", pp, salt));
|
||||||
|
|
||||||
|
- if (strcmp(pp, salt) == 0) {
|
||||||
|
+ if (pp && strcmp(pp, salt) == 0) {
|
||||||
|
retval = PAM_SUCCESS;
|
||||||
|
} else {
|
||||||
|
retval = PAM_AUTH_ERR;
|
||||||
|
--- Linux-PAM-0.99.7.1/modules/pam_unix/unix_chkpwd.c.bigcrypt 2007-02-21 20:30:24.000000000 +0100
|
||||||
|
+++ Linux-PAM-0.99.7.1/modules/pam_unix/unix_chkpwd.c 2007-02-21 21:18:57.000000000 +0100
|
||||||
|
@@ -159,7 +159,7 @@
|
||||||
|
char *salt = NULL;
|
||||||
|
char *pp = NULL;
|
||||||
|
int retval = PAM_AUTH_ERR;
|
||||||
|
- int salt_len;
|
||||||
|
+ size_t salt_len;
|
||||||
|
|
||||||
|
/* UNIX passwords area */
|
||||||
|
setpwent();
|
||||||
|
@@ -205,6 +205,8 @@
|
||||||
|
return (nullok == 0) ? PAM_AUTH_ERR : PAM_SUCCESS;
|
||||||
|
}
|
||||||
|
if (p == NULL || strlen(p) == 0) {
|
||||||
|
+ _pam_overwrite(salt);
|
||||||
|
+ _pam_drop(salt);
|
||||||
|
return PAM_AUTHTOK_ERR;
|
||||||
|
}
|
||||||
|
|
||||||
|
@@ -212,11 +214,13 @@
|
||||||
|
retval = PAM_AUTH_ERR;
|
||||||
|
if (!strncmp(salt, "$1$", 3)) {
|
||||||
|
pp = Goodcrypt_md5(p, salt);
|
||||||
|
- if (strcmp(pp, salt) == 0) {
|
||||||
|
+ if (pp && strcmp(pp, salt) == 0) {
|
||||||
|
retval = PAM_SUCCESS;
|
||||||
|
} else {
|
||||||
|
+ _pam_overwrite(pp);
|
||||||
|
+ _pam_drop(pp);
|
||||||
|
pp = Brokencrypt_md5(p, salt);
|
||||||
|
- if (strcmp(pp, salt) == 0)
|
||||||
|
+ if (pp && strcmp(pp, salt) == 0)
|
||||||
|
retval = PAM_SUCCESS;
|
||||||
|
}
|
||||||
|
} else if (*salt == '$') {
|
||||||
|
@@ -225,10 +229,10 @@
|
||||||
|
* libcrypt nows about it? We should try it.
|
||||||
|
*/
|
||||||
|
pp = x_strdup (crypt(p, salt));
|
||||||
|
- if (strcmp(pp, salt) == 0) {
|
||||||
|
+ if (pp && strcmp(pp, salt) == 0) {
|
||||||
|
retval = PAM_SUCCESS;
|
||||||
|
}
|
||||||
|
- } else if ((*salt == '*') || (salt_len < 13)) {
|
||||||
|
+ } else if (*salt == '*' || *salt == '!' || salt_len < 13) {
|
||||||
|
retval = PAM_AUTH_ERR;
|
||||||
|
} else {
|
||||||
|
pp = bigcrypt(p, salt);
|
||||||
|
@@ -239,24 +243,21 @@
|
||||||
|
* have been truncated for storage relative to the output
|
||||||
|
* of bigcrypt here. As such we need to compare only the
|
||||||
|
* stored string with the subset of bigcrypt's result.
|
||||||
|
- * Bug 521314: the strncmp comparison is for legacy support.
|
||||||
|
+ * Bug 521314.
|
||||||
|
*/
|
||||||
|
- if (strncmp(pp, salt, salt_len) == 0) {
|
||||||
|
+ if (pp && salt_len == 13 && strlen(pp) > salt_len) {
|
||||||
|
+ _pam_overwrite(pp+salt_len);
|
||||||
|
+ }
|
||||||
|
+
|
||||||
|
+ if (pp && strcmp(pp, salt) == 0) {
|
||||||
|
retval = PAM_SUCCESS;
|
||||||
|
}
|
||||||
|
}
|
||||||
|
p = NULL; /* no longer needed here */
|
||||||
|
|
||||||
|
/* clean up */
|
||||||
|
- {
|
||||||
|
- char *tp = pp;
|
||||||
|
- if (pp != NULL) {
|
||||||
|
- while (tp && *tp)
|
||||||
|
- *tp++ = '\0';
|
||||||
|
- free(pp);
|
||||||
|
- }
|
||||||
|
- pp = tp = NULL;
|
||||||
|
- }
|
||||||
|
+ _pam_overwrite(pp);
|
||||||
|
+ _pam_drop(pp);
|
||||||
|
|
||||||
|
return retval;
|
||||||
|
}
|
12
pam.spec
12
pam.spec
@ -11,7 +11,7 @@
|
|||||||
Summary: A security tool which provides authentication for applications
|
Summary: A security tool which provides authentication for applications
|
||||||
Name: pam
|
Name: pam
|
||||||
Version: 0.99.7.1
|
Version: 0.99.7.1
|
||||||
Release: 2%{?dist}
|
Release: 3%{?dist}
|
||||||
License: GPL or BSD
|
License: GPL or BSD
|
||||||
Group: System Environment/Base
|
Group: System Environment/Base
|
||||||
Source0: http://ftp.us.kernel.org/pub/linux/libs/pam/pre/library/Linux-PAM-%{version}.tar.bz2
|
Source0: http://ftp.us.kernel.org/pub/linux/libs/pam/pre/library/Linux-PAM-%{version}.tar.bz2
|
||||||
@ -27,6 +27,8 @@ Source10: config-util.5
|
|||||||
Patch1: pam-0.99.7.0-redhat-modules.patch
|
Patch1: pam-0.99.7.0-redhat-modules.patch
|
||||||
Patch2: pam-0.99.7.1-console-more-displays.patch
|
Patch2: pam-0.99.7.1-console-more-displays.patch
|
||||||
Patch21: pam-0.78-unix-hpux-aging.patch
|
Patch21: pam-0.78-unix-hpux-aging.patch
|
||||||
|
Patch22: pam-0.99.7.1-unix-allow-pwmodify.patch
|
||||||
|
Patch23: pam-0.99.7.1-unix-bigcrypt.patch
|
||||||
Patch34: pam-0.99.7.0-dbpam.patch
|
Patch34: pam-0.99.7.0-dbpam.patch
|
||||||
Patch70: pam-0.99.2.1-selinux-nofail.patch
|
Patch70: pam-0.99.2.1-selinux-nofail.patch
|
||||||
Patch80: pam-0.99.6.2-selinux-drop-multiple.patch
|
Patch80: pam-0.99.6.2-selinux-drop-multiple.patch
|
||||||
@ -94,6 +96,8 @@ cp %{SOURCE7} .
|
|||||||
%patch1 -p1 -b .redhat-modules
|
%patch1 -p1 -b .redhat-modules
|
||||||
%patch2 -p1 -b .displays
|
%patch2 -p1 -b .displays
|
||||||
%patch21 -p1 -b .unix-hpux-aging
|
%patch21 -p1 -b .unix-hpux-aging
|
||||||
|
%patch22 -p1 -b .pwmodify
|
||||||
|
%patch23 -p1 -b .bigcrypt
|
||||||
%patch34 -p1 -b .dbpam
|
%patch34 -p1 -b .dbpam
|
||||||
%patch70 -p1 -b .nofail
|
%patch70 -p1 -b .nofail
|
||||||
%patch80 -p1 -b .drop-multiple
|
%patch80 -p1 -b .drop-multiple
|
||||||
@ -106,6 +110,7 @@ cp %{SOURCE7} .
|
|||||||
%patch93 -p1 -b .level
|
%patch93 -p1 -b .level
|
||||||
%patch94 -p1 -b .unmnt-override
|
%patch94 -p1 -b .unmnt-override
|
||||||
%patch95 -p1 -b .range
|
%patch95 -p1 -b .range
|
||||||
|
|
||||||
autoreconf
|
autoreconf
|
||||||
|
|
||||||
%build
|
%build
|
||||||
@ -397,6 +402,11 @@ fi
|
|||||||
%doc doc/adg/*.txt doc/adg/html
|
%doc doc/adg/*.txt doc/adg/html
|
||||||
|
|
||||||
%changelog
|
%changelog
|
||||||
|
* Wed Feb 21 2007 Tomas Mraz <tmraz@redhat.com> 0.99.7.1-3
|
||||||
|
- correctly relabel tty in the default case (#229542)
|
||||||
|
- pam_unix: cleanup of bigcrypt support
|
||||||
|
- pam_unix: allow modification of '*' passwords to root
|
||||||
|
|
||||||
* Tue Feb 6 2007 Tomas Mraz <tmraz@redhat.com> 0.99.7.1-2
|
* Tue Feb 6 2007 Tomas Mraz <tmraz@redhat.com> 0.99.7.1-2
|
||||||
- more X displays as consoles (#227462)
|
- more X displays as consoles (#227462)
|
||||||
|
|
||||||
|
Loading…
Reference in New Issue
Block a user