- correctly relabel tty in the default case (#229542)

- pam_unix: cleanup of bigcrypt support - pam_unix: allow modification of '*' passwords to root
2007-02-21 20:32:28 +00:00 · 2007-02-21 20:32:28 +00:00 · 71ab958a92
commit 71ab958a92
parent 504a3315ce
4 changed files with 168 additions and 14 deletions
--- a/pam-0.99.6.2-selinux-select-context.patch
+++ b/pam-0.99.6.2-selinux-select-context.patch
@ -1,5 +1,5 @@
--- Linux-PAM-0.99.6.2/modules/pam_selinux/pam_selinux.8.xml.select-context	2006-12-27 10:59:06.000000000 -0500
-+++ Linux-PAM-0.99.6.2/modules/pam_selinux/pam_selinux.8.xml	2006-12-27 10:59:06.000000000 -0500
+--- Linux-PAM-0.99.6.2/modules/pam_selinux/pam_selinux.8.xml.select-context	2007-02-21 20:38:10.000000000 +0100
+++ Linux-PAM-0.99.6.2/modules/pam_selinux/pam_selinux.8.xml	2007-02-21 20:38:11.000000000 +0100
@@ -33,6 +33,9 @@
       <arg choice="opt">
 	verbose
@ -28,8 +28,8 @@
     </variablelist>
   </refsect1>
 
--- Linux-PAM-0.99.6.2/modules/pam_selinux/pam_selinux.c.select-context	2006-12-27 10:59:06.000000000 -0500
-+++ Linux-PAM-0.99.6.2/modules/pam_selinux/pam_selinux.c	2007-01-03 16:06:21.000000000 -0500
+--- Linux-PAM-0.99.6.2/modules/pam_selinux/pam_selinux.c.select-context	2007-02-21 20:38:10.000000000 +0100
+++ Linux-PAM-0.99.6.2/modules/pam_selinux/pam_selinux.c	2007-02-21 20:44:01.000000000 +0100
@@ -63,9 +63,64 @@
 #include <selinux/selinux.h>
 #include <selinux/get_context_list.h>
@ -360,7 +360,7 @@
                    username == NULL) {
     return PAM_USER_UNKNOWN;
   }
-@@ -319,19 +485,38 @@
+@@ -319,19 +485,39 @@
 							     &contextlist);
 	  if (debug)
 		  pam_syslog(pamh, LOG_DEBUG, "Username= %s SELinux User = %s Level= %s",
@ -378,6 +378,7 @@
 +	  pam_syslog(pamh, LOG_ERR, _("Out of memory"));
 +          return PAM_AUTH_ERR;
 +    }
+    user_context = default_user_context;
 +    if (select_context && has_tty) {
 +      user_context = config_context(pamh, default_user_context, debug);
 +      if (user_context == NULL) {
@ -404,7 +405,7 @@
         if (security_getenforce() == 1)
           return PAM_AUTH_ERR;
         else
-@@ -340,7 +525,7 @@
+@@ -340,7 +526,7 @@
     } else {
         pam_syslog (pamh, LOG_ERR,
 		    "Unable to get valid context for %s, No valid tty",
@ -413,17 +414,18 @@
         if (security_getenforce() == 1)
           return PAM_AUTH_ERR;
         else
-@@ -371,6 +556,9 @@
+@@ -371,6 +557,10 @@
     ttyn=strdup(tty);
     ttyn_context=security_label_tty(pamh,ttyn,user_context);
   }
 +  send_audit_message(pamh, 1, default_user_context, user_context);
+  if (default_user_context != user_context) {
 +    freecon(default_user_context);
-+
+  }
   ret = setexeccon(user_context);
   if (ret==0 && verbose) {
     char msg[PATH_MAX];
-@@ -381,7 +569,7 @@
+@@ -381,7 +571,7 @@
   if (ret) {
     pam_syslog(pamh, LOG_ERR,
 	       "Error!  Unable to set %s executable context %s.",
@ -432,7 +434,7 @@
     if (security_getenforce() == 1) {
        freecon(user_context);
        return PAM_AUTH_ERR;
-@@ -389,7 +577,7 @@
+@@ -389,7 +579,7 @@
   } else {
     if (debug)
       pam_syslog(pamh, LOG_NOTICE, "set %s security context to %s",
@ -441,7 +443,7 @@
   }
 #ifdef HAVE_SETKEYCREATECON
   ret = setkeycreatecon(user_context);
-@@ -402,7 +590,7 @@
+@@ -402,7 +592,7 @@
   if (ret) {
     pam_syslog(pamh, LOG_ERR,
 	       "Error!  Unable to set %s key creation context %s.",
@ -450,7 +452,7 @@
     if (security_getenforce() == 1) {
        freecon(user_context);
        return PAM_AUTH_ERR;
-@@ -410,7 +598,7 @@
+@@ -410,7 +600,7 @@
   } else {
     if (debug)
       pam_syslog(pamh, LOG_NOTICE, "set %s key creation context to %s",
--- a/pam-0.99.7.1-unix-allow-pwmodify.patch
+++ b/pam-0.99.7.1-unix-allow-pwmodify.patch
@ -0,0 +1,16 @@
+--- Linux-PAM-0.99.7.1/modules/pam_unix/pam_unix_passwd.c.pwmodify	2006-12-20 12:08:59.000000000 +0100
+++ Linux-PAM-0.99.7.1/modules/pam_unix/pam_unix_passwd.c	2007-02-21 21:01:48.000000000 +0100
+@@ -1077,13 +1077,6 @@
+ 				user);
+ 			return PAM_USER_UNKNOWN;
+ 		}
+-		if (!_unix_shadowed(pwd) &&
+-		    (strchr(pwd->pw_passwd, '*') != NULL)) {
+-			pam_syslog(pamh, LOG_DEBUG,
+-				"user \"%s\" does not have modifiable password",
+-				user);
+-			return PAM_USER_UNKNOWN;
+-		}
+ 	}
+ 
+ 	/*
--- a/pam-0.99.7.1-unix-bigcrypt.patch
+++ b/pam-0.99.7.1-unix-bigcrypt.patch
@ -0,0 +1,126 @@
+--- Linux-PAM-0.99.7.1/modules/pam_unix/support.c.bigcrypt	2007-02-21 20:30:24.000000000 +0100
+++ Linux-PAM-0.99.7.1/modules/pam_unix/support.c	2007-02-21 21:17:29.000000000 +0100
+@@ -694,7 +694,7 @@
+ 			}
+ 		}
+ 	} else {
+-	    int salt_len;
+	    size_t salt_len;
+ 	    strip_hpux_aging(salt);
+ 	    salt_len = strlen(salt);
+ 	    if (!salt_len) {
+@@ -706,19 +706,19 @@
+ 		    D(("user has empty password - access denied"));
+ 		    retval = PAM_AUTH_ERR;
+ 		}
+-	    } else if (!p || (*salt == '*')) {
+	    } else if (!p || *salt == '*' || *salt == '!') {
+ 		retval = PAM_AUTH_ERR;
+ 	    } else {
+ 		if (!strncmp(salt, "$1$", 3)) {
+ 		    pp = Goodcrypt_md5(p, salt);
+-		    if (strcmp(pp, salt) != 0) {
+		    if (pp && strcmp(pp, salt) != 0) {
+ 			_pam_delete(pp);
+ 			pp = Brokencrypt_md5(p, salt);
+ 		    }
+ 		} else if (*salt != '$' && salt_len >= 13) {
+ 		    pp = bigcrypt(p, salt);
+-		    if (strlen(pp) > salt_len) {
+-			pp[salt_len] = '\0';
+		    if (pp && salt_len == 13 && strlen(pp) > salt_len) {
+			_pam_overwrite(pp + salt_len);
+ 		    }
+ 		} else {
+                     /*
+@@ -732,7 +732,7 @@
+ 		/* the moment of truth -- do we agree with the password? */
+ 		D(("comparing state of pp[%s] and salt[%s]", pp, salt));
+ 
+-		if (strcmp(pp, salt) == 0) {
+		if (pp && strcmp(pp, salt) == 0) {
+ 		    retval = PAM_SUCCESS;
+ 		} else {
+ 		    retval = PAM_AUTH_ERR;
+--- Linux-PAM-0.99.7.1/modules/pam_unix/unix_chkpwd.c.bigcrypt	2007-02-21 20:30:24.000000000 +0100
+++ Linux-PAM-0.99.7.1/modules/pam_unix/unix_chkpwd.c	2007-02-21 21:18:57.000000000 +0100
+@@ -159,7 +159,7 @@
+ 	char *salt = NULL;
+ 	char *pp = NULL;
+ 	int retval = PAM_AUTH_ERR;
+-	int salt_len;
+	size_t salt_len;
+ 
+ 	/* UNIX passwords area */
+ 	setpwent();
+@@ -205,6 +205,8 @@
+ 		return (nullok == 0) ? PAM_AUTH_ERR : PAM_SUCCESS;
+ 	}
+ 	if (p == NULL || strlen(p) == 0) {
+		_pam_overwrite(salt);
+		_pam_drop(salt);
+ 		return PAM_AUTHTOK_ERR;
+ 	}
+ 
+@@ -212,11 +214,13 @@
+ 	retval = PAM_AUTH_ERR;
+ 	if (!strncmp(salt, "$1$", 3)) {
+ 		pp = Goodcrypt_md5(p, salt);
+-		if (strcmp(pp, salt) == 0) {
+		if (pp && strcmp(pp, salt) == 0) {
+ 			retval = PAM_SUCCESS;
+ 		} else {
+			_pam_overwrite(pp);
+			_pam_drop(pp);
+ 			pp = Brokencrypt_md5(p, salt);
+-			if (strcmp(pp, salt) == 0)
+			if (pp && strcmp(pp, salt) == 0)
+ 				retval = PAM_SUCCESS;
+ 		}
+ 	} else if (*salt == '$') {
+@@ -225,10 +229,10 @@
+ 		 * libcrypt nows about it? We should try it.
+ 		 */
+ 	        pp = x_strdup (crypt(p, salt));
+-		if (strcmp(pp, salt) == 0) {
+		if (pp && strcmp(pp, salt) == 0) {
+ 			retval = PAM_SUCCESS;
+ 		}
+-	} else if ((*salt == '*') || (salt_len < 13)) {
+	} else if (*salt == '*' || *salt == '!' || salt_len < 13) {
+ 	    retval = PAM_AUTH_ERR;
+ 	} else {
+ 		pp = bigcrypt(p, salt);
+@@ -239,24 +243,21 @@
+ 		 * have been truncated for storage relative to the output
+ 		 * of bigcrypt here. As such we need to compare only the
+ 		 * stored string with the subset of bigcrypt's result.
+-		 * Bug 521314: the strncmp comparison is for legacy support.
+		 * Bug 521314.
+ 		 */
+-		if (strncmp(pp, salt, salt_len) == 0) {
+		if (pp && salt_len == 13 && strlen(pp) > salt_len) {
+		    _pam_overwrite(pp+salt_len);
+		}
+		
+		if (pp && strcmp(pp, salt) == 0) {
+ 			retval = PAM_SUCCESS;
+ 		}
+ 	}
+ 	p = NULL;		/* no longer needed here */
+ 
+ 	/* clean up */
+-	{
+-		char *tp = pp;
+-		if (pp != NULL) {
+-			while (tp && *tp)
+-				*tp++ = '\0';
+-			free(pp);
+-		}
+-		pp = tp = NULL;
+-	}
+	_pam_overwrite(pp);
+	_pam_drop(pp);
+ 
+ 	return retval;
+ }
--- a/pam.spec
+++ b/pam.spec
@ -11,7 +11,7 @@
 Summary: A security tool which provides authentication for applications
 Name: pam
 Version: 0.99.7.1
-Release: 2%{?dist}
+Release: 3%{?dist}
 License: GPL or BSD
 Group: System Environment/Base
 Source0: http://ftp.us.kernel.org/pub/linux/libs/pam/pre/library/Linux-PAM-%{version}.tar.bz2
@ -27,6 +27,8 @@ Source10: config-util.5
 Patch1:  pam-0.99.7.0-redhat-modules.patch
 Patch2:  pam-0.99.7.1-console-more-displays.patch
 Patch21: pam-0.78-unix-hpux-aging.patch
+Patch22: pam-0.99.7.1-unix-allow-pwmodify.patch
+Patch23: pam-0.99.7.1-unix-bigcrypt.patch
 Patch34: pam-0.99.7.0-dbpam.patch
 Patch70: pam-0.99.2.1-selinux-nofail.patch
 Patch80: pam-0.99.6.2-selinux-drop-multiple.patch
@ -94,6 +96,8 @@ cp %{SOURCE7} .
 %patch1 -p1 -b .redhat-modules
 %patch2 -p1 -b .displays
 %patch21 -p1 -b .unix-hpux-aging
+%patch22 -p1 -b .pwmodify
+%patch23 -p1 -b .bigcrypt
 %patch34 -p1 -b .dbpam
 %patch70 -p1 -b .nofail
 %patch80 -p1 -b .drop-multiple
@ -106,6 +110,7 @@ cp %{SOURCE7} .
 %patch93 -p1 -b .level
 %patch94 -p1 -b .unmnt-override
 %patch95 -p1 -b .range
+
 autoreconf

 %build
@ -397,6 +402,11 @@ fi
 %doc doc/adg/*.txt doc/adg/html

 %changelog
+* Wed Feb 21 2007 Tomas Mraz <tmraz@redhat.com> 0.99.7.1-3
+- correctly relabel tty in the default case (#229542)
+- pam_unix: cleanup of bigcrypt support
+- pam_unix: allow modification of '*' passwords to root
+
 * Tue Feb  6 2007 Tomas Mraz <tmraz@redhat.com> 0.99.7.1-2
 - more X displays as consoles (#227462)