Multiple fixes.

- update the audit-grantor patch with the upstream changes
- pam_userdb: correct the example in man page (#1078784)
- pam_limits: check whether the utmp login entry is valid (#1080023)
- pam_console_apply: do not print error if console.perms.d is empty
- pam_limits: nofile refers to open file descriptors (#1111220)
- apply PIE and full RELRO to all binaries built
Tomas Mraz 2014-09-11 09:28:59 +02:00
parent 5c62799319
commit 757d3aed85
10 changed files with 447 additions and 94 deletions


@ -0,0 +1,12 @@
diff -up Linux-PAM-1.1.1/modules/pam_console/pam_console_apply.c.errmsg Linux-PAM-1.1.1/modules/pam_console/pam_console_apply.c
--- Linux-PAM-1.1.1/modules/pam_console/pam_console_apply.c.errmsg 2008-12-16 13:37:52.000000000 +0100
+++ Linux-PAM-1.1.1/modules/pam_console/pam_console_apply.c 2014-06-19 13:23:28.948343737 +0200
@@ -65,7 +65,7 @@ parse_files(void)
on system locale */
oldlocale = setlocale(LC_COLLATE, "C");
- rc = glob(PERMS_GLOB, GLOB_NOCHECK, NULL, &globbuf);
+ rc = glob(PERMS_GLOB, 0, NULL, &globbuf);
setlocale(LC_COLLATE, oldlocale);
if (rc)
return;
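Review bot: With `GLOB_NOCHECK` dropped, the `if (rc) return;` on the last two lines now exits silently for every glob() failure, not only for the empty-directory case the patch is about: GLOB_NOSPACE and GLOB_ABORTED (for example a read error on the perms.d directory) are indistinguishable from "no files", so the console permissions are simply not applied and nothing is logged. Suggest keeping the quiet exit for the expected case only, `if (rc == GLOB_NOMATCH) return;`, and logging an error before returning on any other non-zero rc, calling `globfree(&globbuf)` there as well since glibc may leave partial results in the buffer. parse_files continues outside the hunk, so I cannot see whether later code already distinguishes these cases.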


@ -1,31 +0,0 @@
diff -up Linux-PAM-1.1.6/modules/pam_timestamp/Makefile.am.relro Linux-PAM-1.1.6/modules/pam_timestamp/Makefile.am
--- Linux-PAM-1.1.6/modules/pam_timestamp/Makefile.am.relro 2012-08-15 13:08:43.000000000 +0200
+++ Linux-PAM-1.1.6/modules/pam_timestamp/Makefile.am 2012-09-03 15:22:13.735307976 +0200
@@ -36,7 +36,7 @@ pam_timestamp_la_CFLAGS = $(AM_CFLAGS)
pam_timestamp_check_SOURCES = pam_timestamp_check.c
pam_timestamp_check_CFLAGS = $(AM_CFLAGS) @PIE_CFLAGS@
pam_timestamp_check_LDADD = $(top_builddir)/libpam/libpam.la
-pam_timestamp_check_LDFLAGS = @PIE_LDFLAGS@
+pam_timestamp_check_LDFLAGS = -Wl,-z,now @PIE_LDFLAGS@
hmacfile_SOURCES = hmacfile.c hmacsha1.c sha1.c
hmacfile_LDADD = $(top_builddir)/libpam/libpam.la
diff -up Linux-PAM-1.1.6/modules/pam_unix/Makefile.am.relro Linux-PAM-1.1.6/modules/pam_unix/Makefile.am
--- Linux-PAM-1.1.6/modules/pam_unix/Makefile.am.relro 2012-08-15 13:08:43.000000000 +0200
+++ Linux-PAM-1.1.6/modules/pam_unix/Makefile.am 2012-09-03 15:21:31.464424910 +0200
@@ -55,13 +55,13 @@ bigcrypt_LDADD = @LIBCRYPT@
unix_chkpwd_SOURCES = unix_chkpwd.c md5_good.c md5_broken.c bigcrypt.c \
passverify.c
unix_chkpwd_CFLAGS = $(AM_CFLAGS) @PIE_CFLAGS@ -DHELPER_COMPILE=\"unix_chkpwd\"
-unix_chkpwd_LDFLAGS = @PIE_LDFLAGS@
+unix_chkpwd_LDFLAGS = -Wl,-z,now @PIE_LDFLAGS@
unix_chkpwd_LDADD = @LIBCRYPT@ @LIBSELINUX@ @LIBAUDIT@
unix_update_SOURCES = unix_update.c md5_good.c md5_broken.c bigcrypt.c \
passverify.c
unix_update_CFLAGS = $(AM_CFLAGS) @PIE_CFLAGS@ -DHELPER_COMPILE=\"unix_update\"
-unix_update_LDFLAGS = @PIE_LDFLAGS@
+unix_update_LDFLAGS = -Wl,-z,now @PIE_LDFLAGS@
unix_update_LDADD = @LIBCRYPT@ @LIBSELINUX@
if ENABLE_REGENERATE_MAN


@ -1,3 +1,43 @@
From 0d29e379601819c7f7ed8de18b54de803a9f4049 Mon Sep 17 00:00:00 2001
From: Tomas Mraz <tmraz@fedoraproject.org>
Date: Fri, 5 Sep 2014 09:09:37 +0200
Subject: [PATCH] Add grantor field to audit records of libpam.
The grantor field gives audit trail of PAM modules which granted access
for successful return from libpam calls. In case of failed return
the grantor field is set to '?'.
libpam/pam_account.c (pam_acct_mgmt): Remove _pam_auditlog() call.
libpam/pam_auth.c (pam_authenticate, pam_setcred): Likewise.
libpam/pam_password.c (pam_chauthtok): Likewise.
libpam/pam_session.c (pam_open_session, pam_close_session): Likewise.
libpam/pam_audit.c (_pam_audit_writelog): Add grantors parameter,
add grantor= field to the message if grantors is set.
(_pam_list_grantors): New function creating the string with grantors list.
(_pam_auditlog): Add struct handler pointer parameter, call _pam_list_grantors()
to list the grantors from the handler list.
(_pam_audit_end): Add NULL handler parameter to _pam_auditlog() call.
(pam_modutil_audit_write): Add NULL grantors parameter to _pam_audit_writelog().
libpam/pam_dispatch.c (_pam_dispatch_aux): Set h->grantor where appropriate.
(_pam_clear_grantors): New function to clear grantor field of handler.
(_pam_dispatch): Call _pam_clear_grantors() before executing the stack.
Call _pam_auditlog() when appropriate.
libpam/pam_handlers.c (extract_modulename): Do not allow empty module name
or just "?" to avoid confusing audit trail.
(_pam_add_handler): Test for NULL return from extract_modulename().
Clear grantor field of handler.
libpam/pam_private.h: Add grantor field to struct handler, add handler pointer
parameter to _pam_auditlog().
---
libpam/pam_account.c | 4 ---
libpam/pam_audit.c | 84 +++++++++++++++++++++++++++++++++++++++++++--------
libpam/pam_auth.c | 8 -----
libpam/pam_dispatch.c | 41 ++++++++++++++++++++-----
libpam/pam_handlers.c | 14 +++++++--
libpam/pam_password.c | 4 ---
libpam/pam_private.h | 3 +-
libpam/pam_session.c | 7 -----
8 files changed, 119 insertions(+), 46 deletions(-)
diff --git a/libpam/pam_account.c b/libpam/pam_account.c diff --git a/libpam/pam_account.c b/libpam/pam_account.c
index 572acc4..3a4fb1f 100644 index 572acc4..3a4fb1f 100644
--- a/libpam/pam_account.c --- a/libpam/pam_account.c
@ -13,25 +53,48 @@ index 572acc4..3a4fb1f 100644
return retval; return retval;
} }
diff --git a/libpam/pam_audit.c b/libpam/pam_audit.c diff --git a/libpam/pam_audit.c b/libpam/pam_audit.c
index 531746a..63a4ea5 100644 index 531746a..24fb799 100644
--- a/libpam/pam_audit.c --- a/libpam/pam_audit.c
+++ b/libpam/pam_audit.c +++ b/libpam/pam_audit.c
@@ -28,14 +28,15 @@ _pam_audit_writelog(pam_handle_t *pamh, int audit_fd, int type, @@ -6,12 +6,12 @@
const char *message, int retval) Authors:
Steve Grubb <sgrubb@redhat.com> */
-#include <stdio.h>
-#include <syslog.h>
#include "pam_private.h"
#include "pam_modutil_private.h"
#ifdef HAVE_LIBAUDIT
+#include <stdio.h>
+#include <syslog.h>
#include <libaudit.h>
#include <pwd.h>
#include <netdb.h>
@@ -25,17 +25,24 @@
static int
_pam_audit_writelog(pam_handle_t *pamh, int audit_fd, int type,
- const char *message, int retval)
+ const char *message, const char *grantors, int retval)
{ {
static int old_errno = -1; static int old_errno = -1;
- int rc; - int rc;
- char buf[32]; - char buf[32];
- + int rc = -ENOMEM;
+ char *buf;
+ const char *grantors_field = " grantors=";
- snprintf(buf, sizeof(buf), "PAM:%s", message); - snprintf(buf, sizeof(buf), "PAM:%s", message);
- + if (grantors == NULL) {
+ grantors = "";
+ grantors_field = "";
+ }
- rc = audit_log_acct_message (audit_fd, type, NULL, buf, - rc = audit_log_acct_message (audit_fd, type, NULL, buf,
- (retval != PAM_USER_UNKNOWN && pamh->user) ? pamh->user : "?", - (retval != PAM_USER_UNKNOWN && pamh->user) ? pamh->user : "?",
- -1, pamh->rhost, NULL, pamh->tty, retval == PAM_SUCCESS ); - -1, pamh->rhost, NULL, pamh->tty, retval == PAM_SUCCESS );
+ int rc = -ENOMEM; + if (asprintf(&buf, "PAM:%s%s%s", message, grantors_field, grantors) >= 0) {
+ char *buf = NULL;
+
+ if (asprintf(&buf, "PAM:%s", message) >= 0) {
+ rc = audit_log_acct_message(audit_fd, type, NULL, buf, + rc = audit_log_acct_message(audit_fd, type, NULL, buf,
+ (retval != PAM_USER_UNKNOWN && pamh->user) ? pamh->user : "?", + (retval != PAM_USER_UNKNOWN && pamh->user) ? pamh->user : "?",
+ -1, pamh->rhost, NULL, pamh->tty, retval == PAM_SUCCESS); + -1, pamh->rhost, NULL, pamh->tty, retval == PAM_SUCCESS);
@ -40,60 +103,49 @@ index 531746a..63a4ea5 100644
/* libaudit sets errno to his own negative error code. This can be /* libaudit sets errno to his own negative error code. This can be
an official errno number, but must not. It can also be a audit an official errno number, but must not. It can also be a audit
@@ -78,12 +79,65 @@ _pam_audit_open(pam_handle_t *pamh) @@ -78,12 +85,54 @@ _pam_audit_open(pam_handle_t *pamh)
return audit_fd; return audit_fd;
} }
+static char * +static int
+_pam_list_grantors(struct handler *hlist, const char *message, int retval) +_pam_list_grantors(struct handler *hlist, int retval, char **list)
+{ +{
+ char *buf; + *list = NULL;
+ char *list = NULL;
+ +
+ if (retval == PAM_SUCCESS) { + if (retval == PAM_SUCCESS) {
+ struct handler *h; + struct handler *h;
+ char *p = NULL; + char *p = NULL;
+ size_t len = 0; + size_t len = 0;
+ +
+ h = hlist; + for (h = hlist; h != NULL; h = h->next) {
+
+ while (h != NULL) {
+ if (h->grantor) { + if (h->grantor) {
+ len += strlen(h->mod_name) + 1; + len += strlen(h->mod_name) + 1;
+ } + }
+
+ h = h->next;
+ } + }
+ +
+ list = malloc(len); + if (len == 0) {
+ if (list == NULL) { + return 0;
+ return NULL;
+ } + }
+ +
+ h = hlist; + *list = malloc(len);
+ if (*list == NULL) {
+ return -1;
+ }
+ +
+ while (h != NULL) { + for (h = hlist; h != NULL; h = h->next) {
+ if (h->grantor) { + if (h->grantor) {
+ if (p == NULL) { + if (p == NULL) {
+ p = list; + p = *list;
+ } else { + } else {
+ p = stpcpy(p, ","); + p = stpcpy(p, ",");
+ } + }
+ +
+ p = stpcpy(p, h->mod_name); + p = stpcpy(p, h->mod_name);
+ } + }
+
+ h = h->next;
+ } + }
+ } + }
+ +
+ if (asprintf(&buf, "%s grantor=%s", message, list ? list : "?") < 0) { + return 0;
+ free(list);
+ return NULL;
+ }
+
+ free(list);
+ return buf;
+} +}
+ +
int int
@ -103,31 +155,30 @@ index 531746a..63a4ea5 100644
const char *message; const char *message;
int type; int type;
int audit_fd; int audit_fd;
+ char *buf = NULL; + char *grantors;
if ((audit_fd=_pam_audit_open(pamh)) == -1) { if ((audit_fd=_pam_audit_open(pamh)) == -1) {
return PAM_SYSTEM_ERR; return PAM_SYSTEM_ERR;
@@ -134,9 +188,18 @@ _pam_auditlog(pam_handle_t *pamh, int action, int retval, int flags) @@ -134,8 +183,17 @@ _pam_auditlog(pam_handle_t *pamh, int action, int retval, int flags)
retval = PAM_SYSTEM_ERR; retval = PAM_SYSTEM_ERR;
} }
- if (_pam_audit_writelog(pamh, audit_fd, type, message, retval) < 0) - if (_pam_audit_writelog(pamh, audit_fd, type, message, retval) < 0)
+ buf = _pam_list_grantors(h, message, retval); + if (_pam_list_grantors(h, retval, &grantors) < 0) {
+ if (buf == NULL) {
+ /* allocation failure */ + /* allocation failure */
+ pam_syslog(pamh, LOG_CRIT, "_pam_list_grantors() failed: %m"); + pam_syslog(pamh, LOG_CRIT, "_pam_list_grantors() failed: %m");
+ retval = PAM_SYSTEM_ERR; retval = PAM_SYSTEM_ERR;
+ } + }
+ +
+ if (_pam_audit_writelog(pamh, audit_fd, type, buf ? buf : message, retval) < 0) + if (_pam_audit_writelog(pamh, audit_fd, type, message,
retval = PAM_SYSTEM_ERR; + grantors ? grantors : "?", retval) < 0)
+ retval = PAM_SYSTEM_ERR;
+ free(buf);
+ +
+ free(grantors);
audit_close(audit_fd); audit_close(audit_fd);
return retval; return retval;
} @@ -149,7 +207,7 @@ _pam_audit_end(pam_handle_t *pamh, int status UNUSED)
@@ -149,7 +212,7 @@ _pam_audit_end(pam_handle_t *pamh, int status UNUSED)
* stacks having been run. Assume that this is sshd faking * stacks having been run. Assume that this is sshd faking
* things for an unknown user. * things for an unknown user.
*/ */
@ -136,6 +187,15 @@ index 531746a..63a4ea5 100644
} }
return 0; return 0;
@@ -168,7 +226,7 @@ pam_modutil_audit_write(pam_handle_t *pamh, int type,
return retval;
}
- rc = _pam_audit_writelog(pamh, audit_fd, type, message, retval);
+ rc = _pam_audit_writelog(pamh, audit_fd, type, message, NULL, retval);
audit_close(audit_fd);
diff --git a/libpam/pam_auth.c b/libpam/pam_auth.c diff --git a/libpam/pam_auth.c b/libpam/pam_auth.c
index 5984fa5..1e7bc6e 100644 index 5984fa5..1e7bc6e 100644
--- a/libpam/pam_auth.c --- a/libpam/pam_auth.c
@ -163,7 +223,7 @@ index 5984fa5..1e7bc6e 100644
return retval; return retval;
diff --git a/libpam/pam_dispatch.c b/libpam/pam_dispatch.c diff --git a/libpam/pam_dispatch.c b/libpam/pam_dispatch.c
index eb52c82..ccfc372 100644 index eb52c82..cf632e8 100644
--- a/libpam/pam_dispatch.c --- a/libpam/pam_dispatch.c
+++ b/libpam/pam_dispatch.c +++ b/libpam/pam_dispatch.c
@@ -217,8 +217,14 @@ static int _pam_dispatch_aux(pam_handle_t *pamh, int flags, struct handler *h, @@ -217,8 +217,14 @@ static int _pam_dispatch_aux(pam_handle_t *pamh, int flags, struct handler *h,
@ -183,22 +243,31 @@ index eb52c82..ccfc372 100644
} }
break; break;
@@ -308,6 +314,14 @@ decision_made: /* by getting here we have made a decision */ @@ -262,6 +268,9 @@ static int _pam_dispatch_aux(pam_handle_t *pamh, int flags, struct handler *h,
|| (impression == _PAM_POSITIVE
&& status == PAM_SUCCESS) ) {
if ( retval != PAM_IGNORE || cached_retval == retval ) {
+ if ( impression == _PAM_UNDEF && retval == PAM_SUCCESS ) {
+ h->grantor = 1;
+ }
impression = _PAM_POSITIVE;
status = retval;
}
@@ -308,6 +317,13 @@ decision_made: /* by getting here we have made a decision */
return status; return status;
} }
+static void _pam_clear_grantors(struct handler *h) +static void _pam_clear_grantors(struct handler *h)
+{ +{
+ while (h != NULL) { + for (; h != NULL; h = h->next) {
+ h->grantor = 0; + h->grantor = 0;
+ h = h->next;
+ } + }
+} +}
+ +
/* /*
* This function translates the module dispatch request into a pointer * This function translates the module dispatch request into a pointer
* to the stack of modules that will actually be run. the * to the stack of modules that will actually be run. the
@@ -318,21 +332,21 @@ decision_made: /* by getting here we have made a decision */ @@ -318,21 +334,21 @@ decision_made: /* by getting here we have made a decision */
int _pam_dispatch(pam_handle_t *pamh, int flags, int choice) int _pam_dispatch(pam_handle_t *pamh, int flags, int choice)
{ {
struct handler *h = NULL; struct handler *h = NULL;
@ -223,7 +292,7 @@ index eb52c82..ccfc372 100644
} }
use_cached_chain = _PAM_PLEASE_FREEZE; use_cached_chain = _PAM_PLEASE_FREEZE;
@@ -360,7 +374,8 @@ int _pam_dispatch(pam_handle_t *pamh, int flags, int choice) @@ -360,7 +376,8 @@ int _pam_dispatch(pam_handle_t *pamh, int flags, int choice)
break; break;
default: default:
pam_syslog(pamh, LOG_ERR, "undefined fn choice; %d", choice); pam_syslog(pamh, LOG_ERR, "undefined fn choice; %d", choice);
@ -233,7 +302,7 @@ index eb52c82..ccfc372 100644
} }
if (h == NULL) { /* there was no handlers.conf... entry; will use if (h == NULL) { /* there was no handlers.conf... entry; will use
@@ -393,11 +408,13 @@ int _pam_dispatch(pam_handle_t *pamh, int flags, int choice) @@ -393,11 +410,13 @@ int _pam_dispatch(pam_handle_t *pamh, int flags, int choice)
pam_syslog(pamh, LOG_ERR, pam_syslog(pamh, LOG_ERR,
"application failed to re-exec stack [%d:%d]", "application failed to re-exec stack [%d:%d]",
pamh->former.choice, choice); pamh->former.choice, choice);
@ -248,7 +317,7 @@ index eb52c82..ccfc372 100644
} }
__PAM_TO_MODULE(pamh); __PAM_TO_MODULE(pamh);
@@ -417,5 +434,13 @@ int _pam_dispatch(pam_handle_t *pamh, int flags, int choice) @@ -417,5 +436,13 @@ int _pam_dispatch(pam_handle_t *pamh, int flags, int choice)
pamh->former.choice = PAM_NOT_STACKED; pamh->former.choice = PAM_NOT_STACKED;
} }
@ -263,21 +332,40 @@ index eb52c82..ccfc372 100644
return retval; return retval;
} }
diff --git a/libpam/pam_handlers.c b/libpam/pam_handlers.c diff --git a/libpam/pam_handlers.c b/libpam/pam_handlers.c
index 02714f7..e3f8ff6 100644 index 02714f7..df3a1d9 100644
--- a/libpam/pam_handlers.c --- a/libpam/pam_handlers.c
+++ b/libpam/pam_handlers.c +++ b/libpam/pam_handlers.c
@@ -889,6 +889,7 @@ int _pam_add_handler(pam_handle_t *pamh @@ -611,6 +611,12 @@ extract_modulename(const char *mod_path)
if (dot)
*dot = '\0';
+ if (*retval == '\0' || strcmp(retval, "?") == 0) {
+ /* do not allow empty module name or "?" to avoid confusing audit trail */
+ _pam_drop(retval);
+ return NULL;
+ }
+
return retval;
}
@@ -888,7 +894,9 @@ int _pam_add_handler(pam_handle_t *pamh
(*handler_p)->cached_retval_p = &((*handler_p)->cached_retval);
(*handler_p)->argc = argc; (*handler_p)->argc = argc;
(*handler_p)->argv = argv; /* not a copy */ (*handler_p)->argv = argv; /* not a copy */
(*handler_p)->mod_name = extract_modulename(mod_path); - (*handler_p)->mod_name = extract_modulename(mod_path);
+ if (((*handler_p)->mod_name = extract_modulename(mod_path)) == NULL)
+ return PAM_ABORT;
+ (*handler_p)->grantor = 0; + (*handler_p)->grantor = 0;
(*handler_p)->next = NULL; (*handler_p)->next = NULL;
/* some of the modules have a second calling function */ /* some of the modules have a second calling function */
@@ -921,6 +922,7 @@ int _pam_add_handler(pam_handle_t *pamh @@ -920,7 +928,9 @@ int _pam_add_handler(pam_handle_t *pamh
} else {
(*handler_p2)->argv = NULL; /* no arguments */ (*handler_p2)->argv = NULL; /* no arguments */
} }
(*handler_p2)->mod_name = extract_modulename(mod_path); - (*handler_p2)->mod_name = extract_modulename(mod_path);
+ if (((*handler_p2)->mod_name = extract_modulename(mod_path)) == NULL)
+ return PAM_ABORT;
+ (*handler_p2)->grantor = 0; + (*handler_p2)->grantor = 0;
(*handler_p2)->next = NULL; (*handler_p2)->next = NULL;
} }
@ -342,3 +430,6 @@ index 512153f..cb393c1 100644
return retval; return retval;
} }
--
1.8.3.1
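Review bot: In the updated _pam_audit_writelog the declaration becomes `char *buf;` where the previous version of the patch had `char *buf = NULL;`, and the contents of the pointer after a failed asprintf() are undefined. The hunk ends right after the audit_log_acct_message() call, so I cannot see whether `buf` is freed or read after the `if` block; if it is, a failed allocation turns into a free of an indeterminate pointer. Restoring `char *buf = NULL;` costs nothing and keeps the function safe regardless of what follows. The same hunk also leaves `rc = -ENOMEM` as the return value when asprintf() fails, which matches the "allocation failure" handling in _pam_auditlog, so that part looks consistent.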

pam-1.1.8-full-relro.patch Normal file

@ -0,0 +1,108 @@
diff -up Linux-PAM-1.1.8/modules/pam_console/Makefile.am.relro Linux-PAM-1.1.8/modules/pam_console/Makefile.am
--- Linux-PAM-1.1.8/modules/pam_console/Makefile.am.relro 2014-08-13 16:02:49.000000000 +0200
+++ Linux-PAM-1.1.8/modules/pam_console/Makefile.am 2014-09-10 17:14:33.245554314 +0200
@@ -33,6 +33,8 @@ pam_console_la_LIBADD = -L$(top_builddir
pam_console_apply_LDADD = -L$(top_builddir)/libpam -lpam
+pam_console_apply_LDFLAGS = -Wl,-z,now @PIE_LDFLAGS@
+
securelib_LTLIBRARIES = pam_console.la
sbin_PROGRAMS = pam_console_apply
@@ -47,7 +49,7 @@ pam_console_apply_SOURCES = pam_console_
configfile.c configfile.h hashtable.c hashtable.h hashtable_private.h
pam_console_la_CFLAGS = $(AM_CFLAGS)
-pam_console_apply_CFLAGS = $(AM_CFLAGS)
+pam_console_apply_CFLAGS = $(AM_CFLAGS) @PIE_CFLAGS@
configfile.tab.c: configfile.y
$(YACC) $(BISON_OPTS) -o $@ -p _pc_yy $<
diff -up Linux-PAM-1.1.8/modules/pam_faillock/Makefile.am.relro Linux-PAM-1.1.8/modules/pam_faillock/Makefile.am
--- Linux-PAM-1.1.8/modules/pam_faillock/Makefile.am.relro 2014-08-13 16:02:49.000000000 +0200
+++ Linux-PAM-1.1.8/modules/pam_faillock/Makefile.am 2014-09-10 17:16:11.102808189 +0200
@@ -19,7 +19,7 @@ secureconfdir = $(SCONFIGDIR)
noinst_HEADERS = faillock.h
-faillock_CFLAGS = -I$(top_srcdir)/libpam/include -I$(top_srcdir)/libpamc/include
+faillock_CFLAGS = -I$(top_srcdir)/libpam/include -I$(top_srcdir)/libpamc/include @PIE_CFLAGS@
pam_faillock_la_CFLAGS = -I$(top_srcdir)/libpam/include -I$(top_srcdir)/libpamc/include
pam_faillock_la_LDFLAGS = -no-undefined -avoid-version -module
@@ -28,6 +28,7 @@ if HAVE_VERSIONING
pam_faillock_la_LDFLAGS += -Wl,--version-script=$(srcdir)/../modules.map
endif
+faillock_LDFLAGS = -Wl,-z,now @PIE_LDFLAGS@
faillock_LDADD = -L$(top_builddir)/libpam -lpam $(LIBAUDIT)
securelib_LTLIBRARIES = pam_faillock.la
diff -up Linux-PAM-1.1.8/modules/pam_filter/upperLOWER/Makefile.am.relro Linux-PAM-1.1.8/modules/pam_filter/upperLOWER/Makefile.am
--- Linux-PAM-1.1.8/modules/pam_filter/upperLOWER/Makefile.am.relro 2014-09-10 17:17:20.273401344 +0200
+++ Linux-PAM-1.1.8/modules/pam_filter/upperLOWER/Makefile.am 2014-09-10 17:17:07.857115369 +0200
@@ -9,7 +9,7 @@ securelibfilterdir = $(SECUREDIR)/pam_fi
AM_CFLAGS = -I$(top_srcdir)/libpam/include -I$(top_srcdir)/libpamc/include \
-I$(srcdir)/.. @PIE_CFLAGS@
-AM_LDFLAGS = @PIE_LDFLAGS@
+AM_LDFLAGS = -Wl,-z,now @PIE_LDFLAGS@
LDADD = $(top_builddir)/libpam/libpam.la
securelibfilter_PROGRAMS = upperLOWER
diff -up Linux-PAM-1.1.8/modules/pam_mkhomedir/Makefile.am.relro Linux-PAM-1.1.8/modules/pam_mkhomedir/Makefile.am
--- Linux-PAM-1.1.8/modules/pam_mkhomedir/Makefile.am.relro 2013-06-18 16:11:21.000000000 +0200
+++ Linux-PAM-1.1.8/modules/pam_mkhomedir/Makefile.am 2014-09-10 17:18:42.922304935 +0200
@@ -30,6 +30,8 @@ endif
sbin_PROGRAMS = mkhomedir_helper
mkhomedir_helper_SOURCES = mkhomedir_helper.c
+mkhomedir_helper_CFLAGS = $(AM_CFLAGS) @PIE_CFLAGS@
+mkhomedir_helper_LDFLAGS = -Wl,-z,now @PIE_LDFLAGS@
mkhomedir_helper_LDADD = $(top_builddir)/libpam/libpam.la
if ENABLE_REGENERATE_MAN
diff -up Linux-PAM-1.1.8/modules/pam_tally2/Makefile.am.relro Linux-PAM-1.1.8/modules/pam_tally2/Makefile.am
--- Linux-PAM-1.1.8/modules/pam_tally2/Makefile.am.relro 2013-06-18 16:11:21.000000000 +0200
+++ Linux-PAM-1.1.8/modules/pam_tally2/Makefile.am 2014-09-10 17:22:04.339944040 +0200
@@ -26,6 +26,8 @@ if HAVE_VERSIONING
pam_tally2_la_LDFLAGS += -Wl,--version-script=$(srcdir)/../modules.map
endif
+pam_tally2_CFLAGS = $(AM_CFLAGS) @PIE_CFLAGS@
+pam_tally2_LDFLAGS = -Wl,-z,now @PIE_LDFLAGS@
pam_tally2_LDADD = $(top_builddir)/libpam/libpam.la $(LIBAUDIT)
securelib_LTLIBRARIES = pam_tally2.la
diff -up Linux-PAM-1.1.8/modules/pam_timestamp/Makefile.am.relro Linux-PAM-1.1.8/modules/pam_timestamp/Makefile.am
--- Linux-PAM-1.1.8/modules/pam_timestamp/Makefile.am.relro 2013-06-18 16:11:21.000000000 +0200
+++ Linux-PAM-1.1.8/modules/pam_timestamp/Makefile.am 2014-08-13 16:02:49.906688139 +0200
@@ -36,7 +36,7 @@ pam_timestamp_la_CFLAGS = $(AM_CFLAGS)
pam_timestamp_check_SOURCES = pam_timestamp_check.c
pam_timestamp_check_CFLAGS = $(AM_CFLAGS) @PIE_CFLAGS@
pam_timestamp_check_LDADD = $(top_builddir)/libpam/libpam.la
-pam_timestamp_check_LDFLAGS = @PIE_LDFLAGS@
+pam_timestamp_check_LDFLAGS = -Wl,-z,now @PIE_LDFLAGS@
hmacfile_SOURCES = hmacfile.c hmacsha1.c sha1.c
hmacfile_LDADD = $(top_builddir)/libpam/libpam.la
diff -up Linux-PAM-1.1.8/modules/pam_unix/Makefile.am.relro Linux-PAM-1.1.8/modules/pam_unix/Makefile.am
--- Linux-PAM-1.1.8/modules/pam_unix/Makefile.am.relro 2013-06-18 16:11:21.000000000 +0200
+++ Linux-PAM-1.1.8/modules/pam_unix/Makefile.am 2014-08-13 16:02:49.906688139 +0200
@@ -55,13 +55,13 @@ bigcrypt_LDADD = @LIBCRYPT@
unix_chkpwd_SOURCES = unix_chkpwd.c md5_good.c md5_broken.c bigcrypt.c \
passverify.c
unix_chkpwd_CFLAGS = $(AM_CFLAGS) @PIE_CFLAGS@ -DHELPER_COMPILE=\"unix_chkpwd\"
-unix_chkpwd_LDFLAGS = @PIE_LDFLAGS@
+unix_chkpwd_LDFLAGS = -Wl,-z,now @PIE_LDFLAGS@
unix_chkpwd_LDADD = @LIBCRYPT@ @LIBSELINUX@ @LIBAUDIT@
unix_update_SOURCES = unix_update.c md5_good.c md5_broken.c bigcrypt.c \
passverify.c
unix_update_CFLAGS = $(AM_CFLAGS) @PIE_CFLAGS@ -DHELPER_COMPILE=\"unix_update\"
-unix_update_LDFLAGS = @PIE_LDFLAGS@
+unix_update_LDFLAGS = -Wl,-z,now @PIE_LDFLAGS@
unix_update_LDADD = @LIBCRYPT@ @LIBSELINUX@
if ENABLE_REGENERATE_MAN
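Review bot: The new patch adds `-Wl,-z,now` only to the helper programs; the module shared objects in the same Makefiles (`pam_console.la`, `pam_faillock.la`, `pam_tally2.la`, `pam_timestamp.la`) get no such flag, so unless a top-level AM_LDFLAGS or the packaging flags already supply it, which I cannot see here, the modules that get loaded into privileged processes remain partial-RELRO. For pam_faillock that would be `pam_faillock_la_LDFLAGS = -Wl,-z,now -no-undefined -avoid-version -module` and the analogous change for the other `_la_LDFLAGS` lines. The commit message says "all binaries built", so either the modules are covered elsewhere or the description overstates the scope.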


@ -0,0 +1,37 @@
diff -up Linux-PAM-1.1.8/modules/pam_lastlog/pam_lastlog.c.uninitialized Linux-PAM-1.1.8/modules/pam_lastlog/pam_lastlog.c
--- Linux-PAM-1.1.8/modules/pam_lastlog/pam_lastlog.c.uninitialized 2013-06-18 16:11:21.000000000 +0200
+++ Linux-PAM-1.1.8/modules/pam_lastlog/pam_lastlog.c 2014-08-25 16:44:24.365174752 +0200
@@ -350,6 +350,8 @@ last_login_write(pam_handle_t *pamh, int
return PAM_SERVICE_ERR;
}
+ memset(&last_login, 0, sizeof(last_login));
+
/* set this login date */
D(("set the most recent login time"));
(void) time(&ll_time); /* set the time */
@@ -364,14 +366,12 @@ last_login_write(pam_handle_t *pamh, int
}
/* copy to last_login */
- last_login.ll_host[0] = '\0';
strncat(last_login.ll_host, remote_host, sizeof(last_login.ll_host)-1);
/* set the terminal line */
terminal_line = get_tty(pamh);
/* copy to last_login */
- last_login.ll_line[0] = '\0';
strncat(last_login.ll_line, terminal_line, sizeof(last_login.ll_line)-1);
terminal_line = NULL;
@@ -628,7 +628,8 @@ pam_sm_authenticate(pam_handle_t *pamh,
lltime = (time(NULL) - lltime) / (24*60*60);
if (lltime > inactive_days) {
- pam_syslog(pamh, LOG_INFO, "user %s inactive for %d days - denied", user, lltime);
+ pam_syslog(pamh, LOG_INFO, "user %s inactive for %ld days - denied",
+ user, (long) lltime);
return PAM_AUTH_ERR;
}
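Review bot: The new `memset(&last_login, 0, sizeof(last_login));` carries no comment explaining why it replaced the two per-field `[0] = '\0'` terminators, and the reason matters to anyone tempted to simplify it back: strncat fills only the bytes it copies, so the remainder of `ll_host` and `ll_line` and any padding were written to the lastlog file as whatever the memory held before (presumably stack contents, since `last_login` looks like an automatic variable whose declaration is outside the hunk). Suggest `/* zero the whole record: strncat only fills the copied bytes and the rest of the struct goes to disk verbatim */` above the memset. last_login_write begins outside the hunk.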


@ -0,0 +1,41 @@
diff -up Linux-PAM-1.1.8/modules/pam_limits/pam_limits.c.check-process Linux-PAM-1.1.8/modules/pam_limits/pam_limits.c
--- Linux-PAM-1.1.8/modules/pam_limits/pam_limits.c.check-process 2013-06-18 16:11:21.000000000 +0200
+++ Linux-PAM-1.1.8/modules/pam_limits/pam_limits.c 2014-09-10 16:39:36.263256066 +0200
@@ -27,6 +27,7 @@
#include <errno.h>
#include <syslog.h>
#include <stdarg.h>
+#include <signal.h>
#include <sys/types.h>
#include <sys/stat.h>
#include <sys/resource.h>
@@ -269,16 +270,27 @@ check_logins (pam_handle_t *pamh, const
continue;
}
if (!pl->flag_numsyslogins) {
+ char user[sizeof(ut->UT_USER) + 1];
+ user[0] = '\0';
+ strncat(user, ut->UT_USER, sizeof(ut->UT_USER));
+
if (((pl->login_limit_def == LIMITS_DEF_USER)
|| (pl->login_limit_def == LIMITS_DEF_GROUP)
|| (pl->login_limit_def == LIMITS_DEF_DEFAULT))
- && strncmp(name, ut->UT_USER, sizeof(ut->UT_USER)) != 0) {
+ && strcmp(name, user) != 0) {
continue;
}
if ((pl->login_limit_def == LIMITS_DEF_ALLGROUP)
- && !pam_modutil_user_in_group_nam_nam(pamh, ut->UT_USER, pl->login_group)) {
+ && !pam_modutil_user_in_group_nam_nam(pamh, user, pl->login_group)) {
continue;
}
+ if (kill(ut->ut_pid, 0) == -1 && errno == ESRCH) {
+ /* process does not exist anymore */
+ pam_syslog(pamh, LOG_WARNING,
+ "Stale utmp entry (pid %d) for '%s' ignored",
+ ut->ut_pid, user);
+ continue;
+ }
}
if (++count > limit) {
break;
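Review bot: The new liveness check `kill(ut->ut_pid, 0)` has no guard for non-positive pids: `kill(0, 0)` signals the caller's own process group and a negative value a process group, both of which succeed, so a utmp record with `ut_pid` 0 or a damaged value passes as live and keeps counting toward the limit. Guard it first, `if (ut->ut_pid <= 0 || (kill(ut->ut_pid, 0) == -1 && errno == ESRCH)) {`. Also, the check sits inside the `if (!pl->flag_numsyslogins)` block, so stale entries are still counted for maxsyslogins; if that is not intended, move it after the block's closing brace so both limits use the same validity test. check_logins begins and ends outside the hunk.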


@ -0,0 +1,54 @@
diff -up Linux-PAM-1.1.8/modules/pam_limits/limits.conf.docfix Linux-PAM-1.1.8/modules/pam_limits/limits.conf
--- Linux-PAM-1.1.8/modules/pam_limits/limits.conf.docfix 2014-07-14 14:58:05.000000000 +0200
+++ Linux-PAM-1.1.8/modules/pam_limits/limits.conf 2014-09-10 16:42:51.254747161 +0200
@@ -32,7 +32,7 @@
# - data - max data size (KB)
# - fsize - maximum filesize (KB)
# - memlock - max locked-in-memory address space (KB)
-# - nofile - max number of open files
+# - nofile - max number of open file descriptors
# - rss - max resident set size (KB)
# - stack - max stack size (KB)
# - cpu - max CPU time (MIN)
diff -up Linux-PAM-1.1.8/modules/pam_limits/limits.conf.5.xml.docfix Linux-PAM-1.1.8/modules/pam_limits/limits.conf.5.xml
--- Linux-PAM-1.1.8/modules/pam_limits/limits.conf.5.xml.docfix 2013-06-18 16:11:21.000000000 +0200
+++ Linux-PAM-1.1.8/modules/pam_limits/limits.conf.5.xml 2014-09-10 16:44:01.624367933 +0200
@@ -178,7 +178,7 @@
<varlistentry>
<term><option>nofile</option></term>
<listitem>
- <para>maximum number of open files</para>
+ <para>maximum number of open file descriptors</para>
</listitem>
</varlistentry>
<varlistentry>
@@ -214,14 +214,17 @@
<varlistentry>
<term><option>maxlogins</option></term>
<listitem>
- <para>maximum number of logins for this user except
- for this with <emphasis>uid=0</emphasis></para>
+ <para>maximum number of logins for this user (this limit does
+ not apply to user with <emphasis>uid=0</emphasis>)</para>
</listitem>
</varlistentry>
<varlistentry>
<term><option>maxsyslogins</option></term>
<listitem>
- <para>maximum number of all logins on system</para>
+ <para>maximum number of all logins on system; user is not
+ allowed to log-in if total number of all users' logins is
+ greater than specified number (this limit does not apply to
+ user with <emphasis>uid=0</emphasis>)</para>
</listitem>
</varlistentry>
<varlistentry>
@@ -292,7 +295,7 @@
permanent; existing only for the duration of the session.
One exception is the <emphasis>maxlogin</emphasis> option, this one
is system wide. But there is a race, concurrent logins at the same
- time will not always be detect as such but only counted as one.
+ time will not always be detected as such but only counted as one.
</para>
<para>
In the <emphasis>limits</emphasis> configuration file, the


@ -0,0 +1,22 @@
diff -up Linux-PAM-1.1.8/modules/pam_userdb/pam_userdb.8.xml.dbsuffix Linux-PAM-1.1.8/modules/pam_userdb/pam_userdb.8.xml
--- Linux-PAM-1.1.8/modules/pam_userdb/pam_userdb.8.xml.dbsuffix 2013-06-18 16:11:21.000000000 +0200
+++ Linux-PAM-1.1.8/modules/pam_userdb/pam_userdb.8.xml 2014-09-10 16:28:19.916678273 +0200
@@ -89,7 +89,8 @@
Use the <filename>/path/database</filename> database for
performing lookup. There is no default; the module will
return <emphasis remap='B'>PAM_IGNORE</emphasis> if no
- database is provided.
+ database is provided. Note that the path to the database file
+ should be specified without the <filename>.db</filename> suffix.
</para>
</listitem>
</varlistentry>
@@ -260,7 +261,7 @@
<refsect1 id='pam_userdb-examples'>
<title>EXAMPLES</title>
<programlisting>
-auth sufficient pam_userdb.so icase db=/etc/dbtest.db
+auth sufficient pam_userdb.so icase db=/etc/dbtest
</programlisting>
</refsect1>


@ -9,7 +9,7 @@ index 4bb4d6d..9157b91 100644
# #
CLEANFILES = *~ CLEANFILES = *~
@@ -9,25 +10,33 @@ EXTRA_DIST = README $(MANS) $(XMLS) tst-pam_pwhistory @@ -9,25 +10,34 @@ EXTRA_DIST = README $(MANS) $(XMLS) tst-pam_pwhistory
TESTS = tst-pam_pwhistory TESTS = tst-pam_pwhistory
@ -42,8 +42,9 @@ index 4bb4d6d..9157b91 100644
pam_pwhistory_la_SOURCES = pam_pwhistory.c opasswd.c pam_pwhistory_la_SOURCES = pam_pwhistory.c opasswd.c
+sbin_PROGRAMS = pwhistory_helper +sbin_PROGRAMS = pwhistory_helper
+pwhistory_helper_CFLAGS = $(AM_CFLAGS) -DHELPER_COMPILE=\"pwhistory_helper\" +pwhistory_helper_CFLAGS = $(AM_CFLAGS) -DHELPER_COMPILE=\"pwhistory_helper\" @PIE_CFLAGS@
+pwhistory_helper_SOURCES = pwhistory_helper.c opasswd.c +pwhistory_helper_SOURCES = pwhistory_helper.c opasswd.c
+pwhistory_helper_LDFLAGS = -Wl,-z,now @PIE_LDFLAGS@
+pwhistory_helper_LDADD = $(top_builddir)/libpam/libpam.la @LIBCRYPT@ +pwhistory_helper_LDADD = $(top_builddir)/libpam/libpam.la @LIBCRYPT@
+ +
if ENABLE_REGENERATE_MAN if ENABLE_REGENERATE_MAN


@ -3,7 +3,7 @@
Summary: An extensible library which provides authentication for applications Summary: An extensible library which provides authentication for applications
Name: pam Name: pam
Version: 1.1.8 Version: 1.1.8
Release: 16%{?dist} Release: 17%{?dist}
# The library is BSD licensed with option to relicense as GPLv2+ # The library is BSD licensed with option to relicense as GPLv2+
# - this option is redundant as the BSD license allows that anyway. # - this option is redundant as the BSD license allows that anyway.
# pam_timestamp, pam_loginuid, and pam_console modules are GPLv2+. # pam_timestamp, pam_loginuid, and pam_console modules are GPLv2+.
@ -36,9 +36,11 @@ Patch8: pam-1.1.1-faillock.patch
Patch9: pam-1.1.6-noflex.patch Patch9: pam-1.1.6-noflex.patch
Patch10: pam-1.1.3-nouserenv.patch Patch10: pam-1.1.3-nouserenv.patch
Patch13: pam-1.1.6-limits-user.patch Patch13: pam-1.1.6-limits-user.patch
Patch15: pam-1.1.6-full-relro.patch Patch15: pam-1.1.8-full-relro.patch
# FIPS related - non upstreamable # FIPS related - non upstreamable
Patch20: pam-1.1.5-unix-no-fallback.patch Patch20: pam-1.1.5-unix-no-fallback.patch
Patch27: pam-1.1.8-lastlog-uninitialized.patch
Patch28: pam-1.1.1-console-errmsg.patch
# Upstreamed partially # Upstreamed partially
Patch29: pam-1.1.8-pwhistory-helper.patch Patch29: pam-1.1.8-pwhistory-helper.patch
Patch31: pam-1.1.6-use-links.patch Patch31: pam-1.1.6-use-links.patch
@ -50,6 +52,9 @@ Patch36: pam-1.1.8-cve-2014-2583.patch
Patch37: pam-1.1.8-loginuid-container.patch Patch37: pam-1.1.8-loginuid-container.patch
Patch38: pam-1.1.8-opasswd-tolerant.patch Patch38: pam-1.1.8-opasswd-tolerant.patch
Patch39: pam-1.1.8-audit-grantor.patch Patch39: pam-1.1.8-audit-grantor.patch
Patch40: pam-1.1.8-man-dbsuffix.patch
Patch41: pam-1.1.8-limits-check-process.patch
Patch42: pam-1.1.8-limits-docfix.patch
%define _pamlibdir %{_libdir} %define _pamlibdir %{_libdir}
%define _moduledir %{_libdir}/security %define _moduledir %{_libdir}/security
@ -124,6 +129,8 @@ cp %{SOURCE18} .
%patch13 -p1 -b .limits %patch13 -p1 -b .limits
%patch15 -p1 -b .relro %patch15 -p1 -b .relro
%patch20 -p1 -b .no-fallback %patch20 -p1 -b .no-fallback
%patch27 -p1 -b .uninitialized
%patch28 -p1 -b .errmsg
%patch29 -p1 -b .pwhhelper %patch29 -p1 -b .pwhhelper
%patch31 -p1 -b .links %patch31 -p1 -b .links
%patch32 -p1 -b .tty-audit-init %patch32 -p1 -b .tty-audit-init
@ -134,6 +141,9 @@ cp %{SOURCE18} .
%patch37 -p1 -b .container %patch37 -p1 -b .container
%patch38 -p1 -b .opasswd-tolerant %patch38 -p1 -b .opasswd-tolerant
%patch39 -p1 -b .grantor %patch39 -p1 -b .grantor
%patch40 -p1 -b .dbsuffix
%patch41 -p1 -b .check-process
%patch42 -p1 -b .docfix
%build %build
autoreconf -i autoreconf -i
@ -255,7 +265,7 @@ done
%post %post
/sbin/ldconfig /sbin/ldconfig
if [ ! -e /var/log/tallylog ] ; then if [ ! -e /var/log/tallylog ] ; then
install -m 600 /dev/null /var/log/tallylog /usr/bin/install -m 600 /dev/null /var/log/tallylog
fi fi
%postun -p /sbin/ldconfig %postun -p /sbin/ldconfig
@ -384,6 +394,14 @@ fi
%doc doc/adg/*.txt doc/adg/html %doc doc/adg/*.txt doc/adg/html
%changelog %changelog
* Thu Sep 11 2014 Tomáš Mráz <tmraz@redhat.com> 1.1.8-17
- update the audit-grantor patch with the upstream changes
- pam_userdb: correct the example in man page (#1078784)
- pam_limits: check whether the utmp login entry is valid (#1080023)
- pam_console_apply: do not print error if console.perms.d is empty
- pam_limits: nofile refers to open file descriptors (#1111220)
- apply PIE and full RELRO to all binaries built
* Sun Aug 17 2014 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 1.1.8-16 * Sun Aug 17 2014 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 1.1.8-16
- Rebuilt for https://fedoraproject.org/wiki/Fedora_21_22_Mass_Rebuild - Rebuilt for https://fedoraproject.org/wiki/Fedora_21_22_Mass_Rebuild
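Review bot: The 1.1.8-17 changelog entry does not mention Patch27 (pam-1.1.8-lastlog-uninitialized.patch), although this commit adds both the `Patch27:` line and `%patch27 -p1 -b .uninitialized`; a fix that stops uninitialized memory from being written to the lastlog file is exactly the kind of item people scan the changelog for. Suggest adding `- pam_lastlog: do not write uninitialized data to the lastlog file` under the 1.1.8-17 entry. The %post change to `/usr/bin/install` presumably relies on coreutils being present when the scriptlet runs; if the spec has no `Requires(post): coreutils`, which is outside this section, one may be needed.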