Multiple fixes.
- update the audit-grantor patch with the upstream changes - pam_userdb: correct the example in man page (#1078784) - pam_limits: check whether the utmp login entry is valid (#1080023) - pam_console_apply: do not print error if console.perms.d is empty - pam_limits: nofile refers to open file descriptors (#1111220) - apply PIE and full RELRO to all binaries built
This commit is contained in:
parent
5c62799319
commit
757d3aed85
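--- a/pam-1.1.1-console-errmsg.patch
+++ b/pam-1.1.1-console-errmsg.patch
@@ -0,0 +1,12 @@
+diff -up Linux-PAM-1.1.1/modules/pam_console/pam_console_apply.c.errmsg Linux-PAM-1.1.1/modules/pam_console/pam_console_apply.c
+--- Linux-PAM-1.1.1/modules/pam_console/pam_console_apply.c.errmsg 2008-12-16 13:37:52.000000000 +0100
++++ Linux-PAM-1.1.1/modules/pam_console/pam_console_apply.c 2014-06-19 13:23:28.948343737 +0200
+@@ -65,7 +65,7 @@ parse_files(void)
+on system locale */
+oldlocale = setlocale(LC_COLLATE, "C");
+
+- rc = glob(PERMS_GLOB, GLOB_NOCHECK, NULL, &globbuf);
++ rc = glob(PERMS_GLOB, 0, NULL, &globbuf);
+setlocale(LC_COLLATE, oldlocale);
+if (rc)
+return;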
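Review bot: With GLOB_NOCHECK dropped, the unchanged `if (rc) return;` now also covers GLOB_ABORTED and GLOB_NOSPACE, so a read error on the console.perms.d directory or an allocation failure makes parse_files() return silently exactly like an empty directory, and no permissions are applied without any diagnostic. The expected no-match case should be told apart from real errors, e.g. `if (rc == GLOB_NOMATCH) return;` followed by `if (rc) { /* report GLOB_ABORTED / GLOB_NOSPACE through the tool's logging helper */ return; }`. The rest of parse_files(), including whatever releases globbuf, lies outside the hunk.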
@ -1,31 +0,0 @@
|
||||
diff -up Linux-PAM-1.1.6/modules/pam_timestamp/Makefile.am.relro Linux-PAM-1.1.6/modules/pam_timestamp/Makefile.am
|
||||
--- Linux-PAM-1.1.6/modules/pam_timestamp/Makefile.am.relro 2012-08-15 13:08:43.000000000 +0200
|
||||
+++ Linux-PAM-1.1.6/modules/pam_timestamp/Makefile.am 2012-09-03 15:22:13.735307976 +0200
|
||||
@@ -36,7 +36,7 @@ pam_timestamp_la_CFLAGS = $(AM_CFLAGS)
|
||||
pam_timestamp_check_SOURCES = pam_timestamp_check.c
|
||||
pam_timestamp_check_CFLAGS = $(AM_CFLAGS) @PIE_CFLAGS@
|
||||
pam_timestamp_check_LDADD = $(top_builddir)/libpam/libpam.la
|
||||
-pam_timestamp_check_LDFLAGS = @PIE_LDFLAGS@
|
||||
+pam_timestamp_check_LDFLAGS = -Wl,-z,now @PIE_LDFLAGS@
|
||||
|
||||
hmacfile_SOURCES = hmacfile.c hmacsha1.c sha1.c
|
||||
hmacfile_LDADD = $(top_builddir)/libpam/libpam.la
|
||||
diff -up Linux-PAM-1.1.6/modules/pam_unix/Makefile.am.relro Linux-PAM-1.1.6/modules/pam_unix/Makefile.am
|
||||
--- Linux-PAM-1.1.6/modules/pam_unix/Makefile.am.relro 2012-08-15 13:08:43.000000000 +0200
|
||||
+++ Linux-PAM-1.1.6/modules/pam_unix/Makefile.am 2012-09-03 15:21:31.464424910 +0200
|
||||
@@ -55,13 +55,13 @@ bigcrypt_LDADD = @LIBCRYPT@
|
||||
unix_chkpwd_SOURCES = unix_chkpwd.c md5_good.c md5_broken.c bigcrypt.c \
|
||||
passverify.c
|
||||
unix_chkpwd_CFLAGS = $(AM_CFLAGS) @PIE_CFLAGS@ -DHELPER_COMPILE=\"unix_chkpwd\"
|
||||
-unix_chkpwd_LDFLAGS = @PIE_LDFLAGS@
|
||||
+unix_chkpwd_LDFLAGS = -Wl,-z,now @PIE_LDFLAGS@
|
||||
unix_chkpwd_LDADD = @LIBCRYPT@ @LIBSELINUX@ @LIBAUDIT@
|
||||
|
||||
unix_update_SOURCES = unix_update.c md5_good.c md5_broken.c bigcrypt.c \
|
||||
passverify.c
|
||||
unix_update_CFLAGS = $(AM_CFLAGS) @PIE_CFLAGS@ -DHELPER_COMPILE=\"unix_update\"
|
||||
-unix_update_LDFLAGS = @PIE_LDFLAGS@
|
||||
+unix_update_LDFLAGS = -Wl,-z,now @PIE_LDFLAGS@
|
||||
unix_update_LDADD = @LIBCRYPT@ @LIBSELINUX@
|
||||
|
||||
if ENABLE_REGENERATE_MAN
|
@ -1,3 +1,43 @@
|
||||
From 0d29e379601819c7f7ed8de18b54de803a9f4049 Mon Sep 17 00:00:00 2001
|
||||
From: Tomas Mraz <tmraz@fedoraproject.org>
|
||||
Date: Fri, 5 Sep 2014 09:09:37 +0200
|
||||
Subject: [PATCH] Add grantor field to audit records of libpam.
|
||||
|
||||
The grantor field gives audit trail of PAM modules which granted access
|
||||
for successful return from libpam calls. In case of failed return
|
||||
the grantor field is set to '?'.
|
||||
libpam/pam_account.c (pam_acct_mgmt): Remove _pam_auditlog() call.
|
||||
libpam/pam_auth.c (pam_authenticate, pam_setcred): Likewise.
|
||||
libpam/pam_password.c (pam_chauthtok): Likewise.
|
||||
libpam/pam_session.c (pam_open_session, pam_close_session): Likewise.
|
||||
libpam/pam_audit.c (_pam_audit_writelog): Add grantors parameter,
|
||||
add grantor= field to the message if grantors is set.
|
||||
(_pam_list_grantors): New function creating the string with grantors list.
|
||||
(_pam_auditlog): Add struct handler pointer parameter, call _pam_list_grantors()
|
||||
to list the grantors from the handler list.
|
||||
(_pam_audit_end): Add NULL handler parameter to _pam_auditlog() call.
|
||||
(pam_modutil_audit_write): Add NULL grantors parameter to _pam_audit_writelog().
|
||||
libpam/pam_dispatch.c (_pam_dispatch_aux): Set h->grantor where appropriate.
|
||||
(_pam_clear_grantors): New function to clear grantor field of handler.
|
||||
(_pam_dispatch): Call _pam_clear_grantors() before executing the stack.
|
||||
Call _pam_auditlog() when appropriate.
|
||||
libpam/pam_handlers.c (extract_modulename): Do not allow empty module name
|
||||
or just "?" to avoid confusing audit trail.
|
||||
(_pam_add_handler): Test for NULL return from extract_modulename().
|
||||
Clear grantor field of handler.
|
||||
libpam/pam_private.h: Add grantor field to struct handler, add handler pointer
|
||||
parameter to _pam_auditlog().
|
||||
---
|
||||
libpam/pam_account.c | 4 ---
|
||||
libpam/pam_audit.c | 84 +++++++++++++++++++++++++++++++++++++++++++--------
|
||||
libpam/pam_auth.c | 8 -----
|
||||
libpam/pam_dispatch.c | 41 ++++++++++++++++++++-----
|
||||
libpam/pam_handlers.c | 14 +++++++--
|
||||
libpam/pam_password.c | 4 ---
|
||||
libpam/pam_private.h | 3 +-
|
||||
libpam/pam_session.c | 7 -----
|
||||
8 files changed, 119 insertions(+), 46 deletions(-)
|
||||
|
||||
diff --git a/libpam/pam_account.c b/libpam/pam_account.c
|
||||
index 572acc4..3a4fb1f 100644
|
||||
--- a/libpam/pam_account.c
|
||||
@ -13,25 +53,48 @@ index 572acc4..3a4fb1f 100644
|
||||
return retval;
|
||||
}
|
||||
diff --git a/libpam/pam_audit.c b/libpam/pam_audit.c
|
||||
index 531746a..63a4ea5 100644
|
||||
index 531746a..24fb799 100644
|
||||
--- a/libpam/pam_audit.c
|
||||
+++ b/libpam/pam_audit.c
|
||||
@@ -28,14 +28,15 @@ _pam_audit_writelog(pam_handle_t *pamh, int audit_fd, int type,
|
||||
const char *message, int retval)
|
||||
@@ -6,12 +6,12 @@
|
||||
Authors:
|
||||
Steve Grubb <sgrubb@redhat.com> */
|
||||
|
||||
-#include <stdio.h>
|
||||
-#include <syslog.h>
|
||||
#include "pam_private.h"
|
||||
#include "pam_modutil_private.h"
|
||||
|
||||
#ifdef HAVE_LIBAUDIT
|
||||
+#include <stdio.h>
|
||||
+#include <syslog.h>
|
||||
#include <libaudit.h>
|
||||
#include <pwd.h>
|
||||
#include <netdb.h>
|
||||
@@ -25,17 +25,24 @@
|
||||
|
||||
static int
|
||||
_pam_audit_writelog(pam_handle_t *pamh, int audit_fd, int type,
|
||||
- const char *message, int retval)
|
||||
+ const char *message, const char *grantors, int retval)
|
||||
{
|
||||
static int old_errno = -1;
|
||||
- int rc;
|
||||
- char buf[32];
|
||||
-
|
||||
+ int rc = -ENOMEM;
|
||||
+ char *buf;
|
||||
+ const char *grantors_field = " grantors=";
|
||||
|
||||
- snprintf(buf, sizeof(buf), "PAM:%s", message);
|
||||
-
|
||||
+ if (grantors == NULL) {
|
||||
+ grantors = "";
|
||||
+ grantors_field = "";
|
||||
+ }
|
||||
|
||||
- rc = audit_log_acct_message (audit_fd, type, NULL, buf,
|
||||
- (retval != PAM_USER_UNKNOWN && pamh->user) ? pamh->user : "?",
|
||||
- -1, pamh->rhost, NULL, pamh->tty, retval == PAM_SUCCESS );
|
||||
+ int rc = -ENOMEM;
|
||||
+ char *buf = NULL;
|
||||
+
|
||||
+ if (asprintf(&buf, "PAM:%s", message) >= 0) {
|
||||
+ if (asprintf(&buf, "PAM:%s%s%s", message, grantors_field, grantors) >= 0) {
|
||||
+ rc = audit_log_acct_message(audit_fd, type, NULL, buf,
|
||||
+ (retval != PAM_USER_UNKNOWN && pamh->user) ? pamh->user : "?",
|
||||
+ -1, pamh->rhost, NULL, pamh->tty, retval == PAM_SUCCESS);
|
||||
@ -40,60 +103,49 @@ index 531746a..63a4ea5 100644
|
||||
|
||||
/* libaudit sets errno to his own negative error code. This can be
|
||||
an official errno number, but must not. It can also be a audit
|
||||
@@ -78,12 +79,65 @@ _pam_audit_open(pam_handle_t *pamh)
|
||||
@@ -78,12 +85,54 @@ _pam_audit_open(pam_handle_t *pamh)
|
||||
return audit_fd;
|
||||
}
|
||||
|
||||
+static char *
|
||||
+_pam_list_grantors(struct handler *hlist, const char *message, int retval)
|
||||
+static int
|
||||
+_pam_list_grantors(struct handler *hlist, int retval, char **list)
|
||||
+{
|
||||
+ char *buf;
|
||||
+ char *list = NULL;
|
||||
+ *list = NULL;
|
||||
+
|
||||
+ if (retval == PAM_SUCCESS) {
|
||||
+ struct handler *h;
|
||||
+ char *p = NULL;
|
||||
+ size_t len = 0;
|
||||
+
|
||||
+ h = hlist;
|
||||
+
|
||||
+ while (h != NULL) {
|
||||
+ for (h = hlist; h != NULL; h = h->next) {
|
||||
+ if (h->grantor) {
|
||||
+ len += strlen(h->mod_name) + 1;
|
||||
+ }
|
||||
+
|
||||
+ h = h->next;
|
||||
+ }
|
||||
+
|
||||
+ list = malloc(len);
|
||||
+ if (list == NULL) {
|
||||
+ return NULL;
|
||||
+ if (len == 0) {
|
||||
+ return 0;
|
||||
+ }
|
||||
+
|
||||
+ h = hlist;
|
||||
+ *list = malloc(len);
|
||||
+ if (*list == NULL) {
|
||||
+ return -1;
|
||||
+ }
|
||||
+
|
||||
+ while (h != NULL) {
|
||||
+ for (h = hlist; h != NULL; h = h->next) {
|
||||
+ if (h->grantor) {
|
||||
+ if (p == NULL) {
|
||||
+ p = list;
|
||||
+ p = *list;
|
||||
+ } else {
|
||||
+ p = stpcpy(p, ",");
|
||||
+ }
|
||||
+
|
||||
+ p = stpcpy(p, h->mod_name);
|
||||
+ }
|
||||
+
|
||||
+ h = h->next;
|
||||
+ }
|
||||
+ }
|
||||
+
|
||||
+ if (asprintf(&buf, "%s grantor=%s", message, list ? list : "?") < 0) {
|
||||
+ free(list);
|
||||
+ return NULL;
|
||||
+ }
|
||||
+
|
||||
+ free(list);
|
||||
+ return buf;
|
||||
+ return 0;
|
||||
+}
|
||||
+
|
||||
int
|
||||
@ -103,31 +155,30 @@ index 531746a..63a4ea5 100644
|
||||
const char *message;
|
||||
int type;
|
||||
int audit_fd;
|
||||
+ char *buf = NULL;
|
||||
+ char *grantors;
|
||||
|
||||
if ((audit_fd=_pam_audit_open(pamh)) == -1) {
|
||||
return PAM_SYSTEM_ERR;
|
||||
@@ -134,9 +188,18 @@ _pam_auditlog(pam_handle_t *pamh, int action, int retval, int flags)
|
||||
@@ -134,8 +183,17 @@ _pam_auditlog(pam_handle_t *pamh, int action, int retval, int flags)
|
||||
retval = PAM_SYSTEM_ERR;
|
||||
}
|
||||
|
||||
- if (_pam_audit_writelog(pamh, audit_fd, type, message, retval) < 0)
|
||||
+ buf = _pam_list_grantors(h, message, retval);
|
||||
+ if (buf == NULL) {
|
||||
+ if (_pam_list_grantors(h, retval, &grantors) < 0) {
|
||||
+ /* allocation failure */
|
||||
+ pam_syslog(pamh, LOG_CRIT, "_pam_list_grantors() failed: %m");
|
||||
+ retval = PAM_SYSTEM_ERR;
|
||||
retval = PAM_SYSTEM_ERR;
|
||||
+ }
|
||||
+
|
||||
+ if (_pam_audit_writelog(pamh, audit_fd, type, buf ? buf : message, retval) < 0)
|
||||
retval = PAM_SYSTEM_ERR;
|
||||
|
||||
+ free(buf);
|
||||
+ if (_pam_audit_writelog(pamh, audit_fd, type, message,
|
||||
+ grantors ? grantors : "?", retval) < 0)
|
||||
+ retval = PAM_SYSTEM_ERR;
|
||||
+
|
||||
+ free(grantors);
|
||||
|
||||
audit_close(audit_fd);
|
||||
return retval;
|
||||
}
|
||||
@@ -149,7 +212,7 @@ _pam_audit_end(pam_handle_t *pamh, int status UNUSED)
|
||||
@@ -149,7 +207,7 @@ _pam_audit_end(pam_handle_t *pamh, int status UNUSED)
|
||||
* stacks having been run. Assume that this is sshd faking
|
||||
* things for an unknown user.
|
||||
*/
|
||||
@ -136,6 +187,15 @@ index 531746a..63a4ea5 100644
|
||||
}
|
||||
|
||||
return 0;
|
||||
@@ -168,7 +226,7 @@ pam_modutil_audit_write(pam_handle_t *pamh, int type,
|
||||
return retval;
|
||||
}
|
||||
|
||||
- rc = _pam_audit_writelog(pamh, audit_fd, type, message, retval);
|
||||
+ rc = _pam_audit_writelog(pamh, audit_fd, type, message, NULL, retval);
|
||||
|
||||
audit_close(audit_fd);
|
||||
|
||||
diff --git a/libpam/pam_auth.c b/libpam/pam_auth.c
|
||||
index 5984fa5..1e7bc6e 100644
|
||||
--- a/libpam/pam_auth.c
|
||||
@ -163,7 +223,7 @@ index 5984fa5..1e7bc6e 100644
|
||||
|
||||
return retval;
|
||||
diff --git a/libpam/pam_dispatch.c b/libpam/pam_dispatch.c
|
||||
index eb52c82..ccfc372 100644
|
||||
index eb52c82..cf632e8 100644
|
||||
--- a/libpam/pam_dispatch.c
|
||||
+++ b/libpam/pam_dispatch.c
|
||||
@@ -217,8 +217,14 @@ static int _pam_dispatch_aux(pam_handle_t *pamh, int flags, struct handler *h,
|
||||
@ -183,22 +243,31 @@ index eb52c82..ccfc372 100644
|
||||
}
|
||||
break;
|
||||
|
||||
@@ -308,6 +314,14 @@ decision_made: /* by getting here we have made a decision */
|
||||
@@ -262,6 +268,9 @@ static int _pam_dispatch_aux(pam_handle_t *pamh, int flags, struct handler *h,
|
||||
|| (impression == _PAM_POSITIVE
|
||||
&& status == PAM_SUCCESS) ) {
|
||||
if ( retval != PAM_IGNORE || cached_retval == retval ) {
|
||||
+ if ( impression == _PAM_UNDEF && retval == PAM_SUCCESS ) {
|
||||
+ h->grantor = 1;
|
||||
+ }
|
||||
impression = _PAM_POSITIVE;
|
||||
status = retval;
|
||||
}
|
||||
@@ -308,6 +317,13 @@ decision_made: /* by getting here we have made a decision */
|
||||
return status;
|
||||
}
|
||||
|
||||
+static void _pam_clear_grantors(struct handler *h)
|
||||
+{
|
||||
+ while (h != NULL) {
|
||||
+ for (; h != NULL; h = h->next) {
|
||||
+ h->grantor = 0;
|
||||
+ h = h->next;
|
||||
+ }
|
||||
+}
|
||||
+
|
||||
/*
|
||||
* This function translates the module dispatch request into a pointer
|
||||
* to the stack of modules that will actually be run. the
|
||||
@@ -318,21 +332,21 @@ decision_made: /* by getting here we have made a decision */
|
||||
@@ -318,21 +334,21 @@ decision_made: /* by getting here we have made a decision */
|
||||
int _pam_dispatch(pam_handle_t *pamh, int flags, int choice)
|
||||
{
|
||||
struct handler *h = NULL;
|
||||
@ -223,7 +292,7 @@ index eb52c82..ccfc372 100644
|
||||
}
|
||||
|
||||
use_cached_chain = _PAM_PLEASE_FREEZE;
|
||||
@@ -360,7 +374,8 @@ int _pam_dispatch(pam_handle_t *pamh, int flags, int choice)
|
||||
@@ -360,7 +376,8 @@ int _pam_dispatch(pam_handle_t *pamh, int flags, int choice)
|
||||
break;
|
||||
default:
|
||||
pam_syslog(pamh, LOG_ERR, "undefined fn choice; %d", choice);
|
||||
@ -233,7 +302,7 @@ index eb52c82..ccfc372 100644
|
||||
}
|
||||
|
||||
if (h == NULL) { /* there was no handlers.conf... entry; will use
|
||||
@@ -393,11 +408,13 @@ int _pam_dispatch(pam_handle_t *pamh, int flags, int choice)
|
||||
@@ -393,11 +410,13 @@ int _pam_dispatch(pam_handle_t *pamh, int flags, int choice)
|
||||
pam_syslog(pamh, LOG_ERR,
|
||||
"application failed to re-exec stack [%d:%d]",
|
||||
pamh->former.choice, choice);
|
||||
@ -248,7 +317,7 @@ index eb52c82..ccfc372 100644
|
||||
}
|
||||
|
||||
__PAM_TO_MODULE(pamh);
|
||||
@@ -417,5 +434,13 @@ int _pam_dispatch(pam_handle_t *pamh, int flags, int choice)
|
||||
@@ -417,5 +436,13 @@ int _pam_dispatch(pam_handle_t *pamh, int flags, int choice)
|
||||
pamh->former.choice = PAM_NOT_STACKED;
|
||||
}
|
||||
|
||||
@ -263,21 +332,40 @@ index eb52c82..ccfc372 100644
|
||||
return retval;
|
||||
}
|
||||
diff --git a/libpam/pam_handlers.c b/libpam/pam_handlers.c
|
||||
index 02714f7..e3f8ff6 100644
|
||||
index 02714f7..df3a1d9 100644
|
||||
--- a/libpam/pam_handlers.c
|
||||
+++ b/libpam/pam_handlers.c
|
||||
@@ -889,6 +889,7 @@ int _pam_add_handler(pam_handle_t *pamh
|
||||
@@ -611,6 +611,12 @@ extract_modulename(const char *mod_path)
|
||||
if (dot)
|
||||
*dot = '\0';
|
||||
|
||||
+ if (*retval == '\0' || strcmp(retval, "?") == 0) {
|
||||
+ /* do not allow empty module name or "?" to avoid confusing audit trail */
|
||||
+ _pam_drop(retval);
|
||||
+ return NULL;
|
||||
+ }
|
||||
+
|
||||
return retval;
|
||||
}
|
||||
|
||||
@@ -888,7 +894,9 @@ int _pam_add_handler(pam_handle_t *pamh
|
||||
(*handler_p)->cached_retval_p = &((*handler_p)->cached_retval);
|
||||
(*handler_p)->argc = argc;
|
||||
(*handler_p)->argv = argv; /* not a copy */
|
||||
(*handler_p)->mod_name = extract_modulename(mod_path);
|
||||
- (*handler_p)->mod_name = extract_modulename(mod_path);
|
||||
+ if (((*handler_p)->mod_name = extract_modulename(mod_path)) == NULL)
|
||||
+ return PAM_ABORT;
|
||||
+ (*handler_p)->grantor = 0;
|
||||
(*handler_p)->next = NULL;
|
||||
|
||||
/* some of the modules have a second calling function */
|
||||
@@ -921,6 +922,7 @@ int _pam_add_handler(pam_handle_t *pamh
|
||||
@@ -920,7 +928,9 @@ int _pam_add_handler(pam_handle_t *pamh
|
||||
} else {
|
||||
(*handler_p2)->argv = NULL; /* no arguments */
|
||||
}
|
||||
(*handler_p2)->mod_name = extract_modulename(mod_path);
|
||||
- (*handler_p2)->mod_name = extract_modulename(mod_path);
|
||||
+ if (((*handler_p2)->mod_name = extract_modulename(mod_path)) == NULL)
|
||||
+ return PAM_ABORT;
|
||||
+ (*handler_p2)->grantor = 0;
|
||||
(*handler_p2)->next = NULL;
|
||||
}
|
||||
@ -342,3 +430,6 @@ index 512153f..cb393c1 100644
|
||||
return retval;
|
||||
|
||||
}
|
||||
--
|
||||
1.8.3.1
|
||||
|
||||
|
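Review bot: In the pam_dispatch.c hunk at `@@ -262,6 +268,9 @@`, `h->grantor = 1` is set only while `impression == _PAM_UNDEF`, so in a stack where several `required` modules all return PAM_SUCCESS only the first one is recorded and the `grantors=` audit field names a single module; confirm this is the intended meaning, since the earlier `@@ -217,8 +217,14 @@` hunk that presumably handles the `sufficient` path is not shown on this page. If every successful module in the chain should be listed, the condition at that spot reduces to `if ( retval == PAM_SUCCESS ) { h->grantor = 1; }`. Separately, the new `_pam_list_grantors()` in pam_audit.c has no header comment stating its contract; I would add one saying that it returns 0 with `*list == NULL` when retval is not PAM_SUCCESS or no handler is flagged (the caller then logs "?"), 0 with a malloc'ed comma-separated list the caller must free otherwise, and -1 on allocation failure.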
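--- a/pam-1.1.8-full-relro.patch
+++ b/pam-1.1.8-full-relro.patch
@@ -0,0 +1,108 @@
+diff -up Linux-PAM-1.1.8/modules/pam_console/Makefile.am.relro Linux-PAM-1.1.8/modules/pam_console/Makefile.am
+--- Linux-PAM-1.1.8/modules/pam_console/Makefile.am.relro 2014-08-13 16:02:49.000000000 +0200
++++ Linux-PAM-1.1.8/modules/pam_console/Makefile.am 2014-09-10 17:14:33.245554314 +0200
+@@ -33,6 +33,8 @@ pam_console_la_LIBADD = -L$(top_builddir
+
+pam_console_apply_LDADD = -L$(top_builddir)/libpam -lpam
+
++pam_console_apply_LDFLAGS = -Wl,-z,now @PIE_LDFLAGS@
++
+securelib_LTLIBRARIES = pam_console.la
+sbin_PROGRAMS = pam_console_apply
+
+@@ -47,7 +49,7 @@ pam_console_apply_SOURCES = pam_console_
+configfile.c configfile.h hashtable.c hashtable.h hashtable_private.h
+
+pam_console_la_CFLAGS = $(AM_CFLAGS)
+-pam_console_apply_CFLAGS = $(AM_CFLAGS)
++pam_console_apply_CFLAGS = $(AM_CFLAGS) @PIE_CFLAGS@
+
+configfile.tab.c: configfile.y
+$(YACC) $(BISON_OPTS) -o $@ -p _pc_yy $<
+diff -up Linux-PAM-1.1.8/modules/pam_faillock/Makefile.am.relro Linux-PAM-1.1.8/modules/pam_faillock/Makefile.am
+--- Linux-PAM-1.1.8/modules/pam_faillock/Makefile.am.relro 2014-08-13 16:02:49.000000000 +0200
++++ Linux-PAM-1.1.8/modules/pam_faillock/Makefile.am 2014-09-10 17:16:11.102808189 +0200
+@@ -19,7 +19,7 @@ secureconfdir = $(SCONFIGDIR)
+
+noinst_HEADERS = faillock.h
+
+-faillock_CFLAGS = -I$(top_srcdir)/libpam/include -I$(top_srcdir)/libpamc/include
++faillock_CFLAGS = -I$(top_srcdir)/libpam/include -I$(top_srcdir)/libpamc/include @PIE_CFLAGS@
+pam_faillock_la_CFLAGS = -I$(top_srcdir)/libpam/include -I$(top_srcdir)/libpamc/include
+
+pam_faillock_la_LDFLAGS = -no-undefined -avoid-version -module
+@@ -28,6 +28,7 @@ if HAVE_VERSIONING
+pam_faillock_la_LDFLAGS += -Wl,--version-script=$(srcdir)/../modules.map
+endif
+
++faillock_LDFLAGS = -Wl,-z,now @PIE_LDFLAGS@
+faillock_LDADD = -L$(top_builddir)/libpam -lpam $(LIBAUDIT)
+
+securelib_LTLIBRARIES = pam_faillock.la
+diff -up Linux-PAM-1.1.8/modules/pam_filter/upperLOWER/Makefile.am.relro Linux-PAM-1.1.8/modules/pam_filter/upperLOWER/Makefile.am
+--- Linux-PAM-1.1.8/modules/pam_filter/upperLOWER/Makefile.am.relro 2014-09-10 17:17:20.273401344 +0200
++++ Linux-PAM-1.1.8/modules/pam_filter/upperLOWER/Makefile.am 2014-09-10 17:17:07.857115369 +0200
+@@ -9,7 +9,7 @@ securelibfilterdir = $(SECUREDIR)/pam_fi
+
+AM_CFLAGS = -I$(top_srcdir)/libpam/include -I$(top_srcdir)/libpamc/include \
+-I$(srcdir)/.. @PIE_CFLAGS@
+-AM_LDFLAGS = @PIE_LDFLAGS@
++AM_LDFLAGS = -Wl,-z,now @PIE_LDFLAGS@
+LDADD = $(top_builddir)/libpam/libpam.la
+
+securelibfilter_PROGRAMS = upperLOWER
+diff -up Linux-PAM-1.1.8/modules/pam_mkhomedir/Makefile.am.relro Linux-PAM-1.1.8/modules/pam_mkhomedir/Makefile.am
+--- Linux-PAM-1.1.8/modules/pam_mkhomedir/Makefile.am.relro 2013-06-18 16:11:21.000000000 +0200
++++ Linux-PAM-1.1.8/modules/pam_mkhomedir/Makefile.am 2014-09-10 17:18:42.922304935 +0200
+@@ -30,6 +30,8 @@ endif
+
+sbin_PROGRAMS = mkhomedir_helper
+mkhomedir_helper_SOURCES = mkhomedir_helper.c
++mkhomedir_helper_CFLAGS = $(AM_CFLAGS) @PIE_CFLAGS@
++mkhomedir_helper_LDFLAGS = -Wl,-z,now @PIE_LDFLAGS@
+mkhomedir_helper_LDADD = $(top_builddir)/libpam/libpam.la
+
+if ENABLE_REGENERATE_MAN
+diff -up Linux-PAM-1.1.8/modules/pam_tally2/Makefile.am.relro Linux-PAM-1.1.8/modules/pam_tally2/Makefile.am
+--- Linux-PAM-1.1.8/modules/pam_tally2/Makefile.am.relro 2013-06-18 16:11:21.000000000 +0200
++++ Linux-PAM-1.1.8/modules/pam_tally2/Makefile.am 2014-09-10 17:22:04.339944040 +0200
+@@ -26,6 +26,8 @@ if HAVE_VERSIONING
+pam_tally2_la_LDFLAGS += -Wl,--version-script=$(srcdir)/../modules.map
+endif
+
++pam_tally2_CFLAGS = $(AM_CFLAGS) @PIE_CFLAGS@
++pam_tally2_LDFLAGS = -Wl,-z,now @PIE_LDFLAGS@
+pam_tally2_LDADD = $(top_builddir)/libpam/libpam.la $(LIBAUDIT)
+
+securelib_LTLIBRARIES = pam_tally2.la
+diff -up Linux-PAM-1.1.8/modules/pam_timestamp/Makefile.am.relro Linux-PAM-1.1.8/modules/pam_timestamp/Makefile.am
+--- Linux-PAM-1.1.8/modules/pam_timestamp/Makefile.am.relro 2013-06-18 16:11:21.000000000 +0200
++++ Linux-PAM-1.1.8/modules/pam_timestamp/Makefile.am 2014-08-13 16:02:49.906688139 +0200
+@@ -36,7 +36,7 @@ pam_timestamp_la_CFLAGS = $(AM_CFLAGS)
+pam_timestamp_check_SOURCES = pam_timestamp_check.c
+pam_timestamp_check_CFLAGS = $(AM_CFLAGS) @PIE_CFLAGS@
+pam_timestamp_check_LDADD = $(top_builddir)/libpam/libpam.la
+-pam_timestamp_check_LDFLAGS = @PIE_LDFLAGS@
++pam_timestamp_check_LDFLAGS = -Wl,-z,now @PIE_LDFLAGS@
+
+hmacfile_SOURCES = hmacfile.c hmacsha1.c sha1.c
+hmacfile_LDADD = $(top_builddir)/libpam/libpam.la
+diff -up Linux-PAM-1.1.8/modules/pam_unix/Makefile.am.relro Linux-PAM-1.1.8/modules/pam_unix/Makefile.am
+--- Linux-PAM-1.1.8/modules/pam_unix/Makefile.am.relro 2013-06-18 16:11:21.000000000 +0200
++++ Linux-PAM-1.1.8/modules/pam_unix/Makefile.am 2014-08-13 16:02:49.906688139 +0200
+@@ -55,13 +55,13 @@ bigcrypt_LDADD = @LIBCRYPT@
+unix_chkpwd_SOURCES = unix_chkpwd.c md5_good.c md5_broken.c bigcrypt.c \
+passverify.c
+unix_chkpwd_CFLAGS = $(AM_CFLAGS) @PIE_CFLAGS@ -DHELPER_COMPILE=\"unix_chkpwd\"
+-unix_chkpwd_LDFLAGS = @PIE_LDFLAGS@
++unix_chkpwd_LDFLAGS = -Wl,-z,now @PIE_LDFLAGS@
+unix_chkpwd_LDADD = @LIBCRYPT@ @LIBSELINUX@ @LIBAUDIT@
+
+unix_update_SOURCES = unix_update.c md5_good.c md5_broken.c bigcrypt.c \
+passverify.c
+unix_update_CFLAGS = $(AM_CFLAGS) @PIE_CFLAGS@ -DHELPER_COMPILE=\"unix_update\"
+-unix_update_LDFLAGS = @PIE_LDFLAGS@
++unix_update_LDFLAGS = -Wl,-z,now @PIE_LDFLAGS@
+unix_update_LDADD = @LIBCRYPT@ @LIBSELINUX@
+
+if ENABLE_REGENERATE_MAN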
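Review bot: The `-Wl,-z,now` and `@PIE_LDFLAGS@` additions cover only the helper programs; the module shared objects built from the same Makefile.am files (`pam_console.la`, `pam_faillock.la`, `pam_tally2.la`, and the others) keep their existing `*_la_LDFLAGS` without `-z now`, so full RELRO is not applied to the modules themselves unless the build environment injects it through global LDFLAGS, which nothing on this page shows. If that is intended, a one-line comment at the top of the patch saying the modules are covered elsewhere would spare the next reviewer the check; otherwise the same `-Wl,-z,now` belongs on each `*_la_LDFLAGS` too. In the pam_timestamp hunk, `hmacfile` (`hmacfile_SOURCES`, `hmacfile_LDADD`) receives neither PIE nor RELRO flags, which is fine if it is a test-only program but is the one program visible in that hunk left out.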
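--- a/pam-1.1.8-lastlog-uninitialized.patch
+++ b/pam-1.1.8-lastlog-uninitialized.patch
@@ -0,0 +1,37 @@
+diff -up Linux-PAM-1.1.8/modules/pam_lastlog/pam_lastlog.c.uninitialized Linux-PAM-1.1.8/modules/pam_lastlog/pam_lastlog.c
+--- Linux-PAM-1.1.8/modules/pam_lastlog/pam_lastlog.c.uninitialized 2013-06-18 16:11:21.000000000 +0200
++++ Linux-PAM-1.1.8/modules/pam_lastlog/pam_lastlog.c 2014-08-25 16:44:24.365174752 +0200
+@@ -350,6 +350,8 @@ last_login_write(pam_handle_t *pamh, int
+return PAM_SERVICE_ERR;
+}
+
++ memset(&last_login, 0, sizeof(last_login));
++
+/* set this login date */
+D(("set the most recent login time"));
+(void) time(&ll_time); /* set the time */
+@@ -364,14 +366,12 @@ last_login_write(pam_handle_t *pamh, int
+}
+
+/* copy to last_login */
+- last_login.ll_host[0] = '\0';
+strncat(last_login.ll_host, remote_host, sizeof(last_login.ll_host)-1);
+
+/* set the terminal line */
+terminal_line = get_tty(pamh);
+
+/* copy to last_login */
+- last_login.ll_line[0] = '\0';
+strncat(last_login.ll_line, terminal_line, sizeof(last_login.ll_line)-1);
+terminal_line = NULL;
+
+@@ -628,7 +628,8 @@ pam_sm_authenticate(pam_handle_t *pamh,
+lltime = (time(NULL) - lltime) / (24*60*60);
+
+if (lltime > inactive_days) {
+- pam_syslog(pamh, LOG_INFO, "user %s inactive for %d days - denied", user, lltime);
++ pam_syslog(pamh, LOG_INFO, "user %s inactive for %ld days - denied",
++ user, (long) lltime);
+return PAM_AUTH_ERR;
+}
+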
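--- a/pam-1.1.8-limits-check-process.patch
+++ b/pam-1.1.8-limits-check-process.patch
@@ -0,0 +1,41 @@
+diff -up Linux-PAM-1.1.8/modules/pam_limits/pam_limits.c.check-process Linux-PAM-1.1.8/modules/pam_limits/pam_limits.c
+--- Linux-PAM-1.1.8/modules/pam_limits/pam_limits.c.check-process 2013-06-18 16:11:21.000000000 +0200
++++ Linux-PAM-1.1.8/modules/pam_limits/pam_limits.c 2014-09-10 16:39:36.263256066 +0200
+@@ -27,6 +27,7 @@
+#include <errno.h>
+#include <syslog.h>
+#include <stdarg.h>
++#include <signal.h>
+#include <sys/types.h>
+#include <sys/stat.h>
+#include <sys/resource.h>
+@@ -269,16 +270,27 @@ check_logins (pam_handle_t *pamh, const
+continue;
+}
+if (!pl->flag_numsyslogins) {
++ char user[sizeof(ut->UT_USER) + 1];
++ user[0] = '\0';
++ strncat(user, ut->UT_USER, sizeof(ut->UT_USER));
++
+if (((pl->login_limit_def == LIMITS_DEF_USER)
+|| (pl->login_limit_def == LIMITS_DEF_GROUP)
+|| (pl->login_limit_def == LIMITS_DEF_DEFAULT))
+- && strncmp(name, ut->UT_USER, sizeof(ut->UT_USER)) != 0) {
++ && strcmp(name, user) != 0) {
+continue;
+}
+if ((pl->login_limit_def == LIMITS_DEF_ALLGROUP)
+- && !pam_modutil_user_in_group_nam_nam(pamh, ut->UT_USER, pl->login_group)) {
++ && !pam_modutil_user_in_group_nam_nam(pamh, user, pl->login_group)) {
+continue;
+}
++ if (kill(ut->ut_pid, 0) == -1 && errno == ESRCH) {
++ /* process does not exist anymore */
++ pam_syslog(pamh, LOG_WARNING,
++ "Stale utmp entry (pid %d) for '%s' ignored",
++ ut->ut_pid, user);
++ continue;
++ }
+}
+if (++count > limit) {
+break;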
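Review bot: `kill(ut->ut_pid, 0)` in the new liveness check is only meaningful for a positive pid: an entry whose `ut_pid` is 0 or negative makes kill() probe the caller's own process group or every process instead, so such a malformed entry is always counted as a live login; guard it as `if (ut->ut_pid <= 0 || (kill(ut->ut_pid, 0) == -1 && errno == ESRCH)) {` and let the warning cover both cases. The check also only catches a pid that no longer exists; a stale entry whose pid has since been reused by an unrelated process still counts toward the limit, which deserves a short comment next to it, e.g. `/* best effort: a reused pid still passes this check */`. A kill() failure with EPERM correctly counts as live here, which matters if the module runs without root privileges. The enclosing check_logins() loop starts and ends outside the hunk.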
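--- a/pam-1.1.8-limits-docfix.patch
+++ b/pam-1.1.8-limits-docfix.patch
@@ -0,0 +1,54 @@
+diff -up Linux-PAM-1.1.8/modules/pam_limits/limits.conf.docfix Linux-PAM-1.1.8/modules/pam_limits/limits.conf
+--- Linux-PAM-1.1.8/modules/pam_limits/limits.conf.docfix 2014-07-14 14:58:05.000000000 +0200
++++ Linux-PAM-1.1.8/modules/pam_limits/limits.conf 2014-09-10 16:42:51.254747161 +0200
+@@ -32,7 +32,7 @@
+# - data - max data size (KB)
+# - fsize - maximum filesize (KB)
+# - memlock - max locked-in-memory address space (KB)
+-# - nofile - max number of open files
++# - nofile - max number of open file descriptors
+# - rss - max resident set size (KB)
+# - stack - max stack size (KB)
+# - cpu - max CPU time (MIN)
+diff -up Linux-PAM-1.1.8/modules/pam_limits/limits.conf.5.xml.docfix Linux-PAM-1.1.8/modules/pam_limits/limits.conf.5.xml
+--- Linux-PAM-1.1.8/modules/pam_limits/limits.conf.5.xml.docfix 2013-06-18 16:11:21.000000000 +0200
++++ Linux-PAM-1.1.8/modules/pam_limits/limits.conf.5.xml 2014-09-10 16:44:01.624367933 +0200
+@@ -178,7 +178,7 @@
+<varlistentry>
+<term><option>nofile</option></term>
+<listitem>
+- <para>maximum number of open files</para>
++ <para>maximum number of open file descriptors</para>
+</listitem>
+</varlistentry>
+<varlistentry>
+@@ -214,14 +214,17 @@
+<varlistentry>
+<term><option>maxlogins</option></term>
+<listitem>
+- <para>maximum number of logins for this user except
+- for this with <emphasis>uid=0</emphasis></para>
++ <para>maximum number of logins for this user (this limit does
++ not apply to user with <emphasis>uid=0</emphasis>)</para>
+</listitem>
+</varlistentry>
+<varlistentry>
+<term><option>maxsyslogins</option></term>
+<listitem>
+- <para>maximum number of all logins on system</para>
++ <para>maximum number of all logins on system; user is not
++ allowed to log-in if total number of all users' logins is
++ greater than specified number (this limit does not apply to
++ user with <emphasis>uid=0</emphasis>)</para>
+</listitem>
+</varlistentry>
+<varlistentry>
+@@ -292,7 +295,7 @@
+permanent; existing only for the duration of the session.
+One exception is the <emphasis>maxlogin</emphasis> option, this one
+is system wide. But there is a race, concurrent logins at the same
+- time will not always be detect as such but only counted as one.
++ time will not always be detected as such but only counted as one.
+</para>
+<para>
+In the <emphasis>limits</emphasis> configuration file, the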
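--- a/pam-1.1.8-man-dbsuffix.patch
+++ b/pam-1.1.8-man-dbsuffix.patch
@@ -0,0 +1,22 @@
+diff -up Linux-PAM-1.1.8/modules/pam_userdb/pam_userdb.8.xml.dbsuffix Linux-PAM-1.1.8/modules/pam_userdb/pam_userdb.8.xml
+--- Linux-PAM-1.1.8/modules/pam_userdb/pam_userdb.8.xml.dbsuffix 2013-06-18 16:11:21.000000000 +0200
++++ Linux-PAM-1.1.8/modules/pam_userdb/pam_userdb.8.xml 2014-09-10 16:28:19.916678273 +0200
+@@ -89,7 +89,8 @@
+Use the <filename>/path/database</filename> database for
+performing lookup. There is no default; the module will
+return <emphasis remap='B'>PAM_IGNORE</emphasis> if no
+- database is provided.
++ database is provided. Note that the path to the database file
++ should be specified without the <filename>.db</filename> suffix.
+</para>
+</listitem>
+</varlistentry>
+@@ -260,7 +261,7 @@
+<refsect1 id='pam_userdb-examples'>
+<title>EXAMPLES</title>
+<programlisting>
+-auth sufficient pam_userdb.so icase db=/etc/dbtest.db
++auth sufficient pam_userdb.so icase db=/etc/dbtest
+</programlisting>
+</refsect1>
+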
@ -9,7 +9,7 @@ index 4bb4d6d..9157b91 100644
|
||||
#
|
||||
|
||||
CLEANFILES = *~
|
||||
@@ -9,25 +10,33 @@ EXTRA_DIST = README $(MANS) $(XMLS) tst-pam_pwhistory
|
||||
@@ -9,25 +10,34 @@ EXTRA_DIST = README $(MANS) $(XMLS) tst-pam_pwhistory
|
||||
|
||||
TESTS = tst-pam_pwhistory
|
||||
|
||||
@ -42,8 +42,9 @@ index 4bb4d6d..9157b91 100644
|
||||
pam_pwhistory_la_SOURCES = pam_pwhistory.c opasswd.c
|
||||
|
||||
+sbin_PROGRAMS = pwhistory_helper
|
||||
+pwhistory_helper_CFLAGS = $(AM_CFLAGS) -DHELPER_COMPILE=\"pwhistory_helper\"
|
||||
+pwhistory_helper_CFLAGS = $(AM_CFLAGS) -DHELPER_COMPILE=\"pwhistory_helper\" @PIE_CFLAGS@
|
||||
+pwhistory_helper_SOURCES = pwhistory_helper.c opasswd.c
|
||||
+pwhistory_helper_LDFLAGS = -Wl,-z,now @PIE_LDFLAGS@
|
||||
+pwhistory_helper_LDADD = $(top_builddir)/libpam/libpam.la @LIBCRYPT@
|
||||
+
|
||||
if ENABLE_REGENERATE_MAN
|
||||
|
24
pam.spec
24
pam.spec
@ -3,7 +3,7 @@
|
||||
Summary: An extensible library which provides authentication for applications
|
||||
Name: pam
|
||||
Version: 1.1.8
|
||||
Release: 16%{?dist}
|
||||
Release: 17%{?dist}
|
||||
# The library is BSD licensed with option to relicense as GPLv2+
|
||||
# - this option is redundant as the BSD license allows that anyway.
|
||||
# pam_timestamp, pam_loginuid, and pam_console modules are GPLv2+.
|
||||
@ -36,9 +36,11 @@ Patch8: pam-1.1.1-faillock.patch
|
||||
Patch9: pam-1.1.6-noflex.patch
|
||||
Patch10: pam-1.1.3-nouserenv.patch
|
||||
Patch13: pam-1.1.6-limits-user.patch
|
||||
Patch15: pam-1.1.6-full-relro.patch
|
||||
Patch15: pam-1.1.8-full-relro.patch
|
||||
# FIPS related - non upstreamable
|
||||
Patch20: pam-1.1.5-unix-no-fallback.patch
|
||||
Patch27: pam-1.1.8-lastlog-uninitialized.patch
|
||||
Patch28: pam-1.1.1-console-errmsg.patch
|
||||
# Upstreamed partially
|
||||
Patch29: pam-1.1.8-pwhistory-helper.patch
|
||||
Patch31: pam-1.1.6-use-links.patch
|
||||
@ -50,6 +52,9 @@ Patch36: pam-1.1.8-cve-2014-2583.patch
|
||||
Patch37: pam-1.1.8-loginuid-container.patch
|
||||
Patch38: pam-1.1.8-opasswd-tolerant.patch
|
||||
Patch39: pam-1.1.8-audit-grantor.patch
|
||||
Patch40: pam-1.1.8-man-dbsuffix.patch
|
||||
Patch41: pam-1.1.8-limits-check-process.patch
|
||||
Patch42: pam-1.1.8-limits-docfix.patch
|
||||
|
||||
%define _pamlibdir %{_libdir}
|
||||
%define _moduledir %{_libdir}/security
|
||||
@ -124,6 +129,8 @@ cp %{SOURCE18} .
|
||||
%patch13 -p1 -b .limits
|
||||
%patch15 -p1 -b .relro
|
||||
%patch20 -p1 -b .no-fallback
|
||||
%patch27 -p1 -b .uninitialized
|
||||
%patch28 -p1 -b .errmsg
|
||||
%patch29 -p1 -b .pwhhelper
|
||||
%patch31 -p1 -b .links
|
||||
%patch32 -p1 -b .tty-audit-init
|
||||
@ -134,6 +141,9 @@ cp %{SOURCE18} .
|
||||
%patch37 -p1 -b .container
|
||||
%patch38 -p1 -b .opasswd-tolerant
|
||||
%patch39 -p1 -b .grantor
|
||||
%patch40 -p1 -b .dbsuffix
|
||||
%patch41 -p1 -b .check-process
|
||||
%patch42 -p1 -b .docfix
|
||||
|
||||
%build
|
||||
autoreconf -i
|
||||
@ -255,7 +265,7 @@ done
|
||||
%post
|
||||
/sbin/ldconfig
|
||||
if [ ! -e /var/log/tallylog ] ; then
|
||||
install -m 600 /dev/null /var/log/tallylog
|
||||
/usr/bin/install -m 600 /dev/null /var/log/tallylog
|
||||
fi
|
||||
|
||||
%postun -p /sbin/ldconfig
|
||||
@ -384,6 +394,14 @@ fi
|
||||
%doc doc/adg/*.txt doc/adg/html
|
||||
|
||||
%changelog
|
||||
* Thu Sep 11 2014 Tomáš Mráz <tmraz@redhat.com> 1.1.8-17
|
||||
- update the audit-grantor patch with the upstream changes
|
||||
- pam_userdb: correct the example in man page (#1078784)
|
||||
- pam_limits: check whether the utmp login entry is valid (#1080023)
|
||||
- pam_console_apply: do not print error if console.perms.d is empty
|
||||
- pam_limits: nofile refers to open file descriptors (#1111220)
|
||||
- apply PIE and full RELRO to all binaries built
|
||||
|
||||
* Sun Aug 17 2014 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 1.1.8-16
|
||||
- Rebuilt for https://fedoraproject.org/wiki/Fedora_21_22_Mass_Rebuild
|
||||
|
||||
|