- pam_xauth: set the approprate context when creating .xauth files
(#531530)
This commit is contained in:
Tomáš Mráz
parent
85de84fad6
commit
76f4b127d2
92
pam-1.1.0-xauth-context.patch
Normal file
92
pam-1.1.0-xauth-context.patch
Normal file
@ -0,0 +1,92 @@
|
||||
diff -up Linux-PAM-1.1.0/modules/pam_xauth/Makefile.am.xauth-context Linux-PAM-1.1.0/modules/pam_xauth/Makefile.am
|
||||
--- Linux-PAM-1.1.0/modules/pam_xauth/Makefile.am.xauth-context 2006-06-09 18:44:08.000000000 +0200
|
||||
+++ Linux-PAM-1.1.0/modules/pam_xauth/Makefile.am 2009-10-29 14:34:18.000000000 +0100
|
||||
@@ -16,7 +16,7 @@ secureconfdir = $(SCONFIGDIR)
|
||||
|
||||
AM_CFLAGS = -I$(top_srcdir)/libpam/include -I$(top_srcdir)/libpamc/include
|
||||
AM_LDFLAGS = -no-undefined -avoid-version -module \
|
||||
- -L$(top_builddir)/libpam -lpam
|
||||
+ -L$(top_builddir)/libpam -lpam @LIBSELINUX@
|
||||
if HAVE_VERSIONING
|
||||
AM_LDFLAGS += -Wl,--version-script=$(srcdir)/../modules.map
|
||||
endif
|
||||
diff -up Linux-PAM-1.1.0/modules/pam_xauth/pam_xauth.c.xauth-context Linux-PAM-1.1.0/modules/pam_xauth/pam_xauth.c
|
||||
--- Linux-PAM-1.1.0/modules/pam_xauth/pam_xauth.c.xauth-context 2009-04-09 10:07:29.000000000 +0200
|
||||
+++ Linux-PAM-1.1.0/modules/pam_xauth/pam_xauth.c 2009-10-29 16:13:21.000000000 +0100
|
||||
@@ -57,6 +57,12 @@
|
||||
#include <security/pam_modutil.h>
|
||||
#include <security/pam_ext.h>
|
||||
|
||||
+#ifdef WITH_SELINUX
|
||||
+#include <selinux/selinux.h>
|
||||
+#include <selinux/label.h>
|
||||
+#include <sys/stat.h>
|
||||
+#endif
|
||||
+
|
||||
#define DATANAME "pam_xauth_cookie_file"
|
||||
#define XAUTHENV "XAUTHORITY"
|
||||
#define HOMEENV "HOME"
|
||||
@@ -461,6 +467,10 @@ pam_sm_open_session (pam_handle_t *pamh,
|
||||
getuid(), getgid(),
|
||||
xauth, "-f", cookiefile, "nlist", display,
|
||||
NULL) == 0) {
|
||||
+ int save_errno;
|
||||
+#ifdef WITH_SELINUX
|
||||
+ security_context_t context = NULL;
|
||||
+#endif
|
||||
/* Check that we got a cookie. If not, we get creative. */
|
||||
if (((cookie == NULL) || (strlen(cookie) == 0)) &&
|
||||
((strncmp(display, "localhost:", 10) == 0) ||
|
||||
@@ -545,12 +555,41 @@ pam_sm_open_session (pam_handle_t *pamh,
|
||||
/* Generate a new file to hold the data. */
|
||||
euid = geteuid();
|
||||
setfsuid(tpwd->pw_uid);
|
||||
- fd = mkstemp(xauthority + strlen(XAUTHENV) + 1);
|
||||
+
|
||||
+#ifdef WITH_SELINUX
|
||||
+ if (is_selinux_enabled() > 0) {
|
||||
+ struct selabel_handle *ctx = selabel_open(SELABEL_CTX_FILE, NULL, 0);
|
||||
+ if (ctx != NULL) {
|
||||
+ if (selabel_lookup(ctx, &context,
|
||||
+ xauthority + sizeof(XAUTHENV), S_IFREG) != 0) {
|
||||
+ pam_syslog(pamh, LOG_WARNING,
|
||||
+ "could not get SELinux label for '%s'",
|
||||
+ xauthority + sizeof(XAUTHENV));
|
||||
+ }
|
||||
+ selabel_close(ctx);
|
||||
+ if (setfscreatecon(context)) {
|
||||
+ pam_syslog(pamh, LOG_WARNING,
|
||||
+ "setfscreatecon(%s) failed: %m", context);
|
||||
+ }
|
||||
+ }
|
||||
+ }
|
||||
+ fd = mkstemp(xauthority + sizeof(XAUTHENV));
|
||||
+ save_errno = errno;
|
||||
+ if (context != NULL) {
|
||||
+ free(context);
|
||||
+ setfscreatecon(NULL);
|
||||
+ }
|
||||
+#else
|
||||
+ fd = mkstemp(xauthority + sizeof(XAUTHENV));
|
||||
+ save_errno = errno;
|
||||
+#endif
|
||||
+
|
||||
setfsuid(euid);
|
||||
if (fd == -1) {
|
||||
+ errno = save_errno;
|
||||
pam_syslog(pamh, LOG_ERR,
|
||||
"error creating temporary file `%s': %m",
|
||||
- xauthority + strlen(XAUTHENV) + 1);
|
||||
+ xauthority + sizeof(XAUTHENV));
|
||||
retval = PAM_SESSION_ERR;
|
||||
goto cleanup;
|
||||
}
|
||||
@@ -563,7 +602,7 @@ pam_sm_open_session (pam_handle_t *pamh,
|
||||
/* Get a copy of the filename to save as a data item for
|
||||
* removal at session-close time. */
|
||||
free(cookiefile);
|
||||
- cookiefile = strdup(xauthority + strlen(XAUTHENV) + 1);
|
||||
+ cookiefile = strdup(xauthority + sizeof(XAUTHENV));
|
||||
|
||||
/* Save the filename. */
|
||||
if (pam_set_data(pamh, DATANAME, cookiefile, cleanup) != PAM_SUCCESS) {
|
||||
7
pam.spec
7
pam.spec
@ -3,7 +3,7 @@
|
||||
Summary: An extensible library which provides authentication for applications
|
||||
Name: pam
|
||||
Version: 1.1.0
|
||||
Release: 5%{?dist}
|
||||
Release: 6%{?dist}
|
||||
# The library is BSD licensed with option to relicense as GPLv2+ - this option is redundant
|
||||
# as the BSD license allows that anyway. pam_timestamp and pam_console modules are GPLv2+,
|
||||
License: BSD and GPLv2+
|
||||
@ -26,6 +26,7 @@ Patch2: pam-1.0.91-std-noclose.patch
|
||||
Patch3: pam-1.1.0-cracklib-authtok.patch
|
||||
Patch4: pam-1.1.0-console-nochmod.patch
|
||||
Patch5: pam-1.1.0-notally.patch
|
||||
Patch6: pam-1.1.0-xauth-context.patch
|
||||
|
||||
%define _sbindir /sbin
|
||||
%define _moduledir /%{_lib}/security
|
||||
@ -91,6 +92,7 @@ mv pam-redhat-%{pam_redhat_version}/* modules
|
||||
%patch3 -p1 -b .authtok
|
||||
%patch4 -p1 -b .nochmod
|
||||
%patch5 -p1 -b .notally
|
||||
%patch6 -p1 -b .xauth-context
|
||||
|
||||
libtoolize -f
|
||||
autoreconf
|
||||
@ -323,6 +325,9 @@ fi
|
||||
%doc doc/adg/*.txt doc/adg/html
|
||||
|
||||
%changelog
|
||||
* Thu Oct 29 2009 Tomas Mraz <tmraz@redhat.com> 1.1.0-6
|
||||
- pam_xauth: set the approprate context when creating .xauth files (#531530)
|
||||
|
||||
* Tue Sep 1 2009 Tomas Mraz <tmraz@redhat.com> 1.1.0-5
|
||||
- do not change permissions with pam_console_apply
|
||||
- drop obsolete pam_tally module and the faillog file (#461258)
|
||||
|
||||
Loading…
Reference in New Issue
Block a user