rpms/pam
7
0
Fork 0
Code Issues Pull Requests Releases Activity

- pam_xauth: set the approprate context when creating .xauth files

Browse Source 
(#531530)
This commit is contained in:
Tomáš Mráz 2009-10-29 15:54:52 +00:00
parent 85de84fad6
commit 76f4b127d2
2 changed files with 98 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

92
pam-1.1.0-xauth-context.patch Normal file
View File

@ -0,0 +1,92 @@
diff -up Linux-PAM-1.1.0/modules/pam_xauth/Makefile.am.xauth-context Linux-PAM-1.1.0/modules/pam_xauth/Makefile.am
--- Linux-PAM-1.1.0/modules/pam_xauth/Makefile.am.xauth-context 2006-06-09 18:44:08.000000000 +0200
+++ Linux-PAM-1.1.0/modules/pam_xauth/Makefile.am 2009-10-29 14:34:18.000000000 +0100
@@ -16,7 +16,7 @@ secureconfdir = $(SCONFIGDIR)
AM_CFLAGS = -I$(top_srcdir)/libpam/include -I$(top_srcdir)/libpamc/include
AM_LDFLAGS = -no-undefined -avoid-version -module \
- -L$(top_builddir)/libpam -lpam
+ -L$(top_builddir)/libpam -lpam @LIBSELINUX@
if HAVE_VERSIONING
AM_LDFLAGS += -Wl,--version-script=$(srcdir)/../modules.map
endif
diff -up Linux-PAM-1.1.0/modules/pam_xauth/pam_xauth.c.xauth-context Linux-PAM-1.1.0/modules/pam_xauth/pam_xauth.c
--- Linux-PAM-1.1.0/modules/pam_xauth/pam_xauth.c.xauth-context 2009-04-09 10:07:29.000000000 +0200
+++ Linux-PAM-1.1.0/modules/pam_xauth/pam_xauth.c 2009-10-29 16:13:21.000000000 +0100
@@ -57,6 +57,12 @@
#include <security/pam_modutil.h>
#include <security/pam_ext.h>
+#ifdef WITH_SELINUX
+#include <selinux/selinux.h>
+#include <selinux/label.h>
+#include <sys/stat.h>
+#endif
+
#define DATANAME "pam_xauth_cookie_file"
#define XAUTHENV "XAUTHORITY"
#define HOMEENV "HOME"
@@ -461,6 +467,10 @@ pam_sm_open_session (pam_handle_t *pamh,
getuid(), getgid(),
xauth, "-f", cookiefile, "nlist", display,
NULL) == 0) {
+ int save_errno;
+#ifdef WITH_SELINUX
+ security_context_t context = NULL;
+#endif
/* Check that we got a cookie. If not, we get creative. */
if (((cookie == NULL) || (strlen(cookie) == 0)) &&
((strncmp(display, "localhost:", 10) == 0) ||
@@ -545,12 +555,41 @@ pam_sm_open_session (pam_handle_t *pamh,
/* Generate a new file to hold the data. */
euid = geteuid();
setfsuid(tpwd->pw_uid);
- fd = mkstemp(xauthority + strlen(XAUTHENV) + 1);
+
+#ifdef WITH_SELINUX
+ if (is_selinux_enabled() > 0) {
+ struct selabel_handle *ctx = selabel_open(SELABEL_CTX_FILE, NULL, 0);
+ if (ctx != NULL) {
+ if (selabel_lookup(ctx, &context,
+ xauthority + sizeof(XAUTHENV), S_IFREG) != 0) {
+ pam_syslog(pamh, LOG_WARNING,
+ "could not get SELinux label for '%s'",
+ xauthority + sizeof(XAUTHENV));
+ }
+ selabel_close(ctx);
+ if (setfscreatecon(context)) {
+ pam_syslog(pamh, LOG_WARNING,
+ "setfscreatecon(%s) failed: %m", context);
+ }
+ }
+ }
+ fd = mkstemp(xauthority + sizeof(XAUTHENV));
+ save_errno = errno;
+ if (context != NULL) {
+ free(context);
+ setfscreatecon(NULL);
+ }
+#else
+ fd = mkstemp(xauthority + sizeof(XAUTHENV));
+ save_errno = errno;
+#endif
+
setfsuid(euid);
if (fd == -1) {
+ errno = save_errno;
pam_syslog(pamh, LOG_ERR,
"error creating temporary file `%s': %m",
- xauthority + strlen(XAUTHENV) + 1);
+ xauthority + sizeof(XAUTHENV));
retval = PAM_SESSION_ERR;
goto cleanup;
}
@@ -563,7 +602,7 @@ pam_sm_open_session (pam_handle_t *pamh,
/* Get a copy of the filename to save as a data item for
* removal at session-close time. */
free(cookiefile);
- cookiefile = strdup(xauthority + strlen(XAUTHENV) + 1);
+ cookiefile = strdup(xauthority + sizeof(XAUTHENV));
/* Save the filename. */
if (pam_set_data(pamh, DATANAME, cookiefile, cleanup) != PAM_SUCCESS) {

7
pam.spec
View File

@ -3,7 +3,7 @@
Summary: An extensible library which provides authentication for applications Summary: An extensible library which provides authentication for applications
Name: pam Name: pam
Version: 1.1.0 Version: 1.1.0
Release: 5%{?dist} Release: 6%{?dist}
# The library is BSD licensed with option to relicense as GPLv2+ - this option is redundant # The library is BSD licensed with option to relicense as GPLv2+ - this option is redundant
# as the BSD license allows that anyway. pam_timestamp and pam_console modules are GPLv2+, # as the BSD license allows that anyway. pam_timestamp and pam_console modules are GPLv2+,
License: BSD and GPLv2+ License: BSD and GPLv2+
@ -26,6 +26,7 @@ Patch2: pam-1.0.91-std-noclose.patch
Patch3: pam-1.1.0-cracklib-authtok.patch Patch3: pam-1.1.0-cracklib-authtok.patch
Patch4: pam-1.1.0-console-nochmod.patch Patch4: pam-1.1.0-console-nochmod.patch
Patch5: pam-1.1.0-notally.patch Patch5: pam-1.1.0-notally.patch
Patch6: pam-1.1.0-xauth-context.patch
%define _sbindir /sbin %define _sbindir /sbin
%define _moduledir /%{_lib}/security %define _moduledir /%{_lib}/security
@ -91,6 +92,7 @@ mv pam-redhat-%{pam_redhat_version}/* modules
%patch3 -p1 -b .authtok %patch3 -p1 -b .authtok
%patch4 -p1 -b .nochmod %patch4 -p1 -b .nochmod
%patch5 -p1 -b .notally %patch5 -p1 -b .notally
%patch6 -p1 -b .xauth-context
libtoolize -f libtoolize -f
autoreconf autoreconf
@ -323,6 +325,9 @@ fi
%doc doc/adg/*.txt doc/adg/html %doc doc/adg/*.txt doc/adg/html
%changelog %changelog
* Thu Oct 29 2009 Tomas Mraz <tmraz@redhat.com> 1.1.0-6
- pam_xauth: set the approprate context when creating .xauth files (#531530)
* Tue Sep 1 2009 Tomas Mraz <tmraz@redhat.com> 1.1.0-5 * Tue Sep 1 2009 Tomas Mraz <tmraz@redhat.com> 1.1.0-5
- do not change permissions with pam_console_apply - do not change permissions with pam_console_apply
- drop obsolete pam_tally module and the faillog file (#461258) - drop obsolete pam_tally module and the faillog file (#461258)