From 82f97fb404f94a3b309736a6c55c40b7f6f38f3c Mon Sep 17 00:00:00 2001
From: Tomas Mraz
Date: Mon, 10 Mar 2014 15:36:16 +0100
Subject: [PATCH] rename the 90-nproc.conf to 20-nproc.conf (#1071618)
- canonicalize user name in pam_selinux (#1071010)
- refresh the pam-redhat tarball
---
90-nproc.conf => 20-nproc.conf | 0
pam-1.1.0-console-fixes.patch | 72 ----------------------
pam-1.1.3-console-abstract.patch | 82 --------------------------
pam-1.1.8-canonicalize-username.patch | 21 +++++++
pam.spec | 20 ++++---
sources | 2 +-
6 files changed, 34 insertions(+), 163 deletions(-)
rename 90-nproc.conf => 20-nproc.conf (100%)
delete mode 100644 pam-1.1.0-console-fixes.patch
delete mode 100644 pam-1.1.3-console-abstract.patch
create mode 100644 pam-1.1.8-canonicalize-username.patch
diff --git a/90-nproc.conf b/20-nproc.conf
similarity index 100%
rename from 90-nproc.conf
rename to 20-nproc.conf
diff --git a/pam-1.1.0-console-fixes.patch b/pam-1.1.0-console-fixes.patch
deleted file mode 100644
index fa5e79c..0000000
--- a/pam-1.1.0-console-fixes.patch
+++ /dev/null
@@ -1,72 +0,0 @@
-diff -up Linux-PAM-1.1.0/modules/pam_console/handlers.c.consolefix Linux-PAM-1.1.0/modules/pam_console/handlers.c
---- Linux-PAM-1.1.0/modules/pam_console/handlers.c.consolefix 2009-11-02 08:45:24.000000000 +0100
-+++ Linux-PAM-1.1.0/modules/pam_console/handlers.c 2009-11-02 08:50:19.000000000 +0100
-@@ -172,13 +172,13 @@ call_exec(struct console_handler *handle - const char *flagptr; - const char **argv; - int i = 0; -- argv = malloc(sizeof(*argv)*nparams+2); -- -+ argv = malloc(sizeof(*argv)*(nparams+2)); -+ - if (argv == NULL) - return; -- -+ - argv[i++] = handler->executable; -- -+ - for (flagptr = handler->flags; *flagptr != '\0'; flagptr += strlen(flagptr)+1) { - switch (testflag(flagptr)) { - case HF_LOGFAIL:
-@@ -231,7 +231,7 @@ execute_handler(pam_handle_t *pamh, stru - } - - sighandler = signal(SIGCHLD, SIG_DFL); -- -+ - child = fork(); - switch (child) { - case -1:
-@@ -246,30 +246,32 @@ execute_handler(pam_handle_t *pamh, stru - if (!wait_exit) { - switch(fork()) { - case 0: -- exit(0); -+ if(setsid() == -1) { -+ _exit(255); -+ } -+ break; - case -1: -- exit(255); -+ _exit(255); - default: -- if(setsid() == -1) { -- exit(255); -- } -+ _exit(0); - } - } - if (set_uid) { - struct passwd *pw; - pw = getpwnam(user); - if (pw == NULL) -- exit(255); -+ _exit(255); - if (setgid(pw->pw_gid) == -1 || -+ setgroups(0, NULL) == -1 || - setuid(pw->pw_uid) == -1) -- exit(255); -+ _exit(255); - } - call_exec(handler, nparams, user, tty); -- exit(255); -+ _exit(255); - default: - break; - } -- -+ - waitpid(child, &rv, 0); - - if (sighandler != SIG_ERR)
diff --git a/pam-1.1.3-console-abstract.patch b/pam-1.1.3-console-abstract.patch
deleted file mode 100644
index 283edc5..0000000
--- a/pam-1.1.3-console-abstract.patch
+++ /dev/null
@@ -1,82 +0,0 @@
-diff -up Linux-PAM-1.1.3/modules/pam_console/pam_console.c.abstract Linux-PAM-1.1.3/modules/pam_console/pam_console.c
---- Linux-PAM-1.1.3/modules/pam_console/pam_console.c.abstract 2008-12-16 13:37:52.000000000 +0100
-+++ Linux-PAM-1.1.3/modules/pam_console/pam_console.c 2010-11-01 17:01:55.000000000 +0100
-@@ -34,6 +34,8 @@ - #include - #include - #include -+#include -+#include - #include - #include - #include
-@@ -136,6 +138,32 @@ check_one_console_name(const char *name, - } - - static int -+try_xsocket(const char *path, size_t len) { -+ int fd; -+ union { -+ struct sockaddr sa; -+ struct sockaddr_un su; -+ } addr; -+ -+ fd = socket(AF_UNIX, SOCK_STREAM, 0); -+ if (fd < 0) -+ return 0; -+ -+ memset(&addr, 0, sizeof(addr)); -+ addr.su.sun_family = AF_UNIX; -+ -+ if (len > sizeof(addr.su.sun_path)) -+ return 0; -+ memcpy(addr.su.sun_path, path, len); -+ if (connect(fd, &addr.sa, sizeof(addr.su) - (sizeof(addr.su.sun_path) - len)) == 0) { -+ close(fd); -+ return 1; -+ } -+ close(fd); -+ return 0; -+} -+ -+static int - check_console_name(pam_handle_t *pamh, const char *consolename, int nonroot_ok, int on_set) { - int found = 0; - int statted = 0;
-@@ -186,22 +214,29 @@ check_console_name(pam_handle_t *pamh, c - if (!statted && (consolename[0] == ':')) { - int l; - char *dot = NULL; -- strcpy(full_path, "/tmp/.X11-unix/X"); -- l = sizeof(full_path) - 1 - strlen(full_path); -+ char *path = full_path + 1; -+ -+ full_path[0] = '\0'; -+ strcpy(path, "/tmp/.X11-unix/X"); -+ l = sizeof(full_path) - 2 - strlen(path); - dot = strchr(consolename + 1, '.'); - if (dot != NULL) { - l = (l < dot - consolename - 1) ?
l : dot - consolename - 1; - } -- strncat(full_path, consolename + 1, l); -+ strncat(path, consolename + 1, l); - full_path[sizeof(full_path) - 1] = '\0'; -- _pam_log(pamh, LOG_DEBUG, TRUE, "checking possible console \"%s\"", -- full_path); -- if (lstat(full_path, &st) != -1) { -+ _pam_log(pamh, LOG_DEBUG, TRUE, "checking possible X socket \"%s\"", -+ path); -+ -+ /* this will work because st.st_uid is 0 */ -+ if (try_xsocket(full_path, strlen(path)+1)) { -+ statted = 1; -+ } else if (try_xsocket(path, strlen(path))) { - statted = 1; - } - else if (!on_set) { /* there is no X11 socket in case of X11 crash */ - _pam_log(pamh, LOG_DEBUG, TRUE, "can't find X11 socket to examine for %s probably due to X crash", consolename); -- statted = 1; /* this will work because st.st_uid is 0 */ -+ statted = 1; - } - }
diff --git a/pam-1.1.8-canonicalize-username.patch b/pam-1.1.8-canonicalize-username.patch
new file mode 100644
index 0000000..a3786be
--- /dev/null
+++ b/pam-1.1.8-canonicalize-username.patch
@@ -0,0 +1,21 @@
+diff -up Linux-PAM-1.1.8/modules/pam_selinux/pam_selinux.c.canonicalize Linux-PAM-1.1.8/modules/pam_selinux/pam_selinux.c
+--- Linux-PAM-1.1.8/modules/pam_selinux/pam_selinux.c.canonicalize 2013-06-18 16:11:21.000000000 +0200
++++ Linux-PAM-1.1.8/modules/pam_selinux/pam_selinux.c 2014-03-06 12:03:54.429639972 +0100
+@@ -491,12 +491,17 @@ compute_exec_context(pam_handle_t *pamh,
+ char *level = NULL;
+ security_context_t *contextlist = NULL;
+ int num_contexts = 0;
++ const struct passwd *pwd;
+
+ if (!(username = get_item(pamh, PAM_USER))) {
+ pam_syslog(pamh, LOG_ERR, "Cannot obtain the user name");
+ return PAM_USER_UNKNOWN;
+ }
+
++ if ((pwd = pam_modutil_getpwnam(pamh, username)) != NULL) {
++ username = pwd->pw_name;
++ } /* ignore error and keep using original username */
++
+ /* compute execute context */
+ #ifdef HAVE_GETSEUSER
+ if (!(service = get_item(pamh, PAM_SERVICE))) {
diff --git a/pam.spec b/pam.spec
index 697049d..7fbcecb 100644
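Review bot: The lookup-failure path at `} /* ignore error and keep using original username */` in pam-1.1.8-canonicalize-username.patch is silent, so an administrator cannot see from the logs that the SELinux context was computed for a name that did not resolve in the passwd database; an explicit `else` with a debug-level `pam_syslog(pamh, LOG_DEBUG, "user %s not found, using the name as given", username);` would make the fallback visible (only if the module's debug flag is reachable here — the signature of compute_exec_context is cut at the hunk edge, so I cannot confirm that). The trailing comment would also read better above the `if`, as `/* canonicalize the user name via passwd; on lookup failure keep the name as given */`, rather than after the closing brace. It is worth stating in that comment that only the local `username` is canonicalized and PAM_USER itself is left unchanged, which looks intentional but is not obvious. compute_exec_context begins and ends outside the hunk.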
--- a/pam.spec
+++ b/pam.spec
@@ -1,9 +1,9 @@
-%define pam_redhat_version 0.99.10-1 +%define pam_redhat_version 0.99.11 Summary: An extensible library which provides authentication for applications Name: pam Version: 1.1.8 -Release: 4%{?dist} +Release: 7%{?dist} # The library is BSD licensed with option to relicense as GPLv2+ # - this option is redundant as the BSD license allows that anyway. # pam_timestamp, pam_loginuid, and pam_console modules are GPLv2+.
@@ -23,7 +23,7 @@ Source10: config-util.pamd Source11: dlopen.sh Source12: system-auth.5 Source13: config-util.5 -Source14: 90-nproc.conf +Source14: 20-nproc.conf Source15: pamtmp.conf Source16: postlogin.pamd Source17: postlogin.5
@@ -31,11 +31,9 @@ Patch1: pam-1.0.90-redhat-modules.patch Patch2: pam-1.1.6-std-noclose.patch Patch4: pam-1.1.0-console-nochmod.patch Patch5: pam-1.1.0-notally.patch -Patch7: pam-1.1.0-console-fixes.patch Patch8: pam-1.1.1-faillock.patch Patch9: pam-1.1.6-noflex.patch Patch10: pam-1.1.3-nouserenv.patch -Patch11: pam-1.1.3-console-abstract.patch Patch12: pam-1.1.3-faillock-screensaver.patch Patch13: pam-1.1.6-limits-user.patch Patch15: pam-1.1.6-full-relro.patch
@@ -46,6 +44,7 @@ Patch29: pam-1.1.6-pwhistory-helper.patch Patch31: pam-1.1.6-use-links.patch Patch32: pam-1.1.7-tty-audit-init.patch Patch33: pam-1.1.8-translation-updates.patch +Patch34: pam-1.1.8-canonicalize-username.patch %define _pamlibdir %{_libdir} %define _moduledir %{_libdir}/security
@@ -58,6 +57,7 @@ Patch33: pam-1.1.8-translation-updates.patch %if %{?WITH_AUDIT:0}%{!?WITH_AUDIT:1} %define WITH_AUDIT 1 %endif +%global _performance_build 1 Requires: cracklib-dicts >= 2.8 Requires: libpwquality >= 0.9.9
@@ -111,11 +111,9 @@ mv pam-redhat-%{pam_redhat_version}/* modules %patch2 -p1 -b .std-noclose %patch4 -p1 -b .nochmod %patch5 -p1 -b .notally -%patch7 -p1 -b .console-fixes %patch8 -p1 -b .faillock %patch9 -p1 -b .noflex %patch10 -p1 -b .nouserenv -%patch11 -p1 -b .abstract %patch12 -p1 -b .screensaver %patch13 -p1 -b .limits %patch15 -p1 -b .relro
@@ -124,6 +122,7 @@ mv pam-redhat-%{pam_redhat_version}/* modules %patch31 -p1 -b .links %patch32 -p1 -b .tty-audit-init %patch33 -p2 -b .translations +%patch34 -p1 -b .canonicalize %build autoreconf -i
@@ -341,7 +340,7 @@ fi %config(noreplace) %{_secconfdir}/group.conf %config(noreplace) %{_secconfdir}/limits.conf %dir %{_secconfdir}/limits.d -%config(noreplace) %{_secconfdir}/limits.d/90-nproc.conf +%config(noreplace) %{_secconfdir}/limits.d/20-nproc.conf %config(noreplace) %{_secconfdir}/namespace.conf %dir %{_secconfdir}/namespace.d %attr(755,root,root) %config(noreplace) %{_secconfdir}/namespace.init
@@ -372,6 +371,11 @@ fi %doc doc/adg/*.txt doc/adg/html %changelog +* Mon Mar 10 2014 Tomáš Mráz 1.1.8-5 +- rename the 90-nproc.conf to 20-nproc.conf (#1071618) +- canonicalize user name in pam_selinux (#1071010) +- refresh the pam-redhat tarball + * Mon Dec 16 2013 Tomáš Mráz 1.1.8-4 - raise the default soft nproc limit to 4096
diff --git a/sources b/sources
index 7a742ae..44739bf 100644
--- a/sources
+++ b/sources
@@ -1,2 +1,2 @@
-c115640346a987356f6b76ec1d425185 pam-redhat-0.99.10-1.tar.bz2
 35b6091af95981b1b2cd60d813b5e4ee Linux-PAM-1.1.8.tar.bz2
+29eab110f57e8d60471081a6278a5a92 pam-redhat-0.99.11.tar.bz2
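Review bot: The new changelog header `* Mon Mar 10 2014 Tomáš Mráz 1.1.8-5` in the `%changelog` hunk does not agree with the `Release: 7%{?dist}` set in the first pam.spec hunk, so rpmlint's incoherent-version-in-changelog check will fire and releases 5 and 6 appear to be missing from the history; either the header should read `1.1.8-7` or Release should be 5. The changelog also says nothing about the added `%global _performance_build 1`, which alters the build configuration and deserves its own line. The dropped `Patch7`/`Patch11` console patches (the former carried the `setgroups(0, NULL)` supplementary-group drop and the `_exit` changes in the child) are presumably folded into the pam-redhat 0.99.11 tarball, but neither the spec nor the changelog says so; a line such as `- drop the console patches merged into pam-redhat 0.99.11` would keep that regression-sensitive change auditable.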