rename the 90-nproc.conf to 20-nproc.conf (#1071618)

- canonicalize user name in pam_selinux (#1071010) - refresh the pam-redhat tarball
2014-03-10 15:36:16 +01:00 · 2014-03-10 15:36:16 +01:00 · 82f97fb404
commit 82f97fb404
parent 919ce1131e
6 changed files with 34 additions and 163 deletions
--- a/20-nproc.conf
+++ b/20-nproc.conf
--- a/pam-1.1.0-console-fixes.patch
+++ b/pam-1.1.0-console-fixes.patch
@ -1,72 +0,0 @@
 diff -up Linux-PAM-1.1.0/modules/pam_console/handlers.c.consolefix Linux-PAM-1.1.0/modules/pam_console/handlers.c
 --- Linux-PAM-1.1.0/modules/pam_console/handlers.c.consolefix	2009-11-02 08:45:24.000000000 +0100
 +++ Linux-PAM-1.1.0/modules/pam_console/handlers.c	2009-11-02 08:50:19.000000000 +0100
@@ -172,13 +172,13 @@ call_exec(struct console_handler *handle
         const char *flagptr;
         const char **argv;
         int i = 0;
 -        argv = malloc(sizeof(*argv)*nparams+2);
 -        
 +        argv = malloc(sizeof(*argv)*(nparams+2));
 +
         if (argv == NULL)
                 return;
 -        
 +
         argv[i++] = handler->executable;
 -        
 +
         for (flagptr = handler->flags; *flagptr != '\0'; flagptr += strlen(flagptr)+1) {
                 switch (testflag(flagptr)) {
                 case HF_LOGFAIL:
@@ -231,7 +231,7 @@ execute_handler(pam_handle_t *pamh, stru
         }
 	sighandler = signal(SIGCHLD, SIG_DFL);
 -        
 +
         child = fork();
         switch (child) {
         case -1:
@@ -246,30 +246,32 @@ execute_handler(pam_handle_t *pamh, stru
                 if (!wait_exit) {
 			switch(fork()) {
 			case 0:
 -				exit(0);
 +				if(setsid() == -1) {
 +					_exit(255);
 +				}
 +				break;
 			case -1:
 -				exit(255);
 +				_exit(255);
 			default:
 -                    		if(setsid() == -1) {
 -                            		exit(255);
 -				}
 +				_exit(0);
 			}
                 }
                 if (set_uid) {
                         struct passwd *pw;
                         pw = getpwnam(user);
                         if (pw == NULL)
 -                                exit(255);
 +                                _exit(255);
                         if (setgid(pw->pw_gid) == -1 ||
 +                            setgroups(0, NULL) == -1 ||
                             setuid(pw->pw_uid) == -1)
 -                                exit(255);
 +                                _exit(255);
                 }
                 call_exec(handler, nparams, user, tty);
 -                exit(255);
 +                _exit(255);
         default:
                 break;
         }
 -        
 +
         waitpid(child, &rv, 0);
 	if (sighandler != SIG_ERR)
--- a/pam-1.1.3-console-abstract.patch
+++ b/pam-1.1.3-console-abstract.patch
@ -1,82 +0,0 @@
 diff -up Linux-PAM-1.1.3/modules/pam_console/pam_console.c.abstract Linux-PAM-1.1.3/modules/pam_console/pam_console.c
 --- Linux-PAM-1.1.3/modules/pam_console/pam_console.c.abstract	2008-12-16 13:37:52.000000000 +0100
 +++ Linux-PAM-1.1.3/modules/pam_console/pam_console.c	2010-11-01 17:01:55.000000000 +0100
@@ -34,6 +34,8 @@
 #include <sys/types.h>
 #include <sys/stat.h>
 #include <sys/param.h>
 +#include <sys/socket.h>
 +#include <sys/un.h>
 #include <fcntl.h>
 #include <unistd.h>
 #include <stdio.h>
@@ -136,6 +138,32 @@ check_one_console_name(const char *name,
 }
 static int
 +try_xsocket(const char *path, size_t len) {
 +    int fd;
 +    union {
 +       struct sockaddr    sa;
 +       struct sockaddr_un su;
 +    } addr;
 +
 +    fd = socket(AF_UNIX, SOCK_STREAM, 0);
 +    if (fd < 0)
 +        return 0;
 +
 +    memset(&addr, 0, sizeof(addr));
 +    addr.su.sun_family = AF_UNIX;
 +
 +    if (len > sizeof(addr.su.sun_path))
 +        return 0;
 +    memcpy(addr.su.sun_path, path, len);
 +    if (connect(fd, &addr.sa, sizeof(addr.su) - (sizeof(addr.su.sun_path) - len)) == 0) {
 +        close(fd);
 +        return 1;
 +    }
 +    close(fd);
 +    return 0;
 +}
 +
 +static int
 check_console_name(pam_handle_t *pamh, const char *consolename, int nonroot_ok, int on_set) {
     int found = 0;
     int statted = 0;
@@ -186,22 +214,29 @@ check_console_name(pam_handle_t *pamh, c
     if (!statted && (consolename[0] == ':')) {
         int l;
         char *dot = NULL;
 -        strcpy(full_path, "/tmp/.X11-unix/X");
 -        l = sizeof(full_path) - 1 - strlen(full_path);
 +        char *path = full_path + 1;
 +        
 +        full_path[0] = '\0';
 +        strcpy(path, "/tmp/.X11-unix/X");
 +        l = sizeof(full_path) - 2 - strlen(path);
         dot = strchr(consolename + 1, '.');
         if (dot != NULL) {
             l = (l < dot - consolename - 1) ? l : dot - consolename - 1;
         }
 -        strncat(full_path, consolename + 1, l);
 +        strncat(path, consolename + 1, l);
 	full_path[sizeof(full_path) - 1] = '\0';
 -        _pam_log(pamh, LOG_DEBUG, TRUE, "checking possible console \"%s\"",
 -		 full_path);
 -        if (lstat(full_path, &st) != -1) {
 +        _pam_log(pamh, LOG_DEBUG, TRUE, "checking possible X socket \"%s\"",
 +		 path);
 +
 +        /* this will work because st.st_uid is 0 */
 +        if (try_xsocket(full_path, strlen(path)+1)) {
 +           statted = 1;
 +        } else if (try_xsocket(path, strlen(path))) {
            statted = 1;
         }
         else if (!on_set) {  /* there is no X11 socket in case of X11 crash */
             _pam_log(pamh, LOG_DEBUG, TRUE, "can't find X11 socket to examine for %s probably due to X crash", consolename);
 -            statted = 1; /* this will work because st.st_uid is 0 */
 +            statted = 1; 
         }
     }
--- a/pam-1.1.8-canonicalize-username.patch
+++ b/pam-1.1.8-canonicalize-username.patch
@ -0,0 +1,21 @@
 diff -up Linux-PAM-1.1.8/modules/pam_selinux/pam_selinux.c.canonicalize Linux-PAM-1.1.8/modules/pam_selinux/pam_selinux.c
 --- Linux-PAM-1.1.8/modules/pam_selinux/pam_selinux.c.canonicalize	2013-06-18 16:11:21.000000000 +0200
 +++ Linux-PAM-1.1.8/modules/pam_selinux/pam_selinux.c	2014-03-06 12:03:54.429639972 +0100
@@ -491,12 +491,17 @@ compute_exec_context(pam_handle_t *pamh,
   char *level = NULL;
   security_context_t *contextlist = NULL;
   int num_contexts = 0;
 +  const struct passwd *pwd;
   if (!(username = get_item(pamh, PAM_USER))) {
     pam_syslog(pamh, LOG_ERR, "Cannot obtain the user name");
     return PAM_USER_UNKNOWN;
   }
 +  if ((pwd = pam_modutil_getpwnam(pamh, username)) != NULL) {
 +    username = pwd->pw_name;
 +  } /* ignore error and keep using original username */
 +
   /* compute execute context */
 #ifdef HAVE_GETSEUSER
   if (!(service = get_item(pamh, PAM_SERVICE))) {
--- a/pam.spec
+++ b/pam.spec
@ -1,9 +1,9 @@
-%define pam_redhat_version 0.99.10-1
+%define pam_redhat_version 0.99.11
 Summary: An extensible library which provides authentication for applications
 Name: pam
 Version: 1.1.8
-Release: 4%{?dist}
+Release: 7%{?dist}
 # The library is BSD licensed with option to relicense as GPLv2+
 # - this option is redundant as the BSD license allows that anyway.
 # pam_timestamp, pam_loginuid, and pam_console modules are GPLv2+.
@ -23,7 +23,7 @@ Source10: config-util.pamd
 Source11: dlopen.sh
 Source12: system-auth.5
 Source13: config-util.5
-Source14: 90-nproc.conf
+Source14: 20-nproc.conf
 Source15: pamtmp.conf
 Source16: postlogin.pamd
 Source17: postlogin.5
@ -31,11 +31,9 @@ Patch1:  pam-1.0.90-redhat-modules.patch
 Patch2:  pam-1.1.6-std-noclose.patch
 Patch4:  pam-1.1.0-console-nochmod.patch
 Patch5:  pam-1.1.0-notally.patch
 Patch7:  pam-1.1.0-console-fixes.patch
 Patch8:  pam-1.1.1-faillock.patch
 Patch9:  pam-1.1.6-noflex.patch
 Patch10: pam-1.1.3-nouserenv.patch
 Patch11: pam-1.1.3-console-abstract.patch
 Patch12: pam-1.1.3-faillock-screensaver.patch
 Patch13: pam-1.1.6-limits-user.patch
 Patch15: pam-1.1.6-full-relro.patch
@ -46,6 +44,7 @@ Patch29: pam-1.1.6-pwhistory-helper.patch
 Patch31: pam-1.1.6-use-links.patch
 Patch32: pam-1.1.7-tty-audit-init.patch
 Patch33: pam-1.1.8-translation-updates.patch
 Patch34: pam-1.1.8-canonicalize-username.patch
 %define _pamlibdir %{_libdir}
 %define _moduledir %{_libdir}/security
@ -58,6 +57,7 @@ Patch33: pam-1.1.8-translation-updates.patch
 %if %{?WITH_AUDIT:0}%{!?WITH_AUDIT:1}
 %define WITH_AUDIT 1
 %endif
 %global _performance_build 1
 Requires: cracklib-dicts >= 2.8
 Requires: libpwquality >= 0.9.9
@ -111,11 +111,9 @@ mv pam-redhat-%{pam_redhat_version}/* modules
 %patch2 -p1 -b .std-noclose
 %patch4 -p1 -b .nochmod
 %patch5 -p1 -b .notally
 %patch7 -p1 -b .console-fixes
 %patch8 -p1 -b .faillock
 %patch9 -p1 -b .noflex
 %patch10 -p1 -b .nouserenv
 %patch11 -p1 -b .abstract
 %patch12 -p1 -b .screensaver
 %patch13 -p1 -b .limits
 %patch15 -p1 -b .relro
@ -124,6 +122,7 @@ mv pam-redhat-%{pam_redhat_version}/* modules
 %patch31 -p1 -b .links
 %patch32 -p1 -b .tty-audit-init
 %patch33 -p2 -b .translations
 %patch34 -p1 -b .canonicalize
 %build
 autoreconf -i
@ -341,7 +340,7 @@ fi
 %config(noreplace) %{_secconfdir}/group.conf
 %config(noreplace) %{_secconfdir}/limits.conf
 %dir %{_secconfdir}/limits.d
-%config(noreplace) %{_secconfdir}/limits.d/90-nproc.conf
+%config(noreplace) %{_secconfdir}/limits.d/20-nproc.conf
 %config(noreplace) %{_secconfdir}/namespace.conf
 %dir %{_secconfdir}/namespace.d
 %attr(755,root,root) %config(noreplace) %{_secconfdir}/namespace.init
@ -372,6 +371,11 @@ fi
 %doc doc/adg/*.txt doc/adg/html
 %changelog
 * Mon Mar 10 2014 Tomáš Mráz <tmraz@redhat.com> 1.1.8-5
 - rename the 90-nproc.conf to 20-nproc.conf (#1071618)
 - canonicalize user name in pam_selinux (#1071010)
 - refresh the pam-redhat tarball
 * Mon Dec 16 2013 Tomáš Mráz <tmraz@redhat.com> 1.1.8-4
 - raise the default soft nproc limit to 4096
--- a/2
+++ b/2
@ -1,2 +1,2 @@
 c115640346a987356f6b76ec1d425185  pam-redhat-0.99.10-1.tar.bz2
 35b6091af95981b1b2cd60d813b5e4ee  Linux-PAM-1.1.8.tar.bz2
 29eab110f57e8d60471081a6278a5a92  pam-redhat-0.99.11.tar.bz2