rename the 90-nproc.conf to 20-nproc.conf (#1071618)
- canonicalize user name in pam_selinux (#1071010) - refresh the pam-redhat tarball
parent
919ce1131e
commit
82f97fb404
@ -1,72 +0,0 @@
|
||||
diff -up Linux-PAM-1.1.0/modules/pam_console/handlers.c.consolefix Linux-PAM-1.1.0/modules/pam_console/handlers.c
|
||||
--- Linux-PAM-1.1.0/modules/pam_console/handlers.c.consolefix 2009-11-02 08:45:24.000000000 +0100
|
||||
+++ Linux-PAM-1.1.0/modules/pam_console/handlers.c 2009-11-02 08:50:19.000000000 +0100
|
||||
@@ -172,13 +172,13 @@ call_exec(struct console_handler *handle
|
||||
const char *flagptr;
|
||||
const char **argv;
|
||||
int i = 0;
|
||||
- argv = malloc(sizeof(*argv)*nparams+2);
|
||||
-
|
||||
+ argv = malloc(sizeof(*argv)*(nparams+2));
|
||||
+
|
||||
if (argv == NULL)
|
||||
return;
|
||||
-
|
||||
+
|
||||
argv[i++] = handler->executable;
|
||||
-
|
||||
+
|
||||
for (flagptr = handler->flags; *flagptr != '\0'; flagptr += strlen(flagptr)+1) {
|
||||
switch (testflag(flagptr)) {
|
||||
case HF_LOGFAIL:
|
||||
@@ -231,7 +231,7 @@ execute_handler(pam_handle_t *pamh, stru
|
||||
}
|
||||
|
||||
sighandler = signal(SIGCHLD, SIG_DFL);
|
||||
-
|
||||
+
|
||||
child = fork();
|
||||
switch (child) {
|
||||
case -1:
|
||||
@@ -246,30 +246,32 @@ execute_handler(pam_handle_t *pamh, stru
|
||||
if (!wait_exit) {
|
||||
switch(fork()) {
|
||||
case 0:
|
||||
- exit(0);
|
||||
+ if(setsid() == -1) {
|
||||
+ _exit(255);
|
||||
+ }
|
||||
+ break;
|
||||
case -1:
|
||||
- exit(255);
|
||||
+ _exit(255);
|
||||
default:
|
||||
- if(setsid() == -1) {
|
||||
- exit(255);
|
||||
- }
|
||||
+ _exit(0);
|
||||
}
|
||||
}
|
||||
if (set_uid) {
|
||||
struct passwd *pw;
|
||||
pw = getpwnam(user);
|
||||
if (pw == NULL)
|
||||
- exit(255);
|
||||
+ _exit(255);
|
||||
if (setgid(pw->pw_gid) == -1 ||
|
||||
+ setgroups(0, NULL) == -1 ||
|
||||
setuid(pw->pw_uid) == -1)
|
||||
- exit(255);
|
||||
+ _exit(255);
|
||||
}
|
||||
call_exec(handler, nparams, user, tty);
|
||||
- exit(255);
|
||||
+ _exit(255);
|
||||
default:
|
||||
break;
|
||||
}
|
||||
-
|
||||
+
|
||||
waitpid(child, &rv, 0);
|
||||
|
||||
if (sighandler != SIG_ERR)
|
@ -1,82 +0,0 @@
|
||||
diff -up Linux-PAM-1.1.3/modules/pam_console/pam_console.c.abstract Linux-PAM-1.1.3/modules/pam_console/pam_console.c
|
||||
--- Linux-PAM-1.1.3/modules/pam_console/pam_console.c.abstract 2008-12-16 13:37:52.000000000 +0100
|
||||
+++ Linux-PAM-1.1.3/modules/pam_console/pam_console.c 2010-11-01 17:01:55.000000000 +0100
|
||||
@@ -34,6 +34,8 @@
|
||||
#include <sys/types.h>
|
||||
#include <sys/stat.h>
|
||||
#include <sys/param.h>
|
||||
+#include <sys/socket.h>
|
||||
+#include <sys/un.h>
|
||||
#include <fcntl.h>
|
||||
#include <unistd.h>
|
||||
#include <stdio.h>
|
||||
@@ -136,6 +138,32 @@ check_one_console_name(const char *name,
|
||||
}
|
||||
|
||||
static int
|
||||
+try_xsocket(const char *path, size_t len) {
|
||||
+ int fd;
|
||||
+ union {
|
||||
+ struct sockaddr sa;
|
||||
+ struct sockaddr_un su;
|
||||
+ } addr;
|
||||
+
|
||||
+ fd = socket(AF_UNIX, SOCK_STREAM, 0);
|
||||
+ if (fd < 0)
|
||||
+ return 0;
|
||||
+
|
||||
+ memset(&addr, 0, sizeof(addr));
|
||||
+ addr.su.sun_family = AF_UNIX;
|
||||
+
|
||||
+ if (len > sizeof(addr.su.sun_path))
|
||||
+ return 0;
|
||||
+ memcpy(addr.su.sun_path, path, len);
|
||||
+ if (connect(fd, &addr.sa, sizeof(addr.su) - (sizeof(addr.su.sun_path) - len)) == 0) {
|
||||
+ close(fd);
|
||||
+ return 1;
|
||||
+ }
|
||||
+ close(fd);
|
||||
+ return 0;
|
||||
+}
|
||||
+
|
||||
+static int
|
||||
check_console_name(pam_handle_t *pamh, const char *consolename, int nonroot_ok, int on_set) {
|
||||
int found = 0;
|
||||
int statted = 0;
|
||||
@@ -186,22 +214,29 @@ check_console_name(pam_handle_t *pamh, c
|
||||
if (!statted && (consolename[0] == ':')) {
|
||||
int l;
|
||||
char *dot = NULL;
|
||||
- strcpy(full_path, "/tmp/.X11-unix/X");
|
||||
- l = sizeof(full_path) - 1 - strlen(full_path);
|
||||
+ char *path = full_path + 1;
|
||||
+
|
||||
+ full_path[0] = '\0';
|
||||
+ strcpy(path, "/tmp/.X11-unix/X");
|
||||
+ l = sizeof(full_path) - 2 - strlen(path);
|
||||
dot = strchr(consolename + 1, '.');
|
||||
if (dot != NULL) {
|
||||
l = (l < dot - consolename - 1) ? l : dot - consolename - 1;
|
||||
}
|
||||
- strncat(full_path, consolename + 1, l);
|
||||
+ strncat(path, consolename + 1, l);
|
||||
full_path[sizeof(full_path) - 1] = '\0';
|
||||
- _pam_log(pamh, LOG_DEBUG, TRUE, "checking possible console \"%s\"",
|
||||
- full_path);
|
||||
- if (lstat(full_path, &st) != -1) {
|
||||
+ _pam_log(pamh, LOG_DEBUG, TRUE, "checking possible X socket \"%s\"",
|
||||
+ path);
|
||||
+
|
||||
+ /* this will work because st.st_uid is 0 */
|
||||
+ if (try_xsocket(full_path, strlen(path)+1)) {
|
||||
+ statted = 1;
|
||||
+ } else if (try_xsocket(path, strlen(path))) {
|
||||
statted = 1;
|
||||
}
|
||||
else if (!on_set) { /* there is no X11 socket in case of X11 crash */
|
||||
_pam_log(pamh, LOG_DEBUG, TRUE, "can't find X11 socket to examine for %s probably due to X crash", consolename);
|
||||
- statted = 1; /* this will work because st.st_uid is 0 */
|
||||
+ statted = 1;
|
||||
}
|
||||
}
|
||||
|
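--- /dev/null
+++ b/pam-1.1.8-canonicalize-username.patch
@@ -0,0 +1,21 @@
+diff -up Linux-PAM-1.1.8/modules/pam_selinux/pam_selinux.c.canonicalize Linux-PAM-1.1.8/modules/pam_selinux/pam_selinux.c
+--- Linux-PAM-1.1.8/modules/pam_selinux/pam_selinux.c.canonicalize 2013-06-18 16:11:21.000000000 +0200
++++ Linux-PAM-1.1.8/modules/pam_selinux/pam_selinux.c 2014-03-06 12:03:54.429639972 +0100
+@@ -491,12 +491,17 @@ compute_exec_context(pam_handle_t *pamh,
+char *level = NULL;
+security_context_t *contextlist = NULL;
+int num_contexts = 0;
++ const struct passwd *pwd;
+
+if (!(username = get_item(pamh, PAM_USER))) {
+pam_syslog(pamh, LOG_ERR, "Cannot obtain the user name");
+return PAM_USER_UNKNOWN;
+}
+
++ if ((pwd = pam_modutil_getpwnam(pamh, username)) != NULL) {
++ username = pwd->pw_name;
++ } /* ignore error and keep using original username */
++
+/* compute execute context */
+#ifdef HAVE_GETSEUSER
+if (!(service = get_item(pamh, PAM_SERVICE))) {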
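Review bot: The lookup-failure path is silent: when `pam_modutil_getpwnam` returns NULL the code keeps the name as supplied and, further down, SELinux will presumably map an NSS-unknown name to the default seuser with no trace of why, which makes a mis-mapped login context hard to diagnose; an else branch such as `} else { pam_syslog(pamh, LOG_DEBUG, "cannot look up user %s, using the name as given", username); }` would keep the behaviour and record the fallback. The hunk calls `pam_modutil_getpwnam` without adding `#include <security/pam_modutil.h>`; presumably pam_selinux.c already includes it, but the patch does not show that, so it is worth confirming before the build. A one-line comment above the new block stating the intent, `/* use the name as NSS spells it so getseuser() sees the canonical login */`, would be clearer than the trailing note on the closing brace. compute_exec_context's body continues past the end of this hunk.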
20
pam.spec
20
pam.spec
@ -1,9 +1,9 @@
|
||||
%define pam_redhat_version 0.99.10-1
|
||||
%define pam_redhat_version 0.99.11
|
||||
|
||||
Summary: An extensible library which provides authentication for applications
|
||||
Name: pam
|
||||
Version: 1.1.8
|
||||
Release: 4%{?dist}
|
||||
Release: 7%{?dist}
|
||||
# The library is BSD licensed with option to relicense as GPLv2+
|
||||
# - this option is redundant as the BSD license allows that anyway.
|
||||
# pam_timestamp, pam_loginuid, and pam_console modules are GPLv2+.
|
||||
@ -23,7 +23,7 @@ Source10: config-util.pamd
|
||||
Source11: dlopen.sh
|
||||
Source12: system-auth.5
|
||||
Source13: config-util.5
|
||||
Source14: 90-nproc.conf
|
||||
Source14: 20-nproc.conf
|
||||
Source15: pamtmp.conf
|
||||
Source16: postlogin.pamd
|
||||
Source17: postlogin.5
|
||||
@ -31,11 +31,9 @@ Patch1: pam-1.0.90-redhat-modules.patch
|
||||
Patch2: pam-1.1.6-std-noclose.patch
|
||||
Patch4: pam-1.1.0-console-nochmod.patch
|
||||
Patch5: pam-1.1.0-notally.patch
|
||||
Patch7: pam-1.1.0-console-fixes.patch
|
||||
Patch8: pam-1.1.1-faillock.patch
|
||||
Patch9: pam-1.1.6-noflex.patch
|
||||
Patch10: pam-1.1.3-nouserenv.patch
|
||||
Patch11: pam-1.1.3-console-abstract.patch
|
||||
Patch12: pam-1.1.3-faillock-screensaver.patch
|
||||
Patch13: pam-1.1.6-limits-user.patch
|
||||
Patch15: pam-1.1.6-full-relro.patch
|
||||
@ -46,6 +44,7 @@ Patch29: pam-1.1.6-pwhistory-helper.patch
|
||||
Patch31: pam-1.1.6-use-links.patch
|
||||
Patch32: pam-1.1.7-tty-audit-init.patch
|
||||
Patch33: pam-1.1.8-translation-updates.patch
|
||||
Patch34: pam-1.1.8-canonicalize-username.patch
|
||||
|
||||
%define _pamlibdir %{_libdir}
|
||||
%define _moduledir %{_libdir}/security
|
||||
@ -58,6 +57,7 @@ Patch33: pam-1.1.8-translation-updates.patch
|
||||
%if %{?WITH_AUDIT:0}%{!?WITH_AUDIT:1}
|
||||
%define WITH_AUDIT 1
|
||||
%endif
|
||||
%global _performance_build 1
|
||||
|
||||
Requires: cracklib-dicts >= 2.8
|
||||
Requires: libpwquality >= 0.9.9
|
||||
@ -111,11 +111,9 @@ mv pam-redhat-%{pam_redhat_version}/* modules
|
||||
%patch2 -p1 -b .std-noclose
|
||||
%patch4 -p1 -b .nochmod
|
||||
%patch5 -p1 -b .notally
|
||||
%patch7 -p1 -b .console-fixes
|
||||
%patch8 -p1 -b .faillock
|
||||
%patch9 -p1 -b .noflex
|
||||
%patch10 -p1 -b .nouserenv
|
||||
%patch11 -p1 -b .abstract
|
||||
%patch12 -p1 -b .screensaver
|
||||
%patch13 -p1 -b .limits
|
||||
%patch15 -p1 -b .relro
|
||||
@ -124,6 +122,7 @@ mv pam-redhat-%{pam_redhat_version}/* modules
|
||||
%patch31 -p1 -b .links
|
||||
%patch32 -p1 -b .tty-audit-init
|
||||
%patch33 -p2 -b .translations
|
||||
%patch34 -p1 -b .canonicalize
|
||||
|
||||
%build
|
||||
autoreconf -i
|
||||
@ -341,7 +340,7 @@ fi
|
||||
%config(noreplace) %{_secconfdir}/group.conf
|
||||
%config(noreplace) %{_secconfdir}/limits.conf
|
||||
%dir %{_secconfdir}/limits.d
|
||||
%config(noreplace) %{_secconfdir}/limits.d/90-nproc.conf
|
||||
%config(noreplace) %{_secconfdir}/limits.d/20-nproc.conf
|
||||
%config(noreplace) %{_secconfdir}/namespace.conf
|
||||
%dir %{_secconfdir}/namespace.d
|
||||
%attr(755,root,root) %config(noreplace) %{_secconfdir}/namespace.init
|
||||
@ -372,6 +371,11 @@ fi
|
||||
%doc doc/adg/*.txt doc/adg/html
|
||||
|
||||
%changelog
|
||||
* Mon Mar 10 2014 Tomáš Mráz <tmraz@redhat.com> 1.1.8-5
|
||||
- rename the 90-nproc.conf to 20-nproc.conf (#1071618)
|
||||
- canonicalize user name in pam_selinux (#1071010)
|
||||
- refresh the pam-redhat tarball
|
||||
|
||||
* Mon Dec 16 2013 Tomáš Mráz <tmraz@redhat.com> 1.1.8-4
|
||||
- raise the default soft nproc limit to 4096
|
||||
|
||||
|
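Review bot: The %changelog does not line up with the Release tag: the Release line changes between 4 and 7 (which side is new cannot be told from this rendering), yet the only entry added is for 1.1.8-5, so whichever direction the bump goes there are release numbers with no changelog entry. The new `%global _performance_build 1` line and the dropped console patches (Patch7/Patch11 and their %patch lines) are likewise not mentioned in the added entry, although the pam-redhat refresh presumably explains the patch removal. Suggest adding entries for the missing releases and one bullet naming the build-flag change, e.g. `- enable _performance_build`, so the spec history explains what shipped.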