rename the 90-nproc.conf to 20-nproc.conf (#1071618)

- canonicalize user name in pam_selinux (#1071010)
- refresh the pam-redhat tarball
This commit is contained in:
Tomas Mraz 2014-03-10 15:36:16 +01:00
parent 919ce1131e
commit 82f97fb404
6 changed files with 34 additions and 163 deletions


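--- a/pam-1.1.0-console-fixes.patch
+++ b/pam-1.1.0-console-fixes.patch
-diff -up Linux-PAM-1.1.0/modules/pam_console/handlers.c.consolefix Linux-PAM-1.1.0/modules/pam_console/handlers.c
---- Linux-PAM-1.1.0/modules/pam_console/handlers.c.consolefix 2009-11-02 08:45:24.000000000 +0100
-+++ Linux-PAM-1.1.0/modules/pam_console/handlers.c 2009-11-02 08:50:19.000000000 +0100
-@@ -172,13 +172,13 @@ call_exec(struct console_handler *handle
-const char *flagptr;
-const char **argv;
-int i = 0;
-- argv = malloc(sizeof(*argv)*nparams+2);
--
-+ argv = malloc(sizeof(*argv)*(nparams+2));
-+
-if (argv == NULL)
-return;
--
-+
-argv[i++] = handler->executable;
--
-+
-for (flagptr = handler->flags; *flagptr != '\0'; flagptr += strlen(flagptr)+1) {
-switch (testflag(flagptr)) {
-case HF_LOGFAIL:
-@@ -231,7 +231,7 @@ execute_handler(pam_handle_t *pamh, stru
-}
-sighandler = signal(SIGCHLD, SIG_DFL);
--
-+
-child = fork();
-switch (child) {
-case -1:
-@@ -246,30 +246,32 @@ execute_handler(pam_handle_t *pamh, stru
-if (!wait_exit) {
-switch(fork()) {
-case 0:
-- exit(0);
-+ if(setsid() == -1) {
-+ _exit(255);
-+ }
-+ break;
-case -1:
-- exit(255);
-+ _exit(255);
-default:
-- if(setsid() == -1) {
-- exit(255);
-- }
-+ _exit(0);
-}
-}
-if (set_uid) {
-struct passwd *pw;
-pw = getpwnam(user);
-if (pw == NULL)
-- exit(255);
-+ _exit(255);
-if (setgid(pw->pw_gid) == -1 ||
-+ setgroups(0, NULL) == -1 ||
-setuid(pw->pw_uid) == -1)
-- exit(255);
-+ _exit(255);
-}
-call_exec(handler, nparams, user, tty);
-- exit(255);
-+ _exit(255);
-default:
-break;
-}
--
-+
-waitpid(child, &rv, 0);
-if (sighandler != SIG_ERR)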


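--- a/pam-1.1.3-console-abstract.patch
+++ b/pam-1.1.3-console-abstract.patch
-diff -up Linux-PAM-1.1.3/modules/pam_console/pam_console.c.abstract Linux-PAM-1.1.3/modules/pam_console/pam_console.c
---- Linux-PAM-1.1.3/modules/pam_console/pam_console.c.abstract 2008-12-16 13:37:52.000000000 +0100
-+++ Linux-PAM-1.1.3/modules/pam_console/pam_console.c 2010-11-01 17:01:55.000000000 +0100
-@@ -34,6 +34,8 @@
-#include <sys/types.h>
-#include <sys/stat.h>
-#include <sys/param.h>
-+#include <sys/socket.h>
-+#include <sys/un.h>
-#include <fcntl.h>
-#include <unistd.h>
-#include <stdio.h>
-@@ -136,6 +138,32 @@ check_one_console_name(const char *name,
-}
-static int
-+try_xsocket(const char *path, size_t len) {
-+ int fd;
-+ union {
-+ struct sockaddr sa;
-+ struct sockaddr_un su;
-+ } addr;
-+
-+ fd = socket(AF_UNIX, SOCK_STREAM, 0);
-+ if (fd < 0)
-+ return 0;
-+
-+ memset(&addr, 0, sizeof(addr));
-+ addr.su.sun_family = AF_UNIX;
-+
-+ if (len > sizeof(addr.su.sun_path))
-+ return 0;
-+ memcpy(addr.su.sun_path, path, len);
-+ if (connect(fd, &addr.sa, sizeof(addr.su) - (sizeof(addr.su.sun_path) - len)) == 0) {
-+ close(fd);
-+ return 1;
-+ }
-+ close(fd);
-+ return 0;
-+}
-+
-+static int
-check_console_name(pam_handle_t *pamh, const char *consolename, int nonroot_ok, int on_set) {
-int found = 0;
-int statted = 0;
-@@ -186,22 +214,29 @@ check_console_name(pam_handle_t *pamh, c
-if (!statted && (consolename[0] == ':')) {
-int l;
-char *dot = NULL;
-- strcpy(full_path, "/tmp/.X11-unix/X");
-- l = sizeof(full_path) - 1 - strlen(full_path);
-+ char *path = full_path + 1;
-+
-+ full_path[0] = '\0';
-+ strcpy(path, "/tmp/.X11-unix/X");
-+ l = sizeof(full_path) - 2 - strlen(path);
-dot = strchr(consolename + 1, '.');
-if (dot != NULL) {
-l = (l < dot - consolename - 1) ? l : dot - consolename - 1;
-}
-- strncat(full_path, consolename + 1, l);
-+ strncat(path, consolename + 1, l);
-full_path[sizeof(full_path) - 1] = '\0';
-- _pam_log(pamh, LOG_DEBUG, TRUE, "checking possible console \"%s\"",
-- full_path);
-- if (lstat(full_path, &st) != -1) {
-+ _pam_log(pamh, LOG_DEBUG, TRUE, "checking possible X socket \"%s\"",
-+ path);
-+
-+ /* this will work because st.st_uid is 0 */
-+ if (try_xsocket(full_path, strlen(path)+1)) {
-+ statted = 1;
-+ } else if (try_xsocket(path, strlen(path))) {
-statted = 1;
-}
-else if (!on_set) { /* there is no X11 socket in case of X11 crash */
-_pam_log(pamh, LOG_DEBUG, TRUE, "can't find X11 socket to examine for %s probably due to X crash", consolename);
-- statted = 1; /* this will work because st.st_uid is 0 */
-+ statted = 1;
-}
-}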


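--- a/pam-1.1.8-canonicalize-username.patch
+++ b/pam-1.1.8-canonicalize-username.patch
+diff -up Linux-PAM-1.1.8/modules/pam_selinux/pam_selinux.c.canonicalize Linux-PAM-1.1.8/modules/pam_selinux/pam_selinux.c
+--- Linux-PAM-1.1.8/modules/pam_selinux/pam_selinux.c.canonicalize 2013-06-18 16:11:21.000000000 +0200
++++ Linux-PAM-1.1.8/modules/pam_selinux/pam_selinux.c 2014-03-06 12:03:54.429639972 +0100
+@@ -491,12 +491,17 @@ compute_exec_context(pam_handle_t *pamh,
+char *level = NULL;
+security_context_t *contextlist = NULL;
+int num_contexts = 0;
++ const struct passwd *pwd;
+if (!(username = get_item(pamh, PAM_USER))) {
+pam_syslog(pamh, LOG_ERR, "Cannot obtain the user name");
+return PAM_USER_UNKNOWN;
+}
++ if ((pwd = pam_modutil_getpwnam(pamh, username)) != NULL) {
++ username = pwd->pw_name;
++ } /* ignore error and keep using original username */
++
+/* compute execute context */
+#ifdef HAVE_GETSEUSER
+if (!(service = get_item(pamh, PAM_SERVICE))) {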
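Review bot: The fallback when pam_modutil_getpwnam() returns NULL is completely silent, so a login that ends up with an unexpected SELinux context because the name could not be resolved through NSS leaves no trace in the log; I would add an else branch such as `} else { pam_syslog(pamh, LOG_DEBUG, "Cannot canonicalize user %s, using name as given", username); }` in place of the trailing `/* ignore error ... */` comment, which also reads better than a comment hanging after the closing brace. After the assignment `username` points into the passwd record that pam_modutil_getpwnam() caches rather than at the PAM_USER item; that cache presumably lives until pam_end(), but since the string is used for the rest of the context computation a one-line comment stating the lifetime would help the next reader. Note also that only compute_exec_context() sees the canonical name here; if other parts of the module log or compare PAM_USER directly they will still see the raw login name. compute_exec_context() begins and ends outside this hunk.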


@ -1,9 +1,9 @@
%define pam_redhat_version 0.99.10-1
%define pam_redhat_version 0.99.11
Summary: An extensible library which provides authentication for applications
Name: pam
Version: 1.1.8
Release: 4%{?dist}
Release: 7%{?dist}
# The library is BSD licensed with option to relicense as GPLv2+
# - this option is redundant as the BSD license allows that anyway.
# pam_timestamp, pam_loginuid, and pam_console modules are GPLv2+.
@ -23,7 +23,7 @@ Source10: config-util.pamd
Source11: dlopen.sh
Source12: system-auth.5
Source13: config-util.5
Source14: 90-nproc.conf
Source14: 20-nproc.conf
Source15: pamtmp.conf
Source16: postlogin.pamd
Source17: postlogin.5
@ -31,11 +31,9 @@ Patch1: pam-1.0.90-redhat-modules.patch
Patch2: pam-1.1.6-std-noclose.patch
Patch4: pam-1.1.0-console-nochmod.patch
Patch5: pam-1.1.0-notally.patch
Patch7: pam-1.1.0-console-fixes.patch
Patch8: pam-1.1.1-faillock.patch
Patch9: pam-1.1.6-noflex.patch
Patch10: pam-1.1.3-nouserenv.patch
Patch11: pam-1.1.3-console-abstract.patch
Patch12: pam-1.1.3-faillock-screensaver.patch
Patch13: pam-1.1.6-limits-user.patch
Patch15: pam-1.1.6-full-relro.patch
@ -46,6 +44,7 @@ Patch29: pam-1.1.6-pwhistory-helper.patch
Patch31: pam-1.1.6-use-links.patch
Patch32: pam-1.1.7-tty-audit-init.patch
Patch33: pam-1.1.8-translation-updates.patch
Patch34: pam-1.1.8-canonicalize-username.patch
%define _pamlibdir %{_libdir}
%define _moduledir %{_libdir}/security
@ -58,6 +57,7 @@ Patch33: pam-1.1.8-translation-updates.patch
%if %{?WITH_AUDIT:0}%{!?WITH_AUDIT:1}
%define WITH_AUDIT 1
%endif
%global _performance_build 1
Requires: cracklib-dicts >= 2.8
Requires: libpwquality >= 0.9.9
@ -111,11 +111,9 @@ mv pam-redhat-%{pam_redhat_version}/* modules
%patch2 -p1 -b .std-noclose
%patch4 -p1 -b .nochmod
%patch5 -p1 -b .notally
%patch7 -p1 -b .console-fixes
%patch8 -p1 -b .faillock
%patch9 -p1 -b .noflex
%patch10 -p1 -b .nouserenv
%patch11 -p1 -b .abstract
%patch12 -p1 -b .screensaver
%patch13 -p1 -b .limits
%patch15 -p1 -b .relro
@ -124,6 +122,7 @@ mv pam-redhat-%{pam_redhat_version}/* modules
%patch31 -p1 -b .links
%patch32 -p1 -b .tty-audit-init
%patch33 -p2 -b .translations
%patch34 -p1 -b .canonicalize
%build
autoreconf -i
@ -341,7 +340,7 @@ fi
%config(noreplace) %{_secconfdir}/group.conf
%config(noreplace) %{_secconfdir}/limits.conf
%dir %{_secconfdir}/limits.d
%config(noreplace) %{_secconfdir}/limits.d/90-nproc.conf
%config(noreplace) %{_secconfdir}/limits.d/20-nproc.conf
%config(noreplace) %{_secconfdir}/namespace.conf
%dir %{_secconfdir}/namespace.d
%attr(755,root,root) %config(noreplace) %{_secconfdir}/namespace.init
@ -372,6 +371,11 @@ fi
%doc doc/adg/*.txt doc/adg/html
%changelog
* Mon Mar 10 2014 Tomáš Mráz <tmraz@redhat.com> 1.1.8-5
- rename the 90-nproc.conf to 20-nproc.conf (#1071618)
- canonicalize user name in pam_selinux (#1071010)
- refresh the pam-redhat tarball
* Mon Dec 16 2013 Tomáš Mráz <tmraz@redhat.com> 1.1.8-4
- raise the default soft nproc limit to 4096
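Review bot: Dropping Patch7 (pam-1.1.0-console-fixes.patch) and Patch11 (pam-1.1.3-console-abstract.patch) from the Patch list and the %prep section removes two security-relevant fixes from the build — the setgroups(0, NULL) call before setuid() in pam_console's handler and the connect()-based probe of the X11 socket shown in the deleted files on this page — unless the refreshed pam-redhat-0.99.11 tarball already carries them, and neither the spec nor the changelog says so. I would make that explicit once confirmed, e.g. `- refresh the pam-redhat tarball (now carries the former console-fixes and console-abstract patches)`. The new changelog entry is for 1.1.8-5 while the Release line as rendered here reads 7%{?dist}, which looks inconsistent and is worth checking before the build is tagged.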


@ -1,2 +1,2 @@
c115640346a987356f6b76ec1d425185 pam-redhat-0.99.10-1.tar.bz2
35b6091af95981b1b2cd60d813b5e4ee Linux-PAM-1.1.8.tar.bz2
29eab110f57e8d60471081a6278a5a92 pam-redhat-0.99.11.tar.bz2