From 858c76dcd31c87f289ee33be475636238e234684 Mon Sep 17 00:00:00 2001 From: Tomas Mraz Date: Fri, 22 Mar 2013 17:44:40 +0100 Subject: [PATCH] Multiple bug fixes and cleanups. - do not fail if btmp file is corrupted (#906852) - fix strict aliasing warnings in build - UsrMove - use authtok_type with pam_pwquality in system-auth - remove manual_context handling from pam_selinux (#876976) - other minor specfile cleanups --- pam-1.1.6-lastlog-retval.patch | 15 +++++ pam-1.1.6-selinux-manualctx.patch | 97 +++++++++++++++++++++++++++++++ pam-1.1.6-strict-aliasing.patch | 28 +++++++++ pam.spec | 69 +++++++++++++--------- password-auth.pamd | 2 +- system-auth.pamd | 2 +- 6 files changed, 182 insertions(+), 31 deletions(-) create mode 100644 pam-1.1.6-lastlog-retval.patch create mode 100644 pam-1.1.6-selinux-manualctx.patch create mode 100644 pam-1.1.6-strict-aliasing.patch diff --git a/pam-1.1.6-lastlog-retval.patch b/pam-1.1.6-lastlog-retval.patch new file mode 100644 index 0000000..3c385f6 --- /dev/null +++ b/pam-1.1.6-lastlog-retval.patch @@ -0,0 +1,15 @@ +diff --git a/modules/pam_lastlog/pam_lastlog.c b/modules/pam_lastlog/pam_lastlog.c +index 50e5a59..bd454ff 100644 +--- a/modules/pam_lastlog/pam_lastlog.c ++++ b/modules/pam_lastlog/pam_lastlog.c +@@ -479,6 +479,10 @@ last_login_failed(pam_handle_t *pamh, int announce, const char *user, time_t llt + } + } + ++ if (retval != 0) ++ pam_syslog(pamh, LOG_WARNING, "corruption detected in %s", _PATH_BTMP); ++ retval = PAM_SUCCESS; ++ + if (failed) { + /* we want the date? */ + if (announce & LASTLOG_DATE) { diff --git a/pam-1.1.6-selinux-manualctx.patch b/pam-1.1.6-selinux-manualctx.patch new file mode 100644 index 0000000..b9afeab --- /dev/null +++ b/pam-1.1.6-selinux-manualctx.patch @@ -0,0 +1,97 @@ +diff -up Linux-PAM-1.1.6/modules/pam_selinux/pam_selinux.c.manualctx Linux-PAM-1.1.6/modules/pam_selinux/pam_selinux.c +--- Linux-PAM-1.1.6/modules/pam_selinux/pam_selinux.c.manualctx 2012-09-03 15:23:21.000000000 +0200 ++++ Linux-PAM-1.1.6/modules/pam_selinux/pam_selinux.c 2012-11-30 21:03:40.000000000 +0100 +@@ -161,81 +161,6 @@ query_response (pam_handle_t *pamh, cons + return rc; + } + +-static security_context_t +-manual_context (pam_handle_t *pamh, const char *user, int debug) +-{ +- security_context_t newcon=NULL; +- context_t new_context; +- int mls_enabled = is_selinux_mls_enabled(); +- char *type=NULL; +- char *response=NULL; +- +- while (1) { +- if (query_response(pamh, +- _("Would you like to enter a security context? [N] "), NULL, +- &response, debug) != PAM_SUCCESS) +- return NULL; +- +- if ((response[0] == 'y') || (response[0] == 'Y')) +- { +- if (mls_enabled) +- new_context = context_new ("user:role:type:level"); +- else +- new_context = context_new ("user:role:type"); +- +- if (!new_context) +- goto fail_set; +- +- if (context_user_set (new_context, user)) +- goto fail_set; +- +- _pam_drop(response); +- /* Allow the user to enter each field of the context individually */ +- if (query_response(pamh, _("role:"), NULL, &response, debug) == PAM_SUCCESS && +- response[0] != '\0') { +- if (context_role_set (new_context, response)) +- goto fail_set; +- if (get_default_type(response, &type)) +- goto fail_set; +- if (context_type_set (new_context, type)) +- goto fail_set; +- _pam_drop(type); +- } +- _pam_drop(response); +- +- if (mls_enabled) +- { +- if (query_response(pamh, _("level:"), NULL, &response, debug) == PAM_SUCCESS && +- response[0] != '\0') { +- if (context_range_set (new_context, response)) +- goto fail_set; +- } +- _pam_drop(response); +- } +- +- /* Get the string value of the context and see if it is valid. */ +- if (!security_check_context(context_str(new_context))) { +- newcon = strdup(context_str(new_context)); +- context_free (new_context); +- return newcon; +- } +- else +- send_text(pamh,_("Not a valid security context"),debug); +- +- context_free (new_context); +- } +- else { +- _pam_drop(response); +- return NULL; +- } +- } /* end while */ +- fail_set: +- free(type); +- _pam_drop(response); +- context_free (new_context); +- return NULL; +-} +- + static int mls_range_allowed(pam_handle_t *pamh, security_context_t src, security_context_t dst, int debug) + { + struct av_decision avd; +@@ -606,11 +531,6 @@ compute_exec_context(pam_handle_t *pamh, + data->exec_context = context_from_env(pamh, data->default_user_context, + env_params, use_current_range, + debug); +- } else { +- if (seuser) { +- data->exec_context = manual_context(pamh, seuser, debug); +- free(seuser); +- } + } + + if (!data->exec_context) { diff --git a/pam-1.1.6-strict-aliasing.patch b/pam-1.1.6-strict-aliasing.patch new file mode 100644 index 0000000..1409b24 --- /dev/null +++ b/pam-1.1.6-strict-aliasing.patch @@ -0,0 +1,28 @@ +diff --git a/modules/pam_namespace/md5.c b/modules/pam_namespace/md5.c +index ce4f7d6..dc95ab1 100644 +--- a/modules/pam_namespace/md5.c ++++ b/modules/pam_namespace/md5.c +@@ -142,8 +142,7 @@ void MD5Name(MD5Final)(unsigned char digest[16], struct MD5Context *ctx) + byteReverse(ctx->in, 14); + + /* Append length in bits and transform */ +- ((uint32 *) ctx->in)[14] = ctx->bits[0]; +- ((uint32 *) ctx->in)[15] = ctx->bits[1]; ++ memcpy((uint32 *)ctx->in + 14, ctx->bits, 2*sizeof(uint32)); + + MD5Name(MD5Transform)(ctx->buf, (uint32 *) ctx->in); + byteReverse((unsigned char *) ctx->buf, 4); +diff --git a/modules/pam_unix/md5.c b/modules/pam_unix/md5.c +index 7881db5..94f0485 100644 +--- a/modules/pam_unix/md5.c ++++ b/modules/pam_unix/md5.c +@@ -142,8 +142,7 @@ void MD5Name(MD5Final)(unsigned char digest[16], struct MD5Context *ctx) + byteReverse(ctx->in, 14); + + /* Append length in bits and transform */ +- ((uint32 *) ctx->in)[14] = ctx->bits[0]; +- ((uint32 *) ctx->in)[15] = ctx->bits[1]; ++ memcpy((uint32 *)ctx->in + 14, ctx->bits, 2*sizeof(uint32)); + + MD5Name(MD5Transform)(ctx->buf, (uint32 *) ctx->in); + byteReverse((unsigned char *) ctx->buf, 4); diff --git a/pam.spec b/pam.spec index d322fd2..15669de 100644 --- a/pam.spec +++ b/pam.spec @@ -3,7 +3,7 @@ Summary: An extensible library which provides authentication for applications Name: pam Version: 1.1.6 -Release: 8%{?dist} +Release: 9%{?dist} # The library is BSD licensed with option to relicense as GPLv2+ # - this option is redundant as the BSD license allows that anyway. # pam_timestamp, pam_loginuid, and pam_console modules are GPLv2+. @@ -52,9 +52,15 @@ Patch23: pam-1.1.6-autoupdate.patch Patch24: pam-1.1.6-namespace-mntopts.patch # Upstreamed Patch25: pam-1.1.6-crypt-null-check.patch +# Upstreamed +Patch26: pam-1.1.6-lastlog-retval.patch +# Sent to upstream for review +Patch27: pam-1.1.6-strict-aliasing.patch +# Upstreamed +Patch28: pam-1.1.6-selinux-manualctx.patch -%define _sbindir /sbin -%define _moduledir /%{_lib}/security +%define _pamlibdir %{_libdir} +%define _moduledir %{_libdir}/security %define _secconfdir %{_sysconfdir}/security %define _pamconfdir %{_sysconfdir}/pam.d @@ -65,7 +71,6 @@ Patch25: pam-1.1.6-crypt-null-check.patch %define WITH_AUDIT 1 %endif -BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n) Requires: cracklib-dicts >= 2.8 Requires: libpwquality >= 0.9.9 Requires(post): coreutils, /sbin/ldconfig @@ -88,7 +93,7 @@ BuildRequires: libdb-devel BuildRequires: linuxdoc-tools, w3m, libxslt BuildRequires: docbook-style-xsl, docbook-dtds -URL: http://www.us.kernel.org/pub/linux/libs/pam/index.html +URL: http://www.linux-pam.org/ %description PAM (Pluggable Authentication Modules) is a system security tool that @@ -133,11 +138,15 @@ mv pam-redhat-%{pam_redhat_version}/* modules %patch23 -p1 -b .autoupdate %patch24 -p1 -b .mntopts %patch25 -p1 -b .null-check +%patch26 -p1 -b .retval +%patch27 -p1 -b .strict-aliasing +%patch28 -p1 -b .manualctx + %build autoreconf -i %configure \ - --libdir=/%{_lib} \ + --libdir=%{_pamlibdir} \ --includedir=%{_includedir}/security \ --disable-static \ --disable-prelude \ @@ -152,8 +161,6 @@ make # we do not use _smp_mflags because the build of sources in yacc/flex fails %install -rm -rf $RPM_BUILD_ROOT - mkdir -p doc/txts for readme in modules/pam_*/README ; do cp -f ${readme} doc/txts/README.`dirname ${readme} | sed -e 's|^modules/||'` @@ -200,22 +207,24 @@ done # Remove .la files and make new .so links -- this depends on the value # of _libdir not changing, and *not* being /usr/lib. -install -d -m 755 $RPM_BUILD_ROOT%{_libdir} for lib in libpam libpamc libpam_misc ; do -pushd $RPM_BUILD_ROOT%{_libdir} -ln -sf ../../%{_lib}/${lib}.so.*.* ${lib}.so -popd -rm -f $RPM_BUILD_ROOT/%{_lib}/${lib}.so -rm -f $RPM_BUILD_ROOT/%{_lib}/${lib}.la +rm -f $RPM_BUILD_ROOT%{_pamlibdir}/${lib}.la done rm -f $RPM_BUILD_ROOT%{_moduledir}/*.la +%if "%{_pamlibdir}" != "%{_libdir}" +install -d -m 755 $RPM_BUILD_ROOT%{_libdir} +for lib in libpam libpamc libpam_misc ; do +pushd $RPM_BUILD_ROOT%{_libdir} +ln -sf %{_pamlibdir}/${lib}.so.*.* ${lib}.so +popd +rm -f $RPM_BUILD_ROOT%{_pamlibdir}/${lib}.so +done +%endif + # Duplicate doc file sets. rm -fr $RPM_BUILD_ROOT/usr/share/doc/pam -# Create /lib/security in case it isn't the same as %{_moduledir}. -install -m755 -d $RPM_BUILD_ROOT/lib/security - # Install the file for autocreation of /var/run subdirectories on boot install -m644 -D %{SOURCE15} $RPM_BUILD_ROOT%{_prefix}/lib/tmpfiles.d/pam.conf @@ -242,18 +251,15 @@ done # Check for module problems. Specifically, check that every module we just # installed can actually be loaded by a minimal PAM-aware application. -/sbin/ldconfig -n $RPM_BUILD_ROOT/%{_lib} +/sbin/ldconfig -n $RPM_BUILD_ROOT%{_pamlibdir} for module in $RPM_BUILD_ROOT%{_moduledir}/pam*.so ; do - if ! env LD_LIBRARY_PATH=$RPM_BUILD_ROOT/%{_lib} \ - %{SOURCE11} -ldl -lpam -L$RPM_BUILD_ROOT/%{_libdir} ${module} ; then + if ! env LD_LIBRARY_PATH=$RPM_BUILD_ROOT%{_pamlibdir} \ + %{SOURCE11} -ldl -lpam -L$RPM_BUILD_ROOT%{_libdir} ${module} ; then echo ERROR module: ${module} cannot be loaded. exit 1 fi done -%clean -rm -rf $RPM_BUILD_ROOT - %post /sbin/ldconfig if [ ! -e /var/log/tallylog ] ; then @@ -276,9 +282,9 @@ fi %doc doc/txts %doc doc/sag/*.txt doc/sag/html %doc doc/specs/rfc86.0.txt -/%{_lib}/libpam.so.* -/%{_lib}/libpamc.so.* -/%{_lib}/libpam_misc.so.* +%{_pamlibdir}/libpam.so.* +%{_pamlibdir}/libpamc.so.* +%{_pamlibdir}/libpam_misc.so.* %{_sbindir}/pam_console_apply %{_sbindir}/pam_tally2 %{_sbindir}/faillock @@ -286,9 +292,6 @@ fi %attr(4755,root,root) %{_sbindir}/unix_chkpwd %attr(0700,root,root) %{_sbindir}/unix_update %attr(0755,root,root) %{_sbindir}/mkhomedir_helper -%if %{_lib} != lib -%dir /lib/security -%endif %dir %{_moduledir} %{_moduledir}/pam_access.so %{_moduledir}/pam_chroot.so @@ -386,6 +389,14 @@ fi %doc doc/adg/*.txt doc/adg/html %changelog +* Fri Mar 22 2013 Tomáš Mráz 1.1.6-9 +- do not fail if btmp file is corrupted (#906852) +- fix strict aliasing warnings in build +- UsrMove +- use authtok_type with pam_pwquality in system-auth +- remove manual_context handling from pam_selinux (#876976) +- other minor specfile cleanups + * Tue Mar 19 2013 Tomáš Mráz 1.1.6-8 - check NULL return from crypt() calls (#915316) diff --git a/password-auth.pamd b/password-auth.pamd index 5e33723..6020c9d 100644 --- a/password-auth.pamd +++ b/password-auth.pamd @@ -7,7 +7,7 @@ auth required pam_deny.so account required pam_unix.so -password requisite pam_pwquality.so try_first_pass retry=3 type= +password requisite pam_pwquality.so try_first_pass retry=3 authtok_type= password sufficient pam_unix.so try_first_pass use_authtok nullok sha512 shadow password required pam_deny.so diff --git a/system-auth.pamd b/system-auth.pamd index 5e33723..6020c9d 100644 --- a/system-auth.pamd +++ b/system-auth.pamd @@ -7,7 +7,7 @@ auth required pam_deny.so account required pam_unix.so -password requisite pam_pwquality.so try_first_pass retry=3 type= +password requisite pam_pwquality.so try_first_pass retry=3 authtok_type= password sufficient pam_unix.so try_first_pass use_authtok nullok sha512 shadow password required pam_deny.so