Multiple bug fixes and cleanups.

- do not fail if btmp file is corrupted (#906852)
- fix strict aliasing warnings in build
- UsrMove
- use authtok_type with pam_pwquality in system-auth
- remove manual_context handling from pam_selinux (#876976)
- other minor specfile cleanups
This commit is contained in:
Tomas Mraz 2013-03-22 17:44:40 +01:00
parent b38262e712
commit 858c76dcd3
6 changed files with 182 additions and 31 deletions

View File

@ -0,0 +1,15 @@
diff --git a/modules/pam_lastlog/pam_lastlog.c b/modules/pam_lastlog/pam_lastlog.c
index 50e5a59..bd454ff 100644
--- a/modules/pam_lastlog/pam_lastlog.c
+++ b/modules/pam_lastlog/pam_lastlog.c
@@ -479,6 +479,10 @@ last_login_failed(pam_handle_t *pamh, int announce, const char *user, time_t llt
}
}
+ if (retval != 0)
+ pam_syslog(pamh, LOG_WARNING, "corruption detected in %s", _PATH_BTMP);
+ retval = PAM_SUCCESS;
+
if (failed) {
/* we want the date? */
if (announce & LASTLOG_DATE) {

View File

@ -0,0 +1,97 @@
diff -up Linux-PAM-1.1.6/modules/pam_selinux/pam_selinux.c.manualctx Linux-PAM-1.1.6/modules/pam_selinux/pam_selinux.c
--- Linux-PAM-1.1.6/modules/pam_selinux/pam_selinux.c.manualctx 2012-09-03 15:23:21.000000000 +0200
+++ Linux-PAM-1.1.6/modules/pam_selinux/pam_selinux.c 2012-11-30 21:03:40.000000000 +0100
@@ -161,81 +161,6 @@ query_response (pam_handle_t *pamh, cons
return rc;
}
-static security_context_t
-manual_context (pam_handle_t *pamh, const char *user, int debug)
-{
- security_context_t newcon=NULL;
- context_t new_context;
- int mls_enabled = is_selinux_mls_enabled();
- char *type=NULL;
- char *response=NULL;
-
- while (1) {
- if (query_response(pamh,
- _("Would you like to enter a security context? [N] "), NULL,
- &response, debug) != PAM_SUCCESS)
- return NULL;
-
- if ((response[0] == 'y') || (response[0] == 'Y'))
- {
- if (mls_enabled)
- new_context = context_new ("user:role:type:level");
- else
- new_context = context_new ("user:role:type");
-
- if (!new_context)
- goto fail_set;
-
- if (context_user_set (new_context, user))
- goto fail_set;
-
- _pam_drop(response);
- /* Allow the user to enter each field of the context individually */
- if (query_response(pamh, _("role:"), NULL, &response, debug) == PAM_SUCCESS &&
- response[0] != '\0') {
- if (context_role_set (new_context, response))
- goto fail_set;
- if (get_default_type(response, &type))
- goto fail_set;
- if (context_type_set (new_context, type))
- goto fail_set;
- _pam_drop(type);
- }
- _pam_drop(response);
-
- if (mls_enabled)
- {
- if (query_response(pamh, _("level:"), NULL, &response, debug) == PAM_SUCCESS &&
- response[0] != '\0') {
- if (context_range_set (new_context, response))
- goto fail_set;
- }
- _pam_drop(response);
- }
-
- /* Get the string value of the context and see if it is valid. */
- if (!security_check_context(context_str(new_context))) {
- newcon = strdup(context_str(new_context));
- context_free (new_context);
- return newcon;
- }
- else
- send_text(pamh,_("Not a valid security context"),debug);
-
- context_free (new_context);
- }
- else {
- _pam_drop(response);
- return NULL;
- }
- } /* end while */
- fail_set:
- free(type);
- _pam_drop(response);
- context_free (new_context);
- return NULL;
-}
-
static int mls_range_allowed(pam_handle_t *pamh, security_context_t src, security_context_t dst, int debug)
{
struct av_decision avd;
@@ -606,11 +531,6 @@ compute_exec_context(pam_handle_t *pamh,
data->exec_context = context_from_env(pamh, data->default_user_context,
env_params, use_current_range,
debug);
- } else {
- if (seuser) {
- data->exec_context = manual_context(pamh, seuser, debug);
- free(seuser);
- }
}
if (!data->exec_context) {

View File

@ -0,0 +1,28 @@
diff --git a/modules/pam_namespace/md5.c b/modules/pam_namespace/md5.c
index ce4f7d6..dc95ab1 100644
--- a/modules/pam_namespace/md5.c
+++ b/modules/pam_namespace/md5.c
@@ -142,8 +142,7 @@ void MD5Name(MD5Final)(unsigned char digest[16], struct MD5Context *ctx)
byteReverse(ctx->in, 14);
/* Append length in bits and transform */
- ((uint32 *) ctx->in)[14] = ctx->bits[0];
- ((uint32 *) ctx->in)[15] = ctx->bits[1];
+ memcpy((uint32 *)ctx->in + 14, ctx->bits, 2*sizeof(uint32));
MD5Name(MD5Transform)(ctx->buf, (uint32 *) ctx->in);
byteReverse((unsigned char *) ctx->buf, 4);
diff --git a/modules/pam_unix/md5.c b/modules/pam_unix/md5.c
index 7881db5..94f0485 100644
--- a/modules/pam_unix/md5.c
+++ b/modules/pam_unix/md5.c
@@ -142,8 +142,7 @@ void MD5Name(MD5Final)(unsigned char digest[16], struct MD5Context *ctx)
byteReverse(ctx->in, 14);
/* Append length in bits and transform */
- ((uint32 *) ctx->in)[14] = ctx->bits[0];
- ((uint32 *) ctx->in)[15] = ctx->bits[1];
+ memcpy((uint32 *)ctx->in + 14, ctx->bits, 2*sizeof(uint32));
MD5Name(MD5Transform)(ctx->buf, (uint32 *) ctx->in);
byteReverse((unsigned char *) ctx->buf, 4);

View File

@ -3,7 +3,7 @@
Summary: An extensible library which provides authentication for applications Summary: An extensible library which provides authentication for applications
Name: pam Name: pam
Version: 1.1.6 Version: 1.1.6
Release: 8%{?dist} Release: 9%{?dist}
# The library is BSD licensed with option to relicense as GPLv2+ # The library is BSD licensed with option to relicense as GPLv2+
# - this option is redundant as the BSD license allows that anyway. # - this option is redundant as the BSD license allows that anyway.
# pam_timestamp, pam_loginuid, and pam_console modules are GPLv2+. # pam_timestamp, pam_loginuid, and pam_console modules are GPLv2+.
@ -52,9 +52,15 @@ Patch23: pam-1.1.6-autoupdate.patch
Patch24: pam-1.1.6-namespace-mntopts.patch Patch24: pam-1.1.6-namespace-mntopts.patch
# Upstreamed # Upstreamed
Patch25: pam-1.1.6-crypt-null-check.patch Patch25: pam-1.1.6-crypt-null-check.patch
# Upstreamed
Patch26: pam-1.1.6-lastlog-retval.patch
# Sent to upstream for review
Patch27: pam-1.1.6-strict-aliasing.patch
# Upstreamed
Patch28: pam-1.1.6-selinux-manualctx.patch
%define _sbindir /sbin %define _pamlibdir %{_libdir}
%define _moduledir /%{_lib}/security %define _moduledir %{_libdir}/security
%define _secconfdir %{_sysconfdir}/security %define _secconfdir %{_sysconfdir}/security
%define _pamconfdir %{_sysconfdir}/pam.d %define _pamconfdir %{_sysconfdir}/pam.d
@ -65,7 +71,6 @@ Patch25: pam-1.1.6-crypt-null-check.patch
%define WITH_AUDIT 1 %define WITH_AUDIT 1
%endif %endif
BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n)
Requires: cracklib-dicts >= 2.8 Requires: cracklib-dicts >= 2.8
Requires: libpwquality >= 0.9.9 Requires: libpwquality >= 0.9.9
Requires(post): coreutils, /sbin/ldconfig Requires(post): coreutils, /sbin/ldconfig
@ -88,7 +93,7 @@ BuildRequires: libdb-devel
BuildRequires: linuxdoc-tools, w3m, libxslt BuildRequires: linuxdoc-tools, w3m, libxslt
BuildRequires: docbook-style-xsl, docbook-dtds BuildRequires: docbook-style-xsl, docbook-dtds
URL: http://www.us.kernel.org/pub/linux/libs/pam/index.html URL: http://www.linux-pam.org/
%description %description
PAM (Pluggable Authentication Modules) is a system security tool that PAM (Pluggable Authentication Modules) is a system security tool that
@ -133,11 +138,15 @@ mv pam-redhat-%{pam_redhat_version}/* modules
%patch23 -p1 -b .autoupdate %patch23 -p1 -b .autoupdate
%patch24 -p1 -b .mntopts %patch24 -p1 -b .mntopts
%patch25 -p1 -b .null-check %patch25 -p1 -b .null-check
%patch26 -p1 -b .retval
%patch27 -p1 -b .strict-aliasing
%patch28 -p1 -b .manualctx
%build %build
autoreconf -i autoreconf -i
%configure \ %configure \
--libdir=/%{_lib} \ --libdir=%{_pamlibdir} \
--includedir=%{_includedir}/security \ --includedir=%{_includedir}/security \
--disable-static \ --disable-static \
--disable-prelude \ --disable-prelude \
@ -152,8 +161,6 @@ make
# we do not use _smp_mflags because the build of sources in yacc/flex fails # we do not use _smp_mflags because the build of sources in yacc/flex fails
%install %install
rm -rf $RPM_BUILD_ROOT
mkdir -p doc/txts mkdir -p doc/txts
for readme in modules/pam_*/README ; do for readme in modules/pam_*/README ; do
cp -f ${readme} doc/txts/README.`dirname ${readme} | sed -e 's|^modules/||'` cp -f ${readme} doc/txts/README.`dirname ${readme} | sed -e 's|^modules/||'`
@ -200,22 +207,24 @@ done
# Remove .la files and make new .so links -- this depends on the value # Remove .la files and make new .so links -- this depends on the value
# of _libdir not changing, and *not* being /usr/lib. # of _libdir not changing, and *not* being /usr/lib.
install -d -m 755 $RPM_BUILD_ROOT%{_libdir}
for lib in libpam libpamc libpam_misc ; do for lib in libpam libpamc libpam_misc ; do
pushd $RPM_BUILD_ROOT%{_libdir} rm -f $RPM_BUILD_ROOT%{_pamlibdir}/${lib}.la
ln -sf ../../%{_lib}/${lib}.so.*.* ${lib}.so
popd
rm -f $RPM_BUILD_ROOT/%{_lib}/${lib}.so
rm -f $RPM_BUILD_ROOT/%{_lib}/${lib}.la
done done
rm -f $RPM_BUILD_ROOT%{_moduledir}/*.la rm -f $RPM_BUILD_ROOT%{_moduledir}/*.la
%if "%{_pamlibdir}" != "%{_libdir}"
install -d -m 755 $RPM_BUILD_ROOT%{_libdir}
for lib in libpam libpamc libpam_misc ; do
pushd $RPM_BUILD_ROOT%{_libdir}
ln -sf %{_pamlibdir}/${lib}.so.*.* ${lib}.so
popd
rm -f $RPM_BUILD_ROOT%{_pamlibdir}/${lib}.so
done
%endif
# Duplicate doc file sets. # Duplicate doc file sets.
rm -fr $RPM_BUILD_ROOT/usr/share/doc/pam rm -fr $RPM_BUILD_ROOT/usr/share/doc/pam
# Create /lib/security in case it isn't the same as %{_moduledir}.
install -m755 -d $RPM_BUILD_ROOT/lib/security
# Install the file for autocreation of /var/run subdirectories on boot # Install the file for autocreation of /var/run subdirectories on boot
install -m644 -D %{SOURCE15} $RPM_BUILD_ROOT%{_prefix}/lib/tmpfiles.d/pam.conf install -m644 -D %{SOURCE15} $RPM_BUILD_ROOT%{_prefix}/lib/tmpfiles.d/pam.conf
@ -242,18 +251,15 @@ done
# Check for module problems. Specifically, check that every module we just # Check for module problems. Specifically, check that every module we just
# installed can actually be loaded by a minimal PAM-aware application. # installed can actually be loaded by a minimal PAM-aware application.
/sbin/ldconfig -n $RPM_BUILD_ROOT/%{_lib} /sbin/ldconfig -n $RPM_BUILD_ROOT%{_pamlibdir}
for module in $RPM_BUILD_ROOT%{_moduledir}/pam*.so ; do for module in $RPM_BUILD_ROOT%{_moduledir}/pam*.so ; do
if ! env LD_LIBRARY_PATH=$RPM_BUILD_ROOT/%{_lib} \ if ! env LD_LIBRARY_PATH=$RPM_BUILD_ROOT%{_pamlibdir} \
%{SOURCE11} -ldl -lpam -L$RPM_BUILD_ROOT/%{_libdir} ${module} ; then %{SOURCE11} -ldl -lpam -L$RPM_BUILD_ROOT%{_libdir} ${module} ; then
echo ERROR module: ${module} cannot be loaded. echo ERROR module: ${module} cannot be loaded.
exit 1 exit 1
fi fi
done done
%clean
rm -rf $RPM_BUILD_ROOT
%post %post
/sbin/ldconfig /sbin/ldconfig
if [ ! -e /var/log/tallylog ] ; then if [ ! -e /var/log/tallylog ] ; then
@ -276,9 +282,9 @@ fi
%doc doc/txts %doc doc/txts
%doc doc/sag/*.txt doc/sag/html %doc doc/sag/*.txt doc/sag/html
%doc doc/specs/rfc86.0.txt %doc doc/specs/rfc86.0.txt
/%{_lib}/libpam.so.* %{_pamlibdir}/libpam.so.*
/%{_lib}/libpamc.so.* %{_pamlibdir}/libpamc.so.*
/%{_lib}/libpam_misc.so.* %{_pamlibdir}/libpam_misc.so.*
%{_sbindir}/pam_console_apply %{_sbindir}/pam_console_apply
%{_sbindir}/pam_tally2 %{_sbindir}/pam_tally2
%{_sbindir}/faillock %{_sbindir}/faillock
@ -286,9 +292,6 @@ fi
%attr(4755,root,root) %{_sbindir}/unix_chkpwd %attr(4755,root,root) %{_sbindir}/unix_chkpwd
%attr(0700,root,root) %{_sbindir}/unix_update %attr(0700,root,root) %{_sbindir}/unix_update
%attr(0755,root,root) %{_sbindir}/mkhomedir_helper %attr(0755,root,root) %{_sbindir}/mkhomedir_helper
%if %{_lib} != lib
%dir /lib/security
%endif
%dir %{_moduledir} %dir %{_moduledir}
%{_moduledir}/pam_access.so %{_moduledir}/pam_access.so
%{_moduledir}/pam_chroot.so %{_moduledir}/pam_chroot.so
@ -386,6 +389,14 @@ fi
%doc doc/adg/*.txt doc/adg/html %doc doc/adg/*.txt doc/adg/html
%changelog %changelog
* Fri Mar 22 2013 Tomáš Mráz <tmraz@redhat.com> 1.1.6-9
- do not fail if btmp file is corrupted (#906852)
- fix strict aliasing warnings in build
- UsrMove
- use authtok_type with pam_pwquality in system-auth
- remove manual_context handling from pam_selinux (#876976)
- other minor specfile cleanups
* Tue Mar 19 2013 Tomáš Mráz <tmraz@redhat.com> 1.1.6-8 * Tue Mar 19 2013 Tomáš Mráz <tmraz@redhat.com> 1.1.6-8
- check NULL return from crypt() calls (#915316) - check NULL return from crypt() calls (#915316)

View File

@ -7,7 +7,7 @@ auth required pam_deny.so
account required pam_unix.so account required pam_unix.so
password requisite pam_pwquality.so try_first_pass retry=3 type= password requisite pam_pwquality.so try_first_pass retry=3 authtok_type=
password sufficient pam_unix.so try_first_pass use_authtok nullok sha512 shadow password sufficient pam_unix.so try_first_pass use_authtok nullok sha512 shadow
password required pam_deny.so password required pam_deny.so

View File

@ -7,7 +7,7 @@ auth required pam_deny.so
account required pam_unix.so account required pam_unix.so
password requisite pam_pwquality.so try_first_pass retry=3 type= password requisite pam_pwquality.so try_first_pass retry=3 authtok_type=
password sufficient pam_unix.so try_first_pass use_authtok nullok sha512 shadow password sufficient pam_unix.so try_first_pass use_authtok nullok sha512 shadow
password required pam_deny.so password required pam_deny.so