From 8955a466b5ca2d8cceb3a2cb300308799a37b88a Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Tom=C3=A1=C5=A1=20Mr=C3=A1z?=
Date: Mon, 8 Sep 2008 11:01:44 +0000
Subject: [PATCH] - pam_loginuid: uids are unsigned (#460241)
- new minor upstream release
- use external db4
- drop tests for not pulling in libpthread (as NPTL should be safe)
---
 .cvsignore | 3 +-
 Linux-PAM-1.0.1.tar.bz2.sign | 8 --
 Linux-PAM-1.0.2.tar.bz2.sign | 8 ++
 pam-0.99.3.0-tally-fail-close.patch | 26 -------
 pam-0.99.8.1-dbpam.patch | 11 ---
 ...=> pam-1.0.1-cracklib-try-first-pass.patch | 23 +++---
 pam-1.0.1-selinux-restore-execcon.patch | 32 --------
 pam-1.0.1-tally-fail-close.patch | 27 +++++++
 pam.spec | 74 ++++---------
 sources | 3 +-
 10 files changed, 63 insertions(+), 152 deletions(-)
 delete mode 100644 Linux-PAM-1.0.1.tar.bz2.sign
 create mode 100644 Linux-PAM-1.0.2.tar.bz2.sign
 delete mode 100644 pam-0.99.3.0-tally-fail-close.patch
 delete mode 100644 pam-0.99.8.1-dbpam.patch
 rename pam-0.99.3.0-cracklib-try-first-pass.patch => pam-1.0.1-cracklib-try-first-pass.patch (59%)
 delete mode 100644 pam-1.0.1-selinux-restore-execcon.patch
 create mode 100644 pam-1.0.1-tally-fail-close.patch
diff --git a/.cvsignore b/.cvsignore
index ed02a50..649c80a 100644
--- a/.cvsignore
+++ b/.cvsignore
@@ -1,5 +1,4 @@
 *.src.rpm
 *.tar.bz2
 pam-redhat-0.99.9-1.tar.bz2
-Linux-PAM-1.0.1.tar.bz2
-db-4.7.25.tar.gz
+Linux-PAM-1.0.2.tar.bz2
diff --git a/Linux-PAM-1.0.1.tar.bz2.sign b/Linux-PAM-1.0.1.tar.bz2.sign
deleted file mode 100644
index 7c3e8d2..0000000
--- a/Linux-PAM-1.0.1.tar.bz2.sign
+++ /dev/null
@@ -1,8 +0,0 @@
------BEGIN PGP SIGNATURE-----
-Version: GnuPG v1.4.7 (GNU/Linux)
-Comment: See http://www.kernel.org/signature.html for info
-
-iD8DBQBIBc9XyGugalF9Dw4RAjh7AJ9qe5Ul/wwxmVxx1mo5XCITTn5M9gCfZXzR
-n0RI6KnK3u/LICHHV2zYkZA=
-=JRIX
------END PGP SIGNATURE-----
diff --git a/Linux-PAM-1.0.2.tar.bz2.sign b/Linux-PAM-1.0.2.tar.bz2.sign
new file mode 100644
index 0000000..5348578
--- /dev/null
+++ b/Linux-PAM-1.0.2.tar.bz2.sign
@@ -0,0 +1,8 @@
+-----BEGIN PGP SIGNATURE-----
+Version: GnuPG v1.4.9 (GNU/Linux)
+Comment: See http://www.kernel.org/signature.html for info
+
+iD8DBQBIt8Q3yGugalF9Dw4RAnJQAJ9hxQ8qCSTFxs0hKZnT1iuPIld0VwCfV4pa
+mxTaEK08wwAQ2bYjsDhh01s=
+=rPNX
+-----END PGP SIGNATURE-----
diff --git a/pam-0.99.3.0-tally-fail-close.patch b/pam-0.99.3.0-tally-fail-close.patch
deleted file mode 100644
index db37398..0000000
--- a/pam-0.99.3.0-tally-fail-close.patch
+++ /dev/null
@@ -1,26 +0,0 @@
---- Linux-PAM-0.99.3.0/modules/pam_tally/pam_tally.c.fail-close 2005-09-21 15:35:29.000000000 +0200
-+++ Linux-PAM-0.99.3.0/modules/pam_tally/pam_tally.c 2006-05-04 13:31:59.000000000 +0200
-@@ -318,6 +318,7 @@
- }
- lstat_ret = fstat(fileno(*TALLY),&fileinfo);
- fclose(*TALLY);
-+ *TALLY = NULL;
- }
-
- if ( lstat_ret ) {
-@@ -348,6 +349,7 @@
- if ( fseek( *TALLY, uid * sizeof(struct faillog), SEEK_SET ) ) {
- pam_syslog(pamh, LOG_ALERT, "fseek failed for %s", filename);
- fclose(*TALLY);
-+ *TALLY = NULL;
- return PAM_AUTH_ERR;
- }
-
-@@ -394,6 +396,7 @@
- }
-
- if ( fclose(*TALLY) ) {
-+ *TALLY = NULL;
- pam_syslog(pamh, LOG_ALERT, "update (fclose) failed for %s", filename);
- return PAM_AUTH_ERR;
- }
diff --git a/pam-0.99.8.1-dbpam.patch b/pam-0.99.8.1-dbpam.patch
deleted file mode 100644
index dfb7344..0000000
--- a/pam-0.99.8.1-dbpam.patch
+++ /dev/null
@@ -1,11 +0,0 @@
---- Linux-PAM-0.99.8.1/configure.in.dbpam 2007-07-23 13:59:20.000000000 +0200
-+++ Linux-PAM-0.99.8.1/configure.in 2007-07-23 14:06:54.000000000 +0200
-@@ -355,7 +355,7 @@
- AC_HELP_STRING([--with-db-uniquename=extension],[Unique name for db libraries and functions.]))
- if test x"$WITH_DB" != xno ; then
- if test x"$WITH_DB" = xyes -o x"$WITH_DB" = xdb ; then
-- AC_CHECK_LIB([db$with_db_uniquename], [db_create$with_db_uniquename], LIBDB="-ldb$with_db_uniquename", LIBDB="")
-+ AC_CHECK_LIB([db], [db_create$with_db_uniquename], LIBDB="-ldb", LIBDB="")
- if test -z "$LIBDB" ; then
- AC_CHECK_LIB([db$with_db_uniquename], [dbm_store$with_db_uniquename], LIBDB="-ldb$with_db_uniquename", LIBDB="")
- fi
diff --git a/pam-0.99.3.0-cracklib-try-first-pass.patch b/pam-1.0.1-cracklib-try-first-pass.patch
similarity index 59%
rename from pam-0.99.3.0-cracklib-try-first-pass.patch
rename to pam-1.0.1-cracklib-try-first-pass.patch
index 337bc04..3407fdf 100644
--- a/pam-0.99.3.0-cracklib-try-first-pass.patch
+++ b/pam-1.0.1-cracklib-try-first-pass.patch
@@ -1,15 +1,16 @@ ---- Linux-PAM-0.99.3.0/modules/pam_cracklib/pam_cracklib.c.try-first-pass 2006-01-08 10:49:05.000000000 +0100 -+++ Linux-PAM-0.99.3.0/modules/pam_cracklib/pam_cracklib.c 2006-02-24 10:42:53.000000000 +0100 -@@ -93,6 +93,7 @@ - int low_credit; +diff -up Linux-PAM-1.0.1/modules/pam_cracklib/pam_cracklib.c.try-first-pass Linux-PAM-1.0.1/modules/pam_cracklib/pam_cracklib.c +--- Linux-PAM-1.0.1/modules/pam_cracklib/pam_cracklib.c.try-first-pass 2008-03-05 21:21:38.000000000 +0100 ++++ Linux-PAM-1.0.1/modules/pam_cracklib/pam_cracklib.c 2008-09-05 21:35:18.000000000 +0200 +@@ -98,6 +98,7 @@ struct cracklib_options { int oth_credit; + int min_class; int use_authtok; + int try_first_pass; char prompt_type[BUFSIZ]; - char cracklib_dictpath[PATH_MAX]; + const char *cracklib_dictpath; }; -@@ -158,6 +159,10 @@ - opt->oth_credit = 0; +@@ -169,6 +170,10 @@ _pam_parse (pam_handle_t *pamh, struct c + opt->min_class = 4 ; } else if (!strncmp(*argv,"use_authtok",11)) { opt->use_authtok = 1; + } else if (!strncmp(*argv,"use_first_pass",14)) { @@ -17,9 +18,9 @@ + } else if (!strncmp(*argv,"try_first_pass",14)) { + opt->try_first_pass = 1; } else if (!strncmp(*argv,"dictpath=",9)) { - strncpy(opt->cracklib_dictpath, *argv+9, - sizeof(opt->cracklib_dictpath) - 1); -@@ -559,7 +564,7 @@ + opt->cracklib_dictpath = *argv+9; + if (!*(opt->cracklib_dictpath)) { +@@ -619,7 +624,7 @@ PAM_EXTERN int pam_sm_chauthtok(pam_hand * set PAM_AUTHTOK and return */ @@ -28,7 +29,7 @@ const void *item = NULL; retval = pam_get_item(pamh, PAM_AUTHTOK, &item); -@@ -570,11 +575,13 @@ +@@ -630,11 +635,13 @@ PAM_EXTERN int pam_sm_chauthtok(pam_hand } else if (item != NULL) { /* we have a password! */ token1 = x_strdup(item); item = NULL; diff --git a/pam-1.0.1-selinux-restore-execcon.patch b/pam-1.0.1-selinux-restore-execcon.patch deleted file mode 100644 index 4052ec4..0000000 --- a/pam-1.0.1-selinux-restore-execcon.patch +++ /dev/null 
@@ -1,32 +0,0 @@
-diff -up Linux-PAM-1.0.1/modules/pam_selinux/pam_selinux.c.restore-execcon Linux-PAM-1.0.1/modules/pam_selinux/pam_selinux.c
---- Linux-PAM-1.0.1/modules/pam_selinux/pam_selinux.c.restore-execcon 2008-03-20 18:06:32.000000000 +0100
-+++ Linux-PAM-1.0.1/modules/pam_selinux/pam_selinux.c 2008-04-22 21:11:34.000000000 +0200
-@@ -702,21 +702,21 @@ pam_sm_close_session(pam_handle_t *pamh,
- free(ttyn);
- ttyn=NULL;
- }
-- if (prev_user_context) {
-- if (setexeccon(prev_user_context)) {
-+
-+ if (setexeccon(prev_user_context)) {
- pam_syslog(pamh, LOG_ERR, "Unable to restore executable context %s.",
-- prev_user_context);
-+ prev_user_context ? prev_user_context : "");
- if (security_getenforce() == 1)
- status = PAM_AUTH_ERR;
- else
- status = PAM_SUCCESS;
-- }
-+ } else if (debug)
-+ pam_syslog(pamh, LOG_NOTICE, "Executable context back to original");
-+
-+ if (prev_user_context) {
- freecon(prev_user_context);
- prev_user_context = NULL;
- }
-
-- if (debug)
-- pam_syslog(pamh, LOG_NOTICE, "setcontext back to orginal");
--
- return status;
- }
diff --git a/pam-1.0.1-tally-fail-close.patch b/pam-1.0.1-tally-fail-close.patch
new file mode 100644
index 0000000..0c810f2
--- /dev/null
+++ b/pam-1.0.1-tally-fail-close.patch
@@ -0,0 +1,27 @@
+diff -up Linux-PAM-1.0.1/modules/pam_tally/pam_tally.c.fail-close Linux-PAM-1.0.1/modules/pam_tally/pam_tally.c
+--- Linux-PAM-1.0.1/modules/pam_tally/pam_tally.c.fail-close 2007-11-20 11:58:11.000000000 +0100
++++ Linux-PAM-1.0.1/modules/pam_tally/pam_tally.c 2008-09-05 21:54:31.000000000 +0200
+@@ -325,6 +325,7 @@ get_tally(pam_handle_t *pamh, tally_t *t
+ }
+ lstat_ret = fstat(fileno(*TALLY),&fileinfo);
+ fclose(*TALLY);
++ *TALLY = NULL;
+ }
+
+ if ( lstat_ret ) {
+@@ -355,6 +356,7 @@ get_tally(pam_handle_t *pamh, tally_t *t
+ if ( fseeko( *TALLY, (off_t) uid * sizeof(struct faillog), SEEK_SET ) ) {
+ pam_syslog(pamh, LOG_ALERT, "fseek failed for %s", filename);
+ fclose(*TALLY);
++ *TALLY = NULL;
+ return PAM_AUTH_ERR;
+ }
+
+@@ -403,6 +405,7 @@ set_tally(pam_handle_t *pamh, tally_t ta
+ }
+
+ if ( fclose(*TALLY) ) {
++ *TALLY = NULL;
+ pam_syslog(pamh, LOG_ALERT, "update (fclose) failed for %s", filename);
+ return PAM_AUTH_ERR;
+ }
diff --git a/pam.spec b/pam.spec
index 44ab308..72dab51 100644
--- a/pam.spec
+++ b/pam.spec
@@ -1,11 +1,9 @@
-%define db_version 4.7.25
-%define db_conflicting_version 4.8.0
 %define pam_redhat_version 0.99.9-1
 Summary: A security tool which provides authentication for applications
 Name: pam
-Version: 1.0.1
-Release: 5%{?dist}
+Version: 1.0.2
+Release: 1%{?dist}
 # The library is BSD licensed with option to relicense as GPLv2+ - this option is redundant
 # as the BSD license allows that anyway. pam_timestamp and pam_console modules are GPLv2+,
 # pam_rhosts_auth module is BSD with advertising
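Review bot: In the set_tally hunk, `*TALLY = NULL` is added only inside the `if ( fclose(*TALLY) )` failure branch; the success path after the closing brace lies outside the hunk, so whether the handle is also cleared there cannot be confirmed from this patch, and if it is not, the caller keeps a `FILE *` that fclose() has already released — the same stale-handle situation the two get_tally hunks guard against on both of their close paths. A one-line comment at the new assignment, e.g. `/* fclose() releases the stream even when it reports failure; never reuse the handle */`, would record why the reset belongs on the error path regardless of the return value. Otherwise the rebase from the deleted pam-0.99.3.0 version only tracks upstream's switch to `fseeko` with an `(off_t)` cast in the context lines.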
@@ -14,7 +12,6 @@ Group: System Environment/Base
 Source0: http://ftp.us.kernel.org/pub/linux/libs/pam/library/Linux-PAM-%{version}.tar.bz2
 Source1: http://ftp.us.kernel.org/pub/linux/libs/pam/library/Linux-PAM-%{version}.tar.bz2.sign
 Source2: https://fedorahosted.org/releases/p/a/pam-redhat/pam-redhat-%{pam_redhat_version}.tar.bz2
-Source4: http://download.oracle.com/berkeley-db/db-%{db_version}.tar.gz
 Source5: other.pamd
 Source6: system-auth.pamd
 Source7: config-util.pamd
@@ -23,15 +20,13 @@ Source9: system-auth.5
 Source10: config-util.5
 Source11: 90-nproc.conf
 Patch1: pam-0.99.7.0-redhat-modules.patch
-Patch4: pam-0.99.8.1-dbpam.patch
 Patch5: pam-1.0.1-autoreconf.patch
 Patch10: pam-1.0.0-sepermit-screensaver.patch
-Patch11: pam-1.0.1-selinux-restore-execcon.patch
 Patch12: pam-1.0.0-selinux-env-params.patch
 Patch21: pam-0.99.10.0-unix-audit-failed.patch
 Patch22: pam-1.0.1-unix-prompts.patch
-Patch31: pam-0.99.3.0-cracklib-try-first-pass.patch
-Patch32: pam-0.99.3.0-tally-fail-close.patch
+Patch31: pam-1.0.1-cracklib-try-first-pass.patch
+Patch32: pam-1.0.1-tally-fail-close.patch
 Patch41: pam-1.0.1-namespace-create.patch
 %define _sbindir /sbin
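Review bot: `Patch11: pam-1.0.1-selinux-restore-execcon.patch` is dropped in the second hunk here, and its `%patch11 -p1 -b .restore-execcon` line goes in the %prep hunk (@@ -95,16), yet neither the changelog entry nor the commit message says why; the other removals (Source4, Patch4, the dbpam and tally renames) are all covered by "use external db4" or the rebased patch names. Presumably 1.0.2 carries the pam_selinux exec-context restore fix upstream, as it apparently does for the pam_loginuid unsigned-uid fix that the changelog credits to this release without any patch, but a reader of the spec cannot verify that from here. A changelog line such as `- drop selinux-restore-execcon patch (merged upstream)` would document it; if the fix is not upstream, the session-close context restore regresses and the patch needs re-applying.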
@@ -64,19 +59,13 @@ Requires: libselinux >= 1.33.2
 %endif
 BuildRequires: glibc >= 2.3.90-37
 Requires: glibc >= 2.3.90-37
+BuildRequires: db4-devel
 # Following deps are necessary only to build the pam library documentation.
 BuildRequires: linuxdoc-tools, w3m, libxslt
 BuildRequires: docbook-style-xsl, docbook-dtds
 URL: http://www.us.kernel.org/pub/linux/libs/pam/index.html
-# We internalize libdb to get a non-threaded copy, but we should at least try
-# to coexist with the system's copy of libdb, which will be used to make the
-# files for use by pam_userdb (either by db_load or Perl's DB_File module).
-# The non-threaded db4 is necessary so we do not break single threaded
-# services when they call pam_userdb.so module.
-Conflicts: db4 >= %{db_conflicting_version}
-
 %description
 PAM (Pluggable Authentication Modules) is a system security tool that
 allows system administrators to set authentication policy without
@@ -95,16 +84,14 @@ contains header files and static libraries used for building both
 PAM-aware applications and modules for use with PAM.
 %prep
-%setup -q -n Linux-PAM-%{version} -a 2 -a 4
+%setup -q -n Linux-PAM-%{version} -a 2
 # Add custom modules.
 mv pam-redhat-%{pam_redhat_version}/* modules
 %patch1 -p1 -b .redhat-modules
-%patch4 -p1 -b .dbpam
 %patch5 -p1 -b .autoreconf
 %patch10 -p1 -b .screensaver
-%patch11 -p1 -b .restore-execcon
 %patch12 -p0 -b .env-params
 %patch21 -p1 -b .audit-failed
 %patch22 -p1 -b .prompts
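Review bot: The added `BuildRequires: db4-devel` replaces the removed comment block and `Conflicts: db4 >= %{db_conflicting_version}`, so the spec no longer records why pam_userdb previously linked a private non-threaded libdb or why linking the system copy is now acceptable; the only rationale left is the changelog's "as NPTL should be safe". A short comment above the new line, `# pam_userdb links the system (threaded) db4; with NPTL this is safe for single-threaded callers`, keeps that decision visible to the next maintainer who sees a PAM module pulling in libpthread. The same applies to the removed ldd/libpthread check in the module-loading loop hunk (@@ -242,14), whose comment explained the hazard the check guarded against.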
@@ -115,48 +102,16 @@ mv pam-redhat-%{pam_redhat_version}/* modules
 autoreconf
 %build
-CFLAGS="-fPIC $RPM_OPT_FLAGS" ; export CFLAGS
-
-topdir=`pwd`/pam-instroot
-test -d ${topdir} || mkdir ${topdir}
-test -d ${topdir}/include || mkdir ${topdir}/include
-test -d ${topdir}/%{_lib} || mkdir ${topdir}/%{_lib}
-
-pushd db-%{db_version}/build_unix
-echo db_cv_mutex=UNIX/fcntl > config.cache
-../dist/configure -C \
- --disable-compat185 \
- --disable-cxx \
- --disable-diagnostic \
- --disable-dump185 \
- --disable-java \
- --disable-rpc \
- --disable-tcl \
- --disable-shared \
- --with-pic \
- --with-uniquename=_pam \
- --with-mutex="UNIX/fcntl" \
- --prefix=${topdir} \
- --includedir=${topdir}/include \
- --libdir=${topdir}/%{_lib}
-make
-make install
-popd
-
-CPPFLAGS=-I${topdir}/include ; export CPPFLAGS
-export LIBNAME="%{_lib}"
-LDFLAGS=-L${topdir}/%{_lib} ; export LDFLAGS
 %configure \
 --libdir=/%{_lib} \
 --includedir=%{_includedir}/security \
- --enable-isadir=../..%{_moduledir} \
 %if ! %{WITH_SELINUX}
 --disable-selinux \
 %endif
 %if ! %{WITH_AUDIT}
 --disable-audit \
 %endif
- --with-db-uniquename=_pam
+ --enable-isadir=../..%{_moduledir}
 make
 # we do not use _smp_mflags because the build of sources in yacc/flex fails
@@ -242,14 +197,6 @@ for module in $RPM_BUILD_ROOT%{_moduledir}/pam*.so ; do
 echo ERROR module: ${module} cannot be loaded.
 exit 1
 fi
-# And for good measure, make sure that none of the modules pull in threading
-# libraries, which if loaded in a non-threaded application, can cause Very
-# Bad Things to happen.
- if env LD_LIBRARY_PATH=$RPM_BUILD_ROOT/%{_lib} \
- LD_PRELOAD=$RPM_BUILD_ROOT%{_libdir}/libpam.so ldd -r ${module} | fgrep -q libpthread ; then
- echo ERROR module: ${module} pulls threading libraries.
- exit 1
- fi
 done
 %clean
@@ -380,6 +327,13 @@ fi
 %doc doc/adg/*.txt doc/adg/html
 %changelog
+* Mon Sep 8 2008 Tomas Mraz 1.0.2-1
+- pam_loginuid: uids are unsigned (#460241)
+- new minor upstream release
+- use external db4
+- drop tests for not pulling in libpthread (as NPTL should
+ be safe)
+
 * Wed Jul 9 2008 Tomas Mraz 1.0.1-5
 - update internal db4
diff --git a/sources b/sources
index 4181908..65ea264 100644
--- a/sources
+++ b/sources
@@ -1,3 +1,2 @@
 26152d9c691715756b514dbf9cab9cd8 pam-redhat-0.99.9-1.tar.bz2
-1c75f81bd44c5da93014992820917847 Linux-PAM-1.0.1.tar.bz2
-ec2b87e833779681a0c3a814aa71359e db-4.7.25.tar.gz
+fc5e35645b75befae28c88b711b28ffb Linux-PAM-1.0.2.tar.bz2