- pam_loginuid: uids are unsigned (#460241)

- new minor upstream release
- use external db4
- drop tests for not pulling in libpthread (as NPTL should be safe)
Tomáš Mráz 2008-09-08 11:01:44 +00:00
parent 7d29dd0246
commit 8955a466b5
10 changed files with 63 additions and 152 deletions


@ -1,5 +1,4 @@
*.src.rpm *.src.rpm
*.tar.bz2 *.tar.bz2
pam-redhat-0.99.9-1.tar.bz2 pam-redhat-0.99.9-1.tar.bz2
Linux-PAM-1.0.1.tar.bz2 Linux-PAM-1.0.2.tar.bz2
db-4.7.25.tar.gz


@ -1,8 +0,0 @@
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.7 (GNU/Linux)
Comment: See http://www.kernel.org/signature.html for info
iD8DBQBIBc9XyGugalF9Dw4RAjh7AJ9qe5Ul/wwxmVxx1mo5XCITTn5M9gCfZXzR
n0RI6KnK3u/LICHHV2zYkZA=
=JRIX
-----END PGP SIGNATURE-----


@ -0,0 +1,8 @@
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)
Comment: See http://www.kernel.org/signature.html for info
iD8DBQBIt8Q3yGugalF9Dw4RAnJQAJ9hxQ8qCSTFxs0hKZnT1iuPIld0VwCfV4pa
mxTaEK08wwAQ2bYjsDhh01s=
=rPNX
-----END PGP SIGNATURE-----


@ -1,26 +0,0 @@
--- Linux-PAM-0.99.3.0/modules/pam_tally/pam_tally.c.fail-close 2005-09-21 15:35:29.000000000 +0200
+++ Linux-PAM-0.99.3.0/modules/pam_tally/pam_tally.c 2006-05-04 13:31:59.000000000 +0200
@@ -318,6 +318,7 @@
}
lstat_ret = fstat(fileno(*TALLY),&fileinfo);
fclose(*TALLY);
+ *TALLY = NULL;
}
if ( lstat_ret ) {
@@ -348,6 +349,7 @@
if ( fseek( *TALLY, uid * sizeof(struct faillog), SEEK_SET ) ) {
pam_syslog(pamh, LOG_ALERT, "fseek failed for %s", filename);
fclose(*TALLY);
+ *TALLY = NULL;
return PAM_AUTH_ERR;
}
@@ -394,6 +396,7 @@
}
if ( fclose(*TALLY) ) {
+ *TALLY = NULL;
pam_syslog(pamh, LOG_ALERT, "update (fclose) failed for %s", filename);
return PAM_AUTH_ERR;
}


@ -1,11 +0,0 @@
--- Linux-PAM-0.99.8.1/configure.in.dbpam 2007-07-23 13:59:20.000000000 +0200
+++ Linux-PAM-0.99.8.1/configure.in 2007-07-23 14:06:54.000000000 +0200
@@ -355,7 +355,7 @@
AC_HELP_STRING([--with-db-uniquename=extension],[Unique name for db libraries and functions.]))
if test x"$WITH_DB" != xno ; then
if test x"$WITH_DB" = xyes -o x"$WITH_DB" = xdb ; then
- AC_CHECK_LIB([db$with_db_uniquename], [db_create$with_db_uniquename], LIBDB="-ldb$with_db_uniquename", LIBDB="")
+ AC_CHECK_LIB([db], [db_create$with_db_uniquename], LIBDB="-ldb", LIBDB="")
if test -z "$LIBDB" ; then
AC_CHECK_LIB([db$with_db_uniquename], [dbm_store$with_db_uniquename], LIBDB="-ldb$with_db_uniquename", LIBDB="")
fi


@ -1,15 +1,16 @@
--- Linux-PAM-0.99.3.0/modules/pam_cracklib/pam_cracklib.c.try-first-pass 2006-01-08 10:49:05.000000000 +0100 diff -up Linux-PAM-1.0.1/modules/pam_cracklib/pam_cracklib.c.try-first-pass Linux-PAM-1.0.1/modules/pam_cracklib/pam_cracklib.c
+++ Linux-PAM-0.99.3.0/modules/pam_cracklib/pam_cracklib.c 2006-02-24 10:42:53.000000000 +0100 --- Linux-PAM-1.0.1/modules/pam_cracklib/pam_cracklib.c.try-first-pass 2008-03-05 21:21:38.000000000 +0100
@@ -93,6 +93,7 @@ +++ Linux-PAM-1.0.1/modules/pam_cracklib/pam_cracklib.c 2008-09-05 21:35:18.000000000 +0200
int low_credit; @@ -98,6 +98,7 @@ struct cracklib_options {
int oth_credit; int oth_credit;
int min_class;
int use_authtok; int use_authtok;
+ int try_first_pass; + int try_first_pass;
char prompt_type[BUFSIZ]; char prompt_type[BUFSIZ];
char cracklib_dictpath[PATH_MAX]; const char *cracklib_dictpath;
}; };
@@ -158,6 +159,10 @@ @@ -169,6 +170,10 @@ _pam_parse (pam_handle_t *pamh, struct c
opt->oth_credit = 0; opt->min_class = 4 ;
} else if (!strncmp(*argv,"use_authtok",11)) { } else if (!strncmp(*argv,"use_authtok",11)) {
opt->use_authtok = 1; opt->use_authtok = 1;
+ } else if (!strncmp(*argv,"use_first_pass",14)) { + } else if (!strncmp(*argv,"use_first_pass",14)) {
@ -17,9 +18,9 @@
+ } else if (!strncmp(*argv,"try_first_pass",14)) { + } else if (!strncmp(*argv,"try_first_pass",14)) {
+ opt->try_first_pass = 1; + opt->try_first_pass = 1;
} else if (!strncmp(*argv,"dictpath=",9)) { } else if (!strncmp(*argv,"dictpath=",9)) {
strncpy(opt->cracklib_dictpath, *argv+9, opt->cracklib_dictpath = *argv+9;
sizeof(opt->cracklib_dictpath) - 1); if (!*(opt->cracklib_dictpath)) {
@@ -559,7 +564,7 @@ @@ -619,7 +624,7 @@ PAM_EXTERN int pam_sm_chauthtok(pam_hand
* set PAM_AUTHTOK and return * set PAM_AUTHTOK and return
*/ */
@ -28,7 +29,7 @@
const void *item = NULL; const void *item = NULL;
retval = pam_get_item(pamh, PAM_AUTHTOK, &item); retval = pam_get_item(pamh, PAM_AUTHTOK, &item);
@@ -570,11 +575,13 @@ @@ -630,11 +635,13 @@ PAM_EXTERN int pam_sm_chauthtok(pam_hand
} else if (item != NULL) { /* we have a password! */ } else if (item != NULL) { /* we have a password! */
token1 = x_strdup(item); token1 = x_strdup(item);
item = NULL; item = NULL;


@ -1,32 +0,0 @@
diff -up Linux-PAM-1.0.1/modules/pam_selinux/pam_selinux.c.restore-execcon Linux-PAM-1.0.1/modules/pam_selinux/pam_selinux.c
--- Linux-PAM-1.0.1/modules/pam_selinux/pam_selinux.c.restore-execcon 2008-03-20 18:06:32.000000000 +0100
+++ Linux-PAM-1.0.1/modules/pam_selinux/pam_selinux.c 2008-04-22 21:11:34.000000000 +0200
@@ -702,21 +702,21 @@ pam_sm_close_session(pam_handle_t *pamh,
free(ttyn);
ttyn=NULL;
}
- if (prev_user_context) {
- if (setexeccon(prev_user_context)) {
+
+ if (setexeccon(prev_user_context)) {
pam_syslog(pamh, LOG_ERR, "Unable to restore executable context %s.",
- prev_user_context);
+ prev_user_context ? prev_user_context : "");
if (security_getenforce() == 1)
status = PAM_AUTH_ERR;
else
status = PAM_SUCCESS;
- }
+ } else if (debug)
+ pam_syslog(pamh, LOG_NOTICE, "Executable context back to original");
+
+ if (prev_user_context) {
freecon(prev_user_context);
prev_user_context = NULL;
}
- if (debug)
- pam_syslog(pamh, LOG_NOTICE, "setcontext back to orginal");
-
return status;
}


@ -0,0 +1,27 @@
diff -up Linux-PAM-1.0.1/modules/pam_tally/pam_tally.c.fail-close Linux-PAM-1.0.1/modules/pam_tally/pam_tally.c
--- Linux-PAM-1.0.1/modules/pam_tally/pam_tally.c.fail-close 2007-11-20 11:58:11.000000000 +0100
+++ Linux-PAM-1.0.1/modules/pam_tally/pam_tally.c 2008-09-05 21:54:31.000000000 +0200
@@ -325,6 +325,7 @@ get_tally(pam_handle_t *pamh, tally_t *t
}
lstat_ret = fstat(fileno(*TALLY),&fileinfo);
fclose(*TALLY);
+ *TALLY = NULL;
}
if ( lstat_ret ) {
@@ -355,6 +356,7 @@ get_tally(pam_handle_t *pamh, tally_t *t
if ( fseeko( *TALLY, (off_t) uid * sizeof(struct faillog), SEEK_SET ) ) {
pam_syslog(pamh, LOG_ALERT, "fseek failed for %s", filename);
fclose(*TALLY);
+ *TALLY = NULL;
return PAM_AUTH_ERR;
}
@@ -403,6 +405,7 @@ set_tally(pam_handle_t *pamh, tally_t ta
}
if ( fclose(*TALLY) ) {
+ *TALLY = NULL;
pam_syslog(pamh, LOG_ALERT, "update (fclose) failed for %s", filename);
return PAM_AUTH_ERR;
}
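Review bot: In the set_tally hunk the added `*TALLY = NULL;` sits inside the `if ( fclose(*TALLY) )` failure branch, so whether the pointer is also cleared after a successful close depends on code outside the hunk. The stream is unusable after fclose() whatever it returns, and a stale `FILE *` left in the caller's variable invites a second close or a write through a closed stream in a module that runs during authentication. Capturing the result first makes both paths safe: `int rc = fclose(*TALLY); *TALLY = NULL;` followed by `if ( rc ) {`. The two get_tally hunks already clear the pointer unconditionally right after fclose(); both function bodies start and end outside the hunks shown.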


@ -1,11 +1,9 @@
%define db_version 4.7.25
%define db_conflicting_version 4.8.0
%define pam_redhat_version 0.99.9-1 %define pam_redhat_version 0.99.9-1
Summary: A security tool which provides authentication for applications Summary: A security tool which provides authentication for applications
Name: pam Name: pam
Version: 1.0.1 Version: 1.0.2
Release: 5%{?dist} Release: 1%{?dist}
# The library is BSD licensed with option to relicense as GPLv2+ - this option is redundant # The library is BSD licensed with option to relicense as GPLv2+ - this option is redundant
# as the BSD license allows that anyway. pam_timestamp and pam_console modules are GPLv2+, # as the BSD license allows that anyway. pam_timestamp and pam_console modules are GPLv2+,
# pam_rhosts_auth module is BSD with advertising # pam_rhosts_auth module is BSD with advertising
@ -14,7 +12,6 @@ Group: System Environment/Base
Source0: http://ftp.us.kernel.org/pub/linux/libs/pam/library/Linux-PAM-%{version}.tar.bz2 Source0: http://ftp.us.kernel.org/pub/linux/libs/pam/library/Linux-PAM-%{version}.tar.bz2
Source1: http://ftp.us.kernel.org/pub/linux/libs/pam/library/Linux-PAM-%{version}.tar.bz2.sign Source1: http://ftp.us.kernel.org/pub/linux/libs/pam/library/Linux-PAM-%{version}.tar.bz2.sign
Source2: https://fedorahosted.org/releases/p/a/pam-redhat/pam-redhat-%{pam_redhat_version}.tar.bz2 Source2: https://fedorahosted.org/releases/p/a/pam-redhat/pam-redhat-%{pam_redhat_version}.tar.bz2
Source4: http://download.oracle.com/berkeley-db/db-%{db_version}.tar.gz
Source5: other.pamd Source5: other.pamd
Source6: system-auth.pamd Source6: system-auth.pamd
Source7: config-util.pamd Source7: config-util.pamd
@ -23,15 +20,13 @@ Source9: system-auth.5
Source10: config-util.5 Source10: config-util.5
Source11: 90-nproc.conf Source11: 90-nproc.conf
Patch1: pam-0.99.7.0-redhat-modules.patch Patch1: pam-0.99.7.0-redhat-modules.patch
Patch4: pam-0.99.8.1-dbpam.patch
Patch5: pam-1.0.1-autoreconf.patch Patch5: pam-1.0.1-autoreconf.patch
Patch10: pam-1.0.0-sepermit-screensaver.patch Patch10: pam-1.0.0-sepermit-screensaver.patch
Patch11: pam-1.0.1-selinux-restore-execcon.patch
Patch12: pam-1.0.0-selinux-env-params.patch Patch12: pam-1.0.0-selinux-env-params.patch
Patch21: pam-0.99.10.0-unix-audit-failed.patch Patch21: pam-0.99.10.0-unix-audit-failed.patch
Patch22: pam-1.0.1-unix-prompts.patch Patch22: pam-1.0.1-unix-prompts.patch
Patch31: pam-0.99.3.0-cracklib-try-first-pass.patch Patch31: pam-1.0.1-cracklib-try-first-pass.patch
Patch32: pam-0.99.3.0-tally-fail-close.patch Patch32: pam-1.0.1-tally-fail-close.patch
Patch41: pam-1.0.1-namespace-create.patch Patch41: pam-1.0.1-namespace-create.patch
%define _sbindir /sbin %define _sbindir /sbin
@ -64,19 +59,13 @@ Requires: libselinux >= 1.33.2
%endif %endif
BuildRequires: glibc >= 2.3.90-37 BuildRequires: glibc >= 2.3.90-37
Requires: glibc >= 2.3.90-37 Requires: glibc >= 2.3.90-37
BuildRequires: db4-devel
# Following deps are necessary only to build the pam library documentation. # Following deps are necessary only to build the pam library documentation.
BuildRequires: linuxdoc-tools, w3m, libxslt BuildRequires: linuxdoc-tools, w3m, libxslt
BuildRequires: docbook-style-xsl, docbook-dtds BuildRequires: docbook-style-xsl, docbook-dtds
URL: http://www.us.kernel.org/pub/linux/libs/pam/index.html URL: http://www.us.kernel.org/pub/linux/libs/pam/index.html
# We internalize libdb to get a non-threaded copy, but we should at least try
# to coexist with the system's copy of libdb, which will be used to make the
# files for use by pam_userdb (either by db_load or Perl's DB_File module).
# The non-threaded db4 is necessary so we do not break single threaded
# services when they call pam_userdb.so module.
Conflicts: db4 >= %{db_conflicting_version}
%description %description
PAM (Pluggable Authentication Modules) is a system security tool that PAM (Pluggable Authentication Modules) is a system security tool that
allows system administrators to set authentication policy without allows system administrators to set authentication policy without
@ -95,16 +84,14 @@ contains header files and static libraries used for building both
PAM-aware applications and modules for use with PAM. PAM-aware applications and modules for use with PAM.
%prep %prep
%setup -q -n Linux-PAM-%{version} -a 2 -a 4 %setup -q -n Linux-PAM-%{version} -a 2
# Add custom modules. # Add custom modules.
mv pam-redhat-%{pam_redhat_version}/* modules mv pam-redhat-%{pam_redhat_version}/* modules
%patch1 -p1 -b .redhat-modules %patch1 -p1 -b .redhat-modules
%patch4 -p1 -b .dbpam
%patch5 -p1 -b .autoreconf %patch5 -p1 -b .autoreconf
%patch10 -p1 -b .screensaver %patch10 -p1 -b .screensaver
%patch11 -p1 -b .restore-execcon
%patch12 -p0 -b .env-params %patch12 -p0 -b .env-params
%patch21 -p1 -b .audit-failed %patch21 -p1 -b .audit-failed
%patch22 -p1 -b .prompts %patch22 -p1 -b .prompts
@ -115,48 +102,16 @@ mv pam-redhat-%{pam_redhat_version}/* modules
autoreconf autoreconf
%build %build
CFLAGS="-fPIC $RPM_OPT_FLAGS" ; export CFLAGS
topdir=`pwd`/pam-instroot
test -d ${topdir} || mkdir ${topdir}
test -d ${topdir}/include || mkdir ${topdir}/include
test -d ${topdir}/%{_lib} || mkdir ${topdir}/%{_lib}
pushd db-%{db_version}/build_unix
echo db_cv_mutex=UNIX/fcntl > config.cache
../dist/configure -C \
--disable-compat185 \
--disable-cxx \
--disable-diagnostic \
--disable-dump185 \
--disable-java \
--disable-rpc \
--disable-tcl \
--disable-shared \
--with-pic \
--with-uniquename=_pam \
--with-mutex="UNIX/fcntl" \
--prefix=${topdir} \
--includedir=${topdir}/include \
--libdir=${topdir}/%{_lib}
make
make install
popd
CPPFLAGS=-I${topdir}/include ; export CPPFLAGS
export LIBNAME="%{_lib}"
LDFLAGS=-L${topdir}/%{_lib} ; export LDFLAGS
%configure \ %configure \
--libdir=/%{_lib} \ --libdir=/%{_lib} \
--includedir=%{_includedir}/security \ --includedir=%{_includedir}/security \
--enable-isadir=../..%{_moduledir} \
%if ! %{WITH_SELINUX} %if ! %{WITH_SELINUX}
--disable-selinux \ --disable-selinux \
%endif %endif
%if ! %{WITH_AUDIT} %if ! %{WITH_AUDIT}
--disable-audit \ --disable-audit \
%endif %endif
--with-db-uniquename=_pam --enable-isadir=../..%{_moduledir}
make make
# we do not use _smp_mflags because the build of sources in yacc/flex fails # we do not use _smp_mflags because the build of sources in yacc/flex fails
@ -242,14 +197,6 @@ for module in $RPM_BUILD_ROOT%{_moduledir}/pam*.so ; do
echo ERROR module: ${module} cannot be loaded. echo ERROR module: ${module} cannot be loaded.
exit 1 exit 1
fi fi
# And for good measure, make sure that none of the modules pull in threading
# libraries, which if loaded in a non-threaded application, can cause Very
# Bad Things to happen.
if env LD_LIBRARY_PATH=$RPM_BUILD_ROOT/%{_lib} \
LD_PRELOAD=$RPM_BUILD_ROOT%{_libdir}/libpam.so ldd -r ${module} | fgrep -q libpthread ; then
echo ERROR module: ${module} pulls threading libraries.
exit 1
fi
done done
%clean %clean
@ -380,6 +327,13 @@ fi
%doc doc/adg/*.txt doc/adg/html %doc doc/adg/*.txt doc/adg/html
%changelog %changelog
* Mon Sep 8 2008 Tomas Mraz <tmraz@redhat.com> 1.0.2-1
- pam_loginuid: uids are unsigned (#460241)
- new minor upstream release
- use external db4
- drop tests for not pulling in libpthread (as NPTL should
be safe)
* Wed Jul 9 2008 Tomas Mraz <tmraz@redhat.com> 1.0.1-5 * Wed Jul 9 2008 Tomas Mraz <tmraz@redhat.com> 1.0.1-5
- update internal db4 - update internal db4
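Review bot: Source1 is the detached signature for the upstream tarball and this commit refreshes it for 1.0.2, but the visible `%prep` goes straight to `%setup -q -n Linux-PAM-%{version} -a 2` without checking it, while Source0 is fetched over plain http. For a package that supplies the system authentication stack, a verification step ahead of `%setup` would turn the shipped signature into a build-time check, e.g. `gpgv --keyring <upstream-keyring-placeholder> %{SOURCE1} %{SOURCE0}` with the keyring added as a further Source. Separately, the comment explaining the non-threaded libdb appears to be removed together with the libpthread test; a one-line spec comment such as `# pam_userdb links the system db4; a threaded libdb is accepted because NPTL is considered safe` would keep that decision visible. Lines of `%prep` outside the hunk are not shown, so an existing check there cannot be ruled out.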


@ -1,3 +1,2 @@
26152d9c691715756b514dbf9cab9cd8 pam-redhat-0.99.9-1.tar.bz2 26152d9c691715756b514dbf9cab9cd8 pam-redhat-0.99.9-1.tar.bz2
1c75f81bd44c5da93014992820917847 Linux-PAM-1.0.1.tar.bz2 fc5e35645b75befae28c88b711b28ffb Linux-PAM-1.0.2.tar.bz2
ec2b87e833779681a0c3a814aa71359e db-4.7.25.tar.gz