- pam_loginuid: uids are unsigned (#460241)
- new minor upstream release - use external db4 - drop tests for not pulling in libpthread (as NPTL should be safe)
		
							parent
							
								
									7d29dd0246
								
							
						
					
					
						commit
						8955a466b5
					
				| @ -1,5 +1,4 @@ | ||||
| *.src.rpm | ||||
| *.tar.bz2 | ||||
| pam-redhat-0.99.9-1.tar.bz2 | ||||
| Linux-PAM-1.0.1.tar.bz2 | ||||
| db-4.7.25.tar.gz | ||||
| Linux-PAM-1.0.2.tar.bz2 | ||||
|  | ||||
| @ -1,8 +0,0 @@ | ||||
| -----BEGIN PGP SIGNATURE----- | ||||
| Version: GnuPG v1.4.7 (GNU/Linux) | ||||
| Comment: See http://www.kernel.org/signature.html for info | ||||
| 
 | ||||
| iD8DBQBIBc9XyGugalF9Dw4RAjh7AJ9qe5Ul/wwxmVxx1mo5XCITTn5M9gCfZXzR | ||||
| n0RI6KnK3u/LICHHV2zYkZA= | ||||
| =JRIX | ||||
| -----END PGP SIGNATURE----- | ||||
							
								
								
									
										8
									
								
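--- a/Linux-PAM-1.0.2.tar.bz2.sign
+++ b/Linux-PAM-1.0.2.tar.bz2.sign
@@ -0,0 +1,8 @@
+-----BEGIN PGP SIGNATURE-----
+Version: GnuPG v1.4.9 (GNU/Linux)
+Comment: See http://www.kernel.org/signature.html for info
+
+iD8DBQBIt8Q3yGugalF9Dw4RAnJQAJ9hxQ8qCSTFxs0hKZnT1iuPIld0VwCfV4pa
+mxTaEK08wwAQ2bYjsDhh01s=
+=rPNX
+-----END PGP SIGNATURE-----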
| @ -1,26 +0,0 @@ | ||||
| --- Linux-PAM-0.99.3.0/modules/pam_tally/pam_tally.c.fail-close	2005-09-21 15:35:29.000000000 +0200
 | ||||
| +++ Linux-PAM-0.99.3.0/modules/pam_tally/pam_tally.c	2006-05-04 13:31:59.000000000 +0200
 | ||||
| @@ -318,6 +318,7 @@
 | ||||
|        } | ||||
|        lstat_ret = fstat(fileno(*TALLY),&fileinfo); | ||||
|        fclose(*TALLY); | ||||
| +      *TALLY = NULL;
 | ||||
|      } | ||||
|   | ||||
|      if ( lstat_ret ) { | ||||
| @@ -348,6 +349,7 @@
 | ||||
|      if ( fseek( *TALLY, uid * sizeof(struct faillog), SEEK_SET ) ) { | ||||
|            pam_syslog(pamh, LOG_ALERT, "fseek failed for %s", filename); | ||||
|            fclose(*TALLY); | ||||
| +          *TALLY = NULL;
 | ||||
|            return PAM_AUTH_ERR; | ||||
|      } | ||||
|   | ||||
| @@ -394,6 +396,7 @@
 | ||||
|        } | ||||
|   | ||||
|      if ( fclose(*TALLY) ) { | ||||
| +      *TALLY = NULL;
 | ||||
|        pam_syslog(pamh, LOG_ALERT, "update (fclose) failed for %s", filename); | ||||
|        return PAM_AUTH_ERR; | ||||
|      } | ||||
| @ -1,11 +0,0 @@ | ||||
| --- Linux-PAM-0.99.8.1/configure.in.dbpam	2007-07-23 13:59:20.000000000 +0200
 | ||||
| +++ Linux-PAM-0.99.8.1/configure.in	2007-07-23 14:06:54.000000000 +0200
 | ||||
| @@ -355,7 +355,7 @@
 | ||||
|  	AC_HELP_STRING([--with-db-uniquename=extension],[Unique name for db libraries and functions.])) | ||||
|  if test x"$WITH_DB" != xno ; then | ||||
|          if test x"$WITH_DB" = xyes -o x"$WITH_DB" = xdb ; then | ||||
| -              AC_CHECK_LIB([db$with_db_uniquename], [db_create$with_db_uniquename], LIBDB="-ldb$with_db_uniquename", LIBDB="")
 | ||||
| +              AC_CHECK_LIB([db], [db_create$with_db_uniquename], LIBDB="-ldb", LIBDB="")
 | ||||
|                if test -z "$LIBDB" ; then | ||||
|                    AC_CHECK_LIB([db$with_db_uniquename], [dbm_store$with_db_uniquename], LIBDB="-ldb$with_db_uniquename", LIBDB="") | ||||
|                fi | ||||
| @ -1,15 +1,16 @@ | ||||
| --- Linux-PAM-0.99.3.0/modules/pam_cracklib/pam_cracklib.c.try-first-pass	2006-01-08 10:49:05.000000000 +0100
 | ||||
| +++ Linux-PAM-0.99.3.0/modules/pam_cracklib/pam_cracklib.c	2006-02-24 10:42:53.000000000 +0100
 | ||||
| @@ -93,6 +93,7 @@
 | ||||
|  	int low_credit; | ||||
| diff -up Linux-PAM-1.0.1/modules/pam_cracklib/pam_cracklib.c.try-first-pass Linux-PAM-1.0.1/modules/pam_cracklib/pam_cracklib.c
 | ||||
| --- Linux-PAM-1.0.1/modules/pam_cracklib/pam_cracklib.c.try-first-pass	2008-03-05 21:21:38.000000000 +0100
 | ||||
| +++ Linux-PAM-1.0.1/modules/pam_cracklib/pam_cracklib.c	2008-09-05 21:35:18.000000000 +0200
 | ||||
| @@ -98,6 +98,7 @@ struct cracklib_options {
 | ||||
|  	int oth_credit; | ||||
|          int min_class; | ||||
|  	int use_authtok; | ||||
| +	int try_first_pass;
 | ||||
|  	char prompt_type[BUFSIZ]; | ||||
|          char cracklib_dictpath[PATH_MAX]; | ||||
|          const char *cracklib_dictpath; | ||||
|  }; | ||||
| @@ -158,6 +159,10 @@
 | ||||
|  		 opt->oth_credit = 0; | ||||
| @@ -169,6 +170,10 @@ _pam_parse (pam_handle_t *pamh, struct c
 | ||||
|                       opt->min_class = 4 ; | ||||
|  	 } else if (!strncmp(*argv,"use_authtok",11)) { | ||||
|  		 opt->use_authtok = 1; | ||||
| +	 } else if (!strncmp(*argv,"use_first_pass",14)) {
 | ||||
| @ -17,9 +18,9 @@ | ||||
| +	 } else if (!strncmp(*argv,"try_first_pass",14)) {
 | ||||
| +		 opt->try_first_pass = 1;
 | ||||
|  	 } else if (!strncmp(*argv,"dictpath=",9)) { | ||||
|  	     strncpy(opt->cracklib_dictpath, *argv+9, | ||||
|  		     sizeof(opt->cracklib_dictpath) - 1); | ||||
| @@ -559,7 +564,7 @@
 | ||||
|  	     opt->cracklib_dictpath = *argv+9; | ||||
|  	     if (!*(opt->cracklib_dictpath)) { | ||||
| @@ -619,7 +624,7 @@ PAM_EXTERN int pam_sm_chauthtok(pam_hand
 | ||||
|           * set PAM_AUTHTOK and return | ||||
|           */ | ||||
|   | ||||
| @ -28,7 +29,7 @@ | ||||
|  	    const void *item = NULL; | ||||
|   | ||||
|  	    retval = pam_get_item(pamh, PAM_AUTHTOK, &item); | ||||
| @@ -570,11 +575,13 @@
 | ||||
| @@ -630,11 +635,13 @@ PAM_EXTERN int pam_sm_chauthtok(pam_hand
 | ||||
|  	    } else if (item != NULL) {      /* we have a password! */ | ||||
|  		token1 = x_strdup(item); | ||||
|  		item = NULL; | ||||
| @ -1,32 +0,0 @@ | ||||
| diff -up Linux-PAM-1.0.1/modules/pam_selinux/pam_selinux.c.restore-execcon Linux-PAM-1.0.1/modules/pam_selinux/pam_selinux.c
 | ||||
| --- Linux-PAM-1.0.1/modules/pam_selinux/pam_selinux.c.restore-execcon	2008-03-20 18:06:32.000000000 +0100
 | ||||
| +++ Linux-PAM-1.0.1/modules/pam_selinux/pam_selinux.c	2008-04-22 21:11:34.000000000 +0200
 | ||||
| @@ -702,21 +702,21 @@ pam_sm_close_session(pam_handle_t *pamh,
 | ||||
|      free(ttyn); | ||||
|      ttyn=NULL; | ||||
|    } | ||||
| -  if (prev_user_context) {
 | ||||
| -    if (setexeccon(prev_user_context)) {
 | ||||
| +
 | ||||
| +  if (setexeccon(prev_user_context)) {
 | ||||
|        pam_syslog(pamh, LOG_ERR, "Unable to restore executable context %s.", | ||||
| -	       prev_user_context);
 | ||||
| +	       prev_user_context ? prev_user_context : "");
 | ||||
|        if (security_getenforce() == 1) | ||||
|           status = PAM_AUTH_ERR; | ||||
|        else | ||||
|           status = PAM_SUCCESS; | ||||
| -    }
 | ||||
| +  } else if (debug)
 | ||||
| +      pam_syslog(pamh, LOG_NOTICE, "Executable context back to original");
 | ||||
| +
 | ||||
| +  if (prev_user_context) {
 | ||||
|      freecon(prev_user_context); | ||||
|      prev_user_context = NULL; | ||||
|    } | ||||
|   | ||||
| -  if (debug)
 | ||||
| -    pam_syslog(pamh, LOG_NOTICE, "setcontext back to orginal");
 | ||||
| -
 | ||||
|    return status; | ||||
|  } | ||||
							
								
								
									
										27
									
								
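--- a/pam-1.0.1-tally-fail-close.patch
+++ b/pam-1.0.1-tally-fail-close.patch
@@ -0,0 +1,27 @@
+diff -up Linux-PAM-1.0.1/modules/pam_tally/pam_tally.c.fail-close Linux-PAM-1.0.1/modules/pam_tally/pam_tally.c
+--- Linux-PAM-1.0.1/modules/pam_tally/pam_tally.c.fail-close	2007-11-20 11:58:11.000000000 +0100
++++ Linux-PAM-1.0.1/modules/pam_tally/pam_tally.c	2008-09-05 21:54:31.000000000 +0200
+@@ -325,6 +325,7 @@ get_tally(pam_handle_t *pamh, tally_t *t
+       }
+       lstat_ret = fstat(fileno(*TALLY),&fileinfo);
+       fclose(*TALLY);
++      *TALLY = NULL;
+     }
+ 
+     if ( lstat_ret ) {
+@@ -355,6 +356,7 @@ get_tally(pam_handle_t *pamh, tally_t *t
+     if ( fseeko( *TALLY, (off_t) uid * sizeof(struct faillog), SEEK_SET ) ) {
+           pam_syslog(pamh, LOG_ALERT, "fseek failed for %s", filename);
+           fclose(*TALLY);
++          *TALLY = NULL;
+           return PAM_AUTH_ERR;
+     }
+ 
+@@ -403,6 +405,7 @@ set_tally(pam_handle_t *pamh, tally_t ta
+     }
+ 
+     if ( fclose(*TALLY) ) {
++      *TALLY = NULL;
+       pam_syslog(pamh, LOG_ALERT, "update (fclose) failed for %s", filename);
+       return PAM_AUTH_ERR;
+     }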
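Review bot: The patch file has no description above its `diff -up` line, so the reason for the three `*TALLY = NULL;` additions has to be inferred: each follows an `fclose(*TALLY)` in `get_tally` or `set_tally`, presumably so a caller holding the `FILE **` cannot use or close the stream a second time. A one-line header would record that, for example `Reset *TALLY after fclose() so callers never see an already-closed stream.` In the `set_tally` hunk the reset sits only inside the `if ( fclose(*TALLY) )` failure branch; whether the success path also clears the pointer lies outside the hunk and is worth confirming against the full file. Both functions start and end outside the hunks shown.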
							
								
								
									
										74
									
								
								pam.spec
									
									
									
									
									
								
							
							
						
						
									
									
									
									
									
									
								
							| @ -1,11 +1,9 @@ | ||||
| %define db_version 4.7.25 | ||||
| %define db_conflicting_version 4.8.0 | ||||
| %define pam_redhat_version 0.99.9-1 | ||||
| 
 | ||||
| Summary: A security tool which provides authentication for applications | ||||
| Name: pam | ||||
| Version: 1.0.1 | ||||
| Release: 5%{?dist} | ||||
| Version: 1.0.2 | ||||
| Release: 1%{?dist} | ||||
| # The library is BSD licensed with option to relicense as GPLv2+ - this option is redundant | ||||
| # as the BSD license allows that anyway. pam_timestamp and pam_console modules are GPLv2+, | ||||
| # pam_rhosts_auth module is BSD with advertising | ||||
| @ -14,7 +12,6 @@ Group: System Environment/Base | ||||
| Source0: http://ftp.us.kernel.org/pub/linux/libs/pam/library/Linux-PAM-%{version}.tar.bz2 | ||||
| Source1: http://ftp.us.kernel.org/pub/linux/libs/pam/library/Linux-PAM-%{version}.tar.bz2.sign | ||||
| Source2: https://fedorahosted.org/releases/p/a/pam-redhat/pam-redhat-%{pam_redhat_version}.tar.bz2 | ||||
| Source4: http://download.oracle.com/berkeley-db/db-%{db_version}.tar.gz | ||||
| Source5: other.pamd | ||||
| Source6: system-auth.pamd | ||||
| Source7: config-util.pamd | ||||
| @ -23,15 +20,13 @@ Source9: system-auth.5 | ||||
| Source10: config-util.5 | ||||
| Source11: 90-nproc.conf | ||||
| Patch1:  pam-0.99.7.0-redhat-modules.patch | ||||
| Patch4:  pam-0.99.8.1-dbpam.patch | ||||
| Patch5:  pam-1.0.1-autoreconf.patch | ||||
| Patch10: pam-1.0.0-sepermit-screensaver.patch | ||||
| Patch11: pam-1.0.1-selinux-restore-execcon.patch | ||||
| Patch12: pam-1.0.0-selinux-env-params.patch | ||||
| Patch21: pam-0.99.10.0-unix-audit-failed.patch | ||||
| Patch22: pam-1.0.1-unix-prompts.patch | ||||
| Patch31: pam-0.99.3.0-cracklib-try-first-pass.patch | ||||
| Patch32: pam-0.99.3.0-tally-fail-close.patch | ||||
| Patch31: pam-1.0.1-cracklib-try-first-pass.patch | ||||
| Patch32: pam-1.0.1-tally-fail-close.patch | ||||
| Patch41: pam-1.0.1-namespace-create.patch | ||||
| 
 | ||||
| %define _sbindir /sbin | ||||
| @ -64,19 +59,13 @@ Requires: libselinux >= 1.33.2 | ||||
| %endif | ||||
| BuildRequires: glibc >= 2.3.90-37 | ||||
| Requires: glibc >= 2.3.90-37 | ||||
| BuildRequires: db4-devel | ||||
| # Following deps are necessary only to build the pam library documentation. | ||||
| BuildRequires: linuxdoc-tools, w3m, libxslt | ||||
| BuildRequires: docbook-style-xsl, docbook-dtds | ||||
| 
 | ||||
| URL: http://www.us.kernel.org/pub/linux/libs/pam/index.html | ||||
| 
 | ||||
| # We internalize libdb to get a non-threaded copy, but we should at least try | ||||
| # to coexist with the system's copy of libdb, which will be used to make the | ||||
| # files for use by pam_userdb (either by db_load or Perl's DB_File module). | ||||
| # The non-threaded db4 is necessary so we do not break single threaded | ||||
| # services when they call pam_userdb.so module. | ||||
| Conflicts: db4 >= %{db_conflicting_version} | ||||
| 
 | ||||
| %description | ||||
| PAM (Pluggable Authentication Modules) is a system security tool that | ||||
| allows system administrators to set authentication policy without | ||||
| @ -95,16 +84,14 @@ contains header files and static libraries used for building both | ||||
| PAM-aware applications and modules for use with PAM. | ||||
| 
 | ||||
| %prep | ||||
| %setup -q -n Linux-PAM-%{version} -a 2 -a 4 | ||||
| %setup -q -n Linux-PAM-%{version} -a 2 | ||||
| 
 | ||||
| # Add custom modules. | ||||
| mv pam-redhat-%{pam_redhat_version}/* modules | ||||
| 
 | ||||
| %patch1 -p1 -b .redhat-modules | ||||
| %patch4 -p1 -b .dbpam | ||||
| %patch5 -p1 -b .autoreconf | ||||
| %patch10 -p1 -b .screensaver | ||||
| %patch11 -p1 -b .restore-execcon | ||||
| %patch12 -p0 -b .env-params | ||||
| %patch21 -p1 -b .audit-failed | ||||
| %patch22 -p1 -b .prompts | ||||
| @ -115,48 +102,16 @@ mv pam-redhat-%{pam_redhat_version}/* modules | ||||
| autoreconf | ||||
| 
 | ||||
| %build | ||||
| CFLAGS="-fPIC $RPM_OPT_FLAGS" ; export CFLAGS | ||||
| 
 | ||||
| topdir=`pwd`/pam-instroot | ||||
| test -d ${topdir}         || mkdir ${topdir} | ||||
| test -d ${topdir}/include || mkdir ${topdir}/include | ||||
| test -d ${topdir}/%{_lib} || mkdir ${topdir}/%{_lib} | ||||
| 
 | ||||
| pushd db-%{db_version}/build_unix | ||||
| echo db_cv_mutex=UNIX/fcntl > config.cache | ||||
| ../dist/configure -C \ | ||||
| 	--disable-compat185 \ | ||||
| 	--disable-cxx \ | ||||
| 	--disable-diagnostic \ | ||||
| 	--disable-dump185 \ | ||||
| 	--disable-java \ | ||||
| 	--disable-rpc \ | ||||
| 	--disable-tcl \ | ||||
| 	--disable-shared \ | ||||
| 	--with-pic \ | ||||
| 	--with-uniquename=_pam \ | ||||
| 	--with-mutex="UNIX/fcntl" \ | ||||
| 	--prefix=${topdir} \ | ||||
| 	--includedir=${topdir}/include \ | ||||
| 	--libdir=${topdir}/%{_lib} | ||||
| make | ||||
| make install | ||||
| popd | ||||
| 
 | ||||
| CPPFLAGS=-I${topdir}/include ; export CPPFLAGS | ||||
| export LIBNAME="%{_lib}" | ||||
| LDFLAGS=-L${topdir}/%{_lib} ; export LDFLAGS | ||||
| %configure \ | ||||
| 	--libdir=/%{_lib} \ | ||||
| 	--includedir=%{_includedir}/security \ | ||||
| 	--enable-isadir=../..%{_moduledir} \ | ||||
| %if ! %{WITH_SELINUX} | ||||
| 	--disable-selinux \ | ||||
| %endif | ||||
| %if ! %{WITH_AUDIT} | ||||
| 	--disable-audit \ | ||||
| %endif | ||||
| 	--with-db-uniquename=_pam | ||||
| 	--enable-isadir=../..%{_moduledir} | ||||
| make | ||||
| # we do not use _smp_mflags because the build of sources in yacc/flex fails | ||||
| 
 | ||||
| @ -242,14 +197,6 @@ for module in $RPM_BUILD_ROOT%{_moduledir}/pam*.so ; do | ||||
| 		echo ERROR module: ${module} cannot be loaded. | ||||
| 		exit 1 | ||||
| 	fi | ||||
| # And for good measure, make sure that none of the modules pull in threading | ||||
| # libraries, which if loaded in a non-threaded application, can cause Very | ||||
| # Bad Things to happen. | ||||
| 	if env LD_LIBRARY_PATH=$RPM_BUILD_ROOT/%{_lib} \ | ||||
| 	       LD_PRELOAD=$RPM_BUILD_ROOT%{_libdir}/libpam.so ldd -r ${module} | fgrep -q libpthread ; then | ||||
| 		echo ERROR module: ${module} pulls threading libraries. | ||||
| 		exit 1 | ||||
| 	fi | ||||
| done | ||||
| 
 | ||||
| %clean | ||||
| @ -380,6 +327,13 @@ fi | ||||
| %doc doc/adg/*.txt doc/adg/html | ||||
| 
 | ||||
| %changelog | ||||
| * Mon Sep  8 2008 Tomas Mraz <tmraz@redhat.com> 1.0.2-1 | ||||
| - pam_loginuid: uids are unsigned (#460241) | ||||
| - new minor upstream release | ||||
| - use external db4 | ||||
| - drop tests for not pulling in libpthread (as NPTL should | ||||
|   be safe) | ||||
| 
 | ||||
| * Wed Jul  9 2008 Tomas Mraz <tmraz@redhat.com> 1.0.1-5 | ||||
| - update internal db4 | ||||
| 
 | ||||
|  | ||||
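Review bot: Nothing visible in `%prep` checks `Source0` against the refreshed detached signature shipped as `Source1`; the section goes straight from `%setup -q -n Linux-PAM-%{version} -a 2` to applying patches, and both sources are listed with plain `http://` URLs. With the upstream tarball changing in this update, the signature protects the build only if the check is enforced or its manual execution is recorded. If verification is done by hand when a new tarball is imported, a comment above `Source1` such as `# Detached upstream signature; verify Source0 against it when importing a new tarball` would make that step explicit for the next maintainer. Parts of the spec are collapsed between the hunks shown, so a verification step elsewhere cannot be ruled out.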