From 8fa0463a67880d37f817dba6937e2764e328fbee Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Tom=C3=A1=C5=A1=20Mr=C3=A1z?= Date: Mon, 6 Aug 2007 12:31:50 +0000 Subject: [PATCH] - updated db4 to 4.6.18 (#249740) - added user and new instance parameters to namespace init - document the new features of pam_namespace - do not log an audit error when uid != 0 (#249870) --- .cvsignore | 2 +- pam-0.99.7.1-namespace-temp-logon.patch | 94 +++++++++++++++++-------- pam-0.99.8.1-audit-no-log.patch | 27 +++++++ pam-0.99.8.1-namespace-init.patch | 91 ++++++++++++++++++++++++ pam.spec | 16 ++++- sources | 2 +- 6 files changed, 196 insertions(+), 36 deletions(-) create mode 100644 pam-0.99.8.1-audit-no-log.patch create mode 100644 pam-0.99.8.1-namespace-init.patch diff --git a/.cvsignore b/.cvsignore index 357da6c..8db1b7f 100644 --- a/.cvsignore +++ b/.cvsignore @@ -1,5 +1,5 @@ -db-4.5.20.tar.gz *.src.rpm *.tar.bz2 pam-redhat-0.99.8-1.tar.bz2 Linux-PAM-0.99.8.1.tar.bz2 +db-4.6.18.tar.gz diff --git a/pam-0.99.7.1-namespace-temp-logon.patch b/pam-0.99.7.1-namespace-temp-logon.patch index d39c75a..f42ae0f 100644 --- a/pam-0.99.7.1-namespace-temp-logon.patch +++ b/pam-0.99.7.1-namespace-temp-logon.patch 
@@ -1,5 +1,36 @@ ---- Linux-PAM-0.99.7.1/modules/pam_namespace/pam_namespace.h.temp-logon 2007-06-01 15:29:11.000000000 +0200 -+++ Linux-PAM-0.99.7.1/modules/pam_namespace/pam_namespace.h 2007-06-01 15:29:11.000000000 +0200 +diff -up Linux-PAM-0.99.8.1/modules/pam_namespace/namespace.conf.5.xml.temp-logon Linux-PAM-0.99.8.1/modules/pam_namespace/namespace.conf.5.xml +--- Linux-PAM-0.99.8.1/modules/pam_namespace/namespace.conf.5.xml.temp-logon 2007-06-18 12:46:47.000000000 +0200 ++++ Linux-PAM-0.99.8.1/modules/pam_namespace/namespace.conf.5.xml 2007-08-06 13:16:56.000000000 +0200 +@@ -72,10 +72,13 @@ + + + The third field, method, is the method +- used for polyinstantiation. It can take 3 different values; "user" ++ used for polyinstantiation. It can take these values; "user" + for polyinstantiation based on user name, "level" for +- polyinstantiation based on process MLS level and user name, and "context" for +- polyinstantiation based on process security context and user name ++ polyinstantiation based on process MLS level and user name, "context" for ++ polyinstantiation based on process security context and user name, ++ "tmpfs" for mounting tmpfs filesystem as an instance dir, and ++ "tmpdir" for creating temporary directory as an instance dir which is ++ removed when the user's session is closed. + Methods "context" and "level" are only available with SELinux. This + field cannot be blank. + +@@ -84,7 +87,8 @@ + The fourth field, list_of_uids, is + a comma separated list of user names for whom the polyinstantiation + is not performed. If left blank, polyinstantiation will be performed +- for all users. ++ for all users. If the list is preceded with a single "~" character, ++ polyinstantiation is performed only for users in the list. 
+ + + +diff -up Linux-PAM-0.99.8.1/modules/pam_namespace/pam_namespace.h.temp-logon Linux-PAM-0.99.8.1/modules/pam_namespace/pam_namespace.h +--- Linux-PAM-0.99.8.1/modules/pam_namespace/pam_namespace.h.temp-logon 2007-06-18 12:46:47.000000000 +0200 ++++ Linux-PAM-0.99.8.1/modules/pam_namespace/pam_namespace.h 2007-08-06 11:41:46.000000000 +0200 @@ -90,6 +90,7 @@ #define PAMNS_NO_UNMOUNT_ON_CLOSE 0x00010000 /* no unmount at session close */ @@ -8,7 +39,7 @@ /* * Polyinstantiation method options, based on user, security context -@@ -100,6 +101,8 @@ +@@ -100,6 +101,8 @@ enum polymethod { USER, CONTEXT, LEVEL, @@ -17,7 +48,7 @@ }; /* -@@ -128,6 +131,7 @@ +@@ -128,6 +131,7 @@ struct polydir_s { enum polymethod method; /* method used to polyinstantiate */ unsigned int num_uids; /* number of override uids */ uid_t *uid; /* list of override uids */ @@ -25,9 +56,10 @@ struct polydir_s *next; /* pointer to the next polydir entry */ }; ---- Linux-PAM-0.99.7.1/modules/pam_namespace/pam_namespace.c.temp-logon 2007-06-01 15:29:11.000000000 +0200 -+++ Linux-PAM-0.99.7.1/modules/pam_namespace/pam_namespace.c 2007-06-01 15:33:30.000000000 +0200 -@@ -43,6 +43,7 @@ +diff -up Linux-PAM-0.99.8.1/modules/pam_namespace/pam_namespace.c.temp-logon Linux-PAM-0.99.8.1/modules/pam_namespace/pam_namespace.c +--- Linux-PAM-0.99.8.1/modules/pam_namespace/pam_namespace.c.temp-logon 2007-06-18 12:46:47.000000000 +0200 ++++ Linux-PAM-0.99.8.1/modules/pam_namespace/pam_namespace.c 2007-08-06 11:41:46.000000000 +0200 +@@ -43,6 +43,7 @@ static int copy_ent(const struct polydir strcpy(pent->instance_prefix, ent->instance_prefix); pent->method = ent->method; pent->num_uids = ent->num_uids; @@ -35,7 +67,7 @@ if (ent->num_uids) { uid_t *pptr, *eptr; -@@ -120,6 +121,10 @@ +@@ -120,6 +121,10 @@ static void del_polydir_list(struct poly } } 
@@ -46,7 +78,7 @@ /* * Called from parse_config_file, this function processes a single line -@@ -140,6 +145,7 @@ +@@ -140,6 +145,7 @@ static int process_line(char *line, cons poly.uid = NULL; poly.num_uids = 0; @@ -54,7 +86,7 @@ /* * skip the leading white space -@@ -223,24 +229,13 @@ +@@ -223,24 +229,13 @@ static int process_line(char *line, cons } /* @@ -80,7 +112,7 @@ } strcpy(poly.dir, dir); strcpy(poly.instance_prefix, instance_prefix); -@@ -248,6 +243,18 @@ +@@ -248,6 +243,18 @@ static int process_line(char *line, cons poly.method = NONE; if (strcmp(method, "user") == 0) poly.method = USER; @@ -99,7 +131,7 @@ #ifdef WITH_SELINUX if (strcmp(method, "level") == 0) { -@@ -266,12 +273,24 @@ +@@ -266,12 +273,24 @@ static int process_line(char *line, cons #endif @@ -125,7 +157,7 @@ * If the line in namespace.conf for a directory to polyinstantiate * contains a list of override users (users for whom polyinstantiation * is not performed), read the user ids, convert names into uids, and -@@ -281,7 +300,11 @@ +@@ -281,7 +300,11 @@ static int process_line(char *line, cons uid_t *uidptr; const char *ustr, *sstr; int count, i; @@ -138,7 +170,7 @@ for (count = 0, ustr = sstr = uids; sstr; ustr = sstr + 1, count++) sstr = strchr(ustr, ','); -@@ -419,6 +442,7 @@ +@@ -419,6 +442,7 @@ static int parse_config_file(struct inst * directory's list of override uids. If the uid is one of the override * uids for the polyinstantiated directory, polyinstantiation is not * performed for that user for that directory. @@ -146,7 +178,7 @@ */ static int ns_override(struct polydir_s *polyptr, struct instance_data *idata, uid_t uid) -@@ -432,11 +456,11 @@ +@@ -432,11 +456,11 @@ static int ns_override(struct polydir_s for (i = 0; i < polyptr->num_uids; i++) { if (uid == polyptr->uid[i]) { @@ -160,7 +192,7 @@ } /* -@@ -622,6 +646,12 @@ +@@ -622,6 +646,12 @@ static int poly_name(const struct polydi #endif /* WITH_SELINUX */ 
@@ -173,7 +205,7 @@ default: if (idata->flags & PAMNS_DEBUG) pam_syslog(idata->pamh, LOG_ERR, "Unknown method"); -@@ -725,7 +755,7 @@ +@@ -725,7 +755,7 @@ static int check_inst_parent(char *ipath * execute it and pass directory to polyinstantiate and instance * directory as arguments. */ @@ -182,7 +214,7 @@ struct instance_data *idata) { pid_t rc, pid; -@@ -791,11 +821,11 @@ +@@ -791,11 +821,11 @@ out: * Create polyinstantiated instance directory (ipath). */ #ifdef WITH_SELINUX @@ -196,7 +228,7 @@ struct instance_data *idata) #endif { -@@ -834,7 +864,17 @@ +@@ -834,7 +864,17 @@ static int create_dirs(const struct poly * attributes to match that of the original directory that is being * polyinstantiated. */ @@ -215,7 +247,7 @@ if (errno == EEXIST) goto inst_init; else { -@@ -920,13 +960,12 @@ +@@ -920,13 +960,12 @@ inst_init: * security attributes, and performs bind mount to setup the process * namespace. */ @@ -230,7 +262,7 @@ #ifdef WITH_SELINUX security_context_t instcontext = NULL, origcontext = NULL; #endif -@@ -935,9 +974,15 @@ +@@ -935,9 +974,15 @@ static int ns_setup(const struct polydir pam_syslog(idata->pamh, LOG_DEBUG, "Set namespace for directory %s", polyptr->dir); @@ -249,7 +281,7 @@ /* * Obtain the name of instance pathname based on the -@@ -1043,6 +1088,58 @@ +@@ -1043,6 +1088,58 @@ static int cwd_in(char *dir, struct inst return retval; } @@ -308,7 +340,7 @@ /* * This function checks to see if polyinstantiation is needed for any -@@ -1111,13 +1208,22 @@ +@@ -1111,13 +1208,22 @@ static int setup_namespace(struct instan * disassociate from the parent namespace. */ if (need_poly) { @@ -333,7 +365,7 @@ /* * Again cycle through all polyinstantiated directories, this time, -@@ -1144,7 +1250,8 @@ +@@ -1144,7 +1250,8 @@ static int setup_namespace(struct instan * umount */ if ((changing_dir = cwd_in(pptr->dir, idata)) < 0) { 
@@ -343,7 +375,7 @@ } else if (changing_dir) { if (idata->flags & PAMNS_DEBUG) pam_syslog(idata->pamh, LOG_DEBUG, "changing cwd"); -@@ -1172,8 +1279,10 @@ +@@ -1172,8 +1279,10 @@ static int setup_namespace(struct instan int saved_errno = errno; pam_syslog(idata->pamh, LOG_ERR, "Unmount of %s failed, %m", pptr->dir); @@ -356,7 +388,7 @@ } else if (idata->flags & PAMNS_DEBUG) pam_syslog(idata->pamh, LOG_DEBUG, "Umount succeeded %s", pptr->dir); -@@ -1185,7 +1294,9 @@ +@@ -1185,7 +1294,9 @@ static int setup_namespace(struct instan break; } } @@ -367,7 +399,7 @@ return retval; } -@@ -1224,8 +1335,10 @@ +@@ -1224,8 +1335,10 @@ static int orig_namespace(struct instanc } else if (idata->flags & PAMNS_DEBUG) pam_syslog(idata->pamh, LOG_DEBUG, "Unmount of %s succeeded", pptr->dir); @@ -379,7 +411,7 @@ return 0; } -@@ -1350,7 +1463,8 @@ +@@ -1350,7 +1463,8 @@ PAM_EXTERN int pam_sm_open_session(pam_h } else if (idata.flags & PAMNS_DEBUG) pam_syslog(idata.pamh, LOG_DEBUG, "Nothing to polyinstantiate"); @@ -389,7 +421,7 @@ return retval; } -@@ -1365,6 +1479,7 @@ +@@ -1365,6 +1479,7 @@ PAM_EXTERN int pam_sm_close_session(pam_ struct instance_data idata; char *user_name; struct passwd *pwd; @@ -397,7 +429,7 @@ /* init instance data */ idata.flags = 0; -@@ -1428,16 +1543,12 @@ +@@ -1428,16 +1543,12 @@ PAM_EXTERN int pam_sm_close_session(pam_ strncat(idata.user, user_name, sizeof(idata.user) - 1); idata.uid = pwd->pw_uid; @@ -420,7 +452,7 @@ if (idata.flags & PAMNS_DEBUG) pam_syslog(idata.pamh, LOG_DEBUG, "Resetting namespace for pid %d", -@@ -1452,7 +1563,9 @@ +@@ -1452,7 +1563,9 @@ PAM_EXTERN int pam_sm_close_session(pam_ pam_syslog(idata.pamh, LOG_DEBUG, "resetting namespace ok for pid %d", getpid()); } diff --git a/pam-0.99.8.1-audit-no-log.patch b/pam-0.99.8.1-audit-no-log.patch new file mode 100644 index 0000000..0d0cc33 --- /dev/null +++ b/pam-0.99.8.1-audit-no-log.patch 
@@ -0,0 +1,27 @@
+diff -up Linux-PAM-0.99.8.1/libpam/pam_audit.c.no-log Linux-PAM-0.99.8.1/libpam/pam_audit.c
+--- Linux-PAM-0.99.8.1/libpam/pam_audit.c.no-log 2007-07-18 10:53:35.000000000 +0200
++++ Linux-PAM-0.99.8.1/libpam/pam_audit.c 2007-08-06 11:38:08.000000000 +0200
+@@ -42,18 +42,16 @@ _pam_audit_writelog(pam_handle_t *pamh,
+ best to fix it. */
+ errno = -rc;
+
++ pamh->audit_state |= PAMAUDIT_LOGGED;
++
+ if (rc < 0 && errno != old_errno)
+ {
+ old_errno = errno;
++ if (rc == -EPERM && getuid () != 0)
++ return 0;
+ pam_syslog (pamh, LOG_CRIT, "audit_log_acct_message() failed: %m");
+ }
+-
+- pamh->audit_state |= PAMAUDIT_LOGGED;
+-
+- if (rc == -EPERM && getuid () != 0)
+- return 0;
+- else
+- return rc;
++ return rc;
+ }
+
+ int
diff --git a/pam-0.99.8.1-namespace-init.patch b/pam-0.99.8.1-namespace-init.patch
new file mode 100644
index 0000000..95ce1d3
--- /dev/null
+++ b/pam-0.99.8.1-namespace-init.patch
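Review bot: Moving the `if (rc == -EPERM && getuid () != 0) return 0;` test inside the `errno != old_errno` block changes the return value, not only the logging: the first non-root EPERM returns 0, but once old_errno holds EPERM every following call skips the block and returns `rc`, i.e. -EPERM, to the caller. If old_errno is a static, as the dedup pattern suggests (its declaration is outside the hunk), an unprivileged process therefore sees an audit failure on the second and later calls, something the removed code never did, and a different intervening error resets the behaviour again. Keep the non-root EPERM check unconditional by placing `if (rc == -EPERM && getuid () != 0) return 0;` directly after `pamh->audit_state |= PAMAUDIT_LOGGED;` and before the `if (rc < 0 && errno != old_errno)` block, which still suppresses the syslog message as intended. _pam_audit_writelog begins before this hunk.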
@@ -0,0 +1,91 @@
+diff -up Linux-PAM-0.99.8.1/modules/pam_namespace/pam_namespace.c.ns-init Linux-PAM-0.99.8.1/modules/pam_namespace/pam_namespace.c
+--- Linux-PAM-0.99.8.1/modules/pam_namespace/pam_namespace.c.ns-init 2007-08-06 13:57:56.000000000 +0200
++++ Linux-PAM-0.99.8.1/modules/pam_namespace/pam_namespace.c 2007-08-06 14:06:52.000000000 +0200
+@@ -672,7 +672,7 @@ static int poly_name(const struct polydi
+ hash = NULL;
+ } else {
+ char *newname;
+- if (asprintf(&newname, "%.*s_%s", NAMESPACE_MAX_DIR_LEN-1-strlen(hash),
++ if (asprintf(&newname, "%.*s_%s", NAMESPACE_MAX_DIR_LEN-1-(int)strlen(hash),
+ *i_name, hash) < 0) {
+ goto fail;
+ }
+@@ -756,7 +756,7 @@ static int check_inst_parent(char *ipath
+ * directory as arguments.
+ */
+ static int inst_init(const struct polydir_s *polyptr, const char *ipath,
+- struct instance_data *idata)
++ struct instance_data *idata, int newdir)
+ {
+ pid_t rc, pid;
+ sighandler_t osighand = NULL;
+@@ -786,7 +786,7 @@ static int inst_init(const struct polydi
+ }
+ #endif
+ if (execl(NAMESPACE_INIT_SCRIPT, NAMESPACE_INIT_SCRIPT,
+- polyptr->dir, ipath, (char *)NULL) < 0)
++ polyptr->dir, ipath, newdir?"1":"0", idata->user, (char *)NULL) < 0)
+ exit(1);
+ } else if (pid > 0) {
+ while (((rc = waitpid(pid, &status, 0)) == (pid_t)-1) &&
+@@ -831,6 +831,7 @@ static int create_dirs(struct polydir_s
+ {
+ struct stat statbuf, newstatbuf;
+ int rc, fd;
++ int newdir = 0;
+
+ /*
+ * stat the directory to polyinstantiate, so its owner-group-mode
+@@ -884,6 +885,7 @@ static int create_dirs(struct polydir_s
+ }
+ }
+
++ newdir = 1;
+ /* Open a descriptor to it to prevent races */
+ fd = open(ipath, O_DIRECTORY | O_RDONLY);
+ if (fd < 0) {
+@@ -948,7 +950,7 @@ static int create_dirs(struct polydir_s
+ */
+
+ inst_init:
+- rc = inst_init(polyptr, ipath, idata);
++ rc = inst_init(polyptr, ipath, idata, newdir);
+ return rc;
+ }
+
+@@ -981,7 +983,7 @@ static int ns_setup(struct polydir_s *po
+ return PAM_SESSION_ERR;
+ }
+ /* we must call inst_init after the mount in this case */
+- return inst_init(polyptr, "tmpfs", idata);
++ return inst_init(polyptr, "tmpfs", idata, 1);
+ }
+
+ /*
+diff -up Linux-PAM-0.99.8.1/modules/pam_namespace/pam_namespace.8.xml.ns-init Linux-PAM-0.99.8.1/modules/pam_namespace/pam_namespace.8.xml
+--- Linux-PAM-0.99.8.1/modules/pam_namespace/pam_namespace.8.xml.ns-init 2007-06-18 12:46:47.000000000 +0200
++++ Linux-PAM-0.99.8.1/modules/pam_namespace/pam_namespace.8.xml 2007-08-06 13:57:56.000000000 +0200
+@@ -60,7 +60,9 @@
+ script /etc/security/namespace.init exists, it
+ is used to initialize the namespace every time a new instance
+ directory is setup. The script receives the polyinstantiated
+- directory path and the instance directory path as its arguments.
++ directory path, the instance directory path, flag whether the instance
++ directory was newly created (0 for no, 1 for yes), and the user name
++ as its arguments.
+
+
+
+diff -up Linux-PAM-0.99.8.1/modules/pam_namespace/namespace.init.ns-init Linux-PAM-0.99.8.1/modules/pam_namespace/namespace.init
+--- Linux-PAM-0.99.8.1/modules/pam_namespace/namespace.init.ns-init 2007-06-18 12:46:47.000000000 +0200
++++ Linux-PAM-0.99.8.1/modules/pam_namespace/namespace.init 2007-08-06 13:57:56.000000000 +0200
+@@ -1,6 +1,8 @@
+ #!/bin/sh -p
+ # This is only a boilerplate for the instance initialization script.
+-# It receives polydir path as $1 and the instance path as $2.
++# It receives polydir path as $1, the instance path as $2,
++# a flag whether the instance dir was newly created (0 - no, 1 - yes) in $3,
++# and user name in $4.
+ #
+ # If you intend to polyinstantiate /tmp and you also want to use the X windows
+ # environment, you will have to use this script to bind mount the socket that
diff --git a/pam.spec b/pam.spec
index 4fe1c5b..769f4a4 100644
--- a/pam.spec
+++ b/pam.spec
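Review bot: The execl() in inst_init now hands `idata->user` to the root-run `/bin/sh -p` script as `$4`, but neither the new boilerplate comment in namespace.init nor the pam_namespace.8.xml text says the arguments must be quoted, so an admin-written script that expands `$4` bare will word-split or glob a user name containing spaces or shell metacharacters (whether pam_namespace restricts the user-name character set is not visible in this hunk). The argv is built by execl, so there is no shell injection at the call site itself; the exposure is only inside custom scripts. I would add to the boilerplate `# Always quote the arguments ("$1" .. "$4"): $4 is a user name and may contain spaces or shell metacharacters.` and state the same in the man page paragraph. Separately, the `(int)strlen(hash)` cast correctly gives `%.*s` the int precision it requires, but if strlen(hash) could ever exceed NAMESPACE_MAX_DIR_LEN-1 (the hash length is not visible here) the precision becomes negative, which printf treats as absent, and `*i_name` would not be truncated at all; a `if ((int)strlen(hash) > NAMESPACE_MAX_DIR_LEN-1) goto fail;` before the asprintf would close that. poly_name, inst_init, create_dirs and ns_setup all begin outside the inner hunks shown here.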
@@ -4,14 +4,14 @@ %define _sysconfdir /etc %define pwdb_version 0.62 -%define db_version 4.5.20 -%define db_conflicting_version 4.6.0 +%define db_version 4.6.18 +%define db_conflicting_version 4.7.0 %define pam_redhat_version 0.99.8-1 Summary: A security tool which provides authentication for applications Name: pam Version: 0.99.8.1 -Release: 2%{?dist} +Release: 3%{?dist} License: GPL or BSD Group: System Environment/Base Source0: http://ftp.us.kernel.org/pub/linux/libs/pam/pre/library/Linux-PAM-%{version}.tar.bz2 @@ -26,11 +26,13 @@ Source9: system-auth.5 Source10: config-util.5 Patch1: pam-0.99.7.0-redhat-modules.patch Patch4: pam-0.99.8.1-dbpam.patch +Patch5: pam-0.99.8.1-audit-no-log.patch Patch24: pam-0.99.8.1-unix-update-helper.patch Patch25: pam-0.99.7.1-unix-hpux-aging.patch Patch31: pam-0.99.3.0-cracklib-try-first-pass.patch Patch32: pam-0.99.3.0-tally-fail-close.patch Patch40: pam-0.99.7.1-namespace-temp-logon.patch +Patch41: pam-0.99.8.1-namespace-init.patch BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n) Requires: cracklib, cracklib-dicts >= 2.8 @@ -85,11 +87,13 @@ cp %{SOURCE7} . %patch1 -p1 -b .redhat-modules %patch4 -p1 -b .dbpam +%patch5 -p1 -b .no-log %patch24 -p1 -b .update-helper %patch25 -p1 -b .unix-hpux-aging %patch31 -p1 -b .try-first-pass %patch32 -p1 -b .fail-close %patch40 -p1 -b .temp-logon +%patch41 -p1 -b .ns-init autoreconf @@ -380,6 +384,12 @@ fi %doc doc/adg/*.txt doc/adg/html %changelog +* Tue Jul 31 2007 Tomas Mraz 0.99.8.1-3 +- updated db4 to 4.6.18 (#249740) +- added user and new instance parameters to namespace init +- document the new features of pam_namespace +- do not log an audit error when uid != 0 (#249870) + * Wed Jul 25 2007 Jeremy Katz - 0.99.8.1-2 - rebuild for toolchain bug diff --git a/sources b/sources index 02424fc..5ac5732 100644 --- a/sources +++ b/sources 
@@ -1,3 +1,3 @@
-b0f1c777708cb8e9d37fb47e7ed3312d db-4.5.20.tar.gz
 2a23dc703b550223206021ff03b1e434 pam-redhat-0.99.8-1.tar.bz2
 a6472db4afe13850cb401922211bba4e Linux-PAM-0.99.8.1.tar.bz2
+95768bd92fd48951a427fbab37b9088f db-4.6.18.tar.gz