rpms/pam
7
0
Fork 0
Code Issues Pull Requests Releases Activity

- updated db4 to 4.6.18 (#249740)

Browse Source 
- added user and new instance parameters to namespace init
- document the new features of pam_namespace
- do not log an audit error when uid != 0 (#249870)
This commit is contained in:
Tomáš Mráz 2007-08-06 12:31:50 +00:00
parent f6d27e9e3a
commit 8fa0463a67
6 changed files with 196 additions and 36 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
.cvsignore
View File

@ -1,5 +1,5 @@
db-4.5.20.tar.gz
*.src.rpm
*.tar.bz2
pam-redhat-0.99.8-1.tar.bz2
Linux-PAM-0.99.8.1.tar.bz2
db-4.6.18.tar.gz

94
pam-0.99.7.1-namespace-temp-logon.patch
View File

@ -1,5 +1,36 @@
--- Linux-PAM-0.99.7.1/modules/pam_namespace/pam_namespace.h.temp-logon 2007-06-01 15:29:11.000000000 +0200
+++ Linux-PAM-0.99.7.1/modules/pam_namespace/pam_namespace.h 2007-06-01 15:29:11.000000000 +0200
diff -up Linux-PAM-0.99.8.1/modules/pam_namespace/namespace.conf.5.xml.temp-logon Linux-PAM-0.99.8.1/modules/pam_namespace/namespace.conf.5.xml
--- Linux-PAM-0.99.8.1/modules/pam_namespace/namespace.conf.5.xml.temp-logon 2007-06-18 12:46:47.000000000 +0200
+++ Linux-PAM-0.99.8.1/modules/pam_namespace/namespace.conf.5.xml 2007-08-06 13:16:56.000000000 +0200
@@ -72,10 +72,13 @@
<para>
The third field, <replaceable>method</replaceable>, is the method
- used for polyinstantiation. It can take 3 different values; "user"
+ used for polyinstantiation. It can take these values; "user"
for polyinstantiation based on user name, "level" for
- polyinstantiation based on process MLS level and user name, and "context" for
- polyinstantiation based on process security context and user name
+ polyinstantiation based on process MLS level and user name, "context" for
+ polyinstantiation based on process security context and user name,
+ "tmpfs" for mounting tmpfs filesystem as an instance dir, and
+ "tmpdir" for creating temporary directory as an instance dir which is
+ removed when the user's session is closed.
Methods "context" and "level" are only available with SELinux. This
field cannot be blank.
</para>
@@ -84,7 +87,8 @@
The fourth field, <replaceable>list_of_uids</replaceable>, is
a comma separated list of user names for whom the polyinstantiation
is not performed. If left blank, polyinstantiation will be performed
- for all users.
+ for all users. If the list is preceded with a single "~" character,
+ polyinstantiation is performed only for users in the list.
</para>
<para>
diff -up Linux-PAM-0.99.8.1/modules/pam_namespace/pam_namespace.h.temp-logon Linux-PAM-0.99.8.1/modules/pam_namespace/pam_namespace.h
--- Linux-PAM-0.99.8.1/modules/pam_namespace/pam_namespace.h.temp-logon 2007-06-18 12:46:47.000000000 +0200
+++ Linux-PAM-0.99.8.1/modules/pam_namespace/pam_namespace.h 2007-08-06 11:41:46.000000000 +0200
@@ -90,6 +90,7 @@
#define PAMNS_NO_UNMOUNT_ON_CLOSE 0x00010000 /* no unmount at session close */
@ -8,7 +39,7 @@
/*
* Polyinstantiation method options, based on user, security context
@@ -100,6 +101,8 @@
@@ -100,6 +101,8 @@ enum polymethod {
USER,
CONTEXT,
LEVEL,
@ -17,7 +48,7 @@
};
/*
@@ -128,6 +131,7 @@
@@ -128,6 +131,7 @@ struct polydir_s {
enum polymethod method; /* method used to polyinstantiate */
unsigned int num_uids; /* number of override uids */
uid_t *uid; /* list of override uids */
@ -25,9 +56,10 @@
struct polydir_s *next; /* pointer to the next polydir entry */
};
--- Linux-PAM-0.99.7.1/modules/pam_namespace/pam_namespace.c.temp-logon 2007-06-01 15:29:11.000000000 +0200
+++ Linux-PAM-0.99.7.1/modules/pam_namespace/pam_namespace.c 2007-06-01 15:33:30.000000000 +0200
@@ -43,6 +43,7 @@
diff -up Linux-PAM-0.99.8.1/modules/pam_namespace/pam_namespace.c.temp-logon Linux-PAM-0.99.8.1/modules/pam_namespace/pam_namespace.c
--- Linux-PAM-0.99.8.1/modules/pam_namespace/pam_namespace.c.temp-logon 2007-06-18 12:46:47.000000000 +0200
+++ Linux-PAM-0.99.8.1/modules/pam_namespace/pam_namespace.c 2007-08-06 11:41:46.000000000 +0200
@@ -43,6 +43,7 @@ static int copy_ent(const struct polydir
strcpy(pent->instance_prefix, ent->instance_prefix);
pent->method = ent->method;
pent->num_uids = ent->num_uids;
@ -35,7 +67,7 @@
if (ent->num_uids) {
uid_t *pptr, *eptr;
@@ -120,6 +121,10 @@
@@ -120,6 +121,10 @@ static void del_polydir_list(struct poly
}
}
@ -46,7 +78,7 @@
/*
* Called from parse_config_file, this function processes a single line
@@ -140,6 +145,7 @@
@@ -140,6 +145,7 @@ static int process_line(char *line, cons
poly.uid = NULL;
poly.num_uids = 0;
@ -54,7 +86,7 @@
/*
* skip the leading white space
@@ -223,24 +229,13 @@
@@ -223,24 +229,13 @@ static int process_line(char *line, cons
}
/*
@ -80,7 +112,7 @@
}
strcpy(poly.dir, dir);
strcpy(poly.instance_prefix, instance_prefix);
@@ -248,6 +243,18 @@
@@ -248,6 +243,18 @@ static int process_line(char *line, cons
poly.method = NONE;
if (strcmp(method, "user") == 0)
poly.method = USER;
@ -99,7 +131,7 @@
#ifdef WITH_SELINUX
if (strcmp(method, "level") == 0) {
@@ -266,12 +273,24 @@
@@ -266,12 +273,24 @@ static int process_line(char *line, cons
#endif
@ -125,7 +157,7 @@
* If the line in namespace.conf for a directory to polyinstantiate
* contains a list of override users (users for whom polyinstantiation
* is not performed), read the user ids, convert names into uids, and
@@ -281,7 +300,11 @@
@@ -281,7 +300,11 @@ static int process_line(char *line, cons
uid_t *uidptr;
const char *ustr, *sstr;
int count, i;
@ -138,7 +170,7 @@
for (count = 0, ustr = sstr = uids; sstr; ustr = sstr + 1, count++)
sstr = strchr(ustr, ',');
@@ -419,6 +442,7 @@
@@ -419,6 +442,7 @@ static int parse_config_file(struct inst
* directory's list of override uids. If the uid is one of the override
* uids for the polyinstantiated directory, polyinstantiation is not
* performed for that user for that directory.
@ -146,7 +178,7 @@
*/
static int ns_override(struct polydir_s *polyptr, struct instance_data *idata,
uid_t uid)
@@ -432,11 +456,11 @@
@@ -432,11 +456,11 @@ static int ns_override(struct polydir_s
for (i = 0; i < polyptr->num_uids; i++) {
if (uid == polyptr->uid[i]) {
@ -160,7 +192,7 @@
}
/*
@@ -622,6 +646,12 @@
@@ -622,6 +646,12 @@ static int poly_name(const struct polydi
#endif /* WITH_SELINUX */
@ -173,7 +205,7 @@
default:
if (idata->flags & PAMNS_DEBUG)
pam_syslog(idata->pamh, LOG_ERR, "Unknown method");
@@ -725,7 +755,7 @@
@@ -725,7 +755,7 @@ static int check_inst_parent(char *ipath
* execute it and pass directory to polyinstantiate and instance
* directory as arguments.
*/
@ -182,7 +214,7 @@
struct instance_data *idata)
{
pid_t rc, pid;
@@ -791,11 +821,11 @@
@@ -791,11 +821,11 @@ out:
* Create polyinstantiated instance directory (ipath).
*/
#ifdef WITH_SELINUX
@ -196,7 +228,7 @@
struct instance_data *idata)
#endif
{
@@ -834,7 +864,17 @@
@@ -834,7 +864,17 @@ static int create_dirs(const struct poly
* attributes to match that of the original directory that is being
* polyinstantiated.
*/
@ -215,7 +247,7 @@
if (errno == EEXIST)
goto inst_init;
else {
@@ -920,13 +960,12 @@
@@ -920,13 +960,12 @@ inst_init:
* security attributes, and performs bind mount to setup the process
* namespace.
*/
@ -230,7 +262,7 @@
#ifdef WITH_SELINUX
security_context_t instcontext = NULL, origcontext = NULL;
#endif
@@ -935,9 +974,15 @@
@@ -935,9 +974,15 @@ static int ns_setup(const struct polydir
pam_syslog(idata->pamh, LOG_DEBUG,
"Set namespace for directory %s", polyptr->dir);
@ -249,7 +281,7 @@
/*
* Obtain the name of instance pathname based on the
@@ -1043,6 +1088,58 @@
@@ -1043,6 +1088,58 @@ static int cwd_in(char *dir, struct inst
return retval;
}
@ -308,7 +340,7 @@
/*
* This function checks to see if polyinstantiation is needed for any
@@ -1111,13 +1208,22 @@
@@ -1111,13 +1208,22 @@ static int setup_namespace(struct instan
* disassociate from the parent namespace.
*/
if (need_poly) {
@ -333,7 +365,7 @@
/*
* Again cycle through all polyinstantiated directories, this time,
@@ -1144,7 +1250,8 @@
@@ -1144,7 +1250,8 @@ static int setup_namespace(struct instan
* umount
*/
if ((changing_dir = cwd_in(pptr->dir, idata)) < 0) {
@ -343,7 +375,7 @@
} else if (changing_dir) {
if (idata->flags & PAMNS_DEBUG)
pam_syslog(idata->pamh, LOG_DEBUG, "changing cwd");
@@ -1172,8 +1279,10 @@
@@ -1172,8 +1279,10 @@ static int setup_namespace(struct instan
int saved_errno = errno;
pam_syslog(idata->pamh, LOG_ERR, "Unmount of %s failed, %m",
pptr->dir);
@ -356,7 +388,7 @@
} else if (idata->flags & PAMNS_DEBUG)
pam_syslog(idata->pamh, LOG_DEBUG, "Umount succeeded %s",
pptr->dir);
@@ -1185,7 +1294,9 @@
@@ -1185,7 +1294,9 @@ static int setup_namespace(struct instan
break;
}
}
@ -367,7 +399,7 @@
return retval;
}
@@ -1224,8 +1335,10 @@
@@ -1224,8 +1335,10 @@ static int orig_namespace(struct instanc
} else if (idata->flags & PAMNS_DEBUG)
pam_syslog(idata->pamh, LOG_DEBUG, "Unmount of %s succeeded",
pptr->dir);
@ -379,7 +411,7 @@
return 0;
}
@@ -1350,7 +1463,8 @@
@@ -1350,7 +1463,8 @@ PAM_EXTERN int pam_sm_open_session(pam_h
} else if (idata.flags & PAMNS_DEBUG)
pam_syslog(idata.pamh, LOG_DEBUG, "Nothing to polyinstantiate");
@ -389,7 +421,7 @@
return retval;
}
@@ -1365,6 +1479,7 @@
@@ -1365,6 +1479,7 @@ PAM_EXTERN int pam_sm_close_session(pam_
struct instance_data idata;
char *user_name;
struct passwd *pwd;
@ -397,7 +429,7 @@
/* init instance data */
idata.flags = 0;
@@ -1428,16 +1543,12 @@
@@ -1428,16 +1543,12 @@ PAM_EXTERN int pam_sm_close_session(pam_
strncat(idata.user, user_name, sizeof(idata.user) - 1);
idata.uid = pwd->pw_uid;
@ -420,7 +452,7 @@
if (idata.flags & PAMNS_DEBUG)
pam_syslog(idata.pamh, LOG_DEBUG, "Resetting namespace for pid %d",
@@ -1452,7 +1563,9 @@
@@ -1452,7 +1563,9 @@ PAM_EXTERN int pam_sm_close_session(pam_
pam_syslog(idata.pamh, LOG_DEBUG,
"resetting namespace ok for pid %d", getpid());
}

27
pam-0.99.8.1-audit-no-log.patch Normal file
View File

@ -0,0 +1,27 @@
diff -up Linux-PAM-0.99.8.1/libpam/pam_audit.c.no-log Linux-PAM-0.99.8.1/libpam/pam_audit.c
--- Linux-PAM-0.99.8.1/libpam/pam_audit.c.no-log 2007-07-18 10:53:35.000000000 +0200
+++ Linux-PAM-0.99.8.1/libpam/pam_audit.c 2007-08-06 11:38:08.000000000 +0200
@@ -42,18 +42,16 @@ _pam_audit_writelog(pam_handle_t *pamh,
best to fix it. */
errno = -rc;
+ pamh->audit_state |= PAMAUDIT_LOGGED;
+
if (rc < 0 && errno != old_errno)
{
old_errno = errno;
+ if (rc == -EPERM && getuid () != 0)
+ return 0;
pam_syslog (pamh, LOG_CRIT, "audit_log_acct_message() failed: %m");
}
-
- pamh->audit_state |= PAMAUDIT_LOGGED;
-
- if (rc == -EPERM && getuid () != 0)
- return 0;
- else
- return rc;
+ return rc;
}
int

91
pam-0.99.8.1-namespace-init.patch Normal file
View File

@ -0,0 +1,91 @@
diff -up Linux-PAM-0.99.8.1/modules/pam_namespace/pam_namespace.c.ns-init Linux-PAM-0.99.8.1/modules/pam_namespace/pam_namespace.c
--- Linux-PAM-0.99.8.1/modules/pam_namespace/pam_namespace.c.ns-init 2007-08-06 13:57:56.000000000 +0200
+++ Linux-PAM-0.99.8.1/modules/pam_namespace/pam_namespace.c 2007-08-06 14:06:52.000000000 +0200
@@ -672,7 +672,7 @@ static int poly_name(const struct polydi
hash = NULL;
} else {
char *newname;
- if (asprintf(&newname, "%.*s_%s", NAMESPACE_MAX_DIR_LEN-1-strlen(hash),
+ if (asprintf(&newname, "%.*s_%s", NAMESPACE_MAX_DIR_LEN-1-(int)strlen(hash),
*i_name, hash) < 0) {
goto fail;
}
@@ -756,7 +756,7 @@ static int check_inst_parent(char *ipath
* directory as arguments.
*/
static int inst_init(const struct polydir_s *polyptr, const char *ipath,
- struct instance_data *idata)
+ struct instance_data *idata, int newdir)
{
pid_t rc, pid;
sighandler_t osighand = NULL;
@@ -786,7 +786,7 @@ static int inst_init(const struct polydi
}
#endif
if (execl(NAMESPACE_INIT_SCRIPT, NAMESPACE_INIT_SCRIPT,
- polyptr->dir, ipath, (char *)NULL) < 0)
+ polyptr->dir, ipath, newdir?"1":"0", idata->user, (char *)NULL) < 0)
exit(1);
} else if (pid > 0) {
while (((rc = waitpid(pid, &status, 0)) == (pid_t)-1) &&
@@ -831,6 +831,7 @@ static int create_dirs(struct polydir_s
{
struct stat statbuf, newstatbuf;
int rc, fd;
+ int newdir = 0;
/*
* stat the directory to polyinstantiate, so its owner-group-mode
@@ -884,6 +885,7 @@ static int create_dirs(struct polydir_s
}
}
+ newdir = 1;
/* Open a descriptor to it to prevent races */
fd = open(ipath, O_DIRECTORY | O_RDONLY);
if (fd < 0) {
@@ -948,7 +950,7 @@ static int create_dirs(struct polydir_s
*/
inst_init:
- rc = inst_init(polyptr, ipath, idata);
+ rc = inst_init(polyptr, ipath, idata, newdir);
return rc;
}
@@ -981,7 +983,7 @@ static int ns_setup(struct polydir_s *po
return PAM_SESSION_ERR;
}
/* we must call inst_init after the mount in this case */
- return inst_init(polyptr, "tmpfs", idata);
+ return inst_init(polyptr, "tmpfs", idata, 1);
}
/*
diff -up Linux-PAM-0.99.8.1/modules/pam_namespace/pam_namespace.8.xml.ns-init Linux-PAM-0.99.8.1/modules/pam_namespace/pam_namespace.8.xml
--- Linux-PAM-0.99.8.1/modules/pam_namespace/pam_namespace.8.xml.ns-init 2007-06-18 12:46:47.000000000 +0200
+++ Linux-PAM-0.99.8.1/modules/pam_namespace/pam_namespace.8.xml 2007-08-06 13:57:56.000000000 +0200
@@ -60,7 +60,9 @@
script <filename>/etc/security/namespace.init</filename> exists, it
is used to initialize the namespace every time a new instance
directory is setup. The script receives the polyinstantiated
- directory path and the instance directory path as its arguments.
+ directory path, the instance directory path, flag whether the instance
+ directory was newly created (0 for no, 1 for yes), and the user name
+ as its arguments.
</para>
<para>
diff -up Linux-PAM-0.99.8.1/modules/pam_namespace/namespace.init.ns-init Linux-PAM-0.99.8.1/modules/pam_namespace/namespace.init
--- Linux-PAM-0.99.8.1/modules/pam_namespace/namespace.init.ns-init 2007-06-18 12:46:47.000000000 +0200
+++ Linux-PAM-0.99.8.1/modules/pam_namespace/namespace.init 2007-08-06 13:57:56.000000000 +0200
@@ -1,6 +1,8 @@
#!/bin/sh -p
# This is only a boilerplate for the instance initialization script.
-# It receives polydir path as $1 and the instance path as $2.
+# It receives polydir path as $1, the instance path as $2,
+# a flag whether the instance dir was newly created (0 - no, 1 - yes) in $3,
+# and user name in $4.
#
# If you intend to polyinstantiate /tmp and you also want to use the X windows
# environment, you will have to use this script to bind mount the socket that

16
pam.spec
View File

@ -4,14 +4,14 @@
%define _sysconfdir /etc
%define pwdb_version 0.62
%define db_version 4.5.20
%define db_conflicting_version 4.6.0
%define db_version 4.6.18
%define db_conflicting_version 4.7.0
%define pam_redhat_version 0.99.8-1
Summary: A security tool which provides authentication for applications
Name: pam
Version: 0.99.8.1
Release: 2%{?dist}
Release: 3%{?dist}
License: GPL or BSD
Group: System Environment/Base
Source0: http://ftp.us.kernel.org/pub/linux/libs/pam/pre/library/Linux-PAM-%{version}.tar.bz2
@ -26,11 +26,13 @@ Source9: system-auth.5
Source10: config-util.5
Patch1: pam-0.99.7.0-redhat-modules.patch
Patch4: pam-0.99.8.1-dbpam.patch
Patch5: pam-0.99.8.1-audit-no-log.patch
Patch24: pam-0.99.8.1-unix-update-helper.patch
Patch25: pam-0.99.7.1-unix-hpux-aging.patch
Patch31: pam-0.99.3.0-cracklib-try-first-pass.patch
Patch32: pam-0.99.3.0-tally-fail-close.patch
Patch40: pam-0.99.7.1-namespace-temp-logon.patch
Patch41: pam-0.99.8.1-namespace-init.patch
BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n)
Requires: cracklib, cracklib-dicts >= 2.8
@ -85,11 +87,13 @@ cp %{SOURCE7} .
%patch1 -p1 -b .redhat-modules
%patch4 -p1 -b .dbpam
%patch5 -p1 -b .no-log
%patch24 -p1 -b .update-helper
%patch25 -p1 -b .unix-hpux-aging
%patch31 -p1 -b .try-first-pass
%patch32 -p1 -b .fail-close
%patch40 -p1 -b .temp-logon
%patch41 -p1 -b .ns-init
autoreconf
@ -380,6 +384,12 @@ fi
%doc doc/adg/*.txt doc/adg/html
%changelog
* Tue Jul 31 2007 Tomas Mraz <tmraz@redhat.com> 0.99.8.1-3
- updated db4 to 4.6.18 (#249740)
- added user and new instance parameters to namespace init
- document the new features of pam_namespace
- do not log an audit error when uid != 0 (#249870)
* Wed Jul 25 2007 Jeremy Katz <katzj@redhat.com> - 0.99.8.1-2
- rebuild for toolchain bug

2
sources
View File

@ -1,3 +1,3 @@
b0f1c777708cb8e9d37fb47e7ed3312d db-4.5.20.tar.gz
2a23dc703b550223206021ff03b1e434 pam-redhat-0.99.8-1.tar.bz2
a6472db4afe13850cb401922211bba4e Linux-PAM-0.99.8.1.tar.bz2
95768bd92fd48951a427fbab37b9088f db-4.6.18.tar.gz