pam_tty_audit: if kernel audit is disabled return PAM_IGNORE

pam_modutil_sanitize_helper_fds: fix SIGPIPE effect of PAM_MODUTIL_PIPE_FD
2020-05-14 13:17:06 +02:00 · 2020-05-14 13:17:06 +02:00 · 9d21ac175c
commit 9d21ac175c
parent 403090086b
3 changed files with 120 additions and 1 deletions
--- a/pam-1.3.1-audit-error.patch
+++ b/pam-1.3.1-audit-error.patch
@ -0,0 +1,35 @@
 From b429ea18b1c9c8953df5169c6a453b4255a6f23d Mon Sep 17 00:00:00 2001
 From: Iker Pedrosa <ikerpedrosam@gmail.com>
 Date: Thu, 27 Feb 2020 11:48:47 +0100
 Subject: [PATCH] pam_tty_audit: if kernel audit is disabled return PAM_IGNORE
 If kernel audit is disabled the socket open will return
 EPROTONOSUPPORT.
 Return PAM_IGNORE from pam_tty_audit and log a warning
 in this situation so login is not blocked by the module.
 ---
 modules/pam_tty_audit/pam_tty_audit.c | 8 ++++++++
 1 file changed, 8 insertions(+)
 diff --git a/modules/pam_tty_audit/pam_tty_audit.c b/modules/pam_tty_audit/pam_tty_audit.c
 index 7dbcada2..589c60a2 100644
 --- a/modules/pam_tty_audit/pam_tty_audit.c
 +++ b/modules/pam_tty_audit/pam_tty_audit.c
@@ -351,6 +351,14 @@ pam_sm_open_session (pam_handle_t *pamh, int flags, int argc, const char **argv)
   fd = nl_open ();
   if (fd == -1
 +      && errno == EPROTONOSUPPORT)
 +    {
 +      pam_syslog (pamh, LOG_WARNING, "unable to open audit socket, audit not "
 +                  "supported; tty_audit skipped");
 +      free (old_status);
 +      return PAM_IGNORE;
 +    }
 +  else if (fd == -1
       || nl_send (fd, AUDIT_TTY_GET, 0, NULL, 0) != 0
       || nl_recv (fd, AUDIT_TTY_GET, old_status, sizeof (*old_status)) != 0)
     {
 -- 
 2.25.2
--- a/pam-1.3.1-pam-modutil-close-write.patch
+++ b/pam-1.3.1-pam-modutil-close-write.patch
@ -0,0 +1,74 @@
 From b6f73810a2e7afd02a231e2dfa14b05752c83db7 Mon Sep 17 00:00:00 2001
 From: "Dmitry V. Levin" <ldv@altlinux.org>
 Date: Wed, 26 Feb 2020 19:20:58 +0000
 Subject: [PATCH] pam_modutil_sanitize_helper_fds: fix SIGPIPE effect of
 PAM_MODUTIL_PIPE_FD
 When pam_modutil_sanitize_helper_fds() is invoked with
 PAM_MODUTIL_PIPE_FD to provide a dummy pipe descriptor for stdout
 or stderr, it closes the read end of the newly created dummy pipe.
 The negative side effect of this approach is that any write to such
 descriptor triggers a SIGPIPE.  Avoid this by closing the write end of
 the dummy pipe and using its read end as a dummy pipe descriptor for
 output.  Any read from such descriptor returns 0, and any write just
 fails with EBADF, which should work better with unprepared writers.
 * libpam/pam_modutil_sanitize.c (redirect_out_pipe): Remove.
 (redirect_out): Call redirect_in_pipe instead of redirect_out_pipe.
 Fixes: b0ec5d1e ("Introduce pam_modutil_sanitize_helper_fds")
 ---
 libpam/pam_modutil_sanitize.c | 30 +-----------------------------
 1 file changed, 1 insertion(+), 29 deletions(-)
 diff --git a/libpam/pam_modutil_sanitize.c b/libpam/pam_modutil_sanitize.c
 index 605c859d..58b9537c 100644
 --- a/libpam/pam_modutil_sanitize.c
 +++ b/libpam/pam_modutil_sanitize.c
@@ -46,34 +46,6 @@ redirect_in_pipe(pam_handle_t *pamh, int fd, const char *name)
 	return fd;
 }
 -/*
 - * Creates a pipe, closes its read end, redirects fd to its write end.
 - * Returns fd on success, -1 otherwise.
 - */
 -static int
 -redirect_out_pipe(pam_handle_t *pamh, int fd, const char *name)
 -{
 -	int out[2];
 -
 -	if (pipe(out) < 0) {
 -		pam_syslog(pamh, LOG_ERR, "Could not create pipe: %m");
 -		return -1;
 -	}
 -
 -	close(out[0]);
 -
 -	if (out[1] == fd)
 -		return fd;
 -
 -	if (dup2(out[1], fd) != fd) {
 -		pam_syslog(pamh, LOG_ERR, "dup2 of %s failed: %m", name);
 -		fd = -1;
 -	}
 -
 -	close(out[1]);
 -	return fd;
 -}
 -
 /*
  * Opens /dev/null for writing, redirects fd there.
  * Returns fd on success, -1 otherwise.
@@ -106,7 +78,7 @@ redirect_out(pam_handle_t *pamh, enum pam_modutil_redirect_fd mode,
 {
 	switch (mode) {
 		case PAM_MODUTIL_PIPE_FD:
 -			if (redirect_out_pipe(pamh, fd, name) < 0)
 +			if (redirect_in_pipe(pamh, fd, name) < 0)
 				return -1;
 			break;
 		case PAM_MODUTIL_NULL_FD:
 -- 
 2.25.3
--- a/pam.spec
+++ b/pam.spec
@ -3,7 +3,7 @@
 Summary: An extensible library which provides authentication for applications
 Name: pam
 Version: 1.3.1
-Release: 25%{?dist}
+Release: 26%{?dist}
 # The library is BSD licensed with option to relicense as GPLv2+
 # - this option is redundant as the BSD license allows that anyway.
 # pam_timestamp, pam_loginuid, and pam_console modules are GPLv2+.
@ -63,6 +63,10 @@ Patch51: pam-1.3.1-authtok-verify-fix.patch
 Patch52: pam-1.3.1-add-pam_usertype.patch
 Patch53: pam-1.3.1-add-pam_usertype-fix-backport.patch
 Patch54: pam-1.3.1-pam_selinux-check-unknown-objects.patch
 # Upstreamed
 Patch55: pam-1.3.1-audit-error.patch
 # Upstreamed
 Patch56: pam-1.3.1-pam-modutil-close-write.patch
 %global _pamlibdir %{_libdir}
 %global _moduledir %{_libdir}/security
@ -167,6 +171,8 @@ cp %{SOURCE18} .
 %patch52 -p1 -b .add-pam_usertype
 %patch53 -p1 -b .add-pam_usertype-backport
 %patch54 -p1 -b .pam_selinux-check-unknown-objects
 %patch55 -p1 -b .audit-error
 %patch56 -p1 -b .pam-modutil-close-write
 autoreconf -i
@ -419,6 +425,10 @@ done
 %doc doc/sag/*.txt doc/sag/html
 %changelog
 * Thu May 14 2020 Iker Pedrosa <ipedrosa@redhat.com> 1.3.1-26
 - pam_tty_audit: if kernel audit is disabled return PAM_IGNORE (#1775357)
 - pam_modutil_sanitize_helper_fds: fix SIGPIPE effect of PAM_MODUTIL_PIPE_FD (#1791970)
 * Thu Apr 23 2020 Iker Pedrosa <ipedrosa@redhat.com> - 1.3.1-25
 - docs: splitted documentation in subpackage -docs