- do not ask for blank password when SELinux confined (#254044)

- initialize homedirs in namespace init script (original patch by dwalsh)
This commit is contained in:
Tomáš Mráz 2007-08-24 13:15:01 +00:00
parent a47d5ca5e4
commit 9e1a698edf
3 changed files with 103 additions and 1 deletions

View File

@ -0,0 +1,29 @@
diff -up Linux-PAM-0.99.7.1/modules/pam_namespace/namespace.init.namespace_homedir Linux-PAM-0.99.7.1/modules/pam_namespace/namespace.init
--- Linux-PAM-0.99.7.1/modules/pam_namespace/namespace.init.namespace_homedir 2007-08-23 15:49:45.000000000 -0400
+++ Linux-PAM-0.99.7.1/modules/pam_namespace/namespace.init 2007-08-23 15:51:56.000000000 -0400
@@ -1,6 +1,23 @@
#!/bin/sh -p
-# This is only a boilerplate for the instance initialization script.
-# It receives polydir path as $1 and the instance path as $2.
+# It receives polydir path as $1 and the instance path as $2,
+# $3 is an indicatory whether $2 is a newly created directory,
+# $4 is the user who is logging in.
+#
+# The following section will copy the contents of /etc/skel if this is a
+# newly created home directory.
+if [ "$3" = 1 ]; then
+ user="$4"
+ passwd=$(getent passwd "$user")
+ homedir=$(echo "$passwd" | cut -f6 -d":")
+ if [ "$1" = "$homedir" ]; then
+ gid=$(echo "$passwd" | cut -f4 -d":")
+ cp -aT /etc/skel "$homedir"
+ [ -x /sbin/restorecon ] && /sbin/restorecon -R "$homedir"
+ chown -R "$user":"$gid" "$homedir"
+ mode=$(awk '/^UMASK/{gsub("#.*$", "", $2); printf "%o", and(0777,compl(strtonum("0" $2))); exit}' /etc/login.defs)
+ chmod ${mode:-700} "$homedir"
+ fi
+fi
#
# If you intend to polyinstantiate /tmp and you also want to use the X windows
# environment, you will have to use this script to bind mount the socket that

View File

@ -0,0 +1,65 @@
diff -up Linux-PAM-0.99.8.1/modules/pam_unix/unix_chkpwd.c.blankpass Linux-PAM-0.99.8.1/modules/pam_unix/unix_chkpwd.c
--- Linux-PAM-0.99.8.1/modules/pam_unix/unix_chkpwd.c.blankpass 2007-08-22 18:45:17.000000000 +0200
+++ Linux-PAM-0.99.8.1/modules/pam_unix/unix_chkpwd.c 2007-08-24 10:21:54.000000000 +0200
@@ -48,7 +48,7 @@ int main(int argc, char *argv[])
char pass[MAXPASS + 1];
char *option;
int npass, nullok;
- int force_failure = 0;
+ int blankpass = 0;
int retval = PAM_AUTH_ERR;
char *user;
char *passwords[] = { pass };
@@ -113,6 +113,10 @@ int main(int argc, char *argv[])
if (npass != 1) { /* is it a valid password? */
_log_err(LOG_DEBUG, "no valid password supplied");
}
+
+ if (*pass == '\0') {
+ blankpass = 1;
+ }
retval = _unix_verify_password(user, pass, nullok);
@@ -120,8 +124,11 @@ int main(int argc, char *argv[])
/* return pass or fail */
- if ((retval != PAM_SUCCESS) || force_failure) {
- _log_err(LOG_NOTICE, "password check failed for user (%s)", user);
+ if (retval != PAM_SUCCESS) {
+ /* don't log if it is a test for blank password */
+ if (!blankpass) {
+ _log_err(LOG_NOTICE, "password check failed for user (%s)", user);
+ }
return PAM_AUTH_ERR;
} else {
return PAM_SUCCESS;
diff -up Linux-PAM-0.99.8.1/modules/pam_unix/support.c.blankpass Linux-PAM-0.99.8.1/modules/pam_unix/support.c
--- Linux-PAM-0.99.8.1/modules/pam_unix/support.c.blankpass 2007-08-22 18:45:17.000000000 +0200
+++ Linux-PAM-0.99.8.1/modules/pam_unix/support.c 2007-08-24 10:38:09.000000000 +0200
@@ -36,6 +36,9 @@
#define SELINUX_ENABLED 0
#endif
+static int _unix_run_helper_binary(pam_handle_t *pamh, const char *passwd,
+ unsigned int ctrl, const char *user);
+
/* this is a front-end for module-application conversations */
int _make_remark(pam_handle_t * pamh, unsigned int ctrl,
@@ -441,6 +444,14 @@ _unix_blankpasswd (pam_handle_t *pamh, u
* if shadowing is enabled
*/
spwdent = pam_modutil_getspnam(pamh, name);
+ if (spwdent == NULL && (geteuid() || SELINUX_ENABLED)) {
+ /* we are not root perhaps this is the reason? Run helper */
+ D(("running helper binary"));
+ if (_unix_run_helper_binary(pamh, "", ctrl, name) == PAM_SUCCESS)
+ return 1;
+ else
+ return 0;
+ }
}
if (spwdent)
salt = x_strdup(spwdent->sp_pwdp);

View File

@ -11,7 +11,7 @@
Summary: A security tool which provides authentication for applications
Name: pam
Version: 0.99.8.1
Release: 5%{?dist}
Release: 6%{?dist}
# The library is BSD licensed with option to relicense as GPLv2+ - this option is redundant
# as the BSD license allows that anyway. pam_timestamp and pam_console modules are GPLv2+,
# pam_rhosts_auth module is BSD with advertising
@ -33,12 +33,14 @@ Patch4: pam-0.99.8.1-dbpam.patch
Patch5: pam-0.99.8.1-audit-no-log.patch
Patch24: pam-0.99.8.1-unix-update-helper.patch
Patch25: pam-0.99.7.1-unix-hpux-aging.patch
Patch26: pam-0.99.8.1-unix-blankpass.patch
Patch31: pam-0.99.3.0-cracklib-try-first-pass.patch
Patch32: pam-0.99.3.0-tally-fail-close.patch
Patch40: pam-0.99.7.1-namespace-temp-logon.patch
Patch41: pam-0.99.8.1-namespace-init.patch
Patch42: pam-0.99.8.1-console-hal-handled.patch
Patch43: pam-0.99.8.1-console-mfd-scanners.patch
Patch44: pam-0.99.7.1-namespace-homedir.patch
BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n)
Requires: cracklib, cracklib-dicts >= 2.8
@ -97,12 +99,14 @@ cp %{SOURCE7} .
%patch5 -p1 -b .no-log
%patch24 -p1 -b .update-helper
%patch25 -p1 -b .unix-hpux-aging
%patch26 -p1 -b .blankpass
%patch31 -p1 -b .try-first-pass
%patch32 -p1 -b .fail-close
%patch40 -p1 -b .temp-logon
%patch41 -p1 -b .ns-init
%patch42 -p1 -b .hal-handled
%patch43 -p1 -b .mfd-scanners
%patch44 -p1 -b .homedir
autoreconf
@ -393,6 +397,10 @@ fi
%doc doc/adg/*.txt doc/adg/html
%changelog
* Fri Aug 24 2007 Tomas Mraz <tmraz@redhat.com> 0.99.8.1-6
- do not ask for blank password when SELinux confined (#254044)
- initialize homedirs in namespace init script (original patch by dwalsh)
* Wed Aug 22 2007 Tomas Mraz <tmraz@redhat.com> 0.99.8.1-5
- most devices are now handled by HAL and not pam_console (patch by davidz)
- license tag fix