- do not ask for blank password when SELinux confined (#254044)

- initialize homedirs in namespace init script (original patch by dwalsh)

pam-0.99.7.1-namespace-homedir.patch

@@ -0,0 +1,29 @@
+diff -up Linux-PAM-0.99.7.1/modules/pam_namespace/namespace.init.namespace_homedir Linux-PAM-0.99.7.1/modules/pam_namespace/namespace.init
+--- Linux-PAM-0.99.7.1/modules/pam_namespace/namespace.init.namespace_homedir	2007-08-23 15:49:45.000000000 -0400
++++ Linux-PAM-0.99.7.1/modules/pam_namespace/namespace.init	2007-08-23 15:51:56.000000000 -0400
+@@ -1,6 +1,23 @@
+ #!/bin/sh -p
+-# This is only a boilerplate for the instance initialization script.
+-# It receives polydir path as $1 and the instance path as $2.
++# It receives polydir path as $1 and the instance path as $2,
++# $3 is an indicatory whether $2 is a newly created directory,
++# $4 is the user who is logging in.
++#
++# The following section will copy the contents of /etc/skel if this is a
++# newly created home directory.
++if [ "$3" = 1 ]; then
++        user="$4"
++        passwd=$(getent passwd "$user")
++        homedir=$(echo "$passwd" | cut -f6 -d":")
++        if [ "$1" = "$homedir" ]; then
++                gid=$(echo "$passwd" | cut -f4 -d":")
++                cp -aT /etc/skel "$homedir"
++                [ -x /sbin/restorecon ] && /sbin/restorecon -R "$homedir"
++                chown -R "$user":"$gid" "$homedir"
++                mode=$(awk '/^UMASK/{gsub("#.*$", "", $2); printf "%o", and(0777,compl(strtonum("0" $2))); exit}' /etc/login.defs)
++                chmod ${mode:-700} "$homedir"
++        fi
++fi
+ #
+ # If you intend to polyinstantiate /tmp and you also want to use the X windows
+ # environment, you will have to use this script to bind mount the socket that

pam-0.99.8.1-unix-blankpass.patch

@@ -0,0 +1,65 @@
+diff -up Linux-PAM-0.99.8.1/modules/pam_unix/unix_chkpwd.c.blankpass Linux-PAM-0.99.8.1/modules/pam_unix/unix_chkpwd.c
+--- Linux-PAM-0.99.8.1/modules/pam_unix/unix_chkpwd.c.blankpass	2007-08-22 18:45:17.000000000 +0200
++++ Linux-PAM-0.99.8.1/modules/pam_unix/unix_chkpwd.c	2007-08-24 10:21:54.000000000 +0200
+@@ -48,7 +48,7 @@ int main(int argc, char *argv[])
+ 	char pass[MAXPASS + 1];
+ 	char *option;
+ 	int npass, nullok;
+-	int force_failure = 0;
++	int blankpass = 0;
+ 	int retval = PAM_AUTH_ERR;
+ 	char *user;
+ 	char *passwords[] = { pass };
+@@ -113,6 +113,10 @@ int main(int argc, char *argv[])
+ 	if (npass != 1) {	/* is it a valid password? */
+ 		_log_err(LOG_DEBUG, "no valid password supplied");
+ 	}
++	
++	if (*pass == '\0') {
++		blankpass = 1;
++	}
+ 
+ 	retval = _unix_verify_password(user, pass, nullok);
+ 
+@@ -120,8 +124,11 @@ int main(int argc, char *argv[])
+ 
+ 	/* return pass or fail */
+ 
+-	if ((retval != PAM_SUCCESS) || force_failure) {
+-	    _log_err(LOG_NOTICE, "password check failed for user (%s)", user);
++	if (retval != PAM_SUCCESS) {
++	    /* don't log if it is a test for blank password */
++	    if (!blankpass) {
++		_log_err(LOG_NOTICE, "password check failed for user (%s)", user);
++	    }
+ 	    return PAM_AUTH_ERR;
+ 	} else {
+ 	    return PAM_SUCCESS;
+diff -up Linux-PAM-0.99.8.1/modules/pam_unix/support.c.blankpass Linux-PAM-0.99.8.1/modules/pam_unix/support.c
+--- Linux-PAM-0.99.8.1/modules/pam_unix/support.c.blankpass	2007-08-22 18:45:17.000000000 +0200
++++ Linux-PAM-0.99.8.1/modules/pam_unix/support.c	2007-08-24 10:38:09.000000000 +0200
+@@ -36,6 +36,9 @@
+ #define SELINUX_ENABLED 0
+ #endif
+ 
++static int _unix_run_helper_binary(pam_handle_t *pamh, const char *passwd,
++				   unsigned int ctrl, const char *user);
++
+ /* this is a front-end for module-application conversations */
+ 
+ int _make_remark(pam_handle_t * pamh, unsigned int ctrl,
+@@ -441,6 +444,14 @@ _unix_blankpasswd (pam_handle_t *pamh, u
+ 			 * if shadowing is enabled
+ 			 */
+ 			spwdent = pam_modutil_getspnam(pamh, name);
++			if (spwdent == NULL && (geteuid() || SELINUX_ENABLED)) {
++				/* we are not root perhaps this is the reason? Run helper */
++				D(("running helper binary"));
++				if (_unix_run_helper_binary(pamh, "", ctrl, name) == PAM_SUCCESS)
++					return 1;
++				else
++					return 0;
++			}
+ 		}
+ 		if (spwdent)
+ 			salt = x_strdup(spwdent->sp_pwdp);

pam.spec

@@ -11,7 +11,7 @@
 Summary: A security tool which provides authentication for applications
 Name: pam
 Version: 0.99.8.1
-Release: 5%{?dist}
+Release: 6%{?dist}
 # The library is BSD licensed with option to relicense as GPLv2+ - this option is redundant
 # as the BSD license allows that anyway. pam_timestamp and pam_console modules are GPLv2+,
 # pam_rhosts_auth module is BSD with advertising
@@ -33,12 +33,14 @@ Patch4:  pam-0.99.8.1-dbpam.patch
 Patch5:  pam-0.99.8.1-audit-no-log.patch
 Patch24: pam-0.99.8.1-unix-update-helper.patch
 Patch25: pam-0.99.7.1-unix-hpux-aging.patch
+Patch26: pam-0.99.8.1-unix-blankpass.patch
 Patch31: pam-0.99.3.0-cracklib-try-first-pass.patch
 Patch32: pam-0.99.3.0-tally-fail-close.patch
 Patch40: pam-0.99.7.1-namespace-temp-logon.patch
 Patch41: pam-0.99.8.1-namespace-init.patch
 Patch42: pam-0.99.8.1-console-hal-handled.patch
 Patch43: pam-0.99.8.1-console-mfd-scanners.patch
+Patch44: pam-0.99.7.1-namespace-homedir.patch
 
 BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n)
 Requires: cracklib, cracklib-dicts >= 2.8
@@ -97,12 +99,14 @@ cp %{SOURCE7} .
 %patch5 -p1 -b .no-log
 %patch24 -p1 -b .update-helper
 %patch25 -p1 -b .unix-hpux-aging
+%patch26 -p1 -b .blankpass
 %patch31 -p1 -b .try-first-pass
 %patch32 -p1 -b .fail-close
 %patch40 -p1 -b .temp-logon
 %patch41 -p1 -b .ns-init
 %patch42 -p1 -b .hal-handled
 %patch43 -p1 -b .mfd-scanners
+%patch44 -p1 -b .homedir
 
 autoreconf
 
@@ -393,6 +397,10 @@ fi
 %doc doc/adg/*.txt doc/adg/html
 
 %changelog
+* Fri Aug 24 2007 Tomas Mraz <tmraz@redhat.com> 0.99.8.1-6
+- do not ask for blank password when SELinux confined (#254044)
+- initialize homedirs in namespace init script (original patch by dwalsh)
+
 * Wed Aug 22 2007 Tomas Mraz <tmraz@redhat.com> 0.99.8.1-5
 - most devices are now handled by HAL and not pam_console (patch by davidz)
 - license tag fix