- do not ask for blank password when SELinux confined (#254044)
- initialize homedirs in namespace init script (original patch by dwalsh)
This commit is contained in:
parent
a47d5ca5e4
commit
9e1a698edf
29
pam-0.99.7.1-namespace-homedir.patch
Normal file
29
pam-0.99.7.1-namespace-homedir.patch
Normal file
@ -0,0 +1,29 @@
|
||||
diff -up Linux-PAM-0.99.7.1/modules/pam_namespace/namespace.init.namespace_homedir Linux-PAM-0.99.7.1/modules/pam_namespace/namespace.init
|
||||
--- Linux-PAM-0.99.7.1/modules/pam_namespace/namespace.init.namespace_homedir 2007-08-23 15:49:45.000000000 -0400
|
||||
+++ Linux-PAM-0.99.7.1/modules/pam_namespace/namespace.init 2007-08-23 15:51:56.000000000 -0400
|
||||
@@ -1,6 +1,23 @@
|
||||
#!/bin/sh -p
|
||||
-# This is only a boilerplate for the instance initialization script.
|
||||
-# It receives polydir path as $1 and the instance path as $2.
|
||||
+# It receives polydir path as $1 and the instance path as $2,
|
||||
+# $3 is an indicatory whether $2 is a newly created directory,
|
||||
+# $4 is the user who is logging in.
|
||||
+#
|
||||
+# The following section will copy the contents of /etc/skel if this is a
|
||||
+# newly created home directory.
|
||||
+if [ "$3" = 1 ]; then
|
||||
+ user="$4"
|
||||
+ passwd=$(getent passwd "$user")
|
||||
+ homedir=$(echo "$passwd" | cut -f6 -d":")
|
||||
+ if [ "$1" = "$homedir" ]; then
|
||||
+ gid=$(echo "$passwd" | cut -f4 -d":")
|
||||
+ cp -aT /etc/skel "$homedir"
|
||||
+ [ -x /sbin/restorecon ] && /sbin/restorecon -R "$homedir"
|
||||
+ chown -R "$user":"$gid" "$homedir"
|
||||
+ mode=$(awk '/^UMASK/{gsub("#.*$", "", $2); printf "%o", and(0777,compl(strtonum("0" $2))); exit}' /etc/login.defs)
|
||||
+ chmod ${mode:-700} "$homedir"
|
||||
+ fi
|
||||
+fi
|
||||
#
|
||||
# If you intend to polyinstantiate /tmp and you also want to use the X windows
|
||||
# environment, you will have to use this script to bind mount the socket that
|
65
pam-0.99.8.1-unix-blankpass.patch
Normal file
65
pam-0.99.8.1-unix-blankpass.patch
Normal file
@ -0,0 +1,65 @@
|
||||
diff -up Linux-PAM-0.99.8.1/modules/pam_unix/unix_chkpwd.c.blankpass Linux-PAM-0.99.8.1/modules/pam_unix/unix_chkpwd.c
|
||||
--- Linux-PAM-0.99.8.1/modules/pam_unix/unix_chkpwd.c.blankpass 2007-08-22 18:45:17.000000000 +0200
|
||||
+++ Linux-PAM-0.99.8.1/modules/pam_unix/unix_chkpwd.c 2007-08-24 10:21:54.000000000 +0200
|
||||
@@ -48,7 +48,7 @@ int main(int argc, char *argv[])
|
||||
char pass[MAXPASS + 1];
|
||||
char *option;
|
||||
int npass, nullok;
|
||||
- int force_failure = 0;
|
||||
+ int blankpass = 0;
|
||||
int retval = PAM_AUTH_ERR;
|
||||
char *user;
|
||||
char *passwords[] = { pass };
|
||||
@@ -113,6 +113,10 @@ int main(int argc, char *argv[])
|
||||
if (npass != 1) { /* is it a valid password? */
|
||||
_log_err(LOG_DEBUG, "no valid password supplied");
|
||||
}
|
||||
+
|
||||
+ if (*pass == '\0') {
|
||||
+ blankpass = 1;
|
||||
+ }
|
||||
|
||||
retval = _unix_verify_password(user, pass, nullok);
|
||||
|
||||
@@ -120,8 +124,11 @@ int main(int argc, char *argv[])
|
||||
|
||||
/* return pass or fail */
|
||||
|
||||
- if ((retval != PAM_SUCCESS) || force_failure) {
|
||||
- _log_err(LOG_NOTICE, "password check failed for user (%s)", user);
|
||||
+ if (retval != PAM_SUCCESS) {
|
||||
+ /* don't log if it is a test for blank password */
|
||||
+ if (!blankpass) {
|
||||
+ _log_err(LOG_NOTICE, "password check failed for user (%s)", user);
|
||||
+ }
|
||||
return PAM_AUTH_ERR;
|
||||
} else {
|
||||
return PAM_SUCCESS;
|
||||
diff -up Linux-PAM-0.99.8.1/modules/pam_unix/support.c.blankpass Linux-PAM-0.99.8.1/modules/pam_unix/support.c
|
||||
--- Linux-PAM-0.99.8.1/modules/pam_unix/support.c.blankpass 2007-08-22 18:45:17.000000000 +0200
|
||||
+++ Linux-PAM-0.99.8.1/modules/pam_unix/support.c 2007-08-24 10:38:09.000000000 +0200
|
||||
@@ -36,6 +36,9 @@
|
||||
#define SELINUX_ENABLED 0
|
||||
#endif
|
||||
|
||||
+static int _unix_run_helper_binary(pam_handle_t *pamh, const char *passwd,
|
||||
+ unsigned int ctrl, const char *user);
|
||||
+
|
||||
/* this is a front-end for module-application conversations */
|
||||
|
||||
int _make_remark(pam_handle_t * pamh, unsigned int ctrl,
|
||||
@@ -441,6 +444,14 @@ _unix_blankpasswd (pam_handle_t *pamh, u
|
||||
* if shadowing is enabled
|
||||
*/
|
||||
spwdent = pam_modutil_getspnam(pamh, name);
|
||||
+ if (spwdent == NULL && (geteuid() || SELINUX_ENABLED)) {
|
||||
+ /* we are not root perhaps this is the reason? Run helper */
|
||||
+ D(("running helper binary"));
|
||||
+ if (_unix_run_helper_binary(pamh, "", ctrl, name) == PAM_SUCCESS)
|
||||
+ return 1;
|
||||
+ else
|
||||
+ return 0;
|
||||
+ }
|
||||
}
|
||||
if (spwdent)
|
||||
salt = x_strdup(spwdent->sp_pwdp);
|
10
pam.spec
10
pam.spec
@ -11,7 +11,7 @@
|
||||
Summary: A security tool which provides authentication for applications
|
||||
Name: pam
|
||||
Version: 0.99.8.1
|
||||
Release: 5%{?dist}
|
||||
Release: 6%{?dist}
|
||||
# The library is BSD licensed with option to relicense as GPLv2+ - this option is redundant
|
||||
# as the BSD license allows that anyway. pam_timestamp and pam_console modules are GPLv2+,
|
||||
# pam_rhosts_auth module is BSD with advertising
|
||||
@ -33,12 +33,14 @@ Patch4: pam-0.99.8.1-dbpam.patch
|
||||
Patch5: pam-0.99.8.1-audit-no-log.patch
|
||||
Patch24: pam-0.99.8.1-unix-update-helper.patch
|
||||
Patch25: pam-0.99.7.1-unix-hpux-aging.patch
|
||||
Patch26: pam-0.99.8.1-unix-blankpass.patch
|
||||
Patch31: pam-0.99.3.0-cracklib-try-first-pass.patch
|
||||
Patch32: pam-0.99.3.0-tally-fail-close.patch
|
||||
Patch40: pam-0.99.7.1-namespace-temp-logon.patch
|
||||
Patch41: pam-0.99.8.1-namespace-init.patch
|
||||
Patch42: pam-0.99.8.1-console-hal-handled.patch
|
||||
Patch43: pam-0.99.8.1-console-mfd-scanners.patch
|
||||
Patch44: pam-0.99.7.1-namespace-homedir.patch
|
||||
|
||||
BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n)
|
||||
Requires: cracklib, cracklib-dicts >= 2.8
|
||||
@ -97,12 +99,14 @@ cp %{SOURCE7} .
|
||||
%patch5 -p1 -b .no-log
|
||||
%patch24 -p1 -b .update-helper
|
||||
%patch25 -p1 -b .unix-hpux-aging
|
||||
%patch26 -p1 -b .blankpass
|
||||
%patch31 -p1 -b .try-first-pass
|
||||
%patch32 -p1 -b .fail-close
|
||||
%patch40 -p1 -b .temp-logon
|
||||
%patch41 -p1 -b .ns-init
|
||||
%patch42 -p1 -b .hal-handled
|
||||
%patch43 -p1 -b .mfd-scanners
|
||||
%patch44 -p1 -b .homedir
|
||||
|
||||
autoreconf
|
||||
|
||||
@ -393,6 +397,10 @@ fi
|
||||
%doc doc/adg/*.txt doc/adg/html
|
||||
|
||||
%changelog
|
||||
* Fri Aug 24 2007 Tomas Mraz <tmraz@redhat.com> 0.99.8.1-6
|
||||
- do not ask for blank password when SELinux confined (#254044)
|
||||
- initialize homedirs in namespace init script (original patch by dwalsh)
|
||||
|
||||
* Wed Aug 22 2007 Tomas Mraz <tmraz@redhat.com> 0.99.8.1-5
|
||||
- most devices are now handled by HAL and not pam_console (patch by davidz)
|
||||
- license tag fix
|
||||
|
Loading…
Reference in New Issue
Block a user