rpms/pam
7
0
Fork 0
Code Issues Pull Requests Releases Activity

- pam_console: always decrement use count (#230823)

Browse Source 
- pam_namespace: use raw context for poly dir name (#227345)
- pam_namespace: truncate long poly dir name (append hash) (#230120)
- we don't patch any po files anymore
This commit is contained in:
Tomáš Mráz 2007-03-23 11:02:35 +00:00
parent 71ab958a92
commit a28e30cbc4
3 changed files with 282 additions and 5 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

206
pam-0.99.6.2-namespace-dirnames.patch Normal file
View File

@ -0,0 +1,206 @@
--- Linux-PAM-0.99.6.2/modules/pam_namespace/pam_namespace.h.dirnames 2007-02-26 23:31:26.000000000 +0100
+++ Linux-PAM-0.99.6.2/modules/pam_namespace/pam_namespace.h 2007-02-27 00:40:04.000000000 +0100
@@ -89,6 +89,8 @@
#define PAMNS_IGN_INST_PARENT_MODE 0x00008000 /* Ignore instance parent mode */
#define PAMNS_NO_UNMOUNT_ON_CLOSE 0x00010000 /* no unmount at session close */
+#define NAMESPACE_MAX_DIR_LEN 80
+
/*
* Polyinstantiation method options, based on user, security context
* or both
--- Linux-PAM-0.99.6.2/modules/pam_namespace/pam_namespace.c.dirnames 2007-02-26 23:31:26.000000000 +0100
+++ Linux-PAM-0.99.6.2/modules/pam_namespace/pam_namespace.c 2007-02-27 00:39:51.000000000 +0100
@@ -436,6 +436,36 @@
return 0;
}
+/*
+ * md5hash generates a hash of the passed in instance directory name.
+ */
+static char *md5hash(const char *instname, struct instance_data *idata)
+{
+ int i;
+ char *md5inst = NULL;
+ char *to;
+ unsigned char inst_digest[MD5_DIGEST_LENGTH];
+
+ /*
+ * Create MD5 hashes for instance pathname.
+ */
+
+ MD5((const unsigned char *)instname, strlen(instname), inst_digest);
+
+ if ((md5inst = malloc(MD5_DIGEST_LENGTH * 2 + 1)) == NULL) {
+ pam_syslog(idata->pamh, LOG_ERR, "Unable to allocate buffer");
+ return NULL;
+ }
+
+ to = md5inst;
+ for (i = 0; i < MD5_DIGEST_LENGTH; i++) {
+ snprintf(to, 3, "%02x", (unsigned int)inst_digest[i]);
+ to += 2;
+ }
+
+ return md5inst;
+}
+
#ifdef WITH_SELINUX
static int form_context(const struct polydir_s *polyptr,
security_context_t *i_context, security_context_t *origcon,
@@ -547,12 +577,21 @@
#endif
{
int rc;
+ char *hash = NULL;
+#ifdef WITH_SELINUX
+ security_context_t rawcon = NULL;
+#endif
-# ifdef WITH_SELINUX
- rc = form_context(polyptr, i_context, origcon, idata);
+ *i_name = NULL;
+#ifdef WITH_SELINUX
+ *i_context = NULL;
+ *origcon = NULL;
+ if ((rc=form_context(polyptr, i_context, origcon, idata)) != PAM_SUCCESS) {
+ return rc;
+ }
#endif
- rc = PAM_SUCCESS;
+ rc = PAM_SESSION_ERR;
/*
* Set the name of the polyinstantiated instance dir based on the
* polyinstantiation method.
@@ -561,16 +600,20 @@
case USER:
if (asprintf(i_name, "%s", idata->user) < 0) {
*i_name = NULL;
- rc = PAM_SESSION_ERR;
- }
+ goto fail;
+ }
break;
#ifdef WITH_SELINUX
case LEVEL:
case CONTEXT:
- if (asprintf(i_name, "%s_%s", *i_context, idata->user) < 0) {
+ if (selinux_trans_to_raw_context(*i_context, &rawcon) < 0) {
+ pam_syslog(idata->pamh, LOG_ERR, "Error translating directory context");
+ goto fail;
+ }
+ if (asprintf(i_name, "%s_%s", rawcon, idata->user) < 0) {
*i_name = NULL;
- rc = PAM_SESSION_ERR;
+ goto fail;
}
break;
@@ -579,12 +622,48 @@
default:
if (idata->flags & PAMNS_DEBUG)
pam_syslog(idata->pamh, LOG_ERR, "Unknown method");
- rc = PAM_SESSION_ERR;
+ goto fail;
}
- if ((idata->flags & PAMNS_DEBUG) && rc == PAM_SUCCESS)
+ if (idata->flags & PAMNS_DEBUG)
pam_syslog(idata->pamh, LOG_DEBUG, "poly_name %s", *i_name);
+ if ((idata->flags & PAMNS_GEN_HASH) || strlen(*i_name) > NAMESPACE_MAX_DIR_LEN) {
+ hash = md5hash(*i_name, idata);
+ if (hash == NULL) {
+ goto fail;
+ }
+ if (idata->flags & PAMNS_GEN_HASH) {
+ free(*i_name);
+ *i_name = hash;
+ hash = NULL;
+ } else {
+ char *newname;
+ if (asprintf(&newname, "%.*s_%s", NAMESPACE_MAX_DIR_LEN-1-strlen(hash),
+ *i_name, hash) < 0) {
+ goto fail;
+ }
+ free(*i_name);
+ *i_name = newname;
+ }
+ }
+ rc = PAM_SUCCESS;
+
+fail:
+ free(hash);
+#ifdef WITH_SELINUX
+ freecon(rawcon);
+#endif
+ if (rc != PAM_SUCCESS) {
+#ifdef WITH_SELINUX
+ freecon(*i_context);
+ *i_context = NULL;
+ freecon(*origcon);
+ *origcon = NULL;
+#endif
+ free(*i_name);
+ *i_name = NULL;
+ }
return rc;
}
@@ -832,39 +911,6 @@
/*
- * md5hash generates a hash of the passed in instance directory name.
- */
-static int md5hash(char **instname, struct instance_data *idata)
-{
- int i;
- char *md5inst = NULL;
- char *to;
- unsigned char inst_digest[MD5_DIGEST_LENGTH];
-
- /*
- * Create MD5 hashes for instance pathname.
- */
-
- MD5((unsigned char *)*instname, strlen(*instname), inst_digest);
-
- if ((md5inst = malloc(MD5_DIGEST_LENGTH * 2 + 1)) == NULL) {
- pam_syslog(idata->pamh, LOG_ERR, "Unable to allocate buffer");
- return PAM_SESSION_ERR;
- }
-
- to = md5inst;
- for (i = 0; i < MD5_DIGEST_LENGTH; i++) {
- snprintf(to, 3, "%02x", (unsigned int)inst_digest[i]);
- to += 3;
- }
-
- free(*instname);
- *instname = md5inst;
-
- return PAM_SUCCESS;
-}
-
-/*
* This function performs the namespace setup for a particular directory
* that is being polyinstantiated. It creates an MD5 hash of instance
* directory, calls create_dirs to create it with appropriate
@@ -914,14 +960,6 @@
#endif
}
- if (idata->flags & PAMNS_GEN_HASH) {
- retval = md5hash(&instname, idata);
- if (retval < 0) {
- pam_syslog(idata->pamh, LOG_ERR, "Error generating md5 hash");
- goto error_out;
- }
- }
-
if (asprintf(&inst_dir, "%s%s", polyptr->instance_prefix, instname) < 0)
goto error_out;

65
pam-0.99.7.1-console-decrement.patch Normal file
View File

@ -0,0 +1,65 @@
--- Linux-PAM-0.99.7.1/modules/pam_console/pam_console.c.decrement 2006-05-10 11:32:40.000000000 +0200
+++ Linux-PAM-0.99.7.1/modules/pam_console/pam_console.c 2007-03-23 11:14:53.000000000 +0100
@@ -19,7 +19,7 @@
*
* /var/run/console/<username> is used for reference counting
* and to make console authentication easy -- if it exists, then
- * <username> has console access.
+ * <username> is logged on console.
*
* A system startup script should remove /var/run/console/console.lock
* and everything in /var/run/console/
@@ -560,7 +560,7 @@
*/
int fd;
int count = 0;
- int err;
+ int err = PAM_SUCCESS;
int delete_consolelock = 0;
const char *username = NULL, *user_prompt;
char *lockfile = NULL;
@@ -605,7 +605,8 @@
_pam_log(pamh, LOG_ERR, FALSE,
"\"impossible\" fstat error on %s", consolelock);
close(fd);
- err = PAM_SESSION_ERR; goto return_error;
+ err = PAM_SESSION_ERR;
+ goto decrement;
}
consoleuser = _do_malloc(st.st_size+1);
if (st.st_size) {
@@ -614,7 +615,7 @@
"\"impossible\" read error on %s", consolelock);
err = PAM_SESSION_ERR;
close(fd);
- goto return_error;
+ goto decrement;
}
consoleuser[st.st_size] = '\0';
}
@@ -627,23 +628,19 @@
*/
console_run_handlers(pamh, FALSE, username, tty);
}
- } else {
- /* didn't open file */
- err = PAM_SESSION_ERR;
- goto return_error;
}
}
+decrement:
count = use_count(pamh, lockfile, -1, 1);
if (count < 1 && delete_consolelock) {
if (unlink(consolelock)) {
_pam_log(pamh, LOG_ERR, FALSE,
"\"impossible\" unlink error on %s", consolelock);
- err = PAM_SESSION_ERR; goto return_error;
+ err = PAM_SESSION_ERR;
}
}
- err = PAM_SUCCESS;
return_error:
if (lockfile) free(lockfile);
if (consoleuser) free (consoleuser);

16
pam.spec
View File

@ -11,7 +11,7 @@
Summary: A security tool which provides authentication for applications
Name: pam
Version: 0.99.7.1
Release: 3%{?dist}
Release: 4%{?dist}
License: GPL or BSD
Group: System Environment/Base
Source0: http://ftp.us.kernel.org/pub/linux/libs/pam/pre/library/Linux-PAM-%{version}.tar.bz2
@ -26,6 +26,7 @@ Source9: system-auth.5
Source10: config-util.5
Patch1: pam-0.99.7.0-redhat-modules.patch
Patch2: pam-0.99.7.1-console-more-displays.patch
Patch3: pam-0.99.7.1-console-decrement.patch
Patch21: pam-0.78-unix-hpux-aging.patch
Patch22: pam-0.99.7.1-unix-allow-pwmodify.patch
Patch23: pam-0.99.7.1-unix-bigcrypt.patch
@ -41,6 +42,7 @@ Patch92: pam-0.99.6.2-selinux-select-context.patch
Patch93: pam-0.99.7.0-namespace-level.patch
Patch94: pam-0.99.7.0-namespace-unmnt-override.patch
Patch95: pam-0.99.6.2-selinux-use-current-range.patch
Patch96: pam-0.99.6.2-namespace-dirnames.patch
BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n)
Requires: cracklib, cracklib-dicts >= 2.8
@ -95,6 +97,7 @@ cp %{SOURCE7} .
%patch1 -p1 -b .redhat-modules
%patch2 -p1 -b .displays
%patch3 -p1 -b .decrement
%patch21 -p1 -b .unix-hpux-aging
%patch22 -p1 -b .pwmodify
%patch23 -p1 -b .bigcrypt
@ -110,6 +113,7 @@ cp %{SOURCE7} .
%patch93 -p1 -b .level
%patch94 -p1 -b .unmnt-override
%patch95 -p1 -b .range
%patch96 -p1 -b .dirnames
autoreconf
@ -149,10 +153,6 @@ LDFLAGS=-L${topdir}/%{_lib} ; export LDFLAGS
--libdir=/%{_lib} \
--includedir=%{_includedir}/security \
--enable-isadir=../../%{_lib}/security
# we must explicitely update-gmo as we patch a po file
pushd po
make update-gmo
popd
make
%install
@ -402,6 +402,12 @@ fi
%doc doc/adg/*.txt doc/adg/html
%changelog
* Fri Mar 23 2007 Tomas Mraz <tmraz@redhat.com> 0.99.7.1-4
- pam_console: always decrement use count (#230823)
- pam_namespace: use raw context for poly dir name (#227345)
- pam_namespace: truncate long poly dir name (append hash) (#230120)
- we don't patch any po files anymore
* Wed Feb 21 2007 Tomas Mraz <tmraz@redhat.com> 0.99.7.1-3
- correctly relabel tty in the default case (#229542)
- pam_unix: cleanup of bigcrypt support