From a28e30cbc4d8e9e668ba9438d41f6dfeba3ec743 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Tom=C3=A1=C5=A1=20Mr=C3=A1z?= Date: Fri, 23 Mar 2007 11:02:35 +0000 Subject: [PATCH] - pam_console: always decrement use count (#230823) - pam_namespace: use raw context for poly dir name (#227345) - pam_namespace: truncate long poly dir name (append hash) (#230120) - we don't patch any po files anymore --- pam-0.99.6.2-namespace-dirnames.patch | 206 ++++++++++++++++++++++++++ pam-0.99.7.1-console-decrement.patch | 65 ++++++++ pam.spec | 16 +- 3 files changed, 282 insertions(+), 5 deletions(-) create mode 100644 pam-0.99.6.2-namespace-dirnames.patch create mode 100644 pam-0.99.7.1-console-decrement.patch diff --git a/pam-0.99.6.2-namespace-dirnames.patch b/pam-0.99.6.2-namespace-dirnames.patch new file mode 100644 index 0000000..6e224d0 --- /dev/null +++ b/pam-0.99.6.2-namespace-dirnames.patch 
@@ -0,0 +1,206 @@ +--- Linux-PAM-0.99.6.2/modules/pam_namespace/pam_namespace.h.dirnames 2007-02-26 23:31:26.000000000 +0100 ++++ Linux-PAM-0.99.6.2/modules/pam_namespace/pam_namespace.h 2007-02-27 00:40:04.000000000 +0100 +@@ -89,6 +89,8 @@ + #define PAMNS_IGN_INST_PARENT_MODE 0x00008000 /* Ignore instance parent mode */ + #define PAMNS_NO_UNMOUNT_ON_CLOSE 0x00010000 /* no unmount at session close */ + ++#define NAMESPACE_MAX_DIR_LEN 80 ++ + /* + * Polyinstantiation method options, based on user, security context + * or both +--- Linux-PAM-0.99.6.2/modules/pam_namespace/pam_namespace.c.dirnames 2007-02-26 23:31:26.000000000 +0100 ++++ Linux-PAM-0.99.6.2/modules/pam_namespace/pam_namespace.c 2007-02-27 00:39:51.000000000 +0100 +@@ -436,6 +436,36 @@ + return 0; + } + ++/* ++ * md5hash generates a hash of the passed in instance directory name. ++ */ ++static char *md5hash(const char *instname, struct instance_data *idata) ++{ ++ int i; ++ char *md5inst = NULL; ++ char *to; ++ unsigned char inst_digest[MD5_DIGEST_LENGTH]; ++ ++ /* ++ * Create MD5 hashes for instance pathname. 
++ */ ++ ++ MD5((const unsigned char *)instname, strlen(instname), inst_digest); ++ ++ if ((md5inst = malloc(MD5_DIGEST_LENGTH * 2 + 1)) == NULL) { ++ pam_syslog(idata->pamh, LOG_ERR, "Unable to allocate buffer"); ++ return NULL; ++ } ++ ++ to = md5inst; ++ for (i = 0; i < MD5_DIGEST_LENGTH; i++) { ++ snprintf(to, 3, "%02x", (unsigned int)inst_digest[i]); ++ to += 2; ++ } ++ ++ return md5inst; ++} ++ + #ifdef WITH_SELINUX + static int form_context(const struct polydir_s *polyptr, + security_context_t *i_context, security_context_t *origcon, +@@ -547,12 +577,21 @@ + #endif + { + int rc; ++ char *hash = NULL; ++#ifdef WITH_SELINUX ++ security_context_t rawcon = NULL; ++#endif + +-# ifdef WITH_SELINUX +- rc = form_context(polyptr, i_context, origcon, idata); ++ *i_name = NULL; ++#ifdef WITH_SELINUX ++ *i_context = NULL; ++ *origcon = NULL; ++ if ((rc=form_context(polyptr, i_context, origcon, idata)) != PAM_SUCCESS) { ++ return rc; ++ } + #endif +- rc = PAM_SUCCESS; + ++ rc = PAM_SESSION_ERR; + /* + * Set the name of the polyinstantiated instance dir based on the + * polyinstantiation method. 
+@@ -561,16 +600,20 @@ + case USER: + if (asprintf(i_name, "%s", idata->user) < 0) { + *i_name = NULL; +- rc = PAM_SESSION_ERR; +- } ++ goto fail; ++ } + break; + + #ifdef WITH_SELINUX + case LEVEL: + case CONTEXT: +- if (asprintf(i_name, "%s_%s", *i_context, idata->user) < 0) { ++ if (selinux_trans_to_raw_context(*i_context, &rawcon) < 0) { ++ pam_syslog(idata->pamh, LOG_ERR, "Error translating directory context"); ++ goto fail; ++ } ++ if (asprintf(i_name, "%s_%s", rawcon, idata->user) < 0) { + *i_name = NULL; +- rc = PAM_SESSION_ERR; ++ goto fail; + } + break; + +@@ -579,12 +622,48 @@ + default: + if (idata->flags & PAMNS_DEBUG) + pam_syslog(idata->pamh, LOG_ERR, "Unknown method"); +- rc = PAM_SESSION_ERR; ++ goto fail; + } + +- if ((idata->flags & PAMNS_DEBUG) && rc == PAM_SUCCESS) ++ if (idata->flags & PAMNS_DEBUG) + pam_syslog(idata->pamh, LOG_DEBUG, "poly_name %s", *i_name); + ++ if ((idata->flags & PAMNS_GEN_HASH) || strlen(*i_name) > NAMESPACE_MAX_DIR_LEN) { ++ hash = md5hash(*i_name, idata); ++ if (hash == NULL) { ++ goto fail; ++ } ++ if (idata->flags & PAMNS_GEN_HASH) { ++ free(*i_name); ++ *i_name = hash; ++ hash = NULL; ++ } else { ++ char *newname; ++ if (asprintf(&newname, "%.*s_%s", NAMESPACE_MAX_DIR_LEN-1-strlen(hash), ++ *i_name, hash) < 0) { ++ goto fail; ++ } ++ free(*i_name); ++ *i_name = newname; ++ } ++ } ++ rc = PAM_SUCCESS; ++ ++fail: ++ free(hash); ++#ifdef WITH_SELINUX ++ freecon(rawcon); ++#endif ++ if (rc != PAM_SUCCESS) { ++#ifdef WITH_SELINUX ++ freecon(*i_context); ++ *i_context = NULL; ++ freecon(*origcon); ++ *origcon = NULL; ++#endif ++ free(*i_name); ++ *i_name = NULL; ++ } + return rc; + } + +@@ -832,39 +911,6 @@ + + + /* +- * md5hash generates a hash of the passed in instance directory name. +- */ +-static int md5hash(char **instname, struct instance_data *idata) +-{ +- int i; +- char *md5inst = NULL; +- char *to; +- unsigned char inst_digest[MD5_DIGEST_LENGTH]; +- +- /* +- * Create MD5 hashes for instance pathname. 
+- */ +- +- MD5((unsigned char *)*instname, strlen(*instname), inst_digest); +- +- if ((md5inst = malloc(MD5_DIGEST_LENGTH * 2 + 1)) == NULL) { +- pam_syslog(idata->pamh, LOG_ERR, "Unable to allocate buffer"); +- return PAM_SESSION_ERR; +- } +- +- to = md5inst; +- for (i = 0; i < MD5_DIGEST_LENGTH; i++) { +- snprintf(to, 3, "%02x", (unsigned int)inst_digest[i]); +- to += 3; +- } +- +- free(*instname); +- *instname = md5inst; +- +- return PAM_SUCCESS; +-} +- +-/* + * This function performs the namespace setup for a particular directory + * that is being polyinstantiated. It creates an MD5 hash of instance + * directory, calls create_dirs to create it with appropriate +@@ -914,14 +960,6 @@ + #endif + } + +- if (idata->flags & PAMNS_GEN_HASH) { +- retval = md5hash(&instname, idata); +- if (retval < 0) { +- pam_syslog(idata->pamh, LOG_ERR, "Error generating md5 hash"); +- goto error_out; +- } +- } +- + if (asprintf(&inst_dir, "%s%s", polyptr->instance_prefix, instname) < 0) + goto error_out; + diff --git a/pam-0.99.7.1-console-decrement.patch b/pam-0.99.7.1-console-decrement.patch new file mode 100644 index 0000000..345055d --- /dev/null +++ b/pam-0.99.7.1-console-decrement.patch 
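Review bot: In the truncation branch, the `*` precision for `%.*s` is passed as `NAMESPACE_MAX_DIR_LEN-1-strlen(hash)`, which has type `size_t`, but the printf family requires an `int` there. Where the two types differ in width the call has undefined behaviour and the instance directory name may not be cut where intended. Cast the argument: `if (asprintf(&newname, "%.*s_%s", (int)(NAMESPACE_MAX_DIR_LEN - 1 - strlen(hash)), *i_name, hash) < 0) {`. The subtraction is also unsigned, so it wraps silently if `NAMESPACE_MAX_DIR_LEN` is ever set below the hex digest length plus separator; a comment on the `#define` would guard that, e.g. `/* must exceed MD5_DIGEST_LENGTH*2 + 1: long names are cut and suffixed with "_" plus the hex MD5 */`. The enclosing function starts before this hunk, so its signature is not visible here.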
@@ -0,0 +1,65 @@ +--- Linux-PAM-0.99.7.1/modules/pam_console/pam_console.c.decrement 2006-05-10 11:32:40.000000000 +0200 ++++ Linux-PAM-0.99.7.1/modules/pam_console/pam_console.c 2007-03-23 11:14:53.000000000 +0100 +@@ -19,7 +19,7 @@ + * + * /var/run/console/ is used for reference counting + * and to make console authentication easy -- if it exists, then +- * has console access. ++ * is logged on console. + * + * A system startup script should remove /var/run/console/console.lock + * and everything in /var/run/console/ +@@ -560,7 +560,7 @@ + */ + int fd; + int count = 0; +- int err; ++ int err = PAM_SUCCESS; + int delete_consolelock = 0; + const char *username = NULL, *user_prompt; + char *lockfile = NULL; +@@ -605,7 +605,8 @@ + _pam_log(pamh, LOG_ERR, FALSE, + "\"impossible\" fstat error on %s", consolelock); + close(fd); +- err = PAM_SESSION_ERR; goto return_error; ++ err = PAM_SESSION_ERR; ++ goto decrement; + } + consoleuser = _do_malloc(st.st_size+1); + if (st.st_size) { +@@ -614,7 +615,7 @@ + "\"impossible\" read error on %s", consolelock); + err = PAM_SESSION_ERR; + close(fd); +- goto return_error; ++ goto decrement; + } + consoleuser[st.st_size] = '\0'; + } +@@ -627,23 +628,19 @@ + */ + console_run_handlers(pamh, FALSE, username, tty); + } +- } else { +- /* didn't open file */ +- err = PAM_SESSION_ERR; +- goto return_error; + } + } + ++decrement: + count = use_count(pamh, lockfile, -1, 1); + if (count < 1 && delete_consolelock) { + if (unlink(consolelock)) { + _pam_log(pamh, LOG_ERR, FALSE, + "\"impossible\" unlink error on %s", consolelock); +- err = PAM_SESSION_ERR; goto return_error; ++ err = PAM_SESSION_ERR; + } + } + +- err = PAM_SUCCESS; + return_error: + if (lockfile) free(lockfile); + if (consoleuser) free (consoleuser); diff --git a/pam.spec b/pam.spec index 23d95aa..4e50980 100644 --- a/pam.spec +++ b/pam.spec 
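Review bot: With the `else` branch removed, a failed open of the console lock no longer sets `err` or logs anything, so the function now reports `PAM_SUCCESS` on that path without leaving a trace. If that is intended, it should be stated where the branch used to be, e.g. `/* lock not readable: nothing to hand back, but still drop our reference below */`. The `decrement:` label also deserves its reason, since the file header says the per-user file's existence is what marks a user as logged on the console: `/* always drop this session's reference, even after an error above; a leaked count would leave the user marked as on the console */`. The newly reachable `use_count(pamh, lockfile, -1, 1)` call presumably relies on `lockfile` being built before the first `goto decrement`, which this hunk does not show. The function body starts and ends outside the hunk.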
@@ -11,7 +11,7 @@ Summary: A security tool which provides authentication for applications Name: pam Version: 0.99.7.1 -Release: 3%{?dist} +Release: 4%{?dist} License: GPL or BSD Group: System Environment/Base Source0: http://ftp.us.kernel.org/pub/linux/libs/pam/pre/library/Linux-PAM-%{version}.tar.bz2 @@ -26,6 +26,7 @@ Source9: system-auth.5 Source10: config-util.5 Patch1: pam-0.99.7.0-redhat-modules.patch Patch2: pam-0.99.7.1-console-more-displays.patch +Patch3: pam-0.99.7.1-console-decrement.patch Patch21: pam-0.78-unix-hpux-aging.patch Patch22: pam-0.99.7.1-unix-allow-pwmodify.patch Patch23: pam-0.99.7.1-unix-bigcrypt.patch @@ -41,6 +42,7 @@ Patch92: pam-0.99.6.2-selinux-select-context.patch Patch93: pam-0.99.7.0-namespace-level.patch Patch94: pam-0.99.7.0-namespace-unmnt-override.patch Patch95: pam-0.99.6.2-selinux-use-current-range.patch +Patch96: pam-0.99.6.2-namespace-dirnames.patch BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n) Requires: cracklib, cracklib-dicts >= 2.8 @@ -95,6 +97,7 @@ cp %{SOURCE7} . %patch1 -p1 -b .redhat-modules %patch2 -p1 -b .displays +%patch3 -p1 -b .decrement %patch21 -p1 -b .unix-hpux-aging %patch22 -p1 -b .pwmodify %patch23 -p1 -b .bigcrypt @@ -110,6 +113,7 @@ cp %{SOURCE7} . %patch93 -p1 -b .level %patch94 -p1 -b .unmnt-override %patch95 -p1 -b .range +%patch96 -p1 -b .dirnames autoreconf @@ -149,10 +153,6 @@ LDFLAGS=-L${topdir}/%{_lib} ; export LDFLAGS --libdir=/%{_lib} \ --includedir=%{_includedir}/security \ --enable-isadir=../../%{_lib}/security -# we must explicitely update-gmo as we patch a po file -pushd po -make update-gmo -popd make %install 
@@ -402,6 +402,12 @@ fi %doc doc/adg/*.txt doc/adg/html %changelog +* Fri Mar 23 2007 Tomas Mraz 0.99.7.1-4 +- pam_console: always decrement use count (#230823) +- pam_namespace: use raw context for poly dir name (#227345) +- pam_namespace: truncate long poly dir name (append hash) (#230120) +- we don't patch any po files anymore + * Wed Feb 21 2007 Tomas Mraz 0.99.7.1-3 - correctly relabel tty in the default case (#229542) - pam_unix: cleanup of bigcrypt support