- pam_console: always decrement use count (#230823)

- pam_namespace: use raw context for poly dir name (#227345)
- pam_namespace: truncate long poly dir name (append hash) (#230120)
- we don't patch any po files anymore

pam-0.99.6.2-namespace-dirnames.patch

@@ -0,0 +1,206 @@
+--- Linux-PAM-0.99.6.2/modules/pam_namespace/pam_namespace.h.dirnames	2007-02-26 23:31:26.000000000 +0100
++++ Linux-PAM-0.99.6.2/modules/pam_namespace/pam_namespace.h	2007-02-27 00:40:04.000000000 +0100
+@@ -89,6 +89,8 @@
+ #define PAMNS_IGN_INST_PARENT_MODE  0x00008000 /* Ignore instance parent mode */
+ #define PAMNS_NO_UNMOUNT_ON_CLOSE  0x00010000 /* no unmount at session close */
+ 
++#define NAMESPACE_MAX_DIR_LEN 80
++
+ /*
+  * Polyinstantiation method options, based on user, security context
+  * or both
+--- Linux-PAM-0.99.6.2/modules/pam_namespace/pam_namespace.c.dirnames	2007-02-26 23:31:26.000000000 +0100
++++ Linux-PAM-0.99.6.2/modules/pam_namespace/pam_namespace.c	2007-02-27 00:39:51.000000000 +0100
+@@ -436,6 +436,36 @@
+     return 0;
+ }
+ 
++/*
++ * md5hash generates a hash of the passed in instance directory name.
++ */
++static char *md5hash(const char *instname, struct instance_data *idata)
++{
++    int i;
++    char *md5inst = NULL;
++    char *to;
++    unsigned char inst_digest[MD5_DIGEST_LENGTH];
++
++    /*
++     * Create MD5 hashes for instance pathname.
++     */
++
++    MD5((const unsigned char *)instname, strlen(instname), inst_digest);
++
++    if ((md5inst = malloc(MD5_DIGEST_LENGTH * 2 + 1)) == NULL) {
++        pam_syslog(idata->pamh, LOG_ERR, "Unable to allocate buffer");
++        return NULL;
++    }
++
++    to = md5inst;
++    for (i = 0; i < MD5_DIGEST_LENGTH; i++) {
++        snprintf(to, 3, "%02x", (unsigned int)inst_digest[i]);
++        to += 2;
++    }
++
++    return md5inst;
++}
++
+ #ifdef WITH_SELINUX
+ static int form_context(const struct polydir_s *polyptr,
+ 		security_context_t *i_context, security_context_t *origcon,
+@@ -547,12 +577,21 @@
+ #endif
+ {
+     int rc;
++    char *hash = NULL;
++#ifdef WITH_SELINUX
++    security_context_t rawcon = NULL;
++#endif
+ 
+-# ifdef WITH_SELINUX
+-    rc = form_context(polyptr, i_context, origcon, idata);
++    *i_name = NULL;
++#ifdef WITH_SELINUX
++    *i_context = NULL;
++    *origcon = NULL;
++    if ((rc=form_context(polyptr, i_context, origcon, idata)) != PAM_SUCCESS) {
++	return rc;
++    }
+ #endif
+-    rc = PAM_SUCCESS;
+ 
++    rc = PAM_SESSION_ERR;
+     /*
+      * Set the name of the polyinstantiated instance dir based on the
+      * polyinstantiation method.
+@@ -561,16 +600,20 @@
+         case USER:
+ 	    if (asprintf(i_name, "%s", idata->user) < 0) {
+ 		*i_name = NULL;
+-		rc = PAM_SESSION_ERR;
+-	    }
++		goto fail;
++	    }	    
+     	    break;
+ 
+ #ifdef WITH_SELINUX
+     	case LEVEL:
+         case CONTEXT:
+-	    if (asprintf(i_name, "%s_%s", *i_context, idata->user) < 0) {
++	    if (selinux_trans_to_raw_context(*i_context, &rawcon) < 0) {
++		pam_syslog(idata->pamh, LOG_ERR, "Error translating directory context");
++		goto fail;
++	    }    	     
++	    if (asprintf(i_name, "%s_%s", rawcon, idata->user) < 0) {
+ 		*i_name = NULL;
+-		rc = PAM_SESSION_ERR;
++		goto fail;
+ 	    }
+     	    break;
+ 
+@@ -579,12 +622,48 @@
+     	default:
+     	    if (idata->flags & PAMNS_DEBUG)
+     	        pam_syslog(idata->pamh, LOG_ERR, "Unknown method");
+-    	    rc = PAM_SESSION_ERR;
++    	    goto fail;
+     }
+ 
+-    if ((idata->flags & PAMNS_DEBUG) && rc == PAM_SUCCESS)
++    if (idata->flags & PAMNS_DEBUG)
+         pam_syslog(idata->pamh, LOG_DEBUG, "poly_name %s", *i_name);
+ 
++    if ((idata->flags & PAMNS_GEN_HASH) || strlen(*i_name) > NAMESPACE_MAX_DIR_LEN) {
++        hash = md5hash(*i_name, idata);
++        if (hash == NULL) {
++    	    goto fail;
++        }
++        if (idata->flags & PAMNS_GEN_HASH) {
++    	    free(*i_name);
++	    *i_name = hash;
++	    hash = NULL;
++        } else {
++    	    char *newname;
++    	    if (asprintf(&newname, "%.*s_%s", NAMESPACE_MAX_DIR_LEN-1-strlen(hash),
++    		*i_name, hash) < 0) {
++    		goto fail;
++    	    }
++    	    free(*i_name);
++    	    *i_name = newname;
++        }
++    }
++    rc = PAM_SUCCESS;
++    
++fail:
++    free(hash);
++#ifdef WITH_SELINUX
++    freecon(rawcon);
++#endif
++    if (rc != PAM_SUCCESS) {
++#ifdef WITH_SELINUX
++	freecon(*i_context);
++	*i_context = NULL;
++	freecon(*origcon);
++	*origcon = NULL;
++#endif
++	free(*i_name);
++	*i_name = NULL;
++    }
+     return rc;
+ }
+ 
+@@ -832,39 +911,6 @@
+ 
+ 
+ /*
+- * md5hash generates a hash of the passed in instance directory name.
+- */
+-static int md5hash(char **instname, struct instance_data *idata)
+-{
+-    int i;
+-    char *md5inst = NULL;
+-    char *to;
+-    unsigned char inst_digest[MD5_DIGEST_LENGTH];
+-
+-    /*
+-     * Create MD5 hashes for instance pathname.
+-     */
+-
+-    MD5((unsigned char *)*instname, strlen(*instname), inst_digest);
+-
+-    if ((md5inst = malloc(MD5_DIGEST_LENGTH * 2 + 1)) == NULL) {
+-        pam_syslog(idata->pamh, LOG_ERR, "Unable to allocate buffer");
+-        return PAM_SESSION_ERR;
+-    }
+-
+-    to = md5inst;
+-    for (i = 0; i < MD5_DIGEST_LENGTH; i++) {
+-        snprintf(to, 3, "%02x", (unsigned int)inst_digest[i]);
+-        to += 3;
+-    }
+-
+-    free(*instname);
+-    *instname = md5inst;
+-
+-    return PAM_SUCCESS;
+-}
+-
+-/*
+  * This function performs the namespace setup for a particular directory
+  * that is being polyinstantiated. It creates an MD5 hash of instance 
+  * directory, calls create_dirs to create it with appropriate
+@@ -914,14 +960,6 @@
+ #endif
+     }
+ 
+-    if (idata->flags & PAMNS_GEN_HASH) {
+-        retval = md5hash(&instname, idata);
+-        if (retval < 0) {
+-            pam_syslog(idata->pamh, LOG_ERR, "Error generating md5 hash");
+-            goto error_out;
+-        }
+-    }
+-
+     if (asprintf(&inst_dir, "%s%s", polyptr->instance_prefix, instname) < 0)
+ 	goto error_out;
+ 

pam-0.99.7.1-console-decrement.patch

@@ -0,0 +1,65 @@
+--- Linux-PAM-0.99.7.1/modules/pam_console/pam_console.c.decrement	2006-05-10 11:32:40.000000000 +0200
++++ Linux-PAM-0.99.7.1/modules/pam_console/pam_console.c	2007-03-23 11:14:53.000000000 +0100
+@@ -19,7 +19,7 @@
+  *
+  * /var/run/console/<username> is used for reference counting
+  * and to make console authentication easy -- if it exists, then
+- * <username> has console access.
++ * <username> is logged on console.
+  *
+  * A system startup script should remove /var/run/console/console.lock
+  * and everything in /var/run/console/
+@@ -560,7 +560,7 @@
+    */
+     int fd;
+     int count = 0;
+-    int err;
++    int err = PAM_SUCCESS;
+     int delete_consolelock = 0;
+     const char *username = NULL, *user_prompt;
+     char *lockfile = NULL;
+@@ -605,7 +605,8 @@
+ 		_pam_log(pamh, LOG_ERR, FALSE,
+ 			"\"impossible\" fstat error on %s", consolelock);
+ 		close(fd);
+-		err = PAM_SESSION_ERR; goto return_error;
++		err = PAM_SESSION_ERR;
++		goto decrement;
+ 	    }
+ 	    consoleuser = _do_malloc(st.st_size+1);
+ 	    if (st.st_size) {
+@@ -614,7 +615,7 @@
+ 			    "\"impossible\" read error on %s", consolelock);
+ 		    err = PAM_SESSION_ERR; 
+ 		    close(fd);
+-		    goto return_error;
++		    goto decrement;
+ 		}
+ 		consoleuser[st.st_size] = '\0';
+ 	    }
+@@ -627,23 +628,19 @@
+ 		 */
+ 	 	console_run_handlers(pamh, FALSE, username, tty);
+ 	    }
+-	} else {
+-	    /* didn't open file */
+-	    err = PAM_SESSION_ERR; 
+-	    goto return_error;
+ 	}
+     }
+ 
++decrement:
+     count = use_count(pamh, lockfile, -1, 1);
+     if (count < 1 && delete_consolelock) {
+ 	if (unlink(consolelock)) {
+ 	    _pam_log(pamh, LOG_ERR, FALSE,
+ 		     "\"impossible\" unlink error on %s", consolelock);
+-	    err = PAM_SESSION_ERR; goto return_error;
++	    err = PAM_SESSION_ERR;
+ 	}
+     }
+ 
+-    err = PAM_SUCCESS;
+ return_error:
+     if (lockfile) free(lockfile);
+     if (consoleuser) free (consoleuser);

pam.spec

@@ -11,7 +11,7 @@
 Summary: A security tool which provides authentication for applications
 Name: pam
 Version: 0.99.7.1
-Release: 3%{?dist}
+Release: 4%{?dist}
 License: GPL or BSD
 Group: System Environment/Base
 Source0: http://ftp.us.kernel.org/pub/linux/libs/pam/pre/library/Linux-PAM-%{version}.tar.bz2
@@ -26,6 +26,7 @@ Source9: system-auth.5
 Source10: config-util.5
 Patch1:  pam-0.99.7.0-redhat-modules.patch
 Patch2:  pam-0.99.7.1-console-more-displays.patch
+Patch3:  pam-0.99.7.1-console-decrement.patch
 Patch21: pam-0.78-unix-hpux-aging.patch
 Patch22: pam-0.99.7.1-unix-allow-pwmodify.patch
 Patch23: pam-0.99.7.1-unix-bigcrypt.patch
@@ -41,6 +42,7 @@ Patch92: pam-0.99.6.2-selinux-select-context.patch
 Patch93: pam-0.99.7.0-namespace-level.patch
 Patch94: pam-0.99.7.0-namespace-unmnt-override.patch
 Patch95: pam-0.99.6.2-selinux-use-current-range.patch
+Patch96: pam-0.99.6.2-namespace-dirnames.patch
 
 BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n)
 Requires: cracklib, cracklib-dicts >= 2.8
@@ -95,6 +97,7 @@ cp %{SOURCE7} .
 
 %patch1 -p1 -b .redhat-modules
 %patch2 -p1 -b .displays
+%patch3 -p1 -b .decrement
 %patch21 -p1 -b .unix-hpux-aging
 %patch22 -p1 -b .pwmodify
 %patch23 -p1 -b .bigcrypt
@@ -110,6 +113,7 @@ cp %{SOURCE7} .
 %patch93 -p1 -b .level
 %patch94 -p1 -b .unmnt-override
 %patch95 -p1 -b .range
+%patch96 -p1 -b .dirnames
 
 autoreconf
 
@@ -149,10 +153,6 @@ LDFLAGS=-L${topdir}/%{_lib} ; export LDFLAGS
 	--libdir=/%{_lib} \
 	--includedir=%{_includedir}/security \
 	--enable-isadir=../../%{_lib}/security
-# we must explicitely update-gmo as we patch a po file
-pushd po
-make update-gmo
-popd
 make
 
 %install
@@ -402,6 +402,12 @@ fi
 %doc doc/adg/*.txt doc/adg/html
 
 %changelog
+* Fri Mar 23 2007 Tomas Mraz <tmraz@redhat.com> 0.99.7.1-4
+- pam_console: always decrement use count (#230823)
+- pam_namespace: use raw context for poly dir name (#227345)
+- pam_namespace: truncate long poly dir name (append hash) (#230120)
+- we don't patch any po files anymore
+
 * Wed Feb 21 2007 Tomas Mraz <tmraz@redhat.com> 0.99.7.1-3
 - correctly relabel tty in the default case (#229542)
 - pam_unix: cleanup of bigcrypt support