From a4d4d782814572c5569dffaa98b65ec13ac12031 Mon Sep 17 00:00:00 2001
From: Tomas Mraz
Date: Fri, 5 Nov 2010 19:03:35 +0100
Subject: [PATCH] - fix a mistake in the abstract X-socket connect - make pam_faillock work with screensaver
---
 pam-1.1.3-console-abstract.patch | 2 +-
 pam-1.1.3-faillock-screensaver.patch | 165 +++++++++++++++++++++++++++
 pam.spec | 8 +-
 3 files changed, 173 insertions(+), 2 deletions(-)
 create mode 100644 pam-1.1.3-faillock-screensaver.patch
diff --git a/pam-1.1.3-console-abstract.patch b/pam-1.1.3-console-abstract.patch
index ed14ddd..283edc5 100644
--- a/pam-1.1.3-console-abstract.patch
+++ b/pam-1.1.3-console-abstract.patch
@@ -31,7 +31,7 @@ diff -up Linux-PAM-1.1.3/modules/pam_console/pam_console.c.abstract Linux-PAM-1.
 + if (len > sizeof(addr.su.sun_path))
 + return 0;
 + memcpy(addr.su.sun_path, path, len);
-+ if (connect(fd, &addr.sa, sizeof(addr.su)) == 0) {
++ if (connect(fd, &addr.sa, sizeof(addr.su) - (sizeof(addr.su.sun_path) - len)) == 0) {
 + close(fd);
 + return 1;
 + }
diff --git a/pam-1.1.3-faillock-screensaver.patch b/pam-1.1.3-faillock-screensaver.patch
new file mode 100644
index 0000000..1b56a90
--- /dev/null
+++ b/pam-1.1.3-faillock-screensaver.patch
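Review bot: The corrected length on the `++ if (connect(` line is the right value for an abstract name (the kernel treats the bytes after the family field as the name, so the old `sizeof(addr.su)` handed it the trailing zero padding as part of the name), but the nested subtraction reads as arithmetic rather than intent; assuming `addr.su` is a `struct sockaddr_un`, `offsetof(struct sockaddr_un, sun_path) + len` states the same value directly and needs only `<stddef.h>`. The guard above it permits `len == sizeof(addr.su.sun_path)`, which is acceptable only because an abstract name needs no terminating NUL — a one-line comment such as `/* abstract name: length is explicit, no NUL terminator */` would keep a later filesystem-path caller from inheriting that limit. How `len` and `path` are derived lies outside the hunk, as does the rest of the enclosing function.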
@@ -0,0 +1,165 @@
+diff -up Linux-PAM-1.1.3/modules/pam_faillock/faillock.c.screensaver Linux-PAM-1.1.3/modules/pam_faillock/faillock.c
+--- Linux-PAM-1.1.3/modules/pam_faillock/faillock.c.screensaver 2010-11-05 18:13:28.000000000 +0100
++++ Linux-PAM-1.1.3/modules/pam_faillock/faillock.c 2010-11-05 18:13:28.000000000 +0100
+@@ -41,13 +41,14 @@
+ #include
+ #include
+ #include
++#include
+ #include
+ #include
+ 
+ #include "faillock.h"
+ 
+ int
+-open_tally (const char *dir, const char *user, int create)
++open_tally (const char *dir, const char *user, uid_t uid, int create)
+ {
+ char *path;
+ int flags = O_RDWR;
+@@ -69,8 +70,16 @@ open_tally (const char *dir, const char
+ 
+ fd = open(path, flags, 0600);
+ 
+- if (fd != -1)
++ if (fd != -1) {
++ struct stat st;
++ 
+ while (flock(fd, LOCK_EX) == -1 && errno == EINTR);
++ if (fstat(fd, &st) == 0) {
++ if (st.st_uid != uid) {
++ fchown(fd, uid, -1);
++ }
++ }
++ }
+ 
+ return fd;
+ }
+diff -up Linux-PAM-1.1.3/modules/pam_faillock/faillock.h.screensaver Linux-PAM-1.1.3/modules/pam_faillock/faillock.h
+--- Linux-PAM-1.1.3/modules/pam_faillock/faillock.h.screensaver 2010-11-05 18:13:28.000000000 +0100
++++ Linux-PAM-1.1.3/modules/pam_faillock/faillock.h 2010-11-05 18:27:23.000000000 +0100
+@@ -45,6 +45,7 @@
+ #define _FAILLOCK_H
+ 
+ #include
++#include
+ 
+ #define TALLY_STATUS_VALID 0x1 /* the tally file entry is valid */
+ #define TALLY_STATUS_RHOST 0x2 /* the source is rhost */
+@@ -65,7 +66,7 @@ struct tally_data {
+ 
+ #define FAILLOCK_DEFAULT_TALLYDIR "/var/run/faillock"
+ 
+-int open_tally(const char *dir, const char *user, int create);
++int open_tally(const char *dir, const char *user, uid_t uid, int create);
+ int read_tally(int fd, struct tally_data *tallies);
+ int update_tally(int fd, struct tally_data *tallies);
+ #endif
+diff -up Linux-PAM-1.1.3/modules/pam_faillock/main.c.screensaver Linux-PAM-1.1.3/modules/pam_faillock/main.c
+--- Linux-PAM-1.1.3/modules/pam_faillock/main.c.screensaver 2010-11-05 
18:13:28.000000000 +0100
++++ Linux-PAM-1.1.3/modules/pam_faillock/main.c 2010-11-05 18:13:28.000000000 +0100
+@@ -106,8 +106,11 @@ do_user(struct options *opts, const char
+ int fd;
+ int rv;
+ struct tally_data tallies;
++ struct passwd *pwd;
+ 
+- fd = open_tally(opts->dir, user, 0);
++ pwd = getpwnam(user);
++ 
++ fd = open_tally(opts->dir, user, pwd != NULL ? pwd->pw_uid : 0, 0);
+ 
+ if (fd == -1) {
+ if (errno == ENOENT) {
+@@ -134,9 +137,8 @@ do_user(struct options *opts, const char
+ #ifdef HAVE_LIBAUDIT
+ }
+ if ((audit_fd=audit_open()) >= 0) {
+- struct passwd *pwd;
+ 
+- if ((pwd=getpwnam(user)) != NULL) {
++ if (pwd != NULL) {
+ snprintf(buf, sizeof(buf), "faillock reset uid=%u",
+ pwd->pw_uid);
+ audit_log_user_message(audit_fd, AUDIT_USER_ACCT,
+diff -up Linux-PAM-1.1.3/modules/pam_faillock/pam_faillock.c.screensaver Linux-PAM-1.1.3/modules/pam_faillock/pam_faillock.c
+--- Linux-PAM-1.1.3/modules/pam_faillock/pam_faillock.c.screensaver 2010-11-05 18:13:28.000000000 +0100
++++ Linux-PAM-1.1.3/modules/pam_faillock/pam_faillock.c 2010-11-05 18:13:28.000000000 +0100
+@@ -213,7 +213,7 @@ check_tally(pam_handle_t *pamh, struct o
+ 
+ opts->now = time(NULL);
+ 
+- tfd = open_tally(opts->dir, opts->user, 0);
++ tfd = open_tally(opts->dir, opts->user, opts->uid, 0);
+ 
+ *fd = tfd;
+ 
+@@ -289,9 +289,14 @@ reset_tally(pam_handle_t *pamh, struct o
+ {
+ int rv;
+ 
+- while ((rv=ftruncate(*fd, 0)) == -1 && errno == EINTR);
+- if (rv == -1) {
+- pam_syslog(pamh, LOG_ERR, "Error clearing the tally file for %s: %m", opts->user);
++ if (*fd == -1) {
++ *fd = open_tally(opts->dir, opts->user, opts->uid, 1);
++ }
++ else {
++ while ((rv=ftruncate(*fd, 0)) == -1 && errno == EINTR);
++ if (rv == -1) {
++ pam_syslog(pamh, LOG_ERR, "Error clearing the tally file for %s: %m", opts->user);
++ }
+ }
+ }
+ 
+@@ -306,7 +311,7 @@ write_tally(pam_handle_t *pamh, struct o
+ const void *source = NULL;
+ 
+ if (*fd == -1) {
+- *fd = open_tally(opts->dir, opts->user, 1);
++ *fd = 
open_tally(opts->dir, opts->user, opts->uid, 1);
+ }
+ if (*fd == -1) {
+ if (errno == EACCES) {
+@@ -461,7 +466,7 @@ pam_sm_authenticate(pam_handle_t *pamh,
+ 
+ case FAILLOCK_ACTION_AUTHSUCC:
+ rv = check_tally(pamh, &opts, &tallies, &fd);
+- if (rv == PAM_SUCCESS && fd != -1) {
++ if (rv == PAM_SUCCESS) {
+ reset_tally(pamh, &opts, &fd);
+ }
+ break;
+@@ -509,10 +514,8 @@ pam_sm_acct_mgmt(pam_handle_t *pamh, int
+ return rv;
+ }
+ 
+- check_tally(pamh, &opts, &tallies, &fd);
+- if (fd != -1) {
+- reset_tally(pamh, &opts, &fd);
+- }
++ check_tally(pamh, &opts, &tallies, &fd); /* for auditing */
++ reset_tally(pamh, &opts, &fd);
+ 
+ tally_cleanup(&tallies, fd);
+ 
+diff -up Linux-PAM-1.1.3/modules/pam_faillock/pam_faillock.8.xml.screensaver Linux-PAM-1.1.3/modules/pam_faillock/pam_faillock.8.xml
+--- Linux-PAM-1.1.3/modules/pam_faillock/pam_faillock.8.xml.screensaver 2010-11-05 18:13:28.000000000 +0100
++++ Linux-PAM-1.1.3/modules/pam_faillock/pam_faillock.8.xml 2010-11-05 18:13:28.000000000 +0100
+@@ -277,13 +277,9 @@
+ from the pam_tally2 module setup.
+ 
+ 
+- There is no setuid wrapper for access to the data file such as when the
+- pam_faillock.so module is called from
+- a screensaver. As this would make it impossible to share PAM configuration
+- with such services the following workaround is used: If the data file
+- cannot be opened because of insufficient permissions
+- (EACCES) the module returns
+- PAM_SUCCESS.
++ The individual files with the failure records are created as owned by
++ the user. This allows pam_faillock.so module
++ to work correctly when it is called from a screensaver.
+ 
+ 
+ 
diff --git a/pam.spec b/pam.spec
index 6e989b0..d4f32fa 100644
--- a/pam.spec
+++ b/pam.spec
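Review bot: The `fchown(fd, uid, -1)` added to `open_tally` in faillock.c discards its result and a failing `fstat` is skipped silently, so a record that could not be handed over keeps its previous owner and the only later symptom is likely the `EACCES` branch that remains as context in `write_tally`; at minimum state the intent next to the call, e.g. `/* best effort: give the record to the user so an unprivileged caller (screensaver) can update it; EPERM is expected when not root */`. That same `fchown`, on a file the line above creates with mode 0600, is what makes the tally writable by the account it counts — any process running as that user can truncate or rewrite its own record — which the man-page hunk describes only as "owned by the user"; recording the trade-off in the code keeps it from being "fixed" later. In `do_user` (main.c) an unknown user is mapped to uid 0, so a stale record for a removed account could be chowned to root; `fd = open_tally(opts->dir, user, pwd != NULL ? pwd->pw_uid : (uid_t)-1, 0);` leaves ownership alone, since `fchown` treats -1 as "do not change". `reset_tally`'s new `open_tally(..., 1)` branch also drops a -1 return without the `pam_syslog` the `ftruncate` branch gets. Every enclosing function in these inner hunks starts or ends outside the hunk.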
@@ -3,7 +3,7 @@ Summary: An extensible library which provides authentication for applications Name: pam Version: 1.1.3 -Release: 1%{?dist} +Release: 2%{?dist} # The library is BSD licensed with option to relicense as GPLv2+ - this option is redundant # as the BSD license allows that anyway. pam_timestamp and pam_console modules are GPLv2+, License: BSD and GPLv2+ @@ -30,6 +30,7 @@ Patch8: pam-1.1.1-faillock.patch Patch9: pam-1.1.2-noflex.patch Patch10: pam-1.1.3-nouserenv.patch Patch11: pam-1.1.3-console-abstract.patch +Patch12: pam-1.1.3-faillock-screensaver.patch %define _sbindir /sbin %define _moduledir /%{_lib}/security @@ -99,6 +100,7 @@ mv pam-redhat-%{pam_redhat_version}/* modules %patch9 -p1 -b .noflex %patch10 -p1 -b .nouserenv %patch11 -p1 -b .abstract +%patch12 -p1 -b .screensaver libtoolize -f autoreconf @@ -343,6 +345,10 @@ fi %doc doc/adg/*.txt doc/adg/html %changelog +* Fri Nov 5 2010 Tomas Mraz 1.1.3-2 +- fix a mistake in the abstract X-socket connect +- make pam_faillock work with screensaver + * Mon Nov 1 2010 Tomas Mraz 1.1.3-1 - upgrade to new upstream release fixing CVE-2010-3316 CVE-2010-3435 CVE-2010-3853