rpms
/
pam
7
0
Fork 0
Code Issues Pull Requests Releases Activity

- add config for autocreation of subdirectories in /var/run (#656655) 

- automatically enable kernel console in pam_securetty
This commit is contained in:
Tomas Mraz 2010-11-25 18:14:01 +01:00
parent fdfa166654
commit a526ddfed4
3 changed files with 135 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

120
pam-1.1.3-securetty-console.patch Normal file
View File

@ -0,0 +1,120 @@
Index: modules/pam_securetty/pam_securetty.8.xml
===================================================================
RCS file: /cvsroot/pam/Linux-PAM/modules/pam_securetty/pam_securetty.8.xml,v
retrieving revision 1.4
retrieving revision 1.6
diff -u -p -r1.4 -r1.6
--- modules/pam_securetty/pam_securetty.8.xml 18 Aug 2008 13:29:25 -0000 1.4
+++ modules/pam_securetty/pam_securetty.8.xml 25 Nov 2010 16:58:59 -0000 1.6
@@ -33,7 +33,9 @@
user is logging in on a "secure" tty, as defined by the listing
in <filename>/etc/securetty</filename>. pam_securetty also checks
to make sure that <filename>/etc/securetty</filename> is a plain
- file and not world writable.
+ file and not world writable. It will also allow root logins on
+ the tty specified with <option>console=</option> switch on the
+ kernel command line.
</para>
<para>
This module has no effect on non-root users and requires that the
@@ -61,6 +63,18 @@
</para>
</listitem>
</varlistentry>
+ <varlistentry>
+ <term>
+ <option>noconsole</option>
+ </term>
+ <listitem>
+ <para>
+ Do not automatically allow root logins on the kernel console
+ device, as specified on the kernel command line, if it is
+ not also specified in the <filename>/etc/securetty</filename> file.
+ </para>
+ </listitem>
+ </varlistentry>
</variablelist>
</refsect1>
Index: modules/pam_securetty/pam_securetty.c
===================================================================
RCS file: /cvsroot/pam/Linux-PAM/modules/pam_securetty/pam_securetty.c,v
retrieving revision 1.14
retrieving revision 1.15
diff -u -p -r1.14 -r1.15
--- modules/pam_securetty/pam_securetty.c 10 Sep 2009 10:19:58 -0000 1.14
+++ modules/pam_securetty/pam_securetty.c 24 Nov 2010 12:28:01 -0000 1.15
@@ -2,6 +2,7 @@
#define SECURETTY_FILE "/etc/securetty"
#define TTY_PREFIX "/dev/"
+#define CMDLINE_FILE "/proc/cmdline"
/*
* by Elliot Lee <sopwith@redhat.com>, Red Hat Software.
@@ -22,6 +23,7 @@
#include <pwd.h>
#include <string.h>
#include <ctype.h>
+#include <limits.h>
/*
* here, we make a definition for the externally accessible function
@@ -38,6 +40,7 @@
#include <security/pam_ext.h>
#define PAM_DEBUG_ARG 0x0001
+#define PAM_NOCONSOLE_ARG 0x0002
static int
_pam_parse (const pam_handle_t *pamh, int argc, const char **argv)
@@ -51,6 +54,8 @@ _pam_parse (const pam_handle_t *pamh, in
if (!strcmp(*argv,"debug"))
ctrl |= PAM_DEBUG_ARG;
+ else if (!strcmp(*argv, "noconsole"))
+ ctrl |= PAM_NOCONSOLE_ARG;
else {
pam_syslog(pamh, LOG_ERR, "unknown option: %s", *argv);
}
@@ -144,6 +149,40 @@ securetty_perform_check (pam_handle_t *p
}
fclose(ttyfile);
+ if (retval && !(ctrl & PAM_NOCONSOLE_ARG)) {
+ FILE *cmdlinefile;
+
+ /* Allow access from the kernel console, if enabled */
+ cmdlinefile = fopen(CMDLINE_FILE, "r");
+
+ if (cmdlinefile != NULL) {
+ char line[LINE_MAX], *p;
+
+ line[0] = 0;
+ fgets(line, sizeof(line), cmdlinefile);
+ fclose(cmdlinefile);
+
+ for (p = line; p; p = strstr(p+1, "console=")) {
+ char *e;
+
+ /* Test whether this is a beginning of a word? */
+ if (p > line && p[-1] != ' ')
+ continue;
+
+ /* Ist this our console? */
+ if (strncmp(p + 8, uttyname, strlen(uttyname)))
+ continue;
+
+ /* Is there any garbage after the TTY name? */
+ e = p + 8 + strlen(uttyname);
+ if (*e == ',' || *e == ' ' || *e == '\n' || *e == 0) {
+ retval = 0;
+ break;
+ }
+ }
+ }
+ }
+
if (retval) {
pam_syslog(pamh, LOG_WARNING, "access denied: tty '%s' is not secure !",
uttyname);

13
pam.spec
View File

@ -3,7 +3,7 @@
Summary: An extensible library which provides authentication for applications
Name: pam
Version: 1.1.3
Release: 4%{?dist}
Release: 5%{?dist}
# The library is BSD licensed with option to relicense as GPLv2+ - this option is redundant
# as the BSD license allows that anyway. pam_timestamp and pam_console modules are GPLv2+,
License: BSD and GPLv2+
@ -21,6 +21,7 @@ Source11: dlopen.sh
Source12: system-auth.5
Source13: config-util.5
Source14: 90-nproc.conf
Source15: pamtmp.conf
Patch1: pam-1.0.90-redhat-modules.patch
Patch2: pam-1.0.91-std-noclose.patch
Patch4: pam-1.1.0-console-nochmod.patch
@ -31,6 +32,7 @@ Patch9: pam-1.1.2-noflex.patch
Patch10: pam-1.1.3-nouserenv.patch
Patch11: pam-1.1.3-console-abstract.patch
Patch12: pam-1.1.3-faillock-screensaver.patch
Patch13: pam-1.1.3-securetty-console.patch
%define _sbindir /sbin
%define _moduledir /%{_lib}/security
@ -101,6 +103,7 @@ mv pam-redhat-%{pam_redhat_version}/* modules
%patch10 -p1 -b .nouserenv
%patch11 -p1 -b .abstract
%patch12 -p1 -b .screensaver
%patch13 -p0 -b .console
libtoolize -f
autoreconf
@ -180,6 +183,9 @@ rm -fr $RPM_BUILD_ROOT/usr/share/doc/pam
# Create /lib/security in case it isn't the same as %{_moduledir}.
install -m755 -d $RPM_BUILD_ROOT/lib/security
# Install the file for autocreation of /var/run subdirectories on boot
install -m644 -D %{SOURCE15} $RPM_BUILD_ROOT%{_sysconfdir}/tmpfiles.d/pamtmp.conf
%find_lang Linux-PAM
%check
@ -331,6 +337,7 @@ fi
%endif
%ghost %verify(not md5 size mtime) /var/log/tallylog
%dir /var/run/faillock
%config(noreplace) %{_sysconfdir}/tmpfiles.d/pamtmp.conf
%{_mandir}/man5/*
%{_mandir}/man8/*
@ -345,6 +352,10 @@ fi
%doc doc/adg/*.txt doc/adg/html
%changelog
* Thu Nov 25 2010 Tomas Mraz <tmraz@redhat.com> 1.1.3-5
- add config for autocreation of subdirectories in /var/run (#656655)
- automatically enable kernel console in pam_securetty
* Wed Nov 10 2010 Tomas Mraz <tmraz@redhat.com> 1.1.3-4
- fix memory leak in pam_faillock

3
pamtmp.conf Normal file
View File

@ -0,0 +1,3 @@
d /var/run/console 0755 root root -
d /var/run/faillock 0755 root root -
d /var/run/sepermit 0755 root root -