rpms/pam
7
0
Fork 0
Code Issues Pull Requests Releases Activity

- when SELinux enabled always run the helper binary instead of direct

Browse Source 
shadow access (#293181)
This commit is contained in:
Tomáš Mráz 2007-09-18 20:23:57 +00:00
parent 66eb83163f
commit ac8e934c7b
3 changed files with 1460 additions and 1398 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

33
pam-0.99.8.1-unix-blankpass.patch
View File

@ -1,7 +1,7 @@
diff -up Linux-PAM-0.99.8.1/modules/pam_unix/unix_chkpwd.c.blankpass Linux-PAM-0.99.8.1/modules/pam_unix/unix_chkpwd.c diff -up Linux-PAM-0.99.8.1/modules/pam_unix/unix_chkpwd.c.blankpass Linux-PAM-0.99.8.1/modules/pam_unix/unix_chkpwd.c
--- Linux-PAM-0.99.8.1/modules/pam_unix/unix_chkpwd.c.blankpass 2007-08-22 18:45:17.000000000 +0200 --- Linux-PAM-0.99.8.1/modules/pam_unix/unix_chkpwd.c.blankpass 2007-09-18 13:50:40.000000000 +0200
+++ Linux-PAM-0.99.8.1/modules/pam_unix/unix_chkpwd.c 2007-08-24 10:21:54.000000000 +0200 +++ Linux-PAM-0.99.8.1/modules/pam_unix/unix_chkpwd.c 2007-09-18 13:50:40.000000000 +0200
@@ -48,7 +48,7 @@ int main(int argc, char *argv[]) @@ -50,7 +50,7 @@ int main(int argc, char *argv[])
char pass[MAXPASS + 1]; char pass[MAXPASS + 1];
char *option; char *option;
int npass, nullok; int npass, nullok;
@ -10,7 +10,7 @@ diff -up Linux-PAM-0.99.8.1/modules/pam_unix/unix_chkpwd.c.blankpass Linux-PAM-0
int retval = PAM_AUTH_ERR; int retval = PAM_AUTH_ERR;
char *user; char *user;
char *passwords[] = { pass }; char *passwords[] = { pass };
@@ -113,6 +113,10 @@ int main(int argc, char *argv[]) @@ -115,6 +115,10 @@ int main(int argc, char *argv[])
if (npass != 1) { /* is it a valid password? */ if (npass != 1) { /* is it a valid password? */
_log_err(LOG_DEBUG, "no valid password supplied"); _log_err(LOG_DEBUG, "no valid password supplied");
} }
@ -21,7 +21,7 @@ diff -up Linux-PAM-0.99.8.1/modules/pam_unix/unix_chkpwd.c.blankpass Linux-PAM-0
retval = _unix_verify_password(user, pass, nullok); retval = _unix_verify_password(user, pass, nullok);
@@ -120,8 +124,11 @@ int main(int argc, char *argv[]) @@ -122,8 +126,11 @@ int main(int argc, char *argv[])
/* return pass or fail */ /* return pass or fail */
@ -36,11 +36,11 @@ diff -up Linux-PAM-0.99.8.1/modules/pam_unix/unix_chkpwd.c.blankpass Linux-PAM-0
} else { } else {
return PAM_SUCCESS; return PAM_SUCCESS;
diff -up Linux-PAM-0.99.8.1/modules/pam_unix/support.c.blankpass Linux-PAM-0.99.8.1/modules/pam_unix/support.c diff -up Linux-PAM-0.99.8.1/modules/pam_unix/support.c.blankpass Linux-PAM-0.99.8.1/modules/pam_unix/support.c
--- Linux-PAM-0.99.8.1/modules/pam_unix/support.c.blankpass 2007-08-22 18:45:17.000000000 +0200 --- Linux-PAM-0.99.8.1/modules/pam_unix/support.c.blankpass 2007-09-18 13:50:40.000000000 +0200
+++ Linux-PAM-0.99.8.1/modules/pam_unix/support.c 2007-08-24 10:38:09.000000000 +0200 +++ Linux-PAM-0.99.8.1/modules/pam_unix/support.c 2007-09-18 17:56:57.000000000 +0200
@@ -36,6 +36,9 @@ @@ -38,6 +38,9 @@
#define SELINUX_ENABLED 0
#endif const char app_name[]="pam_unix";
+static int _unix_run_helper_binary(pam_handle_t *pamh, const char *passwd, +static int _unix_run_helper_binary(pam_handle_t *pamh, const char *passwd,
+ unsigned int ctrl, const char *user); + unsigned int ctrl, const char *user);
@ -48,18 +48,17 @@ diff -up Linux-PAM-0.99.8.1/modules/pam_unix/support.c.blankpass Linux-PAM-0.99.
/* this is a front-end for module-application conversations */ /* this is a front-end for module-application conversations */
int _make_remark(pam_handle_t * pamh, unsigned int ctrl, int _make_remark(pam_handle_t * pamh, unsigned int ctrl,
@@ -441,6 +444,14 @@ _unix_blankpasswd (pam_handle_t *pamh, u @@ -442,6 +445,13 @@ _unix_blankpasswd (pam_handle_t *pamh, u
* ...and shadow password file entry for this user,
* if shadowing is enabled * if shadowing is enabled
*/ */
spwdent = pam_modutil_getspnam(pamh, name); + if (geteuid() || SELINUX_ENABLED) {
+ if (spwdent == NULL && (geteuid() || SELINUX_ENABLED)) { + /* We do not have direct access to shadow. Run helper. */
+ /* we are not root perhaps this is the reason? Run helper */
+ D(("running helper binary")); + D(("running helper binary"));
+ if (_unix_run_helper_binary(pamh, "", ctrl, name) == PAM_SUCCESS) + if (_unix_run_helper_binary(pamh, "", ctrl, name) == PAM_SUCCESS)
+ return 1; + return 1;
+ else + return 0;
+ return 0;
+ } + }
spwdent = pam_modutil_getspnam(pamh, name);
} }
if (spwdent) if (spwdent)
salt = x_strdup(spwdent->sp_pwdp);

2819
pam-0.99.8.1-unix-update-helper.patch
View File

File diff suppressed because it is too large Load Diff

6
pam.spec
View File

@ -11,7 +11,7 @@
Summary: A security tool which provides authentication for applications Summary: A security tool which provides authentication for applications
Name: pam Name: pam
Version: 0.99.8.1 Version: 0.99.8.1
Release: 6%{?dist} Release: 7%{?dist}
# The library is BSD licensed with option to relicense as GPLv2+ - this option is redundant # The library is BSD licensed with option to relicense as GPLv2+ - this option is redundant
# as the BSD license allows that anyway. pam_timestamp and pam_console modules are GPLv2+, # as the BSD license allows that anyway. pam_timestamp and pam_console modules are GPLv2+,
# pam_rhosts_auth module is BSD with advertising # pam_rhosts_auth module is BSD with advertising
@ -397,6 +397,10 @@ fi
%doc doc/adg/*.txt doc/adg/html %doc doc/adg/*.txt doc/adg/html
%changelog %changelog
* Tue Sep 18 2007 Tomas Mraz <tmraz@redhat.com> 0.99.8.1-7
- when SELinux enabled always run the helper binary instead of
direct shadow access (#293181)
* Fri Aug 24 2007 Tomas Mraz <tmraz@redhat.com> 0.99.8.1-6 * Fri Aug 24 2007 Tomas Mraz <tmraz@redhat.com> 0.99.8.1-6
- do not ask for blank password when SELinux confined (#254044) - do not ask for blank password when SELinux confined (#254044)
- initialize homedirs in namespace init script (original patch by dwalsh) - initialize homedirs in namespace init script (original patch by dwalsh)