diff --git a/pam-1.1.1-faillock.patch b/pam-1.1.1-faillock.patch index eaee896..5f4bfc6 100644 --- a/pam-1.1.1-faillock.patch +++ b/pam-1.1.1-faillock.patch @@ -1,6 +1,6 @@ diff -up Linux-PAM-1.1.1/configure.in.faillock Linux-PAM-1.1.1/configure.in ---- Linux-PAM-1.1.1/configure.in.faillock 2010-09-17 15:58:41.000000000 +0200 -+++ Linux-PAM-1.1.1/configure.in 2010-09-17 15:58:41.000000000 +0200 +--- Linux-PAM-1.1.1/configure.in.faillock 2010-10-20 15:46:34.000000000 +0200 ++++ Linux-PAM-1.1.1/configure.in 2011-01-25 18:24:43.000000000 +0100 @@ -539,7 +539,7 @@ AC_CONFIG_FILES([Makefile libpam/Makefil modules/pam_access/Makefile modules/pam_cracklib/Makefile \ modules/pam_debug/Makefile modules/pam_deny/Makefile \ @@ -11,8 +11,8 @@ diff -up Linux-PAM-1.1.1/configure.in.faillock Linux-PAM-1.1.1/configure.in modules/pam_ftp/Makefile modules/pam_group/Makefile \ modules/pam_issue/Makefile modules/pam_keyinit/Makefile \ diff -up Linux-PAM-1.1.1/doc/sag/pam_faillock.xml.faillock Linux-PAM-1.1.1/doc/sag/pam_faillock.xml ---- Linux-PAM-1.1.1/doc/sag/pam_faillock.xml.faillock 2010-09-17 16:05:56.000000000 +0200 -+++ Linux-PAM-1.1.1/doc/sag/pam_faillock.xml 2010-09-17 16:08:26.000000000 +0200 +--- Linux-PAM-1.1.1/doc/sag/pam_faillock.xml.faillock 2011-01-25 18:24:43.000000000 +0100 ++++ Linux-PAM-1.1.1/doc/sag/pam_faillock.xml 2011-01-25 18:24:43.000000000 +0100 @@ -0,0 +1,38 @@ + + + diff -up Linux-PAM-1.1.1/modules/Makefile.am.faillock Linux-PAM-1.1.1/modules/Makefile.am ---- Linux-PAM-1.1.1/modules/Makefile.am.faillock 2010-09-17 15:58:41.000000000 +0200 -+++ Linux-PAM-1.1.1/modules/Makefile.am 2010-09-17 15:58:41.000000000 +0200 +--- Linux-PAM-1.1.1/modules/Makefile.am.faillock 2010-10-20 15:46:34.000000000 +0200 ++++ Linux-PAM-1.1.1/modules/Makefile.am 2011-01-25 18:24:43.000000000 +0100 @@ -3,7 +3,7 @@ # @@ -65,9 +65,9 @@ diff -up Linux-PAM-1.1.1/modules/Makefile.am.faillock Linux-PAM-1.1.1/modules/Ma pam_group pam_issue pam_keyinit pam_lastlog pam_limits \ pam_listfile pam_localuser pam_loginuid pam_mail \ diff -up Linux-PAM-1.1.1/modules/pam_faillock/faillock.c.faillock Linux-PAM-1.1.1/modules/pam_faillock/faillock.c ---- Linux-PAM-1.1.1/modules/pam_faillock/faillock.c.faillock 2010-09-17 15:58:41.000000000 +0200 -+++ Linux-PAM-1.1.1/modules/pam_faillock/faillock.c 2010-09-17 15:58:41.000000000 +0200 -@@ -0,0 +1,147 @@ +--- Linux-PAM-1.1.1/modules/pam_faillock/faillock.c.faillock 2011-01-25 18:24:43.000000000 +0100 ++++ Linux-PAM-1.1.1/modules/pam_faillock/faillock.c 2011-01-25 18:24:56.000000000 +0100 +@@ -0,0 +1,158 @@ +/* + * Copyright (c) 2010 Tomas Mraz + * @@ -111,13 +111,14 @@ diff -up Linux-PAM-1.1.1/modules/pam_faillock/faillock.c.faillock Linux-PAM-1.1. +#include +#include +#include ++#include +#include +#include + +#include "faillock.h" + +int -+open_tally (const char *dir, const char *user, int create) ++open_tally (const char *dir, const char *user, uid_t uid, int create) +{ + char *path; + int flags = O_RDWR; @@ -144,8 +145,18 @@ diff -up Linux-PAM-1.1.1/modules/pam_faillock/faillock.c.faillock Linux-PAM-1.1. + + fd = open(path, flags, 0600); + -+ if (fd != -1) ++ free(path); ++ ++ if (fd != -1) { ++ struct stat st; ++ + while (flock(fd, LOCK_EX) == -1 && errno == EINTR); ++ if (fstat(fd, &st) == 0) { ++ if (st.st_uid != uid) { ++ fchown(fd, uid, -1); ++ } ++ } ++ } + + return fd; +} @@ -216,9 +227,9 @@ diff -up Linux-PAM-1.1.1/modules/pam_faillock/faillock.c.faillock Linux-PAM-1.1. + return 0; +} diff -up Linux-PAM-1.1.1/modules/pam_faillock/faillock.h.faillock Linux-PAM-1.1.1/modules/pam_faillock/faillock.h ---- Linux-PAM-1.1.1/modules/pam_faillock/faillock.h.faillock 2010-09-17 15:58:41.000000000 +0200 -+++ Linux-PAM-1.1.1/modules/pam_faillock/faillock.h 2010-09-17 15:58:41.000000000 +0200 -@@ -0,0 +1,72 @@ +--- Linux-PAM-1.1.1/modules/pam_faillock/faillock.h.faillock 2011-01-25 18:24:43.000000000 +0100 ++++ Linux-PAM-1.1.1/modules/pam_faillock/faillock.h 2011-01-25 18:24:56.000000000 +0100 +@@ -0,0 +1,73 @@ +/* + * Copyright (c) 2010 Tomas Mraz + * @@ -266,6 +277,7 @@ diff -up Linux-PAM-1.1.1/modules/pam_faillock/faillock.h.faillock Linux-PAM-1.1. +#define _FAILLOCK_H + +#include ++#include + +#define TALLY_STATUS_VALID 0x1 /* the tally file entry is valid */ +#define TALLY_STATUS_RHOST 0x2 /* the source is rhost */ @@ -286,14 +298,14 @@ diff -up Linux-PAM-1.1.1/modules/pam_faillock/faillock.h.faillock Linux-PAM-1.1. + +#define FAILLOCK_DEFAULT_TALLYDIR "/var/run/faillock" + -+int open_tally(const char *dir, const char *user, int create); ++int open_tally(const char *dir, const char *user, uid_t uid, int create); +int read_tally(int fd, struct tally_data *tallies); +int update_tally(int fd, struct tally_data *tallies); +#endif + diff -up Linux-PAM-1.1.1/modules/pam_faillock/faillock.8.xml.faillock Linux-PAM-1.1.1/modules/pam_faillock/faillock.8.xml ---- Linux-PAM-1.1.1/modules/pam_faillock/faillock.8.xml.faillock 2010-09-17 15:58:41.000000000 +0200 -+++ Linux-PAM-1.1.1/modules/pam_faillock/faillock.8.xml 2010-09-17 15:58:41.000000000 +0200 +--- Linux-PAM-1.1.1/modules/pam_faillock/faillock.8.xml.faillock 2011-01-25 18:24:43.000000000 +0100 ++++ Linux-PAM-1.1.1/modules/pam_faillock/faillock.8.xml 2011-01-25 18:24:43.000000000 +0100 @@ -0,0 +1,123 @@ + + diff -up Linux-PAM-1.1.1/modules/pam_faillock/main.c.faillock Linux-PAM-1.1.1/modules/pam_faillock/main.c ---- Linux-PAM-1.1.1/modules/pam_faillock/main.c.faillock 2010-09-17 15:58:41.000000000 +0200 -+++ Linux-PAM-1.1.1/modules/pam_faillock/main.c 2010-09-17 15:58:41.000000000 +0200 -@@ -0,0 +1,233 @@ +--- Linux-PAM-1.1.1/modules/pam_faillock/main.c.faillock 2011-01-25 18:24:43.000000000 +0100 ++++ Linux-PAM-1.1.1/modules/pam_faillock/main.c 2011-01-25 18:24:56.000000000 +0100 +@@ -0,0 +1,235 @@ +/* + * Copyright (c) 2010 Tomas Mraz + * @@ -532,8 +544,11 @@ diff -up Linux-PAM-1.1.1/modules/pam_faillock/main.c.faillock Linux-PAM-1.1.1/mo + int fd; + int rv; + struct tally_data tallies; ++ struct passwd *pwd; + -+ fd = open_tally(opts->dir, user, 0); ++ pwd = getpwnam(user); ++ ++ fd = open_tally(opts->dir, user, pwd != NULL ? pwd->pw_uid : 0, 0); + + if (fd == -1) { + if (errno == ENOENT) { @@ -560,9 +575,8 @@ diff -up Linux-PAM-1.1.1/modules/pam_faillock/main.c.faillock Linux-PAM-1.1.1/mo +#ifdef HAVE_LIBAUDIT + } + if ((audit_fd=audit_open()) >= 0) { -+ struct passwd *pwd; + -+ if ((pwd=getpwnam(user)) != NULL) { ++ if (pwd != NULL) { + snprintf(buf, sizeof(buf), "faillock reset uid=%u", + pwd->pw_uid); + audit_log_user_message(audit_fd, AUDIT_USER_ACCT, @@ -656,8 +670,8 @@ diff -up Linux-PAM-1.1.1/modules/pam_faillock/main.c.faillock Linux-PAM-1.1.1/mo +} + diff -up Linux-PAM-1.1.1/modules/pam_faillock/Makefile.am.faillock Linux-PAM-1.1.1/modules/pam_faillock/Makefile.am ---- Linux-PAM-1.1.1/modules/pam_faillock/Makefile.am.faillock 2010-09-17 15:58:41.000000000 +0200 -+++ Linux-PAM-1.1.1/modules/pam_faillock/Makefile.am 2010-09-17 15:58:41.000000000 +0200 +--- Linux-PAM-1.1.1/modules/pam_faillock/Makefile.am.faillock 2011-01-25 18:24:43.000000000 +0100 ++++ Linux-PAM-1.1.1/modules/pam_faillock/Makefile.am 2011-01-25 18:24:43.000000000 +0100 @@ -0,0 +1,43 @@ +# +# Copyright (c) 2005, 2006, 2007, 2009 Thorsten Kukuk @@ -703,9 +717,9 @@ diff -up Linux-PAM-1.1.1/modules/pam_faillock/Makefile.am.faillock Linux-PAM-1.1 +-include $(top_srcdir)/Make.xml.rules +endif diff -up Linux-PAM-1.1.1/modules/pam_faillock/pam_faillock.c.faillock Linux-PAM-1.1.1/modules/pam_faillock/pam_faillock.c ---- Linux-PAM-1.1.1/modules/pam_faillock/pam_faillock.c.faillock 2010-09-17 15:58:41.000000000 +0200 -+++ Linux-PAM-1.1.1/modules/pam_faillock/pam_faillock.c 2010-09-17 15:58:41.000000000 +0200 -@@ -0,0 +1,550 @@ +--- Linux-PAM-1.1.1/modules/pam_faillock/pam_faillock.c.faillock 2011-01-25 18:24:43.000000000 +0100 ++++ Linux-PAM-1.1.1/modules/pam_faillock/pam_faillock.c 2011-01-25 18:24:56.000000000 +0100 +@@ -0,0 +1,556 @@ +/* + * Copyright (c) 2010 Tomas Mraz + * @@ -921,7 +935,7 @@ diff -up Linux-PAM-1.1.1/modules/pam_faillock/pam_faillock.c.faillock Linux-PAM- + + opts->now = time(NULL); + -+ tfd = open_tally(opts->dir, opts->user, 0); ++ tfd = open_tally(opts->dir, opts->user, opts->uid, 0); + + *fd = tfd; + @@ -972,6 +986,7 @@ diff -up Linux-PAM-1.1.1/modules/pam_faillock/pam_faillock.c.faillock Linux-PAM- + if (opts->action != FAILLOCK_ACTION_PREAUTH) { /* do not audit in preauth */ + char buf[64]; + int audit_fd; ++ const void *rhost = NULL, *tty = NULL; + + audit_fd = audit_open(); + /* If there is an error & audit support is in the kernel report error */ @@ -979,9 +994,11 @@ diff -up Linux-PAM-1.1.1/modules/pam_faillock/pam_faillock.c.faillock Linux-PAM- + errno == EAFNOSUPPORT)) + return PAM_SYSTEM_ERR; + ++ (void)pam_get_item(pamh, PAM_TTY, &tty); ++ (void)pam_get_item(pamh, PAM_RHOST, &rhost); + snprintf(buf, sizeof(buf), "pam_faillock uid=%u ", opts->uid); + audit_log_user_message(audit_fd, AUDIT_RESP_ACCT_UNLOCK_TIMED, buf, -+ NULL, NULL, NULL, 1); ++ rhost, NULL, tty, 1); + } +#endif + opts->flags |= FAILLOCK_FLAG_UNLOCKED; @@ -997,9 +1014,14 @@ diff -up Linux-PAM-1.1.1/modules/pam_faillock/pam_faillock.c.faillock Linux-PAM- +{ + int rv; + -+ while ((rv=ftruncate(*fd, 0)) == -1 && errno == EINTR); -+ if (rv == -1) { -+ pam_syslog(pamh, LOG_ERR, "Error clearing the tally file for %s: %m", opts->user); ++ if (*fd == -1) { ++ *fd = open_tally(opts->dir, opts->user, opts->uid, 1); ++ } ++ else { ++ while ((rv=ftruncate(*fd, 0)) == -1 && errno == EINTR); ++ if (rv == -1) { ++ pam_syslog(pamh, LOG_ERR, "Error clearing the tally file for %s: %m", opts->user); ++ } + } +} + @@ -1014,7 +1036,7 @@ diff -up Linux-PAM-1.1.1/modules/pam_faillock/pam_faillock.c.faillock Linux-PAM- + const void *source = NULL; + + if (*fd == -1) { -+ *fd = open_tally(opts->dir, opts->user, 1); ++ *fd = open_tally(opts->dir, opts->user, opts->uid, 1); + } + if (*fd == -1) { + if (errno == EACCES) { @@ -1171,7 +1193,7 @@ diff -up Linux-PAM-1.1.1/modules/pam_faillock/pam_faillock.c.faillock Linux-PAM- + + case FAILLOCK_ACTION_AUTHSUCC: + rv = check_tally(pamh, &opts, &tallies, &fd); -+ if (rv == PAM_SUCCESS && fd != -1) { ++ if (rv == PAM_SUCCESS) { + reset_tally(pamh, &opts, &fd); + } + break; @@ -1219,10 +1241,8 @@ diff -up Linux-PAM-1.1.1/modules/pam_faillock/pam_faillock.c.faillock Linux-PAM- + return rv; + } + -+ check_tally(pamh, &opts, &tallies, &fd); -+ if (fd != -1) { -+ reset_tally(pamh, &opts, &fd); -+ } ++ check_tally(pamh, &opts, &tallies, &fd); /* for auditing */ ++ reset_tally(pamh, &opts, &fd); + + tally_cleanup(&tallies, fd); + @@ -1257,9 +1277,9 @@ diff -up Linux-PAM-1.1.1/modules/pam_faillock/pam_faillock.c.faillock Linux-PAM- +#endif /* #ifdef PAM_STATIC */ + diff -up Linux-PAM-1.1.1/modules/pam_faillock/pam_faillock.8.xml.faillock Linux-PAM-1.1.1/modules/pam_faillock/pam_faillock.8.xml ---- Linux-PAM-1.1.1/modules/pam_faillock/pam_faillock.8.xml.faillock 2010-09-17 15:58:41.000000000 +0200 -+++ Linux-PAM-1.1.1/modules/pam_faillock/pam_faillock.8.xml 2010-09-17 15:58:41.000000000 +0200 -@@ -0,0 +1,396 @@ +--- Linux-PAM-1.1.1/modules/pam_faillock/pam_faillock.8.xml.faillock 2011-01-25 18:24:43.000000000 +0100 ++++ Linux-PAM-1.1.1/modules/pam_faillock/pam_faillock.8.xml 2011-01-25 18:24:56.000000000 +0100 +@@ -0,0 +1,392 @@ + + @@ -1539,13 +1559,9 @@ diff -up Linux-PAM-1.1.1/modules/pam_faillock/pam_faillock.8.xml.faillock Linux- + from the pam_tally2 module setup. + + -+ There is no setuid wrapper for access to the data file such as when the -+ pam_faillock.so module is called from -+ a screensaver. As this would make it impossible to share PAM configuration -+ with such services the following workaround is used: If the data file -+ cannot be opened because of insufficient permissions -+ (EACCES) the module returns -+ PAM_SUCCESS. ++ The individual files with the failure records are created as owned by ++ the user. This allows pam_faillock.so module ++ to work correctly when it is called from a screensaver. + + + Note that using the module in without the @@ -1657,8 +1673,8 @@ diff -up Linux-PAM-1.1.1/modules/pam_faillock/pam_faillock.8.xml.faillock Linux- + + diff -up Linux-PAM-1.1.1/modules/pam_faillock/README.xml.faillock Linux-PAM-1.1.1/modules/pam_faillock/README.xml ---- Linux-PAM-1.1.1/modules/pam_faillock/README.xml.faillock 2010-09-17 15:58:41.000000000 +0200 -+++ Linux-PAM-1.1.1/modules/pam_faillock/README.xml 2010-09-17 15:58:41.000000000 +0200 +--- Linux-PAM-1.1.1/modules/pam_faillock/README.xml.faillock 2011-01-25 18:24:43.000000000 +0100 ++++ Linux-PAM-1.1.1/modules/pam_faillock/README.xml 2011-01-25 18:24:43.000000000 +0100 @@ -0,0 +1,46 @@ + + diff -up Linux-PAM-1.1.1/modules/pam_faillock/tst-pam_faillock.faillock Linux-PAM-1.1.1/modules/pam_faillock/tst-pam_faillock ---- Linux-PAM-1.1.1/modules/pam_faillock/tst-pam_faillock.faillock 2010-09-17 15:58:41.000000000 +0200 -+++ Linux-PAM-1.1.1/modules/pam_faillock/tst-pam_faillock 2010-09-17 15:58:41.000000000 +0200 +--- Linux-PAM-1.1.1/modules/pam_faillock/tst-pam_faillock.faillock 2011-01-25 18:24:43.000000000 +0100 ++++ Linux-PAM-1.1.1/modules/pam_faillock/tst-pam_faillock 2011-01-25 18:24:43.000000000 +0100 @@ -0,0 +1,2 @@ +#!/bin/sh +../../tests/tst-dlopen .libs/pam_faillock.so diff --git a/pam-1.1.3-faillock-screensaver.patch b/pam-1.1.3-faillock-screensaver.patch deleted file mode 100644 index 249d285..0000000 --- a/pam-1.1.3-faillock-screensaver.patch +++ /dev/null @@ -1,167 +0,0 @@ -diff -up Linux-PAM-1.1.3/modules/pam_faillock/faillock.c.screensaver Linux-PAM-1.1.3/modules/pam_faillock/faillock.c ---- Linux-PAM-1.1.3/modules/pam_faillock/faillock.c.screensaver 2010-11-10 11:46:07.000000000 +0100 -+++ Linux-PAM-1.1.3/modules/pam_faillock/faillock.c 2010-11-10 11:46:07.000000000 +0100 -@@ -41,13 +41,14 @@ - #include - #include - #include -+#include - #include - #include - - #include "faillock.h" - - int --open_tally (const char *dir, const char *user, int create) -+open_tally (const char *dir, const char *user, uid_t uid, int create) - { - char *path; - int flags = O_RDWR; -@@ -69,8 +70,18 @@ open_tally (const char *dir, const char - - fd = open(path, flags, 0600); - -- if (fd != -1) -+ free(path); -+ -+ if (fd != -1) { -+ struct stat st; -+ - while (flock(fd, LOCK_EX) == -1 && errno == EINTR); -+ if (fstat(fd, &st) == 0) { -+ if (st.st_uid != uid) { -+ fchown(fd, uid, -1); -+ } -+ } -+ } - - return fd; - } -diff -up Linux-PAM-1.1.3/modules/pam_faillock/faillock.h.screensaver Linux-PAM-1.1.3/modules/pam_faillock/faillock.h ---- Linux-PAM-1.1.3/modules/pam_faillock/faillock.h.screensaver 2010-11-10 11:46:07.000000000 +0100 -+++ Linux-PAM-1.1.3/modules/pam_faillock/faillock.h 2010-11-10 11:46:07.000000000 +0100 -@@ -45,6 +45,7 @@ - #define _FAILLOCK_H - - #include -+#include - - #define TALLY_STATUS_VALID 0x1 /* the tally file entry is valid */ - #define TALLY_STATUS_RHOST 0x2 /* the source is rhost */ -@@ -65,7 +66,7 @@ struct tally_data { - - #define FAILLOCK_DEFAULT_TALLYDIR "/var/run/faillock" - --int open_tally(const char *dir, const char *user, int create); -+int open_tally(const char *dir, const char *user, uid_t uid, int create); - int read_tally(int fd, struct tally_data *tallies); - int update_tally(int fd, struct tally_data *tallies); - #endif -diff -up Linux-PAM-1.1.3/modules/pam_faillock/main.c.screensaver Linux-PAM-1.1.3/modules/pam_faillock/main.c ---- Linux-PAM-1.1.3/modules/pam_faillock/main.c.screensaver 2010-11-10 11:46:07.000000000 +0100 -+++ Linux-PAM-1.1.3/modules/pam_faillock/main.c 2010-11-10 11:46:07.000000000 +0100 -@@ -106,8 +106,11 @@ do_user(struct options *opts, const char - int fd; - int rv; - struct tally_data tallies; -+ struct passwd *pwd; - -- fd = open_tally(opts->dir, user, 0); -+ pwd = getpwnam(user); -+ -+ fd = open_tally(opts->dir, user, pwd != NULL ? pwd->pw_uid : 0, 0); - - if (fd == -1) { - if (errno == ENOENT) { -@@ -134,9 +137,8 @@ do_user(struct options *opts, const char - #ifdef HAVE_LIBAUDIT - } - if ((audit_fd=audit_open()) >= 0) { -- struct passwd *pwd; - -- if ((pwd=getpwnam(user)) != NULL) { -+ if (pwd != NULL) { - snprintf(buf, sizeof(buf), "faillock reset uid=%u", - pwd->pw_uid); - audit_log_user_message(audit_fd, AUDIT_USER_ACCT, -diff -up Linux-PAM-1.1.3/modules/pam_faillock/pam_faillock.c.screensaver Linux-PAM-1.1.3/modules/pam_faillock/pam_faillock.c ---- Linux-PAM-1.1.3/modules/pam_faillock/pam_faillock.c.screensaver 2010-11-10 11:46:07.000000000 +0100 -+++ Linux-PAM-1.1.3/modules/pam_faillock/pam_faillock.c 2010-11-10 11:46:07.000000000 +0100 -@@ -213,7 +213,7 @@ check_tally(pam_handle_t *pamh, struct o - - opts->now = time(NULL); - -- tfd = open_tally(opts->dir, opts->user, 0); -+ tfd = open_tally(opts->dir, opts->user, opts->uid, 0); - - *fd = tfd; - -@@ -289,9 +289,14 @@ reset_tally(pam_handle_t *pamh, struct o - { - int rv; - -- while ((rv=ftruncate(*fd, 0)) == -1 && errno == EINTR); -- if (rv == -1) { -- pam_syslog(pamh, LOG_ERR, "Error clearing the tally file for %s: %m", opts->user); -+ if (*fd == -1) { -+ *fd = open_tally(opts->dir, opts->user, opts->uid, 1); -+ } -+ else { -+ while ((rv=ftruncate(*fd, 0)) == -1 && errno == EINTR); -+ if (rv == -1) { -+ pam_syslog(pamh, LOG_ERR, "Error clearing the tally file for %s: %m", opts->user); -+ } - } - } - -@@ -306,7 +311,7 @@ write_tally(pam_handle_t *pamh, struct o - const void *source = NULL; - - if (*fd == -1) { -- *fd = open_tally(opts->dir, opts->user, 1); -+ *fd = open_tally(opts->dir, opts->user, opts->uid, 1); - } - if (*fd == -1) { - if (errno == EACCES) { -@@ -463,7 +468,7 @@ pam_sm_authenticate(pam_handle_t *pamh, - - case FAILLOCK_ACTION_AUTHSUCC: - rv = check_tally(pamh, &opts, &tallies, &fd); -- if (rv == PAM_SUCCESS && fd != -1) { -+ if (rv == PAM_SUCCESS) { - reset_tally(pamh, &opts, &fd); - } - break; -@@ -511,10 +516,8 @@ pam_sm_acct_mgmt(pam_handle_t *pamh, int - return rv; - } - -- check_tally(pamh, &opts, &tallies, &fd); -- if (fd != -1) { -- reset_tally(pamh, &opts, &fd); -- } -+ check_tally(pamh, &opts, &tallies, &fd); /* for auditing */ -+ reset_tally(pamh, &opts, &fd); - - tally_cleanup(&tallies, fd); - -diff -up Linux-PAM-1.1.3/modules/pam_faillock/pam_faillock.8.xml.screensaver Linux-PAM-1.1.3/modules/pam_faillock/pam_faillock.8.xml ---- Linux-PAM-1.1.3/modules/pam_faillock/pam_faillock.8.xml.screensaver 2010-11-10 11:46:07.000000000 +0100 -+++ Linux-PAM-1.1.3/modules/pam_faillock/pam_faillock.8.xml 2010-11-10 11:47:14.000000000 +0100 -@@ -277,13 +277,9 @@ - from the pam_tally2 module setup. - - -- There is no setuid wrapper for access to the data file such as when the -- pam_faillock.so module is called from -- a screensaver. As this would make it impossible to share PAM configuration -- with such services the following workaround is used: If the data file -- cannot be opened because of insufficient permissions -- (EACCES) the module returns -- PAM_SUCCESS. -+ The individual files with the failure records are created as owned by -+ the user. This allows pam_faillock.so module -+ to work correctly when it is called from a screensaver. - - - Note that using the module in without the diff --git a/pam-1.1.8-audit-grantor.patch b/pam-1.1.8-audit-grantor.patch new file mode 100644 index 0000000..f131fd3 --- /dev/null +++ b/pam-1.1.8-audit-grantor.patch @@ -0,0 +1,344 @@ +diff --git a/libpam/pam_account.c b/libpam/pam_account.c +index 572acc4..3a4fb1f 100644 +--- a/libpam/pam_account.c ++++ b/libpam/pam_account.c +@@ -19,9 +19,5 @@ int pam_acct_mgmt(pam_handle_t *pamh, int flags) + + retval = _pam_dispatch(pamh, flags, PAM_ACCOUNT); + +-#ifdef HAVE_LIBAUDIT +- retval = _pam_auditlog(pamh, PAM_ACCOUNT, retval, flags); +-#endif +- + return retval; + } +diff --git a/libpam/pam_audit.c b/libpam/pam_audit.c +index 531746a..63a4ea5 100644 +--- a/libpam/pam_audit.c ++++ b/libpam/pam_audit.c +@@ -28,14 +28,15 @@ _pam_audit_writelog(pam_handle_t *pamh, int audit_fd, int type, + const char *message, int retval) + { + static int old_errno = -1; +- int rc; +- char buf[32]; +- +- snprintf(buf, sizeof(buf), "PAM:%s", message); +- +- rc = audit_log_acct_message (audit_fd, type, NULL, buf, +- (retval != PAM_USER_UNKNOWN && pamh->user) ? pamh->user : "?", +- -1, pamh->rhost, NULL, pamh->tty, retval == PAM_SUCCESS ); ++ int rc = -ENOMEM; ++ char *buf = NULL; ++ ++ if (asprintf(&buf, "PAM:%s", message) >= 0) { ++ rc = audit_log_acct_message(audit_fd, type, NULL, buf, ++ (retval != PAM_USER_UNKNOWN && pamh->user) ? pamh->user : "?", ++ -1, pamh->rhost, NULL, pamh->tty, retval == PAM_SUCCESS); ++ free(buf); ++ } + + /* libaudit sets errno to his own negative error code. This can be + an official errno number, but must not. It can also be a audit +@@ -78,12 +79,65 @@ _pam_audit_open(pam_handle_t *pamh) + return audit_fd; + } + ++static char * ++_pam_list_grantors(struct handler *hlist, const char *message, int retval) ++{ ++ char *buf; ++ char *list = NULL; ++ ++ if (retval == PAM_SUCCESS) { ++ struct handler *h; ++ char *p = NULL; ++ size_t len = 0; ++ ++ h = hlist; ++ ++ while (h != NULL) { ++ if (h->grantor) { ++ len += strlen(h->mod_name) + 1; ++ } ++ ++ h = h->next; ++ } ++ ++ list = malloc(len); ++ if (list == NULL) { ++ return NULL; ++ } ++ ++ h = hlist; ++ ++ while (h != NULL) { ++ if (h->grantor) { ++ if (p == NULL) { ++ p = list; ++ } else { ++ p = stpcpy(p, ","); ++ } ++ ++ p = stpcpy(p, h->mod_name); ++ } ++ ++ h = h->next; ++ } ++ } ++ ++ if (asprintf(&buf, "%s grantor=%s", message, list ? list : "?") < 0) { ++ free(list); ++ return NULL; ++ } ++ ++ free(list); ++ return buf; ++} ++ + int +-_pam_auditlog(pam_handle_t *pamh, int action, int retval, int flags) ++_pam_auditlog(pam_handle_t *pamh, int action, int retval, int flags, struct handler *h) + { + const char *message; + int type; + int audit_fd; ++ char *buf = NULL; + + if ((audit_fd=_pam_audit_open(pamh)) == -1) { + return PAM_SYSTEM_ERR; +@@ -134,9 +188,18 @@ _pam_auditlog(pam_handle_t *pamh, int action, int retval, int flags) + retval = PAM_SYSTEM_ERR; + } + +- if (_pam_audit_writelog(pamh, audit_fd, type, message, retval) < 0) ++ buf = _pam_list_grantors(h, message, retval); ++ if (buf == NULL) { ++ /* allocation failure */ ++ pam_syslog(pamh, LOG_CRIT, "_pam_list_grantors() failed: %m"); ++ retval = PAM_SYSTEM_ERR; ++ } ++ ++ if (_pam_audit_writelog(pamh, audit_fd, type, buf ? buf : message, retval) < 0) + retval = PAM_SYSTEM_ERR; + ++ free(buf); ++ + audit_close(audit_fd); + return retval; + } +@@ -149,7 +212,7 @@ _pam_audit_end(pam_handle_t *pamh, int status UNUSED) + * stacks having been run. Assume that this is sshd faking + * things for an unknown user. + */ +- _pam_auditlog(pamh, _PAM_ACTION_DONE, PAM_USER_UNKNOWN, 0); ++ _pam_auditlog(pamh, _PAM_ACTION_DONE, PAM_USER_UNKNOWN, 0, NULL); + } + + return 0; +diff --git a/libpam/pam_auth.c b/libpam/pam_auth.c +index 5984fa5..1e7bc6e 100644 +--- a/libpam/pam_auth.c ++++ b/libpam/pam_auth.c +@@ -45,10 +45,6 @@ int pam_authenticate(pam_handle_t *pamh, int flags) + prelude_send_alert(pamh, retval); + #endif + +-#ifdef HAVE_LIBAUDIT +- retval = _pam_auditlog(pamh, PAM_AUTHENTICATE, retval, flags); +-#endif +- + return retval; + } + +@@ -71,10 +67,6 @@ int pam_setcred(pam_handle_t *pamh, int flags) + + retval = _pam_dispatch(pamh, flags, PAM_SETCRED); + +-#ifdef HAVE_LIBAUDIT +- retval = _pam_auditlog(pamh, PAM_SETCRED, retval, flags); +-#endif +- + D(("pam_setcred exit")); + + return retval; +diff --git a/libpam/pam_dispatch.c b/libpam/pam_dispatch.c +index eb52c82..ccfc372 100644 +--- a/libpam/pam_dispatch.c ++++ b/libpam/pam_dispatch.c +@@ -217,8 +217,14 @@ static int _pam_dispatch_aux(pam_handle_t *pamh, int flags, struct handler *h, + status = retval; + } + } +- if ( impression == _PAM_POSITIVE && action == _PAM_ACTION_DONE ) { +- goto decision_made; ++ if ( impression == _PAM_POSITIVE ) { ++ if ( retval == PAM_SUCCESS ) { ++ h->grantor = 1; ++ } ++ ++ if ( action == _PAM_ACTION_DONE ) { ++ goto decision_made; ++ } + } + break; + +@@ -308,6 +314,14 @@ decision_made: /* by getting here we have made a decision */ + return status; + } + ++static void _pam_clear_grantors(struct handler *h) ++{ ++ while (h != NULL) { ++ h->grantor = 0; ++ h = h->next; ++ } ++} ++ + /* + * This function translates the module dispatch request into a pointer + * to the stack of modules that will actually be run. the +@@ -318,21 +332,21 @@ decision_made: /* by getting here we have made a decision */ + int _pam_dispatch(pam_handle_t *pamh, int flags, int choice) + { + struct handler *h = NULL; +- int retval, use_cached_chain; ++ int retval = PAM_SYSTEM_ERR, use_cached_chain; + _pam_boolean resumed; + + IF_NO_PAMH("_pam_dispatch", pamh, PAM_SYSTEM_ERR); + + if (__PAM_FROM_MODULE(pamh)) { + D(("called from a module!?")); +- return PAM_SYSTEM_ERR; ++ goto end; + } + + /* Load all modules, resolve all symbols */ + + if ((retval = _pam_init_handlers(pamh)) != PAM_SUCCESS) { + pam_syslog(pamh, LOG_ERR, "unable to dispatch function"); +- return retval; ++ goto end; + } + + use_cached_chain = _PAM_PLEASE_FREEZE; +@@ -360,7 +374,8 @@ int _pam_dispatch(pam_handle_t *pamh, int flags, int choice) + break; + default: + pam_syslog(pamh, LOG_ERR, "undefined fn choice; %d", choice); +- return PAM_ABORT; ++ retval = PAM_ABORT; ++ goto end; + } + + if (h == NULL) { /* there was no handlers.conf... entry; will use +@@ -393,11 +408,13 @@ int _pam_dispatch(pam_handle_t *pamh, int flags, int choice) + pam_syslog(pamh, LOG_ERR, + "application failed to re-exec stack [%d:%d]", + pamh->former.choice, choice); +- return PAM_ABORT; ++ retval = PAM_ABORT; ++ goto end; + } + resumed = PAM_TRUE; + } else { + resumed = PAM_FALSE; ++ _pam_clear_grantors(h); + } + + __PAM_TO_MODULE(pamh); +@@ -417,5 +434,13 @@ int _pam_dispatch(pam_handle_t *pamh, int flags, int choice) + pamh->former.choice = PAM_NOT_STACKED; + } + ++end: ++ ++#ifdef HAVE_LIBAUDIT ++ if (choice != PAM_CHAUTHTOK || flags & PAM_UPDATE_AUTHTOK || retval != PAM_SUCCESS) { ++ retval = _pam_auditlog(pamh, choice, retval, flags, h); ++ } ++#endif ++ + return retval; + } +diff --git a/libpam/pam_handlers.c b/libpam/pam_handlers.c +index 02714f7..e3f8ff6 100644 +--- a/libpam/pam_handlers.c ++++ b/libpam/pam_handlers.c +@@ -889,6 +889,7 @@ int _pam_add_handler(pam_handle_t *pamh + (*handler_p)->argc = argc; + (*handler_p)->argv = argv; /* not a copy */ + (*handler_p)->mod_name = extract_modulename(mod_path); ++ (*handler_p)->grantor = 0; + (*handler_p)->next = NULL; + + /* some of the modules have a second calling function */ +@@ -921,6 +922,7 @@ int _pam_add_handler(pam_handle_t *pamh + (*handler_p2)->argv = NULL; /* no arguments */ + } + (*handler_p2)->mod_name = extract_modulename(mod_path); ++ (*handler_p2)->grantor = 0; + (*handler_p2)->next = NULL; + } + +diff --git a/libpam/pam_password.c b/libpam/pam_password.c +index 75db5e5..592e01f 100644 +--- a/libpam/pam_password.c ++++ b/libpam/pam_password.c +@@ -57,9 +57,5 @@ int pam_chauthtok(pam_handle_t *pamh, int flags) + D(("will resume when ready", retval)); + } + +-#ifdef HAVE_LIBAUDIT +- retval = _pam_auditlog(pamh, PAM_CHAUTHTOK, retval, flags); +-#endif +- + return retval; + } +diff --git a/libpam/pam_private.h b/libpam/pam_private.h +index 134dc72..d93283c 100644 +--- a/libpam/pam_private.h ++++ b/libpam/pam_private.h +@@ -55,6 +55,7 @@ struct handler { + struct handler *next; + char *mod_name; + int stack_level; ++ int grantor; + }; + + #define PAM_HT_MODULE 0 +@@ -316,7 +317,7 @@ if ((pamh) == NULL) { \ + do { (pamh)->caller_is = _PAM_CALLED_FROM_APP; } while (0) + + #ifdef HAVE_LIBAUDIT +-extern int _pam_auditlog(pam_handle_t *pamh, int action, int retval, int flags); ++extern int _pam_auditlog(pam_handle_t *pamh, int action, int retval, int flags, struct handler *h); + extern int _pam_audit_end(pam_handle_t *pamh, int pam_status); + #endif + +diff --git a/libpam/pam_session.c b/libpam/pam_session.c +index 512153f..cb393c1 100644 +--- a/libpam/pam_session.c ++++ b/libpam/pam_session.c +@@ -22,9 +22,6 @@ int pam_open_session(pam_handle_t *pamh, int flags) + } + retval = _pam_dispatch(pamh, flags, PAM_OPEN_SESSION); + +-#ifdef HAVE_LIBAUDIT +- retval = _pam_auditlog(pamh, PAM_OPEN_SESSION, retval, flags); +-#endif + return retval; + } + +@@ -43,10 +40,6 @@ int pam_close_session(pam_handle_t *pamh, int flags) + + retval = _pam_dispatch(pamh, flags, PAM_CLOSE_SESSION); + +-#ifdef HAVE_LIBAUDIT +- retval = _pam_auditlog(pamh, PAM_CLOSE_SESSION, retval, flags); +-#endif +- + return retval; + + } diff --git a/pam.spec b/pam.spec index 048ec94..389d6aa 100644 --- a/pam.spec +++ b/pam.spec @@ -3,7 +3,7 @@ Summary: An extensible library which provides authentication for applications Name: pam Version: 1.1.8 -Release: 14%{?dist} +Release: 15%{?dist} # The library is BSD licensed with option to relicense as GPLv2+ # - this option is redundant as the BSD license allows that anyway. # pam_timestamp, pam_loginuid, and pam_console modules are GPLv2+. @@ -35,7 +35,6 @@ Patch5: pam-1.1.0-notally.patch Patch8: pam-1.1.1-faillock.patch Patch9: pam-1.1.6-noflex.patch Patch10: pam-1.1.3-nouserenv.patch -Patch12: pam-1.1.3-faillock-screensaver.patch Patch13: pam-1.1.6-limits-user.patch Patch15: pam-1.1.6-full-relro.patch # FIPS related - non upstreamable @@ -50,6 +49,7 @@ Patch35: pam-1.1.8-cve-2013-7041.patch Patch36: pam-1.1.8-cve-2014-2583.patch Patch37: pam-1.1.8-loginuid-container.patch Patch38: pam-1.1.8-opasswd-tolerant.patch +Patch39: pam-1.1.8-audit-grantor.patch %define _pamlibdir %{_libdir} %define _moduledir %{_libdir}/security @@ -121,7 +121,6 @@ cp %{SOURCE18} . %patch8 -p1 -b .faillock %patch9 -p1 -b .noflex %patch10 -p1 -b .nouserenv -%patch12 -p1 -b .screensaver %patch13 -p1 -b .limits %patch15 -p1 -b .relro %patch20 -p1 -b .no-fallback @@ -134,6 +133,7 @@ cp %{SOURCE18} . %patch36 -p1 -b .timestamp-ruser %patch37 -p1 -b .container %patch38 -p1 -b .opasswd-tolerant +%patch39 -p1 -b .grantor %build autoreconf -i @@ -384,6 +384,10 @@ fi %doc doc/adg/*.txt doc/adg/html %changelog +* Wed Aug 13 2014 Tomáš Mráz 1.1.8-15 +- audit the module names that granted access +- pam_faillock: update to latest version + * Wed Jul 30 2014 Tom Callaway - 1.1.8-14 - fix license handling