From bbd6bf031fb6a4b9184a03713bf5e6e3de44fd7b Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Tom=C3=A1=C5=A1=20Mr=C3=A1z?=
Date: Wed, 24 Jan 2007 12:14:29 +0000
Subject: [PATCH] - upgrade to new upstream version resolving CVE-2007-0003

- pam_namespace: unmount poly dir for override users
---
 .cvsignore | 2 +-
 Linux-PAM-0.99.7.1.tar.bz2.sign | 8 ++
 pam-0.99.7.0-namespace-unmnt-override.patch | 125 ++++++++++++++++++++
 pam.spec | 16 +--
 sources | 2 +-
 5 files changed, 144 insertions(+), 9 deletions(-)
 create mode 100644 Linux-PAM-0.99.7.1.tar.bz2.sign
 create mode 100644 pam-0.99.7.0-namespace-unmnt-override.patch

diff --git a/.cvsignore b/.cvsignore
index 23e5905..07b5925 100644
--- a/.cvsignore
+++ b/.cvsignore
@@ -1,5 +1,5 @@
 db-4.5.20.tar.gz
 *.src.rpm
 *.tar.bz2
-Linux-PAM-0.99.7.0.tar.bz2
 pam-redhat-0.99.7-1.tar.bz2
+Linux-PAM-0.99.7.1.tar.bz2
diff --git a/Linux-PAM-0.99.7.1.tar.bz2.sign b/Linux-PAM-0.99.7.1.tar.bz2.sign
new file mode 100644
index 0000000..5fe6660
--- /dev/null
+++ b/Linux-PAM-0.99.7.1.tar.bz2.sign
@@ -0,0 +1,8 @@
+-----BEGIN PGP SIGNATURE-----
+Version: GnuPG v1.4.6 (GNU/Linux)
+Comment: See http://www.kernel.org/signature.html for info
+
+iD8DBQBFtgDAyGugalF9Dw4RArOyAJ0duc7/WqnlX1+LfjYsUOQsJhICOgCfdWDb
+aMzAtzhCqvu+IxJTFwXx/kk=
+=I+NT
+-----END PGP SIGNATURE-----
diff --git a/pam-0.99.7.0-namespace-unmnt-override.patch b/pam-0.99.7.0-namespace-unmnt-override.patch
new file mode 100644
index 0000000..204c289
--- /dev/null
+++ b/pam-0.99.7.0-namespace-unmnt-override.patch
@@ -0,0 +1,125 @@
+--- Linux-PAM-0.99.7.0/modules/pam_namespace/pam_namespace.c.unmnt-override 2007-01-22 14:06:31.000000000 +0100
++++ Linux-PAM-0.99.7.0/modules/pam_namespace/pam_namespace.c 2007-01-23 16:41:57.000000000 +0100
+@@ -417,17 +417,18 @@
+ * uids for the polyinstantiated directory, polyinstantiation is not
+ * performed for that user for that directory.
+ */
+-static int ns_override(struct polydir_s *polyptr, struct instance_data *idata)
++static int ns_override(struct polydir_s *polyptr, struct instance_data *idata,
++ uid_t uid)
+ {
+ unsigned int i;
+
+ if (idata->flags & PAMNS_DEBUG)
+ pam_syslog(idata->pamh, LOG_DEBUG,
+ "Checking for ns override in dir %s for uid %d",
+- polyptr->dir, idata->uid);
++ polyptr->dir, uid);
+
+ for (i = 0; i < polyptr->num_uids; i++) {
+- if (idata->uid == polyptr->uid[i]) {
++ if (uid == polyptr->uid[i]) {
+ return 1;
+ }
+ }
+@@ -1013,21 +1014,46 @@
+ int retval = 0, need_poly = 0, changing_dir = 0;
+ char *cptr, *fptr, poly_parent[PATH_MAX];
+ struct polydir_s *pptr;
++ uid_t req_uid;
++ const void *ruser_name;
++ struct passwd *pwd;
+
+ if (idata->flags & PAMNS_DEBUG)
+ pam_syslog(idata->pamh, LOG_DEBUG, "Set up namespace for pid %d",
+ getpid());
+
++ retval = pam_get_item(idata->pamh, PAM_RUSER, &ruser_name);
++ if (ruser_name == NULL || retval != PAM_SUCCESS) {
++ retval = PAM_SUCCESS;
++ req_uid = getuid();
++ } else {
++ pwd = pam_modutil_getpwnam(idata->pamh, ruser_name);
++ if (pwd != NULL) {
++ req_uid = pwd->pw_uid;
++ } else {
++ req_uid = getuid();
++ }
++ }
++
+ /*
+ * Cycle through all polyinstantiated directory entries to see if
+ * polyinstantiation is needed at all.
+ */
+ for (pptr = idata->polydirs_ptr; pptr; pptr = pptr->next) {
+- if (ns_override(pptr, idata)) {
+- if (idata->flags & PAMNS_DEBUG)
+- pam_syslog(idata->pamh, LOG_DEBUG,
++ if (ns_override(pptr, idata, idata->uid)) {
++ if (unmnt == NO_UNMNT || ns_override(pptr, idata, req_uid)) {
++ if (idata->flags & PAMNS_DEBUG)
++ pam_syslog(idata->pamh, LOG_DEBUG,
+ "Overriding poly for user %d for dir %s",
+ idata->uid, pptr->dir);
++ } else {
++ if (idata->flags & PAMNS_DEBUG)
++ pam_syslog(idata->pamh, LOG_DEBUG,
++ "Need unmount ns for user %d for dir %s",
++ idata->uid, pptr->dir);
++ need_poly = 1;
++ break;
++ }
+ continue;
+ } else {
+ if (idata->flags & PAMNS_DEBUG)
+@@ -1057,15 +1083,20 @@
+ * call ns_setup to setup polyinstantiation for a particular entry.
+ */
+ for (pptr = idata->polydirs_ptr; pptr; pptr = pptr->next) {
+- if (ns_override(pptr, idata))
+- continue;
+- else {
+- if (idata->flags & PAMNS_DEBUG)
++ enum unmnt_op dir_unmnt = unmnt;
++ if (ns_override(pptr, idata, idata->uid)) {
++ if (unmnt == NO_UNMNT || ns_override(pptr, idata, req_uid)) {
++ continue;
++ } else {
++ dir_unmnt = UNMNT_ONLY;
++ }
++ }
++ if (idata->flags & PAMNS_DEBUG)
+ pam_syslog(idata->pamh, LOG_DEBUG,
+ "Setting poly ns for user %d for dir %s",
+ idata->uid, pptr->dir);
+
+- if ((unmnt == UNMNT_REMNT) || (unmnt == UNMNT_ONLY)) {
++ if ((dir_unmnt == UNMNT_REMNT) || (dir_unmnt == UNMNT_ONLY)) {
+ /*
+ * Check to see if process current directory is in the
+ * bind mounted instance_parent directory that we are trying to
+@@ -1105,13 +1136,12 @@
+ } else if (idata->flags & PAMNS_DEBUG)
+ pam_syslog(idata->pamh, LOG_DEBUG, "Umount succeeded %s",
+ pptr->dir);
+- }
++ }
+
+- if (unmnt != UNMNT_ONLY) {
++ if (dir_unmnt != UNMNT_ONLY) {
+ retval = ns_setup(pptr, idata);
+ if (retval != PAM_SUCCESS)
+ break;
+- }
+ }
+ }
+
+@@ -1138,7 +1168,7 @@
+ * appropriate polyinstantiated instance directories.
+ */
+ for (pptr = idata->polydirs_ptr; pptr; pptr = pptr->next) {
+- if (ns_override(pptr, idata))
++ if (ns_override(pptr, idata, idata->uid))
+ continue;
+ else {
+ if (idata->flags & PAMNS_DEBUG)
diff --git a/pam.spec b/pam.spec
index f498359..9d7cd35 100644
--- a/pam.spec
+++ b/pam.spec
@@ -10,8 +10,8 @@ Summary: A security tool which provides authentication for applications
 Name: pam
-Version: 0.99.7.0
-Release: 2%{?dist}
+Version: 0.99.7.1
+Release: 1%{?dist}
 License: GPL or BSD
 Group: System Environment/Base
 Source0: http://ftp.us.kernel.org/pub/linux/libs/pam/pre/library/Linux-PAM-%{version}.tar.bz2
@@ -25,9 +25,7 @@ Source8: dlopen.sh
 Source9: system-auth.5
 Source10: config-util.5
 Patch1: pam-0.99.7.0-redhat-modules.patch
-Patch2: pam-0.99.7.0-selinux-build.patch
 Patch21: pam-0.78-unix-hpux-aging.patch
-Patch22: pam-0.99.7.0-unix-minsalt.patch
 Patch34: pam-0.99.7.0-dbpam.patch
 Patch70: pam-0.99.2.1-selinux-nofail.patch
 Patch80: pam-0.99.6.2-selinux-drop-multiple.patch
@@ -38,6 +36,7 @@ Patch86: pam-0.99.7.0-namespace-no-unmount.patch
 Patch87: pam-0.99.6.2-namespace-preserve-uid.patch
 Patch92: pam-0.99.6.2-selinux-select-context.patch
 Patch93: pam-0.99.7.0-namespace-level.patch
+Patch94: pam-0.99.7.0-namespace-unmnt-override.patch
 Patch95: pam-0.99.6.2-selinux-use-current-range.patch
 BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n)
 
@@ -92,9 +91,7 @@ cp %{SOURCE6} .
 cp %{SOURCE7} .
 
 %patch1 -p1 -b .redhat-modules
-%patch2 -p1 -b .build
 %patch21 -p1 -b .unix-hpux-aging
-%patch22 -p1 -b .minsalt
 %patch34 -p1 -b .dbpam
 %patch70 -p1 -b .nofail
 %patch80 -p1 -b .drop-multiple
@@ -105,6 +102,7 @@ cp %{SOURCE7} .
 %patch87 -p1 -b .preserve-uid
 %patch92 -p1 -b .select-context
 %patch93 -p1 -b .level
+%patch94 -p1 -b .unmnt-override
 %patch95 -p1 -b .range
 
 autoreconf
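Review bot: In the second inner hunk of pam-0.99.7.0-namespace-unmnt-override.patch (`@@ -1013,21 +1014,46 @@`) the new guard evaluates `ruser_name == NULL` before `retval != PAM_SUCCESS`, so if pam_get_item() ever fails without storing through its out-pointer the comparison reads an indeterminate `const void *`; declaring `const void *ruser_name = NULL;` or reordering to `if (retval != PAM_SUCCESS || ruser_name == NULL) {` removes that dependency on the callee. The same block makes a security decision that is not obvious from the code and deserves a why-comment, e.g. `/* req_uid is the requesting user (PAM_RUSER), falling back to the real uid; a target user in the override list still gets any existing polyinstantiated mount unmounted unless unmounting is disabled or the requester is overridden too. */`. In the fourth inner hunk (`@@ -1105,13 +1136,12 @@`) the brace that now closes `if (dir_unmnt != UNMNT_ONLY)` is left at the indentation of the deleted `else` block, so the nesting reads wrong; re-indent that `}` one level. The enclosing function begins and ends outside every one of these inner hunks.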
@@ -397,9 +395,13 @@ fi
 %doc doc/adg/*.txt doc/adg/html
 
 %changelog
+* Wed Jan 24 2007 Tomas Mraz 0.99.7.1-1
+- upgrade to new upstream version resolving CVE-2007-0003
+- pam_namespace: unmount poly dir for override users
+
 * Mon Jan 22 2007 Tomas Mraz 0.99.7.0-2
 - add back min salt length requirement which was erroneously removed
- upstream
+ upstream (CVE-2007-0003)
 
 * Fri Jan 19 2007 Tomas Mraz 0.99.7.0-1
 - upgrade to new upstream version
diff --git a/sources b/sources
index 50e84b8..d583211 100644
--- a/sources
+++ b/sources
@@ -1,3 +1,3 @@
 b0f1c777708cb8e9d37fb47e7ed3312d db-4.5.20.tar.gz
-e4c9e503ac6af0efdd6031a46bdf506f Linux-PAM-0.99.7.0.tar.bz2
 66845048120c71205bd3363264f2bfe7 pam-redhat-0.99.7-1.tar.bz2
+385458dfb4633071594e255a6ebec9da Linux-PAM-0.99.7.1.tar.bz2