From c8a6aadf1019a5efa66691eb5a63a6740c575473 Mon Sep 17 00:00:00 2001
From: Tomas Mraz
Date: Wed, 7 Aug 2013 18:24:04 +0200
Subject: [PATCH] use links instead of w3m to create txt documentation

- recognize login session in pam_sepermit to prevent gdm from locking (#969174)
- add support for disabling password logging in pam_tty_audit
---
pam-1.1.6-sepermit-user.patch | 58 +++++++++++++++++++
pam-1.1.6-tty-audit-echo.patch | 100 +++++++++++++++++++++++++++++++++
pam-1.1.6-use-links.patch | 15 +++++
pam.spec | 16 +++++-
4 files changed, 187 insertions(+), 2 deletions(-)
create mode 100644 pam-1.1.6-sepermit-user.patch
create mode 100644 pam-1.1.6-tty-audit-echo.patch
create mode 100644 pam-1.1.6-use-links.patch
diff --git a/pam-1.1.6-sepermit-user.patch b/pam-1.1.6-sepermit-user.patch
new file mode 100644
index 0000000..9a003ee
--- /dev/null
+++ b/pam-1.1.6-sepermit-user.patch
@@ -0,0 +1,58 @@
+diff -up Linux-PAM-1.1.6/modules/pam_sepermit/Makefile.am.sepermit Linux-PAM-1.1.6/modules/pam_sepermit/Makefile.am
+--- Linux-PAM-1.1.6/modules/pam_sepermit/Makefile.am.sepermit 2013-07-24 12:55:08.822987098 -0400
++++ Linux-PAM-1.1.6/modules/pam_sepermit/Makefile.am 2013-07-24 12:55:11.653004214 -0400
+@@ -24,7 +24,7 @@ AM_CFLAGS = -I$(top_srcdir)/libpam/inclu
+ -D SEPERMIT_CONF_FILE=\"$(SCONFIGDIR)/sepermit.conf\" \
+ -D SEPERMIT_LOCKDIR=\"$(sepermitlockdir)\"
+ 
+-pam_sepermit_la_LIBADD = $(top_builddir)/libpam/libpam.la @LIBSELINUX@
++pam_sepermit_la_LIBADD = $(top_builddir)/libpam/libpam.la @LIBSELINUX@ -lsystemd-login
+ pam_sepermit_la_LDFLAGS = -no-undefined -avoid-version -module
+ if HAVE_VERSIONING
+ pam_sepermit_la_LDFLAGS += -Wl,--version-script=$(srcdir)/../modules.map
+diff -up Linux-PAM-1.1.6/modules/pam_sepermit/pam_sepermit.c.sepermit Linux-PAM-1.1.6/modules/pam_sepermit/pam_sepermit.c
+--- Linux-PAM-1.1.6/modules/pam_sepermit/pam_sepermit.c.sepermit 2012-08-15 07:08:43.000000000 -0400
++++ Linux-PAM-1.1.6/modules/pam_sepermit/pam_sepermit.c 2013-07-24 13:17:24.088061506 -0400
+@@ -65,6 +65,7 @@
+ #include 
+ 
+ #include 
++#include 
+ 
+ #define MODULE "pam_sepermit"
+ #define OPT_DELIM ":"
+@@ -187,6 +188,25 @@ sepermit_unlock(pam_handle_t *pamh, void
+ }
+ 
+ static int
++check_user_session(pam_handle_t *pamh) {
++ char *session = NULL;
++ char *class = NULL;
++ int rc;
++
++ if (sd_pid_get_session(0, &session))
++ return -1;
++ rc = sd_session_get_class(session, &class);
++ pam_syslog(pamh, LOG_ERR, "Session %s", session);
++ if (rc == 0) {
++ rc = strcmp(class, "user");
++ pam_syslog(pamh, LOG_ERR, "Class %s", class);
++ }
++ free(session);
++ free(class);
++ return rc;
++}
++
++static int
+ sepermit_lock(pam_handle_t *pamh, const char *user, int debug)
+ {
+ char buf[PATH_MAX];
+@@ -319,7 +339,7 @@ sepermit_match(pam_handle_t *pamh, const
+ if (*sense == PAM_SUCCESS) {
+ if (ignore)
+ *sense = PAM_IGNORE;
+- if (geteuid() == 0 && exclusive)
++ if (geteuid() == 0 && exclusive && check_user_session(pamh) != 0)
+ if (sepermit_lock(pamh, user, debug) < 0)
+ *sense = PAM_AUTH_ERR;
+ }
diff --git a/pam-1.1.6-tty-audit-echo.patch b/pam-1.1.6-tty-audit-echo.patch
new file mode 100644
index 0000000..754591a
--- /dev/null
+++ b/pam-1.1.6-tty-audit-echo.patch
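Review bot: The two `pam_syslog(pamh, LOG_ERR, ...)` calls in the new `check_user_session` read as debugging leftovers: they log the session id and class at error severity on every exclusive-match authentication, including the normal path where the lock is simply skipped. Pass the module's `debug` flag into the helper and gate them, e.g. `if (debug) pam_syslog(pamh, LOG_DEBUG, "Session %s", session);`, with the call in sepermit_match becoming `check_user_session(pamh, debug)`. The helper's contract also deserves a comment, because the caller relies on it failing closed: `/* 0 only when the calling process runs inside a systemd session of class "user"; any lookup failure is non-zero, so the exclusive lock is still taken. */`. The `-lsystemd-login` link flag in Makefile.am is added unconditionally with no configure check, so a build without the systemd-login headers fails at compile time rather than at configure time; acceptable for a distro patch, but worth stating in the patch header. sepermit_match's body begins and ends outside the hunk, and the `{` on the helper's signature line differs from the file's own style visible on sepermit_lock just below.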
@@ -0,0 +1,100 @@
+diff -up Linux-PAM-1.1.6/configure.in.tty-audit-echo Linux-PAM-1.1.6/configure.in
+--- Linux-PAM-1.1.6/configure.in.tty-audit-echo 2013-08-07 15:41:08.245745447 +0200
++++ Linux-PAM-1.1.6/configure.in 2013-08-07 18:13:04.358958936 +0200
+@@ -386,6 +386,10 @@ if test x"$WITH_LIBAUDIT" != xno ; then
+ fi
+ if test ! -z "$HAVE_AUDIT_TTY_STATUS" ; then
+ AC_DEFINE([HAVE_AUDIT_TTY_STATUS], 1, [Define to 1 if struct audit_tty_status exists.])
++ 
++ AC_CHECK_MEMBERS([struct audit_tty_status.log_passwd], [],
++ AC_MSG_WARN([audit_tty_status.log_passwd is not available. The log_passwd option is disabled.]),
++ [[#include ]])
+ fi
+ else
+ LIBAUDIT=""
+diff -up Linux-PAM-1.1.6/modules/pam_tty_audit/pam_tty_audit.8.xml.tty-audit-echo Linux-PAM-1.1.6/modules/pam_tty_audit/pam_tty_audit.8.xml
+--- Linux-PAM-1.1.6/modules/pam_tty_audit/pam_tty_audit.8.xml.tty-audit-echo 2012-08-15 13:08:43.000000000 +0200
++++ Linux-PAM-1.1.6/modules/pam_tty_audit/pam_tty_audit.8.xml 2013-08-07 18:08:55.310028229 +0200
+@@ -77,6 +77,19 @@
+ 
+ 
+ 
++ 
++ 
++ 
++ 
++ 
++ 
++ Log keystrokes when ECHO mode is off but ICANON mode is active.
++ This is the mode in which the tty is placed during password entry.
++ By default, passwords are not logged. This option may not be
++ available on older kernels (3.9?).
++ 
++ 
++ 
+ 
+ 
+ 
+@@ -161,6 +174,8 @@ session required pam_tty_audit.so disabl
+ 
+ 
+ pam_tty_audit was written by Miloslav Trmač
+ <mitr@redhat.com>.
++ The log_passwd option was added by Richard Guy Briggs
++ <rgb@redhat.com>.
+ 
+ 
+ 
+diff -up Linux-PAM-1.1.6/modules/pam_tty_audit/pam_tty_audit.c.tty-audit-echo Linux-PAM-1.1.6/modules/pam_tty_audit/pam_tty_audit.c
+--- Linux-PAM-1.1.6/modules/pam_tty_audit/pam_tty_audit.c.tty-audit-echo 2012-08-15 13:08:43.000000000 +0200
++++ Linux-PAM-1.1.6/modules/pam_tty_audit/pam_tty_audit.c 2013-08-07 18:09:29.428694493 +0200
+@@ -201,6 +201,9 @@ pam_sm_open_session (pam_handle_t *pamh,
+ struct audit_tty_status *old_status, new_status;
+ const char *user;
+ int i, fd, open_only;
++#ifdef HAVE_STRUCT_AUDIT_TTY_STATUS_LOG_PASSWD
++ int log_passwd;
++#endif /* HAVE_STRUCT_AUDIT_TTY_STATUS_LOG_PASSWD */
+ 
+ (void)flags;
+ 
+@@ -212,6 +215,9 @@ pam_sm_open_session (pam_handle_t *pamh,
+ 
+ command = CMD_NONE;
+ open_only = 0;
++#ifdef HAVE_STRUCT_AUDIT_TTY_STATUS_LOG_PASSWD
++ log_passwd = 0;
++#endif /* HAVE_STRUCT_AUDIT_TTY_STATUS_LOG_PASSWD */
+ for (i = 0; i < argc; i++)
+ {
+ if (strncmp (argv[i], "enable=", 7) == 0
+@@ -237,6 +243,14 @@ pam_sm_open_session (pam_handle_t *pamh,
+ }
+ else if (strcmp (argv[i], "open_only") == 0)
+ open_only = 1;
++ else if (strcmp (argv[i], "log_passwd") == 0)
++#ifdef HAVE_STRUCT_AUDIT_TTY_STATUS_LOG_PASSWD
++ log_passwd = 1;
++#else /* HAVE_STRUCT_AUDIT_TTY_STATUS_LOG_PASSWD */
++ pam_syslog (pamh, LOG_WARNING,
++ "The log_passwd option was not available at compile time.");
++#warning "pam_tty_audit: The log_passwd option is not available. Please upgrade your headers/kernel."
++#endif /* HAVE_STRUCT_AUDIT_TTY_STATUS_LOG_PASSWD */
+ else
+ {
+ pam_syslog (pamh, LOG_ERR, "unknown option `%s'", argv[i]);
+@@ -262,7 +276,14 @@ pam_sm_open_session (pam_handle_t *pamh,
+ }
+ 
+ new_status.enabled = (command == CMD_ENABLE ? 1 : 0);
+- if (old_status->enabled == new_status.enabled)
++#ifdef HAVE_STRUCT_AUDIT_TTY_STATUS_LOG_PASSWD
++ new_status.log_passwd = log_passwd;
++#endif /* HAVE_STRUCT_AUDIT_TTY_STATUS_LOG_PASSWD */
++ if (old_status->enabled == new_status.enabled
++#ifdef HAVE_STRUCT_AUDIT_TTY_STATUS_LOG_PASSWD
++ && old_status->log_passwd == new_status.log_passwd
++#endif /* HAVE_STRUCT_AUDIT_TTY_STATUS_LOG_PASSWD */
++ )
+ {
+ open_only = 1; /* to clean up old_status */
+ goto ok_fd;
diff --git a/pam-1.1.6-use-links.patch b/pam-1.1.6-use-links.patch
new file mode 100644
index 0000000..2c56c6f
--- /dev/null
+++ b/pam-1.1.6-use-links.patch
@@ -0,0 +1,15 @@
+diff -up Linux-PAM-1.1.6/configure.in.links Linux-PAM-1.1.6/configure.in
+--- Linux-PAM-1.1.6/configure.in.links 2013-04-24 13:13:36.000000000 +0200
++++ Linux-PAM-1.1.6/configure.in 2013-08-07 14:08:03.818055990 +0200
+@@ -548,9 +548,9 @@ JH_CHECK_XML_CATALOG([-//OASIS//DTD DocB
+ JH_CHECK_XML_CATALOG([http://docbook.sourceforge.net/release/xsl/current/manpages/docbook.xsl],
+ [DocBook XSL Stylesheets], [], enable_docu=no)
+ 
+-AC_PATH_PROG([BROWSER], [w3m])
++AC_PATH_PROG([BROWSER], [links])
+ if test ! -z "$BROWSER"; then
+- BROWSER="$BROWSER -T text/html -dump"
++ BROWSER="$BROWSER -no-numbering -no-references -dump"
+ else
+ enable_docu=no
+ fi
diff --git a/pam.spec b/pam.spec
index c2903d1..441dd1a 100644
--- a/pam.spec
+++ b/pam.spec
@@ -3,7 +3,7 @@
 Summary: An extensible library which provides authentication for applications
 Name: pam
 Version: 1.1.6
-Release: 13%{?dist}
+Release: 14%{?dist}
 # The library is BSD licensed with option to relicense as GPLv2+
 # - this option is redundant as the BSD license allows that anyway.
 # pam_timestamp, pam_loginuid, and pam_console modules are GPLv2+.
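Review bot: The man-page paragraph added for `log_passwd` describes the tty mode but not what the option means for the audit trail: once it is set, every password typed at an audited tty is recorded in the audit log in cleartext, so the text should say so and note that read access to the audit log then needs to be as restricted as the password hashes themselves. The sentence `By default, passwords are not logged.` also deserves a clause saying that the module now actively clears the flag when the option is absent, since the new `old_status->log_passwd == new_status.log_passwd` comparison presumably causes the status to be re-sent when an earlier session left it set (the send itself is outside the hunk). In pam_tty_audit.c the `#warning` sits inside the `else if` branch of the option loop; as a preprocessor directive it fires once per compile regardless of control flow, so it reads better at file scope next to the audit includes, leaving only the runtime `pam_syslog (pamh, LOG_WARNING, ...)` in the branch. The five `#ifdef HAVE_STRUCT_AUDIT_TTY_STATUS_LOG_PASSWD` blocks spread through pam_sm_open_session could shrink to one if `log_passwd` were declared unconditionally and the member accesses wrapped in two tiny static helpers, but that is style. pam_sm_open_session starts before the first hunk and continues past the last.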
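Review bot: `AC_PATH_PROG([BROWSER], [links])` looks for an executable named `links`, while the spec's new `BuildRequires: linuxdoc-tools, elinks, libxslt` installs elinks; if that package does not put a `links` name on PATH, configure silently sets `enable_docu=no` and the txt documentation drops out of the build instead of failing it. Checking for both names, `AC_PATH_PROGS([BROWSER], [links elinks])`, or making the spec fail when `$BROWSER` is empty would turn that into a visible error. Whether the elinks package provides a `links` alias is not visible from this patch.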
@@ -60,6 +60,9 @@ Patch27: pam-1.1.6-strict-aliasing.patch
 Patch28: pam-1.1.6-selinux-manualctx.patch
 Patch29: pam-1.1.6-pwhistory-helper.patch
 Patch30: pam-1.1.6-rootok-audit.patch
+Patch31: pam-1.1.6-use-links.patch
+Patch32: pam-1.1.6-sepermit-user.patch
+Patch33: pam-1.1.6-tty-audit-echo.patch
 
 %define _pamlibdir %{_libdir}
 %define _moduledir %{_libdir}/security
@@ -91,8 +94,9 @@ Requires: libselinux >= 1.33.2
 %endif
 Requires: glibc >= 2.3.90-37
 BuildRequires: libdb-devel
+BuildRequires: systemd-devel
 # Following deps are necessary only to build the pam library documentation.
-BuildRequires: linuxdoc-tools, w3m, libxslt
+BuildRequires: linuxdoc-tools, elinks, libxslt
 BuildRequires: docbook-style-xsl, docbook-dtds
 URL: http://www.linux-pam.org/
@@ -145,6 +149,9 @@ mv pam-redhat-%{pam_redhat_version}/* modules
 %patch28 -p1 -b .manualctx
 %patch29 -p1 -b .pwhhelper
 %patch30 -p1 -b .audit
+%patch31 -p1 -b .links
+%patch32 -p1 -b .sepermit-user
+%patch33 -p1 -b .tty-audit-echo
 
 %build
 
@@ -393,6 +400,11 @@ fi
 %doc doc/adg/*.txt doc/adg/html
 
 %changelog
+* Wed Aug 7 2013 Tomáš Mráz 1.1.6-14
+- use links instead of w3m to create txt documentation
+- recognize login session in pam_sepermit to prevent gdm from locking (#969174)
+- add support for disabling password logging in pam_tty_audit
+
 * Sat Aug 03 2013 Fedora Release Engineering - 1.1.6-13
 - Rebuilt for https://fedoraproject.org/wiki/Fedora_20_Mass_Rebuild
 