use links instead of w3m to create txt documentation

- recognize login session in pam_sepermit to prevent gdm from locking (#969174)
- add support for disabling password logging in pam_tty_audit
This commit is contained in:
Tomas Mraz 2013-08-07 18:24:04 +02:00
parent aeefedee72
commit c8a6aadf10
4 changed files with 187 additions and 2 deletions

View File

@ -0,0 +1,58 @@
diff -up Linux-PAM-1.1.6/modules/pam_sepermit/Makefile.am.sepermit Linux-PAM-1.1.6/modules/pam_sepermit/Makefile.am
--- Linux-PAM-1.1.6/modules/pam_sepermit/Makefile.am.sepermit 2013-07-24 12:55:08.822987098 -0400
+++ Linux-PAM-1.1.6/modules/pam_sepermit/Makefile.am 2013-07-24 12:55:11.653004214 -0400
@@ -24,7 +24,7 @@ AM_CFLAGS = -I$(top_srcdir)/libpam/inclu
-D SEPERMIT_CONF_FILE=\"$(SCONFIGDIR)/sepermit.conf\" \
-D SEPERMIT_LOCKDIR=\"$(sepermitlockdir)\"
-pam_sepermit_la_LIBADD = $(top_builddir)/libpam/libpam.la @LIBSELINUX@
+pam_sepermit_la_LIBADD = $(top_builddir)/libpam/libpam.la @LIBSELINUX@ -lsystemd-login
pam_sepermit_la_LDFLAGS = -no-undefined -avoid-version -module
if HAVE_VERSIONING
pam_sepermit_la_LDFLAGS += -Wl,--version-script=$(srcdir)/../modules.map
diff -up Linux-PAM-1.1.6/modules/pam_sepermit/pam_sepermit.c.sepermit Linux-PAM-1.1.6/modules/pam_sepermit/pam_sepermit.c
--- Linux-PAM-1.1.6/modules/pam_sepermit/pam_sepermit.c.sepermit 2012-08-15 07:08:43.000000000 -0400
+++ Linux-PAM-1.1.6/modules/pam_sepermit/pam_sepermit.c 2013-07-24 13:17:24.088061506 -0400
@@ -65,6 +65,7 @@
#include <security/pam_ext.h>
#include <selinux/selinux.h>
+#include <systemd/sd-login.h>
#define MODULE "pam_sepermit"
#define OPT_DELIM ":"
@@ -187,6 +188,25 @@ sepermit_unlock(pam_handle_t *pamh, void
}
static int
+check_user_session(pam_handle_t *pamh) {
+ char *session = NULL;
+ char *class = NULL;
+ int rc;
+
+ if (sd_pid_get_session(0, &session))
+ return -1;
+ rc = sd_session_get_class(session, &class);
+ pam_syslog(pamh, LOG_ERR, "Session %s", session);
+ if (rc == 0) {
+ rc = strcmp(class, "user");
+ pam_syslog(pamh, LOG_ERR, "Class %s", class);
+ }
+ free(session);
+ free(class);
+ return rc;
+}
+
+static int
sepermit_lock(pam_handle_t *pamh, const char *user, int debug)
{
char buf[PATH_MAX];
@@ -319,7 +339,7 @@ sepermit_match(pam_handle_t *pamh, const
if (*sense == PAM_SUCCESS) {
if (ignore)
*sense = PAM_IGNORE;
- if (geteuid() == 0 && exclusive)
+ if (geteuid() == 0 && exclusive && check_user_session(pamh) != 0)
if (sepermit_lock(pamh, user, debug) < 0)
*sense = PAM_AUTH_ERR;
}

View File

@ -0,0 +1,100 @@
diff -up Linux-PAM-1.1.6/configure.in.tty-audit-echo Linux-PAM-1.1.6/configure.in
--- Linux-PAM-1.1.6/configure.in.tty-audit-echo 2013-08-07 15:41:08.245745447 +0200
+++ Linux-PAM-1.1.6/configure.in 2013-08-07 18:13:04.358958936 +0200
@@ -386,6 +386,10 @@ if test x"$WITH_LIBAUDIT" != xno ; then
fi
if test ! -z "$HAVE_AUDIT_TTY_STATUS" ; then
AC_DEFINE([HAVE_AUDIT_TTY_STATUS], 1, [Define to 1 if struct audit_tty_status exists.])
+
+ AC_CHECK_MEMBERS([struct audit_tty_status.log_passwd], [],
+ AC_MSG_WARN([audit_tty_status.log_passwd is not available. The log_passwd option is disabled.]),
+ [[#include <libaudit.h>]])
fi
else
LIBAUDIT=""
diff -up Linux-PAM-1.1.6/modules/pam_tty_audit/pam_tty_audit.8.xml.tty-audit-echo Linux-PAM-1.1.6/modules/pam_tty_audit/pam_tty_audit.8.xml
--- Linux-PAM-1.1.6/modules/pam_tty_audit/pam_tty_audit.8.xml.tty-audit-echo 2012-08-15 13:08:43.000000000 +0200
+++ Linux-PAM-1.1.6/modules/pam_tty_audit/pam_tty_audit.8.xml 2013-08-07 18:08:55.310028229 +0200
@@ -77,6 +77,19 @@
</para>
</listitem>
</varlistentry>
+ <varlistentry>
+ <term>
+ <option>log_passwd</option>
+ </term>
+ <listitem>
+ <para>
+ Log keystrokes when ECHO mode is off but ICANON mode is active.
+ This is the mode in which the tty is placed during password entry.
+ By default, passwords are not logged. This option may not be
+ available on older kernels (3.9?).
+ </para>
+ </listitem>
+ </varlistentry>
</variablelist>
</refsect1>
@@ -161,6 +174,8 @@ session required pam_tty_audit.so disabl
<para>
pam_tty_audit was written by Miloslav Trma&ccaron;
&lt;mitr@redhat.com&gt;.
+ The log_passwd option was added by Richard Guy Briggs
+ &lt;rgb@redhat.com&gt;.
</para>
</refsect1>
diff -up Linux-PAM-1.1.6/modules/pam_tty_audit/pam_tty_audit.c.tty-audit-echo Linux-PAM-1.1.6/modules/pam_tty_audit/pam_tty_audit.c
--- Linux-PAM-1.1.6/modules/pam_tty_audit/pam_tty_audit.c.tty-audit-echo 2012-08-15 13:08:43.000000000 +0200
+++ Linux-PAM-1.1.6/modules/pam_tty_audit/pam_tty_audit.c 2013-08-07 18:09:29.428694493 +0200
@@ -201,6 +201,9 @@ pam_sm_open_session (pam_handle_t *pamh,
struct audit_tty_status *old_status, new_status;
const char *user;
int i, fd, open_only;
+#ifdef HAVE_STRUCT_AUDIT_TTY_STATUS_LOG_PASSWD
+ int log_passwd;
+#endif /* HAVE_STRUCT_AUDIT_TTY_STATUS_LOG_PASSWD */
(void)flags;
@@ -212,6 +215,9 @@ pam_sm_open_session (pam_handle_t *pamh,
command = CMD_NONE;
open_only = 0;
+#ifdef HAVE_STRUCT_AUDIT_TTY_STATUS_LOG_PASSWD
+ log_passwd = 0;
+#endif /* HAVE_STRUCT_AUDIT_TTY_STATUS_LOG_PASSWD */
for (i = 0; i < argc; i++)
{
if (strncmp (argv[i], "enable=", 7) == 0
@@ -237,6 +243,14 @@ pam_sm_open_session (pam_handle_t *pamh,
}
else if (strcmp (argv[i], "open_only") == 0)
open_only = 1;
+ else if (strcmp (argv[i], "log_passwd") == 0)
+#ifdef HAVE_STRUCT_AUDIT_TTY_STATUS_LOG_PASSWD
+ log_passwd = 1;
+#else /* HAVE_STRUCT_AUDIT_TTY_STATUS_LOG_PASSWD */
+ pam_syslog (pamh, LOG_WARNING,
+ "The log_passwd option was not available at compile time.");
+#warning "pam_tty_audit: The log_passwd option is not available. Please upgrade your headers/kernel."
+#endif /* HAVE_STRUCT_AUDIT_TTY_STATUS_LOG_PASSWD */
else
{
pam_syslog (pamh, LOG_ERR, "unknown option `%s'", argv[i]);
@@ -262,7 +276,14 @@ pam_sm_open_session (pam_handle_t *pamh,
}
new_status.enabled = (command == CMD_ENABLE ? 1 : 0);
- if (old_status->enabled == new_status.enabled)
+#ifdef HAVE_STRUCT_AUDIT_TTY_STATUS_LOG_PASSWD
+ new_status.log_passwd = log_passwd;
+#endif /* HAVE_STRUCT_AUDIT_TTY_STATUS_LOG_PASSWD */
+ if (old_status->enabled == new_status.enabled
+#ifdef HAVE_STRUCT_AUDIT_TTY_STATUS_LOG_PASSWD
+ && old_status->log_passwd == new_status.log_passwd
+#endif /* HAVE_STRUCT_AUDIT_TTY_STATUS_LOG_PASSWD */
+ )
{
open_only = 1; /* to clean up old_status */
goto ok_fd;

15
pam-1.1.6-use-links.patch Normal file
View File

@ -0,0 +1,15 @@
diff -up Linux-PAM-1.1.6/configure.in.links Linux-PAM-1.1.6/configure.in
--- Linux-PAM-1.1.6/configure.in.links 2013-04-24 13:13:36.000000000 +0200
+++ Linux-PAM-1.1.6/configure.in 2013-08-07 14:08:03.818055990 +0200
@@ -548,9 +548,9 @@ JH_CHECK_XML_CATALOG([-//OASIS//DTD DocB
JH_CHECK_XML_CATALOG([http://docbook.sourceforge.net/release/xsl/current/manpages/docbook.xsl],
[DocBook XSL Stylesheets], [], enable_docu=no)
-AC_PATH_PROG([BROWSER], [w3m])
+AC_PATH_PROG([BROWSER], [links])
if test ! -z "$BROWSER"; then
- BROWSER="$BROWSER -T text/html -dump"
+ BROWSER="$BROWSER -no-numbering -no-references -dump"
else
enable_docu=no
fi

View File

@ -3,7 +3,7 @@
Summary: An extensible library which provides authentication for applications Summary: An extensible library which provides authentication for applications
Name: pam Name: pam
Version: 1.1.6 Version: 1.1.6
Release: 13%{?dist} Release: 14%{?dist}
# The library is BSD licensed with option to relicense as GPLv2+ # The library is BSD licensed with option to relicense as GPLv2+
# - this option is redundant as the BSD license allows that anyway. # - this option is redundant as the BSD license allows that anyway.
# pam_timestamp, pam_loginuid, and pam_console modules are GPLv2+. # pam_timestamp, pam_loginuid, and pam_console modules are GPLv2+.
@ -60,6 +60,9 @@ Patch27: pam-1.1.6-strict-aliasing.patch
Patch28: pam-1.1.6-selinux-manualctx.patch Patch28: pam-1.1.6-selinux-manualctx.patch
Patch29: pam-1.1.6-pwhistory-helper.patch Patch29: pam-1.1.6-pwhistory-helper.patch
Patch30: pam-1.1.6-rootok-audit.patch Patch30: pam-1.1.6-rootok-audit.patch
Patch31: pam-1.1.6-use-links.patch
Patch32: pam-1.1.6-sepermit-user.patch
Patch33: pam-1.1.6-tty-audit-echo.patch
%define _pamlibdir %{_libdir} %define _pamlibdir %{_libdir}
%define _moduledir %{_libdir}/security %define _moduledir %{_libdir}/security
@ -91,8 +94,9 @@ Requires: libselinux >= 1.33.2
%endif %endif
Requires: glibc >= 2.3.90-37 Requires: glibc >= 2.3.90-37
BuildRequires: libdb-devel BuildRequires: libdb-devel
BuildRequires: systemd-devel
# Following deps are necessary only to build the pam library documentation. # Following deps are necessary only to build the pam library documentation.
BuildRequires: linuxdoc-tools, w3m, libxslt BuildRequires: linuxdoc-tools, elinks, libxslt
BuildRequires: docbook-style-xsl, docbook-dtds BuildRequires: docbook-style-xsl, docbook-dtds
URL: http://www.linux-pam.org/ URL: http://www.linux-pam.org/
@ -145,6 +149,9 @@ mv pam-redhat-%{pam_redhat_version}/* modules
%patch28 -p1 -b .manualctx %patch28 -p1 -b .manualctx
%patch29 -p1 -b .pwhhelper %patch29 -p1 -b .pwhhelper
%patch30 -p1 -b .audit %patch30 -p1 -b .audit
%patch31 -p1 -b .links
%patch32 -p1 -b .sepermit-user
%patch33 -p1 -b .tty-audit-echo
%build %build
@ -393,6 +400,11 @@ fi
%doc doc/adg/*.txt doc/adg/html %doc doc/adg/*.txt doc/adg/html
%changelog %changelog
* Wed Aug 7 2013 Tomáš Mráz <tmraz@redhat.com> 1.1.6-14
- use links instead of w3m to create txt documentation
- recognize login session in pam_sepermit to prevent gdm from locking (#969174)
- add support for disabling password logging in pam_tty_audit
* Sat Aug 03 2013 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 1.1.6-13 * Sat Aug 03 2013 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 1.1.6-13
- Rebuilt for https://fedoraproject.org/wiki/Fedora_20_Mass_Rebuild - Rebuilt for https://fedoraproject.org/wiki/Fedora_20_Mass_Rebuild