- Use %%{?_smp_mflags}
- Use the four-parameter version of %%defattr - Be more paranoid about dropping privileges - Set PAM_TTY
parent
2cb6804215
commit
f19b5b86a1
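--- /dev/null
+++ b/usermode-1.102-PAM_TTY.patch
@@ -0,0 +1,100 @@
+# HG changeset patch
+# User Miloslav Trmač <mitr@redhat.com>
+# Date 1265372688 -3600
+# Node ID 9a7b1e69d0a8213092caf45beb52c07a8d334ea3
+# Parent 8a897830e2d8745a72eb4236f02a981cfdc95528
+Set PAM_TTY if known.
+
+2010-02-05 Miloslav Trmač <mitr@redhat.com>
+
+	* userhelper.c (set_pam_items): New function.
+	(passwd, chfn, wrap): Use pam_set_items.
+
+diff -r 8a897830e2d8 -r 9a7b1e69d0a8 ChangeLog
+--- a/ChangeLog	Thu Feb 04 23:00:17 2010 +0100
++++ b/ChangeLog	Fri Feb 05 13:24:48 2010 +0100
+@@ -1,3 +1,8 @@
++2010-02-05 Miloslav Trmač <mitr@redhat.com>
++
++	* userhelper.c (set_pam_items): New function.
++	(passwd, chfn, wrap): Use pam_set_items.
++
+ 2010-02-04 Miloslav Trmač <mitr@redhat.com>
+ 
+ 	* userhelper.c (become_super): Check for failures of the system
+diff -r 8a897830e2d8 -r 9a7b1e69d0a8 userhelper.c
+--- a/userhelper.c	Thu Feb 04 23:00:17 2010 +0100
++++ b/userhelper.c	Fri Feb 05 13:24:48 2010 +0100
+@@ -1102,6 +1102,31 @@
+ 	return NULL;
+ }
+ 
++/* Set various attributes of DATA, including the requesting user USER. */
++static void
++set_pam_items(struct app_data *data, const char *user)
++{
++	int retval;
++	char *tty;
++
++	retval = pam_set_item(data->pamh, PAM_RUSER, user);
++	if (retval != PAM_SUCCESS) {
++		debug_msg("userhelper: pam_set_item(PAM_RUSER) failed\n");
++		fail_exit(data, retval);
++	}
++
++	tty = ttyname(STDIN_FILENO);
++	if (tty != NULL) {
++		if (strncmp(tty, "/dev/", 5) == 0)
++			tty += 5;
++		retval = pam_set_item(data->pamh, PAM_TTY, tty);
++		if (retval != PAM_SUCCESS) {
++			debug_msg("userhelper: pam_set_item(PAM_TTY) failed\n");
++			fail_exit(data, retval);
++		}
++	}
++}
++
+ /* Change the user's password using the indicated conversation function and
+  * application data (which includes the ability to cancel if the user requests
+  * it. For this task, we don't retry on failure. */
+@@ -1118,11 +1143,7 @@
+ 		fail_exit(conv->appdata_ptr, retval);
+ 	}
+ 
+-	retval = pam_set_item(data->pamh, PAM_RUSER, user);
+-	if (retval != PAM_SUCCESS) {
+-		debug_msg("userhelper: pam_set_item(PAM_RUSER) failed\n");
+-		fail_exit(conv->appdata_ptr, retval);
+-	}
++	set_pam_items(data, user);
+ 
+ 	debug_msg("userhelper: changing password for \"%s\"\n", user);
+ 	retval = pam_chauthtok(data->pamh, 0);
+@@ -1195,12 +1216,7 @@
+ 		fail_exit(conv->appdata_ptr, retval);
+ 	}
+ 
+-	/* Set the requesting user. */
+-	retval = pam_set_item(data->pamh, PAM_RUSER, user);
+-	if (retval != PAM_SUCCESS) {
+-		debug_msg("userhelper: pam_set_item(PAM_RUSER) failed\n");
+-		fail_exit(conv->appdata_ptr, retval);
+-	}
++	set_pam_items(data, user);
+ 
+ 	/* Try to authenticate the user. */
+ 	do {
+@@ -1742,12 +1758,7 @@
+ 		fail_exit(conv->appdata_ptr, retval);
+ 	}
+ 
+-	/* Set the requesting user. */
+-	retval = pam_set_item(data->pamh, PAM_RUSER, user);
+-	if (retval != PAM_SUCCESS) {
+-		debug_msg("userhelper: pam_set_item(PAM_RUSER) failed\n");
+-		fail_exit(conv->appdata_ptr, retval);
+-	}
++	set_pam_items(data, user);
+ 
+ 	/* Try to authenticate the user. */
+ 	do {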
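Review bot: The header comment on `set_pam_items` in the `@@ -1102,6 +1102,31 @@` hunk of the embedded userhelper.c diff says only "set various attributes", and the `tty += 5` line gives no reason for dropping the `/dev/` prefix; suggest `/* Set PAM_RUSER to USER and, if stdin is a terminal, PAM_TTY to its name without the "/dev/" prefix; either failure is fatal via fail_exit(). */` as the header and a why-comment on the strip such as `/* PAM modules compare tty names in the short form (tty1, pts/0), not the device path. */` — that is presumably the motivation, please confirm. Because userhelper is installed setuid (`%attr(4711,root,root)` in the spec on this page), stdin is whatever the invoking process handed over, so PAM_TTY reflects a terminal the caller could open rather than anything userhelper verified; a sentence saying that PAM_TTY is caller-supplied, informational input would help anyone writing access rules keyed on it. The literal `5` would be clearer as `strlen("/dev/")` so the length cannot drift from the string.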
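--- /dev/null
+++ b/usermode-1.102-paranoia.patch
@@ -0,0 +1,94 @@
+# HG changeset patch
+# User Miloslav Trmač <mitr@redhat.com>
+# Date 1265320817 -3600
+# Node ID 8a897830e2d8745a72eb4236f02a981cfdc95528
+# Parent 0dcd3edc6d56d65d8f02b31a9c807b1c152232c5
+Be more paranoid about manipulating user/group IDs.
+
+2010-02-04 Miloslav Trmač <mitr@redhat.com>
+
+	* userhelper.c (become_super): Check for failures of the system
+	calls in addition to verifying the expected results.
+	(become_normal): Check for failures of the system
+	calls in addition to verifying the expected results. Call setregid()
+	as well. Verify the real gid/uid values.
+
+diff -r 0dcd3edc6d56 -r 8a897830e2d8 ChangeLog
+--- a/ChangeLog	Sun Dec 06 17:02:50 2009 +0000
++++ b/ChangeLog	Thu Feb 04 23:00:17 2010 +0100
+@@ -1,3 +1,11 @@
++2010-02-04 Miloslav Trmač <mitr@redhat.com>
++
++	* userhelper.c (become_super): Check for failures of the system
++	calls in addition to verifying the expected results.
++	(become_normal): Check for failures of the system
++	calls in addition to verifying the expected results. Call setregid()
++	as well. Verify the real gid/uid values.
++
+ 2009-10-05 Miloslav Trmač <mitr@redhat.com>
+ 
+ 	* configure.ac: Release 1.102.
+diff -r 0dcd3edc6d56 -r 8a897830e2d8 userhelper.c
+--- a/userhelper.c	Sun Dec 06 17:02:50 2009 +0000
++++ b/userhelper.c	Thu Feb 04 23:00:17 2010 +0100
+@@ -985,17 +985,20 @@
+ static void
+ become_super(void)
+ {
+-	/* Become the superuser. */
+-	setgroups(0, NULL);
+-	setregid(0, 0);
+-	setreuid(0, 0);
+-	/* Yes, setuid() and friends can fail, even for superusers. */
++	/* Become the superuser.
++	   Yes, setuid() and friends can fail, even for superusers. */
++	if (setgroups(0, NULL) != 0 ||
++	    setregid(0, 0) != 0 ||
++	    setreuid(0, 0) != 0) {
++		debug_msg("userhelper: set*id() failure: %s\n",
++			  strerror(errno));
++		exit(ERR_EXEC_FAILED);
++	}
+ 	if ((geteuid() != 0) ||
+ 	    (getuid() != 0) ||
+ 	    (getegid() != 0) ||
+ 	    (getgid() != 0)) {
+-		debug_msg("userhelper: set*id() failure: %s\n",
+-			  strerror(errno));
++		debug_msg("userhelper: set*id() didn't work\n");
+ 		exit(ERR_EXEC_FAILED);
+ 	}
+ }
+@@ -1003,17 +1006,26 @@
+ static void
+ become_normal(const char *user)
+ {
+-	/* Join the groups of the user who invoked us. */
+-	initgroups(user, getgid());
++	gid_t gid;
++	uid_t uid;
++
++	gid = getgid();
++	uid = getuid();
++	/* Become the user who invoked us. */
++	if (initgroups(user, gid) != 0 ||
++	    setregid(gid, gid) != 0 ||
++	    setreuid(uid, uid) != 0) {
++		debug_msg("userhelper: set*id() failure: %s\n",
++			  strerror(errno));
++		exit(ERR_EXEC_FAILED);
++	}
+ 	/* Verify that we're back to normal. */
+-	if (getegid() != getgid()) {
++	if (getegid() != gid || getgid() != gid) {
+ 		debug_msg("userhelper: still setgid()\n");
+ 		exit(ERR_EXEC_FAILED);
+ 	}
+-	/* Become the user who invoked us. */
+-	setreuid(getuid(), getuid());
+ 	/* Yes, setuid() can fail. */
+-	if (geteuid() != getuid()) {
++	if (geteuid() != uid || getuid() != uid) {
+ 		debug_msg("userhelper: still setuid()\n");
+ 		exit(ERR_EXEC_FAILED);
+ 	}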
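Review bot: In the `@@ -1003,17 +1006,26 @@` hunk of the embedded userhelper.c diff, `become_normal` verifies only the real and effective IDs after `setregid(gid, gid)` / `setreuid(uid, uid)`; whether those calls also replace the saved set-user-ID and set-group-ID depends on the kernel's setre*id rules, and the saved ID is exactly what decides whether root can be regained later, so the "back to normal" checks on the `if (getegid() != gid || getgid() != gid)` and `if (geteuid() != uid || getuid() != uid)` lines do not cover the case that matters most. Where the target platform provides them, `setresgid(gid, gid, gid)` / `setresuid(uid, uid, uid)` make the intent explicit, and the verification should read back all three IDs with `getresgid()` / `getresuid()`; the rewrite below shows the gid half, with `rgid`, `egid`, `sgid` declared next to `gid`, and the uid half mirrors it. A comment that `initgroups()` and `setgroups()` must come before the `setregid()`/`setreuid()` calls because they need the effective root ID would also protect the ordering from a well-meant reshuffle. `become_normal` continues past the end of the hunk.
```c
	/* Become the user who invoked us.  setres*id() also replaces the
	   saved IDs, so a later exec cannot pick root back up. */
	if (initgroups(user, gid) != 0 ||
	    setresgid(gid, gid, gid) != 0 ||
	    setresuid(uid, uid, uid) != 0) {
		debug_msg("userhelper: set*id() failure: %s\n",
			  strerror(errno));
		exit(ERR_EXEC_FAILED);
	}
	/* Verify that we're back to normal, saved IDs included. */
	if (getresgid(&rgid, &egid, &sgid) != 0 ||
	    rgid != gid || egid != gid || sgid != gid) {
		debug_msg("userhelper: still setgid()\n");
		exit(ERR_EXEC_FAILED);
	}
	/* … unchanged: the uid check, done the same way with getresuid() … */
```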
@ -1,11 +1,15 @@
Summary: Tools for certain user account management tasks
Summary: Tools for certain user account management tasks
Name: usermode
Name: usermode
Version: 1.102
Version: 1.102
Release: 1%{?dist}
Release: 2%{?dist}
License: GPLv2+
License: GPLv2+
Group: Applications/System
Group: Applications/System
URL: https://fedorahosted.org/usermode/
URL: https://fedorahosted.org/usermode/
Source: https://fedorahosted.org/releases/u/s/usermode/usermode-%{version}.tar.bz2
Source: https://fedorahosted.org/releases/u/s/usermode/usermode-%{version}.tar.bz2
# Committed upstream
Patch0: usermode-1.102-paranoia.patch
# Committed upstream
Patch1: usermode-1.102-PAM_TTY.patch
Requires: pam, passwd, util-linux
Requires: pam, passwd, util-linux
BuildRequires: desktop-file-utils, gettext, glib2-devel, gtk2-devel, intltool
BuildRequires: desktop-file-utils, gettext, glib2-devel, gtk2-devel, intltool
BuildRequires: libblkid-devel, libSM-devel, libselinux-devel, libuser-devel
BuildRequires: libblkid-devel, libSM-devel, libselinux-devel, libuser-devel
@ -35,11 +39,13 @@ graphical tools for certain account management tasks.
%prep
%prep
%setup -q
%setup -q
%patch0 -p1 -b .paranoia
%patch1 -p1 -b .PAM_TTY
%build
%build
%configure --with-selinux
%configure --with-selinux
make
make %{?_smp_mflags}
%install
%install
rm -rf $RPM_BUILD_ROOT
rm -rf $RPM_BUILD_ROOT
@ -74,7 +80,7 @@ done
rm -rf $RPM_BUILD_ROOT
rm -rf $RPM_BUILD_ROOT
%files -f %{name}.lang
%files -f %{name}.lang
%defattr(-,root,root)
%defattr(-,root,root,-)
%doc COPYING ChangeLog NEWS README
%doc COPYING ChangeLog NEWS README
%attr(4711,root,root) /usr/sbin/userhelper
%attr(4711,root,root) /usr/sbin/userhelper
%{_bindir}/consolehelper
%{_bindir}/consolehelper
@ -94,7 +100,7 @@ rm -rf $RPM_BUILD_ROOT
%config(noreplace) /etc/security/console.apps/poweroff
%config(noreplace) /etc/security/console.apps/poweroff
%files gtk
%files gtk
%defattr(-,root,root)
%defattr(-,root,root,-)
%{_bindir}/usermount
%{_bindir}/usermount
%{_mandir}/man1/usermount.1*
%{_mandir}/man1/usermount.1*
%{_bindir}/userformat
%{_bindir}/userformat
@ -112,6 +118,12 @@ rm -rf $RPM_BUILD_ROOT
%{_datadir}/applications/*
%{_datadir}/applications/*
%changelog
%changelog
* Fri Feb 5 2010 Miloslav Trmač <mitr@redhat.com> - 1.102-2
- Use %%{?_smp_mflags}
- Use the four-parameter version of %%defattr
- Be more paranoid about dropping privileges
- Set PAM_TTY
* Mon Oct 5 2009 Miloslav Trmač <mitr@redhat.com> - 1.102-1
* Mon Oct 5 2009 Miloslav Trmač <mitr@redhat.com> - 1.102-1
- Update to usermode-1.102
- Update to usermode-1.102