- Fixed pam patch from Steve Grubb (bug #154946).

This commit is contained in:
Tim Waugh 2005-04-15 16:46:39 +00:00
parent eea395d90c
commit e87740cc63
2 changed files with 82 additions and 54 deletions


@ -1,5 +1,5 @@
--- coreutils-5.2.0/src/Makefile.am.pam 2004-02-23 17:40:54.000000000 +0000
+++ coreutils-5.2.0/src/Makefile.am 2004-02-23 17:40:54.000000000 +0000
--- coreutils-5.2.1/src/Makefile.am.pam 2005-04-15 17:03:44.000000000 +0100
+++ coreutils-5.2.1/src/Makefile.am 2005-04-15 17:03:44.000000000 +0100
@@ -66,7 +66,7 @@
uptime_LDADD = $(LDADD) $(GETLOADAVG_LIBS)
@ -9,8 +9,8 @@
$(PROGRAMS): ../lib/libfetish.a
--- coreutils-5.2.0/src/su.c 2004-02-23 17:40:54.000000000 +0000
+++ coreutils-5.2.1/src/su.c 2004-12-06 15:47:07.082619911 +0000
--- coreutils-5.2.1/src/su.c.pam 2005-04-15 17:03:44.000000000 +0100
+++ coreutils-5.2.1/src/su.c 2005-04-15 17:04:52.000000000 +0100
@@ -38,6 +38,16 @@
restricts who can su to UID 0 accounts. RMS considers that to
be fascist.
@ -28,7 +28,7 @@
Options:
-, -l, --login Make the subshell a login shell.
Unset all environment variables except
@@ -81,6 +91,14 @@
@@ -81,6 +91,15 @@
prototype (returning `int') in <unistd.h>. */
#define getusershell _getusershell_sys_proto_
@ -36,6 +36,7 @@
+# include <signal.h>
+# include <sys/wait.h>
+# include <sys/fsuid.h>
+# include <unistd.h>
+# include <security/pam_appl.h>
+# include <security/pam_misc.h>
+#endif /* USE_PAM */
@ -43,7 +44,7 @@
#include "system.h"
#include "dirname.h"
@@ -150,7 +168,9 @@
@@ -150,7 +169,9 @@
/* The user to become if none is specified. */
#define DEFAULT_USER "root"
@ -53,7 +54,7 @@
char *getpass ();
char *getusershell ();
void endusershell ();
@@ -158,8 +178,12 @@
@@ -158,8 +179,12 @@
extern char **environ;
@ -67,7 +68,7 @@
/* The name this program was run with. */
char *program_name;
@@ -271,7 +295,22 @@
@@ -271,7 +296,22 @@
}
#endif
@ -90,12 +91,13 @@
Return 1 if the user gives the correct password for entry PW,
0 if not. Return 1 without asking for a password if run by UID 0
or if PW has an empty password. */
@@ -279,6 +318,34 @@
@@ -279,6 +319,42 @@
static int
correct_password (const struct passwd *pw)
{
+#ifdef USE_PAM
+ struct passwd *caller;
+ char *tty_name, *ttyn;
+ retval = pam_start(PROGRAM_NAME, pw->pw_name, &conv, &pamh);
+ PAM_BAIL_P;
+
@ -110,6 +112,13 @@
+ PAM_BAIL_P;
+ }
+
+ ttyn = ttyname(0);
+ if (strncmp(ttyn, "/dev/", 5) == 0)
+ tty_name = ttyn+5;
+ else
+ tty_name = ttyn;
+ retval = pam_set_item(pamh, PAM_TTY, tty_name);
+ PAM_BAIL_P;
+ retval = pam_authenticate(pamh, 0);
+ PAM_BAIL_P;
+ retval = pam_acct_mgmt(pamh, 0);
@ -125,7 +134,7 @@
char *unencrypted, *encrypted, *correct;
#if HAVE_GETSPNAM && HAVE_STRUCT_SPWD_SP_PWDP
/* Shadow passwd stuff for SVR3 and maybe other systems. */
@@ -303,6 +370,7 @@
@@ -303,6 +379,7 @@
encrypted = crypt (unencrypted, correct);
memset (unencrypted, 0, strlen (unencrypted));
return strcmp (encrypted, correct) == 0;
@ -133,7 +142,7 @@
}
/* Update `environ' for the new shell based on PW, with SHELL being
@@ -312,16 +380,24 @@
@@ -312,16 +389,24 @@
modify_environment (const struct passwd *pw, const char *shell)
{
char *term;
@ -159,18 +168,22 @@
xputenv (concat ("HOME", "=", pw->pw_dir));
xputenv (concat ("SHELL", "=", shell));
xputenv (concat ("USER", "=", pw->pw_name));
@@ -358,22 +434,73 @@
@@ -354,8 +439,13 @@
{
#ifdef HAVE_INITGROUPS
errno = 0;
- if (initgroups (pw->pw_name, pw->pw_gid) == -1)
+ if (initgroups (pw->pw_name, pw->pw_gid) == -1) {
+#ifdef USE_PAM
+ pam_close_session(pamh, 0);
+ pam_end(pamh, PAM_ABORT);
+#endif
error (EXIT_FAIL, errno, _("cannot set groups"));
+ }
endgrent ();
#endif
+#ifdef USE_PAM
+ retval = pam_setcred(pamh, PAM_ESTABLISH_CRED);
+ if (retval != PAM_SUCCESS)
+ error (1, 0, pam_strerror(pamh, retval));
+#endif /* USE_PAM */
if (setgid (pw->pw_gid))
error (EXIT_FAIL, errno, _("cannot set group id"));
if (setuid (pw->pw_uid))
@@ -364,16 +454,69 @@
error (EXIT_FAIL, errno, _("cannot set user id"));
}
@ -226,6 +239,13 @@
+ if(pam_copyenv(pamh) != PAM_SUCCESS)
+ fprintf (stderr, "error copying PAM environment\n");
+
+ /* Credentials should be set in the parent */
+ if (pam_setcred(pamh, PAM_ESTABLISH_CRED) != PAM_SUCCESS) {
+ pam_close_session(pamh, 0);
+ fprintf(stderr, "could not set PAM credentials\n");
+ exit(1);
+ }
+
+ child = fork();
+ if (child == 0) { /* child shell */
+ change_identity (pw);
@ -234,7 +254,7 @@
if (additional_args)
args = xmalloc (sizeof (char *)
@@ -385,6 +512,9 @@
@@ -385,6 +528,9 @@
char *arg0;
char *shell_basename;
@ -244,13 +264,16 @@
shell_basename = base_name (shell);
arg0 = xmalloc (strlen (shell_basename) + 2);
arg0[0] = '-';
@@ -411,6 +541,61 @@
@@ -411,6 +557,66 @@
error (0, errno, "%s", shell);
exit (exit_status);
}
+#ifdef USE_PAM
+ } else if (child == -1) {
+ fprintf(stderr, "can not fork user shell: %s", strerror(errno));
+ pam_setcred(pamh, PAM_DELETE_CRED | PAM_SILENT);
+ pam_close_session(pamh, 0);
+ pam_end(pamh, PAM_ABORT);
+ exit(1);
+ }
+ /* parent only */
@ -291,6 +314,8 @@
+ fprintf(stderr, "\nSession terminated, killing shell...");
+ kill (child, SIGTERM);
+ }
+ /* Not checking retval on this because we need to call close session */
+ pam_setcred(pamh, PAM_DELETE_CRED | PAM_SILENT);
+ retval = pam_close_session(pamh, 0);
+ PAM_BAIL_P;
+ retval = pam_end(pamh, PAM_SUCCESS);
@ -306,7 +331,9 @@
}
/* Return 1 if SHELL is a restricted shell (one not returned by
@@ -588,7 +773,8 @@
@@ -586,9 +792,10 @@
}
modify_environment (pw, shell);
+
+#ifndef USE_PAM
@ -318,37 +345,9 @@
- run_shell (shell, command, additional_args);
+ run_shell (shell, command, additional_args, pw);
}
--- coreutils-5.2.0/configure.ac.pam 2004-02-23 17:40:54.000000000 +0000
+++ coreutils-5.2.0/configure.ac 2004-02-23 17:40:54.000000000 +0000
@@ -7,6 +7,13 @@
AM_INIT_AUTOMAKE([1.8 gnits dist-bzip2])
+dnl Give the chance to enable PAM
+AC_ARG_ENABLE(pam, dnl
+[ --enable-pam Enable use of the PAM libraries],
+[AC_DEFINE(USE_PAM, 1, [Define if you want to use PAM])
+LIB_PAM="-ldl -lpam -lpam_misc"
+AC_SUBST(LIB_PAM)])
+
gl_DEFAULT_POSIX2_VERSION
gl_USE_SYSTEM_EXTENSIONS
jm_PERL
--- coreutils-5.2.0/config.hin.pam 2004-02-23 17:40:54.000000000 +0000
+++ coreutils-5.2.0/config.hin 2004-02-23 17:40:54.000000000 +0000
@@ -1365,6 +1365,9 @@
/* Define if you want access control list support. */
#undef USE_ACL
+/* Define if you want to use PAM */
+#undef USE_PAM
+
/* Version number of package */
#undef VERSION
--- coreutils-5.2.1/doc/coreutils.texi.pam 2004-05-18 11:41:14.026354659 +0100
+++ coreutils-5.2.1/doc/coreutils.texi 2004-05-18 11:48:27.056915340 +0100
@@ -11855,8 +11855,11 @@
--- coreutils-5.2.1/doc/coreutils.texi.pam 2005-04-15 17:03:44.000000000 +0100
+++ coreutils-5.2.1/doc/coreutils.texi 2005-04-15 17:03:44.000000000 +0100
@@ -11850,8 +11850,11 @@
@findex syslog
@command{su} can optionally be compiled to use @code{syslog} to report
failed, and optionally successful, @command{su} attempts. (If the system
@ -362,7 +361,7 @@
The program accepts the following options. Also see @ref{Common options}.
@@ -11937,33 +11940,6 @@
@@ -11932,33 +11935,6 @@
the exit status of the subshell otherwise
@end display
@ -396,3 +395,31 @@
@node Process control
@chapter Process control
--- coreutils-5.2.1/configure.ac.pam 2005-04-15 17:03:44.000000000 +0100
+++ coreutils-5.2.1/configure.ac 2005-04-15 17:03:44.000000000 +0100
@@ -7,6 +7,13 @@
AM_INIT_AUTOMAKE([1.8 gnits dist-bzip2])
+dnl Give the chance to enable PAM
+AC_ARG_ENABLE(pam, dnl
+[ --enable-pam Enable use of the PAM libraries],
+[AC_DEFINE(USE_PAM, 1, [Define if you want to use PAM])
+LIB_PAM="-ldl -lpam -lpam_misc"
+AC_SUBST(LIB_PAM)])
+
gl_DEFAULT_POSIX2_VERSION
gl_USE_SYSTEM_EXTENSIONS
jm_PERL
--- coreutils-5.2.1/config.hin.pam 2005-04-15 17:03:44.000000000 +0100
+++ coreutils-5.2.1/config.hin 2005-04-15 17:03:44.000000000 +0100
@@ -1365,6 +1365,9 @@
/* Define if you want access control list support. */
#undef USE_ACL
+/* Define if you want to use PAM */
+#undef USE_PAM
+
/* Version number of package */
#undef VERSION
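Review bot: `ttyname(0)` can return NULL when su's stdin is not a terminal (a pipeline, a cron job, or `su -c` driven from a script), and the `strncmp(ttyn, "/dev/", 5)` on the next line of the correct_password hunk then dereferences NULL; the tty name should only be derived and handed to `pam_set_item(pamh, PAM_TTY, ...)` when one is available. The `error (1, 0, pam_strerror(pamh, retval));` line in the change_identity hunk passes a non-literal format string and uses a bare 1 where the surrounding calls use EXIT_FAIL; `error (EXIT_FAIL, 0, "%s", pam_strerror (pamh, retval));` keeps the module's convention and is clean under -Wformat-security. The correct_password and change_identity bodies start and end outside the visible hunks, and because the outer diff markers are lost in this rendering it is not certain which of these patch lines the commit itself introduces versus carries over.
```c
  ttyn = ttyname(0);
  if (ttyn != NULL) {
    /* PAM conventionally gets the name relative to /dev; pass it as-is otherwise */
    tty_name = (strncmp(ttyn, "/dev/", 5) == 0) ? ttyn + 5 : ttyn;
    retval = pam_set_item(pamh, PAM_TTY, tty_name);
    PAM_BAIL_P;
  }
  /* … unchanged: pam_authenticate / pam_acct_mgmt … */
```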


@ -256,6 +256,7 @@ fi
%changelog
* Fri Apr 8 2005 Tim Waugh <twaugh@redhat.com>
- Fixed pam patch from Steve Grubb (bug #154946).
- Use better upstream patch for "stale utmp".
* Tue Mar 29 2005 Tim Waugh <twaugh@redhat.com> 5.2.1-44