- update to Linux-PAM-0.78

- #140451 parse passwd entries correctly and test for failure
This commit is contained in:
Tomáš Mráz 2004-11-23 15:32:59 +00:00
parent 0da465a133
commit 056a40e611
6 changed files with 107 additions and 118 deletions

View File

@ -1,5 +1,4 @@
Linux-PAM-0.77.tar.bz2
db-4.2.52.tar.gz
pam-redhat-0.77-5.tar.gz
pwdb-0.62.tar.gz pwdb-0.62.tar.gz
db-4.3.21.tar.gz db-4.3.21.tar.gz
Linux-PAM-0.78.tar.bz2
pam-redhat-0.78-1.tar.gz

View File

@ -1,5 +1,5 @@
#%PAM-1.0 #%PAM-1.0
auth required /lib/security/$ISA/pam_deny.so auth required pam_deny.so
account required /lib/security/$ISA/pam_deny.so account required pam_deny.so
password required /lib/security/$ISA/pam_deny.so password required pam_deny.so
session required /lib/security/$ISA/pam_deny.so session required pam_deny.so

View File

@ -0,0 +1,76 @@
o For non-extensible-style hashes, strip off anything after the 13th character
which would not be valid as part of a hash. On HP/UX, this clips off a comma
followed by encoded aging information.
The real problem is a complete lack of any standard for storing password
aging information (actually, for anything having to do with password aging)
for users across operating systems, but there's nothing we can do about that
here.
--- Linux-PAM-0.78/modules/pam_unix/support.c.unix-hpux-aging 2004-10-06 16:05:17.000000000 +0200
+++ Linux-PAM-0.78/modules/pam_unix/support.c 2004-11-23 14:55:27.885063264 +0100
@@ -611,6 +611,21 @@
return retval;
}
+static void strip_hpux_aging(char *p)
+{
+ const char *valid = "ABCDEFGHIJKLMNOPQRSTUVWXYZ"
+ "abcdefghijklmnopqrstuvwxyz"
+ "0123456789./";
+ if ((*p != '$') && (strlen(p) > 13)) {
+ for (p += 13; *p != '\0'; p++) {
+ if (strchr(valid, *p) == NULL) {
+ *p = '\0';
+ break;
+ }
+ }
+ }
+}
+
int _unix_verify_password(pam_handle_t * pamh, const char *name
,const char *p, unsigned int ctrl)
{
@@ -712,7 +727,9 @@
retval = PAM_AUTHINFO_UNAVAIL;
}
} else {
- int salt_len = strlen(salt);
+ int salt_len;
+ strip_hpux_aging(salt);
+ salt_len = strlen(salt);
if (!salt_len) {
/* the stored password is NULL */
if (off(UNIX__NONULL, ctrl)) {/* this means we've succeeded */
--- Linux-PAM-0.78/modules/pam_unix/unix_chkpwd.c.unix-hpux-aging 2004-11-18 14:41:20.000000000 +0100
+++ Linux-PAM-0.78/modules/pam_unix/unix_chkpwd.c 2004-11-23 15:03:43.979169586 +0100
@@ -112,6 +112,21 @@
(void) sigaction(SIGQUIT, &action, NULL);
}
+static void strip_hpux_aging(char *p)
+{
+ const char *valid = "ABCDEFGHIJKLMNOPQRSTUVWXYZ"
+ "abcdefghijklmnopqrstuvwxyz"
+ "0123456789./";
+ if ((*p != '$') && (strlen(p) > 13)) {
+ for (p += 13; *p != '\0'; p++) {
+ if (strchr(valid, *p) == NULL) {
+ *p = '\0';
+ break;
+ }
+ }
+ }
+}
+
static int _unix_verify_password(const char *name, const char *p, int nullok)
{
struct passwd *pwd = NULL;
@@ -159,6 +174,7 @@
return retval;
}
+ strip_hpux_aging(salt);
salt_len = strlen(salt);
if (salt_len == 0)
return (nullok == 0) ? UNIX_FAILED : UNIX_PASSED;

113
pam.spec
View File

@ -1,5 +1,4 @@
%define WITH_SELINUX 1 %define WITH_SELINUX 1
%define build6x 0
%define _sbindir /sbin %define _sbindir /sbin
%define _sysconfdir /etc %define _sysconfdir /etc
@ -9,76 +8,35 @@
Summary: A security tool which provides authentication for applications. Summary: A security tool which provides authentication for applications.
Name: pam Name: pam
Version: 0.77 Version: 0.78
Release: 67 Release: 1
License: GPL or BSD License: GPL or BSD
Group: System Environment/Base Group: System Environment/Base
Source0: ftp.us.kernel.org:/pub/linux/libs/pam/pre/library/Linux-PAM-%{version}.tar.bz2 Source0: ftp.us.kernel.org:/pub/linux/libs/pam/pre/library/Linux-PAM-%{version}.tar.bz2
Source1: ftp.us.kernel.org:/pub/linux/libs/pam/pre/library/Linux-PAM-%{version}.tar.bz2.sign Source1: ftp.us.kernel.org:/pub/linux/libs/pam/pre/library/Linux-PAM-%{version}.tar.bz2.sign
Source2: pam-redhat-%{version}-5.tar.gz Source2: pam-redhat-%{version}-1.tar.gz
Source3: pwdb-%{pwdb_version}.tar.gz Source3: pwdb-%{pwdb_version}.tar.gz
Source4: db-%{db_version}.tar.gz Source4: db-%{db_version}.tar.gz
Source5: other.pamd Source5: other.pamd
Source6: system-auth.pamd Source6: system-auth.pamd
Source7: install-sh
Source8: dlopen.sh Source8: dlopen.sh
Patch0: pam-0.77-modutil-thread.patch
Patch1: pam-0.77-include_path.patch
Patch2: pam-0.77-build.patch
Patch3: pam-0.75-linkage.patch
Patch4: pam-0.75-prompt.patch Patch4: pam-0.75-prompt.patch
Patch5: pam-0.75-return.patch
Patch6: pam-0.75-security.patch
Patch7: pam-0.77-string.patch
Patch8: pam-0.77-userdb.patch
Patch9: pam-0.75-group-reinit.patch
Patch10: pam-0.77-lastlog-utmp.patch Patch10: pam-0.77-lastlog-utmp.patch
Patch11: pam-0.77-securetty-fail.patch Patch21: pam-0.78-unix-hpux-aging.patch
Patch12: pam-0.75-time.patch
Patch13: pam-0.77-issue.patch
Patch14: pam-0.77-doc-rhl.patch
Patch15: pam-0.77-bigcrypt-main.patch
Patch16: pam-0.77-cracklib-init.patch
Patch17: pam-0.77-filter-comments.patch
Patch18: pam-0.75-unix-loop.patch
Patch19: pam-0.77-unix-preserve.patch
Patch20: pam-0.77-unix-brokenshadow.patch
Patch21: pam-0.77-unix-hpux-aging.patch
Patch22: pam-0.77-unix-nis.patch
Patch23: pam-0.77-unix-nullok.patch
Patch24: pam-0.77-issue-heap.patch
Patch25: pam-0.75-listfile-tty.patch
Patch26: pam-0.77-misc-err.patch
Patch27: pam-0.77-unix-aixhash.patch
Patch28: pam-0.75-sgml2latex.patch Patch28: pam-0.75-sgml2latex.patch
Patch29: pam-0.77-multicrack.patch Patch29: pam-0.78-multicrack.patch
Patch30: pam-0.75-isa.patch
Patch31: pam-0.77-utmp-dev.patch
Patch32: pam-0.77-pwdb-static.patch
Patch33: pam-0.77-nss-reentrant.patch
Patch34: pam-0.77-dbpam.patch Patch34: pam-0.77-dbpam.patch
Patch35: pam-0.77-sigchld.patch Patch40: pam-0.78-grubb-leak.patch
Patch36: pam-0.77-skip-aconf-install.patch Patch60: pam-0.78-selinux.patch
Patch37: pam-0.77-log-changes.patch
Patch38: pam-0.77-64bit.patch
Patch40: pam-0.77-grubb_leak.patch
Patch60: pam-selinux.patch
Patch61: pam-pwdbselinux.patch Patch61: pam-pwdbselinux.patch
Patch62: pam-0.77-closefd.patch
Patch63: pam-0.77-consolelock.patch Patch63: pam-0.77-consolelock.patch
Patch70: pam-0.77-pwd-lock.patch
Patch71: pam-0.77-nullok-override.patch
Patch72: pam-0.77-remove-getgrlist.patch
Patch73: pam-0.77-succif-quiet.patch
Patch74: pam-0.77-env-noabort.patch
Patch75: pam-0.77-stack-convoverwrite.patch Patch75: pam-0.77-stack-convoverwrite.patch
Patch76: pam-0.77-console-addperms.patch Patch76: pam-0.77-console-addperms.patch
Patch78: pam-0.77-console-manfix.patch Patch78: pam-0.77-console-manfix.patch
Patch79: pam-0.77-limits-logins.patch
Patch80: pam-0.77-console-xcrash.patch Patch80: pam-0.77-console-xcrash.patch
Patch81: pam-0.77-stack-memleaks.patch Patch81: pam-0.77-stack-memleaks.patch
Patch82: pam-0.77-timestamp-test-login.patch Patch82: pam-0.77-timestamp-test-login.patch
Patch83: pam-0.77-unix-logfail.patch Patch84: pam-0.77-unix-passwd-parse.patch
BuildRoot: %{_tmppath}/%{name}-root BuildRoot: %{_tmppath}/%{name}-root
Requires: cracklib, cracklib-dicts, glib2, initscripts >= 3.94 Requires: cracklib, cracklib-dicts, glib2, initscripts >= 3.94
@ -118,67 +76,26 @@ PAM-aware applications and modules for use with PAM.
%setup -q -n Linux-PAM-%{version} -a 2 -a 3 -a 4 %setup -q -n Linux-PAM-%{version} -a 2 -a 3 -a 4
cp $RPM_SOURCE_DIR/other.pamd . cp $RPM_SOURCE_DIR/other.pamd .
cp $RPM_SOURCE_DIR/system-auth.pamd . cp $RPM_SOURCE_DIR/system-auth.pamd .
cp $RPM_SOURCE_DIR/install-sh .
%patch0 -p1 -b .modutil-thread
%patch1 -p1 -b .include_path
%patch2 -p1 -b .build
%patch3 -p1 -b .linkage
%patch4 -p1 -b .prompt %patch4 -p1 -b .prompt
%patch5 -p1 -b .return
%patch6 -p1 -b .security
%patch7 -p1 -b .string
%patch8 -p1 -b .userdb
%patch9 -p1 -b .group-reinit
%patch10 -p1 -b .lastlog-utmp %patch10 -p1 -b .lastlog-utmp
%patch11 -p1 -b .securetty-fail
%patch12 -p1 -b .time
%patch13 -p1 -b .issue
%patch14 -p1 -b .doc-rhl
%patch15 -p1 -b .bigcrypt-main
%patch16 -p1 -b .cracklib-init
%patch17 -p1 -b .filter-comments
%patch18 -p1 -b .unix-loop
%patch19 -p1 -b .unix-preserve
%patch20 -p1 -b .unix-brokenshadow
%patch21 -p1 -b .unix-hpux-aging %patch21 -p1 -b .unix-hpux-aging
%patch22 -p1 -b .unix-nis
%patch23 -p1 -b .unix-nullok
%patch24 -p1 -b .issue-heap
%patch25 -p1 -b .listfile-tty
%patch26 -p1 -b .misc-err
%patch27 -p1 -b .unix-aixhash
%patch28 -p1 -b .doc %patch28 -p1 -b .doc
%patch29 -p1 -b .multicrack %patch29 -p1 -b .multicrack
%patch30 -p1 -b .isa
%patch31 -p1 -b .utmp-dev
%patch32 -p1 -b .pwdb-static
%patch33 -p1 -b .nss-reentrant
%patch34 -p1 -b .dbpam %patch34 -p1 -b .dbpam
%patch35 -p1 -b .sigchld %patch40 -p1 -b .grubb-leak
%patch36 -p1 -b .skip-aconf-install
%patch37 -p1 -b .log-changes
%patch38 -p1 -b .64bit
%if %{WITH_SELINUX} %if %{WITH_SELINUX}
%patch60 -p1 -b .selinux %patch60 -p1 -b .selinux
%patch61 -p1 -b .pwdbselinux %patch61 -p1 -b .pwdbselinux
%endif %endif
%patch40 -p1 -b .grubb_leak
%patch62 -p1 -b .closefd
%patch63 -p1 -b .consolelock %patch63 -p1 -b .consolelock
%patch70 -p1 -b .pwd-lock
%patch71 -p1 -b .nullok-override
%patch72 -p1 -b .remove-getgrlist
%patch73 -p1 -b .succif-quiet
%patch74 -p1 -b .env-noabort
%patch75 -p1 -b .stack-convoverwrite %patch75 -p1 -b .stack-convoverwrite
%patch76 -p1 -b .add-perms %patch76 -p1 -b .add-perms
%patch78 -p1 -b .man-fix %patch78 -p1 -b .man-fix
%patch79 -p1 -b .logins
%patch80 -p1 -b .xcrash %patch80 -p1 -b .xcrash
%patch81 -p1 -b .mem-leak %patch81 -p1 -b .mem-leak
%patch82 -p1 -b .test-login %patch82 -p1 -b .test-login
%patch83 -p1 -b .logfail %patch84 -p1 -b .passwd-parse
for readme in modules/pam_*/README ; do for readme in modules/pam_*/README ; do
cp -f ${readme} doc/txts/README.`dirname ${readme} | sed -e 's|^modules/||'` cp -f ${readme} doc/txts/README.`dirname ${readme} | sed -e 's|^modules/||'`
@ -301,7 +218,6 @@ done
%clean %clean
rm -rf $RPM_BUILD_ROOT rm -rf $RPM_BUILD_ROOT
%if ! %{build6x}
%pre %pre
# Figure whether or not we're using shadow/md5 passwords if we're upgrading. # Figure whether or not we're using shadow/md5 passwords if we're upgrading.
if [ -f %{_sysconfdir}/pam.d/other ] ; then if [ -f %{_sysconfdir}/pam.d/other ] ; then
@ -325,11 +241,7 @@ if [ -f %{_sysconfdir}/pam.d/other ] ; then
fi fi
fi fi
exit 0 exit 0
%endif
%if %{build6x}
%post -p /sbin/ldconfig
%else
%post %post
/sbin/ldconfig /sbin/ldconfig
if [ ! -f /etc/shadow ] ; then if [ ! -f /etc/shadow ] ; then
@ -351,7 +263,6 @@ if [ "$USEMD5" = "no" ] ; then
rm -f $tmp rm -f $tmp
fi fi
fi fi
%endif
%postun -p /sbin/ldconfig %postun -p /sbin/ldconfig
@ -448,6 +359,10 @@ fi
%{_libdir}/libpam_misc.so %{_libdir}/libpam_misc.so
%changelog %changelog
* Tue Nov 23 2004 Tomas Mraz <tmraz@redhat.com> 0.78-1
- update to Linux-PAM-0.78
- #140451 parse passwd entries correctly and test for failure
* Fri Nov 12 2004 Jeff Johnson <jbj@jbj.org> 0.77-67 * Fri Nov 12 2004 Jeff Johnson <jbj@jbj.org> 0.77-67
- rebuild against db-4.3.21. - rebuild against db-4.3.21.

View File

@ -1,5 +1,4 @@
1163834de9a0eebaca5d074dcc83b6a9 Linux-PAM-0.77.tar.bz2
cbc77517c9278cdb47613ce8cb55779f db-4.2.52.tar.gz
5e6b2a67d8dfaac6c1961e8d53f26029 pam-redhat-0.77-5.tar.gz
1a1fd0312040ef37aa741d09465774b4 pwdb-0.62.tar.gz 1a1fd0312040ef37aa741d09465774b4 pwdb-0.62.tar.gz
014950aaadd531f6f9064c81a2018423 db-4.3.21.tar.gz 014950aaadd531f6f9064c81a2018423 db-4.3.21.tar.gz
34938b4f2449d4d3b2ffdbf354257205 Linux-PAM-0.78.tar.bz2
d0392692ef4ea28ef3f5c59bec050d30 pam-redhat-0.78-1.tar.gz

View File

@ -1,15 +1,15 @@
#%PAM-1.0 #%PAM-1.0
# This file is auto-generated. # This file is auto-generated.
# User changes will be destroyed the next time authconfig is run. # User changes will be destroyed the next time authconfig is run.
auth required /lib/security/$ISA/pam_env.so auth required pam_env.so
auth sufficient /lib/security/$ISA/pam_unix.so likeauth nullok auth sufficient pam_unix.so likeauth nullok
auth required /lib/security/$ISA/pam_deny.so auth required pam_deny.so
account required /lib/security/$ISA/pam_unix.so account required pam_unix.so
password required /lib/security/$ISA/pam_cracklib.so retry=3 password required pam_cracklib.so retry=3
password sufficient /lib/security/$ISA/pam_unix.so nullok use_authtok md5 shadow password sufficient pam_unix.so nullok use_authtok md5 shadow
password required /lib/security/$ISA/pam_deny.so password required pam_deny.so
session required /lib/security/$ISA/pam_limits.so session required pam_limits.so
session required /lib/security/$ISA/pam_unix.so session required pam_unix.so