Multiple bug fixes and cleanups.

- do not fail if btmp file is corrupted (#906852) - fix strict aliasing warnings in build - UsrMove - use authtok_type with pam_pwquality in system-auth - remove manual_context handling from pam_selinux (#876976) - other minor specfile cleanups
2013-03-22 17:44:40 +01:00 · 2013-03-22 17:44:40 +01:00 · 858c76dcd3
commit 858c76dcd3
parent b38262e712
6 changed files with 182 additions and 31 deletions
--- a/pam-1.1.6-lastlog-retval.patch
+++ b/pam-1.1.6-lastlog-retval.patch
@ -0,0 +1,15 @@
+diff --git a/modules/pam_lastlog/pam_lastlog.c b/modules/pam_lastlog/pam_lastlog.c
+index 50e5a59..bd454ff 100644
+--- a/modules/pam_lastlog/pam_lastlog.c
+++ b/modules/pam_lastlog/pam_lastlog.c
+@@ -479,6 +479,10 @@ last_login_failed(pam_handle_t *pamh, int announce, const char *user, time_t llt
+ 	}
+     }
+ 
+    if (retval != 0)
+	pam_syslog(pamh, LOG_WARNING, "corruption detected in %s", _PATH_BTMP);
+    retval = PAM_SUCCESS;
+
+     if (failed) {
+ 	/* we want the date? */
+ 	if (announce & LASTLOG_DATE) {
--- a/pam-1.1.6-selinux-manualctx.patch
+++ b/pam-1.1.6-selinux-manualctx.patch
@ -0,0 +1,97 @@
+diff -up Linux-PAM-1.1.6/modules/pam_selinux/pam_selinux.c.manualctx Linux-PAM-1.1.6/modules/pam_selinux/pam_selinux.c
+--- Linux-PAM-1.1.6/modules/pam_selinux/pam_selinux.c.manualctx	2012-09-03 15:23:21.000000000 +0200
+++ Linux-PAM-1.1.6/modules/pam_selinux/pam_selinux.c	2012-11-30 21:03:40.000000000 +0100
+@@ -161,81 +161,6 @@ query_response (pam_handle_t *pamh, cons
+   return rc;
+ }
+ 
+-static security_context_t
+-manual_context (pam_handle_t *pamh, const char *user, int debug)
+-{
+-  security_context_t newcon=NULL;
+-  context_t new_context;
+-  int mls_enabled = is_selinux_mls_enabled();
+-  char *type=NULL;
+-  char *response=NULL;
+-
+-  while (1) {
+-    if (query_response(pamh,
+-		   _("Would you like to enter a security context? [N] "), NULL,
+-		   &response, debug) != PAM_SUCCESS)
+-	return NULL;
+-
+-    if ((response[0] == 'y') || (response[0] == 'Y'))
+-      {
+-	if (mls_enabled)
+-	  new_context = context_new ("user:role:type:level");
+-	else
+-	  new_context = context_new ("user:role:type");
+-
+-	if (!new_context)
+-              goto fail_set;
+-
+-	if (context_user_set (new_context, user))
+-              goto fail_set;
+-
+-	_pam_drop(response);
+-	/* Allow the user to enter each field of the context individually */
+-	if (query_response(pamh, _("role:"), NULL, &response, debug) == PAM_SUCCESS &&
+-	    response[0] != '\0') {
+-	   if (context_role_set (new_context, response))
+-              goto fail_set;
+-	   if (get_default_type(response, &type))
+-              goto fail_set;
+-	   if (context_type_set (new_context, type))
+-              goto fail_set;
+-	   _pam_drop(type);
+-	}
+-	_pam_drop(response);
+-
+-	if (mls_enabled)
+-	  {
+-	    if (query_response(pamh, _("level:"), NULL, &response, debug) == PAM_SUCCESS &&
+-		response[0] != '\0') {
+-	      if (context_range_set (new_context, response))
+-		goto fail_set;
+-	    }
+-	    _pam_drop(response);
+-	  }
+-
+-	/* Get the string value of the context and see if it is valid. */
+-	if (!security_check_context(context_str(new_context))) {
+-	  newcon = strdup(context_str(new_context));
+-	  context_free (new_context);
+-	  return newcon;
+-	}
+-	else
+-	  send_text(pamh,_("Not a valid security context"),debug);
+-
+-        context_free (new_context);
+-      }
+-    else {
+-      _pam_drop(response);
+-      return NULL;
+-    }
+-  } /* end while */
+- fail_set:
+-  free(type);
+-  _pam_drop(response);
+-  context_free (new_context);
+-  return NULL;
+-}
+-
+ static int mls_range_allowed(pam_handle_t *pamh, security_context_t src, security_context_t dst, int debug)
+ {
+   struct av_decision avd;
+@@ -606,11 +531,6 @@ compute_exec_context(pam_handle_t *pamh,
+       data->exec_context = context_from_env(pamh, data->default_user_context,
+ 					    env_params, use_current_range,
+ 					    debug);
+-  } else {
+-    if (seuser) {
+-      data->exec_context = manual_context(pamh, seuser, debug);
+-      free(seuser);
+-    }
+   }
+ 
+   if (!data->exec_context) {
--- a/pam-1.1.6-strict-aliasing.patch
+++ b/pam-1.1.6-strict-aliasing.patch
@ -0,0 +1,28 @@
+diff --git a/modules/pam_namespace/md5.c b/modules/pam_namespace/md5.c
+index ce4f7d6..dc95ab1 100644
+--- a/modules/pam_namespace/md5.c
+++ b/modules/pam_namespace/md5.c
+@@ -142,8 +142,7 @@ void MD5Name(MD5Final)(unsigned char digest[16], struct MD5Context *ctx)
+ 	byteReverse(ctx->in, 14);
+ 
+ 	/* Append length in bits and transform */
+-	((uint32 *) ctx->in)[14] = ctx->bits[0];
+-	((uint32 *) ctx->in)[15] = ctx->bits[1];
+	memcpy((uint32 *)ctx->in + 14, ctx->bits, 2*sizeof(uint32));
+ 
+ 	MD5Name(MD5Transform)(ctx->buf, (uint32 *) ctx->in);
+ 	byteReverse((unsigned char *) ctx->buf, 4);
+diff --git a/modules/pam_unix/md5.c b/modules/pam_unix/md5.c
+index 7881db5..94f0485 100644
+--- a/modules/pam_unix/md5.c
+++ b/modules/pam_unix/md5.c
+@@ -142,8 +142,7 @@ void MD5Name(MD5Final)(unsigned char digest[16], struct MD5Context *ctx)
+ 	byteReverse(ctx->in, 14);
+ 
+ 	/* Append length in bits and transform */
+-	((uint32 *) ctx->in)[14] = ctx->bits[0];
+-	((uint32 *) ctx->in)[15] = ctx->bits[1];
+	memcpy((uint32 *)ctx->in + 14, ctx->bits, 2*sizeof(uint32));
+ 
+ 	MD5Name(MD5Transform)(ctx->buf, (uint32 *) ctx->in);
+ 	byteReverse((unsigned char *) ctx->buf, 4);
--- a/pam.spec
+++ b/pam.spec
@ -3,7 +3,7 @@
 Summary: An extensible library which provides authentication for applications
 Name: pam
 Version: 1.1.6
-Release: 8%{?dist}
+Release: 9%{?dist}
 # The library is BSD licensed with option to relicense as GPLv2+
 # - this option is redundant as the BSD license allows that anyway.
 # pam_timestamp, pam_loginuid, and pam_console modules are GPLv2+.
@ -52,9 +52,15 @@ Patch23: pam-1.1.6-autoupdate.patch
 Patch24: pam-1.1.6-namespace-mntopts.patch
 # Upstreamed
 Patch25: pam-1.1.6-crypt-null-check.patch
+# Upstreamed
+Patch26: pam-1.1.6-lastlog-retval.patch
+# Sent to upstream for review
+Patch27: pam-1.1.6-strict-aliasing.patch
+# Upstreamed
+Patch28: pam-1.1.6-selinux-manualctx.patch

-%define _sbindir /sbin
-%define _moduledir /%{_lib}/security
+%define _pamlibdir %{_libdir}
+%define _moduledir %{_libdir}/security
 %define _secconfdir %{_sysconfdir}/security
 %define _pamconfdir %{_sysconfdir}/pam.d

@ -65,7 +71,6 @@ Patch25: pam-1.1.6-crypt-null-check.patch
 %define WITH_AUDIT 1
 %endif

-BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n)
 Requires: cracklib-dicts >= 2.8
 Requires: libpwquality >= 0.9.9
 Requires(post): coreutils, /sbin/ldconfig
@ -88,7 +93,7 @@ BuildRequires: libdb-devel
 BuildRequires: linuxdoc-tools, w3m, libxslt
 BuildRequires: docbook-style-xsl, docbook-dtds

-URL: http://www.us.kernel.org/pub/linux/libs/pam/index.html
+URL: http://www.linux-pam.org/

 %description
 PAM (Pluggable Authentication Modules) is a system security tool that
@ -133,11 +138,15 @@ mv pam-redhat-%{pam_redhat_version}/* modules
 %patch23 -p1 -b .autoupdate
 %patch24 -p1 -b .mntopts
 %patch25 -p1 -b .null-check
+%patch26 -p1 -b .retval
+%patch27 -p1 -b .strict-aliasing
+%patch28 -p1 -b .manualctx
+

 %build
 autoreconf -i
 %configure \
-	--libdir=/%{_lib} \
+	--libdir=%{_pamlibdir} \
 	--includedir=%{_includedir}/security \
 	--disable-static \
 	--disable-prelude \
@ -152,8 +161,6 @@ make
 # we do not use _smp_mflags because the build of sources in yacc/flex fails

 %install
-rm -rf $RPM_BUILD_ROOT
-
 mkdir -p doc/txts
 for readme in modules/pam_*/README ; do
 	cp -f ${readme} doc/txts/README.`dirname ${readme} | sed -e 's|^modules/||'`
@ -200,22 +207,24 @@ done

 # Remove .la files and make new .so links -- this depends on the value
 # of _libdir not changing, and *not* being /usr/lib.
-install -d -m 755 $RPM_BUILD_ROOT%{_libdir}
 for lib in libpam libpamc libpam_misc ; do
-pushd $RPM_BUILD_ROOT%{_libdir}
-ln -sf ../../%{_lib}/${lib}.so.*.* ${lib}.so
-popd
-rm -f $RPM_BUILD_ROOT/%{_lib}/${lib}.so
-rm -f $RPM_BUILD_ROOT/%{_lib}/${lib}.la
+rm -f $RPM_BUILD_ROOT%{_pamlibdir}/${lib}.la
 done
 rm -f $RPM_BUILD_ROOT%{_moduledir}/*.la

+%if "%{_pamlibdir}" != "%{_libdir}"
+install -d -m 755 $RPM_BUILD_ROOT%{_libdir}
+for lib in libpam libpamc libpam_misc ; do
+pushd $RPM_BUILD_ROOT%{_libdir}
+ln -sf %{_pamlibdir}/${lib}.so.*.* ${lib}.so
+popd
+rm -f $RPM_BUILD_ROOT%{_pamlibdir}/${lib}.so
+done
+%endif
+
 # Duplicate doc file sets.
 rm -fr $RPM_BUILD_ROOT/usr/share/doc/pam

-# Create /lib/security in case it isn't the same as %{_moduledir}.
-install -m755 -d $RPM_BUILD_ROOT/lib/security
-
 # Install the file for autocreation of /var/run subdirectories on boot
 install -m644 -D %{SOURCE15} $RPM_BUILD_ROOT%{_prefix}/lib/tmpfiles.d/pam.conf

@ -242,18 +251,15 @@ done

 # Check for module problems.  Specifically, check that every module we just
 # installed can actually be loaded by a minimal PAM-aware application.
-/sbin/ldconfig -n $RPM_BUILD_ROOT/%{_lib}
+/sbin/ldconfig -n $RPM_BUILD_ROOT%{_pamlibdir}
 for module in $RPM_BUILD_ROOT%{_moduledir}/pam*.so ; do
-	if ! env LD_LIBRARY_PATH=$RPM_BUILD_ROOT/%{_lib} \
-		 %{SOURCE11} -ldl -lpam -L$RPM_BUILD_ROOT/%{_libdir} ${module} ; then
+	if ! env LD_LIBRARY_PATH=$RPM_BUILD_ROOT%{_pamlibdir} \
+		 %{SOURCE11} -ldl -lpam -L$RPM_BUILD_ROOT%{_libdir} ${module} ; then
 		echo ERROR module: ${module} cannot be loaded.
 		exit 1
 	fi
 done

-%clean
-rm -rf $RPM_BUILD_ROOT
-
 %post
 /sbin/ldconfig
 if [ ! -e /var/log/tallylog ] ; then
@ -276,9 +282,9 @@ fi
 %doc doc/txts
 %doc doc/sag/*.txt doc/sag/html
 %doc doc/specs/rfc86.0.txt
-/%{_lib}/libpam.so.*
-/%{_lib}/libpamc.so.*
-/%{_lib}/libpam_misc.so.*
+%{_pamlibdir}/libpam.so.*
+%{_pamlibdir}/libpamc.so.*
+%{_pamlibdir}/libpam_misc.so.*
 %{_sbindir}/pam_console_apply
 %{_sbindir}/pam_tally2
 %{_sbindir}/faillock
@ -286,9 +292,6 @@ fi
 %attr(4755,root,root) %{_sbindir}/unix_chkpwd
 %attr(0700,root,root) %{_sbindir}/unix_update
 %attr(0755,root,root) %{_sbindir}/mkhomedir_helper
-%if %{_lib} != lib
-%dir /lib/security
-%endif
 %dir %{_moduledir}
 %{_moduledir}/pam_access.so
 %{_moduledir}/pam_chroot.so
@ -386,6 +389,14 @@ fi
 %doc doc/adg/*.txt doc/adg/html

 %changelog
+* Fri Mar 22 2013 Tomáš Mráz <tmraz@redhat.com> 1.1.6-9
+- do not fail if btmp file is corrupted (#906852)
+- fix strict aliasing warnings in build
+- UsrMove
+- use authtok_type with pam_pwquality in system-auth
+- remove manual_context handling from pam_selinux (#876976)
+- other minor specfile cleanups
+
 * Tue Mar 19 2013 Tomáš Mráz <tmraz@redhat.com> 1.1.6-8
 - check NULL return from crypt() calls (#915316)

--- a/password-auth.pamd
+++ b/password-auth.pamd
@ -7,7 +7,7 @@ auth        required      pam_deny.so

 account     required      pam_unix.so

-password    requisite     pam_pwquality.so try_first_pass retry=3 type=
+password    requisite     pam_pwquality.so try_first_pass retry=3 authtok_type=
 password    sufficient    pam_unix.so try_first_pass use_authtok nullok sha512 shadow
 password    required      pam_deny.so

--- a/system-auth.pamd
+++ b/system-auth.pamd
@ -7,7 +7,7 @@ auth        required      pam_deny.so

 account     required      pam_unix.so

-password    requisite     pam_pwquality.so try_first_pass retry=3 type=
+password    requisite     pam_pwquality.so try_first_pass retry=3 authtok_type=
 password    sufficient    pam_unix.so try_first_pass use_authtok nullok sha512 shadow
 password    required      pam_deny.so