rpms/pam
3
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

new upstream release

Browse Source
This commit is contained in:
Tomas Mraz 2012-08-17 15:24:18 +02:00
parent a0cd63d48e
commit 8a0ba11ae1
13 changed files with 114 additions and 1221 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

27
pam-1.1.2-noflex.patch
View File

@ -1,27 +0,0 @@
diff -up Linux-PAM-1.1.2/doc/Makefile.am.noflex Linux-PAM-1.1.2/doc/Makefile.am
--- Linux-PAM-1.1.2/doc/Makefile.am.noflex 2008-02-04 16:05:51.000000000 +0100
+++ Linux-PAM-1.1.2/doc/Makefile.am 2010-09-20 10:40:59.000000000 +0200
@@ -2,7 +2,7 @@
# Copyright (c) 2005, 2006 Thorsten Kukuk <kukuk@suse.de>
#
-SUBDIRS = man specs sag adg mwg
+SUBDIRS = man sag adg mwg
CLEANFILES = *~
diff -up Linux-PAM-1.1.2/Makefile.am.noflex Linux-PAM-1.1.2/Makefile.am
--- Linux-PAM-1.1.2/Makefile.am.noflex 2010-07-08 14:04:19.000000000 +0200
+++ Linux-PAM-1.1.2/Makefile.am 2010-09-20 10:04:56.000000000 +0200
@@ -5,9 +5,9 @@
AUTOMAKE_OPTIONS = 1.9 gnu dist-bzip2 check-news
if STATIC_MODULES
-SUBDIRS = modules libpam libpamc libpam_misc tests po conf doc examples xtests
+SUBDIRS = modules libpam libpamc libpam_misc tests po doc examples xtests
else
-SUBDIRS = libpam tests libpamc libpam_misc modules po conf doc examples xtests
+SUBDIRS = libpam tests libpamc libpam_misc modules po doc examples xtests
endif
CLEANFILES = *~

373
pam-1.1.5-cracklib-gecoscheck.patch
View File

@ -1,373 +0,0 @@
From 422c19520fb814cfd8edd84d7989f4c52acbfa03 Mon Sep 17 00:00:00 2001
From: Tomas Mraz <tmraz@fedoraproject.org>
Date: Mon, 30 Apr 2012 15:03:32 +0200
Subject: [PATCH] pam_cracklib: Add maxclassrepeat, gecoscheck checks and
remove unused difignore.
modules/pam_cracklib/pam_cracklib.c (_pam_parse): Recognize the maxclassrepeat, gecoscheck options. Ignore difignore option.
(simple): Add the check for the same class repetition.
(usercheck): Refactor into wordcheck().
(gecoscheck): New test for words from the GECOS field.
(password_check): Call the gecoscheck().
(pam_sm_chauthtok): Drop the diff_ignore from options struct.
modules/pam_cracklib/pam_cracklib.8.xml: Document the maxclassrepeat and gecoscheck checks, update the documentation of the difok test.
---
modules/pam_cracklib/pam_cracklib.8.xml | 66 +++++++++-------
modules/pam_cracklib/pam_cracklib.c | 129 +++++++++++++++++++++++++------
2 files changed, 142 insertions(+), 53 deletions(-)
diff --git a/modules/pam_cracklib/pam_cracklib.8.xml b/modules/pam_cracklib/pam_cracklib.8.xml
index 29e00c0..5022c75 100644
--- a/modules/pam_cracklib/pam_cracklib.8.xml
+++ b/modules/pam_cracklib/pam_cracklib.8.xml
@@ -77,17 +77,10 @@
<para>
Is the new password too much like the old one?
This is primarily controlled by one argument,
- <option>difok</option> which is a number of characters
- that if different between the old and new are enough to accept
- the new password, this defaults to 10 or 1/2 the size of the
- new password whichever is smaller.
- </para>
- <para>
- To avoid the lockup associated with trying to change a long and
- complicated password, <option>difignore</option> is available.
- This argument can be used to specify the minimum length a new
- password needs to be before the <option>difok</option> value is
- ignored. The default value for <option>difignore</option> is 23.
+ <option>difok</option> which is a number of character changes
+ (inserts, removals, or replacements) between the old and new
+ password that are enough to accept the new password.
+ This defaults to 5 changes.
</para>
</listitem>
</varlistentry>
@@ -96,7 +89,8 @@
<listitem>
<para>
Is the new password too small?
- This is controlled by 5 arguments <option>minlen</option>,
+ This is controlled by 6 arguments <option>minlen</option>,
+ <option>maxclassrepeat</option>,
<option>dcredit</option>, <option>ucredit</option>,
<option>lcredit</option>, and <option>ocredit</option>. See the section
on the arguments for the details of how these work and there defaults.
@@ -204,24 +198,9 @@
<listitem>
<para>
This argument will change the default of
- <emphasis>5</emphasis> for the number of characters in
- the new password that must not be present in the old
- password. In addition, if 1/2 of the characters in the
- new password are different then the new password will
- be accepted anyway.
- </para>
- </listitem>
- </varlistentry>
-
- <varlistentry>
- <term>
- <option>difignore=<replaceable>N</replaceable></option>
- </term>
- <listitem>
- <para>
- How many characters should the password have before
- difok will be ignored. The default is
- <emphasis>23</emphasis>.
+ <emphasis>5</emphasis> for the number of character
+ changes in the new password that differentiate it
+ from the old password.
</para>
</listitem>
</varlistentry>
@@ -370,6 +349,19 @@
<varlistentry>
<term>
+ <option>maxclassrepeat=<replaceable>N</replaceable></option>
+ </term>
+ <listitem>
+ <para>
+ Reject passwords which contain more than N consecutive
+ characters of the same class. The default is 0 which means
+ that this check is disabled.
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term>
<option>reject_username</option>
</term>
<listitem>
@@ -383,6 +375,20 @@
<varlistentry>
<term>
+ <option>gecoscheck</option>
+ </term>
+ <listitem>
+ <para>
+ Check whether the words from the GECOS field (usualy full name
+ of the user) longer than 3 characters in straight or reversed
+ form are contained in the new password. If any such word is
+ found the new password is rejected.
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term>
<option>use_authtok</option>
</term>
<listitem>
diff --git a/modules/pam_cracklib/pam_cracklib.c b/modules/pam_cracklib/pam_cracklib.c
index 1955b83..96ee995 100644
--- a/modules/pam_cracklib/pam_cracklib.c
+++ b/modules/pam_cracklib/pam_cracklib.c
@@ -51,6 +51,8 @@
#include <sys/stat.h>
#include <ctype.h>
#include <limits.h>
+#include <pwd.h>
+#include <security/pam_modutil.h>
#ifdef HAVE_CRACK_H
#include <crack.h>
@@ -92,7 +94,6 @@ extern char *FascistCheck(char *pw, const char *dictpath);
struct cracklib_options {
int retry_times;
int diff_ok;
- int diff_ignore;
int min_length;
int dig_credit;
int up_credit;
@@ -100,19 +101,21 @@ struct cracklib_options {
int oth_credit;
int min_class;
int max_repeat;
+ int max_class_repeat;
int reject_user;
+ int gecos_check;
const char *cracklib_dictpath;
};
#define CO_RETRY_TIMES 1
#define CO_DIFF_OK 5
-#define CO_DIFF_IGNORE 23
#define CO_MIN_LENGTH 9
# define CO_MIN_LENGTH_BASE 5
#define CO_DIG_CREDIT 1
#define CO_UP_CREDIT 1
#define CO_LOW_CREDIT 1
#define CO_OTH_CREDIT 1
+#define CO_MIN_WORD_LENGTH 4
static int
_pam_parse (pam_handle_t *pamh, struct cracklib_options *opt,
@@ -139,9 +142,7 @@ _pam_parse (pam_handle_t *pamh, struct cracklib_options *opt,
if (!ep || (opt->diff_ok < 0))
opt->diff_ok = CO_DIFF_OK;
} else if (!strncmp(*argv,"difignore=",10)) {
- opt->diff_ignore = strtol(*argv+10,&ep,10);
- if (!ep || (opt->diff_ignore < 0))
- opt->diff_ignore = CO_DIFF_IGNORE;
+ /* just ignore */
} else if (!strncmp(*argv,"minlen=",7)) {
opt->min_length = strtol(*argv+7,&ep,10);
if (!ep || (opt->min_length < CO_MIN_LENGTH_BASE))
@@ -172,8 +173,14 @@ _pam_parse (pam_handle_t *pamh, struct cracklib_options *opt,
opt->max_repeat = strtol(*argv+10,&ep,10);
if (!ep)
opt->max_repeat = 0;
+ } else if (!strncmp(*argv,"maxclassrepeat=",15)) {
+ opt->max_class_repeat = strtol(*argv+15,&ep,10);
+ if (!ep)
+ opt->max_class_repeat = 0;
} else if (!strncmp(*argv,"reject_username",15)) {
opt->reject_user = 1;
+ } else if (!strncmp(*argv,"gecoscheck",10)) {
+ opt->gecos_check = 1;
} else if (!strncmp(*argv,"authtok_type",12)) {
/* for pam_get_authtok, ignore */;
} else if (!strncmp(*argv,"use_authtok",11)) {
@@ -357,16 +364,45 @@ static int simple(struct cracklib_options *opt, const char *new)
int others = 0;
int size;
int i;
+ enum { NONE, DIGIT, UCASE, LCASE, OTHER } prevclass = NONE;
+ int sameclass = 0;
for (i = 0;new[i];i++) {
- if (isdigit (new[i]))
+ if (isdigit (new[i])) {
digits++;
- else if (isupper (new[i]))
+ if (prevclass != DIGIT) {
+ prevclass = DIGIT;
+ sameclass = 1;
+ } else
+ sameclass++;
+ }
+ else if (isupper (new[i])) {
uppers++;
- else if (islower (new[i]))
+ if (prevclass != UCASE) {
+ prevclass = UCASE;
+ sameclass = 1;
+ } else
+ sameclass++;
+ }
+ else if (islower (new[i])) {
lowers++;
- else
+ if (prevclass != LCASE) {
+ prevclass = LCASE;
+ sameclass = 1;
+ } else
+ sameclass++;
+ }
+ else {
others++;
+ if (prevclass != OTHER) {
+ prevclass = OTHER;
+ sameclass = 1;
+ } else
+ sameclass++;
+ }
+ if (opt->max_class_repeat > 1 && sameclass > opt->max_class_repeat) {
+ return 1;
+ }
}
/*
@@ -439,21 +475,17 @@ static int consecutive(struct cracklib_options *opt, const char *new)
return 0;
}
-static int usercheck(struct cracklib_options *opt, const char *new,
- char *user)
+static int wordcheck(const char *new, char *word)
{
char *f, *b;
- if (!opt->reject_user)
- return 0;
-
- if (strstr(new, user) != NULL)
+ if (strstr(new, word) != NULL)
return 1;
- /* now reverse the username, we can do that in place
+ /* now reverse the word, we can do that in place
as it is strdup-ed */
- f = user;
- b = user+strlen(user)-1;
+ f = word;
+ b = word+strlen(word)-1;
while (f < b) {
char c;
@@ -464,11 +496,20 @@ static int usercheck(struct cracklib_options *opt, const char *new,
++f;
}
- if (strstr(new, user) != NULL)
+ if (strstr(new, word) != NULL)
return 1;
return 0;
}
+static int usercheck(struct cracklib_options *opt, const char *new,
+ char *user)
+{
+ if (!opt->reject_user)
+ return 0;
+
+ return wordcheck(new, user);
+}
+
static char * str_lower(char *string)
{
char *cp;
@@ -481,7 +522,50 @@ static char * str_lower(char *string)
return string;
}
-static const char *password_check(struct cracklib_options *opt,
+static int gecoscheck(pam_handle_t *pamh, struct cracklib_options *opt, const char *new,
+ const char *user)
+{
+ struct passwd *pwd;
+ char *list;
+ char *p;
+ char *next;
+
+ if (!opt->gecos_check)
+ return 0;
+
+ if ((pwd = pam_modutil_getpwnam(pamh, user)) == NULL) {
+ return 0;
+ }
+
+ list = strdup(pwd->pw_gecos);
+
+ if (list == NULL || *list == '\0') {
+ free(list);
+ return 0;
+ }
+
+ for (p = list;;p = next + 1) {
+ next = strchr(p, ' ');
+ if (next)
+ *next = '\0';
+
+ if (strlen(p) >= CO_MIN_WORD_LENGTH) {
+ str_lower(p);
+ if (wordcheck(new, p)) {
+ free(list);
+ return 1;
+ }
+ }
+
+ if (!next)
+ break;
+ }
+
+ free(list);
+ return 0;
+}
+
+static const char *password_check(pam_handle_t *pamh, struct cracklib_options *opt,
const char *old, const char *new,
const char *user)
{
@@ -535,7 +619,7 @@ static const char *password_check(struct cracklib_options *opt,
if (!msg && consecutive(opt, new))
msg = _("contains too many same characters consecutively");
- if (!msg && usercheck(opt, newmono, usermono))
+ if (!msg && (usercheck(opt, newmono, usermono) || gecoscheck(pamh, opt, newmono, user)))
msg = _("contains the user name in some form");
free(usermono);
@@ -584,7 +668,7 @@ static int _pam_unix_approve_pass(pam_handle_t *pamh,
* if one wanted to hardwire authentication token strength
* checking this would be the place
*/
- msg = password_check(opt, pass_old, pass_new, user);
+ msg = password_check(pamh, opt, pass_old, pass_new, user);
if (msg) {
if (ctrl & PAM_DEBUG_ARG)
@@ -611,7 +695,6 @@ PAM_EXTERN int pam_sm_chauthtok(pam_handle_t *pamh, int flags,
memset(&options, 0, sizeof(options));
options.retry_times = CO_RETRY_TIMES;
options.diff_ok = CO_DIFF_OK;
- options.diff_ignore = CO_DIFF_IGNORE;
options.min_length = CO_MIN_LENGTH;
options.dig_credit = CO_DIG_CREDIT;
options.up_credit = CO_UP_CREDIT;
--
1.7.7.6

30
pam-1.1.5-install-empty.patch
View File

@ -1,30 +0,0 @@
diff -up Linux-PAM-1.1.5/modules/pam_namespace/Makefile.am.empty Linux-PAM-1.1.5/modules/pam_namespace/Makefile.am
--- Linux-PAM-1.1.5/modules/pam_namespace/Makefile.am.empty 2011-06-21 11:04:56.000000000 +0200
+++ Linux-PAM-1.1.5/modules/pam_namespace/Makefile.am 2012-05-09 12:23:20.691384345 +0200
@@ -38,7 +38,9 @@ if HAVE_UNSHARE
secureconf_DATA = namespace.conf
secureconf_SCRIPTS = namespace.init
- namespaced_DATA =
+
+install-data-local:
+ mkdir -p $(DESTDIR)$(namespaceddir)
endif
diff -up Linux-PAM-1.1.5/modules/pam_sepermit/Makefile.am.empty Linux-PAM-1.1.5/modules/pam_sepermit/Makefile.am
--- Linux-PAM-1.1.5/modules/pam_sepermit/Makefile.am.empty 2011-06-21 11:04:56.000000000 +0200
+++ Linux-PAM-1.1.5/modules/pam_sepermit/Makefile.am 2012-05-09 12:23:14.291243402 +0200
@@ -32,9 +32,10 @@ endif
if HAVE_LIBSELINUX
secureconf_DATA = sepermit.conf
- sepermitlock_DATA =
-
securelib_LTLIBRARIES = pam_sepermit.la
+
+install-data-local:
+ mkdir -p $(DESTDIR)$(sepermitlockdir)
endif
if ENABLE_REGENERATE_MAN
noinst_DATA = README pam_sepermit.8 sepermit.conf.5

391
pam-1.1.5-lastlog-inactive.patch
View File

@ -1,391 +0,0 @@
diff -up Linux-PAM-1.1.5/modules/pam_lastlog/pam_lastlog.8.xml.inactive Linux-PAM-1.1.5/modules/pam_lastlog/pam_lastlog.8.xml
--- Linux-PAM-1.1.5/modules/pam_lastlog/pam_lastlog.8.xml.inactive 2011-06-21 11:04:56.000000000 +0200
+++ Linux-PAM-1.1.5/modules/pam_lastlog/pam_lastlog.8.xml 2012-05-09 11:35:42.810209582 +0200
@@ -12,7 +12,7 @@
<refnamediv id="pam_lastlog-name">
<refname>pam_lastlog</refname>
- <refpurpose>PAM module to display date of last login</refpurpose>
+ <refpurpose>PAM module to display date of last login and perform inactive account lock out</refpurpose>
</refnamediv>
<refsynopsisdiv>
@@ -45,6 +45,9 @@
<arg choice="opt">
showfailed
</arg>
+ <arg choice="opt">
+ inactive=&lt;days&gt;
+ </arg>
</cmdsynopsis>
</refsynopsisdiv>
@@ -61,6 +64,12 @@
Some applications may perform this function themselves. In such
cases, this module is not necessary.
</para>
+ <para>
+ If the module is called in the auth or account phase, the accounts that
+ were not used recently enough will be disallowed to log in. The
+ check is not performed for the root account so the root is never
+ locked out.
+ </para>
</refsect1>
<refsect1 id="pam_lastlog-options">
@@ -165,13 +174,30 @@
</para>
</listitem>
</varlistentry>
+ <varlistentry>
+ <term>
+ <option>inactive=&lt;days&gt;</option>
+ </term>
+ <listitem>
+ <para>
+ This option is specific for the auth or account phase. It
+ specifies the number of days after the last login of the user
+ when the user will be locked out by the module. The default
+ value is 90.
+ </para>
+ </listitem>
+ </varlistentry>
</variablelist>
</refsect1>
<refsect1 id="pam_lastlog-types">
<title>MODULE TYPES PROVIDED</title>
<para>
- Only the <option>session</option> module type is provided.
+ The <option>auth</option> and <option>account</option> module type
+ allows to lock out users which did not login recently enough.
+ The <option>session</option> module type is provided for displaying
+ the information about the last login and/or updating the lastlog and
+ wtmp files.
</para>
</refsect1>
@@ -207,6 +233,27 @@
</listitem>
</varlistentry>
+ <varlistentry>
+ <term>PAM_AUTH_ERR</term>
+ <listitem>
+ <para>
+ User locked out in the auth or account phase due to
+ inactivity.
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term>PAM_IGNORE</term>
+ <listitem>
+ <para>
+ There was an error during reading the lastlog file
+ in the auth or account phase and thus inactivity
+ of the user cannot be determined.
+ </para>
+ </listitem>
+ </varlistentry>
+
</variablelist>
</para>
</refsect1>
@@ -220,6 +267,13 @@
<programlisting>
session required pam_lastlog.so nowtmp
</programlisting>
+ <para>
+ To reject the user if he did not login during the previous 50 days
+ the following line can be used:
+ </para>
+ <programlisting>
+ auth required pam_lastlog.so inactive=50
+ </programlisting>
</refsect1>
<refsect1 id="pam_lastlog-files">
@@ -254,6 +308,9 @@
<para>
pam_lastlog was written by Andrew G. Morgan &lt;morgan@kernel.org&gt;.
</para>
+ <para>
+ Inactive account lock out added by Tomáš Mráz &lt;tm@t8m.info&gt;.
+ </para>
</refsect1>
</refentry>
diff -up Linux-PAM-1.1.5/modules/pam_lastlog/pam_lastlog.c.inactive Linux-PAM-1.1.5/modules/pam_lastlog/pam_lastlog.c
--- Linux-PAM-1.1.5/modules/pam_lastlog/pam_lastlog.c.inactive 2011-06-21 11:04:56.000000000 +0200
+++ Linux-PAM-1.1.5/modules/pam_lastlog/pam_lastlog.c 2012-05-09 11:35:22.363759805 +0200
@@ -56,6 +56,9 @@ struct lastlog {
#define DEFAULT_HOST "" /* "[no.where]" */
#define DEFAULT_TERM "" /* "tt???" */
+#define DEFAULT_INACTIVE_DAYS 90
+#define MAX_INACTIVE_DAYS 100000
+
/*
* here, we make a definition for the externally accessible function
* in this file (this definition is required for static a module
@@ -64,6 +67,8 @@ struct lastlog {
*/
#define PAM_SM_SESSION
+#define PAM_SM_AUTH
+#define PAM_SM_ACCOUNT
#include <security/pam_modules.h>
#include <security/_pam_macros.h>
@@ -83,7 +88,45 @@ struct lastlog {
#define LASTLOG_UPDATE 0400 /* update the lastlog and wtmp files (default) */
static int
-_pam_parse(pam_handle_t *pamh, int flags, int argc, const char **argv)
+_pam_auth_parse(pam_handle_t *pamh, int flags, int argc, const char **argv,
+ time_t *inactive)
+{
+ int ctrl = 0;
+
+ *inactive = DEFAULT_INACTIVE_DAYS;
+
+ /* does the appliction require quiet? */
+ if (flags & PAM_SILENT) {
+ ctrl |= LASTLOG_QUIET;
+ }
+
+ /* step through arguments */
+ for (; argc-- > 0; ++argv) {
+ char *ep = NULL;
+ long l;
+
+ if (!strcmp(*argv,"debug")) {
+ ctrl |= LASTLOG_DEBUG;
+ } else if (!strcmp(*argv,"silent")) {
+ ctrl |= LASTLOG_QUIET;
+ } else if (!strncmp(*argv,"inactive=", 9)) {
+ l = strtol(*argv+9, &ep, 10);
+ if (ep != *argv+9 && l > 0 && l < MAX_INACTIVE_DAYS)
+ *inactive = l;
+ else {
+ pam_syslog(pamh, LOG_ERR, "bad option value: %s", *argv);
+ }
+ } else {
+ pam_syslog(pamh, LOG_ERR, "unknown option: %s", *argv);
+ }
+ }
+
+ D(("ctrl = %o", ctrl));
+ return ctrl;
+}
+
+static int
+_pam_session_parse(pam_handle_t *pamh, int flags, int argc, const char **argv)
{
int ctrl=(LASTLOG_DATE|LASTLOG_HOST|LASTLOG_LINE|LASTLOG_WTMP|LASTLOG_UPDATE);
@@ -145,6 +188,44 @@ get_tty(pam_handle_t *pamh)
}
static int
+last_login_open(pam_handle_t *pamh, int announce, uid_t uid)
+{
+ int last_fd;
+
+ /* obtain the last login date and all the relevant info */
+ last_fd = open(_PATH_LASTLOG, announce&LASTLOG_UPDATE ? O_RDWR : O_RDONLY);
+ if (last_fd < 0) {
+ if (errno == ENOENT && (announce & LASTLOG_UPDATE)) {
+ last_fd = open(_PATH_LASTLOG, O_RDWR|O_CREAT,
+ S_IRUSR|S_IWUSR|S_IRGRP|S_IROTH);
+ if (last_fd < 0) {
+ pam_syslog(pamh, LOG_ERR,
+ "unable to create %s: %m", _PATH_LASTLOG);
+ D(("unable to create %s file", _PATH_LASTLOG));
+ return -1;
+ }
+ pam_syslog(pamh, LOG_WARNING,
+ "file %s created", _PATH_LASTLOG);
+ D(("file %s created", _PATH_LASTLOG));
+ } else {
+ pam_syslog(pamh, LOG_ERR, "unable to open %s: %m", _PATH_LASTLOG);
+ D(("unable to open %s file", _PATH_LASTLOG));
+ return -1;
+ }
+ }
+
+ if (lseek(last_fd, sizeof(struct lastlog) * (off_t) uid, SEEK_SET) < 0) {
+ pam_syslog(pamh, LOG_ERR, "failed to lseek %s: %m", _PATH_LASTLOG);
+ D(("unable to lseek %s file", _PATH_LASTLOG));
+ close(last_fd);
+ return -1;
+ }
+
+ return last_fd;
+}
+
+
+static int
last_login_read(pam_handle_t *pamh, int announce, int last_fd, uid_t uid, time_t *lltime)
{
struct flock last_lock;
@@ -338,31 +419,9 @@ last_login_date(pam_handle_t *pamh, int
int last_fd;
/* obtain the last login date and all the relevant info */
- last_fd = open(_PATH_LASTLOG, announce&LASTLOG_UPDATE ? O_RDWR : O_RDONLY);
+ last_fd = last_login_open(pamh, announce, uid);
if (last_fd < 0) {
- if (errno == ENOENT) {
- last_fd = open(_PATH_LASTLOG, O_RDWR|O_CREAT,
- S_IRUSR|S_IWUSR|S_IRGRP|S_IROTH);
- if (last_fd < 0) {
- pam_syslog(pamh, LOG_ERR,
- "unable to create %s: %m", _PATH_LASTLOG);
- D(("unable to create %s file", _PATH_LASTLOG));
- return PAM_SERVICE_ERR;
- }
- pam_syslog(pamh, LOG_WARNING,
- "file %s created", _PATH_LASTLOG);
- D(("file %s created", _PATH_LASTLOG));
- } else {
- pam_syslog(pamh, LOG_ERR, "unable to open %s: %m", _PATH_LASTLOG);
- D(("unable to open %s file", _PATH_LASTLOG));
- return PAM_SERVICE_ERR;
- }
- }
-
- if (lseek(last_fd, sizeof(struct lastlog) * (off_t) uid, SEEK_SET) < 0) {
- pam_syslog(pamh, LOG_ERR, "failed to lseek %s: %m", _PATH_LASTLOG);
- D(("unable to lseek %s file", _PATH_LASTLOG));
- return PAM_SERVICE_ERR;
+ return PAM_SERVICE_ERR;
}
retval = last_login_read(pamh, announce, last_fd, uid, lltime);
@@ -502,7 +561,91 @@ cleanup:
return retval;
}
-/* --- authentication management functions (only) --- */
+/* --- authentication (locking out inactive users) functions --- */
+PAM_EXTERN int
+pam_sm_authenticate(pam_handle_t *pamh, int flags,
+ int argc, const char **argv)
+{
+ int retval, ctrl;
+ const char *user = NULL;
+ const struct passwd *pwd;
+ uid_t uid;
+ time_t lltime = 0;
+ time_t inactive_days = 0;
+ int last_fd;
+
+ /*
+ * Lock out the user if he did not login recently enough.
+ */
+
+ ctrl = _pam_auth_parse(pamh, flags, argc, argv, &inactive_days);
+
+ /* which user? */
+
+ if (pam_get_user(pamh, &user, NULL) != PAM_SUCCESS || user == NULL
+ || *user == '\0') {
+ pam_syslog(pamh, LOG_ERR, "cannot determine the user's name");
+ return PAM_USER_UNKNOWN;
+ }
+
+ /* what uid? */
+
+ pwd = pam_modutil_getpwnam (pamh, user);
+ if (pwd == NULL) {
+ pam_syslog(pamh, LOG_ERR, "user unknown");
+ return PAM_USER_UNKNOWN;
+ }
+ uid = pwd->pw_uid;
+ pwd = NULL; /* tidy up */
+
+ if (uid == 0)
+ return PAM_SUCCESS;
+
+ /* obtain the last login date and all the relevant info */
+ last_fd = last_login_open(pamh, ctrl, uid);
+ if (last_fd < 0) {
+ return PAM_IGNORE;
+ }
+
+ retval = last_login_read(pamh, ctrl|LASTLOG_QUIET, last_fd, uid, &lltime);
+ close(last_fd);
+
+ if (retval != PAM_SUCCESS) {
+ D(("error while reading lastlog file"));
+ return PAM_IGNORE;
+ }
+
+ if (lltime == 0) { /* user never logged in before */
+ if (ctrl & LASTLOG_DEBUG)
+ pam_syslog(pamh, LOG_DEBUG, "user never logged in - pass");
+ return PAM_SUCCESS;
+ }
+
+ lltime = (time(NULL) - lltime) / (24*60*60);
+
+ if (lltime > inactive_days) {
+ pam_syslog(pamh, LOG_INFO, "user %s inactive for %d days - denied", user, lltime);
+ return PAM_AUTH_ERR;
+ }
+
+ return PAM_SUCCESS;
+}
+
+PAM_EXTERN int
+pam_sm_setcred(pam_handle_t *pamh UNUSED, int flags UNUSED,
+ int argc UNUSED, const char **argv UNUSED)
+{
+ return PAM_SUCCESS;
+}
+
+PAM_EXTERN int
+pam_sm_acct_mgmt(pam_handle_t *pamh, int flags,
+ int argc, const char **argv)
+{
+ return pam_sm_authenticate(pamh, flags, argc, argv);
+}
+
+/* --- session management functions --- */
PAM_EXTERN int
pam_sm_open_session(pam_handle_t *pamh, int flags,
@@ -519,7 +662,7 @@ pam_sm_open_session(pam_handle_t *pamh,
* last login info and then updates the lastlog for that user.
*/
- ctrl = _pam_parse(pamh, flags, argc, argv);
+ ctrl = _pam_session_parse(pamh, flags, argc, argv);
/* which user? */
@@ -560,7 +703,7 @@ pam_sm_close_session (pam_handle_t *pamh
{
const char *terminal_line;
- if (!(_pam_parse(pamh, flags, argc, argv) & LASTLOG_WTMP))
+ if (!(_pam_session_parse(pamh, flags, argc, argv) & LASTLOG_WTMP))
return PAM_SUCCESS;
terminal_line = get_tty(pamh);
@@ -577,9 +720,9 @@ pam_sm_close_session (pam_handle_t *pamh
struct pam_module _pam_lastlog_modstruct = {
"pam_lastlog",
- NULL,
- NULL,
- NULL,
+ pam_sm_authenticate,
+ pam_sm_setcred,
+ pam_sm_acct_mgmt,
pam_sm_open_session,
pam_sm_close_session,
NULL,

93
pam-1.1.5-namespace-no-unmount.patch
View File

@ -1,93 +0,0 @@
diff --git a/modules/pam_namespace/pam_namespace.8.xml b/modules/pam_namespace/pam_namespace.8.xml
index 6ec3ad2..f0f80d3 100644
--- a/modules/pam_namespace/pam_namespace.8.xml
+++ b/modules/pam_namespace/pam_namespace.8.xml
@@ -44,7 +44,7 @@
ignore_instance_parent_mode
</arg>
<arg choice="opt">
- no_unmount_on_close
+ unmount_on_close
</arg>
<arg choice="opt">
use_current_context
@@ -195,16 +195,17 @@
<varlistentry>
<term>
- <option>no_unmount_on_close</option>
+ <option>unmount_on_close</option>
</term>
<listitem>
<para>
- For certain trusted programs such as newrole, open session
- is called from a child process while the parent performs
- close session and pam end functions. For these commands
- use this option to instruct pam_close_session to not
- unmount the bind mounted polyinstantiated directory in the
- parent.
+ Explicitly unmount the polyinstantiated directories instead
+ of relying on automatic namespace destruction after the last
+ process in a namespace exits. This option should be used
+ only in case it is ensured by other means that there cannot be
+ any processes running in the private namespace left after the
+ session close. It is also useful only in case there are
+ multiple pam session calls in sequence from the same process.
</para>
</listitem>
</varlistentry>
diff --git a/modules/pam_namespace/pam_namespace.c b/modules/pam_namespace/pam_namespace.c
index 470f493..a40f05e 100644
--- a/modules/pam_namespace/pam_namespace.c
+++ b/modules/pam_namespace/pam_namespace.c
@@ -2108,24 +2108,26 @@ PAM_EXTERN int pam_sm_close_session(pam_handle_t *pamh, int flags UNUSED,
idata.flags |= PAMNS_DEBUG;
if (strcmp(argv[i], "ignore_config_error") == 0)
idata.flags |= PAMNS_IGN_CONFIG_ERR;
- if (strcmp(argv[i], "no_unmount_on_close") == 0)
- idata.flags |= PAMNS_NO_UNMOUNT_ON_CLOSE;
+ if (strcmp(argv[i], "unmount_on_close") == 0)
+ idata.flags |= PAMNS_UNMOUNT_ON_CLOSE;
}
if (idata.flags & PAMNS_DEBUG)
pam_syslog(idata.pamh, LOG_DEBUG, "close_session - start");
/*
- * For certain trusted programs such as newrole, open session
- * is called from a child process while the parent perfoms
- * close session and pam end functions. For these commands
- * pam_close_session should not perform the unmount of the
- * polyinstantiatied directory because it will result in
- * undoing of parents polyinstantiatiaion. These commands
- * will invoke pam_namespace with the "no_unmount_on_close"
- * argument.
+ * Normally the unmount is implicitly done when the last
+ * process in the private namespace exits.
+ * If it is ensured that there are no child processes left in
+ * the private namespace by other means and if there are
+ * multiple sessions opened and closed sequentially by the
+ * same process, the "unmount_on_close" option might be
+ * used to unmount the polydirs explicitly.
*/
- if (idata.flags & PAMNS_NO_UNMOUNT_ON_CLOSE) {
+ if (!(idata.flags & PAMNS_UNMOUNT_ON_CLOSE)) {
+ pam_set_data(idata.pamh, NAMESPACE_POLYDIR_DATA, NULL, NULL);
+ pam_set_data(idata.pamh, NAMESPACE_PROTECT_DATA, NULL, NULL);
+
if (idata.flags & PAMNS_DEBUG)
pam_syslog(idata.pamh, LOG_DEBUG, "close_session - sucessful");
return PAM_SUCCESS;
diff --git a/modules/pam_namespace/pam_namespace.h b/modules/pam_namespace/pam_namespace.h
index 6bca31c..1d0c11c 100644
--- a/modules/pam_namespace/pam_namespace.h
+++ b/modules/pam_namespace/pam_namespace.h
@@ -101,7 +101,7 @@
#define PAMNS_GEN_HASH 0x00002000 /* Generate md5 hash for inst names */
#define PAMNS_IGN_CONFIG_ERR 0x00004000 /* Ignore format error in conf file */
#define PAMNS_IGN_INST_PARENT_MODE 0x00008000 /* Ignore instance parent mode */
-#define PAMNS_NO_UNMOUNT_ON_CLOSE 0x00010000 /* no unmount at session close */
+#define PAMNS_UNMOUNT_ON_CLOSE 0x00010000 /* Unmount at session close */
#define PAMNS_USE_CURRENT_CONTEXT 0x00020000 /* use getcon instead of getexeccon */
#define PAMNS_USE_DEFAULT_CONTEXT 0x00040000 /* use get_default_context instead of getexeccon */
#define PAMNS_MOUNT_PRIVATE 0x00080000 /* Make the polydir mounts private */

114
pam-1.1.5-namespace-rslave.patch
View File

@ -1,114 +0,0 @@
diff -up Linux-PAM-1.1.5/modules/pam_namespace/pam_namespace.8.xml.rslave Linux-PAM-1.1.5/modules/pam_namespace/pam_namespace.8.xml
--- Linux-PAM-1.1.5/modules/pam_namespace/pam_namespace.8.xml.rslave 2011-06-21 11:04:56.000000000 +0200
+++ Linux-PAM-1.1.5/modules/pam_namespace/pam_namespace.8.xml 2012-01-31 16:40:36.495716240 +0100
@@ -246,12 +246,18 @@
This option can be used on systems where the / mount point or
its submounts are made shared (for example with a
<command>mount --make-rshared /</command> command).
- The module will make the polyinstantiated directory mount points
- private. Normally the pam_namespace will try to detect the
+ The module will mark the whole directory tree so any mount and
+ unmount operations in the polyinstantiation namespace are private.
+ Normally the pam_namespace will try to detect the
shared / mount point and make the polyinstantiated directories
private automatically. This option has to be used just when
only a subtree is shared and / is not.
</para>
+ <para>
+ Note that mounts and unmounts done in the private namespace will not
+ affect the parent namespace if this option is used or when the
+ shared / mount point is autodetected.
+ </para>
</listitem>
</varlistentry>
diff -up Linux-PAM-1.1.5/modules/pam_namespace/pam_namespace.c.rslave Linux-PAM-1.1.5/modules/pam_namespace/pam_namespace.c
--- Linux-PAM-1.1.5/modules/pam_namespace/pam_namespace.c.rslave 2011-06-21 11:04:56.000000000 +0200
+++ Linux-PAM-1.1.5/modules/pam_namespace/pam_namespace.c 2012-01-31 16:42:07.762506791 +0100
@@ -1003,7 +1003,7 @@ static int protect_mount(int dfd, const
return 0;
}
-static int protect_dir(const char *path, mode_t mode, int do_mkdir, int always,
+static int protect_dir(const char *path, mode_t mode, int do_mkdir,
struct instance_data *idata)
{
char *p = strdup(path);
@@ -1082,7 +1082,7 @@ static int protect_dir(const char *path,
}
}
- if ((flags & O_NOFOLLOW) || always) {
+ if (flags & O_NOFOLLOW) {
/* we are inside user-owned dir - protect */
if (protect_mount(rv, p, idata) == -1) {
save_errno = errno;
@@ -1124,7 +1124,7 @@ static int check_inst_parent(char *ipath
if (trailing_slash)
*trailing_slash = '\0';
- dfd = protect_dir(inst_parent, 0, 1, 0, idata);
+ dfd = protect_dir(inst_parent, 0, 1, idata);
if (dfd == -1 || fstat(dfd, &instpbuf) < 0) {
pam_syslog(idata->pamh, LOG_ERR,
@@ -1259,7 +1259,7 @@ static int create_polydir(struct polydir
}
#endif
- rc = protect_dir(dir, mode, 1, idata->flags & PAMNS_MOUNT_PRIVATE, idata);
+ rc = protect_dir(dir, mode, 1, idata);
if (rc == -1) {
pam_syslog(idata->pamh, LOG_ERR,
"Error creating directory %s: %m", dir);
@@ -1447,7 +1447,7 @@ static int ns_setup(struct polydir_s *po
pam_syslog(idata->pamh, LOG_DEBUG,
"Set namespace for directory %s", polyptr->dir);
- retval = protect_dir(polyptr->dir, 0, 0, idata->flags & PAMNS_MOUNT_PRIVATE, idata);
+ retval = protect_dir(polyptr->dir, 0, 0, idata);
if (retval < 0 && errno != ENOENT) {
pam_syslog(idata->pamh, LOG_ERR, "Polydir %s access error: %m",
@@ -1534,22 +1534,6 @@ static int ns_setup(struct polydir_s *po
goto error_out;
}
- if (idata->flags & PAMNS_MOUNT_PRIVATE) {
- /*
- * Make the polyinstantiated dir private mount. This depends
- * on making the dir a mount point in the protect_dir call.
- */
- if (mount(polyptr->dir, polyptr->dir, NULL, MS_PRIVATE|MS_REC, NULL) < 0) {
- pam_syslog(idata->pamh, LOG_ERR, "Error making %s a private mount, %m",
- polyptr->dir);
- goto error_out;
- }
- if (idata->flags & PAMNS_DEBUG)
- pam_syslog(idata->pamh, LOG_DEBUG,
- "Polyinstantiated directory %s made as private mount", polyptr->dir);
-
- }
-
/*
* Bind mount instance directory on top of the polyinstantiated
* directory to provide an instance of polyinstantiated directory
@@ -1720,6 +1704,18 @@ static int setup_namespace(struct instan
"Unable to unshare from parent namespace, %m");
return PAM_SESSION_ERR;
}
+ if (idata->flags & PAMNS_MOUNT_PRIVATE) {
+ /* Remount / as SLAVE so that nothing mounted in the namespace
+ shows up in the parent */
+ if (mount("/", "/", NULL, MS_SLAVE | MS_REC , NULL) < 0) {
+ pam_syslog(idata->pamh, LOG_ERR,
+ "Failed to mark / as a slave mount point, %m");
+ return PAM_SESSION_ERR;
+ }
+ if (idata->flags & PAMNS_DEBUG)
+ pam_syslog(idata->pamh, LOG_DEBUG,
+ "The / mount point was marked as slave");
+ }
} else {
del_polydir_list(idata->polydirs_ptr);
return PAM_SUCCESS;

53
pam-1.1.5-unix-crypt.patch
View File

@ -1,53 +0,0 @@
From 1329c68b19daa6d5793dd672db73ebe85465eea9 Mon Sep 17 00:00:00 2001
From: Paul Wouters <pwouters@redhat.com>
Date: Wed, 11 Apr 2012 21:13:14 +0200
Subject: [PATCH] Check for crypt() failure returning NULL.
* modules/pam_unix/pam_unix_passwd.c (pam_sm_chauthtok): Adjust syslog message.
* modules/pam_unix/passverify.c (create_password_hash): Check for crypt()
returning NULL.
---
modules/pam_unix/pam_unix_passwd.c | 2 +-
modules/pam_unix/passverify.c | 6 ++++--
2 files changed, 5 insertions(+), 3 deletions(-)
diff --git a/modules/pam_unix/pam_unix_passwd.c b/modules/pam_unix/pam_unix_passwd.c
index e9059d3..9e1302d 100644
--- a/modules/pam_unix/pam_unix_passwd.c
+++ b/modules/pam_unix/pam_unix_passwd.c
@@ -800,7 +800,7 @@ pam_sm_chauthtok(pam_handle_t *pamh, int flags, int argc, const char **argv)
tpass = create_password_hash(pamh, pass_new, ctrl, rounds);
if (tpass == NULL) {
pam_syslog(pamh, LOG_CRIT,
- "out of memory for password");
+ "crypt() failure or out of memory for password");
pass_new = pass_old = NULL; /* tidy up */
unlock_pwdf();
return PAM_BUF_ERR;
diff --git a/modules/pam_unix/passverify.c b/modules/pam_unix/passverify.c
index 5289955..4840bb2 100644
--- a/modules/pam_unix/passverify.c
+++ b/modules/pam_unix/passverify.c
@@ -424,7 +424,7 @@ PAMH_ARG_DECL(char * create_password_hash,
}
#endif
sp = crypt(password, salt);
- if (strncmp(algoid, sp, strlen(algoid)) != 0) {
+ if (!sp || strncmp(algoid, sp, strlen(algoid)) != 0) {
/* libxcrypt/libc doesn't know the algorithm, use MD5 */
pam_syslog(pamh, LOG_ERR,
"Algo %s not supported by the crypto backend, "
@@ -432,7 +432,9 @@ PAMH_ARG_DECL(char * create_password_hash,
on(UNIX_BLOWFISH_PASS, ctrl) ? "blowfish" :
on(UNIX_SHA256_PASS, ctrl) ? "sha256" :
on(UNIX_SHA512_PASS, ctrl) ? "sha512" : algoid);
- memset(sp, '\0', strlen(sp));
+ if(sp) {
+ memset(sp, '\0', strlen(sp));
+ }
return crypt_md5_wrapper(password);
}
--
1.7.7.6

59
pam-1.1.5-unix-remember.patch
View File

@ -1,59 +0,0 @@
From 0baf28fa03dfa46482e13390fd9a7545c30ccd7f Mon Sep 17 00:00:00 2001
From: Tomas Mraz <tmraz@fedoraproject.org>
Date: Tue, 3 Jan 2012 12:30:43 +0100
Subject: [PATCH] Fix matching of usernames in the pam_unix remember feature.
* modules/pam_unix/pam_unix_passwd.c (check_old_password): Make
sure we match only the whole username in opasswd entry.
* modules/pam_unix/passverify.c (save_old_password): Likewise make
sure we match only the whole username in opasswd entry.
---
modules/pam_unix/pam_unix_passwd.c | 4 +++-
modules/pam_unix/passverify.c | 3 ++-
2 files changed, 5 insertions(+), 2 deletions(-)
diff --git a/modules/pam_unix/pam_unix_passwd.c b/modules/pam_unix/pam_unix_passwd.c
index 6ba2c2e..498a81c 100644
--- a/modules/pam_unix/pam_unix_passwd.c
+++ b/modules/pam_unix/pam_unix_passwd.c
@@ -280,13 +280,15 @@ static int check_old_password(const char *forwho, const char *newpass)
char *s_luser, *s_uid, *s_npas, *s_pas;
int retval = PAM_SUCCESS;
FILE *opwfile;
+ size_t len = strlen(forwho);
opwfile = fopen(OLD_PASSWORDS_FILE, "r");
if (opwfile == NULL)
return PAM_ABORT;
while (fgets(buf, 16380, opwfile)) {
- if (!strncmp(buf, forwho, strlen(forwho))) {
+ if (!strncmp(buf, forwho, len) && (buf[len] == ':' ||
+ buf[len] == ',')) {
char *sptr;
buf[strlen(buf) - 1] = '\0';
s_luser = strtok_r(buf, ":,", &sptr);
diff --git a/modules/pam_unix/passverify.c b/modules/pam_unix/passverify.c
index 089f4b8..5289955 100644
--- a/modules/pam_unix/passverify.c
+++ b/modules/pam_unix/passverify.c
@@ -562,6 +562,7 @@ save_old_password(pam_handle_t *pamh, const char *forwho, const char *oldpass,
int found = 0;
struct passwd *pwd = NULL;
struct stat st;
+ size_t len = strlen(forwho);
#ifdef WITH_SELINUX
security_context_t prev_context=NULL;
#endif
@@ -629,7 +630,7 @@ save_old_password(pam_handle_t *pamh, const char *forwho, const char *oldpass,
}
while (fgets(buf, 16380, opwfile)) {
- if (!strncmp(buf, forwho, strlen(forwho))) {
+ if (!strncmp(buf, forwho, len) && strchr(":,\n", buf[len]) != NULL) {
char *sptr = NULL;
found = 1;
if (howmany == 0)
--
1.7.7.6

24
pam-1.1.6-install-empty.patch Normal file
View File

@ -0,0 +1,24 @@
diff -up Linux-PAM-1.1.6/modules/pam_namespace/Makefile.am.empty Linux-PAM-1.1.6/modules/pam_namespace/Makefile.am
--- Linux-PAM-1.1.6/modules/pam_namespace/Makefile.am.empty 2012-08-15 13:08:43.000000000 +0200
+++ Linux-PAM-1.1.6/modules/pam_namespace/Makefile.am 2012-08-17 15:08:33.487322476 +0200
@@ -40,7 +40,7 @@ if HAVE_UNSHARE
secureconf_SCRIPTS = namespace.init
install-data-local:
- mkdir -p $(namespaceddir)
+ mkdir -p $(DESTDIR)$(namespaceddir)
endif
diff -up Linux-PAM-1.1.6/modules/pam_sepermit/Makefile.am.empty Linux-PAM-1.1.6/modules/pam_sepermit/Makefile.am
--- Linux-PAM-1.1.6/modules/pam_sepermit/Makefile.am.empty 2012-08-15 13:08:43.000000000 +0200
+++ Linux-PAM-1.1.6/modules/pam_sepermit/Makefile.am 2012-08-17 15:08:13.692856948 +0200
@@ -35,7 +35,7 @@ if HAVE_LIBSELINUX
securelib_LTLIBRARIES = pam_sepermit.la
install-data-local:
- mkdir -p $(sepermitlockdir)
+ mkdir -p $(DESTDIR)$(sepermitlockdir)
endif
if ENABLE_REGENERATE_MAN
noinst_DATA = README pam_sepermit.8 sepermit.conf.5

24
pam-1.1.6-noflex.patch Normal file
View File

@ -0,0 +1,24 @@
diff -up Linux-PAM-1.1.6/doc/Makefile.am.noflex Linux-PAM-1.1.6/doc/Makefile.am
--- Linux-PAM-1.1.6/doc/Makefile.am.noflex 2012-08-15 13:08:43.000000000 +0200
+++ Linux-PAM-1.1.6/doc/Makefile.am 2012-08-17 14:13:11.904949748 +0200
@@ -2,7 +2,7 @@
# Copyright (c) 2005, 2006 Thorsten Kukuk <kukuk@suse.de>
#
-SUBDIRS = man specs sag adg mwg
+SUBDIRS = man sag adg mwg
CLEANFILES = *~
diff -up Linux-PAM-1.1.6/Makefile.am.noflex Linux-PAM-1.1.6/Makefile.am
--- Linux-PAM-1.1.6/Makefile.am.noflex 2012-08-15 13:08:43.000000000 +0200
+++ Linux-PAM-1.1.6/Makefile.am 2012-08-17 14:15:36.705359892 +0200
@@ -4,7 +4,7 @@
AUTOMAKE_OPTIONS = 1.9 gnu dist-bzip2 check-news
-SUBDIRS = libpam tests libpamc libpam_misc modules po conf doc examples xtests
+SUBDIRS = libpam tests libpamc libpam_misc modules po doc examples xtests
CLEANFILES = *~

110
pam-1.0.91-std-noclose.patch → pam-1.1.6-std-noclose.patch
View File

@ -1,7 +1,7 @@
diff -up Linux-PAM-1.0.91/modules/pam_mkhomedir/pam_mkhomedir.c.std-noclose Linux-PAM-1.0.91/modules/pam_mkhomedir/pam_mkhomedir.c
--- Linux-PAM-1.0.91/modules/pam_mkhomedir/pam_mkhomedir.c.std-noclose 2009-03-03 14:56:01.000000000 +0100
+++ Linux-PAM-1.0.91/modules/pam_mkhomedir/pam_mkhomedir.c 2009-03-26 10:02:15.000000000 +0100
@@ -131,13 +131,21 @@ create_homedir (pam_handle_t *pamh, int
diff -up Linux-PAM-1.1.6/modules/pam_mkhomedir/pam_mkhomedir.c.std-noclose Linux-PAM-1.1.6/modules/pam_mkhomedir/pam_mkhomedir.c
--- Linux-PAM-1.1.6/modules/pam_mkhomedir/pam_mkhomedir.c.std-noclose 2012-08-15 13:08:43.000000000 +0200
+++ Linux-PAM-1.1.6/modules/pam_mkhomedir/pam_mkhomedir.c 2012-08-17 13:25:20.684075361 +0200
@@ -133,13 +133,21 @@ create_homedir (pam_handle_t *pamh, opti
if (child == 0) {
int i;
struct rlimit rlim;
@ -21,59 +21,13 @@ diff -up Linux-PAM-1.0.91/modules/pam_mkhomedir/pam_mkhomedir.c.std-noclose Linu
rlim.rlim_max = MAX_FD_NO;
- for (i=0; i < (int)rlim.rlim_max; i++) {
+ for (i = STDERR_FILENO + 1; i < (int)rlim.rlim_max; i++) {
close(i);
close(i);
}
}
diff -up Linux-PAM-1.0.91/modules/pam_unix/support.c.std-noclose Linux-PAM-1.0.91/modules/pam_unix/support.c
--- Linux-PAM-1.0.91/modules/pam_unix/support.c.std-noclose 2009-03-03 14:56:01.000000000 +0100
+++ Linux-PAM-1.0.91/modules/pam_unix/support.c 2009-03-26 10:08:59.000000000 +0100
@@ -443,13 +443,16 @@ static int _unix_run_helper_binary(pam_h
/* reopen stdin as pipe */
dup2(fds[0], STDIN_FILENO);
+ /* and replace also the stdout/err as the helper will
+ not write anything there */
+ dup2(fds[1], STDOUT_FILENO);
+ dup2(fds[1], STDERR_FILENO);
if (getrlimit(RLIMIT_NOFILE,&rlim)==0) {
if (rlim.rlim_max >= MAX_FD_NO)
rlim.rlim_max = MAX_FD_NO;
- for (i=0; i < (int)rlim.rlim_max; i++) {
- if (i != STDIN_FILENO)
- close(i);
+ for (i = STDERR_FILENO + 1; i < (int)rlim.rlim_max; i++) {
+ close(i);
}
}
diff -up Linux-PAM-1.0.91/modules/pam_unix/pam_unix_passwd.c.std-noclose Linux-PAM-1.0.91/modules/pam_unix/pam_unix_passwd.c
--- Linux-PAM-1.0.91/modules/pam_unix/pam_unix_passwd.c.std-noclose 2009-03-03 14:56:01.000000000 +0100
+++ Linux-PAM-1.0.91/modules/pam_unix/pam_unix_passwd.c 2009-03-26 10:07:06.000000000 +0100
@@ -175,13 +175,16 @@ static int _unix_run_update_binary(pam_h
/* reopen stdin as pipe */
dup2(fds[0], STDIN_FILENO);
+ /* and replace also the stdout/err as the helper will
+ not write anything there */
+ dup2(fds[1], STDOUT_FILENO);
+ dup2(fds[1], STDERR_FILENO);
if (getrlimit(RLIMIT_NOFILE,&rlim)==0) {
if (rlim.rlim_max >= MAX_FD_NO)
rlim.rlim_max = MAX_FD_NO;
- for (i=0; i < (int)rlim.rlim_max; i++) {
- if (i != STDIN_FILENO)
- close(i);
+ for (i = STDERR_FILENO + 1; i < (int)rlim.rlim_max; i++) {
+ close(i);
}
}
diff -up Linux-PAM-1.0.91/modules/pam_unix/pam_unix_acct.c.std-noclose Linux-PAM-1.0.91/modules/pam_unix/pam_unix_acct.c
--- Linux-PAM-1.0.91/modules/pam_unix/pam_unix_acct.c.std-noclose 2009-03-03 14:56:01.000000000 +0100
+++ Linux-PAM-1.0.91/modules/pam_unix/pam_unix_acct.c 2009-03-26 10:05:41.000000000 +0100
@@ -100,16 +100,18 @@ int _unix_run_verify_binary(pam_handle_t
diff -up Linux-PAM-1.1.6/modules/pam_unix/pam_unix_acct.c.std-noclose Linux-PAM-1.1.6/modules/pam_unix/pam_unix_acct.c
--- Linux-PAM-1.1.6/modules/pam_unix/pam_unix_acct.c.std-noclose 2012-08-15 13:08:43.000000000 +0200
+++ Linux-PAM-1.1.6/modules/pam_unix/pam_unix_acct.c 2012-08-17 13:22:51.664560481 +0200
@@ -105,16 +105,18 @@ int _unix_run_verify_binary(pam_handle_t
/* reopen stdout as pipe */
dup2(fds[1], STDOUT_FILENO);
@ -96,3 +50,49 @@ diff -up Linux-PAM-1.0.91/modules/pam_unix/pam_unix_acct.c.std-noclose Linux-PAM
}
}
diff -up Linux-PAM-1.1.6/modules/pam_unix/pam_unix_passwd.c.std-noclose Linux-PAM-1.1.6/modules/pam_unix/pam_unix_passwd.c
--- Linux-PAM-1.1.6/modules/pam_unix/pam_unix_passwd.c.std-noclose 2012-08-15 13:08:43.000000000 +0200
+++ Linux-PAM-1.1.6/modules/pam_unix/pam_unix_passwd.c 2012-08-17 14:10:38.917346789 +0200
@@ -210,13 +210,16 @@ static int _unix_run_update_binary(pam_h
/* reopen stdin as pipe */
dup2(fds[0], STDIN_FILENO);
+ /* and replace also the stdout/err as the helper will
+ not write anything there */
+ dup2(fds[1], STDOUT_FILENO);
+ dup2(fds[1], STDERR_FILENO);
if (getrlimit(RLIMIT_NOFILE,&rlim)==0) {
if (rlim.rlim_max >= MAX_FD_NO)
rlim.rlim_max = MAX_FD_NO;
- for (i=0; i < (int)rlim.rlim_max; i++) {
- if (i != STDIN_FILENO)
- close(i);
+ for (i = STDERR_FILENO + 1; i < (int)rlim.rlim_max; i++) {
+ close(i);
}
}
diff -up Linux-PAM-1.1.6/modules/pam_unix/support.c.std-noclose Linux-PAM-1.1.6/modules/pam_unix/support.c
--- Linux-PAM-1.1.6/modules/pam_unix/support.c.std-noclose 2012-08-15 13:08:43.000000000 +0200
+++ Linux-PAM-1.1.6/modules/pam_unix/support.c 2012-08-17 14:12:10.833511475 +0200
@@ -469,13 +469,16 @@ static int _unix_run_helper_binary(pam_h
/* reopen stdin as pipe */
dup2(fds[0], STDIN_FILENO);
+ /* and replace also the stdout/err as the helper will
+ not write anything there */
+ dup2(fds[1], STDOUT_FILENO);
+ dup2(fds[1], STDERR_FILENO);
if (getrlimit(RLIMIT_NOFILE,&rlim)==0) {
if (rlim.rlim_max >= MAX_FD_NO)
rlim.rlim_max = MAX_FD_NO;
- for (i=0; i < (int)rlim.rlim_max; i++) {
- if (i != STDIN_FILENO)
- close(i);
+ for (i = STDERR_FILENO + 1; i < (int)rlim.rlim_max; i++) {
+ close(i);
}
}

35
pam.spec
View File

@ -2,14 +2,14 @@
Summary: An extensible library which provides authentication for applications
Name: pam
Version: 1.1.5
Release: 9%{?dist}
Version: 1.1.6
Release: 1%{?dist}
# The library is BSD licensed with option to relicense as GPLv2+
# - this option is redundant as the BSD license allows that anyway.
# pam_timestamp, pam_loginuid, and pam_console modules are GPLv2+.
License: BSD and GPLv2+
Group: System Environment/Base
Source0: https://fedorahosted.org/releases/l/i/linux-pam/Linux-PAM-%{version}.tar.bz2
Source0: http://www.linux-pam.org/library/Linux-PAM-%{version}.tar.bz2
# This is the old location that might be revived in future:
#Source0: http://ftp.us.kernel.org/pub/linux/libs/pam/library/Linux-PAM-%{version}.tar.bz2
#Source1: http://ftp.us.kernel.org/pub/linux/libs/pam/library/Linux-PAM-%{version}.tar.bz2.sign
@ -28,32 +28,20 @@ Source15: pamtmp.conf
Source16: postlogin.pamd
Source17: postlogin.5
Patch1: pam-1.0.90-redhat-modules.patch
Patch2: pam-1.0.91-std-noclose.patch
Patch2: pam-1.1.6-std-noclose.patch
Patch4: pam-1.1.0-console-nochmod.patch
Patch5: pam-1.1.0-notally.patch
Patch7: pam-1.1.0-console-fixes.patch
Patch8: pam-1.1.1-faillock.patch
Patch9: pam-1.1.2-noflex.patch
Patch9: pam-1.1.6-noflex.patch
Patch10: pam-1.1.3-nouserenv.patch
Patch11: pam-1.1.3-console-abstract.patch
Patch12: pam-1.1.3-faillock-screensaver.patch
Patch13: pam-1.1.5-limits-user.patch
# Committed to upstream git
Patch14: pam-1.1.5-namespace-rslave.patch
# Committed to upstream git
Patch15: pam-1.1.5-namespace-no-unmount.patch
# Committed to upstream git
Patch16: pam-1.1.5-lastlog-inactive.patch
# Committed to upstream git
Patch17: pam-1.1.5-cracklib-gecoscheck.patch
# Committed to upstream git
Patch18: pam-1.1.5-unix-remember.patch
# Committed to upstream git
Patch19: pam-1.1.5-unix-crypt.patch
# FIPS related - non upstreamable
Patch20: pam-1.1.5-unix-no-fallback.patch
# Will be upstreamed
Patch21: pam-1.1.5-install-empty.patch
# Upstreamed
Patch21: pam-1.1.6-install-empty.patch
#
Patch22: pam-1.1.5-unix-build.patch
@ -128,12 +116,6 @@ mv pam-redhat-%{pam_redhat_version}/* modules
%patch11 -p1 -b .abstract
%patch12 -p1 -b .screensaver
%patch13 -p1 -b .limits
%patch14 -p1 -b .rslave
%patch15 -p1 -b .no-unmount
%patch16 -p1 -b .inactive
%patch17 -p1 -b .gecoscheck
%patch18 -p1 -b .remember
%patch19 -p1 -b .crypt
%patch20 -p1 -b .no-fallback
%patch21 -p1 -b .empty
%patch22 -p1 -b .build
@ -391,6 +373,9 @@ fi
%doc doc/adg/*.txt doc/adg/html
%changelog
* Fri Aug 17 2012 Tomas Mraz <tmraz@redhat.com> - 1.1.6-1
- new upstream release
* Thu Aug 9 2012 Tomas Mraz <tmraz@redhat.com> - 1.1.5-9
- make the pam_lastlog module in postlogin 'optional' (#846843)

2
sources
View File

@ -1,2 +1,2 @@
c115640346a987356f6b76ec1d425185 pam-redhat-0.99.10-1.tar.bz2
927ee5585bdec5256c75117e9348aa47 Linux-PAM-1.1.5.tar.bz2
7b73e58b7ce79ffa321d408de06db2c4 Linux-PAM-1.1.6.tar.bz2