From a526ddfed4d5a3d99f33c5f8222e9bff55c560b8 Mon Sep 17 00:00:00 2001
From: Tomas Mraz
Date: Thu, 25 Nov 2010 18:14:01 +0100
Subject: [PATCH] - add config for autocreation of subdirectories in /var/run (#656655) - automatically enable kernel console in pam_securetty
---
pam-1.1.3-securetty-console.patch | 120 ++++++++++++++++++++++++++++++
pam.spec | 13 +++-
pamtmp.conf | 3 +
3 files changed, 135 insertions(+), 1 deletion(-)
create mode 100644 pam-1.1.3-securetty-console.patch
create mode 100644 pamtmp.conf
diff --git a/pam-1.1.3-securetty-console.patch b/pam-1.1.3-securetty-console.patch
new file mode 100644
index 0000000..94fa6ec
--- /dev/null
+++ b/pam-1.1.3-securetty-console.patch
@@ -0,0 +1,120 @@
+Index: modules/pam_securetty/pam_securetty.8.xml
+===================================================================
+RCS file: /cvsroot/pam/Linux-PAM/modules/pam_securetty/pam_securetty.8.xml,v
+retrieving revision 1.4
+retrieving revision 1.6
+diff -u -p -r1.4 -r1.6
+--- modules/pam_securetty/pam_securetty.8.xml 18 Aug 2008 13:29:25 -0000 1.4
++++ modules/pam_securetty/pam_securetty.8.xml 25 Nov 2010 16:58:59 -0000 1.6
+@@ -33,7 +33,9 @@
+ user is logging in on a "secure" tty, as defined by the listing
+ in /etc/securetty. pam_securetty also checks
+ to make sure that /etc/securetty is a plain
+- file and not world writable.
++ file and not world writable. It will also allow root logins on
++ the tty specified with switch on the
++ kernel command line.
+
+
+ This module has no effect on non-root users and requires that the
+@@ -61,6 +63,18 @@
+
+
+
++
++
++
++
++
++ Do not automatically allow root logins on the kernel console
++ device, as specified on the kernel command line, if it is
++ not also specified in the /etc/securetty file.
++
++
+
+
+Index: modules/pam_securetty/pam_securetty.c
+===================================================================
+RCS file: /cvsroot/pam/Linux-PAM/modules/pam_securetty/pam_securetty.c,v
+retrieving revision 1.14
+retrieving revision 1.15
+diff -u -p -r1.14 -r1.15
+--- modules/pam_securetty/pam_securetty.c 10 Sep 2009 10:19:58 -0000 1.14
++++ modules/pam_securetty/pam_securetty.c 24 Nov 2010 12:28:01 -0000 1.15
+@@ -2,6 +2,7 @@
+
+ #define SECURETTY_FILE "/etc/securetty"
+ #define TTY_PREFIX "/dev/"
++#define CMDLINE_FILE "/proc/cmdline"
+
+ /*
+ * by Elliot Lee , Red Hat Software.
+@@ -22,6 +23,7 @@
+ #include
+ #include
+ #include
++#include
+
+ /*
+ * here, we make a definition for the externally accessible function
+@@ -38,6 +40,7 @@
+ #include
+
+ #define PAM_DEBUG_ARG 0x0001
++#define PAM_NOCONSOLE_ARG 0x0002
+
+ static int
+ _pam_parse (const pam_handle_t *pamh, int argc, const char **argv)
+@@ -51,6 +54,8 @@ _pam_parse (const pam_handle_t *pamh, in
+
+ if (!strcmp(*argv,"debug"))
+ ctrl |= PAM_DEBUG_ARG;
++ else if (!strcmp(*argv, "noconsole"))
++ ctrl |= PAM_NOCONSOLE_ARG;
+ else {
+ pam_syslog(pamh, LOG_ERR, "unknown option: %s", *argv);
+ }
+@@ -144,6 +149,40 @@ securetty_perform_check (pam_handle_t *p
+ }
+ fclose(ttyfile);
+
++ if (retval && !(ctrl & PAM_NOCONSOLE_ARG)) {
++ FILE *cmdlinefile;
++
++ /* Allow access from the kernel console, if enabled */
++ cmdlinefile = fopen(CMDLINE_FILE, "r");
++
++ if (cmdlinefile != NULL) {
++ char line[LINE_MAX], *p;
++
++ line[0] = 0;
++ fgets(line, sizeof(line), cmdlinefile);
++ fclose(cmdlinefile);
++
++ for (p = line; p; p = strstr(p+1, "console=")) {
++ char *e;
++
++ /* Test whether this is a beginning of a word? */
++ if (p > line && p[-1] != ' ')
++ continue;
++
++ /* Ist this our console? */
++ if (strncmp(p + 8, uttyname, strlen(uttyname)))
++ continue;
++
++ /* Is there any garbage after the TTY name? */
++ e = p + 8 + strlen(uttyname);
++ if (*e == ',' || *e == ' ' || *e == '\n' || *e == 0) {
++ retval = 0;
++ break;
++ }
++ }
++ }
++ }
++
+ if (retval) {
+ pam_syslog(pamh, LOG_WARNING, "access denied: tty '%s' is not secure !",
+ uttyname);
diff --git a/pam.spec b/pam.spec
index 14db32c..0a534a5 100644
--- a/pam.spec
+++ b/pam.spec
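Review bot: The first iteration of the `for` loop added in the `@@ -144` hunk starts at `p = line` without ever checking that the command line begins with `console=`, so `strncmp(p + 8, uttyname, strlen(uttyname))` compares whatever happens to sit eight bytes into /proc/cmdline against the tty name; if those bytes spell the tty name followed by a space, comma or end of line, root login is granted although no `console=` entry exists. Seeding the loop with `for (p = strstr(line, "console="); p; p = strstr(p+1, "console="))` makes every iteration a genuine `console=` hit while keeping the word-boundary test as written. The `fgets()` return value is also ignored; on a read error the buffer contents are not guaranteed to still be the pre-set empty string, so `if (fgets(line, sizeof(line), cmdlinefile) == NULL) line[0] = 0;` plus a `pam_syslog(pamh, LOG_ERR, ...)` is cheaper than reasoning about it. Both are only exploitable by whoever already controls the kernel command line, so the exposure is small, but this path relaxes an authorization decision and is on by default for every caller that does not pass `noconsole`. securetty_perform_check begins and ends outside the hunk.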
@@ -3,7 +3,7 @@
Summary: An extensible library which provides authentication for applications
Name: pam
Version: 1.1.3
-Release: 4%{?dist}
+Release: 5%{?dist}
# The library is BSD licensed with option to relicense as GPLv2+ - this option is redundant
# as the BSD license allows that anyway. pam_timestamp and pam_console modules are GPLv2+,
License: BSD and GPLv2+
@@ -21,6 +21,7 @@ Source11: dlopen.sh
Source12: system-auth.5
Source13: config-util.5
Source14: 90-nproc.conf
+Source15: pamtmp.conf
Patch1: pam-1.0.90-redhat-modules.patch
Patch2: pam-1.0.91-std-noclose.patch
Patch4: pam-1.1.0-console-nochmod.patch
@@ -31,6 +32,7 @@ Patch9: pam-1.1.2-noflex.patch
Patch10: pam-1.1.3-nouserenv.patch
Patch11: pam-1.1.3-console-abstract.patch
Patch12: pam-1.1.3-faillock-screensaver.patch
+Patch13: pam-1.1.3-securetty-console.patch
%define _sbindir /sbin
%define _moduledir /%{_lib}/security
@@ -101,6 +103,7 @@ mv pam-redhat-%{pam_redhat_version}/* modules
%patch10 -p1 -b .nouserenv
%patch11 -p1 -b .abstract
%patch12 -p1 -b .screensaver
+%patch13 -p0 -b .console
libtoolize -f
autoreconf
@@ -180,6 +183,9 @@ rm -fr $RPM_BUILD_ROOT/usr/share/doc/pam
# Create /lib/security in case it isn't the same as %{_moduledir}.
install -m755 -d $RPM_BUILD_ROOT/lib/security
+# Install the file for autocreation of /var/run subdirectories on boot
+install -m644 -D %{SOURCE15} $RPM_BUILD_ROOT%{_sysconfdir}/tmpfiles.d/pamtmp.conf
+
%find_lang Linux-PAM
%check
@@ -331,6 +337,7 @@ fi
%endif
%ghost %verify(not md5 size mtime) /var/log/tallylog
%dir /var/run/faillock
+%config(noreplace) %{_sysconfdir}/tmpfiles.d/pamtmp.conf
%{_mandir}/man5/*
%{_mandir}/man8/*
@@ -345,6 +352,10 @@ fi
%doc doc/adg/*.txt doc/adg/html
%changelog
+* Thu Nov 25 2010 Tomas Mraz 1.1.3-5
+- add config for autocreation of subdirectories in /var/run (#656655)
+- automatically enable kernel console in pam_securetty
+
 * Wed Nov 10 2010 Tomas Mraz 1.1.3-4
 - fix memory leak in pam_faillock
diff --git a/pamtmp.conf b/pamtmp.conf
new file mode 100644
index 0000000..61f4c3e
--- /dev/null
+++ b/pamtmp.conf
@@ -0,0 +1,3 @@
+d /var/run/console 0755 root root -
+d /var/run/faillock 0755 root root -
+d /var/run/sepermit 0755 root root -