[pam_ssh/el4] update to 1.97
Dmitry Butskoy
buc at fedoraproject.org
Wed Aug 31 12:55:06 UTC 2011
commit 10023aac846cf371449aea56b72d3afb3962e487
Author: Dmitry Butskoy <Dmitry at Butskoy.name>
Date: Wed Aug 31 16:54:19 2011 +0400
update to 1.97
pam_ssh-1.91-getpwnam.patch | 70 ------------
pam_ssh-1.91-include_syslog.diff | 10 --
pam_ssh-1.91-man_agent_files.diff | 13 ---
pam_ssh-1.92-include_pam.patch | 11 --
pam_ssh-1.97-setgid.patch | 13 +++
....91-var_run.patch => pam_ssh-1.97-var_run.patch | 79 +++++++-------
pam_ssh.spec | 113 +++++++++++++++-----
sources | 2 +-
8 files changed, 140 insertions(+), 171 deletions(-)
---
diff --git a/pam_ssh-1.97-setgid.patch b/pam_ssh-1.97-setgid.patch
new file mode 100644
index 0000000..71566f6
--- /dev/null
+++ b/pam_ssh-1.97-setgid.patch
@@ -0,0 +1,13 @@
+diff -Nrbu pam_ssh-1.97/pam_ssh.c pam_ssh-1.97-OK/pam_ssh.c
+--- pam_ssh-1.97/pam_ssh.c 2011-06-07 16:34:48.000000000 +0400
++++ pam_ssh-1.97-OK/pam_ssh.c 2011-06-07 16:36:07.000000000 +0400
+@@ -688,7 +688,8 @@
+ _exit(EX_OSERR);
+ /* NOTREACHED */
+ case PAM_SUCCESS:
+- if (setuid(pwent->pw_uid) == -1) {
++ if (initgroups(pwent->pw_name, pwent->pw_gid) == -1 ||
++ setgid(pwent->pw_gid) == -1 || setuid(pwent->pw_uid) == -1) {
+ pam_ssh_log(LOG_ERR,
+ "can't drop privileges: %m",
+ pwent->pw_uid);
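Review bot: The log call under the new condition no longer says which of initgroups(), setgid() or setuid() failed, and the `pwent->pw_uid` argument handed to pam_ssh_log has no conversion in `"can't drop privileges: %m"` to consume it (the surplus argument predates this patch, but the change is the moment to use it). Assuming pam_ssh_log is printf-like with syslog's `%m`, as the existing format suggests, `"can't drop privileges to uid %u: %m", (unsigned)pwent->pw_uid` would make the line actionable, with errno via `%m` still pointing at the failing step. The order initgroups → setgid → setuid is the right one, since the first two need the still-held root uid. The enclosing switch and function continue outside the hunk.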
diff --git a/pam_ssh-1.91-var_run.patch b/pam_ssh-1.97-var_run.patch
similarity index 59%
rename from pam_ssh-1.91-var_run.patch
rename to pam_ssh-1.97-var_run.patch
index d12c404..94342a7 100644
--- a/pam_ssh-1.91-var_run.patch
+++ b/pam_ssh-1.97-var_run.patch
@@ -1,37 +1,43 @@
-diff -Nrbu pam_ssh-1.91/pam_ssh.c pam_ssh-1.91-OK/pam_ssh.c
---- pam_ssh-1.91/pam_ssh.c 2005-08-16 19:22:54.000000000 +0400
-+++ pam_ssh-1.91-OK/pam_ssh.c 2005-08-16 19:22:03.000000000 +0400
-@@ -109,6 +109,7 @@
- #define PAM_OPT_BLANK_PASSPHRASE_NAME "allow_blank_passphrase"
+diff -Nrbu pam_ssh-1.97/pam_ssh.8 pam_ssh-1.97-OK/pam_ssh.8
+--- pam_ssh-1.97/pam_ssh.8 2008-05-12 22:57:12.000000000 +0400
++++ pam_ssh-1.97-OK/pam_ssh.8 2010-12-13 19:54:24.000000000 +0300
+@@ -148,6 +148,10 @@
+ SSH2 RSA keys
+ .It Pa $HOME/.ssh2/id_dsa_*
+ SSH2 DSA keys
++.It Pa /var/run/pam_ssh/<user>*
++ssh-agent environment information. The files are owned by the superuser but
++readable by the users. The location is Fedora specific, in the original package
++these files are in $HOME/.ssh/agent-*
+ .El
+ .Sh SEE ALSO
+ .Xr ssh-agent 1 ,
+diff -Nrbu pam_ssh-1.97/pam_ssh.c pam_ssh-1.97-OK/pam_ssh.c
+--- pam_ssh-1.97/pam_ssh.c 2008-05-12 22:57:12.000000000 +0400
++++ pam_ssh-1.97-OK/pam_ssh.c 2010-12-13 20:19:36.000000000 +0300
+@@ -114,6 +114,7 @@
+ #define PAM_OPT_NULLOK_NAME "nullok"
#define SEP_KEYFILES ","
#define SSH_CLIENT_DIR ".ssh"
+#define STATE_DIR "/var/run/" MODULE_NAME
enum {
#if HAVE_OPENPAM || HAVE_PAM_STRUCT_OPTIONS || !HAVE_PAM_STD_OPTION
-@@ -489,7 +490,6 @@
+@@ -540,7 +541,6 @@
char env_string[BUFSIZ]; /* environment string */
char *env_value; /* envariable value */
int env_write; /* env file descriptor */
- char hname[MAXHOSTNAMELEN]; /* local hostname */
- int no_link; /* link per-agent file? */
char *per_agent; /* to store env */
char *per_session; /* per-session filename */
-@@ -502,7 +502,6 @@
-
- log_init(MODULE_NAME, SYSLOG_LEVEL_ERROR, SYSLOG_FACILITY_AUTHPRIV, 0);
-
-- /* dump output of ssh-agent in ~/.ssh */
- if ((retval = pam_get_user(pamh, &user, NULL)) != PAM_SUCCESS)
- return retval;
- if (!(user && (pwent = getpwnam(user)) && pwent->pw_dir &&
-@@ -521,17 +520,16 @@
+ const struct passwd *pwent; /* user's passwd entry */
+@@ -583,17 +583,16 @@
* Technique: Create an environment file containing
* information about the agent. Only one file is created, but
* it may be given many names. One name is given for the
- * agent itself, agent-<host>. Another name is given for each
- * session, agent-<host>-<display> or agent-<host>-<tty>. We
-+ * agent itself, /var/run/pam_ssh/<user>. Another name is given
++ * agent itself, /var/run/pam_ssh/<user>. Another name is given
+ * for each session, <user>-<display> or <user>-<tty>. We
* delete the per-session filename on session close, and when
* the link count goes to unity on the per-agent file, we
@@ -47,24 +53,21 @@ diff -Nrbu pam_ssh-1.91/pam_ssh.c pam_ssh-1.91-OK/pam_ssh.c
== -1) {
pam_ssh_log(LOG_CRIT, "out of memory");
openpam_restore_cred(pamh);
-@@ -555,9 +553,14 @@
-
- env_write = child_pid = no_link = start_agent = 0;
- env_read = NULL;
-- if ((env_write = open(per_agent, O_CREAT | O_EXCL | O_WRONLY, S_IRUSR))
-- < 0 && !(env_read = fopen(per_agent, "r")))
-+
-+ openpam_restore_cred(pamh);
-+ if ((env_write = open(per_agent, O_CREAT | O_EXCL | O_WRONLY,
-+ S_IRUSR | S_IRGRP | S_IROTH)) < 0 &&
-+ !(env_read = fopen(per_agent, "r")))
- no_link = 1;
-+ openpam_borrow_cred(pamh, pwent);
-+
- if (!env_read) {
- start_agent = 1;
- if (pipe(child_pipe) < 0) {
-@@ -790,7 +793,7 @@
+@@ -644,7 +643,12 @@
+ }
+
+ if (start_agent) {
+- if ((env_write = open(per_agent, O_CREAT | O_WRONLY, S_IRUSR | S_IWUSR)) < 0) {
++ openpam_restore_cred(pamh);
++ if (stat(STATE_DIR, &stat_buf) < 0)
++ mkdir(STATE_DIR, S_IRWXU | S_IRGRP | S_IXGRP | S_IROTH | S_IXOTH);
++ env_write = open(per_agent, O_CREAT | O_WRONLY, S_IRUSR | S_IRGRP | S_IROTH);
++ openpam_borrow_cred(pamh, pwent);
++ if (env_write < 0) {
+ pam_ssh_log(LOG_ERR, "can't write to %s", per_agent);
+ free(per_agent);
+ openpam_restore_cred(pamh);
+@@ -880,7 +884,7 @@
for (cp = tty_nodir; (cp = strchr(cp, '/')); )
*cp = '_';
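Review bot: The return value of mkdir(STATE_DIR, ...) in the new `@@ -644,7 +643,12 @@` block is ignored, so when the directory cannot be created (or STATE_DIR exists but is not a directory) the only diagnostic is the later "can't write to %s" for per_agent and the errno from mkdir is lost. `if (stat(STATE_DIR, &stat_buf) < 0 && mkdir(STATE_DIR, S_IRWXU | S_IRGRP | S_IXGRP | S_IROTH | S_IXOTH) < 0) pam_ssh_log(LOG_ERR, "can't create %s: %m", STATE_DIR);` keeps the flow and records the cause. The mode given to mkdir is also reduced by the calling process's umask, so an application with a strict umask yields a directory users cannot traverse, at odds with the man page text in the first hunk saying the files are readable by users; a comment recording that umask assumption next to the mkdir would make it explicit. `stat_buf` is not declared in any visible hunk; presumably it already exists in pam_ssh 1.97, which cannot be confirmed from here. The enclosing function begins and ends outside the hunk.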
@@ -73,7 +76,7 @@ diff -Nrbu pam_ssh-1.91/pam_ssh.c pam_ssh-1.91-OK/pam_ssh.c
tty_nodir) == -1) {
pam_ssh_log(LOG_CRIT, "out of memory");
free(tty_nodir);
-@@ -809,10 +812,10 @@
+@@ -899,10 +903,10 @@
return retval;
}
@@ -85,7 +88,7 @@ diff -Nrbu pam_ssh-1.91/pam_ssh.c pam_ssh-1.91-OK/pam_ssh.c
return PAM_SUCCESS;
}
-@@ -842,8 +845,11 @@
+@@ -932,8 +936,11 @@
}
if (pam_get_data(pamh, "ssh_agent_env_session",
@@ -98,7 +101,7 @@ diff -Nrbu pam_ssh-1.91/pam_ssh.c pam_ssh-1.91-OK/pam_ssh.c
/* Retrieve per-agent filename and check link count. If it's
greater than unity, other sessions are still using this
-@@ -858,7 +864,9 @@
+@@ -948,7 +955,9 @@
openpam_restore_cred(pamh);
return PAM_SUCCESS;
}
diff --git a/pam_ssh.spec b/pam_ssh.spec
index 7883f9c..811e215 100644
--- a/pam_ssh.spec
+++ b/pam_ssh.spec
@@ -1,25 +1,18 @@
+Summary: PAM module for use with SSH keys and ssh-agent
Name: pam_ssh
-Version: 1.92
+Version: 1.97
Release: 7%{?dist}
-Summary: PAM module for use with SSH keys and ssh-agent
-Source: http://downloads.sourceforge.net/pam-ssh/pam_ssh-%{version}.tar.bz2
-URL: http://sourceforge.net/projects/pam-ssh/
-Patch0: pam_ssh-1.91-getpwnam.patch
-# put agent files in /var/run instead of the home directory to avoid
-# complications when run from different hosts
-Patch1: pam_ssh-1.91-var_run.patch
-# corresponding man page
-Patch2: pam_ssh-1.91-man_agent_files.diff
-# include the syslog header
-Patch4: pam_ssh-1.91-include_syslog.diff
-# include a pam header
-Patch5: pam_ssh-1.92-include_pam.patch
-
+Group: System Environment/Base
License: BSD
+URL: http://sourceforge.net/projects/pam-ssh/
+Source0: http://downloads.sourceforge.net/pam-ssh/pam_ssh-%{version}.tar.bz2
BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n)
+BuildRequires: pam-devel, openssh-clients, openssl-devel, libtool
Requires: openssh-clients
-BuildRequires: pam-devel, openssh-clients, openssl-devel
-Group: System Environment/Base
+Conflicts: selinux-policy-targeted < 3.0.8-55
+Patch0: pam_ssh-1.97-var_run.patch
+Patch1: pam_ssh-1.97-setgid.patch
+
%description
This PAM module provides single sign-on behavior for UNIX using SSH keys.
@@ -29,43 +22,107 @@ process is started and keys are added. The same agent is used for the
following PAM sessions. In any case the appropriate environment variables
are set in the session phase.
+
%prep
%setup -q
%patch0 -p1
%patch1 -p1
-%patch2 -p0 -b .man_agent_files
-%patch4 -p1
-%patch5 -p1 -b .include_pam
-chmod a-x pam_ssh.c
-touch -r pam_ssh.8.man_agent_files pam_ssh.8
+
+# re-run autoconf utils to libtoolize properly
+autoreconf -f -si
+
%build
%configure --with-pam-dir=/%{_lib}/security/
make clean
-make %{?_smp_mflags}
+
+# only needed symbols should be exported
+cat >>pam_ssh.sym <<EOF
+pam_sm_acct_mgmt
+pam_sm_authenticate
+pam_sm_chauthtok
+pam_sm_close_session
+pam_sm_open_session
+pam_sm_setcred
+EOF
+
+make %{?_smp_mflags} LDFLAGS='-export-symbols pam_ssh.sym'
+
%install
rm -rf $RPM_BUILD_ROOT
-make install DESTDIR=$RPM_BUILD_ROOT INSTALL='install -p'
+make install DESTDIR=$RPM_BUILD_ROOT INSTALL="install -p"
install -d -m 755 $RPM_BUILD_ROOT%{_localstatedir}/run/pam_ssh
-rm $RPM_BUILD_ROOT/%{_lib}/security/pam_ssh.la
+rm -f $RPM_BUILD_ROOT/%{_lib}/security/*.la
+
%clean
rm -rf $RPM_BUILD_ROOT
+
%files
%defattr(-,root,root,-)
+/%{_lib}/security/*.so
+%ghost %dir %{_localstatedir}/run/pam_ssh
%doc AUTHORS NEWS README ChangeLog TODO COPYING
-/%{_lib}/security/pam_ssh.so
-%{_mandir}/man8/pam_ssh.8*
-%dir %{_localstatedir}/run/pam_ssh
+%{_mandir}/*/*
+
%changelog
+* Tue Jun 7 2011 Dmitry Butskoy <Dmitry at Butskoy.name> - 1.97-7
+- Drop root group privileges properly before executing ssh-agent (#711170)
+
+* Tue Feb 08 2011 Fedora Release Engineering <rel-eng at lists.fedoraproject.org> - 1.97-6
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_15_Mass_Rebuild
+
+* Wed Jan 5 2011 Dmitry Butskoy <Dmitry at Butskoy.name> - 1.97-5
+- export only pam_sm_* symbols from the module
+ (else it could cause cross linking when used under sshd daemon)
+
+* Mon Dec 13 2010 Dmitry Butskoy <Dmitry at Butskoy.name> - 1.97-4
+- auto-create state dir under /var/run (#656657)
+
+* Fri Aug 21 2009 Tomas Mraz <tmraz at redhat.com> - 1.97-3
+- rebuilt with new openssl
+
+* Sat Jul 25 2009 Fedora Release Engineering <rel-eng at lists.fedoraproject.org> - 1.97-2
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_12_Mass_Rebuild
+
+* Wed Jul 15 2009 Dmitry Butskoy <Dmitry at Butskoy.name> - 1.97-1
+- update to 1.97
+- drop no more needed patches
+- specfile cleanup
+- run autoreconf to re-libtoolize properly
+
+* Thu Mar 26 2009 Dmitry Butskoy <Dmitry at Butskoy.name> - 1.92-10
+- Always use standard "Password:" prompt for the first password's inquire
+ in a PAM chain (#492153)
+
+* Thu Feb 26 2009 Fedora Release Engineering <rel-eng at lists.fedoraproject.org> - 1.92-9.1
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_11_Mass_Rebuild
+
+* Fri Jan 16 2009 Manuel "lonely wolf" Wolfshant <wolfy at nobugconsulting.ro> 1.92-8.1
+- rebuild for newer openssl
+
+* Tue Feb 19 2008 Fedora Release Engineering <rel-eng at fedoraproject.org> - 1.92-8
+- Autorebuild for GCC 4.3
+
* Thu Dec 27 2007 Patrice Dumas <pertusus at free.fr> 1.92-7
- keep timestamps
+* Mon Dec 10 2007 Patrice Dumas <pertusus at free.fr> 1.92-6
+- remove selinux policy module support, since it is in main selinux
+- Conflicts: selinux-policy-targeted < 3.0.8-55 since it seems to be
+ the first package with included selinux policy
+
+* Mon Dec 10 2007 Patrice Dumas <pertusus at free.fr> 1.92-5
+- correct a typo in selinux %%postun script
+
+* Thu Nov 15 2007 Martin Ebourne <martin at zepler.org> - 1.92-3
+- Added SELinux policy module
+
* Thu Aug 23 2007 Patrice Dumas <pertusus at free.fr> 1.92-2
- update to 1.92
- Fix #253959, CVE-2007-0844
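Review bot: `cat >>pam_ssh.sym <<EOF` appends, so the export list is only correct because %setup starts from a fresh tree; `>` states the intent and keeps a re-run of %build in the same tree from accumulating duplicate entries. Passing `LDFLAGS='-export-symbols pam_ssh.sym'` on the make command line replaces the LDFLAGS value configure recorded in the Makefile rather than adding to it, so any linker flags %configure supplied are dropped from the link; if that is intended, a comment saying so next to the "only needed symbols should be exported" line would keep a later packager from "fixing" it.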
diff --git a/sources b/sources
index 84bb83f..9bb10b3 100644
--- a/sources
+++ b/sources
@@ -1 +1 @@
-3861f20572183adfadef8c77270e6165 pam_ssh-1.92.tar.bz2
+ef114d67b4951c88a62893437f850784 pam_ssh-1.97.tar.bz2