[cvs] Set PAM_TTY and PAM_RHOST on PAM authentication

Petr Pisar ppisar at fedoraproject.org
Thu Mar 10 16:21:32 UTC 2011


commit db81c434f7440ade3d40a5f1f10994ba33525b4f
Author: Petr Písař <ppisar at redhat.com>
Date:   Thu Mar 10 17:20:30 2011 +0100

    Set PAM_TTY and PAM_RHOST on PAM authentication

 ...M_TTY-and-PAM_RHOST-on-PAM-authentication.patch |   96 ++++++++++++++++++++
 cvs.spec                                           |    7 ++-
 2 files changed, 102 insertions(+), 1 deletions(-)
---
diff --git a/cvs-1.11.23-Set-PAM_TTY-and-PAM_RHOST-on-PAM-authentication.patch b/cvs-1.11.23-Set-PAM_TTY-and-PAM_RHOST-on-PAM-authentication.patch
new file mode 100644
index 0000000..1fe195e
--- /dev/null
+++ b/cvs-1.11.23-Set-PAM_TTY-and-PAM_RHOST-on-PAM-authentication.patch
@@ -0,0 +1,96 @@
+From 923dc05d68031a217684aba87acdadc7f711c88a Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Petr=20P=C3=ADsa=C5=99?= <ppisar at redhat.com>
+Date: Thu, 10 Mar 2011 15:16:04 +0100
+Subject: [PATCH] Set PAM_TTY and PAM_RHOST on PAM authentication
+
+When loging to server, PAM can make decision on client network address, so set
+it appropriately. Also some modules require non-empy console name, thus set
+PAM_TTY to cvs PAM service name (`cvs').
+
+PAM failure is reported back to client.
+
+This code is back-ported from from upstream developemt tree (r1.489).
+`peer' and `len' types fixed to cover any address family.
+---
+ src/server.c |   47 ++++++++++++++++++++++++++++++++++++++++++++++-
+ 1 files changed, 46 insertions(+), 1 deletions(-)
+
+diff --git a/src/server.c b/src/server.c
+index 0505ab9..bc6f0d0 100644
+--- a/src/server.c
++++ b/src/server.c
+@@ -5799,18 +5799,61 @@ error 0 %s: no such user\n", username);
+ #if PAM_SUPPORT
+         pam_handle_t *pamh = NULL;
+         struct pam_conv conv;
++        char *pam_stage = "start";
++        struct sockaddr_storage peer;
++        socklen_t len;
++        char host[NI_MAXHOST];
+         int retval;
+ 
++        /* get the client's ip address */
++        len = sizeof (peer);
++        if (getpeername (STDIN_FILENO, (struct sockaddr *)&peer, &len) < 0)
++        {
++            printf ("E Fatal error, aborting.\n\
++error %s getpeername failed\n", strerror (errno));
++            exit (EXIT_FAILURE);
++        }
++
++        /* convert the ip address to text */
++        if (getnameinfo((struct sockaddr *)&peer, len, host, NI_MAXHOST,
++                    NULL, 0, NI_NUMERICHOST) < 0)
++        {
++            printf ("E Fatal error, aborting.\n\
++error %s getnameinfo failed\n", strerror (errno));
++            exit (EXIT_FAILURE);
++        }
++
+         conv.conv = silent_conv;
+         conv.appdata_ptr = password;
+ 
+-        retval = pam_start("cvs", username, &conv, &pamh);
++#define PAM_SERVICE_NAME "cvs"
++        retval = pam_start(PAM_SERVICE_NAME, username, &conv, &pamh);
++
++        /* sets a dummy tty name which pam modules can check for */
++        if (retval == PAM_SUCCESS)
++        {
++            pam_stage = "set dummy tty";
++            retval = pam_set_item (pamh, PAM_TTY, PAM_SERVICE_NAME);
++        }
++#undef PAM_SERVICE_NAME
++
++        if (retval == PAM_SUCCESS)
++        {
++            pam_stage = "set remote host ip";
++            retval = pam_set_item (pamh, PAM_RHOST, host);
++        }
+ 
+         if (retval == PAM_SUCCESS)
++        {
++            pam_stage = "authenticate";
+             retval = pam_authenticate(pamh, 0); /* is user really user? */
++        }
+ 
+         if (retval == PAM_SUCCESS)
++        {
++            pam_stage = "account";
+             retval = pam_acct_mgmt(pamh, 0);    /* permitted access? */
++        }
+ 
+         /* This is where we have been authorized or not. */
+ 
+@@ -5818,6 +5861,8 @@ error 0 %s: no such user\n", username);
+             host_user = xstrdup (username);
+         } else {
+             host_user = NULL;
++            printf ("E PAM %s error: %s\n",
++                 pam_stage, pam_strerror (pamh, retval));
+         }
+ 
+         if (pam_end(pamh,retval) != PAM_SUCCESS) {   /* close Linux-PAM */
+-- 
+1.7.4
+
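Review bot: The failure test on the new `getnameinfo(...) < 0` call in the patch's src/server.c hunk assumes a negative return and a meaningful errno, but POSIX only guarantees a non-zero EAI_* code and errno is set only for EAI_SYSTEM, so `strerror (errno)` prints an unrelated message; on glibc the EAI_* values happen to be negative, which is presumably why it works in this build. Prefer `int rc = getnameinfo (...);` followed by `if (rc != 0)` and report `gai_strerror (rc)` (using strerror(errno) only when rc == EAI_SYSTEM). A missed failure would leave `host` uninitialized and pass it to pam_set_item(pamh, PAM_RHOST, host), which is exactly the value the PAM policy this commit enables will decide on. Separately, the added `printf ("E PAM %s error: %s\n", pam_stage, pam_strerror (pamh, retval))` returns the failing PAM stage and module text to a not-yet-authenticated pserver client; logging that detail server-side and sending a generic failure would avoid distinguishing accounts by account-stage messages, and `pam_stage` should be `const char *` since it only ever points at string literals. The enclosing function's body begins and ends outside this hunk.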
diff --git a/cvs.spec b/cvs.spec
index 04a09e6..b58daf7 100644
--- a/cvs.spec
+++ b/cvs.spec
@@ -5,7 +5,7 @@
 
 Name: cvs
 Version: 1.11.23
-Release: 14%{?dist}
+Release: 15%{?dist}
 Summary: Concurrent Versions System
 Group: Development/Tools
 URL: http://cvs.nongnu.org/
@@ -53,6 +53,7 @@ Patch21: cvs-1.11.23-cve-2010-3846.patch
 Patch22: cvs-1.11.23-remove_undefined_date_from_cvs_1_header.patch
 Patch23: cvs-1.11.23-sanity.patch
 Patch24: cvs-1.11.23-make_make_check_sanity_testing_verbose.patch
+Patch25: cvs-1.11.23-Set-PAM_TTY-and-PAM_RHOST-on-PAM-authentication.patch
 
 # Don't let find provides to add csh to automatic requires
 %filter_requires_in ^%{_datadir}/%{name}/contrib/sccs2rcs$
@@ -112,6 +113,7 @@ pages in PDF.
 %patch22 -p1 -b .undefined_date
 %patch23 -p1 -b .sanity
 %patch24 -p1 -b .verbose_sanity
+%patch25 -p1 -b .set_pam_rhost
 
 # Apply a patch to the generated files, OR
 # run autoreconf and require autoconf >= 2.58, automake >= 1.7.9
@@ -199,6 +201,9 @@ exit 0
 
 
 %changelog
+* Thu Mar 10 2011 Petr Pisar <ppisar at redhat.com> - 1.11.23-15
+- Set PAM_TTY and PAM_RHOST on PAM authentication
+
 * Tue Feb 08 2011 Fedora Release Engineering <rel-eng at lists.fedoraproject.org> - 1.11.23-14
 - Rebuilt for https://fedoraproject.org/wiki/Fedora_15_Mass_Rebuild
 

