[cvs] Set PAM_TTY and PAM_RHOST on PAM authentication
Petr Pisar
ppisar at fedoraproject.org
Thu Mar 10 16:21:32 UTC 2011
commit db81c434f7440ade3d40a5f1f10994ba33525b4f
Author: Petr Písař <ppisar at redhat.com>
Date: Thu Mar 10 17:20:30 2011 +0100
Set PAM_TTY and PAM_RHOST on PAM authentication
...M_TTY-and-PAM_RHOST-on-PAM-authentication.patch | 96 ++++++++++++++++++++
cvs.spec | 7 ++-
2 files changed, 102 insertions(+), 1 deletions(-)
---
diff --git a/cvs-1.11.23-Set-PAM_TTY-and-PAM_RHOST-on-PAM-authentication.patch b/cvs-1.11.23-Set-PAM_TTY-and-PAM_RHOST-on-PAM-authentication.patch
new file mode 100644
index 0000000..1fe195e
--- /dev/null
+++ b/cvs-1.11.23-Set-PAM_TTY-and-PAM_RHOST-on-PAM-authentication.patch
@@ -0,0 +1,96 @@
+From 923dc05d68031a217684aba87acdadc7f711c88a Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Petr=20P=C3=ADsa=C5=99?= <ppisar at redhat.com>
+Date: Thu, 10 Mar 2011 15:16:04 +0100
+Subject: [PATCH] Set PAM_TTY and PAM_RHOST on PAM authentication
+
+When loging to server, PAM can make decision on client network address, so set
+it appropriately. Also some modules require non-empy console name, thus set
+PAM_TTY to cvs PAM service name (`cvs').
+
+PAM failure is reported back to client.
+
+This code is back-ported from from upstream developemt tree (r1.489).
+`peer' and `len' types fixed to cover any address family.
+---
+ src/server.c | 47 ++++++++++++++++++++++++++++++++++++++++++++++-
+ 1 files changed, 46 insertions(+), 1 deletions(-)
+
+diff --git a/src/server.c b/src/server.c
+index 0505ab9..bc6f0d0 100644
+--- a/src/server.c
++++ b/src/server.c
+@@ -5799,18 +5799,61 @@ error 0 %s: no such user\n", username);
+ #if PAM_SUPPORT
+ pam_handle_t *pamh = NULL;
+ struct pam_conv conv;
++ char *pam_stage = "start";
++ struct sockaddr_storage peer;
++ socklen_t len;
++ char host[NI_MAXHOST];
+ int retval;
+
++ /* get the client's ip address */
++ len = sizeof (peer);
++ if (getpeername (STDIN_FILENO, (struct sockaddr *)&peer, &len) < 0)
++ {
++ printf ("E Fatal error, aborting.\n\
++error %s getpeername failed\n", strerror (errno));
++ exit (EXIT_FAILURE);
++ }
++
++ /* convert the ip address to text */
++ if (getnameinfo((struct sockaddr *)&peer, len, host, NI_MAXHOST,
++ NULL, 0, NI_NUMERICHOST) < 0)
++ {
++ printf ("E Fatal error, aborting.\n\
++error %s getnameinfo failed\n", strerror (errno));
++ exit (EXIT_FAILURE);
++ }
++
+ conv.conv = silent_conv;
+ conv.appdata_ptr = password;
+
+- retval = pam_start("cvs", username, &conv, &pamh);
++#define PAM_SERVICE_NAME "cvs"
++ retval = pam_start(PAM_SERVICE_NAME, username, &conv, &pamh);
++
++ /* sets a dummy tty name which pam modules can check for */
++ if (retval == PAM_SUCCESS)
++ {
++ pam_stage = "set dummy tty";
++ retval = pam_set_item (pamh, PAM_TTY, PAM_SERVICE_NAME);
++ }
++#undef PAM_SERVICE_NAME
++
++ if (retval == PAM_SUCCESS)
++ {
++ pam_stage = "set remote host ip";
++ retval = pam_set_item (pamh, PAM_RHOST, host);
++ }
+
+ if (retval == PAM_SUCCESS)
++ {
++ pam_stage = "authenticate";
+ retval = pam_authenticate(pamh, 0); /* is user really user? */
++ }
+
+ if (retval == PAM_SUCCESS)
++ {
++ pam_stage = "account";
+ retval = pam_acct_mgmt(pamh, 0); /* permitted access? */
++ }
+
+ /* This is where we have been authorized or not. */
+
+@@ -5818,6 +5861,8 @@ error 0 %s: no such user\n", username);
+ host_user = xstrdup (username);
+ } else {
+ host_user = NULL;
++ printf ("E PAM %s error: %s\n",
++ pam_stage, pam_strerror (pamh, retval));
+ }
+
+ if (pam_end(pamh,retval) != PAM_SUCCESS) { /* close Linux-PAM */
+--
+1.7.4
+
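Review bot: The `if (getnameinfo(...) < 0)` check in the new client-address block is not a reliable failure test, because getnameinfo() reports failure with a nonzero EAI_* code that POSIX does not require to be negative, and errno is only meaningful when that code is EAI_SYSTEM, so `strerror (errno)` will usually print an unrelated message. Capture the result and use the matching error function: `int rc = getnameinfo ((struct sockaddr *)&peer, len, host, sizeof host, NULL, 0, NI_NUMERICHOST);`, `if (rc != 0)`, and `gai_strerror (rc)` in place of `strerror (errno)`. The `printf ("E PAM %s error: %s\n", pam_stage, pam_strerror (pamh, retval))` added in the second nested hunk sends the failing PAM stage and the module's own message text to a peer that has not yet authenticated; a more cautious shape logs that detail server-side and keeps the client-facing line generic, since the module text can differ by failure cause. Note also that `getpeername (STDIN_FILENO, ...)` now turns every invocation where stdin is not a socket into a fatal error rather than an empty PAM_RHOST; if pipe-based invocations are meant to keep working, that case probably wants to be non-fatal — confirm against how the server is launched. The enclosing function begins and ends outside the hunk.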
diff --git a/cvs.spec b/cvs.spec
index 04a09e6..b58daf7 100644
--- a/cvs.spec
+++ b/cvs.spec
@@ -5,7 +5,7 @@
Name: cvs
Version: 1.11.23
-Release: 14%{?dist}
+Release: 15%{?dist}
Summary: Concurrent Versions System
Group: Development/Tools
URL: http://cvs.nongnu.org/
@@ -53,6 +53,7 @@ Patch21: cvs-1.11.23-cve-2010-3846.patch
Patch22: cvs-1.11.23-remove_undefined_date_from_cvs_1_header.patch
Patch23: cvs-1.11.23-sanity.patch
Patch24: cvs-1.11.23-make_make_check_sanity_testing_verbose.patch
+Patch25: cvs-1.11.23-Set-PAM_TTY-and-PAM_RHOST-on-PAM-authentication.patch
# Don't let find provides to add csh to automatic requires
%filter_requires_in ^%{_datadir}/%{name}/contrib/sccs2rcs$
@@ -112,6 +113,7 @@ pages in PDF.
%patch22 -p1 -b .undefined_date
%patch23 -p1 -b .sanity
%patch24 -p1 -b .verbose_sanity
+%patch25 -p1 -b .set_pam_rhost
# Apply a patch to the generated files, OR
# run autoreconf and require autoconf >= 2.58, automake >= 1.7.9
@@ -199,6 +201,9 @@ exit 0
%changelog
+* Thu Mar 10 2011 Petr Pisar <ppisar at redhat.com> - 1.11.23-15
+- Set PAM_TTY and PAM_RHOST on PAM authentication
+
* Tue Feb 08 2011 Fedora Release Engineering <rel-eng at lists.fedoraproject.org> - 1.11.23-14
- Rebuilt for https://fedoraproject.org/wiki/Fedora_15_Mass_Rebuild