[gdm/f16] Lock down the pam config,

Ray Strode rstrode at fedoraproject.org
Tue Aug 9 18:41:51 UTC 2011 

commit 69c2c9ba3c3a2fec4a2bd7f808e7bf8d129178c6
Author: Ray Strode <rstrode at redhat.com>
Date:   Tue Aug 9 14:40:51 2011 -0400

    Lock down the pam config,
    
    We don't want to run the greeter
    with unconfined/elevated privileges
    
    Resolves: #729302

 ...register-in-PAM-in-addition-to-ConsoleKit.patch |    3 +--
 gdm-welcome-pam                                    |    6 +-----
 gdm.spec                                           |    7 ++++++-
 3 files changed, 8 insertions(+), 8 deletions(-)
---
diff --git a/0001-welcome-register-in-PAM-in-addition-to-ConsoleKit.patch b/0001-welcome-register-in-PAM-in-addition-to-ConsoleKit.patch
index 301163d..e023064 100644
--- a/0001-welcome-register-in-PAM-in-addition-to-ConsoleKit.patch
+++ b/0001-welcome-register-in-PAM-in-addition-to-ConsoleKit.patch
@@ -232,12 +232,11 @@ new file mode 100644
 index 0000000..8d2ea85
 --- /dev/null
 +++ b/data/gdm-welcome
-@@ -0,0 +1,5 @@
+@@ -0,0 +1,4 @@
 +#%PAM-1.0
 +session    optional    pam_keyinit.so force revoke
 +session    include     system-auth
 +session    required    pam_loginuid.so
-+session    optional    pam_console.so
 -- 
 1.7.6
 
diff --git a/gdm-welcome-pam b/gdm-welcome-pam
index 96fcfe3..17f323e 100644
--- a/gdm-welcome-pam
+++ b/gdm-welcome-pam
@@ -1,15 +1,11 @@
- #%PAM-1.0
+#%PAM-1.0
 auth       required    pam_env.so
 auth       required    pam_permit.so
 auth       include     postlogin
 account    required    pam_nologin.so
 account    include     system-auth
 password   include     system-auth
-session    required    pam_selinux.so close
 session    required    pam_loginuid.so
-session    optional    pam_console.so
-session    required    pam_selinux.so open
 session    optional    pam_keyinit.so force revoke
-session    required    pam_namespace.so
 session    include     system-auth
 session    include     postlogin
diff --git a/gdm.spec b/gdm.spec
index 28c2766..b72ea4b 100644
--- a/gdm.spec
+++ b/gdm.spec
@@ -15,7 +15,7 @@
 Summary: The GNOME Display Manager
 Name: gdm
 Version: 3.1.2
-Release: 4%{?dist}
+Release: 5%{?dist}
 Epoch: 1
 License: GPLv2+
 Group: User Interface/X
@@ -369,6 +369,11 @@ gtk-update-icon-cache %{_datadir}/icons/hicolor >&/dev/null || :
 %{_libdir}/gdm/simple-greeter/extensions/libfingerprint.so
 
 %changelog
+* Tue Aug 09 2011 Ray Strode <rstrode at redhat.com> 3.1.2-5
+- Lock down the pam config, so we don't run the greeter
+  with unconfined/elevated privileges
+  Resolves: #729302
+
 * Wed Aug  3 2011 Lennart Poettering <lpoetter at redhat.com> - 1:3.1.2-4
 - Register welcome pseudo-session in PAM

More information about the scm-commits mailing list