[pam_ssh/el5] upgrade to 1.97
Dmitry Butskoy
buc at fedoraproject.org
Wed Aug 31 12:16:05 UTC 2011
commit 10155a3015a801c4c2f805557c5c15a2a4a1d662
Author: Dmitry Butskoy <Dmitry at Butskoy.name>
Date: Wed Aug 31 16:15:10 2011 +0400
upgrade to 1.97
nobranch | 1 -
pam_ssh-1.91-getpwnam.patch | 70 -----------------
pam_ssh-1.91-include_syslog.diff | 10 ---
pam_ssh-1.91-man_agent_files.diff | 13 ---
pam_ssh-1.92-include_pam.patch | 11 ---
pam_ssh-1.97-setgid.patch | 13 +++
....91-var_run.patch => pam_ssh-1.97-var_run.patch | 79 ++++++++++----------
7 files changed, 54 insertions(+), 143 deletions(-)
---
diff --git a/pam_ssh-1.97-setgid.patch b/pam_ssh-1.97-setgid.patch
new file mode 100644
index 0000000..71566f6
--- /dev/null
+++ b/pam_ssh-1.97-setgid.patch
@@ -0,0 +1,13 @@
+diff -Nrbu pam_ssh-1.97/pam_ssh.c pam_ssh-1.97-OK/pam_ssh.c
+--- pam_ssh-1.97/pam_ssh.c 2011-06-07 16:34:48.000000000 +0400
++++ pam_ssh-1.97-OK/pam_ssh.c 2011-06-07 16:36:07.000000000 +0400
+@@ -688,7 +688,8 @@
+ _exit(EX_OSERR);
+ /* NOTREACHED */
+ case PAM_SUCCESS:
+- if (setuid(pwent->pw_uid) == -1) {
++ if (initgroups(pwent->pw_name, pwent->pw_gid) == -1 ||
++ setgid(pwent->pw_gid) == -1 || setuid(pwent->pw_uid) == -1) {
+ pam_ssh_log(LOG_ERR,
+ "can't drop privileges: %m",
+ pwent->pw_uid);
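Review bot: When the new initgroups()/setgid()/setuid() chain fails, the single message logged on the following context lines cannot say which of the three calls failed, and that call also passes `pwent->pw_uid` with no matching conversion in its format string (pam_ssh_log looks printf-style, judging by the `%m`), so the uid is never printed. Since the patch already rewrites this condition, logging the uid explicitly, e.g. `"can't drop privileges for uid %lu: %m", (unsigned long)pwent->pw_uid`, would make a failed privilege drop diagnosable from syslog. The order initgroups, then setgid, then setuid is the right one, since the group identities can no longer be changed once the uid has been dropped. The enclosing switch and function continue outside the hunk.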
diff --git a/pam_ssh-1.91-var_run.patch b/pam_ssh-1.97-var_run.patch
similarity index 59%
rename from pam_ssh-1.91-var_run.patch
rename to pam_ssh-1.97-var_run.patch
index d12c404..94342a7 100644
--- a/pam_ssh-1.91-var_run.patch
+++ b/pam_ssh-1.97-var_run.patch
@@ -1,37 +1,43 @@
-diff -Nrbu pam_ssh-1.91/pam_ssh.c pam_ssh-1.91-OK/pam_ssh.c
---- pam_ssh-1.91/pam_ssh.c 2005-08-16 19:22:54.000000000 +0400
-+++ pam_ssh-1.91-OK/pam_ssh.c 2005-08-16 19:22:03.000000000 +0400
-@@ -109,6 +109,7 @@
- #define PAM_OPT_BLANK_PASSPHRASE_NAME "allow_blank_passphrase"
+diff -Nrbu pam_ssh-1.97/pam_ssh.8 pam_ssh-1.97-OK/pam_ssh.8
+--- pam_ssh-1.97/pam_ssh.8 2008-05-12 22:57:12.000000000 +0400
++++ pam_ssh-1.97-OK/pam_ssh.8 2010-12-13 19:54:24.000000000 +0300
+@@ -148,6 +148,10 @@
+ SSH2 RSA keys
+ .It Pa $HOME/.ssh2/id_dsa_*
+ SSH2 DSA keys
++.It Pa /var/run/pam_ssh/<user>*
++ssh-agent environment information. The files are owned by the superuser but
++readable by the users. The location is Fedora specific, in the original package
++these files are in $HOME/.ssh/agent-*
+ .El
+ .Sh SEE ALSO
+ .Xr ssh-agent 1 ,
+diff -Nrbu pam_ssh-1.97/pam_ssh.c pam_ssh-1.97-OK/pam_ssh.c
+--- pam_ssh-1.97/pam_ssh.c 2008-05-12 22:57:12.000000000 +0400
++++ pam_ssh-1.97-OK/pam_ssh.c 2010-12-13 20:19:36.000000000 +0300
+@@ -114,6 +114,7 @@
+ #define PAM_OPT_NULLOK_NAME "nullok"
#define SEP_KEYFILES ","
#define SSH_CLIENT_DIR ".ssh"
+#define STATE_DIR "/var/run/" MODULE_NAME
enum {
#if HAVE_OPENPAM || HAVE_PAM_STRUCT_OPTIONS || !HAVE_PAM_STD_OPTION
-@@ -489,7 +490,6 @@
+@@ -540,7 +541,6 @@
char env_string[BUFSIZ]; /* environment string */
char *env_value; /* envariable value */
int env_write; /* env file descriptor */
- char hname[MAXHOSTNAMELEN]; /* local hostname */
- int no_link; /* link per-agent file? */
char *per_agent; /* to store env */
char *per_session; /* per-session filename */
-@@ -502,7 +502,6 @@
-
- log_init(MODULE_NAME, SYSLOG_LEVEL_ERROR, SYSLOG_FACILITY_AUTHPRIV, 0);
-
-- /* dump output of ssh-agent in ~/.ssh */
- if ((retval = pam_get_user(pamh, &user, NULL)) != PAM_SUCCESS)
- return retval;
- if (!(user && (pwent = getpwnam(user)) && pwent->pw_dir &&
-@@ -521,17 +520,16 @@
+ const struct passwd *pwent; /* user's passwd entry */
+@@ -583,17 +583,16 @@
* Technique: Create an environment file containing
* information about the agent. Only one file is created, but
* it may be given many names. One name is given for the
- * agent itself, agent-<host>. Another name is given for each
- * session, agent-<host>-<display> or agent-<host>-<tty>. We
-+ * agent itself, /var/run/pam_ssh/<user>. Another name is given
++ * agent itself, /var/run/pam_ssh/<user>. Another name is given
+ * for each session, <user>-<display> or <user>-<tty>. We
* delete the per-session filename on session close, and when
* the link count goes to unity on the per-agent file, we
@@ -47,24 +53,21 @@ diff -Nrbu pam_ssh-1.91/pam_ssh.c pam_ssh-1.91-OK/pam_ssh.c
== -1) {
pam_ssh_log(LOG_CRIT, "out of memory");
openpam_restore_cred(pamh);
-@@ -555,9 +553,14 @@
-
- env_write = child_pid = no_link = start_agent = 0;
- env_read = NULL;
-- if ((env_write = open(per_agent, O_CREAT | O_EXCL | O_WRONLY, S_IRUSR))
-- < 0 && !(env_read = fopen(per_agent, "r")))
-+
-+ openpam_restore_cred(pamh);
-+ if ((env_write = open(per_agent, O_CREAT | O_EXCL | O_WRONLY,
-+ S_IRUSR | S_IRGRP | S_IROTH)) < 0 &&
-+ !(env_read = fopen(per_agent, "r")))
- no_link = 1;
-+ openpam_borrow_cred(pamh, pwent);
-+
- if (!env_read) {
- start_agent = 1;
- if (pipe(child_pipe) < 0) {
-@@ -790,7 +793,7 @@
+@@ -644,7 +643,12 @@
+ }
+
+ if (start_agent) {
+- if ((env_write = open(per_agent, O_CREAT | O_WRONLY, S_IRUSR | S_IWUSR)) < 0) {
++ openpam_restore_cred(pamh);
++ if (stat(STATE_DIR, &stat_buf) < 0)
++ mkdir(STATE_DIR, S_IRWXU | S_IRGRP | S_IXGRP | S_IROTH | S_IXOTH);
++ env_write = open(per_agent, O_CREAT | O_WRONLY, S_IRUSR | S_IRGRP | S_IROTH);
++ openpam_borrow_cred(pamh, pwent);
++ if (env_write < 0) {
+ pam_ssh_log(LOG_ERR, "can't write to %s", per_agent);
+ free(per_agent);
+ openpam_restore_cred(pamh);
+@@ -880,7 +884,7 @@
for (cp = tty_nodir; (cp = strchr(cp, '/')); )
*cp = '_';
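Review bot: The new stat()/mkdir() pair at the top of the `if (start_agent)` block only tests whether STATE_DIR exists; it does not check that an existing path is a directory owned by root without group/world write permission, and the mkdir() return value is discarded, so any failure other than EEXIST surfaces only later as `can't write to <per_agent>`. Because the following open() of per_agent runs with restored (root) credentials and uses O_CREAT | O_WRONLY without O_EXCL or O_NOFOLLOW, a pre-existing STATE_DIR with weaker permissions than the ones mkdir() sets would let a symlink placed there redirect a root-owned write; validating the stat result before use, adding O_NOFOLLOW to the open flags, and logging a mkdir() failure with `errno != EEXIST` would close that gap. The dropped O_EXCL from the 1.91 version is not introduced here, since the upstream line being replaced already opened with O_CREAT | O_WRONLY. The enclosing function starts and ends outside the hunk.
```c
	if (start_agent) {
		openpam_restore_cred(pamh);
		if (mkdir(STATE_DIR, S_IRWXU | S_IRGRP | S_IXGRP | S_IROTH | S_IXOTH) < 0 &&
		    errno != EEXIST)
			pam_ssh_log(LOG_ERR, "can't create %s: %m", STATE_DIR);
		/* refuse to write into anything but a root-owned, non-writable-by-others directory */
		if (lstat(STATE_DIR, &stat_buf) < 0 || !S_ISDIR(stat_buf.st_mode) ||
		    stat_buf.st_uid != 0 || (stat_buf.st_mode & (S_IWGRP | S_IWOTH)))
			env_write = -1;
		else
			env_write = open(per_agent, O_CREAT | O_WRONLY | O_NOFOLLOW,
			    S_IRUSR | S_IRGRP | S_IROTH);
		openpam_borrow_cred(pamh, pwent);
		if (env_write < 0) {
		/* … unchanged: error log, free(per_agent), credential restore … */
```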
@@ -73,7 +76,7 @@ diff -Nrbu pam_ssh-1.91/pam_ssh.c pam_ssh-1.91-OK/pam_ssh.c
tty_nodir) == -1) {
pam_ssh_log(LOG_CRIT, "out of memory");
free(tty_nodir);
-@@ -809,10 +812,10 @@
+@@ -899,10 +903,10 @@
return retval;
}
@@ -85,7 +88,7 @@ diff -Nrbu pam_ssh-1.91/pam_ssh.c pam_ssh-1.91-OK/pam_ssh.c
return PAM_SUCCESS;
}
-@@ -842,8 +845,11 @@
+@@ -932,8 +936,11 @@
}
if (pam_get_data(pamh, "ssh_agent_env_session",
@@ -98,7 +101,7 @@ diff -Nrbu pam_ssh-1.91/pam_ssh.c pam_ssh-1.91-OK/pam_ssh.c
/* Retrieve per-agent filename and check link count. If it's
greater than unity, other sessions are still using this
-@@ -858,7 +864,9 @@
+@@ -948,7 +955,9 @@
openpam_restore_cred(pamh);
return PAM_SUCCESS;
}