[pam] link setuid binaries with full relro (#853158)
Tomáš Mráz
tmraz at fedoraproject.org
Mon Sep 3 13:37:31 UTC 2012
commit 010ed2b4524bb51b04aab9858638e54b6201f819
Author: Tomas Mraz <tmraz at fedoraproject.org>
Date: Mon Sep 3 15:24:00 2012 +0200
link setuid binaries with full relro (#853158)
- add rhost and tty to auditing data in modules (#677664)
pam-1.1.6-audit-data.patch | 173 ++++++++++++++++++++++++++++++++++++++++++++
pam-1.1.6-full-relro.patch | 31 ++++++++
pam.spec | 10 +++-
3 files changed, 213 insertions(+), 1 deletions(-)
---
diff --git a/pam-1.1.6-audit-data.patch b/pam-1.1.6-audit-data.patch
new file mode 100644
index 0000000..c41f513
--- /dev/null
+++ b/pam-1.1.6-audit-data.patch
@@ -0,0 +1,173 @@
+diff -up Linux-PAM-1.1.6/modules/pam_faillock/main.c.audata Linux-PAM-1.1.6/modules/pam_faillock/main.c
+--- Linux-PAM-1.1.6/modules/pam_faillock/main.c.audata 2012-09-03 15:18:19.077405822 +0200
++++ Linux-PAM-1.1.6/modules/pam_faillock/main.c 2012-09-03 15:18:19.082405927 +0200
+@@ -42,6 +42,7 @@
+ #include <errno.h>
+ #include <pwd.h>
+ #include <time.h>
++#include <unistd.h>
+ #ifdef HAVE_LIBAUDIT
+ #include <libaudit.h>
+ #endif
+@@ -142,7 +143,7 @@ do_user(struct options *opts, const char
+ snprintf(buf, sizeof(buf), "faillock reset uid=%u",
+ pwd->pw_uid);
+ audit_log_user_message(audit_fd, AUDIT_USER_ACCT,
+- buf, NULL, NULL, NULL, rv == 0);
++ buf, NULL, NULL, ttyname(fileno(stdin)), rv == 0);
+ }
+ close(audit_fd);
+ }
+diff -up Linux-PAM-1.1.6/modules/pam_faillock/pam_faillock.c.audata Linux-PAM-1.1.6/modules/pam_faillock/pam_faillock.c
+--- Linux-PAM-1.1.6/modules/pam_faillock/pam_faillock.c.audata 2012-09-03 15:18:19.077405822 +0200
++++ Linux-PAM-1.1.6/modules/pam_faillock/pam_faillock.c 2012-09-03 15:18:19.083405948 +0200
+@@ -264,6 +264,7 @@ check_tally(pam_handle_t *pamh, struct o
+ if (opts->action != FAILLOCK_ACTION_PREAUTH) { /* do not audit in preauth */
+ char buf[64];
+ int audit_fd;
++ const void *rhost = NULL, *tty = NULL;
+
+ audit_fd = audit_open();
+ /* If there is an error & audit support is in the kernel report error */
+@@ -271,9 +272,11 @@ check_tally(pam_handle_t *pamh, struct o
+ errno == EAFNOSUPPORT))
+ return PAM_SYSTEM_ERR;
+
++ (void)pam_get_item(pamh, PAM_TTY, &tty);
++ (void)pam_get_item(pamh, PAM_RHOST, &rhost);
+ snprintf(buf, sizeof(buf), "pam_faillock uid=%u ", opts->uid);
+ audit_log_user_message(audit_fd, AUDIT_RESP_ACCT_UNLOCK_TIMED, buf,
+- NULL, NULL, NULL, 1);
++ rhost, NULL, tty, 1);
+ }
+ #endif
+ opts->flags |= FAILLOCK_FLAG_UNLOCKED;
+@@ -378,6 +381,7 @@ write_tally(pam_handle_t *pamh, struct o
+ #ifdef HAVE_LIBAUDIT
+ char buf[64];
+ int audit_fd;
++ const void *tty = NULL, *rhost = NULL;
+
+ audit_fd = audit_open();
+ /* If there is an error & audit support is in the kernel report error */
+@@ -385,13 +389,15 @@ write_tally(pam_handle_t *pamh, struct o
+ errno == EAFNOSUPPORT))
+ return PAM_SYSTEM_ERR;
+
++ (void)pam_get_item(pamh, PAM_TTY, &tty);
++ (void)pam_get_item(pamh, PAM_RHOST, &rhost);
+ snprintf(buf, sizeof(buf), "pam_faillock uid=%u ", opts->uid);
+ audit_log_user_message(audit_fd, AUDIT_ANOM_LOGIN_FAILURES, buf,
+- NULL, NULL, NULL, 1);
++ rhost, NULL, tty, 1);
+
+ if (opts->uid != 0 || (opts->flags & FAILLOCK_FLAG_DENY_ROOT)) {
+ audit_log_user_message(audit_fd, AUDIT_RESP_ACCT_LOCK, buf,
+- NULL, NULL, NULL, 1);
++ rhost, NULL, tty, 1);
+ }
+ close(audit_fd);
+ #endif
+diff -up Linux-PAM-1.1.6/modules/pam_selinux/pam_selinux.c.audata Linux-PAM-1.1.6/modules/pam_selinux/pam_selinux.c
+--- Linux-PAM-1.1.6/modules/pam_selinux/pam_selinux.c.audata 2012-08-15 13:08:43.000000000 +0200
++++ Linux-PAM-1.1.6/modules/pam_selinux/pam_selinux.c 2012-09-03 15:18:19.083405948 +0200
+@@ -87,6 +87,7 @@ int send_audit_message(pam_handle_t *pam
+ int audit_fd = audit_open();
+ security_context_t default_raw=NULL;
+ security_context_t selected_raw=NULL;
++ const void *tty = NULL, *rhost = NULL;
+ rc = -1;
+ if (audit_fd < 0) {
+ if (errno == EINVAL || errno == EPROTONOSUPPORT ||
+@@ -95,6 +96,8 @@ int send_audit_message(pam_handle_t *pam
+ pam_syslog(pamh, LOG_ERR, "Error connecting to audit system.");
+ return rc;
+ }
++ (void)pam_get_item(pamh, PAM_TTY, &tty);
++ (void)pam_get_item(pamh, PAM_RHOST, &rhost);
+ if (selinux_trans_to_raw_context(default_context, &default_raw) < 0) {
+ pam_syslog(pamh, LOG_ERR, "Error translating default context.");
+ default_raw = NULL;
+@@ -110,7 +113,7 @@ int send_audit_message(pam_handle_t *pam
+ goto out;
+ }
+ if (audit_log_user_message(audit_fd, AUDIT_USER_ROLE_CHANGE,
+- msg, NULL, NULL, NULL, success) <= 0) {
++ msg, rhost, NULL, tty, success) <= 0) {
+ pam_syslog(pamh, LOG_ERR, "Error sending audit message.");
+ goto out;
+ }
+diff -up Linux-PAM-1.1.6/modules/pam_tally2/pam_tally2.c.audata Linux-PAM-1.1.6/modules/pam_tally2/pam_tally2.c
+--- Linux-PAM-1.1.6/modules/pam_tally2/pam_tally2.c.audata 2012-08-15 13:08:43.000000000 +0200
++++ Linux-PAM-1.1.6/modules/pam_tally2/pam_tally2.c 2012-09-03 15:20:06.071641000 +0200
+@@ -509,6 +509,7 @@ tally_check (tally_t oldcnt, time_t oldt
+ #ifdef HAVE_LIBAUDIT
+ char buf[64];
+ int audit_fd = -1;
++ const void *rhost = NULL, *tty = NULL;
+ #endif
+
+ if ((opts->ctrl & OPT_MAGIC_ROOT) && getuid() == 0) {
+@@ -521,6 +522,8 @@ tally_check (tally_t oldcnt, time_t oldt
+ if ((audit_fd < 0) && !(errno == EINVAL || errno == EPROTONOSUPPORT ||
+ errno == EAFNOSUPPORT))
+ return PAM_SYSTEM_ERR;
++ (void)pam_get_item(pamh, PAM_TTY, &tty);
++ (void)pam_get_item(pamh, PAM_RHOST, &rhost);
+ #endif
+ if (opts->deny != 0 && /* deny==0 means no deny */
+ tally->fail_cnt > opts->deny && /* tally>deny means exceeded */
+@@ -530,7 +533,7 @@ tally_check (tally_t oldcnt, time_t oldt
+ /* First say that max number was hit. */
+ snprintf(buf, sizeof(buf), "pam_tally2 uid=%u ", uid);
+ audit_log_user_message(audit_fd, AUDIT_ANOM_LOGIN_FAILURES, buf,
+- NULL, NULL, NULL, 1);
++ rhost, NULL, tty, 1);
+ }
+ #endif
+ if (uid) {
+@@ -541,7 +544,7 @@ tally_check (tally_t oldcnt, time_t oldt
+ #ifdef HAVE_LIBAUDIT
+ snprintf(buf, sizeof(buf), "pam_tally2 uid=%u ", uid);
+ audit_log_user_message(audit_fd, AUDIT_RESP_ACCT_UNLOCK_TIMED, buf,
+- NULL, NULL, NULL, 1);
++ rhost, NULL, tty, 1);
+ #endif
+ rv = PAM_SUCCESS;
+ goto cleanup;
+@@ -555,7 +558,7 @@ tally_check (tally_t oldcnt, time_t oldt
+ #ifdef HAVE_LIBAUDIT
+ snprintf(buf, sizeof(buf), "pam_tally2 uid=%u ", uid);
+ audit_log_user_message(audit_fd, AUDIT_RESP_ACCT_UNLOCK_TIMED, buf,
+- NULL, NULL, NULL, 1);
++ rhost, NULL, tty, 1);
+ #endif
+ rv = PAM_SUCCESS;
+ goto cleanup;
+@@ -567,7 +570,7 @@ tally_check (tally_t oldcnt, time_t oldt
+ if (tally->fail_cnt == opts->deny+1) {
+ /* First say that max number was hit. */
+ audit_log_user_message(audit_fd, AUDIT_RESP_ACCT_LOCK, buf,
+- NULL, NULL, NULL, 1);
++ rhost, NULL, tty, 1);
+ }
+ #endif
+
+@@ -996,7 +999,7 @@ main( int argc UNUSED, char **argv )
+ int audit_fd = audit_open();
+ snprintf(buf, sizeof(buf), "pam_tally2 uid=%u reset=%hu", uid, cline_reset);
+ audit_log_user_message(audit_fd, AUDIT_USER_ACCT,
+- buf, NULL, NULL, NULL, 1);
++ buf, NULL, NULL, ttyname(fileno(stdin)), 1);
+ if (audit_fd >=0)
+ close(audit_fd);
+ #endif
+@@ -1041,7 +1044,7 @@ main( int argc UNUSED, char **argv )
+ int audit_fd = audit_open();
+ snprintf(buf, sizeof(buf), "pam_tally2 uid=all reset=0");
+ audit_log_user_message(audit_fd, AUDIT_USER_ACCT,
+- buf, NULL, NULL, NULL, 1);
++ buf, NULL, NULL, ttyname(fileno(stdin)), 1);
+ if (audit_fd >=0)
+ close(audit_fd);
+ #endif
diff --git a/pam-1.1.6-full-relro.patch b/pam-1.1.6-full-relro.patch
new file mode 100644
index 0000000..30cb79b
--- /dev/null
+++ b/pam-1.1.6-full-relro.patch
@@ -0,0 +1,31 @@
+diff -up Linux-PAM-1.1.6/modules/pam_timestamp/Makefile.am.relro Linux-PAM-1.1.6/modules/pam_timestamp/Makefile.am
+--- Linux-PAM-1.1.6/modules/pam_timestamp/Makefile.am.relro 2012-08-15 13:08:43.000000000 +0200
++++ Linux-PAM-1.1.6/modules/pam_timestamp/Makefile.am 2012-09-03 15:22:13.735307976 +0200
+@@ -36,7 +36,7 @@ pam_timestamp_la_CFLAGS = $(AM_CFLAGS)
+ pam_timestamp_check_SOURCES = pam_timestamp_check.c
+ pam_timestamp_check_CFLAGS = $(AM_CFLAGS) @PIE_CFLAGS@
+ pam_timestamp_check_LDADD = $(top_builddir)/libpam/libpam.la
+-pam_timestamp_check_LDFLAGS = @PIE_LDFLAGS@
++pam_timestamp_check_LDFLAGS = -Wl,-z,now @PIE_LDFLAGS@
+
+ hmacfile_SOURCES = hmacfile.c hmacsha1.c sha1.c
+ hmacfile_LDADD = $(top_builddir)/libpam/libpam.la
+diff -up Linux-PAM-1.1.6/modules/pam_unix/Makefile.am.relro Linux-PAM-1.1.6/modules/pam_unix/Makefile.am
+--- Linux-PAM-1.1.6/modules/pam_unix/Makefile.am.relro 2012-08-15 13:08:43.000000000 +0200
++++ Linux-PAM-1.1.6/modules/pam_unix/Makefile.am 2012-09-03 15:21:31.464424910 +0200
+@@ -55,13 +55,13 @@ bigcrypt_LDADD = @LIBCRYPT@
+ unix_chkpwd_SOURCES = unix_chkpwd.c md5_good.c md5_broken.c bigcrypt.c \
+ passverify.c
+ unix_chkpwd_CFLAGS = $(AM_CFLAGS) @PIE_CFLAGS@ -DHELPER_COMPILE=\"unix_chkpwd\"
+-unix_chkpwd_LDFLAGS = @PIE_LDFLAGS@
++unix_chkpwd_LDFLAGS = -Wl,-z,now @PIE_LDFLAGS@
+ unix_chkpwd_LDADD = @LIBCRYPT@ @LIBSELINUX@ @LIBAUDIT@
+
+ unix_update_SOURCES = unix_update.c md5_good.c md5_broken.c bigcrypt.c \
+ passverify.c
+ unix_update_CFLAGS = $(AM_CFLAGS) @PIE_CFLAGS@ -DHELPER_COMPILE=\"unix_update\"
+-unix_update_LDFLAGS = @PIE_LDFLAGS@
++unix_update_LDFLAGS = -Wl,-z,now @PIE_LDFLAGS@
+ unix_update_LDADD = @LIBCRYPT@ @LIBSELINUX@
+
+ if ENABLE_REGENERATE_MAN
diff --git a/pam.spec b/pam.spec
index b0b0d8c..eb1858e 100644
--- a/pam.spec
+++ b/pam.spec
@@ -3,7 +3,7 @@
Summary: An extensible library which provides authentication for applications
Name: pam
Version: 1.1.6
-Release: 1%{?dist}
+Release: 2%{?dist}
# The library is BSD licensed with option to relicense as GPLv2+
# - this option is redundant as the BSD license allows that anyway.
# pam_timestamp, pam_loginuid, and pam_console modules are GPLv2+.
@@ -38,6 +38,8 @@ Patch10: pam-1.1.3-nouserenv.patch
Patch11: pam-1.1.3-console-abstract.patch
Patch12: pam-1.1.3-faillock-screensaver.patch
Patch13: pam-1.1.5-limits-user.patch
+Patch14: pam-1.1.6-audit-data.patch
+Patch15: pam-1.1.6-full-relro.patch
# FIPS related - non upstreamable
Patch20: pam-1.1.5-unix-no-fallback.patch
# Upstreamed
@@ -116,6 +118,8 @@ mv pam-redhat-%{pam_redhat_version}/* modules
%patch11 -p1 -b .abstract
%patch12 -p1 -b .screensaver
%patch13 -p1 -b .limits
+%patch14 -p1 -b .audata
+%patch15 -p1 -b .relro
%patch20 -p1 -b .no-fallback
%patch21 -p1 -b .empty
%patch22 -p1 -b .build
@@ -373,6 +377,10 @@ fi
%doc doc/adg/*.txt doc/adg/html
%changelog
+* Mon Sep 3 2012 Tomas Mraz <tmraz at redhat.com> 1.1.6-2
+- link setuid binaries with full relro (#853158)
+- add rhost and tty to auditing data in modules (#677664)
+
* Fri Aug 17 2012 Tomas Mraz <tmraz at redhat.com> - 1.1.6-1
- new upstream release
More information about the scm-commits
mailing list