[pam] Multiple bug fixes and cleanups.
Tomáš Mráz
tmraz at fedoraproject.org
Fri Mar 22 16:44:45 UTC 2013
commit 858c76dcd31c87f289ee33be475636238e234684
Author: Tomas Mraz <tmraz at fedoraproject.org>
Date: Fri Mar 22 17:44:40 2013 +0100
Multiple bug fixes and cleanups.
- do not fail if btmp file is corrupted (#906852)
- fix strict aliasing warnings in build
- UsrMove
- use authtok_type with pam_pwquality in system-auth
- remove manual_context handling from pam_selinux (#876976)
- other minor specfile cleanups
pam-1.1.6-lastlog-retval.patch | 15 ++++++
pam-1.1.6-selinux-manualctx.patch | 97 +++++++++++++++++++++++++++++++++++++
pam-1.1.6-strict-aliasing.patch | 28 +++++++++++
pam.spec | 65 ++++++++++++++----------
password-auth.pamd | 2 +-
system-auth.pamd | 2 +-
6 files changed, 180 insertions(+), 29 deletions(-)
---
diff --git a/pam-1.1.6-lastlog-retval.patch b/pam-1.1.6-lastlog-retval.patch
new file mode 100644
index 0000000..3c385f6
--- /dev/null
+++ b/pam-1.1.6-lastlog-retval.patch
@@ -0,0 +1,15 @@
+diff --git a/modules/pam_lastlog/pam_lastlog.c b/modules/pam_lastlog/pam_lastlog.c
+index 50e5a59..bd454ff 100644
+--- a/modules/pam_lastlog/pam_lastlog.c
++++ b/modules/pam_lastlog/pam_lastlog.c
+@@ -479,6 +479,10 @@ last_login_failed(pam_handle_t *pamh, int announce, const char *user, time_t llt
+ }
+ }
+
++ if (retval != 0)
++ pam_syslog(pamh, LOG_WARNING, "corruption detected in %s", _PATH_BTMP);
++ retval = PAM_SUCCESS;
++
+ if (failed) {
+ /* we want the date? */
+ if (announce & LASTLOG_DATE) {
diff --git a/pam-1.1.6-selinux-manualctx.patch b/pam-1.1.6-selinux-manualctx.patch
new file mode 100644
index 0000000..b9afeab
--- /dev/null
+++ b/pam-1.1.6-selinux-manualctx.patch
@@ -0,0 +1,97 @@
+diff -up Linux-PAM-1.1.6/modules/pam_selinux/pam_selinux.c.manualctx Linux-PAM-1.1.6/modules/pam_selinux/pam_selinux.c
+--- Linux-PAM-1.1.6/modules/pam_selinux/pam_selinux.c.manualctx 2012-09-03 15:23:21.000000000 +0200
++++ Linux-PAM-1.1.6/modules/pam_selinux/pam_selinux.c 2012-11-30 21:03:40.000000000 +0100
+@@ -161,81 +161,6 @@ query_response (pam_handle_t *pamh, cons
+ return rc;
+ }
+
+-static security_context_t
+-manual_context (pam_handle_t *pamh, const char *user, int debug)
+-{
+- security_context_t newcon=NULL;
+- context_t new_context;
+- int mls_enabled = is_selinux_mls_enabled();
+- char *type=NULL;
+- char *response=NULL;
+-
+- while (1) {
+- if (query_response(pamh,
+- _("Would you like to enter a security context? [N] "), NULL,
+- &response, debug) != PAM_SUCCESS)
+- return NULL;
+-
+- if ((response[0] == 'y') || (response[0] == 'Y'))
+- {
+- if (mls_enabled)
+- new_context = context_new ("user:role:type:level");
+- else
+- new_context = context_new ("user:role:type");
+-
+- if (!new_context)
+- goto fail_set;
+-
+- if (context_user_set (new_context, user))
+- goto fail_set;
+-
+- _pam_drop(response);
+- /* Allow the user to enter each field of the context individually */
+- if (query_response(pamh, _("role:"), NULL, &response, debug) == PAM_SUCCESS &&
+- response[0] != '\0') {
+- if (context_role_set (new_context, response))
+- goto fail_set;
+- if (get_default_type(response, &type))
+- goto fail_set;
+- if (context_type_set (new_context, type))
+- goto fail_set;
+- _pam_drop(type);
+- }
+- _pam_drop(response);
+-
+- if (mls_enabled)
+- {
+- if (query_response(pamh, _("level:"), NULL, &response, debug) == PAM_SUCCESS &&
+- response[0] != '\0') {
+- if (context_range_set (new_context, response))
+- goto fail_set;
+- }
+- _pam_drop(response);
+- }
+-
+- /* Get the string value of the context and see if it is valid. */
+- if (!security_check_context(context_str(new_context))) {
+- newcon = strdup(context_str(new_context));
+- context_free (new_context);
+- return newcon;
+- }
+- else
+- send_text(pamh,_("Not a valid security context"),debug);
+-
+- context_free (new_context);
+- }
+- else {
+- _pam_drop(response);
+- return NULL;
+- }
+- } /* end while */
+- fail_set:
+- free(type);
+- _pam_drop(response);
+- context_free (new_context);
+- return NULL;
+-}
+-
+ static int mls_range_allowed(pam_handle_t *pamh, security_context_t src, security_context_t dst, int debug)
+ {
+ struct av_decision avd;
+@@ -606,11 +531,6 @@ compute_exec_context(pam_handle_t *pamh,
+ data->exec_context = context_from_env(pamh, data->default_user_context,
+ env_params, use_current_range,
+ debug);
+- } else {
+- if (seuser) {
+- data->exec_context = manual_context(pamh, seuser, debug);
+- free(seuser);
+- }
+ }
+
+ if (!data->exec_context) {
diff --git a/pam-1.1.6-strict-aliasing.patch b/pam-1.1.6-strict-aliasing.patch
new file mode 100644
index 0000000..1409b24
--- /dev/null
+++ b/pam-1.1.6-strict-aliasing.patch
@@ -0,0 +1,28 @@
+diff --git a/modules/pam_namespace/md5.c b/modules/pam_namespace/md5.c
+index ce4f7d6..dc95ab1 100644
+--- a/modules/pam_namespace/md5.c
++++ b/modules/pam_namespace/md5.c
+@@ -142,8 +142,7 @@ void MD5Name(MD5Final)(unsigned char digest[16], struct MD5Context *ctx)
+ byteReverse(ctx->in, 14);
+
+ /* Append length in bits and transform */
+- ((uint32 *) ctx->in)[14] = ctx->bits[0];
+- ((uint32 *) ctx->in)[15] = ctx->bits[1];
++ memcpy((uint32 *)ctx->in + 14, ctx->bits, 2*sizeof(uint32));
+
+ MD5Name(MD5Transform)(ctx->buf, (uint32 *) ctx->in);
+ byteReverse((unsigned char *) ctx->buf, 4);
+diff --git a/modules/pam_unix/md5.c b/modules/pam_unix/md5.c
+index 7881db5..94f0485 100644
+--- a/modules/pam_unix/md5.c
++++ b/modules/pam_unix/md5.c
+@@ -142,8 +142,7 @@ void MD5Name(MD5Final)(unsigned char digest[16], struct MD5Context *ctx)
+ byteReverse(ctx->in, 14);
+
+ /* Append length in bits and transform */
+- ((uint32 *) ctx->in)[14] = ctx->bits[0];
+- ((uint32 *) ctx->in)[15] = ctx->bits[1];
++ memcpy((uint32 *)ctx->in + 14, ctx->bits, 2*sizeof(uint32));
+
+ MD5Name(MD5Transform)(ctx->buf, (uint32 *) ctx->in);
+ byteReverse((unsigned char *) ctx->buf, 4);
diff --git a/pam.spec b/pam.spec
index d322fd2..15669de 100644
--- a/pam.spec
+++ b/pam.spec
@@ -3,7 +3,7 @@
Summary: An extensible library which provides authentication for applications
Name: pam
Version: 1.1.6
-Release: 8%{?dist}
+Release: 9%{?dist}
# The library is BSD licensed with option to relicense as GPLv2+
# - this option is redundant as the BSD license allows that anyway.
# pam_timestamp, pam_loginuid, and pam_console modules are GPLv2+.
@@ -52,9 +52,15 @@ Patch23: pam-1.1.6-autoupdate.patch
Patch24: pam-1.1.6-namespace-mntopts.patch
# Upstreamed
Patch25: pam-1.1.6-crypt-null-check.patch
+# Upstreamed
+Patch26: pam-1.1.6-lastlog-retval.patch
+# Sent to upstream for review
+Patch27: pam-1.1.6-strict-aliasing.patch
+# Upstreamed
+Patch28: pam-1.1.6-selinux-manualctx.patch
-%define _sbindir /sbin
-%define _moduledir /%{_lib}/security
+%define _pamlibdir %{_libdir}
+%define _moduledir %{_libdir}/security
%define _secconfdir %{_sysconfdir}/security
%define _pamconfdir %{_sysconfdir}/pam.d
@@ -65,7 +71,6 @@ Patch25: pam-1.1.6-crypt-null-check.patch
%define WITH_AUDIT 1
%endif
-BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n)
Requires: cracklib-dicts >= 2.8
Requires: libpwquality >= 0.9.9
Requires(post): coreutils, /sbin/ldconfig
@@ -88,7 +93,7 @@ BuildRequires: libdb-devel
BuildRequires: linuxdoc-tools, w3m, libxslt
BuildRequires: docbook-style-xsl, docbook-dtds
-URL: http://www.us.kernel.org/pub/linux/libs/pam/index.html
+URL: http://www.linux-pam.org/
%description
PAM (Pluggable Authentication Modules) is a system security tool that
@@ -133,11 +138,15 @@ mv pam-redhat-%{pam_redhat_version}/* modules
%patch23 -p1 -b .autoupdate
%patch24 -p1 -b .mntopts
%patch25 -p1 -b .null-check
+%patch26 -p1 -b .retval
+%patch27 -p1 -b .strict-aliasing
+%patch28 -p1 -b .manualctx
+
%build
autoreconf -i
%configure \
- --libdir=/%{_lib} \
+ --libdir=%{_pamlibdir} \
--includedir=%{_includedir}/security \
--disable-static \
--disable-prelude \
@@ -152,8 +161,6 @@ make
# we do not use _smp_mflags because the build of sources in yacc/flex fails
%install
-rm -rf $RPM_BUILD_ROOT
-
mkdir -p doc/txts
for readme in modules/pam_*/README ; do
cp -f ${readme} doc/txts/README.`dirname ${readme} | sed -e 's|^modules/||'`
@@ -200,22 +207,24 @@ done
# Remove .la files and make new .so links -- this depends on the value
# of _libdir not changing, and *not* being /usr/lib.
+for lib in libpam libpamc libpam_misc ; do
+rm -f $RPM_BUILD_ROOT%{_pamlibdir}/${lib}.la
+done
+rm -f $RPM_BUILD_ROOT%{_moduledir}/*.la
+
+%if "%{_pamlibdir}" != "%{_libdir}"
install -d -m 755 $RPM_BUILD_ROOT%{_libdir}
for lib in libpam libpamc libpam_misc ; do
pushd $RPM_BUILD_ROOT%{_libdir}
-ln -sf ../../%{_lib}/${lib}.so.*.* ${lib}.so
+ln -sf %{_pamlibdir}/${lib}.so.*.* ${lib}.so
popd
-rm -f $RPM_BUILD_ROOT/%{_lib}/${lib}.so
-rm -f $RPM_BUILD_ROOT/%{_lib}/${lib}.la
+rm -f $RPM_BUILD_ROOT%{_pamlibdir}/${lib}.so
done
-rm -f $RPM_BUILD_ROOT%{_moduledir}/*.la
+%endif
# Duplicate doc file sets.
rm -fr $RPM_BUILD_ROOT/usr/share/doc/pam
-# Create /lib/security in case it isn't the same as %{_moduledir}.
-install -m755 -d $RPM_BUILD_ROOT/lib/security
-
# Install the file for autocreation of /var/run subdirectories on boot
install -m644 -D %{SOURCE15} $RPM_BUILD_ROOT%{_prefix}/lib/tmpfiles.d/pam.conf
@@ -242,18 +251,15 @@ done
# Check for module problems. Specifically, check that every module we just
# installed can actually be loaded by a minimal PAM-aware application.
-/sbin/ldconfig -n $RPM_BUILD_ROOT/%{_lib}
+/sbin/ldconfig -n $RPM_BUILD_ROOT%{_pamlibdir}
for module in $RPM_BUILD_ROOT%{_moduledir}/pam*.so ; do
- if ! env LD_LIBRARY_PATH=$RPM_BUILD_ROOT/%{_lib} \
- %{SOURCE11} -ldl -lpam -L$RPM_BUILD_ROOT/%{_libdir} ${module} ; then
+ if ! env LD_LIBRARY_PATH=$RPM_BUILD_ROOT%{_pamlibdir} \
+ %{SOURCE11} -ldl -lpam -L$RPM_BUILD_ROOT%{_libdir} ${module} ; then
echo ERROR module: ${module} cannot be loaded.
exit 1
fi
done
-%clean
-rm -rf $RPM_BUILD_ROOT
-
%post
/sbin/ldconfig
if [ ! -e /var/log/tallylog ] ; then
@@ -276,9 +282,9 @@ fi
%doc doc/txts
%doc doc/sag/*.txt doc/sag/html
%doc doc/specs/rfc86.0.txt
-/%{_lib}/libpam.so.*
-/%{_lib}/libpamc.so.*
-/%{_lib}/libpam_misc.so.*
+%{_pamlibdir}/libpam.so.*
+%{_pamlibdir}/libpamc.so.*
+%{_pamlibdir}/libpam_misc.so.*
%{_sbindir}/pam_console_apply
%{_sbindir}/pam_tally2
%{_sbindir}/faillock
@@ -286,9 +292,6 @@ fi
%attr(4755,root,root) %{_sbindir}/unix_chkpwd
%attr(0700,root,root) %{_sbindir}/unix_update
%attr(0755,root,root) %{_sbindir}/mkhomedir_helper
-%if %{_lib} != lib
-%dir /lib/security
-%endif
%dir %{_moduledir}
%{_moduledir}/pam_access.so
%{_moduledir}/pam_chroot.so
@@ -386,6 +389,14 @@ fi
%doc doc/adg/*.txt doc/adg/html
%changelog
+* Fri Mar 22 2013 Tomáš Mráz <tmraz at redhat.com> 1.1.6-9
+- do not fail if btmp file is corrupted (#906852)
+- fix strict aliasing warnings in build
+- UsrMove
+- use authtok_type with pam_pwquality in system-auth
+- remove manual_context handling from pam_selinux (#876976)
+- other minor specfile cleanups
+
* Tue Mar 19 2013 Tomáš Mráz <tmraz at redhat.com> 1.1.6-8
- check NULL return from crypt() calls (#915316)
diff --git a/password-auth.pamd b/password-auth.pamd
index 5e33723..6020c9d 100644
--- a/password-auth.pamd
+++ b/password-auth.pamd
@@ -7,7 +7,7 @@ auth required pam_deny.so
account required pam_unix.so
-password requisite pam_pwquality.so try_first_pass retry=3 type=
+password requisite pam_pwquality.so try_first_pass retry=3 authtok_type=
password sufficient pam_unix.so try_first_pass use_authtok nullok sha512 shadow
password required pam_deny.so
diff --git a/system-auth.pamd b/system-auth.pamd
index 5e33723..6020c9d 100644
--- a/system-auth.pamd
+++ b/system-auth.pamd
@@ -7,7 +7,7 @@ auth required pam_deny.so
account required pam_unix.so
-password requisite pam_pwquality.so try_first_pass retry=3 type=
+password requisite pam_pwquality.so try_first_pass retry=3 authtok_type=
password sufficient pam_unix.so try_first_pass use_authtok nullok sha512 shadow
password required pam_deny.so
More information about the scm-commits
mailing list