[proftpd] Fix for retaining root privs for PAM session closure (#951728)
Paul Howarth
pghmcfc at fedoraproject.org
Tue Apr 16 18:45:06 UTC 2013
commit 9f2fb5f2fa5ae0f9cc576ca985f97bc2a8f3e22a
Author: Paul Howarth <paul at city-fan.org>
Date: Tue Apr 16 19:43:00 2013 +0100
Fix for retaining root privs for PAM session closure (#951728)
Make sure we can switch back to root before closing PAM sessions so that
they're closed properly and don't pollute the system logs with dbus reject
messages (#951728, upstream bug #3929)
pam-close-bug3929.patch | 55 +++++++++++++++++++++++++++++++++++++++++++++++
proftpd.spec | 12 +++++++++-
2 files changed, 66 insertions(+), 1 deletions(-)
---
diff --git a/pam-close-bug3929.patch b/pam-close-bug3929.patch
new file mode 100644
index 0000000..0a27c72
--- /dev/null
+++ b/pam-close-bug3929.patch
@@ -0,0 +1,55 @@
+Index: modules/mod_auth_pam.c
+===================================================================
+RCS file: /cvsroot/proftp/proftpd/modules/mod_auth_pam.c,v
+retrieving revision 1.27
+diff -u -r1.27 mod_auth_pam.c
+--- modules/mod_auth_pam.c 26 Feb 2013 23:12:31 -0000 1.27
++++ modules/mod_auth_pam.c 16 Apr 2013 16:53:54 -0000
+@@ -171,7 +171,7 @@
+ };
+
+ static void auth_pam_exit_ev(const void *event_data, void *user_data) {
+- int pam_error = 0;
++ int pam_error = 0, disable_id_switching;
+
+ /* Sanity check.
+ */
+@@ -182,6 +182,16 @@
+ * friends.
+ */
+ pr_signals_block();
++
++ /* If ID switching has been disabled, we need to re-enable it; some
++ * (spurious, IMHO) PAM errors can happen if pam_close_session(3) is called
++ * without proper root privs (Bug#3929).
++ */
++ disable_id_switching = session.disable_id_switching;
++ if (disable_id_switching) {
++ session.disable_id_switching = FALSE;
++ }
++
+ PRIVS_ROOT
+
+ /* Give up our credentials, close our session, and finally close out this
+@@ -209,6 +219,12 @@
+ pamh = NULL;
+ #endif
+
++ PRIVS_RELINQUISH
++ pr_signals_unblock();
++
++ /* Restore any "ID switching disabled" setting. */
++ session.disable_id_switching = disable_id_switching;
++
+ if (pam_user != NULL) {
+ memset(pam_user, '\0', pam_user_len);
+ free(pam_user);
+@@ -216,8 +232,6 @@
+ pam_user_len = 0;
+ }
+
+- PRIVS_RELINQUISH
+- pr_signals_unblock();
+ }
+
+ MODRET pam_auth(cmd_rec *cmd) {
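Review bot: Nothing after `PRIVS_ROOT` in the second nested hunk confirms that the switch to root actually took effect before the PAM teardown runs; the new code clears `session.disable_id_switching` and carries on regardless. If the flag was set because root had been dropped for good (an inference, the hunk does not show why it is set), `pam_close_session(3)` would still run unprivileged and the Bug#3929 log noise would return with nothing to explain it. I would add a check right after `PRIVS_ROOT`, such as `if (geteuid() != 0) pr_log_pri(PR_LOG_WARNING, "mod_auth_pam: unable to regain root privs before closing PAM session");`. The body of `auth_pam_exit_ev` between the second and third nested hunks is outside the patch context, so confirm that no early return there can skip `PRIVS_RELINQUISH` and the restore of `session.disable_id_switching`.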
diff --git a/proftpd.spec b/proftpd.spec
index f8697f1..e363034 100644
--- a/proftpd.spec
+++ b/proftpd.spec
@@ -41,7 +41,7 @@
%define _hardened_build 1
#global prever rc3
-%global rpmrel 1
+%global rpmrel 2
Summary: Flexible, stable and highly-configurable FTP server
Name: proftpd
@@ -62,6 +62,7 @@ Source11: http://www.castaglia.org/proftpd/modules/proftpd-mod-geoip-0.3.tar.gz
# (they are disabled by default); it is not included as part of the built package and should therefore
# not fall foul of the rules against library bundling
Source13: http://search.cpan.org/CPAN/authors/id/C/CL/CLEMBURG/Test-Unit-0.14.tar.gz
+Patch1: pam-close-bug3929.patch
Patch2: proftpd.conf-no-memcached.patch
Patch4: proftpd-1.3.4rc1-mod_vroot-test.patch
Patch5: proftpd-1.3.4-utf8.patch
@@ -202,6 +203,10 @@ cp -p mod_vroot/t/modules/mod_vroot.t tests/t/modules/
cp -p mod_geoip/mod_geoip.c contrib/
cp -p mod_geoip/mod_geoip.html doc/contrib/
+# Make sure we can close PAM sessions as root (#951728)
+# http://bugs.proftpd.org/show_bug.cgi?id=3929
+%patch1 -b .pam-privs
+
# Copy default config file into place
cp -p %{SOURCE1} proftpd.conf
@@ -527,6 +532,11 @@ fi
%{_mandir}/man1/ftpwho.1*
%changelog
+* Tue Apr 16 2013 Paul Howarth <paul at city-fan.org> 1.3.4c-2
+- Make sure we can switch back to root before closing PAM sessions so that
+ they're closed properly and don't pollute the system logs with dbus reject
+ messages (#951728, upstream bug #3929)
+
* Thu Mar 7 2013 Paul Howarth <paul at city-fan.org> 1.3.4c-1
- Update to 1.3.4c
- Added Spanish translation