New version 1.3.0

Re-diff patches
This commit is contained in:
Andrey Bondrov 2016-09-19 17:31:47 +10:00
parent 99c795ee00
commit 0c0a8a017b
27 changed files with 376 additions and 1685 deletions


@ -1,3 +1,3 @@
sources: sources:
Linux-PAM-1.1.8.tar.bz2: f8ce53c67363f78d520392fa1c253c4978058be1 Linux-PAM-1.3.0.tar.bz2: e956252e81d824c35a60c9b50919ca0767f8a8ec
pam-redhat-0.99.10-1.tar.bz2: 09e618edc5dcda9a6eb435a31db742afca673ae1 pam-redhat-0.99.11.tar.bz2: 42206fe8319723ef23ab646b2eab496c86de3f5b


@ -0,0 +1,12 @@
diff -urN Linux-PAM-1.3.0/modules/pam_console/Makefile.am Linux-PAM-1.3.0-patched/modules/pam_console/Makefile.am
--- Linux-PAM-1.3.0/modules/pam_console/Makefile.am 2014-02-01 00:17:53.000000000 +1100
+++ Linux-PAM-1.3.0-patched/modules/pam_console/Makefile.am 2016-09-19 17:27:50.713209337 +1000
@@ -50,6 +50,8 @@
pam_console_la_CFLAGS = $(AM_CFLAGS)
pam_console_apply_CFLAGS = $(AM_CFLAGS)
+configfile.tab.h: configfile.tab.c
+
configfile.tab.c: configfile.y
$(YACC) $(BISON_OPTS) -o $@ -p _pc_yy $<
sh $(srcdir)/sed-static $@
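Review bot: The new recipe-less rule `configfile.tab.h: configfile.tab.c` carries no comment, so a later maintainer is likely to read it as a dependency missing its recipe rather than as a deliberate ordering constraint. I would add above it `# configfile.tab.h is emitted by the same $(YACC) invocation that produces configfile.tab.c; this recipe-less rule only orders the two so parallel builds do not race on the header`. That wording assumes $(BISON_OPTS) asks bison for the header, which is not visible in this hunk and should be confirmed against the Makefile.am.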


@ -1,67 +0,0 @@
--- a/modules/pam_xauth/pam_xauth.c 2010-10-08 13:56:11.000000000 +0200
+++ b/modules/pam_xauth/pam_xauth.c.oden 2010-11-03 11:23:06.714312576 +0100
@@ -90,7 +90,7 @@ static const char * const xauthpaths[] =
* given input on stdin, and storing any output it generates. */
static int
run_coprocess(pam_handle_t *pamh, const char *input, char **output,
- uid_t uid, gid_t gid, const char *command, ...)
+ uid_t uid, gid_t gid, const char *name, const char *command, ...)
{
int ipipe[2], opipe[2], i;
char buf[LINE_MAX];
@@ -141,6 +141,12 @@ run_coprocess(pam_handle_t *pamh, const
pam_syslog (pamh, LOG_ERR, "setgroups() failed: %m");
_exit (err);
}
+
+ /* Mandriva Linux specific:
+ * we need to set the extra groups because in high security levels
+ * access to /usr/X11R6/bin dir is controlled by a group */
+ initgroups(name, gid);
+
if (setuid(uid) == -1)
{
int err = errno;
@@ -148,6 +154,7 @@ run_coprocess(pam_handle_t *pamh, const
(unsigned long) geteuid ());
_exit (err);
}
+
/* Initialize the argument list. */
memset(args, 0, sizeof(args));
/* Set the pipe descriptors up as stdin and stdout, and close
@@ -173,6 +180,7 @@ run_coprocess(pam_handle_t *pamh, const
}
/* Run the command. */
execv(command, args);
+ syslog(LOG_ERR, "pam_xauth: execvp of %s failed: %m", command);
/* Never reached. */
_exit(1);
}
@@ -508,7 +516,7 @@ pam_sm_open_session (pam_handle_t *pamh,
(unsigned long) getuid(), (unsigned long) getgid());
}
if (run_coprocess(pamh, NULL, &cookie,
- getuid(), getgid(),
+ getuid(), getgid(), rpwd->pw_name,
xauth, "-f", cookiefile, "nlist", display,
NULL) == 0) {
#ifdef WITH_SELINUX
@@ -567,7 +575,7 @@ pam_sm_open_session (pam_handle_t *pamh,
(unsigned long) getgid());
}
run_coprocess(pamh, NULL, &cookie,
- getuid(), getgid(),
+ getuid(), getgid(), rpwd->pw_name,
xauth, "-f", cookiefile,
"nlist", t, NULL);
}
@@ -709,7 +717,7 @@ pam_sm_open_session (pam_handle_t *pamh,
(unsigned long) tpwd->pw_gid);
}
run_coprocess(pamh, cookie, &tmp,
- tpwd->pw_uid, tpwd->pw_gid,
+ tpwd->pw_uid, tpwd->pw_gid, tpwd->pw_name,
xauth, "-f", cookiefile, "nmerge", "-", NULL);
/* We don't need to keep a copy of these around any more. */


@ -1,71 +0,0 @@
diff -up Linux-PAM-1.1.0/modules/pam_console/handlers.c.consolefix Linux-PAM-1.1.0/modules/pam_console/handlers.c
--- Linux-PAM-1.1.0/modules/pam_console/handlers.c.consolefix 2009-11-02 08:45:24.000000000 +0100
+++ Linux-PAM-1.1.0/modules/pam_console/handlers.c 2009-11-02 08:50:19.000000000 +0100
@@ -172,13 +172,13 @@ call_exec(struct console_handler *handle
const char *flagptr;
const char **argv;
int i = 0;
- argv = malloc(sizeof(*argv)*nparams+2);
-
+ argv = malloc(sizeof(*argv)*(nparams+2));
+
if (argv == NULL)
return;
-
+
argv[i++] = handler->executable;
-
+
for (flagptr = handler->flags; *flagptr != '\0'; flagptr += strlen(flagptr)+1) {
switch (testflag(flagptr)) {
case HF_LOGFAIL:
@@ -231,7 +231,7 @@ execute_handler(pam_handle_t *pamh, stru
}
sighandler = signal(SIGCHLD, SIG_DFL);
-
+
child = fork();
switch (child) {
case -1:
@@ -246,30 +246,31 @@ execute_handler(pam_handle_t *pamh, stru
if (!wait_exit) {
switch(fork()) {
case 0:
- exit(0);
+ if(setsid() == -1) {
+ _exit(255);
+ }
+ break;
case -1:
- exit(255);
+ _exit(255);
default:
- if(setsid() == -1) {
- exit(255);
- }
+ _exit(0);
}
}
if (set_uid) {
struct passwd *pw;
pw = getpwnam(user);
if (pw == NULL)
- exit(255);
+ _exit(255);
if (setgid(pw->pw_gid) == -1 ||
setuid(pw->pw_uid) == -1)
- exit(255);
+ _exit(255);
}
call_exec(handler, nparams, user, tty);
- exit(255);
+ _exit(255);
default:
break;
}
-
+
waitpid(child, &rv, 0);
if (sighandler != SIG_ERR)


@ -1,82 +0,0 @@
diff -up Linux-PAM-1.1.3/modules/pam_console/pam_console.c.abstract Linux-PAM-1.1.3/modules/pam_console/pam_console.c
--- Linux-PAM-1.1.3/modules/pam_console/pam_console.c.abstract 2008-12-16 13:37:52.000000000 +0100
+++ Linux-PAM-1.1.3/modules/pam_console/pam_console.c 2010-11-01 17:01:55.000000000 +0100
@@ -34,6 +34,8 @@
#include <sys/types.h>
#include <sys/stat.h>
#include <sys/param.h>
+#include <sys/socket.h>
+#include <sys/un.h>
#include <fcntl.h>
#include <unistd.h>
#include <stdio.h>
@@ -136,6 +138,32 @@ check_one_console_name(const char *name,
}
static int
+try_xsocket(const char *path, size_t len) {
+ int fd;
+ union {
+ struct sockaddr sa;
+ struct sockaddr_un su;
+ } addr;
+
+ fd = socket(AF_UNIX, SOCK_STREAM, 0);
+ if (fd < 0)
+ return 0;
+
+ memset(&addr, 0, sizeof(addr));
+ addr.su.sun_family = AF_UNIX;
+
+ if (len > sizeof(addr.su.sun_path))
+ return 0;
+ memcpy(addr.su.sun_path, path, len);
+ if (connect(fd, &addr.sa, sizeof(addr.su)) == 0) {
+ close(fd);
+ return 1;
+ }
+ close(fd);
+ return 0;
+}
+
+static int
check_console_name(pam_handle_t *pamh, const char *consolename, int nonroot_ok, int on_set) {
int found = 0;
int statted = 0;
@@ -186,22 +214,29 @@ check_console_name(pam_handle_t *pamh, c
if (!statted && (consolename[0] == ':')) {
int l;
char *dot = NULL;
- strcpy(full_path, "/tmp/.X11-unix/X");
- l = sizeof(full_path) - 1 - strlen(full_path);
+ char *path = full_path + 1;
+
+ full_path[0] = '\0';
+ strcpy(path, "/tmp/.X11-unix/X");
+ l = sizeof(full_path) - 2 - strlen(path);
dot = strchr(consolename + 1, '.');
if (dot != NULL) {
l = (l < dot - consolename - 1) ? l : dot - consolename - 1;
}
- strncat(full_path, consolename + 1, l);
+ strncat(path, consolename + 1, l);
full_path[sizeof(full_path) - 1] = '\0';
- _pam_log(pamh, LOG_DEBUG, TRUE, "checking possible console \"%s\"",
- full_path);
- if (lstat(full_path, &st) != -1) {
+ _pam_log(pamh, LOG_DEBUG, TRUE, "checking possible X socket \"%s\"",
+ path);
+
+ /* this will work because st.st_uid is 0 */
+ if (try_xsocket(full_path, strlen(path)+1)) {
+ statted = 1;
+ } else if (try_xsocket(path, strlen(path))) {
statted = 1;
}
else if (!on_set) { /* there is no X11 socket in case of X11 crash */
_pam_log(pamh, LOG_DEBUG, TRUE, "can't find X11 socket to examine for %s probably due to X crash", consolename);
- statted = 1; /* this will work because st.st_uid is 0 */
+ statted = 1;
}
}


@ -1,98 +0,0 @@
diff -up Linux-PAM-1.1.6/modules/pam_mkhomedir/pam_mkhomedir.c.std-noclose Linux-PAM-1.1.6/modules/pam_mkhomedir/pam_mkhomedir.c
--- Linux-PAM-1.1.6/modules/pam_mkhomedir/pam_mkhomedir.c.std-noclose 2012-08-15 13:08:43.000000000 +0200
+++ Linux-PAM-1.1.6/modules/pam_mkhomedir/pam_mkhomedir.c 2012-08-17 13:25:20.684075361 +0200
@@ -133,13 +133,21 @@ create_homedir (pam_handle_t *pamh, opti
if (child == 0) {
int i;
struct rlimit rlim;
+ int dummyfds[2];
static char *envp[] = { NULL };
char *args[] = { NULL, NULL, NULL, NULL, NULL };
+ /* replace std file descriptors with a dummy pipe */
+ if (pipe(dummyfds) == 0) {
+ dup2(dummyfds[0], STDIN_FILENO);
+ dup2(dummyfds[1], STDOUT_FILENO);
+ dup2(dummyfds[1], STDERR_FILENO);
+ }
+
if (getrlimit(RLIMIT_NOFILE, &rlim)==0) {
if (rlim.rlim_max >= MAX_FD_NO)
rlim.rlim_max = MAX_FD_NO;
- for (i=0; i < (int)rlim.rlim_max; i++) {
+ for (i = STDERR_FILENO + 1; i < (int)rlim.rlim_max; i++) {
close(i);
}
}
diff -up Linux-PAM-1.1.6/modules/pam_unix/pam_unix_acct.c.std-noclose Linux-PAM-1.1.6/modules/pam_unix/pam_unix_acct.c
--- Linux-PAM-1.1.6/modules/pam_unix/pam_unix_acct.c.std-noclose 2012-08-15 13:08:43.000000000 +0200
+++ Linux-PAM-1.1.6/modules/pam_unix/pam_unix_acct.c 2012-08-17 13:22:51.664560481 +0200
@@ -105,16 +105,18 @@ int _unix_run_verify_binary(pam_handle_t
/* reopen stdout as pipe */
dup2(fds[1], STDOUT_FILENO);
+ /* and replace also the stdin, stderr so we do not exec the helper with
+ tty as stdin, it will not read anything from there anyway */
+ dup2(fds[0], STDIN_FILENO);
+ dup2(fds[1], STDERR_FILENO);
/* XXX - should really tidy up PAM here too */
if (getrlimit(RLIMIT_NOFILE,&rlim)==0) {
if (rlim.rlim_max >= MAX_FD_NO)
rlim.rlim_max = MAX_FD_NO;
- for (i=0; i < (int)rlim.rlim_max; i++) {
- if (i != STDOUT_FILENO) {
- close(i);
- }
+ for (i = STDERR_FILENO + 1; i < (int)rlim.rlim_max; i++) {
+ close(i);
}
}
diff -up Linux-PAM-1.1.6/modules/pam_unix/pam_unix_passwd.c.std-noclose Linux-PAM-1.1.6/modules/pam_unix/pam_unix_passwd.c
--- Linux-PAM-1.1.6/modules/pam_unix/pam_unix_passwd.c.std-noclose 2012-08-15 13:08:43.000000000 +0200
+++ Linux-PAM-1.1.6/modules/pam_unix/pam_unix_passwd.c 2012-08-17 14:10:38.917346789 +0200
@@ -210,13 +210,16 @@ static int _unix_run_update_binary(pam_h
/* reopen stdin as pipe */
dup2(fds[0], STDIN_FILENO);
+ /* and replace also the stdout/err as the helper will
+ not write anything there */
+ dup2(fds[1], STDOUT_FILENO);
+ dup2(fds[1], STDERR_FILENO);
if (getrlimit(RLIMIT_NOFILE,&rlim)==0) {
if (rlim.rlim_max >= MAX_FD_NO)
rlim.rlim_max = MAX_FD_NO;
- for (i=0; i < (int)rlim.rlim_max; i++) {
- if (i != STDIN_FILENO)
- close(i);
+ for (i = STDERR_FILENO + 1; i < (int)rlim.rlim_max; i++) {
+ close(i);
}
}
diff -up Linux-PAM-1.1.6/modules/pam_unix/support.c.std-noclose Linux-PAM-1.1.6/modules/pam_unix/support.c
--- Linux-PAM-1.1.6/modules/pam_unix/support.c.std-noclose 2012-08-15 13:08:43.000000000 +0200
+++ Linux-PAM-1.1.6/modules/pam_unix/support.c 2012-08-17 14:12:10.833511475 +0200
@@ -469,13 +469,16 @@ static int _unix_run_helper_binary(pam_h
/* reopen stdin as pipe */
dup2(fds[0], STDIN_FILENO);
+ /* and replace also the stdout/err as the helper will
+ not write anything there */
+ dup2(fds[1], STDOUT_FILENO);
+ dup2(fds[1], STDERR_FILENO);
if (getrlimit(RLIMIT_NOFILE,&rlim)==0) {
if (rlim.rlim_max >= MAX_FD_NO)
rlim.rlim_max = MAX_FD_NO;
- for (i=0; i < (int)rlim.rlim_max; i++) {
- if (i != STDIN_FILENO)
- close(i);
+ for (i = STDERR_FILENO + 1; i < (int)rlim.rlim_max; i++) {
+ close(i);
}
}


@ -1,48 +0,0 @@
diff -up Linux-PAM-1.1.7/modules/pam_tty_audit/pam_tty_audit.c.tty-audit-init Linux-PAM-1.1.7/modules/pam_tty_audit/pam_tty_audit.c
--- Linux-PAM-1.1.7/modules/pam_tty_audit/pam_tty_audit.c.tty-audit-init 2013-08-28 10:53:40.000000000 +0200
+++ Linux-PAM-1.1.7/modules/pam_tty_audit/pam_tty_audit.c 2013-10-04 14:51:19.944994905 +0200
@@ -36,6 +36,7 @@
USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH
DAMAGE. */
+#include "config.h"
#include <errno.h>
#include <fnmatch.h>
#include <stdlib.h>
@@ -108,7 +109,7 @@ nl_recv (int fd, unsigned type, void *bu
struct msghdr msg;
struct nlmsghdr nlm;
struct iovec iov[2];
- ssize_t res;
+ ssize_t res, resdiff;
again:
iov[0].iov_base = &nlm;
@@ -160,12 +161,17 @@ nl_recv (int fd, unsigned type, void *bu
res = recvmsg (fd, &msg, 0);
if (res == -1)
return -1;
- if ((size_t)res != NLMSG_LENGTH (size)
+ resdiff = NLMSG_LENGTH(size) - (size_t)res;
+ if (resdiff < 0
|| nlm.nlmsg_type != type)
{
errno = EIO;
return -1;
}
+ else if (resdiff > 0)
+ {
+ memset((char *)buf + res, 0, resdiff);
+ }
return 0;
}
@@ -275,6 +281,8 @@ pam_sm_open_session (pam_handle_t *pamh,
return PAM_SESSION_ERR;
}
+ memcpy(&new_status, old_status, sizeof(new_status));
+
new_status.enabled = (command == CMD_ENABLE ? 1 : 0);
#ifdef HAVE_STRUCT_AUDIT_TTY_STATUS_LOG_PASSWD
new_status.log_passwd = log_passwd;


@ -1,435 +0,0 @@
From 0d29e379601819c7f7ed8de18b54de803a9f4049 Mon Sep 17 00:00:00 2001
From: Tomas Mraz <tmraz@fedoraproject.org>
Date: Fri, 5 Sep 2014 09:09:37 +0200
Subject: [PATCH] Add grantor field to audit records of libpam.
The grantor field gives audit trail of PAM modules which granted access
for successful return from libpam calls. In case of failed return
the grantor field is set to '?'.
libpam/pam_account.c (pam_acct_mgmt): Remove _pam_auditlog() call.
libpam/pam_auth.c (pam_authenticate, pam_setcred): Likewise.
libpam/pam_password.c (pam_chauthtok): Likewise.
libpam/pam_session.c (pam_open_session, pam_close_session): Likewise.
libpam/pam_audit.c (_pam_audit_writelog): Add grantors parameter,
add grantor= field to the message if grantors is set.
(_pam_list_grantors): New function creating the string with grantors list.
(_pam_auditlog): Add struct handler pointer parameter, call _pam_list_grantors()
to list the grantors from the handler list.
(_pam_audit_end): Add NULL handler parameter to _pam_auditlog() call.
(pam_modutil_audit_write): Add NULL grantors parameter to _pam_audit_writelog().
libpam/pam_dispatch.c (_pam_dispatch_aux): Set h->grantor where appropriate.
(_pam_clear_grantors): New function to clear grantor field of handler.
(_pam_dispatch): Call _pam_clear_grantors() before executing the stack.
Call _pam_auditlog() when appropriate.
libpam/pam_handlers.c (extract_modulename): Do not allow empty module name
or just "?" to avoid confusing audit trail.
(_pam_add_handler): Test for NULL return from extract_modulename().
Clear grantor field of handler.
libpam/pam_private.h: Add grantor field to struct handler, add handler pointer
parameter to _pam_auditlog().
---
libpam/pam_account.c | 4 ---
libpam/pam_audit.c | 84 +++++++++++++++++++++++++++++++++++++++++++--------
libpam/pam_auth.c | 8 -----
libpam/pam_dispatch.c | 41 ++++++++++++++++++++-----
libpam/pam_handlers.c | 14 +++++++--
libpam/pam_password.c | 4 ---
libpam/pam_private.h | 3 +-
libpam/pam_session.c | 7 -----
8 files changed, 119 insertions(+), 46 deletions(-)
diff --git a/libpam/pam_account.c b/libpam/pam_account.c
index 572acc4..3a4fb1f 100644
--- a/libpam/pam_account.c
+++ b/libpam/pam_account.c
@@ -19,9 +19,5 @@ int pam_acct_mgmt(pam_handle_t *pamh, int flags)
retval = _pam_dispatch(pamh, flags, PAM_ACCOUNT);
-#ifdef HAVE_LIBAUDIT
- retval = _pam_auditlog(pamh, PAM_ACCOUNT, retval, flags);
-#endif
-
return retval;
}
diff --git a/libpam/pam_audit.c b/libpam/pam_audit.c
index 531746a..24fb799 100644
--- a/libpam/pam_audit.c
+++ b/libpam/pam_audit.c
@@ -6,12 +6,12 @@
Authors:
Steve Grubb <sgrubb@redhat.com> */
-#include <stdio.h>
-#include <syslog.h>
#include "pam_private.h"
#include "pam_modutil_private.h"
#ifdef HAVE_LIBAUDIT
+#include <stdio.h>
+#include <syslog.h>
#include <libaudit.h>
#include <pwd.h>
#include <netdb.h>
@@ -25,17 +25,24 @@
static int
_pam_audit_writelog(pam_handle_t *pamh, int audit_fd, int type,
- const char *message, int retval)
+ const char *message, const char *grantors, int retval)
{
static int old_errno = -1;
- int rc;
- char buf[32];
+ int rc = -ENOMEM;
+ char *buf;
+ const char *grantors_field = " grantors=";
- snprintf(buf, sizeof(buf), "PAM:%s", message);
+ if (grantors == NULL) {
+ grantors = "";
+ grantors_field = "";
+ }
- rc = audit_log_acct_message (audit_fd, type, NULL, buf,
- (retval != PAM_USER_UNKNOWN && pamh->user) ? pamh->user : "?",
- -1, pamh->rhost, NULL, pamh->tty, retval == PAM_SUCCESS );
+ if (asprintf(&buf, "PAM:%s%s%s", message, grantors_field, grantors) >= 0) {
+ rc = audit_log_acct_message(audit_fd, type, NULL, buf,
+ (retval != PAM_USER_UNKNOWN && pamh->user) ? pamh->user : "?",
+ -1, pamh->rhost, NULL, pamh->tty, retval == PAM_SUCCESS);
+ free(buf);
+ }
/* libaudit sets errno to his own negative error code. This can be
an official errno number, but must not. It can also be a audit
@@ -78,12 +85,54 @@ _pam_audit_open(pam_handle_t *pamh)
return audit_fd;
}
+static int
+_pam_list_grantors(struct handler *hlist, int retval, char **list)
+{
+ *list = NULL;
+
+ if (retval == PAM_SUCCESS) {
+ struct handler *h;
+ char *p = NULL;
+ size_t len = 0;
+
+ for (h = hlist; h != NULL; h = h->next) {
+ if (h->grantor) {
+ len += strlen(h->mod_name) + 1;
+ }
+ }
+
+ if (len == 0) {
+ return 0;
+ }
+
+ *list = malloc(len);
+ if (*list == NULL) {
+ return -1;
+ }
+
+ for (h = hlist; h != NULL; h = h->next) {
+ if (h->grantor) {
+ if (p == NULL) {
+ p = *list;
+ } else {
+ p = stpcpy(p, ",");
+ }
+
+ p = stpcpy(p, h->mod_name);
+ }
+ }
+ }
+
+ return 0;
+}
+
int
-_pam_auditlog(pam_handle_t *pamh, int action, int retval, int flags)
+_pam_auditlog(pam_handle_t *pamh, int action, int retval, int flags, struct handler *h)
{
const char *message;
int type;
int audit_fd;
+ char *grantors;
if ((audit_fd=_pam_audit_open(pamh)) == -1) {
return PAM_SYSTEM_ERR;
@@ -134,8 +183,17 @@ _pam_auditlog(pam_handle_t *pamh, int action, int retval, int flags)
retval = PAM_SYSTEM_ERR;
}
- if (_pam_audit_writelog(pamh, audit_fd, type, message, retval) < 0)
+ if (_pam_list_grantors(h, retval, &grantors) < 0) {
+ /* allocation failure */
+ pam_syslog(pamh, LOG_CRIT, "_pam_list_grantors() failed: %m");
retval = PAM_SYSTEM_ERR;
+ }
+
+ if (_pam_audit_writelog(pamh, audit_fd, type, message,
+ grantors ? grantors : "?", retval) < 0)
+ retval = PAM_SYSTEM_ERR;
+
+ free(grantors);
audit_close(audit_fd);
return retval;
@@ -149,7 +207,7 @@ _pam_audit_end(pam_handle_t *pamh, int status UNUSED)
* stacks having been run. Assume that this is sshd faking
* things for an unknown user.
*/
- _pam_auditlog(pamh, _PAM_ACTION_DONE, PAM_USER_UNKNOWN, 0);
+ _pam_auditlog(pamh, _PAM_ACTION_DONE, PAM_USER_UNKNOWN, 0, NULL);
}
return 0;
@@ -168,7 +226,7 @@ pam_modutil_audit_write(pam_handle_t *pamh, int type,
return retval;
}
- rc = _pam_audit_writelog(pamh, audit_fd, type, message, retval);
+ rc = _pam_audit_writelog(pamh, audit_fd, type, message, NULL, retval);
audit_close(audit_fd);
diff --git a/libpam/pam_auth.c b/libpam/pam_auth.c
index 5984fa5..1e7bc6e 100644
--- a/libpam/pam_auth.c
+++ b/libpam/pam_auth.c
@@ -45,10 +45,6 @@ int pam_authenticate(pam_handle_t *pamh, int flags)
prelude_send_alert(pamh, retval);
#endif
-#ifdef HAVE_LIBAUDIT
- retval = _pam_auditlog(pamh, PAM_AUTHENTICATE, retval, flags);
-#endif
-
return retval;
}
@@ -71,10 +67,6 @@ int pam_setcred(pam_handle_t *pamh, int flags)
retval = _pam_dispatch(pamh, flags, PAM_SETCRED);
-#ifdef HAVE_LIBAUDIT
- retval = _pam_auditlog(pamh, PAM_SETCRED, retval, flags);
-#endif
-
D(("pam_setcred exit"));
return retval;
diff --git a/libpam/pam_dispatch.c b/libpam/pam_dispatch.c
index eb52c82..cf632e8 100644
--- a/libpam/pam_dispatch.c
+++ b/libpam/pam_dispatch.c
@@ -217,8 +217,14 @@ static int _pam_dispatch_aux(pam_handle_t *pamh, int flags, struct handler *h,
status = retval;
}
}
- if ( impression == _PAM_POSITIVE && action == _PAM_ACTION_DONE ) {
- goto decision_made;
+ if ( impression == _PAM_POSITIVE ) {
+ if ( retval == PAM_SUCCESS ) {
+ h->grantor = 1;
+ }
+
+ if ( action == _PAM_ACTION_DONE ) {
+ goto decision_made;
+ }
}
break;
@@ -262,6 +268,9 @@ static int _pam_dispatch_aux(pam_handle_t *pamh, int flags, struct handler *h,
|| (impression == _PAM_POSITIVE
&& status == PAM_SUCCESS) ) {
if ( retval != PAM_IGNORE || cached_retval == retval ) {
+ if ( impression == _PAM_UNDEF && retval == PAM_SUCCESS ) {
+ h->grantor = 1;
+ }
impression = _PAM_POSITIVE;
status = retval;
}
@@ -308,6 +317,13 @@ decision_made: /* by getting here we have made a decision */
return status;
}
+static void _pam_clear_grantors(struct handler *h)
+{
+ for (; h != NULL; h = h->next) {
+ h->grantor = 0;
+ }
+}
+
/*
* This function translates the module dispatch request into a pointer
* to the stack of modules that will actually be run. the
@@ -318,21 +334,21 @@ decision_made: /* by getting here we have made a decision */
int _pam_dispatch(pam_handle_t *pamh, int flags, int choice)
{
struct handler *h = NULL;
- int retval, use_cached_chain;
+ int retval = PAM_SYSTEM_ERR, use_cached_chain;
_pam_boolean resumed;
IF_NO_PAMH("_pam_dispatch", pamh, PAM_SYSTEM_ERR);
if (__PAM_FROM_MODULE(pamh)) {
D(("called from a module!?"));
- return PAM_SYSTEM_ERR;
+ goto end;
}
/* Load all modules, resolve all symbols */
if ((retval = _pam_init_handlers(pamh)) != PAM_SUCCESS) {
pam_syslog(pamh, LOG_ERR, "unable to dispatch function");
- return retval;
+ goto end;
}
use_cached_chain = _PAM_PLEASE_FREEZE;
@@ -360,7 +376,8 @@ int _pam_dispatch(pam_handle_t *pamh, int flags, int choice)
break;
default:
pam_syslog(pamh, LOG_ERR, "undefined fn choice; %d", choice);
- return PAM_ABORT;
+ retval = PAM_ABORT;
+ goto end;
}
if (h == NULL) { /* there was no handlers.conf... entry; will use
@@ -393,11 +410,13 @@ int _pam_dispatch(pam_handle_t *pamh, int flags, int choice)
pam_syslog(pamh, LOG_ERR,
"application failed to re-exec stack [%d:%d]",
pamh->former.choice, choice);
- return PAM_ABORT;
+ retval = PAM_ABORT;
+ goto end;
}
resumed = PAM_TRUE;
} else {
resumed = PAM_FALSE;
+ _pam_clear_grantors(h);
}
__PAM_TO_MODULE(pamh);
@@ -417,5 +436,13 @@ int _pam_dispatch(pam_handle_t *pamh, int flags, int choice)
pamh->former.choice = PAM_NOT_STACKED;
}
+end:
+
+#ifdef HAVE_LIBAUDIT
+ if (choice != PAM_CHAUTHTOK || flags & PAM_UPDATE_AUTHTOK || retval != PAM_SUCCESS) {
+ retval = _pam_auditlog(pamh, choice, retval, flags, h);
+ }
+#endif
+
return retval;
}
diff --git a/libpam/pam_handlers.c b/libpam/pam_handlers.c
index 02714f7..df3a1d9 100644
--- a/libpam/pam_handlers.c
+++ b/libpam/pam_handlers.c
@@ -611,6 +611,12 @@ extract_modulename(const char *mod_path)
if (dot)
*dot = '\0';
+ if (*retval == '\0' || strcmp(retval, "?") == 0) {
+ /* do not allow empty module name or "?" to avoid confusing audit trail */
+ _pam_drop(retval);
+ return NULL;
+ }
+
return retval;
}
@@ -888,7 +894,9 @@ int _pam_add_handler(pam_handle_t *pamh
(*handler_p)->cached_retval_p = &((*handler_p)->cached_retval);
(*handler_p)->argc = argc;
(*handler_p)->argv = argv; /* not a copy */
- (*handler_p)->mod_name = extract_modulename(mod_path);
+ if (((*handler_p)->mod_name = extract_modulename(mod_path)) == NULL)
+ return PAM_ABORT;
+ (*handler_p)->grantor = 0;
(*handler_p)->next = NULL;
/* some of the modules have a second calling function */
@@ -920,7 +928,9 @@ int _pam_add_handler(pam_handle_t *pamh
} else {
(*handler_p2)->argv = NULL; /* no arguments */
}
- (*handler_p2)->mod_name = extract_modulename(mod_path);
+ if (((*handler_p2)->mod_name = extract_modulename(mod_path)) == NULL)
+ return PAM_ABORT;
+ (*handler_p2)->grantor = 0;
(*handler_p2)->next = NULL;
}
diff --git a/libpam/pam_password.c b/libpam/pam_password.c
index 75db5e5..592e01f 100644
--- a/libpam/pam_password.c
+++ b/libpam/pam_password.c
@@ -57,9 +57,5 @@ int pam_chauthtok(pam_handle_t *pamh, int flags)
D(("will resume when ready", retval));
}
-#ifdef HAVE_LIBAUDIT
- retval = _pam_auditlog(pamh, PAM_CHAUTHTOK, retval, flags);
-#endif
-
return retval;
}
diff --git a/libpam/pam_private.h b/libpam/pam_private.h
index 134dc72..d93283c 100644
--- a/libpam/pam_private.h
+++ b/libpam/pam_private.h
@@ -55,6 +55,7 @@ struct handler {
struct handler *next;
char *mod_name;
int stack_level;
+ int grantor;
};
#define PAM_HT_MODULE 0
@@ -316,7 +317,7 @@ if ((pamh) == NULL) { \
do { (pamh)->caller_is = _PAM_CALLED_FROM_APP; } while (0)
#ifdef HAVE_LIBAUDIT
-extern int _pam_auditlog(pam_handle_t *pamh, int action, int retval, int flags);
+extern int _pam_auditlog(pam_handle_t *pamh, int action, int retval, int flags, struct handler *h);
extern int _pam_audit_end(pam_handle_t *pamh, int pam_status);
#endif
diff --git a/libpam/pam_session.c b/libpam/pam_session.c
index 512153f..cb393c1 100644
--- a/libpam/pam_session.c
+++ b/libpam/pam_session.c
@@ -22,9 +22,6 @@ int pam_open_session(pam_handle_t *pamh, int flags)
}
retval = _pam_dispatch(pamh, flags, PAM_OPEN_SESSION);
-#ifdef HAVE_LIBAUDIT
- retval = _pam_auditlog(pamh, PAM_OPEN_SESSION, retval, flags);
-#endif
return retval;
}
@@ -43,10 +40,6 @@ int pam_close_session(pam_handle_t *pamh, int flags)
retval = _pam_dispatch(pamh, flags, PAM_CLOSE_SESSION);
-#ifdef HAVE_LIBAUDIT
- retval = _pam_auditlog(pamh, PAM_CLOSE_SESSION, retval, flags);
-#endif
-
return retval;
}
--
1.8.3.1


@ -1,53 +0,0 @@
--- a/modules/pam_faillock/main.c.audit-user-mgmt 2014-10-17 12:09:12.928490104 +0200
+++ b/modules/pam_faillock/main.c 2014-10-17 12:09:43.001169008 +0200
@@ -127,7 +127,6 @@ do_user(struct options *opts, const char
}
if (opts->reset) {
#ifdef HAVE_LIBAUDIT
- char buf[64];
int audit_fd;
#endif
@@ -141,10 +140,8 @@ do_user(struct options *opts, const char
if ((audit_fd=audit_open()) >= 0) {
if (pwd != NULL) {
- snprintf(buf, sizeof(buf), "faillock reset uid=%u",
- pwd->pw_uid);
- audit_log_user_message(audit_fd, AUDIT_USER_ACCT,
- buf, NULL, NULL, NULL, rv == 0);
+ audit_log_acct_message(audit_fd, AUDIT_USER_MGMT, NULL,
+ "faillock-reset", NULL, pwd->pw_uid, NULL, NULL, NULL, rv == 0);
}
close(audit_fd);
}
--- a/modules/pam_tally2/pam_tally2.c.audit-user-mgmt 2013-06-18 16:11:21.000000000 +0200
+++ b/modules/pam_tally2/pam_tally2.c 2014-10-17 12:09:12.965490940 +0200
@@ -997,9 +997,9 @@ main( int argc UNUSED, char **argv )
#ifdef HAVE_LIBAUDIT
char buf[64];
int audit_fd = audit_open();
- snprintf(buf, sizeof(buf), "pam_tally2 uid=%u reset=%hu", uid, cline_reset);
- audit_log_user_message(audit_fd, AUDIT_USER_ACCT,
- buf, NULL, NULL, ttyname(STDIN_FILENO), 1);
+ snprintf(buf, sizeof(buf), "pam_tally2 reset=%hu", cline_reset);
+ audit_log_acct_message(audit_fd, AUDIT_USER_MGMT, NULL,
+ buf, NULL, uid, NULL, NULL, ttyname(STDIN_FILENO), 1);
if (audit_fd >=0)
close(audit_fd);
#endif
@@ -1040,11 +1040,10 @@ main( int argc UNUSED, char **argv )
}
else if ( !cline_reset ) {
#ifdef HAVE_LIBAUDIT
- char buf[64];
int audit_fd = audit_open();
- snprintf(buf, sizeof(buf), "pam_tally2 uid=all reset=0");
- audit_log_user_message(audit_fd, AUDIT_USER_ACCT,
- buf, NULL, NULL, ttyname(STDIN_FILENO), 1);
+ audit_log_acct_message(audit_fd, AUDIT_USER_MGMT, NULL,
+ "pam_tally2-reset-all-accts reset=0", "*", -1,
+ NULL, NULL, ttyname(STDIN_FILENO), 1);
if (audit_fd >=0)
close(audit_fd);
#endif


@ -1,21 +0,0 @@
diff -up Linux-PAM-1.1.8/modules/pam_selinux/pam_selinux.c.canonicalize Linux-PAM-1.1.8/modules/pam_selinux/pam_selinux.c
--- Linux-PAM-1.1.8/modules/pam_selinux/pam_selinux.c.canonicalize 2013-06-18 16:11:21.000000000 +0200
+++ Linux-PAM-1.1.8/modules/pam_selinux/pam_selinux.c 2014-03-06 12:03:54.429639972 +0100
@@ -491,12 +491,17 @@ compute_exec_context(pam_handle_t *pamh,
char *level = NULL;
security_context_t *contextlist = NULL;
int num_contexts = 0;
+ const struct passwd *pwd;
if (!(username = get_item(pamh, PAM_USER))) {
pam_syslog(pamh, LOG_ERR, "Cannot obtain the user name");
return PAM_USER_UNKNOWN;
}
+ if ((pwd = pam_modutil_getpwnam(pamh, username)) != NULL) {
+ username = pwd->pw_name;
+ } /* ignore error and keep using original username */
+
/* compute execute context */
#ifdef HAVE_GETSEUSER
if (!(service = get_item(pamh, PAM_SERVICE))) {


@ -1,108 +0,0 @@
diff -up Linux-PAM-1.1.8/modules/pam_console/Makefile.am.relro Linux-PAM-1.1.8/modules/pam_console/Makefile.am
--- Linux-PAM-1.1.8/modules/pam_console/Makefile.am.relro 2014-08-13 16:02:49.000000000 +0200
+++ Linux-PAM-1.1.8/modules/pam_console/Makefile.am 2014-09-10 17:14:33.245554314 +0200
@@ -33,6 +33,8 @@ pam_console_la_LIBADD = -L$(top_builddir
pam_console_apply_LDADD = -L$(top_builddir)/libpam -lpam
+pam_console_apply_LDFLAGS = -Wl,-z,now @PIE_LDFLAGS@
+
securelib_LTLIBRARIES = pam_console.la
sbin_PROGRAMS = pam_console_apply
@@ -47,7 +49,7 @@ pam_console_apply_SOURCES = pam_console_
configfile.c configfile.h hashtable.c hashtable.h hashtable_private.h
pam_console_la_CFLAGS = $(AM_CFLAGS)
-pam_console_apply_CFLAGS = $(AM_CFLAGS)
+pam_console_apply_CFLAGS = $(AM_CFLAGS) @PIE_CFLAGS@
configfile.tab.c: configfile.y
$(YACC) $(BISON_OPTS) -o $@ -p _pc_yy $<
diff -up Linux-PAM-1.1.8/modules/pam_faillock/Makefile.am.relro Linux-PAM-1.1.8/modules/pam_faillock/Makefile.am
--- Linux-PAM-1.1.8/modules/pam_faillock/Makefile.am.relro 2014-08-13 16:02:49.000000000 +0200
+++ Linux-PAM-1.1.8/modules/pam_faillock/Makefile.am 2014-09-10 17:16:11.102808189 +0200
@@ -19,7 +19,7 @@ secureconfdir = $(SCONFIGDIR)
noinst_HEADERS = faillock.h
-faillock_CFLAGS = -I$(top_srcdir)/libpam/include -I$(top_srcdir)/libpamc/include
+faillock_CFLAGS = -I$(top_srcdir)/libpam/include -I$(top_srcdir)/libpamc/include @PIE_CFLAGS@
pam_faillock_la_CFLAGS = -I$(top_srcdir)/libpam/include -I$(top_srcdir)/libpamc/include
pam_faillock_la_LDFLAGS = -no-undefined -avoid-version -module
@@ -28,6 +28,7 @@ if HAVE_VERSIONING
pam_faillock_la_LDFLAGS += -Wl,--version-script=$(srcdir)/../modules.map
endif
+faillock_LDFLAGS = -Wl,-z,now @PIE_LDFLAGS@
faillock_LDADD = -L$(top_builddir)/libpam -lpam $(LIBAUDIT)
securelib_LTLIBRARIES = pam_faillock.la
diff -up Linux-PAM-1.1.8/modules/pam_filter/upperLOWER/Makefile.am.relro Linux-PAM-1.1.8/modules/pam_filter/upperLOWER/Makefile.am
--- Linux-PAM-1.1.8/modules/pam_filter/upperLOWER/Makefile.am.relro 2014-09-10 17:17:20.273401344 +0200
+++ Linux-PAM-1.1.8/modules/pam_filter/upperLOWER/Makefile.am 2014-09-10 17:17:07.857115369 +0200
@@ -9,7 +9,7 @@ securelibfilterdir = $(SECUREDIR)/pam_fi
AM_CFLAGS = -I$(top_srcdir)/libpam/include -I$(top_srcdir)/libpamc/include \
-I$(srcdir)/.. @PIE_CFLAGS@
-AM_LDFLAGS = @PIE_LDFLAGS@
+AM_LDFLAGS = -Wl,-z,now @PIE_LDFLAGS@
LDADD = $(top_builddir)/libpam/libpam.la
securelibfilter_PROGRAMS = upperLOWER
diff -up Linux-PAM-1.1.8/modules/pam_mkhomedir/Makefile.am.relro Linux-PAM-1.1.8/modules/pam_mkhomedir/Makefile.am
--- Linux-PAM-1.1.8/modules/pam_mkhomedir/Makefile.am.relro 2013-06-18 16:11:21.000000000 +0200
+++ Linux-PAM-1.1.8/modules/pam_mkhomedir/Makefile.am 2014-09-10 17:18:42.922304935 +0200
@@ -30,6 +30,8 @@ endif
sbin_PROGRAMS = mkhomedir_helper
mkhomedir_helper_SOURCES = mkhomedir_helper.c
+mkhomedir_helper_CFLAGS = $(AM_CFLAGS) @PIE_CFLAGS@
+mkhomedir_helper_LDFLAGS = -Wl,-z,now @PIE_LDFLAGS@
mkhomedir_helper_LDADD = $(top_builddir)/libpam/libpam.la
if ENABLE_REGENERATE_MAN
diff -up Linux-PAM-1.1.8/modules/pam_tally2/Makefile.am.relro Linux-PAM-1.1.8/modules/pam_tally2/Makefile.am
--- Linux-PAM-1.1.8/modules/pam_tally2/Makefile.am.relro 2013-06-18 16:11:21.000000000 +0200
+++ Linux-PAM-1.1.8/modules/pam_tally2/Makefile.am 2014-09-10 17:22:04.339944040 +0200
@@ -26,6 +26,8 @@ if HAVE_VERSIONING
pam_tally2_la_LDFLAGS += -Wl,--version-script=$(srcdir)/../modules.map
endif
+pam_tally2_CFLAGS = $(AM_CFLAGS) @PIE_CFLAGS@
+pam_tally2_LDFLAGS = -Wl,-z,now @PIE_LDFLAGS@
pam_tally2_LDADD = $(top_builddir)/libpam/libpam.la $(LIBAUDIT)
securelib_LTLIBRARIES = pam_tally2.la
diff -up Linux-PAM-1.1.8/modules/pam_timestamp/Makefile.am.relro Linux-PAM-1.1.8/modules/pam_timestamp/Makefile.am
--- Linux-PAM-1.1.8/modules/pam_timestamp/Makefile.am.relro 2013-06-18 16:11:21.000000000 +0200
+++ Linux-PAM-1.1.8/modules/pam_timestamp/Makefile.am 2014-08-13 16:02:49.906688139 +0200
@@ -36,7 +36,7 @@ pam_timestamp_la_CFLAGS = $(AM_CFLAGS)
pam_timestamp_check_SOURCES = pam_timestamp_check.c
pam_timestamp_check_CFLAGS = $(AM_CFLAGS) @PIE_CFLAGS@
pam_timestamp_check_LDADD = $(top_builddir)/libpam/libpam.la
-pam_timestamp_check_LDFLAGS = @PIE_LDFLAGS@
+pam_timestamp_check_LDFLAGS = -Wl,-z,now @PIE_LDFLAGS@
hmacfile_SOURCES = hmacfile.c hmacsha1.c sha1.c
hmacfile_LDADD = $(top_builddir)/libpam/libpam.la
diff -up Linux-PAM-1.1.8/modules/pam_unix/Makefile.am.relro Linux-PAM-1.1.8/modules/pam_unix/Makefile.am
--- Linux-PAM-1.1.8/modules/pam_unix/Makefile.am.relro 2013-06-18 16:11:21.000000000 +0200
+++ Linux-PAM-1.1.8/modules/pam_unix/Makefile.am 2014-08-13 16:02:49.906688139 +0200
@@ -55,13 +55,13 @@ bigcrypt_LDADD = @LIBCRYPT@
unix_chkpwd_SOURCES = unix_chkpwd.c md5_good.c md5_broken.c bigcrypt.c \
passverify.c
unix_chkpwd_CFLAGS = $(AM_CFLAGS) @PIE_CFLAGS@ -DHELPER_COMPILE=\"unix_chkpwd\"
-unix_chkpwd_LDFLAGS = @PIE_LDFLAGS@
+unix_chkpwd_LDFLAGS = -Wl,-z,now @PIE_LDFLAGS@
unix_chkpwd_LDADD = @LIBCRYPT@ @LIBSELINUX@ @LIBAUDIT@
unix_update_SOURCES = unix_update.c md5_good.c md5_broken.c bigcrypt.c \
passverify.c
unix_update_CFLAGS = $(AM_CFLAGS) @PIE_CFLAGS@ -DHELPER_COMPILE=\"unix_update\"
-unix_update_LDFLAGS = @PIE_LDFLAGS@
+unix_update_LDFLAGS = -Wl,-z,now @PIE_LDFLAGS@
unix_update_LDADD = @LIBCRYPT@ @LIBSELINUX@
if ENABLE_REGENERATE_MAN


@ -1,37 +0,0 @@
diff -up Linux-PAM-1.1.8/modules/pam_lastlog/pam_lastlog.c.uninitialized Linux-PAM-1.1.8/modules/pam_lastlog/pam_lastlog.c
--- Linux-PAM-1.1.8/modules/pam_lastlog/pam_lastlog.c.uninitialized 2013-06-18 16:11:21.000000000 +0200
+++ Linux-PAM-1.1.8/modules/pam_lastlog/pam_lastlog.c 2014-08-25 16:44:24.365174752 +0200
@@ -350,6 +350,8 @@ last_login_write(pam_handle_t *pamh, int
return PAM_SERVICE_ERR;
}
+ memset(&last_login, 0, sizeof(last_login));
+
/* set this login date */
D(("set the most recent login time"));
(void) time(&ll_time); /* set the time */
@@ -364,14 +366,12 @@ last_login_write(pam_handle_t *pamh, int
}
/* copy to last_login */
- last_login.ll_host[0] = '\0';
strncat(last_login.ll_host, remote_host, sizeof(last_login.ll_host)-1);
/* set the terminal line */
terminal_line = get_tty(pamh);
/* copy to last_login */
- last_login.ll_line[0] = '\0';
strncat(last_login.ll_line, terminal_line, sizeof(last_login.ll_line)-1);
terminal_line = NULL;
@@ -628,7 +628,8 @@ pam_sm_authenticate(pam_handle_t *pamh,
lltime = (time(NULL) - lltime) / (24*60*60);
if (lltime > inactive_days) {
- pam_syslog(pamh, LOG_INFO, "user %s inactive for %d days - denied", user, lltime);
+ pam_syslog(pamh, LOG_INFO, "user %s inactive for %ld days - denied",
+ user, (long) lltime);
return PAM_AUTH_ERR;
}


@ -1,41 +0,0 @@
diff -up Linux-PAM-1.1.8/modules/pam_limits/pam_limits.c.check-process Linux-PAM-1.1.8/modules/pam_limits/pam_limits.c
--- Linux-PAM-1.1.8/modules/pam_limits/pam_limits.c.check-process 2013-06-18 16:11:21.000000000 +0200
+++ Linux-PAM-1.1.8/modules/pam_limits/pam_limits.c 2014-09-10 16:39:36.263256066 +0200
@@ -27,6 +27,7 @@
#include <errno.h>
#include <syslog.h>
#include <stdarg.h>
+#include <signal.h>
#include <sys/types.h>
#include <sys/stat.h>
#include <sys/resource.h>
@@ -269,16 +270,27 @@ check_logins (pam_handle_t *pamh, const
continue;
}
if (!pl->flag_numsyslogins) {
+ char user[sizeof(ut->UT_USER) + 1];
+ user[0] = '\0';
+ strncat(user, ut->UT_USER, sizeof(ut->UT_USER));
+
if (((pl->login_limit_def == LIMITS_DEF_USER)
|| (pl->login_limit_def == LIMITS_DEF_GROUP)
|| (pl->login_limit_def == LIMITS_DEF_DEFAULT))
- && strncmp(name, ut->UT_USER, sizeof(ut->UT_USER)) != 0) {
+ && strcmp(name, user) != 0) {
continue;
}
if ((pl->login_limit_def == LIMITS_DEF_ALLGROUP)
- && !pam_modutil_user_in_group_nam_nam(pamh, ut->UT_USER, pl->login_group)) {
+ && !pam_modutil_user_in_group_nam_nam(pamh, user, pl->login_group)) {
continue;
}
+ if (kill(ut->ut_pid, 0) == -1 && errno == ESRCH) {
+ /* process does not exist anymore */
+ pam_syslog(pamh, LOG_WARNING,
+ "Stale utmp entry (pid %d) for '%s' ignored",
+ ut->ut_pid, user);
+ continue;
+ }
}
if (++count > limit) {
break;


@ -1,54 +0,0 @@
diff -up Linux-PAM-1.1.8/modules/pam_limits/limits.conf.docfix Linux-PAM-1.1.8/modules/pam_limits/limits.conf
--- Linux-PAM-1.1.8/modules/pam_limits/limits.conf.docfix 2014-07-14 14:58:05.000000000 +0200
+++ Linux-PAM-1.1.8/modules/pam_limits/limits.conf 2014-09-10 16:42:51.254747161 +0200
@@ -32,7 +32,7 @@
# - data - max data size (KB)
# - fsize - maximum filesize (KB)
# - memlock - max locked-in-memory address space (KB)
-# - nofile - max number of open files
+# - nofile - max number of open file descriptors
# - rss - max resident set size (KB)
# - stack - max stack size (KB)
# - cpu - max CPU time (MIN)
diff -up Linux-PAM-1.1.8/modules/pam_limits/limits.conf.5.xml.docfix Linux-PAM-1.1.8/modules/pam_limits/limits.conf.5.xml
--- Linux-PAM-1.1.8/modules/pam_limits/limits.conf.5.xml.docfix 2013-06-18 16:11:21.000000000 +0200
+++ Linux-PAM-1.1.8/modules/pam_limits/limits.conf.5.xml 2014-09-10 16:44:01.624367933 +0200
@@ -178,7 +178,7 @@
<varlistentry>
<term><option>nofile</option></term>
<listitem>
- <para>maximum number of open files</para>
+ <para>maximum number of open file descriptors</para>
</listitem>
</varlistentry>
<varlistentry>
@@ -214,14 +214,17 @@
<varlistentry>
<term><option>maxlogins</option></term>
<listitem>
- <para>maximum number of logins for this user except
- for this with <emphasis>uid=0</emphasis></para>
+ <para>maximum number of logins for this user (this limit does
+ not apply to user with <emphasis>uid=0</emphasis>)</para>
</listitem>
</varlistentry>
<varlistentry>
<term><option>maxsyslogins</option></term>
<listitem>
- <para>maximum number of all logins on system</para>
+ <para>maximum number of all logins on system; user is not
+ allowed to log-in if total number of all users' logins is
+ greater than specified number (this limit does not apply to
+ user with <emphasis>uid=0</emphasis>)</para>
</listitem>
</varlistentry>
<varlistentry>
@@ -292,7 +295,7 @@
permanent; existing only for the duration of the session.
One exception is the <emphasis>maxlogin</emphasis> option, this one
is system wide. But there is a race, concurrent logins at the same
- time will not always be detect as such but only counted as one.
+ time will not always be detected as such but only counted as one.
</para>
<para>
In the <emphasis>limits</emphasis> configuration file, the


@ -1,151 +0,0 @@
diff -up Linux-PAM-1.1.8/modules/pam_loginuid/pam_loginuid.c.container Linux-PAM-1.1.8/modules/pam_loginuid/pam_loginuid.c
--- Linux-PAM-1.1.8/modules/pam_loginuid/pam_loginuid.c.container 2013-06-18 16:11:21.000000000 +0200
+++ Linux-PAM-1.1.8/modules/pam_loginuid/pam_loginuid.c 2014-01-27 17:24:53.000000000 +0100
@@ -47,25 +47,56 @@
/*
* This function writes the loginuid to the /proc system. It returns
- * 0 on success and 1 on failure.
+ * PAM_SUCCESS on success,
+ * PAM_IGNORE when /proc/self/loginuid does not exist,
+ * PAM_SESSION_ERR in case of any other error.
*/
static int set_loginuid(pam_handle_t *pamh, uid_t uid)
{
- int fd, count, rc = 0;
- char loginuid[24];
+ int fd, count, rc = PAM_SESSION_ERR;
+ char loginuid[24], buf[24];
+ static const char host_uid_map[] = " 0 0 4294967295\n";
+ char uid_map[sizeof(host_uid_map)];
+
+ /* loginuid in user namespaces currently isn't writable and in some
+ case, not even readable, so consider any failure as ignorable (but try
+ anyway, in case we hit a kernel which supports it). */
+ fd = open("/proc/self/uid_map", O_RDONLY);
+ if (fd >= 0) {
+ count = pam_modutil_read(fd, uid_map, sizeof(uid_map));
+ if (strncmp(uid_map, host_uid_map, count) != 0)
+ rc = PAM_IGNORE;
+ close(fd);
+ }
- count = snprintf(loginuid, sizeof(loginuid), "%lu", (unsigned long)uid);
- fd = open("/proc/self/loginuid", O_NOFOLLOW|O_WRONLY|O_TRUNC);
+ fd = open("/proc/self/loginuid", O_NOFOLLOW|O_RDWR);
if (fd < 0) {
- if (errno != ENOENT) {
- rc = 1;
- pam_syslog(pamh, LOG_ERR,
- "Cannot open /proc/self/loginuid: %m");
+ if (errno == ENOENT) {
+ rc = PAM_IGNORE;
+ }
+ if (rc != PAM_IGNORE) {
+ pam_syslog(pamh, LOG_ERR, "Cannot open %s: %m",
+ "/proc/self/loginuid");
}
return rc;
}
- if (pam_modutil_write(fd, loginuid, count) != count)
- rc = 1;
+
+ count = snprintf(loginuid, sizeof(loginuid), "%lu", (unsigned long)uid);
+ if (pam_modutil_read(fd, buf, sizeof(buf)) == count &&
+ memcmp(buf, loginuid, count) == 0) {
+ rc = PAM_SUCCESS;
+ goto done; /* already correct */
+ }
+ if (lseek(fd, 0, SEEK_SET) == 0 && ftruncate(fd, 0) == 0 &&
+ pam_modutil_write(fd, loginuid, count) == count) {
+ rc = PAM_SUCCESS;
+ } else {
+ if (rc != PAM_IGNORE) {
+ pam_syslog(pamh, LOG_ERR, "Error writing %s: %m",
+ "/proc/self/loginuid");
+ }
+ }
+ done:
close(fd);
return rc;
}
@@ -165,6 +196,7 @@ _pam_loginuid(pam_handle_t *pamh, int fl
{
const char *user = NULL;
struct passwd *pwd;
+ int ret;
#ifdef HAVE_LIBAUDIT
int require_auditd = 0;
#endif
@@ -183,9 +215,14 @@ _pam_loginuid(pam_handle_t *pamh, int fl
return PAM_SESSION_ERR;
}
- if (set_loginuid(pamh, pwd->pw_uid)) {
- pam_syslog(pamh, LOG_ERR, "set_loginuid failed\n");
- return PAM_SESSION_ERR;
+ ret = set_loginuid(pamh, pwd->pw_uid);
+ switch (ret) {
+ case PAM_SUCCESS:
+ case PAM_IGNORE:
+ break;
+ default:
+ pam_syslog(pamh, LOG_ERR, "set_loginuid failed");
+ return ret;
}
#ifdef HAVE_LIBAUDIT
@@ -195,11 +232,12 @@ _pam_loginuid(pam_handle_t *pamh, int fl
argv++;
}
- if (require_auditd)
- return check_auditd();
- else
+ if (require_auditd) {
+ int rc = check_auditd();
+ return rc != PAM_SUCCESS ? rc : ret;
+ } else
#endif
- return PAM_SUCCESS;
+ return ret;
}
/*
diff -up Linux-PAM-1.1.8/modules/pam_loginuid/pam_loginuid.8.xml.container Linux-PAM-1.1.8/modules/pam_loginuid/pam_loginuid.8.xml
--- Linux-PAM-1.1.8/modules/pam_loginuid/pam_loginuid.8.xml.container 2013-06-18 16:11:21.000000000 +0200
+++ Linux-PAM-1.1.8/modules/pam_loginuid/pam_loginuid.8.xml 2014-05-22 11:33:14.000000000 +0200
@@ -69,14 +69,31 @@
<para>
<variablelist>
<varlistentry>
+ <term>PAM_SUCCESS</term>
+ <listitem>
+ <para>
+ The loginuid value is set and auditd is running if check requested.
+ </para>
+ </listitem>
+ </varlistentry>
+ <varlistentry>
+ <term>PAM_IGNORE</term>
+ <listitem>
+ <para>
+ The /proc/self/loginuid file is not present on the system or the
+ login process runs inside uid namespace and kernel does not support
+ overwriting loginuid.
+ </para>
+ </listitem>
+ </varlistentry>
+ <varlistentry>
<term>PAM_SESSION_ERR</term>
<listitem>
<para>
- An error occurred during session management.
+ Any other error prevented setting loginuid or auditd is not running.
</para>
</listitem>
</varlistentry>
-
</variablelist>
</para>
</refsect1>


@ -1,22 +0,0 @@
diff -up Linux-PAM-1.1.8/modules/pam_userdb/pam_userdb.8.xml.dbsuffix Linux-PAM-1.1.8/modules/pam_userdb/pam_userdb.8.xml
--- Linux-PAM-1.1.8/modules/pam_userdb/pam_userdb.8.xml.dbsuffix 2013-06-18 16:11:21.000000000 +0200
+++ Linux-PAM-1.1.8/modules/pam_userdb/pam_userdb.8.xml 2014-09-10 16:28:19.916678273 +0200
@@ -89,7 +89,8 @@
Use the <filename>/path/database</filename> database for
performing lookup. There is no default; the module will
return <emphasis remap='B'>PAM_IGNORE</emphasis> if no
- database is provided.
+ database is provided. Note that the path to the database file
+ should be specified without the <filename>.db</filename> suffix.
</para>
</listitem>
</varlistentry>
@@ -260,7 +261,7 @@
<refsect1 id='pam_userdb-examples'>
<title>EXAMPLES</title>
<programlisting>
-auth sufficient pam_userdb.so icase db=/etc/dbtest.db
+auth sufficient pam_userdb.so icase db=/etc/dbtest
</programlisting>
</refsect1>


@ -1,50 +0,0 @@
diff --git a/modules/pam_pwhistory/opasswd.c b/modules/pam_pwhistory/opasswd.c
index 836d713..c36628e 100644
--- a/modules/pam_pwhistory/opasswd.c
+++ b/modules/pam_pwhistory/opasswd.c
@@ -82,10 +82,15 @@ parse_entry (char *line, opwd *data)
{
const char delimiters[] = ":";
char *endptr;
+ char *count;
data->user = strsep (&line, delimiters);
data->uid = strsep (&line, delimiters);
- data->count = strtol (strsep (&line, delimiters), &endptr, 10);
+ count = strsep (&line, delimiters);
+ if (data->user == NULL || data->uid == NULL || count == NULL)
+ return 1;
+
+ data->count = strtol (count, &endptr, 10);
if (endptr != NULL && *endptr != '\0')
return 1;
diff --git a/modules/pam_unix/passverify.c b/modules/pam_unix/passverify.c
index 4840bb2..7f7bc49 100644
--- a/modules/pam_unix/passverify.c
+++ b/modules/pam_unix/passverify.c
@@ -639,11 +639,23 @@ save_old_password(pam_handle_t *pamh, const char *forwho, const char *oldpass,
continue;
buf[strlen(buf) - 1] = '\0';
s_luser = strtok_r(buf, ":", &sptr);
+ if (s_luser == NULL) {
+ found = 0;
+ continue;
+ }
s_uid = strtok_r(NULL, ":", &sptr);
+ if (s_uid == NULL) {
+ found = 0;
+ continue;
+ }
s_npas = strtok_r(NULL, ":", &sptr);
+ if (s_npas == NULL) {
+ found = 0;
+ continue;
+ }
s_pas = strtok_r(NULL, ":", &sptr);
npas = strtol(s_npas, NULL, 10) + 1;
- while (npas > howmany) {
+ while (npas > howmany && s_pas != NULL) {
s_pas = strpbrk(s_pas, ",");
if (s_pas != NULL)
s_pas++;


@ -1,11 +0,0 @@
diff -ur Linux-PAM-1.1.8.old/modules/pam_console/Makefile.am Linux-PAM-1.1.8/modules/pam_console/Makefile.am
--- Linux-PAM-1.1.8.old/modules/pam_console/Makefile.am 2015-01-21 13:49:13.000000000 +0300
+++ Linux-PAM-1.1.8/modules/pam_console/Makefile.am 2015-01-21 13:54:33.000000000 +0300
@@ -51,6 +51,7 @@
pam_console_la_CFLAGS = $(AM_CFLAGS)
pam_console_apply_CFLAGS = $(AM_CFLAGS) @PIE_CFLAGS@
+configfile.tab.h: configfile.tab.c
configfile.tab.c: configfile.y
$(YACC) $(BISON_OPTS) -o $@ -p _pc_yy $<
sh $(srcdir)/sed-static $@


@ -0,0 +1,56 @@
--- Linux-PAM-1_2_0/libpam/pam_audit.c.omv~ 2015-06-11 17:17:49.768740173 +0200
+++ Linux-PAM-1_2_0/libpam/pam_audit.c 2015-06-11 17:18:27.654412940 +0200
@@ -70,9 +70,10 @@ _pam_audit_open(pam_handle_t *pamh)
audit_fd = audit_open();
if (audit_fd < 0) {
/* You get these error codes only when the kernel doesn't have
- * audit compiled in. */
+ * audit compiled in. EPERM happens when running inside a container
+ * (e.g. systemd-nspawn, docker) */
if (errno == EINVAL || errno == EPROTONOSUPPORT ||
- errno == EAFNOSUPPORT)
+ errno == EAFNOSUPPORT || errno == EPERM)
return -2;
/* this should only fail in case of extreme resource shortage,
--- Linux-PAM-1_2_0/modules/pam_loginuid/pam_loginuid.c.omv~ 2015-06-11 17:19:12.543025498 +0200
+++ Linux-PAM-1_2_0/modules/pam_loginuid/pam_loginuid.c 2015-06-11 17:19:44.274751787 +0200
@@ -117,9 +117,10 @@ static int check_auditd(void)
/* This is here to let people that build their own kernel
and disable the audit system get in. You get these error
codes only when the kernel doesn't have audit
- compiled in. */
+ compiled in. EPERM is when running inside systemd-nspawn
+ or docker. */
if (errno == EINVAL || errno == EPROTONOSUPPORT ||
- errno == EAFNOSUPPORT)
+ errno == EAFNOSUPPORT || errno == EPERM)
return PAM_SUCCESS;
return PAM_SESSION_ERR;
}
--- Linux-PAM-1_2_0/modules/pam_tally2/pam_tally2.c.omv~ 2015-06-11 17:18:49.540224003 +0200
+++ Linux-PAM-1_2_0/modules/pam_tally2/pam_tally2.c 2015-06-11 17:19:05.000090583 +0200
@@ -517,7 +517,7 @@ tally_check (tally_t oldcnt, time_t oldt
audit_fd = audit_open();
/* If there is an error & audit support is in the kernel report error */
if ((audit_fd < 0) && !(errno == EINVAL || errno == EPROTONOSUPPORT ||
- errno == EAFNOSUPPORT))
+ errno == EAFNOSUPPORT || errno == EPERM))
return PAM_SYSTEM_ERR;
(void)pam_get_item(pamh, PAM_TTY, &tty);
(void)pam_get_item(pamh, PAM_RHOST, &rhost);
--- Linux-PAM-1_2_0/modules/pam_unix/unix_chkpwd.c.omv~ 2015-06-11 17:20:06.152563149 +0200
+++ Linux-PAM-1_2_0/modules/pam_unix/unix_chkpwd.c 2015-06-11 17:20:29.964357904 +0200
@@ -66,9 +66,10 @@ static int _audit_log(int type, const ch
audit_fd = audit_open();
if (audit_fd < 0) {
/* You get these error codes only when the kernel doesn't have
- * audit compiled in. */
+ * audit compiled in. EPERM is when running inside docker or
+ * systemd-nspawn. */
if (errno == EINVAL || errno == EPROTONOSUPPORT ||
- errno == EAFNOSUPPORT)
+ errno == EAFNOSUPPORT || errno == EPERM)
return PAM_SUCCESS;
helper_log_err(LOG_CRIT, "audit_open() failed: %m");
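Review bot: Folding EPERM into the "kernel has no audit support" branch in _pam_audit_open, check_auditd, tally_check and _audit_log makes an audit socket that is denied indistinguishable from a kernel built without audit, so a host where audit is present but this process is refused the socket (the hunk comment names containers; presumably seccomp or other policy can produce the same errno) now continues with -2 / PAM_SUCCESS and leaves no record that auditing was skipped. In pam_loginuid this also satisfies the require_auditd option, which is the setting administrators use precisely to refuse logins that cannot be audited, so that control is silently bypassed in the EPERM case. At minimum the EPERM path should be observable where a logger is in scope: in _pam_audit_open, before `return -2;`, add `pam_syslog(pamh, LOG_NOTICE, "audit_open() failed: %m, continuing without audit");`, and the equivalent helper_log_err call in unix_chkpwd's _audit_log. All four enclosing functions continue outside their hunks.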


@ -1,18 +1,7 @@
diff -up Linux-PAM-1.0.90/modules/Makefile.am.redhat-modules Linux-PAM-1.0.90/modules/Makefile.am diff -up Linux-PAM-1.2.0/configure.ac.redhat-modules Linux-PAM-1.2.0/configure.ac
--- Linux-PAM-1.0.90/modules/Makefile.am.redhat-modules 2008-11-29 08:27:35.000000000 +0100 --- Linux-PAM-1.2.0/configure.ac.redhat-modules 2015-03-25 16:50:10.000000000 +0100
+++ Linux-PAM-1.0.90/modules/Makefile.am 2008-12-16 13:40:16.000000000 +0100 +++ Linux-PAM-1.2.0/configure.ac 2015-05-15 15:46:50.996074677 +0200
@@ -3,6 +3,7 @@ @@ -616,6 +616,8 @@ AC_CONFIG_FILES([Makefile libpam/Makefil
#
SUBDIRS = pam_access pam_cracklib pam_debug pam_deny pam_echo \
+ pam_chroot pam_console pam_postgresok \
pam_env pam_exec pam_faildelay pam_filter pam_ftp \
pam_group pam_issue pam_keyinit pam_lastlog pam_limits \
pam_listfile pam_localuser pam_loginuid pam_mail \
diff -up Linux-PAM-1.0.90/configure.in.redhat-modules Linux-PAM-1.0.90/configure.in
--- Linux-PAM-1.0.90/configure.in.redhat-modules 2008-12-02 16:25:01.000000000 +0100
+++ Linux-PAM-1.0.90/configure.in 2008-12-16 13:39:11.000000000 +0100
@@ -531,6 +531,8 @@ AC_CONFIG_FILES([Makefile libpam/Makefil
libpam_misc/Makefile conf/Makefile conf/pam_conv1/Makefile \ libpam_misc/Makefile conf/Makefile conf/pam_conv1/Makefile \
po/Makefile.in \ po/Makefile.in \
modules/Makefile \ modules/Makefile \
@ -21,3 +10,14 @@ diff -up Linux-PAM-1.0.90/configure.in.redhat-modules Linux-PAM-1.0.90/configure
modules/pam_access/Makefile modules/pam_cracklib/Makefile \ modules/pam_access/Makefile modules/pam_cracklib/Makefile \
modules/pam_debug/Makefile modules/pam_deny/Makefile \ modules/pam_debug/Makefile modules/pam_deny/Makefile \
modules/pam_echo/Makefile modules/pam_env/Makefile \ modules/pam_echo/Makefile modules/pam_env/Makefile \
diff -up Linux-PAM-1.2.0/modules/Makefile.am.redhat-modules Linux-PAM-1.2.0/modules/Makefile.am
--- Linux-PAM-1.2.0/modules/Makefile.am.redhat-modules 2015-03-24 13:02:32.000000000 +0100
+++ Linux-PAM-1.2.0/modules/Makefile.am 2015-05-15 15:46:50.995074654 +0200
@@ -3,6 +3,7 @@
#
SUBDIRS = pam_access pam_cracklib pam_debug pam_deny pam_echo \
+ pam_chroot pam_console pam_postgresok \
pam_env pam_exec pam_faildelay pam_filter pam_ftp \
pam_group pam_issue pam_keyinit pam_lastlog pam_limits \
pam_listfile pam_localuser pam_loginuid pam_mail \


@ -0,0 +1,73 @@
diff -up Linux-PAM-1.2.0/modules/pam_unix/pam_unix.8.xml.no-fallback Linux-PAM-1.2.0/modules/pam_unix/pam_unix.8.xml
--- Linux-PAM-1.2.0/modules/pam_unix/pam_unix.8.xml.no-fallback 2015-04-27 16:38:03.000000000 +0200
+++ Linux-PAM-1.2.0/modules/pam_unix/pam_unix.8.xml 2015-05-15 15:54:21.524440864 +0200
@@ -284,11 +284,10 @@
<listitem>
<para>
When a user changes their password next,
- encrypt it with the SHA256 algorithm. If the
- SHA256 algorithm is not known to the <citerefentry>
+ encrypt it with the SHA256 algorithm. The
+ SHA256 algorithm must be supported by the <citerefentry>
<refentrytitle>crypt</refentrytitle><manvolnum>3</manvolnum>
- </citerefentry> function,
- fall back to MD5.
+ </citerefentry> function.
</para>
</listitem>
</varlistentry>
@@ -299,11 +298,10 @@
<listitem>
<para>
When a user changes their password next,
- encrypt it with the SHA512 algorithm. If the
- SHA512 algorithm is not known to the <citerefentry>
+ encrypt it with the SHA512 algorithm. The
+ SHA512 algorithm must be supported by the <citerefentry>
<refentrytitle>crypt</refentrytitle><manvolnum>3</manvolnum>
- </citerefentry> function,
- fall back to MD5.
+ </citerefentry> function.
</para>
</listitem>
</varlistentry>
@@ -314,11 +312,10 @@
<listitem>
<para>
When a user changes their password next,
- encrypt it with the blowfish algorithm. If the
- blowfish algorithm is not known to the <citerefentry>
+ encrypt it with the blowfish algorithm. The
+ blowfish algorithm must be supported by the <citerefentry>
<refentrytitle>crypt</refentrytitle><manvolnum>3</manvolnum>
- </citerefentry> function,
- fall back to MD5.
+ </citerefentry> function.
</para>
</listitem>
</varlistentry>
diff -up Linux-PAM-1.2.0/modules/pam_unix/passverify.c.no-fallback Linux-PAM-1.2.0/modules/pam_unix/passverify.c
--- Linux-PAM-1.2.0/modules/pam_unix/passverify.c.no-fallback 2015-05-15 15:54:21.525440887 +0200
+++ Linux-PAM-1.2.0/modules/pam_unix/passverify.c 2015-05-15 15:57:23.138613273 +0200
@@ -437,10 +437,9 @@ PAMH_ARG_DECL(char * create_password_has
sp = crypt(password, salt);
#endif
if (!sp || strncmp(algoid, sp, strlen(algoid)) != 0) {
- /* libxcrypt/libc doesn't know the algorithm, use MD5 */
+ /* libxcrypt/libc doesn't know the algorithm, error out */
pam_syslog(pamh, LOG_ERR,
- "Algo %s not supported by the crypto backend, "
- "falling back to MD5\n",
+ "Algo %s not supported by the crypto backend.\n",
on(UNIX_BLOWFISH_PASS, ctrl) ? "blowfish" :
on(UNIX_SHA256_PASS, ctrl) ? "sha256" :
on(UNIX_SHA512_PASS, ctrl) ? "sha512" : algoid);
@@ -450,7 +449,7 @@ PAMH_ARG_DECL(char * create_password_has
#ifdef HAVE_CRYPT_R
free(cdata);
#endif
- return crypt_md5_wrapper(password);
+ return NULL;
}
sp = x_strdup(sp);
#ifdef HAVE_CRYPT_R
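Review bot: The new `return NULL;` in create_password_hash turns the former silent MD5 downgrade into a hard failure, which is the right direction, but the hunk does not show the callers, so it needs confirming that every caller treats a NULL hash as an error (e.g. returns a PAM error) rather than handing it to strcmp/strdup or writing it into the password entry; otherwise a misconfigured sha256/sha512/blowfish option moves from a weak hash to a crash or an empty field. The changed syslog text still ends in a newline, `"Algo %s not supported by the crypto backend.\n"`; pam_syslog does not need it and the other messages on this page omit it, so drop the `\n`. The updated comment `/* libxcrypt/libc doesn't know the algorithm, error out */` reads well. The enclosing function starts and ends outside the hunk.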


@ -1,7 +1,7 @@
diff -up Linux-PAM-1.1.1/configure.in.faillock Linux-PAM-1.1.1/configure.in diff -up Linux-PAM-1.2.1/configure.ac.faillock Linux-PAM-1.2.1/configure.ac
--- Linux-PAM-1.1.1/configure.in.faillock 2010-10-20 15:46:34.000000000 +0200 --- Linux-PAM-1.2.1/configure.ac.faillock 2015-06-25 10:42:21.477374752 +0200
+++ Linux-PAM-1.1.1/configure.in 2011-01-25 18:24:43.000000000 +0100 +++ Linux-PAM-1.2.1/configure.ac 2015-06-25 10:42:21.501375246 +0200
@@ -539,7 +539,7 @@ AC_CONFIG_FILES([Makefile libpam/Makefil @@ -621,7 +621,7 @@ AC_CONFIG_FILES([Makefile libpam/Makefil
modules/pam_access/Makefile modules/pam_cracklib/Makefile \ modules/pam_access/Makefile modules/pam_cracklib/Makefile \
modules/pam_debug/Makefile modules/pam_deny/Makefile \ modules/pam_debug/Makefile modules/pam_deny/Makefile \
modules/pam_echo/Makefile modules/pam_env/Makefile \ modules/pam_echo/Makefile modules/pam_env/Makefile \
@ -10,9 +10,9 @@ diff -up Linux-PAM-1.1.1/configure.in.faillock Linux-PAM-1.1.1/configure.in
modules/pam_filter/Makefile modules/pam_filter/upperLOWER/Makefile \ modules/pam_filter/Makefile modules/pam_filter/upperLOWER/Makefile \
modules/pam_ftp/Makefile modules/pam_group/Makefile \ modules/pam_ftp/Makefile modules/pam_group/Makefile \
modules/pam_issue/Makefile modules/pam_keyinit/Makefile \ modules/pam_issue/Makefile modules/pam_keyinit/Makefile \
diff -up Linux-PAM-1.1.1/doc/sag/pam_faillock.xml.faillock Linux-PAM-1.1.1/doc/sag/pam_faillock.xml diff -up Linux-PAM-1.2.1/doc/sag/pam_faillock.xml.faillock Linux-PAM-1.2.1/doc/sag/pam_faillock.xml
--- Linux-PAM-1.1.1/doc/sag/pam_faillock.xml.faillock 2011-01-25 18:24:43.000000000 +0100 --- Linux-PAM-1.2.1/doc/sag/pam_faillock.xml.faillock 2015-06-25 10:42:21.482374855 +0200
+++ Linux-PAM-1.1.1/doc/sag/pam_faillock.xml 2011-01-25 18:24:43.000000000 +0100 +++ Linux-PAM-1.2.1/doc/sag/pam_faillock.xml 2015-06-25 10:42:21.482374855 +0200
@@ -0,0 +1,38 @@ @@ -0,0 +1,38 @@
+<?xml version='1.0' encoding='UTF-8'?> +<?xml version='1.0' encoding='UTF-8'?>
+<!DOCTYPE section PUBLIC "-//OASIS//DTD DocBook XML V4.4//EN" +<!DOCTYPE section PUBLIC "-//OASIS//DTD DocBook XML V4.4//EN"
@ -52,9 +52,9 @@ diff -up Linux-PAM-1.1.1/doc/sag/pam_faillock.xml.faillock Linux-PAM-1.1.1/doc/s
+ href="../../modules/pam_faillock/pam_faillock.8.xml" xpointer='xpointer(//refsect1[@id = "pam_faillock-author"]/*)'/> + href="../../modules/pam_faillock/pam_faillock.8.xml" xpointer='xpointer(//refsect1[@id = "pam_faillock-author"]/*)'/>
+ </section> + </section>
+</section> +</section>
diff -up Linux-PAM-1.1.1/modules/Makefile.am.faillock Linux-PAM-1.1.1/modules/Makefile.am diff -up Linux-PAM-1.2.1/modules/Makefile.am.faillock Linux-PAM-1.2.1/modules/Makefile.am
--- Linux-PAM-1.1.1/modules/Makefile.am.faillock 2010-10-20 15:46:34.000000000 +0200 --- Linux-PAM-1.2.1/modules/Makefile.am.faillock 2015-06-25 10:42:21.480374814 +0200
+++ Linux-PAM-1.1.1/modules/Makefile.am 2011-01-25 18:24:43.000000000 +0100 +++ Linux-PAM-1.2.1/modules/Makefile.am 2015-06-25 10:42:21.482374855 +0200
@@ -3,7 +3,7 @@ @@ -3,7 +3,7 @@
# #
@ -64,9 +64,9 @@ diff -up Linux-PAM-1.1.1/modules/Makefile.am.faillock Linux-PAM-1.1.1/modules/Ma
pam_env pam_exec pam_faildelay pam_filter pam_ftp \ pam_env pam_exec pam_faildelay pam_filter pam_ftp \
pam_group pam_issue pam_keyinit pam_lastlog pam_limits \ pam_group pam_issue pam_keyinit pam_lastlog pam_limits \
pam_listfile pam_localuser pam_loginuid pam_mail \ pam_listfile pam_localuser pam_loginuid pam_mail \
diff -up Linux-PAM-1.1.1/modules/pam_faillock/faillock.c.faillock Linux-PAM-1.1.1/modules/pam_faillock/faillock.c diff -up Linux-PAM-1.2.1/modules/pam_faillock/faillock.c.faillock Linux-PAM-1.2.1/modules/pam_faillock/faillock.c
--- Linux-PAM-1.1.1/modules/pam_faillock/faillock.c.faillock 2011-01-25 18:24:43.000000000 +0100 --- Linux-PAM-1.2.1/modules/pam_faillock/faillock.c.faillock 2015-06-25 10:42:21.482374855 +0200
+++ Linux-PAM-1.1.1/modules/pam_faillock/faillock.c 2011-01-25 18:24:56.000000000 +0100 +++ Linux-PAM-1.2.1/modules/pam_faillock/faillock.c 2015-06-25 10:42:21.482374855 +0200
@@ -0,0 +1,158 @@ @@ -0,0 +1,158 @@
+/* +/*
+ * Copyright (c) 2010 Tomas Mraz <tmraz@redhat.com> + * Copyright (c) 2010 Tomas Mraz <tmraz@redhat.com>
@ -226,9 +226,9 @@ diff -up Linux-PAM-1.1.1/modules/pam_faillock/faillock.c.faillock Linux-PAM-1.1.
+ +
+ return 0; + return 0;
+} +}
diff -up Linux-PAM-1.1.1/modules/pam_faillock/faillock.h.faillock Linux-PAM-1.1.1/modules/pam_faillock/faillock.h diff -up Linux-PAM-1.2.1/modules/pam_faillock/faillock.h.faillock Linux-PAM-1.2.1/modules/pam_faillock/faillock.h
--- Linux-PAM-1.1.1/modules/pam_faillock/faillock.h.faillock 2011-01-25 18:24:43.000000000 +0100 --- Linux-PAM-1.2.1/modules/pam_faillock/faillock.h.faillock 2015-06-25 10:42:21.482374855 +0200
+++ Linux-PAM-1.1.1/modules/pam_faillock/faillock.h 2011-01-25 18:24:56.000000000 +0100 +++ Linux-PAM-1.2.1/modules/pam_faillock/faillock.h 2015-06-25 10:42:21.482374855 +0200
@@ -0,0 +1,73 @@ @@ -0,0 +1,73 @@
+/* +/*
+ * Copyright (c) 2010 Tomas Mraz <tmraz@redhat.com> + * Copyright (c) 2010 Tomas Mraz <tmraz@redhat.com>
@ -303,9 +303,9 @@ diff -up Linux-PAM-1.1.1/modules/pam_faillock/faillock.h.faillock Linux-PAM-1.1.
+int update_tally(int fd, struct tally_data *tallies); +int update_tally(int fd, struct tally_data *tallies);
+#endif +#endif
+ +
diff -up Linux-PAM-1.1.1/modules/pam_faillock/faillock.8.xml.faillock Linux-PAM-1.1.1/modules/pam_faillock/faillock.8.xml diff -up Linux-PAM-1.2.1/modules/pam_faillock/faillock.8.xml.faillock Linux-PAM-1.2.1/modules/pam_faillock/faillock.8.xml
--- Linux-PAM-1.1.1/modules/pam_faillock/faillock.8.xml.faillock 2011-01-25 18:24:43.000000000 +0100 --- Linux-PAM-1.2.1/modules/pam_faillock/faillock.8.xml.faillock 2015-06-25 10:42:21.482374855 +0200
+++ Linux-PAM-1.1.1/modules/pam_faillock/faillock.8.xml 2011-01-25 18:24:43.000000000 +0100 +++ Linux-PAM-1.2.1/modules/pam_faillock/faillock.8.xml 2015-06-25 10:42:21.482374855 +0200
@@ -0,0 +1,123 @@ @@ -0,0 +1,123 @@
+<?xml version="1.0" encoding='UTF-8'?> +<?xml version="1.0" encoding='UTF-8'?>
+<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.3//EN" +<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.3//EN"
@ -430,10 +430,10 @@ diff -up Linux-PAM-1.1.1/modules/pam_faillock/faillock.8.xml.faillock Linux-PAM-
+ </refsect1> + </refsect1>
+ +
+</refentry> +</refentry>
diff -up Linux-PAM-1.1.1/modules/pam_faillock/main.c.faillock Linux-PAM-1.1.1/modules/pam_faillock/main.c diff -up Linux-PAM-1.2.1/modules/pam_faillock/main.c.faillock Linux-PAM-1.2.1/modules/pam_faillock/main.c
--- Linux-PAM-1.1.1/modules/pam_faillock/main.c.faillock 2011-01-25 18:24:43.000000000 +0100 --- Linux-PAM-1.2.1/modules/pam_faillock/main.c.faillock 2015-06-25 10:42:21.482374855 +0200
+++ Linux-PAM-1.1.1/modules/pam_faillock/main.c 2011-01-25 18:24:56.000000000 +0100 +++ Linux-PAM-1.2.1/modules/pam_faillock/main.c 2015-06-25 10:42:21.503375287 +0200
@@ -0,0 +1,235 @@ @@ -0,0 +1,232 @@
+/* +/*
+ * Copyright (c) 2010 Tomas Mraz <tmraz@redhat.com> + * Copyright (c) 2010 Tomas Mraz <tmraz@redhat.com>
+ * + *
@ -563,7 +563,6 @@ diff -up Linux-PAM-1.1.1/modules/pam_faillock/main.c.faillock Linux-PAM-1.1.1/mo
+ } + }
+ if (opts->reset) { + if (opts->reset) {
+#ifdef HAVE_LIBAUDIT +#ifdef HAVE_LIBAUDIT
+ char buf[64];
+ int audit_fd; + int audit_fd;
+#endif +#endif
+ +
@ -577,10 +576,8 @@ diff -up Linux-PAM-1.1.1/modules/pam_faillock/main.c.faillock Linux-PAM-1.1.1/mo
+ if ((audit_fd=audit_open()) >= 0) { + if ((audit_fd=audit_open()) >= 0) {
+ +
+ if (pwd != NULL) { + if (pwd != NULL) {
+ snprintf(buf, sizeof(buf), "faillock reset uid=%u", + audit_log_acct_message(audit_fd, AUDIT_USER_MGMT, NULL,
+ pwd->pw_uid); + "faillock-reset", NULL, pwd->pw_uid, NULL, NULL, NULL, rv == 0);
+ audit_log_user_message(audit_fd, AUDIT_USER_ACCT,
+ buf, NULL, NULL, NULL, rv == 0);
+ } + }
+ close(audit_fd); + close(audit_fd);
+ } + }
@ -669,10 +666,10 @@ diff -up Linux-PAM-1.1.1/modules/pam_faillock/main.c.faillock Linux-PAM-1.1.1/mo
+ return do_user(&opts, opts.user); + return do_user(&opts, opts.user);
+} +}
+ +
diff -up Linux-PAM-1.1.1/modules/pam_faillock/Makefile.am.faillock Linux-PAM-1.1.1/modules/pam_faillock/Makefile.am diff -up Linux-PAM-1.2.1/modules/pam_faillock/Makefile.am.faillock Linux-PAM-1.2.1/modules/pam_faillock/Makefile.am
--- Linux-PAM-1.1.1/modules/pam_faillock/Makefile.am.faillock 2011-01-25 18:24:43.000000000 +0100 --- Linux-PAM-1.2.1/modules/pam_faillock/Makefile.am.faillock 2015-06-25 10:42:21.482374855 +0200
+++ Linux-PAM-1.1.1/modules/pam_faillock/Makefile.am 2011-01-25 18:24:43.000000000 +0100 +++ Linux-PAM-1.2.1/modules/pam_faillock/Makefile.am 2015-06-25 10:42:21.494375102 +0200
@@ -0,0 +1,43 @@ @@ -0,0 +1,44 @@
+# +#
+# Copyright (c) 2005, 2006, 2007, 2009 Thorsten Kukuk <kukuk@thkukuk.de> +# Copyright (c) 2005, 2006, 2007, 2009 Thorsten Kukuk <kukuk@thkukuk.de>
+# Copyright (c) 2008 Red Hat, Inc. +# Copyright (c) 2008 Red Hat, Inc.
@ -694,7 +691,7 @@ diff -up Linux-PAM-1.1.1/modules/pam_faillock/Makefile.am.faillock Linux-PAM-1.1
+ +
+noinst_HEADERS = faillock.h +noinst_HEADERS = faillock.h
+ +
+faillock_CFLAGS = -I$(top_srcdir)/libpam/include -I$(top_srcdir)/libpamc/include +faillock_CFLAGS = -I$(top_srcdir)/libpam/include -I$(top_srcdir)/libpamc/include @PIE_CFLAGS@
+pam_faillock_la_CFLAGS = -I$(top_srcdir)/libpam/include -I$(top_srcdir)/libpamc/include +pam_faillock_la_CFLAGS = -I$(top_srcdir)/libpam/include -I$(top_srcdir)/libpamc/include
+ +
+pam_faillock_la_LDFLAGS = -no-undefined -avoid-version -module +pam_faillock_la_LDFLAGS = -no-undefined -avoid-version -module
@ -703,6 +700,7 @@ diff -up Linux-PAM-1.1.1/modules/pam_faillock/Makefile.am.faillock Linux-PAM-1.1
+ pam_faillock_la_LDFLAGS += -Wl,--version-script=$(srcdir)/../modules.map + pam_faillock_la_LDFLAGS += -Wl,--version-script=$(srcdir)/../modules.map
+endif +endif
+ +
+faillock_LDFLAGS = -Wl,-z,now @PIE_LDFLAGS@
+faillock_LDADD = -L$(top_builddir)/libpam -lpam $(LIBAUDIT) +faillock_LDADD = -L$(top_builddir)/libpam -lpam $(LIBAUDIT)
+ +
+securelib_LTLIBRARIES = pam_faillock.la +securelib_LTLIBRARIES = pam_faillock.la
@ -716,10 +714,10 @@ diff -up Linux-PAM-1.1.1/modules/pam_faillock/Makefile.am.faillock Linux-PAM-1.1
+README: pam_faillock.8.xml +README: pam_faillock.8.xml
+-include $(top_srcdir)/Make.xml.rules +-include $(top_srcdir)/Make.xml.rules
+endif +endif
diff -up Linux-PAM-1.1.1/modules/pam_faillock/pam_faillock.c.faillock Linux-PAM-1.1.1/modules/pam_faillock/pam_faillock.c diff -up Linux-PAM-1.2.1/modules/pam_faillock/pam_faillock.c.faillock Linux-PAM-1.2.1/modules/pam_faillock/pam_faillock.c
--- Linux-PAM-1.1.1/modules/pam_faillock/pam_faillock.c.faillock 2011-01-25 18:24:43.000000000 +0100 --- Linux-PAM-1.2.1/modules/pam_faillock/pam_faillock.c.faillock 2015-06-25 10:42:21.483374875 +0200
+++ Linux-PAM-1.1.1/modules/pam_faillock/pam_faillock.c 2011-01-25 18:24:56.000000000 +0100 +++ Linux-PAM-1.2.1/modules/pam_faillock/pam_faillock.c 2015-10-16 14:07:38.451616869 +0200
@@ -0,0 +1,556 @@ @@ -0,0 +1,571 @@
+/* +/*
+ * Copyright (c) 2010 Tomas Mraz <tmraz@redhat.com> + * Copyright (c) 2010 Tomas Mraz <tmraz@redhat.com>
+ * + *
@ -847,17 +845,26 @@ diff -up Linux-PAM-1.1.1/modules/pam_faillock/pam_faillock.c.faillock Linux-PAM-
+ } + }
+ else if (strncmp(argv[i], "unlock_time=", 12) == 0) { + else if (strncmp(argv[i], "unlock_time=", 12) == 0) {
+ unsigned int temp; + unsigned int temp;
+ if (sscanf(argv[i]+12, "%u", &temp) != 1 || +
+ if (strcmp(argv[i]+12, "never") == 0) {
+ opts->unlock_time = 0;
+ }
+ else if (sscanf(argv[i]+12, "%u", &temp) != 1 ||
+ temp > MAX_TIME_INTERVAL) { + temp > MAX_TIME_INTERVAL) {
+ pam_syslog(pamh, LOG_ERR, + pam_syslog(pamh, LOG_ERR,
+ "Bad number supplied for unlock_time argument"); + "Bad number supplied for unlock_time argument");
+ } else { + }
+ else {
+ opts->unlock_time = temp; + opts->unlock_time = temp;
+ } + }
+ } + }
+ else if (strncmp(argv[i], "root_unlock_time=", 17) == 0) { + else if (strncmp(argv[i], "root_unlock_time=", 17) == 0) {
+ unsigned int temp; + unsigned int temp;
+ if (sscanf(argv[i]+17, "%u", &temp) != 1 || +
+ if (strcmp(argv[i]+17, "never") == 0) {
+ opts->root_unlock_time = 0;
+ }
+ else if (sscanf(argv[i]+17, "%u", &temp) != 1 ||
+ temp > MAX_TIME_INTERVAL) { + temp > MAX_TIME_INTERVAL) {
+ pam_syslog(pamh, LOG_ERR, + pam_syslog(pamh, LOG_ERR,
+ "Bad number supplied for root_unlock_time argument"); + "Bad number supplied for root_unlock_time argument");
@ -980,8 +987,8 @@ diff -up Linux-PAM-1.1.1/modules/pam_faillock/pam_faillock.c.faillock Linux-PAM-
+ } + }
+ +
+ if (opts->deny && failures >= opts->deny) { + if (opts->deny && failures >= opts->deny) {
+ if ((opts->uid && latest_time + opts->unlock_time < opts->now) || + if ((opts->uid && opts->unlock_time && latest_time + opts->unlock_time < opts->now) ||
+ (!opts->uid && latest_time + opts->root_unlock_time < opts->now)) { + (!opts->uid && opts->root_unlock_time && latest_time + opts->root_unlock_time < opts->now)) {
+#ifdef HAVE_LIBAUDIT +#ifdef HAVE_LIBAUDIT
+ if (opts->action != FAILLOCK_ACTION_PREAUTH) { /* do not audit in preauth */ + if (opts->action != FAILLOCK_ACTION_PREAUTH) { /* do not audit in preauth */
+ char buf[64]; + char buf[64];
@ -1145,12 +1152,18 @@ diff -up Linux-PAM-1.1.1/modules/pam_faillock/pam_faillock.c.faillock Linux-PAM-
+ left = opts->latest_time + opts->root_unlock_time - opts->now; + left = opts->latest_time + opts->root_unlock_time - opts->now;
+ } + }
+ +
+ left /= 60; /* minutes */ + if (left > 0) {
+ left = (left + 59)/60; /* minutes */
+ +
+ pam_info(pamh, _("Account temporarily locked due to %d failed logins"), + pam_info(pamh, _("Account temporarily locked due to %d failed logins"),
+ opts->failures); + opts->failures);
+ pam_info(pamh, _("(%d minutes left to unlock)"), (int)left); + pam_info(pamh, _("(%d minutes left to unlock)"), (int)left);
+ } + }
+ else {
+ pam_info(pamh, _("Account locked due to %d failed logins"),
+ opts->failures);
+ }
+ }
+} +}
+ +
+static void +static void
@ -1276,10 +1289,10 @@ diff -up Linux-PAM-1.1.1/modules/pam_faillock/pam_faillock.c.faillock Linux-PAM-
+ +
+#endif /* #ifdef PAM_STATIC */ +#endif /* #ifdef PAM_STATIC */
+ +
diff -up Linux-PAM-1.1.1/modules/pam_faillock/pam_faillock.8.xml.faillock Linux-PAM-1.1.1/modules/pam_faillock/pam_faillock.8.xml diff -up Linux-PAM-1.2.1/modules/pam_faillock/pam_faillock.8.xml.faillock Linux-PAM-1.2.1/modules/pam_faillock/pam_faillock.8.xml
--- Linux-PAM-1.1.1/modules/pam_faillock/pam_faillock.8.xml.faillock 2011-01-25 18:24:43.000000000 +0100 --- Linux-PAM-1.2.1/modules/pam_faillock/pam_faillock.8.xml.faillock 2016-04-04 16:37:38.696260359 +0200
+++ Linux-PAM-1.1.1/modules/pam_faillock/pam_faillock.8.xml 2011-01-25 18:24:56.000000000 +0100 +++ Linux-PAM-1.2.1/modules/pam_faillock/pam_faillock.8.xml 2016-04-28 17:09:04.679596165 +0200
@@ -0,0 +1,392 @@ @@ -0,0 +1,408 @@
+<?xml version="1.0" encoding='UTF-8'?> +<?xml version="1.0" encoding='UTF-8'?>
+<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.3//EN" +<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.3//EN"
+ "http://www.oasis-open.org/docbook/xml/4.3/docbookx.dtd"> + "http://www.oasis-open.org/docbook/xml/4.3/docbookx.dtd">
@ -1481,8 +1494,24 @@ diff -up Linux-PAM-1.1.1/modules/pam_faillock/pam_faillock.8.xml.faillock Linux-
+ <para> + <para>
+ The access will be reenabled after + The access will be reenabled after
+ <replaceable>n</replaceable> seconds after the lock out. + <replaceable>n</replaceable> seconds after the lock out.
+ The value 0 has the same meaning as value
+ <emphasis>never</emphasis> - the access
+ will not be reenabled without resetting the faillock
+ entries by the <citerefentry><refentrytitle>faillock</refentrytitle><manvolnum>8</manvolnum></citerefentry> command.
+ The default is 600 (10 minutes). + The default is 600 (10 minutes).
+ </para> + </para>
+ <para>
+ Note that the default directory that <emphasis>pam_faillock</emphasis>
+ uses is usually cleared on system boot so the access will be also reenabled
+ after system reboot. If that is undesirable a different tally directory
+ must be set with the <option>dir</option> option.
+ </para>
+ <para>
+ Also note that it is usually undesirable to permanently lock
+ out the users as they can become easily a target of denial of service
+ attack unless the usernames are random and kept secret to potential
+ attackers.
+ </para>
+ </listitem> + </listitem>
+ </varlistentry> + </varlistentry>
+ <varlistentry> + <varlistentry>
@ -1672,9 +1701,9 @@ diff -up Linux-PAM-1.1.1/modules/pam_faillock/pam_faillock.8.xml.faillock Linux-
+ </refsect1> + </refsect1>
+ +
+</refentry> +</refentry>
diff -up Linux-PAM-1.1.1/modules/pam_faillock/README.xml.faillock Linux-PAM-1.1.1/modules/pam_faillock/README.xml diff -up Linux-PAM-1.2.1/modules/pam_faillock/README.xml.faillock Linux-PAM-1.2.1/modules/pam_faillock/README.xml
--- Linux-PAM-1.1.1/modules/pam_faillock/README.xml.faillock 2011-01-25 18:24:43.000000000 +0100 --- Linux-PAM-1.2.1/modules/pam_faillock/README.xml.faillock 2015-06-25 10:42:21.483374875 +0200
+++ Linux-PAM-1.1.1/modules/pam_faillock/README.xml 2011-01-25 18:24:43.000000000 +0100 +++ Linux-PAM-1.2.1/modules/pam_faillock/README.xml 2015-06-25 10:42:21.483374875 +0200
@@ -0,0 +1,46 @@ @@ -0,0 +1,46 @@
+<?xml version="1.0" encoding='UTF-8'?> +<?xml version="1.0" encoding='UTF-8'?>
+<!DOCTYPE article PUBLIC "-//OASIS//DTD DocBook XML V4.3//EN" +<!DOCTYPE article PUBLIC "-//OASIS//DTD DocBook XML V4.3//EN"
@ -1722,9 +1751,9 @@ diff -up Linux-PAM-1.1.1/modules/pam_faillock/README.xml.faillock Linux-PAM-1.1.
+ </section> + </section>
+ +
+</article> +</article>
diff -up Linux-PAM-1.1.1/modules/pam_faillock/tst-pam_faillock.faillock Linux-PAM-1.1.1/modules/pam_faillock/tst-pam_faillock diff -up Linux-PAM-1.2.1/modules/pam_faillock/tst-pam_faillock.faillock Linux-PAM-1.2.1/modules/pam_faillock/tst-pam_faillock
--- Linux-PAM-1.1.1/modules/pam_faillock/tst-pam_faillock.faillock 2011-01-25 18:24:43.000000000 +0100 --- Linux-PAM-1.2.1/modules/pam_faillock/tst-pam_faillock.faillock 2015-06-25 10:42:21.483374875 +0200
+++ Linux-PAM-1.1.1/modules/pam_faillock/tst-pam_faillock 2011-01-25 18:24:43.000000000 +0100 +++ Linux-PAM-1.2.1/modules/pam_faillock/tst-pam_faillock 2015-06-25 10:42:21.483374875 +0200
@@ -0,0 +1,2 @@ @@ -0,0 +1,2 @@
+#!/bin/sh +#!/bin/sh
+../../tests/tst-dlopen .libs/pam_faillock.so +../../tests/tst-dlopen .libs/pam_faillock.so


@ -1,6 +1,7 @@
--- a/configure.in.old 2013-09-18 16:30:13.000000000 +0400 diff -urN Linux-PAM-1.3.0/configure.ac Linux-PAM-1.3.0-patched/configure.ac
+++ b/configure.in 2015-01-21 19:36:59.000000000 +0300 --- Linux-PAM-1.3.0/configure.ac 2016-04-28 21:21:59.000000000 +1000
@@ -552,9 +552,9 @@ +++ Linux-PAM-1.3.0-patched/configure.ac 2016-09-19 17:20:03.612168890 +1000
@@ -554,9 +554,9 @@
JH_CHECK_XML_CATALOG([http://docbook.sourceforge.net/release/xsl/current/manpages/docbook.xsl], JH_CHECK_XML_CATALOG([http://docbook.sourceforge.net/release/xsl/current/manpages/docbook.xsl],
[DocBook XSL Stylesheets], [], enable_docu=no) [DocBook XSL Stylesheets], [], enable_docu=no)
@ -10,5 +11,5 @@
- BROWSER="$BROWSER -T text/html -dump" - BROWSER="$BROWSER -T text/html -dump"
+ BROWSER="$BROWSER" + BROWSER="$BROWSER"
else else
enable_docu=no AC_PATH_PROG([BROWSER], [links])
fi if test ! -z "$BROWSER"; then


@ -1,7 +1,6 @@
diff --git a/modules/pam_pwhistory/Makefile.am b/modules/pam_pwhistory/Makefile.am diff -up Linux-PAM-1.3.0/modules/pam_pwhistory/Makefile.am.pwhhelper Linux-PAM-1.3.0/modules/pam_pwhistory/Makefile.am
index 4bb4d6d..9157b91 100644 --- Linux-PAM-1.3.0/modules/pam_pwhistory/Makefile.am.pwhhelper 2016-03-24 12:45:42.000000000 +0100
--- a/modules/pam_pwhistory/Makefile.am +++ Linux-PAM-1.3.0/modules/pam_pwhistory/Makefile.am 2016-05-06 15:18:42.307637933 +0200
+++ b/modules/pam_pwhistory/Makefile.am
@@ -1,5 +1,6 @@ @@ -1,5 +1,6 @@
# #
# Copyright (c) 2008, 2009 Thorsten Kukuk <kukuk@suse.de> # Copyright (c) 2008, 2009 Thorsten Kukuk <kukuk@suse.de>
@ -9,7 +8,7 @@ index 4bb4d6d..9157b91 100644
# #
CLEANFILES = *~ CLEANFILES = *~
@@ -9,25 +10,34 @@ EXTRA_DIST = README $(MANS) $(XMLS) tst-pam_pwhistory @@ -9,25 +10,34 @@ EXTRA_DIST = README $(MANS) $(XMLS) tst-
TESTS = tst-pam_pwhistory TESTS = tst-pam_pwhistory
@ -50,10 +49,9 @@ index 4bb4d6d..9157b91 100644
if ENABLE_REGENERATE_MAN if ENABLE_REGENERATE_MAN
noinst_DATA = README noinst_DATA = README
README: pam_pwhistory.8.xml README: pam_pwhistory.8.xml
diff --git a/modules/pam_pwhistory/opasswd.c b/modules/pam_pwhistory/opasswd.c diff -up Linux-PAM-1.3.0/modules/pam_pwhistory/opasswd.c.pwhhelper Linux-PAM-1.3.0/modules/pam_pwhistory/opasswd.c
index 836d713..e319ff3 100644 --- Linux-PAM-1.3.0/modules/pam_pwhistory/opasswd.c.pwhhelper 2016-03-24 12:45:42.000000000 +0100
--- a/modules/pam_pwhistory/opasswd.c +++ Linux-PAM-1.3.0/modules/pam_pwhistory/opasswd.c 2016-05-06 15:18:42.307637933 +0200
+++ b/modules/pam_pwhistory/opasswd.c
@@ -1,5 +1,6 @@ @@ -1,5 +1,6 @@
/* /*
* Copyright (c) 2008 Thorsten Kukuk <kukuk@suse.de> * Copyright (c) 2008 Thorsten Kukuk <kukuk@suse.de>
@ -112,7 +110,7 @@ index 836d713..e319ff3 100644
static int static int
parse_entry (char *line, opwd *data) parse_entry (char *line, opwd *data)
@@ -112,8 +135,8 @@ compare_password(const char *newpass, const char *oldpass) @@ -117,8 +140,8 @@ compare_password(const char *newpass, co
} }
/* Check, if the new password is already in the opasswd file. */ /* Check, if the new password is already in the opasswd file. */
@ -123,7 +121,7 @@ index 836d713..e319ff3 100644
const char *newpass, int debug) const char *newpass, int debug)
{ {
int retval = PAM_SUCCESS; int retval = PAM_SUCCESS;
@@ -123,6 +146,11 @@ check_old_pass (pam_handle_t *pamh, const char *user, @@ -128,6 +151,11 @@ check_old_pass (pam_handle_t *pamh, cons
opwd entry; opwd entry;
int found = 0; int found = 0;
@ -135,7 +133,7 @@ index 836d713..e319ff3 100644
if ((oldpf = fopen (OLD_PASSWORDS_FILE, "r")) == NULL) if ((oldpf = fopen (OLD_PASSWORDS_FILE, "r")) == NULL)
{ {
if (errno != ENOENT) if (errno != ENOENT)
@@ -208,9 +236,9 @@ check_old_pass (pam_handle_t *pamh, const char *user, @@ -213,9 +241,9 @@ check_old_pass (pam_handle_t *pamh, cons
return retval; return retval;
} }
@ -148,7 +146,7 @@ index 836d713..e319ff3 100644
{ {
char opasswd_tmp[] = TMP_PASSWORDS_FILE; char opasswd_tmp[] = TMP_PASSWORDS_FILE;
struct stat opasswd_stat; struct stat opasswd_stat;
@@ -221,10 +249,35 @@ save_old_pass (pam_handle_t *pamh, const char *user, uid_t uid, @@ -226,10 +254,35 @@ save_old_pass (pam_handle_t *pamh, const
char *buf = NULL; char *buf = NULL;
size_t buflen = 0; size_t buflen = 0;
int found = 0; int found = 0;
@ -184,7 +182,7 @@ index 836d713..e319ff3 100644
if (oldpass == NULL || *oldpass == '\0') if (oldpass == NULL || *oldpass == '\0')
return PAM_SUCCESS; return PAM_SUCCESS;
@@ -447,7 +500,7 @@ save_old_pass (pam_handle_t *pamh, const char *user, uid_t uid, @@ -452,7 +505,7 @@ save_old_pass (pam_handle_t *pamh, const
{ {
char *out; char *out;
@ -193,10 +191,9 @@ index 836d713..e319ff3 100644
{ {
retval = PAM_AUTHTOK_ERR; retval = PAM_AUTHTOK_ERR;
if (oldpf) if (oldpf)
diff --git a/modules/pam_pwhistory/opasswd.h b/modules/pam_pwhistory/opasswd.h diff -up Linux-PAM-1.3.0/modules/pam_pwhistory/opasswd.h.pwhhelper Linux-PAM-1.3.0/modules/pam_pwhistory/opasswd.h
index db3e656..1b08699 100644 --- Linux-PAM-1.3.0/modules/pam_pwhistory/opasswd.h.pwhhelper 2016-03-24 12:45:42.000000000 +0100
--- a/modules/pam_pwhistory/opasswd.h +++ Linux-PAM-1.3.0/modules/pam_pwhistory/opasswd.h 2016-05-06 15:18:42.307637933 +0200
+++ b/modules/pam_pwhistory/opasswd.h
@@ -1,5 +1,6 @@ @@ -1,5 +1,6 @@
/* /*
* Copyright (c) 2008 Thorsten Kukuk <kukuk@suse.de> * Copyright (c) 2008 Thorsten Kukuk <kukuk@suse.de>
@ -242,10 +239,9 @@ index db3e656..1b08699 100644
+save_old_pass, const char *user, int howmany, int debug); +save_old_pass, const char *user, int howmany, int debug);
#endif /* __OPASSWD_H__ */ #endif /* __OPASSWD_H__ */
diff --git a/modules/pam_pwhistory/pam_pwhistory.c b/modules/pam_pwhistory/pam_pwhistory.c diff -up Linux-PAM-1.3.0/modules/pam_pwhistory/pam_pwhistory.c.pwhhelper Linux-PAM-1.3.0/modules/pam_pwhistory/pam_pwhistory.c
index 654edd3..d6c5c47 100644 --- Linux-PAM-1.3.0/modules/pam_pwhistory/pam_pwhistory.c.pwhhelper 2016-04-04 11:22:28.000000000 +0200
--- a/modules/pam_pwhistory/pam_pwhistory.c +++ Linux-PAM-1.3.0/modules/pam_pwhistory/pam_pwhistory.c 2016-05-06 15:19:31.610785512 +0200
+++ b/modules/pam_pwhistory/pam_pwhistory.c
@@ -1,6 +1,7 @@ @@ -1,6 +1,7 @@
/* /*
* Copyright (c) 2008, 2012 Thorsten Kukuk * Copyright (c) 2008, 2012 Thorsten Kukuk
@ -278,7 +274,7 @@ index 654edd3..d6c5c47 100644
struct options_t { struct options_t {
int debug; int debug;
@@ -102,6 +108,184 @@ parse_option (pam_handle_t *pamh, const char *argv, options_t *options) @@ -102,6 +108,184 @@ parse_option (pam_handle_t *pamh, const
pam_syslog (pamh, LOG_ERR, "pam_pwhistory: unknown option: %s", argv); pam_syslog (pamh, LOG_ERR, "pam_pwhistory: unknown option: %s", argv);
} }
@ -463,23 +459,22 @@ index 654edd3..d6c5c47 100644
/* This module saves the current crypted password in /etc/security/opasswd /* This module saves the current crypted password in /etc/security/opasswd
and then compares the new password with all entries in this file. */ and then compares the new password with all entries in this file. */
@@ -109,7 +293,6 @@ parse_option (pam_handle_t *pamh, const char *argv, options_t *options) @@ -109,7 +293,6 @@ parse_option (pam_handle_t *pamh, const
PAM_EXTERN int int
pam_sm_chauthtok (pam_handle_t *pamh, int flags, int argc, const char **argv) pam_sm_chauthtok (pam_handle_t *pamh, int flags, int argc, const char **argv)
{ {
- struct passwd *pwd; - struct passwd *pwd;
const char *newpass; const char *newpass;
const char *user; const char *user;
int retval, tries; int retval, tries;
@@ -154,31 +337,13 @@ pam_sm_chauthtok (pam_handle_t *pamh, int flags, int argc, const char **argv) @@ -154,31 +337,13 @@ pam_sm_chauthtok (pam_handle_t *pamh, in
return PAM_SUCCESS; return PAM_SUCCESS;
} }
- pwd = pam_modutil_getpwnam (pamh, user); - pwd = pam_modutil_getpwnam (pamh, user);
- if (pwd == NULL) - if (pwd == NULL)
- return PAM_USER_UNKNOWN; - return PAM_USER_UNKNOWN;
+ retval = save_old_pass (pamh, user, options.remember, options.debug); -
- if ((strcmp(pwd->pw_passwd, "x") == 0) || - if ((strcmp(pwd->pw_passwd, "x") == 0) ||
- ((pwd->pw_passwd[0] == '#') && - ((pwd->pw_passwd[0] == '#') &&
- (pwd->pw_passwd[1] == '#') && - (pwd->pw_passwd[1] == '#') &&
@ -488,8 +483,7 @@ index 654edd3..d6c5c47 100644
- struct spwd *spw = pam_modutil_getspnam (pamh, user); - struct spwd *spw = pam_modutil_getspnam (pamh, user);
- if (spw == NULL) - if (spw == NULL)
- return PAM_USER_UNKNOWN; - return PAM_USER_UNKNOWN;
+ if (retval == PAM_PWHISTORY_RUN_HELPER) + retval = save_old_pass (pamh, user, options.remember, options.debug);
+ retval = run_save_helper(pamh, user, options.remember, options.debug);
- retval = save_old_pass (pamh, user, pwd->pw_uid, spw->sp_pwdp, - retval = save_old_pass (pamh, user, pwd->pw_uid, spw->sp_pwdp,
- options.remember, options.debug); - options.remember, options.debug);
@ -503,12 +497,15 @@ index 654edd3..d6c5c47 100644
- if (retval != PAM_SUCCESS) - if (retval != PAM_SUCCESS)
- return retval; - return retval;
- } - }
+ if (retval == PAM_PWHISTORY_RUN_HELPER)
+ retval = run_save_helper(pamh, user, options.remember, options.debug);
+
+ if (retval != PAM_SUCCESS) + if (retval != PAM_SUCCESS)
+ return retval; + return retval;
newpass = NULL; newpass = NULL;
tries = 0; tries = 0;
@@ -207,8 +372,11 @@ pam_sm_chauthtok (pam_handle_t *pamh, int flags, int argc, const char **argv) @@ -207,8 +372,11 @@ pam_sm_chauthtok (pam_handle_t *pamh, in
if (options.debug) if (options.debug)
pam_syslog (pamh, LOG_DEBUG, "check against old password file"); pam_syslog (pamh, LOG_DEBUG, "check against old password file");
@ -522,85 +519,9 @@ index 654edd3..d6c5c47 100644
{ {
if (getuid() || options.enforce_for_root || if (getuid() || options.enforce_for_root ||
(flags & PAM_CHANGE_EXPIRED_AUTHTOK)) (flags & PAM_CHANGE_EXPIRED_AUTHTOK))
diff --git a/modules/pam_pwhistory/pwhistory_helper.8.xml b/modules/pam_pwhistory/pwhistory_helper.8.xml diff -up Linux-PAM-1.3.0/modules/pam_pwhistory/pwhistory_helper.c.pwhhelper Linux-PAM-1.3.0/modules/pam_pwhistory/pwhistory_helper.c
new file mode 100644 --- Linux-PAM-1.3.0/modules/pam_pwhistory/pwhistory_helper.c.pwhhelper 2016-05-06 15:18:42.308637957 +0200
index 0000000..a030176 +++ Linux-PAM-1.3.0/modules/pam_pwhistory/pwhistory_helper.c 2016-05-06 15:18:42.308637957 +0200
--- /dev/null
+++ b/modules/pam_pwhistory/pwhistory_helper.8.xml
@@ -0,0 +1,68 @@
+<?xml version="1.0" encoding='UTF-8'?>
+<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.3//EN"
+ "http://www.oasis-open.org/docbook/xml/4.3/docbookx.dtd">
+
+<refentry id="pwhistory_helper">
+
+ <refmeta>
+ <refentrytitle>pwhistory_helper</refentrytitle>
+ <manvolnum>8</manvolnum>
+ <refmiscinfo class="sectdesc">Linux-PAM Manual</refmiscinfo>
+ </refmeta>
+
+ <refnamediv id="pwhistory_helper-name">
+ <refname>pwhistory_helper</refname>
+ <refpurpose>Helper binary that transfers password hashes from passwd or shadow to opasswd</refpurpose>
+ </refnamediv>
+
+ <refsynopsisdiv>
+ <cmdsynopsis id="pwhistory_helper-cmdsynopsis">
+ <command>pwhistory_helper</command>
+ <arg choice="opt">
+ ...
+ </arg>
+ </cmdsynopsis>
+ </refsynopsisdiv>
+
+ <refsect1 id="pwhistory_helper-description">
+
+ <title>DESCRIPTION</title>
+
+ <para>
+ <emphasis>pwhistory_helper</emphasis> is a helper program for the
+ <emphasis>pam_pwhistory</emphasis> module that transfers password hashes
+ from passwd or shadow file to the opasswd file and checks a password
+ supplied by user against the existing hashes in the opasswd file.
+ </para>
+
+ <para>
+ The purpose of the helper is to enable tighter confinement of
+ login and password changing services. The helper is thus called only
+ when SELinux is enabled on the system.
+ </para>
+
+ <para>
+ The interface of the helper - command line options, and input/output
+ data format are internal to the <emphasis>pam_pwhistory</emphasis>
+ module and it should not be called directly from applications.
+ </para>
+ </refsect1>
+
+ <refsect1 id='pwhistory_helper-see_also'>
+ <title>SEE ALSO</title>
+ <para>
+ <citerefentry>
+ <refentrytitle>pam_pwhistory</refentrytitle><manvolnum>8</manvolnum>
+ </citerefentry>
+ </para>
+ </refsect1>
+
+ <refsect1 id='pwhistory_helper-author'>
+ <title>AUTHOR</title>
+ <para>
+ Written by Tomas Mraz based on the code originally in
+ <emphasis>pam_pwhistory and pam_unix</emphasis> modules.
+ </para>
+ </refsect1>
+
+</refentry>
diff --git a/modules/pam_pwhistory/pwhistory_helper.c b/modules/pam_pwhistory/pwhistory_helper.c
new file mode 100644
index 0000000..b07ab81
--- /dev/null
+++ b/modules/pam_pwhistory/pwhistory_helper.c
@@ -0,0 +1,209 @@ @@ -0,0 +1,209 @@
+/* +/*
+ * Copyright (c) 2013 Red Hat, Inc. + * Copyright (c) 2013 Red Hat, Inc.
@ -811,3 +732,75 @@ index 0000000..b07ab81
+ return PAM_SYSTEM_ERR; + return PAM_SYSTEM_ERR;
+} +}
+ +
diff -up Linux-PAM-1.3.0/modules/pam_pwhistory/pwhistory_helper.8.xml.pwhhelper Linux-PAM-1.3.0/modules/pam_pwhistory/pwhistory_helper.8.xml
--- Linux-PAM-1.3.0/modules/pam_pwhistory/pwhistory_helper.8.xml.pwhhelper 2016-05-06 15:18:42.308637957 +0200
+++ Linux-PAM-1.3.0/modules/pam_pwhistory/pwhistory_helper.8.xml 2016-05-06 15:18:42.308637957 +0200
@@ -0,0 +1,68 @@
+<?xml version="1.0" encoding='UTF-8'?>
+<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.3//EN"
+ "http://www.oasis-open.org/docbook/xml/4.3/docbookx.dtd">
+
+<refentry id="pwhistory_helper">
+
+ <refmeta>
+ <refentrytitle>pwhistory_helper</refentrytitle>
+ <manvolnum>8</manvolnum>
+ <refmiscinfo class="sectdesc">Linux-PAM Manual</refmiscinfo>
+ </refmeta>
+
+ <refnamediv id="pwhistory_helper-name">
+ <refname>pwhistory_helper</refname>
+ <refpurpose>Helper binary that transfers password hashes from passwd or shadow to opasswd</refpurpose>
+ </refnamediv>
+
+ <refsynopsisdiv>
+ <cmdsynopsis id="pwhistory_helper-cmdsynopsis">
+ <command>pwhistory_helper</command>
+ <arg choice="opt">
+ ...
+ </arg>
+ </cmdsynopsis>
+ </refsynopsisdiv>
+
+ <refsect1 id="pwhistory_helper-description">
+
+ <title>DESCRIPTION</title>
+
+ <para>
+ <emphasis>pwhistory_helper</emphasis> is a helper program for the
+ <emphasis>pam_pwhistory</emphasis> module that transfers password hashes
+ from passwd or shadow file to the opasswd file and checks a password
+ supplied by user against the existing hashes in the opasswd file.
+ </para>
+
+ <para>
+ The purpose of the helper is to enable tighter confinement of
+ login and password changing services. The helper is thus called only
+ when SELinux is enabled on the system.
+ </para>
+
+ <para>
+ The interface of the helper - command line options, and input/output
+ data format are internal to the <emphasis>pam_pwhistory</emphasis>
+ module and it should not be called directly from applications.
+ </para>
+ </refsect1>
+
+ <refsect1 id='pwhistory_helper-see_also'>
+ <title>SEE ALSO</title>
+ <para>
+ <citerefentry>
+ <refentrytitle>pam_pwhistory</refentrytitle><manvolnum>8</manvolnum>
+ </citerefentry>
+ </para>
+ </refsect1>
+
+ <refsect1 id='pwhistory_helper-author'>
+ <title>AUTHOR</title>
+ <para>
+ Written by Tomas Mraz based on the code originally in
+ <emphasis>pam_pwhistory and pam_unix</emphasis> modules.
+ </para>
+ </refsect1>
+
+</refentry>
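Review bot: The rewritten pam_sm_chauthtok hunk (the `retval = save_old_pass (pamh, user, options.remember, options.debug);` followed by `if (retval == PAM_PWHISTORY_RUN_HELPER) retval = run_save_helper(...)`) removes the explicit `pam_modutil_getpwnam`/`pam_modutil_getspnam` checks that returned `PAM_USER_UNKNOWN`, so whether a user without a passwd or shadow entry still fails with `PAM_USER_UNKNOWN` now depends entirely on save_old_pass() and the setuid helper, whose bodies are outside this hunk; please confirm that result is propagated rather than collapsed into PAM_SUCCESS or PAM_SYSTEM_ERR. The `PAM_PWHISTORY_RUN_HELPER` sentinel is not self-explanatory at the call site; a short why-comment such as `/* save_old_pass() could not read the shadow entry itself (presumably an SELinux-confined caller, per pwhistory_helper(8)); retry via the privileged helper */` would make the two-step flow clear, worded as an assumption until the helper protocol is checked. Since the helper is now the path that touches shadow hashes, the Makefile hunk that installs it (collapsed here) is where its setuid/ownership bits are set and deserves a look in the same review. The pam_sm_chauthtok function starts and ends outside the hunk.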


@ -1,52 +0,0 @@
From 57a1e2b274d0a6376d92ada9926e5c5741e7da20 Mon Sep 17 00:00:00 2001
From: "Dmitry V. Levin" <ldv@altlinux.org>
Date: Fri, 24 Jan 2014 22:18:32 +0000
Subject: [PATCH] pam_userdb: fix password hash comparison
Starting with commit Linux-PAM-0-77-28-g0b3e583 that introduced hashed
passwords support in pam_userdb, hashes are compared case-insensitively.
This bug leads to accepting hashes for completely different passwords in
addition to those that should be accepted.
Additionally, commit Linux-PAM-1_1_6-13-ge2a8187 that added support for
modern password hashes with different lengths and settings, did not
update the hash comparison accordingly, which leads to accepting
computed hashes longer than stored hashes when the latter is a prefix
of the former.
* modules/pam_userdb/pam_userdb.c (user_lookup): Reject the computed
hash whose length differs from the stored hash length.
Compare computed and stored hashes case-sensitively.
Fixes CVE-2013-7041.
Bug-Debian: http://bugs.debian.org/731368
---
modules/pam_userdb/pam_userdb.c | 9 ++++++---
1 file changed, 6 insertions(+), 3 deletions(-)
diff --git a/modules/pam_userdb/pam_userdb.c b/modules/pam_userdb/pam_userdb.c
index de8b5b1..ff040e6 100644
--- a/modules/pam_userdb/pam_userdb.c
+++ b/modules/pam_userdb/pam_userdb.c
@@ -222,12 +222,15 @@ user_lookup (pam_handle_t *pamh, const char *database, const char *cryptmode,
} else {
cryptpw = crypt (pass, data.dptr);
- if (cryptpw) {
- compare = strncasecmp (data.dptr, cryptpw, data.dsize);
+ if (cryptpw && strlen(cryptpw) == (size_t)data.dsize) {
+ compare = memcmp(data.dptr, cryptpw, data.dsize);
} else {
compare = -2;
if (ctrl & PAM_DEBUG_ARG) {
- pam_syslog(pamh, LOG_INFO, "crypt() returned NULL");
+ if (cryptpw)
+ pam_syslog(pamh, LOG_INFO, "lengths of computed and stored hashes differ");
+ else
+ pam_syslog(pamh, LOG_INFO, "crypt() returned NULL");
}
};
--
1.8.3.1


@ -1,56 +0,0 @@
From 9dcead87e6d7f66d34e7a56d11a30daca367dffb Mon Sep 17 00:00:00 2001
From: "Dmitry V. Levin" <ldv@altlinux.org>
Date: Wed, 26 Mar 2014 22:17:23 +0000
Subject: [PATCH] pam_timestamp: fix potential directory traversal issue
(ticket #27)
pam_timestamp uses values of PAM_RUSER and PAM_TTY as components of
the timestamp pathname it creates, so extra care should be taken to
avoid potential directory traversal issues.
* modules/pam_timestamp/pam_timestamp.c (check_tty): Treat
"." and ".." tty values as invalid.
(get_ruser): Treat "." and ".." ruser values, as well as any ruser
value containing '/', as invalid.
Fixes CVE-2014-2583.
Reported-by: Sebastian Krahmer <krahmer@suse.de>
---
modules/pam_timestamp/pam_timestamp.c | 13 ++++++++++++-
1 file changed, 12 insertions(+), 1 deletion(-)
diff --git a/modules/pam_timestamp/pam_timestamp.c b/modules/pam_timestamp/pam_timestamp.c
index 5193733..b3f08b1 100644
--- a/modules/pam_timestamp/pam_timestamp.c
+++ b/modules/pam_timestamp/pam_timestamp.c
@@ -158,7 +158,7 @@ check_tty(const char *tty)
tty = strrchr(tty, '/') + 1;
}
/* Make sure the tty wasn't actually a directory (no basename). */
- if (strlen(tty) == 0) {
+ if (!strlen(tty) || !strcmp(tty, ".") || !strcmp(tty, "..")) {
return NULL;
}
return tty;
@@ -243,6 +243,17 @@ get_ruser(pam_handle_t *pamh, char *ruserbuf, size_t ruserbuflen)
if (pwd != NULL) {
ruser = pwd->pw_name;
}
+ } else {
+ /*
+ * This ruser is used by format_timestamp_name as a component
+ * of constructed timestamp pathname, so ".", "..", and '/'
+ * are disallowed to avoid potential path traversal issues.
+ */
+ if (!strcmp(ruser, ".") ||
+ !strcmp(ruser, "..") ||
+ strchr(ruser, '/')) {
+ ruser = NULL;
+ }
}
if (ruser == NULL || strlen(ruser) >= ruserbuflen) {
*ruserbuf = '\0';
--
1.8.3.1


@ -10,12 +10,12 @@
%bcond_without selinux %bcond_without selinux
%define pam_redhat_version 0.99.10-1 %define pam_redhat_version 0.99.11
Summary: A security tool which provides authentication for applications Summary: A security tool which provides authentication for applications
Name: pam Name: pam
Version: 1.1.8 Version: 1.3.0
Release: 31 Release: 1
Epoch: 1 Epoch: 1
# The library is BSD licensed with option to relicense as GPLv2+ - this option is redundant # The library is BSD licensed with option to relicense as GPLv2+ - this option is redundant
# as the BSD license allows that anyway. pam_timestamp and pam_console modules are GPLv2+, # as the BSD license allows that anyway. pam_timestamp and pam_console modules are GPLv2+,
@ -41,38 +41,23 @@ Source501: pam_tty_audit.8
Source502: README Source502: README
# RedHat patches # RedHat patches
Patch1: pam-1.0.90-redhat-modules.patch Patch1: pam-1.2.0-redhat-modules.patch
Patch2: pam-1.1.6-std-noclose.patch Patch2: pam-1.2.0-fix-running-in-containers.patch
Patch3: pam-1.2.0-unix-no-fallback.patch
Patch4: pam-1.1.0-console-nochmod.patch Patch4: pam-1.1.0-console-nochmod.patch
Patch5: pam-1.1.0-notally.patch Patch5: pam-1.1.0-notally.patch
Patch7: pam-1.1.0-console-fixes.patch
Patch9: pam-1.1.6-noflex.patch Patch9: pam-1.1.6-noflex.patch
Patch10: pam-1.1.3-nouserenv.patch Patch10: pam-1.1.3-nouserenv.patch
Patch11: pam-1.1.3-console-abstract.patch
Patch13: pam-1.1.5-limits-user.patch Patch13: pam-1.1.5-limits-user.patch
Patch14: pam-1.1.1-faillock.patch Patch14: pam-1.2.1-faillock.patch
Patch22: pam-1.1.7-unix-build.patch Patch22: pam-1.1.7-unix-build.patch
Patch32: pam-1.1.7-tty-audit-init.patch Patch43: pam-1.3.0-pwhistory-helper.patch
Patch33: pam-1.1.8-audit-grantor.patch
Patch34: pam-1.1.8-audit-user-mgmt.patch
Patch35: pam-1.1.8-canonicalize-username.patch
Patch36: pam-1.1.8-full-relro.patch
Patch37: pam-1.1.8-lastlog-uninitialized.patch
Patch38: pam-1.1.8-limits-check-process.patch
Patch39: pam-1.1.8-limits-docfix.patch
Patch40: pam-1.1.8-loginuid-container.patch
Patch41: pam-1.1.8-man-dbsuffix.patch
Patch42: pam-1.1.8-opasswd-tolerant.patch
Patch43: pam-1.1.8-pwhistory-helper.patch
# ROSA specific sources/patches # ROSA specific sources/patches
# (fl) fix infinite loop # (fl) fix infinite loop
Patch507: pam-0.74-loop.patch Patch507: pam-0.74-loop.patch
# (fc) 0.75-29mdk don't complain when / is owned by root.adm # (fc) 0.75-29mdk don't complain when / is owned by root.adm
Patch508: Linux-PAM-0.99.3.0-pamtimestampadm.patch Patch508: Linux-PAM-0.99.3.0-pamtimestampadm.patch
# (fl) pam_xauth: set extra groups because in high security levels
# access to /usr/X11R6/bin dir is controlled by a group
##Patch512: Linux-PAM-1.1.1-xauth-groups.patch
# (tv/blino) add defaults for nice/rtprio in /etc/security/limits.conf # (tv/blino) add defaults for nice/rtprio in /etc/security/limits.conf
Patch517: Linux-PAM-0.99.3.0-enable_rt.patch Patch517: Linux-PAM-0.99.3.0-enable_rt.patch
@ -81,15 +66,14 @@ Patch700: pam_fix_static_pam_console.patch
Patch701: pam-1.1.0-console-nopermsd.patch Patch701: pam-1.1.0-console-nopermsd.patch
# (proyvind): add missing constant that went with rpc removal from glibc 2.14 # (proyvind): add missing constant that went with rpc removal from glibc 2.14
Patch702: Linux-PAM-1.1.4-add-now-missing-nis-constant.patch Patch702: Linux-PAM-1.1.4-add-now-missing-nis-constant.patch
Patch703: Linux-PAM-0.99.11-pbuild-rh.patch
# (akdengi) add user to default group users which need for Samba # (akdengi) add user to default group users which need for Samba
Patch801: Linux-PAM-1.1.4-group_add_users.patch Patch801: Linux-PAM-1.1.4-group_add_users.patch
Patch802: pam-CVE-2014-2583.patch
Patch803: pam-CVE-2013-7041.patch
Patch804: pam-1.1.8-pbuild.patch
# (din) use html2text instead of w3m # (din) use html2text instead of w3m
Patch805: pam-1.1.8-browser.patch Patch805: pam-1.3.0-browser.patch
%if %{with selinux} %if %{with selinux}
BuildRequires: selinux-devel >= 2.1.6-7 BuildRequires: selinux-devel >= 2.1.6-7