Accepting request 53149 from home:lnussel:Factory

OBS-URL: https://build.opensuse.org/request/show/53149
OBS-URL: https://build.opensuse.org/package/show/Base:System/coreutils?expand=0&rev=21

coreutils-6.8.0-pie.patch

@@ -1,192 +0,0 @@
-Index: lib/Makefile.am
-===================================================================
---- lib/Makefile.am.orig	2010-10-11 19:35:11.000000000 +0200
-+++ lib/Makefile.am	2010-11-11 16:24:42.950085976 +0100
-@@ -17,7 +17,7 @@
- 
- include gnulib.mk
- 
--AM_CFLAGS += $(GNULIB_WARN_CFLAGS) $(WERROR_CFLAGS)
-+AM_CFLAGS += $(GNULIB_WARN_CFLAGS) $(WERROR_CFLAGS) -fpie
- 
- libcoreutils_a_SOURCES += \
-   buffer-lcm.c buffer-lcm.h
-Index: lib/Makefile.in
-===================================================================
---- lib/Makefile.in.orig	2010-11-11 16:21:01.630976009 +0100
-+++ lib/Makefile.in	2010-11-11 16:25:20.640746300 +0100
-@@ -1505,7 +1505,7 @@ MAINTAINERCLEANFILES = iconv_open-aix.h
- 	iconv_open-irix.h iconv_open-osf.h iconv_open-solaris.h \
- 	parse-datetime.c
- AM_CPPFLAGS = 
--AM_CFLAGS = $(GNULIB_WARN_CFLAGS) $(WERROR_CFLAGS)
-+AM_CFLAGS = $(GNULIB_WARN_CFLAGS) $(WERROR_CFLAGS) -fpie
- libcoreutils_a_SOURCES = set-mode-acl.c copy-acl.c file-has-acl.c \
- 	areadlink.c areadlink-with-size.c areadlinkat.c argv-iter.c \
- 	argv-iter.h base64.h base64.c bitrotate.h c-ctype.h c-ctype.c \
-Index: src/Makefile.am
-===================================================================
---- src/Makefile.am.orig	2010-11-11 16:21:01.674983785 +0100
-+++ src/Makefile.am	2010-11-11 16:21:01.839012773 +0100
-@@ -354,6 +354,10 @@ uptime_LDADD += $(GETLOADAVG_LIBS)
- # for crypt
- su_SOURCES = su.c getdef.c
- su_LDADD = $(LDADD) $(LIB_CRYPT) $(PAM_LIBS)
-+su_CFLAGS = -fpie
-+su_LDFLAGS = -pie -Wl,-z,relro,-z,now
-+timeout_CFLAGS = -fpie
-+timeout_LDFLAGS = -pie -Wl,-z,relro,-z,now
- 
- # for various ACL functions
- copy_LDADD += $(LIB_ACL)
-Index: src/Makefile.in
-===================================================================
---- src/Makefile.in.orig	2010-11-11 16:21:01.674983786 +0100
-+++ src/Makefile.in	2010-11-11 16:24:16.137347873 +0100
-@@ -553,10 +553,12 @@ stdbuf_DEPENDENCIES = $(am__DEPENDENCIES
- stty_SOURCES = stty.c
- stty_OBJECTS = stty.$(OBJEXT)
- stty_DEPENDENCIES = $(am__DEPENDENCIES_2)
--am_su_OBJECTS = su.$(OBJEXT) getdef.$(OBJEXT)
-+am_su_OBJECTS = su-su.$(OBJEXT) su-getdef.$(OBJEXT)
- su_OBJECTS = $(am_su_OBJECTS)
- su_DEPENDENCIES = $(am__DEPENDENCIES_2) $(am__DEPENDENCIES_1) \
- 	$(am__DEPENDENCIES_1)
-+su_LINK = $(CCLD) $(su_CFLAGS) $(CFLAGS) $(su_LDFLAGS) $(LDFLAGS) -o \
-+	$@
- sum_SOURCES = sum.c
- sum_OBJECTS = sum.$(OBJEXT)
- sum_DEPENDENCIES = $(am__DEPENDENCIES_2)
-@@ -575,9 +577,12 @@ tee_DEPENDENCIES = $(am__DEPENDENCIES_2)
- test_SOURCES = test.c
- test_OBJECTS = test.$(OBJEXT)
- test_DEPENDENCIES = $(am__DEPENDENCIES_2) $(am__DEPENDENCIES_1)
--am_timeout_OBJECTS = timeout.$(OBJEXT) operand2sig.$(OBJEXT)
-+am_timeout_OBJECTS = timeout-timeout.$(OBJEXT) \
-+	timeout-operand2sig.$(OBJEXT)
- timeout_OBJECTS = $(am_timeout_OBJECTS)
- timeout_DEPENDENCIES = $(am__DEPENDENCIES_2) $(am__DEPENDENCIES_1)
-+timeout_LINK = $(CCLD) $(timeout_CFLAGS) $(CFLAGS) $(timeout_LDFLAGS) \
-+	$(LDFLAGS) -o $@
- touch_SOURCES = touch.c
- touch_OBJECTS = touch.$(OBJEXT)
- touch_DEPENDENCIES = $(am__DEPENDENCIES_2) $(am__DEPENDENCIES_1)
-@@ -1783,6 +1788,10 @@ stty_LDADD = $(LDADD)
- # for crypt
- su_SOURCES = su.c getdef.c
- su_LDADD = $(LDADD) $(LIB_CRYPT) $(PAM_LIBS)
-+su_CFLAGS = -fpie
-+su_LDFLAGS = -pie
-+timeout_CFLAGS = -fpie
-+timeout_LDFLAGS = -pie
- sum_LDADD = $(LDADD)
- sync_LDADD = $(LDADD)
- tac_LDADD = $(LDADD)
-@@ -2317,7 +2326,7 @@ stty$(EXEEXT): $(stty_OBJECTS) $(stty_DE
- 	$(AM_V_CCLD)$(LINK) $(stty_OBJECTS) $(stty_LDADD) $(LIBS)
- su$(EXEEXT): $(su_OBJECTS) $(su_DEPENDENCIES) $(EXTRA_su_DEPENDENCIES) 
- 	@rm -f su$(EXEEXT)
--	$(AM_V_CCLD)$(LINK) $(su_OBJECTS) $(su_LDADD) $(LIBS)
-+	$(AM_V_CCLD)$(su_LINK) $(su_OBJECTS) $(su_LDADD) $(LIBS)
- sum$(EXEEXT): $(sum_OBJECTS) $(sum_DEPENDENCIES) $(EXTRA_sum_DEPENDENCIES) 
- 	@rm -f sum$(EXEEXT)
- 	$(AM_V_CCLD)$(LINK) $(sum_OBJECTS) $(sum_LDADD) $(LIBS)
-@@ -2338,7 +2347,7 @@ test$(EXEEXT): $(test_OBJECTS) $(test_DE
- 	$(AM_V_CCLD)$(LINK) $(test_OBJECTS) $(test_LDADD) $(LIBS)
- timeout$(EXEEXT): $(timeout_OBJECTS) $(timeout_DEPENDENCIES) $(EXTRA_timeout_DEPENDENCIES) 
- 	@rm -f timeout$(EXEEXT)
--	$(AM_V_CCLD)$(LINK) $(timeout_OBJECTS) $(timeout_LDADD) $(LIBS)
-+	$(AM_V_CCLD)$(timeout_LINK) $(timeout_OBJECTS) $(timeout_LDADD) $(LIBS)
- touch$(EXEEXT): $(touch_OBJECTS) $(touch_DEPENDENCIES) $(EXTRA_touch_DEPENDENCIES) 
- 	@rm -f touch$(EXEEXT)
- 	$(AM_V_CCLD)$(LINK) $(touch_OBJECTS) $(touch_LDADD) $(LIBS)
-@@ -2428,7 +2437,6 @@ distclean-compile:
- @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/find-mount-point.Po@am__quote@
- @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/fmt.Po@am__quote@
- @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/fold.Po@am__quote@
--@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/getdef.Po@am__quote@
- @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/getlimits.Po@am__quote@
- @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/ginstall-copy.Po@am__quote@
- @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/ginstall-cp-hash.Po@am__quote@
-@@ -2492,14 +2500,16 @@ distclean-compile:
- @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/stat.Po@am__quote@
- @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/stdbuf.Po@am__quote@
- @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/stty.Po@am__quote@
--@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/su.Po@am__quote@
-+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/su-getdef.Po@am__quote@
-+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/su-su.Po@am__quote@
- @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/sum.Po@am__quote@
- @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/sync.Po@am__quote@
- @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/tac.Po@am__quote@
- @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/tail.Po@am__quote@
- @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/tee.Po@am__quote@
- @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/test.Po@am__quote@
--@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/timeout.Po@am__quote@
-+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/timeout-operand2sig.Po@am__quote@
-+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/timeout-timeout.Po@am__quote@
- @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/touch.Po@am__quote@
- @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/tr.Po@am__quote@
- @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/true.Po@am__quote@
-@@ -2688,6 +2698,62 @@ sha512sum-md5sum.obj: md5sum.c
- @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
- @am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(sha512sum_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o sha512sum-md5sum.obj `if test -f 'md5sum.c'; then $(CYGPATH_W) 'md5sum.c'; else $(CYGPATH_W) '$(srcdir)/md5sum.c'; fi`
- 
-+su-su.o: su.c
-+@am__fastdepCC_TRUE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(su_CFLAGS) $(CFLAGS) -MT su-su.o -MD -MP -MF $(DEPDIR)/su-su.Tpo -c -o su-su.o `test -f 'su.c' || echo '$(srcdir)/'`su.c
-+@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/su-su.Tpo $(DEPDIR)/su-su.Po
-+@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='su.c' object='su-su.o' libtool=no @AMDEPBACKSLASH@
-+@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-+@am__fastdepCC_FALSE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(su_CFLAGS) $(CFLAGS) -c -o su-su.o `test -f 'su.c' || echo '$(srcdir)/'`su.c
-+
-+su-su.obj: su.c
-+@am__fastdepCC_TRUE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(su_CFLAGS) $(CFLAGS) -MT su-su.obj -MD -MP -MF $(DEPDIR)/su-su.Tpo -c -o su-su.obj `if test -f 'su.c'; then $(CYGPATH_W) 'su.c'; else $(CYGPATH_W) '$(srcdir)/su.c'; fi`
-+@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/su-su.Tpo $(DEPDIR)/su-su.Po
-+@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='su.c' object='su-su.obj' libtool=no @AMDEPBACKSLASH@
-+@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-+@am__fastdepCC_FALSE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(su_CFLAGS) $(CFLAGS) -c -o su-su.obj `if test -f 'su.c'; then $(CYGPATH_W) 'su.c'; else $(CYGPATH_W) '$(srcdir)/su.c'; fi`
-+
-+su-getdef.o: getdef.c
-+@am__fastdepCC_TRUE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(su_CFLAGS) $(CFLAGS) -MT su-getdef.o -MD -MP -MF $(DEPDIR)/su-getdef.Tpo -c -o su-getdef.o `test -f 'getdef.c' || echo '$(srcdir)/'`getdef.c
-+@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/su-getdef.Tpo $(DEPDIR)/su-getdef.Po
-+@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='getdef.c' object='su-getdef.o' libtool=no @AMDEPBACKSLASH@
-+@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-+@am__fastdepCC_FALSE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(su_CFLAGS) $(CFLAGS) -c -o su-getdef.o `test -f 'getdef.c' || echo '$(srcdir)/'`getdef.c
-+
-+su-getdef.obj: getdef.c
-+@am__fastdepCC_TRUE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(su_CFLAGS) $(CFLAGS) -MT su-getdef.obj -MD -MP -MF $(DEPDIR)/su-getdef.Tpo -c -o su-getdef.obj `if test -f 'getdef.c'; then $(CYGPATH_W) 'getdef.c'; else $(CYGPATH_W) '$(srcdir)/getdef.c'; fi`
-+@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/su-getdef.Tpo $(DEPDIR)/su-getdef.Po
-+@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='getdef.c' object='su-getdef.obj' libtool=no @AMDEPBACKSLASH@
-+@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-+@am__fastdepCC_FALSE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(su_CFLAGS) $(CFLAGS) -c -o su-getdef.obj `if test -f 'getdef.c'; then $(CYGPATH_W) 'getdef.c'; else $(CYGPATH_W) '$(srcdir)/getdef.c'; fi`
-+
-+timeout-timeout.o: timeout.c
-+@am__fastdepCC_TRUE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(timeout_CFLAGS) $(CFLAGS) -MT timeout-timeout.o -MD -MP -MF $(DEPDIR)/timeout-timeout.Tpo -c -o timeout-timeout.o `test -f 'timeout.c' || echo '$(srcdir)/'`timeout.c
-+@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/timeout-timeout.Tpo $(DEPDIR)/timeout-timeout.Po
-+@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='timeout.c' object='timeout-timeout.o' libtool=no @AMDEPBACKSLASH@
-+@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-+@am__fastdepCC_FALSE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(timeout_CFLAGS) $(CFLAGS) -c -o timeout-timeout.o `test -f 'timeout.c' || echo '$(srcdir)/'`timeout.c
-+
-+timeout-timeout.obj: timeout.c
-+@am__fastdepCC_TRUE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(timeout_CFLAGS) $(CFLAGS) -MT timeout-timeout.obj -MD -MP -MF $(DEPDIR)/timeout-timeout.Tpo -c -o timeout-timeout.obj `if test -f 'timeout.c'; then $(CYGPATH_W) 'timeout.c'; else $(CYGPATH_W) '$(srcdir)/timeout.c'; fi`
-+@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/timeout-timeout.Tpo $(DEPDIR)/timeout-timeout.Po
-+@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='timeout.c' object='timeout-timeout.obj' libtool=no @AMDEPBACKSLASH@
-+@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-+@am__fastdepCC_FALSE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(timeout_CFLAGS) $(CFLAGS) -c -o timeout-timeout.obj `if test -f 'timeout.c'; then $(CYGPATH_W) 'timeout.c'; else $(CYGPATH_W) '$(srcdir)/timeout.c'; fi`
-+
-+timeout-operand2sig.o: operand2sig.c
-+@am__fastdepCC_TRUE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(timeout_CFLAGS) $(CFLAGS) -MT timeout-operand2sig.o -MD -MP -MF $(DEPDIR)/timeout-operand2sig.Tpo -c -o timeout-operand2sig.o `test -f 'operand2sig.c' || echo '$(srcdir)/'`operand2sig.c
-+@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/timeout-operand2sig.Tpo $(DEPDIR)/timeout-operand2sig.Po
-+@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='operand2sig.c' object='timeout-operand2sig.o' libtool=no @AMDEPBACKSLASH@
-+@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-+@am__fastdepCC_FALSE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(timeout_CFLAGS) $(CFLAGS) -c -o timeout-operand2sig.o `test -f 'operand2sig.c' || echo '$(srcdir)/'`operand2sig.c
-+
-+timeout-operand2sig.obj: operand2sig.c
-+@am__fastdepCC_TRUE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(timeout_CFLAGS) $(CFLAGS) -MT timeout-operand2sig.obj -MD -MP -MF $(DEPDIR)/timeout-operand2sig.Tpo -c -o timeout-operand2sig.obj `if test -f 'operand2sig.c'; then $(CYGPATH_W) 'operand2sig.c'; else $(CYGPATH_W) '$(srcdir)/operand2sig.c'; fi`
-+@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/timeout-operand2sig.Tpo $(DEPDIR)/timeout-operand2sig.Po
-+@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='operand2sig.c' object='timeout-operand2sig.obj' libtool=no @AMDEPBACKSLASH@
-+@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-+@am__fastdepCC_FALSE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(timeout_CFLAGS) $(CFLAGS) -c -o timeout-operand2sig.obj `if test -f 'operand2sig.c'; then $(CYGPATH_W) 'operand2sig.c'; else $(CYGPATH_W) '$(srcdir)/operand2sig.c'; fi`
-+
- ID: $(HEADERS) $(SOURCES) $(LISP) $(TAGS_FILES)
- 	list='$(SOURCES) $(HEADERS) $(LISP) $(TAGS_FILES)'; \
- 	unique=`for i in $$list; do \

coreutils-8.6-compile-su-with-fpie.diff

@@ -0,0 +1,42 @@
+From d1a49cccf99373293a88f5bce74857d5bb813e46 Mon Sep 17 00:00:00 2001
+From: Thorsten Kukuk <kukuk@suse.de>
+Date: Tue, 17 Aug 2010 09:21:22 +0200
+Subject: [PATCH 7/7] compile su with -fpie
+
+---
+ lib/Makefile.am |    2 +-
+ src/Makefile.am |    5 +++++
+ 2 files changed, 6 insertions(+), 1 deletions(-)
+
+diff --git a/lib/Makefile.am b/lib/Makefile.am
+index b4a591b..059928e 100644
+--- a/lib/Makefile.am
++++ b/lib/Makefile.am
+@@ -17,7 +17,7 @@
+ 
+ include gnulib.mk
+ 
+-AM_CFLAGS += $(GNULIB_WARN_CFLAGS) $(WERROR_CFLAGS)
++AM_CFLAGS += $(GNULIB_WARN_CFLAGS) $(WERROR_CFLAGS) -fpie
+ 
+ libcoreutils_a_SOURCES += \
+   buffer-lcm.c buffer-lcm.h
+diff --git a/src/Makefile.am b/src/Makefile.am
+index 484f6c2..17600af 100644
+--- a/src/Makefile.am
++++ b/src/Makefile.am
+@@ -355,6 +355,11 @@ uptime_LDADD += $(GETLOADAVG_LIBS)
+ su_SOURCES = su.c getdef.c
+ su_LDADD += $(LIB_CRYPT) $(PAM_LIBS)
+ 
++su_CFLAGS = -fpie
++su_LDFLAGS = -pie
++timeout_CFLAGS = -fpie
++timeout_LDFLAGS = -pie
++
+ # for various ACL functions
+ copy_LDADD += $(LIB_ACL)
+ ls_LDADD += $(LIB_ACL)
+-- 
+1.7.1
+

coreutils-8.6-honor-settings-in-etc-default-su-resp-etc-login.defs.diff

@@ -0,0 +1,374 @@
+From d776b1b67eb1bc1b815426fdf22f38b25ef1e2df Mon Sep 17 00:00:00 2001
+From: Ludwig Nussel <ludwig.nussel@suse.de>
+Date: Mon, 9 Aug 2010 16:03:12 +0200
+Subject: [PATCH 5/7] honor settings in /etc/default/su resp /etc/login.defs
+
+---
+ src/Makefile.am |    1 +
+ src/getdef.c    |  259 +++++++++++++++++++++++++++++++++++++++++++++++++++++++
+ src/getdef.h    |   29 ++++++
+ src/su.c        |   13 +++-
+ 4 files changed, 300 insertions(+), 2 deletions(-)
+ create mode 100644 src/getdef.c
+ create mode 100644 src/getdef.h
+
+diff --git a/src/Makefile.am b/src/Makefile.am
+index bc27274..484f6c2 100644
+--- a/src/Makefile.am
++++ b/src/Makefile.am
+@@ -352,6 +352,7 @@ factor_LDADD += $(LIB_GMP)
+ uptime_LDADD += $(GETLOADAVG_LIBS)
+ 
+ # for crypt and pam
++su_SOURCES = su.c getdef.c
+ su_LDADD += $(LIB_CRYPT) $(PAM_LIBS)
+ 
+ # for various ACL functions
+diff --git a/src/getdef.c b/src/getdef.c
+new file mode 100644
+index 0000000..e1872cf
+--- /dev/null
++++ b/src/getdef.c
+@@ -0,0 +1,259 @@
++/* Copyright (C) 2003, 2004, 2005 Thorsten Kukuk
++   Author: Thorsten Kukuk <kukuk@suse.de>
++
++   This program is free software; you can redistribute it and/or modify
++   it under the terms of the GNU General Public License version 2 as
++   published by the Free Software Foundation.
++
++   This program is distributed in the hope that it will be useful,
++   but WITHOUT ANY WARRANTY; without even the implied warranty of
++   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
++   GNU General Public License for more details.
++
++   You should have received a copy of the GNU General Public License
++   along with this program; if not, write to the Free Software Foundation,
++   Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.  */
++
++#ifdef HAVE_CONFIG_H
++#include <config.h>
++#endif
++
++#define _GNU_SOURCE
++
++#include <errno.h>
++#include <ctype.h>
++#include <stdio.h>
++#include <stdlib.h>
++#include <string.h>
++#include <limits.h>
++
++#include "getdef.h"
++
++struct item {
++  char *name;         /* Name of the option.  */
++  char *value;        /* Value of the option.  */
++  struct item *next;  /* Pointer to next option.  */
++};
++
++static struct item *list = NULL;
++
++void
++free_getdef_data (void)
++{
++  struct item *ptr;
++
++  ptr = list;
++  while (ptr != NULL)
++    {
++      struct item *tmp;
++      tmp = ptr->next;
++      free (ptr->name);
++      free (ptr->value);
++      free (ptr);
++      ptr = tmp;
++    }
++
++  list = NULL;
++}
++
++/* Add a new entry to the list.  */
++static void
++store (const char *name, const char *value)
++{
++  struct item *new = malloc (sizeof (struct item));
++
++  if (new == NULL)
++    abort ();
++
++  if (name == NULL)
++    abort ();
++
++  new->name = strdup (name);
++  new->value = strdup (value ?: "");
++  new->next = list;
++  list = new;
++}
++
++/* Search a special entry in the list and return the value.  */
++static const char *
++search (const char *name)
++{
++  struct item *ptr;
++
++  ptr = list;
++  while (ptr != NULL)
++    {
++      if (strcasecmp (name, ptr->name) == 0)
++	return ptr->value;
++      ptr = ptr->next;
++    }
++
++  return NULL;
++}
++
++/* Load the login.defs file (/etc/login.defs).  */
++static void
++load_defaults_internal (const char *filename)
++{
++  FILE *fp;
++  char *buf = NULL;
++  size_t buflen = 0;
++
++  fp = fopen (filename, "r");
++  if (NULL == fp)
++    return;
++
++  while (!feof (fp))
++    {
++      char *tmp, *cp;
++#if defined(HAVE_GETLINE)
++      ssize_t n = getline (&buf, &buflen, fp);
++#elif defined (HAVE_GETDELIM)
++      ssize_t n = getdelim (&buf, &buflen, '\n', fp);
++#else
++      ssize_t n;
++
++      if (buf == NULL)
++        {
++          buflen = 8096;
++          buf = malloc (buflen);
++        }
++      buf[0] = '\0';
++      fgets (buf, buflen - 1, fp);
++      if (buf != NULL)
++        n = strlen (buf);
++      else
++        n = 0;
++#endif /* HAVE_GETLINE / HAVE_GETDELIM */
++      cp = buf;
++
++      if (n < 1)
++        break;
++
++      tmp = strchr (cp, '#');  /* remove comments */
++      if (tmp)
++        *tmp = '\0';
++      while (isspace ((unsigned char) *cp))    /* remove spaces and tabs */
++        ++cp;
++      if (*cp == '\0')        /* ignore empty lines */
++        continue;
++
++      if (cp[strlen (cp) - 1] == '\n')
++        cp[strlen (cp) - 1] = '\0';
++
++      tmp = strsep (&cp, " \t=");
++      if (cp != NULL)
++	while (isspace ((unsigned char) *cp) || *cp == '=')
++	  ++cp;
++
++      store (tmp, cp);
++    }
++  fclose (fp);
++
++  if (buf)
++    free (buf);
++}
++
++static void
++load_defaults (void)
++{
++  load_defaults_internal ("/etc/default/su");
++  load_defaults_internal ("/etc/login.defs");
++}
++
++int
++getdef_bool (const char *name, int dflt)
++{
++  const char *val;
++
++  if (list == NULL)
++    load_defaults ();
++
++  val = search (name);
++
++  if (val == NULL)
++    return dflt;
++
++  return (strcasecmp (val, "yes") == 0);
++}
++
++long
++getdef_num (const char *name, long dflt)
++{
++  const char *val;
++  char *cp;
++  long retval;
++
++  if (list == NULL)
++    load_defaults ();
++
++  val = search (name);
++
++  if (val == NULL)
++    return dflt;
++
++  errno = 0;
++  retval = strtol (val, &cp, 0);
++  if (*cp != '\0'
++      || ((retval == LONG_MAX || retval == LONG_MIN) && errno == ERANGE))
++    {
++      fprintf (stderr,
++	       "%s contains invalid numerical value: %s!\n",
++	       name, val);
++      retval = dflt;
++    }
++  return retval;
++}
++
++unsigned long
++getdef_unum (const char *name, unsigned long dflt)
++{
++  const char *val;
++  char *cp;
++  unsigned long retval;
++
++  if (list == NULL)
++    load_defaults ();
++
++  val = search (name);
++
++  if (val == NULL)
++    return dflt;
++
++  errno = 0;
++  retval = strtoul (val, &cp, 0);
++  if (*cp != '\0' || (retval == ULONG_MAX && errno == ERANGE))
++    {
++      fprintf (stderr,
++	       "%s contains invalid numerical value: %s!\n",
++	       name, val);
++      retval = dflt;
++    }
++  return retval;
++}
++
++const char *
++getdef_str (const char *name, const char *dflt)
++{
++  const char *retval;
++
++  if (list == NULL)
++    load_defaults ();
++
++  retval = search (name);
++
++  return retval ?: dflt;
++}
++
++#if defined(TEST)
++
++int
++main ()
++{
++  printf ("CYPT=%s\n", getdef_str ("cRypt", "no"));
++  printf ("LOG_UNKFAIL_ENAB=%s\n", getdef_str ("log_unkfail_enab",""));
++  printf ("DOESNOTEXIST=%s\n", getdef_str ("DOESNOTEXIST","yes"));
++  return 0;
++}
++
++#endif
+diff --git a/src/getdef.h b/src/getdef.h
+new file mode 100644
+index 0000000..2e86cf9
+--- /dev/null
++++ b/src/getdef.h
+@@ -0,0 +1,29 @@
++/* Copyright (C) 2003, 2005 Thorsten Kukuk
++   Author: Thorsten Kukuk <kukuk@suse.de>
++
++   This program is free software; you can redistribute it and/or modify
++   it under the terms of the GNU General Public License version 2 as
++   published by the Free Software Foundation.
++
++   This program is distributed in the hope that it will be useful,
++   but WITHOUT ANY WARRANTY; without even the implied warranty of
++   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
++   GNU General Public License for more details.
++
++   You should have received a copy of the GNU General Public License
++   along with this program; if not, write to the Free Software Foundation,
++   Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.  */
++
++#ifndef _GETDEF_H_
++
++#define _GETDEF_H_ 1
++
++extern int getdef_bool (const char *name, int dflt);
++extern long getdef_num (const char *name, long dflt);
++extern unsigned long getdef_unum (const char *name, unsigned long dflt);
++extern const char *getdef_str (const char *name, const char *dflt);
++
++/* Free all data allocated by getdef_* calls before.  */
++extern void free_getdef_data (void);
++
++#endif /* _GETDEF_H_ */
+diff --git a/src/su.c b/src/su.c
+index 0071622..eaef195 100644
+--- a/src/su.c
++++ b/src/su.c
+@@ -111,6 +111,8 @@
+ # include <paths.h>
+ #endif
+ 
++#include "getdef.h"
++
+ /* The default PATH for simulated logins to non-superuser accounts.  */
+ #define DEFAULT_LOGIN_PATH "/usr/local/bin:/bin:/usr/bin"
+ 
+@@ -475,8 +477,8 @@ modify_environment (const struct passwd *pw, const char *shell)
+       xsetenv ("USER", pw->pw_name);
+       xsetenv ("LOGNAME", pw->pw_name);
+       xsetenv ("PATH", (pw->pw_uid
+-                        ? DEFAULT_LOGIN_PATH
+-                        : DEFAULT_ROOT_LOGIN_PATH));
++			? getdef_str ("PATH", DEFAULT_LOGIN_PATH)
++			: getdef_str ("SUPATH", DEFAULT_ROOT_LOGIN_PATH)));
+     }
+   else
+     {
+@@ -486,6 +488,12 @@ modify_environment (const struct passwd *pw, const char *shell)
+         {
+           xsetenv ("HOME", pw->pw_dir);
+           xsetenv ("SHELL", shell);
++	  if (getdef_bool ("ALWAYS_SET_PATH", 0))
++	    xsetenv ("PATH", (pw->pw_uid
++			      ? getdef_str ("PATH",
++					    DEFAULT_LOGIN_PATH)
++			      : getdef_str ("SUPATH",
++					    DEFAULT_ROOT_LOGIN_PATH)));
+           if (pw->pw_uid)
+             {
+               xsetenv ("USER", pw->pw_name);
+@@ -720,6 +728,7 @@ main (int argc, char **argv)
+ #ifdef SYSLOG_FAILURE
+       log_su (pw, false);
+ #endif
++      sleep (getdef_num ("FAIL_DELAY", 1));
+       error (EXIT_CANCELED, 0, _("incorrect password"));
+     }
+ #ifdef SYSLOG_SUCCESS
+-- 
+1.7.1
+

coreutils-8.6-log-all-su-attempts.diff

@@ -0,0 +1,26 @@
+From f2ea0c33d8c25ee40e7fe7a16d0994c8069bc120 Mon Sep 17 00:00:00 2001
+From: Ludwig Nussel <ludwig.nussel@suse.de>
+Date: Tue, 17 Aug 2010 13:22:01 +0200
+Subject: [PATCH 3/7] log all su attempts
+
+---
+ src/su.c |    3 +++
+ 1 files changed, 3 insertions(+), 0 deletions(-)
+
+diff --git a/src/su.c b/src/su.c
+index 1d3d007..2a9e423 100644
+--- a/src/su.c
++++ b/src/su.c
+@@ -75,6 +75,9 @@
+ 
+ #if HAVE_SYSLOG_H && HAVE_SYSLOG
+ # include <syslog.h>
++# define SYSLOG_SUCCESS  1
++# define SYSLOG_FAILURE  1
++# define SYSLOG_NON_ROOT 1
+ #else
+ # undef SYSLOG_SUCCESS
+ # undef SYSLOG_FAILURE
+-- 
+1.7.1
+

coreutils-8.6-make-sure-sbin-resp-usr-sbin-are-in-PATH.diff

@@ -1,8 +1,17 @@
-Index: src/su.c
-===================================================================
---- src/su.c.orig	2010-05-05 14:46:48.000000000 +0200
-+++ src/su.c	2010-05-05 14:48:55.023359308 +0200
-@@ -454,6 +454,117 @@ correct_password (const struct passwd *p
+From b43728c1f0c7abe90e73369542564d3ad4704963 Mon Sep 17 00:00:00 2001
+From: Werner Fink <werner@suse.de>
+Date: Tue, 17 Aug 2010 09:09:55 +0200
+Subject: [PATCH 6/7] make sure /sbin resp /usr/sbin are in PATH
+
+---
+ src/su.c |  127 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
+ 1 files changed, 127 insertions(+), 0 deletions(-)
+
+diff --git a/src/su.c b/src/su.c
+index eaef195..d78f968 100644
+--- a/src/su.c
++++ b/src/su.c
+@@ -455,6 +455,117 @@ correct_password (const struct passwd *pw)
  #endif /* !USE_PAM */
  }
  
@@ -120,7 +129,7 @@ Index: src/su.c
  /* Update `environ' for the new shell based on PW, with SHELL being
     the value for the SHELL environment variable.  */
  
-@@ -493,6 +604,22 @@ modify_environment (const struct passwd
+@@ -494,6 +605,22 @@ modify_environment (const struct passwd *pw, const char *shell)
  					    DEFAULT_LOGIN_PATH)
  			      : getdef_str ("SUPATH",
  					    DEFAULT_ROOT_LOGIN_PATH)));
@@ -143,3 +152,6 @@ Index: src/su.c
            if (pw->pw_uid)
              {
                xsetenv ("USER", pw->pw_name);
+-- 
+1.7.1
+

coreutils-8.6-pam-support-for-su.diff

@@ -0,0 +1,405 @@
+From 8b1e75c55ea6be5c8639c98b73ecfa0cf15226ce Mon Sep 17 00:00:00 2001
+From: Ludwig Nussel <ludwig.nussel@suse.de>
+Date: Tue, 17 Aug 2010 13:21:44 +0200
+Subject: [PATCH 1/7] pam support for su
+
+---
+ configure.ac    |   14 +++
+ src/Makefile.am |    4 +-
+ src/su.c        |  266 ++++++++++++++++++++++++++++++++++++++++++++++++++++++-
+ 3 files changed, 278 insertions(+), 6 deletions(-)
+
+diff --git a/configure.ac b/configure.ac
+index 4ac30e8..eacd57f 100644
+--- a/configure.ac
++++ b/configure.ac
+@@ -135,6 +135,20 @@ fi
+ 
+ AC_FUNC_FORK
+ 
++AC_ARG_ENABLE(pam, AS_HELP_STRING([--disable-pam],
++	[Enable PAM support in su (default=auto)]), , [enable_pam=yes])
++if test "x$enable_pam" != xno; then
++  AC_CHECK_LIB([pam], [pam_start], [enable_pam=yes], [enable_pam=no])
++  AC_CHECK_LIB([pam_misc], [misc_conv], [:], [enable_pam=no])
++  if test "x$enable_pam" != xno; then
++    AC_DEFINE(USE_PAM, 1, [Define if you want to use PAM])
++    PAM_LIBS="-lpam -lpam_misc"
++    AC_SUBST(PAM_LIBS)
++  fi
++fi
++AC_MSG_CHECKING([whether to enable PAM support in su])
++AC_MSG_RESULT([$enable_pam])
++
+ optional_bin_progs=
+ AC_CHECK_FUNCS([chroot],
+         gl_ADD_PROG([optional_bin_progs], [chroot]))
+diff --git a/src/Makefile.am b/src/Makefile.am
+index 00c7ff7..bc27274 100644
+--- a/src/Makefile.am
++++ b/src/Makefile.am
+@@ -351,8 +351,8 @@ factor_LDADD += $(LIB_GMP)
+ # for getloadavg
+ uptime_LDADD += $(GETLOADAVG_LIBS)
+ 
+-# for crypt
+-su_LDADD += $(LIB_CRYPT)
++# for crypt and pam
++su_LDADD += $(LIB_CRYPT) $(PAM_LIBS)
+ 
+ # for various ACL functions
+ copy_LDADD += $(LIB_ACL)
+diff --git a/src/su.c b/src/su.c
+index f8f5b61..1d3d007 100644
+--- a/src/su.c
++++ b/src/su.c
+@@ -37,6 +37,16 @@
+    restricts who can su to UID 0 accounts.  RMS considers that to
+    be fascist.
+ 
++#ifdef USE_PAM
++
++   Actually, with PAM, su has nothing to do with whether or not a
++   wheel group is enforced by su.  RMS tries to restrict your access
++   to a su which implements the wheel group, but PAM considers that
++   to be fascist, and gives the user/sysadmin the opportunity to
++   enforce a wheel group by proper editing of /etc/pam.d/su
++
++#endif
++
+    Compile-time options:
+    -DSYSLOG_SUCCESS	Log successful su's (by default, to root) with syslog.
+    -DSYSLOG_FAILURE	Log failed su's (by default, to root) with syslog.
+@@ -52,6 +62,13 @@
+ #include <sys/types.h>
+ #include <pwd.h>
+ #include <grp.h>
++#ifdef USE_PAM
++#include <security/pam_appl.h>
++#include <security/pam_misc.h>
++#include <signal.h>
++#include <sys/wait.h>
++#include <sys/fsuid.h>
++#endif
+ 
+ #include "system.h"
+ #include "getpass.h"
+@@ -111,7 +128,9 @@
+ /* The user to become if none is specified.  */
+ #define DEFAULT_USER "root"
+ 
++#ifndef USE_PAM
+ char *crypt (char const *key, char const *salt);
++#endif
+ 
+ static void run_shell (char const *, char const *, char **, size_t)
+      ATTRIBUTE_NORETURN;
+@@ -125,6 +144,11 @@ static bool simulate_login;
+ /* If true, change some environment vars to indicate the user su'd to.  */
+ static bool change_environment;
+ 
++#ifdef USE_PAM
++static bool _pam_session_opened;
++static bool _pam_cred_established;
++#endif
++
+ static struct option const longopts[] =
+ {
+   {"command", required_argument, NULL, 'c'},
+@@ -200,7 +224,164 @@ log_su (struct passwd const *pw, bool successful)
+ }
+ #endif
+ 
++#ifdef USE_PAM
++#define PAM_SERVICE_NAME PROGRAM_NAME
++#define PAM_SERVICE_NAME_L PROGRAM_NAME "-l"
++static sig_atomic_t volatile caught_signal = false;
++static pam_handle_t *pamh = NULL;
++static int retval;
++static struct pam_conv conv =
++{
++  misc_conv,
++  NULL
++};
++
++#define PAM_BAIL_P(a) \
++  if (retval) \
++    { \
++      pam_end (pamh, retval); \
++      a; \
++    }
++
++static void
++cleanup_pam (int retcode)
++{
++  if (_pam_session_opened)
++    pam_close_session (pamh, 0);
++
++  if (_pam_cred_established)
++    pam_setcred (pamh, PAM_DELETE_CRED | PAM_SILENT);
++
++  pam_end(pamh, retcode);
++}
++
++/* Signal handler for parent process.  */
++static void
++su_catch_sig (int sig)
++{
++  caught_signal = true;
++}
++
++/* Export env variables declared by PAM modules.  */
++static void
++export_pamenv (void)
++{
++  char **env;
++
++  /* This is a copy but don't care to free as we exec later anyways.  */
++  env = pam_getenvlist (pamh);
++  while (env && *env)
++    {
++      if (putenv (*env) != 0)
++	xalloc_die ();
++      env++;
++    }
++}
++
++static void
++create_watching_parent (void)
++{
++  pid_t child;
++  sigset_t ourset;
++  int status = 0;
++
++  retval = pam_open_session (pamh, 0);
++  if (retval != PAM_SUCCESS)
++    {
++      cleanup_pam (retval);
++      error (EXIT_FAILURE, 0, _("cannot not open session: %s"),
++	     pam_strerror (pamh, retval));
++    }
++  else
++    _pam_session_opened = 1;
++
++  child = fork ();
++  if (child == (pid_t) -1)
++    {
++      cleanup_pam (PAM_ABORT);
++      error (EXIT_FAILURE, errno, _("cannot create child process"));
++    }
++
++  /* the child proceeds to run the shell */
++  if (child == 0)
++    return;
++
++  /* In the parent watch the child.  */
++
++  /* su without pam support does not have a helper that keeps
++     sitting on any directory so let's go to /.  */
++  if (chdir ("/") != 0)
++    error (0, errno, _("warning: cannot change directory to %s"), "/");
++
++  sigfillset (&ourset);
++  if (sigprocmask (SIG_BLOCK, &ourset, NULL))
++    {
++      error (0, errno, _("cannot block signals"));
++      caught_signal = true;
++    }
++  if (!caught_signal)
++    {
++      struct sigaction action;
++      action.sa_handler = su_catch_sig;
++      sigemptyset (&action.sa_mask);
++      action.sa_flags = 0;
++      sigemptyset (&ourset);
++      if (sigaddset (&ourset, SIGTERM)
++	  || sigaddset (&ourset, SIGALRM)
++	  || sigaction (SIGTERM, &action, NULL)
++	  || sigprocmask (SIG_UNBLOCK, &ourset, NULL))
++	{
++	  error (0, errno, _("cannot set signal handler"));
++	  caught_signal = true;
++	}
++    }
++  if (!caught_signal)
++    {
++      pid_t pid;
++      for (;;)
++	{
++	  pid = waitpid (child, &status, WUNTRACED);
++
++	  if (pid != (pid_t)-1 && WIFSTOPPED (status))
++	    {
++	      kill (getpid (), SIGSTOP);
++	      /* once we get here, we must have resumed */
++	      kill (pid, SIGCONT);
++	    }
++	  else
++	    break;
++	}
++      if (pid != (pid_t)-1)
++	if (WIFSIGNALED (status))
++	  status = WTERMSIG (status) + 128;
++	else
++	  status = WEXITSTATUS (status);
++      else
++	status = 1;
++    }
++  else
++    status = 1;
++
++  if (caught_signal)
++    {
++      fprintf (stderr, _("\nSession terminated, killing shell..."));
++      kill (child, SIGTERM);
++    }
++
++  cleanup_pam (PAM_SUCCESS);
++
++  if (caught_signal)
++    {
++      sleep (2);
++      kill (child, SIGKILL);
++      fprintf (stderr, _(" ...killed.\n"));
++    }
++  exit (status);
++}
++#endif
++
+ /* Ask the user for a password.
++   If PAM is in use, let PAM ask for the password if necessary.
+    Return true if the user gives the correct password for entry PW,
+    false if not.  Return true without asking for a password if run by UID 0
+    or if PW has an empty password.  */
+@@ -208,10 +389,52 @@ log_su (struct passwd const *pw, bool successful)
+ static bool
+ correct_password (const struct passwd *pw)
+ {
++#ifdef USE_PAM
++  const struct passwd *lpw;
++  const char *cp;
++
++  retval = pam_start (simulate_login ? PAM_SERVICE_NAME_L : PAM_SERVICE_NAME,
++		      pw->pw_name, &conv, &pamh);
++  PAM_BAIL_P (return false);
++
++  if (isatty (0) && (cp = ttyname (0)) != NULL)
++    {
++      const char *tty;
++
++      if (strncmp (cp, "/dev/", 5) == 0)
++	tty = cp + 5;
++      else
++	tty = cp;
++      retval = pam_set_item (pamh, PAM_TTY, tty);
++      PAM_BAIL_P (return false);
++    }
++#if 0 /* Manpage discourages use of getlogin.  */
++  cp = getlogin ();
++  if (!(cp && *cp && (lpw = getpwnam (cp)) != NULL && lpw->pw_uid == getuid ()))
++#endif
++  lpw = getpwuid (getuid ());
++  if (lpw && lpw->pw_name)
++    {
++      retval = pam_set_item (pamh, PAM_RUSER, (const void *) lpw->pw_name);
++      PAM_BAIL_P (return false);
++    }
++  retval = pam_authenticate (pamh, 0);
++  PAM_BAIL_P (return false);
++  retval = pam_acct_mgmt (pamh, 0);
++  if (retval == PAM_NEW_AUTHTOK_REQD)
++    {
++      /* Password has expired.  Offer option to change it.  */
++      retval = pam_chauthtok (pamh, PAM_CHANGE_EXPIRED_AUTHTOK);
++      PAM_BAIL_P (return false);
++    }
++  PAM_BAIL_P (return false);
++  /* Must be authenticated if this point was reached.  */
++  return true;
++#else /* !USE_PAM */
+   char *unencrypted, *encrypted, *correct;
+ #if HAVE_GETSPNAM && HAVE_STRUCT_SPWD_SP_PWDP
+   /* Shadow passwd stuff for SVR3 and maybe other systems.  */
+-  struct spwd *sp = getspnam (pw->pw_name);
++  const struct spwd *sp = getspnam (pw->pw_name);
+ 
+   endspent ();
+   if (sp)
+@@ -232,6 +455,7 @@ correct_password (const struct passwd *pw)
+   encrypted = crypt (unencrypted, correct);
+   memset (unencrypted, 0, strlen (unencrypted));
+   return STREQ (encrypted, correct);
++#endif /* !USE_PAM */
+ }
+ 
+ /* Update `environ' for the new shell based on PW, with SHELL being
+@@ -274,19 +498,41 @@ modify_environment (const struct passwd *pw, const char *shell)
+             }
+         }
+     }
++
++#ifdef USE_PAM
++  export_pamenv ();
++#endif
+ }
+ 
+ /* Become the user and group(s) specified by PW.  */
+ 
+ static void
+-change_identity (const struct passwd *pw)
++init_groups (const struct passwd *pw)
+ {
+ #ifdef HAVE_INITGROUPS
+   errno = 0;
+   if (initgroups (pw->pw_name, pw->pw_gid) == -1)
+-    error (EXIT_CANCELED, errno, _("cannot set groups"));
++    {
++#ifdef USE_PAM
++      cleanup_pam (PAM_ABORT);
++#endif
++      error (EXIT_FAILURE, errno, _("cannot set groups"));
++    }
+   endgrent ();
+ #endif
++
++#ifdef USE_PAM
++  retval = pam_setcred (pamh, PAM_ESTABLISH_CRED);
++  if (retval != PAM_SUCCESS)
++    error (EXIT_FAILURE, 0, "%s", pam_strerror (pamh, retval));
++  else
++    _pam_cred_established = 1;
++#endif
++}
++
++static void
++change_identity (const struct passwd *pw)
++{
+   if (setgid (pw->pw_gid))
+     error (EXIT_CANCELED, errno, _("cannot set group id"));
+   if (setuid (pw->pw_uid))
+@@ -500,9 +746,21 @@ main (int argc, char **argv)
+       shell = NULL;
+     }
+   shell = xstrdup (shell ? shell : pw->pw_shell);
+-  modify_environment (pw, shell);
++
++  init_groups (pw);
++
++#ifdef USE_PAM
++  create_watching_parent ();
++  /* Now we're in the child.  */
++#endif
+ 
+   change_identity (pw);
++
++  /* Set environment after pam_open_session, which may put KRB5CCNAME
++     into the pam_env, etc.  */
++
++  modify_environment (pw, shell);
++
+   if (simulate_login && chdir (pw->pw_dir) != 0)
+     error (0, errno, _("warning: cannot change directory to %s"), pw->pw_dir);
+ 
+-- 
+1.7.1
+

coreutils-8.6-set-sane-default-path.diff

@@ -0,0 +1,37 @@
+From 3c13edc2b9aeab8f24e60a62ab5e8a8db554486f Mon Sep 17 00:00:00 2001
+From: Ludwig Nussel <ludwig.nussel@suse.de>
+Date: Mon, 9 Aug 2010 16:02:30 +0200
+Subject: [PATCH 4/7] set sane default path
+
+---
+ src/su.c |   12 ++----------
+ 1 files changed, 2 insertions(+), 10 deletions(-)
+
+diff --git a/src/su.c b/src/su.c
+index 2a9e423..0071622 100644
+--- a/src/su.c
++++ b/src/su.c
+@@ -112,18 +112,10 @@
+ #endif
+ 
+ /* The default PATH for simulated logins to non-superuser accounts.  */
+-#ifdef _PATH_DEFPATH
+-# define DEFAULT_LOGIN_PATH _PATH_DEFPATH
+-#else
+-# define DEFAULT_LOGIN_PATH ":/usr/ucb:/bin:/usr/bin"
+-#endif
++#define DEFAULT_LOGIN_PATH "/usr/local/bin:/bin:/usr/bin"
+ 
+ /* The default PATH for simulated logins to superuser accounts.  */
+-#ifdef _PATH_DEFPATH_ROOT
+-# define DEFAULT_ROOT_LOGIN_PATH _PATH_DEFPATH_ROOT
+-#else
+-# define DEFAULT_ROOT_LOGIN_PATH "/usr/ucb:/bin:/usr/bin:/etc"
+-#endif
++#define DEFAULT_ROOT_LOGIN_PATH "/usr/sbin:/bin:/usr/bin:/sbin"
+ 
+ /* The shell to run if none is given in the user's passwd entry.  */
+ #define DEFAULT_SHELL "/bin/sh"
+-- 
+1.7.1
+

coreutils-8.6-update-man-page-for-pam.diff

@@ -0,0 +1,64 @@
+From 13ed7b537ae655c6d67965f1486aa2e3b181e574 Mon Sep 17 00:00:00 2001
+From: Ludwig Nussel <ludwig.nussel@suse.de>
+Date: Tue, 17 Aug 2010 08:59:35 +0200
+Subject: [PATCH 2/7] update man page for pam
+
+---
+ doc/coreutils.texi |   34 +++++-----------------------------
+ 1 files changed, 5 insertions(+), 29 deletions(-)
+
+diff --git a/doc/coreutils.texi b/doc/coreutils.texi
+index 4d17ed1..27681da 100644
+--- a/doc/coreutils.texi
++++ b/doc/coreutils.texi
+@@ -15172,8 +15172,11 @@ to certain shells, etc.).
+ @findex syslog
+ @command{su} can optionally be compiled to use @code{syslog} to report
+ failed, and optionally successful, @command{su} attempts.  (If the system
+-supports @code{syslog}.)  However, GNU @command{su} does not check if the
+-user is a member of the @code{wheel} group; see below.
++supports @code{syslog}.)
++
++This version of @command{su} has support for using PAM for
++authentication.  You can edit @file{/etc/pam.d/su} resp @file{/etc/pam.d/su-l}
++to customize its behaviour.
+ 
+ The program accepts the following options.  Also see @ref{Common options}.
+ 
+@@ -15254,33 +15257,6 @@ Exit status:
+ the exit status of the subshell otherwise
+ @end display
+ 
+-@cindex wheel group, not supported
+-@cindex group wheel, not supported
+-@cindex fascism
+-@subsection Why GNU @command{su} does not support the @samp{wheel} group
+-
+-(This section is by Richard Stallman.)
+-
+-@cindex Twenex
+-@cindex MIT AI lab
+-Sometimes a few of the users try to hold total power over all the
+-rest.  For example, in 1984, a few users at the MIT AI lab decided to
+-seize power by changing the operator password on the Twenex system and
+-keeping it secret from everyone else.  (I was able to thwart this coup
+-and give power back to the users by patching the kernel, but I
+-wouldn't know how to do that in Unix.)
+-
+-However, occasionally the rulers do tell someone.  Under the usual
+-@command{su} mechanism, once someone learns the root password who
+-sympathizes with the ordinary users, he or she can tell the rest.  The
+-``wheel group'' feature would make this impossible, and thus cement the
+-power of the rulers.
+-
+-I'm on the side of the masses, not that of the rulers.  If you are
+-used to supporting the bosses and sysadmins in whatever they do, you
+-might find this idea strange at first.
+-
+-
+ @node timeout invocation
+ @section @command{timeout}: Run a command with a time limit
+ 
+-- 
+1.7.1
+

coreutils.changes

@@ -1,3 +1,10 @@
+-------------------------------------------------------------------
+Tue Nov 16 10:50:04 UTC 2010 - lnussel@suse.de
+
+- split pam patch into separate independent files so the main
+  feature can be shared with other distros
+- don't hard require coreutils-lang
+
 -------------------------------------------------------------------
 Thu Nov 11 16:33:50 CET 2010 - pth@suse.de
 

coreutils.spec

@@ -44,11 +44,16 @@ Patch5:         coreutils-i18n-uninit.patch
 Patch6:         coreutils-i18n-infloop.patch
 Patch8:         coreutils-sysinfo.patch
 Patch16:        coreutils-invalid-ids.patch
-Patch20:        coreutils-6.8-su.patch
-Patch21:        coreutils-6.8.0-pie.patch
-Patch22:        coreutils-5.3.0-sbin4su.patch
-Patch23:        coreutils-getaddrinfo.patch
-Patch24:        coreutils-ptr_int_casts.patch
+Patch20:        coreutils-8.6-pam-support-for-su.diff
+Patch21:        coreutils-8.6-update-man-page-for-pam.diff
+Patch22:        coreutils-8.6-log-all-su-attempts.diff
+Patch23:        coreutils-8.6-set-sane-default-path.diff
+Patch24:        coreutils-8.6-honor-settings-in-etc-default-su-resp-etc-login.defs.diff
+Patch25:        coreutils-8.6-make-sure-sbin-resp-usr-sbin-are-in-PATH.diff
+#
+Patch30:        coreutils-8.6-compile-su-with-fpie.diff
+Patch31:        coreutils-getaddrinfo.patch
+Patch32:        coreutils-ptr_int_casts.patch
 BuildRoot:      %{_tmppath}/%{name}-%{version}-build
 PreReq:         permissions
 
@@ -114,11 +119,16 @@ Authors:
 %patch2
 %patch8
 %patch16
-%patch20
-%patch21
-%patch22
-%patch23
-%patch24
+%patch20 -p1
+%patch21 -p1
+%patch22 -p1
+%patch23 -p1
+%patch24 -p1
+%patch25 -p1
+#
+%patch30 -p1
+%patch31
+%patch32
 
 %build
 AUTOPOINT=true autoreconf -fi
@@ -128,7 +138,7 @@ export CFLAGS="%optflags -Wall"
 	    gl_cv_func_printf_directive_n=yes \
 	    gl_cv_func_isnanl_works=yes \
   	    DEFAULT_POSIX2_VERSION=199209
-make %{?_smp_mflags} PAMLIBS="-lpam -ldl" V=1
+make %{?_smp_mflags} V=1
 
 #%check
 #if test $EUID -eq 0; then