From e908c3f93e17907e58d671413900f029be298423bc6e33abf983c741f3ea0006 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Cristian=20Rodr=C3=ADguez?=
Date: Tue, 16 Nov 2010 13:35:27 +0000
Subject: [PATCH] Accepting request 53149 from home:lnussel:Factory

OBS-URL: https://build.opensuse.org/request/show/53149
OBS-URL: https://build.opensuse.org/package/show/Base:System/coreutils?expand=0&rev=21
---
coreutils-6.8-su.patch | 1034 -----------------
coreutils-6.8.0-pie.patch | 192 ---
coreutils-8.6-compile-su-with-fpie.diff | 42 +
...in-etc-default-su-resp-etc-login.defs.diff | 374 ++++++
coreutils-8.6-log-all-su-attempts.diff | 26 +
...e-sure-sbin-resp-usr-sbin-are-in-PATH.diff | 24 +-
coreutils-8.6-pam-support-for-su.diff | 405 +++++++
coreutils-8.6-set-sane-default-path.diff | 37 +
coreutils-8.6-update-man-page-for-pam.diff | 64 +
coreutils.changes | 7 +
coreutils.spec | 32 +-
11 files changed, 994 insertions(+), 1243 deletions(-)
delete mode 100644 coreutils-6.8-su.patch
delete mode 100644 coreutils-6.8.0-pie.patch
create mode 100644 coreutils-8.6-compile-su-with-fpie.diff
create mode 100644 coreutils-8.6-honor-settings-in-etc-default-su-resp-etc-login.defs.diff
create mode 100644 coreutils-8.6-log-all-su-attempts.diff
rename coreutils-5.3.0-sbin4su.patch => coreutils-8.6-make-sure-sbin-resp-usr-sbin-are-in-PATH.diff (82%)
create mode 100644 coreutils-8.6-pam-support-for-su.diff
create mode 100644 coreutils-8.6-set-sane-default-path.diff
create mode 100644 coreutils-8.6-update-man-page-for-pam.diff
diff --git a/coreutils-6.8-su.patch b/coreutils-6.8-su.patch
deleted file mode 100644
index d698b38..0000000
--- a/coreutils-6.8-su.patch
+++ /dev/null
@@ -1,1034 +0,0 @@ -Add pam support in su - -Index: Makefile.in -=================================================================== ---- Makefile.in.orig 2010-10-15 16:31:46.000000000 +0200 -+++ Makefile.in 2010-11-11 16:02:50.366117868 +0100 -@@ -991,6 +991,7 @@ PACKAGE_STRING = @PACKAGE_STRING@ - PACKAGE_TARNAME = @PACKAGE_TARNAME@ - PACKAGE_URL = @PACKAGE_URL@ - PACKAGE_VERSION = @PACKAGE_VERSION@ -+PAM_LIBS = @PAM_LIBS@ - PATH_SEPARATOR = @PATH_SEPARATOR@ - PERL = @PERL@ - POSIX_SHELL = @POSIX_SHELL@ -Index: configure -=================================================================== ---- configure.orig 2010-11-11 16:02:50.342113626 +0100 -+++ configure 2010-11-11 16:04:17.257475264 +0100 -@@ -639,6 +639,7 @@ OPTIONAL_BIN_PROGS - INSTALL_SU - LIB_GMP - LIB_CRYPT -+PAM_LIBS - GNULIB_TEST_WARN_CFLAGS - GNULIB_WARN_CFLAGS - WERROR_CFLAGS -@@ -1551,6 +1552,7 @@ enable_xattr - enable_libcap - with_tty_group - enable_gcc_warnings -+enable_pam - with_gmp - enable_install_program - enable_no_install_program -@@ -2203,6 +2205,7 @@ Optional Features: - --disable-xattr do not support extended attributes - --disable-libcap disable libcap support - --enable-gcc-warnings turn on lots of GCC warnings (for developers) -+ --disable-pam Disable PAM support in su (default=auto) - --enable-install-program=PROG_LIST - install the programs in PROG_LIST (comma-separated, - default: none) -@@ -53157,6 +53160,111 @@ $as_echo "#define HAVE_WORKING_FORK 1" > - fi - - -+# Check whether --enable-pam was given. -+if test "${enable_pam+set}" = set; then -+ enableval=$enable_pam; -+else -+ enable_pam=yes -+fi -+ -+if test "x$enable_pam" != xno; then -+ { $as_echo "$as_me:${as_lineno-$LINENO}: checking for pam_start in -lpam" >&5 -+$as_echo_n "checking for pam_start in -lpam... 
" >&6; } -+if test "${ac_cv_lib_pam_pam_start+set}" = set; then -+ $as_echo_n "(cached) " >&6 -+else -+ ac_check_lib_save_LIBS=$LIBS -+LIBS="-lpam $LIBS" -+cat confdefs.h - <<_ACEOF >conftest.$ac_ext -+/* end confdefs.h. */ -+ -+/* Override any GCC internal prototype to avoid an error. -+ Use char because int might match the return type of a GCC -+ builtin and then its argument prototype would still apply. */ -+#ifdef __cplusplus -+extern "C" -+#endif -+char pam_start (); -+int -+main () -+{ -+return pam_start (); -+ ; -+ return 0; -+} -+_ACEOF -+if ac_fn_c_try_link "$LINENO"; then -+ ac_cv_lib_pam_pam_start=yes -+else -+ ac_cv_lib_pam_pam_start=no -+fi -+rm -f core conftest.err conftest.$ac_objext \ -+ conftest$ac_exeext conftest.$ac_ext -+LIBS=$ac_check_lib_save_LIBS -+fi -+{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_lib_pam_pam_start" >&5 -+$as_echo "$ac_cv_lib_pam_pam_start" >&6; } -+if test "x$ac_cv_lib_pam_pam_start" = x""yes; then -+ enable_pam=yes -+else -+ enable_pam=no -+fi -+ -+ { $as_echo "$as_me:${as_lineno-$LINENO}: checking for misc_conv in -lpam_misc" >&5 -+$as_echo_n "checking for misc_conv in -lpam_misc... " >&6; } -+if test "${ac_cv_lib_pam_misc_misc_conv+set}" = set; then -+ $as_echo_n "(cached) " >&6 -+else -+ ac_check_lib_save_LIBS=$LIBS -+LIBS="-lpam_misc $LIBS" -+cat confdefs.h - <<_ACEOF >conftest.$ac_ext -+/* end confdefs.h. */ -+ -+/* Override any GCC internal prototype to avoid an error. -+ Use char because int might match the return type of a GCC -+ builtin and then its argument prototype would still apply. 
*/ -+#ifdef __cplusplus -+extern "C" -+#endif -+char misc_conv (); -+int -+main () -+{ -+return misc_conv (); -+ ; -+ return 0; -+} -+_ACEOF -+if ac_fn_c_try_link "$LINENO"; then -+ ac_cv_lib_pam_misc_misc_conv=yes -+else -+ ac_cv_lib_pam_misc_misc_conv=no -+fi -+rm -f core conftest.err conftest.$ac_objext \ -+ conftest$ac_exeext conftest.$ac_ext -+LIBS=$ac_check_lib_save_LIBS -+fi -+{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_lib_pam_misc_misc_conv" >&5 -+$as_echo "$ac_cv_lib_pam_misc_misc_conv" >&6; } -+if test "x$ac_cv_lib_pam_misc_misc_conv" = x""yes; then -+ : -+else -+ enable_pam=no -+fi -+ -+ if test "x$enable_pam" != xno; then -+ -+$as_echo "#define USE_PAM 1" >>confdefs.h -+ -+ PAM_LIBS="-lpam -lpam_misc" -+ -+ fi -+fi -+{ $as_echo "$as_me:${as_lineno-$LINENO}: checking whether to enable PAM support in su" >&5 -+$as_echo_n "checking whether to enable PAM support in su... " >&6; } -+{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $enable_pam" >&5 -+$as_echo "$enable_pam" >&6; } -+ - optional_bin_progs= - for ac_func in chroot - do : -Index: configure.ac -=================================================================== ---- configure.ac.orig 2010-10-13 10:58:27.000000000 +0200 -+++ configure.ac 2010-11-11 16:02:50.442131303 +0100 -@@ -135,6 +135,20 @@ fi - - AC_FUNC_FORK - -+AC_ARG_ENABLE(pam, AS_HELP_STRING([--disable-pam], -+ [Enable PAM support in su (default=auto)]), , [enable_pam=yes]) -+if test "x$enable_pam" != xno; then -+ AC_CHECK_LIB([pam], [pam_start], [enable_pam=yes], [enable_pam=no]) -+ AC_CHECK_LIB([pam_misc], [misc_conv], [:], [enable_pam=no]) -+ if test "x$enable_pam" != xno; then -+ AC_DEFINE(USE_PAM, 1, [Define if you want to use PAM]) -+ PAM_LIBS="-lpam -lpam_misc" -+ AC_SUBST(PAM_LIBS) -+ fi -+fi -+AC_MSG_CHECKING([whether to enable PAM support in su]) -+AC_MSG_RESULT([$enable_pam]) -+ - optional_bin_progs= - AC_CHECK_FUNCS([chroot], - gl_ADD_PROG([optional_bin_progs], [chroot])) -Index: doc/Makefile.in 
-=================================================================== ---- doc/Makefile.in.orig 2010-10-15 16:31:44.000000000 +0200 -+++ doc/Makefile.in 2010-11-11 16:02:50.442131303 +0100 -@@ -987,6 +987,7 @@ PACKAGE_STRING = @PACKAGE_STRING@ - PACKAGE_TARNAME = @PACKAGE_TARNAME@ - PACKAGE_URL = @PACKAGE_URL@ - PACKAGE_VERSION = @PACKAGE_VERSION@ -+PAM_LIBS = @PAM_LIBS@ - PATH_SEPARATOR = @PATH_SEPARATOR@ - PERL = @PERL@ - POSIX_SHELL = @POSIX_SHELL@ -Index: gnulib-tests/Makefile.in -=================================================================== ---- gnulib-tests/Makefile.in.orig 2010-10-15 16:32:45.000000000 +0200 -+++ gnulib-tests/Makefile.in 2010-11-11 16:02:50.490139787 +0100 -@@ -2378,6 +2378,7 @@ PACKAGE_STRING = @PACKAGE_STRING@ - PACKAGE_TARNAME = @PACKAGE_TARNAME@ - PACKAGE_URL = @PACKAGE_URL@ - PACKAGE_VERSION = @PACKAGE_VERSION@ -+PAM_LIBS = @PAM_LIBS@ - PATH_SEPARATOR = @PATH_SEPARATOR@ - PERL = @PERL@ - POSIX_SHELL = @POSIX_SHELL@ -Index: lib/Makefile.in -=================================================================== ---- lib/Makefile.in.orig 2010-10-15 16:31:45.000000000 +0200 -+++ lib/Makefile.in 2010-11-11 16:02:50.550150395 +0100 -@@ -1073,6 +1073,7 @@ PACKAGE_STRING = @PACKAGE_STRING@ - PACKAGE_TARNAME = @PACKAGE_TARNAME@ - PACKAGE_URL = @PACKAGE_URL@ - PACKAGE_VERSION = @PACKAGE_VERSION@ -+PAM_LIBS = @PAM_LIBS@ - PATH_SEPARATOR = @PATH_SEPARATOR@ - PERL = @PERL@ - POSIX_SHELL = @POSIX_SHELL@ -Index: man/Makefile.in -=================================================================== ---- man/Makefile.in.orig 2010-11-11 16:02:50.294105140 +0100 -+++ man/Makefile.in 2010-11-11 16:02:50.554151102 +0100 -@@ -956,6 +956,7 @@ PACKAGE_STRING = @PACKAGE_STRING@ - PACKAGE_TARNAME = @PACKAGE_TARNAME@ - PACKAGE_URL = @PACKAGE_URL@ - PACKAGE_VERSION = @PACKAGE_VERSION@ -+PAM_LIBS = @PAM_LIBS@ - PATH_SEPARATOR = @PATH_SEPARATOR@ - PERL = @PERL@ - POSIX_SHELL = @POSIX_SHELL@ -Index: src/Makefile.am 
-=================================================================== ---- src/Makefile.am.orig 2010-10-12 13:13:16.000000000 +0200 -+++ src/Makefile.am 2010-11-11 16:02:50.594158172 +0100 -@@ -352,7 +352,8 @@ factor_LDADD += $(LIB_GMP) - uptime_LDADD += $(GETLOADAVG_LIBS) - - # for crypt --su_LDADD += $(LIB_CRYPT) -+su_SOURCES = su.c getdef.c -+su_LDADD = $(LDADD) $(LIB_CRYPT) $(PAM_LIBS) - - # for various ACL functions - copy_LDADD += $(LIB_ACL) -Index: src/Makefile.in -=================================================================== ---- src/Makefile.in.orig 2010-10-15 17:06:15.000000000 +0200 -+++ src/Makefile.in 2010-11-11 16:09:48.436006623 +0100 -@@ -553,9 +553,10 @@ stdbuf_DEPENDENCIES = $(am__DEPENDENCIES - stty_SOURCES = stty.c - stty_OBJECTS = stty.$(OBJEXT) - stty_DEPENDENCIES = $(am__DEPENDENCIES_2) --su_SOURCES = su.c --su_OBJECTS = su.$(OBJEXT) --su_DEPENDENCIES = $(am__DEPENDENCIES_2) $(am__DEPENDENCIES_1) -+am_su_OBJECTS = su.$(OBJEXT) getdef.$(OBJEXT) -+su_OBJECTS = $(am_su_OBJECTS) -+su_DEPENDENCIES = $(am__DEPENDENCIES_2) $(am__DEPENDENCIES_1) \ -+ $(am__DEPENDENCIES_1) - sum_SOURCES = sum.c - sum_OBJECTS = sum.$(OBJEXT) - sum_DEPENDENCIES = $(am__DEPENDENCIES_2) -@@ -663,9 +664,9 @@ SOURCES = $(nodist_libver_a_SOURCES) $(_ - $(rmdir_SOURCES) runcon.c seq.c setuidgid.c $(sha1sum_SOURCES) \ - $(sha224sum_SOURCES) $(sha256sum_SOURCES) $(sha384sum_SOURCES) \ - $(sha512sum_SOURCES) shred.c shuf.c sleep.c sort.c split.c \ -- $(stat_SOURCES) stdbuf.c stty.c su.c sum.c sync.c tac.c tail.c \ -- tee.c test.c $(timeout_SOURCES) touch.c tr.c true.c truncate.c \ -- tsort.c tty.c $(uname_SOURCES) unexpand.c uniq.c unlink.c \ -+ $(stat_SOURCES) stdbuf.c stty.c $(su_SOURCES) sum.c sync.c tac.c \ -+ tail.c tee.c test.c $(timeout_SOURCES) touch.c tr.c true.c \ -+ truncate.c tsort.c tty.c $(uname_SOURCES) unexpand.c uniq.c unlink.c \ - uptime.c users.c $(vdir_SOURCES) wc.c who.c whoami.c yes.c - DIST_SOURCES = $(__SOURCES) $(arch_SOURCES) base64.c basename.c 
cat.c \ - chcon.c $(chgrp_SOURCES) chmod.c $(chown_SOURCES) chroot.c \ -@@ -682,7 +683,7 @@ DIST_SOURCES = $(__SOURCES) $(arch_SOURC - setuidgid.c $(sha1sum_SOURCES) $(sha224sum_SOURCES) \ - $(sha256sum_SOURCES) $(sha384sum_SOURCES) $(sha512sum_SOURCES) \ - shred.c shuf.c sleep.c sort.c split.c $(stat_SOURCES) stdbuf.c \ -- stty.c su.c sum.c sync.c tac.c tail.c tee.c test.c \ -+ stty.c $(su_SOURCES) sum.c sync.c tac.c tail.c tee.c test.c \ - $(timeout_SOURCES) touch.c tr.c true.c truncate.c tsort.c \ - tty.c $(uname_SOURCES) unexpand.c uniq.c unlink.c uptime.c \ - users.c $(vdir_SOURCES) wc.c who.c whoami.c yes.c -@@ -1363,6 +1364,7 @@ PACKAGE_STRING = @PACKAGE_STRING@ - PACKAGE_TARNAME = @PACKAGE_TARNAME@ - PACKAGE_URL = @PACKAGE_URL@ - PACKAGE_VERSION = @PACKAGE_VERSION@ -+PAM_LIBS = @PAM_LIBS@ - PATH_SEPARATOR = @PATH_SEPARATOR@ - PERL = @PERL@ - POSIX_SHELL = @POSIX_SHELL@ -@@ -1779,7 +1781,8 @@ stdbuf_LDADD = $(LDADD) $(LIBICONV) - stty_LDADD = $(LDADD) - - # for crypt --su_LDADD = $(LDADD) $(LIB_CRYPT) -+su_SOURCES = su.c getdef.c -+su_LDADD = $(LDADD) $(LIB_CRYPT) $(PAM_LIBS) - sum_LDADD = $(LDADD) - sync_LDADD = $(LDADD) - tac_LDADD = $(LDADD) -@@ -2425,6 +2428,7 @@ distclean-compile: - @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/find-mount-point.Po@am__quote@ - @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/fmt.Po@am__quote@ - @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/fold.Po@am__quote@ -+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/getdef.Po@am__quote@ - @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/getlimits.Po@am__quote@ - @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/ginstall-copy.Po@am__quote@ - @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/ginstall-cp-hash.Po@am__quote@ -Index: src/getdef.c -=================================================================== ---- /dev/null 1970-01-01 00:00:00.000000000 +0000 -+++ src/getdef.c 2010-11-11 16:02:50.662170193 +0100 -@@ -0,0 +1,259 @@ -+/* Copyright (C) 2003, 2004, 2005 Thorsten 
Kukuk -+ Author: Thorsten Kukuk -+ -+ This program is free software; you can redistribute it and/or modify -+ it under the terms of the GNU General Public License version 2 as -+ published by the Free Software Foundation. -+ -+ This program is distributed in the hope that it will be useful, -+ but WITHOUT ANY WARRANTY; without even the implied warranty of -+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the -+ GNU General Public License for more details. -+ -+ You should have received a copy of the GNU General Public License -+ along with this program; if not, write to the Free Software Foundation, -+ Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA. */ -+ -+#ifdef HAVE_CONFIG_H -+#include -+#endif -+ -+#define _GNU_SOURCE -+ -+#include -+#include -+#include -+#include -+#include -+#include -+ -+#include "getdef.h" -+ -+struct item { -+ char *name; /* Name of the option. */ -+ char *value; /* Value of the option. */ -+ struct item *next; /* Pointer to next option. */ -+}; -+ -+static struct item *list = NULL; -+ -+void -+free_getdef_data (void) -+{ -+ struct item *ptr; -+ -+ ptr = list; -+ while (ptr != NULL) -+ { -+ struct item *tmp; -+ tmp = ptr->next; -+ free (ptr->name); -+ free (ptr->value); -+ free (ptr); -+ ptr = tmp; -+ } -+ -+ list = NULL; -+} -+ -+/* Add a new entry to the list. */ -+static void -+store (const char *name, const char *value) -+{ -+ struct item *new = malloc (sizeof (struct item)); -+ -+ if (new == NULL) -+ abort (); -+ -+ if (name == NULL) -+ abort (); -+ -+ new->name = strdup (name); -+ new->value = strdup (value ?: ""); -+ new->next = list; -+ list = new; -+} -+ -+/* Search a special entry in the list and return the value. */ -+static const char * -+search (const char *name) -+{ -+ struct item *ptr; -+ -+ ptr = list; -+ while (ptr != NULL) -+ { -+ if (strcasecmp (name, ptr->name) == 0) -+ return ptr->value; -+ ptr = ptr->next; -+ } -+ -+ return NULL; -+} -+ -+/* Load the login.defs file (/etc/login.defs). 
*/ -+static void -+load_defaults_internal (const char *filename) -+{ -+ FILE *fp; -+ char *buf = NULL; -+ size_t buflen = 0; -+ -+ fp = fopen (filename, "r"); -+ if (NULL == fp) -+ return; -+ -+ while (!feof (fp)) -+ { -+ char *tmp, *cp; -+#if defined(HAVE_GETLINE) -+ ssize_t n = getline (&buf, &buflen, fp); -+#elif defined (HAVE_GETDELIM) -+ ssize_t n = getdelim (&buf, &buflen, '\n', fp); -+#else -+ ssize_t n; -+ -+ if (buf == NULL) -+ { -+ buflen = 8096; -+ buf = malloc (buflen); -+ } -+ buf[0] = '\0'; -+ fgets (buf, buflen - 1, fp); -+ if (buf != NULL) -+ n = strlen (buf); -+ else -+ n = 0; -+#endif /* HAVE_GETLINE / HAVE_GETDELIM */ -+ cp = buf; -+ -+ if (n < 1) -+ break; -+ -+ tmp = strchr (cp, '#'); /* remove comments */ -+ if (tmp) -+ *tmp = '\0'; -+ while (isspace ((unsigned char) *cp)) /* remove spaces and tabs */ -+ ++cp; -+ if (*cp == '\0') /* ignore empty lines */ -+ continue; -+ -+ if (cp[strlen (cp) - 1] == '\n') -+ cp[strlen (cp) - 1] = '\0'; -+ -+ tmp = strsep (&cp, " \t="); -+ if (cp != NULL) -+ while (isspace ((unsigned char) *cp) || *cp == '=') -+ ++cp; -+ -+ store (tmp, cp); -+ } -+ fclose (fp); -+ -+ if (buf) -+ free (buf); -+} -+ -+static void -+load_defaults (void) -+{ -+ load_defaults_internal ("/etc/default/su"); -+ load_defaults_internal ("/etc/login.defs"); -+} -+ -+int -+getdef_bool (const char *name, int dflt) -+{ -+ const char *val; -+ -+ if (list == NULL) -+ load_defaults (); -+ -+ val = search (name); -+ -+ if (val == NULL) -+ return dflt; -+ -+ return (strcasecmp (val, "yes") == 0); -+} -+ -+long -+getdef_num (const char *name, long dflt) -+{ -+ const char *val; -+ char *cp; -+ long retval; -+ -+ if (list == NULL) -+ load_defaults (); -+ -+ val = search (name); -+ -+ if (val == NULL) -+ return dflt; -+ -+ errno = 0; -+ retval = strtol (val, &cp, 0); -+ if (*cp != '\0' -+ || ((retval == LONG_MAX || retval == LONG_MIN) && errno == ERANGE)) -+ { -+ fprintf (stderr, -+ "%s contains invalid numerical value: %s!\n", -+ name, val); -+ 
retval = dflt; -+ } -+ return retval; -+} -+ -+unsigned long -+getdef_unum (const char *name, unsigned long dflt) -+{ -+ const char *val; -+ char *cp; -+ unsigned long retval; -+ -+ if (list == NULL) -+ load_defaults (); -+ -+ val = search (name); -+ -+ if (val == NULL) -+ return dflt; -+ -+ errno = 0; -+ retval = strtoul (val, &cp, 0); -+ if (*cp != '\0' || (retval == ULONG_MAX && errno == ERANGE)) -+ { -+ fprintf (stderr, -+ "%s contains invalid numerical value: %s!\n", -+ name, val); -+ retval = dflt; -+ } -+ return retval; -+} -+ -+const char * -+getdef_str (const char *name, const char *dflt) -+{ -+ const char *retval; -+ -+ if (list == NULL) -+ load_defaults (); -+ -+ retval = search (name); -+ -+ return retval ?: dflt; -+} -+ -+#if defined(TEST) -+ -+int -+main () -+{ -+ printf ("CYPT=%s\n", getdef_str ("cRypt", "no")); -+ printf ("LOG_UNKFAIL_ENAB=%s\n", getdef_str ("log_unkfail_enab","")); -+ printf ("DOESNOTEXIST=%s\n", getdef_str ("DOESNOTEXIST","yes")); -+ return 0; -+} -+ -+#endif -Index: src/getdef.h -=================================================================== ---- /dev/null 1970-01-01 00:00:00.000000000 +0000 -+++ src/getdef.h 2010-11-11 16:02:50.678173021 +0100 -@@ -0,0 +1,29 @@ -+/* Copyright (C) 2003, 2005 Thorsten Kukuk -+ Author: Thorsten Kukuk -+ -+ This program is free software; you can redistribute it and/or modify -+ it under the terms of the GNU General Public License version 2 as -+ published by the Free Software Foundation. -+ -+ This program is distributed in the hope that it will be useful, -+ but WITHOUT ANY WARRANTY; without even the implied warranty of -+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the -+ GNU General Public License for more details. -+ -+ You should have received a copy of the GNU General Public License -+ along with this program; if not, write to the Free Software Foundation, -+ Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA. 
*/ -+ -+#ifndef _GETDEF_H_ -+ -+#define _GETDEF_H_ 1 -+ -+extern int getdef_bool (const char *name, int dflt); -+extern long getdef_num (const char *name, long dflt); -+extern unsigned long getdef_unum (const char *name, unsigned long dflt); -+extern const char *getdef_str (const char *name, const char *dflt); -+ -+/* Free all data allocated by getdef_* calls before. */ -+extern void free_getdef_data (void); -+ -+#endif /* _GETDEF_H_ */ -Index: src/su.c -=================================================================== ---- src/su.c.orig 2010-10-11 19:35:11.000000000 +0200 -+++ src/su.c 2010-11-11 16:02:50.694175850 +0100 -@@ -37,6 +37,16 @@ - restricts who can su to UID 0 accounts. RMS considers that to - be fascist. - -+#ifdef USE_PAM -+ -+ Actually, with PAM, su has nothing to do with whether or not a -+ wheel group is enforced by su. RMS tries to restrict your access -+ to a su which implements the wheel group, but PAM considers that -+ to be fascist, and gives the user/sysadmin the opportunity to -+ enforce a wheel group by proper editing of /etc/pam.d/su -+ -+#endif -+ - Compile-time options: - -DSYSLOG_SUCCESS Log successful su's (by default, to root) with syslog. - -DSYSLOG_FAILURE Log failed su's (by default, to root) with syslog. -@@ -52,12 +62,22 @@ - #include - #include - #include -+#ifdef USE_PAM -+#include -+#include -+#include -+#include -+#include -+#endif - - #include "system.h" - #include "getpass.h" - - #if HAVE_SYSLOG_H && HAVE_SYSLOG - # include -+# define SYSLOG_SUCCESS 1 -+# define SYSLOG_FAILURE 1 -+# define SYSLOG_NON_ROOT 1 - #else - # undef SYSLOG_SUCCESS - # undef SYSLOG_FAILURE -@@ -91,19 +111,13 @@ - # include - #endif - -+#include "getdef.h" -+ - /* The default PATH for simulated logins to non-superuser accounts. 
*/ --#ifdef _PATH_DEFPATH --# define DEFAULT_LOGIN_PATH _PATH_DEFPATH --#else --# define DEFAULT_LOGIN_PATH ":/usr/ucb:/bin:/usr/bin" --#endif -+#define DEFAULT_LOGIN_PATH "/usr/local/bin:/bin:/usr/bin:/usr/X11R6/bin" - - /* The default PATH for simulated logins to superuser accounts. */ --#ifdef _PATH_DEFPATH_ROOT --# define DEFAULT_ROOT_LOGIN_PATH _PATH_DEFPATH_ROOT --#else --# define DEFAULT_ROOT_LOGIN_PATH "/usr/ucb:/bin:/usr/bin:/etc" --#endif -+#define DEFAULT_ROOT_LOGIN_PATH "/usr/sbin:/bin:/usr/bin:/sbin:/usr/X11R6/bin" - - /* The shell to run if none is given in the user's passwd entry. */ - #define DEFAULT_SHELL "/bin/sh" -@@ -111,8 +125,9 @@ - /* The user to become if none is specified. */ - #define DEFAULT_USER "root" - -+#ifndef USE_PAM - char *crypt (char const *key, char const *salt); -- -+#endif - static void run_shell (char const *, char const *, char **, size_t) - ATTRIBUTE_NORETURN; - -@@ -125,6 +140,13 @@ static bool simulate_login; - /* If true, change some environment vars to indicate the user su'd to. 
*/ - static bool change_environment; - -+#ifdef USE_PAM -+static bool _pam_session_opened; -+static bool _pam_cred_established; -+static void export_pamenv (void); -+static void create_watching_parent (void); -+#endif -+ - static struct option const longopts[] = - { - {"command", required_argument, NULL, 'c'}, -@@ -200,7 +222,162 @@ log_su (struct passwd const *pw, bool su - } - #endif - -+#ifdef USE_PAM -+#define PAM_SERVICE_NAME PROGRAM_NAME -+#define PAM_SERVICE_NAME_L PROGRAM_NAME "-l" -+static bool caught_signal = false; -+static pam_handle_t *pamh = NULL; -+static int retval; -+static struct pam_conv conv = -+{ -+ misc_conv, -+ NULL -+}; -+ -+#define PAM_BAIL_P(a) \ -+ if (retval) \ -+ { \ -+ pam_end (pamh, retval); \ -+ a; \ -+ } -+ -+static void -+cleanup_pam (int retcode) -+{ -+ if (_pam_session_opened) -+ pam_close_session (pamh, 0); -+ -+ if (_pam_cred_established) -+ pam_setcred (pamh, PAM_DELETE_CRED | PAM_SILENT); -+ -+ pam_end(pamh, retcode); -+} -+ -+/* Signal handler for parent process. */ -+static void -+su_catch_sig (int sig) -+{ -+ caught_signal = true; -+} -+ -+/* Export env variables declared by PAM modules. */ -+static void -+export_pamenv (void) -+{ -+ char **env; -+ -+ /* This is a copy but don't care to free as we exec later anyways. 
*/ -+ env = pam_getenvlist (pamh); -+ while (env && *env) -+ { -+ if (putenv (*env) != 0) -+ xalloc_die (); -+ env++; -+ } -+} -+ -+static void -+create_watching_parent (void) -+{ -+ pid_t child; -+ sigset_t ourset; -+ int status; -+ -+ retval = pam_open_session (pamh, 0); -+ if (retval != PAM_SUCCESS) -+ { -+ cleanup_pam (retval); -+ error (EXIT_FAILURE, 0, _("cannot not open session: %s"), -+ pam_strerror (pamh, retval)); -+ } -+ else -+ _pam_session_opened = 1; -+ -+ child = fork (); -+ if (child == (pid_t) -1) -+ { -+ cleanup_pam (PAM_ABORT); -+ error (EXIT_FAILURE, errno, _("cannot create child process")); -+ } -+ -+ /* the child proceeds to run the shell */ -+ if (child == 0) -+ return; -+ -+ /* In the parent watch the child. */ -+ -+ /* su without pam support does not have a helper that keeps -+ sitting on any directory so let's go to /. */ -+ if (chdir ("/") != 0) -+ error (0, errno, _("warning: cannot change directory to %s"), "/"); -+ -+ sigfillset (&ourset); -+ if (sigprocmask (SIG_BLOCK, &ourset, NULL)) -+ { -+ error (0, errno, _("cannot block signals")); -+ caught_signal = true; -+ } -+ if (!caught_signal) -+ { -+ struct sigaction action; -+ action.sa_handler = su_catch_sig; -+ sigemptyset (&action.sa_mask); -+ action.sa_flags = 0; -+ sigemptyset (&ourset); -+ if (sigaddset (&ourset, SIGTERM) -+ || sigaddset (&ourset, SIGALRM) -+ || sigaction (SIGTERM, &action, NULL) -+ || sigprocmask (SIG_UNBLOCK, &ourset, NULL)) -+ { -+ error (0, errno, _("cannot set signal handler")); -+ caught_signal = true; -+ } -+ } -+ if (!caught_signal) -+ { -+ for (;;) -+ { -+ pid_t pid; -+ -+ pid = waitpid (child, &status, WUNTRACED); -+ -+ if (WIFSTOPPED (status)) -+ { -+ kill (getpid (), SIGSTOP); -+ /* once we get here, we must have resumed */ -+ kill (pid, SIGCONT); -+ } -+ else -+ break; -+ } -+ if (WIFSIGNALED (status)) -+ status = WTERMSIG (status) + 128; -+ else -+ status = WEXITSTATUS (status); -+ } -+ else -+ status = 1; -+ -+ if (caught_signal) -+ { -+ fprintf 
(stderr, _("\nSession terminated, killing shell...")); -+ kill (child, SIGTERM); -+ } -+ -+ cleanup_pam (PAM_SUCCESS); -+ -+ if (caught_signal) -+ { -+ sleep (2); -+ kill (child, SIGKILL); -+ fprintf (stderr, _(" ...killed.\n")); -+ } -+ exit (status); -+} -+#endif -+ - /* Ask the user for a password. -+ If PAM is in use, let PAM ask for the password if necessary. - Return true if the user gives the correct password for entry PW, - false if not. Return true without asking for a password if run by UID 0 - or if PW has an empty password. */ -@@ -208,10 +385,52 @@ log_su (struct passwd const *pw, bool su - static bool - correct_password (const struct passwd *pw) - { -+#ifdef USE_PAM -+ const struct passwd *lpw; -+ const char *cp; -+ -+ retval = pam_start (simulate_login ? PAM_SERVICE_NAME_L : PAM_SERVICE_NAME, -+ pw->pw_name, &conv, &pamh); -+ PAM_BAIL_P (return false); -+ -+ if (isatty (0) && (cp = ttyname (0)) != NULL) -+ { -+ const char *tty; -+ -+ if (strncmp (cp, "/dev/", 5) == 0) -+ tty = cp + 5; -+ else -+ tty = cp; -+ retval = pam_set_item (pamh, PAM_TTY, tty); -+ PAM_BAIL_P (return false); -+ } -+#if 0 /* Manpage discourages use of getlogin. */ -+ cp = getlogin (); -+ if (!(cp && *cp && (lpw = getpwnam (cp)) != NULL && lpw->pw_uid == getuid ())) -+#endif -+ lpw = getpwuid (getuid ()); -+ if (lpw && lpw->pw_name) -+ { -+ retval = pam_set_item (pamh, PAM_RUSER, (const void *) lpw->pw_name); -+ PAM_BAIL_P (return false); -+ } -+ retval = pam_authenticate (pamh, 0); -+ PAM_BAIL_P (return false); -+ retval = pam_acct_mgmt (pamh, 0); -+ if (retval == PAM_NEW_AUTHTOK_REQD) -+ { -+ /* Password has expired. Offer option to change it. */ -+ retval = pam_chauthtok (pamh, PAM_CHANGE_EXPIRED_AUTHTOK); -+ PAM_BAIL_P (return false); -+ } -+ PAM_BAIL_P (return false); -+ /* Must be authenticated if this point was reached. 
*/ -+ return true; -+#else /* !USE_PAM */ - char *unencrypted, *encrypted, *correct; - #if HAVE_GETSPNAM && HAVE_STRUCT_SPWD_SP_PWDP - /* Shadow passwd stuff for SVR3 and maybe other systems. */ -- struct spwd *sp = getspnam (pw->pw_name); -+ const struct spwd *sp = getspnam (pw->pw_name); - - endspent (); - if (sp) -@@ -232,6 +451,7 @@ correct_password (const struct passwd *p - encrypted = crypt (unencrypted, correct); - memset (unencrypted, 0, strlen (unencrypted)); - return STREQ (encrypted, correct); -+#endif /* !USE_PAM */ - } - - /* Update `environ' for the new shell based on PW, with SHELL being -@@ -256,8 +476,8 @@ modify_environment (const struct passwd - xsetenv ("USER", pw->pw_name); - xsetenv ("LOGNAME", pw->pw_name); - xsetenv ("PATH", (pw->pw_uid -- ? DEFAULT_LOGIN_PATH -- : DEFAULT_ROOT_LOGIN_PATH)); -+ ? getdef_str ("PATH", DEFAULT_LOGIN_PATH) -+ : getdef_str ("SUPATH", DEFAULT_ROOT_LOGIN_PATH))); - } - else - { -@@ -267,6 +487,12 @@ modify_environment (const struct passwd - { - xsetenv ("HOME", pw->pw_dir); - xsetenv ("SHELL", shell); -+ if (getdef_bool ("ALWAYS_SET_PATH", 0)) -+ xsetenv ("PATH", (pw->pw_uid -+ ? getdef_str ("PATH", -+ DEFAULT_LOGIN_PATH) -+ : getdef_str ("SUPATH", -+ DEFAULT_ROOT_LOGIN_PATH))); - if (pw->pw_uid) - { - xsetenv ("USER", pw->pw_name); -@@ -274,19 +500,41 @@ modify_environment (const struct passwd - } - } - } -+ -+#ifdef USE_PAM -+ export_pamenv (); -+#endif - } - - /* Become the user and group(s) specified by PW. 
*/ - - static void --change_identity (const struct passwd *pw) -+init_groups (const struct passwd *pw) - { - #ifdef HAVE_INITGROUPS - errno = 0; - if (initgroups (pw->pw_name, pw->pw_gid) == -1) -- error (EXIT_CANCELED, errno, _("cannot set groups")); -+ { -+#ifdef USE_PAM -+ cleanup_pam (PAM_ABORT); -+#endif -+ error (EXIT_FAILURE, errno, _("cannot set groups")); -+ } - endgrent (); - #endif -+ -+#ifdef USE_PAM -+ retval = pam_setcred (pamh, PAM_ESTABLISH_CRED); -+ if (retval != PAM_SUCCESS) -+ error (EXIT_FAILURE, 0, "%s", pam_strerror (pamh, retval)); -+ else -+ _pam_cred_established = 1; -+#endif -+} -+ -+static void -+change_identity (const struct passwd *pw) -+{ - if (setgid (pw->pw_gid)) - error (EXIT_CANCELED, errno, _("cannot set group id")); - if (setuid (pw->pw_uid)) -@@ -479,6 +727,7 @@ main (int argc, char **argv) - #ifdef SYSLOG_FAILURE - log_su (pw, false); - #endif -+ sleep (getdef_num ("FAIL_DELAY", 1)); - error (EXIT_CANCELED, 0, _("incorrect password")); - } - #ifdef SYSLOG_SUCCESS -@@ -500,9 +749,21 @@ main (int argc, char **argv) - shell = NULL; - } - shell = xstrdup (shell ? shell : pw->pw_shell); -- modify_environment (pw, shell); -+ -+ init_groups (pw); -+ -+#ifdef USE_PAM -+ create_watching_parent (); -+ /* Now we're in the child. */ -+#endif - - change_identity (pw); -+ -+ /* Set environment after pam_open_session, which may put KRB5CCNAME -+ into the pam_env, etc. 
*/ -+ -+ modify_environment (pw, shell); -+ - if (simulate_login && chdir (pw->pw_dir) != 0) - error (0, errno, _("warning: cannot change directory to %s"), pw->pw_dir); - -Index: tests/Makefile.in -=================================================================== ---- tests/Makefile.in.orig 2010-10-15 16:31:45.000000000 +0200 -+++ tests/Makefile.in 2010-11-11 16:02:50.750185750 +0100 -@@ -1045,6 +1045,7 @@ PACKAGE_STRING = @PACKAGE_STRING@ - PACKAGE_TARNAME = @PACKAGE_TARNAME@ - PACKAGE_URL = @PACKAGE_URL@ - PACKAGE_VERSION = @PACKAGE_VERSION@ -+PAM_LIBS = @PAM_LIBS@ - PATH_SEPARATOR = @PATH_SEPARATOR@ - PERL = @PERL@ - POSIX_SHELL = @POSIX_SHELL@ diff --git a/coreutils-6.8.0-pie.patch b/coreutils-6.8.0-pie.patch deleted file mode 100644 index fca2788..0000000 --- a/coreutils-6.8.0-pie.patch +++ /dev/null 
@@ -1,192 +0,0 @@ -Index: lib/Makefile.am -=================================================================== ---- lib/Makefile.am.orig 2010-10-11 19:35:11.000000000 +0200 -+++ lib/Makefile.am 2010-11-11 16:24:42.950085976 +0100 -@@ -17,7 +17,7 @@ - - include gnulib.mk - --AM_CFLAGS += $(GNULIB_WARN_CFLAGS) $(WERROR_CFLAGS) -+AM_CFLAGS += $(GNULIB_WARN_CFLAGS) $(WERROR_CFLAGS) -fpie - - libcoreutils_a_SOURCES += \ - buffer-lcm.c buffer-lcm.h -Index: lib/Makefile.in -=================================================================== ---- lib/Makefile.in.orig 2010-11-11 16:21:01.630976009 +0100 -+++ lib/Makefile.in 2010-11-11 16:25:20.640746300 +0100 -@@ -1505,7 +1505,7 @@ MAINTAINERCLEANFILES = iconv_open-aix.h - iconv_open-irix.h iconv_open-osf.h iconv_open-solaris.h \ - parse-datetime.c - AM_CPPFLAGS = --AM_CFLAGS = $(GNULIB_WARN_CFLAGS) $(WERROR_CFLAGS) -+AM_CFLAGS = $(GNULIB_WARN_CFLAGS) $(WERROR_CFLAGS) -fpie - libcoreutils_a_SOURCES = set-mode-acl.c copy-acl.c file-has-acl.c \ - areadlink.c areadlink-with-size.c areadlinkat.c argv-iter.c \ - argv-iter.h base64.h base64.c bitrotate.h c-ctype.h c-ctype.c \ -Index: src/Makefile.am -=================================================================== ---- src/Makefile.am.orig 2010-11-11 16:21:01.674983785 +0100 -+++ src/Makefile.am 2010-11-11 16:21:01.839012773 +0100 -@@ -354,6 +354,10 @@ uptime_LDADD += $(GETLOADAVG_LIBS) - # for crypt - su_SOURCES = su.c getdef.c - su_LDADD = $(LDADD) $(LIB_CRYPT) $(PAM_LIBS) -+su_CFLAGS = -fpie -+su_LDFLAGS = -pie -Wl,-z,relro,-z,now -+timeout_CFLAGS = -fpie -+timeout_LDFLAGS = -pie -Wl,-z,relro,-z,now - - # for various ACL functions - copy_LDADD += $(LIB_ACL) -Index: src/Makefile.in -=================================================================== ---- src/Makefile.in.orig 2010-11-11 16:21:01.674983786 +0100 -+++ src/Makefile.in 2010-11-11 16:24:16.137347873 +0100 -@@ -553,10 +553,12 @@ stdbuf_DEPENDENCIES = $(am__DEPENDENCIES - stty_SOURCES = stty.c - stty_OBJECTS = 
stty.$(OBJEXT) - stty_DEPENDENCIES = $(am__DEPENDENCIES_2) --am_su_OBJECTS = su.$(OBJEXT) getdef.$(OBJEXT) -+am_su_OBJECTS = su-su.$(OBJEXT) su-getdef.$(OBJEXT) - su_OBJECTS = $(am_su_OBJECTS) - su_DEPENDENCIES = $(am__DEPENDENCIES_2) $(am__DEPENDENCIES_1) \ - $(am__DEPENDENCIES_1) -+su_LINK = $(CCLD) $(su_CFLAGS) $(CFLAGS) $(su_LDFLAGS) $(LDFLAGS) -o \ -+ $@ - sum_SOURCES = sum.c - sum_OBJECTS = sum.$(OBJEXT) - sum_DEPENDENCIES = $(am__DEPENDENCIES_2) -@@ -575,9 +577,12 @@ tee_DEPENDENCIES = $(am__DEPENDENCIES_2) - test_SOURCES = test.c - test_OBJECTS = test.$(OBJEXT) - test_DEPENDENCIES = $(am__DEPENDENCIES_2) $(am__DEPENDENCIES_1) --am_timeout_OBJECTS = timeout.$(OBJEXT) operand2sig.$(OBJEXT) -+am_timeout_OBJECTS = timeout-timeout.$(OBJEXT) \ -+ timeout-operand2sig.$(OBJEXT) - timeout_OBJECTS = $(am_timeout_OBJECTS) - timeout_DEPENDENCIES = $(am__DEPENDENCIES_2) $(am__DEPENDENCIES_1) -+timeout_LINK = $(CCLD) $(timeout_CFLAGS) $(CFLAGS) $(timeout_LDFLAGS) \ -+ $(LDFLAGS) -o $@ - touch_SOURCES = touch.c - touch_OBJECTS = touch.$(OBJEXT) - touch_DEPENDENCIES = $(am__DEPENDENCIES_2) $(am__DEPENDENCIES_1) -@@ -1783,6 +1788,10 @@ stty_LDADD = $(LDADD) - # for crypt - su_SOURCES = su.c getdef.c - su_LDADD = $(LDADD) $(LIB_CRYPT) $(PAM_LIBS) -+su_CFLAGS = -fpie -+su_LDFLAGS = -pie -+timeout_CFLAGS = -fpie -+timeout_LDFLAGS = -pie - sum_LDADD = $(LDADD) - sync_LDADD = $(LDADD) - tac_LDADD = $(LDADD) -@@ -2317,7 +2326,7 @@ stty$(EXEEXT): $(stty_OBJECTS) $(stty_DE - $(AM_V_CCLD)$(LINK) $(stty_OBJECTS) $(stty_LDADD) $(LIBS) - su$(EXEEXT): $(su_OBJECTS) $(su_DEPENDENCIES) $(EXTRA_su_DEPENDENCIES) - @rm -f su$(EXEEXT) -- $(AM_V_CCLD)$(LINK) $(su_OBJECTS) $(su_LDADD) $(LIBS) -+ $(AM_V_CCLD)$(su_LINK) $(su_OBJECTS) $(su_LDADD) $(LIBS) - sum$(EXEEXT): $(sum_OBJECTS) $(sum_DEPENDENCIES) $(EXTRA_sum_DEPENDENCIES) - @rm -f sum$(EXEEXT) - $(AM_V_CCLD)$(LINK) $(sum_OBJECTS) $(sum_LDADD) $(LIBS) -@@ -2338,7 +2347,7 @@ test$(EXEEXT): $(test_OBJECTS) $(test_DE - $(AM_V_CCLD)$(LINK) 
$(test_OBJECTS) $(test_LDADD) $(LIBS) - timeout$(EXEEXT): $(timeout_OBJECTS) $(timeout_DEPENDENCIES) $(EXTRA_timeout_DEPENDENCIES) - @rm -f timeout$(EXEEXT) -- $(AM_V_CCLD)$(LINK) $(timeout_OBJECTS) $(timeout_LDADD) $(LIBS) -+ $(AM_V_CCLD)$(timeout_LINK) $(timeout_OBJECTS) $(timeout_LDADD) $(LIBS) - touch$(EXEEXT): $(touch_OBJECTS) $(touch_DEPENDENCIES) $(EXTRA_touch_DEPENDENCIES) - @rm -f touch$(EXEEXT) - $(AM_V_CCLD)$(LINK) $(touch_OBJECTS) $(touch_LDADD) $(LIBS) -@@ -2428,7 +2437,6 @@ distclean-compile: - @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/find-mount-point.Po@am__quote@ - @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/fmt.Po@am__quote@ - @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/fold.Po@am__quote@ --@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/getdef.Po@am__quote@ - @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/getlimits.Po@am__quote@ - @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/ginstall-copy.Po@am__quote@ - @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/ginstall-cp-hash.Po@am__quote@ -@@ -2492,14 +2500,16 @@ distclean-compile: - @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/stat.Po@am__quote@ - @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/stdbuf.Po@am__quote@ - @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/stty.Po@am__quote@ --@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/su.Po@am__quote@ -+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/su-getdef.Po@am__quote@ -+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/su-su.Po@am__quote@ - @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/sum.Po@am__quote@ - @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/sync.Po@am__quote@ - @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/tac.Po@am__quote@ - @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/tail.Po@am__quote@ - @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/tee.Po@am__quote@ - @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/test.Po@am__quote@ --@AMDEP_TRUE@@am__include@ 
@am__quote@./$(DEPDIR)/timeout.Po@am__quote@ -+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/timeout-operand2sig.Po@am__quote@ -+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/timeout-timeout.Po@am__quote@ - @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/touch.Po@am__quote@ - @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/tr.Po@am__quote@ - @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/true.Po@am__quote@ -@@ -2688,6 +2698,62 @@ sha512sum-md5sum.obj: md5sum.c - @AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ - @am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(sha512sum_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o sha512sum-md5sum.obj `if test -f 'md5sum.c'; then $(CYGPATH_W) 'md5sum.c'; else $(CYGPATH_W) '$(srcdir)/md5sum.c'; fi` - -+su-su.o: su.c -+@am__fastdepCC_TRUE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(su_CFLAGS) $(CFLAGS) -MT su-su.o -MD -MP -MF $(DEPDIR)/su-su.Tpo -c -o su-su.o `test -f 'su.c' || echo '$(srcdir)/'`su.c -+@am__fastdepCC_TRUE@ $(am__mv) $(DEPDIR)/su-su.Tpo $(DEPDIR)/su-su.Po -+@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='su.c' object='su-su.o' libtool=no @AMDEPBACKSLASH@ -+@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ -+@am__fastdepCC_FALSE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(su_CFLAGS) $(CFLAGS) -c -o su-su.o `test -f 'su.c' || echo '$(srcdir)/'`su.c -+ -+su-su.obj: su.c -+@am__fastdepCC_TRUE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(su_CFLAGS) $(CFLAGS) -MT su-su.obj -MD -MP -MF $(DEPDIR)/su-su.Tpo -c -o su-su.obj `if test -f 'su.c'; then $(CYGPATH_W) 'su.c'; else $(CYGPATH_W) '$(srcdir)/su.c'; fi` -+@am__fastdepCC_TRUE@ $(am__mv) $(DEPDIR)/su-su.Tpo $(DEPDIR)/su-su.Po -+@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='su.c' object='su-su.obj' libtool=no @AMDEPBACKSLASH@ 
-+@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ -+@am__fastdepCC_FALSE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(su_CFLAGS) $(CFLAGS) -c -o su-su.obj `if test -f 'su.c'; then $(CYGPATH_W) 'su.c'; else $(CYGPATH_W) '$(srcdir)/su.c'; fi` -+ -+su-getdef.o: getdef.c -+@am__fastdepCC_TRUE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(su_CFLAGS) $(CFLAGS) -MT su-getdef.o -MD -MP -MF $(DEPDIR)/su-getdef.Tpo -c -o su-getdef.o `test -f 'getdef.c' || echo '$(srcdir)/'`getdef.c -+@am__fastdepCC_TRUE@ $(am__mv) $(DEPDIR)/su-getdef.Tpo $(DEPDIR)/su-getdef.Po -+@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='getdef.c' object='su-getdef.o' libtool=no @AMDEPBACKSLASH@ -+@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ -+@am__fastdepCC_FALSE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(su_CFLAGS) $(CFLAGS) -c -o su-getdef.o `test -f 'getdef.c' || echo '$(srcdir)/'`getdef.c -+ -+su-getdef.obj: getdef.c -+@am__fastdepCC_TRUE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(su_CFLAGS) $(CFLAGS) -MT su-getdef.obj -MD -MP -MF $(DEPDIR)/su-getdef.Tpo -c -o su-getdef.obj `if test -f 'getdef.c'; then $(CYGPATH_W) 'getdef.c'; else $(CYGPATH_W) '$(srcdir)/getdef.c'; fi` -+@am__fastdepCC_TRUE@ $(am__mv) $(DEPDIR)/su-getdef.Tpo $(DEPDIR)/su-getdef.Po -+@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='getdef.c' object='su-getdef.obj' libtool=no @AMDEPBACKSLASH@ -+@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ -+@am__fastdepCC_FALSE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(su_CFLAGS) $(CFLAGS) -c -o su-getdef.obj `if test -f 'getdef.c'; then $(CYGPATH_W) 'getdef.c'; else $(CYGPATH_W) '$(srcdir)/getdef.c'; fi` -+ -+timeout-timeout.o: timeout.c -+@am__fastdepCC_TRUE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) 
$(AM_CPPFLAGS) $(CPPFLAGS) $(timeout_CFLAGS) $(CFLAGS) -MT timeout-timeout.o -MD -MP -MF $(DEPDIR)/timeout-timeout.Tpo -c -o timeout-timeout.o `test -f 'timeout.c' || echo '$(srcdir)/'`timeout.c -+@am__fastdepCC_TRUE@ $(am__mv) $(DEPDIR)/timeout-timeout.Tpo $(DEPDIR)/timeout-timeout.Po -+@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='timeout.c' object='timeout-timeout.o' libtool=no @AMDEPBACKSLASH@ -+@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ -+@am__fastdepCC_FALSE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(timeout_CFLAGS) $(CFLAGS) -c -o timeout-timeout.o `test -f 'timeout.c' || echo '$(srcdir)/'`timeout.c -+ -+timeout-timeout.obj: timeout.c -+@am__fastdepCC_TRUE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(timeout_CFLAGS) $(CFLAGS) -MT timeout-timeout.obj -MD -MP -MF $(DEPDIR)/timeout-timeout.Tpo -c -o timeout-timeout.obj `if test -f 'timeout.c'; then $(CYGPATH_W) 'timeout.c'; else $(CYGPATH_W) '$(srcdir)/timeout.c'; fi` -+@am__fastdepCC_TRUE@ $(am__mv) $(DEPDIR)/timeout-timeout.Tpo $(DEPDIR)/timeout-timeout.Po -+@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='timeout.c' object='timeout-timeout.obj' libtool=no @AMDEPBACKSLASH@ -+@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ -+@am__fastdepCC_FALSE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(timeout_CFLAGS) $(CFLAGS) -c -o timeout-timeout.obj `if test -f 'timeout.c'; then $(CYGPATH_W) 'timeout.c'; else $(CYGPATH_W) '$(srcdir)/timeout.c'; fi` -+ -+timeout-operand2sig.o: operand2sig.c -+@am__fastdepCC_TRUE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(timeout_CFLAGS) $(CFLAGS) -MT timeout-operand2sig.o -MD -MP -MF $(DEPDIR)/timeout-operand2sig.Tpo -c -o timeout-operand2sig.o `test -f 'operand2sig.c' || echo '$(srcdir)/'`operand2sig.c -+@am__fastdepCC_TRUE@ $(am__mv) $(DEPDIR)/timeout-operand2sig.Tpo 
$(DEPDIR)/timeout-operand2sig.Po -+@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='operand2sig.c' object='timeout-operand2sig.o' libtool=no @AMDEPBACKSLASH@ -+@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ -+@am__fastdepCC_FALSE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(timeout_CFLAGS) $(CFLAGS) -c -o timeout-operand2sig.o `test -f 'operand2sig.c' || echo '$(srcdir)/'`operand2sig.c -+ -+timeout-operand2sig.obj: operand2sig.c -+@am__fastdepCC_TRUE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(timeout_CFLAGS) $(CFLAGS) -MT timeout-operand2sig.obj -MD -MP -MF $(DEPDIR)/timeout-operand2sig.Tpo -c -o timeout-operand2sig.obj `if test -f 'operand2sig.c'; then $(CYGPATH_W) 'operand2sig.c'; else $(CYGPATH_W) '$(srcdir)/operand2sig.c'; fi` -+@am__fastdepCC_TRUE@ $(am__mv) $(DEPDIR)/timeout-operand2sig.Tpo $(DEPDIR)/timeout-operand2sig.Po -+@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='operand2sig.c' object='timeout-operand2sig.obj' libtool=no @AMDEPBACKSLASH@ -+@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ -+@am__fastdepCC_FALSE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(timeout_CFLAGS) $(CFLAGS) -c -o timeout-operand2sig.obj `if test -f 'operand2sig.c'; then $(CYGPATH_W) 'operand2sig.c'; else $(CYGPATH_W) '$(srcdir)/operand2sig.c'; fi` -+ - ID: $(HEADERS) $(SOURCES) $(LISP) $(TAGS_FILES) - list='$(SOURCES) $(HEADERS) $(LISP) $(TAGS_FILES)'; \ - unique=`for i in $$list; do \ diff --git a/coreutils-8.6-compile-su-with-fpie.diff b/coreutils-8.6-compile-su-with-fpie.diff new file mode 100644 index 0000000..60a0917 --- /dev/null +++ b/coreutils-8.6-compile-su-with-fpie.diff 
@@ -0,0 +1,42 @@
+From d1a49cccf99373293a88f5bce74857d5bb813e46 Mon Sep 17 00:00:00 2001
+From: Thorsten Kukuk
+Date: Tue, 17 Aug 2010 09:21:22 +0200
+Subject: [PATCH 7/7] compile su with -fpie
+
+---
+ lib/Makefile.am | 2 +-
+ src/Makefile.am | 5 +++++
+ 2 files changed, 6 insertions(+), 1 deletions(-)
+
+diff --git a/lib/Makefile.am b/lib/Makefile.am
+index b4a591b..059928e 100644
+--- a/lib/Makefile.am
++++ b/lib/Makefile.am
+@@ -17,7 +17,7 @@
+
+ include gnulib.mk
+
+-AM_CFLAGS += $(GNULIB_WARN_CFLAGS) $(WERROR_CFLAGS)
++AM_CFLAGS += $(GNULIB_WARN_CFLAGS) $(WERROR_CFLAGS) -fpie
+
+ libcoreutils_a_SOURCES += \
+ buffer-lcm.c buffer-lcm.h
+diff --git a/src/Makefile.am b/src/Makefile.am
+index 484f6c2..17600af 100644
+--- a/src/Makefile.am
++++ b/src/Makefile.am
+@@ -355,6 +355,11 @@ uptime_LDADD += $(GETLOADAVG_LIBS)
+ su_SOURCES = su.c getdef.c
+ su_LDADD += $(LIB_CRYPT) $(PAM_LIBS)
+
++su_CFLAGS = -fpie
++su_LDFLAGS = -pie
++timeout_CFLAGS = -fpie
++timeout_LDFLAGS = -pie
++
+ # for various ACL functions
+ copy_LDADD += $(LIB_ACL)
+ ls_LDADD += $(LIB_ACL)
+-- 
+1.7.1
+
diff --git a/coreutils-8.6-honor-settings-in-etc-default-su-resp-etc-login.defs.diff b/coreutils-8.6-honor-settings-in-etc-default-su-resp-etc-login.defs.diff
new file mode 100644
index 0000000..9770bc8
--- /dev/null
+++ b/coreutils-8.6-honor-settings-in-etc-default-su-resp-etc-login.defs.diff
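Review bot: The `su_LDFLAGS = -pie` and `timeout_LDFLAGS = -pie` lines added to src/Makefile.am drop the `-Wl,-z,relro,-z,now` that the deleted coreutils-6.8.0-pie.patch set for the same two variables in src/Makefile.am. For su, which is normally installed setuid root, that means the binary may no longer get full RELRO and immediate binding unless the distribution's default LDFLAGS already supply them. I would keep the earlier values, `su_LDFLAGS = -pie -Wl,-z,relro,-z,now` and `timeout_LDFLAGS = -pie -Wl,-z,relro,-z,now`, or say in the patch description where those linker flags now come from.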
@@ -0,0 +1,374 @@ +From d776b1b67eb1bc1b815426fdf22f38b25ef1e2df Mon Sep 17 00:00:00 2001 +From: Ludwig Nussel +Date: Mon, 9 Aug 2010 16:03:12 +0200 +Subject: [PATCH 5/7] honor settings in /etc/default/su resp /etc/login.defs + +--- + src/Makefile.am | 1 + + src/getdef.c | 259 +++++++++++++++++++++++++++++++++++++++++++++++++++++++ + src/getdef.h | 29 ++++++ + src/su.c | 13 +++- + 4 files changed, 300 insertions(+), 2 deletions(-) + create mode 100644 src/getdef.c + create mode 100644 src/getdef.h + +diff --git a/src/Makefile.am b/src/Makefile.am +index bc27274..484f6c2 100644 +--- a/src/Makefile.am ++++ b/src/Makefile.am +@@ -352,6 +352,7 @@ factor_LDADD += $(LIB_GMP) + uptime_LDADD += $(GETLOADAVG_LIBS) + + # for crypt and pam ++su_SOURCES = su.c getdef.c + su_LDADD += $(LIB_CRYPT) $(PAM_LIBS) + + # for various ACL functions +diff --git a/src/getdef.c b/src/getdef.c +new file mode 100644 +index 0000000..e1872cf +--- /dev/null ++++ b/src/getdef.c +@@ -0,0 +1,259 @@ ++/* Copyright (C) 2003, 2004, 2005 Thorsten Kukuk ++ Author: Thorsten Kukuk ++ ++ This program is free software; you can redistribute it and/or modify ++ it under the terms of the GNU General Public License version 2 as ++ published by the Free Software Foundation. ++ ++ This program is distributed in the hope that it will be useful, ++ but WITHOUT ANY WARRANTY; without even the implied warranty of ++ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the ++ GNU General Public License for more details. ++ ++ You should have received a copy of the GNU General Public License ++ along with this program; if not, write to the Free Software Foundation, ++ Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA. */ ++ ++#ifdef HAVE_CONFIG_H ++#include ++#endif ++ ++#define _GNU_SOURCE ++ ++#include ++#include ++#include ++#include ++#include ++#include ++ ++#include "getdef.h" ++ ++struct item { ++ char *name; /* Name of the option. */ ++ char *value; /* Value of the option. 
*/ ++ struct item *next; /* Pointer to next option. */ ++}; ++ ++static struct item *list = NULL; ++ ++void ++free_getdef_data (void) ++{ ++ struct item *ptr; ++ ++ ptr = list; ++ while (ptr != NULL) ++ { ++ struct item *tmp; ++ tmp = ptr->next; ++ free (ptr->name); ++ free (ptr->value); ++ free (ptr); ++ ptr = tmp; ++ } ++ ++ list = NULL; ++} ++ ++/* Add a new entry to the list. */ ++static void ++store (const char *name, const char *value) ++{ ++ struct item *new = malloc (sizeof (struct item)); ++ ++ if (new == NULL) ++ abort (); ++ ++ if (name == NULL) ++ abort (); ++ ++ new->name = strdup (name); ++ new->value = strdup (value ?: ""); ++ new->next = list; ++ list = new; ++} ++ ++/* Search a special entry in the list and return the value. */ ++static const char * ++search (const char *name) ++{ ++ struct item *ptr; ++ ++ ptr = list; ++ while (ptr != NULL) ++ { ++ if (strcasecmp (name, ptr->name) == 0) ++ return ptr->value; ++ ptr = ptr->next; ++ } ++ ++ return NULL; ++} ++ ++/* Load the login.defs file (/etc/login.defs). 
*/ ++static void ++load_defaults_internal (const char *filename) ++{ ++ FILE *fp; ++ char *buf = NULL; ++ size_t buflen = 0; ++ ++ fp = fopen (filename, "r"); ++ if (NULL == fp) ++ return; ++ ++ while (!feof (fp)) ++ { ++ char *tmp, *cp; ++#if defined(HAVE_GETLINE) ++ ssize_t n = getline (&buf, &buflen, fp); ++#elif defined (HAVE_GETDELIM) ++ ssize_t n = getdelim (&buf, &buflen, '\n', fp); ++#else ++ ssize_t n; ++ ++ if (buf == NULL) ++ { ++ buflen = 8096; ++ buf = malloc (buflen); ++ } ++ buf[0] = '\0'; ++ fgets (buf, buflen - 1, fp); ++ if (buf != NULL) ++ n = strlen (buf); ++ else ++ n = 0; ++#endif /* HAVE_GETLINE / HAVE_GETDELIM */ ++ cp = buf; ++ ++ if (n < 1) ++ break; ++ ++ tmp = strchr (cp, '#'); /* remove comments */ ++ if (tmp) ++ *tmp = '\0'; ++ while (isspace ((unsigned char) *cp)) /* remove spaces and tabs */ ++ ++cp; ++ if (*cp == '\0') /* ignore empty lines */ ++ continue; ++ ++ if (cp[strlen (cp) - 1] == '\n') ++ cp[strlen (cp) - 1] = '\0'; ++ ++ tmp = strsep (&cp, " \t="); ++ if (cp != NULL) ++ while (isspace ((unsigned char) *cp) || *cp == '=') ++ ++cp; ++ ++ store (tmp, cp); ++ } ++ fclose (fp); ++ ++ if (buf) ++ free (buf); ++} ++ ++static void ++load_defaults (void) ++{ ++ load_defaults_internal ("/etc/default/su"); ++ load_defaults_internal ("/etc/login.defs"); ++} ++ ++int ++getdef_bool (const char *name, int dflt) ++{ ++ const char *val; ++ ++ if (list == NULL) ++ load_defaults (); ++ ++ val = search (name); ++ ++ if (val == NULL) ++ return dflt; ++ ++ return (strcasecmp (val, "yes") == 0); ++} ++ ++long ++getdef_num (const char *name, long dflt) ++{ ++ const char *val; ++ char *cp; ++ long retval; ++ ++ if (list == NULL) ++ load_defaults (); ++ ++ val = search (name); ++ ++ if (val == NULL) ++ return dflt; ++ ++ errno = 0; ++ retval = strtol (val, &cp, 0); ++ if (*cp != '\0' ++ || ((retval == LONG_MAX || retval == LONG_MIN) && errno == ERANGE)) ++ { ++ fprintf (stderr, ++ "%s contains invalid numerical value: %s!\n", ++ name, val); ++ 
retval = dflt; ++ } ++ return retval; ++} ++ ++unsigned long ++getdef_unum (const char *name, unsigned long dflt) ++{ ++ const char *val; ++ char *cp; ++ unsigned long retval; ++ ++ if (list == NULL) ++ load_defaults (); ++ ++ val = search (name); ++ ++ if (val == NULL) ++ return dflt; ++ ++ errno = 0; ++ retval = strtoul (val, &cp, 0); ++ if (*cp != '\0' || (retval == ULONG_MAX && errno == ERANGE)) ++ { ++ fprintf (stderr, ++ "%s contains invalid numerical value: %s!\n", ++ name, val); ++ retval = dflt; ++ } ++ return retval; ++} ++ ++const char * ++getdef_str (const char *name, const char *dflt) ++{ ++ const char *retval; ++ ++ if (list == NULL) ++ load_defaults (); ++ ++ retval = search (name); ++ ++ return retval ?: dflt; ++} ++ ++#if defined(TEST) ++ ++int ++main () ++{ ++ printf ("CYPT=%s\n", getdef_str ("cRypt", "no")); ++ printf ("LOG_UNKFAIL_ENAB=%s\n", getdef_str ("log_unkfail_enab","")); ++ printf ("DOESNOTEXIST=%s\n", getdef_str ("DOESNOTEXIST","yes")); ++ return 0; ++} ++ ++#endif +diff --git a/src/getdef.h b/src/getdef.h +new file mode 100644 +index 0000000..2e86cf9 +--- /dev/null ++++ b/src/getdef.h +@@ -0,0 +1,29 @@ ++/* Copyright (C) 2003, 2005 Thorsten Kukuk ++ Author: Thorsten Kukuk ++ ++ This program is free software; you can redistribute it and/or modify ++ it under the terms of the GNU General Public License version 2 as ++ published by the Free Software Foundation. ++ ++ This program is distributed in the hope that it will be useful, ++ but WITHOUT ANY WARRANTY; without even the implied warranty of ++ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the ++ GNU General Public License for more details. ++ ++ You should have received a copy of the GNU General Public License ++ along with this program; if not, write to the Free Software Foundation, ++ Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA. 
*/ ++ ++#ifndef _GETDEF_H_ ++ ++#define _GETDEF_H_ 1 ++ ++extern int getdef_bool (const char *name, int dflt); ++extern long getdef_num (const char *name, long dflt); ++extern unsigned long getdef_unum (const char *name, unsigned long dflt); ++extern const char *getdef_str (const char *name, const char *dflt); ++ ++/* Free all data allocated by getdef_* calls before. */ ++extern void free_getdef_data (void); ++ ++#endif /* _GETDEF_H_ */ +diff --git a/src/su.c b/src/su.c +index 0071622..eaef195 100644 +--- a/src/su.c ++++ b/src/su.c +@@ -111,6 +111,8 @@ + # include + #endif + ++#include "getdef.h" ++ + /* The default PATH for simulated logins to non-superuser accounts. */ + #define DEFAULT_LOGIN_PATH "/usr/local/bin:/bin:/usr/bin" + +@@ -475,8 +477,8 @@ modify_environment (const struct passwd *pw, const char *shell) + xsetenv ("USER", pw->pw_name); + xsetenv ("LOGNAME", pw->pw_name); + xsetenv ("PATH", (pw->pw_uid +- ? DEFAULT_LOGIN_PATH +- : DEFAULT_ROOT_LOGIN_PATH)); ++ ? getdef_str ("PATH", DEFAULT_LOGIN_PATH) ++ : getdef_str ("SUPATH", DEFAULT_ROOT_LOGIN_PATH))); + } + else + { +@@ -486,6 +488,12 @@ modify_environment (const struct passwd *pw, const char *shell) + { + xsetenv ("HOME", pw->pw_dir); + xsetenv ("SHELL", shell); ++ if (getdef_bool ("ALWAYS_SET_PATH", 0)) ++ xsetenv ("PATH", (pw->pw_uid ++ ? getdef_str ("PATH", ++ DEFAULT_LOGIN_PATH) ++ : getdef_str ("SUPATH", ++ DEFAULT_ROOT_LOGIN_PATH))); + if (pw->pw_uid) + { + xsetenv ("USER", pw->pw_name); +@@ -720,6 +728,7 @@ main (int argc, char **argv) + #ifdef SYSLOG_FAILURE + log_su (pw, false); + #endif ++ sleep (getdef_num ("FAIL_DELAY", 1)); + error (EXIT_CANCELED, 0, _("incorrect password")); + } + #ifdef SYSLOG_SUCCESS +-- +1.7.1 + diff --git a/coreutils-8.6-log-all-su-attempts.diff b/coreutils-8.6-log-all-su-attempts.diff new file mode 100644 index 0000000..492bc06 --- /dev/null +++ b/coreutils-8.6-log-all-su-attempts.diff 
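Review bot: `store()` in the new src/getdef.c checks `malloc` but not the two `strdup` results, so on allocation failure `new->name` stays NULL and the next `search()` hands it to `strcasecmp`. Since the function already aborts on a failed `malloc`, the same treatment fits here: `if (new->name == NULL || new->value == NULL) abort ();` after the two assignments. The fallback branch of `load_defaults_internal` (neither getline nor getdelim available) has a related gap: it writes `buf[0]` before testing `buf`, and then tests `buf` instead of the return value of `fgets`. In the su.c part, `sleep (getdef_num ("FAIL_DELAY", 1))` passes a signed long read from the config file straight to `sleep`, so a negative value would convert to a very long delay; clamping it to a small non-negative range would be safer.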
@@ -0,0 +1,26 @@
+From f2ea0c33d8c25ee40e7fe7a16d0994c8069bc120 Mon Sep 17 00:00:00 2001
+From: Ludwig Nussel
+Date: Tue, 17 Aug 2010 13:22:01 +0200
+Subject: [PATCH 3/7] log all su attempts
+
+---
+ src/su.c | 3 +++
+ 1 files changed, 3 insertions(+), 0 deletions(-)
+
+diff --git a/src/su.c b/src/su.c
+index 1d3d007..2a9e423 100644
+--- a/src/su.c
++++ b/src/su.c
+@@ -75,6 +75,9 @@
+
+#if HAVE_SYSLOG_H && HAVE_SYSLOG
+# include
++# define SYSLOG_SUCCESS 1
++# define SYSLOG_FAILURE 1
++# define SYSLOG_NON_ROOT 1
+#else
+# undef SYSLOG_SUCCESS
+# undef SYSLOG_FAILURE
+-- 
+1.7.1
+
diff --git a/coreutils-5.3.0-sbin4su.patch b/coreutils-8.6-make-sure-sbin-resp-usr-sbin-are-in-PATH.diff
similarity index 82%
rename from coreutils-5.3.0-sbin4su.patch
rename to coreutils-8.6-make-sure-sbin-resp-usr-sbin-are-in-PATH.diff
index 3af4168..4329952 100644
--- a/coreutils-5.3.0-sbin4su.patch
+++ b/coreutils-8.6-make-sure-sbin-resp-usr-sbin-are-in-PATH.diff
@@ -1,8 +1,17 @@
-Index: src/su.c
-===================================================================
---- src/su.c.orig 2010-05-05 14:46:48.000000000 +0200
-+++ src/su.c 2010-05-05 14:48:55.023359308 +0200
-@@ -454,6 +454,117 @@ correct_password (const struct passwd *p
+From b43728c1f0c7abe90e73369542564d3ad4704963 Mon Sep 17 00:00:00 2001
+From: Werner Fink
+Date: Tue, 17 Aug 2010 09:09:55 +0200
+Subject: [PATCH 6/7] make sure /sbin resp /usr/sbin are in PATH
+
+---
+ src/su.c | 127 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
+ 1 files changed, 127 insertions(+), 0 deletions(-)
+
+diff --git a/src/su.c b/src/su.c
+index eaef195..d78f968 100644
+--- a/src/su.c
++++ b/src/su.c
+@@ -455,6 +455,117 @@ correct_password (const struct passwd *pw)
 #endif /* !USE_PAM */
 }
 
@@ -120,7 +129,7 @@ Index: src/su.c /* Update `environ' for the new shell based on PW, with SHELL being the value for the SHELL environment variable. */ -@@ -493,6 +604,22 @@ modify_environment (const struct passwd +@@ -494,6 +605,22 @@ modify_environment (const struct passwd *pw, const char *shell) DEFAULT_LOGIN_PATH) : getdef_str ("SUPATH", DEFAULT_ROOT_LOGIN_PATH))); @@ -143,3 +152,6 @@ Index: src/su.c if (pw->pw_uid) { xsetenv ("USER", pw->pw_name); +-- +1.7.1 + diff --git a/coreutils-8.6-pam-support-for-su.diff b/coreutils-8.6-pam-support-for-su.diff new file mode 100644 index 0000000..71279b2 --- /dev/null +++ b/coreutils-8.6-pam-support-for-su.diff 
@@ -0,0 +1,405 @@ +From 8b1e75c55ea6be5c8639c98b73ecfa0cf15226ce Mon Sep 17 00:00:00 2001 +From: Ludwig Nussel +Date: Tue, 17 Aug 2010 13:21:44 +0200 +Subject: [PATCH 1/7] pam support for su + +--- + configure.ac | 14 +++ + src/Makefile.am | 4 +- + src/su.c | 266 ++++++++++++++++++++++++++++++++++++++++++++++++++++++- + 3 files changed, 278 insertions(+), 6 deletions(-) + +diff --git a/configure.ac b/configure.ac +index 4ac30e8..eacd57f 100644 +--- a/configure.ac ++++ b/configure.ac +@@ -135,6 +135,20 @@ fi + + AC_FUNC_FORK + ++AC_ARG_ENABLE(pam, AS_HELP_STRING([--disable-pam], ++ [Enable PAM support in su (default=auto)]), , [enable_pam=yes]) ++if test "x$enable_pam" != xno; then ++ AC_CHECK_LIB([pam], [pam_start], [enable_pam=yes], [enable_pam=no]) ++ AC_CHECK_LIB([pam_misc], [misc_conv], [:], [enable_pam=no]) ++ if test "x$enable_pam" != xno; then ++ AC_DEFINE(USE_PAM, 1, [Define if you want to use PAM]) ++ PAM_LIBS="-lpam -lpam_misc" ++ AC_SUBST(PAM_LIBS) ++ fi ++fi ++AC_MSG_CHECKING([whether to enable PAM support in su]) ++AC_MSG_RESULT([$enable_pam]) ++ + optional_bin_progs= + AC_CHECK_FUNCS([chroot], + gl_ADD_PROG([optional_bin_progs], [chroot])) +diff --git a/src/Makefile.am b/src/Makefile.am +index 00c7ff7..bc27274 100644 +--- a/src/Makefile.am ++++ b/src/Makefile.am +@@ -351,8 +351,8 @@ factor_LDADD += $(LIB_GMP) + # for getloadavg + uptime_LDADD += $(GETLOADAVG_LIBS) + +-# for crypt +-su_LDADD += $(LIB_CRYPT) ++# for crypt and pam ++su_LDADD += $(LIB_CRYPT) $(PAM_LIBS) + + # for various ACL functions + copy_LDADD += $(LIB_ACL) +diff --git a/src/su.c b/src/su.c +index f8f5b61..1d3d007 100644 +--- a/src/su.c ++++ b/src/su.c +@@ -37,6 +37,16 @@ + restricts who can su to UID 0 accounts. RMS considers that to + be fascist. + ++#ifdef USE_PAM ++ ++ Actually, with PAM, su has nothing to do with whether or not a ++ wheel group is enforced by su. 
RMS tries to restrict your access ++ to a su which implements the wheel group, but PAM considers that ++ to be fascist, and gives the user/sysadmin the opportunity to ++ enforce a wheel group by proper editing of /etc/pam.d/su ++ ++#endif ++ + Compile-time options: + -DSYSLOG_SUCCESS Log successful su's (by default, to root) with syslog. + -DSYSLOG_FAILURE Log failed su's (by default, to root) with syslog. +@@ -52,6 +62,13 @@ + #include + #include + #include ++#ifdef USE_PAM ++#include ++#include ++#include ++#include ++#include ++#endif + + #include "system.h" + #include "getpass.h" +@@ -111,7 +128,9 @@ + /* The user to become if none is specified. */ + #define DEFAULT_USER "root" + ++#ifndef USE_PAM + char *crypt (char const *key, char const *salt); ++#endif + + static void run_shell (char const *, char const *, char **, size_t) + ATTRIBUTE_NORETURN; +@@ -125,6 +144,11 @@ static bool simulate_login; + /* If true, change some environment vars to indicate the user su'd to. */ + static bool change_environment; + ++#ifdef USE_PAM ++static bool _pam_session_opened; ++static bool _pam_cred_established; ++#endif ++ + static struct option const longopts[] = + { + {"command", required_argument, NULL, 'c'}, +@@ -200,7 +224,164 @@ log_su (struct passwd const *pw, bool successful) + } + #endif + ++#ifdef USE_PAM ++#define PAM_SERVICE_NAME PROGRAM_NAME ++#define PAM_SERVICE_NAME_L PROGRAM_NAME "-l" ++static sig_atomic_t volatile caught_signal = false; ++static pam_handle_t *pamh = NULL; ++static int retval; ++static struct pam_conv conv = ++{ ++ misc_conv, ++ NULL ++}; ++ ++#define PAM_BAIL_P(a) \ ++ if (retval) \ ++ { \ ++ pam_end (pamh, retval); \ ++ a; \ ++ } ++ ++static void ++cleanup_pam (int retcode) ++{ ++ if (_pam_session_opened) ++ pam_close_session (pamh, 0); ++ ++ if (_pam_cred_established) ++ pam_setcred (pamh, PAM_DELETE_CRED | PAM_SILENT); ++ ++ pam_end(pamh, retcode); ++} ++ ++/* Signal handler for parent process. 
*/ ++static void ++su_catch_sig (int sig) ++{ ++ caught_signal = true; ++} ++ ++/* Export env variables declared by PAM modules. */ ++static void ++export_pamenv (void) ++{ ++ char **env; ++ ++ /* This is a copy but don't care to free as we exec later anyways. */ ++ env = pam_getenvlist (pamh); ++ while (env && *env) ++ { ++ if (putenv (*env) != 0) ++ xalloc_die (); ++ env++; ++ } ++} ++ ++static void ++create_watching_parent (void) ++{ ++ pid_t child; ++ sigset_t ourset; ++ int status = 0; ++ ++ retval = pam_open_session (pamh, 0); ++ if (retval != PAM_SUCCESS) ++ { ++ cleanup_pam (retval); ++ error (EXIT_FAILURE, 0, _("cannot not open session: %s"), ++ pam_strerror (pamh, retval)); ++ } ++ else ++ _pam_session_opened = 1; ++ ++ child = fork (); ++ if (child == (pid_t) -1) ++ { ++ cleanup_pam (PAM_ABORT); ++ error (EXIT_FAILURE, errno, _("cannot create child process")); ++ } ++ ++ /* the child proceeds to run the shell */ ++ if (child == 0) ++ return; ++ ++ /* In the parent watch the child. */ ++ ++ /* su without pam support does not have a helper that keeps ++ sitting on any directory so let's go to /. 
*/ ++ if (chdir ("/") != 0) ++ error (0, errno, _("warning: cannot change directory to %s"), "/"); ++ ++ sigfillset (&ourset); ++ if (sigprocmask (SIG_BLOCK, &ourset, NULL)) ++ { ++ error (0, errno, _("cannot block signals")); ++ caught_signal = true; ++ } ++ if (!caught_signal) ++ { ++ struct sigaction action; ++ action.sa_handler = su_catch_sig; ++ sigemptyset (&action.sa_mask); ++ action.sa_flags = 0; ++ sigemptyset (&ourset); ++ if (sigaddset (&ourset, SIGTERM) ++ || sigaddset (&ourset, SIGALRM) ++ || sigaction (SIGTERM, &action, NULL) ++ || sigprocmask (SIG_UNBLOCK, &ourset, NULL)) ++ { ++ error (0, errno, _("cannot set signal handler")); ++ caught_signal = true; ++ } ++ } ++ if (!caught_signal) ++ { ++ pid_t pid; ++ for (;;) ++ { ++ pid = waitpid (child, &status, WUNTRACED); ++ ++ if (pid != (pid_t)-1 && WIFSTOPPED (status)) ++ { ++ kill (getpid (), SIGSTOP); ++ /* once we get here, we must have resumed */ ++ kill (pid, SIGCONT); ++ } ++ else ++ break; ++ } ++ if (pid != (pid_t)-1) ++ if (WIFSIGNALED (status)) ++ status = WTERMSIG (status) + 128; ++ else ++ status = WEXITSTATUS (status); ++ else ++ status = 1; ++ } ++ else ++ status = 1; ++ ++ if (caught_signal) ++ { ++ fprintf (stderr, _("\nSession terminated, killing shell...")); ++ kill (child, SIGTERM); ++ } ++ ++ cleanup_pam (PAM_SUCCESS); ++ ++ if (caught_signal) ++ { ++ sleep (2); ++ kill (child, SIGKILL); ++ fprintf (stderr, _(" ...killed.\n")); ++ } ++ exit (status); ++} ++#endif ++ + /* Ask the user for a password. ++ If PAM is in use, let PAM ask for the password if necessary. + Return true if the user gives the correct password for entry PW, + false if not. Return true without asking for a password if run by UID 0 + or if PW has an empty password. */ +@@ -208,10 +389,52 @@ log_su (struct passwd const *pw, bool successful) + static bool + correct_password (const struct passwd *pw) + { ++#ifdef USE_PAM ++ const struct passwd *lpw; ++ const char *cp; ++ ++ retval = pam_start (simulate_login ? 
PAM_SERVICE_NAME_L : PAM_SERVICE_NAME, ++ pw->pw_name, &conv, &pamh); ++ PAM_BAIL_P (return false); ++ ++ if (isatty (0) && (cp = ttyname (0)) != NULL) ++ { ++ const char *tty; ++ ++ if (strncmp (cp, "/dev/", 5) == 0) ++ tty = cp + 5; ++ else ++ tty = cp; ++ retval = pam_set_item (pamh, PAM_TTY, tty); ++ PAM_BAIL_P (return false); ++ } ++#if 0 /* Manpage discourages use of getlogin. */ ++ cp = getlogin (); ++ if (!(cp && *cp && (lpw = getpwnam (cp)) != NULL && lpw->pw_uid == getuid ())) ++#endif ++ lpw = getpwuid (getuid ()); ++ if (lpw && lpw->pw_name) ++ { ++ retval = pam_set_item (pamh, PAM_RUSER, (const void *) lpw->pw_name); ++ PAM_BAIL_P (return false); ++ } ++ retval = pam_authenticate (pamh, 0); ++ PAM_BAIL_P (return false); ++ retval = pam_acct_mgmt (pamh, 0); ++ if (retval == PAM_NEW_AUTHTOK_REQD) ++ { ++ /* Password has expired. Offer option to change it. */ ++ retval = pam_chauthtok (pamh, PAM_CHANGE_EXPIRED_AUTHTOK); ++ PAM_BAIL_P (return false); ++ } ++ PAM_BAIL_P (return false); ++ /* Must be authenticated if this point was reached. */ ++ return true; ++#else /* !USE_PAM */ + char *unencrypted, *encrypted, *correct; + #if HAVE_GETSPNAM && HAVE_STRUCT_SPWD_SP_PWDP + /* Shadow passwd stuff for SVR3 and maybe other systems. */ +- struct spwd *sp = getspnam (pw->pw_name); ++ const struct spwd *sp = getspnam (pw->pw_name); + + endspent (); + if (sp) +@@ -232,6 +455,7 @@ correct_password (const struct passwd *pw) + encrypted = crypt (unencrypted, correct); + memset (unencrypted, 0, strlen (unencrypted)); + return STREQ (encrypted, correct); ++#endif /* !USE_PAM */ + } + + /* Update `environ' for the new shell based on PW, with SHELL being +@@ -274,19 +498,41 @@ modify_environment (const struct passwd *pw, const char *shell) + } + } + } ++ ++#ifdef USE_PAM ++ export_pamenv (); ++#endif + } + + /* Become the user and group(s) specified by PW. 
*/ + + static void +-change_identity (const struct passwd *pw) ++init_groups (const struct passwd *pw) + { + #ifdef HAVE_INITGROUPS + errno = 0; + if (initgroups (pw->pw_name, pw->pw_gid) == -1) +- error (EXIT_CANCELED, errno, _("cannot set groups")); ++ { ++#ifdef USE_PAM ++ cleanup_pam (PAM_ABORT); ++#endif ++ error (EXIT_FAILURE, errno, _("cannot set groups")); ++ } + endgrent (); + #endif ++ ++#ifdef USE_PAM ++ retval = pam_setcred (pamh, PAM_ESTABLISH_CRED); ++ if (retval != PAM_SUCCESS) ++ error (EXIT_FAILURE, 0, "%s", pam_strerror (pamh, retval)); ++ else ++ _pam_cred_established = 1; ++#endif ++} ++ ++static void ++change_identity (const struct passwd *pw) ++{ + if (setgid (pw->pw_gid)) + error (EXIT_CANCELED, errno, _("cannot set group id")); + if (setuid (pw->pw_uid)) +@@ -500,9 +746,21 @@ main (int argc, char **argv) + shell = NULL; + } + shell = xstrdup (shell ? shell : pw->pw_shell); +- modify_environment (pw, shell); ++ ++ init_groups (pw); ++ ++#ifdef USE_PAM ++ create_watching_parent (); ++ /* Now we're in the child. */ ++#endif + + change_identity (pw); ++ ++ /* Set environment after pam_open_session, which may put KRB5CCNAME ++ into the pam_env, etc. */ ++ ++ modify_environment (pw, shell); ++ + if (simulate_login && chdir (pw->pw_dir) != 0) + error (0, errno, _("warning: cannot change directory to %s"), pw->pw_dir); + +-- +1.7.1 + diff --git a/coreutils-8.6-set-sane-default-path.diff b/coreutils-8.6-set-sane-default-path.diff new file mode 100644 index 0000000..d0604db --- /dev/null +++ b/coreutils-8.6-set-sane-default-path.diff 
@@ -0,0 +1,37 @@ +From 3c13edc2b9aeab8f24e60a62ab5e8a8db554486f Mon Sep 17 00:00:00 2001 +From: Ludwig Nussel +Date: Mon, 9 Aug 2010 16:02:30 +0200 +Subject: [PATCH 4/7] set sane default path + +--- + src/su.c | 12 ++---------- + 1 files changed, 2 insertions(+), 10 deletions(-) + +diff --git a/src/su.c b/src/su.c +index 2a9e423..0071622 100644 +--- a/src/su.c ++++ b/src/su.c +@@ -112,18 +112,10 @@ + #endif + + /* The default PATH for simulated logins to non-superuser accounts. */ +-#ifdef _PATH_DEFPATH +-# define DEFAULT_LOGIN_PATH _PATH_DEFPATH +-#else +-# define DEFAULT_LOGIN_PATH ":/usr/ucb:/bin:/usr/bin" +-#endif ++#define DEFAULT_LOGIN_PATH "/usr/local/bin:/bin:/usr/bin" + + /* The default PATH for simulated logins to superuser accounts. */ +-#ifdef _PATH_DEFPATH_ROOT +-# define DEFAULT_ROOT_LOGIN_PATH _PATH_DEFPATH_ROOT +-#else +-# define DEFAULT_ROOT_LOGIN_PATH "/usr/ucb:/bin:/usr/bin:/etc" +-#endif ++#define DEFAULT_ROOT_LOGIN_PATH "/usr/sbin:/bin:/usr/bin:/sbin" + + /* The shell to run if none is given in the user's passwd entry. */ + #define DEFAULT_SHELL "/bin/sh" +-- +1.7.1 + diff --git a/coreutils-8.6-update-man-page-for-pam.diff b/coreutils-8.6-update-man-page-for-pam.diff new file mode 100644 index 0000000..41ecf6e --- /dev/null +++ b/coreutils-8.6-update-man-page-for-pam.diff 
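Review bot: The new `DEFAULT_LOGIN_PATH` in src/su.c lists `/usr/local/bin` ahead of `/bin` and `/usr/bin`, and neither define has a comment saying why the platform's `_PATH_DEFPATH` / `_PATH_DEFPATH_ROOT` are no longer honoured. Dropping the old fallback is sound in itself, since `":/usr/ucb:/bin:/usr/bin"` began with an empty element that is resolved as the current directory. With the new order, though, anything installed in `/usr/local/bin` shadows the system binaries in a simulated login, which matters on hosts where that directory is writable by a non-root group. I would either put the system directories first, `#define DEFAULT_LOGIN_PATH "/bin:/usr/bin:/usr/local/bin"`, or keep the order and record the decision above the define, e.g. `/* Fixed value, not _PATH_DEFPATH; /usr/local/bin first is deliberate. */`. The root PATH leaves `/usr/local` out entirely, which looks intentional and deserves the same kind of comment.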
@@ -0,0 +1,64 @@ +From 13ed7b537ae655c6d67965f1486aa2e3b181e574 Mon Sep 17 00:00:00 2001 +From: Ludwig Nussel +Date: Tue, 17 Aug 2010 08:59:35 +0200 +Subject: [PATCH 2/7] update man page for pam + +--- + doc/coreutils.texi | 34 +++++----------------------------- + 1 files changed, 5 insertions(+), 29 deletions(-) + +diff --git a/doc/coreutils.texi b/doc/coreutils.texi +index 4d17ed1..27681da 100644 +--- a/doc/coreutils.texi ++++ b/doc/coreutils.texi +@@ -15172,8 +15172,11 @@ to certain shells, etc.). + @findex syslog + @command{su} can optionally be compiled to use @code{syslog} to report + failed, and optionally successful, @command{su} attempts. (If the system +-supports @code{syslog}.) However, GNU @command{su} does not check if the +-user is a member of the @code{wheel} group; see below. ++supports @code{syslog}.) ++ ++This version of @command{su} has support for using PAM for ++authentication. You can edit @file{/etc/pam.d/su} resp @file{/etc/pam.d/su-l} ++to customize its behaviour. + + The program accepts the following options. Also see @ref{Common options}. + +@@ -15254,33 +15257,6 @@ Exit status: + the exit status of the subshell otherwise + @end display + +-@cindex wheel group, not supported +-@cindex group wheel, not supported +-@cindex fascism +-@subsection Why GNU @command{su} does not support the @samp{wheel} group +- +-(This section is by Richard Stallman.) +- +-@cindex Twenex +-@cindex MIT AI lab +-Sometimes a few of the users try to hold total power over all the +-rest. For example, in 1984, a few users at the MIT AI lab decided to +-seize power by changing the operator password on the Twenex system and +-keeping it secret from everyone else. (I was able to thwart this coup +-and give power back to the users by patching the kernel, but I +-wouldn't know how to do that in Unix.) +- +-However, occasionally the rulers do tell someone. 
Under the usual +-@command{su} mechanism, once someone learns the root password who +-sympathizes with the ordinary users, he or she can tell the rest. The +-``wheel group'' feature would make this impossible, and thus cement the +-power of the rulers. +- +-I'm on the side of the masses, not that of the rulers. If you are +-used to supporting the bosses and sysadmins in whatever they do, you +-might find this idea strange at first. +- +- + @node timeout invocation + @section @command{timeout}: Run a command with a time limit + +-- +1.7.1 + diff --git a/coreutils.changes b/coreutils.changes index f9c458a..6217bf9 100644 --- a/coreutils.changes +++ b/coreutils.changes @@ -1,3 +1,10 @@ +------------------------------------------------------------------- +Tue Nov 16 10:50:04 UTC 2010 - lnussel@suse.de + +- split pam patch into separate independent files so the main + feature can be shared with other distros +- don't hard require coreutils-lang + ------------------------------------------------------------------- Thu Nov 11 16:33:50 CET 2010 - pth@suse.de diff --git a/coreutils.spec b/coreutils.spec index b968ec0..a4ff8d9 100644 --- a/coreutils.spec +++ b/coreutils.spec 
@@ -44,11 +44,16 @@ Patch5: coreutils-i18n-uninit.patch Patch6: coreutils-i18n-infloop.patch Patch8: coreutils-sysinfo.patch Patch16: coreutils-invalid-ids.patch -Patch20: coreutils-6.8-su.patch -Patch21: coreutils-6.8.0-pie.patch -Patch22: coreutils-5.3.0-sbin4su.patch -Patch23: coreutils-getaddrinfo.patch -Patch24: coreutils-ptr_int_casts.patch +Patch20: coreutils-8.6-pam-support-for-su.diff +Patch21: coreutils-8.6-update-man-page-for-pam.diff +Patch22: coreutils-8.6-log-all-su-attempts.diff +Patch23: coreutils-8.6-set-sane-default-path.diff +Patch24: coreutils-8.6-honor-settings-in-etc-default-su-resp-etc-login.defs.diff +Patch25: coreutils-8.6-make-sure-sbin-resp-usr-sbin-are-in-PATH.diff +# +Patch30: coreutils-8.6-compile-su-with-fpie.diff +Patch31: coreutils-getaddrinfo.patch +Patch32: coreutils-ptr_int_casts.patch BuildRoot: %{_tmppath}/%{name}-%{version}-build PreReq: permissions @@ -114,11 +119,16 @@ Authors: %patch2 %patch8 %patch16 -%patch20 -%patch21 -%patch22 -%patch23 -%patch24 +%patch20 -p1 +%patch21 -p1 +%patch22 -p1 +%patch23 -p1 +%patch24 -p1 +%patch25 -p1 +# +%patch30 -p1 +%patch31 +%patch32 %build AUTOPOINT=true autoreconf -fi @@ -128,7 +138,7 @@ export CFLAGS="%optflags -Wall" gl_cv_func_printf_directive_n=yes \ gl_cv_func_isnanl_works=yes \ DEFAULT_POSIX2_VERSION=199209 -make %{?_smp_mflags} PAMLIBS="-lpam -ldl" V=1 +make %{?_smp_mflags} V=1 #%check #if test $EUID -eq 0; then
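Review bot: In the last hunk (`%build`), removing `PAMLIBS="-lpam -ldl"` from the `make` line leaves PAM linkage entirely to the configure check that `coreutils-8.6-pam-support-for-su.diff` is expected to add, and nothing visible in the spec forces that check to succeed. If the check auto-detects, as the `--disable-pam ... (default=auto)` help text of the removed patch suggests it might, a build root without the PAM headers would produce an `su` that silently takes the `!USE_PAM` `crypt()` path and ignores `/etc/pam.d/su`. I would make the requirement explicit by passing `--enable-pam` on the configure line, provided the new patch makes configure fail when PAM is requested but missing. I would also confirm that `BuildRequires` names the PAM development package. The configure invocation and the `BuildRequires` lines are outside this hunk.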