- Update to current git (Linux-PAM-git-20140109.diff, which

replaces pam_unix.diff and encryption_method_nis.diff)
  - pam_access: fix debug level logging
  - pam_warn: log flags passed to the module
  - pam_securetty: check return value of fgets
  - pam_lastlog: fix format string
  - pam_loginuid: If the correct loginuid is already set, skip writing it

OBS-URL: https://build.opensuse.org/package/show/Linux-PAM/pam?expand=0&rev=131
Thorsten Kukuk 2014-01-09 16:43:05 +00:00 committed by Git OBS Bridge
parent 29c9d812b8
commit 33a265dc7c
5 changed files with 282 additions and 119 deletions

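--- a/Linux-PAM-git-20140109.diff
+++ b/Linux-PAM-git-20140109.diff
@@ -0,0 +1,268 @@
+--- old/Linux-PAM-1.1.8/modules/pam_access/pam_access.c 2013-06-18 16:11:21.000000000 +0200
++++ new/linux-pam-1.1.8/modules/pam_access/pam_access.c 2014-01-09 16:28:39.000000000 +0100
+@@ -573,7 +573,7 @@
+if (debug)
+pam_syslog (pamh, LOG_DEBUG,
+- "group_match: grp=%s, user=%s", grptok, usr);
++ "group_match: grp=%s, user=%s", tok, usr);
+if (strlen(tok) < 3)
+return NO;
+--- old/Linux-PAM-1.1.8/modules/pam_lastlog/pam_lastlog.c 2013-06-18 16:11:21.000000000 +0200
++++ new/linux-pam-1.1.8/modules/pam_lastlog/pam_lastlog.c 2013-11-28 11:37:54.000000000 +0100
+@@ -628,7 +628,8 @@
+lltime = (time(NULL) - lltime) / (24*60*60);
+if (lltime > inactive_days) {
+- pam_syslog(pamh, LOG_INFO, "user %s inactive for %d days - denied", user, lltime);
++ pam_syslog(pamh, LOG_INFO, "user %s inactive for %ld days - denied",
++ user, (long) lltime);
+return PAM_AUTH_ERR;
+}
+--- old/Linux-PAM-1.1.8/modules/pam_loginuid/pam_loginuid.c 2013-06-18 16:11:21.000000000 +0200
++++ new/linux-pam-1.1.8/modules/pam_loginuid/pam_loginuid.c 2013-11-28 11:37:54.000000000 +0100
+@@ -52,10 +52,10 @@
+static int set_loginuid(pam_handle_t *pamh, uid_t uid)
+{
+int fd, count, rc = 0;
+- char loginuid[24];
++ char loginuid[24], buf[24];
+count = snprintf(loginuid, sizeof(loginuid), "%lu", (unsigned long)uid);
+- fd = open("/proc/self/loginuid", O_NOFOLLOW|O_WRONLY|O_TRUNC);
++ fd = open("/proc/self/loginuid", O_NOFOLLOW|O_RDWR);
+if (fd < 0) {
+if (errno != ENOENT) {
+rc = 1;
+@@ -64,8 +64,13 @@
+}
+return rc;
+}
+- if (pam_modutil_write(fd, loginuid, count) != count)
++ if (pam_modutil_read(fd, buf, sizeof(buf)) == count &&
++ memcmp(buf, loginuid, count) == 0)
++ goto done; /* already correct */
++ if (lseek(fd, 0, SEEK_SET) == -1 || (ftruncate(fd, 0) == -1 ||
++ pam_modutil_write(fd, loginuid, count) != count))
+rc = 1;
++ done:
+close(fd);
+return rc;
+}
+--- old/Linux-PAM-1.1.8/modules/pam_securetty/pam_securetty.c 2013-06-18 16:11:21.000000000 +0200
++++ new/linux-pam-1.1.8/modules/pam_securetty/pam_securetty.c 2013-11-28 11:37:54.000000000 +0100
+@@ -159,11 +159,10 @@
+if (cmdlinefile != NULL) {
+char line[LINE_MAX], *p;
+- line[0] = 0;
+- fgets(line, sizeof(line), cmdlinefile);
++ p = fgets(line, sizeof(line), cmdlinefile);
+fclose(cmdlinefile);
+- for (p = line; p; p = strstr(p+1, "console=")) {
++ for (; p; p = strstr(p+1, "console=")) {
+char *e;
+/* Test whether this is a beginning of a word? */
+--- old/Linux-PAM-1.1.8/modules/pam_unix/pam_unix_passwd.c 2013-09-16 11:09:47.000000000 +0200
++++ new/linux-pam-1.1.8/modules/pam_unix/pam_unix_passwd.c 2013-11-12 13:05:47.000000000 +0100
+@@ -614,7 +614,8 @@
+if (_unix_blankpasswd(pamh, ctrl, user)) {
+return PAM_SUCCESS;
+- } else if (off(UNIX__IAMROOT, ctrl)) {
++ } else if (off(UNIX__IAMROOT, ctrl) ||
++ (on(UNIX_NIS, ctrl) && _unix_comesfromsource(pamh, user, 0, 1))) {
+/* instruct user what is happening */
+if (asprintf(&Announce, _("Changing password for %s."),
+user) < 0) {
+@@ -795,6 +796,29 @@
+* rebuild the password database file.
+*/
++
++ /* if it is a NIS account, check for special hash algo */
++ if (on(UNIX_NIS, ctrl) && _unix_comesfromsource(pamh, user, 0, 1)) {
++ /* preset encryption method with value from /etc/login.defs */
++ int j;
++ char *val = _unix_search_key ("ENCRYPT_METHOD_NIS", LOGIN_DEFS);
++ if (val) {
++ for (j = 0; j < UNIX_CTRLS_; ++j) {
++ if (unix_args[j].token && unix_args[j].is_hash_algo
++ && !strncasecmp(val, unix_args[j].token, strlen(unix_args[j].token))) {
++ break;
++ }
++ }
++ if (j >= UNIX_CTRLS_) {
++ pam_syslog(pamh, LOG_WARNING, "unrecognized ENCRYPT_METHOD_NIS value [%s]", val);
++ } else {
++ ctrl &= unix_args[j].mask; /* for turning things off */
++ ctrl |= unix_args[j].flag; /* for turning things on */
++ }
++ free (val);
++ }
++ }
++
+/*
+* First we encrypt the new password.
+*/
+--- old/Linux-PAM-1.1.8/modules/pam_unix/README 2013-09-19 10:02:20.000000000 +0200
++++ new/linux-pam-1.1.8/modules/pam_unix/README 2014-01-09 16:29:02.000000000 +0100
+@@ -36,7 +36,8 @@
+The password component of this module performs the task of updating the user's
+password. The default encryption hash is taken from the ENCRYPT_METHOD variable
+-from /etc/login.defs
++from /etc/login.defs. For NIS accounts, the ENCRYPT_METHOD_NIS variable from /
++etc/login.defs is preferred.
+The session component of this module logs when a user logins or leave the
+system.
+--- old/Linux-PAM-1.1.8/modules/pam_unix/support.c 2013-09-16 11:11:51.000000000 +0200
++++ new/linux-pam-1.1.8/modules/pam_unix/support.c 2013-11-12 13:05:24.000000000 +0100
+@@ -37,8 +37,8 @@
+#define SELINUX_ENABLED 0
+#endif
+-static char *
+-search_key (const char *key, const char *filename)
++char *
++_unix_search_key (const char *key, const char *filename)
+{
+FILE *fp;
+char *buf = NULL;
+@@ -159,7 +159,7 @@
+}
+/* preset encryption method with value from /etc/login.defs */
+- val = search_key ("ENCRYPT_METHOD", LOGIN_DEFS);
++ val = _unix_search_key ("ENCRYPT_METHOD", LOGIN_DEFS);
+if (val) {
+for (j = 0; j < UNIX_CTRLS_; ++j) {
+if (unix_args[j].token && unix_args[j].is_hash_algo
+@@ -177,7 +177,7 @@
+/* read number of rounds for crypt algo */
+if (rounds && (on(UNIX_SHA256_PASS, ctrl) || on(UNIX_SHA512_PASS, ctrl))) {
+- val=search_key ("SHA_CRYPT_MAX_ROUNDS", LOGIN_DEFS);
++ val=_unix_search_key ("SHA_CRYPT_MAX_ROUNDS", LOGIN_DEFS);
+if (val) {
+*rounds = strtol(val, NULL, 10);
+--- old/Linux-PAM-1.1.8/modules/pam_unix/support.h 2013-06-18 16:24:05.000000000 +0200
++++ new/linux-pam-1.1.8/modules/pam_unix/support.h 2013-11-12 13:05:04.000000000 +0100
+@@ -97,8 +97,9 @@
+password hash algorithms */
+#define UNIX_BLOWFISH_PASS 26 /* new password hashes will use blowfish */
+#define UNIX_MIN_PASS_LEN 27 /* min length for password */
++#define UNIX_DES 28 /* DES, default */
+/* -------------- */
+-#define UNIX_CTRLS_ 28 /* number of ctrl arguments defined */
++#define UNIX_CTRLS_ 29 /* number of ctrl arguments defined */
+#define UNIX_DES_CRYPT(ctrl) (off(UNIX_MD5_PASS,ctrl)&&off(UNIX_BIGCRYPT,ctrl)&&off(UNIX_SHA256_PASS,ctrl)&&off(UNIX_SHA512_PASS,ctrl)&&off(UNIX_BLOWFISH_PASS,ctrl))
+@@ -135,6 +136,7 @@
+/* UNIX_ALGO_ROUNDS */ {"rounds=", _ALL_ON_, 0100000000, 0},
+/* UNIX_BLOWFISH_PASS */ {"blowfish", _ALL_ON_^(0260420000), 0200000000, 1},
+/* UNIX_MIN_PASS_LEN */ {"minlen=", _ALL_ON_, 0400000000, 0},
++/* UNIX_DES */ {"des", _ALL_ON_^(0260420000), 0, 1},
+};
+#define UNIX_DEFAULTS (unix_args[UNIX__NONULL].flag)
+@@ -172,4 +174,5 @@
+extern int _unix_run_verify_binary(pam_handle_t *pamh,
+unsigned int ctrl, const char *user, int *daysleft);
++extern char *_unix_search_key(const char *key, const char *filename);
+#endif /* _PAM_UNIX_SUPPORT_H */
+--- old/Linux-PAM-1.1.8/modules/pam_warn/pam_warn.c 2013-06-18 16:11:21.000000000 +0200
++++ new/linux-pam-1.1.8/modules/pam_warn/pam_warn.c 2013-11-28 11:37:54.000000000 +0100
+@@ -33,7 +33,7 @@
+value = value ? value : default_value ; \
+} while (0)
+-static void log_items(pam_handle_t *pamh, const char *function)
++static void log_items(pam_handle_t *pamh, const char *function, int flags)
+{
+const void *service=NULL, *user=NULL, *terminal=NULL,
+*rhost=NULL, *ruser=NULL;
+@@ -45,8 +45,8 @@
+OBTAIN(PAM_RHOST, rhost, "<unknown>");
+pam_syslog(pamh, LOG_NOTICE,
+- "function=[%s] service=[%s] terminal=[%s] user=[%s]"
+- " ruser=[%s] rhost=[%s]\n", function,
++ "function=[%s] flags=%#x service=[%s] terminal=[%s] user=[%s]"
++ " ruser=[%s] rhost=[%s]\n", function, flags,
+(const char *) service, (const char *) terminal,
+(const char *) user, (const char *) ruser,
+(const char *) rhost);
+@@ -55,52 +55,52 @@
+/* --- authentication management functions (only) --- */
+PAM_EXTERN
+-int pam_sm_authenticate(pam_handle_t *pamh, int flags UNUSED,
++int pam_sm_authenticate(pam_handle_t *pamh, int flags,
+int argc UNUSED, const char **argv UNUSED)
+{
+- log_items(pamh, __FUNCTION__);
++ log_items(pamh, __FUNCTION__, flags);
+return PAM_IGNORE;
+}
+PAM_EXTERN
+-int pam_sm_setcred(pam_handle_t *pamh, int flags UNUSED,
++int pam_sm_setcred(pam_handle_t *pamh, int flags,
+int argc UNUSED, const char **argv UNUSED)
+{
+- log_items(pamh, __FUNCTION__);
++ log_items(pamh, __FUNCTION__, flags);
+return PAM_IGNORE;
+}
+/* password updating functions */
+PAM_EXTERN
+-int pam_sm_chauthtok(pam_handle_t *pamh, int flags UNUSED,
++int pam_sm_chauthtok(pam_handle_t *pamh, int flags,
+int argc UNUSED, const char **argv UNUSED)
+{
+- log_items(pamh, __FUNCTION__);
++ log_items(pamh, __FUNCTION__, flags);
+return PAM_IGNORE;
+}
+PAM_EXTERN int
+-pam_sm_acct_mgmt(pam_handle_t *pamh, int flags UNUSED,
++pam_sm_acct_mgmt(pam_handle_t *pamh, int flags,
+int argc UNUSED, const char **argv UNUSED)
+{
+- log_items(pamh, __FUNCTION__);
++ log_items(pamh, __FUNCTION__, flags);
+return PAM_IGNORE;
+}
+PAM_EXTERN int
+-pam_sm_open_session(pam_handle_t *pamh, int flags UNUSED,
++pam_sm_open_session(pam_handle_t *pamh, int flags,
+int argc UNUSED, const char **argv UNUSED)
+{
+- log_items(pamh, __FUNCTION__);
++ log_items(pamh, __FUNCTION__, flags);
+return PAM_IGNORE;
+}
+PAM_EXTERN int
+-pam_sm_close_session(pam_handle_t *pamh, int flags UNUSED,
++pam_sm_close_session(pam_handle_t *pamh, int flags,
+int argc UNUSED, const char **argv UNUSED)
+{
+- log_items(pamh, __FUNCTION__);
++ log_items(pamh, __FUNCTION__, flags);
+return PAM_IGNORE;
+}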
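Review bot: The ENCRYPT_METHOD_NIS block added to pam_sm_chauthtok in the pam_unix_passwd.c hunk `@@ -795,6 +796,29 @@` re-implements the token-matching loop that `_set_ctrl` in support.c already runs for ENCRYPT_METHOD (only the loop head is visible in the support.c hunk), so the two lookups can drift apart; both rely on a prefix match, `strncasecmp(val, unix_args[j].token, strlen(unix_args[j].token))`, which also accepts any value that merely begins with a known token. Moving the search into one helper in support.c, declared in support.h next to `_unix_search_key`, lets the NIS block shrink to `int j = _unix_hash_algo_index(val);` with `if (j < 0)` in place of `if (j >= UNIX_CTRLS_)`, and gives `_set_ctrl` the same call. The README addition also leaves the fallback undocumented: from the code, an unset ENCRYPT_METHOD_NIS keeps whatever ENCRYPT_METHOD selected, an unrecognised value only logs a warning, and the new `des` table entry (mask clears the other hash bits, flag 0, is_hash_algo set) is honoured by both lookups, which pins the affected accounts to traditional DES crypt; a sentence such as `If ENCRYPT_METHOD_NIS is unset or not recognised, the ENCRYPT_METHOD value applies; DES is accepted but is the weakest hash available.` would cover that. pam_sm_chauthtok and _set_ctrl both start and end outside their hunks.
```c
/* support.c: index into unix_args of the hash-algorithm token that val
 * names (case-insensitive prefix match, as the ENCRYPT_METHOD lookup in
 * _set_ctrl already does), or -1 when no hash-algorithm token matches. */
int
_unix_hash_algo_index(const char *val)
{
	int j;

	for (j = 0; j < UNIX_CTRLS_; ++j) {
		if (unix_args[j].token && unix_args[j].is_hash_algo
		    && !strncasecmp(val, unix_args[j].token, strlen(unix_args[j].token)))
			return j;
	}
	return -1;
}
/* … unchanged: _unix_search_key and the rest of support.c … */
```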


@ -1,77 +0,0 @@
diff --git a/modules/pam_unix/pam_unix_passwd.c b/modules/pam_unix/pam_unix_passwd.c
index 0cfc0f4..2239206 100644
--- a/modules/pam_unix/pam_unix_passwd.c
+++ b/modules/pam_unix/pam_unix_passwd.c
@@ -796,6 +796,29 @@ pam_sm_chauthtok(pam_handle_t *pamh, int flags, int argc, const char **argv)
* rebuild the password database file.
*/
+
+ /* if it is a NIS account, check for special hash algo */
+ if (on(UNIX_NIS, ctrl) && _unix_comesfromsource(pamh, user, 0, 1)) {
+ /* preset encryption method with value from /etc/login.defs */
+ int j;
+ char *val = _unix_search_key ("ENCRYPT_METHOD_NIS", LOGIN_DEFS);
+ if (val) {
+ for (j = 0; j < UNIX_CTRLS_; ++j) {
+ if (unix_args[j].token && unix_args[j].is_hash_algo
+ && !strncasecmp(val, unix_args[j].token, strlen(unix_args[j].token))) {
+ break;
+ }
+ }
+ if (j >= UNIX_CTRLS_) {
+ pam_syslog(pamh, LOG_WARNING, "unrecognized ENCRYPT_METHOD_NIS value [%s]", val);
+ } else {
+ ctrl &= unix_args[j].mask; /* for turning things off */
+ ctrl |= unix_args[j].flag; /* for turning things on */
+ }
+ free (val);
+ }
+ }
+
/*
* First we encrypt the new password.
*/
diff --git a/modules/pam_unix/support.c b/modules/pam_unix/support.c
index 19d72e6..dafa9f0 100644
--- a/modules/pam_unix/support.c
+++ b/modules/pam_unix/support.c
@@ -37,8 +37,8 @@
#define SELINUX_ENABLED 0
#endif
-static char *
-search_key (const char *key, const char *filename)
+char *
+_unix_search_key (const char *key, const char *filename)
{
FILE *fp;
char *buf = NULL;
@@ -159,7 +159,7 @@ int _set_ctrl(pam_handle_t *pamh, int flags, int *remember, int *rounds,
}
/* preset encryption method with value from /etc/login.defs */
- val = search_key ("ENCRYPT_METHOD", LOGIN_DEFS);
+ val = _unix_search_key ("ENCRYPT_METHOD", LOGIN_DEFS);
if (val) {
for (j = 0; j < UNIX_CTRLS_; ++j) {
if (unix_args[j].token && unix_args[j].is_hash_algo
@@ -177,7 +177,7 @@ int _set_ctrl(pam_handle_t *pamh, int flags, int *remember, int *rounds,
/* read number of rounds for crypt algo */
if (rounds && (on(UNIX_SHA256_PASS, ctrl) || on(UNIX_SHA512_PASS, ctrl))) {
- val=search_key ("SHA_CRYPT_MAX_ROUNDS", LOGIN_DEFS);
+ val=_unix_search_key ("SHA_CRYPT_MAX_ROUNDS", LOGIN_DEFS);
if (val) {
*rounds = strtol(val, NULL, 10);
diff --git a/modules/pam_unix/support.h b/modules/pam_unix/support.h
index 6f5b2eb..a35a8a8 100644
--- a/modules/pam_unix/support.h
+++ b/modules/pam_unix/support.h
@@ -174,4 +174,5 @@ extern int _unix_read_password(pam_handle_t * pamh
extern int _unix_run_verify_binary(pam_handle_t *pamh,
unsigned int ctrl, const char *user, int *daysleft);
+extern char *_unix_search_key(const char *key, const char *filename);
#endif /* _PAM_UNIX_SUPPORT_H */


@ -1,3 +1,14 @@
-------------------------------------------------------------------
Thu Jan 9 17:31:27 CET 2014 - kukuk@suse.de
- Update to current git (Linux-PAM-git-20140109.diff, which
replaces pam_unix.diff and encryption_method_nis.diff)
- pam_access: fix debug level logging
- pam_warn: log flags passed to the module
- pam_securetty: check return value of fgets
- pam_lastlog: fix format string
- pam_loginuid: If the correct loginuid is already set, skip writing it
-------------------------------------------------------------------
Fri Nov 29 20:25:32 UTC 2013 - schwab@linux-m68k.org


@ -1,7 +1,7 @@
#
# spec file for package pam
#
# Copyright (c) 2013 SUSE LINUX Products GmbH, Nuernberg, Germany.
# Copyright (c) 2014 SUSE LINUX Products GmbH, Nuernberg, Germany.
#
# All modifications and additions to the file contributed by third parties
# remain the property of their copyright owners, unless otherwise agreed
@ -53,8 +53,7 @@ Source7: common-session.pamd
Source8: etc.environment
Source9: baselibs.conf
Patch0: fix-man-links.dif
Patch1: pam_unix.diff
Patch2: encryption_method_nis.diff
Patch1: Linux-PAM-git-20140109.diff
BuildRoot: %{_tmppath}/%{name}-%{version}-build
%description
@ -99,8 +98,7 @@ building both PAM-aware applications and modules for use with PAM.
%prep
%setup -q -n Linux-PAM-%{version} -b 1
%patch0 -p1
%patch1 -p1
%patch2 -p1
%patch1 -p2
%build
export CFLAGS="%optflags -DNDEBUG"


@ -1,37 +0,0 @@
diff --git a/modules/pam_unix/support.h b/modules/pam_unix/support.h
index 6575938..6f5b2eb 100644
--- a/modules/pam_unix/support.h
+++ b/modules/pam_unix/support.h
@@ -97,8 +97,9 @@ typedef struct {
password hash algorithms */
#define UNIX_BLOWFISH_PASS 26 /* new password hashes will use blowfish */
#define UNIX_MIN_PASS_LEN 27 /* min length for password */
+#define UNIX_DES 28 /* DES, default */
/* -------------- */
-#define UNIX_CTRLS_ 28 /* number of ctrl arguments defined */
+#define UNIX_CTRLS_ 29 /* number of ctrl arguments defined */
#define UNIX_DES_CRYPT(ctrl) (off(UNIX_MD5_PASS,ctrl)&&off(UNIX_BIGCRYPT,ctrl)&&off(UNIX_SHA256_PASS,ctrl)&&off(UNIX_SHA512_PASS,ctrl)&&off(UNIX_BLOWFISH_PASS,ctrl))
@@ -135,6 +136,7 @@ static const UNIX_Ctrls unix_args[UNIX_CTRLS_] =
/* UNIX_ALGO_ROUNDS */ {"rounds=", _ALL_ON_, 0100000000, 0},
/* UNIX_BLOWFISH_PASS */ {"blowfish", _ALL_ON_^(0260420000), 0200000000, 1},
/* UNIX_MIN_PASS_LEN */ {"minlen=", _ALL_ON_, 0400000000, 0},
+/* UNIX_DES */ {"des", _ALL_ON_^(0260420000), 0, 1},
};
#define UNIX_DEFAULTS (unix_args[UNIX__NONULL].flag)
diff --git a/modules/pam_unix/pam_unix_passwd.c b/modules/pam_unix/pam_unix_passwd.c
index 9aae3b0..d5f2540 100644
--- a/modules/pam_unix/pam_unix_passwd.c
+++ b/modules/pam_unix/pam_unix_passwd.c
@@ -614,7 +614,8 @@ pam_sm_chauthtok(pam_handle_t *pamh, int flags, int argc, const char **argv)
if (_unix_blankpasswd(pamh, ctrl, user)) {
return PAM_SUCCESS;
- } else if (off(UNIX__IAMROOT, ctrl)) {
+ } else if (off(UNIX__IAMROOT, ctrl) ||
+ (on(UNIX_NIS, ctrl) && _unix_comesfromsource(pamh, user, 0, 1))) {
/* instruct user what is happening */
if (asprintf(&Announce, _("Changing password for %s."),
user) < 0) {