- Add pam_loginuid-log_write_errors.diff: log significant loginuid

write errors
- pam_xauth-sigpipe.diff: avoid potential SIGPIPE when writing to
  xauth process

OBS-URL: https://build.opensuse.org/package/show/Linux-PAM/pam?expand=0&rev=135

pam.changes

@@ -1,3 +1,11 @@
+-------------------------------------------------------------------
+Mon Jan 27 17:05:11 CET 2014 - kukuk@suse.de
+
+- Add pam_loginuid-log_write_errors.diff: log significant loginuid
+  write errors
+- pam_xauth-sigpipe.diff: avoid potential SIGPIPE when writing to
+  xauth process
+
 -------------------------------------------------------------------
 Mon Jan 27 15:14:34 CET 2014 - kukuk@suse.de
 

pam.spec

@@ -53,6 +53,8 @@ Source8:        etc.environment
 Source9:        baselibs.conf
 Patch0:         fix-man-links.dif
 Patch1:         Linux-PAM-git-20140127.diff
+Patch2:         pam_loginuid-log_write_errors.diff
+Patch3:         pam_xauth-sigpipe.diff
 BuildRoot:      %{_tmppath}/%{name}-%{version}-build
 
 %description
@@ -98,6 +100,8 @@ building both PAM-aware applications and modules for use with PAM.
 %setup -q -n Linux-PAM-%{version} -b 1
 %patch0 -p1
 %patch1 -p2
+%patch2 -p1
+%patch3 -p1
 
 %build
 export CFLAGS="%optflags -DNDEBUG"

pam_loginuid-log_write_errors.diff

@@ -0,0 +1,47 @@
+commit 256b50e1fce2f785f1032a1949dd2d1dbc17e250
+Author: Dmitry V. Levin <ldv@altlinux.org>
+Date:   Sun Jan 19 14:12:59 2014 +0000
+
+    pam_loginuid: log significant loginuid write errors
+    
+    * modules/pam_loginuid/pam_loginuid.c (set_loginuid): Log those errors
+    during /proc/self/loginuid update that are not ignored.
+
+ modules/pam_loginuid/pam_loginuid.c |   12 +++++++++---
+ 1 files changed, 9 insertions(+), 3 deletions(-)
+---
+diff --git a/modules/pam_loginuid/pam_loginuid.c b/modules/pam_loginuid/pam_loginuid.c
+index c476f7b..73c42f9 100644
+--- a/modules/pam_loginuid/pam_loginuid.c
++++ b/modules/pam_loginuid/pam_loginuid.c
+@@ -75,8 +75,8 @@ static int set_loginuid(pam_handle_t *pamh, uid_t uid)
+ 			rc = PAM_IGNORE;
+ 		}
+ 		if (rc != PAM_IGNORE) {
+-			pam_syslog(pamh, LOG_ERR,
+-				   "Cannot open /proc/self/loginuid: %m");
++			pam_syslog(pamh, LOG_ERR, "Cannot open %s: %m",
++				   "/proc/self/loginuid");
+ 		}
+ 		return rc;
+ 	}
+@@ -88,8 +88,14 @@ static int set_loginuid(pam_handle_t *pamh, uid_t uid)
+ 		goto done;	/* already correct */
+ 	}
+ 	if (lseek(fd, 0, SEEK_SET) == 0 && ftruncate(fd, 0) == 0 &&
+-	    pam_modutil_write(fd, loginuid, count) == count)
++	    pam_modutil_write(fd, loginuid, count) == count) {
+ 		rc = PAM_SUCCESS;
++	} else {
++		if (rc != PAM_IGNORE) {
++			pam_syslog(pamh, LOG_ERR, "Error writing %s: %m",
++				   "/proc/self/loginuid");
++		}
++	}
+  done:
+ 	close(fd);
+ 	return rc;
+_______________________________________________
+linux-pam-commits mailing list
+linux-pam-commits@lists.fedorahosted.org
+https://lists.fedorahosted.org/mailman/listinfo/linux-pam-commits

pam_xauth-sigpipe.diff

@@ -0,0 +1,36 @@
+commit 47db675c910a065fa9602753a904b050b0322f29
+Author: Dmitry V. Levin <ldv@altlinux.org>
+Date:   Fri Jan 24 13:38:38 2014 +0000
+
+    pam_xauth: avoid potential SIGPIPE when writing to xauth process
+    
+    Similar issue in pam_unix was fixed by commit Linux-PAM-0-73~8.
+    
+    * modules/pam_xauth/pam_xauth.c (run_coprocess): In the parent process,
+    close the read end of input pipe after writing to its write end.
+
+ modules/pam_xauth/pam_xauth.c |    2 +-
+ 1 files changed, 1 insertions(+), 1 deletions(-)
+---
+diff --git a/modules/pam_xauth/pam_xauth.c b/modules/pam_xauth/pam_xauth.c
+index 7075547..c7ce55a 100644
+--- a/modules/pam_xauth/pam_xauth.c
++++ b/modules/pam_xauth/pam_xauth.c
+@@ -179,12 +179,12 @@ run_coprocess(pam_handle_t *pamh, const char *input, char **output,
+ 	}
+ 
+ 	/* We're the parent, so close the other ends of the pipes. */
+-	close(ipipe[0]);
+ 	close(opipe[1]);
+ 	/* Send input to the process (if we have any), then send an EOF. */
+ 	if (input) {
+ 		(void)pam_modutil_write(ipipe[1], input, strlen(input));
+ 	}
++	close(ipipe[0]); /* close here to avoid possible SIGPIPE above */
+ 	close(ipipe[1]);
+ 
+ 	/* Read data output until we run out of stuff to read. */
+_______________________________________________
+linux-pam-commits mailing list
+linux-pam-commits@lists.fedorahosted.org
+https://lists.fedorahosted.org/mailman/listinfo/linux-pam-commits