From 9e8981cb0426e4da6f91b596fa0b756b4c4dd287df96c0e27e43467195a58788 Mon Sep 17 00:00:00 2001
From: Thorsten Kukuk
Date: Fri, 10 Jan 2014 10:58:11 +0000
Subject: [PATCH] - Add pam_loginuid-part1.diff: Ignore missing /proc/self/loginuid
- Add pam_loginuid-part2.diff: Workaround to run pam_loginuid inside lxc
OBS-URL: https://build.opensuse.org/package/show/Linux-PAM/pam?expand=0&rev=132
---
 pam.changes | 6 +++
 pam.spec | 4 ++
 pam_loginuid-part1.diff | 115 ++++++++++++++++++++++++++++++++++++++++
 pam_loginuid-part2.diff | 74 ++++++++++++++++++++++++++
 4 files changed, 199 insertions(+)
 create mode 100644 pam_loginuid-part1.diff
 create mode 100644 pam_loginuid-part2.diff
diff --git a/pam.changes b/pam.changes
index f838e22..19f76b7 100644
--- a/pam.changes
+++ b/pam.changes
@@ -1,3 +1,9 @@
+-------------------------------------------------------------------
+Fri Jan 10 10:56:24 UTC 2014 - kukuk@suse.com
+
+- Add pam_loginuid-part1.diff: Ignore missing /proc/self/loginuid
+- Add pam_loginuid-part2.diff: Workaround to run pam_loginuid inside lxc
+
 -------------------------------------------------------------------
 Thu Jan 9 17:31:27 CET 2014 - kukuk@suse.de
 
diff --git a/pam.spec b/pam.spec
index 3896347..4a5dcb9 100644
--- a/pam.spec
+++ b/pam.spec
@@ -54,6 +54,8 @@ Source8: etc.environment
 Source9: baselibs.conf
 Patch0: fix-man-links.dif
 Patch1: Linux-PAM-git-20140109.diff
+Patch2: pam_loginuid-part1.diff
+Patch3: pam_loginuid-part2.diff
 BuildRoot: %{_tmppath}/%{name}-%{version}-build
 
 %description
@@ -99,6 +101,8 @@ building both PAM-aware applications and modules for use with PAM.
 %setup -q -n Linux-PAM-%{version} -b 1
 %patch0 -p1
 %patch1 -p2
+%patch2 -p1
+%patch3 -p1
 
 %build
 export CFLAGS="%optflags -DNDEBUG"
diff --git a/pam_loginuid-part1.diff b/pam_loginuid-part1.diff
new file mode 100644
index 0000000..ab621dd
--- /dev/null
+++ b/pam_loginuid-part1.diff
@@ -0,0 +1,115 @@
+commit 5825450540e6620ac331c64345b42fdcbb1d6e87
+Author: Dmitry V. Levin
+Date: Wed Jan 8 15:53:30 2014 -0800
+
+ pam_loginuid: return PAM_IGNORE when /proc/self/loginuid does not exist
+
+ When /proc/self/loginuid does not exist, return PAM_IGNORE instead of
+ PAM_SUCCESS, so that we can distinguish between "loginuid set
+ successfully" and "loginuid not set, but this is expected".
+
+ Suggested by Steve Langasek.
+
+ * modules/pam_loginuid/pam_loginuid.c (set_loginuid): Change return
+ code semantics: return PAM_SUCCESS on success, PAM_IGNORE when loginuid
+ does not exist, PAM_SESSION_ERR in case of any other error.
+ (_pam_loginuid): Forward the PAM error code returned by set_loginuid.
+
+ modules/pam_loginuid/pam_loginuid.c | 43 ++++++++++++++++++++++------------
+ 1 files changed, 28 insertions(+), 15 deletions(-)
+---
+diff --git a/modules/pam_loginuid/pam_loginuid.c b/modules/pam_loginuid/pam_loginuid.c
+index a903845..96f8ffa 100644
+--- a/modules/pam_loginuid/pam_loginuid.c
++++ b/modules/pam_loginuid/pam_loginuid.c
+@@ -47,29 +47,35 @@
+
+ /*
+ * This function writes the loginuid to the /proc system. It returns
+- * 0 on success and 1 on failure.
++ * PAM_SUCCESS on success,
++ * PAM_IGNORE when /proc/self/loginuid does not exist,
++ * PAM_SESSION_ERR in case of any other error.
+ */
+ static int set_loginuid(pam_handle_t *pamh, uid_t uid)
+ {
+- int fd, count, rc = 0;
++ int fd, count, rc = PAM_SESSION_ERR;
+ char loginuid[24], buf[24];
+
+ count = snprintf(loginuid, sizeof(loginuid), "%lu", (unsigned long)uid);
+ fd = open("/proc/self/loginuid", O_NOFOLLOW|O_RDWR);
+ if (fd < 0) {
+- if (errno != ENOENT) {
+- rc = 1;
++ if (errno == ENOENT) {
++ rc = PAM_IGNORE;
++ } else {
+ pam_syslog(pamh, LOG_ERR,
+ "Cannot open /proc/self/loginuid: %m");
+ }
+ return rc;
+ }
++
+ if (pam_modutil_read(fd, buf, sizeof(buf)) == count &&
+- memcmp(buf, loginuid, count) == 0)
++ memcmp(buf, loginuid, count) == 0) {
++ rc = PAM_SUCCESS;
+ goto done; /* already correct */
+- if (lseek(fd, 0, SEEK_SET) == -1 || (ftruncate(fd, 0) == -1 ||
+- pam_modutil_write(fd, loginuid, count) != count))
+- rc = 1;
++ }
++ if (lseek(fd, 0, SEEK_SET) == 0 && ftruncate(fd, 0) == 0 &&
++ pam_modutil_write(fd, loginuid, count) == count)
++ rc = PAM_SUCCESS;
+ done:
+ close(fd);
+ return rc;
+@@ -170,6 +176,7 @@ _pam_loginuid(pam_handle_t *pamh, int flags UNUSED,
+ {
+ const char *user = NULL;
+ struct passwd *pwd;
++ int ret;
+ #ifdef HAVE_LIBAUDIT
+ int require_auditd = 0;
+ #endif
+@@ -188,9 +195,14 @@ _pam_loginuid(pam_handle_t *pamh, int flags UNUSED,
+ return PAM_SESSION_ERR;
+ }
+
+- if (set_loginuid(pamh, pwd->pw_uid)) {
+- pam_syslog(pamh, LOG_ERR, "set_loginuid failed\n");
+- return PAM_SESSION_ERR;
++ ret = set_loginuid(pamh, pwd->pw_uid);
++ switch (ret) {
++ case PAM_SUCCESS:
++ case PAM_IGNORE:
++ break;
++ default:
++ pam_syslog(pamh, LOG_ERR, "set_loginuid failed");
++ return ret;
+ }
+
+ #ifdef HAVE_LIBAUDIT
+@@ -200,11 +212,12 @@ _pam_loginuid(pam_handle_t *pamh, int flags UNUSED,
+ argv++;
+ }
+
+- if (require_auditd)
+- return check_auditd();
+- else
++ if (require_auditd) {
++ int rc = check_auditd();
++ return rc != PAM_SUCCESS ? rc : ret;
++ } else
+ #endif
+- return PAM_SUCCESS;
++ return ret;
+ }
+
+ /*
+_______________________________________________
+linux-pam-commits mailing list
+linux-pam-commits@lists.fedorahosted.org
+https://lists.fedorahosted.org/mailman/listinfo/linux-pam-commits
diff --git a/pam_loginuid-part2.diff b/pam_loginuid-part2.diff
new file mode 100644
index 0000000..0980f1f
--- /dev/null
+++ b/pam_loginuid-part2.diff
@@ -0,0 +1,74 @@
+commit 24f3a88e7de52fbfcb7b8a1ebdae0cdbef420edf
+Author: Stéphane Graber
+Date: Tue Jan 7 16:12:03 2014 -0800
+
+ pam_loginuid: Ignore failure in user namespaces
+
+ When running pam_loginuid in a container using the user namespaces, even
+ uid 0 isn't allowed to set the loginuid property.
+
+ This change catches the EACCES from opening loginuid, checks if the user
+ is in the host namespace (by comparing the uid_map with the host's one)
+ and only if that's the case, sets rc to 1.
+
+ Should uid_map not exist or be unreadable for some reason, it'll be
+ assumed that the process is running on the host's namespace.
+
+ The initial reason behind this change was failure to ssh into an
+ unprivileged container (using a 3.13 kernel and current LXC) when using
+ a standard pam profile for sshd (which requires success from
+ pam_loginuid).
+
+ I believe this solution doesn't have any drawback and will allow people
+ to use unprivileged containers normally. An alternative would be to have
+ all distros set pam_loginuid as optional but that'd be bad for any of
+ the other potential failure case which people may care about.
+
+ There has also been some discussions to get some of the audit features
+ tied with the user namespaces but currently none of that has been merged
+ upstream and the currently proposed implementation doesn't cover
+ loginuid (nor is it clear how this should even work when loginuid is set
+ as immutable after initial write).
+
+ Signed-off-by: Steve Langasek
+ Signed-off-by: Dmitry V. Levin
+
+ modules/pam_loginuid/pam_loginuid.c | 15 ++++++++++++++-
+ 1 files changed, 14 insertions(+), 1 deletions(-)
+---
+diff --git a/modules/pam_loginuid/pam_loginuid.c b/modules/pam_loginuid/pam_loginuid.c
+index 96f8ffa..54ae6f0 100644
+--- a/modules/pam_loginuid/pam_loginuid.c
++++ b/modules/pam_loginuid/pam_loginuid.c
+@@ -55,13 +55,26 @@ static int set_loginuid(pam_handle_t *pamh, uid_t uid)
+ {
+ int fd, count, rc = PAM_SESSION_ERR;
+ char loginuid[24], buf[24];
++ static const char host_uid_map[] = " 0 0 4294967295\n";
++ char uid_map[sizeof(host_uid_map)];
+
+ count = snprintf(loginuid, sizeof(loginuid), "%lu", (unsigned long)uid);
+ fd = open("/proc/self/loginuid", O_NOFOLLOW|O_RDWR);
+ if (fd < 0) {
+ if (errno == ENOENT) {
+ rc = PAM_IGNORE;
+- } else {
++ } else if (errno == EACCES) {
++ fd = open("/proc/self/uid_map", O_RDONLY);
++ if (fd >= 0) {
++ count = pam_modutil_read(fd, uid_map, sizeof(uid_map));
++ if (strncmp(uid_map, host_uid_map, count) != 0)
++ rc = PAM_IGNORE;
++ close(fd);
++ }
++ if (rc != PAM_IGNORE)
++ errno = EACCES;
++ }
++ if (rc != PAM_IGNORE) {
+ pam_syslog(pamh, LOG_ERR,
+ "Cannot open /proc/self/loginuid: %m");
+ }
+_______________________________________________
+linux-pam-commits mailing list
+linux-pam-commits@lists.fedorahosted.org
+https://lists.fedorahosted.org/mailman/listinfo/linux-pam-commits
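Review bot: The rewritten write path in set_loginuid (`if (lseek(fd, 0, SEEK_SET) == 0 && ftruncate(fd, 0) == 0 && pam_modutil_write(fd, loginuid, count) == count) rc = PAM_SUCCESS;`) leaves rc at PAM_SESSION_ERR when any of the three calls fails but logs nothing at that point, and by the time _pam_loginuid emits its generic "set_loginuid failed" the close(fd) under done: may already have overwritten errno, so the operator cannot tell which call failed or why. Since this hunk restructures that condition, it is the natural place to add an else branch before the done: label: `else pam_syslog(pamh, LOG_ERR, "Cannot write /proc/self/loginuid: %m");`. The ENOENT branch already logs nothing deliberately because PAM_IGNORE is the expected outcome, so a one-line comment there, `/* no loginuid support in this kernel: let the stack treat the module as absent */`, would make the asymmetry intentional rather than accidental. The closing brace of set_loginuid and the body of _pam_loginuid between the hunks lie outside this patch.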
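Review bot: The new EACCES branch passes the result of `pam_modutil_read(fd, uid_map, sizeof(uid_map))` straight into `strncmp(uid_map, host_uid_map, count)` without checking it; a failed read yields a negative count, which converts to a very large size_t while uid_map is still uninitialised, so the comparison reads indeterminate bytes and can set rc to PAM_IGNORE on the host, which makes a `session required pam_loginuid.so` stack silently skip the module instead of failing. Guarding the comparison, `if (count > 0 && strncmp(uid_map, host_uid_map, count) != 0)`, keeps the documented fallback (an unreadable uid_map is treated as the host) and leaves rc at PAM_SESSION_ERR. Note also that only the `count` bytes actually read are compared, so a uid_map that is a strict prefix of host_uid_map is accepted as the host; a short comment stating that the check is intentionally prefix-based would help the next reader. The remainder of set_loginuid, including its return, is outside this hunk.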