- Add pam_loginuid-part1.diff: Ignore missing /proc/self/loginuid

- Add pam_loginuid-part2.diff: Workaround to run pam_loginuid inside lxc

OBS-URL: https://build.opensuse.org/package/show/Linux-PAM/pam?expand=0&rev=132

pam.changes

@@ -1,3 +1,9 @@
+-------------------------------------------------------------------
+Fri Jan 10 10:56:24 UTC 2014 - kukuk@suse.com
+
+- Add pam_loginuid-part1.diff: Ignore missing /proc/self/loginuid
+- Add pam_loginuid-part2.diff: Workaround to run pam_loginuid inside lxc
+
 -------------------------------------------------------------------
 Thu Jan  9 17:31:27 CET 2014 - kukuk@suse.de
 

pam.spec

@@ -54,6 +54,8 @@ Source8:        etc.environment
 Source9:        baselibs.conf
 Patch0:         fix-man-links.dif
 Patch1:         Linux-PAM-git-20140109.diff
+Patch2:         pam_loginuid-part1.diff
+Patch3:         pam_loginuid-part2.diff
 BuildRoot:      %{_tmppath}/%{name}-%{version}-build
 
 %description
@@ -99,6 +101,8 @@ building both PAM-aware applications and modules for use with PAM.
 %setup -q -n Linux-PAM-%{version} -b 1
 %patch0 -p1
 %patch1 -p2
+%patch2 -p1
+%patch3 -p1
 
 %build
 export CFLAGS="%optflags -DNDEBUG"

pam_loginuid-part1.diff

@@ -0,0 +1,115 @@
+commit 5825450540e6620ac331c64345b42fdcbb1d6e87
+Author: Dmitry V. Levin <ldv@altlinux.org>
+Date:   Wed Jan 8 15:53:30 2014 -0800
+
+    pam_loginuid: return PAM_IGNORE when /proc/self/loginuid does not exist
+    
+    When /proc/self/loginuid does not exist, return PAM_IGNORE instead of
+    PAM_SUCCESS, so that we can distinguish between "loginuid set
+    successfully" and "loginuid not set, but this is expected".
+    
+    Suggested by Steve Langasek.
+    
+    * modules/pam_loginuid/pam_loginuid.c (set_loginuid): Change return
+    code semantics: return PAM_SUCCESS on success, PAM_IGNORE when loginuid
+    does not exist, PAM_SESSION_ERR in case of any other error.
+    (_pam_loginuid): Forward the PAM error code returned by set_loginuid.
+
+ modules/pam_loginuid/pam_loginuid.c |   43 ++++++++++++++++++++++------------
+ 1 files changed, 28 insertions(+), 15 deletions(-)
+---
+diff --git a/modules/pam_loginuid/pam_loginuid.c b/modules/pam_loginuid/pam_loginuid.c
+index a903845..96f8ffa 100644
+--- a/modules/pam_loginuid/pam_loginuid.c
++++ b/modules/pam_loginuid/pam_loginuid.c
+@@ -47,29 +47,35 @@
+ 
+ /*
+  * This function writes the loginuid to the /proc system. It returns
+- * 0 on success and 1 on failure.
++ * PAM_SUCCESS on success,
++ * PAM_IGNORE when /proc/self/loginuid does not exist,
++ * PAM_SESSION_ERR in case of any other error.
+  */
+ static int set_loginuid(pam_handle_t *pamh, uid_t uid)
+ {
+-	int fd, count, rc = 0;
++	int fd, count, rc = PAM_SESSION_ERR;
+ 	char loginuid[24], buf[24];
+ 
+ 	count = snprintf(loginuid, sizeof(loginuid), "%lu", (unsigned long)uid);
+ 	fd = open("/proc/self/loginuid", O_NOFOLLOW|O_RDWR);
+ 	if (fd < 0) {
+-		if (errno != ENOENT) {
+-			rc = 1;
++		if (errno == ENOENT) {
++			rc = PAM_IGNORE;
++		} else {
+ 			pam_syslog(pamh, LOG_ERR,
+ 				   "Cannot open /proc/self/loginuid: %m");
+ 		}
+ 		return rc;
+ 	}
++
+ 	if (pam_modutil_read(fd, buf, sizeof(buf)) == count &&
+-	    memcmp(buf, loginuid, count) == 0)
++	    memcmp(buf, loginuid, count) == 0) {
++		rc = PAM_SUCCESS;
+ 		goto done;	/* already correct */
+-	if (lseek(fd, 0, SEEK_SET) == -1 || (ftruncate(fd, 0) == -1 ||
+-	    pam_modutil_write(fd, loginuid, count) != count))
+-		rc = 1;
++	}
++	if (lseek(fd, 0, SEEK_SET) == 0 && ftruncate(fd, 0) == 0 &&
++	    pam_modutil_write(fd, loginuid, count) == count)
++		rc = PAM_SUCCESS;
+  done:
+ 	close(fd);
+ 	return rc;
+@@ -170,6 +176,7 @@ _pam_loginuid(pam_handle_t *pamh, int flags UNUSED,
+ {
+         const char *user = NULL;
+ 	struct passwd *pwd;
++	int ret;
+ #ifdef HAVE_LIBAUDIT
+ 	int require_auditd = 0;
+ #endif
+@@ -188,9 +195,14 @@ _pam_loginuid(pam_handle_t *pamh, int flags UNUSED,
+ 		return PAM_SESSION_ERR;
+ 	}
+ 
+-	if (set_loginuid(pamh, pwd->pw_uid)) {
+-		pam_syslog(pamh, LOG_ERR, "set_loginuid failed\n");
+-		return PAM_SESSION_ERR;
++	ret = set_loginuid(pamh, pwd->pw_uid);
++	switch (ret) {
++		case PAM_SUCCESS:
++		case PAM_IGNORE:
++			break;
++		default:
++			pam_syslog(pamh, LOG_ERR, "set_loginuid failed");
++			return ret;
+ 	}
+ 
+ #ifdef HAVE_LIBAUDIT
+@@ -200,11 +212,12 @@ _pam_loginuid(pam_handle_t *pamh, int flags UNUSED,
+ 		argv++;
+ 	}
+ 
+-	if (require_auditd)
+-		return check_auditd();
+-	else
++	if (require_auditd) {
++		int rc = check_auditd();
++		return rc != PAM_SUCCESS ? rc : ret;
++	} else
+ #endif
+-		return PAM_SUCCESS;
++		return ret;
+ }
+ 
+ /*
+_______________________________________________
+linux-pam-commits mailing list
+linux-pam-commits@lists.fedorahosted.org
+https://lists.fedorahosted.org/mailman/listinfo/linux-pam-commits

pam_loginuid-part2.diff

@@ -0,0 +1,74 @@
+commit 24f3a88e7de52fbfcb7b8a1ebdae0cdbef420edf
+Author: Stéphane Graber <stgraber@ubuntu.com>
+Date:   Tue Jan 7 16:12:03 2014 -0800
+
+    pam_loginuid: Ignore failure in user namespaces
+    
+    When running pam_loginuid in a container using the user namespaces, even
+    uid 0 isn't allowed to set the loginuid property.
+    
+    This change catches the EACCES from opening loginuid, checks if the user
+    is in the host namespace (by comparing the uid_map with the host's one)
+    and only if that's the case, sets rc to 1.
+    
+    Should uid_map not exist or be unreadable for some reason, it'll be
+    assumed that the process is running on the host's namespace.
+    
+    The initial reason behind this change was failure to ssh into an
+    unprivileged container (using a 3.13 kernel and current LXC) when using
+    a standard pam profile for sshd (which requires success from
+    pam_loginuid).
+    
+    I believe this solution doesn't have any drawback and will allow people
+    to use unprivileged containers normally. An alternative would be to have
+    all distros set pam_loginuid as optional but that'd be bad for any of
+    the other potential failure case which people may care about.
+    
+    There has also been some discussions to get some of the audit features
+    tied with the user namespaces but currently none of that has been merged
+    upstream and the currently proposed implementation doesn't cover
+    loginuid (nor is it clear how this should even work when loginuid is set
+    as immutable after initial write).
+    
+    Signed-off-by: Steve Langasek <vorlon@debian.org>
+    Signed-off-by: Dmitry V. Levin <ldv@altlinux.org>
+
+ modules/pam_loginuid/pam_loginuid.c |   15 ++++++++++++++-
+ 1 files changed, 14 insertions(+), 1 deletions(-)
+---
+diff --git a/modules/pam_loginuid/pam_loginuid.c b/modules/pam_loginuid/pam_loginuid.c
+index 96f8ffa..54ae6f0 100644
+--- a/modules/pam_loginuid/pam_loginuid.c
++++ b/modules/pam_loginuid/pam_loginuid.c
+@@ -55,13 +55,26 @@ static int set_loginuid(pam_handle_t *pamh, uid_t uid)
+ {
+ 	int fd, count, rc = PAM_SESSION_ERR;
+ 	char loginuid[24], buf[24];
++	static const char host_uid_map[] = "         0          0 4294967295\n";
++	char uid_map[sizeof(host_uid_map)];
+ 
+ 	count = snprintf(loginuid, sizeof(loginuid), "%lu", (unsigned long)uid);
+ 	fd = open("/proc/self/loginuid", O_NOFOLLOW|O_RDWR);
+ 	if (fd < 0) {
+ 		if (errno == ENOENT) {
+ 			rc = PAM_IGNORE;
+-		} else {
++		} else if (errno == EACCES) {
++			fd = open("/proc/self/uid_map", O_RDONLY);
++			if (fd >= 0) {
++				count = pam_modutil_read(fd, uid_map, sizeof(uid_map));
++				if (strncmp(uid_map, host_uid_map, count) != 0)
++					rc = PAM_IGNORE;
++				close(fd);
++			}
++			if (rc != PAM_IGNORE)
++				errno = EACCES;
++		}
++		if (rc != PAM_IGNORE) {
+ 			pam_syslog(pamh, LOG_ERR,
+ 				   "Cannot open /proc/self/loginuid: %m");
+ 		}
+_______________________________________________
+linux-pam-commits mailing list
+linux-pam-commits@lists.fedorahosted.org
+https://lists.fedorahosted.org/mailman/listinfo/linux-pam-commits