Accepting request 840210 from Linux-PAM
OBS-URL: https://build.opensuse.org/request/show/840210 OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/pam?expand=0&rev=103
commit
e304469c62
@ -9,10 +9,10 @@ set -o errexit
|
||||
|
||||
echo -n "Checking login.defs variables in pam... " >&2
|
||||
grep -rh LOGIN_DEFS . |
|
||||
sed -n 's/^.*search_key *("\([A-Z0-9_]*\)", *LOGIN_DEFS).*$/\1/p' |
|
||||
sed -n 's/^.*search_key *([A-Za-z_]*, *[A-Z_]*LOGIN_DEFS, *"\([A-Z0-9_]*\)").*$/\1/p' |
|
||||
LC_ALL=C sort -u >pam-login_defs-vars.lst
|
||||
|
||||
if test $(sha1sum pam-login_defs-vars.lst | sed 's/ .*$//') != da39a3ee5e6b4b0d3255bfef95601890afd80709 ; then
|
||||
if test $(sha1sum pam-login_defs-vars.lst | sed 's/ .*$//') != 3c6e0020c31609690b69ef391654df930b74151d ; then
|
||||
|
||||
echo "does not match!" >&2
|
||||
echo "Checksum is: $(sha1sum pam-login_defs-vars.lst | sed 's/ .*$//')" >&2
|
||||
|
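Review bot: Nothing in this check rejects an empty variable list, and one of the two pinned values, `da39a3ee5e6b4b0d3255bfef95601890afd80709`, is the SHA-1 of empty input. The page no longer marks which `if test` line is old, but the pam.changes entry about fixing the regexp suggests the check had been passing against an empty `pam-login_defs-vars.lst`. A pinned hash only detects drift from whatever was pinned, so a guard before the comparison would make a broken extraction fail loudly: `test -s pam-login_defs-vars.lst || { echo "variable list is empty" >&2 ; exit 1 ; }`. The script starts and continues outside this hunk, so confirm that no such guard already exists there.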
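--- /dev/null
+++ b/pam-xauth_ownership.patch
@@ -0,0 +1,106 @@
+Index: Linux-PAM-1.4.0/modules/pam_xauth/pam_xauth.c
+===================================================================
+--- Linux-PAM-1.4.0.orig/modules/pam_xauth/pam_xauth.c
++++ Linux-PAM-1.4.0/modules/pam_xauth/pam_xauth.c
+@@ -355,11 +355,13 @@ pam_sm_open_session (pam_handle_t *pamh,
+char *cookiefile = NULL, *xauthority = NULL,
+*cookie = NULL, *display = NULL, *tmp = NULL,
+*xauthlocalhostname = NULL;
+- const char *user, *xauth = NULL;
++ const char *user, *xauth = NULL, *login_name;
+struct passwd *tpwd, *rpwd;
+int fd, i, debug = 0;
+int retval = PAM_SUCCESS;
+- uid_t systemuser = 499, targetuser = 0;
++ uid_t systemuser = 499, targetuser = 0, uid;
++ gid_t gid;
++ struct stat st;
+
+/* Parse arguments. We don't understand many, so no sense in breaking
+* this into a separate function. */
+@@ -429,7 +431,16 @@ pam_sm_open_session (pam_handle_t *pamh,
+retval = PAM_SESSION_ERR;
+goto cleanup;
+}
+- rpwd = pam_modutil_getpwuid(pamh, getuid());
++
++ login_name = pam_modutil_getlogin(pamh);
++ if (login_name == NULL) {
++ login_name = "";
++ }
++ if (*login_name)
++ rpwd = pam_modutil_getpwnam(pamh, login_name);
++ else
++ rpwd = pam_modutil_getpwuid(pamh, getuid());
++
+if (rpwd == NULL) {
+pam_syslog(pamh, LOG_ERR,
+"error determining invoking user's name");
+@@ -518,18 +529,26 @@ pam_sm_open_session (pam_handle_t *pamh,
+cookiefile);
+}
+
++ /* Get owner and group of the cookiefile */
++ uid = getuid();
++ gid = getgid();
++ if (stat(cookiefile, &st) == 0) {
++ uid = st.st_uid;
++ gid = st.st_gid;
++ }
++
+/* Read the user's .Xauthority file. Because the current UID is
+* the original user's UID, this will only fail if something has
+* gone wrong, or we have no cookies. */
+if (debug) {
+pam_syslog(pamh, LOG_DEBUG,
+- "running \"%s %s %s %s %s\" as %lu/%lu",
+- xauth, "-f", cookiefile, "nlist", display,
+- (unsigned long) getuid(), (unsigned long) getgid());
++ "running \"%s %s %s %s %s %s\" as %lu/%lu",
++ xauth, "-i", "-f", cookiefile, "nlist", display,
++ (unsigned long) uid, (unsigned long) gid);
+}
+if (run_coprocess(pamh, NULL, &cookie,
+- getuid(), getgid(),
+- xauth, "-f", cookiefile, "nlist", display,
++ uid, gid,
++ xauth, "-i", "-f", cookiefile, "nlist", display,
+NULL) == 0) {
+#ifdef WITH_SELINUX
+security_context_t context = NULL;
+@@ -583,12 +602,12 @@ pam_sm_open_session (pam_handle_t *pamh,
+cookiefile,
+"nlist",
+t,
+- (unsigned long) getuid(),
+- (unsigned long) getgid());
++ (unsigned long) uid,
++ (unsigned long) gid);
+}
+run_coprocess(pamh, NULL, &cookie,
+- getuid(), getgid(),
+- xauth, "-f", cookiefile,
++ uid, gid,
++ xauth, "-i", "-f", cookiefile,
+"nlist", t, NULL);
+}
+free(t);
+@@ -673,13 +692,17 @@ pam_sm_open_session (pam_handle_t *pamh,
+goto cleanup;
+}
+
++ if (debug) {
++ pam_syslog(pamh, LOG_DEBUG, "set environment variable '%s'",
++ xauthority);
++ }
+/* Set the new variable in the environment. */
+if (pam_putenv (pamh, xauthority) != PAM_SUCCESS)
+pam_syslog(pamh, LOG_ERR,
+"can't set environment variable '%s'",
+xauthority);
+putenv (xauthority); /* The environment owns this string now. */
+- xauthority = NULL; /* Don't free environment variables. */
++ /* Don't free environment variables nor set them to NULL. */
+
+/* set $DISPLAY in pam handle to make su - work */
+{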
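Review bot: The added `stat(cookiefile, &st)` block makes both `run_coprocess()` calls run xauth as whoever owns the cookie file, with no check that this owner is the invoking user already resolved into `rpwd`. `stat()` follows symlinks and `cookiefile` is assigned outside the visible hunks, so if that path can be influenced by the caller, the helper may run under another account's uid/gid. The retained comment "Because the current UID is the original user's UID" also no longer describes what the code does. Accepting the file's ownership only when it matches would keep the NFS fix while bounding the identity, e.g. `if (stat(cookiefile, &st) == 0 && st.st_uid == rpwd->pw_uid) { uid = st.st_uid; gid = st.st_gid; }`, or pass `rpwd->pw_uid, rpwd->pw_gid` directly. Separately, the last hunk drops `xauthority = NULL;` after `putenv (xauthority)`; pam_sm_open_session's cleanup path is outside these hunks, but if it frees `xauthority` the environment is left with a dangling pointer, so that assignment should stay.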
28
pam.changes
28
pam.changes
@ -1,3 +1,31 @@
|
||||
-------------------------------------------------------------------
|
||||
Wed Oct 8 13:31:39 UTC 2020 - Josef Möllers <josef.moellers@suse.com>
|
||||
|
||||
- /usr/bin/xauth chokes on the old user's $HOME being on an NFS
|
||||
file system. Run /usr/bin/xauth using the old user's uid/gid
|
||||
Patch courtesy of Dr. Werner Fink.
|
||||
[bsc#1174593, pam-xauth_ownership.patch]
|
||||
|
||||
-------------------------------------------------------------------
|
||||
Thu Oct 8 02:33:16 UTC 2020 - Stanislav Brabec <sbrabec@suse.com>
|
||||
|
||||
- pam-login_defs-check.sh: Fix the regexp to get a real variable
|
||||
list (boo#1164274).
|
||||
|
||||
-------------------------------------------------------------------
|
||||
Wed Jun 24 13:06:33 UTC 2020 - Josef Möllers <josef.moellers@suse.com>
|
||||
|
||||
- Revert the previous change [SR#815713].
|
||||
The group is not necessary for PAM functionality but used only
|
||||
during testing. The test system should therefore create this group.
|
||||
[bsc#1171016, pam.spec]
|
||||
|
||||
-------------------------------------------------------------------
|
||||
Mon Jun 15 15:05:18 UTC 2020 - Josef Möllers <josef.moellers@suse.com>
|
||||
|
||||
- Add requirement for group "wheel" to spec file.
|
||||
[bsc#1171016, pam.spec]
|
||||
|
||||
-------------------------------------------------------------------
|
||||
Mon Jun 8 13:19:12 UTC 2020 - Thorsten Kukuk <kukuk@suse.com>
|
||||
|
||||
|
2
pam.spec
2
pam.spec
@ -47,6 +47,7 @@ Source11: unix2_chkpwd.8
|
||||
Source12: pam-login_defs-check.sh
|
||||
Patch2: pam-limit-nproc.patch
|
||||
Patch4: pam-hostnames-in-access_conf.patch
|
||||
Patch5: pam-xauth_ownership.patch
|
||||
BuildRequires: audit-devel
|
||||
BuildRequires: bison
|
||||
BuildRequires: cracklib-devel
|
||||
@ -139,6 +140,7 @@ removed with one of the next releases.
|
||||
cp -a %{SOURCE12} .
|
||||
%patch2 -p1
|
||||
%patch4 -p1
|
||||
%patch5 -p1
|
||||
|
||||
%build
|
||||
bash ./pam-login_defs-check.sh
|
||||
|