Accepting request 24760 from home:mcalmer:branches:openSUSE:11.2

Copy from home:mcalmer:branches:openSUSE:11.2/pam_mount based on submit request 24760 from user mcalmer OBS-URL: https://build.opensuse.org/request/show/24760 OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/pam_mount?expand=0&rev=32
2009-11-20 13:35:27 +00:00 · 2009-11-20 13:35:27 +00:00 · 29b136c663
commit 29b136c663
parent 0dcc2073b6
7 changed files with 168 additions and 4 deletions
--- a/pam_mount-0.47-enable-logout-kill.dif
+++ b/pam_mount-0.47-enable-logout-kill.dif
@ -1,6 +1,8 @@
--- orig/pam_mount-0.47/config/pam_mount.conf.xml	2008-09-05 05:28:34.000000000 +0200
-+++ pam_mount-0.47/config/pam_mount.conf.xml	2009-01-10 17:52:15.000000000 +0100
-@@ -33,7 +33,7 @@
+Index: pam_mount-1.27/config/pam_mount.conf.xml
+===================================================================
+--- pam_mount-1.27.orig/config/pam_mount.conf.xml
+++ pam_mount-1.27/config/pam_mount.conf.xml
+@@ -29,7 +29,7 @@
 <mntoptions require="nosuid,nodev" />
 <path>/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/sbin:/usr/local/bin</path>
 
--- a/pam_mount-1.27-fix-krb5-env.dif
+++ b/pam_mount-1.27-fix-krb5-env.dif
@ -0,0 +1,39 @@
+Index: pam_mount-1.27/doc/changelog.txt
+===================================================================
+--- pam_mount-1.27.orig/doc/changelog.txt
+++ pam_mount-1.27/doc/changelog.txt
+@@ -4,6 +4,7 @@ For details, see the history as recorded
+ 
+ Fixes:
+ - pam_mount: avoid crash in sudo by not calling setenv() with NULL
+- pam_mount: unwind krb5 environment info at the right time
+ - umount.crypt: do not remove entry from /etc/mtab twice
+ 
+ v1.27 (July 01 2009)
+Index: pam_mount-1.27/src/pam_mount.c
+===================================================================
+--- pam_mount-1.27.orig/src/pam_mount.c
+++ pam_mount-1.27/src/pam_mount.c
+@@ -550,9 +550,10 @@ PAM_EXTERN EXPORT_SYMBOL int pam_sm_open
+ 			ret = PAM_SERVICE_ERR;
+ 		}
+ 	}
+-	memset(system_authtok, 0, strlen(system_authtok));
+-	if (krb5 != NULL)
+-		unsetenv("KRB5CCNAME");
+	if (system_authtok != NULL) {
+		memset(system_authtok, 0, strlen(system_authtok));
+		free(system_authtok);
+	}
+ 	modify_pm_count(&Config, Config.user, "1");
+ 	envpath_restore();
+ 	if (getuid() == 0)
+@@ -570,6 +571,8 @@ PAM_EXTERN EXPORT_SYMBOL int pam_sm_open
+ 	 */
+ 	ret = PAM_SUCCESS;
+  out:
+	if (krb5 != NULL)
+		unsetenv("KRB5CCNAME");
+ 	w4rn("done opening session (ret=%d)\n", ret);
+ 	common_exit();
+ 	return ret;
--- a/pam_mount-1.27-fix-mtab-handling.dif
+++ b/pam_mount-1.27-fix-mtab-handling.dif
@ -0,0 +1,29 @@
+Index: pam_mount-1.27/doc/changelog.txt
+===================================================================
+--- pam_mount-1.27.orig/doc/changelog.txt
+++ pam_mount-1.27/doc/changelog.txt
+@@ -4,7 +4,7 @@ For details, see the history as recorded
+ 
+ Fixes:
+ - pam_mount: avoid crash in sudo by not calling setenv() with NULL
+-
+- umount.crypt: do not remove entry from /etc/mtab twice
+ 
+ v1.27 (July 01 2009)
+ ====================
+Index: pam_mount-1.27/src/mtcrypt.c
+===================================================================
+--- pam_mount-1.27.orig/src/mtcrypt.c
+++ pam_mount-1.27/src/mtcrypt.c
+@@ -563,9 +563,8 @@ static int mtcr_umount(struct umount_opt
+ 
+ 	umount_args[argk++] = "umount";
+ #ifdef __linux__
+-	umount_args[argk++] = "-i";
+-	if (opt->no_update)
+-		umount_args[argk++] = "-n";
+	/* Always pass in -n, as we manually edit /etc/mtab */
+	umount_args[argk++] = "-ni";
+ #endif
+ 	umount_args[argk++] = mountpoint;
+ 	umount_args[argk]   = NULL;
--- a/pam_mount-1.27-fix-sudo-crash.dif
+++ b/pam_mount-1.27-fix-sudo-crash.dif
@ -0,0 +1,57 @@
+diff --git a/doc/changelog.txt b/doc/changelog.txt
+index 5107e9b..bdc37f0 100644
+--- a/doc/changelog.txt
+++ b/doc/changelog.txt
+@@ -2,6 +2,10 @@
+ For details, see the history as recorded in the git repository.
+ 
+ 
+Fixes:
+- pam_mount: avoid crash in sudo by not calling setenv() with NULL
+
+
+ v1.27 (July 01 2009)
+ ====================
+ Changes:
+diff --git a/src/pam_mount.c b/src/pam_mount.c
+index 87262bd..73da556 100644
+--- a/src/pam_mount.c
+++ b/src/pam_mount.c
+@@ -451,7 +451,7 @@ PAM_EXTERN EXPORT_SYMBOL int pam_sm_open_session(pam_handle_t *pamh, int flags,
+ {
+ 	struct vol *vol;
+ 	int ret;
+-	unsigned int krb5_set;
+	const char *krb5;
+ 	char *system_authtok = NULL;
+ 	const void *tmp;
+ 	int getval;
+@@ -464,11 +464,17 @@ PAM_EXTERN EXPORT_SYMBOL int pam_sm_open_session(pam_handle_t *pamh, int flags,
+ 	w4rn(PACKAGE_STRING ": entering session stage\n");
+ 
+ 	/*
+	 * Environment variables set with setenv() only last while PAM is
+	 * active, i.e. disappear when the shell is started. On the other hand,
+	 * variabled fed to pam_putenv() are only visible once the shell
+	 * started.
+	 */
+	/*
+ 	 * Get the Kerberos CCNAME so we can make it available to the
+ 	 * mount command later on.
+ 	 */
+-	krb5_set = getenv("KRB5CCNAME") != NULL;
+-	if (setenv("KRB5CCNAME", pam_getenv(pamh, "KRB5CCNAME"), 1) < 0)
+	krb5 = pam_getenv(pamh, "KRB5CCNAME");
+	if (krb5 != NULL && setenv("KRB5CCNAME", krb5, true) < 0)
+ 		l0g("KRB5CCNAME setenv failed\n");
+ 
+ 	/* Store initialized config as PAM data */
+@@ -545,7 +551,7 @@ PAM_EXTERN EXPORT_SYMBOL int pam_sm_open_session(pam_handle_t *pamh, int flags,
+ 		}
+ 	}
+ 	memset(system_authtok, 0, strlen(system_authtok));
+-	if (krb5_set)
+	if (krb5 != NULL)
+ 		unsetenv("KRB5CCNAME");
+ 	modify_pm_count(&Config, Config.user, "1");
+ 	envpath_restore();
--- a/pam_mount-1.27-uid_guid-handling.dif
+++ b/pam_mount-1.27-uid_guid-handling.dif
@ -0,0 +1,24 @@
+diff --git a/src/rdconf1.c b/src/rdconf1.c
+index 0a90de7..9ec29f8 100644
+--- a/src/rdconf1.c
+++ b/src/rdconf1.c
+@@ -959,8 +959,7 @@ static int rc_volume_cond_uid(const struct passwd *pwd, xmlNode *node)
+ 			continue;
+ 		ret = __rc_volume_cond_id(signed_cast(const char *,
+ 		      node->content), pwd->pw_uid);
+-		if (ret < 0)
+-			return ret;
+		return ret;
+ 	}
+ 
+ 	l0g("config: empty or invalid content for <%s>\n", "uid");
+@@ -981,8 +980,7 @@ static int rc_volume_cond_gid(const struct passwd *pwd, xmlNode *node)
+ 			continue;
+ 		ret = __rc_volume_cond_id(signed_cast(const char *,
+ 		      node->content), pwd->pw_gid);
+-		if (ret < 0)
+-			return ret;
+		return ret;
+ 	}
+ 
+ 	l0g("config: empty or invalid content for <%s>\n", "gid");
--- a/pam_mount.changes
+++ b/pam_mount.changes
@ -1,3 +1,8 @@
+-------------------------------------------------------------------
+Thu Nov 19 11:12:36 CET 2009 - mc@suse.de
+
+- backport some code to fix the sudo crash (bnc#544154)
+
 -------------------------------------------------------------------
 Mon Jul 27 12:01:46 CEST 2009 - mc@novell.com

--- a/pam_mount.spec
+++ b/pam_mount.spec
@ -26,7 +26,7 @@ BuildRequires:  libHX-devel >= 2.8
 BuildRequires:  linux-kernel-headers >= 2.6
 Summary:        A PAM Module that can Mount Volumes for a User Session
 Version:        1.27
-Release:        1
+Release:        2
 # psmisc: /bin/fuser
 Recommends:     cryptsetup
 Recommends:     cifs-mount xfsprogs
@ -40,6 +40,10 @@ Source2:        convert_keyhash.pl
 Source3:        mount.crypt
 Source4:        mount.encfs13
 Patch1:         pam_mount-0.47-enable-logout-kill.dif
+Patch2:         pam_mount-1.27-fix-sudo-crash.dif
+Patch3:         pam_mount-1.27-fix-mtab-handling.dif
+Patch4:         pam_mount-1.27-uid_guid-handling.dif
+Patch5:         pam_mount-1.27-fix-krb5-env.dif
 BuildRoot:      %{_tmppath}/%{name}-%{version}-build
 Url:            http://pam-mount.sourceforge.net/
 PreReq:         coreutils, perl-XML-Writer, perl-XML-Parser
@ -60,6 +64,10 @@ dm-crypt and LUKS.
 %prep
 %setup -q
 %patch1 -p1
+%patch2 -p1
+%patch3 -p1
+%patch4 -p1
+%patch5 -p1

 %build
 %{suse_update_config -f}