- Update fixppc.patch with upstream patches
- Add comments from upstream in 0001-util-never-follow-symlinks-in-rm_rf_children.patch. - Add logind-logout.patch: it should fix sudo / su with pam_systemd (bnc#746704). OBS-URL: https://build.opensuse.org/package/show/Base:System/systemd?expand=0&rev=263
parent
729f3c2839
commit
b3750d1f49
@ -30,3 +30,30 @@ index 20cbc2b..dfc1dc6 100644
|
||||
--
|
||||
1.7.7
|
||||
|
||||
From c9d8629baa09f853fbcc44972c9748e70562270c Mon Sep 17 00:00:00 2001
|
||||
From: Lennart Poettering <lennart@poettering.net>
|
||||
Date: Thu, 22 Mar 2012 01:43:36 +0100
|
||||
Subject: [PATCH] logind: extend comment about X11 socket symlink
|
||||
|
||||
---
|
||||
src/login/logind-session.c | 4 ++++
|
||||
1 files changed, 4 insertions(+), 0 deletions(-)
|
||||
|
||||
diff --git a/src/login/logind-session.c b/src/login/logind-session.c
|
||||
index af9c12d..4e0af86 100644
|
||||
--- a/src/login/logind-session.c
|
||||
+++ b/src/login/logind-session.c
|
||||
@@ -391,6 +391,10 @@ static int session_link_x11_socket(Session *s) {
|
||||
return -ENOENT;
|
||||
}
|
||||
|
||||
+ /* Note that this cannot be in a subdir to avoid
|
||||
+ * vulnerabilities since we are privileged but the runtime
|
||||
+ * path is owned by the user */
|
||||
+
|
||||
t = strappend(s->user->runtime_path, "/X11-display");
|
||||
if (!t) {
|
||||
log_error("Out of memory");
|
||||
--
|
||||
1.7.7
|
||||
|
||||
|
73
fixppc.patch
73
fixppc.patch
@ -1,3 +1,60 @@
|
||||
From 7264278fbbdc1dc6c30fedc902d1337594aa6ff6 Mon Sep 17 00:00:00 2001
|
||||
From: Lennart Poettering <lennart@poettering.net>
|
||||
Date: Wed, 21 Mar 2012 23:47:44 +0100
|
||||
Subject: [PATCH] journal: PAGE_SIZE is not known on ppc and other archs
|
||||
|
||||
Let's use NAME_MAX, as suggested by Dan Walsh
|
||||
---
|
||||
src/journal/journald.c | 15 ++++++++++++---
|
||||
1 files changed, 12 insertions(+), 3 deletions(-)
|
||||
|
||||
diff --git a/src/journal/journald.c b/src/journal/journald.c
|
||||
index d27cb60..87390bd 100644
|
||||
--- a/src/journal/journald.c
|
||||
+++ b/src/journal/journald.c
|
||||
@@ -29,7 +29,6 @@
|
||||
#include <sys/ioctl.h>
|
||||
#include <linux/sockios.h>
|
||||
#include <sys/statvfs.h>
|
||||
-#include <sys/user.h>
|
||||
|
||||
#include <systemd/sd-journal.h>
|
||||
#include <systemd/sd-login.h>
|
||||
@@ -2149,10 +2148,20 @@ static int process_event(Server *s, struct epoll_event *ev) {
|
||||
size_t label_len = 0;
|
||||
union {
|
||||
struct cmsghdr cmsghdr;
|
||||
+
|
||||
+ /* We use NAME_MAX space for the
|
||||
+ * SELinux label here. The kernel
|
||||
+ * currently enforces no limit, but
|
||||
+ * according to suggestions from the
|
||||
+ * SELinux people this will change and
|
||||
+ * it will probably be identical to
|
||||
+ * NAME_MAX. For now we use that, but
|
||||
+ * this should be updated one day when
|
||||
+ * the final limit is known.*/
|
||||
uint8_t buf[CMSG_SPACE(sizeof(struct ucred)) +
|
||||
CMSG_SPACE(sizeof(struct timeval)) +
|
||||
- CMSG_SPACE(sizeof(int)) +
|
||||
- CMSG_SPACE(PAGE_SIZE)]; /* selinux label */
|
||||
+ CMSG_SPACE(sizeof(int)) + /* fd */
|
||||
+ CMSG_SPACE(NAME_MAX)]; /* selinux label */
|
||||
} control;
|
||||
ssize_t n;
|
||||
int v;
|
||||
--
|
||||
1.7.7
|
||||
|
||||
From dd1e3d5a396284d1afdb2828991a543eb80c8040 Mon Sep 17 00:00:00 2001
|
||||
From: Frederic Crozat <fcrozat@suse.com>
|
||||
Date: Thu, 22 Mar 2012 09:39:54 +0100
|
||||
Subject: [PATCH] journal: char is unsigned on ppc, use int8_t instead.
|
||||
|
||||
---
|
||||
src/journal/cat.c | 2 +-
|
||||
1 files changed, 1 insertions(+), 1 deletions(-)
|
||||
|
||||
diff --git a/src/journal/cat.c b/src/journal/cat.c
|
||||
index 31d76f3..8a51fb7 100644
|
||||
--- a/src/journal/cat.c
|
||||
@ -11,16 +68,6 @@ index 31d76f3..8a51fb7 100644
|
||||
static bool arg_level_prefix = true;
|
||||
|
||||
static int help(void) {
|
||||
diff --git a/src/journal/journald.c b/src/journal/journald.c
|
||||
index baad3ab..1899ad6 100644
|
||||
--- a/src/journal/journald.c
|
||||
+++ b/src/journal/journald.c
|
||||
@@ -2144,7 +2144,7 @@ static int process_event(Server *s, struct epoll_event *ev) {
|
||||
uint8_t buf[CMSG_SPACE(sizeof(struct ucred)) +
|
||||
CMSG_SPACE(sizeof(struct timeval)) +
|
||||
CMSG_SPACE(sizeof(int)) +
|
||||
- CMSG_SPACE(PAGE_SIZE)]; /* selinux label */
|
||||
+ CMSG_SPACE(PATH_MAX)]; /* selinux label */
|
||||
} control;
|
||||
ssize_t n;
|
||||
int v;
|
||||
--
|
||||
1.7.7
|
||||
|
||||
|
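Review bot: Nothing in the visible journald.c hunks adds an include for `NAME_MAX`, while the first hunk drops `<sys/user.h>`; unless `<limits.h>` already arrives through another header, it should be stated explicitly with `#include <limits.h>` so the ppc build fix does not rest on a transitive include. The new comment also concedes that the kernel currently enforces no limit on the SELinux label, so with `CMSG_SPACE(NAME_MAX)` a longer label would leave the control data truncated. The receive path in process_event, which lies outside these hunks, should test the received `msg_flags` for `MSG_CTRUNC` and log or drop such a datagram rather than act on partial ancillary data.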
156
logind-logout.patch
Normal file
156
logind-logout.patch
Normal file
@ -0,0 +1,156 @@
|
||||
From 75c8e3cffd7da8eede614cf61384957af2c82a29 Mon Sep 17 00:00:00 2001
|
||||
From: Lennart Poettering <lennart@poettering.net>
|
||||
Date: Thu, 22 Mar 2012 02:06:40 +0100
|
||||
Subject: [PATCH] logind: close FIFO before ending sessions cleanly
|
||||
|
||||
For clean session endings ask logind explicitly to get rid of the FIFO
|
||||
before closing it so that the FIFO logic doesn't result in su/sudo to be
|
||||
terminated immediately.
|
||||
---
|
||||
src/login/logind-dbus.c | 30 ++++++++++++++++++++
|
||||
src/login/pam-module.c | 71 +++++++++++++++++++++++++++++++++++++++++++++--
|
||||
2 files changed, 98 insertions(+), 3 deletions(-)
|
||||
|
||||
diff --git a/src/login/logind-dbus.c b/src/login/logind-dbus.c
|
||||
index d8f4d89..ea6b89f 100644
|
||||
--- a/src/login/logind-dbus.c
|
||||
+++ b/src/login/logind-dbus.c
|
||||
@@ -80,6 +80,9 @@
|
||||
" <arg name=\"seat\" type=\"s\" direction=\"out\"/>\n" \
|
||||
" <arg name=\"vtnr\" type=\"u\" direction=\"out\"/>\n" \
|
||||
" </method>\n" \
|
||||
+ " <method name=\"ReleaseSession\">\n" \
|
||||
+ " <arg name=\"id\" type=\"s\" direction=\"in\"/>\n" \
|
||||
+ " </method>\n" \
|
||||
" <method name=\"ActivateSession\">\n" \
|
||||
" <arg name=\"id\" type=\"s\" direction=\"in\"/>\n" \
|
||||
" </method>\n" \
|
||||
@@ -1075,6 +1078,33 @@ static DBusHandlerResult manager_message_handler(
|
||||
if (r < 0)
|
||||
return bus_send_error_reply(connection, message, &error, r);
|
||||
|
||||
+ } else if (dbus_message_is_method_call(message, "org.freedesktop.login1.Manager", "ReleaseSession")) {
|
||||
+ const char *name;
|
||||
+ Session *session;
|
||||
+
|
||||
+ if (!dbus_message_get_args(
|
||||
+ message,
|
||||
+ &error,
|
||||
+ DBUS_TYPE_STRING, &name,
|
||||
+ DBUS_TYPE_INVALID))
|
||||
+ return bus_send_error_reply(connection, message, &error, -EINVAL);
|
||||
+
|
||||
+ session = hashmap_get(m->sessions, name);
|
||||
+ if (!session)
|
||||
+ return bus_send_error_reply(connection, message, &error, -ENOENT);
|
||||
+
|
||||
+ /* We use the FIFO to detect stray sessions where the
|
||||
+ process invoking PAM dies abnormally. We need to make
|
||||
+ sure that that process is not killed if at the clean
|
||||
+ end of the session it closes the FIFO. Hence, with
|
||||
+ this call explicitly turn off the FIFO logic, so that
|
||||
+ the PAM code can finish clean up on its own */
|
||||
+ session_remove_fifo(session);
|
||||
+
|
||||
+ reply = dbus_message_new_method_return(message);
|
||||
+ if (!reply)
|
||||
+ goto oom;
|
||||
+
|
||||
} else if (dbus_message_is_method_call(message, "org.freedesktop.login1.Manager", "ActivateSession")) {
|
||||
const char *name;
|
||||
Session *session;
|
||||
diff --git a/src/login/pam-module.c b/src/login/pam-module.c
|
||||
index 8544413..4106d2b 100644
|
||||
--- a/src/login/pam-module.c
|
||||
+++ b/src/login/pam-module.c
|
||||
@@ -414,7 +414,6 @@ _public_ PAM_EXTERN int pam_sm_open_session(
|
||||
"/org/freedesktop/login1",
|
||||
"org.freedesktop.login1.Manager",
|
||||
"CreateSession");
|
||||
-
|
||||
if (!m) {
|
||||
pam_syslog(handle, LOG_ERR, "Could not allocate create session message.");
|
||||
r = PAM_BUF_ERR;
|
||||
@@ -620,11 +619,77 @@ _public_ PAM_EXTERN int pam_sm_close_session(
|
||||
int argc, const char **argv) {
|
||||
|
||||
const void *p = NULL;
|
||||
+ const char *id;
|
||||
+ DBusConnection *bus = NULL;
|
||||
+ DBusMessage *m = NULL, *reply = NULL;
|
||||
+ DBusError error;
|
||||
+ int r;
|
||||
|
||||
- pam_get_data(handle, "systemd.session-fd", &p);
|
||||
+ assert(handle);
|
||||
+
|
||||
+ dbus_error_init(&error);
|
||||
+
|
||||
+ id = pam_getenv(handle, "XDG_SESSION_ID");
|
||||
+ if (id) {
|
||||
+
|
||||
+ /* Before we go and close the FIFO we need to tell
|
||||
+ * logind that this is a clean session shutdown, so
|
||||
+ * that it doesn't just go and slaughter us
|
||||
+ * immediately after closing the fd */
|
||||
+
|
||||
+ bus = dbus_bus_get_private(DBUS_BUS_SYSTEM, &error);
|
||||
+ if (!bus) {
|
||||
+ pam_syslog(handle, LOG_ERR, "Failed to connect to system bus: %s", bus_error_message(&error));
|
||||
+ r = PAM_SESSION_ERR;
|
||||
+ goto finish;
|
||||
+ }
|
||||
+
|
||||
+ m = dbus_message_new_method_call(
|
||||
+ "org.freedesktop.login1",
|
||||
+ "/org/freedesktop/login1",
|
||||
+ "org.freedesktop.login1.Manager",
|
||||
+ "ReleaseSession");
|
||||
+ if (!m) {
|
||||
+ pam_syslog(handle, LOG_ERR, "Could not allocate release session message.");
|
||||
+ r = PAM_BUF_ERR;
|
||||
+ goto finish;
|
||||
+ }
|
||||
+
|
||||
+ if (!dbus_message_append_args(m,
|
||||
+ DBUS_TYPE_STRING, &id,
|
||||
+ DBUS_TYPE_INVALID)) {
|
||||
+ pam_syslog(handle, LOG_ERR, "Could not attach parameters to message.");
|
||||
+ r = PAM_BUF_ERR;
|
||||
+ goto finish;
|
||||
+ }
|
||||
|
||||
+ reply = dbus_connection_send_with_reply_and_block(bus, m, -1, &error);
|
||||
+ if (!reply) {
|
||||
+ pam_syslog(handle, LOG_ERR, "Failed to release session: %s", bus_error_message(&error));
|
||||
+ r = PAM_SESSION_ERR;
|
||||
+ goto finish;
|
||||
+ }
|
||||
+ }
|
||||
+
|
||||
+ r = PAM_SUCCESS;
|
||||
+
|
||||
+finish:
|
||||
+ pam_get_data(handle, "systemd.session-fd", &p);
|
||||
if (p)
|
||||
close_nointr(PTR_TO_INT(p) - 1);
|
||||
|
||||
- return PAM_SUCCESS;
|
||||
+ dbus_error_free(&error);
|
||||
+
|
||||
+ if (bus) {
|
||||
+ dbus_connection_close(bus);
|
||||
+ dbus_connection_unref(bus);
|
||||
+ }
|
||||
+
|
||||
+ if (m)
|
||||
+ dbus_message_unref(m);
|
||||
+
|
||||
+ if (reply)
|
||||
+ dbus_message_unref(reply);
|
||||
+
|
||||
+ return r;
|
||||
}
|
||||
--
|
||||
1.7.7
|
||||
|
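Review bot: The new `ReleaseSession` branch in manager_message_handler calls `session_remove_fifo(session)` for whatever session id the caller names, and no check of the caller's identity is visible between `hashmap_get` and that call. Since the FIFO is what lets logind notice a session whose PAM client died abnormally, any bus client allowed to reach this method could turn that detection off for another user's session, unless the D-Bus policy (not shown here) limits the method to root. I would verify that the sender is privileged or owns the session before removing the FIFO, and until that exists add `/* TODO: authorize caller before releasing a session it does not own */` above the call. Separately, pam_sm_close_session now returns `PAM_SESSION_ERR` when the system bus cannot be reached, where it used to return `PAM_SUCCESS` unconditionally, which deserves a line in the patch description. Both functions extend beyond the hunks shown.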
@ -1,3 +1,12 @@
|
||||
-------------------------------------------------------------------
|
||||
Thu Mar 22 08:47:36 UTC 2012 - fcrozat@suse.com
|
||||
|
||||
- Update fixppc.patch with upstream patches
|
||||
- Add comments from upstream in
|
||||
0001-util-never-follow-symlinks-in-rm_rf_children.patch.
|
||||
- Add logind-logout.patch: it should fix sudo / su with pam_systemd
|
||||
(bnc#746704).
|
||||
|
||||
-------------------------------------------------------------------
|
||||
Mon Mar 19 14:07:23 UTC 2012 - fcrozat@suse.com
|
||||
|
||||
|
@ -1,3 +1,12 @@
|
||||
-------------------------------------------------------------------
|
||||
Thu Mar 22 08:47:36 UTC 2012 - fcrozat@suse.com
|
||||
|
||||
- Update fixppc.patch with upstream patches
|
||||
- Add comments from upstream in
|
||||
0001-util-never-follow-symlinks-in-rm_rf_children.patch.
|
||||
- Add logind-logout.patch: it should fix sudo / su with pam_systemd
|
||||
(bnc#746704).
|
||||
|
||||
-------------------------------------------------------------------
|
||||
Mon Mar 19 14:07:23 UTC 2012 - fcrozat@suse.com
|
||||
|
||||
|
@ -82,13 +82,14 @@ Patch36: sysctl-modules.patch
|
||||
Patch38: dm-lvm-after-local-fs-pre-target.patch
|
||||
Patch39: correct_plymouth_paths_and_conflicts.patch
|
||||
Patch41: 0001-add-sparse-support-to-detect-endianness-bug.patch
|
||||
Patch42: fixppc.patch
|
||||
|
||||
# Upstream First - Policy:
|
||||
# Never add any patches to this package without the upstream commit id
|
||||
# in the patch. Any patches added here without a very good reason to make
|
||||
# an exception will be silently removed with the next version update.
|
||||
Patch40: 0001-util-never-follow-symlinks-in-rm_rf_children.patch
|
||||
Patch42: fixppc.patch
|
||||
Patch43: logind-logout.patch
|
||||
|
||||
%description
|
||||
Systemd is a system and service manager, compatible with SysV and LSB
|
||||
@ -150,6 +151,7 @@ Plymouth integration for systemd
|
||||
%patch40 -p1
|
||||
%patch41 -p1
|
||||
%patch42 -p1
|
||||
%patch43 -p1
|
||||
|
||||
%build
|
||||
autoreconf -fiv
|
||||
|