From 1a1e884da963543c1ae6c7104a6f12b778214a76168eb4e48e75a631c0573e6d Mon Sep 17 00:00:00 2001
From: Ruediger Oertel
Date: Wed, 17 Nov 2010 09:42:25 +0000
Subject: [PATCH] Accepting request 53230 from Base:System

Accepted submit request 53230 from user coolo
OBS-URL: https://build.opensuse.org/request/show/53230
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/coreutils?expand=0&rev=47
---
coreutils-6.8-su.patch | 1034 -----------------
coreutils-6.8.0-pie.patch | 192 ---
coreutils-8.6-compile-su-with-fpie.diff | 42 +
...in-etc-default-su-resp-etc-login.defs.diff | 374 ++++++
coreutils-8.6-log-all-su-attempts.diff | 26 +
...e-sure-sbin-resp-usr-sbin-are-in-PATH.diff | 24 +-
coreutils-8.6-pam-support-for-su.diff | 405 +++++++
coreutils-8.6-set-sane-default-path.diff | 37 +
coreutils-8.6-update-man-page-for-pam.diff | 64 +
coreutils.changes | 13 +
coreutils.spec | 75 +-
11 files changed, 1004 insertions(+), 1282 deletions(-)
delete mode 100644 coreutils-6.8-su.patch
delete mode 100644 coreutils-6.8.0-pie.patch
create mode 100644 coreutils-8.6-compile-su-with-fpie.diff
create mode 100644 coreutils-8.6-honor-settings-in-etc-default-su-resp-etc-login.defs.diff
create mode 100644 coreutils-8.6-log-all-su-attempts.diff
rename coreutils-5.3.0-sbin4su.patch => coreutils-8.6-make-sure-sbin-resp-usr-sbin-are-in-PATH.diff (82%)
create mode 100644 coreutils-8.6-pam-support-for-su.diff
create mode 100644 coreutils-8.6-set-sane-default-path.diff
create mode 100644 coreutils-8.6-update-man-page-for-pam.diff
diff --git a/coreutils-6.8-su.patch b/coreutils-6.8-su.patch
deleted file mode 100644
index d698b38..0000000
--- a/coreutils-6.8-su.patch
+++ /dev/null
@@ -1,1034 +0,0 @@ -Add pam support in su - -Index: Makefile.in -=================================================================== ---- Makefile.in.orig 2010-10-15 16:31:46.000000000 +0200 -+++ Makefile.in 2010-11-11 16:02:50.366117868 +0100 -@@ -991,6 +991,7 @@ PACKAGE_STRING = @PACKAGE_STRING@ - PACKAGE_TARNAME = @PACKAGE_TARNAME@ - PACKAGE_URL = @PACKAGE_URL@ - PACKAGE_VERSION = @PACKAGE_VERSION@ -+PAM_LIBS = @PAM_LIBS@ - PATH_SEPARATOR = @PATH_SEPARATOR@ - PERL = @PERL@ - POSIX_SHELL = @POSIX_SHELL@ -Index: configure -=================================================================== ---- configure.orig 2010-11-11 16:02:50.342113626 +0100 -+++ configure 2010-11-11 16:04:17.257475264 +0100 -@@ -639,6 +639,7 @@ OPTIONAL_BIN_PROGS - INSTALL_SU - LIB_GMP - LIB_CRYPT -+PAM_LIBS - GNULIB_TEST_WARN_CFLAGS - GNULIB_WARN_CFLAGS - WERROR_CFLAGS -@@ -1551,6 +1552,7 @@ enable_xattr - enable_libcap - with_tty_group - enable_gcc_warnings -+enable_pam - with_gmp - enable_install_program - enable_no_install_program -@@ -2203,6 +2205,7 @@ Optional Features: - --disable-xattr do not support extended attributes - --disable-libcap disable libcap support - --enable-gcc-warnings turn on lots of GCC warnings (for developers) -+ --disable-pam Disable PAM support in su (default=auto) - --enable-install-program=PROG_LIST - install the programs in PROG_LIST (comma-separated, - default: none) -@@ -53157,6 +53160,111 @@ $as_echo "#define HAVE_WORKING_FORK 1" > - fi - - -+# Check whether --enable-pam was given. -+if test "${enable_pam+set}" = set; then -+ enableval=$enable_pam; -+else -+ enable_pam=yes -+fi -+ -+if test "x$enable_pam" != xno; then -+ { $as_echo "$as_me:${as_lineno-$LINENO}: checking for pam_start in -lpam" >&5 -+$as_echo_n "checking for pam_start in -lpam... 
" >&6; } -+if test "${ac_cv_lib_pam_pam_start+set}" = set; then -+ $as_echo_n "(cached) " >&6 -+else -+ ac_check_lib_save_LIBS=$LIBS -+LIBS="-lpam $LIBS" -+cat confdefs.h - <<_ACEOF >conftest.$ac_ext -+/* end confdefs.h. */ -+ -+/* Override any GCC internal prototype to avoid an error. -+ Use char because int might match the return type of a GCC -+ builtin and then its argument prototype would still apply. */ -+#ifdef __cplusplus -+extern "C" -+#endif -+char pam_start (); -+int -+main () -+{ -+return pam_start (); -+ ; -+ return 0; -+} -+_ACEOF -+if ac_fn_c_try_link "$LINENO"; then -+ ac_cv_lib_pam_pam_start=yes -+else -+ ac_cv_lib_pam_pam_start=no -+fi -+rm -f core conftest.err conftest.$ac_objext \ -+ conftest$ac_exeext conftest.$ac_ext -+LIBS=$ac_check_lib_save_LIBS -+fi -+{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_lib_pam_pam_start" >&5 -+$as_echo "$ac_cv_lib_pam_pam_start" >&6; } -+if test "x$ac_cv_lib_pam_pam_start" = x""yes; then -+ enable_pam=yes -+else -+ enable_pam=no -+fi -+ -+ { $as_echo "$as_me:${as_lineno-$LINENO}: checking for misc_conv in -lpam_misc" >&5 -+$as_echo_n "checking for misc_conv in -lpam_misc... " >&6; } -+if test "${ac_cv_lib_pam_misc_misc_conv+set}" = set; then -+ $as_echo_n "(cached) " >&6 -+else -+ ac_check_lib_save_LIBS=$LIBS -+LIBS="-lpam_misc $LIBS" -+cat confdefs.h - <<_ACEOF >conftest.$ac_ext -+/* end confdefs.h. */ -+ -+/* Override any GCC internal prototype to avoid an error. -+ Use char because int might match the return type of a GCC -+ builtin and then its argument prototype would still apply. 
*/ -+#ifdef __cplusplus -+extern "C" -+#endif -+char misc_conv (); -+int -+main () -+{ -+return misc_conv (); -+ ; -+ return 0; -+} -+_ACEOF -+if ac_fn_c_try_link "$LINENO"; then -+ ac_cv_lib_pam_misc_misc_conv=yes -+else -+ ac_cv_lib_pam_misc_misc_conv=no -+fi -+rm -f core conftest.err conftest.$ac_objext \ -+ conftest$ac_exeext conftest.$ac_ext -+LIBS=$ac_check_lib_save_LIBS -+fi -+{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_lib_pam_misc_misc_conv" >&5 -+$as_echo "$ac_cv_lib_pam_misc_misc_conv" >&6; } -+if test "x$ac_cv_lib_pam_misc_misc_conv" = x""yes; then -+ : -+else -+ enable_pam=no -+fi -+ -+ if test "x$enable_pam" != xno; then -+ -+$as_echo "#define USE_PAM 1" >>confdefs.h -+ -+ PAM_LIBS="-lpam -lpam_misc" -+ -+ fi -+fi -+{ $as_echo "$as_me:${as_lineno-$LINENO}: checking whether to enable PAM support in su" >&5 -+$as_echo_n "checking whether to enable PAM support in su... " >&6; } -+{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $enable_pam" >&5 -+$as_echo "$enable_pam" >&6; } -+ - optional_bin_progs= - for ac_func in chroot - do : -Index: configure.ac -=================================================================== ---- configure.ac.orig 2010-10-13 10:58:27.000000000 +0200 -+++ configure.ac 2010-11-11 16:02:50.442131303 +0100 -@@ -135,6 +135,20 @@ fi - - AC_FUNC_FORK - -+AC_ARG_ENABLE(pam, AS_HELP_STRING([--disable-pam], -+ [Enable PAM support in su (default=auto)]), , [enable_pam=yes]) -+if test "x$enable_pam" != xno; then -+ AC_CHECK_LIB([pam], [pam_start], [enable_pam=yes], [enable_pam=no]) -+ AC_CHECK_LIB([pam_misc], [misc_conv], [:], [enable_pam=no]) -+ if test "x$enable_pam" != xno; then -+ AC_DEFINE(USE_PAM, 1, [Define if you want to use PAM]) -+ PAM_LIBS="-lpam -lpam_misc" -+ AC_SUBST(PAM_LIBS) -+ fi -+fi -+AC_MSG_CHECKING([whether to enable PAM support in su]) -+AC_MSG_RESULT([$enable_pam]) -+ - optional_bin_progs= - AC_CHECK_FUNCS([chroot], - gl_ADD_PROG([optional_bin_progs], [chroot])) -Index: doc/Makefile.in 
-=================================================================== ---- doc/Makefile.in.orig 2010-10-15 16:31:44.000000000 +0200 -+++ doc/Makefile.in 2010-11-11 16:02:50.442131303 +0100 -@@ -987,6 +987,7 @@ PACKAGE_STRING = @PACKAGE_STRING@ - PACKAGE_TARNAME = @PACKAGE_TARNAME@ - PACKAGE_URL = @PACKAGE_URL@ - PACKAGE_VERSION = @PACKAGE_VERSION@ -+PAM_LIBS = @PAM_LIBS@ - PATH_SEPARATOR = @PATH_SEPARATOR@ - PERL = @PERL@ - POSIX_SHELL = @POSIX_SHELL@ -Index: gnulib-tests/Makefile.in -=================================================================== ---- gnulib-tests/Makefile.in.orig 2010-10-15 16:32:45.000000000 +0200 -+++ gnulib-tests/Makefile.in 2010-11-11 16:02:50.490139787 +0100 -@@ -2378,6 +2378,7 @@ PACKAGE_STRING = @PACKAGE_STRING@ - PACKAGE_TARNAME = @PACKAGE_TARNAME@ - PACKAGE_URL = @PACKAGE_URL@ - PACKAGE_VERSION = @PACKAGE_VERSION@ -+PAM_LIBS = @PAM_LIBS@ - PATH_SEPARATOR = @PATH_SEPARATOR@ - PERL = @PERL@ - POSIX_SHELL = @POSIX_SHELL@ -Index: lib/Makefile.in -=================================================================== ---- lib/Makefile.in.orig 2010-10-15 16:31:45.000000000 +0200 -+++ lib/Makefile.in 2010-11-11 16:02:50.550150395 +0100 -@@ -1073,6 +1073,7 @@ PACKAGE_STRING = @PACKAGE_STRING@ - PACKAGE_TARNAME = @PACKAGE_TARNAME@ - PACKAGE_URL = @PACKAGE_URL@ - PACKAGE_VERSION = @PACKAGE_VERSION@ -+PAM_LIBS = @PAM_LIBS@ - PATH_SEPARATOR = @PATH_SEPARATOR@ - PERL = @PERL@ - POSIX_SHELL = @POSIX_SHELL@ -Index: man/Makefile.in -=================================================================== ---- man/Makefile.in.orig 2010-11-11 16:02:50.294105140 +0100 -+++ man/Makefile.in 2010-11-11 16:02:50.554151102 +0100 -@@ -956,6 +956,7 @@ PACKAGE_STRING = @PACKAGE_STRING@ - PACKAGE_TARNAME = @PACKAGE_TARNAME@ - PACKAGE_URL = @PACKAGE_URL@ - PACKAGE_VERSION = @PACKAGE_VERSION@ -+PAM_LIBS = @PAM_LIBS@ - PATH_SEPARATOR = @PATH_SEPARATOR@ - PERL = @PERL@ - POSIX_SHELL = @POSIX_SHELL@ -Index: src/Makefile.am 
-=================================================================== ---- src/Makefile.am.orig 2010-10-12 13:13:16.000000000 +0200 -+++ src/Makefile.am 2010-11-11 16:02:50.594158172 +0100 -@@ -352,7 +352,8 @@ factor_LDADD += $(LIB_GMP) - uptime_LDADD += $(GETLOADAVG_LIBS) - - # for crypt --su_LDADD += $(LIB_CRYPT) -+su_SOURCES = su.c getdef.c -+su_LDADD = $(LDADD) $(LIB_CRYPT) $(PAM_LIBS) - - # for various ACL functions - copy_LDADD += $(LIB_ACL) -Index: src/Makefile.in -=================================================================== ---- src/Makefile.in.orig 2010-10-15 17:06:15.000000000 +0200 -+++ src/Makefile.in 2010-11-11 16:09:48.436006623 +0100 -@@ -553,9 +553,10 @@ stdbuf_DEPENDENCIES = $(am__DEPENDENCIES - stty_SOURCES = stty.c - stty_OBJECTS = stty.$(OBJEXT) - stty_DEPENDENCIES = $(am__DEPENDENCIES_2) --su_SOURCES = su.c --su_OBJECTS = su.$(OBJEXT) --su_DEPENDENCIES = $(am__DEPENDENCIES_2) $(am__DEPENDENCIES_1) -+am_su_OBJECTS = su.$(OBJEXT) getdef.$(OBJEXT) -+su_OBJECTS = $(am_su_OBJECTS) -+su_DEPENDENCIES = $(am__DEPENDENCIES_2) $(am__DEPENDENCIES_1) \ -+ $(am__DEPENDENCIES_1) - sum_SOURCES = sum.c - sum_OBJECTS = sum.$(OBJEXT) - sum_DEPENDENCIES = $(am__DEPENDENCIES_2) -@@ -663,9 +664,9 @@ SOURCES = $(nodist_libver_a_SOURCES) $(_ - $(rmdir_SOURCES) runcon.c seq.c setuidgid.c $(sha1sum_SOURCES) \ - $(sha224sum_SOURCES) $(sha256sum_SOURCES) $(sha384sum_SOURCES) \ - $(sha512sum_SOURCES) shred.c shuf.c sleep.c sort.c split.c \ -- $(stat_SOURCES) stdbuf.c stty.c su.c sum.c sync.c tac.c tail.c \ -- tee.c test.c $(timeout_SOURCES) touch.c tr.c true.c truncate.c \ -- tsort.c tty.c $(uname_SOURCES) unexpand.c uniq.c unlink.c \ -+ $(stat_SOURCES) stdbuf.c stty.c $(su_SOURCES) sum.c sync.c tac.c \ -+ tail.c tee.c test.c $(timeout_SOURCES) touch.c tr.c true.c \ -+ truncate.c tsort.c tty.c $(uname_SOURCES) unexpand.c uniq.c unlink.c \ - uptime.c users.c $(vdir_SOURCES) wc.c who.c whoami.c yes.c - DIST_SOURCES = $(__SOURCES) $(arch_SOURCES) base64.c basename.c 
cat.c \ - chcon.c $(chgrp_SOURCES) chmod.c $(chown_SOURCES) chroot.c \ -@@ -682,7 +683,7 @@ DIST_SOURCES = $(__SOURCES) $(arch_SOURC - setuidgid.c $(sha1sum_SOURCES) $(sha224sum_SOURCES) \ - $(sha256sum_SOURCES) $(sha384sum_SOURCES) $(sha512sum_SOURCES) \ - shred.c shuf.c sleep.c sort.c split.c $(stat_SOURCES) stdbuf.c \ -- stty.c su.c sum.c sync.c tac.c tail.c tee.c test.c \ -+ stty.c $(su_SOURCES) sum.c sync.c tac.c tail.c tee.c test.c \ - $(timeout_SOURCES) touch.c tr.c true.c truncate.c tsort.c \ - tty.c $(uname_SOURCES) unexpand.c uniq.c unlink.c uptime.c \ - users.c $(vdir_SOURCES) wc.c who.c whoami.c yes.c -@@ -1363,6 +1364,7 @@ PACKAGE_STRING = @PACKAGE_STRING@ - PACKAGE_TARNAME = @PACKAGE_TARNAME@ - PACKAGE_URL = @PACKAGE_URL@ - PACKAGE_VERSION = @PACKAGE_VERSION@ -+PAM_LIBS = @PAM_LIBS@ - PATH_SEPARATOR = @PATH_SEPARATOR@ - PERL = @PERL@ - POSIX_SHELL = @POSIX_SHELL@ -@@ -1779,7 +1781,8 @@ stdbuf_LDADD = $(LDADD) $(LIBICONV) - stty_LDADD = $(LDADD) - - # for crypt --su_LDADD = $(LDADD) $(LIB_CRYPT) -+su_SOURCES = su.c getdef.c -+su_LDADD = $(LDADD) $(LIB_CRYPT) $(PAM_LIBS) - sum_LDADD = $(LDADD) - sync_LDADD = $(LDADD) - tac_LDADD = $(LDADD) -@@ -2425,6 +2428,7 @@ distclean-compile: - @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/find-mount-point.Po@am__quote@ - @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/fmt.Po@am__quote@ - @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/fold.Po@am__quote@ -+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/getdef.Po@am__quote@ - @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/getlimits.Po@am__quote@ - @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/ginstall-copy.Po@am__quote@ - @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/ginstall-cp-hash.Po@am__quote@ -Index: src/getdef.c -=================================================================== ---- /dev/null 1970-01-01 00:00:00.000000000 +0000 -+++ src/getdef.c 2010-11-11 16:02:50.662170193 +0100 -@@ -0,0 +1,259 @@ -+/* Copyright (C) 2003, 2004, 2005 Thorsten 
Kukuk -+ Author: Thorsten Kukuk -+ -+ This program is free software; you can redistribute it and/or modify -+ it under the terms of the GNU General Public License version 2 as -+ published by the Free Software Foundation. -+ -+ This program is distributed in the hope that it will be useful, -+ but WITHOUT ANY WARRANTY; without even the implied warranty of -+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the -+ GNU General Public License for more details. -+ -+ You should have received a copy of the GNU General Public License -+ along with this program; if not, write to the Free Software Foundation, -+ Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA. */ -+ -+#ifdef HAVE_CONFIG_H -+#include -+#endif -+ -+#define _GNU_SOURCE -+ -+#include -+#include -+#include -+#include -+#include -+#include -+ -+#include "getdef.h" -+ -+struct item { -+ char *name; /* Name of the option. */ -+ char *value; /* Value of the option. */ -+ struct item *next; /* Pointer to next option. */ -+}; -+ -+static struct item *list = NULL; -+ -+void -+free_getdef_data (void) -+{ -+ struct item *ptr; -+ -+ ptr = list; -+ while (ptr != NULL) -+ { -+ struct item *tmp; -+ tmp = ptr->next; -+ free (ptr->name); -+ free (ptr->value); -+ free (ptr); -+ ptr = tmp; -+ } -+ -+ list = NULL; -+} -+ -+/* Add a new entry to the list. */ -+static void -+store (const char *name, const char *value) -+{ -+ struct item *new = malloc (sizeof (struct item)); -+ -+ if (new == NULL) -+ abort (); -+ -+ if (name == NULL) -+ abort (); -+ -+ new->name = strdup (name); -+ new->value = strdup (value ?: ""); -+ new->next = list; -+ list = new; -+} -+ -+/* Search a special entry in the list and return the value. */ -+static const char * -+search (const char *name) -+{ -+ struct item *ptr; -+ -+ ptr = list; -+ while (ptr != NULL) -+ { -+ if (strcasecmp (name, ptr->name) == 0) -+ return ptr->value; -+ ptr = ptr->next; -+ } -+ -+ return NULL; -+} -+ -+/* Load the login.defs file (/etc/login.defs). 
*/ -+static void -+load_defaults_internal (const char *filename) -+{ -+ FILE *fp; -+ char *buf = NULL; -+ size_t buflen = 0; -+ -+ fp = fopen (filename, "r"); -+ if (NULL == fp) -+ return; -+ -+ while (!feof (fp)) -+ { -+ char *tmp, *cp; -+#if defined(HAVE_GETLINE) -+ ssize_t n = getline (&buf, &buflen, fp); -+#elif defined (HAVE_GETDELIM) -+ ssize_t n = getdelim (&buf, &buflen, '\n', fp); -+#else -+ ssize_t n; -+ -+ if (buf == NULL) -+ { -+ buflen = 8096; -+ buf = malloc (buflen); -+ } -+ buf[0] = '\0'; -+ fgets (buf, buflen - 1, fp); -+ if (buf != NULL) -+ n = strlen (buf); -+ else -+ n = 0; -+#endif /* HAVE_GETLINE / HAVE_GETDELIM */ -+ cp = buf; -+ -+ if (n < 1) -+ break; -+ -+ tmp = strchr (cp, '#'); /* remove comments */ -+ if (tmp) -+ *tmp = '\0'; -+ while (isspace ((unsigned char) *cp)) /* remove spaces and tabs */ -+ ++cp; -+ if (*cp == '\0') /* ignore empty lines */ -+ continue; -+ -+ if (cp[strlen (cp) - 1] == '\n') -+ cp[strlen (cp) - 1] = '\0'; -+ -+ tmp = strsep (&cp, " \t="); -+ if (cp != NULL) -+ while (isspace ((unsigned char) *cp) || *cp == '=') -+ ++cp; -+ -+ store (tmp, cp); -+ } -+ fclose (fp); -+ -+ if (buf) -+ free (buf); -+} -+ -+static void -+load_defaults (void) -+{ -+ load_defaults_internal ("/etc/default/su"); -+ load_defaults_internal ("/etc/login.defs"); -+} -+ -+int -+getdef_bool (const char *name, int dflt) -+{ -+ const char *val; -+ -+ if (list == NULL) -+ load_defaults (); -+ -+ val = search (name); -+ -+ if (val == NULL) -+ return dflt; -+ -+ return (strcasecmp (val, "yes") == 0); -+} -+ -+long -+getdef_num (const char *name, long dflt) -+{ -+ const char *val; -+ char *cp; -+ long retval; -+ -+ if (list == NULL) -+ load_defaults (); -+ -+ val = search (name); -+ -+ if (val == NULL) -+ return dflt; -+ -+ errno = 0; -+ retval = strtol (val, &cp, 0); -+ if (*cp != '\0' -+ || ((retval == LONG_MAX || retval == LONG_MIN) && errno == ERANGE)) -+ { -+ fprintf (stderr, -+ "%s contains invalid numerical value: %s!\n", -+ name, val); -+ 
retval = dflt; -+ } -+ return retval; -+} -+ -+unsigned long -+getdef_unum (const char *name, unsigned long dflt) -+{ -+ const char *val; -+ char *cp; -+ unsigned long retval; -+ -+ if (list == NULL) -+ load_defaults (); -+ -+ val = search (name); -+ -+ if (val == NULL) -+ return dflt; -+ -+ errno = 0; -+ retval = strtoul (val, &cp, 0); -+ if (*cp != '\0' || (retval == ULONG_MAX && errno == ERANGE)) -+ { -+ fprintf (stderr, -+ "%s contains invalid numerical value: %s!\n", -+ name, val); -+ retval = dflt; -+ } -+ return retval; -+} -+ -+const char * -+getdef_str (const char *name, const char *dflt) -+{ -+ const char *retval; -+ -+ if (list == NULL) -+ load_defaults (); -+ -+ retval = search (name); -+ -+ return retval ?: dflt; -+} -+ -+#if defined(TEST) -+ -+int -+main () -+{ -+ printf ("CYPT=%s\n", getdef_str ("cRypt", "no")); -+ printf ("LOG_UNKFAIL_ENAB=%s\n", getdef_str ("log_unkfail_enab","")); -+ printf ("DOESNOTEXIST=%s\n", getdef_str ("DOESNOTEXIST","yes")); -+ return 0; -+} -+ -+#endif -Index: src/getdef.h -=================================================================== ---- /dev/null 1970-01-01 00:00:00.000000000 +0000 -+++ src/getdef.h 2010-11-11 16:02:50.678173021 +0100 -@@ -0,0 +1,29 @@ -+/* Copyright (C) 2003, 2005 Thorsten Kukuk -+ Author: Thorsten Kukuk -+ -+ This program is free software; you can redistribute it and/or modify -+ it under the terms of the GNU General Public License version 2 as -+ published by the Free Software Foundation. -+ -+ This program is distributed in the hope that it will be useful, -+ but WITHOUT ANY WARRANTY; without even the implied warranty of -+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the -+ GNU General Public License for more details. -+ -+ You should have received a copy of the GNU General Public License -+ along with this program; if not, write to the Free Software Foundation, -+ Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA. 
*/ -+ -+#ifndef _GETDEF_H_ -+ -+#define _GETDEF_H_ 1 -+ -+extern int getdef_bool (const char *name, int dflt); -+extern long getdef_num (const char *name, long dflt); -+extern unsigned long getdef_unum (const char *name, unsigned long dflt); -+extern const char *getdef_str (const char *name, const char *dflt); -+ -+/* Free all data allocated by getdef_* calls before. */ -+extern void free_getdef_data (void); -+ -+#endif /* _GETDEF_H_ */ -Index: src/su.c -=================================================================== ---- src/su.c.orig 2010-10-11 19:35:11.000000000 +0200 -+++ src/su.c 2010-11-11 16:02:50.694175850 +0100 -@@ -37,6 +37,16 @@ - restricts who can su to UID 0 accounts. RMS considers that to - be fascist. - -+#ifdef USE_PAM -+ -+ Actually, with PAM, su has nothing to do with whether or not a -+ wheel group is enforced by su. RMS tries to restrict your access -+ to a su which implements the wheel group, but PAM considers that -+ to be fascist, and gives the user/sysadmin the opportunity to -+ enforce a wheel group by proper editing of /etc/pam.d/su -+ -+#endif -+ - Compile-time options: - -DSYSLOG_SUCCESS Log successful su's (by default, to root) with syslog. - -DSYSLOG_FAILURE Log failed su's (by default, to root) with syslog. -@@ -52,12 +62,22 @@ - #include - #include - #include -+#ifdef USE_PAM -+#include -+#include -+#include -+#include -+#include -+#endif - - #include "system.h" - #include "getpass.h" - - #if HAVE_SYSLOG_H && HAVE_SYSLOG - # include -+# define SYSLOG_SUCCESS 1 -+# define SYSLOG_FAILURE 1 -+# define SYSLOG_NON_ROOT 1 - #else - # undef SYSLOG_SUCCESS - # undef SYSLOG_FAILURE -@@ -91,19 +111,13 @@ - # include - #endif - -+#include "getdef.h" -+ - /* The default PATH for simulated logins to non-superuser accounts. 
*/ --#ifdef _PATH_DEFPATH --# define DEFAULT_LOGIN_PATH _PATH_DEFPATH --#else --# define DEFAULT_LOGIN_PATH ":/usr/ucb:/bin:/usr/bin" --#endif -+#define DEFAULT_LOGIN_PATH "/usr/local/bin:/bin:/usr/bin:/usr/X11R6/bin" - - /* The default PATH for simulated logins to superuser accounts. */ --#ifdef _PATH_DEFPATH_ROOT --# define DEFAULT_ROOT_LOGIN_PATH _PATH_DEFPATH_ROOT --#else --# define DEFAULT_ROOT_LOGIN_PATH "/usr/ucb:/bin:/usr/bin:/etc" --#endif -+#define DEFAULT_ROOT_LOGIN_PATH "/usr/sbin:/bin:/usr/bin:/sbin:/usr/X11R6/bin" - - /* The shell to run if none is given in the user's passwd entry. */ - #define DEFAULT_SHELL "/bin/sh" -@@ -111,8 +125,9 @@ - /* The user to become if none is specified. */ - #define DEFAULT_USER "root" - -+#ifndef USE_PAM - char *crypt (char const *key, char const *salt); -- -+#endif - static void run_shell (char const *, char const *, char **, size_t) - ATTRIBUTE_NORETURN; - -@@ -125,6 +140,13 @@ static bool simulate_login; - /* If true, change some environment vars to indicate the user su'd to. 
*/ - static bool change_environment; - -+#ifdef USE_PAM -+static bool _pam_session_opened; -+static bool _pam_cred_established; -+static void export_pamenv (void); -+static void create_watching_parent (void); -+#endif -+ - static struct option const longopts[] = - { - {"command", required_argument, NULL, 'c'}, -@@ -200,7 +222,162 @@ log_su (struct passwd const *pw, bool su - } - #endif - -+#ifdef USE_PAM -+#define PAM_SERVICE_NAME PROGRAM_NAME -+#define PAM_SERVICE_NAME_L PROGRAM_NAME "-l" -+static bool caught_signal = false; -+static pam_handle_t *pamh = NULL; -+static int retval; -+static struct pam_conv conv = -+{ -+ misc_conv, -+ NULL -+}; -+ -+#define PAM_BAIL_P(a) \ -+ if (retval) \ -+ { \ -+ pam_end (pamh, retval); \ -+ a; \ -+ } -+ -+static void -+cleanup_pam (int retcode) -+{ -+ if (_pam_session_opened) -+ pam_close_session (pamh, 0); -+ -+ if (_pam_cred_established) -+ pam_setcred (pamh, PAM_DELETE_CRED | PAM_SILENT); -+ -+ pam_end(pamh, retcode); -+} -+ -+/* Signal handler for parent process. */ -+static void -+su_catch_sig (int sig) -+{ -+ caught_signal = true; -+} -+ -+/* Export env variables declared by PAM modules. */ -+static void -+export_pamenv (void) -+{ -+ char **env; -+ -+ /* This is a copy but don't care to free as we exec later anyways. 
*/ -+ env = pam_getenvlist (pamh); -+ while (env && *env) -+ { -+ if (putenv (*env) != 0) -+ xalloc_die (); -+ env++; -+ } -+} -+ -+static void -+create_watching_parent (void) -+{ -+ pid_t child; -+ sigset_t ourset; -+ int status; -+ -+ retval = pam_open_session (pamh, 0); -+ if (retval != PAM_SUCCESS) -+ { -+ cleanup_pam (retval); -+ error (EXIT_FAILURE, 0, _("cannot not open session: %s"), -+ pam_strerror (pamh, retval)); -+ } -+ else -+ _pam_session_opened = 1; -+ -+ child = fork (); -+ if (child == (pid_t) -1) -+ { -+ cleanup_pam (PAM_ABORT); -+ error (EXIT_FAILURE, errno, _("cannot create child process")); -+ } -+ -+ /* the child proceeds to run the shell */ -+ if (child == 0) -+ return; -+ -+ /* In the parent watch the child. */ -+ -+ /* su without pam support does not have a helper that keeps -+ sitting on any directory so let's go to /. */ -+ if (chdir ("/") != 0) -+ error (0, errno, _("warning: cannot change directory to %s"), "/"); -+ -+ sigfillset (&ourset); -+ if (sigprocmask (SIG_BLOCK, &ourset, NULL)) -+ { -+ error (0, errno, _("cannot block signals")); -+ caught_signal = true; -+ } -+ if (!caught_signal) -+ { -+ struct sigaction action; -+ action.sa_handler = su_catch_sig; -+ sigemptyset (&action.sa_mask); -+ action.sa_flags = 0; -+ sigemptyset (&ourset); -+ if (sigaddset (&ourset, SIGTERM) -+ || sigaddset (&ourset, SIGALRM) -+ || sigaction (SIGTERM, &action, NULL) -+ || sigprocmask (SIG_UNBLOCK, &ourset, NULL)) -+ { -+ error (0, errno, _("cannot set signal handler")); -+ caught_signal = true; -+ } -+ } -+ if (!caught_signal) -+ { -+ for (;;) -+ { -+ pid_t pid; -+ -+ pid = waitpid (child, &status, WUNTRACED); -+ -+ if (WIFSTOPPED (status)) -+ { -+ kill (getpid (), SIGSTOP); -+ /* once we get here, we must have resumed */ -+ kill (pid, SIGCONT); -+ } -+ else -+ break; -+ } -+ if (WIFSIGNALED (status)) -+ status = WTERMSIG (status) + 128; -+ else -+ status = WEXITSTATUS (status); -+ } -+ else -+ status = 1; -+ -+ if (caught_signal) -+ { -+ fprintf 
(stderr, _("\nSession terminated, killing shell...")); -+ kill (child, SIGTERM); -+ } -+ -+ cleanup_pam (PAM_SUCCESS); -+ -+ if (caught_signal) -+ { -+ sleep (2); -+ kill (child, SIGKILL); -+ fprintf (stderr, _(" ...killed.\n")); -+ } -+ exit (status); -+} -+#endif -+ - /* Ask the user for a password. -+ If PAM is in use, let PAM ask for the password if necessary. - Return true if the user gives the correct password for entry PW, - false if not. Return true without asking for a password if run by UID 0 - or if PW has an empty password. */ -@@ -208,10 +385,52 @@ log_su (struct passwd const *pw, bool su - static bool - correct_password (const struct passwd *pw) - { -+#ifdef USE_PAM -+ const struct passwd *lpw; -+ const char *cp; -+ -+ retval = pam_start (simulate_login ? PAM_SERVICE_NAME_L : PAM_SERVICE_NAME, -+ pw->pw_name, &conv, &pamh); -+ PAM_BAIL_P (return false); -+ -+ if (isatty (0) && (cp = ttyname (0)) != NULL) -+ { -+ const char *tty; -+ -+ if (strncmp (cp, "/dev/", 5) == 0) -+ tty = cp + 5; -+ else -+ tty = cp; -+ retval = pam_set_item (pamh, PAM_TTY, tty); -+ PAM_BAIL_P (return false); -+ } -+#if 0 /* Manpage discourages use of getlogin. */ -+ cp = getlogin (); -+ if (!(cp && *cp && (lpw = getpwnam (cp)) != NULL && lpw->pw_uid == getuid ())) -+#endif -+ lpw = getpwuid (getuid ()); -+ if (lpw && lpw->pw_name) -+ { -+ retval = pam_set_item (pamh, PAM_RUSER, (const void *) lpw->pw_name); -+ PAM_BAIL_P (return false); -+ } -+ retval = pam_authenticate (pamh, 0); -+ PAM_BAIL_P (return false); -+ retval = pam_acct_mgmt (pamh, 0); -+ if (retval == PAM_NEW_AUTHTOK_REQD) -+ { -+ /* Password has expired. Offer option to change it. */ -+ retval = pam_chauthtok (pamh, PAM_CHANGE_EXPIRED_AUTHTOK); -+ PAM_BAIL_P (return false); -+ } -+ PAM_BAIL_P (return false); -+ /* Must be authenticated if this point was reached. 
*/ -+ return true; -+#else /* !USE_PAM */ - char *unencrypted, *encrypted, *correct; - #if HAVE_GETSPNAM && HAVE_STRUCT_SPWD_SP_PWDP - /* Shadow passwd stuff for SVR3 and maybe other systems. */ -- struct spwd *sp = getspnam (pw->pw_name); -+ const struct spwd *sp = getspnam (pw->pw_name); - - endspent (); - if (sp) -@@ -232,6 +451,7 @@ correct_password (const struct passwd *p - encrypted = crypt (unencrypted, correct); - memset (unencrypted, 0, strlen (unencrypted)); - return STREQ (encrypted, correct); -+#endif /* !USE_PAM */ - } - - /* Update `environ' for the new shell based on PW, with SHELL being -@@ -256,8 +476,8 @@ modify_environment (const struct passwd - xsetenv ("USER", pw->pw_name); - xsetenv ("LOGNAME", pw->pw_name); - xsetenv ("PATH", (pw->pw_uid -- ? DEFAULT_LOGIN_PATH -- : DEFAULT_ROOT_LOGIN_PATH)); -+ ? getdef_str ("PATH", DEFAULT_LOGIN_PATH) -+ : getdef_str ("SUPATH", DEFAULT_ROOT_LOGIN_PATH))); - } - else - { -@@ -267,6 +487,12 @@ modify_environment (const struct passwd - { - xsetenv ("HOME", pw->pw_dir); - xsetenv ("SHELL", shell); -+ if (getdef_bool ("ALWAYS_SET_PATH", 0)) -+ xsetenv ("PATH", (pw->pw_uid -+ ? getdef_str ("PATH", -+ DEFAULT_LOGIN_PATH) -+ : getdef_str ("SUPATH", -+ DEFAULT_ROOT_LOGIN_PATH))); - if (pw->pw_uid) - { - xsetenv ("USER", pw->pw_name); -@@ -274,19 +500,41 @@ modify_environment (const struct passwd - } - } - } -+ -+#ifdef USE_PAM -+ export_pamenv (); -+#endif - } - - /* Become the user and group(s) specified by PW. 
*/ - - static void --change_identity (const struct passwd *pw) -+init_groups (const struct passwd *pw) - { - #ifdef HAVE_INITGROUPS - errno = 0; - if (initgroups (pw->pw_name, pw->pw_gid) == -1) -- error (EXIT_CANCELED, errno, _("cannot set groups")); -+ { -+#ifdef USE_PAM -+ cleanup_pam (PAM_ABORT); -+#endif -+ error (EXIT_FAILURE, errno, _("cannot set groups")); -+ } - endgrent (); - #endif -+ -+#ifdef USE_PAM -+ retval = pam_setcred (pamh, PAM_ESTABLISH_CRED); -+ if (retval != PAM_SUCCESS) -+ error (EXIT_FAILURE, 0, "%s", pam_strerror (pamh, retval)); -+ else -+ _pam_cred_established = 1; -+#endif -+} -+ -+static void -+change_identity (const struct passwd *pw) -+{ - if (setgid (pw->pw_gid)) - error (EXIT_CANCELED, errno, _("cannot set group id")); - if (setuid (pw->pw_uid)) -@@ -479,6 +727,7 @@ main (int argc, char **argv) - #ifdef SYSLOG_FAILURE - log_su (pw, false); - #endif -+ sleep (getdef_num ("FAIL_DELAY", 1)); - error (EXIT_CANCELED, 0, _("incorrect password")); - } - #ifdef SYSLOG_SUCCESS -@@ -500,9 +749,21 @@ main (int argc, char **argv) - shell = NULL; - } - shell = xstrdup (shell ? shell : pw->pw_shell); -- modify_environment (pw, shell); -+ -+ init_groups (pw); -+ -+#ifdef USE_PAM -+ create_watching_parent (); -+ /* Now we're in the child. */ -+#endif - - change_identity (pw); -+ -+ /* Set environment after pam_open_session, which may put KRB5CCNAME -+ into the pam_env, etc. 
*/ -+ -+ modify_environment (pw, shell); -+ - if (simulate_login && chdir (pw->pw_dir) != 0) - error (0, errno, _("warning: cannot change directory to %s"), pw->pw_dir); - -Index: tests/Makefile.in -=================================================================== ---- tests/Makefile.in.orig 2010-10-15 16:31:45.000000000 +0200 -+++ tests/Makefile.in 2010-11-11 16:02:50.750185750 +0100 -@@ -1045,6 +1045,7 @@ PACKAGE_STRING = @PACKAGE_STRING@ - PACKAGE_TARNAME = @PACKAGE_TARNAME@ - PACKAGE_URL = @PACKAGE_URL@ - PACKAGE_VERSION = @PACKAGE_VERSION@ -+PAM_LIBS = @PAM_LIBS@ - PATH_SEPARATOR = @PATH_SEPARATOR@ - PERL = @PERL@ - POSIX_SHELL = @POSIX_SHELL@ diff --git a/coreutils-6.8.0-pie.patch b/coreutils-6.8.0-pie.patch deleted file mode 100644 index fca2788..0000000 --- a/coreutils-6.8.0-pie.patch +++ /dev/null 
@@ -1,192 +0,0 @@ -Index: lib/Makefile.am -=================================================================== ---- lib/Makefile.am.orig 2010-10-11 19:35:11.000000000 +0200 -+++ lib/Makefile.am 2010-11-11 16:24:42.950085976 +0100 -@@ -17,7 +17,7 @@ - - include gnulib.mk - --AM_CFLAGS += $(GNULIB_WARN_CFLAGS) $(WERROR_CFLAGS) -+AM_CFLAGS += $(GNULIB_WARN_CFLAGS) $(WERROR_CFLAGS) -fpie - - libcoreutils_a_SOURCES += \ - buffer-lcm.c buffer-lcm.h -Index: lib/Makefile.in -=================================================================== ---- lib/Makefile.in.orig 2010-11-11 16:21:01.630976009 +0100 -+++ lib/Makefile.in 2010-11-11 16:25:20.640746300 +0100 -@@ -1505,7 +1505,7 @@ MAINTAINERCLEANFILES = iconv_open-aix.h - iconv_open-irix.h iconv_open-osf.h iconv_open-solaris.h \ - parse-datetime.c - AM_CPPFLAGS = --AM_CFLAGS = $(GNULIB_WARN_CFLAGS) $(WERROR_CFLAGS) -+AM_CFLAGS = $(GNULIB_WARN_CFLAGS) $(WERROR_CFLAGS) -fpie - libcoreutils_a_SOURCES = set-mode-acl.c copy-acl.c file-has-acl.c \ - areadlink.c areadlink-with-size.c areadlinkat.c argv-iter.c \ - argv-iter.h base64.h base64.c bitrotate.h c-ctype.h c-ctype.c \ -Index: src/Makefile.am -=================================================================== ---- src/Makefile.am.orig 2010-11-11 16:21:01.674983785 +0100 -+++ src/Makefile.am 2010-11-11 16:21:01.839012773 +0100 -@@ -354,6 +354,10 @@ uptime_LDADD += $(GETLOADAVG_LIBS) - # for crypt - su_SOURCES = su.c getdef.c - su_LDADD = $(LDADD) $(LIB_CRYPT) $(PAM_LIBS) -+su_CFLAGS = -fpie -+su_LDFLAGS = -pie -Wl,-z,relro,-z,now -+timeout_CFLAGS = -fpie -+timeout_LDFLAGS = -pie -Wl,-z,relro,-z,now - - # for various ACL functions - copy_LDADD += $(LIB_ACL) -Index: src/Makefile.in -=================================================================== ---- src/Makefile.in.orig 2010-11-11 16:21:01.674983786 +0100 -+++ src/Makefile.in 2010-11-11 16:24:16.137347873 +0100 -@@ -553,10 +553,12 @@ stdbuf_DEPENDENCIES = $(am__DEPENDENCIES - stty_SOURCES = stty.c - stty_OBJECTS = 
stty.$(OBJEXT) - stty_DEPENDENCIES = $(am__DEPENDENCIES_2) --am_su_OBJECTS = su.$(OBJEXT) getdef.$(OBJEXT) -+am_su_OBJECTS = su-su.$(OBJEXT) su-getdef.$(OBJEXT) - su_OBJECTS = $(am_su_OBJECTS) - su_DEPENDENCIES = $(am__DEPENDENCIES_2) $(am__DEPENDENCIES_1) \ - $(am__DEPENDENCIES_1) -+su_LINK = $(CCLD) $(su_CFLAGS) $(CFLAGS) $(su_LDFLAGS) $(LDFLAGS) -o \ -+ $@ - sum_SOURCES = sum.c - sum_OBJECTS = sum.$(OBJEXT) - sum_DEPENDENCIES = $(am__DEPENDENCIES_2) -@@ -575,9 +577,12 @@ tee_DEPENDENCIES = $(am__DEPENDENCIES_2) - test_SOURCES = test.c - test_OBJECTS = test.$(OBJEXT) - test_DEPENDENCIES = $(am__DEPENDENCIES_2) $(am__DEPENDENCIES_1) --am_timeout_OBJECTS = timeout.$(OBJEXT) operand2sig.$(OBJEXT) -+am_timeout_OBJECTS = timeout-timeout.$(OBJEXT) \ -+ timeout-operand2sig.$(OBJEXT) - timeout_OBJECTS = $(am_timeout_OBJECTS) - timeout_DEPENDENCIES = $(am__DEPENDENCIES_2) $(am__DEPENDENCIES_1) -+timeout_LINK = $(CCLD) $(timeout_CFLAGS) $(CFLAGS) $(timeout_LDFLAGS) \ -+ $(LDFLAGS) -o $@ - touch_SOURCES = touch.c - touch_OBJECTS = touch.$(OBJEXT) - touch_DEPENDENCIES = $(am__DEPENDENCIES_2) $(am__DEPENDENCIES_1) -@@ -1783,6 +1788,10 @@ stty_LDADD = $(LDADD) - # for crypt - su_SOURCES = su.c getdef.c - su_LDADD = $(LDADD) $(LIB_CRYPT) $(PAM_LIBS) -+su_CFLAGS = -fpie -+su_LDFLAGS = -pie -+timeout_CFLAGS = -fpie -+timeout_LDFLAGS = -pie - sum_LDADD = $(LDADD) - sync_LDADD = $(LDADD) - tac_LDADD = $(LDADD) -@@ -2317,7 +2326,7 @@ stty$(EXEEXT): $(stty_OBJECTS) $(stty_DE - $(AM_V_CCLD)$(LINK) $(stty_OBJECTS) $(stty_LDADD) $(LIBS) - su$(EXEEXT): $(su_OBJECTS) $(su_DEPENDENCIES) $(EXTRA_su_DEPENDENCIES) - @rm -f su$(EXEEXT) -- $(AM_V_CCLD)$(LINK) $(su_OBJECTS) $(su_LDADD) $(LIBS) -+ $(AM_V_CCLD)$(su_LINK) $(su_OBJECTS) $(su_LDADD) $(LIBS) - sum$(EXEEXT): $(sum_OBJECTS) $(sum_DEPENDENCIES) $(EXTRA_sum_DEPENDENCIES) - @rm -f sum$(EXEEXT) - $(AM_V_CCLD)$(LINK) $(sum_OBJECTS) $(sum_LDADD) $(LIBS) -@@ -2338,7 +2347,7 @@ test$(EXEEXT): $(test_OBJECTS) $(test_DE - $(AM_V_CCLD)$(LINK) 
$(test_OBJECTS) $(test_LDADD) $(LIBS) - timeout$(EXEEXT): $(timeout_OBJECTS) $(timeout_DEPENDENCIES) $(EXTRA_timeout_DEPENDENCIES) - @rm -f timeout$(EXEEXT) -- $(AM_V_CCLD)$(LINK) $(timeout_OBJECTS) $(timeout_LDADD) $(LIBS) -+ $(AM_V_CCLD)$(timeout_LINK) $(timeout_OBJECTS) $(timeout_LDADD) $(LIBS) - touch$(EXEEXT): $(touch_OBJECTS) $(touch_DEPENDENCIES) $(EXTRA_touch_DEPENDENCIES) - @rm -f touch$(EXEEXT) - $(AM_V_CCLD)$(LINK) $(touch_OBJECTS) $(touch_LDADD) $(LIBS) -@@ -2428,7 +2437,6 @@ distclean-compile: - @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/find-mount-point.Po@am__quote@ - @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/fmt.Po@am__quote@ - @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/fold.Po@am__quote@ --@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/getdef.Po@am__quote@ - @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/getlimits.Po@am__quote@ - @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/ginstall-copy.Po@am__quote@ - @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/ginstall-cp-hash.Po@am__quote@ -@@ -2492,14 +2500,16 @@ distclean-compile: - @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/stat.Po@am__quote@ - @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/stdbuf.Po@am__quote@ - @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/stty.Po@am__quote@ --@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/su.Po@am__quote@ -+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/su-getdef.Po@am__quote@ -+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/su-su.Po@am__quote@ - @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/sum.Po@am__quote@ - @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/sync.Po@am__quote@ - @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/tac.Po@am__quote@ - @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/tail.Po@am__quote@ - @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/tee.Po@am__quote@ - @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/test.Po@am__quote@ --@AMDEP_TRUE@@am__include@ 
@am__quote@./$(DEPDIR)/timeout.Po@am__quote@ -+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/timeout-operand2sig.Po@am__quote@ -+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/timeout-timeout.Po@am__quote@ - @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/touch.Po@am__quote@ - @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/tr.Po@am__quote@ - @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/true.Po@am__quote@ -@@ -2688,6 +2698,62 @@ sha512sum-md5sum.obj: md5sum.c - @AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ - @am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(sha512sum_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o sha512sum-md5sum.obj `if test -f 'md5sum.c'; then $(CYGPATH_W) 'md5sum.c'; else $(CYGPATH_W) '$(srcdir)/md5sum.c'; fi` - -+su-su.o: su.c -+@am__fastdepCC_TRUE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(su_CFLAGS) $(CFLAGS) -MT su-su.o -MD -MP -MF $(DEPDIR)/su-su.Tpo -c -o su-su.o `test -f 'su.c' || echo '$(srcdir)/'`su.c -+@am__fastdepCC_TRUE@ $(am__mv) $(DEPDIR)/su-su.Tpo $(DEPDIR)/su-su.Po -+@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='su.c' object='su-su.o' libtool=no @AMDEPBACKSLASH@ -+@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ -+@am__fastdepCC_FALSE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(su_CFLAGS) $(CFLAGS) -c -o su-su.o `test -f 'su.c' || echo '$(srcdir)/'`su.c -+ -+su-su.obj: su.c -+@am__fastdepCC_TRUE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(su_CFLAGS) $(CFLAGS) -MT su-su.obj -MD -MP -MF $(DEPDIR)/su-su.Tpo -c -o su-su.obj `if test -f 'su.c'; then $(CYGPATH_W) 'su.c'; else $(CYGPATH_W) '$(srcdir)/su.c'; fi` -+@am__fastdepCC_TRUE@ $(am__mv) $(DEPDIR)/su-su.Tpo $(DEPDIR)/su-su.Po -+@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='su.c' object='su-su.obj' libtool=no @AMDEPBACKSLASH@ 
-+@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ -+@am__fastdepCC_FALSE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(su_CFLAGS) $(CFLAGS) -c -o su-su.obj `if test -f 'su.c'; then $(CYGPATH_W) 'su.c'; else $(CYGPATH_W) '$(srcdir)/su.c'; fi` -+ -+su-getdef.o: getdef.c -+@am__fastdepCC_TRUE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(su_CFLAGS) $(CFLAGS) -MT su-getdef.o -MD -MP -MF $(DEPDIR)/su-getdef.Tpo -c -o su-getdef.o `test -f 'getdef.c' || echo '$(srcdir)/'`getdef.c -+@am__fastdepCC_TRUE@ $(am__mv) $(DEPDIR)/su-getdef.Tpo $(DEPDIR)/su-getdef.Po -+@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='getdef.c' object='su-getdef.o' libtool=no @AMDEPBACKSLASH@ -+@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ -+@am__fastdepCC_FALSE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(su_CFLAGS) $(CFLAGS) -c -o su-getdef.o `test -f 'getdef.c' || echo '$(srcdir)/'`getdef.c -+ -+su-getdef.obj: getdef.c -+@am__fastdepCC_TRUE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(su_CFLAGS) $(CFLAGS) -MT su-getdef.obj -MD -MP -MF $(DEPDIR)/su-getdef.Tpo -c -o su-getdef.obj `if test -f 'getdef.c'; then $(CYGPATH_W) 'getdef.c'; else $(CYGPATH_W) '$(srcdir)/getdef.c'; fi` -+@am__fastdepCC_TRUE@ $(am__mv) $(DEPDIR)/su-getdef.Tpo $(DEPDIR)/su-getdef.Po -+@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='getdef.c' object='su-getdef.obj' libtool=no @AMDEPBACKSLASH@ -+@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ -+@am__fastdepCC_FALSE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(su_CFLAGS) $(CFLAGS) -c -o su-getdef.obj `if test -f 'getdef.c'; then $(CYGPATH_W) 'getdef.c'; else $(CYGPATH_W) '$(srcdir)/getdef.c'; fi` -+ -+timeout-timeout.o: timeout.c -+@am__fastdepCC_TRUE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) 
$(AM_CPPFLAGS) $(CPPFLAGS) $(timeout_CFLAGS) $(CFLAGS) -MT timeout-timeout.o -MD -MP -MF $(DEPDIR)/timeout-timeout.Tpo -c -o timeout-timeout.o `test -f 'timeout.c' || echo '$(srcdir)/'`timeout.c -+@am__fastdepCC_TRUE@ $(am__mv) $(DEPDIR)/timeout-timeout.Tpo $(DEPDIR)/timeout-timeout.Po -+@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='timeout.c' object='timeout-timeout.o' libtool=no @AMDEPBACKSLASH@ -+@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ -+@am__fastdepCC_FALSE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(timeout_CFLAGS) $(CFLAGS) -c -o timeout-timeout.o `test -f 'timeout.c' || echo '$(srcdir)/'`timeout.c -+ -+timeout-timeout.obj: timeout.c -+@am__fastdepCC_TRUE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(timeout_CFLAGS) $(CFLAGS) -MT timeout-timeout.obj -MD -MP -MF $(DEPDIR)/timeout-timeout.Tpo -c -o timeout-timeout.obj `if test -f 'timeout.c'; then $(CYGPATH_W) 'timeout.c'; else $(CYGPATH_W) '$(srcdir)/timeout.c'; fi` -+@am__fastdepCC_TRUE@ $(am__mv) $(DEPDIR)/timeout-timeout.Tpo $(DEPDIR)/timeout-timeout.Po -+@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='timeout.c' object='timeout-timeout.obj' libtool=no @AMDEPBACKSLASH@ -+@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ -+@am__fastdepCC_FALSE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(timeout_CFLAGS) $(CFLAGS) -c -o timeout-timeout.obj `if test -f 'timeout.c'; then $(CYGPATH_W) 'timeout.c'; else $(CYGPATH_W) '$(srcdir)/timeout.c'; fi` -+ -+timeout-operand2sig.o: operand2sig.c -+@am__fastdepCC_TRUE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(timeout_CFLAGS) $(CFLAGS) -MT timeout-operand2sig.o -MD -MP -MF $(DEPDIR)/timeout-operand2sig.Tpo -c -o timeout-operand2sig.o `test -f 'operand2sig.c' || echo '$(srcdir)/'`operand2sig.c -+@am__fastdepCC_TRUE@ $(am__mv) $(DEPDIR)/timeout-operand2sig.Tpo 
$(DEPDIR)/timeout-operand2sig.Po -+@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='operand2sig.c' object='timeout-operand2sig.o' libtool=no @AMDEPBACKSLASH@ -+@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ -+@am__fastdepCC_FALSE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(timeout_CFLAGS) $(CFLAGS) -c -o timeout-operand2sig.o `test -f 'operand2sig.c' || echo '$(srcdir)/'`operand2sig.c -+ -+timeout-operand2sig.obj: operand2sig.c -+@am__fastdepCC_TRUE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(timeout_CFLAGS) $(CFLAGS) -MT timeout-operand2sig.obj -MD -MP -MF $(DEPDIR)/timeout-operand2sig.Tpo -c -o timeout-operand2sig.obj `if test -f 'operand2sig.c'; then $(CYGPATH_W) 'operand2sig.c'; else $(CYGPATH_W) '$(srcdir)/operand2sig.c'; fi` -+@am__fastdepCC_TRUE@ $(am__mv) $(DEPDIR)/timeout-operand2sig.Tpo $(DEPDIR)/timeout-operand2sig.Po -+@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='operand2sig.c' object='timeout-operand2sig.obj' libtool=no @AMDEPBACKSLASH@ -+@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ -+@am__fastdepCC_FALSE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(timeout_CFLAGS) $(CFLAGS) -c -o timeout-operand2sig.obj `if test -f 'operand2sig.c'; then $(CYGPATH_W) 'operand2sig.c'; else $(CYGPATH_W) '$(srcdir)/operand2sig.c'; fi` -+ - ID: $(HEADERS) $(SOURCES) $(LISP) $(TAGS_FILES) - list='$(SOURCES) $(HEADERS) $(LISP) $(TAGS_FILES)'; \ - unique=`for i in $$list; do \ diff --git a/coreutils-8.6-compile-su-with-fpie.diff b/coreutils-8.6-compile-su-with-fpie.diff new file mode 100644 index 0000000..60a0917 --- /dev/null +++ b/coreutils-8.6-compile-su-with-fpie.diff 
@@ -0,0 +1,42 @@ +From d1a49cccf99373293a88f5bce74857d5bb813e46 Mon Sep 17 00:00:00 2001 +From: Thorsten Kukuk +Date: Tue, 17 Aug 2010 09:21:22 +0200 +Subject: [PATCH 7/7] compile su with -fpie + +--- + lib/Makefile.am | 2 +- + src/Makefile.am | 5 +++++ + 2 files changed, 6 insertions(+), 1 deletions(-) + +diff --git a/lib/Makefile.am b/lib/Makefile.am +index b4a591b..059928e 100644 +--- a/lib/Makefile.am ++++ b/lib/Makefile.am +@@ -17,7 +17,7 @@ + + include gnulib.mk + +-AM_CFLAGS += $(GNULIB_WARN_CFLAGS) $(WERROR_CFLAGS) ++AM_CFLAGS += $(GNULIB_WARN_CFLAGS) $(WERROR_CFLAGS) -fpie + + libcoreutils_a_SOURCES += \ + buffer-lcm.c buffer-lcm.h +diff --git a/src/Makefile.am b/src/Makefile.am +index 484f6c2..17600af 100644 +--- a/src/Makefile.am ++++ b/src/Makefile.am +@@ -355,6 +355,11 @@ uptime_LDADD += $(GETLOADAVG_LIBS) + su_SOURCES = su.c getdef.c + su_LDADD += $(LIB_CRYPT) $(PAM_LIBS) + ++su_CFLAGS = -fpie ++su_LDFLAGS = -pie ++timeout_CFLAGS = -fpie ++timeout_LDFLAGS = -pie ++ + # for various ACL functions + copy_LDADD += $(LIB_ACL) + ls_LDADD += $(LIB_ACL) +-- +1.7.1 + diff --git a/coreutils-8.6-honor-settings-in-etc-default-su-resp-etc-login.defs.diff b/coreutils-8.6-honor-settings-in-etc-default-su-resp-etc-login.defs.diff new file mode 100644 index 0000000..9770bc8 --- /dev/null +++ b/coreutils-8.6-honor-settings-in-etc-default-su-resp-etc-login.defs.diff 
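Review bot: `su_LDFLAGS = -pie` and `timeout_LDFLAGS = -pie` in the src/Makefile.am hunk drop the `-Wl,-z,relro,-z,now` that the deleted coreutils-6.8.0-pie.patch carried on the same two lines. Unless the spec file passes those linker flags some other way, the setuid su loses full RELRO and immediate binding. I would keep `su_LDFLAGS = -pie -Wl,-z,relro,-z,now` and `timeout_LDFLAGS = -pie -Wl,-z,relro,-z,now`. The subject names only su, while the patch also adds -fpie to timeout and, through `AM_CFLAGS`, to every object in lib/; a line in the patch description saying so would help whoever rebases it next.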
@@ -0,0 +1,374 @@ +From d776b1b67eb1bc1b815426fdf22f38b25ef1e2df Mon Sep 17 00:00:00 2001 +From: Ludwig Nussel +Date: Mon, 9 Aug 2010 16:03:12 +0200 +Subject: [PATCH 5/7] honor settings in /etc/default/su resp /etc/login.defs + +--- + src/Makefile.am | 1 + + src/getdef.c | 259 +++++++++++++++++++++++++++++++++++++++++++++++++++++++ + src/getdef.h | 29 ++++++ + src/su.c | 13 +++- + 4 files changed, 300 insertions(+), 2 deletions(-) + create mode 100644 src/getdef.c + create mode 100644 src/getdef.h + +diff --git a/src/Makefile.am b/src/Makefile.am +index bc27274..484f6c2 100644 +--- a/src/Makefile.am ++++ b/src/Makefile.am +@@ -352,6 +352,7 @@ factor_LDADD += $(LIB_GMP) + uptime_LDADD += $(GETLOADAVG_LIBS) + + # for crypt and pam ++su_SOURCES = su.c getdef.c + su_LDADD += $(LIB_CRYPT) $(PAM_LIBS) + + # for various ACL functions +diff --git a/src/getdef.c b/src/getdef.c +new file mode 100644 +index 0000000..e1872cf +--- /dev/null ++++ b/src/getdef.c +@@ -0,0 +1,259 @@ ++/* Copyright (C) 2003, 2004, 2005 Thorsten Kukuk ++ Author: Thorsten Kukuk ++ ++ This program is free software; you can redistribute it and/or modify ++ it under the terms of the GNU General Public License version 2 as ++ published by the Free Software Foundation. ++ ++ This program is distributed in the hope that it will be useful, ++ but WITHOUT ANY WARRANTY; without even the implied warranty of ++ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the ++ GNU General Public License for more details. ++ ++ You should have received a copy of the GNU General Public License ++ along with this program; if not, write to the Free Software Foundation, ++ Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA. */ ++ ++#ifdef HAVE_CONFIG_H ++#include ++#endif ++ ++#define _GNU_SOURCE ++ ++#include ++#include ++#include ++#include ++#include ++#include ++ ++#include "getdef.h" ++ ++struct item { ++ char *name; /* Name of the option. */ ++ char *value; /* Value of the option. 
*/ ++ struct item *next; /* Pointer to next option. */ ++}; ++ ++static struct item *list = NULL; ++ ++void ++free_getdef_data (void) ++{ ++ struct item *ptr; ++ ++ ptr = list; ++ while (ptr != NULL) ++ { ++ struct item *tmp; ++ tmp = ptr->next; ++ free (ptr->name); ++ free (ptr->value); ++ free (ptr); ++ ptr = tmp; ++ } ++ ++ list = NULL; ++} ++ ++/* Add a new entry to the list. */ ++static void ++store (const char *name, const char *value) ++{ ++ struct item *new = malloc (sizeof (struct item)); ++ ++ if (new == NULL) ++ abort (); ++ ++ if (name == NULL) ++ abort (); ++ ++ new->name = strdup (name); ++ new->value = strdup (value ?: ""); ++ new->next = list; ++ list = new; ++} ++ ++/* Search a special entry in the list and return the value. */ ++static const char * ++search (const char *name) ++{ ++ struct item *ptr; ++ ++ ptr = list; ++ while (ptr != NULL) ++ { ++ if (strcasecmp (name, ptr->name) == 0) ++ return ptr->value; ++ ptr = ptr->next; ++ } ++ ++ return NULL; ++} ++ ++/* Load the login.defs file (/etc/login.defs). 
*/ ++static void ++load_defaults_internal (const char *filename) ++{ ++ FILE *fp; ++ char *buf = NULL; ++ size_t buflen = 0; ++ ++ fp = fopen (filename, "r"); ++ if (NULL == fp) ++ return; ++ ++ while (!feof (fp)) ++ { ++ char *tmp, *cp; ++#if defined(HAVE_GETLINE) ++ ssize_t n = getline (&buf, &buflen, fp); ++#elif defined (HAVE_GETDELIM) ++ ssize_t n = getdelim (&buf, &buflen, '\n', fp); ++#else ++ ssize_t n; ++ ++ if (buf == NULL) ++ { ++ buflen = 8096; ++ buf = malloc (buflen); ++ } ++ buf[0] = '\0'; ++ fgets (buf, buflen - 1, fp); ++ if (buf != NULL) ++ n = strlen (buf); ++ else ++ n = 0; ++#endif /* HAVE_GETLINE / HAVE_GETDELIM */ ++ cp = buf; ++ ++ if (n < 1) ++ break; ++ ++ tmp = strchr (cp, '#'); /* remove comments */ ++ if (tmp) ++ *tmp = '\0'; ++ while (isspace ((unsigned char) *cp)) /* remove spaces and tabs */ ++ ++cp; ++ if (*cp == '\0') /* ignore empty lines */ ++ continue; ++ ++ if (cp[strlen (cp) - 1] == '\n') ++ cp[strlen (cp) - 1] = '\0'; ++ ++ tmp = strsep (&cp, " \t="); ++ if (cp != NULL) ++ while (isspace ((unsigned char) *cp) || *cp == '=') ++ ++cp; ++ ++ store (tmp, cp); ++ } ++ fclose (fp); ++ ++ if (buf) ++ free (buf); ++} ++ ++static void ++load_defaults (void) ++{ ++ load_defaults_internal ("/etc/default/su"); ++ load_defaults_internal ("/etc/login.defs"); ++} ++ ++int ++getdef_bool (const char *name, int dflt) ++{ ++ const char *val; ++ ++ if (list == NULL) ++ load_defaults (); ++ ++ val = search (name); ++ ++ if (val == NULL) ++ return dflt; ++ ++ return (strcasecmp (val, "yes") == 0); ++} ++ ++long ++getdef_num (const char *name, long dflt) ++{ ++ const char *val; ++ char *cp; ++ long retval; ++ ++ if (list == NULL) ++ load_defaults (); ++ ++ val = search (name); ++ ++ if (val == NULL) ++ return dflt; ++ ++ errno = 0; ++ retval = strtol (val, &cp, 0); ++ if (*cp != '\0' ++ || ((retval == LONG_MAX || retval == LONG_MIN) && errno == ERANGE)) ++ { ++ fprintf (stderr, ++ "%s contains invalid numerical value: %s!\n", ++ name, val); ++ 
retval = dflt; ++ } ++ return retval; ++} ++ ++unsigned long ++getdef_unum (const char *name, unsigned long dflt) ++{ ++ const char *val; ++ char *cp; ++ unsigned long retval; ++ ++ if (list == NULL) ++ load_defaults (); ++ ++ val = search (name); ++ ++ if (val == NULL) ++ return dflt; ++ ++ errno = 0; ++ retval = strtoul (val, &cp, 0); ++ if (*cp != '\0' || (retval == ULONG_MAX && errno == ERANGE)) ++ { ++ fprintf (stderr, ++ "%s contains invalid numerical value: %s!\n", ++ name, val); ++ retval = dflt; ++ } ++ return retval; ++} ++ ++const char * ++getdef_str (const char *name, const char *dflt) ++{ ++ const char *retval; ++ ++ if (list == NULL) ++ load_defaults (); ++ ++ retval = search (name); ++ ++ return retval ?: dflt; ++} ++ ++#if defined(TEST) ++ ++int ++main () ++{ ++ printf ("CYPT=%s\n", getdef_str ("cRypt", "no")); ++ printf ("LOG_UNKFAIL_ENAB=%s\n", getdef_str ("log_unkfail_enab","")); ++ printf ("DOESNOTEXIST=%s\n", getdef_str ("DOESNOTEXIST","yes")); ++ return 0; ++} ++ ++#endif +diff --git a/src/getdef.h b/src/getdef.h +new file mode 100644 +index 0000000..2e86cf9 +--- /dev/null ++++ b/src/getdef.h +@@ -0,0 +1,29 @@ ++/* Copyright (C) 2003, 2005 Thorsten Kukuk ++ Author: Thorsten Kukuk ++ ++ This program is free software; you can redistribute it and/or modify ++ it under the terms of the GNU General Public License version 2 as ++ published by the Free Software Foundation. ++ ++ This program is distributed in the hope that it will be useful, ++ but WITHOUT ANY WARRANTY; without even the implied warranty of ++ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the ++ GNU General Public License for more details. ++ ++ You should have received a copy of the GNU General Public License ++ along with this program; if not, write to the Free Software Foundation, ++ Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA. 
*/ ++ ++#ifndef _GETDEF_H_ ++ ++#define _GETDEF_H_ 1 ++ ++extern int getdef_bool (const char *name, int dflt); ++extern long getdef_num (const char *name, long dflt); ++extern unsigned long getdef_unum (const char *name, unsigned long dflt); ++extern const char *getdef_str (const char *name, const char *dflt); ++ ++/* Free all data allocated by getdef_* calls before. */ ++extern void free_getdef_data (void); ++ ++#endif /* _GETDEF_H_ */ +diff --git a/src/su.c b/src/su.c +index 0071622..eaef195 100644 +--- a/src/su.c ++++ b/src/su.c +@@ -111,6 +111,8 @@ + # include + #endif + ++#include "getdef.h" ++ + /* The default PATH for simulated logins to non-superuser accounts. */ + #define DEFAULT_LOGIN_PATH "/usr/local/bin:/bin:/usr/bin" + +@@ -475,8 +477,8 @@ modify_environment (const struct passwd *pw, const char *shell) + xsetenv ("USER", pw->pw_name); + xsetenv ("LOGNAME", pw->pw_name); + xsetenv ("PATH", (pw->pw_uid +- ? DEFAULT_LOGIN_PATH +- : DEFAULT_ROOT_LOGIN_PATH)); ++ ? getdef_str ("PATH", DEFAULT_LOGIN_PATH) ++ : getdef_str ("SUPATH", DEFAULT_ROOT_LOGIN_PATH))); + } + else + { +@@ -486,6 +488,12 @@ modify_environment (const struct passwd *pw, const char *shell) + { + xsetenv ("HOME", pw->pw_dir); + xsetenv ("SHELL", shell); ++ if (getdef_bool ("ALWAYS_SET_PATH", 0)) ++ xsetenv ("PATH", (pw->pw_uid ++ ? getdef_str ("PATH", ++ DEFAULT_LOGIN_PATH) ++ : getdef_str ("SUPATH", ++ DEFAULT_ROOT_LOGIN_PATH))); + if (pw->pw_uid) + { + xsetenv ("USER", pw->pw_name); +@@ -720,6 +728,7 @@ main (int argc, char **argv) + #ifdef SYSLOG_FAILURE + log_su (pw, false); + #endif ++ sleep (getdef_num ("FAIL_DELAY", 1)); + error (EXIT_CANCELED, 0, _("incorrect password")); + } + #ifdef SYSLOG_SUCCESS +-- +1.7.1 + diff --git a/coreutils-8.6-log-all-su-attempts.diff b/coreutils-8.6-log-all-su-attempts.diff new file mode 100644 index 0000000..492bc06 --- /dev/null +++ b/coreutils-8.6-log-all-su-attempts.diff 
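Review bot: load_defaults_internal() in src/getdef.c cuts each line at `#` and skips leading blanks but never trims trailing ones, so a line such as `ALWAYS_SET_PATH yes   # comment` (constructed example) is stored as `yes` followed by spaces. getdef_bool() then fails its `strcasecmp (val, "yes")` comparison and silently returns false, and getdef_num()/getdef_unum() hit `*cp != '\0'`, print the invalid-value message and fall back to the default. Trimming just before the `store (tmp, cp)` call fixes all three readers: `if (cp) { size_t l = strlen (cp); while (l && isspace ((unsigned char) cp[l - 1])) cp[--l] = '\0'; }`. Separately, store() uses the results of both `strdup` calls unchecked, unlike the `malloc` above them, which aborts on NULL.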
@@ -0,0 +1,26 @@ +From f2ea0c33d8c25ee40e7fe7a16d0994c8069bc120 Mon Sep 17 00:00:00 2001 +From: Ludwig Nussel +Date: Tue, 17 Aug 2010 13:22:01 +0200 +Subject: [PATCH 3/7] log all su attempts + +--- + src/su.c | 3 +++ + 1 files changed, 3 insertions(+), 0 deletions(-) + +diff --git a/src/su.c b/src/su.c +index 1d3d007..2a9e423 100644 +--- a/src/su.c ++++ b/src/su.c +@@ -75,6 +75,9 @@ + + #if HAVE_SYSLOG_H && HAVE_SYSLOG + # include ++# define SYSLOG_SUCCESS 1 ++# define SYSLOG_FAILURE 1 ++# define SYSLOG_NON_ROOT 1 + #else + # undef SYSLOG_SUCCESS + # undef SYSLOG_FAILURE +-- +1.7.1 + diff --git a/coreutils-5.3.0-sbin4su.patch b/coreutils-8.6-make-sure-sbin-resp-usr-sbin-are-in-PATH.diff similarity index 82% rename from coreutils-5.3.0-sbin4su.patch rename to coreutils-8.6-make-sure-sbin-resp-usr-sbin-are-in-PATH.diff index 3af4168..4329952 100644 --- a/coreutils-5.3.0-sbin4su.patch +++ b/coreutils-8.6-make-sure-sbin-resp-usr-sbin-are-in-PATH.diff @@ -1,8 +1,17 @@ -Index: src/su.c -=================================================================== ---- src/su.c.orig 2010-05-05 14:46:48.000000000 +0200 -+++ src/su.c 2010-05-05 14:48:55.023359308 +0200 -@@ -454,6 +454,117 @@ correct_password (const struct passwd *p +From b43728c1f0c7abe90e73369542564d3ad4704963 Mon Sep 17 00:00:00 2001 +From: Werner Fink +Date: Tue, 17 Aug 2010 09:09:55 +0200 +Subject: [PATCH 6/7] make sure /sbin resp /usr/sbin are in PATH + +--- + src/su.c | 127 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ + 1 files changed, 127 insertions(+), 0 deletions(-) + +diff --git a/src/su.c b/src/su.c +index eaef195..d78f968 100644 +--- a/src/su.c ++++ b/src/su.c +@@ -455,6 +455,117 @@ correct_password (const struct passwd *pw) #endif /* !USE_PAM */ } 
@@ -120,7 +129,7 @@ Index: src/su.c /* Update `environ' for the new shell based on PW, with SHELL being the value for the SHELL environment variable. */ -@@ -493,6 +604,22 @@ modify_environment (const struct passwd +@@ -494,6 +605,22 @@ modify_environment (const struct passwd *pw, const char *shell) DEFAULT_LOGIN_PATH) : getdef_str ("SUPATH", DEFAULT_ROOT_LOGIN_PATH))); @@ -143,3 +152,6 @@ Index: src/su.c if (pw->pw_uid) { xsetenv ("USER", pw->pw_name); +-- +1.7.1 + diff --git a/coreutils-8.6-pam-support-for-su.diff b/coreutils-8.6-pam-support-for-su.diff new file mode 100644 index 0000000..71279b2 --- /dev/null +++ b/coreutils-8.6-pam-support-for-su.diff 
@@ -0,0 +1,405 @@ +From 8b1e75c55ea6be5c8639c98b73ecfa0cf15226ce Mon Sep 17 00:00:00 2001 +From: Ludwig Nussel +Date: Tue, 17 Aug 2010 13:21:44 +0200 +Subject: [PATCH 1/7] pam support for su + +--- + configure.ac | 14 +++ + src/Makefile.am | 4 +- + src/su.c | 266 ++++++++++++++++++++++++++++++++++++++++++++++++++++++- + 3 files changed, 278 insertions(+), 6 deletions(-) + +diff --git a/configure.ac b/configure.ac +index 4ac30e8..eacd57f 100644 +--- a/configure.ac ++++ b/configure.ac +@@ -135,6 +135,20 @@ fi + + AC_FUNC_FORK + ++AC_ARG_ENABLE(pam, AS_HELP_STRING([--disable-pam], ++ [Enable PAM support in su (default=auto)]), , [enable_pam=yes]) ++if test "x$enable_pam" != xno; then ++ AC_CHECK_LIB([pam], [pam_start], [enable_pam=yes], [enable_pam=no]) ++ AC_CHECK_LIB([pam_misc], [misc_conv], [:], [enable_pam=no]) ++ if test "x$enable_pam" != xno; then ++ AC_DEFINE(USE_PAM, 1, [Define if you want to use PAM]) ++ PAM_LIBS="-lpam -lpam_misc" ++ AC_SUBST(PAM_LIBS) ++ fi ++fi ++AC_MSG_CHECKING([whether to enable PAM support in su]) ++AC_MSG_RESULT([$enable_pam]) ++ + optional_bin_progs= + AC_CHECK_FUNCS([chroot], + gl_ADD_PROG([optional_bin_progs], [chroot])) +diff --git a/src/Makefile.am b/src/Makefile.am +index 00c7ff7..bc27274 100644 +--- a/src/Makefile.am ++++ b/src/Makefile.am +@@ -351,8 +351,8 @@ factor_LDADD += $(LIB_GMP) + # for getloadavg + uptime_LDADD += $(GETLOADAVG_LIBS) + +-# for crypt +-su_LDADD += $(LIB_CRYPT) ++# for crypt and pam ++su_LDADD += $(LIB_CRYPT) $(PAM_LIBS) + + # for various ACL functions + copy_LDADD += $(LIB_ACL) +diff --git a/src/su.c b/src/su.c +index f8f5b61..1d3d007 100644 +--- a/src/su.c ++++ b/src/su.c +@@ -37,6 +37,16 @@ + restricts who can su to UID 0 accounts. RMS considers that to + be fascist. + ++#ifdef USE_PAM ++ ++ Actually, with PAM, su has nothing to do with whether or not a ++ wheel group is enforced by su. 
RMS tries to restrict your access ++ to a su which implements the wheel group, but PAM considers that ++ to be fascist, and gives the user/sysadmin the opportunity to ++ enforce a wheel group by proper editing of /etc/pam.d/su ++ ++#endif ++ + Compile-time options: + -DSYSLOG_SUCCESS Log successful su's (by default, to root) with syslog. + -DSYSLOG_FAILURE Log failed su's (by default, to root) with syslog. +@@ -52,6 +62,13 @@ + #include + #include + #include ++#ifdef USE_PAM ++#include ++#include ++#include ++#include ++#include ++#endif + + #include "system.h" + #include "getpass.h" +@@ -111,7 +128,9 @@ + /* The user to become if none is specified. */ + #define DEFAULT_USER "root" + ++#ifndef USE_PAM + char *crypt (char const *key, char const *salt); ++#endif + + static void run_shell (char const *, char const *, char **, size_t) + ATTRIBUTE_NORETURN; +@@ -125,6 +144,11 @@ static bool simulate_login; + /* If true, change some environment vars to indicate the user su'd to. */ + static bool change_environment; + ++#ifdef USE_PAM ++static bool _pam_session_opened; ++static bool _pam_cred_established; ++#endif ++ + static struct option const longopts[] = + { + {"command", required_argument, NULL, 'c'}, +@@ -200,7 +224,164 @@ log_su (struct passwd const *pw, bool successful) + } + #endif + ++#ifdef USE_PAM ++#define PAM_SERVICE_NAME PROGRAM_NAME ++#define PAM_SERVICE_NAME_L PROGRAM_NAME "-l" ++static sig_atomic_t volatile caught_signal = false; ++static pam_handle_t *pamh = NULL; ++static int retval; ++static struct pam_conv conv = ++{ ++ misc_conv, ++ NULL ++}; ++ ++#define PAM_BAIL_P(a) \ ++ if (retval) \ ++ { \ ++ pam_end (pamh, retval); \ ++ a; \ ++ } ++ ++static void ++cleanup_pam (int retcode) ++{ ++ if (_pam_session_opened) ++ pam_close_session (pamh, 0); ++ ++ if (_pam_cred_established) ++ pam_setcred (pamh, PAM_DELETE_CRED | PAM_SILENT); ++ ++ pam_end(pamh, retcode); ++} ++ ++/* Signal handler for parent process. 
*/ ++static void ++su_catch_sig (int sig) ++{ ++ caught_signal = true; ++} ++ ++/* Export env variables declared by PAM modules. */ ++static void ++export_pamenv (void) ++{ ++ char **env; ++ ++ /* This is a copy but don't care to free as we exec later anyways. */ ++ env = pam_getenvlist (pamh); ++ while (env && *env) ++ { ++ if (putenv (*env) != 0) ++ xalloc_die (); ++ env++; ++ } ++} ++ ++static void ++create_watching_parent (void) ++{ ++ pid_t child; ++ sigset_t ourset; ++ int status = 0; ++ ++ retval = pam_open_session (pamh, 0); ++ if (retval != PAM_SUCCESS) ++ { ++ cleanup_pam (retval); ++ error (EXIT_FAILURE, 0, _("cannot not open session: %s"), ++ pam_strerror (pamh, retval)); ++ } ++ else ++ _pam_session_opened = 1; ++ ++ child = fork (); ++ if (child == (pid_t) -1) ++ { ++ cleanup_pam (PAM_ABORT); ++ error (EXIT_FAILURE, errno, _("cannot create child process")); ++ } ++ ++ /* the child proceeds to run the shell */ ++ if (child == 0) ++ return; ++ ++ /* In the parent watch the child. */ ++ ++ /* su without pam support does not have a helper that keeps ++ sitting on any directory so let's go to /. 
*/ ++ if (chdir ("/") != 0) ++ error (0, errno, _("warning: cannot change directory to %s"), "/"); ++ ++ sigfillset (&ourset); ++ if (sigprocmask (SIG_BLOCK, &ourset, NULL)) ++ { ++ error (0, errno, _("cannot block signals")); ++ caught_signal = true; ++ } ++ if (!caught_signal) ++ { ++ struct sigaction action; ++ action.sa_handler = su_catch_sig; ++ sigemptyset (&action.sa_mask); ++ action.sa_flags = 0; ++ sigemptyset (&ourset); ++ if (sigaddset (&ourset, SIGTERM) ++ || sigaddset (&ourset, SIGALRM) ++ || sigaction (SIGTERM, &action, NULL) ++ || sigprocmask (SIG_UNBLOCK, &ourset, NULL)) ++ { ++ error (0, errno, _("cannot set signal handler")); ++ caught_signal = true; ++ } ++ } ++ if (!caught_signal) ++ { ++ pid_t pid; ++ for (;;) ++ { ++ pid = waitpid (child, &status, WUNTRACED); ++ ++ if (pid != (pid_t)-1 && WIFSTOPPED (status)) ++ { ++ kill (getpid (), SIGSTOP); ++ /* once we get here, we must have resumed */ ++ kill (pid, SIGCONT); ++ } ++ else ++ break; ++ } ++ if (pid != (pid_t)-1) ++ if (WIFSIGNALED (status)) ++ status = WTERMSIG (status) + 128; ++ else ++ status = WEXITSTATUS (status); ++ else ++ status = 1; ++ } ++ else ++ status = 1; ++ ++ if (caught_signal) ++ { ++ fprintf (stderr, _("\nSession terminated, killing shell...")); ++ kill (child, SIGTERM); ++ } ++ ++ cleanup_pam (PAM_SUCCESS); ++ ++ if (caught_signal) ++ { ++ sleep (2); ++ kill (child, SIGKILL); ++ fprintf (stderr, _(" ...killed.\n")); ++ } ++ exit (status); ++} ++#endif ++ + /* Ask the user for a password. ++ If PAM is in use, let PAM ask for the password if necessary. + Return true if the user gives the correct password for entry PW, + false if not. Return true without asking for a password if run by UID 0 + or if PW has an empty password. */ +@@ -208,10 +389,52 @@ log_su (struct passwd const *pw, bool successful) + static bool + correct_password (const struct passwd *pw) + { ++#ifdef USE_PAM ++ const struct passwd *lpw; ++ const char *cp; ++ ++ retval = pam_start (simulate_login ? 
PAM_SERVICE_NAME_L : PAM_SERVICE_NAME, ++ pw->pw_name, &conv, &pamh); ++ PAM_BAIL_P (return false); ++ ++ if (isatty (0) && (cp = ttyname (0)) != NULL) ++ { ++ const char *tty; ++ ++ if (strncmp (cp, "/dev/", 5) == 0) ++ tty = cp + 5; ++ else ++ tty = cp; ++ retval = pam_set_item (pamh, PAM_TTY, tty); ++ PAM_BAIL_P (return false); ++ } ++#if 0 /* Manpage discourages use of getlogin. */ ++ cp = getlogin (); ++ if (!(cp && *cp && (lpw = getpwnam (cp)) != NULL && lpw->pw_uid == getuid ())) ++#endif ++ lpw = getpwuid (getuid ()); ++ if (lpw && lpw->pw_name) ++ { ++ retval = pam_set_item (pamh, PAM_RUSER, (const void *) lpw->pw_name); ++ PAM_BAIL_P (return false); ++ } ++ retval = pam_authenticate (pamh, 0); ++ PAM_BAIL_P (return false); ++ retval = pam_acct_mgmt (pamh, 0); ++ if (retval == PAM_NEW_AUTHTOK_REQD) ++ { ++ /* Password has expired. Offer option to change it. */ ++ retval = pam_chauthtok (pamh, PAM_CHANGE_EXPIRED_AUTHTOK); ++ PAM_BAIL_P (return false); ++ } ++ PAM_BAIL_P (return false); ++ /* Must be authenticated if this point was reached. */ ++ return true; ++#else /* !USE_PAM */ + char *unencrypted, *encrypted, *correct; + #if HAVE_GETSPNAM && HAVE_STRUCT_SPWD_SP_PWDP + /* Shadow passwd stuff for SVR3 and maybe other systems. */ +- struct spwd *sp = getspnam (pw->pw_name); ++ const struct spwd *sp = getspnam (pw->pw_name); + + endspent (); + if (sp) +@@ -232,6 +455,7 @@ correct_password (const struct passwd *pw) + encrypted = crypt (unencrypted, correct); + memset (unencrypted, 0, strlen (unencrypted)); + return STREQ (encrypted, correct); ++#endif /* !USE_PAM */ + } + + /* Update `environ' for the new shell based on PW, with SHELL being +@@ -274,19 +498,41 @@ modify_environment (const struct passwd *pw, const char *shell) + } + } + } ++ ++#ifdef USE_PAM ++ export_pamenv (); ++#endif + } + + /* Become the user and group(s) specified by PW. 
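Review bot: In the PAM branch of correct_password, a NULL result from `getpwuid (getuid ())` leaves PAM_RUSER unset and `pam_authenticate` still runs, so any module in the su stack that decides on the requesting user would be working without that item. Either fail closed at that point or record the choice next to the lookup, for example `/* PAM_RUSER stays unset if the caller has no passwd entry; the PAM stack must cope. */`. The disabled `#if 0` getlogin block ends in an `if` whose body is the live `lpw = getpwuid (getuid ());` line, which is easy to misread; deleting the block and keeping only the remark that getlogin is discouraged would be clearer. PAM_BAIL_P is defined outside this hunk and the non-PAM body of correct_password continues past it, so what is released on each early `return false` cannot be checked from here.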
*/ + + static void +-change_identity (const struct passwd *pw) ++init_groups (const struct passwd *pw) + { + #ifdef HAVE_INITGROUPS + errno = 0; + if (initgroups (pw->pw_name, pw->pw_gid) == -1) +- error (EXIT_CANCELED, errno, _("cannot set groups")); ++ { ++#ifdef USE_PAM ++ cleanup_pam (PAM_ABORT); ++#endif ++ error (EXIT_FAILURE, errno, _("cannot set groups")); ++ } + endgrent (); + #endif ++ ++#ifdef USE_PAM ++ retval = pam_setcred (pamh, PAM_ESTABLISH_CRED); ++ if (retval != PAM_SUCCESS) ++ error (EXIT_FAILURE, 0, "%s", pam_strerror (pamh, retval)); ++ else ++ _pam_cred_established = 1; ++#endif ++} ++ ++static void ++change_identity (const struct passwd *pw) ++{ + if (setgid (pw->pw_gid)) + error (EXIT_CANCELED, errno, _("cannot set group id")); + if (setuid (pw->pw_uid)) +@@ -500,9 +746,21 @@ main (int argc, char **argv) + shell = NULL; + } + shell = xstrdup (shell ? shell : pw->pw_shell); +- modify_environment (pw, shell); ++ ++ init_groups (pw); ++ ++#ifdef USE_PAM ++ create_watching_parent (); ++ /* Now we're in the child. */ ++#endif + + change_identity (pw); ++ ++ /* Set environment after pam_open_session, which may put KRB5CCNAME ++ into the pam_env, etc. */ ++ ++ modify_environment (pw, shell); ++ + if (simulate_login && chdir (pw->pw_dir) != 0) + error (0, errno, _("warning: cannot change directory to %s"), pw->pw_dir); + +-- +1.7.1 + diff --git a/coreutils-8.6-set-sane-default-path.diff b/coreutils-8.6-set-sane-default-path.diff new file mode 100644 index 0000000..d0604db --- /dev/null +++ b/coreutils-8.6-set-sane-default-path.diff 
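Review bot: In init_groups the `pam_setcred` failure path calls `error (EXIT_FAILURE, ...)` directly, while the `initgroups` failure path just above it first calls `cleanup_pam (PAM_ABORT)`, so whatever cleanup_pam releases is skipped on the second path. Putting `cleanup_pam (retval);` in a braced block before that `error` call would match what create_watching_parent does when `pam_open_session` fails. The exit codes are also mixed now: init_groups exits with EXIT_FAILURE, while change_identity still uses EXIT_CANCELED for `setgid`. The comment `/* Become the user and group(s) specified by PW. */` now heads init_groups, so change_identity needs its own, e.g. `/* Switch to PW's gid, then uid; call after init_groups. */`. The body of change_identity continues outside this hunk.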
@@ -0,0 +1,37 @@
+From 3c13edc2b9aeab8f24e60a62ab5e8a8db554486f Mon Sep 17 00:00:00 2001
+From: Ludwig Nussel
+Date: Mon, 9 Aug 2010 16:02:30 +0200
+Subject: [PATCH 4/7] set sane default path
+
+---
+ src/su.c | 12 ++----------
+ 1 files changed, 2 insertions(+), 10 deletions(-)
+
+diff --git a/src/su.c b/src/su.c
+index 2a9e423..0071622 100644
+--- a/src/su.c
++++ b/src/su.c
+@@ -112,18 +112,10 @@
+ #endif
+
+ /* The default PATH for simulated logins to non-superuser accounts. */
+-#ifdef _PATH_DEFPATH
+-# define DEFAULT_LOGIN_PATH _PATH_DEFPATH
+-#else
+-# define DEFAULT_LOGIN_PATH ":/usr/ucb:/bin:/usr/bin"
+-#endif
++#define DEFAULT_LOGIN_PATH "/usr/local/bin:/bin:/usr/bin"
+
+ /* The default PATH for simulated logins to superuser accounts. */
+-#ifdef _PATH_DEFPATH_ROOT
+-# define DEFAULT_ROOT_LOGIN_PATH _PATH_DEFPATH_ROOT
+-#else
+-# define DEFAULT_ROOT_LOGIN_PATH "/usr/ucb:/bin:/usr/bin:/etc"
+-#endif
++#define DEFAULT_ROOT_LOGIN_PATH "/usr/sbin:/bin:/usr/bin:/sbin"
+
+ /* The shell to run if none is given in the user's passwd entry. */
+ #define DEFAULT_SHELL "/bin/sh"
+--
+1.7.1
+
diff --git a/coreutils-8.6-update-man-page-for-pam.diff b/coreutils-8.6-update-man-page-for-pam.diff
new file mode 100644
index 0000000..41ecf6e
--- /dev/null
+++ b/coreutils-8.6-update-man-page-for-pam.diff
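Review bot: The two new `#define`s in src/su.c hard-code the login PATH, but the comments above them do not say that the platform's `_PATH_DEFPATH` and `_PATH_DEFPATH_ROOT` are now ignored on purpose. Dropping the old fallback also removes its leading `:` (an empty PATH component, which shells treat as the current directory), and that is worth recording so nobody restores it: `/* Fixed list of absolute directories; the platform _PATH_DEFPATH is deliberately not used. */`. For non-root logins `/usr/local/bin` is now searched before `/bin` and `/usr/bin`, so the default relies on that directory being writable by root only; the root default leaves it out.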
@@ -0,0 +1,64 @@ +From 13ed7b537ae655c6d67965f1486aa2e3b181e574 Mon Sep 17 00:00:00 2001 +From: Ludwig Nussel +Date: Tue, 17 Aug 2010 08:59:35 +0200 +Subject: [PATCH 2/7] update man page for pam + +--- + doc/coreutils.texi | 34 +++++----------------------------- + 1 files changed, 5 insertions(+), 29 deletions(-) + +diff --git a/doc/coreutils.texi b/doc/coreutils.texi +index 4d17ed1..27681da 100644 +--- a/doc/coreutils.texi ++++ b/doc/coreutils.texi +@@ -15172,8 +15172,11 @@ to certain shells, etc.). + @findex syslog + @command{su} can optionally be compiled to use @code{syslog} to report + failed, and optionally successful, @command{su} attempts. (If the system +-supports @code{syslog}.) However, GNU @command{su} does not check if the +-user is a member of the @code{wheel} group; see below. ++supports @code{syslog}.) ++ ++This version of @command{su} has support for using PAM for ++authentication. You can edit @file{/etc/pam.d/su} resp @file{/etc/pam.d/su-l} ++to customize its behaviour. + + The program accepts the following options. Also see @ref{Common options}. + +@@ -15254,33 +15257,6 @@ Exit status: + the exit status of the subshell otherwise + @end display + +-@cindex wheel group, not supported +-@cindex group wheel, not supported +-@cindex fascism +-@subsection Why GNU @command{su} does not support the @samp{wheel} group +- +-(This section is by Richard Stallman.) +- +-@cindex Twenex +-@cindex MIT AI lab +-Sometimes a few of the users try to hold total power over all the +-rest. For example, in 1984, a few users at the MIT AI lab decided to +-seize power by changing the operator password on the Twenex system and +-keeping it secret from everyone else. (I was able to thwart this coup +-and give power back to the users by patching the kernel, but I +-wouldn't know how to do that in Unix.) +- +-However, occasionally the rulers do tell someone. 
Under the usual +-@command{su} mechanism, once someone learns the root password who +-sympathizes with the ordinary users, he or she can tell the rest. The +-``wheel group'' feature would make this impossible, and thus cement the +-power of the rulers. +- +-I'm on the side of the masses, not that of the rulers. If you are +-used to supporting the bosses and sysadmins in whatever they do, you +-might find this idea strange at first. +- +- + @node timeout invocation + @section @command{timeout}: Run a command with a time limit + +-- +1.7.1 + diff --git a/coreutils.changes b/coreutils.changes index f9c458a..5832a27 100644 --- a/coreutils.changes +++ b/coreutils.changes @@ -1,3 +1,16 @@ +------------------------------------------------------------------- +Wed Nov 17 08:33:10 UTC 2010 - coolo@novell.com + +- remove the prerequire on permissions - this will create a bad + cycle, coreutils is just too core + +------------------------------------------------------------------- +Tue Nov 16 10:50:04 UTC 2010 - lnussel@suse.de + +- split pam patch into separate independent files so the main + feature can be shared with other distros +- don't hard require coreutils-lang + ------------------------------------------------------------------- Thu Nov 11 16:33:50 CET 2010 - pth@suse.de diff --git a/coreutils.spec b/coreutils.spec index b968ec0..8a7697c 100644 --- a/coreutils.spec +++ b/coreutils.spec 
@@ -44,13 +44,20 @@ Patch5: coreutils-i18n-uninit.patch Patch6: coreutils-i18n-infloop.patch Patch8: coreutils-sysinfo.patch Patch16: coreutils-invalid-ids.patch -Patch20: coreutils-6.8-su.patch -Patch21: coreutils-6.8.0-pie.patch -Patch22: coreutils-5.3.0-sbin4su.patch -Patch23: coreutils-getaddrinfo.patch -Patch24: coreutils-ptr_int_casts.patch +Patch20: coreutils-8.6-pam-support-for-su.diff +Patch21: coreutils-8.6-update-man-page-for-pam.diff +Patch22: coreutils-8.6-log-all-su-attempts.diff +Patch23: coreutils-8.6-set-sane-default-path.diff +Patch24: coreutils-8.6-honor-settings-in-etc-default-su-resp-etc-login.defs.diff +Patch25: coreutils-8.6-make-sure-sbin-resp-usr-sbin-are-in-PATH.diff +# +Patch30: coreutils-8.6-compile-su-with-fpie.diff +Patch31: coreutils-getaddrinfo.patch +Patch32: coreutils-ptr_int_casts.patch BuildRoot: %{_tmppath}/%{name}-%{version}-build -PreReq: permissions +# this will create a cycle, broken up randomly - coreutils is just too core to have other +# prerequires +#PreReq: permissions %description Basic file, shell, and text manipulation utilities. The package @@ -65,44 +72,6 @@ sha224sum sha256sum sha384sum sha512sum shred shuf sleep sort split stat stty su sum sync tac tail tee test timeout touch tr true tsort tty uname unexpand uniq unlink uptime users vdir wc who whoami yes - - -Authors: --------- - Arnold Robbins - Colin Plumb - David M. Ihnat - David MacKenzie - François Pinard - H. Peter Anvin - Ian Lance Taylor - Jay Lepreau - Jim Kingdon - Jim Meyering - Joseph Arceneaux - Kaveh Ghazi - Kayvan Aghaiepour - Larry McVoy - Mark Kettenis - Michael Meskes - Michael Stone - Mike Haertel - Mike Parker - Paul Eggert - Paul Rubin - Pete TerMaat - Randy Smith - Richard M. Stallman - Richard Mlynarik - Roland Huebner - Roland McGrath - Ross Paterson - Scott Bartram - Scott Miller - Stuart Kemp - Torbjorn Granlund - Ulrich Drepper - %lang_package %prep %setup -q 
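Review bot: With `PreReq: permissions` commented out, nothing visible in the spec orders the permissions package before this package's `%post`, yet `%post` still calls `%run_permissions` (last hunk of coreutils.spec, where the added comment only says the call may fail). This package ships su, so the comment should say what happens to su's file mode when that call fails and whether the failure is reported; the hunks do not show either. If the outcome is that the packaged mode simply stays in place, a fuller comment at the `%post` site would do: `# permissions may not be installed yet (no PreReq, see above); on failure su keeps the mode from the package payload`.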
@@ -114,11 +83,16 @@ Authors: %patch2 %patch8 %patch16 -%patch20 -%patch21 -%patch22 -%patch23 -%patch24 +%patch20 -p1 +%patch21 -p1 +%patch22 -p1 +%patch23 -p1 +%patch24 -p1 +%patch25 -p1 +# +%patch30 -p1 +%patch31 +%patch32 %build AUTOPOINT=true autoreconf -fi @@ -128,7 +102,7 @@ export CFLAGS="%optflags -Wall" gl_cv_func_printf_directive_n=yes \ gl_cv_func_isnanl_works=yes \ DEFAULT_POSIX2_VERSION=199209 -make %{?_smp_mflags} PAMLIBS="-lpam -ldl" V=1 +make %{?_smp_mflags} V=1 #%check #if test $EUID -eq 0; then @@ -164,6 +138,7 @@ echo '.so man1/test.1' > %{buildroot}/%{_mandir}/man1/\[.1 %post %install_info --info-dir=%{_infodir} %{_infodir}/coreutils.info.gz +# may fail if permissions is not there, but there is no way around that %run_permissions %postun