rpms/pam/devel pam-0.77-can-2005-2977.patch, NONE, 1.1 pam-0.80-access-notty.patch, NONE, 1.1 pam-0.80-audit.patch, NONE, 1.1 pam-0.80-selinux-drop-multiple.patch, NONE, 1.1 pam-0.80-xauth-path.patch, NONE, 1.1 pam-0.79-loginuid-req-audit.patch, 1.2, 1.3 pam.spec, 1.94, 1.95 pam-0.77-audit.patch, 1.6, NONE
fedora-cvs-commits at redhat.com
Wed Oct 26 22:27:27 UTC 2005
Author: tmraz
Update of /cvs/dist/rpms/pam/devel
In directory cvs.devel.redhat.com:/tmp/cvs-serv19514
Modified Files:
pam-0.79-loginuid-req-audit.patch pam.spec
Added Files:
pam-0.77-can-2005-2977.patch pam-0.80-access-notty.patch
pam-0.80-audit.patch pam-0.80-selinux-drop-multiple.patch
pam-0.80-xauth-path.patch
Removed Files:
pam-0.77-audit.patch
Log Message:
* Wed Oct 26 2005 Tomas Mraz <tmraz at redhat.com> 0.80-13
- fixed CAN-2005-2977 unix_chkpwd should skip user verification only if
run as root (#168181)
- link pam_loginuid to libaudit
- support no tty in pam_access (#170467)
- updated audit patch (by Steve Grubb)
- the previous pam_selinux change was not applied properly
- pam_xauth: look for the xauth binary in multiple directories (#171164)
pam-0.77-can-2005-2977.patch:
pam_unix_acct.c | 7 +++++++
pam_unix_passwd.c | 7 +++++++
support.c | 7 +++++++
unix_chkpwd.c | 12 ++++++------
4 files changed, 27 insertions(+), 6 deletions(-)
--- NEW FILE pam-0.77-can-2005-2977.patch ---
When you set SELinux to permissive mode or the policy doesn't prevent
running unix_chkpwd as a regular user, it is possible to use unix_chkpwd
for checking any user's password from a regular user account.
Because there is no delay or logging in unix_chkpwd, it allows easy
brute-force attacks on passwords in /etc/shadow which probably
won't get noticed by the administrator.
This patch prevents this unwanted behaviour and also adds logging.
--- Linux-PAM-0.77/modules/pam_unix/pam_unix_acct.c.only-root 2005-10-07 18:40:47.000000000 +0200
+++ Linux-PAM-0.77/modules/pam_unix/pam_unix_acct.c 2005-10-17 00:23:50.000000000 +0200
@@ -119,6 +119,13 @@
}
}
}
+
+ if (SELINUX_ENABLED && geteuid() == 0) {
+ /* must set the real uid to 0 so the helper will not error
+ out if pam is called from setuid binary (su, sudo...) */
+ setuid(0);
+ }
+
/* exec binary helper */
args[0] = x_strdup(CHKPWD_HELPER);
args[1] = x_strdup(user);
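Review bot: the setuid(0) call added in this hunk ignores its return value; if it fails, the helper is still exec'd with a non-zero real uid and (after the unix_chkpwd change below) will no longer skip user verification, so the failure should be logged and handled rather than silently continued. The same five-line block is repeated verbatim in support.c and pam_unix_passwd.c in this patch; a small shared helper would keep the three copies from drifting apart.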
--- Linux-PAM-0.77/modules/pam_unix/support.c.only-root 2005-10-07 18:40:47.000000000 +0200
+++ Linux-PAM-0.77/modules/pam_unix/support.c 2005-10-07 18:40:47.000000000 +0200
@@ -620,6 +620,13 @@
close(i);
}
}
+
+ if (SELINUX_ENABLED && geteuid() == 0) {
+ /* must set the real uid to 0 so the helper will not error
+ out if pam is called from setuid binary (su, sudo...) */
+ setuid(0);
+ }
+
/* exec binary helper */
args[0] = x_strdup(CHKPWD_HELPER);
args[1] = x_strdup(user);
--- Linux-PAM-0.77/modules/pam_unix/pam_unix_passwd.c.only-root 2005-10-07 18:40:47.000000000 +0200
+++ Linux-PAM-0.77/modules/pam_unix/pam_unix_passwd.c 2005-10-17 00:24:20.000000000 +0200
@@ -268,6 +268,13 @@
close(i);
}
}
+
+ if (SELINUX_ENABLED && geteuid() == 0) {
+ /* must set the real uid to 0 so the helper will not error
+ out if pam is called from setuid binary (su, sudo...) */
+ setuid(0);
+ }
+
/* exec binary helper */
args[0] = x_strdup(CHKPWD_HELPER);
args[1] = x_strdup(user);
--- Linux-PAM-0.77/modules/pam_unix/unix_chkpwd.c.only-root 2005-10-07 18:40:47.000000000 +0200
+++ Linux-PAM-0.77/modules/pam_unix/unix_chkpwd.c 2005-10-07 18:40:47.000000000 +0200
@@ -466,13 +466,12 @@
}
/*
- * determine the current user's name is.
- * On a SELinux enabled system, policy will prevent third parties from using
- * unix_chkpwd as a password guesser. Leaving the existing check prevents
- * su from working, Since the current uid is the users and the password is
- * for root.
+ * Determine what the current user's name is.
+ * On a SELinux enabled system with a strict policy leaving the
+ * existing check prevents shadow password authentication from working.
+ * We must thus skip the check if the real uid is 0.
*/
- if (SELINUX_ENABLED) {
+ if (SELINUX_ENABLED && getuid() == 0) {
user=argv[1];
}
else {
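Review bot: the rewritten condition on the `+ if (SELINUX_ENABLED && getuid() == 0)` line now bases the skip on the helper's real uid, which is the right fix for the problem described in the header (the old check trusted SELinux policy alone), but it makes the helper depend on its callers having done setuid(0) first. The comment should state that contract explicitly, so that a future caller that only raises its effective uid does not quietly regress to the old behaviour.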
@@ -534,6 +533,7 @@
/* return pass or fail */
if ((retval != PAM_SUCCESS) || force_failure) {
+ _log_err(LOG_NOTICE, "password check failed for user (%s)", user);
return PAM_AUTH_ERR;
} else {
return PAM_SUCCESS;
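Review bot: this hunk adds the missing log line, but nothing in the patch adds the delay the header says is absent; a failed check still returns immediately, so the change improves detection without slowing a guesser, and the header should say so or a delay should be added. The new `_log_err` message also omits the caller's real uid, which is the one field an administrator needs to tell a legitimate login failure from an unprivileged account probing other users' passwords.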
pam-0.80-access-notty.patch:
README | 4 ++--
access.conf | 4 ++--
pam_access.c | 29 +++++++++++++++++------------
3 files changed, 21 insertions(+), 16 deletions(-)
--- NEW FILE pam-0.80-access-notty.patch ---
--- Linux-PAM-0.80/modules/pam_access/access.conf.notty 2004-11-18 14:40:55.000000000 +0100
+++ Linux-PAM-0.80/modules/pam_access/access.conf 2005-10-25 20:51:42.000000000 +0200
@@ -28,8 +28,8 @@
# The third field should be a list of one or more tty names (for
# non-networked logins), host names, domain names (begin with "."), host
# addresses, internet network numbers (end with "."), ALL (always
-# matches) or LOCAL (matches any string that does not contain a "."
-# character).
+# matches), NONE (matches no tty on non-networked logins) or
+# LOCAL (matches any string that does not contain a "." character).
#
# If you run NIS you can use @netgroupname in host or user patterns; this
# even works for @usergroup@@hostgroup patterns. Weird.
--- Linux-PAM-0.80/modules/pam_access/README.notty 2000-11-25 02:48:05.000000000 +0100
+++ Linux-PAM-0.80/modules/pam_access/README 2005-10-25 20:51:42.000000000 +0200
@@ -28,8 +28,8 @@
# The third field should be a list of one or more tty names (for
# non-networked logins), host names, domain names (begin with "."), host
# addresses, internet network numbers (end with "."), ALL (always
-# matches) or LOCAL (matches any string that does not contain a "."
-# character).
+# matches), NONE (matches no tty on non-networked logins) or
+# LOCAL (matches any string that does not contain a "." character).
#
# If you run NIS you can use @netgroupname in host or user patterns; this
# even works for @usergroup@@hostgroup patterns. Weird.
--- Linux-PAM-0.80/modules/pam_access/pam_access.c.notty 2005-06-08 18:11:48.000000000 +0200
+++ Linux-PAM-0.80/modules/pam_access/pam_access.c 2005-10-25 20:54:21.000000000 +0200
@@ -330,10 +330,12 @@
* if it matches the head of the string.
*/
- if (tok[0] == '@') { /* netgroup */
+ if (string != NULL && tok[0] == '@') { /* netgroup */
return (netgroup_match(tok + 1, string, (char *) 0));
} else if (string_match (pamh, tok, string)) /* ALL or exact match */
- return YES;
+ return (YES);
+ else if (string == NULL)
+ return (NO);
else if (tok[0] == '.') { /* domain: match last fields */
if ((str_len = strlen(string)) > (tok_len = strlen(tok))
&& strcasecmp(tok, string + str_len - tok_len) == 0)
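Review bot: the new `+ else if (string == NULL)` guard sits after the string_match() call, so this hunk is only safe together with the NULL handling added to string_match() in the next hunk; the domain (`tok[0] == '.'`) branch and those after it dereference string and must stay behind that guard. Moving the NULL test to the top of the function would make the safety independent of the ordering of these branches.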
@@ -385,11 +387,16 @@
/*
* If the token has the magic value "ALL" the match always succeeds.
* Otherwise, return YES if the token fully matches the string.
+ * "NONE" token matches NULL string.
*/
if (strcasecmp(tok, "ALL") == 0) { /* all: always matches */
return (YES);
- } else if (strcasecmp(tok, string) == 0) { /* try exact match */
+ } else if (string != NULL) {
+ if (strcasecmp(tok, string) == 0) { /* try exact match */
+ return (YES);
+ }
+ } else if (strcasecmp(tok, "NONE") == 0) {
return (YES);
}
return (NO);
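Review bot: because the ALL test runs before the `+ } else if (string != NULL) {` branch, an entry with ALL in the tty field now also matches logins that have no tty at all; if that is intended it belongs in the access.conf text next to the NONE description, otherwise ALL should be restricted to non-NULL strings. Note also that a tty literally named NONE can never be matched, since the NONE token is only consulted when string is NULL.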
@@ -439,19 +446,17 @@
|| void_from == NULL) {
D(("PAM_TTY not set, probing stdin"));
from = ttyname(STDIN_FILENO);
- if (from == NULL) {
- _log_err("couldn't get the tty name");
- return PAM_ABORT;
- }
- if (pam_set_item(pamh, PAM_TTY, from) != PAM_SUCCESS) {
- _log_err("couldn't set tty name");
- return PAM_ABORT;
- }
+ if (from != NULL) {
+ if (pam_set_item(pamh, PAM_TTY, from) != PAM_SUCCESS) {
+ _log_err("couldn't set tty name");
+ return PAM_ABORT;
+ }
+ }
}
else
from = void_from;
- if (from[0] == '/') { /* full path */
+ if (from != NULL && from[0] == '/') { /* full path */
from++;
from = strchr(from, '/');
from++;
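Review bot: after this change `from` can remain NULL when PAM_TTY is unset and stdin is not a tty, and only the `+ if (from != NULL && from[0] == '/')` test in the visible context is guarded; every later use of `from` in this function (the match against the third field, any syslog call that prints it) needs the same NULL check, or the fix trades an early PAM_ABORT for a crash. A debug message on the `from == NULL` path would also help when diagnosing denied tty-less sessions.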
pam-0.80-audit.patch:
Make.Rules.in | 4 -
_pam_aconf.h.in | 3 +
configure.in | 5 ++
libpam/pam_account.c | 4 +
libpam/pam_auth.c | 8 +++
libpam/pam_end.c | 4 +
libpam/pam_log.c | 119 ++++++++++++++++++++++++++++++++++++++++++++++++++
libpam/pam_password.c | 4 +
libpam/pam_private.h | 9 +++
libpam/pam_session.c | 19 +++++++
libpam/pam_start.c | 3 +
11 files changed, 178 insertions(+), 4 deletions(-)
--- NEW FILE pam-0.80-audit.patch ---
diff -ur Linux-PAM-0.80.orig/configure.in Linux-PAM-0.80/configure.in
--- Linux-PAM-0.80.orig/configure.in 2005-10-26 09:54:51.000000000 -0400
+++ Linux-PAM-0.80/configure.in 2005-10-26 09:55:13.000000000 -0400
@@ -301,6 +301,11 @@
fi
AC_SUBST(CRACKLIB_DICTPATH)
+dnl Look for Linux Auditing library - see documentation
+AC_CHECK_HEADER([libaudit.h])
+AC_CHECK_LIB(audit, audit_send_user_message, AC_DEFINE(HAVE_LIBAUDIT) LIBAUDIT=-laudit)
+AC_SUBST(LIBAUDIT)
+
dnl Set FLAGS, linker options etc. depending on C compiler.
dnl gcc is tested and much preferred; others less so, if at all
dnl
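Review bot: the probe on the `+AC_CHECK_LIB(audit, audit_send_user_message, ...` line tests for audit_send_user_message, but the code added in pam_log.c calls audit_open, audit_log_user_message and audit_close; probe for a symbol the code actually uses so that a libaudit lacking it fails at configure time rather than at link time. The AC_CHECK_HEADER result is not used either; either gate the AC_DEFINE on it or drop it.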
diff -ur Linux-PAM-0.80.orig/libpam/pam_account.c Linux-PAM-0.80/libpam/pam_account.c
--- Linux-PAM-0.80.orig/libpam/pam_account.c 2005-10-26 09:54:52.000000000 -0400
+++ Linux-PAM-0.80/libpam/pam_account.c 2005-10-26 09:55:13.000000000 -0400
@@ -19,5 +19,9 @@
retval = _pam_dispatch(pamh, flags, PAM_ACCOUNT);
+#if HAVE_LIBAUDIT
+ retval = _pam_auditlog(pamh, PAM_ACCOUNT, retval, flags);
+#endif
+
return retval;
}
diff -ur Linux-PAM-0.80.orig/libpam/pam_auth.c Linux-PAM-0.80/libpam/pam_auth.c
--- Linux-PAM-0.80.orig/libpam/pam_auth.c 2005-10-26 09:54:52.000000000 -0400
+++ Linux-PAM-0.80/libpam/pam_auth.c 2005-10-26 09:55:13.000000000 -0400
@@ -45,6 +45,10 @@
prelude_send_alert(pamh, retval);
#endif
+#if HAVE_LIBAUDIT
+ retval = _pam_auditlog(pamh, PAM_AUTHENTICATE, retval, flags);
+#endif
+
return retval;
}
@@ -67,6 +71,10 @@
retval = _pam_dispatch(pamh, flags, PAM_SETCRED);
+#if HAVE_LIBAUDIT
+ retval = _pam_auditlog(pamh, PAM_SETCRED, retval, flags);
+#endif
+
D(("pam_setcred exit"));
return retval;
diff -ur Linux-PAM-0.80.orig/libpam/pam_end.c Linux-PAM-0.80/libpam/pam_end.c
--- Linux-PAM-0.80.orig/libpam/pam_end.c 2005-10-26 09:54:52.000000000 -0400
+++ Linux-PAM-0.80/libpam/pam_end.c 2005-10-26 09:55:13.000000000 -0400
@@ -21,6 +21,10 @@
return PAM_SYSTEM_ERR;
}
+#ifdef HAVE_LIBAUDIT
+ _pam_audit_end(pamh, pam_status);
+#endif
+
/* first liberate the modules (it is not inconcevible that the
modules may need to use the service_name etc. to clean up) */
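Review bot: this hunk uses `+#ifdef HAVE_LIBAUDIT` while every other file in the patch uses `#if HAVE_LIBAUDIT`; both work with the `#undef HAVE_LIBAUDIT` template and AC_DEFINE, but one form should be used throughout the patch.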
diff -ur Linux-PAM-0.80.orig/libpam/pam_log.c Linux-PAM-0.80/libpam/pam_log.c
--- Linux-PAM-0.80.orig/libpam/pam_log.c 2005-10-26 09:54:52.000000000 -0400
+++ Linux-PAM-0.80/libpam/pam_log.c 2005-10-26 09:55:29.000000000 -0400
@@ -10,6 +10,7 @@
#include <stdio.h>
#include <stdlib.h>
#include <stdarg.h>
+#include <unistd.h>
#ifdef __hpux
# include <stdio.h>
@@ -373,3 +374,121 @@
D(("done."));
}
+#if HAVE_LIBAUDIT
+/* Instrumentation code for Linux Auditing System */
+#include <libaudit.h>
+#include <pwd.h>
+#include <netdb.h>
+#include <sys/types.h>
+#include <sys/socket.h>
+#include <arpa/inet.h>
+#include <errno.h>
+
+#define PAMAUDIT_LOGGED 1
+
+static int
+_pam_audit_writelog(pam_handle_t *pamh, int audit_fd, int type,
+ const char *message, int retval)
+{
+ int rc;
+ char buf[256];
+
+ snprintf(buf, sizeof(buf), "PAM: %s acct=%s ", message,
+ (retval != PAM_USER_UNKNOWN && pamh->user) ? pamh->user : "?");
+
+ rc = audit_log_user_message( audit_fd, type, buf,
+ pamh->rhost, NULL, pamh->tty, retval == PAM_SUCCESS );
+
+ pamh->audit_state |= PAMAUDIT_LOGGED;
+ return rc;
+}
+
+int
+_pam_auditlog(pam_handle_t *pamh, int action, int retval, int flags)
+{
+ const char *message;
+ int type;
+ int audit_fd;
+
+ audit_fd = audit_open();
+ if (audit_fd < 0) {
+ /* You get these error codes only when the kernel doesn't have
+ * audit compiled in. */
+ if (errno == EINVAL || errno == EPROTONOSUPPORT ||
+ errno == EAFNOSUPPORT)
+ return retval;
+
+ /* this should only fail in case of extreme resource shortage,
+ * need to prevent login in that case for CAPP compliance.
+ */
+ _pam_system_log(LOG_CRIT, "audit_open() failed: %s",
+ strerror(errno));
+ return PAM_SYSTEM_ERR;
+ }
+
+ switch (action) {
+ case PAM_AUTHENTICATE:
+ message = "authentication";
+ type = AUDIT_USER_AUTH;
+ break;
+ case PAM_OPEN_SESSION:
+ message = "session open";
+ type = AUDIT_USER_START;
+ break;
+ case PAM_CLOSE_SESSION:
+ message = "session close";
+ type = AUDIT_USER_END;
+ break;
+ case PAM_ACCOUNT:
+ message = "accounting";
+ type = AUDIT_USER_ACCT;
+ break;
+ case PAM_CHAUTHTOK:
+ message = "chauthtok";
+ type = AUDIT_USER_CHAUTHTOK;
+ break;
+ case PAM_SETCRED:
+ message = "setcred";
+ if (flags & PAM_ESTABLISH_CRED)
+ type = AUDIT_CRED_ACQ;
+ else if ((flags & PAM_REINITIALIZE_CRED) || (flags & PAM_REFRESH_CRED))
+ type = AUDIT_CRED_REFR;
+ else if (flags & PAM_DELETE_CRED)
+ type = AUDIT_CRED_DISP;
+ else
+ type = AUDIT_USER_ERR;
+ break;
+ case _PAM_ACTION_DONE:
+ message = "bad_ident";
+ type = AUDIT_USER_ERR;
+ break;
+ default:
+ message = "UNKNOWN";
+ type = AUDIT_USER_ERR;
+ _pam_system_log(LOG_CRIT, "_pam_auditlog() should never get here");
+ retval = PAM_SYSTEM_ERR;
+ }
+
+ if (_pam_audit_writelog(pamh, audit_fd, type, message, retval) < 0)
+ retval = PAM_SYSTEM_ERR;
+
+ audit_close(audit_fd);
+ return retval;
+}
+
+int
+_pam_audit_end(pam_handle_t *pamh, int status)
+{
+ if (! (pamh->audit_state & PAMAUDIT_LOGGED)) {
+ /* PAM library is being shut down without any of the auditted
+ * stacks having been run. Assume that this is sshd faking
+ * things for an unknown user.
+ */
+ _pam_auditlog(pamh, _PAM_ACTION_DONE, PAM_USER_UNKNOWN, 0);
+ }
+
+ return 0;
+}
+
+#endif /* HAVE_LIBAUDIT */
+
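Review bot: in _pam_audit_writelog the user name is interpolated unescaped into `acct=%s`, so a name containing spaces, quotes or `=` can split or forge fields in the audit record; quote or escape it before formatting (rhost and tty are passed as separate libaudit arguments and are fine). Smaller points in the same hunk: strerror() is used without a visible <string.h> include, _pam_audit_end() discards the return value of _pam_auditlog(), and the `default:` case emits a record with message UNKNOWN and overwrites retval with PAM_SYSTEM_ERR, which is correct for CAPP but deserves a comment.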
diff -ur Linux-PAM-0.80.orig/libpam/pam_password.c Linux-PAM-0.80/libpam/pam_password.c
--- Linux-PAM-0.80.orig/libpam/pam_password.c 2005-10-26 09:54:52.000000000 -0400
+++ Linux-PAM-0.80/libpam/pam_password.c 2005-10-26 09:55:13.000000000 -0400
@@ -52,6 +52,10 @@
D(("will resume when ready", retval));
}
+#if HAVE_LIBAUDIT
+ retval = _pam_auditlog(pamh, PAM_CHAUTHTOK, retval, flags);
+#endif
+
return retval;
}
diff -ur Linux-PAM-0.80.orig/libpam/pam_private.h Linux-PAM-0.80/libpam/pam_private.h
--- Linux-PAM-0.80.orig/libpam/pam_private.h 2005-10-26 09:54:52.000000000 -0400
+++ Linux-PAM-0.80/libpam/pam_private.h 2005-10-26 09:55:13.000000000 -0400
@@ -146,6 +146,9 @@
struct service handlers;
struct _pam_former_state former; /* library state - support for
event driven applications */
+#if HAVE_LIBAUDIT
+ int audit_state; /* keep track of reported audit messages */
+#endif
};
/* Values for select arg to _pam_dispatch() */
@@ -293,6 +296,12 @@
#define __PAM_TO_APP(pamh) \
do { (pamh)->caller_is = _PAM_CALLED_FROM_APP; } while (0)
+
+#if HAVE_LIBAUDIT
+extern int _pam_auditlog(pam_handle_t *pamh, int action, int retval, int flags);
+extern int _pam_audit_end(pam_handle_t *pamh, int pam_status);
+#endif
+
/*
* Copyright (C) 1995 by Red Hat Software, Marc Ewing
* Copyright (c) 1996-8,2001 by Andrew G. Morgan <morgan at kernel.org>
diff -ur Linux-PAM-0.80.orig/libpam/pam_session.c Linux-PAM-0.80/libpam/pam_session.c
--- Linux-PAM-0.80.orig/libpam/pam_session.c 2005-10-26 09:54:52.000000000 -0400
+++ Linux-PAM-0.80/libpam/pam_session.c 2005-10-26 09:55:13.000000000 -0400
@@ -10,6 +10,8 @@
int pam_open_session(pam_handle_t *pamh, int flags)
{
+ int retval;
+
D(("called"));
IF_NO_PAMH("pam_open_session", pamh, PAM_SYSTEM_ERR);
@@ -18,12 +20,18 @@
D(("called from module!?"));
return PAM_SYSTEM_ERR;
}
+ retval = _pam_dispatch(pamh, flags, PAM_OPEN_SESSION);
- return _pam_dispatch(pamh, flags, PAM_OPEN_SESSION);
+#if HAVE_LIBAUDIT
+ retval = _pam_auditlog(pamh, PAM_OPEN_SESSION, retval, flags);
+#endif
+ return retval;
}
int pam_close_session(pam_handle_t *pamh, int flags)
{
+ int retval;
+
D(("called"));
IF_NO_PAMH("pam_close_session", pamh, PAM_SYSTEM_ERR);
@@ -33,5 +41,12 @@
return PAM_SYSTEM_ERR;
}
- return _pam_dispatch(pamh, flags, PAM_CLOSE_SESSION);
+ retval = _pam_dispatch(pamh, flags, PAM_CLOSE_SESSION);
+
+#if HAVE_LIBAUDIT
+ retval = _pam_auditlog(pamh, PAM_CLOSE_SESSION, retval, flags);
+#endif
+
+ return retval;
+
}
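Review bot: the `+` blank line immediately before the closing brace of pam_close_session is stray whitespace; drop it. pam_open_session and pam_close_session also now differ in layout (the assignment placed before the removed return in one, after it in the other), so keep the two functions symmetrical.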
diff -ur Linux-PAM-0.80.orig/libpam/pam_start.c Linux-PAM-0.80/libpam/pam_start.c
--- Linux-PAM-0.80.orig/libpam/pam_start.c 2005-10-26 09:54:52.000000000 -0400
+++ Linux-PAM-0.80/libpam/pam_start.c 2005-10-26 09:55:13.000000000 -0400
@@ -77,6 +77,9 @@
(*pamh)->oldauthtok = NULL;
(*pamh)->fail_delay.delay_fn_ptr = NULL;
(*pamh)->former.choice = PAM_NOT_STACKED;
+#if HAVE_LIBAUDIT
+ (*pamh)->audit_state = 0;
+#endif
if (pam_conversation == NULL
|| ((*pamh)->pam_conversation = (struct pam_conv *)
diff -ur Linux-PAM-0.80.orig/Make.Rules.in Linux-PAM-0.80/Make.Rules.in
--- Linux-PAM-0.80.orig/Make.Rules.in 2005-10-26 09:54:52.000000000 -0400
+++ Linux-PAM-0.80/Make.Rules.in 2005-10-26 09:55:13.000000000 -0400
@@ -114,8 +114,8 @@
RANLIB=@RANLIB@
STRIP=@STRIP@
CC_STATIC=@CC_STATIC@
-
-LINKLIBS = $(NEED_LINK_LIB_C) $(LIBDL)
+LIBAUDIT=@LIBAUDIT@
+LINKLIBS = $(NEED_LINK_LIB_C) $(LIBDL) $(LIBAUDIT)
USESONAME=@USESONAME@
SOSWITCH=@SOSWITCH@
diff -ur Linux-PAM-0.80.orig/_pam_aconf.h.in Linux-PAM-0.80/_pam_aconf.h.in
--- Linux-PAM-0.80.orig/_pam_aconf.h.in 2005-10-26 09:54:52.000000000 -0400
+++ Linux-PAM-0.80/_pam_aconf.h.in 2005-10-26 09:55:13.000000000 -0400
@@ -107,4 +107,7 @@
* can be found */
#undef _PAM_ISA
+/* Use Linux Auditing library? */
+#undef HAVE_LIBAUDIT
+
#endif /* PAM_ACONF_H */
pam-0.80-selinux-drop-multiple.patch:
pam_selinux.8 | 3 --
pam_selinux.c | 78 ++--------------------------------------------------------
2 files changed, 3 insertions(+), 78 deletions(-)
--- NEW FILE pam-0.80-selinux-drop-multiple.patch ---
--- Linux-PAM-0.80/modules/pam_selinux/pam_selinux.8.drop-multiple 2005-05-16 13:04:31.000000000 +0200
+++ Linux-PAM-0.80/modules/pam_selinux/pam_selinux.8 2005-10-26 23:29:11.000000000 +0200
@@ -29,9 +29,6 @@
Only execute the close_session portion of the module.
.IP debug
turns on debugging via \fBsyslog(3)\fR.
-.IP multiple
-tells pam_selinux.so to allow the user to select the security context they will
-login with, if the user has more than one role.
.IP open
Only execute the open_session portion of the module.
.IP nottys
--- Linux-PAM-0.80/modules/pam_selinux/pam_selinux.c.drop-multiple 2005-10-25 20:51:39.000000000 +0200
+++ Linux-PAM-0.80/modules/pam_selinux/pam_selinux.c 2005-10-26 23:33:00.000000000 +0200
@@ -113,70 +113,6 @@
}
static security_context_t
-select_context (pam_handle_t *pamh, security_context_t* contextlist,
- int debug)
-{
- const void *void_conv;
- const struct pam_conv *conv;
-
- if (pam_get_item(pamh, PAM_CONV, &void_conv) == PAM_SUCCESS &&
- void_conv) {
- conv = void_conv;
- if (conv->conv != NULL) {
- struct pam_response *responses;
- char *text=calloc(PATH_MAX,1);
-
- if (text == NULL)
- return (security_context_t) strdup(contextlist[0]);
-
- snprintf(text, PATH_MAX,
- _("Your default context is %s. \n"), contextlist[0]);
- send_text(conv,text,debug);
- free(text);
- query_response(conv,_("Do you want to choose a different one? [n]"),
- &responses,debug);
- if (responses && ((responses[0].resp[0] == 'y') ||
- (responses[0].resp[0] == 'Y')))
- {
- int choice=0;
- int i;
- char *prompt=_("Enter number of choice: ");
- int len=strlen(prompt);
- char buf[PATH_MAX];
-
- _pam_drop_reply(responses, 1);
- for (i = 0; contextlist[i]; i++) {
- len+=strlen(contextlist[i]) + 10;
- }
- text=calloc(len,1);
- for (i = 0; contextlist[i]; i++) {
- snprintf(buf, PATH_MAX,
- "[%d] %s\n", i+1, contextlist[i]);
- strncat(text,buf,len);
- }
- strcat(text,prompt);
- while ((choice < 1) || (choice > i)) {
- query_response(conv,text,&responses,debug);
- choice = strtol (responses[0].resp, NULL, 10);
- _pam_drop_reply(responses, 1);
- }
- free(text);
- return (security_context_t) strdup(contextlist[choice-1]);
- }
- else if (responses)
- _pam_drop_reply(responses, 1);
- } else {
- if (debug)
- syslog(LOG_NOTICE, _("%s: bogus conversation function"),MODULE);
- }
- } else {
- if (debug)
- syslog(LOG_NOTICE, _("%s: no conversation function"),MODULE);
- }
- return (security_context_t) strdup(contextlist[0]);
-}
-
-static security_context_t
manual_context (pam_handle_t *pamh, const char *user, int debug)
{
const void *void_conv;
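Review bot: select_context() is removed here together with its only call site in the later pam_sm_open_session hunk, which is consistent; check whether send_text() and query_response() still have callers in manual_context(), otherwise they become unused static functions and the build will warn.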
@@ -383,7 +319,7 @@
PAM_EXTERN int
pam_sm_open_session(pam_handle_t *pamh, int flags, int argc, const char **argv)
{
- int i, debug = 0, ttys=1, has_tty=isatty(0), verbose=0, multiple=0, close_session=0;
+ int i, debug = 0, ttys=1, has_tty=isatty(0), verbose=0, close_session=0;
int ret = 0;
security_context_t* contextlist = NULL;
int num_contexts = 0;
@@ -403,9 +339,6 @@
if (strcmp(argv[i], "verbose") == 0) {
verbose = 1;
}
- if (strcmp(argv[i], "multiple") == 0) {
- multiple = 1;
- }
if (strcmp(argv[i], "close") == 0) {
close_session = 1;
}
@@ -439,13 +372,8 @@
free(level);
}
if (num_contexts > 0) {
- if (multiple && (num_contexts > 1) && has_tty) {
- user_context = select_context(pamh,contextlist, debug);
- freeconary(contextlist);
- } else {
- user_context = (security_context_t) strdup(contextlist[0]);
- freeconary(contextlist);
- }
+ user_context = (security_context_t) strdup(contextlist[0]);
+ freeconary(contextlist);
} else {
if (has_tty) {
user_context = manual_context(pamh,username,debug);
pam-0.80-xauth-path.patch:
_pam_aconf.h.in | 3 +++
configure.in | 17 +++++++++++++++++
modules/pam_xauth/README | 3 ++-
modules/pam_xauth/pam_xauth.8 | 9 +++++----
modules/pam_xauth/pam_xauth.c | 29 +++++++++++++++++++++++++----
5 files changed, 52 insertions(+), 9 deletions(-)
--- NEW FILE pam-0.80-xauth-path.patch ---
--- Linux-PAM-0.80/configure.in.xauth-path 2005-10-27 00:09:36.000000000 +0200
+++ Linux-PAM-0.80/configure.in 2005-10-27 00:20:03.000000000 +0200
@@ -192,6 +192,23 @@
AC_CHECK_LIB(c, lckpwdf, HAVE_LCKPWDF=yes, HAVE_LCKPWDF=no)
AC_SUBST(HAVE_LCKPWDF)
+AC_ARG_WITH(xauth,
+[ --with-xauth additional path to check for xauth when it is called from pam_xauth
+ [added to the default of /usr/X11R6/bin/xauth, /usr/bin/xauth, /usr/bin/X11/xauth]],
+pam_xauth_path=${withval})
+if test x$with_xauth == x ; then
+ AC_PATH_PROG(pam_xauth_path, xauth)
+dnl There is no sense in adding the first default path
+ if test x$pam_xauth_path == x/usr/X11R6/bin/xauth ; then
+ unset pam_xauth_path
+ fi
+fi
+
+if test x$pam_xauth_path != x ; then
+ AC_DEFINE_UNQUOTED(PAM_PATH_XAUTH, "$pam_xauth_path",
+ [Additional path of xauth executable])
+fi
+
dnl Checks for the existence of libdl - on BSD and Tru64 its part of libc
AC_CHECK_LIB(dl, dlopen, LIBDL=-ldl)
AC_SUBST(LIBDL)
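Review bot: `test x$with_xauth == x` on the `+if test x$with_xauth == x ; then` line, and the two tests below it, use `==`, which is a bashism; POSIX test only defines `=`, so configure will fail on a strict /bin/sh. Use `=` in all three places.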
--- Linux-PAM-0.80/_pam_aconf.h.in.xauth-path 2005-10-27 00:09:36.000000000 +0200
+++ Linux-PAM-0.80/_pam_aconf.h.in 2005-10-27 00:15:22.000000000 +0200
@@ -83,6 +83,9 @@
/* location of the mail spool directory */
#undef PAM_PATH_MAILDIR
+/* Additional path of xauth executable */
+#undef PAM_PATH_XAUTH
+
/* where should we include setfsuid's prototype from? If this is not
defined, we get it from unistd.h */
#undef HAVE_SYS_FSUID_H
--- Linux-PAM-0.80/modules/pam_xauth/pam_xauth.8.xauth-path 2003-07-24 21:21:50.000000000 +0200
+++ Linux-PAM-0.80/modules/pam_xauth/pam_xauth.8 2005-10-27 00:22:00.000000000 +0200
@@ -1,11 +1,11 @@
.\" Copyright 2001,2003 Red Hat, Inc.
.\" Written by Nalin Dahyabhai <nalin at redhat.com>, based on the original
.\" version by Michael K. Johnson
-.TH pam_xauth 8 2003/7/24 "Red Hat Linux" "System Administrator's Manual"
+.TH pam_xauth 8 2005/10/20 "Red Hat Linux" "System Administrator's Manual"
.SH NAME
pam_xauth \- forward xauth keys between users
.SH SYNOPSIS
-.B session optional /lib/security/pam_xauth.so \fIarguments\fP
+.B session optional pam_xauth.so \fIarguments\fP
.SH DESCRIPTION
pam_xauth.so is designed to forward xauth keys (sometimes referred
to as "cookies") between users.
@@ -45,8 +45,9 @@
.SH ARGUMENTS
.IP debug
Turns on debugging messages sent to syslog.
-.IP xauthpath=\fI/usr/X11R6/bin/xauth\fP
-Specify the path the xauth program (the default is /usr/X11R6/bin/xauth).
+.IP xauthpath=\fI/path/to/xauth\fP
+Specify the path the xauth program (it is expected in \fB/usr/X11R6/bin/xauth,\fP
+or \fB/usr/bin/xauth\fP, or \fB/usr/bin/X11/xauth\fP by default).
.IP systemuser=\fInumber\fP
Specify the highest UID which will be assumed to belong to a "system" user.
pam_xauth will refuse to forward credentials to users with UID less than or
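Review bot: both the old and the new `.IP xauthpath=` descriptions read "Specify the path the xauth program"; since the line is being rewritten anyway, fix it to "Specify the path to the xauth program".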
--- Linux-PAM-0.80/modules/pam_xauth/pam_xauth.c.xauth-path 2005-06-01 08:40:58.000000000 +0200
+++ Linux-PAM-0.80/modules/pam_xauth/pam_xauth.c 2005-10-27 00:14:19.000000000 +0200
@@ -57,12 +57,21 @@
#include <security/_pam_modutil.h>
#define DATANAME "pam_xauth_cookie_file"
-#define XAUTHBIN "/usr/X11R6/bin/xauth"
#define XAUTHENV "XAUTHORITY"
#define HOMEENV "HOME"
#define XAUTHDEF ".Xauthority"
#define XAUTHTMP ".xauthXXXXXX"
+/* Possible paths to xauth executable */
+static const char * const xauthpaths[] = {
+#ifdef PAM_PATH_XAUTH
+ PAM_PATH_XAUTH,
+#endif
+ "/usr/X11R6/bin/xauth",
+ "/usr/bin/xauth",
+ "/usr/bin/X11/xauth"
+};
+
/* Run a given command (with a NULL-terminated argument list), feeding it the
* given input on stdin, and storing any output it generates. */
static int
@@ -129,7 +138,7 @@
args[i] = strdup(tmp);
}
/* Run the command. */
- execvp(command, args);
+ execv(command, args);
/* Never reached. */
exit(1);
}
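Review bot: the switch from execvp() to execv() on the `+ execv(command, args);` line is a hardening point worth stating in the patch description: with execvp() a relative xauthpath= value would have been resolved through the PATH of the calling process, whereas execv() only ever runs the absolute paths from xauthpaths or the configured xauthpath=.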
@@ -270,10 +279,9 @@
int
pam_sm_open_session(pam_handle_t *pamh, int flags, int argc, const char **argv)
{
- char xauthpath[] = XAUTHBIN;
char *cookiefile = NULL, *xauthority = NULL,
*cookie = NULL, *display = NULL, *tmp = NULL;
- const char *user, *xauth = xauthpath;
+ const char *user, *xauth = NULL;
struct passwd *tpwd, *rpwd;
int fd, i, debug = 0;
int retval = PAM_SUCCESS;
@@ -313,6 +321,19 @@
syslog(LOG_WARNING, "pam_xauth: unrecognized option `%s'",
argv[i]);
}
+
+ if (xauth == NULL) {
+ for (i = 0; i < sizeof(xauthpaths)/sizeof(xauthpaths[0]); i++) {
+ if (access(xauthpaths[i], X_OK) == 0) {
+ xauth = xauthpaths[i];
+ break;
+ }
+ }
+ if (xauth == NULL) {
+ /* xauth executable not found - nothing to do */
+ return PAM_SUCCESS;
+ }
+ }
/* If DISPLAY isn't set, we don't really care, now do we? */
if ((display = getenv("DISPLAY")) == NULL) {
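Review bot: the loop on the `+ for (i = 0; i < sizeof(xauthpaths)/sizeof(xauthpaths[0]); i++)` line compares the int i against a size_t and will draw a signed/unsigned comparison warning; use a size_t loop variable. When none of the candidates is executable the module returns PAM_SUCCESS silently; with the debug option set it should at least syslog that no xauth binary was found, otherwise a missing cookie on the target side is hard to diagnose.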
--- Linux-PAM-0.80/modules/pam_xauth/README.xauth-path 2003-07-24 21:21:50.000000000 +0200
+++ Linux-PAM-0.80/modules/pam_xauth/README 2005-10-27 00:21:41.000000000 +0200
@@ -23,7 +23,8 @@
RECOGNIZED ARGUMENTS:
debug write debugging messages to syslog
xauthpath= the path to the xauth program, by default
- /usr/X11R6/bin/xauth
+ /usr/X11R6/bin/xauth, /usr/bin/xauth and
+ /usr/bin/X11/xauth
systemuser= highest user id assigned to system users, defaults
to 499 (pam_xauth will refuse to forward creds to
target users with id equal to or below this number,
pam-0.79-loginuid-req-audit.patch:
Makefile | 1
pam_loginuid.8 | 10 ++---
pam_loginuid.c | 107 +++++++++++++++++++++++++++++++++++++++++++++++++++++++--
3 files changed, 110 insertions(+), 8 deletions(-)
Index: pam-0.79-loginuid-req-audit.patch
===================================================================
RCS file: /cvs/dist/rpms/pam/devel/pam-0.79-loginuid-req-audit.patch,v
retrieving revision 1.2
retrieving revision 1.3
diff -u -r1.2 -r1.3
--- pam-0.79-loginuid-req-audit.patch 24 Aug 2005 09:15:09 -0000 1.2
+++ pam-0.79-loginuid-req-audit.patch 26 Oct 2005 22:27:20 -0000 1.3
@@ -22,6 +22,16 @@
.SH EXAMPLE
\fB/etc/pam.d/gdm\fP:
+--- Linux-PAM-0.79/modules/pam_loginuid/Makefile.req-audit 2005-03-31 18:39:58.000000000 +0200
++++ Linux-PAM-0.79/modules/pam_loginuid/Makefile 2005-10-12 14:19:44.000000000 +0200
+@@ -6,6 +6,7 @@
+
+ TITLE=pam_loginuid
+ MAN8=$(TITLE).8
++MODULE_SIMPLE_EXTRALIBS=-laudit
+
+ include ../Simple.Rules
+
--- Linux-PAM-0.79/modules/pam_loginuid/pam_loginuid.c.req-audit 2005-08-01 09:48:02.000000000 +0200
+++ Linux-PAM-0.79/modules/pam_loginuid/pam_loginuid.c 2005-08-24 10:57:29.000000000 +0200
@@ -22,6 +22,7 @@
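Review bot: `++MODULE_SIMPLE_EXTRALIBS=-laudit` links pam_loginuid against libaudit unconditionally, while the audit patch in this same commit adds a configure probe that exports LIBAUDIT through Make.Rules; use $(LIBAUDIT) here so a build on a system without libaudit does not fail at link time for this one module.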
Index: pam.spec
===================================================================
RCS file: /cvs/dist/rpms/pam/devel/pam.spec,v
retrieving revision 1.94
retrieving revision 1.95
diff -u -r1.94 -r1.95
--- pam.spec 26 Oct 2005 19:23:04 -0000 1.94
+++ pam.spec 26 Oct 2005 22:27:20 -0000 1.95
@@ -11,7 +11,7 @@
Summary: A security tool which provides authentication for applications.
Name: pam
Version: 0.80
-Release: 12
+Release: 13
License: GPL or BSD
Group: System Environment/Base
Source0: ftp.us.kernel.org:/pub/linux/libs/pam/pre/library/Linux-PAM-%{version}.tar.bz2
@@ -28,7 +28,7 @@
Patch28: pam-0.75-sgml2latex.patch
Patch34: pam-0.77-dbpam.patch
Patch61: pam-pwdbselinux.patch
-Patch65: pam-0.77-audit.patch
+Patch65: pam-0.80-audit.patch
Patch66: pam-0.79-loginuid-req-audit.patch
Patch70: pam-0.80-selinux-nofail.patch
Patch71: pam-0.80-install-perms.patch
@@ -38,6 +38,10 @@
Patch75: pam-0.80-limits-process.patch
Patch76: pam-0.80-unix-honor-nis.patch
Patch77: pam-0.80-console-doc-fix.patch
+Patch78: pam-0.77-can-2005-2977.patch
+Patch79: pam-0.80-access-notty.patch
+Patch80: pam-0.80-selinux-drop-multiple.patch
+Patch81: pam-0.80-xauth-path.patch
BuildRoot: %{_tmppath}/%{name}-root
Requires: cracklib, cracklib-dicts >= 2.8, initscripts >= 3.94
@@ -103,6 +107,10 @@
%patch75 -p1 -b .process-limit
%patch76 -p1 -b .honor-nis
%patch77 -p1 -b .console-doc
+%patch78 -p1 -b .only-root
+%patch79 -p1 -b .notty
+%patch80 -p1 -b .drop-multiple
+%patch81 -p1 -b .xauth-path
for readme in modules/pam_*/README ; do
cp -f ${readme} doc/txts/README.`dirname ${readme} | sed -e 's|^modules/||'`
@@ -375,6 +383,15 @@
%{_libdir}/libpam_misc.so
%changelog
+* Wed Oct 26 2005 Tomas Mraz <tmraz at redhat.com> 0.80-13
+- fixed CAN-2005-2977 unix_chkpwd should skip user verification only if
+ run as root (#168181)
+- link pam_loginuid to libaudit
+- support no tty in pam_access (#170467)
+- updated audit patch (by Steve Grubb)
+- the previous pam_selinux change was not applied properly
+- pam_xauth: look for the xauth binary in multiple directories (#171164)
+
* Wed Oct 26 2005 Dan Walsh <dwalsh at redhat.com> 0.80-12
- Eliminate multiple in pam_selinux
--- pam-0.77-audit.patch DELETED ---