rpms/pam/devel pam-0.99.5.0-keyinit-revoke-user.patch, NONE, 1.1 pam-0.99.5.0-succif-unknown-user.patch, NONE, 1.1 pam.spec, 1.128, 1.129
fedora-cvs-commits at redhat.com
fedora-cvs-commits at redhat.com
Thu Aug 10 13:34:29 UTC 2006
Author: tmraz
Update of /cvs/dist/rpms/pam/devel
In directory cvs.devel.redhat.com:/tmp/cvs-serv14928
Modified Files:
pam.spec
Added Files:
pam-0.99.5.0-keyinit-revoke-user.patch
pam-0.99.5.0-succif-unknown-user.patch
Log Message:
* Thu Aug 10 2006 Tomas Mraz <tmraz at redhat.com> 0.99.5.0-7
- revoke keyrings properly when pam_keyinit called as root (#201048)
- pam_succeed_if should return PAM_USER_UNKNOWN when getpwnam fails (#197748)
pam-0.99.5.0-keyinit-revoke-user.patch:
pam_keyinit.c | 30 ++++++++++++++++++++++++++++--
1 files changed, 28 insertions(+), 2 deletions(-)
--- NEW FILE pam-0.99.5.0-keyinit-revoke-user.patch ---
diff -uNrp Linux-PAM-0.99.5.0/modules/pam_keyinit/pam_keyinit.c Linux-PAM-0.99.5.0.orig/modules/pam_keyinit/pam_keyinit.c
--- Linux-PAM-0.99.5.0.orig/modules/pam_keyinit/pam_keyinit.c 2006-08-09 14:00:04.000000000 +0100
+++ Linux-PAM-0.99.5.0/modules/pam_keyinit/pam_keyinit.c 2006-08-09 14:04:41.000000000 +0100
@@ -33,6 +33,8 @@
static int my_session_keyring;
static int session_counter;
static int do_revoke;
+static int revoke_as_uid;
+static int revoke_as_gid;
static int xdebug = 0;
static void debug(pam_handle_t *pamh, const char *fmt, ...)
@@ -124,14 +126,38 @@
*/
static void kill_keyrings(pam_handle_t *pamh)
{
+ int old_uid, old_gid;
+
/* revoke the session keyring we created earlier */
if (my_session_keyring > 0) {
debug(pamh, "REVOKE %d", my_session_keyring);
+ old_uid = getuid();
+ old_gid = getgid();
+ debug(pamh, "UID:%d [%d] GID:%d [%d]",
+ revoke_as_uid, old_uid, revoke_as_gid, old_gid);
+
+ /* switch to the real UID and GID so that we have permission to
+ * revoke the key */
+ if (revoke_as_uid != old_uid && setreuid(-1, revoke_as_uid) < 0)
+ error(pamh, "Unable to change UID to %d temporarily\n",
+ revoke_as_uid);
+
+ if (revoke_as_gid != old_gid && setregid(-1, revoke_as_gid) < 0)
+ error(pamh, "Unable to change GID to %d temporarily\n",
+ revoke_as_gid);
+
syscall(__NR_keyctl,
KEYCTL_REVOKE,
my_session_keyring);
+ /* return to the orignal UID and GID (probably root) */
+ if (revoke_as_uid != old_uid && setreuid(-1, old_uid) < 0)
+ error(pamh, "Unable to change UID back to %d\n", old_uid);
+
+ if (revoke_as_gid != old_gid && setregid(-1, old_gid) < 0)
+ error(pamh, "Unable to change GID back to %d\n", old_gid);
+
my_session_keyring = 0;
}
}
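Review bot: The privilege switch at the top of the revocation block changes the effective UID before the effective GID, so when kill_keyrings runs as root (the case #201048 targets) the `setreuid(-1, revoke_as_uid)` step drops root's effective capabilities and the following `setregid(-1, revoke_as_gid)` will very likely fail with EPERM, so the revoke is attempted with the wrong group; moving the setregid block above the setreuid block (the restore order, UID then GID, is already right) avoids that. A second mismatch: the saved values come from `getuid()`/`getgid()` (real IDs) while `setreuid(-1, …)`/`setregid(-1, …)` only change the effective IDs, so a caller whose real and effective IDs differ gets its real ID installed as the new effective ID by the "return to the original" step; `old_uid = geteuid(); old_gid = getegid();` saves what is actually restored. A failed restore is only reported through error() and the function then falls through to `my_session_keyring = 0` and returns, leaving the application running with the user's effective IDs; that failure should be treated as fatal rather than logged and ignored. Declaring `old_uid`/`old_gid` as `uid_t`/`gid_t` instead of `int` would also match the setre*id signatures.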
@@ -177,9 +203,9 @@
return PAM_USER_UNKNOWN;
}
- uid = pw->pw_uid;
+ revoke_as_uid = uid = pw->pw_uid;
old_uid = getuid();
- gid = pw->pw_gid;
+ revoke_as_gid = gid = pw->pw_gid;
old_gid = getgid();
debug(pamh, "UID:%d [%d] GID:%d [%d]", uid, old_uid, gid, old_gid);
pam-0.99.5.0-succif-unknown-user.patch:
pam_succeed_if.c | 4 ++--
1 files changed, 2 insertions(+), 2 deletions(-)
--- NEW FILE pam-0.99.5.0-succif-unknown-user.patch ---
--- Linux-PAM-0.99.5.0/modules/pam_succeed_if/pam_succeed_if.c.unknown-user 2006-06-30 12:05:15.000000000 +0200
+++ Linux-PAM-0.99.5.0/modules/pam_succeed_if/pam_succeed_if.c 2006-08-10 15:29:12.000000000 +0200
@@ -411,7 +411,7 @@
pam_syslog(pamh, LOG_CRIT,
"error retrieving information about user %lu",
(unsigned long)getuid());
- return PAM_SERVICE_ERR;
+ return PAM_USER_UNKNOWN;
}
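Review bot: Returning PAM_USER_UNKNOWN on the changed line treats every failed lookup as a nonexistent user, but the lookup just before the hunk can also fail because the name service itself is unavailable (NSS or directory error with errno set), which is the case the LOG_CRIT message above appears to have been written for. With this change a stack that uses `[user_unknown=ignore …]` or relies on this module as `sufficient` would skip the check during a transient directory outage instead of failing closed. Clearing errno before the lookup and returning `return errno ? PAM_SERVICE_ERR : PAM_USER_UNKNOWN;` keeps the fix for #197748 while preserving the error return for genuine lookup failures; the same applies to the second hunk (the `user %s` lookup). Both enclosing bodies start and end outside the hunks.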
user = pwd->pw_name;
} else {
@@ -430,7 +430,7 @@
pam_syslog(pamh, LOG_CRIT,
"error retrieving information about user %s",
user);
- return PAM_SERVICE_ERR;
+ return PAM_USER_UNKNOWN;
}
}
Index: pam.spec
===================================================================
RCS file: /cvs/dist/rpms/pam/devel/pam.spec,v
retrieving revision 1.128
retrieving revision 1.129
diff -u -r1.128 -r1.129
--- pam.spec 2 Aug 2006 18:08:23 -0000 1.128
+++ pam.spec 10 Aug 2006 13:34:26 -0000 1.129
@@ -11,7 +11,7 @@
Summary: A security tool which provides authentication for applications
Name: pam
Version: 0.99.5.0
-Release: 6%{?dist}
+Release: 7%{?dist}
License: GPL or BSD
Group: System Environment/Base
Source0: ftp.us.kernel.org:/pub/linux/libs/pam/pre/library/Linux-PAM-%{version}.tar.bz2
@@ -38,7 +38,9 @@
Patch86: pam-0.99.5.0-console-no-ainit.patch
Patch87: pam-0.99.5.0-keyinit-no-debug.patch
Patch88: pam-0.99.5.0-keyinit-multiinit.patch
+Patch89: pam-0.99.5.0-keyinit-revoke-user.patch
Patch90: pam-0.99.5.0-namespace-init.patch
+Patch91: pam-0.99.5.0-succif-unknown-user.patch
BuildRoot: %{_tmppath}/%{name}-root
Requires: cracklib, cracklib-dicts >= 2.8
@@ -104,7 +106,9 @@
%patch86 -p1 -b .no-ainit
%patch87 -p1 -b .no-debug
%patch88 -p1 -b .multiinit
+%patch89 -p1 -b .revoke-user
%patch90 -p1 -b .namespace-init
+%patch91 -p1 -b .unknown-user
for readme in modules/pam_*/README ; do
cp -f ${readme} doc/txts/README.`dirname ${readme} | sed -e 's|^modules/||'`
@@ -371,6 +375,10 @@
%{_libdir}/libpam_misc.so
%changelog
+* Thu Aug 10 2006 Tomas Mraz <tmraz at redhat.com> 0.99.5.0-7
+- revoke keyrings properly when pam_keyinit called as root (#201048)
+- pam_succeed_if should return PAM_USER_UNKNOWN when getpwnam fails (#197748)
+
* Wed Aug 2 2006 Tomas Mraz <tmraz at redhat.com> 0.99.5.0-6
- revoke keyrings properly when pam_keyinit called more than once (#201048)
patch by David Howells