rpms/pam/devel pam-0.99.5.0-keyinit-revoke-user.patch, NONE, 1.1 pam-0.99.5.0-succif-unknown-user.patch, NONE, 1.1 pam.spec, 1.128, 1.129

fedora-cvs-commits at redhat.com fedora-cvs-commits at redhat.com
Thu Aug 10 13:34:29 UTC 2006


Author: tmraz

Update of /cvs/dist/rpms/pam/devel
In directory cvs.devel.redhat.com:/tmp/cvs-serv14928

Modified Files:
	pam.spec 
Added Files:
	pam-0.99.5.0-keyinit-revoke-user.patch 
	pam-0.99.5.0-succif-unknown-user.patch 
Log Message:
* Thu Aug 10 2006 Tomas Mraz <tmraz at redhat.com> 0.99.5.0-7
- revoke keyrings properly when pam_keyinit called as root (#201048)
- pam_succeed_if should return PAM_USER_UNKNOWN when getpwnam fails (#197748)


pam-0.99.5.0-keyinit-revoke-user.patch:
 pam_keyinit.c |   30 ++++++++++++++++++++++++++++--
 1 files changed, 28 insertions(+), 2 deletions(-)

--- NEW FILE pam-0.99.5.0-keyinit-revoke-user.patch ---
diff -uNrp Linux-PAM-0.99.5.0/modules/pam_keyinit/pam_keyinit.c Linux-PAM-0.99.5.0.orig/modules/pam_keyinit/pam_keyinit.c
--- Linux-PAM-0.99.5.0.orig/modules/pam_keyinit/pam_keyinit.c	2006-08-09 14:00:04.000000000 +0100
+++ Linux-PAM-0.99.5.0/modules/pam_keyinit/pam_keyinit.c	2006-08-09 14:04:41.000000000 +0100
@@ -33,6 +33,8 @@
 static int my_session_keyring;
 static int session_counter;
 static int do_revoke;
+static int revoke_as_uid;
+static int revoke_as_gid;
 static int xdebug = 0;
 
 static void debug(pam_handle_t *pamh, const char *fmt, ...)
@@ -124,14 +126,38 @@
  */
 static void kill_keyrings(pam_handle_t *pamh)
 {
+	int old_uid, old_gid;
+
 	/* revoke the session keyring we created earlier */
 	if (my_session_keyring > 0) {
 		debug(pamh, "REVOKE %d", my_session_keyring);
 
+		old_uid = getuid();
+		old_gid = getgid();
+		debug(pamh, "UID:%d [%d]  GID:%d [%d]",
+		      revoke_as_uid, old_uid, revoke_as_gid, old_gid);
+
+		/* switch to the real UID and GID so that we have permission to
+		 * revoke the key */
+		if (revoke_as_uid != old_uid && setreuid(-1, revoke_as_uid) < 0)
+			error(pamh, "Unable to change UID to %d temporarily\n",
+			      revoke_as_uid);
+
+		if (revoke_as_gid != old_gid && setregid(-1, revoke_as_gid) < 0)
+			error(pamh, "Unable to change GID to %d temporarily\n",
+			      revoke_as_gid);
+
 		syscall(__NR_keyctl,
 			KEYCTL_REVOKE,
 			my_session_keyring);
 
+		/* return to the orignal UID and GID (probably root) */
+		if (revoke_as_uid != old_uid && setreuid(-1, old_uid) < 0)
+			error(pamh, "Unable to change UID back to %d\n", old_uid);
+
+		if (revoke_as_gid != old_gid && setregid(-1, old_gid) < 0)
+			error(pamh, "Unable to change GID back to %d\n", old_gid);
+
 		my_session_keyring = 0;
 	}
 }
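Review bot: `old_uid`/`old_gid` are read with getuid()/getgid() (the real IDs) while the switches use setreuid(-1, …)/setregid(-1, …), which change only the effective IDs, so both the `!=` guards and the restore compare and reset the effective ID against the real one; when the caller's real and effective IDs differ (a setuid helper running the session stack) the restore leaves the effective UID equal to the real UID instead of the original effective UID. The two reads should be `old_uid = geteuid();` and `old_gid = getegid();`. The drop order also switches UID before GID: once the effective UID is no longer 0 the process has presumably lost CAP_SETGID, so the following setregid() can fail with EPERM, and since every failure is only logged the keyctl(KEYCTL_REVOKE) still runs with the wrong credentials — switching GID first on the way down (UID first on the way back, as already done) and skipping the revoke when a switch fails would make the failure visible rather than silent.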
@@ -177,9 +203,9 @@
 		return PAM_USER_UNKNOWN;
 	}
 
-	uid = pw->pw_uid;
+	revoke_as_uid = uid = pw->pw_uid;
 	old_uid = getuid();
-	gid = pw->pw_gid;
+	revoke_as_gid = gid = pw->pw_gid;
 	old_gid = getgid();
 	debug(pamh, "UID:%d [%d]  GID:%d [%d]", uid, old_uid, gid, old_gid);
 

pam-0.99.5.0-succif-unknown-user.patch:
 pam_succeed_if.c |    4 ++--
 1 files changed, 2 insertions(+), 2 deletions(-)

--- NEW FILE pam-0.99.5.0-succif-unknown-user.patch ---
--- Linux-PAM-0.99.5.0/modules/pam_succeed_if/pam_succeed_if.c.unknown-user	2006-06-30 12:05:15.000000000 +0200
+++ Linux-PAM-0.99.5.0/modules/pam_succeed_if/pam_succeed_if.c	2006-08-10 15:29:12.000000000 +0200
@@ -411,7 +411,7 @@
 			pam_syslog(pamh, LOG_CRIT,
 				   "error retrieving information about user %lu",
 				   (unsigned long)getuid());
-			return PAM_SERVICE_ERR;
+			return PAM_USER_UNKNOWN;
 		}
 		user = pwd->pw_name;
 	} else {
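Review bot: This branch resolves the calling process's own UID (`getuid()`), not the PAM user, so a NULL result here means a broken passwd/NSS backend rather than an unknown account; reporting it as PAM_USER_UNKNOWN lets a stack configured with `user_unknown=ignore` skip the pam_succeed_if check silently in exactly the situation where the check cannot be evaluated. If the fix is meant for the named-user case below, keeping `return PAM_SERVICE_ERR;` in this branch preserves the failure signal, and the LOG_CRIT level already reflects that severity. The enclosing function starts before this hunk.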
@@ -430,7 +430,7 @@
 			pam_syslog(pamh, LOG_CRIT,
 				   "error retrieving information about user %s",
 				   user);
-			return PAM_SERVICE_ERR;
+			return PAM_USER_UNKNOWN;
 		}
 	}
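Review bot: Now that a failed lookup of the named user is returned as PAM_USER_UNKNOWN — an ordinary outcome an administrator may deliberately ignore with `user_unknown=ignore` — the `LOG_CRIT` on the pam_syslog call above looks too severe and will fire for every login attempt with a nonexistent name; `LOG_NOTICE` (or `LOG_ERR`) would match the new return value. The lookup itself is above the hunk, but if it is getpwnam()/getpwnam_r(), a NULL result also covers backend errors (errno set), which this change no longer distinguishes from "no such user"; checking errno and returning PAM_SERVICE_ERR in that case would keep the service-error signal for real failures. The enclosing function starts before this hunk.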
 


Index: pam.spec
===================================================================
RCS file: /cvs/dist/rpms/pam/devel/pam.spec,v
retrieving revision 1.128
retrieving revision 1.129
diff -u -r1.128 -r1.129
--- pam.spec	2 Aug 2006 18:08:23 -0000	1.128
+++ pam.spec	10 Aug 2006 13:34:26 -0000	1.129
@@ -11,7 +11,7 @@
 Summary: A security tool which provides authentication for applications
 Name: pam
 Version: 0.99.5.0
-Release: 6%{?dist}
+Release: 7%{?dist}
 License: GPL or BSD
 Group: System Environment/Base
 Source0: ftp.us.kernel.org:/pub/linux/libs/pam/pre/library/Linux-PAM-%{version}.tar.bz2
@@ -38,7 +38,9 @@
 Patch86: pam-0.99.5.0-console-no-ainit.patch
 Patch87: pam-0.99.5.0-keyinit-no-debug.patch
 Patch88: pam-0.99.5.0-keyinit-multiinit.patch
+Patch89: pam-0.99.5.0-keyinit-revoke-user.patch
 Patch90: pam-0.99.5.0-namespace-init.patch
+Patch91: pam-0.99.5.0-succif-unknown-user.patch
 
 BuildRoot: %{_tmppath}/%{name}-root
 Requires: cracklib, cracklib-dicts >= 2.8
@@ -104,7 +106,9 @@
 %patch86 -p1 -b .no-ainit
 %patch87 -p1 -b .no-debug
 %patch88 -p1 -b .multiinit
+%patch89 -p1 -b .revoke-user
 %patch90 -p1 -b .namespace-init
+%patch91 -p1 -b .unknown-user
 
 for readme in modules/pam_*/README ; do
 	cp -f ${readme} doc/txts/README.`dirname ${readme} | sed -e 's|^modules/||'`
@@ -371,6 +375,10 @@
 %{_libdir}/libpam_misc.so
 
 %changelog
+* Thu Aug 10 2006 Tomas Mraz <tmraz at redhat.com> 0.99.5.0-7
+- revoke keyrings properly when pam_keyinit called as root (#201048)
+- pam_succeed_if should return PAM_USER_UNKNOWN when getpwnam fails (#197748)
+
 * Wed Aug  2 2006 Tomas Mraz <tmraz at redhat.com> 0.99.5.0-6
 - revoke keyrings properly when pam_keyinit called more than once (#201048)
   patch by David Howells



