rpms/pam/F-9 pam-1.0.4-unix-safeguards.patch, 1.2, 1.3 pam.spec, 1.182, 1.183

Tomáš Mráz tmraz at fedoraproject.org
Thu Mar 26 10:15:20 UTC 2009


Author: tmraz

Update of /cvs/pkgs/rpms/pam/F-9
In directory cvs1.fedora.phx.redhat.com:/tmp/cvs-serv14718

Modified Files:
	pam-1.0.4-unix-safeguards.patch pam.spec 
Log Message:
* Thu Mar 26 2009 Tomas Mraz <tmraz at redhat.com> 1.0.4-3
- replace all std descriptors when calling helpers (#491471)


pam-1.0.4-unix-safeguards.patch:

Index: pam-1.0.4-unix-safeguards.patch
===================================================================
RCS file: /cvs/pkgs/rpms/pam/F-9/pam-1.0.4-unix-safeguards.patch,v
retrieving revision 1.2
retrieving revision 1.3
diff -u -r1.2 -r1.3
--- pam-1.0.4-unix-safeguards.patch	17 Mar 2009 14:17:51 -0000	1.2
+++ pam-1.0.4-unix-safeguards.patch	26 Mar 2009 10:15:20 -0000	1.3
@@ -1,6 +1,6 @@
 diff -up Linux-PAM-1.0.4/modules/pam_unix/pam_unix_passwd.c.safeguards Linux-PAM-1.0.4/modules/pam_unix/pam_unix_passwd.c
 --- Linux-PAM-1.0.4/modules/pam_unix/pam_unix_passwd.c.safeguards	2009-03-17 11:25:11.000000000 +0100
-+++ Linux-PAM-1.0.4/modules/pam_unix/pam_unix_passwd.c	2009-03-17 11:25:11.000000000 +0100
++++ Linux-PAM-1.0.4/modules/pam_unix/pam_unix_passwd.c	2009-03-26 10:29:32.000000000 +0100
 @@ -139,7 +139,7 @@ static int _unix_run_update_binary(pam_h
      const char *fromwhat, const char *towhat, int remember)
  {
@@ -28,7 +28,7 @@
          struct rlimit rlim;
  	static char *envp[] = { NULL };
  	char *args[] = { NULL, NULL, NULL, NULL, NULL, NULL };
-@@ -171,15 +173,14 @@ static int _unix_run_update_binary(pam_h
+@@ -171,15 +173,18 @@ static int _unix_run_update_binary(pam_h
  
  	/* XXX - should really tidy up PAM here too */
  
@@ -36,6 +36,10 @@
  	/* reopen stdin as pipe */
 -	close(fds[1]);
  	dup2(fds[0], STDIN_FILENO);
++	/* and replace also the stdout/err as the helper will
++           not write anything there */
++	dup2(fds[1], STDOUT_FILENO);
++	dup2(fds[1], STDERR_FILENO);
  
  	if (getrlimit(RLIMIT_NOFILE,&rlim)==0) {
 -	  for (i=2; i < rlim.rlim_max; i++) {
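Review bot: The two added `dup2(fds[1], ...)` calls ignore their return value, so if either fails the helper is still executed with the caller's stdout/stderr, which is the situation this change sets out to prevent. The identical lines added to `_unix_run_helper_binary` in support.c have the same gap. A guard such as `if (dup2(fds[1], STDOUT_FILENO) == -1 || dup2(fds[1], STDERR_FILENO) == -1) _exit(1);` (with whatever exit status the surrounding child path uses) would close it. Because descriptors 1 and 2 now refer to the write end of the pipe that feeds the helper's own stdin, the child keeps that write end open across the exec. The helper would presumably never see EOF on stdin if the parent closes its end early, and anything it did print would land in its own input; opening `/dev/null` for these two descriptors avoids both. The descriptor-closing loop and the rest of the function lie outside this hunk, so it is worth confirming that the loop leaves descriptors 0–2 open.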
@@ -48,7 +52,7 @@
  	  }
  	}
  
-@@ -239,8 +240,8 @@ static int _unix_run_update_binary(pam_h
+@@ -239,8 +244,8 @@ static int _unix_run_update_binary(pam_h
  	retval = PAM_AUTH_ERR;
      }
  
@@ -61,7 +65,7 @@
      return retval;
 diff -up Linux-PAM-1.0.4/modules/pam_unix/support.c.safeguards Linux-PAM-1.0.4/modules/pam_unix/support.c
 --- Linux-PAM-1.0.4/modules/pam_unix/support.c.safeguards	2009-03-17 11:25:11.000000000 +0100
-+++ Linux-PAM-1.0.4/modules/pam_unix/support.c	2009-03-17 11:25:11.000000000 +0100
++++ Linux-PAM-1.0.4/modules/pam_unix/support.c	2009-03-26 10:29:54.000000000 +0100
 @@ -396,7 +396,7 @@ static int _unix_run_helper_binary(pam_h
  				   unsigned int ctrl, const char *user)
  {
@@ -82,7 +86,7 @@
      }
  
      /* fork */
-@@ -427,15 +429,14 @@ static int _unix_run_helper_binary(pam_h
+@@ -427,15 +429,18 @@ static int _unix_run_helper_binary(pam_h
  
  	/* XXX - should really tidy up PAM here too */
  
@@ -90,6 +94,10 @@
  	/* reopen stdin as pipe */
 -	close(fds[1]);
  	dup2(fds[0], STDIN_FILENO);
++	/* and replace also the stdout/err as the helper will
++           not write anything there */
++	dup2(fds[1], STDOUT_FILENO);
++	dup2(fds[1], STDERR_FILENO);
  
  	if (getrlimit(RLIMIT_NOFILE,&rlim)==0) {
 -	  for (i=2; i < (int)rlim.rlim_max; i++) {
@@ -102,7 +110,7 @@
  	  }
  	}
  
-@@ -488,8 +489,8 @@ static int _unix_run_helper_binary(pam_h
+@@ -488,8 +493,8 @@ static int _unix_run_helper_binary(pam_h
  	retval = PAM_AUTH_ERR;
      }
  
@@ -115,7 +123,7 @@
      D(("returning %d", retval));
 diff -up Linux-PAM-1.0.4/modules/pam_unix/pam_unix_acct.c.safeguards Linux-PAM-1.0.4/modules/pam_unix/pam_unix_acct.c
 --- Linux-PAM-1.0.4/modules/pam_unix/pam_unix_acct.c.safeguards	2009-03-03 10:00:31.000000000 +0100
-+++ Linux-PAM-1.0.4/modules/pam_unix/pam_unix_acct.c	2009-03-17 15:14:09.000000000 +0100
++++ Linux-PAM-1.0.4/modules/pam_unix/pam_unix_acct.c	2009-03-26 10:29:17.000000000 +0100
 @@ -65,7 +65,7 @@ int _unix_run_verify_binary(pam_handle_t
  	const char *user, int *daysleft)
  {
@@ -125,7 +133,7 @@
    D(("running verify_binary"));
  
    /* create a pipe for the messages */
-@@ -85,29 +85,32 @@ int _unix_run_verify_binary(pam_handle_t
+@@ -85,29 +85,33 @@ int _unix_run_verify_binary(pam_handle_t
       * The "noreap" module argument is provided so that the admin can
       * override this behavior.
       */
@@ -149,9 +157,10 @@
 -    close(fds[0]);
 +    /* reopen stdout as pipe */
      dup2(fds[1], STDOUT_FILENO);
-+    /* and replace also the stdin so we do not exec the helper with
++    /* and replace also the stdin, stderr so we do not exec the helper with
 +       tty as stdin, it will not read anything from there anyway */
 +    dup2(fds[0], STDIN_FILENO);
++    dup2(fds[1], STDERR_FILENO);
  
      /* XXX - should really tidy up PAM here too */
  
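Review bot: Duplicating `fds[1]` onto `STDERR_FILENO` sends the helper's stderr into the same pipe the parent reads the helper's result from. Any diagnostic written to stderr by the helper or by a library would then be interleaved with the data the caller parses. That parsing is outside this hunk, so this is inferred from the `printf("-1\n")` result line visible further down. Pointing stderr at a descriptor opened on `/dev/null` keeps it off the tty without touching the result channel. The `dup2` calls here are also unchecked; a failure should end the child before `execve` rather than run the helper with an inherited descriptor, for example `if (dup2(fds[1], STDOUT_FILENO) == -1 || dup2(fds[0], STDIN_FILENO) == -1) exit(PAM_AUTHINFO_UNAVAIL);`.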
@@ -167,7 +176,7 @@
        }
      }
  
-@@ -126,7 +129,6 @@ int _unix_run_verify_binary(pam_handle_t
+@@ -126,7 +130,6 @@ int _unix_run_verify_binary(pam_handle_t
  
      pam_syslog(pamh, LOG_ERR, "helper binary execve failed: %m");
      /* should not get here: exit with error */
@@ -175,7 +184,7 @@
      D(("helper binary is not available"));
      printf("-1\n");
      exit(PAM_AUTHINFO_UNAVAIL);
-@@ -162,9 +164,11 @@ int _unix_run_verify_binary(pam_handle_t
+@@ -162,9 +165,11 @@ int _unix_run_verify_binary(pam_handle_t
      }
      close(fds[0]);
    }


Index: pam.spec
===================================================================
RCS file: /cvs/pkgs/rpms/pam/F-9/pam.spec,v
retrieving revision 1.182
retrieving revision 1.183
diff -u -r1.182 -r1.183
--- pam.spec	17 Mar 2009 14:17:51 -0000	1.182
+++ pam.spec	26 Mar 2009 10:15:20 -0000	1.183
@@ -5,7 +5,7 @@
 Summary: A security tool which provides authentication for applications
 Name: pam
 Version: 1.0.4
-Release: 2%{?dist}
+Release: 3%{?dist}
 # The library is BSD licensed with option to relicense as GPLv2+ - this option is redundant
 # as the BSD license allows that anyway. pam_timestamp and pam_console modules are GPLv2+,
 # pam_rhosts_auth module is BSD with advertising
@@ -384,6 +384,9 @@
 %doc doc/adg/*.txt doc/adg/html
 
 %changelog
+* Thu Mar 26 2009 Tomas Mraz <tmraz at redhat.com> 1.0.4-3
+- replace all std descriptors when calling helpers (#491471)
+
 * Tue Mar 17 2009 Tomas Mraz <tmraz at redhat.com> 1.0.4-2
 - update to new upstream minor release (bugfixes and
   minor security fixes)



