rpms/pam/F-9 pam-1.0.4-unix-safeguards.patch, 1.2, 1.3 pam.spec, 1.182, 1.183
Tomáš Mráz
tmraz at fedoraproject.org
Thu Mar 26 10:15:20 UTC 2009
Author: tmraz
Update of /cvs/pkgs/rpms/pam/F-9
In directory cvs1.fedora.phx.redhat.com:/tmp/cvs-serv14718
Modified Files:
pam-1.0.4-unix-safeguards.patch pam.spec
Log Message:
* Thu Mar 26 2009 Tomas Mraz <tmraz at redhat.com> 1.0.4-3
- replace all std descriptors when calling helpers (#491471)
pam-1.0.4-unix-safeguards.patch:
Index: pam-1.0.4-unix-safeguards.patch
===================================================================
RCS file: /cvs/pkgs/rpms/pam/F-9/pam-1.0.4-unix-safeguards.patch,v
retrieving revision 1.2
retrieving revision 1.3
diff -u -r1.2 -r1.3
--- pam-1.0.4-unix-safeguards.patch 17 Mar 2009 14:17:51 -0000 1.2
+++ pam-1.0.4-unix-safeguards.patch 26 Mar 2009 10:15:20 -0000 1.3
@@ -1,6 +1,6 @@
diff -up Linux-PAM-1.0.4/modules/pam_unix/pam_unix_passwd.c.safeguards Linux-PAM-1.0.4/modules/pam_unix/pam_unix_passwd.c
--- Linux-PAM-1.0.4/modules/pam_unix/pam_unix_passwd.c.safeguards 2009-03-17 11:25:11.000000000 +0100
-+++ Linux-PAM-1.0.4/modules/pam_unix/pam_unix_passwd.c 2009-03-17 11:25:11.000000000 +0100
++++ Linux-PAM-1.0.4/modules/pam_unix/pam_unix_passwd.c 2009-03-26 10:29:32.000000000 +0100
@@ -139,7 +139,7 @@ static int _unix_run_update_binary(pam_h
const char *fromwhat, const char *towhat, int remember)
{
@@ -28,7 +28,7 @@
struct rlimit rlim;
static char *envp[] = { NULL };
char *args[] = { NULL, NULL, NULL, NULL, NULL, NULL };
-@@ -171,15 +173,14 @@ static int _unix_run_update_binary(pam_h
+@@ -171,15 +173,18 @@ static int _unix_run_update_binary(pam_h
/* XXX - should really tidy up PAM here too */
@@ -36,6 +36,10 @@
/* reopen stdin as pipe */
- close(fds[1]);
dup2(fds[0], STDIN_FILENO);
++ /* and replace also the stdout/err as the helper will
++ not write anything there */
++ dup2(fds[1], STDOUT_FILENO);
++ dup2(fds[1], STDERR_FILENO);
if (getrlimit(RLIMIT_NOFILE,&rlim)==0) {
- for (i=2; i < rlim.rlim_max; i++) {
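Review bot: The two added `dup2(fds[1], ...)` calls point the helper's stdout and stderr at the write end of the same pipe it reads on stdin, so anything the helper or a library it loads prints is fed back into its own input. Their return values are also unchecked, so a failed `dup2` leaves the inherited descriptor in place. Because the child now keeps a write end open on descriptors 1 and 2, it cannot see EOF on stdin when the parent closes its end; whether the helper relies on EOF is not visible here. A sink that cannot loop back would be safer, for example `int nullfd = open("/dev/null", O_WRONLY);` followed by `if (nullfd < 0 || dup2(nullfd, STDOUT_FILENO) < 0 || dup2(nullfd, STDERR_FILENO) < 0) _exit(PAM_AUTHINFO_UNAVAIL);`. The same applies to the identical addition in `_unix_run_helper_binary` (support.c); both functions begin and end outside these hunks.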
@@ -48,7 +52,7 @@
}
}
-@@ -239,8 +240,8 @@ static int _unix_run_update_binary(pam_h
+@@ -239,8 +244,8 @@ static int _unix_run_update_binary(pam_h
retval = PAM_AUTH_ERR;
}
@@ -61,7 +65,7 @@
return retval;
diff -up Linux-PAM-1.0.4/modules/pam_unix/support.c.safeguards Linux-PAM-1.0.4/modules/pam_unix/support.c
--- Linux-PAM-1.0.4/modules/pam_unix/support.c.safeguards 2009-03-17 11:25:11.000000000 +0100
-+++ Linux-PAM-1.0.4/modules/pam_unix/support.c 2009-03-17 11:25:11.000000000 +0100
++++ Linux-PAM-1.0.4/modules/pam_unix/support.c 2009-03-26 10:29:54.000000000 +0100
@@ -396,7 +396,7 @@ static int _unix_run_helper_binary(pam_h
unsigned int ctrl, const char *user)
{
@@ -82,7 +86,7 @@
}
/* fork */
-@@ -427,15 +429,14 @@ static int _unix_run_helper_binary(pam_h
+@@ -427,15 +429,18 @@ static int _unix_run_helper_binary(pam_h
/* XXX - should really tidy up PAM here too */
@@ -90,6 +94,10 @@
/* reopen stdin as pipe */
- close(fds[1]);
dup2(fds[0], STDIN_FILENO);
++ /* and replace also the stdout/err as the helper will
++ not write anything there */
++ dup2(fds[1], STDOUT_FILENO);
++ dup2(fds[1], STDERR_FILENO);
if (getrlimit(RLIMIT_NOFILE,&rlim)==0) {
- for (i=2; i < (int)rlim.rlim_max; i++) {
@@ -102,7 +110,7 @@
}
}
-@@ -488,8 +489,8 @@ static int _unix_run_helper_binary(pam_h
+@@ -488,8 +493,8 @@ static int _unix_run_helper_binary(pam_h
retval = PAM_AUTH_ERR;
}
@@ -115,7 +123,7 @@
D(("returning %d", retval));
diff -up Linux-PAM-1.0.4/modules/pam_unix/pam_unix_acct.c.safeguards Linux-PAM-1.0.4/modules/pam_unix/pam_unix_acct.c
--- Linux-PAM-1.0.4/modules/pam_unix/pam_unix_acct.c.safeguards 2009-03-03 10:00:31.000000000 +0100
-+++ Linux-PAM-1.0.4/modules/pam_unix/pam_unix_acct.c 2009-03-17 15:14:09.000000000 +0100
++++ Linux-PAM-1.0.4/modules/pam_unix/pam_unix_acct.c 2009-03-26 10:29:17.000000000 +0100
@@ -65,7 +65,7 @@ int _unix_run_verify_binary(pam_handle_t
const char *user, int *daysleft)
{
@@ -125,7 +133,7 @@
D(("running verify_binary"));
/* create a pipe for the messages */
-@@ -85,29 +85,32 @@ int _unix_run_verify_binary(pam_handle_t
+@@ -85,29 +85,33 @@ int _unix_run_verify_binary(pam_handle_t
* The "noreap" module argument is provided so that the admin can
* override this behavior.
*/
@@ -149,9 +157,10 @@
- close(fds[0]);
+ /* reopen stdout as pipe */
dup2(fds[1], STDOUT_FILENO);
-+ /* and replace also the stdin so we do not exec the helper with
++ /* and replace also the stdin, stderr so we do not exec the helper with
+ tty as stdin, it will not read anything from there anyway */
+ dup2(fds[0], STDIN_FILENO);
++ dup2(fds[1], STDERR_FILENO);
/* XXX - should really tidy up PAM here too */
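Review bot: The added `dup2(fds[1], STDERR_FILENO)` sends the helper's stderr into the same pipe that carries its stdout result back to the parent, so any diagnostic text on stderr would be interleaved with the value the parent reads (the parent-side parsing is outside this hunk, so the impact is inferred). Likewise stdin becomes the read end of that pipe, so the helper would read its own output if it ever read stdin. Pointing stdin and stderr at `/dev/null` and checking the `dup2` results would keep the result channel clean; the comment could then read `/* stdin and stderr go to /dev/null: the helper reads nothing and only stdout carries the result */`. `_unix_run_verify_binary` starts and ends outside the hunk.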
@@ -167,7 +176,7 @@
}
}
-@@ -126,7 +129,6 @@ int _unix_run_verify_binary(pam_handle_t
+@@ -126,7 +130,6 @@ int _unix_run_verify_binary(pam_handle_t
pam_syslog(pamh, LOG_ERR, "helper binary execve failed: %m");
/* should not get here: exit with error */
@@ -175,7 +184,7 @@
D(("helper binary is not available"));
printf("-1\n");
exit(PAM_AUTHINFO_UNAVAIL);
-@@ -162,9 +164,11 @@ int _unix_run_verify_binary(pam_handle_t
+@@ -162,9 +165,11 @@ int _unix_run_verify_binary(pam_handle_t
}
close(fds[0]);
}
Index: pam.spec
===================================================================
RCS file: /cvs/pkgs/rpms/pam/F-9/pam.spec,v
retrieving revision 1.182
retrieving revision 1.183
diff -u -r1.182 -r1.183
--- pam.spec 17 Mar 2009 14:17:51 -0000 1.182
+++ pam.spec 26 Mar 2009 10:15:20 -0000 1.183
@@ -5,7 +5,7 @@
Summary: A security tool which provides authentication for applications
Name: pam
Version: 1.0.4
-Release: 2%{?dist}
+Release: 3%{?dist}
# The library is BSD licensed with option to relicense as GPLv2+ - this option is redundant
# as the BSD license allows that anyway. pam_timestamp and pam_console modules are GPLv2+,
# pam_rhosts_auth module is BSD with advertising
@@ -384,6 +384,9 @@
%doc doc/adg/*.txt doc/adg/html
%changelog
+* Thu Mar 26 2009 Tomas Mraz <tmraz at redhat.com> 1.0.4-3
+- replace all std descriptors when calling helpers (#491471)
+
* Tue Mar 17 2009 Tomas Mraz <tmraz at redhat.com> 1.0.4-2
- update to new upstream minor release (bugfixes and
minor security fixes)