rpms/sudo/FC-3 sudo-1.6.7p5-pam-session.patch, NONE, 1.1 sudo.spec, 1.20, 1.21

fedora-cvs-commits at redhat.com fedora-cvs-commits at redhat.com
Tue May 24 12:57:38 UTC 2005


Author: kzak

Update of /cvs/dist/rpms/sudo/FC-3
In directory cvs.devel.redhat.com:/tmp/cvs-serv4265

Modified Files:
	sudo.spec 
Added Files:
	sudo-1.6.7p5-pam-session.patch 
Log Message:
- fix #154511 - sudo does not use limits.conf
- fix #144893 - sudo does not work with pam_tally correctly


sudo-1.6.7p5-pam-session.patch:
 pam.c |   48 +++++++++++++++++++++++++++++++++++++++++++++++-
 1 files changed, 47 insertions(+), 1 deletion(-)

--- NEW FILE sudo-1.6.7p5-pam-session.patch ---
--- sudo-1.6.7p5/auth/pam.c.sess	2003-04-16 02:39:15.000000000 +0200
+++ sudo-1.6.7p5/auth/pam.c	2005-05-24 14:11:36.945563416 +0200
@@ -104,6 +104,7 @@
     return(AUTH_SUCCESS);
 }
 
+
 int
 pam_verify(pw, prompt, auth)
     struct passwd *pw;
@@ -120,9 +121,39 @@
     error = pam_authenticate(pamh, PAM_SILENT);
     switch (error) {
 	case PAM_SUCCESS:
-	    return(AUTH_SUCCESS);
+            /* backported from sudo-1.6.8p8 */
+	    error = pam_acct_mgmt(pamh, PAM_SILENT);
+	    switch (error) {
+		case PAM_SUCCESS:
+		    return(AUTH_SUCCESS);
+		case PAM_AUTH_ERR:
+		    log_error(NO_EXIT|NO_MAIL, "pam_acct_mgmt: %d", error);
+		    return(AUTH_FAILURE);
+		case PAM_NEW_AUTHTOK_REQD:
+		    log_error(NO_EXIT|NO_MAIL, "%s, %s",
+			"Account or password is expired",
+			"reset your password and try again");
+		    error = pam_chauthtok(pamh,
+			PAM_CHANGE_EXPIRED_AUTHTOK);
+		    if (error == PAM_SUCCESS)
+			return(AUTH_SUCCESS);
+		    if ((s = pam_strerror(pamh, error)))
+			log_error(NO_EXIT|NO_MAIL, "pam_chauthtok: %s", s);
+		    return(AUTH_FAILURE);
+		case PAM_AUTHTOK_EXPIRED:
+		    log_error(NO_EXIT|NO_MAIL,
+			"Password expired, contact your system administrator");
+		    return(AUTH_FATAL);
+		case PAM_ACCT_EXPIRED:
+		    log_error(NO_EXIT|NO_MAIL, "%s %s",
+			"Account expired or PAM config lacks an \"account\"",
+			"section for sudo, contact your system administrator");
+		    return(AUTH_FATAL);
+	    }
+	    /* FALLTHROUGH */
 	case PAM_AUTH_ERR:
 	case PAM_MAXTRIES:
+	case PAM_PERM_DENIED:
 	    return(AUTH_FAILURE);
 	default:
 	    if ((s = pam_strerror(pamh, error)))
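Review bot: The inner `switch` on the `pam_acct_mgmt()` result has no `default`, so any code not listed there (for example `PAM_PERM_DENIED` or `PAM_USER_UNKNOWN`) leaves the switch, falls through to the outer `case PAM_AUTH_ERR:` and returns `AUTH_FAILURE` without a log entry. The outcome is fail-closed, which is correct, but an account-stack denial then leaves no trace for whoever audits sudo failures. The `PAM_AUTH_ERR` arm also logs only the raw integer through `"pam_acct_mgmt: %d"`. I would add a `default:` arm holding `if ((s = pam_strerror(pamh, error))) log_error(NO_EXIT|NO_MAIL, "pam_acct_mgmt: %s", s);` and `return(AUTH_FAILURE);`, and use the same `%s` form in the `PAM_AUTH_ERR` arm. `pam_verify` begins and ends outside this hunk.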
@@ -166,6 +197,7 @@
 {
     struct pam_conv pam_conv;
     pam_handle_t *pamh;
+    int error;
 
     /* We need to setup a new PAM session for the user we are changing *to*. */
     pam_conv.conv = sudo_conv;
@@ -188,6 +220,20 @@
      */
     (void) pam_setcred(pamh, PAM_ESTABLISH_CRED);
 
+    /*
+     * That's enough initialize PAM session in this function, because
+     * sudo calls it before exec()
+     */
+    if ((error = pam_open_session(pamh, 0))!=PAM_SUCCESS) {
+	    pam_end(pamh, error);
+	    return(AUTH_FAILURE);
+    }
+    /*
+     * For example settings from pam_limits are persistent after pam_session_close() and
+     * it's probably more clean call pam_close_session() than omit it.
+     */
+    pam_close_session(pamh, 0);
+   
     if (pam_end(pamh, PAM_SUCCESS) == PAM_SUCCESS)
 	return(PAM_SUCCESS);
     else
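Review bot: The added `pam_close_session(pamh, 0);` runs in the same function as `pam_open_session()`, before sudo executes the command, and its return value is discarded. Only session settings that outlive the close (the comment names pam_limits) will therefore apply to the command, and a session module that does accounting or cleanup on close would see the session end before the command starts. The comment should state that limitation plainly, and it refers to `pam_session_close()` where the call is `pam_close_session()`. Suggested wording: `/* Session is opened and closed here, before exec(); only effects that survive pam_close_session(), e.g. pam_limits, reach the command. */`, and a failed close could at least be logged via `pam_strerror()`. The function's body continues outside this hunk.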


Index: sudo.spec
===================================================================
RCS file: /cvs/dist/rpms/sudo/FC-3/sudo.spec,v
retrieving revision 1.20
retrieving revision 1.21
diff -u -r1.20 -r1.21
--- sudo.spec	4 Oct 2004 15:39:47 -0000	1.20
+++ sudo.spec	24 May 2005 12:57:36 -0000	1.21
@@ -4,7 +4,7 @@
 Summary: Allows restricted root access for specified users.
 Name: sudo
 Version: 1.6.7p5
-Release: 30.1
+Release: 30.2
 License: BSD
 Group: Applications/System
 Source: http://www.courtesan.com/sudo/dist/sudo-%{version}.tar.gz
@@ -17,6 +17,9 @@
 BuildRequires: libselinux-devel
 %endif
 
+# 154511 – sudo does not use limits.conf
+# 144893 – sudo does not work with pam_tally correctly
+Patch2: sudo-1.6.7p5-pam-session.patch
 
 %description
 Sudo (superuser do) allows a system administrator to give certain
@@ -36,6 +39,8 @@
 %patch1 -p1 -b .selinux
 %endif
 
+%patch2 -p1 -b .sess
+
 %build
 %ifarch s390 s390x
 F_PIE=-fPIE
@@ -71,7 +76,7 @@
 auth       required	pam_stack.so service=system-auth
 account    required	pam_stack.so service=system-auth
 password   required	pam_stack.so service=system-auth
-session    required	pam_stack.so service=system-auth
+session    required	pam_limits.so
 EOF
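Review bot: The `session` line now names `pam_limits.so` directly instead of `pam_stack.so service=system-auth`, so any other session modules configured in system-auth no longer run for sudo, and the spec does not say why. Since the patched pam.c opens and closes the PAM session back to back, limiting the stack to a module whose effect survives the close looks deliberate, but that is inferred rather than stated. A comment above the here-document would record it, for example `# session: pam_limits only; sudo closes the PAM session before exec (see Patch2)`. The here-document starts outside this hunk.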
 
 
@@ -98,6 +103,10 @@
 /bin/chmod 0440 /etc/sudoers || :
 
 %changelog
+* Tue May 24 2005 Karel Zak <kzak at redhat.com> 1.6.7p5-30.2
+- fix #154511 - sudo does not use limits.conf
+- fix #144893 - sudo does not work with pam_tally correctly
+
 * Mon Oct  4 2004 Thomas Woerner <twoerner at redhat.com> 1.6.7p5-30.1
 - added missing BuildRequires for libselinux-devel (#132883) 
 



