rpms/pam/FC-6 pam-0.99.6.2-doc-add-ids.patch, NONE, 1.1 pam-0.99.6.2-ja-no-shortcut.patch, NONE, 1.1 pam-0.99.6.2-keyinit-setgid.patch, NONE, 1.1 pam-0.99.6.2-namespace-level.patch, NONE, 1.1 pam-0.99.6.2-namespace-overflow.patch, NONE, 1.1 pam-0.99.6.2-namespace-preserve-uid.patch, NONE, 1.1 pam-0.99.6.2-selinux-drop-multiple.patch, NONE, 1.1 pam-0.99.6.2-selinux-select-context.patch, NONE, 1.1 pam-0.99.6.2-unix-compare.patch, NONE, 1.1 pam-0.99.6.2-unix-username.patch, NONE, 1.1 pam.spec, 1.133, 1.134 pam-0.99.5.0-selinux-drop-multiple.patch, 1.1, NONE pam_namespace-10.patch, 1.1, NONE
fedora-cvs-commits at redhat.com
Fri Dec 22 21:10:29 UTC 2006
Author: tmraz
Update of /cvs/dist/rpms/pam/FC-6
In directory cvs.devel.redhat.com:/tmp/cvs-serv32387
Modified Files:
pam.spec
Added Files:
pam-0.99.6.2-doc-add-ids.patch
pam-0.99.6.2-ja-no-shortcut.patch
pam-0.99.6.2-keyinit-setgid.patch
pam-0.99.6.2-namespace-level.patch
pam-0.99.6.2-namespace-overflow.patch
pam-0.99.6.2-namespace-preserve-uid.patch
pam-0.99.6.2-selinux-drop-multiple.patch
pam-0.99.6.2-selinux-select-context.patch
pam-0.99.6.2-unix-compare.patch
pam-0.99.6.2-unix-username.patch
Removed Files:
pam-0.99.5.0-selinux-drop-multiple.patch
pam_namespace-10.patch
Log Message:
* Fri Dec 22 2006 Tomas Mraz <tmraz at redhat.com> 0.99.6.2-3.9
- Truncated MD5 passwords in /etc/shadow should not be valid (#219187)
- Sync with RHEL-5 branch
pam-0.99.6.2-doc-add-ids.patch:
adg/Linux-PAM_ADG.xml | 2 +-
mwg/Linux-PAM_MWG.xml | 4 ++--
sag/Linux-PAM_SAG.xml | 2 +-
sag/pam_access.xml | 16 ++++++++--------
sag/pam_echo.xml | 12 ++++++------
sag/pam_env.xml | 16 ++++++++--------
sag/pam_exec.xml | 12 ++++++------
sag/pam_group.xml | 16 ++++++++--------
sag/pam_limits.xml | 16 ++++++++--------
sag/pam_namespace.xml | 16 ++++++++--------
sag/pam_time.xml | 16 ++++++++--------
11 files changed, 64 insertions(+), 64 deletions(-)
--- NEW FILE pam-0.99.6.2-doc-add-ids.patch ---
Index: doc/adg/Linux-PAM_ADG.xml
===================================================================
RCS file: /cvsroot/pam/Linux-PAM/doc/adg/Linux-PAM_ADG.xml,v
retrieving revision 1.2
retrieving revision 1.3
diff -u -r1.2 -r1.3
--- doc/adg/Linux-PAM_ADG.xml 5 Aug 2006 19:20:02 -0000 1.2
+++ doc/adg/Linux-PAM_ADG.xml 13 Oct 2006 12:42:03 -0000 1.3
@@ -1,7 +1,7 @@
<?xml version='1.0' encoding='UTF-8'?>
<!DOCTYPE book PUBLIC "-//OASIS//DTD DocBook XML V4.4//EN"
"http://www.oasis-open.org/docbook/xml/4.4/docbookx.dtd">
-<book>
+<book id="adg">
<bookinfo>
<title>The Linux-PAM Application Developers' Guide</title>
<authorgroup>
Index: doc/mwg/Linux-PAM_MWG.xml
===================================================================
RCS file: /cvsroot/pam/Linux-PAM/doc/mwg/Linux-PAM_MWG.xml,v
retrieving revision 1.3
retrieving revision 1.5
diff -u -r1.3 -r1.5
--- doc/mwg/Linux-PAM_MWG.xml 5 Aug 2006 19:20:02 -0000 1.3
+++ doc/mwg/Linux-PAM_MWG.xml 13 Oct 2006 12:42:03 -0000 1.5
@@ -1,7 +1,7 @@
<?xml version='1.0' encoding='UTF-8'?>
<!DOCTYPE book PUBLIC "-//OASIS//DTD DocBook XML V4.4//EN"
"http://www.oasis-open.org/docbook/xml/4.4/docbookx.dtd">
-<book>
+<book id="mwg">
<bookinfo>
<title>The Linux-PAM Module Writers' Guide</title>
<authorgroup>
@@ -310,7 +310,7 @@
<section id="mwg-see-programming-sec">
<title>Security issues for module creation</title>
- <section>
+ <section id="mwg-see-programming-sec-res">
<title>Sufficient resources</title>
<para>
Care should be taken to ensure that the proper execution
Index: doc/sag/Linux-PAM_SAG.xml
===================================================================
RCS file: /cvsroot/pam/Linux-PAM/doc/sag/Linux-PAM_SAG.xml,v
retrieving revision 1.4
retrieving revision 1.5
diff -u -r1.4 -r1.5
--- doc/sag/Linux-PAM_SAG.xml 20 Sep 2006 13:46:03 -0000 1.4
+++ doc/sag/Linux-PAM_SAG.xml 13 Oct 2006 12:42:03 -0000 1.5
@@ -1,7 +1,7 @@
<?xml version='1.0' encoding='UTF-8'?>
<!DOCTYPE book PUBLIC "-//OASIS//DTD DocBook XML V4.4//EN"
"http://www.oasis-open.org/docbook/xml/4.4/docbookx.dtd">
-<book>
+<book id="sag">
<bookinfo>
<title>The Linux-PAM System Administrators' Guide</title>
<authorgroup>
Index: doc/sag/pam_access.xml
===================================================================
RCS file: /cvsroot/pam/Linux-PAM/doc/sag/pam_access.xml,v
retrieving revision 1.1
retrieving revision 1.2
diff -u -r1.1 -r1.2
--- doc/sag/pam_access.xml 28 Jun 2006 12:01:12 -0000 1.1
+++ doc/sag/pam_access.xml 13 Oct 2006 11:33:18 -0000 1.2
@@ -7,35 +7,35 @@
<xi:include xmlns:xi="http://www.w3.org/2001/XInclude"
href="../../modules/pam_access/pam_access.8.xml" xpointer='xpointer(//cmdsynopsis[@id = "pam_access-cmdsynopsis"]/*)'/>
</cmdsynopsis>
- <section>
+ <section id='sag-pam_access-description'>
<xi:include xmlns:xi="http://www.w3.org/2001/XInclude"
href="../../modules/pam_access/pam_access.8.xml" xpointer='xpointer(//refsect1[@id = "pam_access-description"]/*)'/>
</section>
- <section>
+ <section id='sag-access.conf-description'>
<xi:include xmlns:xi="http://www.w3.org/2001/XInclude"
href="../../modules/pam_access/access.conf.5.xml" xpointer='xpointer(//refsect1[@id = "access.conf-description"]/*)'/>
</section>
- <section>
+ <section id='sag-pam_access-options'>
<xi:include xmlns:xi="http://www.w3.org/2001/XInclude"
href="../../modules/pam_access/pam_access.8.xml" xpointer='xpointer(//refsect1[@id = "pam_access-options"]/*)'/>
</section>
- <section>
+ <section id='sag-pam_access-services'>
<xi:include xmlns:xi="http://www.w3.org/2001/XInclude"
href="../../modules/pam_access/pam_access.8.xml" xpointer='xpointer(//refsect1[@id = "pam_access-services"]/*)'/>
</section>
- <section>
+ <section id='sag-pam_access-return_values'>
<xi:include xmlns:xi="http://www.w3.org/2001/XInclude"
href="../../modules/pam_access/pam_access.8.xml" xpointer='xpointer(//refsect1[@id = "pam_access-return_values"]/*)'/>
</section>
- <section>
+ <section id='sag-pam_access-files'>
<xi:include xmlns:xi="http://www.w3.org/2001/XInclude"
href="../../modules/pam_access/pam_access.8.xml" xpointer='xpointer(//refsect1[@id = "pam_access-files"]/*)'/>
</section>
- <section>
+ <section id='sag-access.conf-examples'>
<xi:include xmlns:xi="http://www.w3.org/2001/XInclude"
href="../../modules/pam_access/access.conf.5.xml" xpointer='xpointer(//refsect1[@id = "access.conf-examples"]/*)'/>
</section>
- <section>
+ <section id='sag-pam_access-authors'>
<xi:include xmlns:xi="http://www.w3.org/2001/XInclude"
href="../../modules/pam_access/pam_access.8.xml" xpointer='xpointer(//refsect1[@id = "pam_access-authors"]/*)'/>
</section>
Index: doc/sag/pam_echo.xml
===================================================================
RCS file: /cvsroot/pam/Linux-PAM/doc/sag/pam_echo.xml,v
retrieving revision 1.1
retrieving revision 1.2
diff -u -r1.1 -r1.2
--- doc/sag/pam_echo.xml 28 Jun 2006 12:01:13 -0000 1.1
+++ doc/sag/pam_echo.xml 13 Oct 2006 11:33:18 -0000 1.2
@@ -7,27 +7,27 @@
<xi:include xmlns:xi="http://www.w3.org/2001/XInclude"
href="../../modules/pam_echo/pam_echo.8.xml" xpointer='xpointer(//cmdsynopsis[@id = "pam_echo-cmdsynopsis"]/*)'/>
</cmdsynopsis>
- <section>
+ <section id='sag-pam_echo-description'>
<xi:include xmlns:xi="http://www.w3.org/2001/XInclude"
href="../../modules/pam_echo/pam_echo.8.xml" xpointer='xpointer(//refsect1[@id = "pam_echo-description"]/*)'/>
</section>
- <section>
+ <section id='sag-pam_echo-options'>
<xi:include xmlns:xi="http://www.w3.org/2001/XInclude"
href="../../modules/pam_echo/pam_echo.8.xml" xpointer='xpointer(//refsect1[@id = "pam_echo-options"]/*)'/>
</section>
- <section>
+ <section id='sag-pam_echo-services'>
<xi:include xmlns:xi="http://www.w3.org/2001/XInclude"
href="../../modules/pam_echo/pam_echo.8.xml" xpointer='xpointer(//refsect1[@id = "pam_echo-services"]/*)'/>
</section>
- <section>
+ <section id='sag-pam_echo-return_values'>
<xi:include xmlns:xi="http://www.w3.org/2001/XInclude"
href="../../modules/pam_echo/pam_echo.8.xml" xpointer='xpointer(//refsect1[@id = "pam_echo-return_values"]/*)'/>
</section>
- <section>
+ <section id='sag-pam_echo-examples'>
<xi:include xmlns:xi="http://www.w3.org/2001/XInclude"
href="../../modules/pam_echo/pam_echo.8.xml" xpointer='xpointer(//refsect1[@id = "pam_echo-examples"]/*)'/>
</section>
- <section>
+ <section id='sag-pam_echo-author'>
<xi:include xmlns:xi="http://www.w3.org/2001/XInclude"
href="../../modules/pam_echo/pam_echo.8.xml" xpointer='xpointer(//refsect1[@id = "pam_echo-author"]/*)'/>
</section>
Index: doc/sag/pam_env.xml
===================================================================
RCS file: /cvsroot/pam/Linux-PAM/doc/sag/pam_env.xml,v
retrieving revision 1.1
retrieving revision 1.2
diff -u -r1.1 -r1.2
--- doc/sag/pam_env.xml 28 Jun 2006 12:01:13 -0000 1.1
+++ doc/sag/pam_env.xml 13 Oct 2006 11:33:18 -0000 1.2
@@ -7,35 +7,35 @@
<xi:include xmlns:xi="http://www.w3.org/2001/XInclude"
href="../../modules/pam_env/pam_env.8.xml" xpointer='xpointer(//cmdsynopsis[@id = "pam_env-cmdsynopsis"]/*)'/>
</cmdsynopsis>
- <section>
+ <section id='sag-pam_env-description'>
<xi:include xmlns:xi="http://www.w3.org/2001/XInclude"
href="../../modules/pam_env/pam_env.8.xml" xpointer='xpointer(//refsect1[@id = "pam_env-description"]/*)'/>
</section>
- <section>
+ <section id='sag-pam_env.conf-description'>
<xi:include xmlns:xi="http://www.w3.org/2001/XInclude"
href="../../modules/pam_env/pam_env.conf.5.xml" xpointer='xpointer(//refsect1[@id = "pam_env.conf-description"]/*)'/>
</section>
- <section>
+ <section id='sag-pam_env-options'>
<xi:include xmlns:xi="http://www.w3.org/2001/XInclude"
href="../../modules/pam_env/pam_env.8.xml" xpointer='xpointer(//refsect1[@id = "pam_env-options"]/*)'/>
</section>
- <section>
+ <section id='sag-pam_env-services'>
<xi:include xmlns:xi="http://www.w3.org/2001/XInclude"
href="../../modules/pam_env/pam_env.8.xml" xpointer='xpointer(//refsect1[@id = "pam_env-services"]/*)'/>
</section>
- <section>
+ <section id='sag-pam_env-return_values'>
<xi:include xmlns:xi="http://www.w3.org/2001/XInclude"
href="../../modules/pam_env/pam_env.8.xml" xpointer='xpointer(//refsect1[@id = "pam_env-return_values"]/*)'/>
</section>
- <section>
+ <section id='sag-pam_env-files'>
<xi:include xmlns:xi="http://www.w3.org/2001/XInclude"
href="../../modules/pam_env/pam_env.8.xml" xpointer='xpointer(//refsect1[@id = "pam_env-files"]/*)'/>
</section>
- <section>
+ <section id='sag-pam_env.conf-examples'>
<xi:include xmlns:xi="http://www.w3.org/2001/XInclude"
href="../../modules/pam_env/pam_env.conf.5.xml" xpointer='xpointer(//refsect1[@id = "pam_env.conf-examples"]/*)'/>
</section>
- <section>
+ <section id='sag-pam_env-authors'>
<xi:include xmlns:xi="http://www.w3.org/2001/XInclude"
href="../../modules/pam_env/pam_env.8.xml" xpointer='xpointer(//refsect1[@id = "pam_env-authors"]/*)'/>
</section>
Index: doc/sag/pam_exec.xml
===================================================================
RCS file: /cvsroot/pam/Linux-PAM/doc/sag/pam_exec.xml,v
retrieving revision 1.1
retrieving revision 1.2
diff -u -r1.1 -r1.2
--- doc/sag/pam_exec.xml 28 Jun 2006 12:01:13 -0000 1.1
+++ doc/sag/pam_exec.xml 13 Oct 2006 11:33:18 -0000 1.2
@@ -7,27 +7,27 @@
<xi:include xmlns:xi="http://www.w3.org/2001/XInclude"
href="../../modules/pam_exec/pam_exec.8.xml" xpointer='xpointer(//cmdsynopsis[@id = "pam_exec-cmdsynopsis"]/*)'/>
</cmdsynopsis>
- <section>
+ <section id='sag-pam_exec-description'>
<xi:include xmlns:xi="http://www.w3.org/2001/XInclude"
href="../../modules/pam_exec/pam_exec.8.xml" xpointer='xpointer(//refsect1[@id = "pam_exec-description"]/*)'/>
</section>
- <section>
+ <section id='sag-pam_exec-options'>
<xi:include xmlns:xi="http://www.w3.org/2001/XInclude"
href="../../modules/pam_exec/pam_exec.8.xml" xpointer='xpointer(//refsect1[@id = "pam_exec-options"]/*)'/>
</section>
- <section>
+ <section id='sag-pam_exec-services'>
<xi:include xmlns:xi="http://www.w3.org/2001/XInclude"
href="../../modules/pam_exec/pam_exec.8.xml" xpointer='xpointer(//refsect1[@id = "pam_exec-services"]/*)'/>
</section>
- <section>
+ <section id='sag-pam_exec-return_values'>
<xi:include xmlns:xi="http://www.w3.org/2001/XInclude"
href="../../modules/pam_exec/pam_exec.8.xml" xpointer='xpointer(//refsect1[@id = "pam_exec-return_values"]/*)'/>
</section>
- <section>
+ <section id='sag-pam_exec-examples'>
<xi:include xmlns:xi="http://www.w3.org/2001/XInclude"
href="../../modules/pam_exec/pam_exec.8.xml" xpointer='xpointer(//refsect1[@id = "pam_exec-examples"]/*)'/>
</section>
- <section>
+ <section id='sag-pam_exec-author'>
<xi:include xmlns:xi="http://www.w3.org/2001/XInclude"
href="../../modules/pam_exec/pam_exec.8.xml" xpointer='xpointer(//refsect1[@id = "pam_exec-author"]/*)'/>
</section>
Index: doc/sag/pam_group.xml
===================================================================
RCS file: /cvsroot/pam/Linux-PAM/doc/sag/pam_group.xml,v
retrieving revision 1.1
retrieving revision 1.2
diff -u -r1.1 -r1.2
--- doc/sag/pam_group.xml 28 Jun 2006 12:01:13 -0000 1.1
+++ doc/sag/pam_group.xml 13 Oct 2006 11:33:18 -0000 1.2
@@ -7,35 +7,35 @@
<xi:include xmlns:xi="http://www.w3.org/2001/XInclude"
href="../../modules/pam_group/pam_group.8.xml" xpointer='xpointer(//cmdsynopsis[@id = "pam_group-cmdsynopsis"]/*)'/>
</cmdsynopsis>
- <section>
+ <section id='sag-pam_group-description'>
<xi:include xmlns:xi="http://www.w3.org/2001/XInclude"
href="../../modules/pam_group/pam_group.8.xml" xpointer='xpointer(//refsect1[@id = "pam_group-description"]/*)'/>
</section>
- <section>
+ <section id='sag-group.conf-description'>
<xi:include xmlns:xi="http://www.w3.org/2001/XInclude"
href="../../modules/pam_group/group.conf.5.xml" xpointer='xpointer(//refsect1[@id = "group.conf-description"]/*)'/>
</section>
- <section>
+ <section id='sag-pam_group-options'>
<xi:include xmlns:xi="http://www.w3.org/2001/XInclude"
href="../../modules/pam_group/pam_group.8.xml" xpointer='xpointer(//refsect1[@id = "pam_group-options"]/*)'/>
</section>
- <section>
+ <section id='sag-pam_group-services'>
<xi:include xmlns:xi="http://www.w3.org/2001/XInclude"
href="../../modules/pam_group/pam_group.8.xml" xpointer='xpointer(//refsect1[@id = "pam_group-services"]/*)'/>
</section>
- <section>
+ <section id='sag-pam_group-return_values'>
<xi:include xmlns:xi="http://www.w3.org/2001/XInclude"
href="../../modules/pam_group/pam_group.8.xml" xpointer='xpointer(//refsect1[@id = "pam_group-return_values"]/*)'/>
</section>
- <section>
+ <section id='sag-pam_group-files'>
<xi:include xmlns:xi="http://www.w3.org/2001/XInclude"
href="../../modules/pam_group/pam_group.8.xml" xpointer='xpointer(//refsect1[@id = "pam_group-files"]/*)'/>
</section>
- <section>
+ <section id='sag-group.conf-examples'>
<xi:include xmlns:xi="http://www.w3.org/2001/XInclude"
href="../../modules/pam_group/group.conf.5.xml" xpointer='xpointer(//refsect1[@id = "group.conf-examples"]/*)'/>
</section>
- <section>
+ <section id='sag-pam_group-authors'>
<xi:include xmlns:xi="http://www.w3.org/2001/XInclude"
href="../../modules/pam_group/pam_group.8.xml" xpointer='xpointer(//refsect1[@id = "pam_group-authors"]/*)'/>
</section>
Index: doc/sag/pam_limits.xml
===================================================================
RCS file: /cvsroot/pam/Linux-PAM/doc/sag/pam_limits.xml,v
retrieving revision 1.1
retrieving revision 1.2
diff -u -r1.1 -r1.2
--- doc/sag/pam_limits.xml 28 Jun 2006 12:01:13 -0000 1.1
+++ doc/sag/pam_limits.xml 13 Oct 2006 11:33:18 -0000 1.2
@@ -7,35 +7,35 @@
<xi:include xmlns:xi="http://www.w3.org/2001/XInclude"
href="../../modules/pam_limits/pam_limits.8.xml" xpointer='xpointer(//cmdsynopsis[@id = "pam_limits-cmdsynopsis"]/*)'/>
</cmdsynopsis>
- <section>
+ <section id='sag-pam_limits-description'>
<xi:include xmlns:xi="http://www.w3.org/2001/XInclude"
href="../../modules/pam_limits/pam_limits.8.xml" xpointer='xpointer(//refsect1[@id = "pam_limits-description"]/*)'/>
</section>
- <section>
+ <section id='sag-limits.conf-description'>
<xi:include xmlns:xi="http://www.w3.org/2001/XInclude"
href="../../modules/pam_limits/limits.conf.5.xml" xpointer='xpointer(//refsect1[@id = "limits.conf-description"]/*)'/>
</section>
- <section>
+ <section id='sag-pam_limits-options'>
<xi:include xmlns:xi="http://www.w3.org/2001/XInclude"
href="../../modules/pam_limits/pam_limits.8.xml" xpointer='xpointer(//refsect1[@id = "pam_limits-options"]/*)'/>
</section>
- <section>
+ <section id='sag-pam_limits-services'>
<xi:include xmlns:xi="http://www.w3.org/2001/XInclude"
href="../../modules/pam_limits/pam_limits.8.xml" xpointer='xpointer(//refsect1[@id = "pam_limits-services"]/*)'/>
</section>
- <section>
+ <section id='sag-pam_limits-return_values'>
<xi:include xmlns:xi="http://www.w3.org/2001/XInclude"
href="../../modules/pam_limits/pam_limits.8.xml" xpointer='xpointer(//refsect1[@id = "pam_limits-return_values"]/*)'/>
</section>
- <section>
+ <section id='sag-pam_limits-files'>
<xi:include xmlns:xi="http://www.w3.org/2001/XInclude"
href="../../modules/pam_limits/pam_limits.8.xml" xpointer='xpointer(//refsect1[@id = "pam_limits-files"]/*)'/>
</section>
- <section>
+ <section id='sag-limits.conf-examples'>
<xi:include xmlns:xi="http://www.w3.org/2001/XInclude"
href="../../modules/pam_limits/limits.conf.5.xml" xpointer='xpointer(//refsect1[@id = "limits.conf-examples"]/*)'/>
</section>
- <section>
+ <section id='sag-pam_limits-authors'>
<xi:include xmlns:xi="http://www.w3.org/2001/XInclude"
href="../../modules/pam_limits/pam_limits.8.xml" xpointer='xpointer(//refsect1[@id = "pam_limits-authors"]/*)'/>
</section>
Index: doc/sag/pam_namespace.xml
===================================================================
RCS file: /cvsroot/pam/Linux-PAM/doc/sag/pam_namespace.xml,v
retrieving revision 1.1
retrieving revision 1.2
diff -u -r1.1 -r1.2
--- doc/sag/pam_namespace.xml 28 Jun 2006 12:01:14 -0000 1.1
+++ doc/sag/pam_namespace.xml 13 Oct 2006 11:33:18 -0000 1.2
@@ -7,35 +7,35 @@
<xi:include xmlns:xi="http://www.w3.org/2001/XInclude"
href="../../modules/pam_namespace/pam_namespace.8.xml" xpointer='xpointer(//cmdsynopsis[@id = "pam_namespace-cmdsynopsis"]/*)'/>
</cmdsynopsis>
- <section>
+ <section id='sag-pam_namespace-description'>
<xi:include xmlns:xi="http://www.w3.org/2001/XInclude"
href="../../modules/pam_namespace/pam_namespace.8.xml" xpointer='xpointer(//refsect1[@id = "pam_namespace-description"]/*)'/>
</section>
- <section>
+ <section id='sag-namespace.conf-description'>
<xi:include xmlns:xi="http://www.w3.org/2001/XInclude"
href="../../modules/pam_namespace/namespace.conf.5.xml" xpointer='xpointer(//refsect1[@id = "namespace.conf-description"]/*)'/>
</section>
- <section>
+ <section id='sag-pam_namespace-options'>
<xi:include xmlns:xi="http://www.w3.org/2001/XInclude"
href="../../modules/pam_namespace/pam_namespace.8.xml" xpointer='xpointer(//refsect1[@id = "pam_namespace-options"]/*)'/>
</section>
- <section>
+ <section id='sag-pam_namespace-services'>
<xi:include xmlns:xi="http://www.w3.org/2001/XInclude"
href="../../modules/pam_namespace/pam_namespace.8.xml" xpointer='xpointer(//refsect1[@id = "pam_namespace-services"]/*)'/>
</section>
- <section>
+ <section id='sag-pam_namespace-return_values'>
<xi:include xmlns:xi="http://www.w3.org/2001/XInclude"
href="../../modules/pam_namespace/pam_namespace.8.xml" xpointer='xpointer(//refsect1[@id = "pam_namespace-return_values"]/*)'/>
</section>
- <section>
+ <section id='sag-pam_namespace-files'>
<xi:include xmlns:xi="http://www.w3.org/2001/XInclude"
href="../../modules/pam_namespace/pam_namespace.8.xml" xpointer='xpointer(//refsect1[@id = "pam_namespace-files"]/*)'/>
</section>
- <section>
+ <section id='sag-namespace.conf-examples'>
<xi:include xmlns:xi="http://www.w3.org/2001/XInclude"
href="../../modules/pam_namespace/namespace.conf.5.xml" xpointer='xpointer(//refsect1[@id = "namespace.conf-examples"]/*)'/>
</section>
- <section>
+ <section id='sag-pam_namespace-authors'>
<xi:include xmlns:xi="http://www.w3.org/2001/XInclude"
href="../../modules/pam_namespace/pam_namespace.8.xml" xpointer='xpointer(//refsect1[@id = "pam_namespace-authors"]/*)'/>
</section>
Index: doc/sag/pam_time.xml
===================================================================
RCS file: /cvsroot/pam/Linux-PAM/doc/sag/pam_time.xml,v
retrieving revision 1.1
retrieving revision 1.2
diff -u -r1.1 -r1.2
--- doc/sag/pam_time.xml 28 Jun 2006 12:01:14 -0000 1.1
+++ doc/sag/pam_time.xml 13 Oct 2006 11:33:18 -0000 1.2
@@ -7,35 +7,35 @@
<xi:include xmlns:xi="http://www.w3.org/2001/XInclude"
href="../../modules/pam_time/pam_time.8.xml" xpointer='xpointer(//cmdsynopsis[@id = "pam_time-cmdsynopsis"]/*)'/>
</cmdsynopsis>
- <section>
+ <section id='sag-pam_time-description'>
<xi:include xmlns:xi="http://www.w3.org/2001/XInclude"
href="../../modules/pam_time/pam_time.8.xml" xpointer='xpointer(//refsect1[@id = "pam_time-description"]/*)'/>
</section>
- <section>
+ <section id='sag-time.conf-description'>
<xi:include xmlns:xi="http://www.w3.org/2001/XInclude"
href="../../modules/pam_time/time.conf.5.xml" xpointer='xpointer(//refsect1[@id = "time.conf-description"]/*)'/>
</section>
- <section>
+ <section id='sag-pam_time-options'>
<xi:include xmlns:xi="http://www.w3.org/2001/XInclude"
href="../../modules/pam_time/pam_time.8.xml" xpointer='xpointer(//refsect1[@id = "pam_time-options"]/*)'/>
</section>
- <section>
+ <section id='sag-pam_time-services'>
<xi:include xmlns:xi="http://www.w3.org/2001/XInclude"
href="../../modules/pam_time/pam_time.8.xml" xpointer='xpointer(//refsect1[@id = "pam_time-services"]/*)'/>
</section>
- <section>
+ <section id='sag-pam_time-return_values'>
<xi:include xmlns:xi="http://www.w3.org/2001/XInclude"
href="../../modules/pam_time/pam_time.8.xml" xpointer='xpointer(//refsect1[@id = "pam_time-return_values"]/*)'/>
</section>
- <section>
+ <section id='sag-pam_time-files'>
<xi:include xmlns:xi="http://www.w3.org/2001/XInclude"
href="../../modules/pam_time/pam_time.8.xml" xpointer='xpointer(//refsect1[@id = "pam_time-files"]/*)'/>
</section>
- <section>
+ <section id='sag-time.conf-examples'>
<xi:include xmlns:xi="http://www.w3.org/2001/XInclude"
href="../../modules/pam_time/time.conf.5.xml" xpointer='xpointer(//refsect1[@id = "time.conf-examples"]/*)'/>
</section>
- <section>
+ <section id='sag-pam_time-authors'>
<xi:include xmlns:xi="http://www.w3.org/2001/XInclude"
href="../../modules/pam_time/pam_time.8.xml" xpointer='xpointer(//refsect1[@id = "pam_time-authors"]/*)'/>
</section>
pam-0.99.6.2-ja-no-shortcut.patch:
ja.po | 2 +-
1 files changed, 1 insertion(+), 1 deletion(-)
--- NEW FILE pam-0.99.6.2-ja-no-shortcut.patch ---
--- Linux-PAM-0.99.6.2/po/ja.po.no-shortcut 2006-06-02 17:37:39.000000000 +0200
+++ Linux-PAM-0.99.6.2/po/ja.po 2006-12-13 20:52:39.000000000 +0100
@@ -218,7 +218,7 @@
#: modules/pam_unix/pam_unix_auth.c:160 modules/pam_userdb/pam_userdb.c:61
msgid "Password: "
-msgstr "ãã¹ã¯ã¼ã(P):"
+msgstr "ãã¹ã¯ã¼ã:"
#: modules/pam_unix/pam_unix_passwd.c:820
msgid "NIS password could not be changed."
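Review bot: The new msgstr ends directly after the colon, while the msgid "Password: " carries a trailing space, so the typed input will sit flush against the prompt. Keep the trailing space in the translation when dropping the "(P)" shortcut.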
pam-0.99.6.2-keyinit-setgid.patch:
pam_keyinit.c | 22 ++++++++++++----------
1 files changed, 12 insertions(+), 10 deletions(-)
--- NEW FILE pam-0.99.6.2-keyinit-setgid.patch ---
--- Linux-PAM-0.99.6.2/modules/pam_keyinit/pam_keyinit.c.setgid 2006-08-09 22:52:44.000000000 +0200
+++ Linux-PAM-0.99.6.2/modules/pam_keyinit/pam_keyinit.c 2006-12-13 20:27:07.000000000 +0100
@@ -132,21 +132,21 @@
if (my_session_keyring > 0) {
debug(pamh, "REVOKE %d", my_session_keyring);
- old_uid = getuid();
- old_gid = getgid();
+ old_uid = geteuid();
+ old_gid = getegid();
debug(pamh, "UID:%d [%d] GID:%d [%d]",
revoke_as_uid, old_uid, revoke_as_gid, old_gid);
/* switch to the real UID and GID so that we have permission to
* revoke the key */
- if (revoke_as_uid != old_uid && setreuid(-1, revoke_as_uid) < 0)
- error(pamh, "Unable to change UID to %d temporarily\n",
- revoke_as_uid);
-
if (revoke_as_gid != old_gid && setregid(-1, revoke_as_gid) < 0)
error(pamh, "Unable to change GID to %d temporarily\n",
revoke_as_gid);
+ if (revoke_as_uid != old_uid && setreuid(-1, revoke_as_uid) < 0)
+ error(pamh, "Unable to change UID to %d temporarily\n",
+ revoke_as_uid);
+
syscall(__NR_keyctl,
KEYCTL_REVOKE,
my_session_keyring);
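Review bot: In the revoke path a failed `setregid(-1, revoke_as_gid)` or `setreuid(-1, revoke_as_uid)` is only logged through `error()`, and execution then continues into `KEYCTL_REVOKE` with whatever credentials happen to be in effect. Skip the revoke (or bail out) when either switch fails. The comment above the calls still says "switch to the real UID and GID", although the saved values now come from `geteuid()`/`getegid()` and the calls change the effective IDs, so it should be updated to match.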
@@ -211,12 +211,14 @@
/* switch to the real UID and GID so that the keyring ends up owned by
* the right user */
- if (uid != old_uid && setreuid(uid, -1) < 0)
- return error(pamh, "Unable to change UID to %d temporarily\n", uid);
-
if (gid != old_gid && setregid(gid, -1) < 0) {
error(pamh, "Unable to change GID to %d temporarily\n", gid);
- setreuid(old_uid, -1);
+ return PAM_SESSION_ERR;
+ }
+
+ if (uid != old_uid && setreuid(uid, -1) < 0) {
+ error(pamh, "Unable to change UID to %d temporarily\n", uid);
+ setregid(old_gid, -1);
return PAM_SESSION_ERR;
}
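Review bot: On the `setreuid(uid, -1)` failure path the rollback `setregid(old_gid, -1)` ignores its return value, so a failed restore leaves the process running with the target user's real GID and nothing in the log says so. Check the result and log it before returning `PAM_SESSION_ERR`. Changing the GID before the UID is the right order, since the GID switch can fail once the UID is gone.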
pam-0.99.6.2-namespace-level.patch:
namespace.conf | 16 +++------
namespace.conf.5.xml | 18 +++++-----
pam_namespace.c | 90 ++++++++++++++++++++++++++++++++++++++-------------
pam_namespace.h | 4 +-
4 files changed, 87 insertions(+), 41 deletions(-)
--- NEW FILE pam-0.99.6.2-namespace-level.patch ---
--- Linux-PAM-0.99.6.2/modules/pam_namespace/namespace.conf.selinux-namespace 2006-06-27 09:07:43.000000000 -0400
+++ Linux-PAM-0.99.6.2/modules/pam_namespace/namespace.conf 2006-12-15 09:25:57.000000000 -0500
@@ -4,12 +4,10 @@
#
# Uncommenting the following three lines will polyinstantiate
# /tmp, /var/tmp and user's home directories. /tmp and /var/tmp will
-# be polyinstantiated based on both security context as well as user
-# name, whereas home directory will be polyinstantiated based on
-# security context only. Polyinstantion will not be performed for
-# user root and adm for directories /tmp and /var/tmp, whereas home
-# directories will be polyinstantiated for all users. The user name
-# and/or context is appended to the instance prefix.
+# be polyinstantiated based on the MLS level part of the security context as well as user
+# name, Polyinstantion will not be performed for user root and adm for directories
+# /tmp and /var/tmp, whereas home directories will be polyinstantiated for all users.
+# The user name and context is appended to the instance prefix.
#
# Note that instance directories do not have to reside inside the
# polyinstantiated directory. In the examples below, instances of /tmp
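Review bot: The rewritten comment has a comma splice and a typo at "name, Polyinstantion will not be performed", and it no longer says which method the home directory entry uses, only that it applies to all users. State the method for `$HOME` explicitly and rewrap the lines to the width of the rest of the file.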
@@ -25,6 +23,6 @@
# caution, as it will reduce security and isolation achieved by
# polyinstantiation.
#
-#/tmp /tmp-inst/ both root,adm
-#/var/tmp /var/tmp/tmp-inst/ both root,adm
-#$HOME $HOME/$USER.inst/inst- context
+#/tmp /tmp-inst/ level root,adm
+#/var/tmp /var/tmp/tmp-inst/ level root,adm
+#$HOME $HOME/$USER.inst/ level
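Review bot: The sample `$HOME` entry changes here to `$HOME/$USER.inst/ level`, but the example in namespace.conf.5.xml later in this patch keeps `$HOME $HOME/$USER.inst/inst- context` and describes home directories as keyed on the full security context. Shipped configuration and man page should show the same prefix and method, so pick one and update the other.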
--- Linux-PAM-0.99.6.2/modules/pam_namespace/pam_namespace.c.selinux-namespace 2006-12-15 09:25:57.000000000 -0500
+++ Linux-PAM-0.99.6.2/modules/pam_namespace/pam_namespace.c 2006-12-15 11:30:23.000000000 -0500
@@ -244,23 +244,29 @@
}
strcpy(poly.dir, dir);
strcpy(poly.instance_prefix, instance_prefix);
- if (strcmp(method, "user") == 0)
- poly.method = USER;
+
+ poly.method = NONE;
+ if (strcmp(method, "user") == 0)
+ poly.method = USER;
+
#ifdef WITH_SELINUX
- else if (strcmp(method, "context") == 0) {
+ if (strcmp(method, "level") == 0) {
if (idata->flags & PAMNS_CTXT_BASED_INST)
- poly.method = CONTEXT;
+ poly.method = LEVEL;
else
poly.method = USER;
- } else if (strcmp(method, "both") == 0) {
+ }
+
+ if (strcmp(method, "context") == 0) {
if (idata->flags & PAMNS_CTXT_BASED_INST)
- poly.method = BOTH;
+ poly.method = CONTEXT;
else
poly.method = USER;
}
#endif
- else {
+
+ if ( poly.method == NONE) {
pam_syslog(idata->pamh, LOG_NOTICE, "Illegal method");
goto skipping;
}
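Review bot: Dropping the "both" keyword means an existing namespace.conf line that uses it now falls through to `poly.method == NONE`, logs "Illegal method" at LOG_NOTICE and is skipped, so the directory silently stops being polyinstantiated after the update. Either keep "both" as an accepted alias for the closest new method or treat an unknown method as a hard error. Including the offending method string and directory in the log message would also make the failure easier to find.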
@@ -448,19 +454,23 @@
return PAM_SESSION_ERR;
}
+ if (polyptr->method == USER) return PAM_SUCCESS;
+
+ rc = getexeccon(&scon);
+ if (rc < 0 || scon == NULL) {
+ pam_syslog(idata->pamh, LOG_ERR,
+ "Error getting exec context, %m");
+ return PAM_SESSION_ERR;
+ }
+
/*
* If polyinstantiating based on security context, get current
* process security context, get security class for directories,
* and ask the policy to provide security context of the
* polyinstantiated instance directory.
*/
- if ((polyptr->method == CONTEXT) || (polyptr->method == BOTH)) {
- rc = getexeccon(&scon);
- if (rc < 0 || scon == NULL) {
- pam_syslog(idata->pamh, LOG_ERR,
- "Error getting exec context, %m");
- return PAM_SESSION_ERR;
- }
+
+ if (polyptr->method == CONTEXT) {
tclass = string_to_security_class("dir");
if (security_compute_member(scon, *origcon, tclass,
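Review bot: The `getexeccon(&scon)` call now sits above the comment block that describes it and also serves the `LEVEL` method, so the "If polyinstantiating based on security context" comment no longer matches the code below it. Move the comment or reword it to cover both methods. The combined check `rc < 0 || scon == NULL` also logs with `%m`, which prints an unrelated errno when the call returned 0 and only `scon` is NULL; log that case separately.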
@@ -473,7 +483,48 @@
pam_syslog(idata->pamh, LOG_DEBUG,
"member context returned by policy %s", *i_context);
freecon(scon);
+ return PAM_SUCCESS;
+ }
+
+ /*
+ * If polyinstantiating based on security level, get current
+ * process security context, get security class for directories,
+ * and change the directories MLS Level to match process.
+ */
+
+ if (polyptr->method == LEVEL) {
+ context_t scontext = NULL;
+ context_t fcontext = NULL;
+ rc = PAM_SESSION_ERR;
+
+ scontext = context_new(scon);
+ if (! scontext) {
+ pam_syslog(idata->pamh, LOG_ERR, "out of memory");
+ goto fail;
+ }
+ fcontext = context_new(*origcon);
+ if (! fcontext) {
+ pam_syslog(idata->pamh, LOG_ERR, "out of memory");
+ goto fail;
+ }
+ if (context_range_set(fcontext, context_range_get(scontext)) != 0) {
+ pam_syslog(idata->pamh, LOG_ERR, "Unable to set MLS Componant of context");
+ goto fail;
+ }
+ *i_context=strdup(context_str(fcontext));
+ if (! *i_context) {
+ pam_syslog(idata->pamh, LOG_ERR, "out of memory");
+ goto fail;
+ }
+
+ rc = PAM_SUCCESS;
+ fail:
+ context_free(scontext);
+ context_free(fcontext);
+ freecon(scon);
+ return rc;
}
+ /* Should never get here */
return PAM_SUCCESS;
}
#endif
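Review bot: In the `LEVEL` branch, `*i_context=strdup(context_str(fcontext));` passes the result of `context_str()` straight to `strdup()`; `context_str()` returns NULL when it cannot allocate, and `strdup(NULL)` is undefined. Store the result, check it, then duplicate. The "Should never get here" fall-through also returns `PAM_SUCCESS` without calling `freecon(scon)`, so an unexpected method leaks the context and reports success; free it and return `PAM_SESSION_ERR` there. Minor: "Componant" in the log string should be "Component".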
@@ -514,19 +565,14 @@
break;
#ifdef WITH_SELINUX
+ case LEVEL:
case CONTEXT:
- if (asprintf(i_name, "%s", *i_context) < 0) {
- *i_name = NULL;
- rc = PAM_SESSION_ERR;
- }
- break;
-
- case BOTH:
if (asprintf(i_name, "%s_%s", *i_context, idata->user) < 0) {
*i_name = NULL;
rc = PAM_SESSION_ERR;
}
break;
+
#endif /* WITH_SELINUX */
default:
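Review bot: Merging `case LEVEL:` into `case CONTEXT:` with the `"%s_%s"` format changes the instance name for the existing "context" method from the bare context to context plus user name. Instance directories created under the old naming will no longer be matched after the update, so users get fresh empty instances and the old ones are left behind. This needs a note in the changelog or documentation, or a migration step.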
@@ -1158,7 +1204,7 @@
#ifdef WITH_SELINUX
if (is_selinux_enabled())
idata.flags |= PAMNS_SELINUX_ENABLED;
- if (ctxt_based_inst_needed())
+ if (ctxt_based_inst_needed())
idata.flags |= PAMNS_CTXT_BASED_INST;
#endif
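Review bot: The removed and added `if (ctxt_based_inst_needed())` lines differ only in whitespace. Drop this hunk so the patch carries functional changes only, or keep the indentation used by the neighbouring `if (is_selinux_enabled())` line.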
--- Linux-PAM-0.99.6.2/modules/pam_namespace/namespace.conf.5.xml.selinux-namespace 2006-06-27 09:07:43.000000000 -0400
+++ Linux-PAM-0.99.6.2/modules/pam_namespace/namespace.conf.5.xml 2006-12-15 09:25:57.000000000 -0500
@@ -22,7 +22,7 @@
<para>
This module allows setup of private namespaces with polyinstantiated
directories. Directories can be polyinstantiated based on user name
- or, in the case of SELinux, user name, security context or both. If an
+ or, in the case of SELinux, user name, sensitivity level or complete security context. If an
executable script <filename>/etc/security/namespace.init</filename>
exists, it is used to initialize the namespace every time a new instance
directory is setup. The script receives the polyinstantiated
@@ -72,10 +72,10 @@
<para>
The third field, <replaceable>method</replaceable>, is the method
used for polyinstantiation. It can take 3 different values; "user"
- for polyinstantiation based on user name, "context" for
- polyinstantiation based on process security context, and "both"
- for polyinstantiation based on both user name and security context.
- Methods "context" and "both" are only available with SELinux. This
+ for polyinstantiation based on user name, "level" for
+ polyinstantiation based on process MLS level and user name, and "context" for
+ polyinstantiation based on process security context and user name
+ Methods "context" and "level" are only available with SELinux. This
field cannot be blank.
</para>
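Review bot: The new text is missing a full stop after "polyinstantiation based on process security context and user name", so it runs into "Methods "context" and "level" are only available with SELinux". Add the period; the paragraph otherwise still correctly says the field takes 3 values.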
@@ -98,9 +98,9 @@
<literallayout>
# The following three lines will polyinstantiate /tmp,
# /var/tmp and user's home directories. /tmp and /var/tmp
- # will be polyinstantiated based on both security context
+ # will be polyinstantiated based on the security level
# as well as user name, whereas home directory will be
- # polyinstantiated based on security context only.
+ # polyinstantiated based on the full security context and user name.
# Polyinstantiation will not be performed for user root
# and adm for directories /tmp and /var/tmp, whereas home
# directories will be polyinstantiated for all users.
@@ -112,8 +112,8 @@
# will reside within the directories that are being
# polyinstantiated.
#
- /tmp /tmp-inst/ both root,adm
- /var/tmp /var/tmp/tmp-inst/ both root,adm
+ /tmp /tmp-inst/ level root,adm
+ /var/tmp /var/tmp/tmp-inst/ level root,adm
$HOME $HOME/$USER.inst/inst- context
</literallayout>
--- Linux-PAM-0.99.6.2/modules/pam_namespace/pam_namespace.h.selinux-namespace 2006-12-15 09:25:57.000000000 -0500
+++ Linux-PAM-0.99.6.2/modules/pam_namespace/pam_namespace.h 2006-12-15 09:25:57.000000000 -0500
@@ -63,6 +63,7 @@
#ifdef WITH_SELINUX
#include <selinux/selinux.h>
+#include <selinux/context.h>
#endif
#ifndef CLONE_NEWNS
@@ -93,9 +94,10 @@
* or both
*/
enum polymethod {
+ NONE,
USER,
CONTEXT,
- BOTH,
+ LEVEL,
};
/*
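Review bot: the comment kept as context above `enum polymethod` still ends with "or both", although this hunk removes BOTH and adds LEVEL and NONE; it should be updated to describe the new set of methods. Inserting NONE as the first enumerator also shifts the numeric values of USER and CONTEXT and makes a zero-initialized method read as NONE. If that is the intended "unset" sentinel, say so in the comment.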
pam-0.99.6.2-namespace-overflow.patch:
pam_namespace.c | 6 ++----
pam_namespace.h | 2 +-
2 files changed, 3 insertions(+), 5 deletions(-)
--- NEW FILE pam-0.99.6.2-namespace-overflow.patch ---
--- Linux-PAM-0.99.6.2/modules/pam_namespace/pam_namespace.c.overflow 2006-10-24 15:16:02.000000000 +0200
+++ Linux-PAM-0.99.6.2/modules/pam_namespace/pam_namespace.c 2006-10-24 16:56:17.000000000 +0200
@@ -1205,8 +1205,7 @@
/*
* Add the user info to the instance data so we can refer to them later.
*/
- idata.user[0] = 0;
- strncat(idata.user, user_name, sizeof(idata.user));
+ idata.user = user_name;
idata.uid = pwd->pw_uid;
/*
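Review bot: `idata.user = user_name;` stores a borrowed pointer instead of a copy, so the string behind `user_name` has to stay valid and unmodified for as long as `idata` is used. A short comment here stating who owns that string would make the lifetime assumption reviewable. The change itself is the right direction: the removed `strncat(idata.user, user_name, sizeof(idata.user))` could write the terminating NUL one byte past the array, because strncat's size argument does not count the terminator.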
@@ -1306,8 +1305,7 @@
/*
* Add the user info to the instance data so we can refer to them later.
*/
- idata.user[0] = 0;
- strncat(idata.user, user_name, sizeof(idata.user));
+ idata.user = user_name;
idata.uid = pwd->pw_uid;
/*
--- Linux-PAM-0.99.6.2/modules/pam_namespace/pam_namespace.h.overflow 2006-10-24 15:16:02.000000000 +0200
+++ Linux-PAM-0.99.6.2/modules/pam_namespace/pam_namespace.h 2006-10-24 16:55:28.000000000 +0200
@@ -130,7 +130,7 @@
struct instance_data {
pam_handle_t *pamh; /* The pam handle for this instance */
struct polydir_s *polydirs_ptr; /* The linked list pointer */
- char user[LOGIN_NAME_MAX]; /* User name */
+ const char *user; /* User name */
uid_t uid; /* The uid of the user */
unsigned long flags; /* Flags for debug, selinux etc */
};
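Review bot: with `user` changed from `char user[LOGIN_NAME_MAX]` to `const char *user`, any remaining `sizeof(idata.user)` elsewhere in the module silently becomes the size of a pointer, and any code that writes into the field will no longer compile or will be wrong. Please confirm that the two call sites patched in pam_namespace.c were the only users of the array form, and extend the field comment to note that the pointer is not owned by the struct.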
pam-0.99.6.2-namespace-preserve-uid.patch:
namespace.init | 2 +-
1 files changed, 1 insertion(+), 1 deletion(-)
--- NEW FILE pam-0.99.6.2-namespace-preserve-uid.patch ---
--- Linux-PAM-0.99.6.2/modules/pam_namespace/namespace.init.preserve-uid 2006-06-27 15:07:43.000000000 +0200
+++ Linux-PAM-0.99.6.2/modules/pam_namespace/namespace.init 2006-10-13 10:51:03.000000000 +0200
@@ -1,4 +1,4 @@
-#!/bin/sh
+#!/bin/sh -p
# This is only a boilerplate for the instance initialization script.
# It receives polydir path as $1 and the instance path as $2.
#
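Review bot: the new `#!/bin/sh -p` line carries no explanation, and the header comment of the script does not mention it. Add a comment saying that `-p` is there so the shell keeps the effective uid it was started with instead of resetting it to the real uid, and that this relies on /bin/sh being a shell that accepts `-p` (bash does). Because the script now runs with that effective uid preserved, the boilerplate should also set an explicit PATH before calling any external command.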
pam-0.99.6.2-selinux-drop-multiple.patch:
pam_selinux.8.xml | 15 ------------
pam_selinux.c | 64 ++----------------------------------------------------
2 files changed, 3 insertions(+), 76 deletions(-)
--- NEW FILE pam-0.99.6.2-selinux-drop-multiple.patch ---
--- Linux-PAM-0.99.6.2/modules/pam_selinux/pam_selinux.8.xml.drop-multiple 2006-06-18 10:26:59.000000000 +0200
+++ Linux-PAM-0.99.6.2/modules/pam_selinux/pam_selinux.8.xml 2006-11-10 17:47:16.000000000 +0100
@@ -25,9 +25,6 @@
debug
</arg>
<arg choice="opt">
- multiple
- </arg>
- <arg choice="opt">
open
</arg>
<arg choice="opt">
@@ -93,18 +90,6 @@
</varlistentry>
<varlistentry>
<term>
- <option>multiple</option>
- </term>
- <listitem>
- <para>
- Tells pam_selinux.so to allow the user to select the
- security context they will login with, if the user has
- more than one role.
- </para>
- </listitem>
- </varlistentry>
- <varlistentry>
- <term>
<option>open</option>
</term>
<listitem>
--- Linux-PAM-0.99.6.2/modules/pam_selinux/pam_selinux.c.drop-multiple 2006-11-10 17:44:33.000000000 +0100
+++ Linux-PAM-0.99.6.2/modules/pam_selinux/pam_selinux.c 2006-11-10 17:44:33.000000000 +0100
@@ -89,56 +89,6 @@
}
static security_context_t
-select_context (pam_handle_t *pamh, security_context_t* contextlist,
- int debug)
-{
- char *responses;
- char *text=calloc(PATH_MAX,1);
-
- if (text == NULL)
- return (security_context_t) strdup(contextlist[0]);
-
- snprintf(text, PATH_MAX,
- _("Your default context is %s. \n"), contextlist[0]);
- send_text(pamh,text,debug);
- free(text);
- query_response(pamh,_("Do you want to choose a different one? [n]"),
- &responses,debug);
- if (responses && ((responses[0] == 'y') ||
- (responses[0] == 'Y')))
- {
- int choice=0;
- int i;
- const char *prompt=_("Enter number of choice: ");
- int len=strlen(prompt);
- char buf[PATH_MAX];
-
- _pam_drop(responses);
- for (i = 0; contextlist[i]; i++) {
- len+=strlen(contextlist[i]) + 10;
- }
- text=calloc(len,1);
- for (i = 0; contextlist[i]; i++) {
- snprintf(buf, PATH_MAX,
- "[%d] %s\n", i+1, contextlist[i]);
- strncat(text,buf,len);
- }
- strcat(text,prompt);
- while ((choice < 1) || (choice > i)) {
- query_response(pamh,text,&responses,debug);
- choice = strtol (responses, NULL, 10);
- _pam_drop(responses);
- }
- free(text);
- return (security_context_t) strdup(contextlist[choice-1]);
- }
- else if (responses)
- _pam_drop(responses);
-
- return (security_context_t) strdup(contextlist[0]);
-}
-
-static security_context_t
manual_context (pam_handle_t *pamh, const char *user, int debug)
{
security_context_t newcon;
@@ -322,7 +272,7 @@
int argc, const char **argv)
{
int i, debug = 0, ttys=1, has_tty=isatty(0);
- int verbose=0, multiple=0, close_session=0;
+ int verbose=0, close_session=0;
int ret = 0;
security_context_t* contextlist = NULL;
int num_contexts = 0;
@@ -342,9 +292,6 @@
if (strcmp(argv[i], "verbose") == 0) {
verbose = 1;
}
- if (strcmp(argv[i], "multiple") == 0) {
- multiple = 1;
- }
if (strcmp(argv[i], "close") == 0) {
close_session = 1;
}
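Review bot: with the `multiple` branch removed from this argv loop, a pam.d line that still passes `multiple` is ignored without any message, because the visible branches have no fallback for unrecognized options. Consider logging a deprecation notice through pam_syslog when `multiple` is seen, so that administrators upgrading learn that the option is gone and that `select_context` is the replacement.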
@@ -377,13 +324,8 @@
free(level);
}
if (num_contexts > 0) {
- if (multiple && (num_contexts > 1) && has_tty) {
- user_context = select_context(pamh,contextlist, debug);
- freeconary(contextlist);
- } else {
- user_context = (security_context_t) strdup(contextlist[0]);
- freeconary(contextlist);
- }
+ user_context = (security_context_t) strdup(contextlist[0]);
+ freeconary(contextlist);
} else {
if (has_tty) {
user_context = manual_context(pamh,username,debug);
pam-0.99.6.2-selinux-select-context.patch:
pam_selinux.8.xml | 14 ++++++
pam_selinux.c | 122 +++++++++++++++++++++++++++++++++++++++++++++++++-----
2 files changed, 126 insertions(+), 10 deletions(-)
--- NEW FILE pam-0.99.6.2-selinux-select-context.patch ---
--- Linux-PAM-0.99.6.2/modules/pam_selinux/pam_selinux.8.xml.select-context 2006-11-10 17:48:59.000000000 +0100
+++ Linux-PAM-0.99.6.2/modules/pam_selinux/pam_selinux.8.xml 2006-11-10 17:52:36.000000000 +0100
@@ -33,6 +33,9 @@
<arg choice="opt">
verbose
</arg>
+ <arg choice="opt">
+ select_context
+ </arg>
</cmdsynopsis>
</refsynopsisdiv>
@@ -118,6 +121,17 @@
</para>
</listitem>
</varlistentry>
+ <varlistentry>
+ <term>
+ <option>select_context</option>
+ </term>
+ <listitem>
+ <para>
+ Attempt to ask the user for a custom security context role.
+ If MLS is on ask also for sensitivity level.
+ </para>
+ </listitem>
+ </varlistentry>
</variablelist>
</refsect1>
--- Linux-PAM-0.99.6.2/modules/pam_selinux/pam_selinux.c.select-context 2006-11-10 17:48:59.000000000 +0100
+++ Linux-PAM-0.99.6.2/modules/pam_selinux/pam_selinux.c 2006-11-10 18:00:11.000000000 +0100
@@ -63,6 +63,7 @@
#include <selinux/selinux.h>
#include <selinux/get_context_list.h>
#include <selinux/flask.h>
+#include <selinux/av_permissions.h>
#include <selinux/selinux.h>
#include <selinux/context.h>
@@ -151,6 +152,8 @@
}
else
send_text(pamh,_("Not a valid security context"),debug);
+
+ context_free(new_context); /* next time around allocates another */
}
else {
_pam_drop(responses);
@@ -161,6 +164,86 @@
return NULL;
}
+static int mls_range_allowed(security_context_t src, security_context_t dst)
+{
+ struct av_decision avd;
+ int retval;
+ unsigned int bit = CONTEXT__CONTAINS;
+
+ retval = security_compute_av(src, dst, SECCLASS_CONTEXT, bit, &avd);
+ if (retval || ((bit & avd.allowed) != bit))
+ return 0;
+
+ return 1;
+}
+
+static security_context_t
+config_context (pam_handle_t *pamh, security_context_t puser_context, int debug)
+{
+ security_context_t newcon;
+ context_t new_context;
+ int mls_enabled = is_selinux_mls_enabled();
+ char *responses;
+ char resp_val = 0;
+
+ while (1) {
+ query_response(pamh,
+ _("Would you like to enter a role/level? [y] "),
+ &responses,debug);
+
+ resp_val = responses[0];
+ _pam_drop(responses);
+ if ((resp_val == 'y') || (resp_val == 'Y') || (resp_val == '\0'))
+ {
+ new_context = context_new(puser_context);
+
+ /* Allow the user to enter role and level individually */
+ query_response(pamh,_("role: "),&responses,debug);
+ if (responses[0] && context_role_set(new_context, responses))
+ goto fail_set;
+ _pam_drop(responses);
+ if (mls_enabled)
+ {
+ query_response(pamh,_("level: "),&responses,debug);
+ if (responses[0] && context_range_set(new_context, responses))
+ goto fail_set;
+ _pam_drop(responses);
+ }
+
+ /* Get the string value of the context and see if it is valid. */
+ if (!security_check_context(context_str(new_context))) {
+ newcon = strdup(context_str(new_context));
+ context_free (new_context);
+ new_context = NULL;
+
+ /* we have to check that this user is allowed to go into the
+ range they have specified ... role is tied to an seuser, so that'll
+ be checked at setexeccon time */
+ if (mls_enabled && !mls_range_allowed(puser_context, newcon))
+ goto fail_range;
+
+ freecon(puser_context);
+ return newcon;
+ }
+ else
+ send_text(pamh,_("Not a valid security context"),debug);
+
+ context_free(new_context); /* next time around allocates another */
+ }
+ else
+ break;
+ } /* end while */
+
+ return puser_context;
+
+ fail_set:
+ _pam_drop(responses);
+ context_free (new_context);
+ fail_range:
+ freecon(puser_context);
+ return NULL;
+}
+
static void
security_restorelabel_tty(const pam_handle_t *pamh,
const char *tty, security_context_t context)
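Review bot: in `config_context`, `responses` is declared uninitialized and the return value of `query_response` is never checked, yet `responses[0]` is dereferenced right after each call (`resp_val = responses[0];` and the two `responses[0] && ...` tests). If the conversation fails or returns no reply, this reads through an invalid or NULL pointer. Initialize `responses` to NULL, check the result of `query_response`, and treat a missing reply as a failure. Two smaller points in the same function: the result of `context_new(puser_context)` is used without a NULL check, and on the `fail_range` path the `strdup`'d `newcon` is never freed.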
@@ -273,10 +356,12 @@
{
int i, debug = 0, ttys=1, has_tty=isatty(0);
int verbose=0, close_session=0;
+ int select_context = 0;
int ret = 0;
security_context_t* contextlist = NULL;
int num_contexts = 0;
- const void *username = NULL;
+ const void *pusername = NULL;
+ const char *username = NULL;
const void *tty = NULL;
char *seuser=NULL;
char *level=NULL;
@@ -295,6 +380,9 @@
if (strcmp(argv[i], "close") == 0) {
close_session = 1;
}
+ if (strcmp(argv[i], "select_context") == 0) {
+ select_context = 1;
+ }
}
if (debug)
@@ -307,10 +395,11 @@
if (!(selinux_enabled = is_selinux_enabled()>0) )
return PAM_SUCCESS;
- if (pam_get_item(pamh, PAM_USER, &username) != PAM_SUCCESS ||
- username == NULL) {
+ if (pam_get_item(pamh, PAM_USER, &pusername) != PAM_SUCCESS ||
+ pusername == NULL) {
return PAM_USER_UNKNOWN;
}
+ username = pusername;
if (getseuserbyname(username, &seuser, &level)==0) {
num_contexts = get_ordered_context_list_with_level(seuser,
@@ -319,19 +408,32 @@
&contextlist);
if (debug)
pam_syslog(pamh, LOG_DEBUG, "Username= %s SELinux User = %s Level= %s",
- (const char *)username, seuser, level);
+ username, seuser, level);
free(seuser);
free(level);
}
if (num_contexts > 0) {
user_context = (security_context_t) strdup(contextlist[0]);
+
+ if (select_context && has_tty) {
+ user_context = config_context(pamh, user_context, debug);
+ if (user_context == NULL) {
+ pam_syslog(pamh, LOG_ERR, "Unable to get valid context for %s",
+ username);
+ if (security_getenforce() == 1)
+ return PAM_AUTH_ERR;
+ else
+ return PAM_SUCCESS;
+ }
+ }
+
freeconary(contextlist);
} else {
if (has_tty) {
user_context = manual_context(pamh,username,debug);
if (user_context == NULL) {
pam_syslog (pamh, LOG_ERR, "Unable to get valid context for %s",
- (const char *)username);
+ username);
if (security_getenforce() == 1)
return PAM_AUTH_ERR;
else
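Review bot: in the new `select_context && has_tty` block, both early returns taken when `config_context` returns NULL happen before `freeconary(contextlist);`, so the context list is leaked on that path. Move the `freeconary` call above the block (the first entry has already been copied with `strdup`) or free it before returning. The `strdup(contextlist[0])` result is also handed to `config_context` without a NULL check.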
@@ -340,7 +442,7 @@
} else {
pam_syslog (pamh, LOG_ERR,
"Unable to get valid context for %s, No valid tty",
- (const char *)username);
+ username);
if (security_getenforce() == 1)
return PAM_AUTH_ERR;
else
@@ -381,7 +483,7 @@
if (ret) {
pam_syslog(pamh, LOG_ERR,
"Error! Unable to set %s executable context %s.",
- (const char *)username, user_context);
+ username, user_context);
if (security_getenforce() == 1) {
freecon(user_context);
return PAM_AUTH_ERR;
@@ -389,7 +491,7 @@
} else {
if (debug)
pam_syslog(pamh, LOG_NOTICE, "set %s security context to %s",
- (const char *)username, user_context);
+ username, user_context);
}
#ifdef HAVE_SETKEYCREATECON
ret = setkeycreatecon(user_context);
@@ -402,7 +504,7 @@
if (ret) {
pam_syslog(pamh, LOG_ERR,
"Error! Unable to set %s key creation context %s.",
- (const char *)username, user_context);
+ username, user_context);
if (security_getenforce() == 1) {
freecon(user_context);
return PAM_AUTH_ERR;
@@ -410,7 +512,7 @@
} else {
if (debug)
pam_syslog(pamh, LOG_NOTICE, "set %s key creation context to %s",
- (const char *)username, user_context);
+ username, user_context);
}
#endif
freecon(user_context);
pam-0.99.6.2-unix-compare.patch:
support.c | 5 +++++
1 files changed, 5 insertions(+)
--- NEW FILE pam-0.99.6.2-unix-compare.patch ---
--- Linux-PAM-0.99.6.2/modules/pam_unix/support.c.compare 2006-12-11 19:49:49.000000000 +0100
+++ Linux-PAM-0.99.6.2/modules/pam_unix/support.c 2006-12-11 21:46:35.000000000 +0100
@@ -710,11 +710,16 @@
retval = PAM_AUTH_ERR;
} else {
if (!strncmp(salt, "$1$", 3)) {
+ int pp_len;
pp = Goodcrypt_md5(p, salt);
if (strcmp(pp, salt) != 0) {
_pam_delete(pp);
pp = Brokencrypt_md5(p, salt);
}
+ pp_len = strlen(pp);
+ if (pp_len > salt_len)
+ /* we do not allow truncated MD5 passwords */
+ salt_len = pp_len;
} else {
pp = bigcrypt(p, salt);
}
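Review bot: the new `if (pp_len > salt_len)` has a comment line between the condition and its single statement and no braces, which makes it easy to misread or to break with a later edit; please brace the body. `pp_len` is declared `int` but receives the result of `strlen`, so a `size_t` (or matching the type of `salt_len`) would avoid the implicit conversion. The comment would be more useful if it said that `salt_len` bounds the later comparison of `pp` against the stored hash, which is why raising it to the full computed length rejects a truncated entry.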
pam-0.99.6.2-unix-username.patch:
pam_unix_auth.c | 3 ++-
pam_unix_passwd.c | 3 ++-
2 files changed, 4 insertions(+), 2 deletions(-)
--- NEW FILE pam-0.99.6.2-unix-username.patch ---
Make user name check consistent with useradd.
--- Linux-PAM-0.99.6.2/modules/pam_unix/pam_unix_passwd.c.username 2006-06-27 10:38:14.000000000 +0200
+++ Linux-PAM-0.99.6.2/modules/pam_unix/pam_unix_passwd.c 2006-11-13 21:26:13.000000000 +0100
@@ -1041,7 +1041,8 @@
* any chances here. Require that the username starts with an
* alphanumeric character.
*/
- if (user == NULL || !isalnum(*user)) {
+ if (user == NULL || (!isalnum(*user) &&
+ *user != '_' && *user != '.')) {
pam_syslog(pamh, LOG_ERR, "bad username [%s]", user);
return PAM_USER_UNKNOWN;
}
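Review bot: the comment kept as context above this check still says "Require that the username starts with an alphanumeric character", which is no longer true once `_` and `.` are accepted as first characters. Update the comment to match the new rule. While touching the line, `isalnum(*user)` is called on a plain `char`; casting to `unsigned char` avoids undefined behaviour for bytes with the high bit set.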
--- Linux-PAM-0.99.6.2/modules/pam_unix/pam_unix_auth.c.username 2005-09-26 16:27:09.000000000 +0200
+++ Linux-PAM-0.99.6.2/modules/pam_unix/pam_unix_auth.c 2006-11-13 21:25:05.000000000 +0100
@@ -128,7 +128,8 @@
* any chances here. Require that the username starts with an
* alphanumeric character.
*/
- if (name == NULL || !isalnum(*name)) {
+ if (name == NULL || (!isalnum(*name) &&
+ *name != '_' && *name != '.')) {
pam_syslog(pamh, LOG_ERR, "bad username [%s]", name);
retval = PAM_USER_UNKNOWN;
AUTH_RETURN;
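Review bot: this is the same first-character test as the one in pam_unix_passwd.c, now duplicated with the same three-part condition in two files. A small shared helper in the module's support code would keep the two checks from drifting apart the next time the rule is aligned with useradd. The stale "starts with an alphanumeric character" comment above the check needs the same update here.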
Index: pam.spec
===================================================================
RCS file: /cvs/dist/rpms/pam/FC-6/pam.spec,v
retrieving revision 1.133
retrieving revision 1.134
diff -u -r1.133 -r1.134
--- pam.spec 28 Sep 2006 13:11:14 -0000 1.133
+++ pam.spec 22 Dec 2006 21:10:26 -0000 1.134
@@ -11,7 +11,7 @@
Summary: A security tool which provides authentication for applications
Name: pam
Version: 0.99.6.2
-Release: 3%{?dist}
+Release: 3.8%{?dist}
License: GPL or BSD
Group: System Environment/Base
Source0: http://ftp.us.kernel.org/pub/linux/libs/pam/pre/library/Linux-PAM-%{version}.tar.bz2
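Review bot: `Release:` is set to `3.8%{?dist}` here, but the newest %changelog entry added later in this same diff is 0.99.6.2-3.9, and the commit log message also says 3.9. The built package would carry release 3.8 while documenting a 3.9 change. Bump the tag to `3.9%{?dist}` so the release and the changelog agree.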
@@ -28,12 +28,21 @@
Patch21: pam-0.78-unix-hpux-aging.patch
Patch34: pam-0.99.4.0-dbpam.patch
Patch70: pam-0.99.2.1-selinux-nofail.patch
-Patch80: pam-0.99.5.0-selinux-drop-multiple.patch
+Patch80: pam-0.99.6.2-selinux-drop-multiple.patch
Patch81: pam-0.99.3.0-cracklib-try-first-pass.patch
Patch82: pam-0.99.3.0-tally-fail-close.patch
Patch84: pam-0.99.6.2-selinux-keycreate.patch
Patch85: pam-0.99.6.0-succif-session.patch
Patch86: pam-0.99.6.2-namespace-no-unmount.patch
+Patch87: pam-0.99.6.2-namespace-preserve-uid.patch
+Patch88: pam-0.99.6.2-doc-add-ids.patch
+Patch89: pam-0.99.6.2-namespace-overflow.patch
+Patch90: pam-0.99.6.2-keyinit-setgid.patch
+Patch91: pam-0.99.6.2-unix-username.patch
+Patch92: pam-0.99.6.2-selinux-select-context.patch
+Patch93: pam-0.99.6.2-namespace-level.patch
+Patch94: pam-0.99.6.2-ja-no-shortcut.patch
+Patch95: pam-0.99.6.2-unix-compare.patch
BuildRoot: %{_tmppath}/%{name}-root
Requires: cracklib, cracklib-dicts >= 2.8
@@ -47,8 +56,8 @@
BuildRequires: audit-libs-devel >= 1.0.8
Requires: audit-libs >= 1.0.8
%endif
-BuildRequires: libselinux-devel >= 1.27.7
-Requires: libselinux >= 1.27.7
+BuildRequires: libselinux-devel >= 1.33.2
+Requires: libselinux >= 1.33.2
BuildRequires: glibc >= 2.3.90-37
Requires: glibc >= 2.3.90-37
# Following deps are necessary only to build the pam library documentation.
@@ -95,6 +104,15 @@
%patch84 -p1 -b .keycreate
%patch85 -p0 -b .session
%patch86 -p1 -b .no-unmount
+%patch87 -p1 -b .preserve-uid
+%patch88 -p0 -b .add-ids
+%patch89 -p1 -b .overflow
+%patch90 -p1 -b .setgid
+%patch91 -p1 -b .username
+%patch92 -p1 -b .select-context
+%patch93 -p1 -b .selinux-namespace
+%patch94 -p1 -b .no-shortcut
+%patch95 -p1 -b .compare
autoreconf
@@ -153,6 +171,9 @@
install -m 644 system-auth.pamd $RPM_BUILD_ROOT%{_sysconfdir}/pam.d/system-auth
install -m 644 config-util.pamd $RPM_BUILD_ROOT%{_sysconfdir}/pam.d/config-util
install -m 600 /dev/null $RPM_BUILD_ROOT%{_sysconfdir}/security/opasswd
+install -d -m 755 $RPM_BUILD_ROOT/var/log
+install -m 600 /dev/null $RPM_BUILD_ROOT/var/log/faillog
+install -m 600 /dev/null $RPM_BUILD_ROOT/var/log/tallylog
# Forcibly strip binaries.
strip $RPM_BUILD_ROOT%{_sbindir}/* ||:
@@ -353,6 +374,8 @@
%dir %{_sysconfdir}/security/console.perms.d
%config %{_sysconfdir}/security/console.perms.d/50-default.perms
%dir /var/run/console
+%config(noreplace) %verify(not md5 size mtime) /var/log/faillog
+%config(noreplace) %verify(not md5 size mtime) /var/log/tallylog
%{_mandir}/man5/*
%{_mandir}/man8/*
@@ -367,6 +390,40 @@
%doc doc/adg/*.txt doc/adg/html
%changelog
+* Fri Dec 22 2006 Tomas Mraz <tmraz at redhat.com> 0.99.6.2-3.9
+- Truncated MD5 passwords in /etc/shadow should not be valid (#219187)
+
+* Fri Dec 15 2006 Dan Walsh <dwalsh at redhat.com> 0.99.6.2-3.8
+- Fix pam_namespace to work with cron (#216184)
+
+* Thu Dec 14 2006 Tomas Mraz <tmraz at redhat.com> 0.99.6.2-3.7
+- No shortcut on Password: in ja locale (#218271)
+- Revert to old euid and not ruid when setting euid in pam_keyinit (#219486)
+- Fix no answer to select_context question (#213812)
+- Rename selinux-namespace patch to namespace-level
+
+* Thu Dec 1 2006 Dan Walsh <dwalsh at redhat.com> 0.99.6.2-3.6
+- Add level polyinstantiation option to pam_namespace to only
+ change MLS component (#216184)
+
+* Thu Nov 30 2006 Tomas Mraz <tmraz at redhat.com> 0.99.6.2-3.5
+- add select-context option to pam_selinux (#213812)
+
+* Wed Nov 15 2006 Tomas Mraz <tmraz at redhat.com> 0.99.6.2-3.4
+- move setgid before setuid in pam_keyinit (#212329)
+- make username check in pam_unix consistent with useradd (#212153)
+
+* Tue Oct 24 2006 Tomas Mraz <tmraz at redhat.com> 0.99.6.2-3.3
+- don't overflow a buffer in pam_namespace (#211989)
+
+* Mon Oct 16 2006 Tomas Mraz <tmraz at redhat.com> 0.99.6.2-3.2
+- /var/log/faillog and tallylog must be %config(noreplace)
+
+* Fri Oct 13 2006 Tomas Mraz <tmraz at redhat.com> 0.99.6.2-3.1
+- preserve effective uid in namespace.init script (LSPP for newrole)
+- include /var/log/faillog and tallylog to filelist (#209646)
+- add ids to .xml docs so the generated html is always the same (#210569)
+
* Thu Sep 28 2006 Tomas Mraz <tmraz at redhat.com> 0.99.6.2-3
- add pam_namespace option no_unmount_on_close, required for newrole
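Review bot: the entry dated "Thu Dec 1 2006" has the wrong weekday. The entries for Dec 15 and Dec 22 in this same hunk are both Fridays and the entry below it is "Thu Nov 30 2006", so Dec 1 2006 is a Friday. Correct it to "Fri Dec 1 2006" to keep the changelog dates valid.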
--- pam-0.99.5.0-selinux-drop-multiple.patch DELETED ---
--- pam_namespace-10.patch DELETED ---