rpms/pam/devel pam-0.99.7.1-namespace-homedir.patch, NONE, 1.1 pam-0.99.8.1-unix-blankpass.patch, NONE, 1.1 pam.spec, 1.155, 1.156

Tomas Mraz (tmraz) fedora-extras-commits at redhat.com
Fri Aug 24 13:15:34 UTC 2007


Author: tmraz

Update of /cvs/pkgs/rpms/pam/devel
In directory cvs-int.fedora.redhat.com:/tmp/cvs-serv31839

Modified Files:
	pam.spec 
Added Files:
	pam-0.99.7.1-namespace-homedir.patch 
	pam-0.99.8.1-unix-blankpass.patch 
Log Message:
* Fri Aug 24 2007 Tomas Mraz <tmraz at redhat.com> 0.99.8.1-6
- do not ask for blank password when SELinux confined (#254044)
- initialize homedirs in namespace init script (original patch by dwalsh)


pam-0.99.7.1-namespace-homedir.patch:

--- NEW FILE pam-0.99.7.1-namespace-homedir.patch ---
diff -up Linux-PAM-0.99.7.1/modules/pam_namespace/namespace.init.namespace_homedir Linux-PAM-0.99.7.1/modules/pam_namespace/namespace.init
--- Linux-PAM-0.99.7.1/modules/pam_namespace/namespace.init.namespace_homedir	2007-08-23 15:49:45.000000000 -0400
+++ Linux-PAM-0.99.7.1/modules/pam_namespace/namespace.init	2007-08-23 15:51:56.000000000 -0400
@@ -1,6 +1,23 @@
 #!/bin/sh -p
-# This is only a boilerplate for the instance initialization script.
-# It receives polydir path as $1 and the instance path as $2.
+# It receives polydir path as $1 and the instance path as $2,
+# $3 is an indicatory whether $2 is a newly created directory,
+# $4 is the user who is logging in.
+#
+# The following section will copy the contents of /etc/skel if this is a
+# newly created home directory.
+if [ "$3" = 1 ]; then
+        user="$4"
+        passwd=$(getent passwd "$user")
+        homedir=$(echo "$passwd" | cut -f6 -d":")
+        if [ "$1" = "$homedir" ]; then
+                gid=$(echo "$passwd" | cut -f4 -d":")
+                cp -aT /etc/skel "$homedir"
+                [ -x /sbin/restorecon ] && /sbin/restorecon -R "$homedir"
+                chown -R "$user":"$gid" "$homedir"
+                mode=$(awk '/^UMASK/{gsub("#.*$", "", $2); printf "%o", and(0777,compl(strtonum("0" $2))); exit}' /etc/login.defs)
+                chmod ${mode:-700} "$homedir"
+        fi
+fi
 #
 # If you intend to polyinstantiate /tmp and you also want to use the X windows
 # environment, you will have to use this script to bind mount the socket that
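Review bot: The `cp -aT` and `chown -R` lines in the new block are not checked for failure, so a copy or ownership change that stops partway (disk full, an odd entry under /etc/skel) still falls through to `chmod`, and if the rest of the script exits 0 the user is handed a half-initialized directory with root-owned leftovers without pam_namespace ever seeing a non-zero status; `cp -aT /etc/skel "$homedir" || exit 1` and `chown -R "$user":"$gid" "$homedir" || exit 1` would make instance setup fail closed. The copy targets `$homedir` (equal to `$1`, the polydir) rather than `$2`, the instance directory that the `$3` flag refers to, which only does the right thing if the instance is already bind-mounted over the polydir when this script runs — presumably so, but worth stating in the header comment, e.g. `# $1 is already the bind-mounted instance directory when this runs`. The `and`/`compl`/`strtonum` calls are gawk extensions; with another awk the substitution is empty and the `${mode:-700}` fallback silently applies, which is acceptable but deserves a comment. The new comment's "an indicatory whether" should read "an indicator of whether".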

pam-0.99.8.1-unix-blankpass.patch:

--- NEW FILE pam-0.99.8.1-unix-blankpass.patch ---
diff -up Linux-PAM-0.99.8.1/modules/pam_unix/unix_chkpwd.c.blankpass Linux-PAM-0.99.8.1/modules/pam_unix/unix_chkpwd.c
--- Linux-PAM-0.99.8.1/modules/pam_unix/unix_chkpwd.c.blankpass	2007-08-22 18:45:17.000000000 +0200
+++ Linux-PAM-0.99.8.1/modules/pam_unix/unix_chkpwd.c	2007-08-24 10:21:54.000000000 +0200
@@ -48,7 +48,7 @@ int main(int argc, char *argv[])
 	char pass[MAXPASS + 1];
 	char *option;
 	int npass, nullok;
-	int force_failure = 0;
+	int blankpass = 0;
 	int retval = PAM_AUTH_ERR;
 	char *user;
 	char *passwords[] = { pass };
@@ -113,6 +113,10 @@ int main(int argc, char *argv[])
 	if (npass != 1) {	/* is it a valid password? */
 		_log_err(LOG_DEBUG, "no valid password supplied");
 	}
+	
+	if (*pass == '\0') {
+		blankpass = 1;
+	}
 
 	retval = _unix_verify_password(user, pass, nullok);
 
@@ -120,8 +124,11 @@ int main(int argc, char *argv[])
 
 	/* return pass or fail */
 
-	if ((retval != PAM_SUCCESS) || force_failure) {
-	    _log_err(LOG_NOTICE, "password check failed for user (%s)", user);
+	if (retval != PAM_SUCCESS) {
+	    /* don't log if it is a test for blank password */
+	    if (!blankpass) {
+		_log_err(LOG_NOTICE, "password check failed for user (%s)", user);
+	    }
 	    return PAM_AUTH_ERR;
 	} else {
 	    return PAM_SUCCESS;
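Review bot: The new `if (!blankpass)` guard keys the log suppression on the password's content, not on the caller's intent, so a genuine login attempt with an empty password (a common first guess in brute forcing) now leaves no trace in syslog, whereas only pam_unix's blank-password probe was meant to go quiet. Logging the blank case at a lower priority keeps the record without the noise the probe produced: `_log_err(blankpass ? LOG_DEBUG : LOG_NOTICE, "password check failed for user (%s)", user);` in place of the guarded call. If the probe must be fully silent, an explicit helper argument (alongside the existing `nullok`) would let the helper tell a probe from an attempt. main() begins outside this hunk and its closing brace is not shown.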
diff -up Linux-PAM-0.99.8.1/modules/pam_unix/support.c.blankpass Linux-PAM-0.99.8.1/modules/pam_unix/support.c
--- Linux-PAM-0.99.8.1/modules/pam_unix/support.c.blankpass	2007-08-22 18:45:17.000000000 +0200
+++ Linux-PAM-0.99.8.1/modules/pam_unix/support.c	2007-08-24 10:38:09.000000000 +0200
@@ -36,6 +36,9 @@
 #define SELINUX_ENABLED 0
 #endif
 
+static int _unix_run_helper_binary(pam_handle_t *pamh, const char *passwd,
+				   unsigned int ctrl, const char *user);
+
 /* this is a front-end for module-application conversations */
 
 int _make_remark(pam_handle_t * pamh, unsigned int ctrl,
@@ -441,6 +444,14 @@ _unix_blankpasswd (pam_handle_t *pamh, u
 			 * if shadowing is enabled
 			 */
 			spwdent = pam_modutil_getspnam(pamh, name);
+			if (spwdent == NULL && (geteuid() || SELINUX_ENABLED)) {
+				/* we are not root perhaps this is the reason? Run helper */
+				D(("running helper binary"));
+				if (_unix_run_helper_binary(pamh, "", ctrl, name) == PAM_SUCCESS)
+					return 1;
+				else
+					return 0;
+			}
 		}
 		if (spwdent)
 			salt = x_strdup(spwdent->sp_pwdp);
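Review bot: The comment `/* we are not root perhaps this is the reason? Run helper */` on the new branch understates the condition: the branch is also taken with euid 0 whenever SELINUX_ENABLED is set, which is the case the changelog is about, so I would write `/* shadow entry unreadable: either we lack root (geteuid() != 0) or SELinux confines this process; let the setuid helper test for an empty password */`. A second line should note that any helper result other than PAM_SUCCESS, including failure to run the helper at all, is reported as "not blank" — fail-closed, but it means a confined process will prompt for a password on an account that really has none. The two early returns leave the function before whatever cleanup follows this hunk; _unix_blankpasswd begins and ends outside it, so confirm nothing allocated earlier in the function needs releasing on those paths.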


Index: pam.spec
===================================================================
RCS file: /cvs/pkgs/rpms/pam/devel/pam.spec,v
retrieving revision 1.155
retrieving revision 1.156
diff -u -r1.155 -r1.156
--- pam.spec	22 Aug 2007 19:30:39 -0000	1.155
+++ pam.spec	24 Aug 2007 13:15:01 -0000	1.156
@@ -11,7 +11,7 @@
 Summary: A security tool which provides authentication for applications
 Name: pam
 Version: 0.99.8.1
-Release: 5%{?dist}
+Release: 6%{?dist}
 # The library is BSD licensed with option to relicense as GPLv2+ - this option is redundant
 # as the BSD license allows that anyway. pam_timestamp and pam_console modules are GPLv2+,
 # pam_rhosts_auth module is BSD with advertising
@@ -33,12 +33,14 @@
 Patch5:  pam-0.99.8.1-audit-no-log.patch
 Patch24: pam-0.99.8.1-unix-update-helper.patch
 Patch25: pam-0.99.7.1-unix-hpux-aging.patch
+Patch26: pam-0.99.8.1-unix-blankpass.patch
 Patch31: pam-0.99.3.0-cracklib-try-first-pass.patch
 Patch32: pam-0.99.3.0-tally-fail-close.patch
 Patch40: pam-0.99.7.1-namespace-temp-logon.patch
 Patch41: pam-0.99.8.1-namespace-init.patch
 Patch42: pam-0.99.8.1-console-hal-handled.patch
 Patch43: pam-0.99.8.1-console-mfd-scanners.patch
+Patch44: pam-0.99.7.1-namespace-homedir.patch
 
 BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n)
 Requires: cracklib, cracklib-dicts >= 2.8
@@ -97,12 +99,14 @@
 %patch5 -p1 -b .no-log
 %patch24 -p1 -b .update-helper
 %patch25 -p1 -b .unix-hpux-aging
+%patch26 -p1 -b .blankpass
 %patch31 -p1 -b .try-first-pass
 %patch32 -p1 -b .fail-close
 %patch40 -p1 -b .temp-logon
 %patch41 -p1 -b .ns-init
 %patch42 -p1 -b .hal-handled
 %patch43 -p1 -b .mfd-scanners
+%patch44 -p1 -b .homedir
 
 autoreconf
 
@@ -393,6 +397,10 @@
 %doc doc/adg/*.txt doc/adg/html
 
 %changelog
+* Fri Aug 24 2007 Tomas Mraz <tmraz at redhat.com> 0.99.8.1-6
+- do not ask for blank password when SELinux confined (#254044)
+- initialize homedirs in namespace init script (original patch by dwalsh)
+
 * Wed Aug 22 2007 Tomas Mraz <tmraz at redhat.com> 0.99.8.1-5
 - most devices are now handled by HAL and not pam_console (patch by davidz)
 - license tag fix



