rpms/pam/F-9 Linux-PAM-1.0.4.tar.bz2.sign, NONE, 1.1 pam-0.99.6.2-lastlog-failed.patch, NONE, 1.1 pam-1.0.2-cracklib-pwquality.patch, NONE, 1.1 pam-1.0.2-many-groups.patch, NONE, 1.1 pam-1.0.4-autoreconf.patch, NONE, 1.1 pam-1.0.4-unix-root-update.patch, NONE, 1.1 pam-1.0.4-unix-safeguards.patch, NONE, 1.1 .cvsignore, 1.49, 1.50 pam.spec, 1.179, 1.180 sources, 1.51, 1.52 Linux-PAM-1.0.1.tar.bz2.sign, 1.1, NONE pam-1.0.1-autoreconf.patch, 1.1, NONE pam-1.0.1-selinux-restore-execcon.patch, 1.1, NONE
Tomáš Mráz
tmraz at fedoraproject.org
Tue Mar 17 12:14:01 UTC 2009
Author: tmraz
Update of /cvs/pkgs/rpms/pam/F-9
In directory cvs1.fedora.phx.redhat.com:/tmp/cvs-serv4135
Modified Files:
.cvsignore pam.spec sources
Added Files:
Linux-PAM-1.0.4.tar.bz2.sign pam-0.99.6.2-lastlog-failed.patch
pam-1.0.2-cracklib-pwquality.patch pam-1.0.2-many-groups.patch
pam-1.0.4-autoreconf.patch pam-1.0.4-unix-root-update.patch
pam-1.0.4-unix-safeguards.patch
Removed Files:
Linux-PAM-1.0.1.tar.bz2.sign pam-1.0.1-autoreconf.patch
pam-1.0.1-selinux-restore-execcon.patch
Log Message:
* Tue Mar 17 2009 Tomas Mraz <tmraz at redhat.com> 1.0.4-1
- update to new upstream minor release (bugfixes and
minor security fixes)
--- NEW FILE Linux-PAM-1.0.4.tar.bz2.sign ---
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)
Comment: See http://www.kernel.org/signature.html for info
iD8DBQBJrSJPyGugalF9Dw4RAt6qAJ9wJV8q96TSxBLtv4vgCWGPzuV68QCfZtlc
4R0aLQhcPhQbfNEmepdABj0=
=0Acn
-----END PGP SIGNATURE-----
pam-0.99.6.2-lastlog-failed.patch:
--- NEW FILE pam-0.99.6.2-lastlog-failed.patch ---
diff -up Linux-PAM-0.99.6.2/modules/pam_lastlog/pam_lastlog.c.failed Linux-PAM-0.99.6.2/modules/pam_lastlog/pam_lastlog.c
--- Linux-PAM-0.99.6.2/modules/pam_lastlog/pam_lastlog.c.failed 2006-08-24 20:03:44.000000000 +0200
+++ Linux-PAM-0.99.6.2/modules/pam_lastlog/pam_lastlog.c 2008-09-12 21:21:42.000000000 +0200
@@ -46,6 +46,10 @@ struct lastlog {
};
#endif /* hpux */
+#ifndef _PATH_BTMP
+# define _PATH_BTMP "/var/log/btmp"
+#endif
+
/* XXX - time before ignoring lock. Is 1 sec enough? */
#define LASTLOG_IGNORE_LOCK_TIME 1
@@ -75,11 +79,13 @@ struct lastlog {
#define LASTLOG_DEBUG 020 /* send info to syslog(3) */
#define LASTLOG_QUIET 040 /* keep quiet about things */
#define LASTLOG_WTMP 0100 /* log to wtmp as well as lastlog */
+#define LASTLOG_BTMP 0200 /* display failed login info from btmp */
+#define LASTLOG_UPDATE 0400 /* update the lastlog and wtmp files (default) */
static int
_pam_parse(pam_handle_t *pamh, int flags, int argc, const char **argv)
{
- int ctrl=(LASTLOG_DATE|LASTLOG_HOST|LASTLOG_LINE|LASTLOG_WTMP);
+ int ctrl=(LASTLOG_DATE|LASTLOG_HOST|LASTLOG_LINE|LASTLOG_WTMP|LASTLOG_UPDATE);
/* does the appliction require quiet? */
if (flags & PAM_SILENT) {
@@ -105,6 +111,10 @@ _pam_parse(pam_handle_t *pamh, int flags
ctrl |= LASTLOG_NEVER;
} else if (!strcmp(*argv,"nowtmp")) {
ctrl &= ~LASTLOG_WTMP;
+ } else if (!strcmp(*argv,"noupdate")) {
+ ctrl &= ~(LASTLOG_WTMP|LASTLOG_UPDATE);
+ } else if (!strcmp(*argv,"showfailed")) {
+ ctrl |= LASTLOG_BTMP;
} else {
pam_syslog(pamh, LOG_ERR, "unknown option: %s", *argv);
}
@@ -135,7 +145,7 @@ get_tty(pam_handle_t *pamh)
}
static int
-last_login_read(pam_handle_t *pamh, int announce, int last_fd, uid_t uid)
+last_login_read(pam_handle_t *pamh, int announce, int last_fd, uid_t uid, time_t *lltime)
{
struct flock last_lock;
struct lastlog last_login;
@@ -166,6 +176,7 @@ last_login_read(pam_handle_t *pamh, int
last_lock.l_type = F_UNLCK;
(void) fcntl(last_fd, F_SETLK, &last_lock); /* unlock */
+ *lltime = last_login.ll_time;
if (!last_login.ll_time) {
if (announce & LASTLOG_DEBUG) {
pam_syslog(pamh, LOG_DEBUG,
@@ -320,13 +331,13 @@ last_login_write(pam_handle_t *pamh, int
}
static int
-last_login_date(pam_handle_t *pamh, int announce, uid_t uid, const char *user)
+last_login_date(pam_handle_t *pamh, int announce, uid_t uid, const char *user, time_t *lltime)
{
int retval;
int last_fd;
/* obtain the last login date and all the relevant info */
- last_fd = open(_PATH_LASTLOG, O_RDWR);
+ last_fd = open(_PATH_LASTLOG, announce&LASTLOG_UPDATE ? O_RDWR : O_RDONLY);
if (last_fd < 0) {
if (errno == ENOENT) {
last_fd = open(_PATH_LASTLOG, O_RDWR|O_CREAT,
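Review bot: The ENOENT fallback on the next lines still opens `_PATH_LASTLOG` with `O_RDWR|O_CREAT`, so with the new `noupdate` option (which the manual page in this patch documents as "Don't update any file") a missing lastlog file is still created on disk. If that is unintended, gate the fallback on the same flag as the first open, `if (errno == ENOENT && (announce & LASTLOG_UPDATE)) {`, and decide what a read-only caller should get when the file is absent (presumably PAM_SUCCESS with `*lltime` left at 0, rather than the error path). last_login_date continues outside the hunk.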
@@ -353,7 +364,7 @@ last_login_date(pam_handle_t *pamh, int
return PAM_SERVICE_ERR;
}
- retval = last_login_read(pamh, announce, last_fd, uid);
+ retval = last_login_read(pamh, announce, last_fd, uid, lltime);
if (retval != PAM_SUCCESS)
{
close(last_fd);
@@ -361,7 +372,9 @@ last_login_date(pam_handle_t *pamh, int
return retval;
}
- retval = last_login_write(pamh, announce, last_fd, uid, user);
+ if (announce & LASTLOG_UPDATE) {
+ retval = last_login_write(pamh, announce, last_fd, uid, user);
+ }
close(last_fd);
D(("all done with last login"));
@@ -369,6 +382,116 @@ last_login_date(pam_handle_t *pamh, int
return retval;
}
+static int
+last_login_failed(pam_handle_t *pamh, int announce, const char *user, time_t lltime)
+{
+ int retval;
+ int fd;
+ struct utmp ut;
+ struct utmp utuser;
+ int failed = 0;
+ char the_time[256];
+ char *date = NULL;
+ char *host = NULL;
+ char *line = NULL;
+
+ if (strlen(user) > UT_NAMESIZE) {
+ pam_syslog(pamh, LOG_WARNING, "username too long, output might be inaccurate");
+ }
+
+ /* obtain the failed login attempt records from btmp */
+ fd = open(_PATH_BTMP, O_RDONLY);
+ if (fd < 0) {
+ pam_syslog(pamh, LOG_ERR, "unable to open %s: %m", _PATH_BTMP);
+ D(("unable to open %s file", _PATH_BTMP));
+ return PAM_SERVICE_ERR;
+ }
+
+ while ((retval=pam_modutil_read(fd, (void *)&ut,
+ sizeof(ut))) == sizeof(ut)) {
+ if (ut.ut_tv.tv_sec >= lltime && strncmp(ut.ut_user, user, UT_NAMESIZE) == 0) {
+ memcpy(&utuser, &ut, sizeof(utuser));
+ failed++;
+ }
+ }
+
+ if (failed) {
+ /* we want the date? */
+ if (announce & LASTLOG_DATE) {
+ struct tm *tm, tm_buf;
+ time_t lf_time;
+
+ lf_time = utuser.ut_tv.tv_sec;
+ tm = localtime_r (&lf_time, &tm_buf);
+ strftime (the_time, sizeof (the_time),
+ /* TRANSLATORS: "strftime options for date of last login" */
+ _(" %a %b %e %H:%M:%S %Z %Y"), tm);
+
+ date = the_time;
+ }
+
+ /* we want & have the host? */
+ if ((announce & LASTLOG_HOST)
+ && (utuser.ut_host[0] != '\0')) {
+ /* TRANSLATORS: " from <host>" */
+ if (asprintf(&host, _(" from %.*s"), UT_HOSTSIZE,
+ utuser.ut_host) < 0) {
+ pam_syslog(pamh, LOG_ERR, "out of memory");
+ retval = PAM_BUF_ERR;
+ goto cleanup;
+ }
+ }
+
+ /* we want and have the terminal? */
+ if ((announce & LASTLOG_LINE)
+ && (utuser.ut_line[0] != '\0')) {
+ /* TRANSLATORS: " on <terminal>" */
+ if (asprintf(&line, _(" on %.*s"), UT_LINESIZE,
+ utuser.ut_line) < 0) {
+ pam_syslog(pamh, LOG_ERR, "out of memory");
+ retval = PAM_BUF_ERR;
+ goto cleanup;
+ }
+ }
+
+ if (announce & (LASTLOG_LINE|LASTLOG_DATE|LASTLOG_HOST)) {
+ /* TRANSLATORS: "Last failed login: <date> from <host> on <terminal>" */
+ pam_info(pamh, _("Last failed login:%s%s%s"),
+ date ? date : "",
+ host ? host : "",
+ line ? line : "");
+ }
+
+ _pam_drop(line);
+#if defined HAVE_DNGETTEXT && defined ENABLE_NLS
+ asprintf (&line, dngettext(PACKAGE,
+ "There was %d failed login attempt since the last successful login.",
+ "There were %d failed login attempts since the last successful login.",
+ failed),
+ failed);
+#else
+ if (daysleft == 1)
+ asprintf(&line,
+ _("There was %d failed login attempt since the last successful login."),
+ failed);
+ else
+ asprintf(&line,
+ /* TRANSLATORS: only used if dngettext is not supported */
+ _("There were %d failed login attempts since the last successful login."),
+ failed);
+#endif
+ retval = pam_info(pamh, "%s", line);
+ }
+
+cleanup:
+ free(host);
+ free(line);
+ close(fd);
+ D(("all done with btmp"));
+
+ return retval;
+}
+
/* --- authentication management functions (only) --- */
PAM_EXTERN int
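Review bot: In the `#else` branch of last_login_failed, `if (daysleft == 1)` tests a variable that does not exist in this function (the counter is `failed`), so a build without dngettext does not compile; it should read `if (failed == 1)`. The three asprintf() calls that build the attempt-count message are unchecked, unlike the `host` and `line` messages above them, so on allocation failure an indeterminate `line` reaches `pam_info(pamh, "%s", line)`; checking the return value and jumping to `cleanup` with PAM_BUF_ERR, as the earlier calls do, would close that. When no record matches, `retval` is whatever the last pam_modutil_read() returned: 0 at end of file, which only coincidentally equals PAM_SUCCESS, or -1 on a read error, which is not a PAM status at all. Setting `retval = PAM_SUCCESS;` after the loop, and mapping a negative read result to PAM_SERVICE_ERR, would make the return value explicit.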
@@ -379,6 +502,7 @@ pam_sm_open_session(pam_handle_t *pamh,
const void *user;
const struct passwd *pwd;
uid_t uid;
+ time_t lltime = 0;
/*
* this module gets the uid of the PAM_USER. Uses it to display
@@ -407,7 +531,11 @@ pam_sm_open_session(pam_handle_t *pamh,
/* process the current login attempt (indicate last) */
- retval = last_login_date(pamh, ctrl, uid, user);
+ retval = last_login_date(pamh, ctrl, uid, user, &lltime);
+
+ if ((ctrl & LASTLOG_BTMP) && retval == PAM_SUCCESS) {
+ retval = last_login_failed(pamh, ctrl, user, lltime);
+ }
/* indicate success or failure */
diff -up Linux-PAM-0.99.6.2/modules/pam_lastlog/pam_lastlog.8.xml.failed Linux-PAM-0.99.6.2/modules/pam_lastlog/pam_lastlog.8.xml
--- Linux-PAM-0.99.6.2/modules/pam_lastlog/pam_lastlog.8.xml.failed 2006-06-09 18:44:07.000000000 +0200
+++ Linux-PAM-0.99.6.2/modules/pam_lastlog/pam_lastlog.8.xml 2008-09-12 21:12:35.000000000 +0200
@@ -39,6 +39,12 @@
<arg choice="opt">
nowtmp
</arg>
+ <arg choice="opt">
+ noupdate
+ </arg>
+ <arg choice="opt">
+ showfailed
+ </arg>
</cmdsynopsis>
</refsynopsisdiv>
@@ -137,6 +143,28 @@
</para>
</listitem>
</varlistentry>
+ <varlistentry>
+ <term>
+ <option>noupdate</option>
+ </term>
+ <listitem>
+ <para>
+ Don't update any file.
+ </para>
+ </listitem>
+ </varlistentry>
+ <varlistentry>
+ <term>
+ <option>showfailed</option>
+ </term>
+ <listitem>
+ <para>
+ Display number of failed login attempts and the date of the
+ last failed attempt from btmp. The date is not displayed
+ when <option>nodate</option> is specified.
+ </para>
+ </listitem>
+ </varlistentry>
</variablelist>
</refsect1>
@@ -213,7 +241,7 @@
<refentrytitle>pam.conf</refentrytitle><manvolnum>5</manvolnum>
</citerefentry>,
<citerefentry>
- <refentrytitle>pam.d</refentrytitle><manvolnum>8</manvolnum>
+ <refentrytitle>pam.d</refentrytitle><manvolnum>5</manvolnum>
</citerefentry>,
<citerefentry>
<refentrytitle>pam</refentrytitle><manvolnum>8</manvolnum>
pam-1.0.2-cracklib-pwquality.patch:
--- NEW FILE pam-1.0.2-cracklib-pwquality.patch ---
diff -up Linux-PAM-1.0.2/modules/pam_cracklib/pam_cracklib.8.xml.pwquality Linux-PAM-1.0.2/modules/pam_cracklib/pam_cracklib.8.xml
--- Linux-PAM-1.0.2/modules/pam_cracklib/pam_cracklib.8.xml.pwquality 2007-11-06 15:58:54.000000000 +0100
+++ Linux-PAM-1.0.2/modules/pam_cracklib/pam_cracklib.8.xml 2008-09-23 15:06:40.000000000 +0200
@@ -59,7 +59,7 @@
<term>Palindrome</term>
<listitem>
<para>
- Is the new password a palindrome of the old one?
+ Is the new password a palindrome?
</para>
</listitem>
</varlistentry>
@@ -120,6 +120,23 @@
</para>
</listitem>
</varlistentry>
+ <varlistentry>
+ <term>Same consecutive characters</term>
+ <listitem>
+ <para>
+ Optional check for same consecutive characters.
+ </para>
+ </listitem>
+ </varlistentry>
+ <varlistentry>
+ <term>Contains user name</term>
+ <listitem>
+ <para>
+ Optional check whether the password contains the user's name
+ in some form.
+ </para>
+ </listitem>
+ </varlistentry>
</variablelist>
<para>
This module with no arguments will work well for standard unix
@@ -281,7 +298,7 @@
than 10.
</para>
<para>
- (N > 0) This is the minimum number of upper
+ (N < 0) This is the minimum number of upper
case letters that must be met for a new password.
</para>
</listitem>
@@ -349,6 +366,50 @@
<varlistentry>
<term>
+ <option>minclass=<replaceable>N</replaceable></option>
+ </term>
+ <listitem>
+ <para>
+ The minimum number of required classes of characters for
+ the new password. The default number is zero. The four
+ classes are digits, upper and lower letters and other
+ characters.
+ The difference to the <option>credit</option> check is
+ that a specific class if of characters is not required.
+ Instead <replaceable>N</replaceable> out of four of the
+ classes are required.
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term>
+ <option>maxrepeat=<replaceable>N</replaceable></option>
+ </term>
+ <listitem>
+ <para>
+ Reject passwords which contain more than N same consecutive
+ characters. The default is 0 which means that this check
+ is disabled.
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term>
+ <option>reject_username</option>
+ </term>
+ <listitem>
+ <para>
+ Check whether the name of the user in straight or reversed
+ form is contained in the new password. If it is found the
+ new password is rejected.
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term>
<option>use_authtok</option>
</term>
<listitem>
@@ -495,7 +556,7 @@ password required pam_unix.so use_autht
<refentrytitle>pam.conf</refentrytitle><manvolnum>5</manvolnum>
</citerefentry>,
<citerefentry>
- <refentrytitle>pam.d</refentrytitle><manvolnum>8</manvolnum>
+ <refentrytitle>pam.d</refentrytitle><manvolnum>5</manvolnum>
</citerefentry>,
<citerefentry>
<refentrytitle>pam</refentrytitle><manvolnum>8</manvolnum>
diff -up Linux-PAM-1.0.2/modules/pam_cracklib/pam_cracklib.c.pwquality Linux-PAM-1.0.2/modules/pam_cracklib/pam_cracklib.c
--- Linux-PAM-1.0.2/modules/pam_cracklib/pam_cracklib.c.pwquality 2008-09-23 15:06:40.000000000 +0200
+++ Linux-PAM-1.0.2/modules/pam_cracklib/pam_cracklib.c 2008-09-23 15:10:14.000000000 +0200
@@ -99,6 +99,8 @@ struct cracklib_options {
int min_class;
int use_authtok;
int try_first_pass;
+ int max_repeat;
+ int reject_user;
char prompt_type[BUFSIZ];
const char *cracklib_dictpath;
};
@@ -166,8 +168,14 @@ _pam_parse (pam_handle_t *pamh, struct c
opt->min_class = strtol(*argv+9,&ep,10);
if (!ep)
opt->min_class = 0;
- if (opt->min_class > 4)
- opt->min_class = 4 ;
+ if (opt->min_class > 4)
+ opt->min_class = 4;
+ } else if (!strncmp(*argv,"maxrepeat=",10)) {
+ opt->max_repeat = strtol(*argv+10,&ep,10);
+ if (!ep)
+ opt->max_repeat = 0;
+ } else if (!strncmp(*argv,"reject_username",15)) {
+ opt->reject_user = 1;
} else if (!strncmp(*argv,"use_authtok",11)) {
opt->use_authtok = 1;
} else if (!strncmp(*argv,"use_first_pass",14)) {
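Review bot: The guard `if (!ep) opt->max_repeat = 0;` on the new maxrepeat= option can never fire, because strtol() always stores a non-NULL pointer in `ep` (the first unparsed character), so `maxrepeat=abc` silently leaves the check disabled and `maxrepeat=-5` stores a negative limit that consecutive() then compares `same` against, which would reject any password with two equal adjacent characters. Testing the parse result instead, `if (*ep != '\0' || opt->max_repeat < 0) opt->max_repeat = 0;`, makes malformed or negative values fall back to "disabled" explicitly. The same `!ep` pattern already exists for minclass= in the context lines above and is outside the scope of this change. _pam_parse continues outside the hunk.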
@@ -418,6 +426,58 @@ static int simple(struct cracklib_option
return 1;
}
+static int consecutive(struct cracklib_options *opt, const char *new)
+{
+ char c;
+ int i;
+ int same;
+
+ if (opt->max_repeat == 0)
+ return 0;
+
+ for (i = 0; new[i]; i++) {
+ if (i > 0 && new[i] == c) {
+ ++same;
+ if (same > opt->max_repeat)
+ return 1;
+ } else {
+ c = new[i];
+ same = 1;
+ }
+ }
+ return 0;
+}
+
+static int usercheck(struct cracklib_options *opt, const char *new,
+ char *user)
+{
+ char *f, *b;
+
+ if (!opt->reject_user)
+ return 0;
+
+ if (strstr(new, user) != NULL)
+ return 1;
+
+ /* now reverse the username, we can do that in place
+ as it is strdup-ed */
+ f = user;
+ b = user+strlen(user)-1;
+ while (f < b) {
+ char c;
+
+ c = *f;
+ *f = *b;
+ *b = c;
+ --b;
+ ++f;
+ }
+
+ if (strstr(new, user) != NULL)
+ return 1;
+ return 0;
+}
+
static char * str_lower(char *string)
{
char *cp;
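Review bot: usercheck() assumes a non-empty `user`: for an empty string `strstr(new, user)` returns `new` and every password is rejected, and the reverse step computes `user+strlen(user)-1`, a pointer before the start of the buffer. The caller only checks that PAM_USER is non-NULL (see the pam_get_item hunk below), so a guard such as `if (!opt->reject_user || *user == '\0') return 0;` at the top would make the function safe on its own. Very short user names (one or two characters) will also match almost any password with this substring test; whether that is acceptable is a policy question worth recording on the function, e.g. `/* plain substring match: very short user names reject most passwords */`.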
@@ -428,10 +488,12 @@ static char * str_lower(char *string)
}
static const char *password_check(struct cracklib_options *opt,
- const char *old, const char *new)
+ const char *old, const char *new,
+ const char *user)
{
const char *msg = NULL;
char *oldmono = NULL, *newmono, *wrapped = NULL;
+ char *usermono = NULL;
if (old && strcmp(new, old) == 0) {
msg = _("is the same as the old one");
@@ -439,6 +501,7 @@ static const char *password_check(struct
}
newmono = str_lower(x_strdup(new));
+ usermono = str_lower(x_strdup(user));
if (old) {
oldmono = str_lower(x_strdup(old));
wrapped = malloc(strlen(oldmono) * 2 + 1);
@@ -464,8 +527,15 @@ static const char *password_check(struct
if (!msg && minclass (opt, new))
msg = _("not enough character classes");
+ if (!msg && consecutive(opt, new))
+ msg = _("contains too many same characters consecutively");
+
+ if (!msg && usercheck(opt, newmono, usermono))
+ msg = _("contains the user name in some form");
+
memset(newmono, 0, strlen(newmono));
free(newmono);
+ free(usermono);
if (old) {
memset(oldmono, 0, strlen(oldmono));
memset(wrapped, 0, strlen(wrapped));
@@ -532,18 +602,18 @@ static int _pam_unix_approve_pass(pam_ha
return PAM_AUTHTOK_ERR;
}
+ retval = pam_get_item(pamh, PAM_USER, &user);
+ if (retval != PAM_SUCCESS || user == NULL) {
+ if (ctrl & PAM_DEBUG_ARG)
+ pam_syslog(pamh,LOG_ERR,"Can not get username");
+ return PAM_AUTHTOK_ERR;
+ }
/*
* if one wanted to hardwire authentication token strength
* checking this would be the place
*/
- msg = password_check(opt, pass_old, pass_new);
+ msg = password_check(opt, pass_old, pass_new, user);
if (!msg) {
- retval = pam_get_item(pamh, PAM_USER, &user);
- if (retval != PAM_SUCCESS || user == NULL) {
- if (ctrl & PAM_DEBUG_ARG)
- pam_syslog(pamh,LOG_ERR,"Can not get username");
- return PAM_AUTHTOK_ERR;
- }
msg = check_old_password(user, pass_new);
}
pam-1.0.2-many-groups.patch:
--- NEW FILE pam-1.0.2-many-groups.patch ---
diff -up Linux-PAM-1.0.2/libpam/pam_modutil_getpwnam.c.many-groups Linux-PAM-1.0.2/libpam/pam_modutil_getpwnam.c
--- Linux-PAM-1.0.2/libpam/pam_modutil_getpwnam.c.many-groups 2007-08-30 06:00:39.000000000 +0200
+++ Linux-PAM-1.0.2/libpam/pam_modutil_getpwnam.c 2008-09-23 15:59:46.000000000 +0200
@@ -104,7 +104,7 @@ pam_modutil_getpwnam(pam_handle_t *pamh,
break;
}
- length <<= 2;
+ length <<= PWD_LENGTH_SHIFT;
} while (length < PWD_ABSURD_PWD_LENGTH);
diff -up Linux-PAM-1.0.2/libpam/pam_modutil_getpwuid.c.many-groups Linux-PAM-1.0.2/libpam/pam_modutil_getpwuid.c
--- Linux-PAM-1.0.2/libpam/pam_modutil_getpwuid.c.many-groups 2007-08-30 06:00:39.000000000 +0200
+++ Linux-PAM-1.0.2/libpam/pam_modutil_getpwuid.c 2008-09-23 15:59:59.000000000 +0200
@@ -115,7 +115,7 @@ pam_modutil_getpwuid(pam_handle_t *pamh,
break;
}
- length <<= 2;
+ length <<= PWD_LENGTH_SHIFT;
} while (length < PWD_ABSURD_PWD_LENGTH);
diff -up Linux-PAM-1.0.2/libpam/pam_modutil_getgrnam.c.many-groups Linux-PAM-1.0.2/libpam/pam_modutil_getgrnam.c
--- Linux-PAM-1.0.2/libpam/pam_modutil_getgrnam.c.many-groups 2007-08-30 06:00:39.000000000 +0200
+++ Linux-PAM-1.0.2/libpam/pam_modutil_getgrnam.c 2008-09-23 15:59:29.000000000 +0200
@@ -104,7 +104,7 @@ pam_modutil_getgrnam(pam_handle_t *pamh,
break;
}
- length <<= 2;
+ length <<= PWD_LENGTH_SHIFT;
} while (length < PWD_ABSURD_PWD_LENGTH);
diff -up Linux-PAM-1.0.2/libpam/pam_modutil_getspnam.c.many-groups Linux-PAM-1.0.2/libpam/pam_modutil_getspnam.c
--- Linux-PAM-1.0.2/libpam/pam_modutil_getspnam.c.many-groups 2007-08-30 06:00:39.000000000 +0200
+++ Linux-PAM-1.0.2/libpam/pam_modutil_getspnam.c 2008-09-23 16:00:11.000000000 +0200
@@ -104,7 +104,7 @@ pam_modutil_getspnam(pam_handle_t *pamh,
break;
}
- length <<= 2;
+ length <<= PWD_LENGTH_SHIFT;
} while (length < PWD_ABSURD_PWD_LENGTH);
diff -up Linux-PAM-1.0.2/libpam/pam_modutil_getgrgid.c.many-groups Linux-PAM-1.0.2/libpam/pam_modutil_getgrgid.c
--- Linux-PAM-1.0.2/libpam/pam_modutil_getgrgid.c.many-groups 2007-08-30 06:00:39.000000000 +0200
+++ Linux-PAM-1.0.2/libpam/pam_modutil_getgrgid.c 2008-09-23 15:59:07.000000000 +0200
@@ -115,7 +115,7 @@ pam_modutil_getgrgid(pam_handle_t *pamh,
break;
}
- length <<= 2;
+ length <<= PWD_LENGTH_SHIFT;
} while (length < PWD_ABSURD_PWD_LENGTH);
diff -up Linux-PAM-1.0.2/libpam/pam_modutil_private.h.many-groups Linux-PAM-1.0.2/libpam/pam_modutil_private.h
--- Linux-PAM-1.0.2/libpam/pam_modutil_private.h.many-groups 2005-09-21 12:00:58.000000000 +0200
+++ Linux-PAM-1.0.2/libpam/pam_modutil_private.h 2008-09-23 16:00:30.000000000 +0200
@@ -13,8 +13,9 @@
#include <security/pam_modules.h>
#include <security/pam_modutil.h>
-#define PWD_INITIAL_LENGTH 0x100
-#define PWD_ABSURD_PWD_LENGTH 0x8000
+#define PWD_INITIAL_LENGTH 0x400
+#define PWD_ABSURD_PWD_LENGTH 0x40001
+#define PWD_LENGTH_SHIFT 4 /* 2^4 == 16 */
extern void
pam_modutil_cleanup(pam_handle_t *pamh, void *data,
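Review bot: The new PWD_ABSURD_PWD_LENGTH value 0x40001 reads like a typo for 0x40000 to anyone who does not trace the `do { ... length <<= PWD_LENGTH_SHIFT; } while (length < PWD_ABSURD_PWD_LENGTH)` loops in the five getpw*/getgr*/getsp* files of this patch, where the trailing 1 is what lets the 0x40000-byte buffer be attempted before giving up (0x400 -> 0x4000 -> 0x40000). A comment on the define would protect it from a later "cleanup", e.g. `/* one above 0x40000 so the 1K -> 16K -> 256K buffer sequence still tries the 256K step */`. The `2^4 == 16` remark on PWD_LENGTH_SHIFT shows the intent; the two constants are only meaningful together.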
pam-1.0.4-autoreconf.patch:
--- NEW FILE pam-1.0.4-autoreconf.patch ---
diff -up Linux-PAM-1.0.4/configure.in.autoreconf Linux-PAM-1.0.4/configure.in
--- Linux-PAM-1.0.4/configure.in.autoreconf 2009-03-16 16:57:54.000000000 +0100
+++ Linux-PAM-1.0.4/configure.in 2009-03-16 16:57:54.000000000 +0100
@@ -72,7 +72,7 @@ fi
AM_CONDITIONAL([STATIC_MODULES], [test "$STATIC_MODULES" != "no"])
dnl Checks for programs.
-AC_GNU_SOURCE
+AC_USE_SYSTEM_EXTENSIONS
AC_PROG_CC
AC_PROG_YACC
AM_PROG_LEX
pam-1.0.4-unix-root-update.patch:
--- NEW FILE pam-1.0.4-unix-root-update.patch ---
diff -up Linux-PAM-1.0.4/modules/pam_unix/unix_update.c.root-update Linux-PAM-1.0.4/modules/pam_unix/unix_update.c
--- Linux-PAM-1.0.4/modules/pam_unix/unix_update.c.root-update 2008-02-21 22:12:30.000000000 +0100
+++ Linux-PAM-1.0.4/modules/pam_unix/unix_update.c 2009-03-17 11:20:22.000000000 +0100
@@ -71,11 +71,14 @@ set_password(const char *forwho, const c
goto done;
}
- /* does pass agree with the official one?
- we always allow change from null pass */
- retval = helper_verify_password(forwho, pass, 1);
- if (retval != PAM_SUCCESS) {
- goto done;
+ /* If real caller uid is not root we must verify that
+ received old pass agrees with the current one.
+ We always allow change from null pass. */
+ if (getuid()) {
+ retval = helper_verify_password(forwho, pass, 1);
+ if (retval != PAM_SUCCESS) {
+ goto done;
+ }
}
/* first, save old password */
pam-1.0.4-unix-safeguards.patch:
--- NEW FILE pam-1.0.4-unix-safeguards.patch ---
diff -up Linux-PAM-1.0.4/modules/pam_unix/pam_unix_passwd.c.safeguards Linux-PAM-1.0.4/modules/pam_unix/pam_unix_passwd.c
--- Linux-PAM-1.0.4/modules/pam_unix/pam_unix_passwd.c.safeguards 2009-03-17 11:20:22.000000000 +0100
+++ Linux-PAM-1.0.4/modules/pam_unix/pam_unix_passwd.c 2009-03-17 11:20:22.000000000 +0100
@@ -139,7 +139,7 @@ static int _unix_run_update_binary(pam_h
const char *fromwhat, const char *towhat, int remember)
{
int retval, child, fds[2];
- void (*sighandler)(int) = NULL;
+ struct sigaction newsa, oldsa;
D(("called."));
/* create a pipe for the password */
@@ -157,13 +157,15 @@ static int _unix_run_update_binary(pam_h
* The "noreap" module argument is provided so that the admin can
* override this behavior.
*/
- sighandler = signal(SIGCHLD, SIG_DFL);
+ memset(&newsa, '\0', sizeof(newsa));
+ newsa.sa_handler = SIG_DFL;
+ sigaction(SIGCHLD, &newsa, &oldsa);
}
/* fork */
child = fork();
if (child == 0) {
- size_t i=0;
+ int i=0;
struct rlimit rlim;
static char *envp[] = { NULL };
char *args[] = { NULL, NULL, NULL, NULL, NULL, NULL };
@@ -171,15 +173,14 @@ static int _unix_run_update_binary(pam_h
/* XXX - should really tidy up PAM here too */
- close(0); close(1);
/* reopen stdin as pipe */
- close(fds[1]);
dup2(fds[0], STDIN_FILENO);
if (getrlimit(RLIMIT_NOFILE,&rlim)==0) {
- for (i=2; i < rlim.rlim_max; i++) {
- if ((unsigned int)fds[0] != i)
- close(i);
+ if (rlim.rlim_max >= MAX_FD_NO)
+ rlim.rlim_max = MAX_FD_NO;
+ for (i = STDERR_FILENO + 1; i < (int)rlim.rlim_max; i++) {
+ close(i);
}
}
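Review bot: `dup2(fds[0], STDIN_FILENO)` is still unchecked in the child, so if it fails the helper keeps the calling application's stdin and reads the password from there; now that fd 0 is no longer closed beforehand, checking the return, `if (dup2(fds[0], STDIN_FILENO) != STDIN_FILENO) _exit(PAM_AUTHINFO_UNAVAIL);`, on the same failure path as the execve error would close that gap. The loop that follows calls close() on every descriptor below `rlim_max`, capped at MAX_FD_NO (2000000), which on a system with a high hard limit is millions of syscalls for each password change; a comment explaining why the hard limit rather than `rlim_cur` is used (descriptors opened before the soft limit was lowered) and how 2000000 was chosen would help a later maintainer. The same construct appears in the support.c and pam_unix_acct.c hunks of this patch (the acct one dup2's fds[1] onto stdout), and this note applies to them as well. _unix_run_update_binary continues outside the hunk.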
@@ -239,8 +240,8 @@ static int _unix_run_update_binary(pam_h
retval = PAM_AUTH_ERR;
}
- if (sighandler != SIG_ERR) {
- (void) signal(SIGCHLD, sighandler); /* restore old signal handler */
+ if (off(UNIX_NOREAP, ctrl)) {
+ sigaction(SIGCHLD, &oldsa, NULL); /* restore old signal handler */
}
return retval;
diff -up Linux-PAM-1.0.4/modules/pam_unix/support.c.safeguards Linux-PAM-1.0.4/modules/pam_unix/support.c
--- Linux-PAM-1.0.4/modules/pam_unix/support.c.safeguards 2009-03-17 11:20:22.000000000 +0100
+++ Linux-PAM-1.0.4/modules/pam_unix/support.c 2009-03-17 11:20:22.000000000 +0100
@@ -396,7 +396,7 @@ static int _unix_run_helper_binary(pam_h
unsigned int ctrl, const char *user)
{
int retval, child, fds[2];
- void (*sighandler)(int) = NULL;
+ struct sigaction newsa, oldsa;
D(("called."));
/* create a pipe for the password */
@@ -414,7 +414,9 @@ static int _unix_run_helper_binary(pam_h
* The "noreap" module argument is provided so that the admin can
* override this behavior.
*/
- sighandler = signal(SIGCHLD, SIG_DFL);
+ memset(&newsa, '\0', sizeof(newsa));
+ newsa.sa_handler = SIG_DFL;
+ sigaction(SIGCHLD, &newsa, &oldsa);
}
/* fork */
@@ -427,15 +429,14 @@ static int _unix_run_helper_binary(pam_h
/* XXX - should really tidy up PAM here too */
- close(0); close(1);
/* reopen stdin as pipe */
- close(fds[1]);
dup2(fds[0], STDIN_FILENO);
if (getrlimit(RLIMIT_NOFILE,&rlim)==0) {
- for (i=2; i < (int)rlim.rlim_max; i++) {
- if (fds[0] != i)
- close(i);
+ if (rlim.rlim_max >= MAX_FD_NO)
+ rlim.rlim_max = MAX_FD_NO;
+ for (i = STDERR_FILENO + 1; i < (int)rlim.rlim_max; i++) {
+ close(i);
}
}
@@ -488,8 +489,8 @@ static int _unix_run_helper_binary(pam_h
retval = PAM_AUTH_ERR;
}
- if (sighandler != SIG_ERR) {
- (void) signal(SIGCHLD, sighandler); /* restore old signal handler */
+ if (off(UNIX_NOREAP, ctrl)) {
+ sigaction(SIGCHLD, &oldsa, NULL); /* restore old signal handler */
}
D(("returning %d", retval));
diff -up Linux-PAM-1.0.4/modules/pam_unix/pam_unix_acct.c.safeguards Linux-PAM-1.0.4/modules/pam_unix/pam_unix_acct.c
--- Linux-PAM-1.0.4/modules/pam_unix/pam_unix_acct.c.safeguards 2009-03-03 10:00:31.000000000 +0100
+++ Linux-PAM-1.0.4/modules/pam_unix/pam_unix_acct.c 2009-03-17 11:20:22.000000000 +0100
@@ -65,7 +65,7 @@ int _unix_run_verify_binary(pam_handle_t
const char *user, int *daysleft)
{
int retval=0, child, fds[2];
- void (*sighandler)(int) = NULL;
+ struct sigaction newsa, oldsa;
D(("running verify_binary"));
/* create a pipe for the messages */
@@ -85,29 +85,29 @@ int _unix_run_verify_binary(pam_handle_t
* The "noreap" module argument is provided so that the admin can
* override this behavior.
*/
- sighandler = signal(SIGCHLD, SIG_DFL);
+ memset(&newsa, '\0', sizeof(newsa));
+ newsa.sa_handler = SIG_DFL;
+ sigaction(SIGCHLD, &newsa, &oldsa);
}
/* fork */
child = fork();
if (child == 0) {
- size_t i=0;
+ int i=0;
struct rlimit rlim;
static char *envp[] = { NULL };
char *args[] = { NULL, NULL, NULL, NULL };
- close(0); close(1);
- /* reopen stdin as pipe */
- close(fds[0]);
+ /* reopen stdout as pipe */
dup2(fds[1], STDOUT_FILENO);
/* XXX - should really tidy up PAM here too */
if (getrlimit(RLIMIT_NOFILE,&rlim)==0) {
- for (i=2; i < rlim.rlim_max; i++) {
- if ((unsigned int)fds[1] != i) {
- close(i);
- }
+ if (rlim.rlim_max >= MAX_FD_NO)
+ rlim.rlim_max = MAX_FD_NO;
+ for (i = STDERR_FILENO + 1; i < (int)rlim.rlim_max; i++) {
+ close(i);
}
}
@@ -126,7 +126,6 @@ int _unix_run_verify_binary(pam_handle_t
pam_syslog(pamh, LOG_ERR, "helper binary execve failed: %m");
/* should not get here: exit with error */
- close (fds[1]);
D(("helper binary is not available"));
printf("-1\n");
exit(PAM_AUTHINFO_UNAVAIL);
@@ -162,9 +161,11 @@ int _unix_run_verify_binary(pam_handle_t
}
close(fds[0]);
}
- if (sighandler != SIG_ERR) {
- (void) signal(SIGCHLD, sighandler); /* restore old signal handler */
+
+ if (off(UNIX_NOREAP, ctrl)) {
+ sigaction(SIGCHLD, &oldsa, NULL); /* restore old signal handler */
}
+
D(("Returning %d",retval));
return retval;
}
diff -up Linux-PAM-1.0.4/modules/pam_unix/passverify.c.safeguards Linux-PAM-1.0.4/modules/pam_unix/passverify.c
--- Linux-PAM-1.0.4/modules/pam_unix/passverify.c.safeguards 2009-03-02 16:02:22.000000000 +0100
+++ Linux-PAM-1.0.4/modules/pam_unix/passverify.c 2009-03-17 11:20:22.000000000 +0100
@@ -117,7 +117,7 @@ verify_pwd_hash(const char *p, char *has
p = NULL; /* no longer needed here */
/* the moment of truth -- do we agree with the password? */
- D(("comparing state of pp[%s] and salt[%s]", pp, salt));
+ D(("comparing state of pp[%s] and hash[%s]", pp, hash));
if (pp && strcmp(pp, hash) == 0) {
retval = PAM_SUCCESS;
@@ -675,8 +675,13 @@ save_old_password(const char *forwho, co
}
}
+ if (fflush(pwfile) || fsync(fileno(pwfile))) {
+ D(("fflush or fsync error writing entries to old passwords file: %m"));
+ err = 1;
+ }
+
if (fclose(pwfile)) {
- D(("error writing entries to old passwords file: %m"));
+ D(("fclose error writing entries to old passwords file: %m"));
err = 1;
}
@@ -795,8 +800,13 @@ unix_update_passwd(pam_handle_t *pamh, c
}
fclose(opwfile);
+ if (fflush(pwfile) || fsync(fileno(pwfile))) {
+ D(("fflush or fsync error writing entries to password file: %m"));
+ err = 1;
+ }
+
if (fclose(pwfile)) {
- D(("error writing entries to password file: %m"));
+ D(("fclose error writing entries to password file: %m"));
err = 1;
}
@@ -925,8 +935,13 @@ unix_update_shadow(pam_handle_t *pamh, c
}
fclose(opwfile);
+ if (fflush(pwfile) || fsync(fileno(pwfile))) {
+ D(("fflush or fsync error writing entries to shadow file: %m"));
+ err = 1;
+ }
+
if (fclose(pwfile)) {
- D(("error writing entries to shadow file: %m"));
+ D(("fclose error writing entries to shadow file: %m"));
err = 1;
}
@@ -1007,8 +1022,12 @@ su_sighandler(int sig)
{
#ifndef SA_RESETHAND
/* emulate the behaviour of the SA_RESETHAND flag */
- if ( sig == SIGILL || sig == SIGTRAP || sig == SIGBUS || sig = SIGSERV )
- signal(sig, SIG_DFL);
+ if ( sig == SIGILL || sig == SIGTRAP || sig == SIGBUS || sig = SIGSERV ) {
+ struct sigaction sa;
+ memset(&sa, '\0, sizeof(sa));
+ sa.sa_handler = SIG_DFL;
+ sigaction(sig, &sa, NULL);
+ }
#endif
if (sig > 0) {
_exit(sig);
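Review bot: The new line `memset(&sa, '\0, sizeof(sa));` is missing the closing quote of the character constant and does not compile; it should read `memset(&sa, '\0', sizeof(sa));`. The condition re-added on the line above, `sig = SIGSERV`, is an assignment rather than a comparison (and, given `||` binds tighter than `=`, not even a valid one), and SIGSERV is not a standard signal name; `sig == SIGSEGV` is presumably what the SA_RESETHAND emulation intends. Both lines sit under `#ifndef SA_RESETHAND`, which is defined on Linux, so the block is never compiled there and the errors go unnoticed until someone builds on a platform without SA_RESETHAND. su_sighandler continues outside the hunk.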
diff -up Linux-PAM-1.0.4/modules/pam_unix/support.h.safeguards Linux-PAM-1.0.4/modules/pam_unix/support.h
--- Linux-PAM-1.0.4/modules/pam_unix/support.h.safeguards 2008-01-23 16:35:13.000000000 +0100
+++ Linux-PAM-1.0.4/modules/pam_unix/support.h 2009-03-17 11:24:55.000000000 +0100
@@ -127,6 +127,7 @@ static const UNIX_Ctrls unix_args[UNIX_C
#define UNIX_DEFAULTS (unix_args[UNIX__NONULL].flag)
+#define MAX_FD_NO 2000000
/* use this to free strings. ESPECIALLY password strings */
Index: .cvsignore
===================================================================
RCS file: /cvs/pkgs/rpms/pam/F-9/.cvsignore,v
retrieving revision 1.49
retrieving revision 1.50
diff -u -r1.49 -r1.50
--- .cvsignore 18 Apr 2008 08:43:42 -0000 1.49
+++ .cvsignore 17 Mar 2009 12:14:00 -0000 1.50
@@ -2,4 +2,4 @@
*.tar.bz2
pam-redhat-0.99.9-1.tar.bz2
db-4.6.21.tar.gz
-Linux-PAM-1.0.1.tar.bz2
+Linux-PAM-1.0.4.tar.bz2
Index: pam.spec
===================================================================
RCS file: /cvs/pkgs/rpms/pam/F-9/pam.spec,v
retrieving revision 1.179
retrieving revision 1.180
diff -u -r1.179 -r1.180
--- pam.spec 21 May 2008 08:37:37 -0000 1.179
+++ pam.spec 17 Mar 2009 12:14:00 -0000 1.180
@@ -4,15 +4,15 @@
Summary: A security tool which provides authentication for applications
Name: pam
-Version: 1.0.1
-Release: 4%{?dist}
+Version: 1.0.4
+Release: 1%{?dist}
# The library is BSD licensed with option to relicense as GPLv2+ - this option is redundant
# as the BSD license allows that anyway. pam_timestamp and pam_console modules are GPLv2+,
# pam_rhosts_auth module is BSD with advertising
License: BSD and GPLv2+ and BSD with advertising
Group: System Environment/Base
-Source0: http://ftp.us.kernel.org/pub/linux/libs/pam/pre/library/Linux-PAM-%{version}.tar.bz2
-Source1: http://ftp.us.kernel.org/pub/linux/libs/pam/pre/library/Linux-PAM-%{version}.tar.bz2.sign
+Source0: http://ftp.us.kernel.org/pub/linux/libs/pam/library/Linux-PAM-%{version}.tar.bz2
+Source1: http://ftp.us.kernel.org/pub/linux/libs/pam/library/Linux-PAM-%{version}.tar.bz2.sign
Source2: https://fedorahosted.org/releases/p/a/pam-redhat/pam-redhat-%{pam_redhat_version}.tar.bz2
Source4: http://download.oracle.com/berkeley-db/db-%{db_version}.tar.gz
Source5: other.pamd
@@ -25,15 +25,19 @@
Patch1: pam-0.99.7.0-redhat-modules.patch
Patch2: db-4.6.18-glibc.patch
Patch4: pam-0.99.8.1-dbpam.patch
-Patch5: pam-1.0.1-autoreconf.patch
+Patch5: pam-1.0.4-autoreconf.patch
Patch10: pam-1.0.0-sepermit-screensaver.patch
-Patch11: pam-1.0.1-selinux-restore-execcon.patch
Patch12: pam-1.0.0-selinux-env-params.patch
Patch21: pam-0.99.10.0-unix-audit-failed.patch
Patch22: pam-1.0.1-unix-prompts.patch
Patch31: pam-0.99.3.0-cracklib-try-first-pass.patch
Patch32: pam-0.99.3.0-tally-fail-close.patch
Patch41: pam-1.0.1-namespace-create.patch
+Patch42: pam-1.0.2-cracklib-pwquality.patch
+Patch43: pam-0.99.6.2-lastlog-failed.patch
+Patch44: pam-1.0.2-many-groups.patch
+Patch45: pam-1.0.4-unix-safeguards.patch
+Patch46: pam-1.0.4-unix-root-update.patch
%define _sbindir /sbin
%define _moduledir /%{_lib}/security
@@ -108,13 +112,17 @@
%patch4 -p1 -b .dbpam
%patch5 -p1 -b .autoreconf
%patch10 -p1 -b .screensaver
-%patch11 -p1 -b .restore-execcon
%patch12 -p0 -b .env-params
%patch21 -p1 -b .audit-failed
%patch22 -p1 -b .prompts
%patch31 -p1 -b .try-first-pass
%patch32 -p1 -b .fail-close
%patch41 -p1 -b .create
+%patch42 -p1 -b .pwquality
+%patch43 -p1 -b .failed
+%patch44 -p1 -b .many-groups
+%patch45 -p1 -b .safeguards
+%patch46 -p1 -b .root-update
autoreconf
@@ -384,6 +392,16 @@
%doc doc/adg/*.txt doc/adg/html
%changelog
+* Tue Mar 17 2009 Tomas Mraz <tmraz at redhat.com> 1.0.4-1
+- update to new upstream minor release (bugfixes and
+ minor security fixes)
+
+* Tue Sep 23 2008 Tomas Mraz <tmraz at redhat.com> 1.0.2-2
+- new password quality checks in pam_cracklib
+- report failed logins from btmp in pam_lastlog
+- allow larger groups in modutil functions
+- fix leaked file descriptor in pam_tally
+
* Wed May 21 2008 Tomas Mraz <tmraz at redhat.com> 1.0.1-4
- pam_namespace: allow safe creation of directories owned by user (#437116)
- pam_unix: fix multiple error prompts on password change (#443872)
Index: sources
===================================================================
RCS file: /cvs/pkgs/rpms/pam/F-9/sources,v
retrieving revision 1.51
retrieving revision 1.52
diff -u -r1.51 -r1.52
--- sources 18 Apr 2008 08:43:42 -0000 1.51
+++ sources 17 Mar 2009 12:14:00 -0000 1.52
@@ -1,3 +1,3 @@
26152d9c691715756b514dbf9cab9cd8 pam-redhat-0.99.9-1.tar.bz2
718082e7e35fc48478a2334b0bc4cd11 db-4.6.21.tar.gz
-1c75f81bd44c5da93014992820917847 Linux-PAM-1.0.1.tar.bz2
+189171821b56aaf791cc890d0707ea82 Linux-PAM-1.0.4.tar.bz2
--- Linux-PAM-1.0.1.tar.bz2.sign DELETED ---
--- pam-1.0.1-autoreconf.patch DELETED ---
--- pam-1.0.1-selinux-restore-execcon.patch DELETED ---