rpms/pam/F-12 pam-1.1.0-xauth-context.patch, NONE, 1.1 pam.spec, 1.204, 1.205

Tomáš Mráz tmraz at fedoraproject.org
Thu Oct 29 15:54:52 UTC 2009


Author: tmraz

Update of /cvs/pkgs/rpms/pam/F-12
In directory cvs1.fedora.phx.redhat.com:/tmp/cvs-serv8767

Modified Files:
	pam.spec 
Added Files:
	pam-1.1.0-xauth-context.patch 
Log Message:
* Thu Oct 29 2009 Tomas Mraz <tmraz at redhat.com> 1.1.0-6
- pam_xauth: set the appropriate context when creating .xauth files (#531530)


pam-1.1.0-xauth-context.patch:
 Makefile.am |    2 +-
 pam_xauth.c |   45 ++++++++++++++++++++++++++++++++++++++++++---
 2 files changed, 43 insertions(+), 4 deletions(-)

--- NEW FILE pam-1.1.0-xauth-context.patch ---
diff -up Linux-PAM-1.1.0/modules/pam_xauth/Makefile.am.xauth-context Linux-PAM-1.1.0/modules/pam_xauth/Makefile.am
--- Linux-PAM-1.1.0/modules/pam_xauth/Makefile.am.xauth-context	2006-06-09 18:44:08.000000000 +0200
+++ Linux-PAM-1.1.0/modules/pam_xauth/Makefile.am	2009-10-29 14:34:18.000000000 +0100
@@ -16,7 +16,7 @@ secureconfdir = $(SCONFIGDIR)
 
 AM_CFLAGS = -I$(top_srcdir)/libpam/include -I$(top_srcdir)/libpamc/include
 AM_LDFLAGS = -no-undefined -avoid-version -module \
-	-L$(top_builddir)/libpam -lpam
+	-L$(top_builddir)/libpam -lpam @LIBSELINUX@
 if HAVE_VERSIONING
   AM_LDFLAGS += -Wl,--version-script=$(srcdir)/../modules.map
 endif
diff -up Linux-PAM-1.1.0/modules/pam_xauth/pam_xauth.c.xauth-context Linux-PAM-1.1.0/modules/pam_xauth/pam_xauth.c
--- Linux-PAM-1.1.0/modules/pam_xauth/pam_xauth.c.xauth-context	2009-04-09 10:07:29.000000000 +0200
+++ Linux-PAM-1.1.0/modules/pam_xauth/pam_xauth.c	2009-10-29 16:13:21.000000000 +0100
@@ -57,6 +57,12 @@
 #include <security/pam_modutil.h>
 #include <security/pam_ext.h>
 
+#ifdef WITH_SELINUX
+#include <selinux/selinux.h>
+#include <selinux/label.h>
+#include <sys/stat.h>
+#endif
+
 #define DATANAME "pam_xauth_cookie_file"
 #define XAUTHENV "XAUTHORITY"
 #define HOMEENV  "HOME"
@@ -461,6 +467,10 @@ pam_sm_open_session (pam_handle_t *pamh,
 			  getuid(), getgid(),
 			  xauth, "-f", cookiefile, "nlist", display,
 			  NULL) == 0) {
+		int save_errno;
+#ifdef WITH_SELINUX
+		security_context_t context = NULL;
+#endif
 		/* Check that we got a cookie.  If not, we get creative. */
 		if (((cookie == NULL) || (strlen(cookie) == 0)) &&
 		    ((strncmp(display, "localhost:", 10) == 0) ||
@@ -545,12 +555,41 @@ pam_sm_open_session (pam_handle_t *pamh,
 		/* Generate a new file to hold the data. */
 		euid = geteuid();
 		setfsuid(tpwd->pw_uid);
-		fd = mkstemp(xauthority + strlen(XAUTHENV) + 1);
+		
+#ifdef WITH_SELINUX
+		if (is_selinux_enabled() > 0) {
+			struct selabel_handle *ctx = selabel_open(SELABEL_CTX_FILE, NULL, 0);
+			if (ctx != NULL) {
+				if (selabel_lookup(ctx, &context,
+						   xauthority + sizeof(XAUTHENV), S_IFREG) != 0) {
+					pam_syslog(pamh, LOG_WARNING,
+						   "could not get SELinux label for '%s'",
+						   xauthority + sizeof(XAUTHENV));
+				}
+				selabel_close(ctx);
+				if (setfscreatecon(context)) {
+					pam_syslog(pamh, LOG_WARNING,
+						   "setfscreatecon(%s) failed: %m", context);
+				}
+			}
+		}
+		fd = mkstemp(xauthority + sizeof(XAUTHENV));
+		save_errno = errno;
+		if (context != NULL) {
+			free(context);
+			setfscreatecon(NULL);
+		}
+#else
+		fd = mkstemp(xauthority + sizeof(XAUTHENV));
+		save_errno = errno;
+#endif
+
 		setfsuid(euid);
 		if (fd == -1) {
+			errno = save_errno;
 			pam_syslog(pamh, LOG_ERR,
 				   "error creating temporary file `%s': %m",
-				   xauthority + strlen(XAUTHENV) + 1);
+				   xauthority + sizeof(XAUTHENV));
 			retval = PAM_SESSION_ERR;
 			goto cleanup;
 		}
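Review bot: The label obtained from selabel_lookup() is released with `free(context)` in the cleanup after mkstemp(), but libselinux documents `freecon(context)` as the release call for a security_context_t; it should be used here so the code does not depend on the allocator detail. In the same cleanup the return value of the `setfscreatecon(NULL)` reset is discarded — if that reset fails, the calling process goes on creating files with the .xauth label, so it deserves the warning the set path already logs, e.g. `if (setfscreatecon(NULL)) pam_syslog(pamh, LOG_WARNING, "setfscreatecon(NULL) failed: %m");` (errno from mkstemp is already preserved in save_errno, so logging with %m there is safe). As a point of style, `fd = mkstemp(xauthority + sizeof(XAUTHENV)); save_errno = errno;` is duplicated in both #ifdef branches and could sit once after the `#endif`, and the `+` line replacing the old mkstemp call adds a whitespace-only line. pam_sm_open_session starts and ends outside the hunk.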
@@ -563,7 +602,7 @@ pam_sm_open_session (pam_handle_t *pamh,
 		/* Get a copy of the filename to save as a data item for
 		 * removal at session-close time. */
 		free(cookiefile);
-		cookiefile = strdup(xauthority + strlen(XAUTHENV) + 1);
+		cookiefile = strdup(xauthority + sizeof(XAUTHENV));
 
 		/* Save the filename. */
 		if (pam_set_data(pamh, DATANAME, cookiefile, cleanup) != PAM_SUCCESS) {


Index: pam.spec
===================================================================
RCS file: /cvs/pkgs/rpms/pam/F-12/pam.spec,v
retrieving revision 1.204
retrieving revision 1.205
diff -u -p -r1.204 -r1.205
--- pam.spec	1 Sep 2009 16:03:13 -0000	1.204
+++ pam.spec	29 Oct 2009 15:54:52 -0000	1.205
@@ -3,7 +3,7 @@
 Summary: An extensible library which provides authentication for applications
 Name: pam
 Version: 1.1.0
-Release: 5%{?dist}
+Release: 6%{?dist}
 # The library is BSD licensed with option to relicense as GPLv2+ - this option is redundant
 # as the BSD license allows that anyway. pam_timestamp and pam_console modules are GPLv2+,
 License: BSD and GPLv2+
@@ -26,6 +26,7 @@ Patch2:  pam-1.0.91-std-noclose.patch
 Patch3:  pam-1.1.0-cracklib-authtok.patch
 Patch4:  pam-1.1.0-console-nochmod.patch
 Patch5:  pam-1.1.0-notally.patch
+Patch6:  pam-1.1.0-xauth-context.patch
 
 %define _sbindir /sbin
 %define _moduledir /%{_lib}/security
@@ -91,6 +92,7 @@ mv pam-redhat-%{pam_redhat_version}/* mo
 %patch3 -p1 -b .authtok
 %patch4 -p1 -b .nochmod
 %patch5 -p1 -b .notally
+%patch6 -p1 -b .xauth-context
 
 libtoolize -f
 autoreconf
@@ -323,6 +325,9 @@ fi
 %doc doc/adg/*.txt doc/adg/html
 
 %changelog
+* Thu Oct 29 2009 Tomas Mraz <tmraz at redhat.com> 1.1.0-6
+- pam_xauth: set the approprate context when creating .xauth files (#531530)
+
 * Tue Sep  1 2009 Tomas Mraz <tmraz at redhat.com> 1.1.0-5
 - do not change permissions with pam_console_apply
 - drop obsolete pam_tally module and the faillog file (#461258)



