SE/Linux patch - http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=249499
Luke Kenneth Casson Leighton
lkcl at lkcl.net
Sun May 30 22:23:59 UTC 2004
On Sun, May 30, 2004 at 04:48:09PM -0400, Sam Hartman wrote:
> I indicated a willingness to work with Russell on selinux integration
> but he never got back to me.
oh?
ah.
seems like communication has been lost in transit then.
> He asked if I was interested in
> upgrading to PAM 0.77. I said no because it seemed like a lot of work
> for no significant gain.
*thinks*. lessavalook.
okay... debian's pam version is 0.76. SHRIEK there's a stack
of patches in the debian/patches directory!! no wonder it'd
be a lot of work!
and the NSA's pam patch is against 0.77, and it's 1,934 lines long.
eep :)
okay, let's see if it cleanly applies to 0.76.... annnd no it
doesn't.
okay, i tried doing a merge, but i am beginning to get into trouble
on pam_unix_passwd.c.
for example, in the original 0.76 pam_unix_passwd.c file, there
is code that does:
    chown(OPW_TMPFILE, 0, 0);
    chmod(OPW_TMPFILE, 0600);
yet i see no such thing in 0.77.
but i _do_ see a fchmod(fileno(owfile), st.st_mode).
and then later on there appear to be inconsistencies when
the shadow password file is handled in a similar fashion.
[whoever did that rewrite of pam 0.77, you're a pain! :)
only kidding.
you introduced a different style "set err = -1; goto end"
instead of returning an error message immediately: i know
_why_ it was done, it's to be able to clean-up the selinux
context at the end of that function which has over five
return points.
knowing why doesn't mean i have to like it if it causes a
patch to happen not to apply against an older version.
*grump*. ignore me.
]
i think the mods to unix_chkpwd.c, where there's a single clash
in main at the comment "read the nullok/nonull option", are
more straightforward to resolve.
it's just these passwd file and shadow file handling patches
that are... "odd" and don't cleanly apply.
> I indicated willingness to take patches from
> upstream's cvs if they made the selinux work easier but he never
> responded to the offer.
the only thing i can think of is that a communication thread has
been lost, somehow, because russell is under the impression that
pam / selinux integration has stalled.
*click*.
oh, so you'd be happy for someone (me being the closest victim)
to attempt a patch against the latest pam cvs rather than
specifically against 0.77?
hey, that's worth a shot, because against 0.76 it ain't gonna
happen - not cleanly, anyway.
correct me if a quick googling is wrong, but that's
http://sf.net/projects/pam, yes?
l.
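[editor's added example, not code from PAM, from the NSA patch, or from anyone on this thread: the two idioms lkcl contrasts above, chown()/chmod() by the path OPW_TMPFILE in 0.76 versus fchmod(fileno(owfile), st.st_mode) in 0.77, side by side. The security-relevant difference is what each call operates on: a path-based chmod() acts on whatever the name resolves to at that instant, while fchmod() acts on the already-open file. The scratch file names below are invented for the demo and the chown() half is left out so it runs as an unprivileged user.]

```c
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Pattern (a), the 0.76 snippet's shape: set the mode by *name*.
 * Anything that swaps what the name points at between the open and this
 * call (rename, symlink) makes the mode land on a different object. */
int set_mode_by_path(const char *path, mode_t mode)
{
    return chmod(path, mode);
}

/* Pattern (b), the 0.77 snippet's shape: set the mode on the open
 * descriptor. The file we actually opened is modified, whatever has
 * happened to its name since. */
int set_mode_by_fd(int fd, mode_t mode)
{
    return fchmod(fd, mode);
}

/* Create a scratch file (hypothetical name, not PAM's OPW_TMPFILE), apply
 * `mode` with the chosen pattern, and return the permission bits read back
 * via fstat() on the descriptor, or -1 on error. The file is unlinked. */
int tmpfile_mode_after(int use_fd, mode_t mode)
{
    char name[] = "/tmp/opw-demo-XXXXXX";
    int fd = mkstemp(name);          /* mkstemp() creates it 0600 */
    if (fd < 0)
        return -1;

    int rc = use_fd ? set_mode_by_fd(fd, mode)
                    : set_mode_by_path(name, mode);

    struct stat st;
    int result = -1;
    if (rc == 0 && fstat(fd, &st) == 0)
        result = (int)(st.st_mode & 07777);

    unlink(name);
    close(fd);
    return result;
}

/* The 0.77 idiom carried through: copy the mode of an existing file (here
 * a second scratch file first set to `src_mode`) onto a new file using only
 * descriptor operations, fstat() then fchmod(). Returns the new file's
 * resulting permission bits, or -1 on error. */
int copy_mode_via_fd(mode_t src_mode)
{
    char src[] = "/tmp/opw-src-XXXXXX";
    char dst[] = "/tmp/opw-dst-XXXXXX";
    int sfd = mkstemp(src);
    int dfd = mkstemp(dst);
    int result = -1;
    struct stat st;

    if (sfd >= 0 && dfd >= 0 &&
        fchmod(sfd, src_mode) == 0 &&
        fstat(sfd, &st) == 0 &&
        fchmod(dfd, st.st_mode & 07777) == 0 &&  /* cf. fchmod(fileno(owfile), st.st_mode) */
        fstat(dfd, &st) == 0)
        result = (int)(st.st_mode & 07777);

    if (sfd >= 0) { unlink(src); close(sfd); }
    if (dfd >= 0) { unlink(dst); close(dfd); }
    return result;
}

int main(void)
{
    printf("chmod by path              -> %04o\n", tmpfile_mode_after(0, 0640));
    printf("fchmod on descriptor       -> %04o\n", tmpfile_mode_after(1, 0640));
    printf("copy mode via fstat/fchmod -> %04o\n", copy_mode_via_fd(0644));
    return 0;
}
```

Both patterns yield the same bits on a quiet system; the difference only shows when something else is racing on the name, which is exactly why a descriptor-based rewrite does not merge cleanly onto path-based code: the two are not interchangeable line for line.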