1
Index: Linux-PAM/Make.Rules.in
2
===================================================================
3
RCS file: /afs/sipb/project/debian/cvs/pam/Linux-PAM/Make.Rules.in,v
4
retrieving revision 1.3
5
diff -u -r1.3 Make.Rules.in
6
--- Linux-PAM/Make.Rules.in 15 Sep 2002 20:17:56 -0000 1.3
7
+++ Linux-PAM/Make.Rules.in 22 Sep 2002 19:35:35 -0000
13
-LINKLIBS = $(NEED_LINK_LIB_C) $(LIBDL)
15
+LINKLIBS = $(NEED_LINK_LIB_C) $(LIBDL)
16
Index: Linux-PAM/_pam_aconf.h.in
17
===================================================================
18
RCS file: /afs/sipb/project/debian/cvs/pam/Linux-PAM/_pam_aconf.h.in,v
19
retrieving revision 1.2
20
diff -u -r1.2 _pam_aconf.h.in
21
--- Linux-PAM/_pam_aconf.h.in 21 Sep 2002 18:11:03 -0000 1.2
22
+++ Linux-PAM/_pam_aconf.h.in 22 Sep 2002 19:35:35 -0000
24
/* read both confs - read /etc/pam.d and /etc/pam.conf in serial */
25
#undef PAM_READ_BOTH_CONFS
27
+#undef HAVE_SYS_CAPABILITY_H
33
/* location of the mail spool directory */
34
#undef PAM_PATH_MAILDIR
37
/* where should we include setfsuid's prototype from? If this is not
38
defined, we get it from unistd.h */
39
Index: Linux-PAM/configure.in
40
===================================================================
41
RCS file: /afs/sipb/project/debian/cvs/pam/Linux-PAM/configure.in,v
42
retrieving revision 1.13
43
diff -u -r1.13 configure.in
44
--- Linux-PAM/configure.in 21 Sep 2002 18:38:49 -0000 1.13
45
+++ Linux-PAM/configure.in 22 Sep 2002 19:46:38 -0000
50
-AC_CHECK_HEADERS(fcntl.h limits.h malloc.h sys/file.h sys/ioctl.h sys/time.h syslog.h net/if.h termios.h unistd.h sys/fsuid.h)
51
+AC_CHECK_HEADERS(fcntl.h limits.h malloc.h sys/file.h sys/ioctl.h sys/time.h syslog.h net/if.h termios.h unistd.h sys/fsuid.h sys/capability.h )
53
dnl Linux wants features.h in some of the source files.
54
AC_CHECK_HEADERS(features.h)
58
AC_CHECK_FUNCS(gethostname gettimeofday mkdir select strcspn strdup strerror strspn strstr strtol uname)
59
+AC_CHECK_LIB(cap, cap_init)
61
AC_CHECK_FUNCS(getpwnam_r getgrnam_r)
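Review bot: `AC_CHECK_LIB(cap, cap_init)` with no action-if-found argument only defines HAVE_LIBCAP and appends `-lcap` to the global LIBS, while the pam_limits.c code in this same patch is guarded solely on HAVE_SYS_CAPABILITY_H, so a host that has the header but not the library compiles the capability code and fails at link time, and a host that has both links every module against libcap. The Make.Rules.in hunk in this patch does not add any cap library variable to LINKLIBS, which suggests the module link currently depends on that global LIBS side effect. I would capture the result explicitly, `AC_CHECK_LIB(cap, cap_init, [LIBCAP=-lcap; AC_DEFINE(HAVE_LIBCAP)], [LIBCAP=])` followed by `AC_SUBST(LIBCAP)`, and reference `$(LIBCAP)` from the pam_limits link rule, so that the header check and the library check are tied together and the module code can be guarded on both.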
63
Index: Linux-PAM/modules/pam_limits/pam_limits.c
64
===================================================================
65
RCS file: /afs/sipb/project/debian/cvs/pam/Linux-PAM/modules/pam_limits/pam_limits.c,v
66
retrieving revision 1.10
67
diff -u -r1.10 pam_limits.c
68
--- Linux-PAM/modules/pam_limits/pam_limits.c 22 Sep 2002 00:04:48 -0000 1.10
69
+++ Linux-PAM/modules/pam_limits/pam_limits.c 22 Sep 2002 19:43:07 -0000
72
#include <security/_pam_aconf.h>
74
+#ifdef HAVE_SYS_CAPABILITY_H
75
+#include <sys/capability.h>
76
+#include <sys/prctl.h>
77
+#endif /* HAVE_SYS_CAPABILITY_H */
82
specific user or to count all logins */
83
int priority; /* the priority to run user process with */
84
char chroot_dir[8092] ; /* directory to chroot into */
85
+#ifdef HAVE_SYS_CAPABILITY_H
86
+ cap_t capabilities; /*capability handle*/
88
+#endif /* HAVE_SYS_CAPABILITY_H */
89
int supported[RLIM_NLIMITS];
90
struct user_limits_struct limits[RLIM_NLIMITS];
91
char conf_file[BUFSIZ];
94
#define LIMIT_PRI RLIM_NLIMITS+3
95
#define LIMIT_CHROOT RLIM_NLIMITS+4
96
+#define LIMIT_CAPS RLIM_NLIMITS+5
101
pl->login_limit = -2;
102
pl->login_limit_def = LIMITS_DEF_NONE;
104
+#ifdef HAVE_SYS_CAPABILITY_H
105
+ pl->capabilities = cap_init();
107
+#endif /* HAVE_SYS_CAPABILITY_H */
108
pl->chroot_dir[0] = '\0';
112
limit_item = LIMIT_PRI;
113
} else if (strcmp(lim_item, "chroot") == 0) {
114
limit_item = LIMIT_CHROOT;
115
+#ifdef HAVE_SYS_CAPABILITY_H
116
+ } else if (strcmp(lim_item, "capabilities") == 0) {
117
+ limit_item = LIMIT_CAPS;
118
+#endif /* HAVE_SYS_CAPABILITY_H */
120
_pam_log(LOG_DEBUG,"unknown limit item '%s'", lim_item);
123
if ( (limit_item != LIMIT_LOGIN)
124
&& (limit_item != LIMIT_NUMSYSLOGINS)
125
&& (limit_item != LIMIT_PRI)
126
- && (limit_item != LIMIT_CHROOT)) {
127
+ && (limit_item != LIMIT_CHROOT)
128
+ && (limit_item != LIMIT_CAPS)
130
if (limit_type & LIMIT_SOFT) {
131
if (pl->limits[limit_item].src_soft < source) {
134
pl->priority = limit_value;
135
} else if (limit_item == LIMIT_CHROOT) {
136
strncpy(pl->chroot_dir, value_orig, sizeof(pl->chroot_dir));
139
+#ifdef HAVE_SYS_CAPABILITY_H
140
+ else if (limit_item == LIMIT_CAPS) {
141
+ pl->capabilities = cap_from_text(value_orig);
142
+ prctl(PR_SET_KEEPCAPS, 1);
145
+#endif /*HAVE_SYS_CAPABILITY_H*/
147
if (pl->login_limit_def < source) {
154
+#ifdef HAVE_SYS_CAPABILITY_H
155
+ if (!retval && pl->caps_set) {
156
+ retval = cap_set_proc(pl->capabilities) ? LIMIT_ERR : 0;
157
+ cap_free(pl->capabilities);
159
+#endif /* HAVE_SYS_CAPABILITY_H */
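Review bot: In the LIMIT_CAPS branch (gutter lines 140–142) `cap_from_text(value_orig)` overwrites the handle that `cap_init()` stored in `pl->capabilities` without freeing it, its NULL return on a malformed capability string is never checked, and `prctl(PR_SET_KEEPCAPS, 1)` is issued as an unchecked, process-wide side effect at config-parse time rather than at the point where the set is actually applied. The apply hunk (gutter 155–157) then frees the handle only on the `caps_set` path, so the `cap_init()` handle leaks whenever no capabilities entry matched, and `caps_set` itself is not visible in the struct hunk (gutter 85–88) — presumably it sits on a line the page dropped, worth confirming. I would parse into a temporary, reject NULL with a log line, and move the KEEPCAPS prctl next to `cap_set_proc` so that both results are checked together and a parse failure leaves the process state untouched. Both enclosing functions start and end outside their hunks.
```c
	} else if (limit_item == LIMIT_CAPS) {
	    cap_t caps = cap_from_text(value_orig);
	    if (caps == NULL) {
		_pam_log(LOG_WARNING, "unparsable capability set '%s'", value_orig);
	    } else {
		cap_free(pl->capabilities);
		pl->capabilities = caps;
		pl->caps_set = 1;
	    }
	}
	/* … unchanged: remaining limit_item branches … */

	/* in the apply function, replacing the HAVE_SYS_CAPABILITY_H block */
#ifdef HAVE_SYS_CAPABILITY_H
	if (!retval && pl->caps_set) {
	    if (prctl(PR_SET_KEEPCAPS, 1) != 0 || cap_set_proc(pl->capabilities) != 0) {
		retval = LIMIT_ERR;
	    }
	}
	cap_free(pl->capabilities);
#endif /* HAVE_SYS_CAPABILITY_H */
```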