1
1
Description: fix multiple issues caused by inadequate privilege dropping in the pam_env, pam_mail and pam_xauth modules
2
Origin: upstream, http://git.altlinux.org/people/ldv/packages/?p=pam.git;a=commit;h=60530da87ddd4ce280fbd5cae182dc7ac3b1a154
3
Origin: upstream, http://git.altlinux.org/people/ldv/packages/?p=pam.git;a=commit;h=06f882f30092a39a1db867c9744b2ca8d60e4ad6
4
Origin: upstream, http://git.altlinux.org/people/ldv/packages/?p=pam.git;a=commit;h=4e8357e4609be470ee5214be01e2d1d0e688f580
5
Origin: upstream, http://git.altlinux.org/people/ldv/packages/?p=pam.git;a=commit;h=ffe7058c70253d574b1963c7c93002bd410fddc9
6
Origin: upstream, http://git.altlinux.org/people/ldv/packages/?p=pam.git;a=commit;h=05dafc06cd3dfeb7c4b24942e4e1ae33ff75a123
7
Origin: upstream, http://git.altlinux.org/people/ldv/packages/?p=pam.git;a=commit;h=cee7448470a6fe895269c760134dc95d6952d260
8
Origin: upstream, http://git.altlinux.org/people/ldv/packages/?p=pam.git;a=commit;h=843807a3a90f52e7538be756616510730a24739a
2
Origin: backport, http://git.altlinux.org/people/ldv/packages/?p=pam.git;a=commit;h=60530da87ddd4ce280fbd5cae182dc7ac3b1a154
3
Origin: backport, http://git.altlinux.org/people/ldv/packages/?p=pam.git;a=commit;h=06f882f30092a39a1db867c9744b2ca8d60e4ad6
4
Origin: backport, http://git.altlinux.org/people/ldv/packages/?p=pam.git;a=commit;h=4e8357e4609be470ee5214be01e2d1d0e688f580
5
Origin: backport, http://git.altlinux.org/people/ldv/packages/?p=pam.git;a=commit;h=ffe7058c70253d574b1963c7c93002bd410fddc9
6
Origin: backport, http://git.altlinux.org/people/ldv/packages/?p=pam.git;a=commit;h=05dafc06cd3dfeb7c4b24942e4e1ae33ff75a123
7
Origin: backport, http://git.altlinux.org/people/ldv/packages/?p=pam.git;a=commit;h=cee7448470a6fe895269c760134dc95d6952d260
8
Origin: backport, http://git.altlinux.org/people/ldv/packages/?p=pam.git;a=commit;h=843807a3a90f52e7538be756616510730a24739a
9
9
Bug-Debian: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=599832
10
10
Bug-Debian: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=611136
12
12
Index: pam-1.1.1/libpam/Makefile.am
13
13
===================================================================
14
14
--- pam-1.1.1.orig/libpam/Makefile.am 2009-11-04 09:04:49.000000000 -0500
15
+++ pam-1.1.1/libpam/Makefile.am 2011-05-17 12:45:23.835438270 -0400
17
pam_vprompt.c pam_syslog.c pam_dynamic.c pam_audit.c \
18
pam_modutil_cleanup.c pam_modutil_getpwnam.c pam_modutil_ioloop.c \
19
pam_modutil_getgrgid.c pam_modutil_getpwuid.c pam_modutil_getgrnam.c \
20
- pam_modutil_getspnam.c pam_modutil_getlogin.c pam_modutil_ingroup.c
21
+ pam_modutil_getspnam.c pam_modutil_getlogin.c pam_modutil_ingroup.c \
23
Index: pam-1.1.1/libpam/Makefile.in
24
===================================================================
25
--- pam-1.1.1.orig/libpam/Makefile.in 2009-12-16 07:25:34.000000000 -0500
26
+++ pam-1.1.1/libpam/Makefile.in 2011-05-17 12:45:23.835438270 -0400
28
pam_modutil_getpwnam.lo pam_modutil_ioloop.lo \
29
pam_modutil_getgrgid.lo pam_modutil_getpwuid.lo \
30
pam_modutil_getgrnam.lo pam_modutil_getspnam.lo \
31
- pam_modutil_getlogin.lo pam_modutil_ingroup.lo
32
+ pam_modutil_getlogin.lo pam_modutil_ingroup.lo \
34
libpam_la_OBJECTS = $(am_libpam_la_OBJECTS)
35
libpam_la_LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) \
36
$(LIBTOOLFLAGS) --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) \
38
pam_vprompt.c pam_syslog.c pam_dynamic.c pam_audit.c \
39
pam_modutil_cleanup.c pam_modutil_getpwnam.c pam_modutil_ioloop.c \
40
pam_modutil_getgrgid.c pam_modutil_getpwuid.c pam_modutil_getgrnam.c \
41
- pam_modutil_getspnam.c pam_modutil_getlogin.c pam_modutil_ingroup.c
42
+ pam_modutil_getspnam.c pam_modutil_getlogin.c pam_modutil_ingroup.c \
48
@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/pam_modutil_getspnam.Plo@am__quote@
49
@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/pam_modutil_ingroup.Plo@am__quote@
50
@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/pam_modutil_ioloop.Plo@am__quote@
51
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/pam_modutil_priv.Plo@am__quote@
52
@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/pam_password.Plo@am__quote@
53
@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/pam_prelude.Plo@am__quote@
54
@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/pam_session.Plo@am__quote@
55
Index: pam-1.1.1/libpam/include/security/pam_modutil.h
56
===================================================================
57
--- pam-1.1.1.orig/libpam/include/security/pam_modutil.h 2011-05-17 12:45:04.855438275 -0400
58
+++ pam-1.1.1/libpam/include/security/pam_modutil.h 2011-05-17 12:45:23.835438270 -0400
60
extern int PAM_NONNULL((1,3))
61
pam_modutil_audit_write(pam_handle_t *pamh, int type,
62
const char *message, int retval);
64
+struct pam_modutil_privs {
66
+ int number_of_groups;
73
+#define PAM_MODUTIL_NGROUPS 64
74
+#define PAM_MODUTIL_DEF_PRIVS(n) \
75
+ gid_t n##_grplist[PAM_MODUTIL_NGROUPS]; \
76
+ struct pam_modutil_privs n = { n##_grplist, PAM_MODUTIL_NGROUPS, 0, -1, -1, 0 }
78
+extern int PAM_NONNULL((1,2,3))
79
+pam_modutil_drop_priv(pam_handle_t *pamh,
80
+ struct pam_modutil_privs *p,
81
+ const struct passwd *pw);
83
+extern int PAM_NONNULL((1,2))
84
+pam_modutil_regain_priv(pam_handle_t *pamh,
85
+ struct pam_modutil_privs *p);
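Review bot: `PAM_MODUTIL_DEF_PRIVS(n)` near the end of the hunk initialises `struct pam_modutil_privs` positionally, `{ n##_grplist, PAM_MODUTIL_NGROUPS, 0, -1, -1, 0 }`, while the struct itself is cut from this view except for `number_of_groups`; because the struct is being added to the public `pam_modutil.h`, designated initialisers naming each member would keep the macro correct if a member is ever reordered and would say which fields the two `-1` sentinels belong to. The macro also declares `n##_grplist` without an initialiser, which is fine only if `pam_modutil_drop_priv` writes the list before anything reads it — that code is in pam_modutil_priv.c, of which this page shows only `return PAM_SUCCESS;`. The two prototypes carry no documentation; a short comment stating the intended pairing (drop with `p` and `pw`, later regain with the same `p`) and that a non-`PAM_SUCCESS` return from drop means privileges were not dropped would help module authors, with the exact contract confirmed against pam_modutil_priv.c.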
90
Index: pam-1.1.1/libpam/libpam.map
91
===================================================================
92
--- pam-1.1.1.orig/libpam/libpam.map 2009-11-04 07:51:15.000000000 -0500
93
+++ pam-1.1.1/libpam/libpam.map 2011-05-17 12:45:23.835438270 -0400
96
pam_modutil_audit_write;
99
+LIBPAM_MODUTIL_1.1.3 {
101
+ pam_modutil_drop_priv;
102
+ pam_modutil_regain_priv;
103
+} LIBPAM_MODUTIL_1.1;
15
+++ pam-1.1.1/libpam/Makefile.am 2011-05-31 07:05:35.974558499 -0400
17
include/security/pam_ext.h include/security/pam_modutil.h
19
noinst_HEADERS = pam_prelude.h pam_private.h pam_tokens.h \
20
- pam_modutil_private.h pam_static_modules.h
21
+ pam_modutil_private.h pam_static_modules.h \
22
+ include/security/_pam_privs.h
24
libpam_la_LDFLAGS = -no-undefined -version-info 82:2:82
25
libpam_la_LIBADD = @LIBAUDIT@ $(LIBPRELUDE_LIBS) @LIBDL@
27
pam_modutil_cleanup.c pam_modutil_getpwnam.c pam_modutil_ioloop.c \
28
pam_modutil_getgrgid.c pam_modutil_getpwuid.c pam_modutil_getgrnam.c \
29
pam_modutil_getspnam.c pam_modutil_getlogin.c pam_modutil_ingroup.c
31
+noinst_LIBRARIES = libpamprivs.a
32
+libpamprivs_a_SOURCES = pam_modutil_priv.c
33
+libpamprivs_a_CFLAGS = $(AM_CFLAGS) -fPIC
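Review bot: The new `noinst_LIBRARIES = libpamprivs.a` (built with `-fPIC`) is linked statically into each consuming module, so pam_env, pam_mail and pam_xauth each carry their own copy of the privilege-dropping code and `libpam_la_LDFLAGS = -no-undefined -version-info 82:2:82` can stay untouched; that trade-off — no libpam ABI bump, but a later fix to pam_modutil_priv.c only reaches modules that are rebuilt, and out-of-tree modules cannot use the helper at all — is not recorded anywhere in the patch and deserves a sentence in the DEP-3 header. `include/security/_pam_privs.h` is listed under `noinst_HEADERS`, which matches that intent, but its `include/security/` location makes it look like a public header; a comment at the top of that header saying it is private to this source tree would stop someone later moving it to `include_HEADERS`. This hunk is one of two copies of libpam/Makefile.am on the page (timestamps 2011-05-17 and 2011-05-31), so which one is the current revision is inferred from the dates rather than shown.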
104
34
Index: pam-1.1.1/libpam/pam_modutil_priv.c
105
35
===================================================================
106
36
--- /dev/null 1970-01-01 00:00:00.000000000 +0000
107
+++ pam-1.1.1/libpam/pam_modutil_priv.c 2011-05-17 12:45:23.835438270 -0400
37
+++ pam-1.1.1/libpam/pam_modutil_priv.c 2011-05-31 07:05:35.974558499 -0400
744
699
return PAM_SUCCESS;
702
Index: pam-1.1.1/libpam/include/security/_pam_privs.h
703
===================================================================
704
--- /dev/null 1970-01-01 00:00:00.000000000 +0000
705
+++ pam-1.1.1/libpam/include/security/_pam_privs.h 2011-05-31 07:05:35.974558499 -0400
708
+ * Copyright (c) 2010 Dmitry V. Levin <ldv@altlinux.org>
710
+ * <security/pam_privs.h>
712
+ * Redistribution and use in source and binary forms, with or without
713
+ * modification, are permitted provided that the following conditions
715
+ * 1. Redistributions of source code must retain the above copyright
716
+ * notice, and the entire permission notice in its entirety,
717
+ * including the disclaimer of warranties.
718
+ * 2. Redistributions in binary form must reproduce the above copyright
719
+ * notice, this list of conditions and the following disclaimer in the
720
+ * documentation and/or other materials provided with the distribution.
721
+ * 3. The name of the author may not be used to endorse or promote
722
+ * products derived from this software without specific prior
723
+ * written permission.
725
+ * ALTERNATIVELY, this product may be distributed under the terms of
726
+ * the GNU Public License, in which case the provisions of the GPL are
727
+ * required INSTEAD OF the above restrictions. (This clause is
728
+ * necessary due to a potential bad interaction between the GPL and
729
+ * the restrictions contained in a BSD-style copyright.)
731
+ * THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED
732
+ * WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
733
+ * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
734
+ * DISCLAIMED. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT,
735
+ * INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
736
+ * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
737
+ * SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
738
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
739
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
740
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
741
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
744
+#ifndef _SECURITY__PAM_PRIVS_H
745
+#define _SECURITY__PAM_PRIVS_H
751
+#include <security/_pam_types.h>
753
+struct pam_modutil_privs {
755
+ int number_of_groups;
762
+#define PAM_MODUTIL_NGROUPS 64
763
+#define PAM_MODUTIL_DEF_PRIVS(n) \
764
+ gid_t n##_grplist[PAM_MODUTIL_NGROUPS]; \
765
+ struct pam_modutil_privs n = { n##_grplist, PAM_MODUTIL_NGROUPS, 0, -1, -1, 0 }
767
+extern int PAM_NONNULL((1,2,3))
768
+pam_modutil_drop_priv(pam_handle_t *pamh,
769
+ struct pam_modutil_privs *p,
770
+ const struct passwd *pw);
772
+extern int PAM_NONNULL((1,2))
773
+pam_modutil_regain_priv(pam_handle_t *pamh,
774
+ struct pam_modutil_privs *p);
780
+#endif /* _SECURITY__PAM_MODUTIL_H */
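Review bot: The closing `#endif /* _SECURITY__PAM_MODUTIL_H */` on the last line of the header names a different macro from the guard it opened with, `_SECURITY__PAM_PRIVS_H`, and the leading comment block calls the file `<security/pam_privs.h>` although it is named `_pam_privs.h`; both read as leftovers from copying pam_modutil.h and should become `#endif /* _SECURITY__PAM_PRIVS_H */` and ` * <security/_pam_privs.h>`. The prototypes take `const struct passwd *` but the only include shown is `<security/_pam_types.h>`; the lines between the guard and that include are not on this page, so `<pwd.h>` may already be pulled in there — worth confirming. `PAM_MODUTIL_NGROUPS 64` fixes the size of the saved supplementary-group list, and what `pam_modutil_drop_priv` does for a user with more groups than that lives in pam_modutil_priv.c, which this page shows only a fragment of; whatever it does, every caller must treat a non-`PAM_SUCCESS` return as fatal rather than proceed as if privileges were dropped, and that expectation belongs in a comment above the prototype.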
781
Index: pam-1.1.1/modules/pam_env/Makefile.am
782
===================================================================
783
--- pam-1.1.1.orig/modules/pam_env/Makefile.am 2009-06-29 03:24:27.000000000 -0400
784
+++ pam-1.1.1/modules/pam_env/Makefile.am 2011-05-31 07:05:35.974558499 -0400
788
securelib_LTLIBRARIES = pam_env.la
789
-pam_env_la_LIBADD = -L$(top_builddir)/libpam -lpam
790
+pam_env_la_LIBADD = -L$(top_builddir)/libpam -lpam -lpamprivs
792
secureconf_DATA = pam_env.conf
793
sysconf_DATA = environment
794
Index: pam-1.1.1/modules/pam_mail/Makefile.am
795
===================================================================
796
--- pam-1.1.1.orig/modules/pam_mail/Makefile.am 2009-06-29 03:24:27.000000000 -0400
797
+++ pam-1.1.1/modules/pam_mail/Makefile.am 2011-05-31 07:05:35.974558499 -0400
801
securelib_LTLIBRARIES = pam_mail.la
802
-pam_mail_la_LIBADD = -L$(top_builddir)/libpam -lpam
803
+pam_mail_la_LIBADD = -L$(top_builddir)/libpam -lpam -lpamprivs
805
if ENABLE_REGENERATE_MAN
807
Index: pam-1.1.1/modules/pam_xauth/Makefile.am
808
===================================================================
809
--- pam-1.1.1.orig/modules/pam_xauth/Makefile.am 2009-11-04 07:04:53.000000000 -0500
810
+++ pam-1.1.1/modules/pam_xauth/Makefile.am 2011-05-31 07:05:35.974558499 -0400
813
AM_CFLAGS = -I$(top_srcdir)/libpam/include -I$(top_srcdir)/libpamc/include
814
AM_LDFLAGS = -no-undefined -avoid-version -module \
815
- -L$(top_builddir)/libpam -lpam @LIBSELINUX@
816
+ -L$(top_builddir)/libpam -lpam -lpamprivs @LIBSELINUX@
818
AM_LDFLAGS += -Wl,--version-script=$(srcdir)/../modules.map
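Review bot: `-lpamprivs` is added to `AM_LDFLAGS` here, whereas the pam_env and pam_mail hunks put it in `*_la_LIBADD`; that follows this Makefile's existing habit of linking `-lpam` through `AM_LDFLAGS`, but LIBADD is where automake expects link libraries and places them after the objects in the generated link command, which is the safe position for a static archive. Moving the link line to `pam_xauth_la_LIBADD = -L$(top_builddir)/libpam -lpam -lpamprivs @LIBSELINUX@` and leaving `AM_LDFLAGS = -no-undefined -avoid-version -module` would make the three modules consistent. The version script on the following line is presumably what keeps the archive's `pam_modutil_*` symbols from being exported by the module, which is what you want, though the contents of modules.map are not on this page.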