summaryrefslogtreecommitdiff
path: root/debian/patches-applied/pam-loginuid-in-containers
diff options
context:
space:
mode:
authorSteve Langasek <vorlon@debian.org>2019-01-22 15:21:19 -0800
committerSteve Langasek <vorlon@debian.org>2019-01-24 11:54:00 -0800
commit5bbcd8f9bad73877325151b2024c6cdd858174b5 (patch)
tree424e9a64f3aaf5588154b86636cfa5cf6f79edad /debian/patches-applied/pam-loginuid-in-containers
parent5cd7bb4511a7c2b355a615f19a9eca193320aa3e (diff)
Refresh patches
Diffstat (limited to 'debian/patches-applied/pam-loginuid-in-containers')
-rw-r--r--debian/patches-applied/pam-loginuid-in-containers146
1 files changed, 0 insertions, 146 deletions
diff --git a/debian/patches-applied/pam-loginuid-in-containers b/debian/patches-applied/pam-loginuid-in-containers
deleted file mode 100644
index 1e965b2d..00000000
--- a/debian/patches-applied/pam-loginuid-in-containers
+++ /dev/null
@@ -1,146 +0,0 @@
-Author: St├ęphane Graber <stgraber@ubuntu.com>
-Description: pam_loginuid: Ignore failure in user namespaces
- When running pam_loginuid in a container using the user namespaces, even
- uid 0 isn't allowed to set the loginuid property.
- .
- This change catches the EACCES from opening loginuid, checks if the user
- is in the host namespace (by comparing the uid_map with the host's one)
- and only if that's the case, sets rc to 1.
- .
- Should uid_map not exist or be unreadable for some reason, it'll be
- assumed that the process is running on the host's namespace.
- .
- The initial reason behind this change was failure to ssh into an
- unprivileged container (using a 3.13 kernel and current LXC) when using
- a standard pam profile for sshd (which requires success from
- pam_loginuid).
- .
- I believe this solution doesn't have any drawback and will allow people
- to use unprivileged containers normally. An alternative would be to have
- all distros set pam_loginuid as optional but that'd be bad for any of
- the other potential failure case which people may care about.
- .
- There has also been some discussions to get some of the audit features
- tied with the user namespaces but currently none of that has been merged
- upstream and the currently proposed implementation doesn't cover
- loginuid (nor is it clear how this should even work when loginuid is set
- as immutable after initial write).
- .
- Signed-off-by: Steve Langasek <vorlon@debian.org>
- Signed-off-by: Dmitry V. Levin <ldv@altlinux.org>
-
-Index: ubuntu/modules/pam_loginuid/pam_loginuid.c
-===================================================================
---- ubuntu.orig/modules/pam_loginuid/pam_loginuid.c 2014-01-31 21:07:08.665185675 +0000
-+++ ubuntu/modules/pam_loginuid/pam_loginuid.c 2014-01-31 21:05:05.000000000 +0000
-@@ -47,25 +47,56 @@
-
- /*
- * This function writes the loginuid to the /proc system. It returns
-- * 0 on success and 1 on failure.
-+ * PAM_SUCCESS on success,
-+ * PAM_IGNORE when /proc/self/loginuid does not exist,
-+ * PAM_SESSION_ERR in case of any other error.
- */
- static int set_loginuid(pam_handle_t *pamh, uid_t uid)
- {
-- int fd, count, rc = 0;
-- char loginuid[24];
-+ int fd, count, rc = PAM_SESSION_ERR;
-+ char loginuid[24], buf[24];
-+ static const char host_uid_map[] = " 0 0 4294967295\n";
-+ char uid_map[sizeof(host_uid_map)];
-+
-+ /* loginuid in user namespaces currently isn't writable and in some
-+ case, not even readable, so consider any failure as ignorable (but try
-+ anyway, in case we hit a kernel which supports it). */
-+ fd = open("/proc/self/uid_map", O_RDONLY);
-+ if (fd >= 0) {
-+ count = pam_modutil_read(fd, uid_map, sizeof(uid_map));
-+ if (strncmp(uid_map, host_uid_map, count) != 0)
-+ rc = PAM_IGNORE;
-+ close(fd);
-+ }
-
-- count = snprintf(loginuid, sizeof(loginuid), "%lu", (unsigned long)uid);
-- fd = open("/proc/self/loginuid", O_NOFOLLOW|O_WRONLY|O_TRUNC);
-+ fd = open("/proc/self/loginuid", O_NOFOLLOW|O_RDWR);
- if (fd < 0) {
-- if (errno != ENOENT) {
-- rc = 1;
-- pam_syslog(pamh, LOG_ERR,
-- "Cannot open /proc/self/loginuid: %m");
-+ if (errno == ENOENT) {
-+ rc = PAM_IGNORE;
-+ }
-+ if (rc != PAM_IGNORE) {
-+ pam_syslog(pamh, LOG_ERR, "Cannot open %s: %m",
-+ "/proc/self/loginuid");
- }
- return rc;
- }
-- if (pam_modutil_write(fd, loginuid, count) != count)
-- rc = 1;
-+
-+ count = snprintf(loginuid, sizeof(loginuid), "%lu", (unsigned long)uid);
-+ if (pam_modutil_read(fd, buf, sizeof(buf)) == count &&
-+ memcmp(buf, loginuid, count) == 0) {
-+ rc = PAM_SUCCESS;
-+ goto done; /* already correct */
-+ }
-+ if (lseek(fd, 0, SEEK_SET) == 0 && ftruncate(fd, 0) == 0 &&
-+ pam_modutil_write(fd, loginuid, count) == count) {
-+ rc = PAM_SUCCESS;
-+ } else {
-+ if (rc != PAM_IGNORE) {
-+ pam_syslog(pamh, LOG_ERR, "Error writing %s: %m",
-+ "/proc/self/loginuid");
-+ }
-+ }
-+ done:
- close(fd);
- return rc;
- }
-@@ -165,6 +196,7 @@
- {
- const char *user = NULL;
- struct passwd *pwd;
-+ int ret;
- #ifdef HAVE_LIBAUDIT
- int require_auditd = 0;
- #endif
-@@ -183,9 +215,14 @@
- return PAM_SESSION_ERR;
- }
-
-- if (set_loginuid(pamh, pwd->pw_uid)) {
-- pam_syslog(pamh, LOG_ERR, "set_loginuid failed\n");
-- return PAM_SESSION_ERR;
-+ ret = set_loginuid(pamh, pwd->pw_uid);
-+ switch (ret) {
-+ case PAM_SUCCESS:
-+ case PAM_IGNORE:
-+ break;
-+ default:
-+ pam_syslog(pamh, LOG_ERR, "set_loginuid failed");
-+ return ret;
- }
-
- #ifdef HAVE_LIBAUDIT
-@@ -195,11 +232,12 @@
- argv++;
- }
-
-- if (require_auditd)
-- return check_auditd();
-- else
-+ if (require_auditd) {
-+ int rc = check_auditd();
-+ return rc != PAM_SUCCESS ? rc : ret;
-+ } else
- #endif
-- return PAM_SUCCESS;
-+ return ret;
- }
-
- /*