author | Laurent Bigonville <bigon@debian.org> | 2016-05-17 17:04:29 -0700 |
---|---|---|
committer | Steve Langasek <vorlon@debian.org> | 2019-01-08 22:12:40 -0800 |
commit | fa4a5c961c7705f80c2026f424ec9a012ceefa55 (patch) | |
tree | 09773e1fdbb5033e1d0d3a890eb056e8eecc35e4 /debian/patches-applied/pam-loginuid-in-containers | |
parent | 145032103cf7230bc0be74157885e5cf035ac006 (diff) | |
parent | 3fb0d1c3c727bd5b2e01fdc3e59e8d48bc384ce3 (diff) |
Import Debian changes 1.1.8-3.3
pam (1.1.8-3.3) unstable; urgency=low
* Non-maintainer upload.
[ Steve Langasek ]
* Updated Swedish translation to correct a typo, thanks to Anders Jonsson
and Martin Bagge. Closes: #743875
* Updated Turkish translation, thanks to Mert Dirik <mertdirik@gmail.com>.
(closes: #756756)
* d/applied-patches/pam-limits-nofile-fd-setsize-cap: cap the default
soft nofile limit read from pid 1 to FD_SETSIZE. Thanks to Robie Basak
<robie.basak@ubuntu.com> for the patch. Closes: #783105.
* Acknowledge security NMU.
* pam-auth-update: don't mishandle trailing whitespace in profiles.
LP: #1487103.
[ Laurent Bigonville ]
* debian/control: Fix Vcs-* and Homepage fields (Closes: #752343)
* debian/watch: Update watch file and point it to http://www.linux-pam.org
* debian/patches-applied/pam_namespace_fix_bashism.patch: Fix bashism in
namespace.init script (Closes: #624842)
* debian/control: Build-depends against debhelper (>= 9) to match the
defined debhelper compatibility
* Rename the cve-2011-4708.patch to cve-2010-4708.patch to match reality,
thanks to Jakub Wilk <jwilk@debian.org> for noticing (Closes: #761594)
* debian/control: Bump Standards-Version to 3.9.8 (no further changes)
* debian/libpam-doc.doc-base.applications-guide: Fix spelling
* debian/libpam0g-dev.examples: Do not use shell brace expansion
* debian/patches-applied/pam-loginuid-in-containers: Updated with the version
from Ubuntu, this should fix logins in containers (Closes: #726661)
* debian/patches-applied/update-motd: Updated with the version from Ubuntu:
use /run/motd.dynamic instead of /var/run/motd, nothing in the archive
uses the latter (Closes: #743286)
* debian/patches-applied/make_documentation_reproducible.patch: Make the
build reproducible, removes differences when building with different
locale values (Closes: #792127)
Diffstat (limited to 'debian/patches-applied/pam-loginuid-in-containers')
-rw-r--r-- | debian/patches-applied/pam-loginuid-in-containers | 52 |
1 files changed, 31 insertions, 21 deletions
diff --git a/debian/patches-applied/pam-loginuid-in-containers b/debian/patches-applied/pam-loginuid-in-containers index bea1e32f..1e965b2d 100644 --- a/debian/patches-applied/pam-loginuid-in-containers +++ b/debian/patches-applied/pam-loginuid-in-containers @@ -29,11 +29,11 @@ Description: pam_loginuid: Ignore failure in user namespaces Signed-off-by: Steve Langasek <vorlon@debian.org> Signed-off-by: Dmitry V. Levin <ldv@altlinux.org> -Index: pam.deb/modules/pam_loginuid/pam_loginuid.c +Index: ubuntu/modules/pam_loginuid/pam_loginuid.c =================================================================== ---- pam.deb.orig/modules/pam_loginuid/pam_loginuid.c -+++ pam.deb/modules/pam_loginuid/pam_loginuid.c -@@ -46,25 +46,49 @@ +--- ubuntu.orig/modules/pam_loginuid/pam_loginuid.c 2014-01-31 21:07:08.665185675 +0000 ++++ ubuntu/modules/pam_loginuid/pam_loginuid.c 2014-01-31 21:05:05.000000000 +0000 +@@ -47,25 +47,56 @@ /* * This function writes the loginuid to the /proc system. It returns 
@@ -50,48 +50,58 @@ Index: pam.deb/modules/pam_loginuid/pam_loginuid.c + char loginuid[24], buf[24]; + static const char host_uid_map[] = " 0 0 4294967295\n"; + char uid_map[sizeof(host_uid_map)]; ++ ++ /* loginuid in user namespaces currently isn't writable and in some ++ case, not even readable, so consider any failure as ignorable (but try ++ anyway, in case we hit a kernel which supports it). */ ++ fd = open("/proc/self/uid_map", O_RDONLY); ++ if (fd >= 0) { ++ count = pam_modutil_read(fd, uid_map, sizeof(uid_map)); ++ if (strncmp(uid_map, host_uid_map, count) != 0) ++ rc = PAM_IGNORE; ++ close(fd); ++ } - count = snprintf(loginuid, sizeof(loginuid), "%lu", (unsigned long)uid); +- count = snprintf(loginuid, sizeof(loginuid), "%lu", (unsigned long)uid); - fd = open("/proc/self/loginuid", O_NOFOLLOW|O_WRONLY|O_TRUNC); + fd = open("/proc/self/loginuid", O_NOFOLLOW|O_RDWR); if (fd < 0) { - if (errno != ENOENT) { - rc = 1; +- pam_syslog(pamh, LOG_ERR, +- "Cannot open /proc/self/loginuid: %m"); + if (errno == ENOENT) { + rc = PAM_IGNORE; -+ } else if (errno == EACCES) { -+ fd = open("/proc/self/uid_map", O_RDONLY); -+ if (fd >= 0) { -+ count = pam_modutil_read(fd, uid_map, sizeof(uid_map)); -+ if (strncmp(uid_map, host_uid_map, count) != 0) -+ rc = PAM_IGNORE; -+ close(fd); -+ } -+ if (rc != PAM_IGNORE) -+ errno = EACCES; + } + if (rc != PAM_IGNORE) { - pam_syslog(pamh, LOG_ERR, - "Cannot open /proc/self/loginuid: %m"); ++ pam_syslog(pamh, LOG_ERR, "Cannot open %s: %m", ++ "/proc/self/loginuid"); } return rc; } - if (pam_modutil_write(fd, loginuid, count) != count) - rc = 1; + ++ count = snprintf(loginuid, sizeof(loginuid), "%lu", (unsigned long)uid); + if (pam_modutil_read(fd, buf, sizeof(buf)) == count && + memcmp(buf, loginuid, count) == 0) { + rc = PAM_SUCCESS; + goto done; /* already correct */ + } + if (lseek(fd, 0, SEEK_SET) == 0 && ftruncate(fd, 0) == 0 && -+ pam_modutil_write(fd, loginuid, count) == count) ++ pam_modutil_write(fd, loginuid, count) == count) 
{ + rc = PAM_SUCCESS; ++ } else { ++ if (rc != PAM_IGNORE) { ++ pam_syslog(pamh, LOG_ERR, "Error writing %s: %m", ++ "/proc/self/loginuid"); ++ } ++ } + done: close(fd); return rc; } -@@ -164,6 +188,7 @@ +@@ -165,6 +196,7 @@ { const char *user = NULL; struct passwd *pwd; @@ -99,7 +109,7 @@ Index: pam.deb/modules/pam_loginuid/pam_loginuid.c #ifdef HAVE_LIBAUDIT int require_auditd = 0; #endif -@@ -182,9 +207,14 @@ +@@ -183,9 +215,14 @@ return PAM_SESSION_ERR; } @@ -117,7 +127,7 @@ Index: pam.deb/modules/pam_loginuid/pam_loginuid.c } #ifdef HAVE_LIBAUDIT -@@ -194,11 +224,12 @@ +@@ -195,11 +232,12 @@ argv++; } |
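Review bot: The return value of `pam_modutil_read()` on `/proc/self/uid_map` is passed straight to `strncmp()` as the length, so a failed read (negative `count`) compares against an uninitialised `uid_map`, and a zero-length or short read that matches a prefix of `host_uid_map` is taken for the host namespace. This check decides whether a later failure to open or write `/proc/self/loginuid` is returned as `PAM_IGNORE` with no log entry, so the comparison should be exact: `if (count > 0 && ((size_t)count != sizeof(host_uid_map) - 1 || memcmp(uid_map, host_uid_map, (size_t)count) != 0)) rc = PAM_IGNORE;`. That form leaves `rc` untouched on a read error, so an unreadable map does not silently relax the audit requirement. The start of the function, including the declarations of `count` and `rc`, lies outside the hunk, so their types and initial values are assumed here.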