diff options
| author | Laurent Bigonville <bigon@debian.org> | 2016-05-17 17:04:29 -0700 |
|---|---|---|
| committer | Steve Langasek <vorlon@debian.org> | 2019-01-08 22:12:40 -0800 |
| commit | fa4a5c961c7705f80c2026f424ec9a012ceefa55 (patch) | |
| tree | 09773e1fdbb5033e1d0d3a890eb056e8eecc35e4 /debian/patches-applied/pam_namespace_fix_bashism.patch | |
| parent | 145032103cf7230bc0be74157885e5cf035ac006 (diff) | |
| parent | 3fb0d1c3c727bd5b2e01fdc3e59e8d48bc384ce3 (diff) | |
Import Debian changes 1.1.8-3.3
pam (1.1.8-3.3) unstable; urgency=low
* Non-maintainer upload.
[ Steve Langasek ]
* Updated Swedish translation to correct a typo, thanks to Anders Jonsson
and Martin Bagge. Closes: #743875
* Updated Turkish translation, thanks to Mert Dirik <mertdirik@gmail.com>.
(closes: #756756)
* d/applied-patches/pam-limits-nofile-fd-setsize-cap: cap the default
soft nofile limit read from pid 1 to FD_SETSIZE. Thanks to Robie Basak
<robie.basak@ubuntu.com> for the patch. Closes: #783105.
* Acknowledge security NMU.
* pam-auth-update: don't mishandle trailing whitespace in profiles.
LP: #1487103.
[ Laurent Bigonville ]
* debian/control: Fix Vcs-* and Homepage fields (Closes: #752343)
* debian/watch: Update watch file and point it to http://www.linux-pam.org
* debian/patches-applied/pam_namespace_fix_bashism.patch: Fix bashism in
namespace.init script (Closes: #624842)
* debian/control: Build-depends against debhelper (>= 9) to match the
defined debhelper compatibility
* Rename the cve-2011-4708.patch to cve-2010-4708.patch to match reality,
thanks to Jakub Wilk <jwilk@debian.org> for noticing (Closes: #761594)
* debian/control: Bump Standards-Version to 3.9.8 (no further changes)
* debian/libpam-doc.doc-base.applications-guide: Fix spelling
* debian/libpam0g-dev.examples: Do not use shell brace expansion
* debian/patches-applied/pam-loginuid-in-containers: Updated with the version
from Ubuntu, this should fix logins in containers (Closes: #726661)
* debian/patches-applied/update-motd: Updated with the version from Ubuntu:
use /run/motd.dynamic instead of /var/run/motd, nothing in the archive
uses the later (Closes: #743286)
* debian/patches-applied/make_documentation_reproducible.patch: Make the
build reproducible, removes differences when building with different
locale values (Closes: #792127)
Diffstat (limited to 'debian/patches-applied/pam_namespace_fix_bashism.patch')
| -rw-r--r-- | debian/patches-applied/pam_namespace_fix_bashism.patch | 61 |
1 files changed, 61 insertions, 0 deletions
diff --git a/debian/patches-applied/pam_namespace_fix_bashism.patch b/debian/patches-applied/pam_namespace_fix_bashism.patch new file mode 100644 index 00000000..6c6f1861 --- /dev/null +++ b/debian/patches-applied/pam_namespace_fix_bashism.patch @@ -0,0 +1,61 @@ +From fbc65c39d6853af268c9a093923afc876d0b138e Mon Sep 17 00:00:00 2001 +From: Steve Langasek <vorlon@debian.org> +Date: Tue, 14 Jan 2014 19:48:51 -0800 +Subject: pam_namespace: don't use bashisms in default namespace.init script + +* modules/pam_namespace/pam_namespace.c: call setuid() before execing the +namespace init script, so that scripts run with maximum privilege regardless +of the shell implementation. +* modules/pam_namespace/namespace.init: drop the '-p' bashism from the +shebang line + +This is not a POSIX standard option, it's a bashism. The bash manpage says +that it's used to prevent the effective user id from being reset to the real +user id on startup, and to ignore certain unsafe variables from the +environment. + +In the case of pam_namespace, the -p is not necessary for environment +sanitizing because the PAM module (properly) sanitizes the environment +before execing the script. + +The stated reason given in CVS history for passing -p is to "preserve euid +when called from setuid apps (su, newrole)." This should be done more +portably, by calling setuid() before spawning the shell. + +Signed-off-by: Steve Langasek <vorlon@debian.org> +Bug-Debian: http://bugs.debian.org/624842 +Bug-Ubuntu: https://bugs.launchpad.net/bugs/1081323 +--- + modules/pam_namespace/namespace.init | 2 +- + modules/pam_namespace/pam_namespace.c | 5 +++++ + 2 files changed, 6 insertions(+), 1 deletion(-) + +diff --git a/modules/pam_namespace/namespace.init b/modules/pam_namespace/namespace.init +index 9ab5806..67d4aa2 100755 +--- a/modules/pam_namespace/namespace.init ++++ b/modules/pam_namespace/namespace.init +@@ -1,4 +1,4 @@ +-#!/bin/sh -p ++#!/bin/sh + # It receives polydir path as $1, the instance path as $2, + # a flag whether the instance dir was newly created (0 - no, 1 - yes) in $3, + # and user name in $4. +diff --git a/modules/pam_namespace/pam_namespace.c b/modules/pam_namespace/pam_namespace.c +index e0d5e30..92883f5 100644 +--- a/modules/pam_namespace/pam_namespace.c ++++ b/modules/pam_namespace/pam_namespace.c +@@ -1205,6 +1205,11 @@ static int inst_init(const struct polydir_s *polyptr, const char *ipath, + _exit(1); + } + #endif ++ /* Pass maximum privs when we exec() */ ++ if (setuid(geteuid()) < 0) { ++ /* ignore failures, they don't matter */ ++ } ++ + if (execle(init_script, init_script, + polyptr->dir, ipath, newdir?"1":"0", idata->user, NULL, envp) < 0) + _exit(1); +-- +cgit v0.12 + |