authorSteve Langasek <vorlon@debian.org>2008-07-26 11:55:03 -0700
committerSteve Langasek <steve.langasek@ubuntu.com>2019-01-03 17:01:53 -0800
commit4a29ef333c8d76a6fdef5f1b52a1d7544e67e9e7 (patch)
tree5ef409e7aba72e2589bf74c5b501c0b68c38dc92 /debian/patches-applied
parentf19948eec9253c72d5694c6f90928b02725d5e03 (diff)
Drop patch 049_pam_unix_sane_locking, which upon review is not needed;
it reduces the length of time we hold the lock, but at the expense of being able to enforce minimum times between password changes.
Diffstat (limited to 'debian/patches-applied')
-rw-r--r--debian/patches-applied/049_pam_unix_sane_locking150
-rw-r--r--debian/patches-applied/series3
2 files changed, 1 insertions, 152 deletions
diff --git a/debian/patches-applied/049_pam_unix_sane_locking b/debian/patches-applied/049_pam_unix_sane_locking
deleted file mode 100644
index 3baced2f..00000000
--- a/debian/patches-applied/049_pam_unix_sane_locking
+++ /dev/null
@@ -1,150 +0,0 @@
-Delta from 1.12 to 1.13 from Linux-PAM pam_unix_passwd.c
-made to work with our changes. Not sure this is actually relevant, as
-other changes seem to have been made upstream. This patch was
-specifically reverted in upstream CVS revision 1.18 as introducing a
-"race".
-
-Index: Linux-PAM/modules/pam_unix/pam_unix_passwd.c
-===================================================================
---- Linux-PAM/modules/pam_unix/pam_unix_passwd.c.orig
-+++ Linux-PAM/modules/pam_unix/pam_unix_passwd.c
-@@ -749,8 +749,7 @@
- char *towhat, unsigned int ctrl, int remember)
- {
- struct passwd *pwd = NULL;
-- int retval = 0;
-- int unlocked = 0;
-+ int retval = 0, i = 0;
- char *master = NULL;
-
- D(("called"));
-@@ -770,12 +769,6 @@
- int status;
- enum clnt_stat err;
-
-- /* Unlock passwd file to avoid deadlock */
--#ifdef USE_LCKPWDF
-- ulckpwdf();
--#endif
-- unlocked = 1;
--
- /* Initialize password information */
- yppwd.newpw.pw_passwd = pwd->pw_passwd;
- yppwd.newpw.pw_name = pwd->pw_name;
-@@ -833,29 +826,28 @@
- }
-
- if (_unix_comesfromsource(pamh, forwho, 1, 0)) {
--#ifdef USE_LCKPWDF
-- if(unlocked) {
-- int i = 0;
-- /* These values for the number of attempts and the sleep time
-- are, of course, completely arbitrary.
-- My reading of the PAM docs is that, once pam_chauthtok() has been
-- called with PAM_UPDATE_AUTHTOK, we are obliged to take any
-- reasonable steps to make sure the token is updated; so retrying
-- for 1/10 sec. isn't overdoing it. */
-- while((retval = lckpwdf()) != 0 && i < 100) {
-- usleep(1000);
-- i++;
-- }
-- if(retval != 0) {
-- return PAM_AUTHTOK_LOCK_BUSY;
-- }
-- }
--#endif
- /* first, save old password */
- if (save_old_password(pamh, forwho, fromwhat, remember)) {
- retval = PAM_AUTHTOK_ERR;
- goto done;
- }
-+
-+#ifdef USE_LCKPWDF
-+ /* These values for the number of attempts and the sleep time
-+ are, of course, completely arbitrary.
-+ My reading of the PAM docs is that, once pam_chauthtok() has been
-+ called with PAM_UPDATE_AUTHTOK, we are obliged to take any
-+ reasonable steps to make sure the token is updated; so retrying
-+ for 1/10 sec. isn't overdoing it. */
-+ while((retval = lckpwdf()) != 0 && i < 100) {
-+ usleep(1000);
-+ i++;
-+ }
-+ if(retval != 0) {
-+ retval = PAM_AUTHTOK_LOCK_BUSY;
-+ goto done;
-+ }
-+#endif
- if (on(UNIX_SHADOW, ctrl) || _unix_shadowed(pwd)) {
- retval = _update_shadow(pamh, forwho, towhat);
- #ifdef WITH_SELINUX
-@@ -1024,7 +1016,7 @@
- int argc, const char **argv)
- {
- unsigned int ctrl, lctrl;
-- int retval, i;
-+ int retval;
- int remember = -1;
-
- /* <DO NOT free() THESE> */
-@@ -1255,30 +1247,11 @@
- pass_new = pass_old = NULL; /* tidy up */
- return retval;
- }
--#ifdef USE_LCKPWDF
-- /* These values for the number of attempts and the sleep time
-- are, of course, completely arbitrary.
-- My reading of the PAM docs is that, once pam_chauthtok() has been
-- called with PAM_UPDATE_AUTHTOK, we are obliged to take any
-- reasonable steps to make sure the token is updated; so retrying
-- for 1/10 sec. isn't overdoing it. */
-- i=0;
-- while((retval = lckpwdf()) != 0 && i < 100) {
-- usleep(1000);
-- i++;
-- }
-- if(retval != 0) {
-- return PAM_AUTHTOK_LOCK_BUSY;
-- }
--#endif
-
- if (pass_old) {
- retval = _unix_verify_password(pamh, user, pass_old, ctrl);
- if (retval != PAM_SUCCESS) {
- pam_syslog(pamh, LOG_NOTICE, "user password changed by another process");
--#ifdef USE_LCKPWDF
-- ulckpwdf();
--#endif
- return retval;
- }
- }
-@@ -1286,9 +1259,6 @@
- retval = _unix_verify_shadow(pamh, user, ctrl);
- if (retval != PAM_SUCCESS) {
- pam_syslog(pamh, LOG_NOTICE, "user not authenticated 2");
--#ifdef USE_LCKPWDF
-- ulckpwdf();
--#endif
- return retval;
- }
-
-@@ -1297,9 +1267,6 @@
- pam_syslog(pamh, LOG_NOTICE,
- "new password not acceptable 2");
- pass_new = pass_old = NULL; /* tidy up */
--#ifdef USE_LCKPWDF
-- ulckpwdf();
--#endif
- return retval;
- }
-
-@@ -1341,9 +1308,6 @@
- pam_syslog(pamh, LOG_CRIT,
- "out of memory for password");
- pass_new = pass_old = NULL; /* tidy up */
--#ifdef USE_LCKPWDF
-- ulckpwdf();
--#endif
- return PAM_BUF_ERR;
- }
- /* copy first 8 bytes of password */
diff --git a/debian/patches-applied/series b/debian/patches-applied/series
index 131a9f8b..e1705f85 100644
--- a/debian/patches-applied/series
+++ b/debian/patches-applied/series
@@ -5,13 +5,12 @@
026_pam_unix_passwd_unknown_user
do_not_check_nis_accidentally
027_pam_limits_better_init_allow_explicit_root
-031_pam_include -p2
+031_pam_include
032_pam_limits_EPERM_NOT_FATAL
036_pam_wheel_getlogin_considered_harmful
hurd_no_setfsuid
040_pam_limits_log_failure
045_pam_dispatch_jump_is_ignore
-049_pam_unix_sane_locking
054_pam_security_abstract_securetty_handling
055_pam_unix_nullok_secure
057_pam_unix_passwd_OOM_check
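Review bot: The `-p2` strip option is removed from the `031_pam_include` entry in this hunk, but the commit description covers only dropping 049_pam_unix_sane_locking, and the diffstat shows no change to the 031_pam_include patch file itself. If that patch still uses paths that need two components stripped, it will now be applied at the default strip level and may fail to apply. Confirm the patch was already refreshed in an earlier commit, or restore `031_pam_include -p2`. Either way, the description should mention the change, for example `Also drop the -p2 option from 031_pam_include in series.`, so that the edit to a PAM patch entry is traceable in the history.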