summaryrefslogtreecommitdiff
path: root/debian/patches-applied
diff options
context:
space:
mode:
authorSteve Langasek <vorlon@debian.org>2009-02-28 11:14:17 -0800
committerSteve Langasek <steve.langasek@ubuntu.com>2019-01-03 17:28:22 -0800
commitd534d7165ddc41b5e81400b57dbd2a3efcfba10b (patch)
tree45e0623a5952a09437cee59e6216662d174b162f /debian/patches-applied
parent5c47dbc3a15e99aefaf53820bacd49f1bf17734d (diff)
New patch dont_freeze_password_chain, cherry-picked from upstream:
don't always follow the same path through the password stack on the PAM_UPDATE_AUTHTOK pass as was used in the PAM_PRELIM_CHECK pass; this Linux-PAM deviation from the original PAM spec causes a number of problems, in particular causing wrong return values when using the refactored pam-auth-update stack. LP: #303515, #305882.
Diffstat (limited to 'debian/patches-applied')
-rw-r--r--debian/patches-applied/dont_freeze_password_chain117
-rw-r--r--debian/patches-applied/series1
2 files changed, 118 insertions, 0 deletions
diff --git a/debian/patches-applied/dont_freeze_password_chain b/debian/patches-applied/dont_freeze_password_chain
new file mode 100644
index 00000000..799d0a0e
--- /dev/null
+++ b/debian/patches-applied/dont_freeze_password_chain
@@ -0,0 +1,117 @@
+Don't freeze the chain for chauthtok.
+
+bugzilla.novell.com#470337, LP: #303515.
+
+Author: Thorsten Kukuk <kukuk@thkukuk.de>
+
+Upstream status: cherry-picked from upstream.
+
+=== modified file 'doc/man/pam_sm_chauthtok.3.xml'
+--- doc/man/pam_sm_chauthtok.3.xml 2006-06-28 14:22:40 +0000
++++ doc/man/pam_sm_chauthtok.3.xml 2009-02-18 00:34:47 +0000
+@@ -40,7 +40,7 @@
+ </citerefentry> interface.
+ </para>
+ <para>
+- This function is used to (re-)set the authentication token of the user.
++ This function is used to (re-)set the authentication token of the user.
+ </para>
+ <para>
+ Valid flags, which may be logically OR'd with
+@@ -60,10 +60,10 @@
+ <listitem>
+ <para>
+ This argument indicates to the module that the users
+- authentication token (password) should only be changed if
+- it has expired. This flag is optional and
+- <emphasis>must</emphasis> be combined with one of the
+- following two flags. Note, however, the following two options
++ authentication token (password) should only be changed if
++ it has expired. This flag is optional and
++ <emphasis>must</emphasis> be combined with one of the
++ following two flags. Note, however, the following two options
+ are <emphasis>mutually exclusive</emphasis>.
+ </para>
+ </listitem>
+@@ -72,15 +72,20 @@
+ <term>PAM_PRELIM_CHECK</term>
+ <listitem>
+ <para>
+- This indicates that the modules are being probed as to
+- their ready status for altering the user's authentication
+- token. If the module requires access to another system over
+- some network it should attempt to verify it can connect to
+- this system on receiving this flag. If a module cannot establish
+- it is ready to update the user's authentication token it should
++ This indicates that the modules are being probed as to
++ their ready status for altering the user's authentication
++ token. If the module requires access to another system over
++ some network it should attempt to verify it can connect to
++ this system on receiving this flag. If a module cannot establish
++ it is ready to update the user's authentication token it should
+ return <emphasis remap='B'>PAM_TRY_AGAIN</emphasis>, this
+ information will be passed back to the application.
+ </para>
++ <para>
++ If the control value <emphasis>sufficient</emphasis> is used in
++ the password stack, the <emphasis>PAM_PRELIM_CHECK</emphasis> section
++ of the modules following that control value is not always executed.
++ </para>
+ </listitem>
+ </varlistentry>
+ <varlistentry>
+@@ -89,18 +94,18 @@
+ <para>
+ This informs the module that this is the call it should change
+ the authorization tokens. If the flag is logically OR'd with
+- <emphasis remap='B'>PAM_CHANGE_EXPIRED_AUTHTOK</emphasis>, the
++ <emphasis remap='B'>PAM_CHANGE_EXPIRED_AUTHTOK</emphasis>, the
+ token is only changed if it has actually expired.
+ </para>
+ </listitem>
+ </varlistentry>
+ </variablelist>
+ <para>
+- The PAM library calls this function twice in succession. The first
+- time with <emphasis remap='B'>PAM_PRELIM_CHECK</emphasis> and then,
+- if the module does not return
++ The PAM library calls this function twice in succession. The first
++ time with <emphasis remap='B'>PAM_PRELIM_CHECK</emphasis> and then,
++ if the module does not return
+ <emphasis remap='B'>PAM_TRY_AGAIN</emphasis>, subsequently with
+- <emphasis remap='B'>PAM_UPDATE_AUTHTOK</emphasis>. It is only on
++ <emphasis remap='B'>PAM_UPDATE_AUTHTOK</emphasis>. It is only on
+ the second call that the authorization token is (possibly) changed.
+ </para>
+ </refsect1>
+
+=== modified file 'libpam/pam_dispatch.c'
+--- libpam/pam_dispatch.c 2008-12-03 22:16:33 +0000
++++ libpam/pam_dispatch.c 2009-02-18 00:34:47 +0000
+@@ -132,11 +132,10 @@
+ }
+
+ /*
+- * use_cached_chain is how we ensure that the setcred/close_session
+- * and chauthtok(2) modules are called in the same order as they did
+- * when they were invoked as auth/open_session/chauthtok(1). This
+- * feature was added in 0.75 to make the behavior of pam_setcred
+- * sane. It was debugged by release 0.76.
++ * use_cached_chain is how we ensure that the setcred and
++ * close_session modules are called in the same order as they did
++ * when they were invoked as auth/open_session. This feature was
++ * added in 0.75 to make the behavior of pam_setcred sane.
+ */
+ if (use_cached_chain != _PAM_PLEASE_FREEZE) {
+
+@@ -358,9 +357,6 @@
+ break;
+ case PAM_CHAUTHTOK:
+ h = pamh->handlers.conf.chauthtok;
+- if (flags & PAM_UPDATE_AUTHTOK) {
+- use_cached_chain = _PAM_MUST_BE_FROZEN;
+- }
+ break;
+ default:
+ pam_syslog(pamh, LOG_ERR, "undefined fn choice; %d", choice);
+
diff --git a/debian/patches-applied/series b/debian/patches-applied/series
index 8035591b..a1e163ed 100644
--- a/debian/patches-applied/series
+++ b/debian/patches-applied/series
@@ -21,3 +21,4 @@ pam_env_ignore_garbage.patch -p2
pam.d-manpage-section
pam_unix-chkpwd-wait
autoconf.patch
+dont_freeze_password_chain -p0