-rw-r--r--ChangeLog9
-rw-r--r--NEWS6
-rw-r--r--configure.in2
-rw-r--r--modules/pam_tally2/pam_tally2.8.xml12
-rw-r--r--modules/pam_xauth/pam_xauth.c45
5 files changed, 43 insertions, 31 deletions
diff --git a/ChangeLog b/ChangeLog
index 107f7651..d7d808b0 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,12 @@
+2011-10-25 Thorsten Kukuk <kukuk@thkukuk.de>
+
+ * release version 1.1.5
+
+ * configure.in: Bump version number.
+
+ * modules/pam_tally2/pam_tally2.8.xml: Remove never used option
+ "no_lock_time".
+
2011-10-14 Kees Cook <kees@debian.org>
* modules/pam_env/pam_env.c (_expand_arg): Abort when encountering an
diff --git a/NEWS b/NEWS
index a80a2ab9..81f961f1 100644
--- a/NEWS
+++ b/NEWS
@@ -1,5 +1,11 @@
Linux-PAM NEWS -- history of user-visible changes.
+Release 1.1.5
+* pam_env: Fix CVE-2011-3148 and CVE-2011-3149
+* pam_access: Add hostname resolution cache
+* Documentation: Improvements/fixes
+
+
Release 1.1.4
* Add vietnamese translation
diff --git a/configure.in b/configure.in
index 7940a94e..5058155f 100644
--- a/configure.in
+++ b/configure.in
@@ -1,7 +1,7 @@
dnl Process this file with autoconf to produce a configure script.
AC_INIT
AC_CONFIG_SRCDIR([conf/pam_conv1/pam_conv_y.y])
-AM_INIT_AUTOMAKE("Linux-PAM", 1.1.4)
+AM_INIT_AUTOMAKE("Linux-PAM", 1.1.5)
AC_PREREQ(2.61)
AC_CONFIG_HEADERS([config.h])
AC_CONFIG_MACRO_DIR([m4])
diff --git a/modules/pam_tally2/pam_tally2.8.xml b/modules/pam_tally2/pam_tally2.8.xml
index 4ad529fd..5fecea24 100644
--- a/modules/pam_tally2/pam_tally2.8.xml
+++ b/modules/pam_tally2/pam_tally2.8.xml
@@ -238,17 +238,6 @@
</varlistentry>
<varlistentry>
<term>
- <option>no_lock_time</option>
- </term>
- <listitem>
- <para>
- Do not use the .fail_locktime field in
- <filename>/var/log/faillog</filename> for this user.
- </para>
- </listitem>
- </varlistentry>
- <varlistentry>
- <term>
<option>even_deny_root</option>
</term>
<listitem>
@@ -446,4 +435,3 @@ session optional pam_mail.so standard
</refsect1>
</refentry>
-
diff --git a/modules/pam_xauth/pam_xauth.c b/modules/pam_xauth/pam_xauth.c
index a64ae89f..88624b1c 100644
--- a/modules/pam_xauth/pam_xauth.c
+++ b/modules/pam_xauth/pam_xauth.c
@@ -459,24 +459,33 @@ pam_sm_open_session (pam_handle_t *pamh, int flags UNUSED,
goto cleanup;
}
- /* Check that both users are amenable to this. By default, this
- * boils down to this policy:
- * export(ruser=root): only if <user> is listed in .xauth/export
- * export(ruser=*) if <user> is listed in .xauth/export, or
- * if .xauth/export does not exist
- * import(user=*): if <ruser> is listed in .xauth/import, or
- * if .xauth/import does not exist */
- i = (getuid() != 0 || tpwd->pw_uid == 0) ? PAM_SUCCESS : PAM_PERM_DENIED;
- i = check_acl(pamh, "export", rpwd->pw_name, user, i, debug);
- if (i != PAM_SUCCESS) {
- retval = PAM_SESSION_ERR;
- goto cleanup;
- }
- i = PAM_SUCCESS;
- i = check_acl(pamh, "import", user, rpwd->pw_name, i, debug);
- if (i != PAM_SUCCESS) {
- retval = PAM_SESSION_ERR;
- goto cleanup;
+
+ /* If current user and the target user are the same, don't
+ check the ACL list, but forward X11 */
+ if (strcmp (rpwd->pw_name, tpwd->pw_name) != 0) {
+
+ /* Check that both users are amenable to this. By default, this
+ * boils down to this policy:
+ * export(ruser=root): only if <user> is listed in .xauth/export
+ * export(ruser=*) if <user> is listed in .xauth/export, or
+ * if .xauth/export does not exist
+ * import(user=*): if <ruser> is listed in .xauth/import, or
+ * if .xauth/import does not exist */
+ i = (getuid() != 0 || tpwd->pw_uid == 0) ? PAM_SUCCESS : PAM_PERM_DENIED;
+ i = check_acl(pamh, "export", rpwd->pw_name, user, i, debug);
+ if (i != PAM_SUCCESS) {
+ retval = PAM_SESSION_ERR;
+ goto cleanup;
+ }
+ i = PAM_SUCCESS;
+ i = check_acl(pamh, "import", user, rpwd->pw_name, i, debug);
+ if (i != PAM_SUCCESS) {
+ retval = PAM_SESSION_ERR;
+ goto cleanup;
+ }
+ } else {
+ if (debug)
+ pam_syslog (pamh, LOG_DEBUG, "current and target user are the same, forward X11");
}
/* Figure out where the source user's .Xauthority file is. */
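Review bot: The same-user shortcut introduced at `if (strcmp (rpwd->pw_name, tpwd->pw_name) != 0)` is a user-visible policy change — a user's own `.xauth/export` and `.xauth/import` entries can no longer refuse forwarding to that same user — yet the diffstat shows no edit to the pam_xauth man page and the NEWS entry added in this commit does not mention pam_xauth; I'd add a line under Release 1.1.5 and a sentence in the module documentation stating that the ACL files are not consulted when the calling user and the target user are identical. The shortcut keys on `pw_name` while the root policy two lines below keys on `tpwd->pw_uid`; if the intent is "same account", comparing `rpwd->pw_uid == tpwd->pw_uid` as well (or instead) would make the two checks consistent, though I'm inferring the intent from the comment rather than from a stated requirement. As a style point, the unbraced `if (debug)` body in the else branch would be safer written as `if (debug) { pam_syslog (pamh, LOG_DEBUG, "current and target user are the same, forward X11"); }` to match the braced blocks around it. The enclosing pam_sm_open_session both starts and ends outside this hunk.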