Diffstat (limited to 'debian/patches-applied/pam-loginuid-in-containers')
-rw-r--r-- | debian/patches-applied/pam-loginuid-in-containers | 52 |
1 files changed, 31 insertions, 21 deletions
diff --git a/debian/patches-applied/pam-loginuid-in-containers b/debian/patches-applied/pam-loginuid-in-containers
index bea1e32f..1e965b2d 100644
--- a/debian/patches-applied/pam-loginuid-in-containers
+++ b/debian/patches-applied/pam-loginuid-in-containers
@@ -29,11 +29,11 @@ Description: pam_loginuid: Ignore failure in user namespaces
 Signed-off-by: Steve Langasek <vorlon@debian.org>
 Signed-off-by: Dmitry V. Levin <ldv@altlinux.org>
-Index: pam.deb/modules/pam_loginuid/pam_loginuid.c
+Index: ubuntu/modules/pam_loginuid/pam_loginuid.c
 ===================================================================
---- pam.deb.orig/modules/pam_loginuid/pam_loginuid.c
-+++ pam.deb/modules/pam_loginuid/pam_loginuid.c
-@@ -46,25 +46,49 @@
+--- ubuntu.orig/modules/pam_loginuid/pam_loginuid.c 2014-01-31 21:07:08.665185675 +0000
++++ ubuntu/modules/pam_loginuid/pam_loginuid.c 2014-01-31 21:05:05.000000000 +0000
+@@ -47,25 +47,56 @@
 /*
 * This function writes the loginuid to the /proc system. It returns 
@@ -50,48 +50,58 @@ Index: pam.deb/modules/pam_loginuid/pam_loginuid.c + char loginuid[24], buf[24]; + static const char host_uid_map[] = " 0 0 4294967295\n"; + char uid_map[sizeof(host_uid_map)]; ++ ++ /* loginuid in user namespaces currently isn't writable and in some ++ case, not even readable, so consider any failure as ignorable (but try ++ anyway, in case we hit a kernel which supports it). */ ++ fd = open("/proc/self/uid_map", O_RDONLY); ++ if (fd >= 0) { ++ count = pam_modutil_read(fd, uid_map, sizeof(uid_map)); ++ if (strncmp(uid_map, host_uid_map, count) != 0) ++ rc = PAM_IGNORE; ++ close(fd); ++ } - count = snprintf(loginuid, sizeof(loginuid), "%lu", (unsigned long)uid); +- count = snprintf(loginuid, sizeof(loginuid), "%lu", (unsigned long)uid); - fd = open("/proc/self/loginuid", O_NOFOLLOW|O_WRONLY|O_TRUNC); + fd = open("/proc/self/loginuid", O_NOFOLLOW|O_RDWR); if (fd < 0) { - if (errno != ENOENT) { - rc = 1; +- pam_syslog(pamh, LOG_ERR, +- "Cannot open /proc/self/loginuid: %m"); + if (errno == ENOENT) { + rc = PAM_IGNORE; -+ } else if (errno == EACCES) { -+ fd = open("/proc/self/uid_map", O_RDONLY); -+ if (fd >= 0) { -+ count = pam_modutil_read(fd, uid_map, sizeof(uid_map)); -+ if (strncmp(uid_map, host_uid_map, count) != 0) -+ rc = PAM_IGNORE; -+ close(fd); -+ } -+ if (rc != PAM_IGNORE) -+ errno = EACCES; + } + if (rc != PAM_IGNORE) { - pam_syslog(pamh, LOG_ERR, - "Cannot open /proc/self/loginuid: %m"); ++ pam_syslog(pamh, LOG_ERR, "Cannot open %s: %m", ++ "/proc/self/loginuid"); } return rc; } - if (pam_modutil_write(fd, loginuid, count) != count) - rc = 1; + ++ count = snprintf(loginuid, sizeof(loginuid), "%lu", (unsigned long)uid); + if (pam_modutil_read(fd, buf, sizeof(buf)) == count && + memcmp(buf, loginuid, count) == 0) { + rc = PAM_SUCCESS; + goto done; /* already correct */ + } + if (lseek(fd, 0, SEEK_SET) == 0 && ftruncate(fd, 0) == 0 && -+ pam_modutil_write(fd, loginuid, count) == count) ++ pam_modutil_write(fd, loginuid, count) == count) 
{ + rc = PAM_SUCCESS; ++ } else { ++ if (rc != PAM_IGNORE) { ++ pam_syslog(pamh, LOG_ERR, "Error writing %s: %m", ++ "/proc/self/loginuid"); ++ } ++ } + done: close(fd); return rc; } -@@ -164,6 +188,7 @@ +@@ -165,6 +196,7 @@ { const char *user = NULL; struct passwd *pwd; @@ -99,7 +109,7 @@ Index: pam.deb/modules/pam_loginuid/pam_loginuid.c #ifdef HAVE_LIBAUDIT int require_auditd = 0; #endif -@@ -182,9 +207,14 @@ +@@ -183,9 +215,14 @@ return PAM_SESSION_ERR; } @@ -117,7 +127,7 @@ Index: pam.deb/modules/pam_loginuid/pam_loginuid.c } #ifdef HAVE_LIBAUDIT -@@ -194,11 +224,12 @@ +@@ -195,11 +232,12 @@ argv++; } |
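Review bot: The uid_map check that the second hunk hoists to the top of the function does not handle a failed or short read: `count = pam_modutil_read(fd, uid_map, sizeof(uid_map))` is passed straight to `strncmp(uid_map, host_uid_map, count)`, so a negative return (if count is the signed int that the later snprintf assignment suggests) converts to a very large size_t and, because uid_map is never NUL-terminated, the comparison can run past the 17-byte buffer, while a read shorter than host_uid_map lets any prefix match pass as the host namespace. Treating both cases as a mismatch is consistent with the comment above the read that any failure is ignorable: `if (count != (int)(sizeof(host_uid_map) - 1) || memcmp(uid_map, host_uid_map, count) != 0) rc = PAM_IGNORE;`. The new error branch after the write, `if (rc != PAM_IGNORE)`, also depends on rc's initial value, which is set before the hunk; set_loginuid's signature and the declarations of rc and count lie outside the hunk, so that initial value should be confirmed there.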