Diffstat (limited to 'debian/patches-applied')
-rw-r--r--debian/patches-applied/031_pam_include54
-rw-r--r--debian/patches-applied/036_pam_wheel_getlogin_considered_harmful225
2 files changed, 158 insertions, 121 deletions
diff --git a/debian/patches-applied/031_pam_include b/debian/patches-applied/031_pam_include
index e28415c4..8e7ea587 100644
--- a/debian/patches-applied/031_pam_include
+++ b/debian/patches-applied/031_pam_include
@@ -4,11 +4,11 @@ Authors: Jan Christoph Nordholz <hesso@pool.math.tu-berlin.de>
Upstream status: not yet submitted
-Index: pam/Linux-PAM/libpam/pam_handlers.c
+Index: pam.deb/libpam/pam_handlers.c
===================================================================
---- pam.orig/Linux-PAM/libpam/pam_handlers.c
-+++ pam/Linux-PAM/libpam/pam_handlers.c
-@@ -114,6 +114,10 @@
+--- pam.deb.orig/libpam/pam_handlers.c
++++ pam.deb/libpam/pam_handlers.c
+@@ -117,6 +117,10 @@
module_type = PAM_T_ACCT;
} else if (!strcasecmp("password", tok)) {
module_type = PAM_T_PASS;
@@ -19,35 +19,49 @@ Index: pam/Linux-PAM/libpam/pam_handlers.c
} else {
/* Illegal module type */
D(("_pam_init_handlers: bad module type: %s", tok));
-@@ -178,14 +182,33 @@
+@@ -186,8 +190,10 @@
_pam_set_default_control(actions, _PAM_ACTION_BAD);
}
+parsing_done:
tok = _pam_StrTok(NULL, " \n\t", &nexttok);
if (pam_include) {
-- if (_pam_load_conf_file(pamh, tok, this_service, module_type
+ struct stat include_dir;
+ if (substack) {
+ res = _pam_add_handler(pamh, PAM_HT_SUBSTACK, other,
+ stack_level, module_type, actions, tok,
+@@ -198,13 +204,35 @@
+ return PAM_ABORT;
+ }
+ }
+- if (_pam_load_conf_file(pamh, tok, this_service, module_type,
+- stack_level + substack
+ if (tok[0] == '/') {
-+ if (_pam_load_conf_file(pamh, tok, this_service, module_type
- #ifdef PAM_READ_BOTH_CONFS
-- , !other
-+ , !other
- #endif /* PAM_READ_BOTH_CONFS */
- ) == PAM_SUCCESS)
-- continue;
++ if (_pam_load_conf_file(pamh, tok, this_service,
++ module_type, stack_level + substack
++#ifdef PAM_READ_BOTH_CONFS
++ , !other
++#endif /* PAM_READ_BOTH_CONFS */
++ ) == PAM_SUCCESS)
+ continue;
-+ } else if (!stat(PAM_CONFIG_D, &include_dir) && S_ISDIR(include_dir.st_mode)) {
++ }
++ else if (!stat(PAM_CONFIG_D, include_dir)
++ && S_ISDIR(include_dir.st_mode))
++ {
+ char *include_file;
+ if (asprintf (&include_file, PAM_CONFIG_DF, tok) < 0) {
+ pam_syslog(pamh, LOG_CRIT, "asprintf failed");
+ return PAM_ABORT;
+ }
-+ if (_pam_load_conf_file(pamh, include_file, this_service, module_type
-+#ifdef PAM_READ_BOTH_CONFS
-+ , !other
-+#endif /* PAM_READ_BOTH_CONFS */
-+ ) == PAM_SUCCESS) {
++ if (_pam_load_conf_file(pamh, include_file, this_service,
++ module_type, stack_level + substack
+ #ifdef PAM_READ_BOTH_CONFS
+ , !other
+ #endif /* PAM_READ_BOTH_CONFS */
+- ) == PAM_SUCCESS)
+- continue;
++ ) == PAM_SUCCESS)
++ {
+ free(include_file);
+ continue;
+ }
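Review bot: The refreshed directory-include branch calls `stat(PAM_CONFIG_D, include_dir)`, passing the `struct stat include_dir;` declared above by value, where the line it replaces passed `&include_dir`. As shown this would not compile, so the condition should read `else if (!stat(PAM_CONFIG_D, &include_dir)`. If the ampersand was only lost when this page was rendered, confirm that against the patch file itself. Separately, `tok[0] == '/'` dereferences the result of `_pam_StrTok` directly, and no NULL check is visible in this hunk. If none exists earlier, an include line without a file name would crash the authenticating application while it parses its PAM configuration, so add a guard such as `if (tok == NULL) { pam_syslog(pamh, LOG_CRIT, "include without file name"); return PAM_ABORT; }`; the enclosing function starts and ends outside the hunk.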
@@ -55,4 +69,4 @@ Index: pam/Linux-PAM/libpam/pam_handlers.c
+ }
_pam_set_default_control(actions, _PAM_ACTION_BAD);
mod_path = NULL;
- must_fail = 1;
+ handler_type = PAM_HT_MUST_FAIL;
diff --git a/debian/patches-applied/036_pam_wheel_getlogin_considered_harmful b/debian/patches-applied/036_pam_wheel_getlogin_considered_harmful
index b95a677b..ec26a87c 100644
--- a/debian/patches-applied/036_pam_wheel_getlogin_considered_harmful
+++ b/debian/patches-applied/036_pam_wheel_getlogin_considered_harmful
@@ -8,10 +8,10 @@ Authors: Ben Collins <bcollins@debian.org>
Upstream status: submitted in <20070901175405.GA26092@dario.dodds.net>
-Index: Linux-PAM/modules/pam_wheel/pam_wheel.c
+Index: pam.deb/modules/pam_wheel/pam_wheel.c
===================================================================
---- Linux-PAM/modules/pam_wheel/pam_wheel.c.orig
-+++ Linux-PAM/modules/pam_wheel/pam_wheel.c
+--- pam.deb.orig/modules/pam_wheel/pam_wheel.c
++++ pam.deb/modules/pam_wheel/pam_wheel.c
@@ -60,9 +60,8 @@
/* argument parsing */
@@ -68,10 +68,10 @@ Index: Linux-PAM/modules/pam_wheel/pam_wheel.c
/*
* At this point fromsu = username-of-invoker; tpwd = pwd ptr for fromsu
-Index: Linux-PAM/modules/pam_wheel/pam_wheel.8.xml
+Index: pam.deb/modules/pam_wheel/pam_wheel.8.xml
===================================================================
---- Linux-PAM/modules/pam_wheel/pam_wheel.8.xml.orig
-+++ Linux-PAM/modules/pam_wheel/pam_wheel.8.xml
+--- pam.deb.orig/modules/pam_wheel/pam_wheel.8.xml
++++ pam.deb/modules/pam_wheel/pam_wheel.8.xml
@@ -33,9 +33,6 @@
<arg choice="opt">
trust
@@ -101,141 +101,164 @@ Index: Linux-PAM/modules/pam_wheel/pam_wheel.8.xml
</variablelist>
</refsect1>
-Index: Linux-PAM/modules/pam_wheel/pam_wheel.8
+Index: pam.deb/modules/pam_wheel/pam_wheel.8
===================================================================
---- Linux-PAM/modules/pam_wheel/pam_wheel.8.orig
-+++ Linux-PAM/modules/pam_wheel/pam_wheel.8
-@@ -1,11 +1,11 @@
+--- pam.deb.orig/modules/pam_wheel/pam_wheel.8
++++ pam.deb/modules/pam_wheel/pam_wheel.8
+@@ -1,64 +1,59 @@
.\" Title: pam_wheel
.\" Author:
--.\" Generator: DocBook XSL Stylesheets v1.70.1 <http://docbook.sf.net/>
--.\" Date: 06/09/2006
--.\" Manual: Linux\-PAM Manual
--.\" Source: Linux\-PAM Manual
-+.\" Generator: DocBook XSL Stylesheets v1.72.0 <http://docbook.sf.net/>
-+.\" Date: 08/19/2007
-+.\" Manual: Linux-PAM Manual
-+.\" Source: Linux-PAM Manual
+-.\" Generator: DocBook XSL Stylesheets v1.73.1 <http://docbook.sf.net/>
+-.\" Date: 01/08/2008
++.\" Generator: DocBook XSL Stylesheets v1.73.2 <http://docbook.sf.net/>
++.\" Date: 07/26/2008
+ .\" Manual: Linux-PAM Manual
+ .\" Source: Linux-PAM Manual
.\"
--.TH "PAM_WHEEL" "8" "06/09/2006" "Linux\-PAM Manual" "Linux\-PAM Manual"
-+.TH "PAM_WHEEL" "8" "08/19/2007" "Linux\-PAM Manual" "Linux\-PAM Manual"
+-.TH "PAM_WHEEL" "8" "01/08/2008" "Linux-PAM Manual" "Linux\-PAM Manual"
++.TH "PAM_WHEEL" "8" "07/26/2008" "Linux-PAM Manual" "Linux\-PAM Manual"
.\" disable hyphenation
.nh
.\" disable justification (adjust text to left margin only)
-@@ -14,7 +14,7 @@
- pam_wheel \- Only permit root access to members of group wheel
+ .ad l
+ .SH "NAME"
+-pam_wheel - Only permit root access to members of group wheel
++pam_wheel \- Only permit root access to members of group wheel
.SH "SYNOPSIS"
.HP 13
--\fBpam_wheel.so\fR [debug] [deny] [group=\fIname\fR] [root_only] [trust] [use_uid]
-+\fBpam_wheel.so\fR [debug] [deny] [group=\fIname\fR] [root_only] [trust]
+-\fBpam_wheel\.so\fR [debug] [deny] [group=\fIname\fR] [root_only] [trust] [use_uid]
++\fBpam_wheel\&.so\fR [debug] [deny] [group=\fIname\fR] [root_only] [trust]
.SH "DESCRIPTION"
.PP
The pam_wheel PAM module is used to enforce the so\-called
-@@ -24,30 +24,37 @@
- group. If no group with this name exist, the module is using the group with the group\-ID
- \fB0\fR.
+ \fIwheel\fR
+-group\. By default it permits root access to the system if the applicant user is a member of the
++group\&. By default it permits root access to the system if the applicant user is a member of the
+ \fIwheel\fR
+-group\. If no group with this name exist, the module is using the group with the group\-ID
+-\fB0\fR\.
++group\&. If no group with this name exist, the module is using the group with the group\-ID
++\fB0\fR\&.
.SH "OPTIONS"
--.TP 3n
-+.PP
+ .PP
\fBdebug\fR
-+.RS 4
- Print debug information.
--.TP 3n
-+.RE
-+.PP
+ .RS 4
+-Print debug information\.
++Print debug information\&.
+ .RE
+ .PP
\fBdeny\fR
-+.RS 4
+ .RS 4
Reverse the sense of the auth operation: if the user is trying to get UID 0 access and is a member of the wheel group (or the group of the
\fBgroup\fR
- option), deny access. Conversely, if the user is not in the group, return PAM_IGNORE (unless
+-option), deny access\. Conversely, if the user is not in the group, return PAM_IGNORE (unless
++option), deny access\&. Conversely, if the user is not in the group, return PAM_IGNORE (unless
\fBtrust\fR
- was also specified, in which case we return PAM_SUCCESS).
--.TP 3n
-+.RE
-+.PP
+-was also specified, in which case we return PAM_SUCCESS)\.
++was also specified, in which case we return PAM_SUCCESS)\&.
+ .RE
+ .PP
\fBgroup=\fR\fB\fIname\fR\fR
-+.RS 4
+ .RS 4
Instead of checking the wheel or GID 0 groups, use the
\fB\fIname\fR\fR
- group to perform the authentication.
--.TP 3n
-+.RE
-+.PP
+-group to perform the authentication\.
++group to perform the authentication\&.
+ .RE
+ .PP
\fBroot_only\fR
-+.RS 4
- The check for wheel membership is done only.
--.TP 3n
-+.RE
-+.PP
+ .RS 4
+-The check for wheel membership is done only\.
++The check for wheel membership is done only\&.
+ .RE
+ .PP
\fBtrust\fR
-+.RS 4
- The pam_wheel module will return PAM_SUCCESS instead of PAM_IGNORE if the user is a member of the wheel group (thus with a little play stacking the modules the wheel members may be able to su to root without being prompted for a passwd).
--.TP 3n
+ .RS 4
+-The pam_wheel module will return PAM_SUCCESS instead of PAM_IGNORE if the user is a member of the wheel group (thus with a little play stacking the modules the wheel members may be able to su to root without being prompted for a passwd)\.
+-.RE
+-.PP
-\fBuse_uid\fR
--The check for wheel membership will be done against the current uid instead of the original one (useful when jumping with su from one account to another for example).
-+.RE
+-.RS 4
+-The check for wheel membership will be done against the current uid instead of the original one (useful when jumping with su from one account to another for example)\.
++The pam_wheel module will return PAM_SUCCESS instead of PAM_IGNORE if the user is a member of the wheel group (thus with a little play stacking the modules the wheel members may be able to su to root without being prompted for a passwd)\&.
+ .RE
.SH "MODULE SERVICES PROVIDED"
.PP
- The
-@@ -56,32 +63,46 @@
+@@ -66,52 +61,52 @@
+ \fBauth\fR
+ and
\fBaccount\fR
- services are supported.
+-services are supported\.
++services are supported\&.
.SH "RETURN VALUES"
--.TP 3n
-+.PP
+ .PP
PAM_AUTH_ERR
-+.RS 4
- Authentication failure.
--.TP 3n
-+.RE
-+.PP
+ .RS 4
+-Authentication failure\.
++Authentication failure\&.
+ .RE
+ .PP
PAM_BUF_ERR
-+.RS 4
- Memory buffer error.
--.TP 3n
-+.RE
-+.PP
+ .RS 4
+-Memory buffer error\.
++Memory buffer error\&.
+ .RE
+ .PP
PAM_IGNORE
-+.RS 4
- The return value should be ignored by PAM dispatch.
--.TP 3n
-+.RE
-+.PP
+ .RS 4
+-The return value should be ignored by PAM dispatch\.
++The return value should be ignored by PAM dispatch\&.
+ .RE
+ .PP
PAM_PERM_DENY
-+.RS 4
- Permission denied.
--.TP 3n
-+.RE
-+.PP
+ .RS 4
+-Permission denied\.
++Permission denied\&.
+ .RE
+ .PP
PAM_SERVICE_ERR
-+.RS 4
- Cannot determine the user name.
--.TP 3n
-+.RE
-+.PP
+ .RS 4
+-Cannot determine the user name\.
++Cannot determine the user name\&.
+ .RE
+ .PP
PAM_SUCCESS
-+.RS 4
- Success.
--.TP 3n
-+.RE
-+.PP
+ .RS 4
+-Success\.
++Success\&.
+ .RE
+ .PP
PAM_USER_UNKNOWN
-+.RS 4
- User not known.
-+.RE
+ .RS 4
+-User not known\.
++User not known\&.
+ .RE
.SH "EXAMPLES"
.PP
- The root account gains access by default (rootok), only wheel members can become root (wheel) but Unix authenticate non\-root applicants.
+-The root account gains access by default (rootok), only wheel members can become root (wheel) but Unix authenticate non\-root applicants\.
++The root account gains access by default (rootok), only wheel members can become root (wheel) but Unix authenticate non\-root applicants\&.
.sp
--.RS 3n
-+.RS 4
+ .RS 4
.nf
- su auth sufficient pam_rootok.so
- su auth required pam_wheel.so
-Index: Linux-PAM/modules/pam_wheel/README
+-su auth sufficient pam_rootok\.so
+-su auth required pam_wheel\.so
+-su auth required pam_unix\.so
++su auth sufficient pam_rootok\&.so
++su auth required pam_wheel\&.so
++su auth required pam_unix\&.so
+
+ .fi
+ .RE
+@@ -124,4 +119,4 @@
+ \fBpam\fR(8)
+ .SH "AUTHOR"
+ .PP
+-pam_wheel was written by Cristian Gafton <gafton@redhat\.com>\.
++pam_wheel was written by Cristian Gafton <gafton@redhat\&.com>\&.
+Index: pam.deb/modules/pam_wheel/README
===================================================================
---- Linux-PAM/modules/pam_wheel/README.orig
-+++ Linux-PAM/modules/pam_wheel/README
+--- pam.deb.orig/modules/pam_wheel/README
++++ pam.deb/modules/pam_wheel/README
@@ -39,12 +39,6 @@
modules the wheel members may be able to su to root without being prompted
for a passwd).