summaryrefslogtreecommitdiff
path: root/debian
diff options
context:
space:
mode:
Diffstat (limited to 'debian')
-rw-r--r--debian/changelog3
-rw-r--r--debian/patches-applied/no_helper_for_nis+.patch31
-rw-r--r--debian/patches-applied/series1
3 files changed, 35 insertions, 0 deletions
diff --git a/debian/changelog b/debian/changelog
index 4957bf72..5c91f7cc 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -26,6 +26,9 @@ pam (0.99.10.0-1) UNRELEASED; urgency=low
* New patch setreuid_juggling.patch: restore the 0.99.9.0 behavior wrt uid
changes for NIS+, since I know the old behavior was right and don't
believe anyone has tested the new code.
+ * New patch no_helper_for_nis+.patch, which restores the behavior of doing
+ in-process NIS+ account checking instead of unconditionally passing it
+ off to the unix_chkpwd helper; if it wasn't broke, don't fix it.
* The password-changing helper functionality for SELinux systems has been
split out into a separate unix_update binary, so at long last we can
change unix_chkpwd to be sgid shadow instead of suid root.
diff --git a/debian/patches-applied/no_helper_for_nis+.patch b/debian/patches-applied/no_helper_for_nis+.patch
new file mode 100644
index 00000000..da9a03ad
--- /dev/null
+++ b/debian/patches-applied/no_helper_for_nis+.patch
@@ -0,0 +1,31 @@
+Don't force use of the helper for account verification with NIS+; the
+previous code already works robustly for any non-threaded caller, and
+will fall back to use of the helper anyway.
+
+Authors: Steve Langasek <steve.langasek@canonical.com>
+
+Upstream status: to be discussed
+
+Index: pam.deb/modules/pam_unix/passverify.c
+===================================================================
+--- pam.deb.orig/modules/pam_unix/passverify.c
++++ pam.deb/modules/pam_unix/passverify.c
+@@ -166,7 +166,6 @@
+ if (*pwd != NULL) {
+ if (strcmp((*pwd)->pw_passwd, "*NP*") == 0)
+ { /* NIS+ */
+-#ifdef HELPER_COMPILE
+ uid_t save_euid, save_uid;
+
+ save_euid = geteuid();
+@@ -194,10 +193,6 @@
+
+ if (*spwdent == NULL || (*spwdent)->sp_pwdp == NULL)
+ return PAM_AUTHINFO_UNAVAIL;
+-#else
+- /* we must run helper for NIS+ passwords */
+- return PAM_UNIX_RUN_HELPER;
+-#endif
+ } else if (is_pwd_shadowed(*pwd)) {
+ /*
+ * ...and shadow password file entry for this user,
diff --git a/debian/patches-applied/series b/debian/patches-applied/series
index 3b410ab1..c67db0e0 100644
--- a/debian/patches-applied/series
+++ b/debian/patches-applied/series
@@ -1,5 +1,6 @@
thread-safe_save_old_password.patch
setreuid_juggling.patch
+no_helper_for_nis+.patch
007_modules_pam_unix
008_modules_pam_limits_chroot
021_nis_cleanup