From c68dce23face9f26b651917b418c7f80931fa7b7 Mon Sep 17 00:00:00 2001
From: Steve Langasek
Date: Sat, 26 Jul 2008 23:28:59 -0700
Subject: don't use _unix_blankpasswd() when trying to decide whether to pass the 'nullok' option to the helper, because _unix_blankpasswd() will itself call in to the helper... instead, check directly for a secure tty.

---
 debian/patches-applied/055_pam_unix_nullok_secure | 29 +++++++++++++++++++----
 1 file changed, 24 insertions(+), 5 deletions(-)

diff --git a/debian/patches-applied/055_pam_unix_nullok_secure b/debian/patches-applied/055_pam_unix_nullok_secure
index 0ea5eec1..b5f795de 100644
--- a/debian/patches-applied/055_pam_unix_nullok_secure
+++ b/debian/patches-applied/055_pam_unix_nullok_secure
@@ -39,16 +39,35 @@ Index: pam.deb/modules/pam_unix/support.c
  }
  }
 
-@@ -457,7 +464,7 @@
+@@ -430,6 +437,7 @@
+ child = fork();
+ if (child == 0) {
+ int i=0;
++ int nullok = off(UNIX__NONULL, ctrl);
+ struct rlimit rlim;
+ static char *envp[] = { NULL };
+ char *args[] = { NULL, NULL, NULL, NULL };
+@@ -457,7 +465,18 @@
  /* exec binary helper */
  args[0] = strdup(CHKPWD_HELPER);
  args[1] = x_strdup(user);
 - if (off(UNIX__NONULL, ctrl)) { /* this means we've succeeded */
-+ if (_unix_blankpasswd(pamh, ctrl, user)) { /* this means we've succeeded */
++
++ if (on(UNIX_NULLOK_SECURE, ctrl)) {
++ const void *uttyname;
++ retval = pam_get_item(pamh, PAM_TTY, &uttyname);
++ if (retval != PAM_SUCCESS || uttyname == NULL)
++ nullok = 0;
++
++ if (_pammodutil_tty_secure(pamh, (const char *)uttyname) != PAM_SUCCESS)
++ nullok = 0;
++ }
++
++ if (nullok) {
  args[2]=strdup("nullok");
  } else {
  args[2]=strdup("nonull");
-@@ -554,6 +561,17 @@
+@@ -554,6 +573,17 @@
  if (salt)
  _pam_delete(salt);
 
@@ -66,7 +85,7 @@ Index: pam.deb/modules/pam_unix/support.c
  return retval;
  }
 
-@@ -613,7 +631,8 @@
+@@ -613,7 +643,8 @@
  }
  }
  } else {
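Review bot: In the new `if (on(UNIX_NULLOK_SECURE, ctrl))` block, `_pammodutil_tty_secure(pamh, (const char *)uttyname)` is still called when `pam_get_item` failed or returned a NULL tty — the preceding check only clears `nullok`, it does not skip the call, so the helper is handed a NULL pointer (or an uninitialized one, if pam_get_item does not write its out-parameter on failure; `uttyname` has no initializer). This runs in the forked child before the exec, so a fault would only abort the helper path and fail closed, but it is still undefined behaviour and would mask the real cause of the failure. Fold the two conditions so the tty check only runs on a valid name: `const void *uttyname = NULL;` / `retval = pam_get_item(pamh, PAM_TTY, &uttyname);` / `if (retval != PAM_SUCCESS || uttyname == NULL || _pammodutil_tty_secure(pamh, (const char *)uttyname) != PAM_SUCCESS) nullok = 0;`. A one-line comment above the block would also help the next reader, e.g. `/* nullok_secure: only pass "nullok" to the helper when PAM_TTY passes _pammodutil_tty_secure() */`. The enclosing function (the one that forks and execs the helper) starts and ends outside this hunk.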
@@ -96,7 +115,7 @@ Index: pam.deb/modules/pam_unix/support.h
  /* UNIX__PRELIM */ {NULL, _ALL_ON_^(0x180), 0x80},
  /* UNIX__UPDATE */ {NULL, _ALL_ON_^(0x180), 0x100},
 -/* UNIX__NONULL */ {NULL, _ALL_ON_, 0x200},
-+/* UNIX__NONULL */ {NULL, _ALL_ON_^(0x1000000), 0x200},
++/* UNIX__NONULL */ {NULL, _ALL_ON_^(0x8000000), 0x200},
  /* UNIX__QUIET */ {NULL, _ALL_ON_, 0x400},
  /* UNIX_USE_AUTHTOK */ {"use_authtok", _ALL_ON_, 0x800},
  /* UNIX_SHADOW */ {"shadow", _ALL_ON_, 0x1000},
-- 
cgit v1.2.3
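Review bot: The new mask `_ALL_ON_^(0x8000000)` on the UNIX__NONULL entry hard-codes what I take to be the flag bit of UNIX_NULLOK_SECURE, but that entry is outside this hunk, so I cannot confirm the two literals agree — and the fact that this commit had to move it from `0x1000000` to `0x8000000` shows how easily they drift. Assuming the usual pam_unix `ctrl &= mask; ctrl |= flag` convention, a mismatch would mean an explicit `nonull` no longer clears `nullok_secure`, or clears an unrelated option, silently. Since the table is literal there is no symbol to reference, so at least document the coupling on the changed line: `/* UNIX__NONULL */ {NULL, _ALL_ON_^(0x8000000), 0x200}, /* mask must clear the UNIX_NULLOK_SECURE bit */`, and mirror that comment on the UNIX_NULLOK_SECURE entry.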