From fc772e7236a7aea9c9c26b0be2ee6f3ed8ae444a Mon Sep 17 00:00:00 2001 From: Thorsten Kukuk Date: Tue, 25 Oct 2011 14:24:50 +0200 Subject: 2011-10-25 Thorsten Kukuk * release version 1.1.5 * configure.in: Bump version number. * modules/pam_tally2/pam_tally2.8.xml: Remove never used option "no_lock_time". --- ChangeLog | 9 ++++++++ NEWS | 6 +++++ configure.in | 2 +- modules/pam_tally2/pam_tally2.8.xml | 12 ---------- modules/pam_xauth/pam_xauth.c | 45 ++++++++++++++++++++++--------------- 5 files changed, 43 insertions(+), 31 deletions(-) diff --git a/ChangeLog b/ChangeLog index 107f7651..d7d808b0 100644 --- a/ChangeLog +++ b/ChangeLog @@ -1,3 +1,12 @@ +2011-10-25 Thorsten Kukuk + + * release version 1.1.5 + + * configure.in: Bump version number. + + * modules/pam_tally2/pam_tally2.8.xml: Remove never used option + "no_lock_time". + 2011-10-14 Kees Cook * modules/pam_env/pam_env.c (_expand_arg): Abort when encountering an diff --git a/NEWS b/NEWS index a80a2ab9..81f961f1 100644 --- a/NEWS +++ b/NEWS @@ -1,5 +1,11 @@ Linux-PAM NEWS -- history of user-visible changes. +Release 1.1.5 +* pam_env: Fix CVE-2011-3148 and CVE-2011-3149 +* pam_access: Add hostname resolution cache +* Documentation: Improvements/fixes + + Release 1.1.4 * Add vietnamese translation diff --git a/configure.in b/configure.in index 7940a94e..5058155f 100644 --- a/configure.in +++ b/configure.in @@ -1,7 +1,7 @@ dnl Process this file with autoconf to produce a configure script. AC_INIT AC_CONFIG_SRCDIR([conf/pam_conv1/pam_conv_y.y]) -AM_INIT_AUTOMAKE("Linux-PAM", 1.1.4) +AM_INIT_AUTOMAKE("Linux-PAM", 1.1.5) AC_PREREQ(2.61) AC_CONFIG_HEADERS([config.h]) AC_CONFIG_MACRO_DIR([m4]) diff --git a/modules/pam_tally2/pam_tally2.8.xml b/modules/pam_tally2/pam_tally2.8.xml index 4ad529fd..5fecea24 100644 --- a/modules/pam_tally2/pam_tally2.8.xml +++ b/modules/pam_tally2/pam_tally2.8.xml @@ -236,17 +236,6 @@ - - - - - - - Do not use the .fail_locktime field in - /var/log/faillog for this user. - - - @@ -446,4 +435,3 @@ session optional pam_mail.so standard - diff --git a/modules/pam_xauth/pam_xauth.c b/modules/pam_xauth/pam_xauth.c index a64ae89f..88624b1c 100644 --- a/modules/pam_xauth/pam_xauth.c +++ b/modules/pam_xauth/pam_xauth.c @@ -459,24 +459,33 @@ pam_sm_open_session (pam_handle_t *pamh, int flags UNUSED, goto cleanup; } - /* Check that both users are amenable to this. By default, this - * boils down to this policy: - * export(ruser=root): only if is listed in .xauth/export - * export(ruser=*) if is listed in .xauth/export, or - * if .xauth/export does not exist - * import(user=*): if is listed in .xauth/import, or - * if .xauth/import does not exist */ - i = (getuid() != 0 || tpwd->pw_uid == 0) ? PAM_SUCCESS : PAM_PERM_DENIED; - i = check_acl(pamh, "export", rpwd->pw_name, user, i, debug); - if (i != PAM_SUCCESS) { - retval = PAM_SESSION_ERR; - goto cleanup; - } - i = PAM_SUCCESS; - i = check_acl(pamh, "import", user, rpwd->pw_name, i, debug); - if (i != PAM_SUCCESS) { - retval = PAM_SESSION_ERR; - goto cleanup; + + /* If current user and the target user are the same, don't + check the ACL list, but forward X11 */ + if (strcmp (rpwd->pw_name, tpwd->pw_name) != 0) { + + /* Check that both users are amenable to this. By default, this + * boils down to this policy: + * export(ruser=root): only if is listed in .xauth/export + * export(ruser=*) if is listed in .xauth/export, or + * if .xauth/export does not exist + * import(user=*): if is listed in .xauth/import, or + * if .xauth/import does not exist */ + i = (getuid() != 0 || tpwd->pw_uid == 0) ? PAM_SUCCESS : PAM_PERM_DENIED; + i = check_acl(pamh, "export", rpwd->pw_name, user, i, debug); + if (i != PAM_SUCCESS) { + retval = PAM_SESSION_ERR; + goto cleanup; + } + i = PAM_SUCCESS; + i = check_acl(pamh, "import", user, rpwd->pw_name, i, debug); + if (i != PAM_SUCCESS) { + retval = PAM_SESSION_ERR; + goto cleanup; + } + } else { + if (debug) + pam_syslog (pamh, LOG_DEBUG, "current and target user are the same, forward X11"); } /* Figure out where the source user's .Xauthority file is. */ -- cgit v1.2.3