From 4a29ef333c8d76a6fdef5f1b52a1d7544e67e9e7 Mon Sep 17 00:00:00 2001 From: Steve Langasek Date: Sat, 26 Jul 2008 11:55:03 -0700 Subject: Drop patch 049_pam_unix_sane_locking, which upon review is not needed; it reduces the length of time we hold the lock, but at the expense of being able to enforce minimum times between password changes. --- debian/changelog | 3 + debian/patches-applied/049_pam_unix_sane_locking | 150 ----------------------- debian/patches-applied/series | 3 +- 3 files changed, 4 insertions(+), 152 deletions(-) delete mode 100644 debian/patches-applied/049_pam_unix_sane_locking (limited to 'debian') diff --git a/debian/changelog b/debian/changelog index 4f316ff1..702f892d 100644 --- a/debian/changelog +++ b/debian/changelog @@ -53,6 +53,9 @@ pam (0.99.10.0-1) UNRELEASED; urgency=low (set or unset) when looking up the user's password entry for password changes. Thanks to Quentin Godfroy for the patch. Closes: #469635. + * Drop patch 049_pam_unix_sane_locking, which upon review is not needed; + it reduces the length of time we hold the lock, but at the expense of + being able to enforce minimum times between password changes. -- Steve Langasek Tue, 22 Jul 2008 10:55:45 -0700 diff --git a/debian/patches-applied/049_pam_unix_sane_locking b/debian/patches-applied/049_pam_unix_sane_locking deleted file mode 100644 index 3baced2f..00000000 --- a/debian/patches-applied/049_pam_unix_sane_locking +++ /dev/null 
@@ -1,150 +0,0 @@
-Delta from 1.12 to 1.13 from Linux-PAM pam_unix_passwd.c
-made to work with our changes. Not sure this is actually relevant, as
-other changes seem to have been made upstream. This patch was
-specifically reverted in upstream CVS revision 1.18 as introducing a
-"race".
-
-Index: Linux-PAM/modules/pam_unix/pam_unix_passwd.c
-===================================================================
---- Linux-PAM/modules/pam_unix/pam_unix_passwd.c.orig
-+++ Linux-PAM/modules/pam_unix/pam_unix_passwd.c
-@@ -749,8 +749,7 @@
- char *towhat, unsigned int ctrl, int remember)
- {
- struct passwd *pwd = NULL;
-- int retval = 0;
-- int unlocked = 0;
-+ int retval = 0, i = 0;
- char *master = NULL;
-
- D(("called"));
-@@ -770,12 +769,6 @@
- int status;
- enum clnt_stat err;
-
-- /* Unlock passwd file to avoid deadlock */
--#ifdef USE_LCKPWDF
-- ulckpwdf();
--#endif
-- unlocked = 1;
--
- /* Initialize password information */
- yppwd.newpw.pw_passwd = pwd->pw_passwd;
- yppwd.newpw.pw_name = pwd->pw_name;
-@@ -833,29 +826,28 @@
- }
-
- if (_unix_comesfromsource(pamh, forwho, 1, 0)) {
--#ifdef USE_LCKPWDF
-- if(unlocked) {
-- int i = 0;
-- /* These values for the number of attempts and the sleep time
-- are, of course, completely arbitrary.
-- My reading of the PAM docs is that, once pam_chauthtok() has been
-- called with PAM_UPDATE_AUTHTOK, we are obliged to take any
-- reasonable steps to make sure the token is updated; so retrying
-- for 1/10 sec. isn't overdoing it. */
-- while((retval = lckpwdf()) != 0 && i < 100) {
-- usleep(1000);
-- i++;
-- }
-- if(retval != 0) {
-- return PAM_AUTHTOK_LOCK_BUSY;
-- }
-- }
--#endif
- /* first, save old password */
- if (save_old_password(pamh, forwho, fromwhat, remember)) {
- retval = PAM_AUTHTOK_ERR;
- goto done;
- }
-+
-+#ifdef USE_LCKPWDF
-+ /* These values for the number of attempts and the sleep time
-+ are, of course, completely arbitrary.
-+ My reading of the PAM docs is that, once pam_chauthtok() has been
-+ called with PAM_UPDATE_AUTHTOK, we are obliged to take any
-+ reasonable steps to make sure the token is updated; so retrying
-+ for 1/10 sec. isn't overdoing it. */
-+ while((retval = lckpwdf()) != 0 && i < 100) {
-+ usleep(1000);
-+ i++;
-+ }
-+ if(retval != 0) {
-+ retval = PAM_AUTHTOK_LOCK_BUSY;
-+ goto done;
-+ }
-+#endif
- if (on(UNIX_SHADOW, ctrl) || _unix_shadowed(pwd)) {
- retval = _update_shadow(pamh, forwho, towhat);
- #ifdef WITH_SELINUX
-@@ -1024,7 +1016,7 @@
- int argc, const char **argv)
- {
- unsigned int ctrl, lctrl;
-- int retval, i;
-+ int retval;
- int remember = -1;
-
- /* */
-@@ -1255,30 +1247,11 @@
- pass_new = pass_old = NULL; /* tidy up */
- return retval;
- }
--#ifdef USE_LCKPWDF
-- /* These values for the number of attempts and the sleep time
-- are, of course, completely arbitrary.
-- My reading of the PAM docs is that, once pam_chauthtok() has been
-- called with PAM_UPDATE_AUTHTOK, we are obliged to take any
-- reasonable steps to make sure the token is updated; so retrying
-- for 1/10 sec. isn't overdoing it. */
-- i=0;
-- while((retval = lckpwdf()) != 0 && i < 100) {
-- usleep(1000);
-- i++;
-- }
-- if(retval != 0) {
-- return PAM_AUTHTOK_LOCK_BUSY;
-- }
--#endif
-
- if (pass_old) {
- retval = _unix_verify_password(pamh, user, pass_old, ctrl);
- if (retval != PAM_SUCCESS) {
- pam_syslog(pamh, LOG_NOTICE, "user password changed by another process");
--#ifdef USE_LCKPWDF
-- ulckpwdf();
--#endif
- return retval;
- }
- }
-@@ -1286,9 +1259,6 @@
- retval = _unix_verify_shadow(pamh, user, ctrl);
- if (retval != PAM_SUCCESS) {
- pam_syslog(pamh, LOG_NOTICE, "user not authenticated 2");
--#ifdef USE_LCKPWDF
-- ulckpwdf();
--#endif
- return retval;
- }
-
-@@ -1297,9 +1267,6 @@
- pam_syslog(pamh, LOG_NOTICE,
- "new password not acceptable 2");
- pass_new = pass_old = NULL; /* tidy up */
--#ifdef USE_LCKPWDF
-- ulckpwdf();
--#endif
- return retval;
- }
-
-@@ -1341,9 +1308,6 @@
- pam_syslog(pamh, LOG_CRIT,
- "out of memory for password");
- pass_new = pass_old = NULL; /* tidy up */
--#ifdef USE_LCKPWDF
-- ulckpwdf();
--#endif
- return PAM_BUF_ERR;
- }
- /* copy first 8 bytes of password */
diff --git a/debian/patches-applied/series b/debian/patches-applied/series
index 131a9f8b..e1705f85 100644
--- a/debian/patches-applied/series
+++ b/debian/patches-applied/series
@@ -5,13 +5,12 @@
 026_pam_unix_passwd_unknown_user
 do_not_check_nis_accidentally
 027_pam_limits_better_init_allow_explicit_root
-031_pam_include -p2
+031_pam_include
 032_pam_limits_EPERM_NOT_FATAL
 036_pam_wheel_getlogin_considered_harmful
 hurd_no_setfsuid
 040_pam_limits_log_failure
 045_pam_dispatch_jump_is_ignore
-049_pam_unix_sane_locking
 054_pam_security_abstract_securetty_handling
 055_pam_unix_nullok_secure
 057_pam_unix_passwd_OOM_check
-- cgit v1.2.3
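Review bot: The series hunk also drops the `-p2` strip-level option from `031_pam_include`, a change that neither the commit message nor the new changelog entry mentions. The diffstat lists only three files, so `031_pam_include` itself does not appear to be refreshed in this commit; if its paths still carry the extra leading component, quilt would apply it at the default strip level and either fail or patch the wrong path. Either keep the line as `031_pam_include -p2`, or refresh that patch and record it separately in debian/changelog, for example `* 031_pam_include: refresh so that it applies without -p2.` Keeping this apart from the removal of 049_pam_unix_sane_locking would also leave the pam_unix locking change a single, auditable step.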