From c47d70c3fbfe9a26150323751e7c935f37dc21b8 Mon Sep 17 00:00:00 2001
From: Steve Langasek <vorlon@debian.org>
Date: Thu, 10 Sep 2009 03:25:42 -0700
Subject: =?UTF-8?q?debian/patches/pam=5Fsecuretty=5Ftty=5Fcheck=5Fbefore?=
 =?UTF-8?q?=5Fuser=5Fcheck:=20new=20patch,=20to=20make=20pam=5Fsecuretty?=
 =?UTF-8?q?=20always=20return=20success=20on=20a=20secure=20tty=20regardle?=
 =?UTF-8?q?ss=20of=20what=20username=20was=20passed.=20=20Thanks=20to=20Ni?=
 =?UTF-8?q?colas=20Fran=C3=A7ois=20<nicolas.francois@centraliens.net>=20fo?=
 =?UTF-8?q?r=20the=20patch.=20=20Closes:=20#537848?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

---
 debian/changelog                                   |  9 +++++
 .../pam_securetty_tty_check_before_user_check      | 40 ++++++++++++++++++++++
 debian/patches-applied/series                      |  1 +
 3 files changed, 50 insertions(+)
 create mode 100644 debian/patches-applied/pam_securetty_tty_check_before_user_check

(limited to 'debian')

diff --git a/debian/changelog b/debian/changelog
index f75d1e5f..7e03fb7a 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,12 @@
+pam (1.1.0-4) UNRELEASED; urgency=low
+
+  * debian/patches/pam_securetty_tty_check_before_user_check: new patch,
+    to make pam_securetty always return success on a secure tty regardless
+    of what username was passed.  Thanks to Nicolas François
+    <nicolas.francois@centraliens.net> for the patch.  Closes: #537848
+
+ -- Steve Langasek <vorlon@debian.org>  Thu, 10 Sep 2009 03:20:33 -0700
+
 pam (1.1.0-3) unstable; urgency=low
 
   * Bump debian/compat to 7, so we can use sane contents in debian/*.install
diff --git a/debian/patches-applied/pam_securetty_tty_check_before_user_check b/debian/patches-applied/pam_securetty_tty_check_before_user_check
new file mode 100644
index 00000000..5f976ab5
--- /dev/null
+++ b/debian/patches-applied/pam_securetty_tty_check_before_user_check
@@ -0,0 +1,40 @@
+Patch for Debian bug #537848
+
+pam_securetty should not return PAM_USER_UNKNOWN when the tty is secure.
+regardless of what was entered as a username.
+
+Authors: Nicolas François <nicolas.francois@centraliens.net>
+
+Upstream status: committed to CVS
+
+Index: sid/modules/pam_securetty/pam_securetty.c
+===================================================================
+--- sid.orig/modules/pam_securetty/pam_securetty.c	2009-07-23 17:39:36.904158303 +0200
++++ sid/modules/pam_securetty/pam_securetty.c	2009-07-23 17:48:55.596157670 +0200
+@@ -82,13 +82,11 @@
+     }
+ 
+     user_pwd = pam_modutil_getpwnam(pamh, username);
+-    if (user_pwd == NULL) {
+-	return PAM_USER_UNKNOWN;
+-    } else if (user_pwd->pw_uid != 0) { /* If the user is not root,
+-					   securetty's does not apply
+-					   to them */
++    if (user_pwd != NULL && user_pwd->pw_uid != 0) {
++	/* If the user is not root, securetty's does not apply to them */
+ 	return PAM_SUCCESS;
+     }
++    /* The user is now either root or an invalid / mistyped username */
+ 
+     retval = pam_get_item(pamh, PAM_TTY, &void_uttyname);
+     uttyname = void_uttyname;
+@@ -102,6 +100,9 @@
+ 	pam_syslog(pamh, LOG_DEBUG, "access allowed for '%s' on '%s'",
+ 	           username, uttyname);
+     } else if (retval != PAM_SUCCESS) {
++	if (user_pwd == NULL) {
++	    retval = PAM_USER_UNKNOWN;
++	}
+ 	pam_syslog(pamh, LOG_WARNING, "access denied: tty '%s' is not secure !",
+ 	           uttyname);
+     }
diff --git a/debian/patches-applied/series b/debian/patches-applied/series
index e7f8120c..dde1da8f 100644
--- a/debian/patches-applied/series
+++ b/debian/patches-applied/series
@@ -21,3 +21,4 @@ autoconf.patch
 update-motd
 fix-man-crud
 namespace_with_awk_not_gawk
+pam_securetty_tty_check_before_user_check
-- 
cgit v1.2.3