diff -urN Linux-PAM-0.72/modules/pam_limits/Makefile Linux-PAM-0.72.new/modules/pam_limits/Makefile
--- Linux-PAM-0.72/modules/pam_limits/Makefile Wed Jul 4 20:58:43 2001
+++ Linux-PAM-0.72.new/modules/pam_limits/Makefile Wed Jul 4 19:31:37 2001
@@ -6,7 +6,7 @@
# Created by Cristian Gafton <gafton@redhat.com> 1996/09/10
#
-ifeq ($(OS),linux)
+ifneq (,$(findstring $(OS),gnu linux))
TITLE=pam_limits
CONFD=$(CONFIGED)/security
export CONFD
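Review bot: The new condition `ifneq (,$(findstring $(OS),gnu linux))` is a substring test, so any `$(OS)` value that is merely a fragment of the string `gnu linux` (for instance `nu` or `linu`) also enables the module build. `$(filter ...)` matches whole words and states the intent exactly: `ifneq (,$(filter $(OS),gnu linux))`. The next Makefile hunk already uses an exact comparison, `ifeq (linux,$(OS))`, so this would also make the two tests consistent.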
@@ -22,7 +22,10 @@
LIBOBJD = $(addprefix dynamic/,$(LIBOBJ))
LIBOBJS = $(addprefix static/,$(LIBOBJ))
+ifeq (linux,$(OS))
LINKLIBS+=-lcap
+CFLAGS+=-DUSE_CAPABILITIES
+endif
dynamic/%.o : %.c
$(CC) $(CFLAGS) $(DYNAMIC) $(CPPFLAGS) $(TARGET_ARCH) -c $< -o $@
diff -urN Linux-PAM-0.72/modules/pam_limits/pam_limits.c Linux-PAM-0.72.new/modules/pam_limits/pam_limits.c
--- Linux-PAM-0.72/modules/pam_limits/pam_limits.c Wed Jul 4 20:58:48 2001
+++ Linux-PAM-0.72.new/modules/pam_limits/pam_limits.c Wed Jul 4 19:31:31 2001
@@ -13,12 +13,10 @@
* See end for Copyright information
*/
-#if !(defined(linux))
-#error THIS CODE IS KNOWN TO WORK ONLY ON LINUX !!!
-#endif
-
+#ifdef USE_CAPABILITIES
#include <sys/capability.h>
#include <sys/prctl.h>
+#endif
#include <stdio.h>
#include <unistd.h>
@@ -62,9 +60,11 @@
specific user or to count all logins */
static int priority; /* the priority to run user process with */
static char chroot_dir[8092] = ""; /* directory to chroot into */
+#ifdef USE_CAPABILITIES
static cap_t capabilities; /* capability handle */
static int caps_set = 0; /* capabilities set */
static int caps_allocated = 0; /* capabilities allocated */
+#endif
#define LIMIT_LOGIN RLIM_NLIMITS+1
#define LIMIT_NUMSYSLOGINS RLIM_NLIMITS+2
@@ -261,11 +261,13 @@
priority = 0;
login_limit = -2;
login_limit_def = LIMITS_DEF_NONE;
+#ifdef USE_CAPABILITIES
if (caps_allocated)
cap_free(capabilities);
capabilities = cap_init();
caps_allocated = 1;
caps_set = 0;
+#endif
return retval;
}
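Review bot: Inside the newly guarded block the result of `cap_init()` is stored without a NULL check and `caps_allocated = 1` is set unconditionally, so an allocation failure goes unrecorded; `caps_allocated = (capabilities != NULL);` would keep the flag truthful. The handle allocated here also appears to leak whenever the `LIMIT_CAPS` branch in the `@@ -401` hunk overwrites `capabilities` with `cap_from_text(value_orig)` without a preceding `cap_free()`. Both lines predate this commit, but the commit wraps them as-is, so this is a good moment to fix them. The enclosing function starts outside the hunk, so how it should report the failure through `retval` cannot be judged from here.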
@@ -401,9 +403,13 @@
} else if (limit_item == LIMIT_CHROOT) {
strncpy(chroot_dir, value_orig, sizeof(chroot_dir));
} else if (limit_item == LIMIT_CAPS) {
+#ifdef USE_CAPABILITIES
capabilities = cap_from_text(value_orig);
prctl(PR_SET_KEEPCAPS, 1);
caps_set = 1;
+#else
+ _pam_log(LOG_WARNING, "capabilities not supported on this system, ignoring them");
+#endif
}
return;
}
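Review bot: The new `#else` branch fails open: on a build without `USE_CAPABILITIES`, a `LIMIT_CAPS` entry that an administrator wrote to restrict a session is dropped with a generic warning and processing continues as if the line were absent. At minimum the message should name the ignored value so the gap is visible in logs, e.g. `_pam_log(LOG_WARNING, "capabilities not supported on this system, ignoring '%s'", value_orig);` (assuming `_pam_log` takes printf-style arguments, which the hunk does not show). Whether such an entry should instead cause the session to be refused is a policy choice that deserves a comment here; the function appears to return `void` (bare `return;`) and starts outside the hunk, so refusing would need a flag checked by the caller. In the `#ifdef` branch the return values of `cap_from_text()` and `prctl(PR_SET_KEEPCAPS, 1)` are not checked, so a malformed capability string is only noticed later when `cap_set_proc()` fails.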
@@ -533,12 +539,14 @@
if (i != 0)
retval = LIMIT_ERR;
}
+#ifdef USE_CAPABILITIES
if (!retval && caps_set) {
retval = cap_set_proc(capabilities) ? LIMIT_ERR : 0;
cap_free(capabilities);
caps_set = 0;
caps_allocated = 0;
}
+#endif
return retval;
}