From 36d9a1c73dbeb541f13e4424a25ec29d884c0e11 Mon Sep 17 00:00:00 2001 From: Tomáš Mráz Date: Sep 21 2007 14:08:14 +0000 Subject: - do not preserve contexts when copying skel and other namespace.init fixes (#298941) - do not free memory sent to putenv (#231698) --- diff --git a/pam-0.99.7.1-namespace-homedir.patch b/pam-0.99.7.1-namespace-homedir.patch index 0431131..597bf98 100644 --- a/pam-0.99.7.1-namespace-homedir.patch +++ b/pam-0.99.7.1-namespace-homedir.patch 
@@ -1,29 +1,47 @@ diff -up Linux-PAM-0.99.8.1/modules/pam_namespace/namespace.init.homedir Linux-PAM-0.99.8.1/modules/pam_namespace/namespace.init ---- Linux-PAM-0.99.8.1/modules/pam_namespace/namespace.init.homedir 2007-08-24 10:40:46.000000000 +0200 -+++ Linux-PAM-0.99.8.1/modules/pam_namespace/namespace.init 2007-08-24 15:33:52.000000000 +0200 -@@ -1,9 +1,24 @@ +--- Linux-PAM-0.99.8.1/modules/pam_namespace/namespace.init.homedir 2007-09-19 19:37:26.000000000 +0200 ++++ Linux-PAM-0.99.8.1/modules/pam_namespace/namespace.init 2007-09-21 14:13:52.000000000 +0200 +@@ -1,26 +1,24 @@ #!/bin/sh -p -# This is only a boilerplate for the instance initialization script. # It receives polydir path as $1, the instance path as $2, # a flag whether the instance dir was newly created (0 - no, 1 - yes) in $3, # and user name in $4. # +-# If you intend to polyinstantiate /tmp and you also want to use the X windows +-# environment, you will have to use this script to bind mount the socket that +-# is used by the X server to communicate with its clients. X server places +-# this socket in /tmp/.X11-unix directory, which will get obscured by +-# polyinstantiation. Uncommenting the following lines will bind mount +-# the relevant directory at an alternative location (/.tmp/.X11-unix) such +-# that the X server, window manager and X clients, can still find the +-# socket X0 at the polyinstanted /tmp/.X11-unix. +-# +-#if [ $1 = /tmp ]; then +-# if [ ! -f /.tmp/.X11-unix ]; then +-# mkdir -p /.tmp/.X11-unix +-# fi +-# mount --bind /tmp/.X11-unix /.tmp/.X11-unix +-# cp -fp -- /tmp/.X0-lock "$2/.X0-lock" +-# mkdir -- "$2/.X11-unix" +-# ln -fs -- /.tmp/.X11-unix/X0 "$2/.X11-unix/X0" +-#fi +# The following section will copy the contents of /etc/skel if this is a +# newly created home directory. 
+if [ "$3" = 1 ]; then ++ # This line will fix the labeling on all newly created directories ++ [ -x /sbin/restorecon ] && /sbin/restorecon "$1" + user="$4" + passwd=$(getent passwd "$user") + homedir=$(echo "$passwd" | cut -f6 -d":") + if [ "$1" = "$homedir" ]; then + gid=$(echo "$passwd" | cut -f4 -d":") -+ cp -aT /etc/skel "$homedir" -+ [ -x /sbin/restorecon ] && /sbin/restorecon -R "$homedir" ++ cp -rT /etc/skel "$homedir" + chown -R "$user":"$gid" "$homedir" + mode=$(awk '/^UMASK/{gsub("#.*$", "", $2); printf "%o", and(0777,compl(strtonum("0" $2))); exit}' /etc/login.defs) + chmod ${mode:-700} "$homedir" ++ [ -x /sbin/restorecon ] && /sbin/restorecon -R "$homedir" + fi +fi -+# - # If you intend to polyinstantiate /tmp and you also want to use the X windows - # environment, you will have to use this script to bind mount the socket that - # is used by the X server to communicate with its clients. X server places + + exit 0 diff --git a/pam-0.99.8.1-xauth-no-free.patch b/pam-0.99.8.1-xauth-no-free.patch new file mode 100644 index 0000000..fcd9eff --- /dev/null +++ b/pam-0.99.8.1-xauth-no-free.patch @@ -0,0 +1,11 @@ +diff -up Linux-PAM-0.99.8.1/modules/pam_xauth/pam_xauth.c.no-free Linux-PAM-0.99.8.1/modules/pam_xauth/pam_xauth.c +--- Linux-PAM-0.99.8.1/modules/pam_xauth/pam_xauth.c.no-free 2007-09-21 16:02:06.000000000 +0200 ++++ Linux-PAM-0.99.8.1/modules/pam_xauth/pam_xauth.c 2007-09-21 16:02:47.000000000 +0200 +@@ -573,6 +573,7 @@ pam_sm_open_session (pam_handle_t *pamh, + "can't set environment variable '%s'", + xauthority); + putenv (xauthority); /* The environment owns this string now. */ ++ xauthority = NULL; + + /* set $DISPLAY in pam handle to make su - work */ + { diff --git a/pam.spec b/pam.spec index 0df2f7b..aae5e9b 100644 --- a/pam.spec +++ b/pam.spec 
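Review bot: On the new side of this hunk `cp -rT /etc/skel "$homedir"` and `chown -R "$user":"$gid" "$homedir"` run unchecked and the script still ends with `exit 0`, so a failed skel copy (missing /etc/skel, full filesystem) leaves a partially populated directory that is then chmoded and relabelled and reported to pam_namespace as success. If pam_namespace treats a non-zero status from this script as a session failure — confirm in the module — `cp -rT /etc/skel "$homedir" || exit 1` is the minimal check, and the `chown -R` deserves the same treatment. Separately, the `mode=$(awk …)` line depends on the gawk-only builtins `and`, `compl` and `strtonum`; with any other awk the command fails and `${mode:-700}` silently applies 0700, which is worth a comment such as `# requires gawk (and/compl/strtonum); falls back to 0700 if the UMASK lookup fails`.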
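Review bot: The `putenv (xauthority)` call on the context line just above the added `xauthority = NULL;` is still unchecked; when putenv fails (non-zero return, typically ENOMEM) the environment does not take ownership of the string, and clearing the pointer then leaks it instead of letting the function's later cleanup free it. A guarded form keeps both outcomes correct: `if (putenv (xauthority) == 0) xauthority = NULL;` so the string is released only when it is still owned here. pam_sm_open_session starts and ends outside the hunk, so the cleanup that the NULL assignment protects is not visible; it presumably passes xauthority to free, which accepts NULL, but that should be confirmed in the full function.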
@@ -11,7 +11,7 @@ Summary: A security tool which provides authentication for applications Name: pam Version: 0.99.8.1 -Release: 8%{?dist} +Release: 9%{?dist} # The library is BSD licensed with option to relicense as GPLv2+ - this option is redundant # as the BSD license allows that anyway. pam_timestamp and pam_console modules are GPLv2+, # pam_rhosts_auth module is BSD with advertising @@ -43,6 +43,7 @@ Patch43: pam-0.99.8.1-console-mfd-scanners.patch Patch44: pam-0.99.7.1-namespace-homedir.patch Patch45: pam-0.99.8.1-selinux-permit.patch Patch46: pam-0.99.8.1-succif-in-operator.patch +Patch47: pam-0.99.8.1-xauth-no-free.patch BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n) Requires: cracklib, cracklib-dicts >= 2.8 @@ -111,6 +112,7 @@ cp %{SOURCE7} . %patch44 -p1 -b .homedir %patch45 -p1 -b .permit %patch46 -p1 -b .in-operator +%patch47 -p1 -b .no-free autoreconf @@ -403,6 +405,11 @@ fi %doc doc/adg/*.txt doc/adg/html %changelog +* Fri Sep 21 2007 Tomas Mraz 0.99.8.1-9 +- do not preserve contexts when copying skel and other namespace.init + fixes (#298941) +- do not free memory sent to putenv (#231698) + * Wed Sep 19 2007 Tomas Mraz 0.99.8.1-8 - add pam_selinux_permit module - pam_succeed_if: fix in operator (#295151)