From 706ac5f5a58cc74597782f7554f62b867b0135cb Mon Sep 17 00:00:00 2001 From: Tomáš Mráz Date: Nov 02 2009 10:48:52 +0000 Subject: - pam_console: fix memory corruption when executing handlers (patch by Stas Sergeev) and a few more fixes in the handler execution code (#532302) - pam_xauth: set the approprate context when creating .xauth files (#531530)
---
diff --git a/pam-1.1.0-console-fixes.patch b/pam-1.1.0-console-fixes.patch
new file mode 100644
index 0000000..08cd4c6
--- /dev/null
+++ b/pam-1.1.0-console-fixes.patch
@@ -0,0 +1,71 @@
+diff -up Linux-PAM-1.1.0/modules/pam_console/handlers.c.consolefix Linux-PAM-1.1.0/modules/pam_console/handlers.c
+--- Linux-PAM-1.1.0/modules/pam_console/handlers.c.consolefix 2009-11-02 08:45:24.000000000 +0100
++++ Linux-PAM-1.1.0/modules/pam_console/handlers.c 2009-11-02 08:50:19.000000000 +0100
+@@ -172,13 +172,13 @@ call_exec(struct console_handler *handle
+ const char *flagptr;
+ const char **argv;
+ int i = 0;
+- argv = malloc(sizeof(*argv)*nparams+2);
+-
++ argv = malloc(sizeof(*argv)*(nparams+2));
++
+ if (argv == NULL)
+ return;
+-
++
+ argv[i++] = handler->executable;
+-
++
+ for (flagptr = handler->flags; *flagptr != '\0'; flagptr += strlen(flagptr)+1) {
+ switch (testflag(flagptr)) {
+ case HF_LOGFAIL:
+@@ -231,7 +231,7 @@ execute_handler(pam_handle_t *pamh, stru
+ }
+
+ sighandler = signal(SIGCHLD, SIG_DFL);
+-
++
+ child = fork();
+ switch (child) {
+ case -1:
+@@ -246,30 +246,31 @@ execute_handler(pam_handle_t *pamh, stru
+ if (!wait_exit) {
+ switch(fork()) {
+ case 0:
+- exit(0);
++ if(setsid() == -1) {
++ _exit(255);
++ }
++ break;
+ case -1:
+- exit(255);
++ _exit(255);
+ default:
+- if(setsid() == -1) {
+- exit(255);
+- }
++ _exit(0);
+ }
+ }
+ if (set_uid) {
+ struct passwd *pw;
+ pw = getpwnam(user);
+ if (pw == NULL)
+- exit(255);
++ _exit(255);
+ if (setgid(pw->pw_gid) == -1 ||
+ setuid(pw->pw_uid) == -1)
+- exit(255);
++ _exit(255);
+ }
+ call_exec(handler, nparams, user, tty);
+- exit(255);
++ _exit(255);
+ default:
+ break;
+ }
+-
++
+ waitpid(child, &rv, 0);
+
+ if (sighandler != SIG_ERR)
diff --git a/pam-1.1.0-xauth-context.patch b/pam-1.1.0-xauth-context.patch
new file mode 100644
index 0000000..91c08ba
--- /dev/null
+++ b/pam-1.1.0-xauth-context.patch
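Review bot: In execute_handler's `set_uid` branch the child drops privileges with `setgid()` followed by `setuid()` only, so the supplementary groups inherited from the calling process stay attached to the handler that call_exec() then runs. Nothing in the hunk clears them; unless that happens outside the visible lines, the condition should begin with `initgroups(user, pw->pw_gid) == -1 ||` ahead of the existing `setgid(pw->pw_gid) == -1 ||`, so that a failure there also ends in `_exit(255)`. execute_handler starts and ends outside the hunk, so the includes and the caller's group state are not visible here.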
@@ -0,0 +1,92 @@
+diff -up Linux-PAM-1.1.0/modules/pam_xauth/Makefile.am.xauth-context Linux-PAM-1.1.0/modules/pam_xauth/Makefile.am
+--- Linux-PAM-1.1.0/modules/pam_xauth/Makefile.am.xauth-context 2006-06-09 18:44:08.000000000 +0200
++++ Linux-PAM-1.1.0/modules/pam_xauth/Makefile.am 2009-10-29 14:34:18.000000000 +0100
+@@ -16,7 +16,7 @@ secureconfdir = $(SCONFIGDIR)
+
+ AM_CFLAGS = -I$(top_srcdir)/libpam/include -I$(top_srcdir)/libpamc/include
+ AM_LDFLAGS = -no-undefined -avoid-version -module \
+- -L$(top_builddir)/libpam -lpam
++ -L$(top_builddir)/libpam -lpam @LIBSELINUX@
+ if HAVE_VERSIONING
+ AM_LDFLAGS += -Wl,--version-script=$(srcdir)/../modules.map
+ endif
+diff -up Linux-PAM-1.1.0/modules/pam_xauth/pam_xauth.c.xauth-context Linux-PAM-1.1.0/modules/pam_xauth/pam_xauth.c
+--- Linux-PAM-1.1.0/modules/pam_xauth/pam_xauth.c.xauth-context 2009-04-09 10:07:29.000000000 +0200
++++ Linux-PAM-1.1.0/modules/pam_xauth/pam_xauth.c 2009-10-29 16:13:21.000000000 +0100
+@@ -57,6 +57,12 @@
+ #include
+ #include
+
++#ifdef WITH_SELINUX
++#include
++#include
++#include
++#endif
++
+ #define DATANAME "pam_xauth_cookie_file"
+ #define XAUTHENV "XAUTHORITY"
+ #define HOMEENV "HOME"
+@@ -461,6 +467,10 @@ pam_sm_open_session (pam_handle_t *pamh,
+ getuid(), getgid(),
+ xauth, "-f", cookiefile, "nlist", display,
+ NULL) == 0) {
++ int save_errno;
++#ifdef WITH_SELINUX
++ security_context_t context = NULL;
++#endif
+ /* Check that we got a cookie. If not, we get creative. */
+ if (((cookie == NULL) || (strlen(cookie) == 0)) &&
+ ((strncmp(display, "localhost:", 10) == 0) ||
+@@ -545,12 +555,41 @@ pam_sm_open_session (pam_handle_t *pamh,
+ /* Generate a new file to hold the data. */
+ euid = geteuid();
+ setfsuid(tpwd->pw_uid);
+- fd = mkstemp(xauthority + strlen(XAUTHENV) + 1);
++
++#ifdef WITH_SELINUX
++ if (is_selinux_enabled() > 0) {
++ struct selabel_handle *ctx = selabel_open(SELABEL_CTX_FILE, NULL, 0);
++ if (ctx != NULL) {
++ if (selabel_lookup(ctx, &context,
++ xauthority + sizeof(XAUTHENV), S_IFREG) != 0) {
++ pam_syslog(pamh, LOG_WARNING,
++ "could not get SELinux label for '%s'",
++ xauthority + sizeof(XAUTHENV));
++ }
++ selabel_close(ctx);
++ if (setfscreatecon(context)) {
++ pam_syslog(pamh, LOG_WARNING,
++ "setfscreatecon(%s) failed: %m", context);
++ }
++ }
++ }
++ fd = mkstemp(xauthority + sizeof(XAUTHENV));
++ save_errno = errno;
++ if (context != NULL) {
++ free(context);
++ setfscreatecon(NULL);
++ }
++#else
++ fd = mkstemp(xauthority + sizeof(XAUTHENV));
++ save_errno = errno;
++#endif
++
+ setfsuid(euid);
+ if (fd == -1) {
++ errno = save_errno;
+ pam_syslog(pamh, LOG_ERR,
+ "error creating temporary file `%s': %m",
+- xauthority + strlen(XAUTHENV) + 1);
++ xauthority + sizeof(XAUTHENV));
+ retval = PAM_SESSION_ERR;
+ goto cleanup;
+ }
+@@ -563,7 +602,7 @@ pam_sm_open_session (pam_handle_t *pamh,
+ /* Get a copy of the filename to save as a data item for
+ * removal at session-close time. */
+ free(cookiefile);
+- cookiefile = strdup(xauthority + strlen(XAUTHENV) + 1);
++ cookiefile = strdup(xauthority + sizeof(XAUTHENV));
+
+ /* Save the filename. */
+ if (pam_set_data(pamh, DATANAME, cookiefile, cleanup) != PAM_SUCCESS) {
diff --git a/pam.spec b/pam.spec
index 548be59..c3f029f 100644
--- a/pam.spec
+++ b/pam.spec
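Review bot: In the WITH_SELINUX block added to pam_sm_open_session, the reset `setfscreatecon(NULL);` after mkstemp() ignores its return value, so a failed reset would leave the xauth label as the file-creation context for whatever the calling application creates next. I would at least log it, `if (setfscreatecon(NULL) != 0) pam_syslog(pamh, LOG_ERR, "could not reset SELinux file creation context: %m");`, which is safe at that point because errno is already saved in `save_errno`. The label comes from selabel_lookup(), so `freecon(context);` is the matching release call rather than `free(context);`. The labelling step also fails open: when selabel_lookup() or setfscreatecon(context) fails, only a warning is logged and the cookie file is created with the default label, which deserves a comment saying it is intentional. The function starts and ends outside the hunk.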
@@ -3,11 +3,10 @@ Summary: An extensible library which provides authentication for applications Name: pam Version: 1.0.91 -Release: 6%{?dist} +Release: 7%{?dist} # The library is BSD licensed with option to relicense as GPLv2+ - this option is redundant # as the BSD license allows that anyway. pam_timestamp and pam_console modules are GPLv2+, -# pam_rhosts_auth module is BSD with advertising -License: BSD and GPLv2+ and BSD with advertising +License: BSD and GPLv2+ Group: System Environment/Base Source0: http://ftp.us.kernel.org/pub/linux/libs/pam/beta/Linux-PAM-%{version}.tar.bz2 Source1: http://ftp.us.kernel.org/pub/linux/libs/pam/beta/Linux-PAM-%{version}.tar.bz2.sign @@ -24,6 +23,8 @@ Source13: config-util.5 Source14: 90-nproc.conf Patch1: pam-1.0.90-redhat-modules.patch Patch2: pam-1.0.91-std-noclose.patch +Patch6: pam-1.1.0-xauth-context.patch +Patch7: pam-1.1.0-console-fixes.patch %define _sbindir /sbin %define _moduledir /%{_lib}/security @@ -86,6 +87,8 @@ mv pam-redhat-%{pam_redhat_version}/* modules %patch1 -p1 -b .redhat-modules %patch2 -p1 -b .std-noclose +%patch6 -p1 -b .xauth-context +%patch7 -p1 -b .console-fixes libtoolize -f autoreconf @@ -173,7 +176,7 @@ for dir in modules/pam_* ; do if [ -d ${dir} ] ; then %if ! %{WITH_SELINUX} [ ${dir} = "modules/pam_selinux" ] && continue -%endif +%endif if ! ls -1 $RPM_BUILD_ROOT%{_moduledir}/`basename ${dir}`*.so ; then echo ERROR `basename ${dir}` did not build a module. exit 1 @@ -325,6 +328,11 @@ fi %doc doc/adg/*.txt doc/adg/html %changelog +* Mon Nov 2 2009 Tomas Mraz 1.0.91-7 +- pam_console: fix memory corruption when executing handlers (patch by + Stas Sergeev) and a few more fixes in the handler execution code (#532302) +- pam_xauth: set the approprate context when creating .xauth files (#531530) + * Fri Apr 10 2009 Tomas Mraz 1.0.91-6 - add password-auth, fingerprint-auth, and smartcard-auth for applications which can use them namely gdm (#494874)