diff --git a/.cvsignore b/.cvsignore
index 97a0dd4..ba589d2 100644
--- a/.cvsignore
+++ b/.cvsignore
@@ -1 +1 @@
-usermode-1.102.tar.bz2
+usermode-1.103.tar.bz2
diff --git a/sources b/sources
index 5570c95..5d24209 100644
--- a/sources
+++ b/sources
@@ -1 +1 @@
-0a8437ef146b8eabbd733959c5cac851 usermode-1.102.tar.bz2
+f3650586d3199b5ccefd6ab0b35c844c usermode-1.103.tar.bz2
diff --git a/usermode-1.102-PAM_TTY.patch b/usermode-1.102-PAM_TTY.patch
deleted file mode 100644
index 846d14c..0000000
--- a/usermode-1.102-PAM_TTY.patch
+++ /dev/null
@@ -1,100 +0,0 @@
-# HG changeset patch
-# User Miloslav Trmač
-# Date 1265372688 -3600
-# Node ID 9a7b1e69d0a8213092caf45beb52c07a8d334ea3
-# Parent 8a897830e2d8745a72eb4236f02a981cfdc95528
-Set PAM_TTY if known.
-
-2010-02-05 Miloslav Trmač
-
- * userhelper.c (set_pam_items): New function.
- (passwd, chfn, wrap): Use pam_set_items.
-
-diff -r 8a897830e2d8 -r 9a7b1e69d0a8 ChangeLog
---- a/ChangeLog Thu Feb 04 23:00:17 2010 +0100
-+++ b/ChangeLog Fri Feb 05 13:24:48 2010 +0100
-@@ -1,3 +1,8 @@
-+2010-02-05 Miloslav Trmač
-+
-+ * userhelper.c (set_pam_items): New function.
-+ (passwd, chfn, wrap): Use pam_set_items.
-+
- 2010-02-04 Miloslav Trmač
-
- * userhelper.c (become_super): Check for failures of the system
-diff -r 8a897830e2d8 -r 9a7b1e69d0a8 userhelper.c
---- a/userhelper.c Thu Feb 04 23:00:17 2010 +0100
-+++ b/userhelper.c Fri Feb 05 13:24:48 2010 +0100
-@@ -1102,6 +1102,31 @@
- return NULL;
- }
-
-+/* Set various attributes of DATA, including the requesting user USER. */
-+static void
-+set_pam_items(struct app_data *data, const char *user)
-+{
-+ int retval;
-+ char *tty;
-+
-+ retval = pam_set_item(data->pamh, PAM_RUSER, user);
-+ if (retval != PAM_SUCCESS) {
-+ debug_msg("userhelper: pam_set_item(PAM_RUSER) failed\n");
-+ fail_exit(data, retval);
-+ }
-+
-+ tty = ttyname(STDIN_FILENO);
-+ if (tty != NULL) {
-+ if (strncmp(tty, "/dev/", 5) == 0)
-+ tty += 5;
-+ retval = pam_set_item(data->pamh, PAM_TTY, tty);
-+ if (retval != PAM_SUCCESS) {
-+ debug_msg("userhelper: pam_set_item(PAM_TTY) failed\n");
-+ fail_exit(data, retval);
-+ }
-+ }
-+}
-+
- /* Change the user's password using the indicated conversation function and
- * application data (which includes the ability to cancel if the user requests
- * it. For this task, we don't retry on failure. */
-@@ -1118,11 +1143,7 @@
- fail_exit(conv->appdata_ptr, retval);
- }
-
-- retval = pam_set_item(data->pamh, PAM_RUSER, user);
-- if (retval != PAM_SUCCESS) {
-- debug_msg("userhelper: pam_set_item(PAM_RUSER) failed\n");
-- fail_exit(conv->appdata_ptr, retval);
-- }
-+ set_pam_items(data, user);
-
- debug_msg("userhelper: changing password for \"%s\"\n", user);
- retval = pam_chauthtok(data->pamh, 0);
-@@ -1195,12 +1216,7 @@
- fail_exit(conv->appdata_ptr, retval);
- }
-
-- /* Set the requesting user. */
-- retval = pam_set_item(data->pamh, PAM_RUSER, user);
-- if (retval != PAM_SUCCESS) {
-- debug_msg("userhelper: pam_set_item(PAM_RUSER) failed\n");
-- fail_exit(conv->appdata_ptr, retval);
-- }
-+ set_pam_items(data, user);
-
- /* Try to authenticate the user. */
- do {
-@@ -1742,12 +1758,7 @@
- fail_exit(conv->appdata_ptr, retval);
- }
-
-- /* Set the requesting user. */
-- retval = pam_set_item(data->pamh, PAM_RUSER, user);
-- if (retval != PAM_SUCCESS) {
-- debug_msg("userhelper: pam_set_item(PAM_RUSER) failed\n");
-- fail_exit(conv->appdata_ptr, retval);
-- }
-+ set_pam_items(data, user);
-
- /* Try to authenticate the user. */
- do {
diff --git a/usermode-1.102-paranoia.patch b/usermode-1.102-paranoia.patch
deleted file mode 100644
index 94218f3..0000000
--- a/usermode-1.102-paranoia.patch
+++ /dev/null
@@ -1,94 +0,0 @@
-# HG changeset patch
-# User Miloslav Trmač
-# Date 1265320817 -3600
-# Node ID 8a897830e2d8745a72eb4236f02a981cfdc95528
-# Parent 0dcd3edc6d56d65d8f02b31a9c807b1c152232c5
-Be more paranoid about manipulating user/group IDs.
-
-2010-02-04 Miloslav Trmač
-
- * userhelper.c (become_super): Check for failures of the system
- calls in addition to verifying the expected results.
- (become_normal): Check for failures of the system
- calls in addition to verifying the expected results. Call setregid()
- as well. Verify the real gid/uid values.
-
-diff -r 0dcd3edc6d56 -r 8a897830e2d8 ChangeLog
---- a/ChangeLog Sun Dec 06 17:02:50 2009 +0000
-+++ b/ChangeLog Thu Feb 04 23:00:17 2010 +0100
-@@ -1,3 +1,11 @@
-+2010-02-04 Miloslav Trmač
-+
-+ * userhelper.c (become_super): Check for failures of the system
-+ calls in addition to verifying the expected results.
-+ (become_normal): Check for failures of the system
-+ calls in addition to verifying the expected results. Call setregid()
-+ as well. Verify the real gid/uid values.
-+
- 2009-10-05 Miloslav Trmač
-
- * configure.ac: Release 1.102.
-diff -r 0dcd3edc6d56 -r 8a897830e2d8 userhelper.c
---- a/userhelper.c Sun Dec 06 17:02:50 2009 +0000
-+++ b/userhelper.c Thu Feb 04 23:00:17 2010 +0100
-@@ -985,17 +985,20 @@
- static void
- become_super(void)
- {
-- /* Become the superuser. */
-- setgroups(0, NULL);
-- setregid(0, 0);
-- setreuid(0, 0);
-- /* Yes, setuid() and friends can fail, even for superusers. */
-+ /* Become the superuser.
-+ Yes, setuid() and friends can fail, even for superusers. */
-+ if (setgroups(0, NULL) != 0 ||
-+ setregid(0, 0) != 0 ||
-+ setreuid(0, 0) != 0) {
-+ debug_msg("userhelper: set*id() failure: %s\n",
-+ strerror(errno));
-+ exit(ERR_EXEC_FAILED);
-+ }
- if ((geteuid() != 0) ||
- (getuid() != 0) ||
- (getegid() != 0) ||
- (getgid() != 0)) {
-- debug_msg("userhelper: set*id() failure: %s\n",
-- strerror(errno));
-+ debug_msg("userhelper: set*id() didn't work\n");
- exit(ERR_EXEC_FAILED);
- }
- }
-@@ -1003,17 +1006,26 @@
- static void
- become_normal(const char *user)
- {
-- /* Join the groups of the user who invoked us. */
-- initgroups(user, getgid());
-+ gid_t gid;
-+ uid_t uid;
-+
-+ gid = getgid();
-+ uid = getuid();
-+ /* Become the user who invoked us. */
-+ if (initgroups(user, gid) != 0 ||
-+ setregid(gid, gid) != 0 ||
-+ setreuid(uid, uid) != 0) {
-+ debug_msg("userhelper: set*id() failure: %s\n",
-+ strerror(errno));
-+ exit(ERR_EXEC_FAILED);
-+ }
- /* Verify that we're back to normal. */
-- if (getegid() != getgid()) {
-+ if (getegid() != gid || getgid() != gid) {
- debug_msg("userhelper: still setgid()\n");
- exit(ERR_EXEC_FAILED);
- }
-- /* Become the user who invoked us. */
-- setreuid(getuid(), getuid());
- /* Yes, setuid() can fail. */
-- if (geteuid() != getuid()) {
-+ if (geteuid() != uid || getuid() != uid) {
- debug_msg("userhelper: still setuid()\n");
- exit(ERR_EXEC_FAILED);
- }
diff --git a/usermode.spec b/usermode.spec
index 472eb71..9bb0e37 100644
--- a/usermode.spec
+++ b/usermode.spec
@@ -1,15 +1,11 @@ Summary: Tools for certain user account management tasks Name: usermode -Version: 1.102 -Release: 2%{?dist} +Version: 1.103 +Release: 1%{?dist} License: GPLv2+ Group: Applications/System URL: https://fedorahosted.org/usermode/ Source: https://fedorahosted.org/releases/u/s/usermode/usermode-%{version}.tar.bz2 -# Committed upstream -Patch0: usermode-1.102-paranoia.patch -# Committed upstream -Patch1: usermode-1.102-PAM_TTY.patch Requires: pam, passwd, util-linux BuildRequires: desktop-file-utils, gettext, glib2-devel, gtk2-devel, intltool BuildRequires: libblkid-devel, libSM-devel, libselinux-devel, libuser-devel @@ -39,8 +35,6 @@ graphical tools for certain account management tasks. %prep %setup -q -%patch0 -p1 -b .paranoia -%patch1 -p1 -b .PAM_TTY %build %configure --with-selinux @@ -118,11 +112,16 @@ rm -rf $RPM_BUILD_ROOT %{_datadir}/applications/* %changelog +* Tue Feb 16 2010 Miloslav Trmač - 1.103-1 +- Update to usermode-1.103 + * Fri Feb 5 2010 Miloslav Trmač - 1.102-2 - Use %%{?_smp_mflags} - Use the four-parameter version of %%defattr - Be more paranoid about dropping privileges + Resolves: #562194 - Set PAM_TTY + Resolves: #562195 * Mon Oct 5 2009 Miloslav Trmač - 1.102-1 - Update to usermode-1.102