diff options
| author |   Patrick J Volkerding <volkerdi@slackware.com> | 2013-11-04 17:08:47 +0000 |
|---|---|---|
| committer |   Eric Hameleers <alien@slackware.com> | 2018-05-31 22:57:36 +0200 |
| commit | 76fc4757ac91ac7947a01fb7b53dddf9a78a01d1 (patch) | |
| tree | 9b98e6e193c7870cb27ac861394c1c4592850922 /extra/source/pam | |
| parent | 9664bee729d487bcc0a0bc35859f8e13d5421c75 (diff) | |
| download | current-slackware-14.1.tar.gz current-slackware-14.1.tar.xz | |
Slackware 14.1slackware-14.1
Mon Nov 4 17:08:47 UTC 2013
Slackware 14.1 x86_64 stable is released!
It's been another interesting release cycle here at Slackware bringing
new features like support for UEFI machines, updated compilers and
development tools, the switch from MySQL to MariaDB, and many more
improvements throughout the system. Thanks to the team, the upstream
developers, the dedicated Slackware community, and everyone else who
pitched in to help make this release a reality.
The ISOs are off to be replicated, a 6 CD-ROM 32-bit set and a
dual-sided
32-bit/64-bit x86/x86_64 DVD. Please consider supporting the Slackware
project by picking up a copy from store.slackware.com. We're taking
pre-orders now, and offer a discount if you sign up for a subscription.
Have fun! :-)
Diffstat (limited to 'extra/source/pam')
| -rwxr-xr-x | extra/source/pam/make-pam-solibs-for-chrome.sh | 84 | ||||
| -rwxr-xr-x | extra/source/pam/pam.SlackBuild | 173 | ||||
| -rw-r--r-- | extra/source/pam/patches/pam-1.0.90-redhat-modules.patch | 23 | ||||
| -rw-r--r-- | extra/source/pam/patches/pam-1.0.91-std-noclose.patch | 98 | ||||
| -rw-r--r-- | extra/source/pam/patches/pam-1.1.0-notally.patch | 12 | ||||
| -rw-r--r-- | extra/source/pam/patches/pam-1.1.1-faillock.patch | 1712 | ||||
| -rw-r--r-- | extra/source/pam/patches/pam-1.1.2-noflex.patch | 27 | ||||
| -rw-r--r-- | extra/source/pam/patches/pam-1.1.3-faillock-screensaver.patch | 167 | ||||
| -rw-r--r-- | extra/source/pam/patches/pam-1.1.3-limits-nosetreuid.patch | 64 | ||||
| -rw-r--r-- | extra/source/pam/patches/pam-1.1.3-limits-range.patch | 351 | ||||
| -rw-r--r-- | extra/source/pam/patches/pam-1.1.3-nouserenv.patch | 27 | ||||
| -rw-r--r-- | extra/source/pam/patches/pam-1.1.3-pwhistory-incomplete.patch | 54 | ||||
| -rw-r--r-- | extra/source/pam/patches/pam-1.1.3-securetty-console.patch | 120 | ||||
| -rw-r--r-- | extra/source/pam/slack-desc | 19 |
14 files changed, 0 insertions, 2931 deletions
diff --git a/extra/source/pam/make-pam-solibs-for-chrome.sh b/extra/source/pam/make-pam-solibs-for-chrome.sh deleted file mode 100755 index e7cd4c9e6..000000000 --- a/extra/source/pam/make-pam-solibs-for-chrome.sh +++ /dev/null @@ -1,84 +0,0 @@ -#!/bin/sh - -# Copyright 2011 Patrick J. Volkerding, Sebeka, Minnesota, USA -# All rights reserved. -# -# Redistribution and use of this script, with or without modification, is -# permitted provided that the following conditions are met: -# -# 1. Redistributions of this script must retain the above copyright -# notice, this list of conditions and the following disclaimer. -# -# THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR IMPLIED -# WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF -# MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO -# EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, -# SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, -# PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; -# OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, -# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR -# OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF -# ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. - -# This expects to find a file pam-*.txz in the local directory that -# will contain a usable PAM shared library to satify the requirement -# for that library. To get whatever is actually using PAM working is -# going to need more PAM structure installed, but luckily I've yet to -# encounter what needs it and everything works fine with only the -# libpam.so.0 installed. - -if ! ls pam-*-*-*.txz 1> /dev/null 2> /dev/null ; then - echo "FAIL: no Slackware pam txz package found." - exit 1 -fi - -PKGNAM=google-chrome-pam-solibs -VERSION=${VERSION:-$(echo pam-*-*-*.txz | cut -f 2 -d -)} -ARCH=${ARCH:-$(echo pam-*-*-*.txz | cut -f 3 -d -)} -BUILD=${BUILD:-$(echo pam-*-*-*.txz | cut -f 4 -d - | cut -f 1 -d .)} - -CWD=$(pwd) -TMP=${TMP:-/tmp} -PKG=$TMP/package-$PKGNAM -rm -rf $PKG -mkdir -p $TMP $PKG - -cd $PKG -mkdir tmp -( cd tmp - explodepkg $CWD/pam-$VERSION-$ARCH-$BUILD.txz - sh install/doinst.sh -) -mkdir -p $PKG/opt/google/chrome -if [ -d tmp/lib64 ]; then - cp -a tmp/lib64/libpam.so.0* $PKG/opt/google/chrome -else - cp -a tmp/lib/libpam.so.0* $PKG/opt/google/chrome -fi -rm -rf $PKG/tmp - -mkdir -p $PKG/install -cat << EOF > $PKG/install/slack-desc -# HOW TO EDIT THIS FILE: -# The "handy ruler" below makes it easier to edit a package description. Line -# up the first '|' above the ':' following the base package name, and the '|' -# on the right side marks the last column you can put a character in. You must -# make exactly 11 lines for the formatting to be correct. It's also -# customary to leave one space after the ':'. - |-----handy-ruler------------------------------------------------------| -google-chrome-pam-solibs: google-chrome-pam-solibs (libpam.so.0) -google-chrome-pam-solibs: -google-chrome-pam-solibs: This is a package that provides libpam.so.0 to satisfy the library -google-chrome-pam-solibs: requirement for Google Chrome when that is installed in the -google-chrome-pam-solibs: usual /opt/google/chrome directory. It does not provide any other -google-chrome-pam-solibs: PAM features, and cannot be used to compile against or by other -google-chrome-pam-solibs: programs. If you need real PAM for some reason (like to compile -google-chrome-pam-solibs: Chromium), please see the pam.SlackBuild in the source directory. -google-chrome-pam-solibs: -google-chrome-pam-solibs: -google-chrome-pam-solibs: -EOF - -cd $PKG -/sbin/makepkg -l y -c n $TMP/$PKGNAM-$VERSION-$ARCH-$BUILD$TAG.txz - diff --git a/extra/source/pam/pam.SlackBuild b/extra/source/pam/pam.SlackBuild deleted file mode 100755 index bbea0617a..000000000 --- a/extra/source/pam/pam.SlackBuild +++ /dev/null @@ -1,173 +0,0 @@ -#!/bin/sh - -# Copyright 2010 Vincent Batts, vbatts@hashbangbash.com -# Copyright 2010, 2011 Patrick J. Volkerding, Sebeka, Minnesota, USA -# All rights reserved. -# -# Redistribution and use of this script, with or without modification, is -# permitted provided that the following conditions are met: -# -# 1. Redistributions of this script must retain the above copyright -# notice, this list of conditions and the following disclaimer. -# -# THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR IMPLIED -# WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF -# MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO -# EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, -# SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, -# PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; -# OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, -# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR -# OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF -# ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. - -# Call the church police! ;-) -SRCNAM=Linux-PAM -PKGNAM=pam -PAMRHVER=${PAMRHVER:-$(echo pam-redhat-*.tar.?z* | rev | cut -f 3- -d . | cut -f 1,2 -d - | rev)} -VERSION=${VERSION:-$(echo $SRCNAM-*.tar.?z* | rev | cut -f 3- -d . | cut -f 1 -d - | rev)} -BUILD=${BUILD:-1} - -# Automatically determine the architecture we're building on: -if [ -z "$ARCH" ]; then - case "$( uname -m )" in - i?86) export ARCH=i486 ;; - arm*) export ARCH=arm ;; - # Unless $ARCH is already set, use uname -m for all other archs: - *) export ARCH=$( uname -m ) ;; - esac -fi - -NUMJOBS=${NUMJOBS:--j7} - -if [ "$ARCH" = "i386" ]; then - SLKCFLAGS="-O2 -march=i386 -mcpu=i686" - LIBDIRSUFFIX="" -elif [ "$ARCH" = "i486" ]; then - SLKCFLAGS="-O2 -march=i486 -mtune=i686" - LIBDIRSUFFIX="" -elif [ "$ARCH" = "s390" ]; then - SLKCFLAGS="-O2" - LIBDIRSUFFIX="" -elif [ "$ARCH" = "x86_64" ]; then - SLKCFLAGS="-O2 -fPIC" - LIBDIRSUFFIX="64" -else - SLKCFLAGS="-O2" - LIBDIRSUFFIX="" -fi - -CWD=$(pwd) -TMP=${TMP:-/tmp} -PKG=$TMP/package-$PKGNAM - -rm -rf $PKG -mkdir -p $TMP $PKG - -cd $TMP -rm -rf $SRCNAM-$VERSION -tar xvf $CWD/$SRCNAM-$VERSION.tar.?z* || exit 1 -cd $SRCNAM-$VERSION || exit 1 - -# Better take the Red Hat added modules and patches, because that's very -# likely to be the most standard as far as PAM goes: -tar xvf $CWD/pam-redhat-$PAMRHVER.tar.?z* || exit 1 -mv pam-redhat-$PAMRHVER/{CHANGELOG*,COPYING*,README*} . -mv pam-redhat-$PAMRHVER/* modules -zcat $CWD/patches/pam-1.0.90-redhat-modules.patch.gz | patch -p1 --verbose || exit 1 -zcat $CWD/patches/pam-1.0.91-std-noclose.patch.gz | patch -p1 --verbose || exit 1 -zcat $CWD/patches/pam-1.1.0-notally.patch.gz | patch -p1 --verbose || exit 1 -zcat $CWD/patches/pam-1.1.1-faillock.patch.gz | patch -p1 --verbose || exit 1 -zcat $CWD/patches/pam-1.1.2-noflex.patch.gz | patch -p1 --verbose || exit 1 -zcat $CWD/patches/pam-1.1.3-faillock-screensaver.patch.gz | patch -p1 --verbose || exit 1 -zcat $CWD/patches/pam-1.1.3-limits-nosetreuid.patch.gz | patch -p1 --verbose || exit 1 -zcat $CWD/patches/pam-1.1.3-limits-range.patch.gz | patch -p0 --verbose || exit 1 -zcat $CWD/patches/pam-1.1.3-nouserenv.patch.gz | patch -p1 --verbose || exit 1 -zcat $CWD/patches/pam-1.1.3-pwhistory-incomplete.patch.gz | patch -p1 --verbose || exit 1 -zcat $CWD/patches/pam-1.1.3-securetty-console.patch.gz | patch -p0 --verbose || exit 1 - -# Churn some patches from .am -> .in: -autoreconf -f - -# Make these 2 man pages or the build falls over later on: -( cd modules/pam_faillock - xmlto man faillock.8.xml - xmlto man pam_faillock.8.xml -) - -chown -R root:root . -find . \ - \( -perm 777 -o -perm 775 -o -perm 711 -o -perm 555 -o -perm 511 \) \ - -exec chmod 755 {} \; -o \ - \( -perm 666 -o -perm 664 -o -perm 600 -o -perm 444 -o -perm 440 -o -perm 400 \) \ - -exec chmod 644 {} \; - -CFLAGS="$SLKCFLAGS" \ -CXXFLAGS="$SLKCFLAGS" \ -./configure \ - --prefix=/ \ - --libdir=/lib${LIBDIRSUFFIX} \ - --sysconfdir=/etc \ - --includedir=/usr/include/security \ - --datarootdir=/usr/share \ - --localstatedir=/var \ - --mandir=/usr/man \ - --docdir=/usr/doc/$PKGNAM-$VERSION \ - --enable-read-both-confs \ - --disable-prelude \ - --disable-selinux \ - --build=$ARCH-slackware-linux || exit 1 - -make $NUMJOBS || make || exit 1 -make install DESTDIR=$PKG || exit 1 - -# this is a pam helper, that can only be called from pam -chown root:shadow $PKG/sbin/unix_chkpwd -chmod g+s $PKG/sbin/unix_chkpwd - -# Strip binaries: -( cd $PKG - find . | xargs file | grep "executable" | grep ELF | cut -f 1 -d : | xargs strip --strip-unneeded 2> /dev/null - find . | xargs file | grep "shared object" | grep ELF | cut -f 1 -d : | xargs strip --strip-unneeded 2> /dev/null -) - -# Compress and if needed symlink the man pages: -if [ -d $PKG/usr/man ]; then - ( cd $PKG/usr/man - for manpagedir in $(find . -type d -name "man*") ; do - ( cd $manpagedir - for eachpage in $( find . -type l -maxdepth 1) ; do - ln -s $( readlink $eachpage ).gz $eachpage.gz - rm $eachpage - done - gzip -9 *.? - ) - done - ) -fi - -mkdir -p $PKG/usr/doc/$PKGNAM-$VERSION -cp -a \ - AUTHORS COPYING* Copyright NEWS README* \ - $PKG/usr/doc/$PKGNAM-$VERSION - -# If there's a ChangeLog, installing at least part of the recent history -# is useful, but don't let it get totally out of control: -if [ -r ChangeLog ]; then - DOCSDIR=$(echo $PKG/usr/doc/${PKGNAM}-$VERSION) - cat ChangeLog | head -n 1000 > $DOCSDIR/ChangeLog - touch -r ChangeLog $DOCSDIR/ChangeLog -fi -if [ -r CHANGELOG ]; then - DOCSDIR=$(echo $PKG/usr/doc/${PKGNAM}-$VERSION) - cat CHANGELOG | head -n 1000 > $DOCSDIR/CHANGELOG - touch -r CHANGELOG $DOCSDIR/CHANGELOG -fi -rm -f $PKG/usr/doc/$PKGNAM-$VERSION/index.html - -mkdir -p $PKG/install -cat $CWD/slack-desc > $PKG/install/slack-desc - -cd $PKG -/sbin/makepkg -l y -c n $TMP/$PKGNAM-$VERSION-$ARCH-$BUILD$TAG.txz - diff --git a/extra/source/pam/patches/pam-1.0.90-redhat-modules.patch b/extra/source/pam/patches/pam-1.0.90-redhat-modules.patch deleted file mode 100644 index 3ad41ccc6..000000000 --- a/extra/source/pam/patches/pam-1.0.90-redhat-modules.patch +++ /dev/null @@ -1,23 +0,0 @@ -diff -up Linux-PAM-1.0.90/modules/Makefile.am.redhat-modules Linux-PAM-1.0.90/modules/Makefile.am ---- Linux-PAM-1.0.90/modules/Makefile.am.redhat-modules 2008-11-29 08:27:35.000000000 +0100 -+++ Linux-PAM-1.0.90/modules/Makefile.am 2008-12-16 13:40:16.000000000 +0100 -@@ -3,6 +3,7 @@ - # - - SUBDIRS = pam_access pam_cracklib pam_debug pam_deny pam_echo \ -+ pam_chroot pam_console pam_postgresok \ - pam_env pam_exec pam_faildelay pam_filter pam_ftp \ - pam_group pam_issue pam_keyinit pam_lastlog pam_limits \ - pam_listfile pam_localuser pam_loginuid pam_mail \ -diff -up Linux-PAM-1.0.90/configure.in.redhat-modules Linux-PAM-1.0.90/configure.in ---- Linux-PAM-1.0.90/configure.in.redhat-modules 2008-12-02 16:25:01.000000000 +0100 -+++ Linux-PAM-1.0.90/configure.in 2008-12-16 13:39:11.000000000 +0100 -@@ -531,6 +531,8 @@ AC_CONFIG_FILES([Makefile libpam/Makefil - libpam_misc/Makefile conf/Makefile conf/pam_conv1/Makefile \ - po/Makefile.in \ - modules/Makefile \ -+ modules/pam_chroot/Makefile modules/pam_console/Makefile \ -+ modules/pam_postgresok/Makefile \ - modules/pam_access/Makefile modules/pam_cracklib/Makefile \ - modules/pam_debug/Makefile modules/pam_deny/Makefile \ - modules/pam_echo/Makefile modules/pam_env/Makefile \ diff --git a/extra/source/pam/patches/pam-1.0.91-std-noclose.patch b/extra/source/pam/patches/pam-1.0.91-std-noclose.patch deleted file mode 100644 index 735948490..000000000 --- a/extra/source/pam/patches/pam-1.0.91-std-noclose.patch +++ /dev/null @@ -1,98 +0,0 @@ -diff -up Linux-PAM-1.0.91/modules/pam_mkhomedir/pam_mkhomedir.c.std-noclose Linux-PAM-1.0.91/modules/pam_mkhomedir/pam_mkhomedir.c ---- Linux-PAM-1.0.91/modules/pam_mkhomedir/pam_mkhomedir.c.std-noclose 2009-03-03 14:56:01.000000000 +0100 -+++ Linux-PAM-1.0.91/modules/pam_mkhomedir/pam_mkhomedir.c 2009-03-26 10:02:15.000000000 +0100 -@@ -131,13 +131,21 @@ create_homedir (pam_handle_t *pamh, int - if (child == 0) { - int i; - struct rlimit rlim; -+ int dummyfds[2]; - static char *envp[] = { NULL }; - char *args[] = { NULL, NULL, NULL, NULL, NULL }; - -+ /* replace std file descriptors with a dummy pipe */ -+ if (pipe(dummyfds) == 0) { -+ dup2(dummyfds[0], STDIN_FILENO); -+ dup2(dummyfds[1], STDOUT_FILENO); -+ dup2(dummyfds[1], STDERR_FILENO); -+ } -+ - if (getrlimit(RLIMIT_NOFILE, &rlim)==0) { - if (rlim.rlim_max >= MAX_FD_NO) - rlim.rlim_max = MAX_FD_NO; -- for (i=0; i < (int)rlim.rlim_max; i++) { -+ for (i = STDERR_FILENO + 1; i < (int)rlim.rlim_max; i++) { - close(i); - } - } -diff -up Linux-PAM-1.0.91/modules/pam_unix/support.c.std-noclose Linux-PAM-1.0.91/modules/pam_unix/support.c ---- Linux-PAM-1.0.91/modules/pam_unix/support.c.std-noclose 2009-03-03 14:56:01.000000000 +0100 -+++ Linux-PAM-1.0.91/modules/pam_unix/support.c 2009-03-26 10:08:59.000000000 +0100 -@@ -443,13 +443,16 @@ static int _unix_run_helper_binary(pam_h - - /* reopen stdin as pipe */ - dup2(fds[0], STDIN_FILENO); -+ /* and replace also the stdout/err as the helper will -+ not write anything there */ -+ dup2(fds[1], STDOUT_FILENO); -+ dup2(fds[1], STDERR_FILENO); - - if (getrlimit(RLIMIT_NOFILE,&rlim)==0) { - if (rlim.rlim_max >= MAX_FD_NO) - rlim.rlim_max = MAX_FD_NO; -- for (i=0; i < (int)rlim.rlim_max; i++) { -- if (i != STDIN_FILENO) -- close(i); -+ for (i = STDERR_FILENO + 1; i < (int)rlim.rlim_max; i++) { -+ close(i); - } - } - -diff -up Linux-PAM-1.0.91/modules/pam_unix/pam_unix_passwd.c.std-noclose Linux-PAM-1.0.91/modules/pam_unix/pam_unix_passwd.c ---- Linux-PAM-1.0.91/modules/pam_unix/pam_unix_passwd.c.std-noclose 2009-03-03 14:56:01.000000000 +0100 -+++ Linux-PAM-1.0.91/modules/pam_unix/pam_unix_passwd.c 2009-03-26 10:07:06.000000000 +0100 -@@ -175,13 +175,16 @@ static int _unix_run_update_binary(pam_h - - /* reopen stdin as pipe */ - dup2(fds[0], STDIN_FILENO); -+ /* and replace also the stdout/err as the helper will -+ not write anything there */ -+ dup2(fds[1], STDOUT_FILENO); -+ dup2(fds[1], STDERR_FILENO); - - if (getrlimit(RLIMIT_NOFILE,&rlim)==0) { - if (rlim.rlim_max >= MAX_FD_NO) - rlim.rlim_max = MAX_FD_NO; -- for (i=0; i < (int)rlim.rlim_max; i++) { -- if (i != STDIN_FILENO) -- close(i); -+ for (i = STDERR_FILENO + 1; i < (int)rlim.rlim_max; i++) { -+ close(i); - } - } - -diff -up Linux-PAM-1.0.91/modules/pam_unix/pam_unix_acct.c.std-noclose Linux-PAM-1.0.91/modules/pam_unix/pam_unix_acct.c ---- Linux-PAM-1.0.91/modules/pam_unix/pam_unix_acct.c.std-noclose 2009-03-03 14:56:01.000000000 +0100 -+++ Linux-PAM-1.0.91/modules/pam_unix/pam_unix_acct.c 2009-03-26 10:05:41.000000000 +0100 -@@ -100,16 +100,18 @@ int _unix_run_verify_binary(pam_handle_t - - /* reopen stdout as pipe */ - dup2(fds[1], STDOUT_FILENO); -+ /* and replace also the stdin, stderr so we do not exec the helper with -+ tty as stdin, it will not read anything from there anyway */ -+ dup2(fds[0], STDIN_FILENO); -+ dup2(fds[1], STDERR_FILENO); - - /* XXX - should really tidy up PAM here too */ - - if (getrlimit(RLIMIT_NOFILE,&rlim)==0) { - if (rlim.rlim_max >= MAX_FD_NO) - rlim.rlim_max = MAX_FD_NO; -- for (i=0; i < (int)rlim.rlim_max; i++) { -- if (i != STDOUT_FILENO) { -- close(i); -- } -+ for (i = STDERR_FILENO + 1; i < (int)rlim.rlim_max; i++) { -+ close(i); - } - } - diff --git a/extra/source/pam/patches/pam-1.1.0-notally.patch b/extra/source/pam/patches/pam-1.1.0-notally.patch deleted file mode 100644 index 9327eecba..000000000 --- a/extra/source/pam/patches/pam-1.1.0-notally.patch +++ /dev/null @@ -1,12 +0,0 @@ -diff -up Linux-PAM-1.1.0/modules/Makefile.am.notally Linux-PAM-1.1.0/modules/Makefile.am ---- Linux-PAM-1.1.0/modules/Makefile.am.notally 2009-07-27 17:39:25.000000000 +0200 -+++ Linux-PAM-1.1.0/modules/Makefile.am 2009-09-01 17:40:16.000000000 +0200 -@@ -10,7 +10,7 @@ SUBDIRS = pam_access pam_cracklib pam_de - pam_mkhomedir pam_motd pam_namespace pam_nologin \ - pam_permit pam_pwhistory pam_rhosts pam_rootok pam_securetty \ - pam_selinux pam_sepermit pam_shells pam_stress \ -- pam_succeed_if pam_tally pam_tally2 pam_time pam_timestamp \ -+ pam_succeed_if pam_tally2 pam_time pam_timestamp \ - pam_tty_audit pam_umask \ - pam_unix pam_userdb pam_warn pam_wheel pam_xauth - diff --git a/extra/source/pam/patches/pam-1.1.1-faillock.patch b/extra/source/pam/patches/pam-1.1.1-faillock.patch deleted file mode 100644 index 46f303741..000000000 --- a/extra/source/pam/patches/pam-1.1.1-faillock.patch +++ /dev/null @@ -1,1712 +0,0 @@ -diff -up Linux-PAM-1.1.1/configure.in.faillock Linux-PAM-1.1.1/configure.in ---- Linux-PAM-1.1.1/configure.in.faillock 2010-09-17 15:58:41.000000000 +0200 -+++ Linux-PAM-1.1.1/configure.in 2010-09-17 15:58:41.000000000 +0200 -@@ -539,7 +539,7 @@ AC_CONFIG_FILES([Makefile libpam/Makefil - modules/pam_access/Makefile modules/pam_cracklib/Makefile \ - modules/pam_debug/Makefile modules/pam_deny/Makefile \ - modules/pam_echo/Makefile modules/pam_env/Makefile \ -- modules/pam_faildelay/Makefile \ -+ modules/pam_faildelay/Makefile modules/pam_faillock/Makefile \ - modules/pam_filter/Makefile modules/pam_filter/upperLOWER/Makefile \ - modules/pam_ftp/Makefile modules/pam_group/Makefile \ - modules/pam_issue/Makefile modules/pam_keyinit/Makefile \ -diff -up Linux-PAM-1.1.1/doc/sag/pam_faillock.xml.faillock Linux-PAM-1.1.1/doc/sag/pam_faillock.xml ---- Linux-PAM-1.1.1/doc/sag/pam_faillock.xml.faillock 2010-09-17 16:05:56.000000000 +0200 -+++ Linux-PAM-1.1.1/doc/sag/pam_faillock.xml 2010-09-17 16:08:26.000000000 +0200 -@@ -0,0 +1,38 @@ -+<?xml version='1.0' encoding='UTF-8'?> -+<!DOCTYPE section PUBLIC "-//OASIS//DTD DocBook XML V4.4//EN" -+ "http://www.oasis-open.org/docbook/xml/4.4/docbookx.dtd"> -+<section id='sag-pam_faillock'> -+ <title>pam_faillock - temporarily locking access based on failed authentication attempts during an interval</title> -+ <cmdsynopsis> -+ <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" -+ href="../../modules/pam_faillock/pam_faillock.8.xml" xpointer='xpointer(//cmdsynopsis[@id = "pam_faillock-cmdsynopsisauth"]/*)'/> -+ </cmdsynopsis> -+ <cmdsynopsis> -+ <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" -+ href="../../modules/pam_faillock/pam_faillock.8.xml" xpointer='xpointer(//cmdsynopsis[@id = "pam_faillock-cmdsynopsisacct"]/*)'/> -+ </cmdsynopsis> -+ <section id='sag-pam_faillock-description'> -+ <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" -+ href="../../modules/pam_faillock/pam_faillock.8.xml" xpointer='xpointer(//refsect1[@id = "pam_faillock-description"]/*)'/> -+ </section> -+ <section id='sag-pam_faillock-options'> -+ <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" -+ href="../../modules/pam_faillock/pam_faillock.8.xml" xpointer='xpointer(//refsect1[@id = "pam_faillock-options"]/*)'/> -+ </section> -+ <section id='sag-pam_faillock-types'> -+ <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" -+ href="../../modules/pam_faillock/pam_faillock.8.xml" xpointer='xpointer(//refsect1[@id = "pam_faillock-types"]/*)'/> -+ </section> -+ <section id='sag-pam_faillock-return_values'> -+ <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" -+ href="../../modules/pam_faillock/pam_faillock.8.xml" xpointer='xpointer(//refsect1[@id = "pam_faillock-return_values"]/*)'/> -+ </section> -+ <section id='sag-pam_faillock-examples'> -+ <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" -+ href="../../modules/pam_faillock/pam_faillock.8.xml" xpointer='xpointer(//refsect1[@id = "pam_faillock-examples"]/*)'/> -+ </section> -+ <section id='sag-pam_faillock-author'> -+ <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" -+ href="../../modules/pam_faillock/pam_faillock.8.xml" xpointer='xpointer(//refsect1[@id = "pam_faillock-author"]/*)'/> -+ </section> -+</section> -diff -up Linux-PAM-1.1.1/modules/Makefile.am.faillock Linux-PAM-1.1.1/modules/Makefile.am ---- Linux-PAM-1.1.1/modules/Makefile.am.faillock 2010-09-17 15:58:41.000000000 +0200 -+++ Linux-PAM-1.1.1/modules/Makefile.am 2010-09-17 15:58:41.000000000 +0200 -@@ -3,7 +3,7 @@ - # - - SUBDIRS = pam_access pam_cracklib pam_debug pam_deny pam_echo \ -- pam_chroot pam_console pam_postgresok \ -+ pam_chroot pam_console pam_postgresok pam_faillock \ - pam_env pam_exec pam_faildelay pam_filter pam_ftp \ - pam_group pam_issue pam_keyinit pam_lastlog pam_limits \ - pam_listfile pam_localuser pam_loginuid pam_mail \ -diff -up Linux-PAM-1.1.1/modules/pam_faillock/faillock.c.faillock Linux-PAM-1.1.1/modules/pam_faillock/faillock.c ---- Linux-PAM-1.1.1/modules/pam_faillock/faillock.c.faillock 2010-09-17 15:58:41.000000000 +0200 -+++ Linux-PAM-1.1.1/modules/pam_faillock/faillock.c 2010-09-17 15:58:41.000000000 +0200 -@@ -0,0 +1,147 @@ -+/* -+ * Copyright (c) 2010 Tomas Mraz <tmraz@redhat.com> -+ * -+ * Redistribution and use in source and binary forms, with or without -+ * modification, are permitted provided that the following conditions -+ * are met: -+ * 1. Redistributions of source code must retain the above copyright -+ * notice, and the entire permission notice in its entirety, -+ * including the disclaimer of warranties. -+ * 2. Redistributions in binary form must reproduce the above copyright -+ * notice, this list of conditions and the following disclaimer in the -+ * documentation and/or other materials provided with the distribution. -+ * 3. The name of the author may not be used to endorse or promote -+ * products derived from this software without specific prior -+ * written permission. -+ * -+ * ALTERNATIVELY, this product may be distributed under the terms of -+ * the GNU Public License, in which case the provisions of the GPL are -+ * required INSTEAD OF the above restrictions. (This clause is -+ * necessary due to a potential bad interaction between the GPL and -+ * the restrictions contained in a BSD-style copyright.) -+ * -+ * THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED -+ * WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES -+ * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE -+ * DISCLAIMED. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, -+ * INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES -+ * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR -+ * SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) -+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, -+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) -+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED -+ * OF THE POSSIBILITY OF SUCH DAMAGE. -+ */ -+ -+#include "config.h" -+#include <string.h> -+#include <stdlib.h> -+#include <unistd.h> -+#include <errno.h> -+#include <sys/types.h> -+#include <sys/stat.h> -+#include <sys/file.h> -+#include <fcntl.h> -+#include <security/pam_modutil.h> -+ -+#include "faillock.h" -+ -+int -+open_tally (const char *dir, const char *user, int create) -+{ -+ char *path; -+ int flags = O_RDWR; -+ int fd; -+ -+ if (strstr(user, "../") != NULL) -+ /* just a defensive programming as the user must be a -+ * valid user on the system anyway -+ */ -+ return -1; -+ path = malloc(strlen(dir) + strlen(user) + 2); -+ if (path == NULL) -+ return -1; -+ -+ strcpy(path, dir); -+ if (*dir && dir[strlen(dir) - 1] != '/') { -+ strcat(path, "/"); -+ } -+ strcat(path, user); -+ -+ if (create) { -+ flags |= O_CREAT; -+ } -+ -+ fd = open(path, flags, 0600); -+ -+ if (fd != -1) -+ while (flock(fd, LOCK_EX) == -1 && errno == EINTR); -+ -+ return fd; -+} -+ -+#define CHUNK_SIZE (64 * sizeof(struct tally)) -+#define MAX_RECORDS 1024 -+ -+int -+read_tally(int fd, struct tally_data *tallies) -+{ -+ void *data = NULL, *newdata; -+ unsigned int count = 0; -+ ssize_t chunk = 0; -+ -+ do { -+ newdata = realloc(data, count * sizeof(struct tally) + CHUNK_SIZE); -+ if (newdata == NULL) { -+ free(data); -+ return -1; -+ } -+ -+ data = newdata; -+ -+ chunk = pam_modutil_read(fd, (char *)data + count * sizeof(struct tally), CHUNK_SIZE); -+ if (chunk < 0) { -+ free(data); -+ return -1; -+ } -+ -+ count += chunk/sizeof(struct tally); -+ -+ if (count >= MAX_RECORDS) -+ break; -+ } -+ while (chunk == CHUNK_SIZE); -+ -+ tallies->records = data; -+ tallies->count = count; -+ -+ return 0; -+} -+ -+int -+update_tally(int fd, struct tally_data *tallies) -+{ -+ void *data = tallies->records; -+ unsigned int count = tallies->count; -+ ssize_t chunk; -+ -+ if (tallies->count > MAX_RECORDS) { -+ data = tallies->records + (count - MAX_RECORDS); -+ count = MAX_RECORDS; -+ } -+ -+ if (lseek(fd, 0, SEEK_SET) == (off_t)-1) { -+ return -1; -+ } -+ -+ chunk = pam_modutil_write(fd, data, count * sizeof(struct tally)); -+ -+ if (chunk != (ssize_t)(count * sizeof(struct tally))) { -+ return -1; -+ } -+ -+ if (ftruncate(fd, count * sizeof(struct tally)) == -1) -+ return -1; -+ -+ return 0; -+} -diff -up Linux-PAM-1.1.1/modules/pam_faillock/faillock.h.faillock Linux-PAM-1.1.1/modules/pam_faillock/faillock.h ---- Linux-PAM-1.1.1/modules/pam_faillock/faillock.h.faillock 2010-09-17 15:58:41.000000000 +0200 -+++ Linux-PAM-1.1.1/modules/pam_faillock/faillock.h 2010-09-17 15:58:41.000000000 +0200 -@@ -0,0 +1,72 @@ -+/* -+ * Copyright (c) 2010 Tomas Mraz <tmraz@redhat.com> -+ * -+ * Redistribution and use in source and binary forms, with or without -+ * modification, are permitted provided that the following conditions -+ * are met: -+ * 1. Redistributions of source code must retain the above copyright -+ * notice, and the entire permission notice in its entirety, -+ * including the disclaimer of warranties. -+ * 2. Redistributions in binary form must reproduce the above copyright -+ * notice, this list of conditions and the following disclaimer in the -+ * documentation and/or other materials provided with the distribution. -+ * 3. The name of the author may not be used to endorse or promote -+ * products derived from this software without specific prior -+ * written permission. -+ * -+ * ALTERNATIVELY, this product may be distributed under the terms of -+ * the GNU Public License, in which case the provisions of the GPL are -+ * required INSTEAD OF the above restrictions. (This clause is -+ * necessary due to a potential bad interaction between the GPL and -+ * the restrictions contained in a BSD-style copyright.) -+ * -+ * THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED -+ * WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES -+ * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE -+ * DISCLAIMED. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, -+ * INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES -+ * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR -+ * SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) -+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, -+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) -+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED -+ * OF THE POSSIBILITY OF SUCH DAMAGE. -+ */ -+ -+/* -+ * faillock.h - authentication failure data file record structure -+ * -+ * Each record in the file represents an instance of login failure of -+ * the user at the recorded time -+ */ -+ -+ -+#ifndef _FAILLOCK_H -+#define _FAILLOCK_H -+ -+#include <stdint.h> -+ -+#define TALLY_STATUS_VALID 0x1 /* the tally file entry is valid */ -+#define TALLY_STATUS_RHOST 0x2 /* the source is rhost */ -+#define TALLY_STATUS_TTY 0x4 /* the source is tty - if both TALLY_FLAG_RHOST and TALLY_FLAG_TTY are not set the source is service */ -+ -+struct tally { -+ char source[52]; /* rhost or tty of the login failure (not necessarily NULL terminated) */ -+ uint16_t reserved; /* reserved for future use */ -+ uint16_t status; /* record status */ -+ uint64_t time; /* time of the login failure */ -+}; -+/* 64 bytes per entry */ -+ -+struct tally_data { -+ struct tally *records; /* array of tallies */ -+ unsigned int count; /* number of records */ -+}; -+ -+#define FAILLOCK_DEFAULT_TALLYDIR "/var/run/faillock" -+ -+int open_tally(const char *dir, const char *user, int create); -+int read_tally(int fd, struct tally_data *tallies); -+int update_tally(int fd, struct tally_data *tallies); -+#endif -+ -diff -up Linux-PAM-1.1.1/modules/pam_faillock/faillock.8.xml.faillock Linux-PAM-1.1.1/modules/pam_faillock/faillock.8.xml ---- Linux-PAM-1.1.1/modules/pam_faillock/faillock.8.xml.faillock 2010-09-17 15:58:41.000000000 +0200 -+++ Linux-PAM-1.1.1/modules/pam_faillock/faillock.8.xml 2010-09-17 15:58:41.000000000 +0200 -@@ -0,0 +1,123 @@ -+<?xml version="1.0" encoding='UTF-8'?> -+<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.3//EN" -+ "http://www.oasis-open.org/docbook/xml/4.3/docbookx.dtd"> -+ -+<refentry id="faillock"> -+ -+ <refmeta> -+ <refentrytitle>faillock</refentrytitle> -+ <manvolnum>8</manvolnum> -+ <refmiscinfo class="sectdesc">Linux-PAM Manual</refmiscinfo> -+ </refmeta> -+ -+ <refnamediv id="pam_faillock-name"> -+ <refname>faillock</refname> -+ <refpurpose>Tool for displaying and modifying the authentication failure record files</refpurpose> -+ </refnamediv> -+ -+ <refsynopsisdiv> -+ <cmdsynopsis id="faillock-cmdsynopsis"> -+ <command>faillock</command> -+ <arg choice="opt"> -+ --dir <replaceable>/path/to/tally-directory</replaceable> -+ </arg> -+ <arg choice="opt"> -+ --user <replaceable>username</replaceable> -+ </arg> -+ <arg choice="opt"> -+ --reset -+ </arg> -+ </cmdsynopsis> -+ </refsynopsisdiv> -+ -+ <refsect1 id="faillock-description"> -+ -+ <title>DESCRIPTION</title> -+ -+ <para> -+ The <emphasis>pam_faillock.so</emphasis> module maintains a list of -+ failed authentication attempts per user during a specified interval -+ and locks the account in case there were more than -+ <replaceable>deny</replaceable> consecutive failed authentications. -+ It stores the failure records into per-user files in the tally -+ directory. -+ </para> -+ <para> -+ The <command>faillock</command> command is an application which -+ can be used to examine and modify the contents of the -+ the tally files. It can display the recent failed authentication -+ attempts of the <replaceable>username</replaceable> or clear the tally -+ files of all or individual <replaceable>usernames</replaceable>. -+ </para> -+ </refsect1> -+ -+ <refsect1 id="faillock-options"> -+ -+ <title>OPTIONS</title> -+ <variablelist> -+ <varlistentry> -+ <term> -+ <option>--dir <replaceable>/path/to/tally-directory</replaceable></option> -+ </term> -+ <listitem> -+ <para> -+ The directory where the user files with the failure records are kept. The -+ default is <filename>/var/run/faillock</filename>. -+ </para> -+ </listitem> -+ </varlistentry> -+ <varlistentry> -+ <term> -+ <option>--user <replaceable>username</replaceable></option> -+ </term> -+ <listitem> -+ <para> -+ The user whose failure records should be displayed or cleared. -+ </para> -+ </listitem> -+ </varlistentry> -+ <varlistentry> -+ <term> -+ <option>--reset</option> -+ </term> -+ <listitem> -+ <para> -+ Instead of displaying the user's failure records, clear them. -+ </para> -+ </listitem> -+ </varlistentry> -+ </variablelist> -+ </refsect1> -+ -+ <refsect1 id="faillock-files"> -+ <title>FILES</title> -+ <variablelist> -+ <varlistentry> -+ <term><filename>/var/run/faillock/*</filename></term> -+ <listitem> -+ <para>the files logging the authentication failures for users</para> -+ </listitem> -+ </varlistentry> -+ </variablelist> -+ </refsect1> -+ -+ <refsect1 id='faillock-see_also'> -+ <title>SEE ALSO</title> -+ <para> -+ <citerefentry> -+ <refentrytitle>pam_faillock</refentrytitle><manvolnum>8</manvolnum> -+ </citerefentry>, -+ <citerefentry> -+ <refentrytitle>pam</refentrytitle><manvolnum>8</manvolnum> -+ </citerefentry> -+ </para> -+ </refsect1> -+ -+ <refsect1 id='faillock-author'> -+ <title>AUTHOR</title> -+ <para> -+ faillock was written by Tomas Mraz. -+ </para> -+ </refsect1> -+ -+</refentry> -diff -up Linux-PAM-1.1.1/modules/pam_faillock/main.c.faillock Linux-PAM-1.1.1/modules/pam_faillock/main.c ---- Linux-PAM-1.1.1/modules/pam_faillock/main.c.faillock 2010-09-17 15:58:41.000000000 +0200 -+++ Linux-PAM-1.1.1/modules/pam_faillock/main.c 2010-09-17 15:58:41.000000000 +0200 -@@ -0,0 +1,231 @@ -+/* -+ * Copyright (c) 2010 Tomas Mraz <tmraz@redhat.com> -+ * -+ * Redistribution and use in source and binary forms, with or without -+ * modification, are permitted provided that the following conditions -+ * are met: -+ * 1. Redistributions of source code must retain the above copyright -+ * notice, and the entire permission notice in its entirety, -+ * including the disclaimer of warranties. -+ * 2. Redistributions in binary form must reproduce the above copyright -+ * notice, this list of conditions and the following disclaimer in the -+ * documentation and/or other materials provided with the distribution. -+ * 3. The name of the author may not be used to endorse or promote -+ * products derived from this software without specific prior -+ * written permission. -+ * -+ * ALTERNATIVELY, this product may be distributed under the terms of -+ * the GNU Public License, in which case the provisions of the GPL are -+ * required INSTEAD OF the above restrictions. (This clause is -+ * necessary due to a potential bad interaction between the GPL and -+ * the restrictions contained in a BSD-style copyright.) -+ * -+ * THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED -+ * WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES -+ * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE -+ * DISCLAIMED. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, -+ * INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES -+ * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR -+ * SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) -+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, -+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) -+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED -+ * OF THE POSSIBILITY OF SUCH DAMAGE. -+ */ -+ -+#include "config.h" -+ -+#include <stdio.h> -+#include <stdlib.h> -+#include <string.h> -+#include <dirent.h> -+#include <errno.h> -+#include <pwd.h> -+#include <time.h> -+#ifdef HAVE_LIBAUDIT -+#include <libaudit.h> -+#endif -+ -+#include "faillock.h" -+ -+struct options { -+ unsigned int reset; -+ const char *dir; -+ const char *user; -+ const char *progname; -+}; -+ -+static int -+args_parse(int argc, char **argv, struct options *opts) -+{ -+ int i; -+ memset(opts, 0, sizeof(*opts)); -+ -+ opts->dir = FAILLOCK_DEFAULT_TALLYDIR; -+ opts->progname = argv[0]; -+ -+ for (i = 1; i < argc; ++i) { -+ -+ if (strcmp(argv[i], "--dir") == 0) { -+ ++i; -+ if (i >= argc || strlen(argv[i]) == 0) { -+ fprintf(stderr, "%s: No directory supplied.\n", argv[0]); -+ return -1; -+ } -+ opts->dir = argv[i]; -+ } -+ else if (strcmp(argv[i], "--user") == 0) { -+ ++i; -+ if (i >= argc || strlen(argv[i]) == 0) { -+ fprintf(stderr, "%s: No user name supplied.\n", argv[0]); -+ return -1; -+ } -+ opts->user = argv[i]; -+ } -+ else if (strcmp(argv[i], "--reset") == 0) { -+ opts->reset = 1; -+ } -+ else { -+ fprintf(stderr, "%s: Unknown option: %s\n", argv[0], argv[i]); -+ return -1; -+ } -+ } -+ return 0; -+} -+ -+static void -+usage(const char *progname) -+{ -+ fprintf(stderr, _("Usage: %s [--dir /path/to/tally-directory] [--user username] [--reset]\n"), -+ progname); -+} -+ -+static int -+do_user(struct options *opts, const char *user) -+{ -+ int fd; -+ int rv; -+ struct tally_data tallies; -+ -+ fd = open_tally(opts->dir, user, 0); -+ -+ if (fd == -1) { -+ if (errno == ENOENT) { -+ return 0; -+ } -+ else { -+ fprintf(stderr, "%s: Error opening the tally file for %s:", -+ opts->progname, user); -+ perror(NULL); -+ return 3; -+ } -+ } -+ if (opts->reset) { -+#ifdef HAVE_LIBAUDIT -+ char buf[64]; -+ int audit_fd; -+#endif -+ -+ while ((rv=ftruncate(fd, 0)) == -1 && errno == EINTR); -+ if (rv == -1) { -+ fprintf(stderr, "%s: Error clearing the tally file for %s:", -+ opts->progname, user); -+ perror(NULL); -+#ifdef HAVE_LIBAUDIT -+ } -+ if ((audit_fd=audit_open()) >= 0) { -+ struct passwd *pwd; -+ -+ if ((pwd=getpwnam(user)) != NULL) { -+ snprintf(buf, sizeof(buf), "faillock reset uid=%u", -+ pwd->pw_uid); -+ audit_log_user_message(audit_fd, AUDIT_USER_ACCT, -+ buf, NULL, NULL, NULL, rv == 0); -+ } -+ close(audit_fd); -+ } -+ if (rv == -1) { -+#endif -+ close(fd); -+ return 4; -+ } -+ } -+ else { -+ unsigned int i; -+ -+ memset(&tallies, 0, sizeof(tallies)); -+ if ((rv=read_tally(fd, &tallies)) == -1) { -+ fprintf(stderr, "%s: Error reading the tally file for %s:", -+ opts->progname, user); -+ perror(NULL); -+ close(fd); -+ return 5; -+ } -+ -+ printf("%s:\n", user); -+ printf("%-19s %-5s %-48s %-5s\n", "When", "Type", "Source", "Valid"); -+ -+ for (i = 0; i < tallies.count; i++) { -+ struct tm *tm; -+ char timebuf[80]; -+ uint16_t status = tallies.records[i].status; -+ time_t when = tallies.records[i].time; -+ -+ tm = localtime(&when); -+ strftime(timebuf, sizeof(timebuf), "%Y-%m-%d %H:%M:%S", tm); -+ printf("%-19s %-5s %-52.52s %s\n", timebuf, -+ status & TALLY_STATUS_RHOST ? "RHOST" : (status & TALLY_STATUS_TTY ? "TTY" : "SVC"), -+ tallies.records[i].source, status & TALLY_STATUS_VALID ? "V":"I"); -+ } -+ free(tallies.records); -+ } -+ close(fd); -+ return 0; -+} -+ -+static int -+do_allusers(struct options *opts) -+{ -+ struct dirent **userlist; -+ int rv, i; -+ -+ rv = scandir(opts->dir, &userlist, NULL, alphasort); -+ if (rv < 0) { -+ fprintf(stderr, "%s: Error reading tally directory: ", opts->progname); -+ perror(NULL); -+ return 2; -+ } -+ -+ for (i = 0; i < rv; i++) { -+ if (userlist[i]->d_name[0] == '.') { -+ if ((userlist[i]->d_name[1] == '.' && userlist[i]->d_name[2] == '\0') || -+ userlist[i]->d_name[1] == '\0') -+ continue; -+ } -+ do_user(opts, userlist[i]->d_name); -+ free(userlist[i]); -+ } -+ free(userlist); -+ -+ return 0; -+} -+ -+ -+/*-----------------------------------------------------------------------*/ -+int -+main (int argc, char *argv[]) -+{ -+ struct options opts; -+ -+ if (args_parse(argc, argv, &opts)) { -+ usage(argv[0]); -+ return 1; -+ } -+ -+ if (opts.user == NULL) { -+ return do_allusers(&opts); -+ } -+ -+ return do_user(&opts, opts.user); -+} -+ -diff -up Linux-PAM-1.1.1/modules/pam_faillock/Makefile.am.faillock Linux-PAM-1.1.1/modules/pam_faillock/Makefile.am ---- Linux-PAM-1.1.1/modules/pam_faillock/Makefile.am.faillock 2010-09-17 15:58:41.000000000 +0200 -+++ Linux-PAM-1.1.1/modules/pam_faillock/Makefile.am 2010-09-17 15:58:41.000000000 +0200 -@@ -0,0 +1,43 @@ -+# -+# Copyright (c) 2005, 2006, 2007, 2009 Thorsten Kukuk <kukuk@thkukuk.de> -+# Copyright (c) 2008 Red Hat, Inc. -+# Copyright (c) 2010 Tomas Mraz <tmraz@redhat.com> -+# -+ -+CLEANFILES = *~ -+MAINTAINERCLEANFILES = $(MANS) README -+ -+EXTRA_DIST = README $(MANS) $(XMLS) tst-pam_faillock -+ -+man_MANS = pam_faillock.8 faillock.8 -+XMLS = README.xml pam_faillock.8.xml faillock.8.xml -+ -+TESTS = tst-pam_faillock -+ -+securelibdir = $(SECUREDIR) -+secureconfdir = $(SCONFIGDIR) -+ -+noinst_HEADERS = faillock.h -+ -+faillock_CFLAGS = -I$(top_srcdir)/libpam/include -I$(top_srcdir)/libpamc/include -+pam_faillock_la_CFLAGS = -I$(top_srcdir)/libpam/include -I$(top_srcdir)/libpamc/include -+ -+pam_faillock_la_LDFLAGS = -no-undefined -avoid-version -module -+pam_faillock_la_LIBADD = -L$(top_builddir)/libpam -lpam $(LIBAUDIT) -+if HAVE_VERSIONING -+ pam_faillock_la_LDFLAGS += -Wl,--version-script=$(srcdir)/../modules.map -+endif -+ -+faillock_LDADD = -L$(top_builddir)/libpam -lpam $(LIBAUDIT) -+ -+securelib_LTLIBRARIES = pam_faillock.la -+sbin_PROGRAMS = faillock -+ -+pam_faillock_la_SOURCES = pam_faillock.c faillock.c -+faillock_SOURCES = main.c faillock.c -+ -+if ENABLE_REGENERATE_MAN -+noinst_DATA = README -+README: pam_faillock.8.xml -+-include $(top_srcdir)/Make.xml.rules -+endif -diff -up Linux-PAM-1.1.1/modules/pam_faillock/pam_faillock.c.faillock Linux-PAM-1.1.1/modules/pam_faillock/pam_faillock.c ---- Linux-PAM-1.1.1/modules/pam_faillock/pam_faillock.c.faillock 2010-09-17 15:58:41.000000000 +0200 -+++ Linux-PAM-1.1.1/modules/pam_faillock/pam_faillock.c 2010-09-17 15:58:41.000000000 +0200 -@@ -0,0 +1,550 @@ -+/* -+ * Copyright (c) 2010 Tomas Mraz <tmraz@redhat.com> -+ * -+ * Redistribution and use in source and binary forms, with or without -+ * modification, are permitted provided that the following conditions -+ * are met: -+ * 1. Redistributions of source code must retain the above copyright -+ * notice, and the entire permission notice in its entirety, -+ * including the disclaimer of warranties. -+ * 2. Redistributions in binary form must reproduce the above copyright -+ * notice, this list of conditions and the following disclaimer in the -+ * documentation and/or other materials provided with the distribution. -+ * 3. The name of the author may not be used to endorse or promote -+ * products derived from this software without specific prior -+ * written permission. -+ * -+ * ALTERNATIVELY, this product may be distributed under the terms of -+ * the GNU Public License, in which case the provisions of the GPL are -+ * required INSTEAD OF the above restrictions. (This clause is -+ * necessary due to a potential bad interaction between the GPL and -+ * the restrictions contained in a BSD-style copyright.) -+ * -+ * THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED -+ * WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES -+ * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE -+ * DISCLAIMED. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, -+ * INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES -+ * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR -+ * SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) -+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, -+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) -+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED -+ * OF THE POSSIBILITY OF SUCH DAMAGE. -+ */ -+ -+#include "config.h" -+#include <stdio.h> -+#include <string.h> -+#include <unistd.h> -+#include <stdint.h> -+#include <stdlib.h> -+#include <errno.h> -+#include <time.h> -+#include <pwd.h> -+#include <syslog.h> -+ -+#ifdef HAVE_LIBAUDIT -+#include <libaudit.h> -+#endif -+ -+#include <security/pam_modules.h> -+#include <security/pam_modutil.h> -+#include <security/pam_ext.h> -+ -+#include "faillock.h" -+ -+#define PAM_SM_AUTH -+#define PAM_SM_ACCOUNT -+ -+#define FAILLOCK_ACTION_PREAUTH 0 -+#define FAILLOCK_ACTION_AUTHSUCC 1 -+#define FAILLOCK_ACTION_AUTHFAIL 2 -+ -+#define FAILLOCK_FLAG_DENY_ROOT 0x1 -+#define FAILLOCK_FLAG_AUDIT 0x2 -+#define FAILLOCK_FLAG_SILENT 0x4 -+#define FAILLOCK_FLAG_NO_LOG_INFO 0x8 -+#define FAILLOCK_FLAG_UNLOCKED 0x10 -+ -+#define MAX_TIME_INTERVAL 604800 /* 7 days */ -+ -+struct options { -+ unsigned int action; -+ unsigned int flags; -+ unsigned short deny; -+ unsigned int fail_interval; -+ unsigned int unlock_time; -+ unsigned int root_unlock_time; -+ const char *dir; -+ const char *user; -+ int failures; -+ uint64_t latest_time; -+ uid_t uid; -+ uint64_t now; -+}; -+ -+static void -+args_parse(pam_handle_t *pamh, int argc, const char **argv, -+ int flags, struct options *opts) -+{ -+ int i; -+ memset(opts, 0, sizeof(*opts)); -+ -+ opts->dir = FAILLOCK_DEFAULT_TALLYDIR; -+ opts->deny = 3; -+ opts->fail_interval = 900; -+ opts->unlock_time = 600; -+ opts->root_unlock_time = MAX_TIME_INTERVAL+1; -+ -+ for (i = 0; i < argc; ++i) { -+ -+ if (strncmp(argv[i], "dir=", 4) == 0) { -+ if (argv[i][4] != '/') { -+ pam_syslog(pamh, LOG_ERR, -+ "Tally directory is not absolute path (%s); keeping default", argv[i]); -+ } else { -+ opts->dir = argv[i]+4; -+ } -+ } -+ else if (strncmp(argv[i], "deny=", 5) == 0) { -+ if (sscanf(argv[i]+5, "%hu", &opts->deny) != 1) { -+ pam_syslog(pamh, LOG_ERR, -+ "Bad number supplied for deny argument"); -+ } -+ } -+ else if (strncmp(argv[i], "fail_interval=", 14) == 0) { -+ unsigned int temp; -+ if (sscanf(argv[i]+14, "%u", &temp) != 1 || -+ temp > MAX_TIME_INTERVAL) { -+ pam_syslog(pamh, LOG_ERR, -+ "Bad number supplied for fail_interval argument"); -+ } else { -+ opts->fail_interval = temp; -+ } -+ } -+ else if (strncmp(argv[i], "unlock_time=", 12) == 0) { -+ unsigned int temp; -+ if (sscanf(argv[i]+12, "%u", &temp) != 1 || -+ temp > MAX_TIME_INTERVAL) { -+ pam_syslog(pamh, LOG_ERR, -+ "Bad number supplied for unlock_time argument"); -+ } else { -+ opts->unlock_time = temp; -+ } -+ } -+ else if (strncmp(argv[i], "root_unlock_time=", 17) == 0) { -+ unsigned int temp; -+ if (sscanf(argv[i]+17, "%u", &temp) != 1 || -+ temp > MAX_TIME_INTERVAL) { -+ pam_syslog(pamh, LOG_ERR, -+ "Bad number supplied for root_unlock_time argument"); -+ } else { -+ opts->root_unlock_time = temp; -+ } -+ } -+ else if (strcmp(argv[i], "preauth") == 0) { -+ opts->action = FAILLOCK_ACTION_PREAUTH; -+ } -+ else if (strcmp(argv[i], "authfail") == 0) { -+ opts->action = FAILLOCK_ACTION_AUTHFAIL; -+ } -+ else if (strcmp(argv[i], "authsucc") == 0) { -+ opts->action = FAILLOCK_ACTION_AUTHSUCC; -+ } -+ else if (strcmp(argv[i], "even_deny_root") == 0) { -+ opts->flags |= FAILLOCK_FLAG_DENY_ROOT; -+ } -+ else if (strcmp(argv[i], "audit") == 0) { -+ opts->flags |= FAILLOCK_FLAG_AUDIT; -+ } -+ else if (strcmp(argv[i], "silent") == 0) { -+ opts->flags |= FAILLOCK_FLAG_SILENT; -+ } -+ else if (strcmp(argv[i], "no_log_info") == 0) { -+ opts->flags |= FAILLOCK_FLAG_NO_LOG_INFO; -+ } -+ else { -+ pam_syslog(pamh, LOG_ERR, "Unknown option: %s", argv[i]); -+ } -+ } -+ -+ if (opts->root_unlock_time == MAX_TIME_INTERVAL+1) -+ opts->root_unlock_time = opts->unlock_time; -+ if (flags & PAM_SILENT) -+ opts->flags |= FAILLOCK_FLAG_SILENT; -+} -+ -+static int get_pam_user(pam_handle_t *pamh, struct options *opts) -+{ -+ const char *user; -+ int rv; -+ struct passwd *pwd; -+ -+ if ((rv=pam_get_user(pamh, &user, NULL)) != PAM_SUCCESS) { -+ return rv; -+ } -+ -+ if (*user == '\0') { -+ return PAM_IGNORE; -+ } -+ -+ if ((pwd=pam_modutil_getpwnam(pamh, user)) == NULL) { -+ if (opts->flags & FAILLOCK_FLAG_AUDIT) { -+ pam_syslog(pamh, LOG_ERR, "User unknown: %s", user); -+ } -+ else { -+ pam_syslog(pamh, LOG_ERR, "User unknown"); -+ } -+ return PAM_IGNORE; -+ } -+ opts->user = user; -+ opts->uid = pwd->pw_uid; -+ return PAM_SUCCESS; -+} -+ -+static int -+check_tally(pam_handle_t *pamh, struct options *opts, struct tally_data *tallies, int *fd) -+{ -+ int tfd; -+ unsigned int i; -+ uint64_t latest_time; -+ int failures; -+ -+ opts->now = time(NULL); -+ -+ tfd = open_tally(opts->dir, opts->user, 0); -+ -+ *fd = tfd; -+ -+ if (tfd == -1) { -+ if (errno == EACCES || errno == ENOENT) { -+ return PAM_SUCCESS; -+ } -+ pam_syslog(pamh, LOG_ERR, "Error opening the tally file for %s: %m", opts->user); -+ return PAM_SYSTEM_ERR; -+ } -+ -+ if (read_tally(tfd, tallies) != 0) { -+ pam_syslog(pamh, LOG_ERR, "Error reading the tally file for %s: %m", opts->user); -+ return PAM_SYSTEM_ERR; -+ } -+ -+ if (opts->uid == 0 && !(opts->flags & FAILLOCK_FLAG_DENY_ROOT)) { -+ return PAM_SUCCESS; -+ } -+ -+ latest_time = 0; -+ for(i = 0; i < tallies->count; i++) { -+ if ((tallies->records[i].status & TALLY_STATUS_VALID) && -+ tallies->records[i].time > latest_time) -+ latest_time = tallies->records[i].time; -+ } -+ -+ opts->latest_time = latest_time; -+ -+ failures = 0; -+ for(i = 0; i < tallies->count; i++) { -+ if ((tallies->records[i].status & TALLY_STATUS_VALID) && -+ latest_time - tallies->records[i].time < opts->fail_interval) { -+ ++failures; -+ } -+ } -+ -+ opts->failures = failures; -+ -+ if (opts->uid == 0 && !(opts->flags & FAILLOCK_FLAG_DENY_ROOT)) { -+ return PAM_SUCCESS; -+ } -+ -+ if (opts->deny && failures >= opts->deny) { -+ if ((opts->uid && latest_time + opts->unlock_time < opts->now) || -+ (!opts->uid && latest_time + opts->root_unlock_time < opts->now)) { -+#ifdef HAVE_LIBAUDIT -+ if (opts->action != FAILLOCK_ACTION_PREAUTH) { /* do not audit in preauth */ -+ char buf[64]; -+ int audit_fd; -+ -+ audit_fd = audit_open(); -+ /* If there is an error & audit support is in the kernel report error */ -+ if ((audit_fd < 0) && !(errno == EINVAL || errno == EPROTONOSUPPORT || -+ errno == EAFNOSUPPORT)) -+ return PAM_SYSTEM_ERR; -+ -+ snprintf(buf, sizeof(buf), "pam_faillock uid=%u ", opts->uid); -+ audit_log_user_message(audit_fd, AUDIT_RESP_ACCT_UNLOCK_TIMED, buf, -+ NULL, NULL, NULL, 1); -+ } -+#endif -+ opts->flags |= FAILLOCK_FLAG_UNLOCKED; -+ return PAM_SUCCESS; -+ } -+ return PAM_AUTH_ERR; -+ } -+ return PAM_SUCCESS; -+} -+ -+static void -+reset_tally(pam_handle_t *pamh, struct options *opts, int *fd) -+{ -+ int rv; -+ -+ while ((rv=ftruncate(*fd, 0)) == -1 && errno == EINTR); -+ if (rv == -1) { -+ pam_syslog(pamh, LOG_ERR, "Error clearing the tally file for %s: %m", opts->user); -+ } -+} -+ -+static int -+write_tally(pam_handle_t *pamh, struct options *opts, struct tally_data *tallies, int *fd) -+{ -+ struct tally *records; -+ unsigned int i; -+ int failures; -+ unsigned int oldest; -+ uint64_t oldtime; -+ const void *source = NULL; -+ -+ if (*fd == -1) { -+ *fd = open_tally(opts->dir, opts->user, 1); -+ } -+ if (*fd == -1) { -+ if (errno == EACCES) { -+ return PAM_SUCCESS; -+ } -+ pam_syslog(pamh, LOG_ERR, "Error opening the tally file for %s: %m", opts->user); -+ return PAM_SYSTEM_ERR; -+ } -+ -+ oldtime = 0; -+ oldest = 0; -+ failures = 0; -+ -+ for (i = 0; i < tallies->count; ++i) { -+ if (tallies->records[i].time < oldtime) { -+ oldtime = tallies->records[i].time; -+ oldest = i; -+ } -+ if (opts->flags & FAILLOCK_FLAG_UNLOCKED || -+ opts->now - tallies->records[i].time >= opts->fail_interval ) { -+ tallies->records[i].status &= ~TALLY_STATUS_VALID; -+ } else { -+ ++failures; -+ } -+ } -+ -+ if (oldest >= tallies->count || (tallies->records[oldest].status & TALLY_STATUS_VALID)) { -+ oldest = tallies->count; -+ -+ if ((records=realloc(tallies->records, (oldest+1) * sizeof (*tallies->records))) == NULL) { -+ pam_syslog(pamh, LOG_CRIT, "Error allocating memory for tally records: %m"); -+ return PAM_BUF_ERR; -+ } -+ -+ ++tallies->count; -+ tallies->records = records; -+ } -+ -+ memset(&tallies->records[oldest], 0, sizeof (*tallies->records)); -+ -+ tallies->records[oldest].status = TALLY_STATUS_VALID; -+ if (pam_get_item(pamh, PAM_RHOST, &source) != PAM_SUCCESS || source == NULL) { -+ if (pam_get_item(pamh, PAM_TTY, &source) != PAM_SUCCESS || source == NULL) { -+ if (pam_get_item(pamh, PAM_SERVICE, &source) != PAM_SUCCESS || source == NULL) { -+ source = ""; -+ } -+ } -+ else { -+ tallies->records[oldest].status |= TALLY_STATUS_TTY; -+ } -+ } -+ else { -+ tallies->records[oldest].status |= TALLY_STATUS_RHOST; -+ } -+ -+ strncpy(tallies->records[oldest].source, source, sizeof(tallies->records[oldest].source)); -+ /* source does not have to be null terminated */ -+ -+ tallies->records[oldest].time = opts->now; -+ -+ ++failures; -+ -+ if (opts->deny && failures == opts->deny) { -+#ifdef HAVE_LIBAUDIT -+ char buf[64]; -+ int audit_fd; -+ -+ audit_fd = audit_open(); -+ /* If there is an error & audit support is in the kernel report error */ -+ if ((audit_fd < 0) && !(errno == EINVAL || errno == EPROTONOSUPPORT || -+ errno == EAFNOSUPPORT)) -+ return PAM_SYSTEM_ERR; -+ -+ snprintf(buf, sizeof(buf), "pam_faillock uid=%u ", opts->uid); -+ audit_log_user_message(audit_fd, AUDIT_ANOM_LOGIN_FAILURES, buf, -+ NULL, NULL, NULL, 1); -+ -+ if (opts->uid != 0 || (opts->flags & FAILLOCK_FLAG_DENY_ROOT)) { -+ audit_log_user_message(audit_fd, AUDIT_RESP_ACCT_LOCK, buf, -+ NULL, NULL, NULL, 1); -+ } -+ close(audit_fd); -+#endif -+ if (!(opts->flags & FAILLOCK_FLAG_NO_LOG_INFO)) { -+ pam_syslog(pamh, LOG_INFO, "Consecutive login failures for user %s account temporarily locked", -+ opts->user); -+ } -+ } -+ -+ if (update_tally(*fd, tallies) == 0) -+ return PAM_SUCCESS; -+ -+ return PAM_SYSTEM_ERR; -+} -+ -+static void -+faillock_message(pam_handle_t *pamh, struct options *opts) -+{ -+ int64_t left; -+ -+ if (!(opts->flags & FAILLOCK_FLAG_SILENT)) { -+ if (opts->uid) { -+ left = opts->latest_time + opts->unlock_time - opts->now; -+ } -+ else { -+ left = opts->latest_time + opts->root_unlock_time - opts->now; -+ } -+ -+ left /= 60; /* minutes */ -+ -+ pam_info(pamh, _("Account temporarily locked due to %d failed logins"), -+ opts->failures); -+ pam_info(pamh, _("(%d minutes left to unlock)"), (int)left); -+ } -+} -+ -+static void -+tally_cleanup(struct tally_data *tallies, int fd) -+{ -+ if (fd != -1) { -+ close(fd); -+ } -+ -+ free(tallies->records); -+} -+ -+/*---------------------------------------------------------------------*/ -+ -+PAM_EXTERN int -+pam_sm_authenticate(pam_handle_t *pamh, int flags, -+ int argc, const char **argv) -+{ -+ struct options opts; -+ int rv, fd = -1; -+ struct tally_data tallies; -+ -+ memset(&tallies, 0, sizeof(tallies)); -+ -+ args_parse(pamh, argc, argv, flags, &opts); -+ -+ pam_fail_delay(pamh, 2000000); /* 2 sec delay for on failure */ -+ -+ if ((rv=get_pam_user(pamh, &opts)) != PAM_SUCCESS) { -+ return rv; -+ } -+ -+ switch (opts.action) { -+ case FAILLOCK_ACTION_PREAUTH: -+ rv = check_tally(pamh, &opts, &tallies, &fd); -+ if (rv == PAM_AUTH_ERR && !(opts.flags & FAILLOCK_FLAG_SILENT)) { -+ faillock_message(pamh, &opts); -+ } -+ break; -+ -+ case FAILLOCK_ACTION_AUTHSUCC: -+ rv = check_tally(pamh, &opts, &tallies, &fd); -+ if (rv == PAM_SUCCESS && fd != -1) { -+ reset_tally(pamh, &opts, &fd); -+ } -+ break; -+ -+ case FAILLOCK_ACTION_AUTHFAIL: -+ rv = check_tally(pamh, &opts, &tallies, &fd); -+ if (rv == PAM_SUCCESS) { -+ rv = PAM_IGNORE; /* this return value should be ignored */ -+ write_tally(pamh, &opts, &tallies, &fd); -+ } -+ break; -+ } -+ -+ tally_cleanup(&tallies, fd); -+ -+ return rv; -+} -+ -+/*---------------------------------------------------------------------*/ -+ -+PAM_EXTERN int -+pam_sm_setcred(pam_handle_t *pamh UNUSED, int flags UNUSED, -+ int argc UNUSED, const char **argv UNUSED) -+{ -+ return PAM_SUCCESS; -+} -+ -+/*---------------------------------------------------------------------*/ -+ -+PAM_EXTERN int -+pam_sm_acct_mgmt(pam_handle_t *pamh, int flags, -+ int argc, const char **argv) -+{ -+ struct options opts; -+ int rv, fd = -1; -+ struct tally_data tallies; -+ -+ memset(&tallies, 0, sizeof(tallies)); -+ -+ args_parse(pamh, argc, argv, flags, &opts); -+ -+ opts.action = FAILLOCK_ACTION_AUTHSUCC; -+ -+ if ((rv=get_pam_user(pamh, &opts)) != PAM_SUCCESS) { -+ return rv; -+ } -+ -+ check_tally(pamh, &opts, &tallies, &fd); -+ if (fd != -1) { -+ reset_tally(pamh, &opts, &fd); -+ } -+ -+ tally_cleanup(&tallies, fd); -+ -+ return PAM_SUCCESS; -+} -+ -+/*-----------------------------------------------------------------------*/ -+ -+#ifdef PAM_STATIC -+ -+/* static module data */ -+ -+struct pam_module _pam_faillock_modstruct = { -+ MODULE_NAME, -+#ifdef PAM_SM_AUTH -+ pam_sm_authenticate, -+ pam_sm_setcred, -+#else -+ NULL, -+ NULL, -+#endif -+#ifdef PAM_SM_ACCOUNT -+ pam_sm_acct_mgmt, -+#else -+ NULL, -+#endif -+ NULL, -+ NULL, -+ NULL, -+}; -+ -+#endif /* #ifdef PAM_STATIC */ -+ -diff -up Linux-PAM-1.1.1/modules/pam_faillock/pam_faillock.8.xml.faillock Linux-PAM-1.1.1/modules/pam_faillock/pam_faillock.8.xml ---- Linux-PAM-1.1.1/modules/pam_faillock/pam_faillock.8.xml.faillock 2010-09-17 15:58:41.000000000 +0200 -+++ Linux-PAM-1.1.1/modules/pam_faillock/pam_faillock.8.xml 2010-09-17 15:58:41.000000000 +0200 -@@ -0,0 +1,396 @@ -+<?xml version="1.0" encoding='UTF-8'?> -+<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.3//EN" -+ "http://www.oasis-open.org/docbook/xml/4.3/docbookx.dtd"> -+ -+<refentry id="pam_faillock"> -+ -+ <refmeta> -+ <refentrytitle>pam_faillock</refentrytitle> -+ <manvolnum>8</manvolnum> -+ <refmiscinfo class="sectdesc">Linux-PAM Manual</refmiscinfo> -+ </refmeta> -+ -+ <refnamediv id="pam_faillock-name"> -+ <refname>pam_faillock</refname> -+ <refpurpose>Module counting authentication failures during a specified interval</refpurpose> -+ </refnamediv> -+ -+ <refsynopsisdiv> -+ <cmdsynopsis id="pam_faillock-cmdsynopsisauth"> -+ <command>auth ... pam_faillock.so</command> -+ <arg choice="req"> -+ preauth|authfail|authsucc -+ </arg> -+ <arg choice="opt"> -+ dir=<replaceable>/path/to/tally-directory</replaceable> -+ </arg> -+ <arg choice="opt"> -+ even_deny_root -+ </arg> -+ <arg choice="opt"> -+ deny=<replaceable>n</replaceable> -+ </arg> -+ <arg choice="opt"> -+ fail_interval=<replaceable>n</replaceable> -+ </arg> -+ <arg choice="opt"> -+ unlock_time=<replaceable>n</replaceable> -+ </arg> -+ <arg choice="opt"> -+ root_unlock_time=<replaceable>n</replaceable> -+ </arg> -+ <arg choice="opt"> -+ audit -+ </arg> -+ <arg choice="opt"> -+ silent -+ </arg> -+ <arg choice="opt"> -+ no_log_info -+ </arg> -+ </cmdsynopsis> -+ <cmdsynopsis id="pam_faillock-cmdsynopsisacct"> -+ <command>account ... pam_faillock.so</command> -+ <arg choice="opt"> -+ dir=<replaceable>/path/to/tally-directory</replaceable> -+ </arg> -+ <arg choice="opt"> -+ no_log_info -+ </arg> -+ </cmdsynopsis> -+ </refsynopsisdiv> -+ -+ <refsect1 id="pam_faillock-description"> -+ -+ <title>DESCRIPTION</title> -+ -+ <para> -+ This module maintains a list of failed authentication attempts per -+ user during a specified interval and locks the account in case -+ there were more than <replaceable>deny</replaceable> consecutive -+ failed authentications. -+ </para> -+ <para> -+ Normally, failed attempts to authenticate <emphasis>root</emphasis> will -+ <emphasis remap='B'>not</emphasis> cause the root account to become -+ blocked, to prevent denial-of-service: if your users aren't given -+ shell accounts and root may only login via <command>su</command> or -+ at the machine console (not telnet/rsh, etc), this is safe. -+ </para> -+ </refsect1> -+ -+ <refsect1 id="pam_faillock-options"> -+ -+ <title>OPTIONS</title> -+ <variablelist> -+ <varlistentry> -+ <term> -+ <option>{preauth|authfail|authsucc}</option> -+ </term> -+ <listitem> -+ <para> -+ This argument must be set accordingly to the position of this module -+ instance in the PAM stack. -+ </para> -+ <para> -+ The <emphasis>preauth</emphasis> argument must be used when the module -+ is called before the modules which ask for the user credentials such -+ as the password. The module just examines whether the user should -+ be blocked from accessing the service in case there were anomalous -+ number of failed consecutive authentication attempts recently. This -+ call is optional if <emphasis>authsucc</emphasis> is used. -+ </para> -+ <para> -+ The <emphasis>authfail</emphasis> argument must be used when the module -+ is called after the modules which determine the authentication outcome, -+ failed. Unless the user is already blocked due to previous authentication -+ failures, the module will record the failure into the appropriate user -+ tally file. -+ </para> -+ <para> -+ The <emphasis>authsucc</emphasis> argument must be used when the module -+ is called after the modules which determine the authentication outcome, -+ succeded. Unless the user is already blocked due to previous authentication -+ failures, the module will then clear the record of the failures in the -+ respective user tally file. Otherwise it will return authentication error. -+ If this call is not done, the pam_faillock will not distinguish between -+ consecutive and non-consecutive failed authentication attempts. The -+ <emphasis>preauth</emphasis> call must be used in such case. Due to -+ complications in the way the PAM stack can be configured it is also -+ possible to call <emphasis>pam_faillock</emphasis> as an account module. -+ In such configuration the module must be also called in the -+ <emphasis>preauth</emphasis> stage. -+ </para> -+ </listitem> -+ </varlistentry> -+ <varlistentry> -+ <term> -+ <option>dir=<replaceable>/path/to/tally-directory</replaceable></option> -+ </term> -+ <listitem> -+ <para> -+ The directory where the user files with the failure records are kept. The -+ default is <filename>/var/run/faillock</filename>. -+ </para> -+ </listitem> -+ </varlistentry> -+ <varlistentry> -+ <term> -+ <option>audit</option> -+ </term> -+ <listitem> -+ <para> -+ Will log the user name into the system log if the user is not found. -+ </para> -+ </listitem> -+ </varlistentry> -+ <varlistentry> -+ <term> -+ <option>silent</option> -+ </term> -+ <listitem> -+ <para> -+ Don't print informative messages. This option is implicite -+ in the <emphasis>authfail</emphasis> and <emphasis>authsucc</emphasis> -+ functions. -+ </para> -+ </listitem> -+ </varlistentry> -+ <varlistentry> -+ <term> -+ <option>no_log_info</option> -+ </term> -+ <listitem> -+ <para> -+ Don't log informative messages via <citerefentry><refentrytitle>syslog</refentrytitle><manvolnum>3</manvolnum></citerefentry>. -+ </para> -+ </listitem> -+ </varlistentry> -+ <varlistentry> -+ <term> -+ <option>deny=<replaceable>n</replaceable></option> -+ </term> -+ <listitem> -+ <para> -+ Deny access if the number of consecutive authentication failures -+ for this user during the recent interval exceeds -+ <replaceable>n</replaceable>. The default is 3. -+ </para> -+ </listitem> -+ </varlistentry> -+ <varlistentry> -+ <term> -+ <option>fail_interval=<replaceable>n</replaceable></option> -+ </term> -+ <listitem> -+ <para> -+ The length of the interval during which the consecutive -+ authentication failures must happen for the user account -+ lock out is <replaceable>n</replaceable> seconds. -+ The default is 900 (15 minutes). -+ </para> -+ </listitem> -+ </varlistentry> -+ <varlistentry> -+ <term> -+ <option>unlock_time=<replaceable>n</replaceable></option> -+ </term> -+ <listitem> -+ <para> -+ The access will be reenabled after -+ <replaceable>n</replaceable> seconds after the lock out. -+ The default is 600 (10 minutes). -+ </para> -+ </listitem> -+ </varlistentry> -+ <varlistentry> -+ <term> -+ <option>even_deny_root</option> -+ </term> -+ <listitem> -+ <para> -+ Root account can become locked as well as regular accounts. -+ </para> -+ </listitem> -+ </varlistentry> -+ <varlistentry> -+ <term> -+ <option>root_unlock_time=<replaceable>n</replaceable></option> -+ </term> -+ <listitem> -+ <para> -+ This option implies <option>even_deny_root</option> option. -+ Allow access after <replaceable>n</replaceable> seconds -+ to root account after the account is locked. In case the -+ option is not specified the value is the same as of the -+ <option>unlock_time</option> option. -+ </para> -+ </listitem> -+ </varlistentry> -+ </variablelist> -+ </refsect1> -+ -+ <refsect1 id="pam_faillock-types"> -+ <title>MODULE TYPES PROVIDED</title> -+ <para> -+ The <option>auth</option> and <option>account</option> module types are -+ provided. -+ </para> -+ </refsect1> -+ -+ <refsect1 id='pam_faillock-return_values'> -+ <title>RETURN VALUES</title> -+ <variablelist> -+ <varlistentry> -+ <term>PAM_AUTH_ERR</term> -+ <listitem> -+ <para> -+ A invalid option was given, the module was not able -+ to retrieve the user name, no valid counter file -+ was found, or too many failed logins. -+ </para> -+ </listitem> -+ </varlistentry> -+ <varlistentry> -+ <term>PAM_SUCCESS</term> -+ <listitem> -+ <para> -+ Everything was successful. -+ </para> -+ </listitem> -+ </varlistentry> -+ <varlistentry> -+ <term>PAM_IGNORE</term> -+ <listitem> -+ <para> -+ User not present in passwd database. -+ </para> -+ </listitem> -+ </varlistentry> -+ </variablelist> -+ </refsect1> -+ -+ <refsect1 id='pam_faillock-notes'> -+ <title>NOTES</title> -+ <para> -+ <emphasis>pam_faillock</emphasis> setup in the PAM stack is different -+ from the <emphasis>pam_tally2</emphasis> module setup. -+ </para> -+ <para> -+ There is no setuid wrapper for access to the data file such as when the -+ <emphasis remap='B'>pam_faillock.so</emphasis> module is called from -+ a screensaver. As this would make it impossible to share PAM configuration -+ with such services the following workaround is used: If the data file -+ cannot be opened because of insufficient permissions -+ (<errorcode>EACCES</errorcode>) the module returns -+ <errorcode>PAM_SUCCESS</errorcode>. -+ </para> -+ <para> -+ Note that using the module in <option>preauth</option> without the -+ <option>silent</option> option or with <emphasis>requisite</emphasis> -+ control field leaks an information about existence or -+ non-existence of an user account in the system because -+ the failures are not recorded for the unknown users. The message -+ about the user account being locked is never displayed for nonexisting -+ user accounts allowing the adversary to infer that a particular account -+ is not existing on a system. -+ </para> -+ </refsect1> -+ -+ <refsect1 id='pam_faillock-examples'> -+ <title>EXAMPLES</title> -+ <para> -+ Here are two possible configuration examples for <filename>/etc/pam.d/login</filename>. -+ They make <emphasis>pam_faillock</emphasis> to lock the account after 4 consecutive -+ failed logins during the default interval of 15 minutes. Root account will be locked -+ as well. The accounts will be automatically unlocked after 20 minutes. -+ </para> -+ <para> -+ In the first example the module is called only in the <emphasis>auth</emphasis> -+ phase and the module does not print any information about the account blocking -+ by <emphasis>pam_faillock</emphasis>. The <emphasis>preauth</emphasis> call can -+ be added to tell the user that his login is blocked by the module and also to abort -+ the authentication without even asking for password in such case. -+ </para> -+ <programlisting> -+auth required pam_securetty.so -+auth required pam_env.so -+auth required pam_nologin.so -+# optionally call: auth requisite pam_faillock.so preauth deny=4 even_deny_root unlock_time=1200 -+# to display the message about account being locked -+auth [success=1 default=bad] pam_unix.so -+auth [default=die] pam_faillock.so authfail deny=4 even_deny_root unlock_time=1200 -+auth sufficient pam_faillock.so authsucc deny=4 even_deny_root unlock_time=1200 -+auth required pam_deny.so -+account required pam_unix.so -+password required pam_unix.so shadow -+session required pam_selinux.so close -+session required pam_loginuid.so -+session required pam_unix.so -+session required pam_selinux.so open -+ </programlisting> -+ <para> -+ In the second example the module is called both in the <emphasis>auth</emphasis> -+ and <emphasis>account</emphasis> phases and the module gives the authenticating -+ user message when the account is locked -+ </para> -+ <programlisting> -+auth required pam_securetty.so -+auth required pam_env.so -+auth required pam_nologin.so -+auth required pam_faillock.so preauth silent deny=4 even_deny_root unlock_time=1200 -+# optionally use requisite above if you do not want to prompt for the password -+# on locked accounts, possibly with removing the silent option as well -+auth sufficient pam_unix.so -+auth [default=die] pam_faillock.so authfail deny=4 even_deny_root unlock_time=1200 -+auth required pam_deny.so -+account required pam_faillock.so -+# if you drop the above call to pam_faillock.so the lock will be done also -+# on non-consecutive authentication failures -+account required pam_unix.so -+password required pam_unix.so shadow -+session required pam_selinux.so close -+session required pam_loginuid.so -+session required pam_unix.so -+session required pam_selinux.so open -+ </programlisting> -+ </refsect1> -+ -+ <refsect1 id="pam_faillock-files"> -+ <title>FILES</title> -+ <variablelist> -+ <varlistentry> -+ <term><filename>/var/run/faillock/*</filename></term> -+ <listitem> -+ <para>the files logging the authentication failures for users</para> -+ </listitem> -+ </varlistentry> -+ </variablelist> -+ </refsect1> -+ -+ <refsect1 id='pam_faillock-see_also'> -+ <title>SEE ALSO</title> -+ <para> -+ <citerefentry> -+ <refentrytitle>faillock</refentrytitle><manvolnum>8</manvolnum> -+ </citerefentry>, -+ <citerefentry> -+ <refentrytitle>pam.conf</refentrytitle><manvolnum>5</manvolnum> -+ </citerefentry>, -+ <citerefentry> -+ <refentrytitle>pam.d</refentrytitle><manvolnum>5</manvolnum> -+ </citerefentry>, -+ <citerefentry> -+ <refentrytitle>pam</refentrytitle><manvolnum>8</manvolnum> -+ </citerefentry> -+ </para> -+ </refsect1> -+ -+ <refsect1 id='pam_faillock-author'> -+ <title>AUTHOR</title> -+ <para> -+ pam_faillock was written by Tomas Mraz. -+ </para> -+ </refsect1> -+ -+</refentry> -diff -up Linux-PAM-1.1.1/modules/pam_faillock/README.xml.faillock Linux-PAM-1.1.1/modules/pam_faillock/README.xml ---- Linux-PAM-1.1.1/modules/pam_faillock/README.xml.faillock 2010-09-17 15:58:41.000000000 +0200 -+++ Linux-PAM-1.1.1/modules/pam_faillock/README.xml 2010-09-17 15:58:41.000000000 +0200 -@@ -0,0 +1,46 @@ -+<?xml version="1.0" encoding='UTF-8'?> -+<!DOCTYPE article PUBLIC "-//OASIS//DTD DocBook XML V4.3//EN" -+"http://www.docbook.org/xml/4.3/docbookx.dtd" -+[ -+<!-- -+<!ENTITY pamaccess SYSTEM "pam_faillock.8.xml"> -+--> -+]> -+ -+<article> -+ -+ <articleinfo> -+ -+ <title> -+ <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" -+ href="pam_faillock.8.xml" xpointer='xpointer(//refnamediv[@id = "pam_faillock-name"]/*)'/> -+ </title> -+ -+ </articleinfo> -+ -+ <section> -+ <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" -+ href="pam_faillock.8.xml" xpointer='xpointer(//refsect1[@id = "pam_faillock-description"]/*)'/> -+ </section> -+ -+ <section> -+ <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" -+ href="pam_faillock.8.xml" xpointer='xpointer(//refsect1[@id = "pam_faillock-options"]/*)'/> -+ </section> -+ -+ <section> -+ <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" -+ href="pam_faillock.8.xml" xpointer='xpointer(//refsect1[@id = "pam_faillock-notes"]/*)'/> -+ </section> -+ -+ <section> -+ <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" -+ href="pam_faillock.8.xml" xpointer='xpointer(//refsect1[@id = "pam_faillock-examples"]/*)'/> -+ </section> -+ -+ <section> -+ <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" -+ href="pam_faillock.8.xml" xpointer='xpointer(//refsect1[@id = "pam_faillock-author"]/*)'/> -+ </section> -+ -+</article> -diff -up Linux-PAM-1.1.1/modules/pam_faillock/tst-pam_faillock.faillock Linux-PAM-1.1.1/modules/pam_faillock/tst-pam_faillock ---- Linux-PAM-1.1.1/modules/pam_faillock/tst-pam_faillock.faillock 2010-09-17 15:58:41.000000000 +0200 -+++ Linux-PAM-1.1.1/modules/pam_faillock/tst-pam_faillock 2010-09-17 15:58:41.000000000 +0200 -@@ -0,0 +1,2 @@ -+#!/bin/sh -+../../tests/tst-dlopen .libs/pam_faillock.so diff --git a/extra/source/pam/patches/pam-1.1.2-noflex.patch b/extra/source/pam/patches/pam-1.1.2-noflex.patch deleted file mode 100644 index fc965559b..000000000 --- a/extra/source/pam/patches/pam-1.1.2-noflex.patch +++ /dev/null @@ -1,27 +0,0 @@ -diff -up Linux-PAM-1.1.2/doc/Makefile.am.noflex Linux-PAM-1.1.2/doc/Makefile.am ---- Linux-PAM-1.1.2/doc/Makefile.am.noflex 2008-02-04 16:05:51.000000000 +0100 -+++ Linux-PAM-1.1.2/doc/Makefile.am 2010-09-20 10:40:59.000000000 +0200 -@@ -2,7 +2,7 @@ - # Copyright (c) 2005, 2006 Thorsten Kukuk <kukuk@suse.de> - # - --SUBDIRS = man specs sag adg mwg -+SUBDIRS = man sag adg mwg - - CLEANFILES = *~ - -diff -up Linux-PAM-1.1.2/Makefile.am.noflex Linux-PAM-1.1.2/Makefile.am ---- Linux-PAM-1.1.2/Makefile.am.noflex 2010-07-08 14:04:19.000000000 +0200 -+++ Linux-PAM-1.1.2/Makefile.am 2010-09-20 10:04:56.000000000 +0200 -@@ -5,9 +5,9 @@ - AUTOMAKE_OPTIONS = 1.9 gnu dist-bzip2 check-news - - if STATIC_MODULES --SUBDIRS = modules libpam libpamc libpam_misc tests po conf doc examples xtests -+SUBDIRS = modules libpam libpamc libpam_misc tests po doc examples xtests - else --SUBDIRS = libpam tests libpamc libpam_misc modules po conf doc examples xtests -+SUBDIRS = libpam tests libpamc libpam_misc modules po doc examples xtests - endif - - CLEANFILES = *~ diff --git a/extra/source/pam/patches/pam-1.1.3-faillock-screensaver.patch b/extra/source/pam/patches/pam-1.1.3-faillock-screensaver.patch deleted file mode 100644 index 249d2850c..000000000 --- a/extra/source/pam/patches/pam-1.1.3-faillock-screensaver.patch +++ /dev/null @@ -1,167 +0,0 @@ -diff -up Linux-PAM-1.1.3/modules/pam_faillock/faillock.c.screensaver Linux-PAM-1.1.3/modules/pam_faillock/faillock.c ---- Linux-PAM-1.1.3/modules/pam_faillock/faillock.c.screensaver 2010-11-10 11:46:07.000000000 +0100 -+++ Linux-PAM-1.1.3/modules/pam_faillock/faillock.c 2010-11-10 11:46:07.000000000 +0100 -@@ -41,13 +41,14 @@ - #include <sys/types.h> - #include <sys/stat.h> - #include <sys/file.h> -+#include <sys/stat.h> - #include <fcntl.h> - #include <security/pam_modutil.h> - - #include "faillock.h" - - int --open_tally (const char *dir, const char *user, int create) -+open_tally (const char *dir, const char *user, uid_t uid, int create) - { - char *path; - int flags = O_RDWR; -@@ -69,8 +70,18 @@ open_tally (const char *dir, const char - - fd = open(path, flags, 0600); - -- if (fd != -1) -+ free(path); -+ -+ if (fd != -1) { -+ struct stat st; -+ - while (flock(fd, LOCK_EX) == -1 && errno == EINTR); -+ if (fstat(fd, &st) == 0) { -+ if (st.st_uid != uid) { -+ fchown(fd, uid, -1); -+ } -+ } -+ } - - return fd; - } -diff -up Linux-PAM-1.1.3/modules/pam_faillock/faillock.h.screensaver Linux-PAM-1.1.3/modules/pam_faillock/faillock.h ---- Linux-PAM-1.1.3/modules/pam_faillock/faillock.h.screensaver 2010-11-10 11:46:07.000000000 +0100 -+++ Linux-PAM-1.1.3/modules/pam_faillock/faillock.h 2010-11-10 11:46:07.000000000 +0100 -@@ -45,6 +45,7 @@ - #define _FAILLOCK_H - - #include <stdint.h> -+#include <sys/types.h> - - #define TALLY_STATUS_VALID 0x1 /* the tally file entry is valid */ - #define TALLY_STATUS_RHOST 0x2 /* the source is rhost */ -@@ -65,7 +66,7 @@ struct tally_data { - - #define FAILLOCK_DEFAULT_TALLYDIR "/var/run/faillock" - --int open_tally(const char *dir, const char *user, int create); -+int open_tally(const char *dir, const char *user, uid_t uid, int create); - int read_tally(int fd, struct tally_data *tallies); - int update_tally(int fd, struct tally_data *tallies); - #endif -diff -up Linux-PAM-1.1.3/modules/pam_faillock/main.c.screensaver Linux-PAM-1.1.3/modules/pam_faillock/main.c ---- Linux-PAM-1.1.3/modules/pam_faillock/main.c.screensaver 2010-11-10 11:46:07.000000000 +0100 -+++ Linux-PAM-1.1.3/modules/pam_faillock/main.c 2010-11-10 11:46:07.000000000 +0100 -@@ -106,8 +106,11 @@ do_user(struct options *opts, const char - int fd; - int rv; - struct tally_data tallies; -+ struct passwd *pwd; - -- fd = open_tally(opts->dir, user, 0); -+ pwd = getpwnam(user); -+ -+ fd = open_tally(opts->dir, user, pwd != NULL ? pwd->pw_uid : 0, 0); - - if (fd == -1) { - if (errno == ENOENT) { -@@ -134,9 +137,8 @@ do_user(struct options *opts, const char - #ifdef HAVE_LIBAUDIT - } - if ((audit_fd=audit_open()) >= 0) { -- struct passwd *pwd; - -- if ((pwd=getpwnam(user)) != NULL) { -+ if (pwd != NULL) { - snprintf(buf, sizeof(buf), "faillock reset uid=%u", - pwd->pw_uid); - audit_log_user_message(audit_fd, AUDIT_USER_ACCT, -diff -up Linux-PAM-1.1.3/modules/pam_faillock/pam_faillock.c.screensaver Linux-PAM-1.1.3/modules/pam_faillock/pam_faillock.c ---- Linux-PAM-1.1.3/modules/pam_faillock/pam_faillock.c.screensaver 2010-11-10 11:46:07.000000000 +0100 -+++ Linux-PAM-1.1.3/modules/pam_faillock/pam_faillock.c 2010-11-10 11:46:07.000000000 +0100 -@@ -213,7 +213,7 @@ check_tally(pam_handle_t *pamh, struct o - - opts->now = time(NULL); - -- tfd = open_tally(opts->dir, opts->user, 0); -+ tfd = open_tally(opts->dir, opts->user, opts->uid, 0); - - *fd = tfd; - -@@ -289,9 +289,14 @@ reset_tally(pam_handle_t *pamh, struct o - { - int rv; - -- while ((rv=ftruncate(*fd, 0)) == -1 && errno == EINTR); -- if (rv == -1) { -- pam_syslog(pamh, LOG_ERR, "Error clearing the tally file for %s: %m", opts->user); -+ if (*fd == -1) { -+ *fd = open_tally(opts->dir, opts->user, opts->uid, 1); -+ } -+ else { -+ while ((rv=ftruncate(*fd, 0)) == -1 && errno == EINTR); -+ if (rv == -1) { -+ pam_syslog(pamh, LOG_ERR, "Error clearing the tally file for %s: %m", opts->user); -+ } - } - } - -@@ -306,7 +311,7 @@ write_tally(pam_handle_t *pamh, struct o - const void *source = NULL; - - if (*fd == -1) { -- *fd = open_tally(opts->dir, opts->user, 1); -+ *fd = open_tally(opts->dir, opts->user, opts->uid, 1); - } - if (*fd == -1) { - if (errno == EACCES) { -@@ -463,7 +468,7 @@ pam_sm_authenticate(pam_handle_t *pamh, - - case FAILLOCK_ACTION_AUTHSUCC: - rv = check_tally(pamh, &opts, &tallies, &fd); -- if (rv == PAM_SUCCESS && fd != -1) { -+ if (rv == PAM_SUCCESS) { - reset_tally(pamh, &opts, &fd); - } - break; -@@ -511,10 +516,8 @@ pam_sm_acct_mgmt(pam_handle_t *pamh, int - return rv; - } - -- check_tally(pamh, &opts, &tallies, &fd); -- if (fd != -1) { -- reset_tally(pamh, &opts, &fd); -- } -+ check_tally(pamh, &opts, &tallies, &fd); /* for auditing */ -+ reset_tally(pamh, &opts, &fd); - - tally_cleanup(&tallies, fd); - -diff -up Linux-PAM-1.1.3/modules/pam_faillock/pam_faillock.8.xml.screensaver Linux-PAM-1.1.3/modules/pam_faillock/pam_faillock.8.xml ---- Linux-PAM-1.1.3/modules/pam_faillock/pam_faillock.8.xml.screensaver 2010-11-10 11:46:07.000000000 +0100 -+++ Linux-PAM-1.1.3/modules/pam_faillock/pam_faillock.8.xml 2010-11-10 11:47:14.000000000 +0100 -@@ -277,13 +277,9 @@ - from the <emphasis>pam_tally2</emphasis> module setup. - </para> - <para> -- There is no setuid wrapper for access to the data file such as when the -- <emphasis remap='B'>pam_faillock.so</emphasis> module is called from -- a screensaver. As this would make it impossible to share PAM configuration -- with such services the following workaround is used: If the data file -- cannot be opened because of insufficient permissions -- (<errorcode>EACCES</errorcode>) the module returns -- <errorcode>PAM_SUCCESS</errorcode>. -+ The individual files with the failure records are created as owned by -+ the user. This allows <emphasis remap='B'>pam_faillock.so</emphasis> module -+ to work correctly when it is called from a screensaver. - </para> - <para> - Note that using the module in <option>preauth</option> without the diff --git a/extra/source/pam/patches/pam-1.1.3-limits-nosetreuid.patch b/extra/source/pam/patches/pam-1.1.3-limits-nosetreuid.patch deleted file mode 100644 index 885690d09..000000000 --- a/extra/source/pam/patches/pam-1.1.3-limits-nosetreuid.patch +++ /dev/null @@ -1,64 +0,0 @@ -diff -up Linux-PAM-1.1.3/modules/pam_limits/pam_limits.c.nosetreuid Linux-PAM-1.1.3/modules/pam_limits/pam_limits.c ---- Linux-PAM-1.1.3/modules/pam_limits/pam_limits.c.nosetreuid 2009-02-20 14:27:14.000000000 +0100 -+++ Linux-PAM-1.1.3/modules/pam_limits/pam_limits.c 2010-11-11 12:31:04.000000000 +0100 -@@ -103,7 +103,6 @@ struct pam_limit_s { - /* argument parsing */ - - #define PAM_DEBUG_ARG 0x0001 --#define PAM_DO_SETREUID 0x0002 - #define PAM_UTMP_EARLY 0x0004 - #define PAM_NO_AUDIT 0x0008 - -@@ -127,8 +126,6 @@ _pam_parse (const pam_handle_t *pamh, in - ctrl |= PAM_DEBUG_ARG; - } else if (!strncmp(*argv,"conf=",5)) { - pl->conf_file = *argv+5; -- } else if (!strncmp(*argv,"change_uid",10)) { -- ctrl |= PAM_DO_SETREUID; - } else if (!strcmp(*argv,"utmp_early")) { - ctrl |= PAM_UTMP_EARLY; - } else if (!strcmp(*argv,"noaudit")) { -@@ -777,10 +774,6 @@ out: - return retval; - } - -- if (ctrl & PAM_DO_SETREUID) { -- setreuid(pwd->pw_uid, -1); -- } -- - retval = setup_limits(pamh, pwd->pw_name, pwd->pw_uid, ctrl, pl); - if (retval & LOGIN_ERR) - pam_error(pamh, _("Too many logins for '%s'."), pwd->pw_name); -diff -up Linux-PAM-1.1.3/modules/pam_limits/pam_limits.8.xml.nosetreuid Linux-PAM-1.1.3/modules/pam_limits/pam_limits.8.xml ---- Linux-PAM-1.1.3/modules/pam_limits/pam_limits.8.xml.nosetreuid 2009-06-01 09:03:20.000000000 +0200 -+++ Linux-PAM-1.1.3/modules/pam_limits/pam_limits.8.xml 2010-11-11 12:32:35.000000000 +0100 -@@ -23,9 +23,6 @@ - <cmdsynopsis id="pam_limits-cmdsynopsis"> - <command>pam_limits.so</command> - <arg choice="opt"> -- change_uid -- </arg> -- <arg choice="opt"> - conf=<replaceable>/path/to/limits.conf</replaceable> - </arg> - <arg choice="opt"> -@@ -72,19 +69,6 @@ - <variablelist> - <varlistentry> - <term> -- <option>change_uid</option> -- </term> -- <listitem> -- <para> -- Change real uid to the user for who the limits are set up. Use this -- option if you have problems like login not forking a shell for user -- who has no processes. Be warned that something else may break when -- you do this. -- </para> -- </listitem> -- </varlistentry> -- <varlistentry> -- <term> - <option>conf=<replaceable>/path/to/limits.conf</replaceable></option> - </term> - <listitem> diff --git a/extra/source/pam/patches/pam-1.1.3-limits-range.patch b/extra/source/pam/patches/pam-1.1.3-limits-range.patch deleted file mode 100644 index c357eb282..000000000 --- a/extra/source/pam/patches/pam-1.1.3-limits-range.patch +++ /dev/null @@ -1,351 +0,0 @@ -Index: modules/pam_limits/limits.conf.5.xml -=================================================================== -RCS file: /cvsroot/pam/Linux-PAM/modules/pam_limits/limits.conf.5.xml,v -retrieving revision 1.9 -retrieving revision 1.11 -diff -u -p -r1.9 -r1.11 ---- modules/pam_limits/limits.conf.5.xml 20 Feb 2009 13:27:14 -0000 1.9 -+++ modules/pam_limits/limits.conf.5.xml 14 Dec 2010 08:40:40 -0000 1.11 -@@ -53,7 +53,38 @@ - <listitem> - <para> - the wildcard <emphasis remap='B'>%</emphasis>, for maxlogins limit only, -- can also be used with <emphasis remap='b'>%group</emphasis> syntax. -+ can also be used with <emphasis remap='B'>%group</emphasis> syntax. If the -+ <emphasis remap='B'>%</emphasis> wildcard is used alone it is identical -+ to using <emphasis remap='B'>*</emphasis> with maxsyslogins limit. With -+ a group specified after <emphasis remap='B'>%</emphasis> it limits the total -+ number of logins of all users that are member of the group. -+ </para> -+ </listitem> -+ <listitem> -+ <para> -+ an uid range specified as <replaceable><min_uid></replaceable><emphasis -+ remap='B'>:</emphasis><replaceable><max_uid></replaceable>. If min_uid -+ is omitted, the match is exact for the max_uid. If max_uid is omitted, all -+ uids greater than or equal min_uid match. -+ </para> -+ </listitem> -+ <listitem> -+ <para> -+ a gid range specified as <emphasis -+ remap='B'>@</emphasis><replaceable><min_gid></replaceable><emphasis -+ remap='B'>:</emphasis><replaceable><max_gid></replaceable>. If min_gid -+ is omitted, the match is exact for the max_gid. If max_gid is omitted, all -+ gids greater than or equal min_gid match. For the exact match all groups including -+ the user's supplementary groups are examined. For the range matches only -+ the user's primary group is examined. -+ </para> -+ </listitem> -+ <listitem> -+ <para> -+ a gid specified as <emphasis -+ remap='B'>%:</emphasis><replaceable><gid></replaceable> applicable -+ to maxlogins limit only. It limits the total number of logins of all users -+ that are member of the group with the specified gid. - </para> - </listitem> - </itemizedlist> -@@ -182,7 +213,7 @@ - <varlistentry> - <term><option>maxsyslogins</option></term> - <listitem> -- <para>maximum number of logins on system</para> -+ <para>maximum number of all logins on system</para> - </listitem> - </varlistentry> - <varlistentry> -@@ -272,12 +303,15 @@ - </para> - <programlisting> - * soft core 0 --* hard rss 10000 -+* hard nofile 512 - @student hard nproc 20 - @faculty soft nproc 20 - @faculty hard nproc 50 - ftp hard nproc 0 - @student - maxlogins 4 -+:123 hard cpu 5000 -+@500: soft cpu 10000 -+600:700 hard locks 10 - </programlisting> - </refsect1> - -Index: modules/pam_limits/pam_limits.c -=================================================================== -RCS file: /cvsroot/pam/Linux-PAM/modules/pam_limits/pam_limits.c,v -retrieving revision 1.48 -retrieving revision 1.49 -diff -u -p -r1.48 -r1.49 ---- modules/pam_limits/pam_limits.c 18 Nov 2010 09:37:32 -0000 1.48 -+++ modules/pam_limits/pam_limits.c 14 Dec 2010 08:40:40 -0000 1.49 -@@ -55,6 +55,12 @@ - #define LIMITS_DEF_DEFAULT 4 /* limit was set by an default entry */ - #define LIMITS_DEF_NONE 5 /* this limit was not set yet */ - -+#define LIMIT_RANGE_ERR -1 /* error in specified uid/gid range */ -+#define LIMIT_RANGE_NONE 0 /* no range specified */ -+#define LIMIT_RANGE_ONE 1 /* exact uid/gid specified (:max_uid)*/ -+#define LIMIT_RANGE_MIN 2 /* only minimum uid/gid specified (min_uid:) */ -+#define LIMIT_RANGE_MM 3 /* both min and max uid/gid specified (min_uid:max_uid) */ -+ - static const char *limits_def_names[] = { - "USER", - "GROUP", -@@ -520,8 +526,57 @@ process_limit (const pam_handle_t *pamh, - return; - } - --static int parse_config_file(pam_handle_t *pamh, const char *uname, int ctrl, -- struct pam_limit_s *pl) -+static int -+parse_uid_range(pam_handle_t *pamh, const char *domain, -+ uid_t *min_uid, uid_t *max_uid) -+{ -+ const char *range = domain; -+ char *pmax; -+ char *endptr; -+ int rv = LIMIT_RANGE_MM; -+ -+ if ((pmax=strchr(range, ':')) == NULL) -+ return LIMIT_RANGE_NONE; -+ ++pmax; -+ -+ if (range[0] == '@' || range[0] == '%') -+ ++range; -+ -+ if (range[0] == ':') -+ rv = LIMIT_RANGE_ONE; -+ else { -+ errno = 0; -+ *min_uid = strtoul (range, &endptr, 10); -+ if (errno != 0 || (range == endptr) || *endptr != ':') { -+ pam_syslog(pamh, LOG_DEBUG, -+ "wrong min_uid/gid value in '%s'", domain); -+ return LIMIT_RANGE_ERR; -+ } -+ } -+ -+ if (*pmax == '\0') { -+ if (rv == LIMIT_RANGE_ONE) -+ return LIMIT_RANGE_ERR; -+ else -+ return LIMIT_RANGE_MIN; -+ } -+ -+ errno = 0; -+ *max_uid = strtoul (pmax, &endptr, 10); -+ if (errno != 0 || (pmax == endptr) || *endptr != '\0') { -+ pam_syslog(pamh, LOG_DEBUG, -+ "wrong max_uid/gid value in '%s'", domain); -+ return LIMIT_RANGE_ERR; -+ } -+ -+ if (rv == LIMIT_RANGE_ONE) -+ *min_uid = *max_uid; -+ return rv; -+} -+ -+static int -+parse_config_file(pam_handle_t *pamh, const char *uname, uid_t uid, gid_t gid, -+ int ctrl, struct pam_limit_s *pl) - { - FILE *fil; - char buf[LINE_LENGTH]; -@@ -543,8 +598,10 @@ static int parse_config_file(pam_handle_ - char item[LINE_LENGTH]; - char value[LINE_LENGTH]; - int i; -+ int rngtype; - size_t j; - char *tptr,*line; -+ uid_t min_uid = (uid_t)-1, max_uid = (uid_t)-1; - - line = buf; - /* skip the leading white space */ -@@ -572,6 +629,11 @@ static int parse_config_file(pam_handle_ - for(j=0; j < strlen(ltype); j++) - ltype[j]=tolower(ltype[j]); - -+ if ((rngtype=parse_uid_range(pamh, domain, &min_uid, &max_uid)) < 0) { -+ pam_syslog(pamh, LOG_WARNING, "invalid uid range '%s' - skipped", domain); -+ continue; -+ } -+ - if (i == 4) { /* a complete line */ - for(j=0; j < strlen(item); j++) - item[j]=tolower(item[j]); -@@ -581,47 +643,133 @@ static int parse_config_file(pam_handle_ - if (strcmp(uname, domain) == 0) /* this user have a limit */ - process_limit(pamh, LIMITS_DEF_USER, ltype, item, value, ctrl, pl); - else if (domain[0]=='@') { -- if (ctrl & PAM_DEBUG_ARG) { -+ if (ctrl & PAM_DEBUG_ARG) { - pam_syslog(pamh, LOG_DEBUG, - "checking if %s is in group %s", - uname, domain + 1); -- } -- if (pam_modutil_user_in_group_nam_nam(pamh, uname, domain+1)) -- process_limit(pamh, LIMITS_DEF_GROUP, ltype, item, value, ctrl, -+ } -+ switch(rngtype) { -+ case LIMIT_RANGE_NONE: -+ if (pam_modutil_user_in_group_nam_nam(pamh, uname, domain+1)) -+ process_limit(pamh, LIMITS_DEF_GROUP, ltype, item, value, ctrl, -+ pl); -+ break; -+ case LIMIT_RANGE_ONE: -+ if (pam_modutil_user_in_group_nam_gid(pamh, uname, (gid_t)max_uid)) -+ process_limit(pamh, LIMITS_DEF_GROUP, ltype, item, value, ctrl, - pl); -+ break; -+ case LIMIT_RANGE_MM: -+ if (gid > (gid_t)max_uid) -+ break; -+ /* fallthrough */ -+ case LIMIT_RANGE_MIN: -+ if (gid >= (gid_t)min_uid) -+ process_limit(pamh, LIMITS_DEF_GROUP, ltype, item, value, ctrl, -+ pl); -+ } - } else if (domain[0]=='%') { -- if (ctrl & PAM_DEBUG_ARG) { -+ if (ctrl & PAM_DEBUG_ARG) { - pam_syslog(pamh, LOG_DEBUG, - "checking if %s is in group %s", - uname, domain + 1); -- } -- if (strcmp(domain,"%") == 0) -- process_limit(pamh, LIMITS_DEF_ALL, ltype, item, value, ctrl, -- pl); -- else if (pam_modutil_user_in_group_nam_nam(pamh, uname, domain+1)) { -- strcpy(pl->login_group, domain+1); -- process_limit(pamh, LIMITS_DEF_ALLGROUP, ltype, item, value, ctrl, -- pl); - } -- } else if (strcmp(domain, "*") == 0) -- process_limit(pamh, LIMITS_DEF_DEFAULT, ltype, item, value, ctrl, -- pl); -+ switch(rngtype) { -+ case LIMIT_RANGE_NONE: -+ if (strcmp(domain,"%") == 0) -+ process_limit(pamh, LIMITS_DEF_ALL, ltype, item, value, ctrl, -+ pl); -+ else if (pam_modutil_user_in_group_nam_nam(pamh, uname, domain+1)) { -+ strcpy(pl->login_group, domain+1); -+ process_limit(pamh, LIMITS_DEF_ALLGROUP, ltype, item, value, ctrl, -+ pl); -+ } -+ break; -+ case LIMIT_RANGE_ONE: -+ if (pam_modutil_user_in_group_nam_gid(pamh, uname, (gid_t)max_uid)) { -+ struct group *grp; -+ grp = pam_modutil_getgrgid(pamh, (gid_t)max_uid); -+ strncpy(pl->login_group, grp->gr_name, sizeof(pl->login_group)); -+ pl->login_group[sizeof(pl->login_group)-1] = '\0'; -+ process_limit(pamh, LIMITS_DEF_ALLGROUP, ltype, item, value, ctrl, -+ pl); -+ } -+ break; -+ case LIMIT_RANGE_MIN: -+ case LIMIT_RANGE_MM: -+ pam_syslog(pamh, LOG_WARNING, "range unsupported for %%group matching - ignored"); -+ } -+ } else { -+ switch(rngtype) { -+ case LIMIT_RANGE_NONE: -+ if (strcmp(domain, "*") == 0) -+ process_limit(pamh, LIMITS_DEF_DEFAULT, ltype, item, value, ctrl, -+ pl); -+ break; -+ case LIMIT_RANGE_ONE: -+ if (uid != max_uid) -+ break; -+ /* fallthrough */ -+ case LIMIT_RANGE_MM: -+ if (uid > max_uid) -+ break; -+ /* fallthrough */ -+ case LIMIT_RANGE_MIN: -+ if (uid >= min_uid) -+ process_limit(pamh, LIMITS_DEF_USER, ltype, item, value, ctrl, pl); -+ } -+ } - } else if (i == 2 && ltype[0] == '-') { /* Probably a no-limit line */ - if (strcmp(uname, domain) == 0) { - if (ctrl & PAM_DEBUG_ARG) { - pam_syslog(pamh, LOG_DEBUG, "no limits for '%s'", uname); - } -- fclose(fil); -- return PAM_IGNORE; -- } else if (domain[0] == '@' && pam_modutil_user_in_group_nam_nam(pamh, uname, domain+1)) { -+ } else if (domain[0] == '@') { -+ switch(rngtype) { -+ case LIMIT_RANGE_NONE: -+ if (!pam_modutil_user_in_group_nam_nam(pamh, uname, domain+1)) -+ continue; /* next line */ -+ break; -+ case LIMIT_RANGE_ONE: -+ if (!pam_modutil_user_in_group_nam_gid(pamh, uname, (gid_t)max_uid)) -+ continue; /* next line */ -+ break; -+ case LIMIT_RANGE_MM: -+ if (gid > (gid_t)max_uid) -+ continue; /* next line */ -+ /* fallthrough */ -+ case LIMIT_RANGE_MIN: -+ if (gid < (gid_t)min_uid) -+ continue; /* next line */ -+ } - if (ctrl & PAM_DEBUG_ARG) { - pam_syslog(pamh, LOG_DEBUG, - "no limits for '%s' in group '%s'", - uname, domain+1); - } -- fclose(fil); -- return PAM_IGNORE; -+ } else { -+ switch(rngtype) { -+ case LIMIT_RANGE_NONE: -+ continue; /* next line */ -+ case LIMIT_RANGE_ONE: -+ if (uid != max_uid) -+ continue; /* next line */ -+ break; -+ case LIMIT_RANGE_MM: -+ if (uid > max_uid) -+ continue; /* next line */ -+ /* fallthrough */ -+ case LIMIT_RANGE_MIN: -+ if (uid >= min_uid) -+ break; -+ continue; /* next line */ -+ } -+ if (ctrl & PAM_DEBUG_ARG) { -+ pam_syslog(pamh, LOG_DEBUG, "no limits for '%s'", uname); -+ } - } -+ fclose(fil); -+ return PAM_IGNORE; - } else { - pam_syslog(pamh, LOG_WARNING, "invalid line '%s' - skipped", line); - } -@@ -731,7 +879,7 @@ pam_sm_open_session (pam_handle_t *pamh, - return PAM_ABORT; - } - -- retval = parse_config_file(pamh, pwd->pw_name, ctrl, pl); -+ retval = parse_config_file(pamh, pwd->pw_name, pwd->pw_uid, pwd->pw_gid, ctrl, pl); - if (retval == PAM_IGNORE) { - D(("the configuration file ('%s') has an applicable '<domain> -' entry", CONF_FILE)); - return PAM_SUCCESS; -@@ -755,7 +903,7 @@ pam_sm_open_session (pam_handle_t *pamh, - /* Parse the *.conf files. */ - for (i = 0; globbuf.gl_pathv[i] != NULL; i++) { - pl->conf_file = globbuf.gl_pathv[i]; -- retval = parse_config_file(pamh, pwd->pw_name, ctrl, pl); -+ retval = parse_config_file(pamh, pwd->pw_name, pwd->pw_uid, pwd->pw_gid, ctrl, pl); - if (retval == PAM_IGNORE) { - D(("the configuration file ('%s') has an applicable '<domain> -' entry", pl->conf_file)); - globfree(&globbuf); diff --git a/extra/source/pam/patches/pam-1.1.3-nouserenv.patch b/extra/source/pam/patches/pam-1.1.3-nouserenv.patch deleted file mode 100644 index f3a742c8d..000000000 --- a/extra/source/pam/patches/pam-1.1.3-nouserenv.patch +++ /dev/null @@ -1,27 +0,0 @@ -diff -up pam/modules/pam_env/pam_env.c.nouserenv pam/modules/pam_env/pam_env.c ---- pam/modules/pam_env/pam_env.c.nouserenv 2010-10-20 09:59:30.000000000 +0200 -+++ pam/modules/pam_env/pam_env.c 2010-11-01 14:42:01.000000000 +0100 -@@ -10,7 +10,7 @@ - #define DEFAULT_READ_ENVFILE 1 - - #define DEFAULT_USER_ENVFILE ".pam_environment" --#define DEFAULT_USER_READ_ENVFILE 1 -+#define DEFAULT_USER_READ_ENVFILE 0 - - #include "config.h" - -diff -up pam/modules/pam_env/pam_env.8.xml.nouserenv pam/modules/pam_env/pam_env.8.xml ---- pam/modules/pam_env/pam_env.8.xml.nouserenv 2010-10-20 09:59:30.000000000 +0200 -+++ pam/modules/pam_env/pam_env.8.xml 2010-11-01 14:42:01.000000000 +0100 -@@ -147,7 +147,10 @@ - <listitem> - <para> - Turns on or off the reading of the user specific environment -- file. 0 is off, 1 is on. By default this option is on. -+ file. 0 is off, 1 is on. By default this option is off as user -+ supplied environment variables in the PAM environment could affect -+ behavior of subsequent modules in the stack without the consent -+ of the system administrator. - </para> - </listitem> - </varlistentry> diff --git a/extra/source/pam/patches/pam-1.1.3-pwhistory-incomplete.patch b/extra/source/pam/patches/pam-1.1.3-pwhistory-incomplete.patch deleted file mode 100644 index 6117b26ea..000000000 --- a/extra/source/pam/patches/pam-1.1.3-pwhistory-incomplete.patch +++ /dev/null @@ -1,54 +0,0 @@ -diff -up Linux-PAM-1.1.3/modules/pam_pwhistory/pam_pwhistory.c.incomplete Linux-PAM-1.1.3/modules/pam_pwhistory/pam_pwhistory.c ---- Linux-PAM-1.1.3/modules/pam_pwhistory/pam_pwhistory.c.incomplete 2008-12-18 14:09:36.000000000 +0100 -+++ Linux-PAM-1.1.3/modules/pam_pwhistory/pam_pwhistory.c 2010-11-11 14:45:02.000000000 +0100 -@@ -187,12 +187,13 @@ pam_sm_chauthtok (pam_handle_t *pamh, in - { - retval = pam_get_authtok (pamh, PAM_AUTHTOK, &newpass, NULL); - if (retval != PAM_SUCCESS && retval != PAM_TRY_AGAIN) -- return retval; -+ { -+ if (retval == PAM_CONV_AGAIN) -+ retval = PAM_INCOMPLETE; -+ return retval; -+ } - tries++; - -- if (newpass == NULL || retval == PAM_TRY_AGAIN) -- continue; -- - if (options.debug) - { - if (newpass) -@@ -201,12 +202,8 @@ pam_sm_chauthtok (pam_handle_t *pamh, in - pam_syslog (pamh, LOG_DEBUG, "got no auth token"); - } - -- if (retval != PAM_SUCCESS || newpass == NULL) -- { -- if (retval == PAM_CONV_AGAIN) -- retval = PAM_INCOMPLETE; -- return retval; -- } -+ if (newpass == NULL || retval == PAM_TRY_AGAIN) -+ continue; - - if (options.debug) - pam_syslog (pamh, LOG_DEBUG, "check against old password file"); -@@ -219,7 +216,6 @@ pam_sm_chauthtok (pam_handle_t *pamh, in - newpass = NULL; - /* Remove password item, else following module will use it */ - pam_set_item (pamh, PAM_AUTHTOK, (void *) NULL); -- continue; - } - } - -@@ -230,8 +226,7 @@ pam_sm_chauthtok (pam_handle_t *pamh, in - return PAM_MAXTRIES; - } - -- /* Remember new password */ -- return pam_set_item (pamh, PAM_AUTHTOK, newpass); -+ return PAM_SUCCESS; - } - - diff --git a/extra/source/pam/patches/pam-1.1.3-securetty-console.patch b/extra/source/pam/patches/pam-1.1.3-securetty-console.patch deleted file mode 100644 index 94fa6ecf0..000000000 --- a/extra/source/pam/patches/pam-1.1.3-securetty-console.patch +++ /dev/null @@ -1,120 +0,0 @@ -Index: modules/pam_securetty/pam_securetty.8.xml -=================================================================== -RCS file: /cvsroot/pam/Linux-PAM/modules/pam_securetty/pam_securetty.8.xml,v -retrieving revision 1.4 -retrieving revision 1.6 -diff -u -p -r1.4 -r1.6 ---- modules/pam_securetty/pam_securetty.8.xml 18 Aug 2008 13:29:25 -0000 1.4 -+++ modules/pam_securetty/pam_securetty.8.xml 25 Nov 2010 16:58:59 -0000 1.6 -@@ -33,7 +33,9 @@ - user is logging in on a "secure" tty, as defined by the listing - in <filename>/etc/securetty</filename>. pam_securetty also checks - to make sure that <filename>/etc/securetty</filename> is a plain -- file and not world writable. -+ file and not world writable. It will also allow root logins on -+ the tty specified with <option>console=</option> switch on the -+ kernel command line. - </para> - <para> - This module has no effect on non-root users and requires that the -@@ -61,6 +63,18 @@ - </para> - </listitem> - </varlistentry> -+ <varlistentry> -+ <term> -+ <option>noconsole</option> -+ </term> -+ <listitem> -+ <para> -+ Do not automatically allow root logins on the kernel console -+ device, as specified on the kernel command line, if it is -+ not also specified in the <filename>/etc/securetty</filename> file. -+ </para> -+ </listitem> -+ </varlistentry> - </variablelist> - </refsect1> - -Index: modules/pam_securetty/pam_securetty.c -=================================================================== -RCS file: /cvsroot/pam/Linux-PAM/modules/pam_securetty/pam_securetty.c,v -retrieving revision 1.14 -retrieving revision 1.15 -diff -u -p -r1.14 -r1.15 ---- modules/pam_securetty/pam_securetty.c 10 Sep 2009 10:19:58 -0000 1.14 -+++ modules/pam_securetty/pam_securetty.c 24 Nov 2010 12:28:01 -0000 1.15 -@@ -2,6 +2,7 @@ - - #define SECURETTY_FILE "/etc/securetty" - #define TTY_PREFIX "/dev/" -+#define CMDLINE_FILE "/proc/cmdline" - - /* - * by Elliot Lee <sopwith@redhat.com>, Red Hat Software. -@@ -22,6 +23,7 @@ - #include <pwd.h> - #include <string.h> - #include <ctype.h> -+#include <limits.h> - - /* - * here, we make a definition for the externally accessible function -@@ -38,6 +40,7 @@ - #include <security/pam_ext.h> - - #define PAM_DEBUG_ARG 0x0001 -+#define PAM_NOCONSOLE_ARG 0x0002 - - static int - _pam_parse (const pam_handle_t *pamh, int argc, const char **argv) -@@ -51,6 +54,8 @@ _pam_parse (const pam_handle_t *pamh, in - - if (!strcmp(*argv,"debug")) - ctrl |= PAM_DEBUG_ARG; -+ else if (!strcmp(*argv, "noconsole")) -+ ctrl |= PAM_NOCONSOLE_ARG; - else { - pam_syslog(pamh, LOG_ERR, "unknown option: %s", *argv); - } -@@ -144,6 +149,40 @@ securetty_perform_check (pam_handle_t *p - } - fclose(ttyfile); - -+ if (retval && !(ctrl & PAM_NOCONSOLE_ARG)) { -+ FILE *cmdlinefile; -+ -+ /* Allow access from the kernel console, if enabled */ -+ cmdlinefile = fopen(CMDLINE_FILE, "r"); -+ -+ if (cmdlinefile != NULL) { -+ char line[LINE_MAX], *p; -+ -+ line[0] = 0; -+ fgets(line, sizeof(line), cmdlinefile); -+ fclose(cmdlinefile); -+ -+ for (p = line; p; p = strstr(p+1, "console=")) { -+ char *e; -+ -+ /* Test whether this is a beginning of a word? */ -+ if (p > line && p[-1] != ' ') -+ continue; -+ -+ /* Ist this our console? */ -+ if (strncmp(p + 8, uttyname, strlen(uttyname))) -+ continue; -+ -+ /* Is there any garbage after the TTY name? */ -+ e = p + 8 + strlen(uttyname); -+ if (*e == ',' || *e == ' ' || *e == '\n' || *e == 0) { -+ retval = 0; -+ break; -+ } -+ } -+ } -+ } -+ - if (retval) { - pam_syslog(pamh, LOG_WARNING, "access denied: tty '%s' is not secure !", - uttyname); diff --git a/extra/source/pam/slack-desc b/extra/source/pam/slack-desc deleted file mode 100644 index 8b57bc0d6..000000000 --- a/extra/source/pam/slack-desc +++ /dev/null @@ -1,19 +0,0 @@ -# HOW TO EDIT THIS FILE: -# The "handy ruler" below makes it easier to edit a package description. Line -# up the first '|' above the ':' following the base package name, and the '|' -# on the right side marks the last column you can put a character in. You must -# make exactly 11 lines for the formatting to be correct. It's also -# customary to leave one space after the ':'. - - |-----handy-ruler------------------------------------------------------| -pam: pam (Pluggable Authentication Modules) -pam: -pam: PAM = Pluggable Authentication Modules. Basically, it is a flexible -pam: mechanism for authenticating users. PAM provides a way to develop -pam: programs that are independent of authentication scheme. However, -pam: these programs will need "authentication modules" (and libpam) at -pam: run-time in order to work. -pam: -pam: -pam: Homepage: http://www.kernel.org/pub/linux/libs/pam/ -pam: |