author | Maxin B. John <maxin.john@intel.com> | 2016-05-25 17:07:39 +0300 |
committer | Richard Purdie <richard.purdie@linuxfoundation.org> | 2016-05-30 15:58:12 +0100 |
commit | 87f0a826255e8e43a327e7b085fd5bc14b4f324c (patch) | |
tree | d39dbdf25d5e0b0690b3a39aecd5505d88b52bea /meta/recipes-extended/pam/libpam/pam-unix-nullok-secure.patch | |
parent | 52d130d9e9735af569f018fc9161a54ed198d2d4 (diff) | |
libpam: update to 1.3.0
1.2.1 -> 1.3.0
Remove upstreamed patch:
a) pam-no-innetgr.patch
Refreshed the following patches for 1.3.0:
a) crypt_configure.patch
b) pam-unix-nullok-secure.patch
(From OE-Core rev: ac512ff9fbe41428e3d71d3e943aaa871d8b155a)
Signed-off-by: Maxin B. John <maxin.john@intel.com>
Signed-off-by: Ross Burton <ross.burton@intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Diffstat (limited to 'meta/recipes-extended/pam/libpam/pam-unix-nullok-secure.patch')
-rw-r--r-- | meta/recipes-extended/pam/libpam/pam-unix-nullok-secure.patch | 119 |
1 files changed, 37 insertions, 82 deletions
diff --git a/meta/recipes-extended/pam/libpam/pam-unix-nullok-secure.patch b/meta/recipes-extended/pam/libpam/pam-unix-nullok-secure.patch index 3241e82959..d2cc66882e 100644 --- a/meta/recipes-extended/pam/libpam/pam-unix-nullok-secure.patch +++ b/meta/recipes-extended/pam/libpam/pam-unix-nullok-secure.patch | |||
@@ -1,9 +1,11 @@ | |||
1 | From 9bdc197474795f2d000c2bc04f58f7cef8898f21 Mon Sep 17 00:00:00 2001 | 1 | From b6545b83f94c5fb7aec1478b8d458a1393f479c8 Mon Sep 17 00:00:00 2001 |
2 | From: Amarnath Valluri <amarnath.valluri@intel.com> | 2 | From: "Maxin B. John" <maxin.john@intel.com> |
3 | Date: Wed, 15 Jul 2015 13:07:20 +0300 | 3 | Date: Wed, 25 May 2016 14:12:25 +0300 |
4 | Subject: [PATCH] Debian patch to add a new 'nullok_secure' option to pam_unix, | 4 | Subject: [PATCH] pam_unix: support 'nullok_secure' option |
5 | which accepts users with null passwords only when the applicant is connected | 5 | |
6 | from a tty listed in /etc/securetty. | 6 | Debian patch to add a new 'nullok_secure' option to pam_unix, |
7 | which accepts users with null passwords only when the applicant is | ||
8 | connected from a tty listed in /etc/securetty. | ||
7 | 9 | ||
8 | Authors: Sam Hartman <hartmans@debian.org>, | 10 | Authors: Sam Hartman <hartmans@debian.org>, |
9 | Steve Langasek <vorlon@debian.org> | 11 | Steve Langasek <vorlon@debian.org> |
@@ -11,78 +13,31 @@ Authors: Sam Hartman <hartmans@debian.org>, | |||
11 | Upstream-Status: Pending | 13 | Upstream-Status: Pending |
12 | 14 | ||
13 | Signed-off-by: Ming Liu <ming.liu@windriver.com> | 15 | Signed-off-by: Ming Liu <ming.liu@windriver.com> |
14 | |||
15 | v2: | ||
16 | - Forward ported from v1.1.6 to v1.2.1 | ||
17 | |||
18 | Signed-off-by: Amarnath Valluri <amarnath.valluri@intel.com> | 16 | Signed-off-by: Amarnath Valluri <amarnath.valluri@intel.com> |
17 | Signed-off-by: Maxin B. John <maxin.john@intel.com> | ||
19 | --- | 18 | --- |
20 | modules/pam_unix/Makefile.am | 3 ++- | 19 | modules/pam_unix/Makefile.am | 3 ++- |
21 | modules/pam_unix/README | 11 ++++++++++- | ||
22 | modules/pam_unix/pam_unix.8 | 9 ++++++++- | ||
23 | modules/pam_unix/pam_unix.8.xml | 19 ++++++++++++++++++- | 20 | modules/pam_unix/pam_unix.8.xml | 19 ++++++++++++++++++- |
24 | modules/pam_unix/support.c | 40 +++++++++++++++++++++++++++++++++++----- | 21 | modules/pam_unix/support.c | 40 +++++++++++++++++++++++++++++++++++----- |
25 | modules/pam_unix/support.h | 8 ++++++-- | 22 | modules/pam_unix/support.h | 8 ++++++-- |
26 | 6 files changed, 79 insertions(+), 11 deletions(-) | 23 | 4 files changed, 61 insertions(+), 9 deletions(-) |
27 | 24 | ||
28 | diff --git a/modules/pam_unix/Makefile.am b/modules/pam_unix/Makefile.am | 25 | diff --git a/modules/pam_unix/Makefile.am b/modules/pam_unix/Makefile.am |
29 | index 56ed591..9a372ac 100644 | 26 | index 56df178..2bba460 100644 |
30 | --- a/modules/pam_unix/Makefile.am | 27 | --- a/modules/pam_unix/Makefile.am |
31 | +++ b/modules/pam_unix/Makefile.am | 28 | +++ b/modules/pam_unix/Makefile.am |
32 | @@ -30,7 +30,8 @@ if HAVE_VERSIONING | 29 | @@ -30,7 +30,8 @@ if HAVE_VERSIONING |
33 | pam_unix_la_LDFLAGS += -Wl,--version-script=$(srcdir)/../modules.map | 30 | pam_unix_la_LDFLAGS += -Wl,--version-script=$(srcdir)/../modules.map |
34 | endif | 31 | endif |
35 | pam_unix_la_LIBADD = $(top_builddir)/libpam/libpam.la \ | 32 | pam_unix_la_LIBADD = $(top_builddir)/libpam/libpam.la \ |
36 | - @LIBCRYPT@ @LIBSELINUX@ $(NIS_LIBS) | 33 | - @LIBCRYPT@ @LIBSELINUX@ @TIRPC_LIBS@ @NSL_LIBS@ |
37 | + @LIBCRYPT@ @LIBSELINUX@ $(NIS_LIBS) \ | 34 | + @LIBCRYPT@ @LIBSELINUX@ @TIRPC_LIBS@ @NSL_LIBS@ \ |
38 | + ../pam_securetty/tty_secure.lo | 35 | + ../pam_securetty/tty_secure.lo |
39 | 36 | ||
40 | securelib_LTLIBRARIES = pam_unix.la | 37 | securelib_LTLIBRARIES = pam_unix.la |
41 | 38 | ||
42 | diff --git a/modules/pam_unix/README b/modules/pam_unix/README | ||
43 | index 3935dba..7880d91 100644 | ||
44 | --- a/modules/pam_unix/README | ||
45 | +++ b/modules/pam_unix/README | ||
46 | @@ -67,7 +67,16 @@ nullok | ||
47 | |||
48 | The default action of this module is to not permit the user access to a | ||
49 | service if their official password is blank. The nullok argument overrides | ||
50 | - this default. | ||
51 | + this default and allows any user with a blank password to access the | ||
52 | + service. | ||
53 | + | ||
54 | +nullok_secure | ||
55 | + | ||
56 | + The default action of this module is to not permit the user access to a | ||
57 | + service if their official password is blank. The nullok_secure argument | ||
58 | + overrides this default and allows any user with a blank password to access | ||
59 | + the service as long as the value of PAM_TTY is set to one of the values | ||
60 | + found in /etc/securetty. | ||
61 | |||
62 | try_first_pass | ||
63 | |||
64 | diff --git a/modules/pam_unix/pam_unix.8 b/modules/pam_unix/pam_unix.8 | ||
65 | index 339178b..a4bd906 100644 | ||
66 | --- a/modules/pam_unix/pam_unix.8 | ||
67 | +++ b/modules/pam_unix/pam_unix.8 | ||
68 | @@ -92,7 +92,14 @@ Turns off informational messages namely messages about session open and close vi | ||
69 | .RS 4 | ||
70 | The default action of this module is to not permit the user access to a service if their official password is blank\&. The | ||
71 | \fBnullok\fR | ||
72 | -argument overrides this default\&. | ||
73 | +argument overrides this default and allows any user with a blank password to access the service\&. | ||
74 | +.RE | ||
75 | +.PP | ||
76 | +\fBnullok_secure\fR | ||
77 | +.RS 4 | ||
78 | +The default action of this module is to not permit the user access to a service if their official password is blank\&. The | ||
79 | +\fBnullok_secure\fR | ||
80 | +argument overrides this default and allows any user with a blank password to access the service as long as the value of PAM_TTY is set to one of the values found in /etc/securetty\&. | ||
81 | .RE | ||
82 | .PP | ||
83 | \fBtry_first_pass\fR | ||
84 | diff --git a/modules/pam_unix/pam_unix.8.xml b/modules/pam_unix/pam_unix.8.xml | 39 | diff --git a/modules/pam_unix/pam_unix.8.xml b/modules/pam_unix/pam_unix.8.xml |
85 | index a8b64bb..1ced6f4 100644 | 40 | index 1b318f1..be0330e 100644 |
86 | --- a/modules/pam_unix/pam_unix.8.xml | 41 | --- a/modules/pam_unix/pam_unix.8.xml |
87 | +++ b/modules/pam_unix/pam_unix.8.xml | 42 | +++ b/modules/pam_unix/pam_unix.8.xml |
88 | @@ -159,7 +159,24 @@ | 43 | @@ -159,7 +159,24 @@ |
@@ -112,10 +67,10 @@ index a8b64bb..1ced6f4 100644 | |||
112 | </listitem> | 67 | </listitem> |
113 | </varlistentry> | 68 | </varlistentry> |
114 | diff --git a/modules/pam_unix/support.c b/modules/pam_unix/support.c | 69 | diff --git a/modules/pam_unix/support.c b/modules/pam_unix/support.c |
115 | index abccd82..2361957 100644 | 70 | index fc8595e..29e3341 100644 |
116 | --- a/modules/pam_unix/support.c | 71 | --- a/modules/pam_unix/support.c |
117 | +++ b/modules/pam_unix/support.c | 72 | +++ b/modules/pam_unix/support.c |
118 | @@ -189,13 +189,22 @@ int _set_ctrl(pam_handle_t *pamh, int flags, int *remember, int *rounds, | 73 | @@ -183,13 +183,22 @@ int _set_ctrl(pam_handle_t *pamh, int flags, int *remember, int *rounds, |
119 | /* now parse the arguments to this module */ | 74 | /* now parse the arguments to this module */ |
120 | 75 | ||
121 | for (; argc-- > 0; ++argv) { | 76 | for (; argc-- > 0; ++argv) { |
@@ -141,7 +96,7 @@ index abccd82..2361957 100644 | |||
141 | } | 96 | } |
142 | } | 97 | } |
143 | 98 | ||
144 | @@ -566,6 +575,7 @@ static int _unix_run_helper_binary(pam_handle_t *pamh, const char *passwd, | 99 | @@ -560,6 +569,7 @@ static int _unix_run_helper_binary(pam_handle_t *pamh, const char *passwd, |
145 | if (child == 0) { | 100 | if (child == 0) { |
146 | static char *envp[] = { NULL }; | 101 | static char *envp[] = { NULL }; |
147 | const char *args[] = { NULL, NULL, NULL, NULL }; | 102 | const char *args[] = { NULL, NULL, NULL, NULL }; |
@@ -149,7 +104,7 @@ index abccd82..2361957 100644 | |||
149 | 104 | ||
150 | /* XXX - should really tidy up PAM here too */ | 105 | /* XXX - should really tidy up PAM here too */ |
151 | 106 | ||
152 | @@ -593,7 +603,16 @@ static int _unix_run_helper_binary(pam_handle_t *pamh, const char *passwd, | 107 | @@ -587,7 +597,16 @@ static int _unix_run_helper_binary(pam_handle_t *pamh, const char *passwd, |
153 | /* exec binary helper */ | 108 | /* exec binary helper */ |
154 | args[0] = CHKPWD_HELPER; | 109 | args[0] = CHKPWD_HELPER; |
155 | args[1] = user; | 110 | args[1] = user; |
@@ -167,7 +122,7 @@ index abccd82..2361957 100644 | |||
167 | args[2]="nullok"; | 122 | args[2]="nullok"; |
168 | } else { | 123 | } else { |
169 | args[2]="nonull"; | 124 | args[2]="nonull"; |
170 | @@ -678,6 +697,17 @@ _unix_blankpasswd (pam_handle_t *pamh, unsigned int ctrl, const char *name) | 125 | @@ -672,6 +691,17 @@ _unix_blankpasswd (pam_handle_t *pamh, unsigned int ctrl, const char *name) |
171 | if (on(UNIX__NONULL, ctrl)) | 126 | if (on(UNIX__NONULL, ctrl)) |
172 | return 0; /* will fail but don't let on yet */ | 127 | return 0; /* will fail but don't let on yet */ |
173 | 128 | ||
@@ -185,7 +140,7 @@ index abccd82..2361957 100644 | |||
185 | /* UNIX passwords area */ | 140 | /* UNIX passwords area */ |
186 | 141 | ||
187 | retval = get_pwd_hash(pamh, name, &pwd, &salt); | 142 | retval = get_pwd_hash(pamh, name, &pwd, &salt); |
188 | @@ -764,7 +794,7 @@ int _unix_verify_password(pam_handle_t * pamh, const char *name | 143 | @@ -758,7 +788,7 @@ int _unix_verify_password(pam_handle_t * pamh, const char *name |
189 | } | 144 | } |
190 | } | 145 | } |
191 | } else { | 146 | } else { |
@@ -195,46 +150,46 @@ index abccd82..2361957 100644 | |||
195 | 150 | ||
196 | if (retval == PAM_SUCCESS) { | 151 | if (retval == PAM_SUCCESS) { |
197 | diff --git a/modules/pam_unix/support.h b/modules/pam_unix/support.h | 152 | diff --git a/modules/pam_unix/support.h b/modules/pam_unix/support.h |
198 | index 3729ce0..43cdbea 100644 | 153 | index b4c279c..8da4a8e 100644 |
199 | --- a/modules/pam_unix/support.h | 154 | --- a/modules/pam_unix/support.h |
200 | +++ b/modules/pam_unix/support.h | 155 | +++ b/modules/pam_unix/support.h |
201 | @@ -99,8 +99,9 @@ typedef struct { | 156 | @@ -98,8 +98,9 @@ typedef struct { |
202 | #define UNIX_MIN_PASS_LEN 27 /* min length for password */ | ||
203 | #define UNIX_QUIET 28 /* Don't print informational messages */ | 157 | #define UNIX_QUIET 28 /* Don't print informational messages */ |
204 | #define UNIX_DES 29 /* DES, default */ | 158 | #define UNIX_NO_PASS_EXPIRY 29 /* Don't check for password expiration if not used for authentication */ |
205 | +#define UNIX_NULLOK_SECURE 30 /* NULL passwords allowed only on secure ttys */ | 159 | #define UNIX_DES 30 /* DES, default */ |
160 | +#define UNIX_NULLOK_SECURE 31 /* NULL passwords allowed only on secure ttys */ | ||
206 | /* -------------- */ | 161 | /* -------------- */ |
207 | -#define UNIX_CTRLS_ 30 /* number of ctrl arguments defined */ | 162 | -#define UNIX_CTRLS_ 31 /* number of ctrl arguments defined */ |
208 | +#define UNIX_CTRLS_ 31 /* number of ctrl arguments defined */ | 163 | +#define UNIX_CTRLS_ 32 /* number of ctrl arguments defined */ |
209 | 164 | ||
210 | #define UNIX_DES_CRYPT(ctrl) (off(UNIX_MD5_PASS,ctrl)&&off(UNIX_BIGCRYPT,ctrl)&&off(UNIX_SHA256_PASS,ctrl)&&off(UNIX_SHA512_PASS,ctrl)&&off(UNIX_BLOWFISH_PASS,ctrl)) | 165 | #define UNIX_DES_CRYPT(ctrl) (off(UNIX_MD5_PASS,ctrl)&&off(UNIX_BIGCRYPT,ctrl)&&off(UNIX_SHA256_PASS,ctrl)&&off(UNIX_SHA512_PASS,ctrl)&&off(UNIX_BLOWFISH_PASS,ctrl)) |
211 | 166 | ||
212 | @@ -118,7 +119,7 @@ static const UNIX_Ctrls unix_args[UNIX_CTRLS_] = | 167 | @@ -117,7 +118,7 @@ static const UNIX_Ctrls unix_args[UNIX_CTRLS_] = |
213 | /* UNIX_NOT_SET_PASS */ {"not_set_pass", _ALL_ON_, 0100, 0}, | 168 | /* UNIX_AUTHTOK_TYPE */ {"authtok_type=", _ALL_ON_, 0100, 0}, |
214 | /* UNIX__PRELIM */ {NULL, _ALL_ON_^(0600), 0200, 0}, | 169 | /* UNIX__PRELIM */ {NULL, _ALL_ON_^(0600), 0200, 0}, |
215 | /* UNIX__UPDATE */ {NULL, _ALL_ON_^(0600), 0400, 0}, | 170 | /* UNIX__UPDATE */ {NULL, _ALL_ON_^(0600), 0400, 0}, |
216 | -/* UNIX__NONULL */ {NULL, _ALL_ON_, 01000, 0}, | 171 | -/* UNIX__NONULL */ {NULL, _ALL_ON_, 01000, 0}, |
217 | +/* UNIX__NONULL */ {NULL, _ALL_ON_^(02000000000), 01000, 0}, | 172 | +/* UNIX__NONULL */ {NULL, _ALL_ON_^(02000000000), 01000, 0}, |
218 | /* UNIX__QUIET */ {NULL, _ALL_ON_, 02000, 0}, | 173 | /* UNIX__QUIET */ {NULL, _ALL_ON_, 02000, 0}, |
219 | /* UNIX_USE_AUTHTOK */ {"use_authtok", _ALL_ON_, 04000, 0}, | 174 | /* UNIX_USE_AUTHTOK */ {"use_authtok", _ALL_ON_, 04000, 0}, |
220 | /* UNIX_SHADOW */ {"shadow", _ALL_ON_, 010000, 0}, | 175 | /* UNIX_SHADOW */ {"shadow", _ALL_ON_, 010000, 0}, |
221 | @@ -139,6 +140,7 @@ static const UNIX_Ctrls unix_args[UNIX_CTRLS_] = | 176 | @@ -139,6 +140,7 @@ static const UNIX_Ctrls unix_args[UNIX_CTRLS_] = |
222 | /* UNIX_MIN_PASS_LEN */ {"minlen=", _ALL_ON_, 0400000000, 0}, | ||
223 | /* UNIX_QUIET */ {"quiet", _ALL_ON_, 01000000000, 0}, | 177 | /* UNIX_QUIET */ {"quiet", _ALL_ON_, 01000000000, 0}, |
178 | /* UNIX_NO_PASS_EXPIRY */ {"no_pass_expiry", _ALL_ON_, 02000000000, 0}, | ||
224 | /* UNIX_DES */ {"des", _ALL_ON_^(0260420000), 0, 1}, | 179 | /* UNIX_DES */ {"des", _ALL_ON_^(0260420000), 0, 1}, |
225 | +/* UNIX_NULLOK_SECURE */ {"nullok_secure", _ALL_ON_^(01000), 02000000000, 0}, | 180 | +/* UNIX_NULLOK_SECURE */ {"nullok_secure", _ALL_ON_^(01000), 02000000000, 0}, |
226 | }; | 181 | }; |
227 | 182 | ||
228 | #define UNIX_DEFAULTS (unix_args[UNIX__NONULL].flag) | 183 | #define UNIX_DEFAULTS (unix_args[UNIX__NONULL].flag) |
229 | @@ -171,6 +173,8 @@ extern int _unix_read_password(pam_handle_t * pamh | 184 | @@ -172,6 +174,8 @@ extern int _unix_read_password(pam_handle_t * pamh |
230 | ,const char *prompt2 | ||
231 | ,const char *data_name | 185 | ,const char *data_name |
232 | ,const void **pass); | 186 | ,const void **pass); |
233 | +extern int _pammodutil_tty_secure(const pam_handle_t *pamh, | ||
234 | + const char *uttyname); | ||
235 | 187 | ||
188 | +extern int _pammodutil_tty_secure(const pam_handle_t *pamh, const char *uttyname); | ||
189 | + | ||
236 | extern int _unix_run_verify_binary(pam_handle_t *pamh, | 190 | extern int _unix_run_verify_binary(pam_handle_t *pamh, |
237 | unsigned int ctrl, const char *user, int *daysleft); | 191 | unsigned int ctrl, const char *user, int *daysleft); |
192 | #endif /* _PAM_UNIX_SUPPORT_H */ | ||
238 | -- | 193 | -- |
239 | 2.1.4 | 194 | 2.4.0 |
240 | 195 | ||
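Review bot: In the refreshed support.h hunk the new `UNIX_NULLOK_SECURE` table entry keeps the flag bit `02000000000` from the 1.2.1 version of the patch, but on the 1.3.0 new side that bit is already taken by the context line `/* UNIX_NO_PASS_EXPIRY */ {"no_pass_expiry", _ALL_ON_, 02000000000, 0},` two lines above it, so `on(UNIX_NULLOK_SECURE, ctrl)` and `on(UNIX_NO_PASS_EXPIRY, ctrl)` become the same test and configuring `no_pass_expiry` would also open the securetty null-password path (and `nullok_secure` would suppress expiry checks). The rebased `UNIX__NONULL` mask `_ALL_ON_^(02000000000)` carries the same clash and now clears `no_pass_expiry` whenever the nonull default is applied. Move nullok_secure to a bit no other entry uses — presumably `04000000000`, to be confirmed against the full table, which is only partly visible here — i.e. `/* UNIX_NULLOK_SECURE */ {"nullok_secure", _ALL_ON_^(01000), 04000000000, 0},` and `/* UNIX__NONULL */ {NULL, _ALL_ON_^(04000000000), 01000, 0},`. The support.c code that tests the bit lies outside the visible hunks and should need no change if only the bit value moves.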