1 files changed, 122 insertions, 104 deletions
diff --git a/meta/recipes-extended/pam/libpam/pam-unix-nullok-secure.patch b/meta/recipes-extended/pam/libpam/pam-unix-nullok-secure.patch
index b285e96c27..423267f707 100644
--- a/meta/recipes-extended/pam/libpam/pam-unix-nullok-secure.patch
+++ b/meta/recipes-extended/pam/libpam/pam-unix-nullok-secure.patch
@@ -1,6 +1,9 @@
-Debian patch to add a new 'nullok_secure' option to pam_unix, which
+From 9bdc197474795f2d000c2bc04f58f7cef8898f21 Mon Sep 17 00:00:00 2001
-accepts users with null passwords only when the applicant is connected
+From: Amarnath Valluri <amarnath.valluri@intel.com>
-from a tty listed in /etc/securetty.
+Date: Wed, 15 Jul 2015 13:07:20 +0300
+Subject: [PATCH] Debian patch to add a new 'nullok_secure' option to pam_unix,
+ which accepts users with null passwords only when the applicant is connected
+ from a tty listed in /etc/securetty.
 Authors: Sam Hartman <hartmans@debian.org>,
         Steve Langasek <vorlon@debian.org>
@@ -8,10 +11,24 @@ Authors: Sam Hartman <hartmans@debian.org>,
 Upstream-Status: Pending
 Signed-off-by: Ming Liu <ming.liu@windriver.com>
-===================================================================
-diff -urpN a/modules/pam_unix/Makefile.am b/modules/pam_unix/Makefile.am
+v2:
--- a/modules/pam_unix/Makefile.am      2013-07-05 09:51:31.014483164 +0800
+        - Forward ported from v1.1.6 to v1.2.1
-+++ b/modules/pam_unix/Makefile.am      2013-07-05 10:26:12.884484000 +0800
+Signed-off-by: Amarnath Valluri <amarnath.valluri@intel.com>
+---
+ modules/pam_unix/Makefile.am    |  3 ++-
+ modules/pam_unix/README         | 11 ++++++++++-
+ modules/pam_unix/pam_unix.8     |  9 ++++++++-
+ modules/pam_unix/pam_unix.8.xml | 19 ++++++++++++++++++-
+ modules/pam_unix/support.c      | 40 +++++++++++++++++++++++++++++++++++-----
+ modules/pam_unix/support.h      |  8 ++++++--
+ 6 files changed, 79 insertions(+), 11 deletions(-)
+diff --git a/modules/pam_unix/Makefile.am b/modules/pam_unix/Makefile.am
+index 56ed591..9a372ac 100644
+--- a/modules/pam_unix/Makefile.am
+++ b/modules/pam_unix/Makefile.am
 @@ -30,7 +30,8 @@ if HAVE_VERSIONING
   pam_unix_la_LDFLAGS += -Wl,--version-script=$(srcdir)/../modules.map
 endif
@@ -22,10 +39,33 @@ diff -urpN a/modules/pam_unix/Makefile.am b/modules/pam_unix/Makefile.am
 
 securelib_LTLIBRARIES = pam_unix.la
 
-diff -urpN a/modules/pam_unix/pam_unix.8 b/modules/pam_unix/pam_unix.8
+diff --git a/modules/pam_unix/README b/modules/pam_unix/README
--- a/modules/pam_unix/pam_unix.8       2013-07-05 09:52:16.825108201 +0800
+index 3935dba..7880d91 100644
-+++ b/modules/pam_unix/pam_unix.8       2013-07-05 10:28:34.724483774 +0800
+--- a/modules/pam_unix/README
-@@ -220,7 +220,14 @@ A little more extreme than debug\&.
+++ b/modules/pam_unix/README
+@@ -67,7 +67,16 @@ nullok
+ 
+     The default action of this module is to not permit the user access to a
+     service if their official password is blank. The nullok argument overrides
+-    this default.
+    this default and allows any user with a blank password to access the
+    service.
+
+nullok_secure
+
+    The default action of this module is to not permit the user access to a
+    service if their official password is blank. The nullok_secure argument
+    overrides this default and allows any user with a blank password to access
+    the service as long as the value of PAM_TTY is set to one of the values
+    found in /etc/securetty.
+ 
+ try_first_pass
+ 
+diff --git a/modules/pam_unix/pam_unix.8 b/modules/pam_unix/pam_unix.8
+index 339178b..a4bd906 100644
+--- a/modules/pam_unix/pam_unix.8
+++ b/modules/pam_unix/pam_unix.8
+@@ -92,7 +92,14 @@ Turns off informational messages namely messages about session open and close vi
 .RS 4
 The default action of this module is to not permit the user access to a service if their official password is blank\&. The
 \fBnullok\fR
@@ -41,10 +81,11 @@ diff -urpN a/modules/pam_unix/pam_unix.8 b/modules/pam_unix/pam_unix.8
 .RE
 .PP
 \fBtry_first_pass\fR
-diff -urpN a/modules/pam_unix/pam_unix.8.xml b/modules/pam_unix/pam_unix.8.xml
+diff --git a/modules/pam_unix/pam_unix.8.xml b/modules/pam_unix/pam_unix.8.xml
--- a/modules/pam_unix/pam_unix.8.xml   2013-07-05 09:52:38.775108523 +0800
+index a8b64bb..1ced6f4 100644
-+++ b/modules/pam_unix/pam_unix.8.xml   2013-07-05 10:30:23.084483630 +0800
+--- a/modules/pam_unix/pam_unix.8.xml
-@@ -135,7 +135,24 @@
+++ b/modules/pam_unix/pam_unix.8.xml
+@@ -159,7 +159,24 @@
           <para>
             The default action of this module is to not permit the
             user access to a service if their official password is blank.
@@ -70,36 +111,15 @@ diff -urpN a/modules/pam_unix/pam_unix.8.xml b/modules/pam_unix/pam_unix.8.xml
           </para>
         </listitem>
       </varlistentry>
-diff -urpN a/modules/pam_unix/README b/modules/pam_unix/README
+diff --git a/modules/pam_unix/support.c b/modules/pam_unix/support.c
--- a/modules/pam_unix/README   2013-07-05 09:51:52.205107846 +0800
+index abccd82..2361957 100644
-+++ b/modules/pam_unix/README   2013-07-05 10:27:10.774484537 +0800
+--- a/modules/pam_unix/support.c
-@@ -57,7 +57,16 @@ nullok
+++ b/modules/pam_unix/support.c
- 
+@@ -189,13 +189,22 @@ int _set_ctrl(pam_handle_t *pamh, int flags, int *remember, int *rounds,
-     The default action of this module is to not permit the user access to a
-     service if their official password is blank. The nullok argument overrides
-    this default.
-+    this default and allows any user with a blank password to access the
-+    service.
-+
-+nullok_secure
-+
-+    The default action of this module is to not permit the user access to a
-+    service if their official password is blank. The nullok_secure argument
-+    overrides this default and allows any user with a blank password to access
-+    the service as long as the value of PAM_TTY is set to one of the values
-+    found in /etc/securetty.
- 
- try_first_pass
- 
-diff -urpN a/modules/pam_unix/support.c b/modules/pam_unix/support.c
--- a/modules/pam_unix/support.c        2013-07-05 09:50:49.134482523 +0800
-+++ b/modules/pam_unix/support.c        2013-07-05 09:56:26.924484267 +0800
-@@ -84,14 +84,22 @@ int _set_ctrl(pam_handle_t *pamh, int fl
        /* now parse the arguments to this module */
 
        for (; argc-- > 0; ++argv) {
-               int j;
+               int sl;
-+               int j, sl;
 
                D(("pam_unix arg: %s", *argv));
 
@@ -108,48 +128,46 @@ diff -urpN a/modules/pam_unix/support.c b/modules/pam_unix/support.c
 -                           && !strncmp(*argv, unix_args[j].token, strlen(unix_args[j].token))) {
 -                               break;
 +                       if (unix_args[j].token) {
-+                           sl = strlen(unix_args[j].token);
+                               sl = strlen(unix_args[j].token);
-+                           if (unix_args[j].token[sl-1] == '=') {
+                               if (unix_args[j].token[sl-1] == '=') {
-+                               /* exclude argument from comparison */
+                                       /* exclude argument from comparison */
-+                               if (!strncmp(*argv, unix_args[j].token, sl))
+                                       if (!strncmp(*argv, unix_args[j].token, sl))
-+                                   break;
+                                               break;
-+                           } else {
+                               } else {
 +                               /* compare full strings */
-+                               if (!strcmp(*argv, unix_args[j].token))
+                                       if (!strcmp(*argv, unix_args[j].token))
-+                                   break;
+                                               break;
-+                           }
+                               }
                        }
                }
 
-@@ -461,6 +469,7 @@ static int _unix_run_helper_binary(pam_h
+@@ -566,6 +575,7 @@ static int _unix_run_helper_binary(pam_handle_t *pamh, const char *passwd,
-     child = fork();
     if (child == 0) {
-         int i=0;
-+        int nullok = off(UNIX__NONULL, ctrl);
-         struct rlimit rlim;
        static char *envp[] = { NULL };
-        char *args[] = { NULL, NULL, NULL, NULL };
+        const char *args[] = { NULL, NULL, NULL, NULL };
-@@ -488,7 +497,18 @@ static int _unix_run_helper_binary(pam_h
+       int nullok = off(UNIX__NONULL, ctrl);
+ 
+        /* XXX - should really tidy up PAM here too */
+ 
+@@ -593,7 +603,16 @@ static int _unix_run_helper_binary(pam_handle_t *pamh, const char *passwd,
        /* exec binary helper */
-        args[0] = strdup(CHKPWD_HELPER);
+        args[0] = CHKPWD_HELPER;
-        args[1] = x_strdup(user);
+        args[1] = user;
 -       if (off(UNIX__NONULL, ctrl)) {  /* this means we've succeeded */
-+
 +       if (on(UNIX_NULLOK_SECURE, ctrl)) {
-+           const void *uttyname;
+               const void *uttyname;
-+           retval = pam_get_item(pamh, PAM_TTY, &uttyname);
+               retval = pam_get_item(pamh, PAM_TTY, &uttyname);
-+           if (retval != PAM_SUCCESS || uttyname == NULL
+               if (retval != PAM_SUCCESS || uttyname == NULL
-+               || _pammodutil_tty_secure(pamh, (const char *)uttyname) != PAM_SUCCESS)
+                       || _pammodutil_tty_secure(pamh, (const char *)uttyname) != PAM_SUCCESS) {
-+           {
+                       nullok = 0;
-+               nullok = 0;
+               }
-+           }
 +       }
 +
 +       if (nullok) {
-          args[2]=strdup("nullok");
+          args[2]="nullok";
        } else {
-          args[2]=strdup("nonull");
+          args[2]="nonull";
-@@ -567,6 +587,17 @@ _unix_blankpasswd (pam_handle_t *pamh, u
+@@ -678,6 +697,17 @@ _unix_blankpasswd (pam_handle_t *pamh, unsigned int ctrl, const char *name)
        if (on(UNIX__NONULL, ctrl))
                return 0;       /* will fail but don't let on yet */
 
@@ -167,56 +185,56 @@ diff -urpN a/modules/pam_unix/support.c b/modules/pam_unix/support.c
        /* UNIX passwords area */
 
        retval = get_pwd_hash(pamh, name, &pwd, &salt);
-@@ -653,7 +684,8 @@ int _unix_verify_password(pam_handle_t *
+@@ -764,7 +794,7 @@ int _unix_verify_password(pam_handle_t * pamh, const char *name
                        }
                }
        } else {
 -               retval = verify_pwd_hash(p, salt, off(UNIX__NONULL, ctrl));
-+               retval = verify_pwd_hash(p, salt,
+               retval = verify_pwd_hash(p, salt, _unix_blankpasswd(pamh, ctrl, name));
-+                                        _unix_blankpasswd(pamh, ctrl, name));
        }
 
        if (retval == PAM_SUCCESS) {
-diff -urpN a/modules/pam_unix/support.h b/modules/pam_unix/support.h
+diff --git a/modules/pam_unix/support.h b/modules/pam_unix/support.h
--- a/modules/pam_unix/support.h        2013-07-05 09:51:10.385107934 +0800
+index 3729ce0..43cdbea 100644
-+++ b/modules/pam_unix/support.h        2013-07-05 10:23:54.815107842 +0800
+--- a/modules/pam_unix/support.h
-@@ -90,8 +90,9 @@ typedef struct {
+++ b/modules/pam_unix/support.h
-                                           password hash algorithms */
+@@ -99,8 +99,9 @@ typedef struct {
- #define UNIX_BLOWFISH_PASS       26    /* new password hashes will use blowfish */
 #define UNIX_MIN_PASS_LEN        27    /* min length for password */
-+#define UNIX_NULLOK_SECURE       28    /* NULL passwords allowed only on secure ttys */
+ #define UNIX_QUIET              28     /* Don't print informational messages */
+ #define UNIX_DES                 29     /* DES, default */
+#define UNIX_NULLOK_SECURE       30     /* NULL passwords allowed only on secure ttys */
 /* -------------- */
-#define UNIX_CTRLS_              28    /* number of ctrl arguments defined */
+-#define UNIX_CTRLS_              30    /* number of ctrl arguments defined */
-+#define UNIX_CTRLS_              29    /* number of ctrl arguments defined */
+#define UNIX_CTRLS_              31    /* number of ctrl arguments defined */
 
 #define UNIX_DES_CRYPT(ctrl)   (off(UNIX_MD5_PASS,ctrl)&&off(UNIX_BIGCRYPT,ctrl)&&off(UNIX_SHA256_PASS,ctrl)&&off(UNIX_SHA512_PASS,ctrl)&&off(UNIX_BLOWFISH_PASS,ctrl))
 
-@@ -109,7 +110,7 @@ static const UNIX_Ctrls unix_args[UNIX_C
+@@ -118,7 +119,7 @@ static const UNIX_Ctrls unix_args[UNIX_CTRLS_] =
- /* UNIX_NOT_SET_PASS */    {"not_set_pass",    _ALL_ON_,                0100},
+ /* UNIX_NOT_SET_PASS */    {"not_set_pass",    _ALL_ON_,                0100, 0},
- /* UNIX__PRELIM */         {NULL,              _ALL_ON_^(0600),         0200},
+ /* UNIX__PRELIM */         {NULL,              _ALL_ON_^(0600),         0200, 0},
- /* UNIX__UPDATE */         {NULL,              _ALL_ON_^(0600),         0400},
+ /* UNIX__UPDATE */         {NULL,              _ALL_ON_^(0600),         0400, 0},
-/* UNIX__NONULL */         {NULL,              _ALL_ON_,               01000},
+-/* UNIX__NONULL */         {NULL,              _ALL_ON_,               01000, 0},
-+/* UNIX__NONULL */         {NULL,              _ALL_ON_^(0x10000000),  0x200},
+/* UNIX__NONULL */         {NULL,              _ALL_ON_^(0x10000000),   0200, 0},
- /* UNIX__QUIET */          {NULL,              _ALL_ON_,               02000},
+ /* UNIX__QUIET */          {NULL,              _ALL_ON_,               02000, 0},
- /* UNIX_USE_AUTHTOK */     {"use_authtok",     _ALL_ON_,               04000},
+ /* UNIX_USE_AUTHTOK */     {"use_authtok",     _ALL_ON_,               04000, 0},
- /* UNIX_SHADOW */          {"shadow",          _ALL_ON_,              010000},
+ /* UNIX_SHADOW */          {"shadow",          _ALL_ON_,              010000, 0},
-@@ -127,7 +128,8 @@ static const UNIX_Ctrls unix_args[UNIX_C
+@@ -139,6 +140,7 @@ static const UNIX_Ctrls unix_args[UNIX_CTRLS_] =
- /* UNIX_SHA512_PASS */     {"sha512",       _ALL_ON_^(0260420000), 040000000},
+ /* UNIX_MIN_PASS_LEN */    {"minlen=",         _ALL_ON_,         0400000000, 0},
- /* UNIX_ALGO_ROUNDS */     {"rounds=",         _ALL_ON_,          0100000000},
+ /* UNIX_QUIET */           {"quiet",           _ALL_ON_,         01000000000, 0},
- /* UNIX_BLOWFISH_PASS */   {"blowfish",    _ALL_ON_^(0260420000), 0200000000},
+ /* UNIX_DES */             {"des",             _ALL_ON_^(0260420000),      0, 1},
-/* UNIX_MIN_PASS_LEN */    {"minlen=",         _ALL_ON_,          0400000000},
+/* UNIX_NULLOK_SECURE */   {"nullok_secure",   _ALL_ON_^(0x200),  0x10000000, 0},
-+/* UNIX_MIN_PASS_LEN */    {"minlen=",         _ALL_ON_,          0400000000},
-+/* UNIX_NULLOK_SECURE */   {"nullok_secure",   _ALL_ON_^(0x200),  0x10000000},
 };
 
 #define UNIX_DEFAULTS  (unix_args[UNIX__NONULL].flag)
-@@ -163,6 +165,9 @@ extern int _unix_read_password(pam_handl
+@@ -171,6 +173,8 @@ extern int _unix_read_password(pam_handle_t * pamh
+                        ,const char *prompt2
                        ,const char *data_name
                        ,const void **pass);
- 
 +extern int _pammodutil_tty_secure(const pam_handle_t *pamh,
-+                                 const char *uttyname);
+         const char *uttyname);
-+
+ 
 extern int _unix_run_verify_binary(pam_handle_t *pamh,
                        unsigned int ctrl, const char *user, int *daysleft);
- #endif /* _PAM_UNIX_SUPPORT_H */
+-- 
+2.1.4

diff --git a/meta/recipes-extended/pam/libpam/pam-unix-nullok-secure.patch b/meta/recipes-extended/pam/libpam/pam-unix-nullok-secure.patch index b285e96c27..423267f707 100644 --- a/meta/recipes-extended/pam/libpam/pam-unix-nullok-secure.patch +++ b/meta/recipes-extended/pam/libpam/pam-unix-nullok-secure.patch
@@ -1,6 +1,9 @@
1	Debian patch to add a new 'nullok_secure' option to pam_unix, which	1	From 9bdc197474795f2d000c2bc04f58f7cef8898f21 Mon Sep 17 00:00:00 2001
2	accepts users with null passwords only when the applicant is connected	2	From: Amarnath Valluri <amarnath.valluri@intel.com>
3	from a tty listed in /etc/securetty.	3	Date: Wed, 15 Jul 2015 13:07:20 +0300
		4	Subject: [PATCH] Debian patch to add a new 'nullok_secure' option to pam_unix,
		5	which accepts users with null passwords only when the applicant is connected
		6	from a tty listed in /etc/securetty.
4		7
5	Authors: Sam Hartman <hartmans@debian.org>,	8	Authors: Sam Hartman <hartmans@debian.org>,
6	Steve Langasek <vorlon@debian.org>	9	Steve Langasek <vorlon@debian.org>
@@ -8,10 +11,24 @@ Authors: Sam Hartman <hartmans@debian.org>,
8	Upstream-Status: Pending	11	Upstream-Status: Pending
9		12
10	Signed-off-by: Ming Liu <ming.liu@windriver.com>	13	Signed-off-by: Ming Liu <ming.liu@windriver.com>
11	===================================================================	14
12	diff -urpN a/modules/pam_unix/Makefile.am b/modules/pam_unix/Makefile.am	15	v2:
13	--- a/modules/pam_unix/Makefile.am 2013-07-05 09:51:31.014483164 +0800	16	- Forward ported from v1.1.6 to v1.2.1
14	+++ b/modules/pam_unix/Makefile.am 2013-07-05 10:26:12.884484000 +0800	17
		18	Signed-off-by: Amarnath Valluri <amarnath.valluri@intel.com>
		19	---
		20	modules/pam_unix/Makefile.am \| 3 ++-
		21	modules/pam_unix/README \| 11 ++++++++++-
		22	modules/pam_unix/pam_unix.8 \| 9 ++++++++-
		23	modules/pam_unix/pam_unix.8.xml \| 19 ++++++++++++++++++-
		24	modules/pam_unix/support.c \| 40 +++++++++++++++++++++++++++++++++++-----
		25	modules/pam_unix/support.h \| 8 ++++++--
		26	6 files changed, 79 insertions(+), 11 deletions(-)
		27
		28	diff --git a/modules/pam_unix/Makefile.am b/modules/pam_unix/Makefile.am
		29	index 56ed591..9a372ac 100644
		30	--- a/modules/pam_unix/Makefile.am
		31	+++ b/modules/pam_unix/Makefile.am
15	@@ -30,7 +30,8 @@ if HAVE_VERSIONING	32	@@ -30,7 +30,8 @@ if HAVE_VERSIONING
16	pam_unix_la_LDFLAGS += -Wl,--version-script=$(srcdir)/../modules.map	33	pam_unix_la_LDFLAGS += -Wl,--version-script=$(srcdir)/../modules.map
17	endif	34	endif
@@ -22,10 +39,33 @@ diff -urpN a/modules/pam_unix/Makefile.am b/modules/pam_unix/Makefile.am
22		39
23	securelib_LTLIBRARIES = pam_unix.la	40	securelib_LTLIBRARIES = pam_unix.la
24		41
25	diff -urpN a/modules/pam_unix/pam_unix.8 b/modules/pam_unix/pam_unix.8	42	diff --git a/modules/pam_unix/README b/modules/pam_unix/README
26	--- a/modules/pam_unix/pam_unix.8 2013-07-05 09:52:16.825108201 +0800	43	index 3935dba..7880d91 100644
27	+++ b/modules/pam_unix/pam_unix.8 2013-07-05 10:28:34.724483774 +0800	44	--- a/modules/pam_unix/README
28	@@ -220,7 +220,14 @@ A little more extreme than debug\&.	45	+++ b/modules/pam_unix/README
		46	@@ -67,7 +67,16 @@ nullok
		47
		48	The default action of this module is to not permit the user access to a
		49	service if their official password is blank. The nullok argument overrides
		50	- this default.
		51	+ this default and allows any user with a blank password to access the
		52	+ service.
		53	+
		54	+nullok_secure
		55	+
		56	+ The default action of this module is to not permit the user access to a
		57	+ service if their official password is blank. The nullok_secure argument
		58	+ overrides this default and allows any user with a blank password to access
		59	+ the service as long as the value of PAM_TTY is set to one of the values
		60	+ found in /etc/securetty.
		61
		62	try_first_pass
		63
		64	diff --git a/modules/pam_unix/pam_unix.8 b/modules/pam_unix/pam_unix.8
		65	index 339178b..a4bd906 100644
		66	--- a/modules/pam_unix/pam_unix.8
		67	+++ b/modules/pam_unix/pam_unix.8
		68	@@ -92,7 +92,14 @@ Turns off informational messages namely messages about session open and close vi
29	.RS 4	69	.RS 4
30	The default action of this module is to not permit the user access to a service if their official password is blank\&. The	70	The default action of this module is to not permit the user access to a service if their official password is blank\&. The
31	\fBnullok\fR	71	\fBnullok\fR
@@ -41,10 +81,11 @@ diff -urpN a/modules/pam_unix/pam_unix.8 b/modules/pam_unix/pam_unix.8
41	.RE	81	.RE
42	.PP	82	.PP
43	\fBtry_first_pass\fR	83	\fBtry_first_pass\fR
44	diff -urpN a/modules/pam_unix/pam_unix.8.xml b/modules/pam_unix/pam_unix.8.xml	84	diff --git a/modules/pam_unix/pam_unix.8.xml b/modules/pam_unix/pam_unix.8.xml
45	--- a/modules/pam_unix/pam_unix.8.xml 2013-07-05 09:52:38.775108523 +0800	85	index a8b64bb..1ced6f4 100644
46	+++ b/modules/pam_unix/pam_unix.8.xml 2013-07-05 10:30:23.084483630 +0800	86	--- a/modules/pam_unix/pam_unix.8.xml
47	@@ -135,7 +135,24 @@	87	+++ b/modules/pam_unix/pam_unix.8.xml
		88	@@ -159,7 +159,24 @@
48	<para>	89	<para>
49	The default action of this module is to not permit the	90	The default action of this module is to not permit the
50	user access to a service if their official password is blank.	91	user access to a service if their official password is blank.
@@ -70,36 +111,15 @@ diff -urpN a/modules/pam_unix/pam_unix.8.xml b/modules/pam_unix/pam_unix.8.xml
70	</para>	111	</para>
71	</listitem>	112	</listitem>
72	</varlistentry>	113	</varlistentry>
73	diff -urpN a/modules/pam_unix/README b/modules/pam_unix/README	114	diff --git a/modules/pam_unix/support.c b/modules/pam_unix/support.c
74	--- a/modules/pam_unix/README 2013-07-05 09:51:52.205107846 +0800	115	index abccd82..2361957 100644
75	+++ b/modules/pam_unix/README 2013-07-05 10:27:10.774484537 +0800	116	--- a/modules/pam_unix/support.c
76	@@ -57,7 +57,16 @@ nullok	117	+++ b/modules/pam_unix/support.c
77		118	@@ -189,13 +189,22 @@ int _set_ctrl(pam_handle_t pamh, int flags, int remember, int *rounds,
78	The default action of this module is to not permit the user access to a
79	service if their official password is blank. The nullok argument overrides
80	- this default.
81	+ this default and allows any user with a blank password to access the
82	+ service.
83	+
84	+nullok_secure
85	+
86	+ The default action of this module is to not permit the user access to a
87	+ service if their official password is blank. The nullok_secure argument
88	+ overrides this default and allows any user with a blank password to access
89	+ the service as long as the value of PAM_TTY is set to one of the values
90	+ found in /etc/securetty.
91
92	try_first_pass
93
94	diff -urpN a/modules/pam_unix/support.c b/modules/pam_unix/support.c
95	--- a/modules/pam_unix/support.c 2013-07-05 09:50:49.134482523 +0800
96	+++ b/modules/pam_unix/support.c 2013-07-05 09:56:26.924484267 +0800
97	@@ -84,14 +84,22 @@ int _set_ctrl(pam_handle_t *pamh, int fl
98	/* now parse the arguments to this module */	119	/* now parse the arguments to this module */
99		120
100	for (; argc-- > 0; ++argv) {	121	for (; argc-- > 0; ++argv) {
101	- int j;	122	+ int sl;
102	+ int j, sl;
103		123
104	D(("pam_unix arg: %s", *argv));	124	D(("pam_unix arg: %s", *argv));
105		125
@@ -108,48 +128,46 @@ diff -urpN a/modules/pam_unix/support.c b/modules/pam_unix/support.c
108	- && !strncmp(*argv, unix_args[j].token, strlen(unix_args[j].token))) {	128	- && !strncmp(*argv, unix_args[j].token, strlen(unix_args[j].token))) {
109	- break;	129	- break;
110	+ if (unix_args[j].token) {	130	+ if (unix_args[j].token) {
111	+ sl = strlen(unix_args[j].token);	131	+ sl = strlen(unix_args[j].token);
112	+ if (unix_args[j].token[sl-1] == '=') {	132	+ if (unix_args[j].token[sl-1] == '=') {
113	+ /* exclude argument from comparison */	133	+ /* exclude argument from comparison */
114	+ if (!strncmp(*argv, unix_args[j].token, sl))	134	+ if (!strncmp(*argv, unix_args[j].token, sl))
115	+ break;	135	+ break;
116	+ } else {	136	+ } else {
117	+ /* compare full strings */	137	+ /* compare full strings */
118	+ if (!strcmp(*argv, unix_args[j].token))	138	+ if (!strcmp(*argv, unix_args[j].token))
119	+ break;	139	+ break;
120	+ }	140	+ }
121	}	141	}
122	}	142	}
123		143
124	@@ -461,6 +469,7 @@ static int _unix_run_helper_binary(pam_h	144	@@ -566,6 +575,7 @@ static int _unix_run_helper_binary(pam_handle_t pamh, const char passwd,
125	child = fork();
126	if (child == 0) {	145	if (child == 0) {
127	int i=0;
128	+ int nullok = off(UNIX__NONULL, ctrl);
129	struct rlimit rlim;
130	static char *envp[] = { NULL };	146	static char *envp[] = { NULL };
131	char *args[] = { NULL, NULL, NULL, NULL };	147	const char *args[] = { NULL, NULL, NULL, NULL };
132	@@ -488,7 +497,18 @@ static int _unix_run_helper_binary(pam_h	148	+ int nullok = off(UNIX__NONULL, ctrl);
		149
		150	/* XXX - should really tidy up PAM here too */
		151
		152	@@ -593,7 +603,16 @@ static int _unix_run_helper_binary(pam_handle_t pamh, const char passwd,
133	/* exec binary helper */	153	/* exec binary helper */
134	args[0] = strdup(CHKPWD_HELPER);	154	args[0] = CHKPWD_HELPER;
135	args[1] = x_strdup(user);	155	args[1] = user;
136	- if (off(UNIX__NONULL, ctrl)) { /* this means we've succeeded */	156	- if (off(UNIX__NONULL, ctrl)) { /* this means we've succeeded */
137	+
138	+ if (on(UNIX_NULLOK_SECURE, ctrl)) {	157	+ if (on(UNIX_NULLOK_SECURE, ctrl)) {
139	+ const void *uttyname;	158	+ const void *uttyname;
140	+ retval = pam_get_item(pamh, PAM_TTY, &uttyname);	159	+ retval = pam_get_item(pamh, PAM_TTY, &uttyname);
141	+ if (retval != PAM_SUCCESS \|\| uttyname == NULL	160	+ if (retval != PAM_SUCCESS \|\| uttyname == NULL
142	+ \|\| _pammodutil_tty_secure(pamh, (const char *)uttyname) != PAM_SUCCESS)	161	+ \|\| _pammodutil_tty_secure(pamh, (const char *)uttyname) != PAM_SUCCESS) {
143	+ {	162	+ nullok = 0;
144	+ nullok = 0;	163	+ }
145	+ }
146	+ }	164	+ }
147	+	165	+
148	+ if (nullok) {	166	+ if (nullok) {
149	args[2]=strdup("nullok");	167	args[2]="nullok";
150	} else {	168	} else {
151	args[2]=strdup("nonull");	169	args[2]="nonull";
152	@@ -567,6 +587,17 @@ _unix_blankpasswd (pam_handle_t *pamh, u	170	@@ -678,6 +697,17 @@ _unix_blankpasswd (pam_handle_t pamh, unsigned int ctrl, const char name)
153	if (on(UNIX__NONULL, ctrl))	171	if (on(UNIX__NONULL, ctrl))
154	return 0; /* will fail but don't let on yet */	172	return 0; /* will fail but don't let on yet */
155		173
@@ -167,56 +185,56 @@ diff -urpN a/modules/pam_unix/support.c b/modules/pam_unix/support.c
167	/* UNIX passwords area */	185	/* UNIX passwords area */
168		186
169	retval = get_pwd_hash(pamh, name, &pwd, &salt);	187	retval = get_pwd_hash(pamh, name, &pwd, &salt);
170	@@ -653,7 +684,8 @@ int _unix_verify_password(pam_handle_t *	188	@@ -764,7 +794,7 @@ int _unix_verify_password(pam_handle_t * pamh, const char *name
171	}	189	}
172	}	190	}
173	} else {	191	} else {
174	- retval = verify_pwd_hash(p, salt, off(UNIX__NONULL, ctrl));	192	- retval = verify_pwd_hash(p, salt, off(UNIX__NONULL, ctrl));
175	+ retval = verify_pwd_hash(p, salt,	193	+ retval = verify_pwd_hash(p, salt, _unix_blankpasswd(pamh, ctrl, name));
176	+ _unix_blankpasswd(pamh, ctrl, name));
177	}	194	}
178		195
179	if (retval == PAM_SUCCESS) {	196	if (retval == PAM_SUCCESS) {
180	diff -urpN a/modules/pam_unix/support.h b/modules/pam_unix/support.h	197	diff --git a/modules/pam_unix/support.h b/modules/pam_unix/support.h
181	--- a/modules/pam_unix/support.h 2013-07-05 09:51:10.385107934 +0800	198	index 3729ce0..43cdbea 100644
182	+++ b/modules/pam_unix/support.h 2013-07-05 10:23:54.815107842 +0800	199	--- a/modules/pam_unix/support.h
183	@@ -90,8 +90,9 @@ typedef struct {	200	+++ b/modules/pam_unix/support.h
184	password hash algorithms */	201	@@ -99,8 +99,9 @@ typedef struct {
185	#define UNIX_BLOWFISH_PASS 26 /* new password hashes will use blowfish */
186	#define UNIX_MIN_PASS_LEN 27 /* min length for password */	202	#define UNIX_MIN_PASS_LEN 27 /* min length for password */
187	+#define UNIX_NULLOK_SECURE 28 /* NULL passwords allowed only on secure ttys */	203	#define UNIX_QUIET 28 /* Don't print informational messages */
		204	#define UNIX_DES 29 /* DES, default */
		205	+#define UNIX_NULLOK_SECURE 30 /* NULL passwords allowed only on secure ttys */
188	/* -------------- */	206	/* -------------- */
189	-#define UNIX_CTRLS_ 28 /* number of ctrl arguments defined */	207	-#define UNIX_CTRLS_ 30 /* number of ctrl arguments defined */
190	+#define UNIX_CTRLS_ 29 /* number of ctrl arguments defined */	208	+#define UNIX_CTRLS_ 31 /* number of ctrl arguments defined */
191		209
192	#define UNIX_DES_CRYPT(ctrl) (off(UNIX_MD5_PASS,ctrl)&&off(UNIX_BIGCRYPT,ctrl)&&off(UNIX_SHA256_PASS,ctrl)&&off(UNIX_SHA512_PASS,ctrl)&&off(UNIX_BLOWFISH_PASS,ctrl))	210	#define UNIX_DES_CRYPT(ctrl) (off(UNIX_MD5_PASS,ctrl)&&off(UNIX_BIGCRYPT,ctrl)&&off(UNIX_SHA256_PASS,ctrl)&&off(UNIX_SHA512_PASS,ctrl)&&off(UNIX_BLOWFISH_PASS,ctrl))
193		211
194	@@ -109,7 +110,7 @@ static const UNIX_Ctrls unix_args[UNIX_C	212	@@ -118,7 +119,7 @@ static const UNIX_Ctrls unix_args[UNIX_CTRLS_] =
195	/* UNIX_NOT_SET_PASS */ {"not_set_pass", _ALL_ON_, 0100},	213	/* UNIX_NOT_SET_PASS */ {"not_set_pass", _ALL_ON_, 0100, 0},
196	/* UNIX__PRELIM */ {NULL, _ALL_ON_^(0600), 0200},	214	/* UNIX__PRELIM */ {NULL, _ALL_ON_^(0600), 0200, 0},
197	/* UNIX__UPDATE */ {NULL, _ALL_ON_^(0600), 0400},	215	/* UNIX__UPDATE */ {NULL, _ALL_ON_^(0600), 0400, 0},
198	-/* UNIX__NONULL */ {NULL, _ALL_ON_, 01000},	216	-/* UNIX__NONULL */ {NULL, _ALL_ON_, 01000, 0},
199	+/* UNIX__NONULL */ {NULL, _ALL_ON_^(0x10000000), 0x200},	217	+/* UNIX__NONULL */ {NULL, _ALL_ON_^(0x10000000), 0200, 0},
200	/* UNIX__QUIET */ {NULL, _ALL_ON_, 02000},	218	/* UNIX__QUIET */ {NULL, _ALL_ON_, 02000, 0},
201	/* UNIX_USE_AUTHTOK */ {"use_authtok", _ALL_ON_, 04000},	219	/* UNIX_USE_AUTHTOK */ {"use_authtok", _ALL_ON_, 04000, 0},
202	/* UNIX_SHADOW */ {"shadow", _ALL_ON_, 010000},	220	/* UNIX_SHADOW */ {"shadow", _ALL_ON_, 010000, 0},
203	@@ -127,7 +128,8 @@ static const UNIX_Ctrls unix_args[UNIX_C	221	@@ -139,6 +140,7 @@ static const UNIX_Ctrls unix_args[UNIX_CTRLS_] =
204	/* UNIX_SHA512_PASS */ {"sha512", _ALL_ON_^(0260420000), 040000000},	222	/* UNIX_MIN_PASS_LEN */ {"minlen=", _ALL_ON_, 0400000000, 0},
205	/* UNIX_ALGO_ROUNDS */ {"rounds=", _ALL_ON_, 0100000000},	223	/* UNIX_QUIET */ {"quiet", _ALL_ON_, 01000000000, 0},
206	/* UNIX_BLOWFISH_PASS */ {"blowfish", _ALL_ON_^(0260420000), 0200000000},	224	/* UNIX_DES */ {"des", _ALL_ON_^(0260420000), 0, 1},
207	-/* UNIX_MIN_PASS_LEN */ {"minlen=", _ALL_ON_, 0400000000},	225	+/* UNIX_NULLOK_SECURE */ {"nullok_secure", _ALL_ON_^(0x200), 0x10000000, 0},
208	+/* UNIX_MIN_PASS_LEN */ {"minlen=", _ALL_ON_, 0400000000},
209	+/* UNIX_NULLOK_SECURE */ {"nullok_secure", _ALL_ON_^(0x200), 0x10000000},
210	};	226	};
211		227
212	#define UNIX_DEFAULTS (unix_args[UNIX__NONULL].flag)	228	#define UNIX_DEFAULTS (unix_args[UNIX__NONULL].flag)
213	@@ -163,6 +165,9 @@ extern int _unix_read_password(pam_handl	229	@@ -171,6 +173,8 @@ extern int _unix_read_password(pam_handle_t * pamh
		230	,const char *prompt2
214	,const char *data_name	231	,const char *data_name
215	,const void **pass);	232	,const void **pass);
216
217	+extern int _pammodutil_tty_secure(const pam_handle_t *pamh,	233	+extern int _pammodutil_tty_secure(const pam_handle_t *pamh,
218	+ const char *uttyname);	234	+ const char *uttyname);
219	+	235
220	extern int _unix_run_verify_binary(pam_handle_t *pamh,	236	extern int _unix_run_verify_binary(pam_handle_t *pamh,
221	unsigned int ctrl, const char user, int daysleft);	237	unsigned int ctrl, const char user, int daysleft);
222	#endif /* _PAM_UNIX_SUPPORT_H */	238	--
		239	2.1.4
		240