Diffstat (limited to 'meta/recipes-extended/pam')
-rw-r--r-- | meta/recipes-extended/pam/libpam/0001-modules-pam_namespace-Makefile.am-correctly-install-.patch | 28 | ||||
-rw-r--r-- | meta/recipes-extended/pam/libpam/crypt_configure.patch | 40 | ||||
-rw-r--r-- | meta/recipes-extended/pam/libpam/pam-security-abstract-securetty-handling.patch | 203 | ||||
-rw-r--r-- | meta/recipes-extended/pam/libpam/pam-unix-nullok-secure.patch | 195 | ||||
-rw-r--r-- | meta/recipes-extended/pam/libpam_1.5.1.bb (renamed from meta/recipes-extended/pam/libpam_1.3.1.bb) | 17 |
5 files changed, 35 insertions, 448 deletions
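--- /dev/null
+++ b/meta/recipes-extended/pam/libpam/0001-modules-pam_namespace-Makefile.am-correctly-install-.patch
@@ -0,0 +1,28 @@
+From e2db4082f6b988f1d5803028e9e47aee5f3519ac Mon Sep 17 00:00:00 2001
+From: Alexander Kanavin <alex.kanavin@gmail.com>
+Date: Sun, 27 Dec 2020 00:30:45 +0100
+Subject: [PATCH] modules/pam_namespace/Makefile.am: correctly install systemd
+unit file
+
+Upstream-Status: Pending
+Signed-off-by: Alexander Kanavin <alex.kanavin@gmail.com>
+---
+modules/pam_namespace/Makefile.am | 2 +-
+1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/modules/pam_namespace/Makefile.am b/modules/pam_namespace/Makefile.am
+index 21e1b33..ddd5fc0 100644
+--- a/modules/pam_namespace/Makefile.am
++++ b/modules/pam_namespace/Makefile.am
+@@ -18,7 +18,7 @@ TESTS = $(dist_check_SCRIPTS)
+securelibdir = $(SECUREDIR)
+secureconfdir = $(SCONFIGDIR)
+namespaceddir = $(SCONFIGDIR)/namespace.d
+-servicedir = $(prefix)/lib/systemd/system
++servicedir = /lib/systemd/system
+
+AM_CFLAGS = -I$(top_srcdir)/libpam/include -I$(top_srcdir)/libpamc/include \
+-DSECURECONF_DIR=\"$(SCONFIGDIR)/\" $(WARN_CFLAGS)
+--
+2.24.0
+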
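Review bot: The new patch pins `servicedir = /lib/systemd/system` (the `-servicedir`/`+servicedir` pair in the nested Makefile.am hunk) while the recipe packages the unit under `${systemd_system_unitdir}`, so the install path and the packaged path only agree by convention; on a distro that resolves that variable elsewhere (a usrmerge layout, for instance) the unit would land outside the packaged directory and most likely be reported as installed-but-not-shipped. It would be more robust to keep the directory configurable and let the recipe supply it, e.g. leave the Makefile variable overridable and pass `servicedir=${systemd_system_unitdir}` via EXTRA_OEMAKE, or wire it through configure with `PKG_CHECK_VAR` so the upstream default is only replaced when the distro asks for it. Independently of that, a hard-coded absolute path is not something upstream is likely to take, so `Upstream-Status: Pending` understates the situation; `Upstream-Status: Inappropriate [OE-specific]` (or a sentence on what the upstreamable variant would look like) describes the patch more honestly.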
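--- a/meta/recipes-extended/pam/libpam/crypt_configure.patch
+++ /dev/null
@@ -1,40 +0,0 @@
-From b86575ab4a0df07da160283459da270e1c0372a0 Mon Sep 17 00:00:00 2001
-From: "Maxin B. John" <maxin.john@intel.com>
-Date: Tue, 24 May 2016 14:11:09 +0300
-Subject: [PATCH] crypt_configure
-
-This patch fixes a case where it find crypt defined in libc (musl) but
-not in specified libraries then it ends up assigning
-LIBCRYPT="-l" which then goes into makefile cause all sort of problems
-e.g.
-
-ld: cannot find -l-m32
-| collect2: error: ld returned 1 exit status
-The reason is that -l appears on commandline with
-out any library and compiler treats the next argument as library name
-whatever it is.
-
-Upstream-Status: Pending
-
-Signed-off-by: Khem Raj <raj.khem@gmail.com>
-Signed-off-by: Maxin B. John <maxin.john@intel.com>
----
-configure.ac | 2 +-
-1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/configure.ac b/configure.ac
-index df39d07..e68d856 100644
---- a/configure.ac
-+++ b/configure.ac
-@@ -401,7 +401,7 @@ AS_IF([test "x$ac_cv_header_xcrypt_h" = "xyes"],
-[crypt_libs="crypt"])
-
-BACKUP_LIBS=$LIBS
--AC_SEARCH_LIBS([crypt],[$crypt_libs], LIBCRYPT="${ac_lib:+-l$ac_lib}", LIBCRYPT="")
-+AC_SEARCH_LIBS([crypt],[$crypt_libs], [test "$ac_cv_search_crypt" = "none required" || LIBCRYPT="$ac_cv_search_crypt"])
-AC_CHECK_FUNCS(crypt_r crypt_gensalt_r)
-LIBS=$BACKUP_LIBS
-AC_SUBST(LIBCRYPT)
---
-2.4.0
-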
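--- a/meta/recipes-extended/pam/libpam/pam-security-abstract-securetty-handling.patch
+++ /dev/null
@@ -1,203 +0,0 @@
-Description: extract the securetty logic for use with the "nullok_secure" option
-introduced in the "055_pam_unix_nullok_secure" patch.
-
-Upstream-Status: Pending
-
-Signed-off-by: Ming Liu <ming.liu@windriver.com>
-===================================================================
-Index: Linux-PAM-1.3.0/modules/pam_securetty/Makefile.am
-===================================================================
---- Linux-PAM-1.3.0.orig/modules/pam_securetty/Makefile.am
-+++ Linux-PAM-1.3.0/modules/pam_securetty/Makefile.am
-@@ -24,6 +24,10 @@ endif
-securelib_LTLIBRARIES = pam_securetty.la
-pam_securetty_la_LIBADD = $(top_builddir)/libpam/libpam.la
-
-+pam_securetty_la_SOURCES = \
-+ pam_securetty.c \
-+ tty_secure.c
-+
-if ENABLE_REGENERATE_MAN
-noinst_DATA = README
-README: pam_securetty.8.xml
-Index: Linux-PAM-1.3.0/modules/pam_securetty/pam_securetty.c
-===================================================================
---- Linux-PAM-1.3.0.orig/modules/pam_securetty/pam_securetty.c
-+++ Linux-PAM-1.3.0/modules/pam_securetty/pam_securetty.c
-@@ -1,7 +1,5 @@
-/* pam_securetty module */
-
--#define SECURETTY_FILE "/etc/securetty"
--#define TTY_PREFIX "/dev/"
-#define CMDLINE_FILE "/proc/cmdline"
-#define CONSOLEACTIVE_FILE "/sys/class/tty/console/active"
-
-@@ -40,6 +38,9 @@
-#include <security/pam_modutil.h>
-#include <security/pam_ext.h>
-
-+extern int _pammodutil_tty_secure(const pam_handle_t *pamh,
-+ const char *uttyname);
-+
-#define PAM_DEBUG_ARG 0x0001
-#define PAM_NOCONSOLE_ARG 0x0002
-
-@@ -73,11 +74,7 @@ securetty_perform_check (pam_handle_t *p
-const char *username;
-const char *uttyname;
-const void *void_uttyname;
-- char ttyfileline[256];
-- char ptname[256];
-- struct stat ttyfileinfo;
-struct passwd *user_pwd;
-- FILE *ttyfile;
-
-/* log a trail for debugging */
-if (ctrl & PAM_DEBUG_ARG) {
-@@ -105,50 +102,7 @@ securetty_perform_check (pam_handle_t *p
-return PAM_SERVICE_ERR;
-}
-
-- /* The PAM_TTY item may be prefixed with "/dev/" - skip that */
-- if (strncmp(TTY_PREFIX, uttyname, sizeof(TTY_PREFIX)-1) == 0) {
-- uttyname += sizeof(TTY_PREFIX)-1;
-- }
--
-- if (stat(SECURETTY_FILE, &ttyfileinfo)) {
-- pam_syslog(pamh, LOG_NOTICE, "Couldn't open %s: %m", SECURETTY_FILE);
-- return PAM_SUCCESS; /* for compatibility with old securetty handling,
-- this needs to succeed. But we still log the
-- error. */
-- }
--
-- if ((ttyfileinfo.st_mode & S_IWOTH) || !S_ISREG(ttyfileinfo.st_mode)) {
-- /* If the file is world writable or is not a
-- normal file, return error */
-- pam_syslog(pamh, LOG_ERR,
-- "%s is either world writable or not a normal file",
-- SECURETTY_FILE);
-- return PAM_AUTH_ERR;
-- }
--
-- ttyfile = fopen(SECURETTY_FILE,"r");
-- if (ttyfile == NULL) { /* Check that we opened it successfully */
-- pam_syslog(pamh, LOG_ERR, "Error opening %s: %m", SECURETTY_FILE);
-- return PAM_SERVICE_ERR;
-- }
--
-- if (isdigit(uttyname[0])) {
-- snprintf(ptname, sizeof(ptname), "pts/%s", uttyname);
-- } else {
-- ptname[0] = '\0';
-- }
--
-- retval = 1;
--
-- while ((fgets(ttyfileline, sizeof(ttyfileline)-1, ttyfile) != NULL)
-- && retval) {
-- if (ttyfileline[strlen(ttyfileline) - 1] == '\n')
-- ttyfileline[strlen(ttyfileline) - 1] = '\0';
--
-- retval = ( strcmp(ttyfileline, uttyname)
-- && (!ptname[0] || strcmp(ptname, uttyname)) );
-- }
-- fclose(ttyfile);
-+ retval = _pammodutil_tty_secure(pamh, uttyname);
-
-if (retval && !(ctrl & PAM_NOCONSOLE_ARG)) {
-FILE *cmdlinefile;
-Index: Linux-PAM-1.3.0/modules/pam_securetty/tty_secure.c
-===================================================================
---- /dev/null
-+++ Linux-PAM-1.3.0/modules/pam_securetty/tty_secure.c
-@@ -0,0 +1,90 @@
-+/*
-+ * A function to determine if a particular line is in /etc/securetty
-+ */
-+
-+
-+#define SECURETTY_FILE "/etc/securetty"
-+#define TTY_PREFIX "/dev/"
-+
-+/* This function taken out of pam_securetty by Sam Hartman
-+ * <hartmans@debian.org>*/
-+/*
-+ * by Elliot Lee <sopwith@redhat.com>, Red Hat Software.
-+ * July 25, 1996.
-+ * Slight modifications AGM. 1996/12/3
-+ */
-+
-+#include <unistd.h>
-+#include <sys/types.h>
-+#include <sys/stat.h>
-+#include <security/pam_modules.h>
-+#include <stdarg.h>
-+#include <syslog.h>
-+#include <sys/syslog.h>
-+#include <stdio.h>
-+#include <string.h>
-+#include <stdlib.h>
-+#include <ctype.h>
-+#include <security/pam_modutil.h>
-+#include <security/pam_ext.h>
-+
-+extern int _pammodutil_tty_secure(const pam_handle_t *pamh,
-+ const char *uttyname);
-+
-+int _pammodutil_tty_secure(const pam_handle_t *pamh, const char *uttyname)
-+{
-+ int retval = PAM_AUTH_ERR;
-+ char ttyfileline[256];
-+ char ptname[256];
-+ struct stat ttyfileinfo;
-+ FILE *ttyfile;
-+ /* The PAM_TTY item may be prefixed with "/dev/" - skip that */
-+ if (strncmp(TTY_PREFIX, uttyname, sizeof(TTY_PREFIX)-1) == 0)
-+ uttyname += sizeof(TTY_PREFIX)-1;
-+
-+ if (stat(SECURETTY_FILE, &ttyfileinfo)) {
-+ pam_syslog(pamh, LOG_NOTICE, "Couldn't open %s: %m",
-+ SECURETTY_FILE);
-+ return PAM_SUCCESS; /* for compatibility with old securetty handling,
-+ this needs to succeed. But we still log the
-+ error. */
-+ }
-+
-+ if ((ttyfileinfo.st_mode & S_IWOTH) || !S_ISREG(ttyfileinfo.st_mode)) {
-+ /* If the file is world writable or is not a
-+ normal file, return error */
-+ pam_syslog(pamh, LOG_ERR,
-+ "%s is either world writable or not a normal file",
-+ SECURETTY_FILE);
-+ return PAM_AUTH_ERR;
-+ }
-+
-+ ttyfile = fopen(SECURETTY_FILE,"r");
-+ if(ttyfile == NULL) { /* Check that we opened it successfully */
-+ pam_syslog(pamh, LOG_ERR, "Error opening %s: %m", SECURETTY_FILE);
-+ return PAM_SERVICE_ERR;
-+ }
-+
-+ if (isdigit(uttyname[0])) {
-+ snprintf(ptname, sizeof(ptname), "pts/%s", uttyname);
-+ } else {
-+ ptname[0] = '\0';
-+ }
-+
-+ retval = 1;
-+
-+ while ((fgets(ttyfileline,sizeof(ttyfileline)-1, ttyfile) != NULL)
-+ && retval) {
-+ if(ttyfileline[strlen(ttyfileline) - 1] == '\n')
-+ ttyfileline[strlen(ttyfileline) - 1] = '\0';
-+ retval = ( strcmp(ttyfileline,uttyname)
-+ && (!ptname[0] || strcmp(ptname, uttyname)) );
-+ }
-+ fclose(ttyfile);
-+
-+ if(retval) {
-+ retval = PAM_AUTH_ERR;
-+ }
-+
-+ return retval;
-+}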
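--- a/meta/recipes-extended/pam/libpam/pam-unix-nullok-secure.patch
+++ /dev/null
@@ -1,195 +0,0 @@
-From b6545b83f94c5fb7aec1478b8d458a1393f479c8 Mon Sep 17 00:00:00 2001
-From: "Maxin B. John" <maxin.john@intel.com>
-Date: Wed, 25 May 2016 14:12:25 +0300
-Subject: [PATCH] pam_unix: support 'nullok_secure' option
-
-Debian patch to add a new 'nullok_secure' option to pam_unix,
-which accepts users with null passwords only when the applicant is
-connected from a tty listed in /etc/securetty.
-
-Authors: Sam Hartman <hartmans@debian.org>,
-Steve Langasek <vorlon@debian.org>
-
-Upstream-Status: Pending
-
-Signed-off-by: Ming Liu <ming.liu@windriver.com>
-Signed-off-by: Amarnath Valluri <amarnath.valluri@intel.com>
-Signed-off-by: Maxin B. John <maxin.john@intel.com>
----
-modules/pam_unix/Makefile.am | 3 ++-
-modules/pam_unix/pam_unix.8.xml | 19 ++++++++++++++++++-
-modules/pam_unix/support.c | 40 +++++++++++++++++++++++++++++++++++-----
-modules/pam_unix/support.h | 8 ++++++--
-4 files changed, 61 insertions(+), 9 deletions(-)
-
-diff --git a/modules/pam_unix/Makefile.am b/modules/pam_unix/Makefile.am
-index 56df178..2bba460 100644
---- a/modules/pam_unix/Makefile.am
-+++ b/modules/pam_unix/Makefile.am
-@@ -30,7 +30,8 @@ if HAVE_VERSIONING
-pam_unix_la_LDFLAGS += -Wl,--version-script=$(srcdir)/../modules.map
-endif
-pam_unix_la_LIBADD = $(top_builddir)/libpam/libpam.la \
-- @LIBCRYPT@ @LIBSELINUX@ @TIRPC_LIBS@ @NSL_LIBS@
-+ @LIBCRYPT@ @LIBSELINUX@ @TIRPC_LIBS@ @NSL_LIBS@ \
-+ ../pam_securetty/tty_secure.lo
-
-securelib_LTLIBRARIES = pam_unix.la
-
-diff --git a/modules/pam_unix/pam_unix.8.xml b/modules/pam_unix/pam_unix.8.xml
-index 1b318f1..be0330e 100644
---- a/modules/pam_unix/pam_unix.8.xml
-+++ b/modules/pam_unix/pam_unix.8.xml
-@@ -159,7 +159,24 @@
-<para>
-The default action of this module is to not permit the
-user access to a service if their official password is blank.
-- The <option>nullok</option> argument overrides this default.
-+ The <option>nullok</option> argument overrides this default
-+ and allows any user with a blank password to access the
-+ service.
-+ </para>
-+ </listitem>
-+ </varlistentry>
-+ <varlistentry>
-+ <term>
-+ <option>nullok_secure</option>
-+ </term>
-+ <listitem>
-+ <para>
-+ The default action of this module is to not permit the
-+ user access to a service if their official password is blank.
-+ The <option>nullok_secure</option> argument overrides this
-+ default and allows any user with a blank password to access
-+ the service as long as the value of PAM_TTY is set to one of
-+ the values found in /etc/securetty.
-</para>
-</listitem>
-</varlistentry>
-diff --git a/modules/pam_unix/support.c b/modules/pam_unix/support.c
-index fc8595e..29e3341 100644
---- a/modules/pam_unix/support.c
-+++ b/modules/pam_unix/support.c
-@@ -183,13 +183,22 @@ int _set_ctrl(pam_handle_t *pamh, int flags, int *remember, int *rounds,
-/* now parse the arguments to this module */
-
-for (; argc-- > 0; ++argv) {
-+ int sl;
-
-D(("pam_unix arg: %s", *argv));
-
-for (j = 0; j < UNIX_CTRLS_; ++j) {
-- if (unix_args[j].token
-- && !strncmp(*argv, unix_args[j].token, strlen(unix_args[j].token))) {
-- break;
-+ if (unix_args[j].token) {
-+ sl = strlen(unix_args[j].token);
-+ if (unix_args[j].token[sl-1] == '=') {
-+ /* exclude argument from comparison */
-+ if (!strncmp(*argv, unix_args[j].token, sl))
-+ break;
-+ } else {
-+ /* compare full strings */
-+ if (!strcmp(*argv, unix_args[j].token))
-+ break;
-+ }
-}
-}
-
-@@ -560,6 +569,7 @@ static int _unix_run_helper_binary(pam_handle_t *pamh, const char *passwd,
-if (child == 0) {
-static char *envp[] = { NULL };
-const char *args[] = { NULL, NULL, NULL, NULL };
-+ int nullok = off(UNIX__NONULL, ctrl);
-
-/* XXX - should really tidy up PAM here too */
-
-@@ -587,7 +597,16 @@ static int _unix_run_helper_binary(pam_handle_t *pamh, const char *passwd,
-/* exec binary helper */
-args[0] = CHKPWD_HELPER;
-args[1] = user;
-- if (off(UNIX__NONULL, ctrl)) { /* this means we've succeeded */
-+ if (on(UNIX_NULLOK_SECURE, ctrl)) {
-+ const void *uttyname;
-+ retval = pam_get_item(pamh, PAM_TTY, &uttyname);
-+ if (retval != PAM_SUCCESS || uttyname == NULL
-+ || _pammodutil_tty_secure(pamh, (const char *)uttyname) != PAM_SUCCESS) {
-+ nullok = 0;
-+ }
-+ }
-+
-+ if (nullok) {
-args[2]="nullok";
-} else {
-args[2]="nonull";
-@@ -672,6 +691,17 @@ _unix_blankpasswd (pam_handle_t *pamh, unsigned int ctrl, const char *name)
-if (on(UNIX__NONULL, ctrl))
-return 0; /* will fail but don't let on yet */
-
-+ if (on(UNIX_NULLOK_SECURE, ctrl)) {
-+ int retval2;
-+ const void *uttyname;
-+ retval2 = pam_get_item(pamh, PAM_TTY, &uttyname);
-+ if (retval2 != PAM_SUCCESS || uttyname == NULL)
-+ return 0;
-+
-+ if (_pammodutil_tty_secure(pamh, (const char *)uttyname) != PAM_SUCCESS)
-+ return 0;
-+ }
-+
-/* UNIX passwords area */
-
-retval = get_pwd_hash(pamh, name, &pwd, &salt);
-@@ -758,7 +788,7 @@ int _unix_verify_password(pam_handle_t * pamh, const char *name
-}
-}
-} else {
-- retval = verify_pwd_hash(p, salt, off(UNIX__NONULL, ctrl));
-+ retval = verify_pwd_hash(p, salt, _unix_blankpasswd(pamh, ctrl, name));
-}
-
-if (retval == PAM_SUCCESS) {
-diff --git a/modules/pam_unix/support.h b/modules/pam_unix/support.h
-index b4c279c..8da4a8e 100644
---- a/modules/pam_unix/support.h
-+++ b/modules/pam_unix/support.h
-@@ -98,8 +98,9 @@ typedef struct {
-#define UNIX_QUIET 28 /* Don't print informational messages */
-#define UNIX_NO_PASS_EXPIRY 29 /* Don't check for password expiration if not used for authentication */
-#define UNIX_DES 30 /* DES, default */
-+#define UNIX_NULLOK_SECURE 31 /* NULL passwords allowed only on secure ttys */
-/* -------------- */
--#define UNIX_CTRLS_ 31 /* number of ctrl arguments defined */
-+#define UNIX_CTRLS_ 32 /* number of ctrl arguments defined */
-
-#define UNIX_DES_CRYPT(ctrl) (off(UNIX_MD5_PASS,ctrl)&&off(UNIX_BIGCRYPT,ctrl)&&off(UNIX_SHA256_PASS,ctrl)&&off(UNIX_SHA512_PASS,ctrl)&&off(UNIX_BLOWFISH_PASS,ctrl))
-
-@@ -117,7 +118,7 @@ static const UNIX_Ctrls unix_args[UNIX_CTRLS_] =
-/* UNIX_AUTHTOK_TYPE */ {"authtok_type=", _ALL_ON_, 0100, 0},
-/* UNIX__PRELIM */ {NULL, _ALL_ON_^(0600), 0200, 0},
-/* UNIX__UPDATE */ {NULL, _ALL_ON_^(0600), 0400, 0},
--/* UNIX__NONULL */ {NULL, _ALL_ON_, 01000, 0},
-+/* UNIX__NONULL */ {NULL, _ALL_ON_^(02000000000), 01000, 0},
-/* UNIX__QUIET */ {NULL, _ALL_ON_, 02000, 0},
-/* UNIX_USE_AUTHTOK */ {"use_authtok", _ALL_ON_, 04000, 0},
-/* UNIX_SHADOW */ {"shadow", _ALL_ON_, 010000, 0},
-@@ -139,6 +140,7 @@ static const UNIX_Ctrls unix_args[UNIX_CTRLS_] =
-/* UNIX_QUIET */ {"quiet", _ALL_ON_, 01000000000, 0},
-/* UNIX_NO_PASS_EXPIRY */ {"no_pass_expiry", _ALL_ON_, 02000000000, 0},
-/* UNIX_DES */ {"des", _ALL_ON_^(0260420000), 0, 1},
-+/* UNIX_NULLOK_SECURE */ {"nullok_secure", _ALL_ON_^(01000), 02000000000, 0},
-};
-
-#define UNIX_DEFAULTS (unix_args[UNIX__NONULL].flag)
-@@ -172,6 +174,8 @@ extern int _unix_read_password(pam_handle_t * pamh
-,const char *data_name
-,const void **pass);
-
-+extern int _pammodutil_tty_secure(const pam_handle_t *pamh, const char *uttyname);
-+
-extern int _unix_run_verify_binary(pam_handle_t *pamh,
-unsigned int ctrl, const char *user, int *daysleft);
-#endif /* _PAM_UNIX_SUPPORT_H */
---
-2.4.0
-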
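--- a/meta/recipes-extended/pam/libpam_1.3.1.bb
+++ b/meta/recipes-extended/pam/libpam_1.5.1.bb
@@ -21,13 +21,10 @@ SRC_URI = "https://github.com/linux-pam/linux-pam/releases/download/v${PV}/Linux
 file://pam.d/common-session-noninteractive \
 file://pam.d/other \
 file://libpam-xtests.patch \
-file://pam-security-abstract-securetty-handling.patch \
-file://pam-unix-nullok-secure.patch \
-file://crypt_configure.patch \
-"
+file://0001-modules-pam_namespace-Makefile.am-correctly-install-.patch \
+"
 
-SRC_URI[md5sum] = "558ff53b0fc0563ca97f79e911822165"
-SRC_URI[sha256sum] = "eff47a4ecd833fbf18de9686632a70ee8d0794b79aecb217ebd0ce11db4cd0db"
+SRC_URI[sha256sum] = "201d40730b1135b1b3cdea09f2c28ac634d73181ccd0172ceddee3649c5792fc"
 
 SRC_URI_append_libc-musl = " file://0001-Add-support-for-defining-missing-funcitonality.patch \
 file://include_paths_header.patch \
@@ -39,13 +36,14 @@ EXTRA_OECONF = "--includedir=${includedir}/security \
 --libdir=${base_libdir} \
 --disable-nis \
 --disable-regenerate-docu \
+--disable-doc \
 --disable-prelude"
 
 CFLAGS_append = " -fPIC "
 
 S = "${WORKDIR}/Linux-PAM-${PV}"
 
-inherit autotools gettext pkgconfig
+inherit autotools gettext pkgconfig systemd
 
 PACKAGECONFIG ??= ""
 PACKAGECONFIG[audit] = "--enable-audit,--disable-audit,audit,"
@@ -54,7 +52,7 @@ PACKAGECONFIG[userdb] = "--enable-db=db,--enable-db=no,db,"
 PACKAGES += "${PN}-runtime ${PN}-xtests"
 FILES_${PN} = "${base_libdir}/lib*${SOLIBS}"
 FILES_${PN}-dev += "${base_libdir}/security/*.la ${base_libdir}/*.la ${base_libdir}/lib*${SOLIBSDEV}"
-FILES_${PN}-runtime = "${sysconfdir}"
+FILES_${PN}-runtime = "${sysconfdir} ${sbindir} ${systemd_system_unitdir}"
 FILES_${PN}-xtests = "${datadir}/Linux-PAM/xtests"
 
 PACKAGES_DYNAMIC += "^${MLPREFIX}pam-plugin-.*"
@@ -77,11 +75,10 @@ RDEPENDS_${PN}-runtime = "${PN}-${libpam_suffix} \
 RDEPENDS_${PN}-xtests = "${PN}-${libpam_suffix} \
 ${MLPREFIX}pam-plugin-access-${libpam_suffix} \
 ${MLPREFIX}pam-plugin-debug-${libpam_suffix} \
-${MLPREFIX}pam-plugin-cracklib-${libpam_suffix} \
 ${MLPREFIX}pam-plugin-pwhistory-${libpam_suffix} \
 ${MLPREFIX}pam-plugin-succeed-if-${libpam_suffix} \
 ${MLPREFIX}pam-plugin-time-${libpam_suffix} \
-coreutils"
+bash coreutils"
 
 # FIXME: Native suffix breaks here, disable it for now
 RRECOMMENDS_${PN} = "${PN}-runtime-${libpam_suffix}"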
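Review bot: Dropping `file://pam-unix-nullok-secure.patch` and `file://pam-security-abstract-securetty-handling.patch` from SRC_URI (first hunk) removes the `nullok_secure` option from pam_unix, yet none of the recipe's shipped `file://pam.d/*` fragments is part of this commit (the diffstat lists only the five files above). If any of those fragments still hands `nullok_secure` to pam_unix.so, 1.5.1 will, as far as I recall its option parser, log it as an unrecognized option and carry on without it, so blank-password logins that depended on the secure-tty exception start failing with nothing pointing at the cause. Worth grepping the pam.d files for `nullok_secure` and either moving them to plain `nullok` where that matches the intended policy or stating in the commit message that the behaviour is being dropped on purpose.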