Diffstat (limited to 'meta/recipes-extended/pam')
19 files changed, 1327 insertions, 0 deletions
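--- /dev/null
+++ b/meta/recipes-extended/pam/libpam/99_pam
@@ -0,0 +1 @@
+d root root 0755 /var/run/sepermit none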
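--- /dev/null
+++ b/meta/recipes-extended/pam/libpam/add-checks-for-crypt-returning-NULL.patch
@@ -0,0 +1,63 @@
+Backport from linux-pam git repo.
+
+[YOCTO #4107]
+
+Upstream-Status: Backport
+
+Signed-off-by: Kang Kai <kai.kang@windriver.com>
+
+From 8dc056c1c8bc7acb66c4decc49add2c3a24e6310 Mon Sep 17 00:00:00 2001
+From: Tomas Mraz <tmraz@fedoraproject.org>
+Date: Fri, 8 Feb 2013 15:04:26 +0100
+Subject: [PATCH] Add checks for crypt() returning NULL.
+
+modules/pam_pwhistory/opasswd.c (compare_password): Add check for crypt() NULL return.
+modules/pam_unix/bigcrypt.c (bigcrypt): Likewise.
+---
+modules/pam_pwhistory/opasswd.c | 2 +-
+modules/pam_unix/bigcrypt.c | 9 +++++++++
+2 files changed, 10 insertions(+), 1 deletions(-)
+
+diff --git a/modules/pam_pwhistory/opasswd.c b/modules/pam_pwhistory/opasswd.c
+index 274fdb9..836d713 100644
+--- a/modules/pam_pwhistory/opasswd.c
++++ b/modules/pam_pwhistory/opasswd.c
+@@ -108,7 +108,7 @@ compare_password(const char *newpass, const char *oldpass)
+outval = crypt (newpass, oldpass);
+#endif
+
+- return strcmp(outval, oldpass) == 0;
++ return outval != NULL && strcmp(outval, oldpass) == 0;
+}
+
+/* Check, if the new password is already in the opasswd file. */
+diff --git a/modules/pam_unix/bigcrypt.c b/modules/pam_unix/bigcrypt.c
+index e10d1c5..e1d57a0 100644
+--- a/modules/pam_unix/bigcrypt.c
++++ b/modules/pam_unix/bigcrypt.c
+@@ -109,6 +109,10 @@ char *bigcrypt(const char *key, const char *salt)
+#else
+tmp_ptr = crypt(plaintext_ptr, salt); /* libc crypt() */
+#endif
++ if (tmp_ptr == NULL) {
++ free(dec_c2_cryptbuf);
++ return NULL;
++ }
+/* and place in the static area */
+strncpy(cipher_ptr, tmp_ptr, 13);
+cipher_ptr += ESEGMENT_SIZE + SALT_SIZE;
+@@ -130,6 +134,11 @@ char *bigcrypt(const char *key, const char *salt)
+#else
+tmp_ptr = crypt(plaintext_ptr, salt_ptr);
+#endif
++ if (tmp_ptr == NULL) {
++ _pam_overwrite(dec_c2_cryptbuf);
++ free(dec_c2_cryptbuf);
++ return NULL;
++ }
+
+/* skip the salt for seg!=0 */
+strncpy(cipher_ptr, (tmp_ptr + SALT_SIZE), ESEGMENT_SIZE);
+--
+1.7.5.4
+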
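Review bot: The two early returns added to bigcrypt() treat the output buffer differently: the first (patch lines 42-45) frees dec_c2_cryptbuf as is, the second (53-57) scrubs it with _pam_overwrite() first. From the quoted context the first site apparently runs before anything has been copied into the buffer, so the asymmetry looks harmless today, but it invites a copy-paste slip later; using the same `_pam_overwrite(dec_c2_cryptbuf); free(dec_c2_cryptbuf); return NULL;` sequence at both sites costs nothing. If bigcrypt() also keeps a padded copy of the key in a local array that the normal exit path scrubs (the tail of the function is outside the quoted hunks), both early returns skip that scrub as well — worth confirming in the full function. The opasswd.c change is fine as it stands.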
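--- /dev/null
+++ b/meta/recipes-extended/pam/libpam/destdirfix.patch
@@ -0,0 +1,24 @@
+Avoid the failure:
+
+| mkdir -p /etc/security/namespace.d
+| mkdir: cannot create directory `/etc/security/namespace.d': Permission denied
+
+if /etc/security/namespace.d doesn't exist. The DESTDIR prefix is missing.
+
+RP 2012/8/19
+
+Upstream-Status: Pending
+
+Index: Linux-PAM-1.1.6/modules/pam_namespace/Makefile.am
+===================================================================
+--- Linux-PAM-1.1.6.orig/modules/pam_namespace/Makefile.am 2012-08-15 11:08:43.000000000 +0000
++++ Linux-PAM-1.1.6/modules/pam_namespace/Makefile.am 2012-08-19 12:25:32.311038943 +0000
+@@ -40,7 +40,7 @@
+secureconf_SCRIPTS = namespace.init
+
+install-data-local:
+- mkdir -p $(namespaceddir)
++ mkdir -p $(DESTDIR)$(namespaceddir)
+endif
+
+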
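--- /dev/null
+++ b/meta/recipes-extended/pam/libpam/fixsepbuild.patch
@@ -0,0 +1,24 @@
+Fix the build error when a separate build directory is used:
+
+Making install in xtestsmake[1]: Entering directory `/media/build1/poky/build1/tmp/work/i586-poky-linux/libpam/1.1.6-r2/build/xtests'/usr/bin/install -c -d /media/build1/poky/build1/tmp/work/i586-poky-linux/libpam/1.1.6-r2/image/usr/share/Linux-PAM/xtestsfor file in run-xtests.sh tst-pam_dispatch1.pamd tst-pam_dispatch2.pamd tst-pam_dispatch3.pamd tst-pam_dispatch4.pamd tst-pam_dispatch5.pamd tst-pam_cracklib1.pamd tst-pam_cracklib2.pamd tst-pam_unix1.pamd tst-pam_unix2.pamd tst-pam_unix3.pamd tst-pam_unix4.pamd tst-pam_unix1.sh tst-pam_unix2.sh tst-pam_unix3.sh tst-pam_unix4.sh access.conf tst-pam_access1.pamd tst-pam_access1.sh tst-pam_access2.pamd tst-pam_access2.sh tst-pam_access3.pamd tst-pam_access3.sh tst-pam_access4.pamd tst-pam_access4.sh limits.conf tst-pam_limits1.pamd tst-pam_limits1.sh tst-pam_succeed_if1.pamd tst-pam_succeed_if1.sh group.conf tst-pam_group1.pamd tst-pam_group1.sh tst-pam_authfail.pamd tst-pam_authsucceed.pamd tst-pam_substack1.pamd tst-pam_substack1a.pamd tst-pam_substack1.sh tst-pam_substack2.pamd tst-pam_substack2a.pamd tst-pam_substack2.sh tst-pam_substack3.pamd tst-pam_substack3a.pamd tst-pam_substack3.sh tst-pam_substack4.pamd tst-pam_substack4a.pamd tst-pam_substack4.sh tst-pam_substack5.pamd tst-pam_substack5a.pamd tst-pam_substack5.sh tst-pam_assemble_line1.pamd tst-pam_assemble_line1.sh tst-pam_pwhistory1.pamd tst-pam_pwhistory1.sh tst-pam_time1.pamd time.conf ; do \/usr/bin/install -c $file /media/build1/poky/build1/tmp/work/i586-poky-linux/libpam/1.1.6-r2/image/usr/share/Linux-PAM/xtests ; \ done
+/usr/bin/install: cannot stat `run-xtests.sh': No such file or directory
+/usr/bin/install: cannot stat `tst-pam_dispatch1.pamd': No such file or directory
+/usr/bin/install: cannot stat `tst-pam_dispatch2.pamd': No such file or directory
+
+Upstream-Status: Pending
+
+RP 2013/03/21
+
+Index: Linux-PAM-1.1.6/xtests/Makefile.am
+===================================================================
+--- Linux-PAM-1.1.6.orig/xtests/Makefile.am 2013-03-08 12:26:30.360266000 +0000
++++ Linux-PAM-1.1.6/xtests/Makefile.am 2013-03-21 11:39:58.557166650 +0000
+@@ -59,7 +59,7 @@
+install_xtests:
+$(INSTALL) -d $(DESTDIR)$(pkgdatadir)/xtests
+for file in $(EXTRA_DIST) ; do \
+- $(INSTALL) $$file $(DESTDIR)$(pkgdatadir)/xtests ; \
++ $(INSTALL) $(srcdir)/$$file $(DESTDIR)$(pkgdatadir)/xtests ; \
+done
+for file in $(XTESTS); do \
+$(INSTALL) .libs/$$file $(DESTDIR)$(pkgdatadir)/xtests ; \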
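--- /dev/null
+++ b/meta/recipes-extended/pam/libpam/libpam-fix-for-CVE-2010-4708.patch
@@ -0,0 +1,41 @@
+Upstream-Status: Backport
+
+Fix for CVE-2010-4708
+
+Change default for user_readenv to 0 and document the
+new default for user_readenv.
+
+This fix is got from:
+http://pam.cvs.sourceforge.net/viewvc/pam/Linux-PAM/modules/pam_env
+/pam_env.c?r1=1.22&r2=1.23&view=patch
+http://pam.cvs.sourceforge.net/viewvc/pam/Linux-PAM/modules/pam_env
+/pam_env.8.xml?r1=1.7&r2=1.8&view=patch
+
+Signed-off-by: Wenzong Fan <wenzong.fan@windriver.com>
+
+---
+--- a/modules/pam_env/pam_env.c 2012-09-05 13:57:47.000000000 +0800
++++ b/modules/pam_env/pam_env.c 2012-09-05 13:58:05.000000000 +0800
+@@ -10,7 +10,7 @@
+#define DEFAULT_READ_ENVFILE 1
+
+#define DEFAULT_USER_ENVFILE ".pam_environment"
+-#define DEFAULT_USER_READ_ENVFILE 1
++#define DEFAULT_USER_READ_ENVFILE 0
+
+#include "config.h"
+
+--- a/modules/pam_env/pam_env.8.xml 2012-09-05 13:58:24.000000000 +0800
++++ b/modules/pam_env/pam_env.8.xml 2012-09-05 13:59:36.000000000 +0800
+@@ -147,7 +147,10 @@
+<listitem>
+<para>
+Turns on or off the reading of the user specific environment
+- file. 0 is off, 1 is on. By default this option is on.
++ file. 0 is off, 1 is on. By default this option is off as user
++ supplied environment variables in the PAM environment could affect
++ behavior of subsequent modules in the stack without the consent
++ of the system administrator.
+</para>
+</listitem>
+</varlistentry>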
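Review bot: The patch flips the default in pam_env.c and edits the DocBook source pam_env.8.xml, but not a pre-generated pam_env.8 man page, which is what gets installed when man regeneration is off (elsewhere in this commit the pam_securetty Makefile.am guards regeneration with `if ENABLE_REGENERATE_MAN`, and the pam-unix-nullok-secure patch edits pam_unix.8 directly, so prebuilt pages appear to be shipped). If the tarball carries a prebuilt pam_env.8, the installed manual will keep telling administrators that user_readenv is on by default after this security fix; either add the same "By default this option is off ..." paragraph to `modules/pam_env/pam_env.8` or confirm that the recipe regenerates the pages. The patch header cites the CVE and the CVS viewvc URLs but no upstream revision identifier beyond the r1/r2 query strings, so noting the upstream commit in the header would make a later rebase easier to verify.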
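--- /dev/null
+++ b/meta/recipes-extended/pam/libpam/libpam-xtests-remove-bash-dependency.patch
@@ -0,0 +1,226 @@
+From 555407ff6e2f742df64ae93859f14a0fc1397829 Mon Sep 17 00:00:00 2001
+From: Wenzong Fan <wenzong.fan@windriver.com>
+Date: Fri, 12 Sep 2014 05:35:05 -0400
+Subject: [PATCH] libpam/xtests: remove bash dependency
+
+There's not bash specific syntax in the xtest scripts:
+
+# after below patches applied:
+$ cd Linux-PAM-1.1.6/xtests
+$ checkbashisms *.sh
+No output
+
+Just remove the runtime dependency to bash.
+
+Upstream-Status: Pending
+
+Signed-off-by: Wenzong Fan <wenzong.fan@windriver.com>
+---
+xtests/run-xtests.sh | 2 +-
+xtests/tst-pam_access1.sh | 2 +-
+xtests/tst-pam_access2.sh | 2 +-
+xtests/tst-pam_access3.sh | 2 +-
+xtests/tst-pam_access4.sh | 2 +-
+xtests/tst-pam_assemble_line1.sh | 2 +-
+xtests/tst-pam_group1.sh | 2 +-
+xtests/tst-pam_limits1.sh | 2 +-
+xtests/tst-pam_pwhistory1.sh | 2 +-
+xtests/tst-pam_substack1.sh | 2 +-
+xtests/tst-pam_substack2.sh | 2 +-
+xtests/tst-pam_substack3.sh | 2 +-
+xtests/tst-pam_substack4.sh | 2 +-
+xtests/tst-pam_substack5.sh | 2 +-
+xtests/tst-pam_succeed_if1.sh | 2 +-
+xtests/tst-pam_unix1.sh | 2 +-
+xtests/tst-pam_unix2.sh | 2 +-
+xtests/tst-pam_unix3.sh | 2 +-
+xtests/tst-pam_unix4.sh | 2 +-
+19 files changed, 19 insertions(+), 19 deletions(-)
+
+diff --git a/xtests/run-xtests.sh b/xtests/run-xtests.sh
+index 3a89057..1cf8684 100755
+--- a/xtests/run-xtests.sh
++++ b/xtests/run-xtests.sh
+@@ -1,4 +1,4 @@
+-#!/bin/bash
++#!/bin/sh
+
+SRCDIR=$1
+shift 1
+diff --git a/xtests/tst-pam_access1.sh b/xtests/tst-pam_access1.sh
+index 180d256..70521d2 100755
+--- a/xtests/tst-pam_access1.sh
++++ b/xtests/tst-pam_access1.sh
+@@ -1,4 +1,4 @@
+-#!/bin/bash
++#!/bin/sh
+
+/usr/sbin/groupadd tstpamaccess
+/usr/sbin/useradd -G tstpamaccess -p '!!' tstpamaccess1
+diff --git a/xtests/tst-pam_access2.sh b/xtests/tst-pam_access2.sh
+index 0a30275..7e3e60f 100755
+--- a/xtests/tst-pam_access2.sh
++++ b/xtests/tst-pam_access2.sh
+@@ -1,4 +1,4 @@
+-#!/bin/bash
++#!/bin/sh
+
+/usr/sbin/groupadd tstpamaccess
+/usr/sbin/useradd -p '!!' tstpamaccess2
+diff --git a/xtests/tst-pam_access3.sh b/xtests/tst-pam_access3.sh
+index 348e0c3..3630e2e 100755
+--- a/xtests/tst-pam_access3.sh
++++ b/xtests/tst-pam_access3.sh
+@@ -1,4 +1,4 @@
+-#!/bin/bash
++#!/bin/sh
+
+/usr/sbin/useradd -p '!!' tstpamaccess3
+./tst-pam_access3
+diff --git a/xtests/tst-pam_access4.sh b/xtests/tst-pam_access4.sh
+index 61e7b44..4538df4 100755
+--- a/xtests/tst-pam_access4.sh
++++ b/xtests/tst-pam_access4.sh
+@@ -1,4 +1,4 @@
+-#!/bin/bash
++#!/bin/sh
+
+/usr/sbin/useradd -p '!!' tstpamaccess4
+./tst-pam_access4
+diff --git a/xtests/tst-pam_assemble_line1.sh b/xtests/tst-pam_assemble_line1.sh
+index 248d47e..dc2a675 100755
+--- a/xtests/tst-pam_assemble_line1.sh
++++ b/xtests/tst-pam_assemble_line1.sh
+@@ -1,3 +1,3 @@
+-#!/bin/bash
++#!/bin/sh
+
+exec ./tst-pam_authfail tst-pam_assemble_line1
+diff --git a/xtests/tst-pam_group1.sh b/xtests/tst-pam_group1.sh
+index b76377f..44faca9 100755
+--- a/xtests/tst-pam_group1.sh
++++ b/xtests/tst-pam_group1.sh
+@@ -1,4 +1,4 @@
+-#!/bin/bash
++#!/bin/sh
+
+/usr/sbin/groupadd tstpamgrpg
+/usr/sbin/useradd -p '!!' tstpamgrp
+diff --git a/xtests/tst-pam_limits1.sh b/xtests/tst-pam_limits1.sh
+index 4faa822..32c021d 100755
+--- a/xtests/tst-pam_limits1.sh
++++ b/xtests/tst-pam_limits1.sh
+@@ -1,4 +1,4 @@
+-#!/bin/bash
++#!/bin/sh
+
+/usr/sbin/useradd -p '!!' tstpamlimits
+./tst-pam_limits1
+diff --git a/xtests/tst-pam_pwhistory1.sh b/xtests/tst-pam_pwhistory1.sh
+index ddb3b8b..0f212e2 100644
+--- a/xtests/tst-pam_pwhistory1.sh
++++ b/xtests/tst-pam_pwhistory1.sh
+@@ -1,4 +1,4 @@
+-#!/bin/bash
++#!/bin/sh
+
+/usr/sbin/useradd tstpampwhistory
+./tst-pam_pwhistory1
+diff --git a/xtests/tst-pam_substack1.sh b/xtests/tst-pam_substack1.sh
+index 5260175..f1b72a7 100755
+--- a/xtests/tst-pam_substack1.sh
++++ b/xtests/tst-pam_substack1.sh
+@@ -1,3 +1,3 @@
+-#!/bin/bash
++#!/bin/sh
+
+exec ./tst-pam_authfail tst-pam_substack1
+diff --git a/xtests/tst-pam_substack2.sh b/xtests/tst-pam_substack2.sh
+index c02f597..3804fa7 100755
+--- a/xtests/tst-pam_substack2.sh
++++ b/xtests/tst-pam_substack2.sh
+@@ -1,3 +1,3 @@
+-#!/bin/bash
++#!/bin/sh
+
+exec ./tst-pam_authsucceed tst-pam_substack2
+diff --git a/xtests/tst-pam_substack3.sh b/xtests/tst-pam_substack3.sh
+index 0e572aa..aa48e8e 100755
+--- a/xtests/tst-pam_substack3.sh
++++ b/xtests/tst-pam_substack3.sh
+@@ -1,3 +1,3 @@
+-#!/bin/bash
++#!/bin/sh
+
+exec ./tst-pam_authsucceed tst-pam_substack3
+diff --git a/xtests/tst-pam_substack4.sh b/xtests/tst-pam_substack4.sh
+index a3ef08a..958a07a 100755
+--- a/xtests/tst-pam_substack4.sh
++++ b/xtests/tst-pam_substack4.sh
+@@ -1,3 +1,3 @@
+-#!/bin/bash
++#!/bin/sh
+
+exec ./tst-pam_authsucceed tst-pam_substack4
+diff --git a/xtests/tst-pam_substack5.sh b/xtests/tst-pam_substack5.sh
+index e2714fd..7e0da74 100755
+--- a/xtests/tst-pam_substack5.sh
++++ b/xtests/tst-pam_substack5.sh
+@@ -1,3 +1,3 @@
+-#!/bin/bash
++#!/bin/sh
+
+exec ./tst-pam_authfail tst-pam_substack5
+diff --git a/xtests/tst-pam_succeed_if1.sh b/xtests/tst-pam_succeed_if1.sh
+index a643b2e..58e57b4 100755
+--- a/xtests/tst-pam_succeed_if1.sh
++++ b/xtests/tst-pam_succeed_if1.sh
+@@ -1,4 +1,4 @@
+-#!/bin/bash
++#!/bin/sh
+
+/usr/sbin/useradd -p '!!' tstpamtest
+/usr/sbin/useradd -p '!!' pamtest
+diff --git a/xtests/tst-pam_unix1.sh b/xtests/tst-pam_unix1.sh
+index f75bd84..72deac0 100755
+--- a/xtests/tst-pam_unix1.sh
++++ b/xtests/tst-pam_unix1.sh
+@@ -1,4 +1,4 @@
+-#!/bin/bash
++#!/bin/sh
+
+/usr/sbin/useradd -p '!!' tstpamunix
+./tst-pam_unix1
+diff --git a/xtests/tst-pam_unix2.sh b/xtests/tst-pam_unix2.sh
+index 7093155..c04d6e6 100755
+--- a/xtests/tst-pam_unix2.sh
++++ b/xtests/tst-pam_unix2.sh
+@@ -1,4 +1,4 @@
+-#!/bin/bash
++#!/bin/sh
+
+# pamunix0 = 0aXKZztA.d1KY
+/usr/sbin/useradd -p 0aXKZztA.d1KY tstpamunix
+diff --git a/xtests/tst-pam_unix3.sh b/xtests/tst-pam_unix3.sh
+index ef4a07c..b52db2b 100755
+--- a/xtests/tst-pam_unix3.sh
++++ b/xtests/tst-pam_unix3.sh
+@@ -1,4 +1,4 @@
+-#!/bin/bash
++#!/bin/sh
+
+# pamunix01 = 0aXKZztA.d1KYIuFXArmd2jU
+/usr/sbin/useradd -p 0aXKZztA.d1KYIuFXArmd2jU tstpamunix
+diff --git a/xtests/tst-pam_unix4.sh b/xtests/tst-pam_unix4.sh
+index 787c2f9..e7976fd 100755
+--- a/xtests/tst-pam_unix4.sh
++++ b/xtests/tst-pam_unix4.sh
+@@ -1,4 +1,4 @@
+-#!/bin/bash
++#!/bin/sh
+
+# pamunix01 = 0aXKZztA.d1KYIuFXArmd2jU
+/usr/sbin/useradd -p 0aXKZztA.d1KYIuFXArmd2jU tstpamunix
+--
+1.7.9.5
+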
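--- /dev/null
+++ b/meta/recipes-extended/pam/libpam/libpam-xtests.patch
@@ -0,0 +1,35 @@
+This patch is used to create a new sub package libpam-xtests to do more checks.
+
+Upstream-Status: Pending
+
+Signed-off-by: Kang Kai <kai.kang@windriver.com>
+--- Linux-PAM-1.1.4/xtests/Makefile.am.orig 2011-07-19 17:00:09.619980001 +0800
++++ Linux-PAM-1.1.4/xtests/Makefile.am 2011-07-19 16:54:00.229979998 +0800
+@@ -7,7 +7,7 @@
+AM_LDFLAGS = -L$(top_builddir)/libpam -lpam \
+-L$(top_builddir)/libpam_misc -lpam_misc
+
+-CLEANFILES = *~ $(XTESTS)
++CLEANFILES = *~
+
+EXTRA_DIST = run-xtests.sh tst-pam_dispatch1.pamd tst-pam_dispatch2.pamd \
+tst-pam_dispatch3.pamd tst-pam_dispatch4.pamd \
+@@ -51,3 +51,18 @@
+
+xtests: $(XTESTS) run-xtests.sh
+"$(srcdir)"/run-xtests.sh "$(srcdir)" ${XTESTS} ${NOSRCTESTS}
++
++all: $(XTESTS)
++
++install: install_xtests
++
++install_xtests:
++ $(INSTALL) -d $(DESTDIR)$(pkgdatadir)/xtests
++ for file in $(EXTRA_DIST) ; do \
++ $(INSTALL) $$file $(DESTDIR)$(pkgdatadir)/xtests ; \
++ done
++ for file in $(XTESTS); do \
++ $(INSTALL) .libs/$$file $(DESTDIR)$(pkgdatadir)/xtests ; \
++ done
++
++.PHONY: all install_xtests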
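Review bot: The added `all: $(XTESTS)` and `install: install_xtests` rules (patch lines 22-24) redefine targets that automake generates for this directory itself, so automake warns about the override and the generated install sequence for xtests (including any install hooks) is replaced rather than extended; the conventional hooks are `all-local: $(XTESTS)` and `install-data-local: install_xtests`. `.PHONY: all install_xtests` also omits `install`, so a stray file named install in the build directory would satisfy the rule silently. Dropping `$(XTESTS)` from CLEANFILES (lines 12-13) leaves the built test binaries behind on `make clean`; if that is deliberate so they survive until the install step, a sentence in the patch header saying so would save the next reader the guess. The missing `$(srcdir)/` in the EXTRA_DIST install loop is already corrected by fixsepbuild.patch in this commit.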
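--- /dev/null
+++ b/meta/recipes-extended/pam/libpam/pam-no-innetgr.patch
@@ -0,0 +1,97 @@
+innetgr may not be there so make sure that when innetgr is not present
+then we inform about it and not use it.
+
+-Khem
+
+Upstream-Status: Pending
+
+Signed-off-by: Scott Garman <scott.a.garman@intel.com>
+
+Index: Linux-PAM-1.1.3/modules/pam_group/pam_group.c
+===================================================================
+--- Linux-PAM-1.1.3.orig/modules/pam_group/pam_group.c
++++ Linux-PAM-1.1.3/modules/pam_group/pam_group.c
+@@ -659,7 +659,11 @@ static int check_account(pam_handle_t *p
+}
+/* If buffer starts with @, we are using netgroups */
+if (buffer[0] == '@')
+- good &= innetgr (&buffer[1], NULL, user, NULL);
++#ifdef HAVE_INNETGR
++ good &= innetgr (&buffer[1], NULL, user, NULL);
++#else
++ pam_syslog (pamh, LOG_ERR, "pam_group does not have netgroup support");
++#endif
+/* otherwise, if the buffer starts with %, it's a UNIX group */
+else if (buffer[0] == '%')
+good &= pam_modutil_user_in_group_nam_nam(pamh, user, &buffer[1]);
+Index: Linux-PAM-1.1.3/modules/pam_time/pam_time.c
+===================================================================
+--- Linux-PAM-1.1.3.orig/modules/pam_time/pam_time.c
++++ Linux-PAM-1.1.3/modules/pam_time/pam_time.c
+@@ -555,9 +555,13 @@ check_account(pam_handle_t *pamh, const
+}
+/* If buffer starts with @, we are using netgroups */
+if (buffer[0] == '@')
+- good &= innetgr (&buffer[1], NULL, user, NULL);
++#ifdef HAVE_INNETGR
++ good &= innetgr (&buffer[1], NULL, user, NULL);
++#else
++ pam_syslog (pamh, LOG_ERR, "pam_time does not have netgroup support");
++#endif
+else
+- good &= logic_field(pamh, user, buffer, count, is_same);
++ good &= logic_field(pamh, user, buffer, count, is_same);
+D(("with user: %s", good ? "passes":"fails" ));
+
+/* here we get the time field */
+Index: Linux-PAM-1.1.3/modules/pam_succeed_if/pam_succeed_if.c
+===================================================================
+--- Linux-PAM-1.1.3.orig/modules/pam_succeed_if/pam_succeed_if.c
++++ Linux-PAM-1.1.3/modules/pam_succeed_if/pam_succeed_if.c
+@@ -231,18 +231,27 @@ evaluate_notingroup(pam_handle_t *pamh,
+}
+/* Return PAM_SUCCESS if the (host,user) is in the netgroup. */
+static int
+-evaluate_innetgr(const char *host, const char *user, const char *group)
++evaluate_innetgr(const pam_handle_t* pamh, const char *host, const char *user, const char *group)
+{
++#ifdef HAVE_INNETGR
+if (innetgr(group, host, user, NULL) == 1)
+return PAM_SUCCESS;
++#else
++ pam_syslog (pamh, LOG_ERR, "pam_succeed_if does not have netgroup support");
++#endif
++
+return PAM_AUTH_ERR;
+}
+/* Return PAM_SUCCESS if the (host,user) is NOT in the netgroup. */
+static int
+-evaluate_notinnetgr(const char *host, const char *user, const char *group)
++evaluate_notinnetgr(const pam_handle_t* pamh, const char *host, const char *user, const char *group)
+{
++#ifdef HAVE_INNETGR
+if (innetgr(group, host, user, NULL) == 0)
+return PAM_SUCCESS;
++#else
++ pam_syslog (pamh, LOG_ERR, "pam_succeed_if does not have netgroup support");
++#endif
+return PAM_AUTH_ERR;
+}
+
+@@ -361,14 +370,14 @@ evaluate(pam_handle_t *pamh, int debug,
+const void *rhost;
+if (pam_get_item(pamh, PAM_RHOST, &rhost) != PAM_SUCCESS)
+rhost = NULL;
+- return evaluate_innetgr(rhost, user, right);
++ return evaluate_innetgr(pamh, rhost, user, right);
+}
+/* (Rhost, user) is not in this group. */
+if (strcasecmp(qual, "notinnetgr") == 0) {
+const void *rhost;
+if (pam_get_item(pamh, PAM_RHOST, &rhost) != PAM_SUCCESS)
+rhost = NULL;
+- return evaluate_notinnetgr(rhost, user, right);
++ return evaluate_notinnetgr(pamh, rhost, user, right);
+}
+/* Fail closed. */
+return PAM_SERVICE_ERR;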
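Review bot: In the pam_group.c and pam_time.c hunks (patch lines 19-23 and 36-40) the `#else` branch only logs and leaves `good` untouched, so on a libc without innetgr() a rule written for `@netgroup` no longer narrows the match at all — the opposite of what the same patch does for pam_succeed_if, whose stubs return PAM_AUTH_ERR. What that means in practice depends on how `good` is initialised above the hunk (outside the quoted context), but for pam_group it looks like a netgroup-scoped group grant would apply to every user, which is a silent privilege widening rather than the "inform about it and not use it" the header promises. Make the stubs fail closed as well: `pam_syslog (pamh, LOG_ERR, "pam_group does not have netgroup support"); good = 0;` (and likewise in pam_time), with braces around the two statements since the brace-less `if (buffer[0] == '@')` is immediately followed by `else`/`else if`. Wrapping the alternative bodies of a brace-less `if` in `#ifdef`/`#else` is fragile for exactly this reason; an explicit block makes the preprocessor variants obviously equivalent in shape.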
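--- /dev/null
+++ b/meta/recipes-extended/pam/libpam/pam-security-abstract-securetty-handling.patch
@@ -0,0 +1,200 @@
+Description: extract the securetty logic for use with the "nullok_secure" option
+introduced in the "055_pam_unix_nullok_secure" patch.
+
+Upstream-Status: Pending
+
+Signed-off-by: Ming Liu <ming.liu@windriver.com>
+===================================================================
+diff -urpN a/modules/pam_securetty/Makefile.am b/modules/pam_securetty/Makefile.am
+--- a/modules/pam_securetty/Makefile.am 2013-07-05 11:08:23.224483237 +0800
++++ b/modules/pam_securetty/Makefile.am 2013-07-05 11:15:21.304486456 +0800
+@@ -24,6 +24,10 @@ endif
+securelib_LTLIBRARIES = pam_securetty.la
+pam_securetty_la_LIBADD = -L$(top_builddir)/libpam -lpam
+
++pam_securetty_la_SOURCES = \
++ pam_securetty.c \
++ tty_secure.c
++
+if ENABLE_REGENERATE_MAN
+noinst_DATA = README
+README: pam_securetty.8.xml
+diff -urpN a/modules/pam_securetty/pam_securetty.c b/modules/pam_securetty/pam_securetty.c
+--- a/modules/pam_securetty/pam_securetty.c 2013-07-05 11:07:50.064483568 +0800
++++ b/modules/pam_securetty/pam_securetty.c 2013-07-05 11:12:23.994483344 +0800
+@@ -1,7 +1,5 @@
+/* pam_securetty module */
+
+-#define SECURETTY_FILE "/etc/securetty"
+-#define TTY_PREFIX "/dev/"
+#define CMDLINE_FILE "/proc/cmdline"
+#define CONSOLEACTIVE_FILE "/sys/class/tty/console/active"
+
+@@ -40,6 +38,9 @@
+#include <security/pam_modutil.h>
+#include <security/pam_ext.h>
+
++extern int _pammodutil_tty_secure(const pam_handle_t *pamh,
++ const char *uttyname);
++
+#define PAM_DEBUG_ARG 0x0001
+#define PAM_NOCONSOLE_ARG 0x0002
+
+@@ -73,11 +74,7 @@ securetty_perform_check (pam_handle_t *p
+const char *username;
+const char *uttyname;
+const void *void_uttyname;
+- char ttyfileline[256];
+- char ptname[256];
+- struct stat ttyfileinfo;
+struct passwd *user_pwd;
+- FILE *ttyfile;
+
+/* log a trail for debugging */
+if (ctrl & PAM_DEBUG_ARG) {
+@@ -105,50 +102,7 @@ securetty_perform_check (pam_handle_t *p
+return PAM_SERVICE_ERR;
+}
+
+- /* The PAM_TTY item may be prefixed with "/dev/" - skip that */
+- if (strncmp(TTY_PREFIX, uttyname, sizeof(TTY_PREFIX)-1) == 0) {
+- uttyname += sizeof(TTY_PREFIX)-1;
+- }
+-
+- if (stat(SECURETTY_FILE, &ttyfileinfo)) {
+- pam_syslog(pamh, LOG_NOTICE, "Couldn't open %s: %m", SECURETTY_FILE);
+- return PAM_SUCCESS; /* for compatibility with old securetty handling,
+- this needs to succeed. But we still log the
+- error. */
+- }
+-
+- if ((ttyfileinfo.st_mode & S_IWOTH) || !S_ISREG(ttyfileinfo.st_mode)) {
+- /* If the file is world writable or is not a
+- normal file, return error */
+- pam_syslog(pamh, LOG_ERR,
+- "%s is either world writable or not a normal file",
+- SECURETTY_FILE);
+- return PAM_AUTH_ERR;
+- }
+-
+- ttyfile = fopen(SECURETTY_FILE,"r");
+- if (ttyfile == NULL) { /* Check that we opened it successfully */
+- pam_syslog(pamh, LOG_ERR, "Error opening %s: %m", SECURETTY_FILE);
+- return PAM_SERVICE_ERR;
+- }
+-
+- if (isdigit(uttyname[0])) {
+- snprintf(ptname, sizeof(ptname), "pts/%s", uttyname);
+- } else {
+- ptname[0] = '\0';
+- }
+-
+- retval = 1;
+-
+- while ((fgets(ttyfileline, sizeof(ttyfileline)-1, ttyfile) != NULL)
+- && retval) {
+- if (ttyfileline[strlen(ttyfileline) - 1] == '\n')
+- ttyfileline[strlen(ttyfileline) - 1] = '\0';
+-
+- retval = ( strcmp(ttyfileline, uttyname)
+- && (!ptname[0] || strcmp(ptname, uttyname)) );
+- }
+- fclose(ttyfile);
++ retval = _pammodutil_tty_secure(pamh, uttyname);
+
+if (retval && !(ctrl & PAM_NOCONSOLE_ARG)) {
+FILE *cmdlinefile;
+diff -urpN a/modules/pam_securetty/tty_secure.c b/modules/pam_securetty/tty_secure.c
+--- a/modules/pam_securetty/tty_secure.c 1970-01-01 08:30:00.000000000 +0830
++++ b/modules/pam_securetty/tty_secure.c 2013-07-05 11:14:21.534482900 +0800
+@@ -0,0 +1,90 @@
++/*
++ * A function to determine if a particular line is in /etc/securetty
++ */
++
++
++#define SECURETTY_FILE "/etc/securetty"
++#define TTY_PREFIX "/dev/"
++
++/* This function taken out of pam_securetty by Sam Hartman
++ * <hartmans@debian.org>*/
++/*
++ * by Elliot Lee <sopwith@redhat.com>, Red Hat Software.
++ * July 25, 1996.
++ * Slight modifications AGM. 1996/12/3
++ */
++
++#include <unistd.h>
++#include <sys/types.h>
++#include <sys/stat.h>
++#include <security/pam_modules.h>
++#include <stdarg.h>
++#include <syslog.h>
++#include <sys/syslog.h>
++#include <stdio.h>
++#include <string.h>
++#include <stdlib.h>
++#include <ctype.h>
++#include <security/pam_modutil.h>
++#include <security/pam_ext.h>
++
++extern int _pammodutil_tty_secure(const pam_handle_t *pamh,
++ const char *uttyname);
++
++int _pammodutil_tty_secure(const pam_handle_t *pamh, const char *uttyname)
++{
++ int retval = PAM_AUTH_ERR;
++ char ttyfileline[256];
++ char ptname[256];
++ struct stat ttyfileinfo;
++ FILE *ttyfile;
++ /* The PAM_TTY item may be prefixed with "/dev/" - skip that */
++ if (strncmp(TTY_PREFIX, uttyname, sizeof(TTY_PREFIX)-1) == 0)
++ uttyname += sizeof(TTY_PREFIX)-1;
++
++ if (stat(SECURETTY_FILE, &ttyfileinfo)) {
++ pam_syslog(pamh, LOG_NOTICE, "Couldn't open %s: %m",
++ SECURETTY_FILE);
++ return PAM_SUCCESS; /* for compatibility with old securetty handling,
++ this needs to succeed. But we still log the
++ error. */
++ }
++
++ if ((ttyfileinfo.st_mode & S_IWOTH) || !S_ISREG(ttyfileinfo.st_mode)) {
++ /* If the file is world writable or is not a
++ normal file, return error */
++ pam_syslog(pamh, LOG_ERR,
++ "%s is either world writable or not a normal file",
++ SECURETTY_FILE);
++ return PAM_AUTH_ERR;
++ }
++
++ ttyfile = fopen(SECURETTY_FILE,"r");
++ if(ttyfile == NULL) { /* Check that we opened it successfully */
++ pam_syslog(pamh, LOG_ERR, "Error opening %s: %m", SECURETTY_FILE);
++ return PAM_SERVICE_ERR;
++ }
++
++ if (isdigit(uttyname[0])) {
++ snprintf(ptname, sizeof(ptname), "pts/%s", uttyname);
++ } else {
++ ptname[0] = '\0';
++ }
++
++ retval = 1;
++
++ while ((fgets(ttyfileline,sizeof(ttyfileline)-1, ttyfile) != NULL)
++ && retval) {
++ if(ttyfileline[strlen(ttyfileline) - 1] == '\n')
++ ttyfileline[strlen(ttyfileline) - 1] = '\0';
++ retval = ( strcmp(ttyfileline,uttyname)
++ && (!ptname[0] || strcmp(ptname, uttyname)) );
++ }
++ fclose(ttyfile);
++
++ if(retval) {
++ retval = PAM_AUTH_ERR;
++ }
++
++ return retval;
++}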
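Review bot: In the new tty_secure.c the trimming step `if(ttyfileline[strlen(ttyfileline) - 1] == '\n')` (patch line 188) indexes one byte before the buffer whenever fgets() hands back a zero-length string, which it does for a line of /etc/securetty that begins with a NUL byte; the construct is inherited from the code being moved, but since this function is about to gate blank-password logins for pam_unix as well, now is the moment to harden it: `size_t len = strlen(ttyfileline); if (len > 0 && ttyfileline[len - 1] == '\n') ttyfileline[len - 1] = '\0';`. The stat()-then-fopen() pair (lines 155-176) is a check-then-use gap on the file that decides the outcome; checking the opened stream with `fstat(fileno(ttyfile), &ttyfileinfo)` instead removes it. The return convention — 0 when the tty is listed or the file is absent, PAM_AUTH_ERR when it is not listed, PAM_SERVICE_ERR when the file cannot be opened — is only discoverable by reading the body, so a short comment above the definition stating it (and that the function also treats a bare digit name as `pts/N`) would help the pam_unix caller this patch prepares for. The `extern` prototype is duplicated verbatim in pam_securetty.c and tty_secure.c; a small shared header keeps the two from drifting.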
diff --git a/meta/recipes-extended/pam/libpam/pam-unix-nullok-secure.patch b/meta/recipes-extended/pam/libpam/pam-unix-nullok-secure.patch new file mode 100644 index 0000000000..b285e96c27 --- /dev/null +++ b/meta/recipes-extended/pam/libpam/pam-unix-nullok-secure.patch | |||
@@ -0,0 +1,222 @@ | |||
1 | Debian patch to add a new 'nullok_secure' option to pam_unix, which | ||
2 | accepts users with null passwords only when the applicant is connected | ||
3 | from a tty listed in /etc/securetty. | ||
4 | |||
5 | Authors: Sam Hartman <hartmans@debian.org>, | ||
6 | Steve Langasek <vorlon@debian.org> | ||
7 | |||
8 | Upstream-Status: Pending | ||
9 | |||
10 | Signed-off-by: Ming Liu <ming.liu@windriver.com> | ||
11 | =================================================================== | ||
12 | diff -urpN a/modules/pam_unix/Makefile.am b/modules/pam_unix/Makefile.am | ||
13 | --- a/modules/pam_unix/Makefile.am 2013-07-05 09:51:31.014483164 +0800 | ||
14 | +++ b/modules/pam_unix/Makefile.am 2013-07-05 10:26:12.884484000 +0800 | ||
15 | @@ -30,7 +30,8 @@ if HAVE_VERSIONING | ||
16 | pam_unix_la_LDFLAGS += -Wl,--version-script=$(srcdir)/../modules.map | ||
17 | endif | ||
18 | pam_unix_la_LIBADD = $(top_builddir)/libpam/libpam.la \ | ||
19 | - @LIBCRYPT@ @LIBSELINUX@ $(NIS_LIBS) | ||
20 | + @LIBCRYPT@ @LIBSELINUX@ $(NIS_LIBS) \ | ||
21 | + ../pam_securetty/tty_secure.lo | ||
22 | |||
23 | securelib_LTLIBRARIES = pam_unix.la | ||
24 | |||
25 | diff -urpN a/modules/pam_unix/pam_unix.8 b/modules/pam_unix/pam_unix.8 | ||
26 | --- a/modules/pam_unix/pam_unix.8 2013-07-05 09:52:16.825108201 +0800 | ||
27 | +++ b/modules/pam_unix/pam_unix.8 2013-07-05 10:28:34.724483774 +0800 | ||
28 | @@ -220,7 +220,14 @@ A little more extreme than debug\&. | ||
29 | .RS 4 | ||
30 | The default action of this module is to not permit the user access to a service if their official password is blank\&. The | ||
31 | \fBnullok\fR | ||
32 | -argument overrides this default\&. | ||
33 | +argument overrides this default and allows any user with a blank password to access the service\&. | ||
34 | +.RE | ||
35 | +.PP | ||
36 | +\fBnullok_secure\fR | ||
37 | +.RS 4 | ||
38 | +The default action of this module is to not permit the user access to a service if their official password is blank\&. The | ||
39 | +\fBnullok_secure\fR | ||
40 | +argument overrides this default and allows any user with a blank password to access the service as long as the value of PAM_TTY is set to one of the values found in /etc/securetty\&. | ||
41 | .RE | ||
42 | .PP | ||
43 | \fBtry_first_pass\fR | ||
44 | diff -urpN a/modules/pam_unix/pam_unix.8.xml b/modules/pam_unix/pam_unix.8.xml | ||
45 | --- a/modules/pam_unix/pam_unix.8.xml 2013-07-05 09:52:38.775108523 +0800 | ||
46 | +++ b/modules/pam_unix/pam_unix.8.xml 2013-07-05 10:30:23.084483630 +0800 | ||
47 | @@ -135,7 +135,24 @@ | ||
48 | <para> | ||
49 | The default action of this module is to not permit the | ||
50 | user access to a service if their official password is blank. | ||
51 | - The <option>nullok</option> argument overrides this default. | ||
52 | + The <option>nullok</option> argument overrides this default | ||
53 | + and allows any user with a blank password to access the | ||
54 | + service. | ||
55 | + </para> | ||
56 | + </listitem> | ||
57 | + </varlistentry> | ||
58 | + <varlistentry> | ||
59 | + <term> | ||
60 | + <option>nullok_secure</option> | ||
61 | + </term> | ||
62 | + <listitem> | ||
63 | + <para> | ||
64 | + The default action of this module is to not permit the | ||
65 | + user access to a service if their official password is blank. | ||
66 | + The <option>nullok_secure</option> argument overrides this | ||
67 | + default and allows any user with a blank password to access | ||
68 | + the service as long as the value of PAM_TTY is set to one of | ||
69 | + the values found in /etc/securetty. | ||
70 | </para> | ||
71 | </listitem> | ||
72 | </varlistentry> | ||
73 | diff -urpN a/modules/pam_unix/README b/modules/pam_unix/README | ||
74 | --- a/modules/pam_unix/README 2013-07-05 09:51:52.205107846 +0800 | ||
75 | +++ b/modules/pam_unix/README 2013-07-05 10:27:10.774484537 +0800 | ||
76 | @@ -57,7 +57,16 @@ nullok | ||
77 | |||
78 | The default action of this module is to not permit the user access to a | ||
79 | service if their official password is blank. The nullok argument overrides | ||
80 | - this default. | ||
81 | + this default and allows any user with a blank password to access the | ||
82 | + service. | ||
83 | + | ||
84 | +nullok_secure | ||
85 | + | ||
86 | + The default action of this module is to not permit the user access to a | ||
87 | + service if their official password is blank. The nullok_secure argument | ||
88 | + overrides this default and allows any user with a blank password to access | ||
89 | + the service as long as the value of PAM_TTY is set to one of the values | ||
90 | + found in /etc/securetty. | ||
91 | |||
92 | try_first_pass | ||
93 | |||
94 | diff -urpN a/modules/pam_unix/support.c b/modules/pam_unix/support.c | ||
95 | --- a/modules/pam_unix/support.c 2013-07-05 09:50:49.134482523 +0800 | ||
96 | +++ b/modules/pam_unix/support.c 2013-07-05 09:56:26.924484267 +0800 | ||
97 | @@ -84,14 +84,22 @@ int _set_ctrl(pam_handle_t *pamh, int fl | ||
98 | /* now parse the arguments to this module */ | ||
99 | |||
100 | for (; argc-- > 0; ++argv) { | ||
101 | - int j; | ||
102 | + int j, sl; | ||
103 | |||
104 | D(("pam_unix arg: %s", *argv)); | ||
105 | |||
106 | for (j = 0; j < UNIX_CTRLS_; ++j) { | ||
107 | - if (unix_args[j].token | ||
108 | - && !strncmp(*argv, unix_args[j].token, strlen(unix_args[j].token))) { | ||
109 | - break; | ||
110 | + if (unix_args[j].token) { | ||
111 | + sl = strlen(unix_args[j].token); | ||
112 | + if (unix_args[j].token[sl-1] == '=') { | ||
113 | + /* exclude argument from comparison */ | ||
114 | + if (!strncmp(*argv, unix_args[j].token, sl)) | ||
115 | + break; | ||
116 | + } else { | ||
117 | + /* compare full strings */ | ||
118 | + if (!strcmp(*argv, unix_args[j].token)) | ||
119 | + break; | ||
120 | + } | ||
121 | } | ||
122 | } | ||
123 | |||
124 | @@ -461,6 +469,7 @@ static int _unix_run_helper_binary(pam_h | ||
125 | child = fork(); | ||
126 | if (child == 0) { | ||
127 | int i=0; | ||
128 | + int nullok = off(UNIX__NONULL, ctrl); | ||
129 | struct rlimit rlim; | ||
130 | static char *envp[] = { NULL }; | ||
131 | char *args[] = { NULL, NULL, NULL, NULL }; | ||
132 | @@ -488,7 +497,18 @@ static int _unix_run_helper_binary(pam_h | ||
133 | /* exec binary helper */ | ||
134 | args[0] = strdup(CHKPWD_HELPER); | ||
135 | args[1] = x_strdup(user); | ||
136 | - if (off(UNIX__NONULL, ctrl)) { /* this means we've succeeded */ | ||
137 | + | ||
138 | + if (on(UNIX_NULLOK_SECURE, ctrl)) { | ||
139 | + const void *uttyname; | ||
140 | + retval = pam_get_item(pamh, PAM_TTY, &uttyname); | ||
141 | + if (retval != PAM_SUCCESS || uttyname == NULL | ||
142 | + || _pammodutil_tty_secure(pamh, (const char *)uttyname) != PAM_SUCCESS) | ||
143 | + { | ||
144 | + nullok = 0; | ||
145 | + } | ||
146 | + } | ||
147 | + | ||
148 | + if (nullok) { | ||
149 | args[2]=strdup("nullok"); | ||
150 | } else { | ||
151 | args[2]=strdup("nonull"); | ||
152 | @@ -567,6 +587,17 @@ _unix_blankpasswd (pam_handle_t *pamh, u | ||
153 | if (on(UNIX__NONULL, ctrl)) | ||
154 | return 0; /* will fail but don't let on yet */ | ||
155 | |||
156 | + if (on(UNIX_NULLOK_SECURE, ctrl)) { | ||
157 | + int retval2; | ||
158 | + const void *uttyname; | ||
159 | + retval2 = pam_get_item(pamh, PAM_TTY, &uttyname); | ||
160 | + if (retval2 != PAM_SUCCESS || uttyname == NULL) | ||
161 | + return 0; | ||
162 | + | ||
163 | + if (_pammodutil_tty_secure(pamh, (const char *)uttyname) != PAM_SUCCESS) | ||
164 | + return 0; | ||
165 | + } | ||
166 | + | ||
167 | /* UNIX passwords area */ | ||
168 | |||
169 | retval = get_pwd_hash(pamh, name, &pwd, &salt); | ||
170 | @@ -653,7 +684,8 @@ int _unix_verify_password(pam_handle_t * | ||
171 | } | ||
172 | } | ||
173 | } else { | ||
174 | - retval = verify_pwd_hash(p, salt, off(UNIX__NONULL, ctrl)); | ||
175 | + retval = verify_pwd_hash(p, salt, | ||
176 | + _unix_blankpasswd(pamh, ctrl, name)); | ||
177 | } | ||
178 | |||
179 | if (retval == PAM_SUCCESS) { | ||
180 | diff -urpN a/modules/pam_unix/support.h b/modules/pam_unix/support.h | ||
181 | --- a/modules/pam_unix/support.h 2013-07-05 09:51:10.385107934 +0800 | ||
182 | +++ b/modules/pam_unix/support.h 2013-07-05 10:23:54.815107842 +0800 | ||
183 | @@ -90,8 +90,9 @@ typedef struct { | ||
184 | password hash algorithms */ | ||
185 | #define UNIX_BLOWFISH_PASS 26 /* new password hashes will use blowfish */ | ||
186 | #define UNIX_MIN_PASS_LEN 27 /* min length for password */ | ||
187 | +#define UNIX_NULLOK_SECURE 28 /* NULL passwords allowed only on secure ttys */ | ||
188 | /* -------------- */ | ||
189 | -#define UNIX_CTRLS_ 28 /* number of ctrl arguments defined */ | ||
190 | +#define UNIX_CTRLS_ 29 /* number of ctrl arguments defined */ | ||
191 | |||
192 | #define UNIX_DES_CRYPT(ctrl) (off(UNIX_MD5_PASS,ctrl)&&off(UNIX_BIGCRYPT,ctrl)&&off(UNIX_SHA256_PASS,ctrl)&&off(UNIX_SHA512_PASS,ctrl)&&off(UNIX_BLOWFISH_PASS,ctrl)) | ||
193 | |||
194 | @@ -109,7 +110,7 @@ static const UNIX_Ctrls unix_args[UNIX_C | ||
195 | /* UNIX_NOT_SET_PASS */ {"not_set_pass", _ALL_ON_, 0100}, | ||
196 | /* UNIX__PRELIM */ {NULL, _ALL_ON_^(0600), 0200}, | ||
197 | /* UNIX__UPDATE */ {NULL, _ALL_ON_^(0600), 0400}, | ||
198 | -/* UNIX__NONULL */ {NULL, _ALL_ON_, 01000}, | ||
199 | +/* UNIX__NONULL */ {NULL, _ALL_ON_^(0x10000000), 0x200}, | ||
200 | /* UNIX__QUIET */ {NULL, _ALL_ON_, 02000}, | ||
201 | /* UNIX_USE_AUTHTOK */ {"use_authtok", _ALL_ON_, 04000}, | ||
202 | /* UNIX_SHADOW */ {"shadow", _ALL_ON_, 010000}, | ||
203 | @@ -127,7 +128,8 @@ static const UNIX_Ctrls unix_args[UNIX_C | ||
204 | /* UNIX_SHA512_PASS */ {"sha512", _ALL_ON_^(0260420000), 040000000}, | ||
205 | /* UNIX_ALGO_ROUNDS */ {"rounds=", _ALL_ON_, 0100000000}, | ||
206 | /* UNIX_BLOWFISH_PASS */ {"blowfish", _ALL_ON_^(0260420000), 0200000000}, | ||
207 | -/* UNIX_MIN_PASS_LEN */ {"minlen=", _ALL_ON_, 0400000000}, | ||
208 | +/* UNIX_MIN_PASS_LEN */ {"minlen=", _ALL_ON_, 0400000000}, | ||
209 | +/* UNIX_NULLOK_SECURE */ {"nullok_secure", _ALL_ON_^(0x200), 0x10000000}, | ||
210 | }; | ||
211 | |||
212 | #define UNIX_DEFAULTS (unix_args[UNIX__NONULL].flag) | ||
213 | @@ -163,6 +165,9 @@ extern int _unix_read_password(pam_handl | ||
214 | ,const char *data_name | ||
215 | ,const void **pass); | ||
216 | |||
217 | +extern int _pammodutil_tty_secure(const pam_handle_t *pamh, | ||
218 | + const char *uttyname); | ||
219 | + | ||
220 | extern int _unix_run_verify_binary(pam_handle_t *pamh, | ||
221 | unsigned int ctrl, const char *user, int *daysleft); | ||
222 | #endif /* _PAM_UNIX_SUPPORT_H */ | ||
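Review bot: The PAM_TTY lookup plus `_pammodutil_tty_secure()` gate is written out twice in support.c (the hunks at 497 in `_unix_run_helper_binary` and at 587 in `_unix_blankpasswd`), and the hunk at 684 reaches it a third time by handing `verify_pwd_hash` the result of `_unix_blankpasswd` instead of `off(UNIX__NONULL, ctrl)`, which from the `get_pwd_hash` call at the end of the 587 hunk appears to repeat the password lookup the caller has already done. A single `static int _unix_tty_is_secure(pam_handle_t *pamh)` used at all three sites keeps the policy in one place and lets `_unix_verify_password` pass a plain nullok flag again, as sketched below; the flag form should be equivalent because `verify_pwd_hash` already decides what to do with a blank hash. Independently, in the `_set_ctrl` hunk at 84 `sl` takes a `strlen()` result and should be `size_t`, and `unix_args[j].token[sl-1]` reads before the array if a token is ever the empty string, so `if (sl && unix_args[j].token[sl-1] == '=')` is the safer test. All four functions touched in support.c start outside their hunks.
```c
/* Non-zero when PAM_TTY is set and names a tty accepted by /etc/securetty. */
static int _unix_tty_is_secure(pam_handle_t *pamh)
{
	const void *uttyname = NULL;

	if (pam_get_item(pamh, PAM_TTY, &uttyname) != PAM_SUCCESS || uttyname == NULL)
		return 0;
	return _pammodutil_tty_secure(pamh, (const char *)uttyname) == PAM_SUCCESS;
}

/* … in _unix_run_helper_binary, child branch, replacing the PAM_TTY block … */
	if (on(UNIX_NULLOK_SECURE, ctrl) && !_unix_tty_is_secure(pamh))
		nullok = 0;

/* … in _unix_blankpasswd, replacing the PAM_TTY block … */
	if (on(UNIX_NULLOK_SECURE, ctrl) && !_unix_tty_is_secure(pamh))
		return 0;

/* … in _unix_verify_password, replacing the _unix_blankpasswd call … */
	retval = verify_pwd_hash(p, salt,
				 off(UNIX__NONULL, ctrl)
				 && (off(UNIX_NULLOK_SECURE, ctrl)
				     || _unix_tty_is_secure(pamh)));
```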
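--- /dev/null
+++ b/meta/recipes-extended/pam/libpam/pam.d/common-account
@@ -0,0 +1,25 @@
+#
+# /etc/pam.d/common-account - authorization settings common to all services
+#
+# This file is included from other service-specific PAM config files,
+# and should contain a list of the authorization modules that define
+# the central access policy for use on the system. The default is to
+# only deny service to users whose accounts are expired in /etc/shadow.
+#
+# As of pam 1.0.1-6, this file is managed by pam-auth-update by default.
+# To take advantage of this, it is recommended that you configure any
+# local modules either before or after the default block, and use
+# pam-auth-update to manage selection of other modules. See
+# pam-auth-update(8) for details.
+#
+
+# here are the per-package modules (the "Primary" block)
+account [success=1 new_authtok_reqd=done default=ignore] pam_unix.so
+# here's the fallback if no module succeeds
+account requisite pam_deny.so
+# prime the stack with a positive return value if there isn't one already;
+# this avoids us returning an error just because nothing sets a success code
+# since the modules above will each just jump around
+account required pam_permit.so
+# and here are more per-package modules (the "Additional" block)
+# end of pam-auth-update config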
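Review bot: Lines 9-13 and the trailing `# end of pam-auth-update config` tell the administrator this file is managed by pam-auth-update, but nothing in this commit installs or depends on pam-auth-update; the recipe copies the pam.d files verbatim in `do_install`. Left as is, the header invites edits "outside the default block" that no tool will ever honour. Either drop lines 9-13 and the trailer, or replace them with `# This file is installed statically by the libpam recipe; edit it directly.` so the comment matches how the file is actually maintained.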
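--- /dev/null
+++ b/meta/recipes-extended/pam/libpam/pam.d/common-auth
@@ -0,0 +1,18 @@
+#
+# /etc/pam.d/common-auth - authentication settings common to all services
+#
+# This file is included from other service-specific PAM config files,
+# and should contain a list of the authentication modules that define
+# the central authentication scheme for use on the system
+# (e.g., /etc/shadow, LDAP, Kerberos, etc.). The default is to use the
+# traditional Unix authentication mechanisms.
+
+# here are the per-package modules (the "Primary" block)
+auth [success=1 default=ignore] pam_unix.so nullok_secure
+# here's the fallback if no module succeeds
+auth requisite pam_deny.so
+# prime the stack with a positive return value if there isn't one already;
+# this avoids us returning an error just because nothing sets a success code
+# since the modules above will each just jump around
+auth required pam_permit.so
+# and here are more per-package modules (the "Additional" block)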
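Review bot: The `nullok_secure` option on line 11 is only as strict as `/etc/securetty`, and the `stat()` failure path of `_pammodutil_tty_secure` in the preceding securetty patch returns PAM_SUCCESS with just a LOG_NOTICE, so on an image that ships no `/etc/securetty` this line behaves like plain `nullok` and accepts blank passwords from any PAM_TTY. Nothing in this commit installs `/etc/securetty`, so that degraded mode is the default unless another recipe provides the file. A comment above line 11 should say so, e.g. `# nullok_secure accepts blank passwords only from a PAM_TTY listed in /etc/securetty; if that file is missing the tty check passes unconditionally`, so an integrator knows to ship the file or drop the option.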
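--- /dev/null
+++ b/meta/recipes-extended/pam/libpam/pam.d/common-password
@@ -0,0 +1,26 @@
+#
+# /etc/pam.d/common-password - password-related modules common to all services
+#
+# This file is included from other service-specific PAM config files,
+# and should contain a list of modules that define the services to be
+# used to change user passwords. The default is pam_unix.
+
+# Explanation of pam_unix options:
+#
+# The "sha512" option enables salted SHA512 passwords. Without this option,
+# the default is Unix crypt. Prior releases used the option "md5".
+#
+# The "obscure" option replaces the old `OBSCURE_CHECKS_ENAB' option in
+# login.defs.
+#
+# See the pam_unix manpage for other options.
+
+# here are the per-package modules (the "Primary" block)
+password [success=1 default=ignore] pam_unix.so obscure sha512
+# here's the fallback if no module succeeds
+password requisite pam_deny.so
+# prime the stack with a positive return value if there isn't one already;
+# this avoids us returning an error just because nothing sets a success code
+# since the modules above will each just jump around
+password required pam_permit.so
+# and here are more per-package modules (the "Additional" block)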
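--- /dev/null
+++ b/meta/recipes-extended/pam/libpam/pam.d/common-session
@@ -0,0 +1,19 @@
+#
+# /etc/pam.d/common-session - session-related modules common to all services
+#
+# This file is included from other service-specific PAM config files,
+# and should contain a list of modules that define tasks to be performed
+# at the start and end of sessions of *any* kind (both interactive and
+# non-interactive).
+#
+
+# here are the per-package modules (the "Primary" block)
+session [default=1] pam_permit.so
+# here's the fallback if no module succeeds
+session requisite pam_deny.so
+# prime the stack with a positive return value if there isn't one already;
+# this avoids us returning an error just because nothing sets a success code
+# since the modules above will each just jump around
+session required pam_permit.so
+# and here are more per-package modules (the "Additional" block)
+session required pam_unix.so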
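--- /dev/null
+++ b/meta/recipes-extended/pam/libpam/pam.d/common-session-noninteractive
@@ -0,0 +1,19 @@
+#
+# /etc/pam.d/common-session-noninteractive - session-related modules
+# common to all non-interactive services
+#
+# This file is included from other service-specific PAM config files,
+# and should contain a list of modules that define tasks to be performed
+# at the start and end of all non-interactive sessions.
+#
+
+# here are the per-package modules (the "Primary" block)
+session [default=1] pam_permit.so
+# here's the fallback if no module succeeds
+session requisite pam_deny.so
+# prime the stack with a positive return value if there isn't one already;
+# this avoids us returning an error just because nothing sets a success code
+# since the modules above will each just jump around
+session required pam_permit.so
+# and here are more per-package modules (the "Additional" block)
+session required pam_unix.so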
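--- /dev/null
+++ b/meta/recipes-extended/pam/libpam/pam.d/other
@@ -0,0 +1,24 @@
+#
+# /etc/pam.d/other - specify the PAM fallback behaviour
+#
+# Note that this file is used for any unspecified service; for example
+#if /etc/pam.d/cron specifies no session modules but cron calls
+#pam_open_session, the session module out of /etc/pam.d/other is
+#used.
+
+# We use pam_warn.so to generate syslog notes that the 'other'
+#fallback rules are being used (as a hint to suggest you should setup
+#specific PAM rules for the service and aid to debugging). Then to be
+#secure, deny access to all services by default.
+
+auth required pam_warn.so
+auth required pam_deny.so
+
+account required pam_warn.so
+account required pam_deny.so
+
+password required pam_warn.so
+password required pam_deny.so
+
+session required pam_warn.so
+session required pam_deny.so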
diff --git a/meta/recipes-extended/pam/libpam/pam_timestamp-fix-potential-directory-traversal-issu.patch b/meta/recipes-extended/pam/libpam/pam_timestamp-fix-potential-directory-traversal-issu.patch new file mode 100644 index 0000000000..06cca13abe --- /dev/null +++ b/meta/recipes-extended/pam/libpam/pam_timestamp-fix-potential-directory-traversal-issu.patch | |||
@@ -0,0 +1,63 @@ | |||
1 | From 9dcead87e6d7f66d34e7a56d11a30daca367dffb Mon Sep 17 00:00:00 2001 | ||
2 | From: "Dmitry V. Levin" <ldv@altlinux.org> | ||
3 | Date: Wed, 26 Mar 2014 22:17:23 +0000 | ||
4 | Subject: [PATCH] pam_timestamp: fix potential directory traversal issue | ||
5 | (ticket #27) | ||
6 | |||
7 | commit 9dcead87e6d7f66d34e7a56d11a30daca367dffb upstream | ||
8 | |||
9 | pam_timestamp uses values of PAM_RUSER and PAM_TTY as components of | ||
10 | the timestamp pathname it creates, so extra care should be taken to | ||
11 | avoid potential directory traversal issues. | ||
12 | |||
13 | * modules/pam_timestamp/pam_timestamp.c (check_tty): Treat | ||
14 | "." and ".." tty values as invalid. | ||
15 | (get_ruser): Treat "." and ".." ruser values, as well as any ruser | ||
16 | value containing '/', as invalid. | ||
17 | |||
18 | Fixes CVE-2014-2583. | ||
19 | |||
20 | Reported-by: Sebastian Krahmer <krahmer@suse.de> | ||
21 | |||
22 | Upstream-Status: Backport | ||
23 | |||
24 | Signed-off-by: Yue Tao <Yue.Tao@windriver.com> | ||
25 | Signed-off-by: Wenzong Fan <wenzong.fan@windriver.com> | ||
26 | --- | ||
27 | modules/pam_timestamp/pam_timestamp.c | 13 ++++++++++++- | ||
28 | 1 files changed, 12 insertions(+), 1 deletions(-) | ||
29 | |||
30 | diff --git a/modules/pam_timestamp/pam_timestamp.c b/modules/pam_timestamp/pam_timestamp.c | ||
31 | index 5193733..b3f08b1 100644 | ||
32 | --- a/modules/pam_timestamp/pam_timestamp.c | ||
33 | +++ b/modules/pam_timestamp/pam_timestamp.c | ||
34 | @@ -158,7 +158,7 @@ check_tty(const char *tty) | ||
35 | tty = strrchr(tty, '/') + 1; | ||
36 | } | ||
37 | /* Make sure the tty wasn't actually a directory (no basename). */ | ||
38 | - if (strlen(tty) == 0) { | ||
39 | + if (!strlen(tty) || !strcmp(tty, ".") || !strcmp(tty, "..")) { | ||
40 | return NULL; | ||
41 | } | ||
42 | return tty; | ||
43 | @@ -243,6 +243,17 @@ get_ruser(pam_handle_t *pamh, char *ruserbuf, size_t ruserbuflen) | ||
44 | if (pwd != NULL) { | ||
45 | ruser = pwd->pw_name; | ||
46 | } | ||
47 | + } else { | ||
48 | + /* | ||
49 | + * This ruser is used by format_timestamp_name as a component | ||
50 | + * of constructed timestamp pathname, so ".", "..", and '/' | ||
51 | + * are disallowed to avoid potential path traversal issues. | ||
52 | + */ | ||
53 | + if (!strcmp(ruser, ".") || | ||
54 | + !strcmp(ruser, "..") || | ||
55 | + strchr(ruser, '/')) { | ||
56 | + ruser = NULL; | ||
57 | + } | ||
58 | } | ||
59 | if (ruser == NULL || strlen(ruser) >= ruserbuflen) { | ||
60 | *ruserbuf = '\0'; | ||
61 | -- | ||
62 | 1.7.5.4 | ||
63 | |||
diff --git a/meta/recipes-extended/pam/libpam/reflect-the-enforce_for_root-semantics-change-in-pam.patch b/meta/recipes-extended/pam/libpam/reflect-the-enforce_for_root-semantics-change-in-pam.patch new file mode 100644 index 0000000000..c13535ecc2 --- /dev/null +++ b/meta/recipes-extended/pam/libpam/reflect-the-enforce_for_root-semantics-change-in-pam.patch | |||
@@ -0,0 +1,35 @@ | |||
1 | Backport from linux-pam git repo. | ||
2 | |||
3 | [YOCTO #4107] | ||
4 | |||
5 | Upstream-Status: Backport | ||
6 | |||
7 | Signed-off-by: Kang Kai <kai.kang@windriver.com> | ||
8 | |||
9 | From bd07ad3adc626f842a4391d256541883426fd389 Mon Sep 17 00:00:00 2001 | ||
10 | From: Tomas Mraz <tmraz@fedoraproject.org> | ||
11 | Date: Tue, 13 Nov 2012 09:19:05 +0100 | ||
12 | Subject: [PATCH] Reflect the enforce_for_root semantics change in | ||
13 | pam_pwhistory xtest. | ||
14 | |||
15 | xtests/tst-pam_pwhistory1.pamd: Use enforce_for_root as the test is | ||
16 | running with real uid == 0. | ||
17 | --- | ||
18 | xtests/tst-pam_pwhistory1.pamd | 2 +- | ||
19 | 1 file changed, 1 insertion(+), 1 deletion(-) | ||
20 | |||
21 | diff --git a/xtests/tst-pam_pwhistory1.pamd b/xtests/tst-pam_pwhistory1.pamd | ||
22 | index 68e1b94..d60db7c 100644 | ||
23 | --- a/xtests/tst-pam_pwhistory1.pamd | ||
24 | +++ b/xtests/tst-pam_pwhistory1.pamd | ||
25 | @@ -1,6 +1,6 @@ | ||
26 | #%PAM-1.0 | ||
27 | auth required pam_permit.so | ||
28 | account required pam_permit.so | ||
29 | -password required pam_pwhistory.so remember=10 retry=1 | ||
30 | +password required pam_pwhistory.so remember=10 retry=1 enforce_for_root | ||
31 | password required pam_unix.so use_authtok md5 | ||
32 | session required pam_permit.so | ||
33 | -- | ||
34 | 1.7.11.7 | ||
35 | |||
diff --git a/meta/recipes-extended/pam/libpam_1.1.6.bb b/meta/recipes-extended/pam/libpam_1.1.6.bb new file mode 100644 index 0000000000..3b6d5144f9 --- /dev/null +++ b/meta/recipes-extended/pam/libpam_1.1.6.bb | |||
@@ -0,0 +1,165 @@ | |||
1 | SUMMARY = "Linux-PAM (Pluggable Authentication Modules)" | ||
2 | DESCRIPTION = "Linux-PAM (Pluggable Authentication Modules for Linux), a flexible mechanism for authenticating users" | ||
3 | HOMEPAGE = "https://fedorahosted.org/linux-pam/" | ||
4 | BUGTRACKER = "https://fedorahosted.org/linux-pam/newticket" | ||
5 | SECTION = "base" | ||
6 | # PAM is dual licensed under GPL and BSD. | ||
7 | # /etc/pam.d comes from Debian libpam-runtime in 2009-11 (at that time | ||
8 | # libpam-runtime-1.0.1 is GPLv2+), by openembedded | ||
9 | LICENSE = "GPLv2+ | BSD" | ||
10 | LIC_FILES_CHKSUM = "file://COPYING;md5=7eb5c1bf854e8881005d673599ee74d3" | ||
11 | |||
12 | SRC_URI = "http://linux-pam.org/library/Linux-PAM-${PV}.tar.bz2 \ | ||
13 | file://99_pam \ | ||
14 | file://pam.d/common-account \ | ||
15 | file://pam.d/common-auth \ | ||
16 | file://pam.d/common-password \ | ||
17 | file://pam.d/common-session \ | ||
18 | file://pam.d/common-session-noninteractive \ | ||
19 | file://pam.d/other \ | ||
20 | file://libpam-xtests.patch \ | ||
21 | file://destdirfix.patch \ | ||
22 | file://fixsepbuild.patch \ | ||
23 | file://reflect-the-enforce_for_root-semantics-change-in-pam.patch \ | ||
24 | file://add-checks-for-crypt-returning-NULL.patch \ | ||
25 | file://libpam-fix-for-CVE-2010-4708.patch \ | ||
26 | file://pam-security-abstract-securetty-handling.patch \ | ||
27 | file://pam-unix-nullok-secure.patch \ | ||
28 | file://pam_timestamp-fix-potential-directory-traversal-issu.patch \ | ||
29 | file://libpam-xtests-remove-bash-dependency.patch \ | ||
30 | " | ||
31 | SRC_URI[md5sum] = "7b73e58b7ce79ffa321d408de06db2c4" | ||
32 | SRC_URI[sha256sum] = "bab887d6280f47fc3963df3b95735a27a16f0f663636163ddf3acab5f1149fc2" | ||
33 | |||
34 | SRC_URI_append_libc-uclibc = " file://pam-no-innetgr.patch" | ||
35 | |||
36 | DEPENDS = "bison flex flex-native cracklib" | ||
37 | |||
38 | EXTRA_OECONF = "--with-db-uniquename=_pam \ | ||
39 | --includedir=${includedir}/security \ | ||
40 | --libdir=${base_libdir} \ | ||
41 | --disable-nis \ | ||
42 | --disable-regenerate-docu \ | ||
43 | --disable-prelude" | ||
44 | |||
45 | CFLAGS_append = " -fPIC " | ||
46 | |||
47 | PR = "r5" | ||
48 | |||
49 | S = "${WORKDIR}/Linux-PAM-${PV}" | ||
50 | |||
51 | inherit autotools gettext pkgconfig | ||
52 | |||
53 | PACKAGECONFIG[audit] = "--enable-audit,--disable-audit,audit," | ||
54 | |||
55 | PACKAGES += "${PN}-runtime ${PN}-xtests" | ||
56 | FILES_${PN} = "${base_libdir}/lib*${SOLIBS}" | ||
57 | FILES_${PN}-dbg += "${base_libdir}/security/.debug \ | ||
58 | ${base_libdir}/security/pam_filter/.debug \ | ||
59 | ${datadir}/Linux-PAM/xtests/.debug" | ||
60 | |||
61 | FILES_${PN}-dev += "${base_libdir}/security/*.la ${base_libdir}/*.la ${base_libdir}/lib*${SOLIBSDEV}" | ||
62 | FILES_${PN}-runtime = "${sysconfdir}" | ||
63 | FILES_${PN}-xtests = "${datadir}/Linux-PAM/xtests" | ||
64 | |||
65 | PACKAGES_DYNAMIC += "^${MLPREFIX}pam-plugin-.*" | ||
66 | |||
67 | def get_multilib_bit(d): | ||
68 | baselib = d.getVar('baselib', True) or '' | ||
69 | return baselib.replace('lib', '') | ||
70 | |||
71 | libpam_suffix = "suffix${@get_multilib_bit(d)}" | ||
72 | |||
73 | RPROVIDES_${PN} += "${PN}-${libpam_suffix}" | ||
74 | RPROVIDES_${PN}-runtime += "${PN}-runtime-${libpam_suffix}" | ||
75 | |||
76 | RDEPENDS_${PN}-runtime = "${PN}-${libpam_suffix} \ | ||
77 | ${MLPREFIX}pam-plugin-deny-${libpam_suffix} \ | ||
78 | ${MLPREFIX}pam-plugin-permit-${libpam_suffix} \ | ||
79 | ${MLPREFIX}pam-plugin-warn-${libpam_suffix} \ | ||
80 | ${MLPREFIX}pam-plugin-unix-${libpam_suffix} \ | ||
81 | " | ||
82 | RDEPENDS_${PN}-xtests = "${PN}-${libpam_suffix} \ | ||
83 | ${MLPREFIX}pam-plugin-access-${libpam_suffix} \ | ||
84 | ${MLPREFIX}pam-plugin-debug-${libpam_suffix} \ | ||
85 | ${MLPREFIX}pam-plugin-cracklib-${libpam_suffix} \ | ||
86 | ${MLPREFIX}pam-plugin-pwhistory-${libpam_suffix} \ | ||
87 | ${MLPREFIX}pam-plugin-succeed-if-${libpam_suffix} \ | ||
88 | ${MLPREFIX}pam-plugin-time-${libpam_suffix} \ | ||
89 | coreutils" | ||
90 | |||
91 | # FIXME: Native suffix breaks here, disable it for now | ||
92 | RRECOMMENDS_${PN} = "${PN}-runtime-${libpam_suffix}" | ||
93 | RRECOMMENDS_${PN}_class-native = "" | ||
94 | |||
95 | python populate_packages_prepend () { | ||
96 | def pam_plugin_append_file(pn, dir, file): | ||
97 | nf = os.path.join(dir, file) | ||
98 | of = d.getVar('FILES_' + pn, True) | ||
99 | if of: | ||
100 | nf = of + " " + nf | ||
101 | d.setVar('FILES_' + pn, nf) | ||
102 | |||
103 | def pam_plugin_hook(file, pkg, pattern, format, basename): | ||
104 | pn = d.getVar('PN', True) | ||
105 | libpam_suffix = d.getVar('libpam_suffix', True) | ||
106 | |||
107 | rdeps = d.getVar('RDEPENDS_' + pkg, True) | ||
108 | if rdeps: | ||
109 | rdeps = rdeps + " " + pn + "-" + libpam_suffix | ||
110 | else: | ||
111 | rdeps = pn + "-" + libpam_suffix | ||
112 | d.setVar('RDEPENDS_' + pkg, rdeps) | ||
113 | |||
114 | provides = d.getVar('RPROVIDES_' + pkg, True) | ||
115 | if provides: | ||
116 | provides = provides + " " + pkg + "-" + libpam_suffix | ||
117 | else: | ||
118 | provides = pkg + "-" + libpam_suffix | ||
119 | d.setVar('RPROVIDES_' + pkg, provides) | ||
120 | |||
121 | mlprefix = d.getVar('MLPREFIX', True) or '' | ||
122 | dvar = bb.data.expand('${WORKDIR}/package', d, True) | ||
123 | pam_libdir = d.expand('${base_libdir}/security') | ||
124 | pam_sbindir = d.expand('${sbindir}') | ||
125 | pam_filterdir = d.expand('${base_libdir}/security/pam_filter') | ||
126 | pam_pkgname = mlprefix + 'pam-plugin%s' | ||
127 | |||
128 | do_split_packages(d, pam_libdir, '^pam(.*)\.so$', pam_pkgname, | ||
129 | 'PAM plugin for %s', hook=pam_plugin_hook, extra_depends='') | ||
130 | pam_plugin_append_file('%spam-plugin-unix' % mlprefix, pam_sbindir, 'unix_chkpwd') | ||
131 | pam_plugin_append_file('%spam-plugin-unix' % mlprefix, pam_sbindir, 'unix_update') | ||
132 | pam_plugin_append_file('%spam-plugin-tally' % mlprefix, pam_sbindir, 'pam_tally') | ||
133 | pam_plugin_append_file('%spam-plugin-tally2' % mlprefix, pam_sbindir, 'pam_tally2') | ||
134 | pam_plugin_append_file('%spam-plugin-timestamp' % mlprefix, pam_sbindir, 'pam_timestamp_check') | ||
135 | pam_plugin_append_file('%spam-plugin-mkhomedir' % mlprefix, pam_sbindir, 'mkhomedir_helper') | ||
136 | pam_plugin_append_file('%spam-plugin-console' % mlprefix, pam_sbindir, 'pam_console_apply') | ||
137 | do_split_packages(d, pam_filterdir, '^(.*)$', 'pam-filter-%s', 'PAM filter for %s', extra_depends='') | ||
138 | } | ||
139 | |||
140 | do_install() { | ||
141 | autotools_do_install | ||
142 | |||
143 | # don't install /var/run when populating rootfs. Do it through volatile | ||
144 | rm -rf ${D}${localstatedir} | ||
145 | install -d ${D}${sysconfdir}/default/volatiles | ||
146 | install -m 0644 ${WORKDIR}/99_pam ${D}${sysconfdir}/default/volatiles | ||
147 | |||
148 | install -d ${D}${sysconfdir}/pam.d/ | ||
149 | install -m 0644 ${WORKDIR}/pam.d/* ${D}${sysconfdir}/pam.d/ | ||
150 | |||
151 | # The lsb requires unix_chkpwd has setuid permission | ||
152 | chmod 4755 ${D}${sbindir}/unix_chkpwd | ||
153 | |||
154 | if ${@bb.utils.contains('DISTRO_FEATURES','systemd','true','false',d)}; then | ||
155 | echo "session optional pam_systemd.so" >> ${D}${sysconfdir}/pam.d/common-session | ||
156 | fi | ||
157 | } | ||
158 | |||
159 | python do_pam_sanity () { | ||
160 | if not bb.utils.contains('DISTRO_FEATURES', 'pam', True, False, d): | ||
161 | bb.warn("Building libpam but 'pam' isn't in DISTRO_FEATURES, PAM won't work correctly") | ||
162 | } | ||
163 | addtask pam_sanity before do_configure | ||
164 | |||
165 | BBCLASSEXTEND = "nativesdk native" | ||
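Review bot: The pattern `'^pam(.*)\.so$'` passed to `do_split_packages` in `populate_packages_prepend` (line 128) is a non-raw Python string containing `\.`; it works only because `\.` is not a recognised escape, and newer Python releases warn on exactly this, so it should be `r'^pam(.*)\.so$'`. In `do_install`, the `chmod 4755` on `unix_chkpwd` (line 152) creates a setuid-root helper, so the comment should state the reason rather than just cite the LSB, e.g. `# unix_chkpwd must be setuid root: it checks the shadow password on behalf of unprivileged callers (and the LSB requires it)`, and the ownership should be pinned with `chown root:root ${D}${sbindir}/unix_chkpwd` immediately before the chmod so the setuid bit never ends up on a file whose owner depends on the build environment. Line 155 appends `pam_systemd.so` to `common-session` but no RDEPENDS is added for the package that provides it; since the line is `optional` this is presumably deliberate, and a one-line comment saying so would stop the next reader from treating it as an omission.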