
Merge pull request #6492 from neheb/pam

libpam: Update to 1.3.0
lilik-openwrt-22.03
Nikos Mavrogiannopoulos 6 years ago
committed by GitHub
parent
commit
0b0a774916
No known key found for this signature in database GPG Key ID: 4AEE18F83AFDEB23
8 changed files with 81 additions and 141 deletions
  1. +3
    -3
      libs/libpam/Makefile
  2. +1
    -1
      libs/libpam/patches/0001-build-always-use-lib-instead-of-lib64.patch
  3. +1
    -1
      libs/libpam/patches/0002-build-ignore-pam_rhosts-if-neither-ruserok-nor-ruser.patch
  4. +1
    -1
      libs/libpam/patches/0003-build-ignore-pam_lastlog-when-logwtmp-is-not-availab.patch
  5. +0
    -28
      libs/libpam/patches/0004-build-fix-build-when-crypt-is-not-part-of-crypt_libs.patch
  6. +1
    -1
      libs/libpam/patches/0006-pam_unix-fix-compilation-in-case-rpc-rpc.h-is-missin.patch
  7. +0
    -106
      libs/libpam/patches/0007-Check-if-innetgr-is-available-at-compile-time.patch
  8. +74
    -0
      libs/libpam/patches/0007-Replace-strndupa-with-strcpy.patch

+ 3
- 3
libs/libpam/Makefile View File

@ -8,12 +8,12 @@
include $(TOPDIR)/rules.mk
PKG_NAME:=libpam
PKG_VERSION:=1.2.0
PKG_RELEASE:=2
PKG_VERSION:=1.3.0
PKG_RELEASE:=1
PKG_SOURCE:=Linux-PAM-$(PKG_VERSION).tar.bz2
PKG_SOURCE_URL:=http://www.linux-pam.org/library/
PKG_HASH:=cd8beac5961e942e9c73b32a3cd1a3457755f8fb35d07c9ec64511e19e135ea4
PKG_HASH:=241aed1ef522f66ed672719ecf2205ec513fd0075ed80cda8e086a5b1a01d1bb
PKG_INSTALL:=1
PKG_FIXUP:=autoreconf
PKG_MAINTAINER:=Nikos Mavrogiannopoulos <n.mavrogiannopoulos@gmail.com>


+ 1
- 1
libs/libpam/patches/0001-build-always-use-lib-instead-of-lib64.patch View File

@ -20,7 +20,7 @@ index fd0e310..306b6e2 100644
fi
- if test ${libdir} = '${exec_prefix}/lib'
- then
- case "`uname -m`" in
- case "$host_cpu" in
- x86_64|ppc64|s390x|sparc64)
- libdir="/lib64" ;;
- *)


+ 1
- 1
libs/libpam/patches/0002-build-ignore-pam_rhosts-if-neither-ruserok-nor-ruser.patch View File

@ -19,7 +19,7 @@ diff --git a/configure.ac b/configure.ac
index 306b6e2..084071a 100644
--- a/configure.ac
+++ b/configure.ac
@@ -534,7 +534,10 @@ AC_CHECK_FUNCS(fseeko getdomainname gethostname gettimeofday lckpwdf mkdir selec
@@ -524,7 +524,10 @@ AC_CHECK_FUNCS(fseeko getdomainname gethostname gettimeofday lckpwdf mkdir selec
AC_CHECK_FUNCS(strcspn strdup strspn strstr strtol uname)
AC_CHECK_FUNCS(getutent_r getpwnam_r getpwuid_r getgrnam_r getgrgid_r getspnam_r)
AC_CHECK_FUNCS(getgrouplist getline getdelim)


+ 1
- 1
libs/libpam/patches/0003-build-ignore-pam_lastlog-when-logwtmp-is-not-availab.patch View File

@ -16,7 +16,7 @@ diff --git a/configure.ac b/configure.ac
index 084071a..ca4bf5b 100644
--- a/configure.ac
+++ b/configure.ac
@@ -536,8 +536,10 @@ AC_CHECK_FUNCS(getutent_r getpwnam_r getpwuid_r getgrnam_r getgrgid_r getspnam_r
@@ -526,8 +526,10 @@ AC_CHECK_FUNCS(getutent_r getpwnam_r getpwuid_r getgrnam_r getgrgid_r getspnam_r
AC_CHECK_FUNCS(getgrouplist getline getdelim)
AC_CHECK_FUNCS(inet_ntop inet_pton innetgr)
AC_CHECK_FUNCS([ruserok_af ruserok], [break])


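--- a/libs/libpam/patches/0004-build-fix-build-when-crypt-is-not-part-of-crypt_libs.patch
+++ b/libs/libpam/patches/0004-build-fix-build-when-crypt-is-not-part-of-crypt_libs.patch
@@ -1,28 +0,0 @@
-From a35daea1b8be768d1b0be6eae157fbf3e5380f92 Mon Sep 17 00:00:00 2001
-From: Yousong Zhou <yszhou4tech@gmail.com>
-Date: Wed, 17 Jun 2015 18:22:31 +0800
-Subject: [PATCH 4/7] build: fix build when crypt() is not part of crypt_libs.
-* configure.ac: ditto.
-Signed-off-by: Yousong Zhou <yszhou4tech@gmail.com>
----
-configure.ac | 2 +-
-1 file changed, 1 insertion(+), 1 deletion(-)
-diff --git a/configure.ac b/configure.ac
-index ca4bf5b..6553c78 100644
---- a/configure.ac
-+++ b/configure.ac
-@@ -408,7 +408,7 @@ AS_IF([test "x$ac_cv_header_xcrypt_h" = "xyes"],
-[crypt_libs="crypt"])
-BACKUP_LIBS=$LIBS
--AC_SEARCH_LIBS([crypt],[$crypt_libs], LIBCRYPT="-l$ac_lib", LIBCRYPT="")
-+AC_SEARCH_LIBS([crypt],[$crypt_libs], LIBCRYPT="${ac_lib:+-l$ac_lib}", LIBCRYPT="")
-AC_CHECK_FUNCS(crypt_r crypt_gensalt_r)
-LIBS=$BACKUP_LIBS
-AC_SUBST(LIBCRYPT)
---
-1.7.10.4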

+ 1
- 1
libs/libpam/patches/0006-pam_unix-fix-compilation-in-case-rpc-rpc.h-is-missin.patch View File

@ -15,7 +15,7 @@ diff --git a/modules/pam_unix/pam_unix_passwd.c b/modules/pam_unix/pam_unix_pass
index 2d330e5..970724a 100644
--- a/modules/pam_unix/pam_unix_passwd.c
+++ b/modules/pam_unix/pam_unix_passwd.c
@@ -336,7 +336,7 @@ static int _do_setpass(pam_handle_t* pamh, const char *forwho,
@@ -410,7 +410,7 @@ static int _do_setpass(pam_handle_t* pamh, const char *forwho,
}
if (on(UNIX_NIS, ctrl) && _unix_comesfromsource(pamh, forwho, 0, 1)) {


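--- a/libs/libpam/patches/0007-Check-if-innetgr-is-available-at-compile-time.patch
+++ b/libs/libpam/patches/0007-Check-if-innetgr-is-available-at-compile-time.patch
@@ -1,106 +0,0 @@
-From c681bd104627139eac2f40fe303e1f67676233e8 Mon Sep 17 00:00:00 2001
-From: Yousong Zhou <yszhou4tech@gmail.com>
-Date: Wed, 17 Jun 2015 15:33:43 +0800
-Subject: [PATCH 7/7] Check if innetgr is available at compile time.
-innetgr may not be there so make sure that when innetgr is not present
-then we inform about it and not use it.
-* modules/pam_group/pam_group.c: ditto
-* modules/pam_succeed_if/pam_succeed_if.c: ditto
-* modules/pam_time/pam_time.c: ditto
-Signed-off-by: Khem Raj <raj.khem at gmail.com>
-Signed-off-by: Yousong Zhou <yszhou4tech at gmail.com>
----
-modules/pam_group/pam_group.c | 4 ++++
-modules/pam_succeed_if/pam_succeed_if.c | 17 +++++++++++++----
-modules/pam_time/pam_time.c | 4 ++++
-3 files changed, 21 insertions(+), 4 deletions(-)
-diff --git a/modules/pam_group/pam_group.c b/modules/pam_group/pam_group.c
-index be5f20f..6a065ca 100644
---- a/modules/pam_group/pam_group.c
-+++ b/modules/pam_group/pam_group.c
-@@ -656,7 +656,11 @@ static int check_account(pam_handle_t *pamh, const char *service,
-}
-/* If buffer starts with @, we are using netgroups */
-if (buffer[0] == '@')
-+#ifdef HAVE_INNETGR
-good &= innetgr (&buffer[1], NULL, user, NULL);
-+#else
-+ pam_syslog (pamh, LOG_ERR, "pam_group does not have netgroup support");
-+#endif
-/* otherwise, if the buffer starts with %, it's a UNIX group */
-else if (buffer[0] == '%')
-good &= pam_modutil_user_in_group_nam_nam(pamh, user, &buffer[1]);
-diff --git a/modules/pam_succeed_if/pam_succeed_if.c b/modules/pam_succeed_if/pam_succeed_if.c
-index aa828fc..c0c68a0 100644
---- a/modules/pam_succeed_if/pam_succeed_if.c
-+++ b/modules/pam_succeed_if/pam_succeed_if.c
-@@ -231,18 +231,27 @@ evaluate_notingroup(pam_handle_t *pamh, const char *user, const char *group)
-}
-/* Return PAM_SUCCESS if the (host,user) is in the netgroup. */
-static int
--evaluate_innetgr(const char *host, const char *user, const char *group)
-+evaluate_innetgr(const pam_handle_t* pamh, const char *host, const char *user, const char *group)
-{
-+#ifdef HAVE_INNETGR
-if (innetgr(group, host, user, NULL) == 1)
-return PAM_SUCCESS;
-+#else
-+ pam_syslog (pamh, LOG_ERR, "pam_succeed_if does not have netgroup support");
-+#endif
-+
-return PAM_AUTH_ERR;
-}
-/* Return PAM_SUCCESS if the (host,user) is NOT in the netgroup. */
-static int
--evaluate_notinnetgr(const char *host, const char *user, const char *group)
-+evaluate_notinnetgr(const pam_handle_t* pamh, const char *host, const char *user, const char *group)
-{
-+#ifdef HAVE_INNETGR
-if (innetgr(group, host, user, NULL) == 0)
-return PAM_SUCCESS;
-+#else
-+ pam_syslog (pamh, LOG_ERR, "pam_succeed_if does not have netgroup support");
-+#endif
-return PAM_AUTH_ERR;
-}
-@@ -387,14 +396,14 @@ evaluate(pam_handle_t *pamh, int debug,
-const void *rhost;
-if (pam_get_item(pamh, PAM_RHOST, &rhost) != PAM_SUCCESS)
-rhost = NULL;
-- return evaluate_innetgr(rhost, user, right);
-+ return evaluate_innetgr(pamh, rhost, user, right);
-}
-/* (Rhost, user) is not in this group. */
-if (strcasecmp(qual, "notinnetgr") == 0) {
-const void *rhost;
-if (pam_get_item(pamh, PAM_RHOST, &rhost) != PAM_SUCCESS)
-rhost = NULL;
-- return evaluate_notinnetgr(rhost, user, right);
-+ return evaluate_notinnetgr(pamh, rhost, user, right);
-}
-/* Fail closed. */
-return PAM_SERVICE_ERR;
-diff --git a/modules/pam_time/pam_time.c b/modules/pam_time/pam_time.c
-index c94737c..0b34a14 100644
---- a/modules/pam_time/pam_time.c
-+++ b/modules/pam_time/pam_time.c
-@@ -555,7 +555,11 @@ check_account(pam_handle_t *pamh, const char *service,
-}
-/* If buffer starts with @, we are using netgroups */
-if (buffer[0] == '@')
-+#ifdef HAVE_INNETGR
-good &= innetgr (&buffer[1], NULL, user, NULL);
-+#else
-+ pam_syslog (pamh, LOG_ERR, "pam_time does not have netgroup support");
-+#endif
-else
-good &= logic_field(pamh, user, buffer, count, is_same);
-D(("with user: %s", good ? "passes":"fails" ));
---
-1.7.10.4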

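--- a/libs/libpam/patches/0007-Replace-strndupa-with-strcpy.patch
+++ b/libs/libpam/patches/0007-Replace-strndupa-with-strcpy.patch
@@ -0,0 +1,74 @@
+From 9f23ba5a40b42acf4463b593bffd73caee8b527c Mon Sep 17 00:00:00 2001
+From: Rosen Penev <rosenp@gmail.com>
+Date: Sun, 15 Jul 2018 20:43:44 -0700
+Subject: [PATCH] Replace strndupa with strcpy
+glibc only. A static string is better.
+Signed-off-by: Rosen Penev <rosenp@gmail.com>
+---
+modules/pam_exec/pam_exec.c | 31 +++++++++++--------------------
+1 file changed, 11 insertions(+), 20 deletions(-)
+diff --git a/modules/pam_exec/pam_exec.c b/modules/pam_exec/pam_exec.c
+index 0ab6548..2fbab4f 100644
+--- a/modules/pam_exec/pam_exec.c
++++ b/modules/pam_exec/pam_exec.c
+@@ -102,7 +102,7 @@ call_exec (const char *pam_type, pam_handle_t *pamh,
+int use_stdout = 0;
+int optargc;
+const char *logfile = NULL;
+- const char *authtok = NULL;
++ char authtok[PAM_MAX_RESP_SIZE];
+pid_t pid;
+int fds[2];
+int stdout_fds[2];
+@@ -178,11 +178,11 @@ call_exec (const char *pam_type, pam_handle_t *pamh,
+}
+pam_set_item (pamh, PAM_AUTHTOK, resp);
+- authtok = strndupa (resp, PAM_MAX_RESP_SIZE);
++ strcpy (authtok, resp);
+_pam_drop (resp);
+}
+else
+- authtok = strndupa (void_pass, PAM_MAX_RESP_SIZE);
++ strcpy (authtok, void_pass);
+if (pipe(fds) != 0)
+{
+@@ -222,23 +222,14 @@ call_exec (const char *pam_type, pam_handle_t *pamh,
+if (expose_authtok) /* send the password to the child */
+{
+- if (authtok != NULL)
+- { /* send the password to the child */
+- if (debug)
+- pam_syslog (pamh, LOG_DEBUG, "send password to child");
+- if (write(fds[1], authtok, strlen(authtok)+1) == -1)
+- pam_syslog (pamh, LOG_ERR,
+- "sending password to child failed: %m");
+- authtok = NULL;
+- }
+- else
+- {
+- if (write(fds[1], "", 1) == -1) /* blank password */
+- pam_syslog (pamh, LOG_ERR,
+- "sending password to child failed: %m");
+- }
+- close(fds[0]); /* close here to avoid possible SIGPIPE above */
+- close(fds[1]);
++ if (debug)
++ pam_syslog (pamh, LOG_DEBUG, "send password to child");
++ if (write(fds[1], authtok, strlen(authtok)) == -1)
++ pam_syslog (pamh, LOG_ERR,
++ "sending password to child failed: %m");
++
++ close(fds[0]); /* close here to avoid possible SIGPIPE above */
++ close(fds[1]);
+}
+if (use_stdout)
+--
+2.19.1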
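Review bot: The two `strcpy (authtok, ...)` calls in the second hunk of the embedded pam_exec.c patch copy the password into the fixed `char authtok[PAM_MAX_RESP_SIZE]` with no length limit, whereas the `strndupa (..., PAM_MAX_RESP_SIZE)` calls they replace capped the copy; a response or stored token of PAM_MAX_RESP_SIZE bytes or more would be written past the end of the stack buffer. The array is also left uninitialized, and the third hunk removes the `authtok != NULL` / blank-password branch, so if any path sets `expose_authtok` without reaching one of the two copies (the enclosing conditions are outside the hunks, so this is inferred from the removed branch), `strlen(authtok)` reads indeterminate stack data. I would declare `char authtok[PAM_MAX_RESP_SIZE + 1] = "";` and copy with `snprintf (authtok, sizeof authtok, "%s", resp);` (and the same for `void_pass`), which keeps the previous truncation behaviour. The write length also changes from `strlen(authtok)+1` to `strlen(authtok)`, so the child no longer receives the terminating NUL, which the patch description does not mention; the cleartext copy also stays in the stack buffer after the write and is worth clearing once it has been sent. call_exec begins and ends outside all three hunks.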
