author: Sam Hartman <hartmans@debian.org> 2021-02-01 16:40:25 -0500
committer: Steve Langasek <steve.langasek@canonical.com> 2021-09-15 17:52:35 -0700
commit: 7dec8233c6ce514187804f58e8489c8e819f478a
tree: 6b308fec75db1b94d874440889991bee42062405
parent: 3c8e0c11da150a11efdd9b6f0978ac331605d52b
patches-applied/pam_mkhomedir_stat_before_opendir: Stat the skeleton directory before opendir
According to https://bugs.debian.org/834589 there are cases where the kernel will not permit opendir before stat of the enclosing directory. In the described case it was autofs, but I can see various filesystems that mount a network namespace doing the same thing trying to prevent excessive network traffic from a tree traversal. Statting the autofs entry before opendir causes it to work.
-rw-r--r-- debian/changelog                                          2
-rw-r--r-- debian/patches-applied/pam_mkhomedir_stat_before_opendir  25
-rw-r--r-- debian/patches-applied/series                             1
3 files changed, 28 insertions, 0 deletions
diff --git a/debian/changelog b/debian/changelog
index 29abc9b5..f99a71ee 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -5,6 +5,8 @@ pam (1.4.0-3) UNRELEASED; urgency=medium
Closes: #978601
[ Sam Hartman ]
+ * patches-applied/pam_mkhomedir_stat_before_opendir: Stat the skeleton
+ directory before opendir, Closes: #834589
* libpam-modules.install: Install pam_faillock binaries, Closes: #981092
* debian/patches-applied/pam_unix_initialize_daysleft : Initialize days before password expire, Closes: #980285
* pam-configs/unix: Default to yescript rather than sha512. From a theoretical security standpoint, it looks like yescript has similar security properties, assuming (as we typically do in the crypto protocol community) that sha256 is still reasonable. However, in terms of practical resistant to password cracking, particularly in terms of valuing space complexity as well as time complexity, yescript is superior, Closes: #978553
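Review bot: the new entry names the patch as `patches-applied/pam_mkhomedir_stat_before_opendir` while the neighbouring entry in the same stanza spells the full path `debian/patches-applied/pam_unix_initialize_daysleft`; pick one form so the changelog paths are consistent, e.g. `* debian/patches-applied/pam_mkhomedir_stat_before_opendir: Stat the skeleton`.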
diff --git a/debian/patches-applied/pam_mkhomedir_stat_before_opendir b/debian/patches-applied/pam_mkhomedir_stat_before_opendir
new file mode 100644
index 00000000..3e5f0a12
--- /dev/null
+++ b/debian/patches-applied/pam_mkhomedir_stat_before_opendir
@@ -0,0 +1,25 @@
+Index: pam/modules/pam_mkhomedir/mkhomedir_helper.c
+===================================================================
+--- pam.orig/modules/pam_mkhomedir/mkhomedir_helper.c
++++ pam/modules/pam_mkhomedir/mkhomedir_helper.c
+@@ -38,6 +38,7 @@ create_homedir(const struct passwd *pwd,
+ DIR *d;
+ struct dirent *dent;
+ int retval = PAM_SESSION_ERR;
++ struct stat stat_buf;
+
+ /* Create the new directory */
+ if (mkdir(dest, 0700) && errno != EEXIST)
+@@ -53,6 +54,12 @@ create_homedir(const struct passwd *pwd,
+ goto go_out;
+ }
+
++ /* Various things such as an autofs mount with browsing disabled
++ * can cause the directory to appear only on stat. The intent is
++ * to minimize network traversal when a file explorer tries to
++ * traverse large chunks of a directory tree. So stat first.*/
++ stat(source, &stat_buf);
++
+ /* Scan the directory */
+ d = opendir(source);
+ if (d == NULL)
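Review bot: the return value of `stat(source, &stat_buf);` is discarded and `stat_buf` is never read afterwards, so a compiler warning on unused results or a static analyzer will flag the call, and a later reader cannot tell whether ignoring the result is deliberate. Since the call exists only to make the automounted skeleton directory appear, and the following `opendir(source)` already reports the failure case, make the intent explicit with `(void) stat(source, &stat_buf);` and extend the comment to say the result is intentionally ignored because `opendir` does the real check. Minor style point in the same block: the comment's closing `first.*/` is missing the space before `*/` that the surrounding comments use.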
diff --git a/debian/patches-applied/series b/debian/patches-applied/series
index 587a6366..6addd12c 100644
--- a/debian/patches-applied/series
+++ b/debian/patches-applied/series
@@ -24,3 +24,4 @@ nullok_secure-compat.patch
pam_unix_initialize_daysleft
pam_faillock_create_directory
+pam_mkhomedir_stat_before_opendir