-rw-r--r-- | changelog | 5 | ||||
-rw-r--r-- | patches-applied/031_pam_include | 114 | ||||
-rw-r--r-- | patches-applied/056_no_label_at_end | 12 | ||||
-rw-r--r-- | patches-applied/series | 3 |
4 files changed, 54 insertions, 80 deletions
@@ -146,6 +146,9 @@ pam (0.99.7.1-2) UNRELEASED; urgency=low Laurent Bigonville for the hint. Closes: #439038. * Add a watch file for use with uscan; thanks to Laurent Bigonville for this patch as well. Closes: #439040. + * Rewrite of 031_pam_include, fixing a memory leak and letting us drop + patch 056_no_label_at_end; thanks to Jan Christoph Nordholz + <hesso@pool.math.tu-berlin.de> for this much-improved version! * New patch no_pthread_mutexes: don't use pthread mutexes in pam_modutil functions, they're not needed because pam handles themselves should not be used concurrently by multiple threads and @@ -153,7 +156,7 @@ pam (0.99.7.1-2) UNRELEASED; urgency=low * New patch hurd_no_setfsuid: if we don't have sys/fsuid.h, work around using setreuid instead. - -- Steve Langasek <vorlon@debian.org> Sat, 25 Aug 2007 03:49:47 -0700 + -- Steve Langasek <vorlon@debian.org> Sat, 25 Aug 2007 22:00:05 -0700 pam (0.79-4) unstable; urgency=medium diff --git a/patches-applied/031_pam_include b/patches-applied/031_pam_include index f3fc82e6..5ccbe6a3 100644 --- a/patches-applied/031_pam_include +++ b/patches-applied/031_pam_include 
@@ -1,75 +1,59 @@ -Index: Linux-PAM/libpam/pam_handlers.c +Patch to implement an @include directive for use in pam.d config files. + +Authors: Jan Christoph Nordholz <hesso@pool.math.tu-berlin.de> + +Upstream status: not yet submitted + +Index: pam/Linux-PAM/libpam/pam_handlers.c =================================================================== ---- Linux-PAM/libpam/pam_handlers.c.orig -+++ Linux-PAM/libpam/pam_handlers.c -@@ -114,6 +114,62 @@ +--- pam.orig/Linux-PAM/libpam/pam_handlers.c ++++ pam/Linux-PAM/libpam/pam_handlers.c +@@ -114,6 +114,11 @@ module_type = PAM_T_ACCT; } else if (!strcasecmp("password", tok)) { module_type = PAM_T_PASS; + } else if (!strcasecmp("@include", tok)) { -+ /* include a file here -+ * most of the code adapted from _pam_init_handlers */ -+ FILE *inc_f; -+ int retval; -+ int drop_f = 1; -+ -+ tok = _pam_StrTok(NULL, " \n\t", &nexttok); -+ if (tok == NULL) { -+ D(("_pam_parse_conf_file: included file name not given")); -+ pam_syslog(pamh, LOG_ERR, -+ "(%s) included file name not given", -+ this_service); -+ } else { -+ char *filename; -+ struct stat test_d; -+ -+ if (!strcmp("/", tok)) { -+ filename = tok; -+ drop_f = 0; -+ } else if ( stat(PAM_CONFIG_D, &test_d) == 0 && S_ISDIR(test_d.st_mode) ) { -+ D(("searching " PAM_CONFIG_D " for included file")); -+ filename = malloc(sizeof(PAM_CONFIG_DF) -+ +strlen(tok)); -+ if (filename == NULL) { -+ pam_syslog(pamh, LOG_ERR, -+ "_pam_parse_conf_file: no memory; service %s", -+ this_service); -+ return PAM_BUF_ERR; -+ } -+ sprintf(filename, PAM_CONFIG_DF, tok); -+ } -+ D(("opening %s", filename)); -+ inc_f = fopen(filename, "r"); -+ if (inc_f != NULL) { -+ retval = _pam_parse_conf_file(pamh, inc_f, known_service, requested_module_type -+#ifdef PAM_READ_BOTH_CONFS -+ , not_other -+#endif /* PAM_READ_BOTH_CONFS */ -+ ); -+ fclose(inc_f); -+ if (retval != PAM_SUCCESS) { -+ pam_syslog(pamh, LOG_ERR, -+ "_pam_parse_conf_file: error reading %s", -+ filename); -+ pam_syslog(pamh, LOG_ERR, -+ 
"_pam_parse_conf_file: [%s]", -+ pam_strerror(pamh, retval)); -+ return retval; -+ } -+ } -+ if (drop_f) -+ _pam_drop(filename); -+ } -+ /* skip dealing with the module; and go to the next line */ -+ goto end; ++ pam_include = 1; ++ D(("Following legacy '@include' directive.")); ++ module_type = requested_module_type; ++ goto parsing_done; } else { /* Illegal module type */ D(("_pam_init_handlers: bad module type: %s", tok)); -@@ -244,6 +300,7 @@ - return PAM_ABORT; +@@ -178,14 +183,33 @@ + _pam_set_default_control(actions, _PAM_ACTION_BAD); } - } -+end: - } - return ( (x < 0) ? PAM_ABORT:PAM_SUCCESS ); ++parsing_done: + tok = _pam_StrTok(NULL, " \n\t", &nexttok); + if (pam_include) { +- if (_pam_load_conf_file(pamh, tok, this_service, module_type ++ struct stat include_dir; ++ if (tok[0] == '/') { ++ if (_pam_load_conf_file(pamh, tok, this_service, module_type + #ifdef PAM_READ_BOTH_CONFS +- , !other ++ , !other + #endif /* PAM_READ_BOTH_CONFS */ + ) == PAM_SUCCESS) +- continue; ++ continue; ++ } else if (!stat(PAM_CONFIG_D, &include_dir) && S_ISDIR(include_dir.st_mode)) { ++ char *include_file; ++ if (asprintf (&include_file, PAM_CONFIG_DF, tok) < 0) { ++ pam_syslog(pamh, LOG_CRIT, "asprintf failed"); ++ return PAM_ABORT; ++ } ++ if (_pam_load_conf_file(pamh, include_file, this_service, module_type ++#ifdef PAM_READ_BOTH_CONFS ++ , !other ++#endif /* PAM_READ_BOTH_CONFS */ ++ ) == PAM_SUCCESS) { ++ free(include_file); ++ continue; ++ } ++ free(include_file); ++ } + _pam_set_default_control(actions, _PAM_ACTION_BAD); + mod_path = NULL; + must_fail = 1; diff --git a/patches-applied/056_no_label_at_end b/patches-applied/056_no_label_at_end deleted file mode 100644 index 6f24b474..00000000 --- a/patches-applied/056_no_label_at_end +++ /dev/null 
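Review bot: In the rewritten branch after `parsing_done:`, `if (tok[0] == '/')` dereferences the result of `_pam_StrTok(NULL, " \n\t", &nexttok)` without a NULL check, whereas the code this patch replaces tested `tok == NULL` and logged "included file name not given". If `_pam_StrTok` can return NULL here, as the removed check implies, a bare `@include` line with no file name would likely crash the application loading that service's PAM configuration instead of failing the stack cleanly. I would guard it with `if (tok == NULL) { pam_syslog(pamh, LOG_ERR, "(%s) included file name not given", this_service); } else if (tok[0] == '/') {` so the line falls through to the existing `_PAM_ACTION_BAD` / `must_fail = 1` handling. The relative-path case formats `tok` into `PAM_CONFIG_DF` as-is, so a short comment stating that pam.d files are treated as trusted, root-owned input and that `..` components are not rejected would help later readers. The enclosing function starts and ends outside this hunk.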
@@ -1,12 +0,0 @@ -Index: Linux-PAM/libpam/pam_handlers.c -=================================================================== ---- Linux-PAM/libpam/pam_handlers.c.orig -+++ Linux-PAM/libpam/pam_handlers.c -@@ -300,6 +300,7 @@ - } - } - end: -+ continue; - } - - return ( (x < 0) ? PAM_ABORT:PAM_SUCCESS ); diff --git a/patches-applied/series b/patches-applied/series index a8bd5798..df0d86c3 100644 --- a/patches-applied/series +++ b/patches-applied/series @@ -9,7 +9,7 @@ 026_pam_unix_passwd_unknown_user -p0 027_pam_limits_better_init_allow_explicit_root -p0 029_pam_limits_capabilities -p0 -031_pam_include -p0 +031_pam_include 032_pam_limits_EPERM_NOT_FATAL -p0 036_pam_wheel_getlogin_considered_harmful -p0 038_support_hurd -p0 @@ -22,7 +22,6 @@ hurd_no_setfsuid -p0 049_pam_unix_sane_locking -p0 054_pam_security_abstract_securetty_handling -p0 055_pam_unix_nullok_secure -p0 -056_no_label_at_end -p0 057_pam_unix_passwd_OOM_check -p0 061_pam_issue_double_free -p0 063_paswd_segv -p0 |