-rw-r--r--debian/changelog3
-rw-r--r--debian/patches-applied/no_helper_for_nis+.patch31
-rw-r--r--debian/patches-applied/series1
3 files changed, 35 insertions, 0 deletions
diff --git a/debian/changelog b/debian/changelog
index 4957bf72..5c91f7cc 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -26,6 +26,9 @@ pam (0.99.10.0-1) UNRELEASED; urgency=low
* New patch setreuid_juggling.patch: restore the 0.99.9.0 behavior wrt uid
changes for NIS+, since I know the old behavior was right and don't
believe anyone has tested the new code.
+ * New patch no_helper_for_nis+.patch, which restores the behavior of doing
+ in-process NIS+ account checking instead of unconditionally passing it
+ off to the unix_chkpwd helper; if it wasn't broke, don't fix it.
* The password-changing helper functionality for SELinux systems has been
split out into a separate unix_update binary, so at long last we can
change unix_chkpwd to be sgid shadow instead of suid root.
diff --git a/debian/patches-applied/no_helper_for_nis+.patch b/debian/patches-applied/no_helper_for_nis+.patch
new file mode 100644
index 00000000..da9a03ad
--- /dev/null
+++ b/debian/patches-applied/no_helper_for_nis+.patch
@@ -0,0 +1,31 @@
+Don't force use of the helper for account verification with NIS+; the
+previous code already works robustly for any non-threaded caller, and
+will fall back to use of the helper anyway.
+
+Authors: Steve Langasek <steve.langasek@canonical.com>
+
+Upstream status: to be discussed
+
+Index: pam.deb/modules/pam_unix/passverify.c
+===================================================================
+--- pam.deb.orig/modules/pam_unix/passverify.c
++++ pam.deb/modules/pam_unix/passverify.c
+@@ -166,7 +166,6 @@
+ if (*pwd != NULL) {
+ if (strcmp((*pwd)->pw_passwd, "*NP*") == 0)
+ { /* NIS+ */
+-#ifdef HELPER_COMPILE
+ uid_t save_euid, save_uid;
+
+ save_euid = geteuid();
+@@ -194,10 +193,6 @@
+
+ if (*spwdent == NULL || (*spwdent)->sp_pwdp == NULL)
+ return PAM_AUTHINFO_UNAVAIL;
+-#else
+- /* we must run helper for NIS+ passwords */
+- return PAM_UNIX_RUN_HELPER;
+-#endif
+ } else if (is_pwd_shadowed(*pwd)) {
+ /*
+ * ...and shadow password file entry for this user,
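Review bot: With the `#ifdef HELPER_COMPILE` guard removed at the `*NP*` branch of passverify.c, the `save_euid`/`save_uid` switching now runs inside every process that loads pam_unix, yet nothing in the code records the non-threaded assumption that the patch header states. A uid change applies to the whole process, so in a threaded caller other threads would run with the swapped IDs for the duration of the NIS+ lookup; I would add a comment at the branch such as `/* NIS+: uid/euid are switched in-process here; not safe for threaded callers */`. The lines between the two inner hunks are not shown, so whether a failed restore of the saved IDs is detected cannot be confirmed from this page and is worth checking before this ships. The header also says the code will fall back to the helper, but the visible failure path returns `PAM_AUTHINFO_UNAVAIL` rather than `PAM_UNIX_RUN_HELPER`, so that fallback presumably lives in the caller and should be verified.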
diff --git a/debian/patches-applied/series b/debian/patches-applied/series
index 3b410ab1..c67db0e0 100644
--- a/debian/patches-applied/series
+++ b/debian/patches-applied/series
@@ -1,5 +1,6 @@
thread-safe_save_old_password.patch
setreuid_juggling.patch
+no_helper_for_nis+.patch
007_modules_pam_unix
008_modules_pam_limits_chroot
021_nis_cleanup