-rw-r--r--patches-applied/008_modules_pam_limits_chroot108
-rw-r--r--patches-applied/009_pam_unix_likeauth131
2 files changed, 239 insertions, 0 deletions
diff --git a/patches-applied/008_modules_pam_limits_chroot b/patches-applied/008_modules_pam_limits_chroot
new file mode 100644
index 00000000..9c4f9c27
--- /dev/null
+++ b/patches-applied/008_modules_pam_limits_chroot
@@ -0,0 +1,108 @@
+Index: Linux-PAM/doc/modules/pam_limits.sgml
+===================================================================
+RCS file: /afs/sipb/project/debian/cvs/pam/Linux-PAM/doc/modules/pam_limits.sgml,v
+retrieving revision 1.1.1.1
+diff -u -r1.1.1.1 pam_limits.sgml
+--- Linux-PAM/doc/modules/pam_limits.sgml 29 Apr 2001 04:16:56 -0000 1.1.1.1
++++ Linux-PAM/doc/modules/pam_limits.sgml 5 May 2002 18:35:58 -0000
+@@ -142,6 +142,7 @@
+ <item><tt/as/ - address space limit
+ <item><tt/maxlogins/ - max number of logins for this user.
+ <item><tt/priority/ - the priority to run user process with
++<item><tt/chroot/ - directory to chroot user to
+ </itemize>
+
+ <p>
+@@ -184,6 +185,7 @@
+ @faculty soft nproc 20
+ @faculty hard nproc 50
+ ftp hard nproc 0
++ftp - chroot /ftp
+ @student - maxlogins 4
+ </verb>
+ </tscreen>
+Index: Linux-PAM/modules/pam_limits/pam_limits.c
+===================================================================
+RCS file: /afs/sipb/project/debian/cvs/pam/Linux-PAM/modules/pam_limits/pam_limits.c,v
+retrieving revision 1.1.1.1
+diff -u -r1.1.1.1 pam_limits.c
+--- Linux-PAM/modules/pam_limits/pam_limits.c 29 Apr 2001 04:17:23 -0000 1.1.1.1
++++ Linux-PAM/modules/pam_limits/pam_limits.c 5 May 2002 18:50:32 -0000
+@@ -61,12 +61,14 @@
+ int priority; /* the priority to run user process with */
+ struct user_limits_struct limits[RLIM_NLIMITS];
+ char conf_file[BUFSIZ];
++ char chroot_dir[8092] ; /* directory to chroot into */
+ };
+
+ #define LIMIT_LOGIN RLIM_NLIMITS+1
+ #define LIMIT_NUMSYSLOGINS RLIM_NLIMITS+2
+
+ #define LIMIT_PRI RLIM_NLIMITS+3
++#define LIMIT_CHROOT RLIM_NLIMITS+4
+
+ #define LIMIT_SOFT 1
+ #define LIMIT_HARD 2
+@@ -273,6 +275,8 @@
+ pl->login_limit = -2;
+ pl->login_limit_def = LIMITS_DEF_NONE;
+
++ pl->chroot_dir[0] = '\0';
++
+ return retval;
+ }
+
+@@ -318,6 +322,8 @@
+ pl->flag_numsyslogins = 1;
+ } else if (strcmp(lim_item, "priority") == 0) {
+ limit_item = LIMIT_PRI;
++ } else if (strcmp(lim_item, "chroot") == 0) {
++ limit_item = LIMIT_CHROOT;
+ } else {
+ _pam_log(LOG_DEBUG,"unknown limit item '%s'", lim_item);
+ return;
+@@ -365,7 +371,7 @@
+ }
+
+ if (limit_item != LIMIT_LOGIN && limit_item != LIMIT_NUMSYSLOGINS
+- && limit_item != LIMIT_PRI
++ && limit_item != LIMIT_PRI && limit_item != LIMIT_CHROOT
+ ) {
+ if (limit_type & LIMIT_SOFT) {
+ if (pl->limits[limit_item].src_soft < source) {
+@@ -387,15 +393,18 @@
+ if (limit_item == LIMIT_PRI) {
+ /* additional check */
+ pl->priority = ((limit_value>0)?limit_value:0);
+- } else {
++ } else if (limit_item == LIMIT_LOGIN ||
++ limit_item == LIMIT_NUMSYSLOGINS) {
+ if (pl->login_limit_def < source) {
+ return;
+ } else {
+ pl->login_limit = limit_value;
+ pl->login_limit_def = source;
+ }
++ } else if (limit_item == LIMIT_CHROOT) {
++ strncpy(pl->chroot_dir, value_orig, sizeof(pl->chroot_dir));
+ }
+- return;
++ return;
+ }
+
+ static int parse_config_file(const char *uname, int ctrl,
+@@ -517,6 +526,14 @@
+ retval |= LOGIN_ERR;
+ } else if (pl->login_limit == 0)
+ retval |= LOGIN_ERR;
++
++ if (!retval && pl->chroot_dir[0]) {
++ i = chdir(pl->chroot_dir);
++ if (i == 0)
++ i = chroot(pl->chroot_dir);
++ if (i != 0)
++ retval = LIMIT_ERR;
++ }
+ return retval;
+ }
+
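Review bot: The `strncpy(pl->chroot_dir, value_orig, sizeof(pl->chroot_dir))` added in the LIMIT_CHROOT branch of the limit parser does not NUL-terminate when `value_orig` is as long as the buffer, so the later `chdir(pl->chroot_dir)` can read past the end of the array; `snprintf(pl->chroot_dir, sizeof(pl->chroot_dir), "%s", value_orig);` keeps the bound and always terminates. Whether `value_orig` is already bounded by the config line buffer cannot be seen from here, since the parsing function starts outside the hunk. The buffer size `char chroot_dir[8092]` also looks like a typo for 8192; `PATH_MAX` would state the intent. In the session-phase block, `chdir()` then `chroot()` is the right order, but `i` must already be declared in that enclosing function (its start is outside the hunk), and a comment such as `/* runs while still root; the jail only holds if the application drops privileges afterwards */` would record the assumption the chroot depends on.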
diff --git a/patches-applied/009_pam_unix_likeauth b/patches-applied/009_pam_unix_likeauth
new file mode 100644
index 00000000..37a9b696
--- /dev/null
+++ b/patches-applied/009_pam_unix_likeauth
@@ -0,0 +1,131 @@
+Index: Linux-PAM/modules/pam_unix/pam_unix_auth.c
+===================================================================
+RCS file: /afs/sipb/project/debian/cvs/pam/Linux-PAM/modules/pam_unix/pam_unix_auth.c,v
+retrieving revision 1.1.1.1
+diff -u -r1.1.1.1 pam_unix_auth.c
+--- Linux-PAM/modules/pam_unix/pam_unix_auth.c 29 Apr 2001 04:17:37 -0000 1.1.1.1
++++ Linux-PAM/modules/pam_unix/pam_unix_auth.c 19 May 2002 00:42:59 -0000
+@@ -81,17 +81,26 @@
+ #define _UNIX_AUTHTOK "-UN*X-PASS"
+
+ #define AUTH_RETURN \
+-{ \
++do { \
+ if (on(UNIX_LIKE_AUTH, ctrl) && ret_data) { \
+ D(("recording return code for next time [%d]", \
+ retval)); \
++ *ret_data = retval; \
+ pam_set_data(pamh, "unix_setcred_return", \
+- (void *) retval, NULL); \
++ (void *) ret_data, setcred_free); \
+ } \
+ D(("done. [%s]", pam_strerror(pamh, retval))); \
+ return retval; \
++} while (0)
++
++
++static void setcred_free (pam_handle_t * pamh, void *ptr, int err)
++{
++ if (ptr)
++ free (ptr);
+ }
+
++
+ PAM_EXTERN int pam_sm_authenticate(pam_handle_t * pamh, int flags
+ ,int argc, const char **argv)
+ {
+@@ -105,7 +114,8 @@
+
+ /* Get a few bytes so we can pass our return value to
+ pam_sm_setcred(). */
+- ret_data = malloc(sizeof(int));
++ if (on(UNIX_LIKE_AUTH, ctrl))
++ ret_data = malloc(sizeof(int));
+
+ /* get the user'name' */
+
+@@ -120,7 +130,7 @@
+ if (name == NULL || !isalnum(*name)) {
+ _log_err(LOG_ERR, pamh, "bad username [%s]", name);
+ retval = PAM_USER_UNKNOWN;
+- AUTH_RETURN
++ AUTH_RETURN;
+ }
+ if (retval == PAM_SUCCESS && on(UNIX_DEBUG, ctrl))
+ D(("username [%s] obtained", name));
+@@ -133,7 +143,7 @@
+ */
+ retval = PAM_INCOMPLETE;
+ }
+- AUTH_RETURN
++ AUTH_RETURN;
+ }
+
+ /* if this user does not have a password... */
+@@ -142,7 +152,7 @@
+ D(("user '%s' has blank passwd", name));
+ name = NULL;
+ retval = PAM_SUCCESS;
+- AUTH_RETURN
++ AUTH_RETURN;
+ }
+ /* get this user's authentication token */
+
+@@ -161,7 +171,7 @@
+ retval = PAM_INCOMPLETE;
+ }
+ name = NULL;
+- AUTH_RETURN
++ AUTH_RETURN;
+ }
+ D(("user=%s, password=[%s]", name, p));
+
+@@ -169,7 +179,7 @@
+ retval = _unix_verify_password(pamh, name, p, ctrl);
+ name = p = NULL;
+
+- AUTH_RETURN
++ AUTH_RETURN;
+ }
+
+
+@@ -185,29 +195,23 @@
+ PAM_EXTERN int pam_sm_setcred(pam_handle_t * pamh, int flags
+ ,int argc, const char **argv)
+ {
+- unsigned int ctrl;
+ int retval;
++ int *pretval = NULL;
+
+ D(("called."));
+
+- /* FIXME: it shouldn't be necessary to parse the arguments again. The
+- only argument we need is UNIX_LIKE_AUTH: if it was set,
+- pam_get_data will succeed. If it wasn't, it will fail, and we
+- return PAM_SUCCESS. -SRL */
+- ctrl = _set_ctrl(pamh, flags, NULL, argc, argv);
+ retval = PAM_SUCCESS;
+
+- if (on(UNIX_LIKE_AUTH, ctrl)) {
+- int *pretval = NULL;
+-
+- D(("recovering return code from auth call"));
+- pam_get_data(pamh, "unix_setcred_return", (const void **) pretval);
+- if(pretval) {
+- retval = *pretval;
+- free(pretval);
+- D(("recovered data indicates that old retval was %d", retval));
+- }
++ D(("recovering return code from auth call"));
++ /* We will only find something here if UNIX_LIKE_AUTH is set --
++ don't worry about an explicit check of argv. */
++ pam_get_data(pamh, "unix_setcred_return", (const void **) &pretval);
++ if(pretval) {
++ retval = *pretval;
++ pam_set_data(pamh, "unix_setcred_return", NULL, NULL);
++ D(("recovered data indicates that old retval was %d", retval));
+ }
++
+ return retval;
+ }
+
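Review bot: The rewritten AUTH_RETURN macro ignores the return value of `pam_set_data(pamh, "unix_setcred_return", (void *) ret_data, setcred_free)`, so on failure the freshly allocated `ret_data` is never released, because the cleanup only runs for data libpam actually registered; `if (pam_set_data(pamh, "unix_setcred_return", (void *) ret_data, setcred_free) != PAM_SUCCESS) free(ret_data);` closes that path. The `malloc(sizeof(int))` in pam_sm_authenticate is likewise unchecked: on allocation failure nothing is recorded and pam_sm_setcred then returns PAM_SUCCESS even when authentication failed, which may be acceptable but should be stated, e.g. `/* on OOM nothing is recorded; setcred will report PAM_SUCCESS */`; the declaration of `ret_data` (and its NULL initialisation) is outside the hunk and should be confirmed. In pam_sm_setcred, the `pam_set_data(pamh, "unix_setcred_return", NULL, NULL)` replacement appears to rely on libpam calling the previous entry's cleanup (setcred_free) when data is overwritten — worth verifying against the libpam in use, otherwise the int leaks. Minor: `if (ptr) free (ptr);` in setcred_free is redundant, since free(NULL) is a no-op.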