From 3c69856acf9af74368b789b1ed867b433db0ed02 Mon Sep 17 00:00:00 2001
From: "Dmitry V. Levin" <ldv@altlinux.org>
Date: Fri, 3 Feb 2012 00:13:44 +0000
Subject: pam_unix: make configuration consistent in --enable-static-modules
 mode

In --enable-static-modules mode, it was not possible to use "pam_unix"
in PAM config files.  Instead, different names had to be used for each
management group: pam_unix_auth, pam_unix_acct, pam_unix_passwd and
pam_unix_session.  This change makes pam_unix configuration consistent
with other PAM modules.

* README: Remove the paragraph describing pam_unix distinctions in
--enable-static-modules mode.
* libpam/pam_static_modules.h (_pam_unix_acct_modstruct,
_pam_unix_auth_modstruct, _pam_unix_passwd_modstruct,
_pam_unix_session_modstruct): Remove.
(_pam_unix_modstruct): New pam_module declaration.
* modules/pam_unix/pam_unix_static.h: New file.
* modules/pam_unix/pam_unix_static.c: Likewise.
* modules/pam_unix/Makefile.am (noinst_HEADERS): Add pam_unix_static.h
(pam_unix_la_SOURCES) [STATIC_MODULES]: Add pam_unix_static.c
* modules/pam_unix/pam_unix_acct.c [PAM_STATIC]: Include
pam_unix_static.h
[PAM_STATIC] (_pam_unix_acct_modstruct): Remove.
* modules/pam_unix/pam_unix_auth.c [PAM_STATIC]: Include
pam_unix_static.h
[PAM_STATIC] (_pam_unix_auth_modstruct): Remove.
* modules/pam_unix/pam_unix_passwd.c [PAM_STATIC]: Include
pam_unix_static.h
[PAM_STATIC] (_pam_unix_passwd_modstruct): Remove.
* modules/pam_unix/pam_unix_sess.c [PAM_STATIC]: Include
pam_unix_static.h
[PAM_STATIC] (_pam_unix_session_modstruct): Remove.

Suggested-by: Matveychikov Ilya <i.matveychikov@securitycode.ru>
---
 modules/pam_unix/pam_unix_acct.c | 24 +++++++-----------------
 1 file changed, 7 insertions(+), 17 deletions(-)

(limited to 'modules/pam_unix/pam_unix_acct.c')

diff --git a/modules/pam_unix/pam_unix_acct.c b/modules/pam_unix/pam_unix_acct.c
index 2731b8bc..8e90cc9a 100644
--- a/modules/pam_unix/pam_unix_acct.c
+++ b/modules/pam_unix/pam_unix_acct.c
@@ -52,7 +52,11 @@
 
 /* indicate that the following groups are defined */
 
-#define PAM_SM_ACCOUNT
+#ifdef PAM_STATIC
+# include "pam_unix_static.h"
+#else
+# define PAM_SM_ACCOUNT
+#endif
 
 #include <security/pam_modules.h>
 #include <security/pam_ext.h>
@@ -178,8 +182,8 @@ int _unix_run_verify_binary(pam_handle_t *pamh, unsigned int ctrl,
  * account management module.
  */
 
-PAM_EXTERN int pam_sm_acct_mgmt(pam_handle_t * pamh, int flags,
-				int argc, const char **argv)
+int
+pam_sm_acct_mgmt(pam_handle_t *pamh, int flags, int argc, const char **argv)
 {
 	unsigned int ctrl;
 	const void *void_uname;
@@ -291,17 +295,3 @@ PAM_EXTERN int pam_sm_acct_mgmt(pam_handle_t * pamh, int flags,
 
 	return retval;
 }
-
-
-/* static module data */
-#ifdef PAM_STATIC
-struct pam_module _pam_unix_acct_modstruct = {
-    "pam_unix_acct",
-    NULL,
-    NULL,
-    pam_sm_acct_mgmt,
-    NULL,
-    NULL,
-    NULL,
-};
-#endif
-- 
cgit v1.2.3


From 8e508f23bf5ed727649c99bbd540f7b1c2c2bd35 Mon Sep 17 00:00:00 2001
From: Stevan Bajić <stevan@bajic.ch>
Date: Mon, 9 Jul 2012 09:43:11 +0200
Subject: RLIMIT_* variables are no longer defined unless you explicitly
 include sys/resource.h.
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Signed-off-by: Diego Elio Pettenò <flameeyes@flameeyes.eu>

modules/pam_unix/pam_unix_acct.c: Include sys/resource.h.
---
 modules/pam_unix/pam_unix_acct.c | 1 +
 1 file changed, 1 insertion(+)

(limited to 'modules/pam_unix/pam_unix_acct.c')

diff --git a/modules/pam_unix/pam_unix_acct.c b/modules/pam_unix/pam_unix_acct.c
index 8e90cc9a..4a362f88 100644
--- a/modules/pam_unix/pam_unix_acct.c
+++ b/modules/pam_unix/pam_unix_acct.c
@@ -41,6 +41,7 @@
 #include <string.h>
 #include <unistd.h>
 #include <sys/types.h>
+#include <sys/resource.h>
 #include <syslog.h>
 #include <pwd.h>
 #include <shadow.h>
-- 
cgit v1.2.3


From a9ac7fd64000712fdedd4c38b408ffebd2988156 Mon Sep 17 00:00:00 2001
From: Thorsten Kukuk <kukuk@thkukuk.de>
Date: Thu, 29 Aug 2013 14:09:39 +0200
Subject: Restart waitpid if it returns with EINTR (ticket #17)

* modules/pam_unix/pam_unix_acct.c: run waitpid in a while loop.
* modules/pam_unix/pam_unix_passwd.c: Likewise.
* modules/pam_unix/support.c: Likewise.
---
 modules/pam_unix/pam_unix_acct.c   | 3 ++-
 modules/pam_unix/pam_unix_passwd.c | 3 ++-
 modules/pam_unix/support.c         | 3 ++-
 3 files changed, 6 insertions(+), 3 deletions(-)

(limited to 'modules/pam_unix/pam_unix_acct.c')

diff --git a/modules/pam_unix/pam_unix_acct.c b/modules/pam_unix/pam_unix_acct.c
index 4a362f88..7f8250ca 100644
--- a/modules/pam_unix/pam_unix_acct.c
+++ b/modules/pam_unix/pam_unix_acct.c
@@ -142,7 +142,8 @@ int _unix_run_verify_binary(pam_handle_t *pamh, unsigned int ctrl,
     if (child > 0) {
       char buf[32];
       int rc=0;
-      rc=waitpid(child, &retval, 0);  /* wait for helper to complete */
+      /* wait for helper to complete: */
+      while ((rc=waitpid(child, &retval, 0) < 0 && errno == EINTR);
       if (rc<0) {
 	pam_syslog(pamh, LOG_ERR, "unix_chkpwd waitpid returned %d: %m", rc);
 	retval = PAM_AUTH_ERR;
diff --git a/modules/pam_unix/pam_unix_passwd.c b/modules/pam_unix/pam_unix_passwd.c
index 94bc3ec8..9bc1cd9e 100644
--- a/modules/pam_unix/pam_unix_passwd.c
+++ b/modules/pam_unix/pam_unix_passwd.c
@@ -254,7 +254,8 @@ static int _unix_run_update_binary(pam_handle_t *pamh, unsigned int ctrl, const
 
 	close(fds[0]);       /* close here to avoid possible SIGPIPE above */
 	close(fds[1]);
-	rc=waitpid(child, &retval, 0);  /* wait for helper to complete */
+	/* wait for helper to complete: */
+	while ((rc=waitpid(child, &retval, 0) < 0 && errno == EINTR);
 	if (rc<0) {
 	  pam_syslog(pamh, LOG_ERR, "unix_update waitpid failed: %m");
 	  retval = PAM_AUTHTOK_ERR;
diff --git a/modules/pam_unix/support.c b/modules/pam_unix/support.c
index f36786e4..d8f4a6f7 100644
--- a/modules/pam_unix/support.c
+++ b/modules/pam_unix/support.c
@@ -621,7 +621,8 @@ static int _unix_run_helper_binary(pam_handle_t *pamh, const char *passwd,
 	}
 	close(fds[0]);       /* close here to avoid possible SIGPIPE above */
 	close(fds[1]);
-	rc=waitpid(child, &retval, 0);  /* wait for helper to complete */
+	/* wait for helper to complete: */
+	while ((rc=waitpid(child, &retval, 0)) < 0 && errno == EINTR);
 	if (rc<0) {
 	  pam_syslog(pamh, LOG_ERR, "unix_chkpwd waitpid returned %d: %m", rc);
 	  retval = PAM_AUTH_ERR;
-- 
cgit v1.2.3


From f11cd89316cc051e23ef080aee5c7d823c6dfce2 Mon Sep 17 00:00:00 2001
From: Thorsten Kukuk <kukuk@thkukuk.de>
Date: Fri, 30 Aug 2013 14:46:47 +0200
Subject: Fix compile error

* modules/pam_unix/pam_unix_acct.c: fix last change
---
 modules/pam_unix/pam_unix_acct.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

(limited to 'modules/pam_unix/pam_unix_acct.c')

diff --git a/modules/pam_unix/pam_unix_acct.c b/modules/pam_unix/pam_unix_acct.c
index 7f8250ca..865dc290 100644
--- a/modules/pam_unix/pam_unix_acct.c
+++ b/modules/pam_unix/pam_unix_acct.c
@@ -143,7 +143,7 @@ int _unix_run_verify_binary(pam_handle_t *pamh, unsigned int ctrl,
       char buf[32];
       int rc=0;
       /* wait for helper to complete: */
-      while ((rc=waitpid(child, &retval, 0) < 0 && errno == EINTR);
+      while ((rc=waitpid(child, &retval, 0)) < 0 && errno == EINTR);
       if (rc<0) {
 	pam_syslog(pamh, LOG_ERR, "unix_chkpwd waitpid returned %d: %m", rc);
 	retval = PAM_AUTH_ERR;
-- 
cgit v1.2.3


From ba315ae8effdcad591608c99452dad05c4cf20ab Mon Sep 17 00:00:00 2001
From: Thorsten Kukuk <kukuk@thkukuk.de>
Date: Mon, 16 Sep 2013 11:48:12 +0200
Subject: Check return value of setuid to remove glibc warnings.

* modules/pam_unix/pam_unix_acct.c: Check setuid return value.
* modules/pam_unix/support.c: Likewise.
---
 modules/pam_unix/pam_unix_acct.c | 7 ++++++-
 modules/pam_unix/support.c       | 5 ++++-
 2 files changed, 10 insertions(+), 2 deletions(-)

(limited to 'modules/pam_unix/pam_unix_acct.c')

diff --git a/modules/pam_unix/pam_unix_acct.c b/modules/pam_unix/pam_unix_acct.c
index 865dc290..8ec44492 100644
--- a/modules/pam_unix/pam_unix_acct.c
+++ b/modules/pam_unix/pam_unix_acct.c
@@ -121,7 +121,12 @@ int _unix_run_verify_binary(pam_handle_t *pamh, unsigned int ctrl,
     if (geteuid() == 0) {
       /* must set the real uid to 0 so the helper will not error
          out if pam is called from setuid binary (su, sudo...) */
-      setuid(0);
+      if (setuid(0) == -1) {
+          pam_syslog(pamh, LOG_ERR, "setuid failed: %m");
+          printf("-1\n");
+          fflush(stdout);
+          _exit(PAM_AUTHINFO_UNAVAIL);
+      }
     }
 
     /* exec binary helper */
diff --git a/modules/pam_unix/support.c b/modules/pam_unix/support.c
index 9284dbaa..19d72e66 100644
--- a/modules/pam_unix/support.c
+++ b/modules/pam_unix/support.c
@@ -586,7 +586,10 @@ static int _unix_run_helper_binary(pam_handle_t *pamh, const char *passwd,
 	if (geteuid() == 0) {
           /* must set the real uid to 0 so the helper will not error
 	     out if pam is called from setuid binary (su, sudo...) */
-	  setuid(0);
+	  if (setuid(0) == -1) {
+             D(("setuid failed"));
+	     _exit(PAM_AUTHINFO_UNAVAIL);
+          }
 	}
 
 	/* exec binary helper */
-- 
cgit v1.2.3