[Pkg-cvs-commits] r13 - in /trunk: changelog patches/60_PAM_support
93sam at users.alioth.debian.org
93sam at users.alioth.debian.org
Fri May 19 23:14:12 UTC 2006
Author: 93sam
Date: Fri May 19 23:14:09 2006
New Revision: 13
URL: http://svn.debian.org/wsvn/?sc=1&rev=13
Log:
Updated PAM support patch, now testing it.
Modified:
trunk/changelog
trunk/patches/60_PAM_support
Modified: trunk/changelog
URL: http://svn.debian.org/wsvn/trunk/changelog?rev=13&op=diff
==============================================================================
--- trunk/changelog (original)
+++ trunk/changelog Fri May 19 23:14:09 2006
@@ -1,5 +1,10 @@
cvs (1:1.12.13-1) unstable; urgency=low
+ [ Steve McIntyre ]
+ * CVS now maintained by a team, with packaging/patches maintained
+ on alioth. First new team member is Zak B. Elep.
+
+ [ Zak B. Elep ]
* New upstream version.
* debian/control:
+ Add myself to Uploaders.
@@ -14,9 +19,6 @@ cvs (1:1.12.13-1) unstable; urgency=low
* debian/patches:
+ Slightly touch 14_ext_expansion
+ Slightly touch 56_extra_tags
- + Temporarily disabled 60_PAM_support; although merged in
- upstream since 1.12.10, Debian's PAM configuration needs
- special attention
+ Remove 63_add_commit_dir, now merged in upstream
+ Remove 64_fix_loginfo_variables, now merged in upstream
+ Slightly touch 66_64bit_crashfix
@@ -26,8 +28,6 @@ cvs (1:1.12.13-1) unstable; urgency=low
+ Slightly touch 85_normalize_correct_roots
+ Slightly touch 94_parseopts to use new RCS_setlocalid and
RCS_setincexc
- + Added references to patch authors when applicable, thanks to
- Steve McIntyre :-)
* debian/cvs.docs:
+ Update paths.
* Fix this changelog, remove spurious tabs.
@@ -39,7 +39,12 @@ cvs (1:1.12.13-1) unstable; urgency=low
* debian/cvs.doc-base.client:
+ Point Index to cvsclient.html
- -- Zak B. Elep <zakame at spunge.org> Sat, 13 May 2006 01:03:14 +0800
+ [ Steve McIntyre ]
+ * Updated/reduced size of 60_PAM_support
+ * Improved documentation on the Debian patches to aid in team
+ maintenance.
+
+ -- Steve McIntyre <93sam at debian.org> Fri, 19 May 2006 23:57:58 +0100
cvs (1:1.12.9-17) unstable; urgency=low
Modified: trunk/patches/60_PAM_support
URL: http://svn.debian.org/wsvn/trunk/patches/60_PAM_support?rev=13&op=diff
==============================================================================
--- trunk/patches/60_PAM_support (original)
+++ trunk/patches/60_PAM_support Fri May 19 23:14:09 2006
@@ -6,248 +6,10 @@
# user does not exist
#
# Patch by Steve McIntyre <steve at einval.com>
---- ./cvs-1.12.9/src/server.c~ 2004-05-05 23:10:59.000000000 +0100
-+++ ./cvs-1.12.9/src/server.c 2004-05-05 23:29:38.000000000 +0100
-@@ -108,7 +108,7 @@
-
- /* Should we check for system usernames/passwords? Can be changed by
- CVSROOT/config. */
--int system_auth = 1;
-+int system_auth = 0;
-
- # endif /* AUTH_SERVER_SUPPORT */
-
-@@ -5486,6 +5486,8 @@
- #ifdef HAVE_PAM
-
- # include <security/pam_appl.h>
-+static char *default_pam_username = NULL;
-+int pam_auth = 1;
-
- struct cvs_pam_userinfo {
- char *username;
-@@ -5545,14 +5547,16 @@
-
-
-
--static int
--check_system_password (char *username, char *password)
-+static char *
-+check_pam_password (char *username, char *password, char *repository )
- {
- pam_handle_t *pamh = NULL;
-+ struct passwd *pw = NULL;
- int retval, err;
- struct cvs_pam_userinfo ui = { username, password };
- struct pam_conv conv = { cvs_pam_conv, (void *)&ui };
- char *pam_stage = "start";
-+ char *host_user = NULL;
-
- retval = pam_start (PAM_SERVICE_NAME, username, &conv, &pamh);
-
-@@ -5577,9 +5581,41 @@
- exit (EXIT_FAILURE);
- }
-
-- return retval == PAM_SUCCESS; /* indicate success */
-+ if (PAM_SUCCESS == retval)
-+ {
-+ /* An issue with using pam is that the host may well not have
-+ a local user entry to match the authenticated user. Check
-+ with getpwnam; if that fails, then we can optionally fall
-+ back to a specified local username */
-+ pw = getpwnam (username);
-+ if (pw == NULL)
-+ {
-+ if(NULL != default_pam_username)
-+ {
-+ host_user = xstrdup(default_pam_username);
-+ /* And don't check existence again - switch_to_user()
-+ will do it for us later */
-+ }
-+ }
-+ else
-+ host_user = xstrdup(username);
-+ }
-+
-+ return host_user; /* indicate success */
-+}
-+
-+/* Set the default user to use for a remote pam user for whom
-+ getpwnam() will fail */
-+void
-+set_default_pam_user (username)
-+ char *username;
-+{
-+ if( (username != NULL) && (strlen(username) > 0))
-+ default_pam_username = xstrdup(username);
- }
--#else
-+
-+#endif /* HAVE_PAM */
-+
- static int
- check_system_password (char *username, char *password)
- {
-@@ -5644,9 +5680,6 @@
- #endif
- return 1;
- }
--#endif
--
--
-
- /* Return a hosting username if password matches, else NULL. */
- static char *
-@@ -5671,7 +5704,11 @@
-
- assert (rc == 0);
-
-+#ifdef HAVE_PAM
-+ if (!pam_auth && !system_auth)
-+#else
- if (!system_auth)
-+#endif /* HAVE_PAM */
- {
- /* Note that the message _does_ distinguish between the case in
- which we check for a system password and the case in which
-@@ -5684,18 +5721,21 @@
- exit (EXIT_FAILURE);
- }
-
-- /* No cvs password found, so try /etc/passwd. */
-- if ( check_system_password(username, password) )
-- host_user = xstrdup (username);
-- else
-- host_user = NULL;
-+ if (system_auth)
-+ {
-+ /* No cvs password found, so try /etc/passwd. */
-+ if ( check_system_password(username, password) )
-+ host_user = xstrdup (username);
-+ else
-+ host_user = NULL;
-
- #ifdef LOG_AUTHPRIV
-- if (!host_user)
-- syslog (LOG_AUTHPRIV | LOG_NOTICE,
-- "login refused for %s: user has no password", username);
-+ if (!host_user)
-+ syslog (LOG_AUTHPRIV | LOG_NOTICE,
-+ "login refused for %s: user has no password", username);
- #endif
--
-+ }
-+
- handle_return:
- if (host_user)
- {
-@@ -5728,7 +5768,7 @@
- char *password = NULL;
- size_t password_allocated = 0;
-
-- char *host_user;
-+ char *host_user = NULL;
- char *descrambled_password;
- #endif /* AUTH_SERVER_SUPPORT */
- int verify_and_exit = 0;
-@@ -5868,7 +5908,15 @@
-
- /* We need the real cleartext before we hash it. */
- descrambled_password = descramble (password);
-- host_user = check_password (username, descrambled_password, repository);
-+
-+ if (NULL == host_user)
-+ host_user = check_password (username, descrambled_password, repository);
-+
-+#ifdef HAVE_PAM
-+ if (NULL == host_user && pam_auth)
-+ host_user = check_pam_password (username, descrambled_password, repository);
-+#endif /* HAVE_PAM */
-+
- if (host_user == NULL)
- {
- #ifdef HAVE_SYSLOG_H
---- ./cvs-1.12.9/src/parseinfo.c~ 2004-03-22 17:26:47.000000000 +0000
-+++ ./cvs-1.12.9/src/parseinfo.c 2004-05-05 23:30:50.000000000 +0100
-@@ -432,6 +432,27 @@
- }
- }
- #endif /* SUPPORT_OLD_INFO_FMT_STRINGS */
-+ else if (strcmp (line, "DefaultPamUser") == 0)
-+ {
-+#ifdef HAVE_PAM
-+ set_default_pam_user(p);
-+#endif
-+ } /* Don't complain if we don't have PAM here... */
-+ else if (strcmp (line, "PamAuth") == 0)
-+ {
-+ if (strcmp (p, "no") == 0)
-+#ifdef HAVE_PAM
-+ pam_auth = 0;
-+#else
-+ ;
-+#endif
-+ else if (strcmp (p, "yes") == 0)
-+#ifdef HAVE_PAM
-+ pam_auth = 1;
-+#else
-+ ;
-+#endif
-+ } /* Don't complain if we don't have PAM here... */
- else
- {
- /* We may be dealing with a keyword which was added in a
---- ./cvs-1.12.9/src/server.h~ 2004-04-05 16:36:17.000000000 +0100
-+++ ./cvs-1.12.9/src/server.h 2004-05-05 23:31:31.000000000 +0100
-@@ -151,6 +151,9 @@
- #ifdef AUTH_SERVER_SUPPORT
- extern char *CVS_Username;
- extern int system_auth;
-+#ifdef HAVE_PAM
-+extern int pam_auth;
-+#endif /* HAVE_PAM */
- #endif /* AUTH_SERVER_SUPPORT */
-
- #endif /* SERVER_SUPPORT */
---- ./cvs-1.12.9/src/cvs.h~ 2004-05-05 23:10:59.000000000 +0100
-+++ ./cvs-1.12.9/src/cvs.h 2004-05-05 23:19:59.000000000 +0100
-@@ -451,6 +451,7 @@
- void root_allow_add (char *);
- void root_allow_free (void);
- int root_allow_ok (char *);
-+void set_default_pam_user (char *);
-
- char *previous_rev (RCSNode *rcs, const char *rev);
- char *gca (const char *rev1, const char *rev2);
---- ./cvs-1.12.9/src/main.c~ 2004-05-05 23:10:59.000000000 +0100
-+++ ./cvs-1.12.9/src/main.c 2004-05-05 23:21:20.000000000 +0100
-@@ -435,6 +435,9 @@
- {"help-synonyms", 0, NULL, 2},
- {"help-options", 0, NULL, 4},
- {"allow-root", required_argument, NULL, 3},
-+#ifdef HAVE_PAM
-+ {"default-pam-user", required_argument, NULL, 5},
-+#endif
- {0, 0, 0, 0}
- };
- /* `getopt_long' stores the option index here, but right now we
-@@ -549,6 +552,12 @@
- /* --allow-root */
- root_allow_add (optarg);
- break;
-+#ifdef HAVE_PAM
-+ case 5:
-+ /* --default-pam-user */
-+ set_default_pam_user (optarg);
-+ break;
-+#endif
- case 'Q':
- really_quiet = 1;
- /* FALL THROUGH */
---- ./cvs-1.12.9/doc/cvs.texinfo~ 2004-05-05 23:10:59.000000000 +0100
-+++ ./cvs-1.12.9/doc/cvs.texinfo 2004-05-05 23:34:15.000000000 +0100
-@@ -2555,8 +2555,18 @@
+diff -ruN cvs-1.12.13-old/doc/cvs.texinfo cvs-1.12.13/doc/cvs.texinfo
+--- cvs-1.12.13-old/doc/cvs.texinfo 2005-09-23 03:02:53.000000000 +0100
++++ cvs-1.12.13/doc/cvs.texinfo 2006-05-19 23:50:10.000000000 +0100
+@@ -2662,8 +2662,18 @@
system has PAM (Pluggable Authentication Modules)
and your @sc{cvs} server executable was configured to
use it at compile time (using @code{./configure --enable-pam} - see the
@@ -268,8 +30,8 @@
authentication source PAM can be configured to use (possibilities
include a simple UNIX password, NIS, LDAP, and others) in its
global configuration file (usually @file{/etc/pam.conf}
-@@ -2583,7 +2593,7 @@
- cvs account required pam_unix.so
+@@ -2691,7 +2701,7 @@
+ cvs session required pam_unix.so
@end example
-The the equivalent @file{/etc/pam.d/cvs} would contain
@@ -277,7 +39,7 @@
@example
auth required pam_unix.so
-@@ -2606,6 +2616,15 @@
+@@ -2715,6 +2725,13 @@
feature should not be used if you may not have control of the name
@sc{cvs} will be invoked as.
@@ -286,10 +48,97 @@
+may set a default name for the account on the server
+that will be used after authentication. To do this,
+either set @code{DefaultPamUser=user} in the @sc{cvs}
-+ at file{config} file, @pxref{config}, or add a
-+command-line option @sc{--default-pam-user user} on the
-+server command line.
++ at file{config} file, @pxref{config}.
+
Be aware, also, that falling back to system
authentication might be a security risk: @sc{cvs}
operations would then be authenticated with that user's
+diff -ruN cvs-1.12.13-old/src/parseinfo.c cvs-1.12.13/src/parseinfo.c
+--- cvs-1.12.13-old/src/parseinfo.c 2005-09-06 05:40:37.000000000 +0100
++++ cvs-1.12.13/src/parseinfo.c 2006-05-19 22:46:00.000000000 +0100
+@@ -303,8 +303,12 @@
+ */
+ #endif /* PROXY_SUPPORT */
+ #ifdef AUTH_SERVER_SUPPORT
+- new->system_auth = true;
++ new->system_auth = false;
+ #endif /* AUTH_SERVER_SUPPORT */
++#ifdef HAVE_PAM
++ new->PamAuth = true;
++ new->DefaultPamUser = NULL;
++#endif
+
+ return new;
+ }
+@@ -696,6 +700,13 @@
+ readSizeT (infopath, "MaxCompressionLevel", p,
+ &retval->MaxCompressionLevel);
+ #endif /* SERVER_SUPPORT */
++#ifdef HAVE_PAM
++ else if (!strcmp (line, "DefaultPamUser"))
++ retval->DefaultPamUser = xstrdup(p);
++ else if (!strcmp (line, "PamAuth"))
++ readBool (infopath, "PamAuth", p,
++ &retval->PamAuth);
++#endif
+ else
+ /* We may be dealing with a keyword which was added in a
+ subsequent version of CVS. In that case it is a good idea
+diff -ruN cvs-1.12.13-old/src/parseinfo.h cvs-1.12.13/src/parseinfo.h
+--- cvs-1.12.13-old/src/parseinfo.h 2005-09-05 04:03:38.000000000 +0100
++++ cvs-1.12.13/src/parseinfo.h 2006-05-19 22:40:31.000000000 +0100
+@@ -59,6 +59,10 @@
+ #ifdef PRESERVE_PERMISSIONS_SUPPORT
+ bool preserve_perms;
+ #endif /* PRESERVE_PERMISSIONS_SUPPORT */
++#ifdef HAVE_PAM
++ char *DefaultPamUser;
++ bool PamAuth;
++#endif
+ };
+
+ bool parse_error (const char *, unsigned int);
+diff -ruN cvs-1.12.13-old/src/server.c cvs-1.12.13/src/server.c
+--- cvs-1.12.13-old/src/server.c 2005-09-28 16:25:59.000000000 +0100
++++ cvs-1.12.13/src/server.c 2006-05-20 00:02:10.000000000 +0100
+@@ -6919,6 +6919,15 @@
+ {
+ pam_stage = "get pam user";
+ retval = pam_get_item (pamh, PAM_USER, (const void **)username);
++ if ((retval != PAM_SUCCESS) && (NULL != config->DefaultPamUser))
++ {
++ /* An issue with using pam is that the host may well not have
++ a local user entry to match the authenticated user. If this
++ has failed, optionally fall back to a specified local
++ username */
++ *username = xstrdup(config->DefaultPamUser);
++ retval = PAM_SUCCESS;
++ }
+ }
+
+ if (retval != PAM_SUCCESS)
+@@ -7022,7 +7031,11 @@
+
+ assert (rc == 0);
+
++#ifdef HAVE_PAM
++ if (!config->system_auth && !config->PamAuth)
++#else
+ if (!config->system_auth)
++#endif
+ {
+ /* Note that the message _does_ distinguish between the case in
+ which we check for a system password and the case in which
+@@ -7037,9 +7050,10 @@
+
+ /* No cvs password found, so try /etc/passwd. */
+ #ifdef HAVE_PAM
+- if (check_pam_password (&username, password))
++ if ( (config->PamAuth && check_pam_password (&username, password)) ||
++ (config->system_auth && check_system_password (&username, password)))
+ #else /* !HAVE_PAM */
+- if (check_system_password (username, password))
++ if (config->system_auth && check_system_password (username, password))
+ #endif /* HAVE_PAM */
+ host_user = xstrdup (username);
+ else
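Review bot: In the src/server.c hunk at `@@ -6919,6 +6919,15 @@` the DefaultPamUser fallback is keyed on `pam_get_item (pamh, PAM_USER, ...)` failing, not on the authenticated user lacking a local account, which is what the added comment describes and what the removed 1.12.9 version tested with `getpwnam (username)`. As written, any error while fetching PAM_USER is rewritten to `PAM_SUCCESS` and the login is mapped to the default account, while a user who authenticates through PAM but has no passwd entry skips the fallback whenever pam_get_item succeeds. I would leave `retval` alone on a pam_get_item error and substitute only after it succeeds: `if (retval == PAM_SUCCESS && config->DefaultPamUser != NULL && getpwnam (*username) == NULL) *username = xstrdup (config->DefaultPamUser);`. The enclosing function and the condition guarding this block start outside the hunk, so this assumes the block is only entered after the authenticate and account steps have passed. Separately, in the `@@ -7037,9 +7050,10 @@` hunk the HAVE_PAM branch calls `check_system_password (&username, password)` while the non-PAM branch passes `username`; the function's declaration is not visible here, but both calls cannot match it.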