[Pkg-shadow-commits] r367 - branches/experimental/debian/patches
Nicolas FRANCOIS
pkg-shadow-devel@lists.alioth.debian.org
Sun, 10 Jul 2005 11:55:56 +0000
Author: nekral-guest
Date: 2005-07-10 11:55:55 +0000 (Sun, 10 Jul 2005)
New Revision: 367
Modified:
branches/experimental/debian/patches/010_more-i18ned-messages
branches/experimental/debian/patches/439_su_PAM_session
branches/experimental/debian/patches/series
Log:
Update 439_su_PAM_session to 4.0.10 (and 010_more-i18ned-messages, broken
by 439)
Also move 444 to the end.
Modified: branches/experimental/debian/patches/010_more-i18ned-messages
===================================================================
--- branches/experimental/debian/patches/010_more-i18ned-messages 2005-07-10 07:20:31 UTC (rev 366)
+++ branches/experimental/debian/patches/010_more-i18ned-messages 2005-07-10 11:55:55 UTC (rev 367)
@@ -183,12 +183,13 @@
pam_end (pamh, ret);
exit (1);
}
-@@ -681,7 +681,7 @@
+@@ -681,8 +681,8 @@
if (ret != PAM_SUCCESS) {
SYSLOG ((LOG_ERR, "pam_open_session: %s",
pam_strerror (pamh, ret)));
- fprintf (stderr, "%s: %s\n", Prog, pam_strerror (pamh, ret));
+ fprintf (stderr, _("%s: %s\n"), Prog, pam_strerror (pamh, ret));
+ pam_setcred(pamh, PAM_DELETE_CRED);
pam_end (pamh, ret);
exit (1);
}
Modified: branches/experimental/debian/patches/439_su_PAM_session
===================================================================
--- branches/experimental/debian/patches/439_su_PAM_session 2005-07-10 07:20:31 UTC (rev 366)
+++ branches/experimental/debian/patches/439_su_PAM_session 2005-07-10 11:55:55 UTC (rev 367)
@@ -1,65 +1,50 @@
Goal: add pam session ability to su (patch from Topi Miettinen)
Fixes: #57526, #55873, #57532
-Note: When CLOSE_SESSIONS is not set, pam_end is not called.
+Note: this is a rewrite of the previous 439_su_PAM_session
+ One difference may be that the session is not closed as root (changing
+ this will require a major rewrite of su).
-Status wrt upstream: Current upstream handles session management in run_shell
- However:
- * the session is closed after changing the uid.
- (i.e. not as root, as it should be)
- In order to close the session as root, the session
- management should be removed from run_shell.
- * CLOSE_SESSIONS is not taken into account
-
-Index: shadow-4.0.3/src/su.c
+Index: shadow-4.0.10/src/su.c
===================================================================
---- shadow-4.0.3.orig/src/su.c 2005-05-29 16:46:20.851112000 +0200
-+++ shadow-4.0.3/src/su.c 2005-05-29 16:51:38.131112000 +0200
-@@ -703,17 +703,56 @@
- pam_end (pamh, ret);
+--- shadow-4.0.10.orig/src/su.c 2005-07-10 11:48:56.000000000 +0300
++++ shadow-4.0.10/src/su.c 2005-07-10 14:40:22.000000000 +0300
+@@ -148,13 +148,15 @@
+ */
+ static void run_shell (const char *shellstr, char *args[], int doshell)
+ {
+- int child;
++ int child = 0;
+ sigset_t ourset;
+ int status;
+ int ret;
+
+- child = fork ();
+- if (child == 0) { /* child shell */
++ if (getdef_bool("CLOSE_SESSIONS")) {
++ child = fork ();
++ }
++ if (child == 0) { /* child shell or no CLOSE_SESSIONS */
+ pam_end (pamh, PAM_SUCCESS);
+
+ if (doshell)
+@@ -172,6 +174,7 @@
+ closelog ();
exit (1);
}
-+ ret = pam_open_session(pamh, 0);
-+ if (ret != PAM_SUCCESS) {
-+ SYSLOG((LOG_ERR, "pam_open_session: %s\n", pam_strerror(pamh, ret)));
-+ fprintf(stderr, "%s: %s\n", Prog, pam_strerror(pamh, ret));
++ /* Unreachable if ! CLOSE_SESSIONS */
+ /* parent only */
+ sigfillset (&ourset);
+ if (sigprocmask (SIG_BLOCK, &ourset, NULL)) {
+@@ -656,6 +659,7 @@
+ SYSLOG ((LOG_ERR, "pam_open_session: %s",
+ pam_strerror (pamh, ret)));
+ fprintf (stderr, "%s: %s\n", Prog, pam_strerror (pamh, ret));
+ pam_setcred(pamh, PAM_DELETE_CRED);
-+ pam_end(pamh, ret);
-+ exit(1);
-+ }
-+ /* We must fork before setuid() because we need to call
-+ * pam_close_session() as root.
-+ */
-+
-+ /* We let the admin configure whether they need to keep login
-+ around to close sessions */
-+ if (getdef_bool("CLOSE_SESSIONS")) {
-+ pid_t pid;
-+ int status;
-+
-+ signal(SIGINT, SIG_IGN);
-+ pid = fork();
-+
-+ switch(pid) {
-+ case -1:
-+ SYSLOG((LOG_ERR, "su: fork failure: %m"));
-+ perror("su: fork failure");
-+ pam_setcred(pamh, PAM_DELETE_CRED);
-+ pam_close_session(pamh, 0);
-+ pam_end(pamh, PAM_ABORT);
-+ exit(1);
-+ case 0: /* child */
-+ signal(SIGINT, SIG_DFL);
-+ break;
-+ default: /* parent */
-+ waitpid(pid, &status, 0);
-+ /* now we are done using PAM */
-+ pam_setcred(pamh, PAM_DELETE_CRED);
-+ ret = pam_close_session(pamh, 0);
-+ pam_end(pamh, ret);
-+ exit(WEXITSTATUS(status));
-+ }
-+ }
+ pam_end (pamh, ret);
+ exit (1);
+ }
+@@ -677,6 +681,7 @@
/* become the new user */
if (change_uid (&pwent)) {
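Review bot: With CLOSE_SESSIONS unset, `child` stays 0 in run_shell and su itself takes the branch that calls `pam_end (pamh, PAM_SUCCESS)`, so the session opened by pam_open_session is never handed to pam_close_session. The rewritten header drops the old note that recorded this; I would restore it, e.g. `Note: when CLOSE_SESSIONS is not set, su does not fork and the PAM session is never closed.`, so administrators know that session-module cleanup depends on that setting. The branch comment could say the same: `/* child shell, or su itself when CLOSE_SESSIONS is off (session left open) */`. The header also states that the session is not closed as root, so pam_close_session may fail for modules that need root and its return value should be logged; that call is outside the visible hunks, so this needs checking against the full run_shell. The body of run_shell starts and ends outside the hunk.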
@@ -67,11 +52,3 @@
pam_setcred (pamh, PAM_DELETE_CRED);
pam_end (pamh, PAM_ABORT);
exit (1);
- }
-
-- /* now we are done using PAM */
-- pam_end (pamh, PAM_SUCCESS);
--
- #else /* !USE_PAM */
- if (!amroot) /* no limits if su from root */
- setup_limits (&pwent);
Modified: branches/experimental/debian/patches/series
===================================================================
--- branches/experimental/debian/patches/series 2005-07-10 07:20:31 UTC (rev 366)
+++ branches/experimental/debian/patches/series 2005-07-10 11:55:55 UTC (rev 367)
@@ -1,4 +1,3 @@
-444_missing_Italian_manpages
# 001_Makefile.in.in.dpatch # This patch is the pure evil by patching gettext generated files
002_more-i18n.dpatch
#354_Makefile.am
@@ -31,7 +30,7 @@
008_su_no_sanitize_env
#008_su_get_PAM_username # updated, but depends on 437_su_add_GNU_options
#
-# 439_su_PAM_session # This one is complicated. keep it for latter.
+439_su_PAM_session
# 350_su_syslog_old:new # applied
#
# 008_login_MAXHOSTNAMELEN # It should probably be dropped.
@@ -142,3 +141,4 @@
427_chage_expiry_0
442_useradd.8-O
443_man_it_Makefile.am
+444_missing_Italian_manpages