[Pkg-shadow-commits] r181 - trunk/debian/patches

Nicolas FRANCOIS pkg-shadow-devel@lists.alioth.debian.org
Sun, 29 May 2005 15:34:20 +0000


Author: nekral-guest
Date: 2005-05-29 15:34:20 +0000 (Sun, 29 May 2005)
New Revision: 181

Added:
   trunk/debian/patches/008_su_PAM_session
Modified:
   trunk/debian/patches/008_src.dpatch
   trunk/debian/patches/series
Log:
Isolate session management in a separate patch.


Modified: trunk/debian/patches/008_src.dpatch
===================================================================
--- trunk/debian/patches/008_src.dpatch	2005-05-29 13:16:12 UTC (rev 180)
+++ trunk/debian/patches/008_src.dpatch	2005-05-29 15:34:20 UTC (rev 181)
@@ -26,8 +26,8 @@
 
 Index: shadow-4.0.3/src/su.c
 ===================================================================
---- shadow-4.0.3.orig/src/su.c	2005-05-29 11:05:49.128975000 +0200
-+++ shadow-4.0.3/src/su.c	2005-05-29 11:06:07.168975000 +0200
+--- shadow-4.0.3.orig/src/su.c	2005-05-29 15:29:01.741112000 +0200
++++ shadow-4.0.3/src/su.c	2005-05-29 16:46:20.851112000 +0200
 @@ -49,6 +49,7 @@
  #include <grp.h>
  #include <signal.h>
@@ -185,7 +185,7 @@
  	/*
  	 * Get the program name. The program name is used as a prefix to
  	 * most error messages.
-@@ -224,14 +330,66 @@
+@@ -224,15 +330,67 @@
  	 * Process the command line arguments. 
  	 */
  
@@ -228,8 +228,8 @@
 -		argc--;
 -		argv++;		/* shift ... */
 +		++optind;
-+	}
-+
+ 	}
+ 
 +	if (optind < argc)
 +		strncpy(name, argv[optind++], sizeof(name) - 1);
 +	else {
@@ -253,11 +253,12 @@
 +	if (!pw) {
 +		SYSLOG((LOG_CRIT, "Unknown UID: %d\n", (int) my_uid));
 +		su_failure(tty);
- 	}
++	}
 +	STRFCPY(oldname, pw->pw_name);
- 
++
  	/*
  	 * If a new login is being set up, the old environment will be
+ 	 * ignored and a new one created later on.
 @@ -257,35 +415,6 @@
  			addenv (*envp++, NULL);
  	}
@@ -302,14 +303,14 @@
 -		pwent.pw_shell = "/bin/sh";	/* XXX warning: const */
 +	if (pwent.pw_shell == NULL || pwent.pw_shell[0] == '\0')
 +		pwent.pw_shell = (char *) "/bin/sh";
- 
++
 +	if (shell == 0 && change_environment == 0)
 +		shell = getenv ("SHELL");
 +	if (shell != 0 && getuid () && restricted_shell (pwent.pw_shell))
 +		shell = 0;
 +	if (shell == 0)
 +	shell = (char *) strdup (pwent.pw_shell);
-+
+ 
 +	signal(SIGINT, SIG_IGN);
  #ifdef USE_PAM
  	ret = pam_authenticate (pamh, 0);
@@ -348,68 +349,8 @@
  
  	if (pwent.pw_shell[0] == '*') {	/* subsystem root required */
  		pwent.pw_shell++;	/* skip the '*' */
-@@ -554,17 +703,56 @@
- 		pam_end (pamh, ret);
+@@ -573,11 +722,14 @@
  		exit (1);
- 	}
-+	ret = pam_open_session(pamh, 0);
-+	if (ret != PAM_SUCCESS) {
-+		SYSLOG((LOG_ERR, "pam_open_session: %s\n", pam_strerror(pamh, ret)));
-+		fprintf(stderr, "%s: %s\n", Prog, pam_strerror(pamh, ret));
-+		pam_setcred(pamh, PAM_DELETE_CRED);
-+		pam_end(pamh, ret);
-+		exit(1);
-+	}
-+	/* We must fork before setuid() because we need to call
-+	 * pam_close_session() as root.
-+	 */
-+
-+	/* We let the admin configure whether they need to keep login
-+	   around to close sessions */
-+	if (getdef_bool("CLOSE_SESSIONS")) {
-+		pid_t pid;
-+		int status;
-+
-+		signal(SIGINT, SIG_IGN);
-+		pid = fork();
-+
-+		switch(pid) {
-+		case -1:
-+			SYSLOG((LOG_ERR, "su: fork failure: %m"));
-+			perror("su: fork failure");
-+			pam_setcred(pamh, PAM_DELETE_CRED);
-+			pam_close_session(pamh, 0);
-+			pam_end(pamh, PAM_ABORT);
-+			exit(1);
-+		case 0: /* child */
-+			signal(SIGINT, SIG_DFL);
-+			break;
-+		default: /* parent */
-+			waitpid(pid, &status, 0);
-+			/* now we are done using PAM */
-+			pam_setcred(pamh, PAM_DELETE_CRED);
-+			ret = pam_close_session(pamh, 0);
-+			pam_end(pamh, ret);
-+			exit(WEXITSTATUS(status));
-+		}
-+	}
- 
- 	/* become the new user */
- 	if (change_uid (&pwent)) {
-+		pam_close_session(pamh, 0);
- 		pam_setcred (pamh, PAM_DELETE_CRED);
- 		pam_end (pamh, PAM_ABORT);
- 		exit (1);
- 	}
- 
--	/* now we are done using PAM */
--	pam_end (pamh, PAM_SUCCESS);
--
- #else				/* !USE_PAM */
- 	if (!amroot)		/* no limits if su from root */
- 		setup_limits (&pwent);
-@@ -573,11 +761,14 @@
- 		exit (1);
  #endif				/* !USE_PAM */
  
 -	if (fakelogin)
@@ -427,7 +368,7 @@
  #endif
  
  	/*
-@@ -589,46 +780,6 @@
+@@ -589,46 +741,6 @@
  	 */
  	closelog ();
  

Added: trunk/debian/patches/008_su_PAM_session
===================================================================
--- trunk/debian/patches/008_su_PAM_session	2005-05-29 13:16:12 UTC (rev 180)
+++ trunk/debian/patches/008_su_PAM_session	2005-05-29 15:34:20 UTC (rev 181)
@@ -0,0 +1,77 @@
+Goal: add pam session ability to su (patch from Topi Miettinen)
+Fixes: #57526, #55873, #57532
+
+Note: When CLOSE_SESSIONS is not set, pam_end is not called.
+
+Status wrt upstream: Current upstream handles session management in run_shell
+                     However:
+                     * the session is closed after changing the uid.
+                       (i.e. not as root, as it should be)
+                       In order to close the session as root, the session
+                       management should be removed from run_shell.
+                     * CLOSE_SESSIONS is not taken into account
+
+Index: shadow-4.0.3/src/su.c
+===================================================================
+--- shadow-4.0.3.orig/src/su.c	2005-05-29 16:46:20.851112000 +0200
++++ shadow-4.0.3/src/su.c	2005-05-29 16:51:38.131112000 +0200
+@@ -703,17 +703,56 @@
+ 		pam_end (pamh, ret);
+ 		exit (1);
+ 	}
++	ret = pam_open_session(pamh, 0);
++	if (ret != PAM_SUCCESS) {
++		SYSLOG((LOG_ERR, "pam_open_session: %s\n", pam_strerror(pamh, ret)));
++		fprintf(stderr, "%s: %s\n", Prog, pam_strerror(pamh, ret));
++		pam_setcred(pamh, PAM_DELETE_CRED);
++		pam_end(pamh, ret);
++		exit(1);
++	}
++	/* We must fork before setuid() because we need to call
++	 * pam_close_session() as root.
++	 */
++
++	/* We let the admin configure whether they need to keep login
++	   around to close sessions */
++	if (getdef_bool("CLOSE_SESSIONS")) {
++		pid_t pid;
++		int status;
++
++		signal(SIGINT, SIG_IGN);
++		pid = fork();
++
++		switch(pid) {
++		case -1:
++			SYSLOG((LOG_ERR, "su: fork failure: %m"));
++			perror("su: fork failure");
++			pam_setcred(pamh, PAM_DELETE_CRED);
++			pam_close_session(pamh, 0);
++			pam_end(pamh, PAM_ABORT);
++			exit(1);
++		case 0: /* child */
++			signal(SIGINT, SIG_DFL);
++			break;
++		default: /* parent */
++			waitpid(pid, &status, 0);
++			/* now we are done using PAM */
++			pam_setcred(pamh, PAM_DELETE_CRED);
++			ret = pam_close_session(pamh, 0);
++			pam_end(pamh, ret);
++			exit(WEXITSTATUS(status));
++		}
++	}
+ 
+ 	/* become the new user */
+ 	if (change_uid (&pwent)) {
++		pam_close_session(pamh, 0);
+ 		pam_setcred (pamh, PAM_DELETE_CRED);
+ 		pam_end (pamh, PAM_ABORT);
+ 		exit (1);
+ 	}
+ 
+-	/* now we are done using PAM */
+-	pam_end (pamh, PAM_SUCCESS);
+-
+ #else				/* !USE_PAM */
+ 	if (!amroot)		/* no limits if su from root */
+ 		setup_limits (&pwent);
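Review bot: In the `default: /* parent */` branch, `exit(WEXITSTATUS(status))` runs without a `WIFEXITED(status)` check and the return value of `waitpid()` is ignored, so a child killed by a signal, or a failed or interrupted wait, gives su a meaningless exit status (typically 0 for a signalled child). I would retry `waitpid()` until it returns `pid` and end with `exit(WIFEXITED(status) ? WEXITSTATUS(status) : 1);`. The parent ignores only SIGINT, so any other terminating signal appears to end it before `pam_close_session()` runs as root, which is the stated reason for the fork; that limitation deserves at least a comment next to `signal(SIGINT, SIG_IGN);`. When `change_uid()` fails in the forked child, the child calls `pam_close_session()` and `pam_setcred(pamh, PAM_DELETE_CRED)` and the parent repeats both after the wait, so the code should make explicit which process owns the teardown. The enclosing function starts and ends outside the hunk.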

Modified: trunk/debian/patches/series
===================================================================
--- trunk/debian/patches/series	2005-05-29 13:16:12 UTC (rev 180)
+++ trunk/debian/patches/series	2005-05-29 15:34:20 UTC (rev 181)
@@ -5,6 +5,7 @@
 005_manpages.dpatch
 006_libmisc.dpatch
 008_src.dpatch
+008_su_PAM_session
 008_su_syslog_old:new
 008_login_MAXHOSTNAMELEN
 008_grpck_add_prune_option