[Pkg-shadow-commits] r181 - trunk/debian/patches
Nicolas FRANCOIS
pkg-shadow-devel@lists.alioth.debian.org
Sun, 29 May 2005 15:34:20 +0000
Author: nekral-guest
Date: 2005-05-29 15:34:20 +0000 (Sun, 29 May 2005)
New Revision: 181
Added:
trunk/debian/patches/008_su_PAM_session
Modified:
trunk/debian/patches/008_src.dpatch
trunk/debian/patches/series
Log:
Isolate session management in a separate patch.
Modified: trunk/debian/patches/008_src.dpatch
===================================================================
--- trunk/debian/patches/008_src.dpatch 2005-05-29 13:16:12 UTC (rev 180)
+++ trunk/debian/patches/008_src.dpatch 2005-05-29 15:34:20 UTC (rev 181)
@@ -26,8 +26,8 @@
Index: shadow-4.0.3/src/su.c
===================================================================
---- shadow-4.0.3.orig/src/su.c 2005-05-29 11:05:49.128975000 +0200
-+++ shadow-4.0.3/src/su.c 2005-05-29 11:06:07.168975000 +0200
+--- shadow-4.0.3.orig/src/su.c 2005-05-29 15:29:01.741112000 +0200
++++ shadow-4.0.3/src/su.c 2005-05-29 16:46:20.851112000 +0200
@@ -49,6 +49,7 @@
#include <grp.h>
#include <signal.h>
@@ -185,7 +185,7 @@
/*
* Get the program name. The program name is used as a prefix to
* most error messages.
-@@ -224,14 +330,66 @@
+@@ -224,15 +330,67 @@
* Process the command line arguments.
*/
@@ -228,8 +228,8 @@
- argc--;
- argv++; /* shift ... */
+ ++optind;
-+ }
-+
+ }
+
+ if (optind < argc)
+ strncpy(name, argv[optind++], sizeof(name) - 1);
+ else {
@@ -253,11 +253,12 @@
+ if (!pw) {
+ SYSLOG((LOG_CRIT, "Unknown UID: %d\n", (int) my_uid));
+ su_failure(tty);
- }
++ }
+ STRFCPY(oldname, pw->pw_name);
-
++
/*
* If a new login is being set up, the old environment will be
+ * ignored and a new one created later on.
@@ -257,35 +415,6 @@
addenv (*envp++, NULL);
}
@@ -302,14 +303,14 @@
- pwent.pw_shell = "/bin/sh"; /* XXX warning: const */
+ if (pwent.pw_shell == NULL || pwent.pw_shell[0] == '\0')
+ pwent.pw_shell = (char *) "/bin/sh";
-
++
+ if (shell == 0 && change_environment == 0)
+ shell = getenv ("SHELL");
+ if (shell != 0 && getuid () && restricted_shell (pwent.pw_shell))
+ shell = 0;
+ if (shell == 0)
+ shell = (char *) strdup (pwent.pw_shell);
-+
+
+ signal(SIGINT, SIG_IGN);
#ifdef USE_PAM
ret = pam_authenticate (pamh, 0);
@@ -348,68 +349,8 @@
if (pwent.pw_shell[0] == '*') { /* subsystem root required */
pwent.pw_shell++; /* skip the '*' */
-@@ -554,17 +703,56 @@
- pam_end (pamh, ret);
+@@ -573,11 +722,14 @@
exit (1);
- }
-+ ret = pam_open_session(pamh, 0);
-+ if (ret != PAM_SUCCESS) {
-+ SYSLOG((LOG_ERR, "pam_open_session: %s\n", pam_strerror(pamh, ret)));
-+ fprintf(stderr, "%s: %s\n", Prog, pam_strerror(pamh, ret));
-+ pam_setcred(pamh, PAM_DELETE_CRED);
-+ pam_end(pamh, ret);
-+ exit(1);
-+ }
-+ /* We must fork before setuid() because we need to call
-+ * pam_close_session() as root.
-+ */
-+
-+ /* We let the admin configure whether they need to keep login
-+ around to close sessions */
-+ if (getdef_bool("CLOSE_SESSIONS")) {
-+ pid_t pid;
-+ int status;
-+
-+ signal(SIGINT, SIG_IGN);
-+ pid = fork();
-+
-+ switch(pid) {
-+ case -1:
-+ SYSLOG((LOG_ERR, "su: fork failure: %m"));
-+ perror("su: fork failure");
-+ pam_setcred(pamh, PAM_DELETE_CRED);
-+ pam_close_session(pamh, 0);
-+ pam_end(pamh, PAM_ABORT);
-+ exit(1);
-+ case 0: /* child */
-+ signal(SIGINT, SIG_DFL);
-+ break;
-+ default: /* parent */
-+ waitpid(pid, &status, 0);
-+ /* now we are done using PAM */
-+ pam_setcred(pamh, PAM_DELETE_CRED);
-+ ret = pam_close_session(pamh, 0);
-+ pam_end(pamh, ret);
-+ exit(WEXITSTATUS(status));
-+ }
-+ }
-
- /* become the new user */
- if (change_uid (&pwent)) {
-+ pam_close_session(pamh, 0);
- pam_setcred (pamh, PAM_DELETE_CRED);
- pam_end (pamh, PAM_ABORT);
- exit (1);
- }
-
-- /* now we are done using PAM */
-- pam_end (pamh, PAM_SUCCESS);
--
- #else /* !USE_PAM */
- if (!amroot) /* no limits if su from root */
- setup_limits (&pwent);
-@@ -573,11 +761,14 @@
- exit (1);
#endif /* !USE_PAM */
- if (fakelogin)
@@ -427,7 +368,7 @@
#endif
/*
-@@ -589,46 +780,6 @@
+@@ -589,46 +741,6 @@
*/
closelog ();
Added: trunk/debian/patches/008_su_PAM_session
===================================================================
--- trunk/debian/patches/008_su_PAM_session 2005-05-29 13:16:12 UTC (rev 180)
+++ trunk/debian/patches/008_su_PAM_session 2005-05-29 15:34:20 UTC (rev 181)
@@ -0,0 +1,77 @@
+Goal: add pam session ability to su (patch from Topi Miettinen)
+Fixes: #57526, #55873, #57532
+
+Note: When CLOSE_SESSIONS is not set, pam_end is not called.
+
+Status wrt upstream: Current upstream handles session management in run_shell
+ However:
+ * the session is closed after changing the uid.
+ (i.e. not as root, as it should be)
+ In order to close the session as root, the session
+ management should be removed from run_shell.
+ * CLOSE_SESSIONS is not taken into account
+
+Index: shadow-4.0.3/src/su.c
+===================================================================
+--- shadow-4.0.3.orig/src/su.c 2005-05-29 16:46:20.851112000 +0200
++++ shadow-4.0.3/src/su.c 2005-05-29 16:51:38.131112000 +0200
+@@ -703,17 +703,56 @@
+ pam_end (pamh, ret);
+ exit (1);
+ }
++ ret = pam_open_session(pamh, 0);
++ if (ret != PAM_SUCCESS) {
++ SYSLOG((LOG_ERR, "pam_open_session: %s\n", pam_strerror(pamh, ret)));
++ fprintf(stderr, "%s: %s\n", Prog, pam_strerror(pamh, ret));
++ pam_setcred(pamh, PAM_DELETE_CRED);
++ pam_end(pamh, ret);
++ exit(1);
++ }
++ /* We must fork before setuid() because we need to call
++ * pam_close_session() as root.
++ */
++
++ /* We let the admin configure whether they need to keep login
++ around to close sessions */
++ if (getdef_bool("CLOSE_SESSIONS")) {
++ pid_t pid;
++ int status;
++
++ signal(SIGINT, SIG_IGN);
++ pid = fork();
++
++ switch(pid) {
++ case -1:
++ SYSLOG((LOG_ERR, "su: fork failure: %m"));
++ perror("su: fork failure");
++ pam_setcred(pamh, PAM_DELETE_CRED);
++ pam_close_session(pamh, 0);
++ pam_end(pamh, PAM_ABORT);
++ exit(1);
++ case 0: /* child */
++ signal(SIGINT, SIG_DFL);
++ break;
++ default: /* parent */
++ waitpid(pid, &status, 0);
++ /* now we are done using PAM */
++ pam_setcred(pamh, PAM_DELETE_CRED);
++ ret = pam_close_session(pamh, 0);
++ pam_end(pamh, ret);
++ exit(WEXITSTATUS(status));
++ }
++ }
+
+ /* become the new user */
+ if (change_uid (&pwent)) {
++ pam_close_session(pamh, 0);
+ pam_setcred (pamh, PAM_DELETE_CRED);
+ pam_end (pamh, PAM_ABORT);
+ exit (1);
+ }
+
+- /* now we are done using PAM */
+- pam_end (pamh, PAM_SUCCESS);
+-
+ #else /* !USE_PAM */
+ if (!amroot) /* no limits if su from root */
+ setup_limits (&pwent);
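Review bot: In the parent branch of the CLOSE_SESSIONS switch, the `waitpid(pid, &status, 0)` return value is unchecked and `status` is never initialised, so a failed wait makes `exit(WEXITSTATUS(status))` return an indeterminate value, and a child that died from a signal is also reported through WEXITSTATUS, which is only meaningful when WIFEXITED holds; the parent should derive its exit code from WIFEXITED/WIFSIGNALED and fall back to 1 (see below). Separately, the `pam_close_session(pamh, 0)` added in the change_uid failure path also executes in the forked child when CLOSE_SESSIONS is set, so the session is closed once by the child, with whatever credentials change_uid (defined outside this hunk) had already switched, and again by the parent after waitpid; wrapping that line in `if (!getdef_bool("CLOSE_SESSIONS"))` keeps the close on the root-owned parent path as the comment above the fork intends. The parent also only ignores SIGINT and does not forward other signals to the child, so a SIGHUP or SIGTERM delivered to su ends the parent before pam_close_session runs — presumably acceptable for a first cut, but worth stating in the comment. The enclosing function continues outside the hunk on both sides.
```c
		default: /* parent */
			{
				int rc = 1;	/* status to propagate; 1 if the child could not be reaped */

				if (waitpid(pid, &status, 0) == pid) {
					if (WIFEXITED(status))
						rc = WEXITSTATUS(status);
					else if (WIFSIGNALED(status))
						rc = 128 + WTERMSIG(status);
				} else {
					SYSLOG((LOG_ERR, "su: waitpid failure: %m"));
				}
				/* … unchanged: pam_setcred / pam_close_session / pam_end … */
				exit(rc);
			}
```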
Modified: trunk/debian/patches/series
===================================================================
--- trunk/debian/patches/series 2005-05-29 13:16:12 UTC (rev 180)
+++ trunk/debian/patches/series 2005-05-29 15:34:20 UTC (rev 181)
@@ -5,6 +5,7 @@
005_manpages.dpatch
006_libmisc.dpatch
008_src.dpatch
+008_su_PAM_session
008_su_syslog_old:new
008_login_MAXHOSTNAMELEN
008_grpck_add_prune_option