
Commit 53b121b8 authored by Andreas Henriksson's avatar Andreas Henriksson

gbp pq import && gbp pq export

 gbp pq import
gbp:info: Trying to apply patches at '7bc7e74e'
gbp:warning: Patch 'pam_unix_fix_sgid_shadow_auth.patch' has no authorship information, using 'Steve Langasek <vorlon@debian.org>'
gbp:warning: Patch 'pam_unix_dont_trust_chkpwd_caller.patch' has no authorship information, using 'Steve Langasek <vorlon@debian.org>'
gbp:warning: Patch '007_modules_pam_unix' has no authorship information, using 'Steve Langasek <vorlon@debian.org>'
gbp:warning: Patch '008_modules_pam_limits_chroot' has no authorship information, using 'Steve Langasek <vorlon@debian.org>'
gbp:warning: Patch '022_pam_unix_group_time_miscfixes' has no authorship information, using 'Steve Langasek <vorlon@debian.org>'
gbp:warning: Patch 'do_not_check_nis_accidentally' has no authorship information, using 'Steve Langasek <vorlon@debian.org>'
gbp:warning: Patch '031_pam_include' has no authorship information, using 'Steve Langasek <vorlon@debian.org>'
gbp:warning: Patch '032_pam_limits_EPERM_NOT_FATAL' has no authorship information, using 'Steve Langasek <vorlon@debian.org>'
gbp:warning: Patch '036_pam_wheel_getlogin_considered_harmful' has no authorship information, using 'Steve Langasek <vorlon@debian.org>'
gbp:warning: Patch 'hurd_no_setfsuid' has no authorship information, using 'Steve Langasek <vorlon@debian.org>'
gbp:warning: Patch '040_pam_limits_log_failure' has no authorship information, using 'Steve Langasek <vorlon@debian.org>'
gbp:warning: Patch '045_pam_dispatch_jump_is_ignore' has no authorship information, using 'Steve Langasek <vorlon@debian.org>'
gbp:warning: Patch '054_pam_security_abstract_securetty_handling' has no authorship information, using 'Steve Langasek <vorlon@debian.org>'
gbp:warning: Patch '055_pam_unix_nullok_secure' has no authorship information, using 'Steve Langasek <vorlon@debian.org>'
gbp:warning: Patch 'cve-2010-4708.patch' has no authorship information, using 'Steve Langasek <vorlon@debian.org>'
gbp:warning: Patch 'PAM-manpage-section' has no authorship information, using 'Steve Langasek <vorlon@debian.org>'
gbp:warning: Patch 'update-motd' has no authorship information, using 'Steve Langasek <vorlon@debian.org>'
gbp:warning: Patch 'lib_security_multiarch_compat' has no authorship information, using 'Steve Langasek <vorlon@debian.org>'
gbp:info: 24 patches listed in 'debian/patches/series' imported on 'patch-queue/master'
parent 7bc7e74e
From: Steve Langasek <vorlon@debian.org>
Date: Wed, 23 Jan 2019 13:02:04 +0100
Subject: _modules_pam_limits_chroot
---
modules/pam_limits/limits.conf | 2 ++
modules/pam_limits/limits.conf.5.xml | 6 ++++++
modules/pam_limits/pam_limits.c | 25 ++++++++++++++++++++++---
3 files changed, 30 insertions(+), 3 deletions(-)
diff --git a/modules/pam_limits/limits.conf b/modules/pam_limits/limits.conf
index be621a7..ed3ceda 100644
--- a/modules/pam_limits/limits.conf
+++ b/modules/pam_limits/limits.conf
@@ -35,6 +35,7 @@
# - msgqueue - max memory used by POSIX message queues (bytes)
# - nice - max nice priority allowed to raise to values: [-20, 19]
# - rtprio - max realtime priority
+# - chroot - change root to directory (Debian-specific)
#
#<domain> <type> <item> <value>
#
@@ -45,6 +46,7 @@
#@faculty soft nproc 20
#@faculty hard nproc 50
#ftp hard nproc 0
+#ftp - chroot /ftp
#@student - maxlogins 4
# End of file
diff --git a/modules/pam_limits/limits.conf.5.xml b/modules/pam_limits/limits.conf.5.xml
index 380a139..d59b1a8 100644
--- a/modules/pam_limits/limits.conf.5.xml
+++ b/modules/pam_limits/limits.conf.5.xml
@@ -266,6 +266,12 @@
(Linux 2.6.12 and higher)</para>
</listitem>
</varlistentry>
+ <varlistentry>
+ <term><option>chroot</option></term>
+ <listitem>
+ <para>the directory to chroot the user to</para>
+ </listitem>
+ </varlistentry>
</variablelist>
</listitem>
</varlistentry>
diff --git a/modules/pam_limits/pam_limits.c b/modules/pam_limits/pam_limits.c
index 4bc4ae7..43196e8 100644
--- a/modules/pam_limits/pam_limits.c
+++ b/modules/pam_limits/pam_limits.c
@@ -88,6 +88,7 @@
@@ -88,6 +88,7 @@ struct pam_limit_s {
int flag_numsyslogins; /* whether to limit logins only for a
specific user or to count all logins */
int priority; /* the priority to run user process with */
......@@ -8,7 +57,7 @@
struct user_limits_struct limits[RLIM_NLIMITS];
const char *conf_file;
int utmp_after_pam_call;
@@ -98,6 +99,7 @@
@@ -98,6 +99,7 @@ struct pam_limit_s {
#define LIMIT_NUMSYSLOGINS RLIM_NLIMITS+2
#define LIMIT_PRI RLIM_NLIMITS+3
......@@ -16,7 +65,7 @@
#define LIMIT_SOFT 1
#define LIMIT_HARD 2
@@ -484,6 +486,8 @@
@@ -484,6 +486,8 @@ static int init_limits(pam_handle_t *pamh, struct pam_limit_s *pl, int ctrl)
pl->login_limit = -2;
pl->login_limit_def = LIMITS_DEF_NONE;
......@@ -25,7 +74,7 @@
return retval;
}
@@ -554,6 +558,8 @@
@@ -554,6 +558,8 @@ process_limit (const pam_handle_t *pamh, int source, const char *lim_type,
pl->flag_numsyslogins = 1;
} else if (strcmp(lim_item, "priority") == 0) {
limit_item = LIMIT_PRI;
......@@ -34,7 +83,7 @@
} else {
pam_syslog(pamh, LOG_DEBUG, "unknown limit item '%s'", lim_item);
return;
@@ -591,9 +597,9 @@
@@ -591,9 +597,9 @@ process_limit (const pam_handle_t *pamh, int source, const char *lim_type,
pam_syslog(pamh, LOG_DEBUG,
"wrong limit value '%s' for limit type '%s'",
lim_value, lim_type);
......@@ -46,7 +95,7 @@
#ifdef __USE_FILE_OFFSET64
rlimit_value = strtoull (lim_value, &endptr, 10);
#else
@@ -654,7 +660,11 @@
@@ -654,7 +660,11 @@ process_limit (const pam_handle_t *pamh, int source, const char *lim_type,
#endif
}
......@@ -59,7 +108,7 @@
&& (limit_item != LIMIT_NUMSYSLOGINS)
&& (limit_item != LIMIT_PRI) ) {
if (limit_type & LIMIT_SOFT) {
@@ -998,6 +1008,15 @@
@@ -998,6 +1008,15 @@ static int setup_limits(pam_handle_t *pamh,
retval |= LOGIN_ERR;
}
......@@ -75,36 +124,3 @@
return retval;
}
--- a/modules/pam_limits/limits.conf.5.xml
+++ b/modules/pam_limits/limits.conf.5.xml
@@ -266,6 +266,12 @@
(Linux 2.6.12 and higher)</para>
</listitem>
</varlistentry>
+ <varlistentry>
+ <term><option>chroot</option></term>
+ <listitem>
+ <para>the directory to chroot the user to</para>
+ </listitem>
+ </varlistentry>
</variablelist>
</listitem>
</varlistentry>
--- a/modules/pam_limits/limits.conf
+++ b/modules/pam_limits/limits.conf
@@ -35,6 +35,7 @@
# - msgqueue - max memory used by POSIX message queues (bytes)
# - nice - max nice priority allowed to raise to values: [-20, 19]
# - rtprio - max realtime priority
+# - chroot - change root to directory (Debian-specific)
#
#<domain> <type> <item> <value>
#
@@ -45,6 +46,7 @@
#@faculty soft nproc 20
#@faculty hard nproc 50
#ftp hard nproc 0
+#ftp - chroot /ftp
#@student - maxlogins 4
# End of file
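Review bot: The regenerated header of this patch file gives no summary of what the patch does: `Subject: _modules_pam_limits_chroot` appears to be the file name with its numeric prefix stripped, and no Description: paragraph follows it before the `---` separator, so the only statement of intent left in the file is the limits.conf comment `# - chroot - change root to directory (Debian-specific)`. Since the Subject line is what shows up as the patch summary on the patch-queue branch, suggest replacing the stub with a real one-liner such as `Subject: pam_limits: add a Debian-specific "chroot" limit item` and adding a short Description: paragraph (what the item does, and that it is Debian-only). The same stub-style subjects appear in the later sections for `_pam_include`, `_pam_limits_EPERM_NOT_FATAL`, `_pam_wheel_getlogin_considered_harmful`, `_pam_limits_log_failure`, `_pam_dispatch_jump_is_ignore` and `_pam_unix_nullok_secure`, though those at least keep a prose paragraph under the Subject; this section is the only one with no description at all.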
Description: handle the case of flags being empty or only PAM_SILENT, which is
documented in other PAM implementations as meaning PAM_ESTABLISH_CRED:
http://publib.boulder.ibm.com/infocenter/aix/v6r1/index.jsp?topic=%2Fcom.ibm.aix.basetechref%2Fdoc%2Fbasetrf1%2Fpam_setcred.htm
From: Steve Langasek <vorlon@debian.org>
Date: Wed, 23 Jan 2019 13:02:04 +0100
Subject: handle the case of flags being empty or only PAM_SILENT, which is
documented in other PAM implementations as meaning PAM_ESTABLISH_CRED:
http://publib.boulder.ibm.com/infocenter/aix/v6r1/index.jsp?topic=%2Fcom.ibm.aix.basetechref%2Fdoc%2Fbasetrf1%2Fpam_setcred.htm
---
modules/pam_group/pam_group.c | 5 ++++-
1 file changed, 4 insertions(+), 1 deletion(-)
diff --git a/modules/pam_group/pam_group.c b/modules/pam_group/pam_group.c
index 8cd178c..0d68f34 100644
--- a/modules/pam_group/pam_group.c
+++ b/modules/pam_group/pam_group.c
@@ -761,9 +761,12 @@
@@ -761,9 +761,12 @@ pam_sm_setcred (pam_handle_t *pamh, int flags,
unsigned setting;
/* only interested in establishing credentials */
......
Description: distinguish between password manipulation failure and missing user.
Author: Martin Schwenke <martin@meltin.net>
From: Martin Schwenke <martin@meltin.net>
Date: Wed, 23 Jan 2019 13:02:04 +0100
Subject: distinguish between password manipulation failure and missing user.
---
modules/pam_unix/passverify.c | 5 +++--
1 file changed, 3 insertions(+), 2 deletions(-)
diff --git a/modules/pam_unix/passverify.c b/modules/pam_unix/passverify.c
index a26782f..18a5877 100644
--- a/modules/pam_unix/passverify.c
+++ b/modules/pam_unix/passverify.c
@@ -749,7 +749,7 @@
@@ -749,7 +749,7 @@ PAMH_ARG_DECL(int unix_update_passwd,
struct passwd *tmpent = NULL;
struct stat st;
FILE *pwfile, *opwfile;
......@@ -12,7 +19,7 @@ Author: Martin Schwenke <martin@meltin.net>
int oldmask;
#ifdef WITH_SELINUX
security_context_t prev_context=NULL;
@@ -820,6 +820,7 @@
@@ -820,6 +820,7 @@ PAMH_ARG_DECL(int unix_update_passwd,
tmpent->pw_passwd = assigned_passwd.charp;
err = 0;
......@@ -20,7 +27,7 @@ Author: Martin Schwenke <martin@meltin.net>
}
if (putpwent(tmpent, pwfile)) {
D(("error writing entry to password file: %m"));
@@ -862,7 +863,7 @@
@@ -862,7 +863,7 @@ done:
return PAM_SUCCESS;
} else {
unlink(PW_TMPFILE);
......
Description: Allow explicit limits for root and reset limits on each session
When crossing session boundaries (such as when su'ing from one user to
another), if the target account has no limit specified in limits.conf we
want to use the default, not the current value configured for the
source account.
.
If /proc/1/limits is unavailable, fall back to a set of hard-coded values
that shadow the currently known defaults on Linux.
.
Also, don't apply wildcard limits to the root account; only apply limits to
root that reference root by name.
Author: Peter Paluch <peterp@frcatel.fri.utc.sk>,
Ben Collins <bcollins@debian.org>,
Steve Langasek <vorlon@debian.org>,
From: Peter Paluch <peterp@frcatel.fri.utc.sk>
Date: Wed, 23 Jan 2019 13:02:04 +0100
Subject: Allow explicit limits for root and reset limits on each session
Bug-Debian: http://bugs.debian.org/63230
When crossing session boundaries (such as when su'ing from one user to
another), if the target account has no limit specified in limits.conf we
want to use the default, not the current value configured for the
source account.
If /proc/1/limits is unavailable, fall back to a set of hard-coded values
that shadow the currently known defaults on Linux.
Also, don't apply wildcard limits to the root account; only apply limits to
root that reference root by name.
---
modules/pam_limits/limits.conf | 4 ++
modules/pam_limits/limits.conf.5.xml | 6 +++
modules/pam_limits/pam_limits.c | 88 ++++++++++++++++++++++++++++++++----
3 files changed, 89 insertions(+), 9 deletions(-)
diff --git a/modules/pam_limits/limits.conf b/modules/pam_limits/limits.conf
index ed3ceda..1aec652 100644
--- a/modules/pam_limits/limits.conf
+++ b/modules/pam_limits/limits.conf
@@ -11,6 +11,9 @@
# - the wildcard *, for default entry
# - the wildcard %, can be also used with %group syntax,
# for maxlogin limit
+# - NOTE: group and wildcard limits are not applied to root.
+# To apply a limit to the root user, <domain> must be
+# the literal username root.
#
#<type> can have the two values:
# - "soft" for enforcing the soft limits
@@ -41,6 +44,7 @@
#
#* soft core 0
+#root hard core 100000
#* hard rss 10000
#@student hard nproc 20
#@faculty soft nproc 20
diff --git a/modules/pam_limits/limits.conf.5.xml b/modules/pam_limits/limits.conf.5.xml
index d59b1a8..cfe92b2 100644
--- a/modules/pam_limits/limits.conf.5.xml
+++ b/modules/pam_limits/limits.conf.5.xml
@@ -96,6 +96,11 @@
</para>
</listitem>
</itemizedlist>
+ <para>
+ <emphasis remap='B'>NOTE:</emphasis> group and wildcard limits are not
+ applied to the root user. To set a limit for the root user, this field
+ must contain the literal username <emphasis remap='B'>root</emphasis>.
+ </para>
</listitem>
</varlistentry>
@@ -323,6 +328,7 @@
</para>
<programlisting>
* soft core 0
+root hard core 100000
* hard nofile 512
@student hard nproc 20
@faculty soft nproc 20
diff --git a/modules/pam_limits/pam_limits.c b/modules/pam_limits/pam_limits.c
index 43196e8..93b1b60 100644
--- a/modules/pam_limits/pam_limits.c
+++ b/modules/pam_limits/pam_limits.c
@@ -46,6 +46,14 @@
......@@ -30,7 +85,7 @@ Bug-Debian: http://bugs.debian.org/63230
/* Module defines */
#define LINE_LENGTH 1024
@@ -83,6 +91,7 @@
@@ -83,6 +91,7 @@ struct user_limits_struct {
/* internal data */
struct pam_limit_s {
......@@ -38,7 +93,7 @@ Bug-Debian: http://bugs.debian.org/63230
int login_limit; /* the max logins limit */
int login_limit_def; /* which entry set the login limit */
int flag_numsyslogins; /* whether to limit logins only for a
@@ -448,9 +457,18 @@
@@ -448,9 +457,18 @@ static int init_limits(pam_handle_t *pamh, struct pam_limit_s *pl, int ctrl)
{
int i;
int retval = PAM_SUCCESS;
......@@ -57,7 +112,7 @@ Bug-Debian: http://bugs.debian.org/63230
for(i = 0; i < RLIM_NLIMITS; i++) {
int r = getrlimit(i, &pl->limits[i].limit);
if (r == -1) {
@@ -466,18 +484,68 @@
@@ -466,18 +484,68 @@ static int init_limits(pam_handle_t *pamh, struct pam_limit_s *pl, int ctrl)
}
#ifdef __linux__
......@@ -132,7 +187,7 @@ Bug-Debian: http://bugs.debian.org/63230
errno = 0;
pl->priority = getpriority (PRIO_PROCESS, 0);
@@ -816,7 +884,7 @@
@@ -816,7 +884,7 @@ parse_config_file(pam_handle_t *pamh, const char *uname, uid_t uid, gid_t gid,
if (strcmp(uname, domain) == 0) /* this user have a limit */
process_limit(pamh, LIMITS_DEF_USER, ltype, item, value, ctrl, pl);
......@@ -141,7 +196,7 @@ Bug-Debian: http://bugs.debian.org/63230
if (ctrl & PAM_DEBUG_ARG) {
pam_syslog(pamh, LOG_DEBUG,
"checking if %s is in group %s",
@@ -842,7 +910,7 @@
@@ -842,7 +910,7 @@ parse_config_file(pam_handle_t *pamh, const char *uname, uid_t uid, gid_t gid,
process_limit(pamh, LIMITS_DEF_GROUP, ltype, item, value, ctrl,
pl);
}
......@@ -150,7 +205,7 @@ Bug-Debian: http://bugs.debian.org/63230
if (ctrl & PAM_DEBUG_ARG) {
pam_syslog(pamh, LOG_DEBUG,
"checking if %s is in group %s",
@@ -876,7 +944,7 @@
@@ -876,7 +944,7 @@ parse_config_file(pam_handle_t *pamh, const char *uname, uid_t uid, gid_t gid,
} else {
switch(rngtype) {
case LIMIT_RANGE_NONE:
......@@ -159,7 +214,7 @@ Bug-Debian: http://bugs.debian.org/63230
process_limit(pamh, LIMITS_DEF_DEFAULT, ltype, item, value, ctrl,
pl);
break;
@@ -1062,6 +1130,8 @@
@@ -1062,6 +1130,8 @@ pam_sm_open_session (pam_handle_t *pamh, int flags UNUSED,
return PAM_ABORT;
}
......@@ -168,45 +223,3 @@ Bug-Debian: http://bugs.debian.org/63230
retval = parse_config_file(pamh, pwd->pw_name, pwd->pw_uid, pwd->pw_gid, ctrl, pl);
if (retval == PAM_IGNORE) {
D(("the configuration file ('%s') has an applicable '<domain> -' entry", CONF_FILE));
--- a/modules/pam_limits/limits.conf
+++ b/modules/pam_limits/limits.conf
@@ -11,6 +11,9 @@
# - the wildcard *, for default entry
# - the wildcard %, can be also used with %group syntax,
# for maxlogin limit
+# - NOTE: group and wildcard limits are not applied to root.
+# To apply a limit to the root user, <domain> must be
+# the literal username root.
#
#<type> can have the two values:
# - "soft" for enforcing the soft limits
@@ -41,6 +44,7 @@
#
#* soft core 0
+#root hard core 100000
#* hard rss 10000
#@student hard nproc 20
#@faculty soft nproc 20
--- a/modules/pam_limits/limits.conf.5.xml
+++ b/modules/pam_limits/limits.conf.5.xml
@@ -96,6 +96,11 @@
</para>
</listitem>
</itemizedlist>
+ <para>
+ <emphasis remap='B'>NOTE:</emphasis> group and wildcard limits are not
+ applied to the root user. To set a limit for the root user, this field
+ must contain the literal username <emphasis remap='B'>root</emphasis>.
+ </para>
</listitem>
</varlistentry>
@@ -323,6 +328,7 @@
</para>
<programlisting>
* soft core 0
+root hard core 100000
* hard nofile 512
@student hard nproc 20
@faculty soft nproc 20
From: Steve Langasek <vorlon@debian.org>
Date: Wed, 23 Jan 2019 13:02:04 +0100
Subject: _pam_include
Patch to implement an @include directive for use in pam.d config files.
Authors: Jan Christoph Nordholz <hesso@pool.math.tu-berlin.de>
Upstream status: not yet submitted
---
libpam/pam_handlers.c | 36 ++++++++++++++++++++++++++++++++----
1 file changed, 32 insertions(+), 4 deletions(-)
diff --git a/libpam/pam_handlers.c b/libpam/pam_handlers.c
index 106ef7c..eec395b 100644
--- a/libpam/pam_handlers.c
+++ b/libpam/pam_handlers.c
@@ -122,6 +122,10 @@
@@ -122,6 +122,10 @@ static int _pam_parse_conf_file(pam_handle_t *pamh, FILE *f
module_type = PAM_T_ACCT;
} else if (!strcasecmp("password", tok)) {
module_type = PAM_T_PASS;
......@@ -17,7 +26,7 @@ Upstream status: not yet submitted
} else {
/* Illegal module type */
D(("_pam_init_handlers: bad module type: %s", tok));
@@ -192,8 +196,10 @@
@@ -192,8 +196,10 @@ static int _pam_parse_conf_file(pam_handle_t *pamh, FILE *f
_pam_set_default_control(actions, _PAM_ACTION_BAD);
}
......@@ -28,7 +37,7 @@ Upstream status: not yet submitted
if (substack) {
res = _pam_add_handler(pamh, PAM_HT_SUBSTACK, other,
stack_level, module_type, actions, tok,
@@ -204,13 +210,35 @@
@@ -204,13 +210,35 @@ static int _pam_parse_conf_file(pam_handle_t *pamh, FILE *f
return PAM_ABORT;
}
}
......
From: Steve Langasek <vorlon@debian.org>
Date: Wed, 23 Jan 2019 13:02:04 +0100
Subject: _pam_limits_EPERM_NOT_FATAL
setrlimit will sometimes return EPERM for example if you try to increase the
number of open files too much. This is not something we want to consider
fatal. This also happens if you use non-root and try to decrease a limit.
......@@ -6,10 +10,15 @@ Running PAM as non-root is not so great.
Authors: ?
Upstream status: submitted in <20070830171918.GB30563@dario.dodds.net>
---
modules/pam_limits/pam_limits.c | 2 ++
1 file changed, 2 insertions(+)
diff --git a/modules/pam_limits/pam_limits.c b/modules/pam_limits/pam_limits.c
index 93b1b60..1de2aef 100644
--- a/modules/pam_limits/pam_limits.c
+++ b/modules/pam_limits/pam_limits.c
@@ -1046,6 +1046,8 @@
@@ -1046,6 +1046,8 @@ static int setup_limits(pam_handle_t *pamh,
if (res != 0)
pam_syslog(pamh, LOG_ERR, "Could not set limit for '%s': %m",
rlimit2str(i));
......
From: Steve Langasek <vorlon@debian.org>
Date: Wed, 23 Jan 2019 13:02:04 +0100
Subject: _pam_wheel_getlogin_considered_harmful
Patch for Debian bug #163787 et al
Always use the process uid, not getlogin(), to identify an applicant in
......@@ -7,10 +11,49 @@ an xterm
Authors: Ben Collins <bcollins@debian.org>
Upstream status: submitted in <20070901175405.GA26092@dario.dodds.net>
---
modules/pam_wheel/pam_wheel.8.xml | 15 ---------------
modules/pam_wheel/pam_wheel.c | 33 +++++++++------------------------
2 files changed, 9 insertions(+), 39 deletions(-)
diff --git a/modules/pam_wheel/pam_wheel.8.xml b/modules/pam_wheel/pam_wheel.8.xml
index c8d9377..6c5450b 100644
--- a/modules/pam_wheel/pam_wheel.8.xml
+++ b/modules/pam_wheel/pam_wheel.8.xml
@@ -33,9 +33,6 @@
<arg choice="opt">
trust
</arg>
- <arg choice="opt">
- use_uid
- </arg>
</cmdsynopsis>
</refsynopsisdiv>
@@ -116,18 +113,6 @@
</para>
</listitem>
</varlistentry>
- <varlistentry>
- <term>
- <option>use_uid</option>
- </term>
- <listitem>
- <para>
- The check for wheel membership will be done against
- the current uid instead of the original one (useful when
- jumping with su from one account to another for example).
- </para>
- </listitem>
- </varlistentry>
</variablelist>
</refsect1>
diff --git a/modules/pam_wheel/pam_wheel.c b/modules/pam_wheel/pam_wheel.c
index 6ea7b84..cc3d7c7 100644
--- a/modules/pam_wheel/pam_wheel.c
+++ b/modules/pam_wheel/pam_wheel.c
@@ -60,9 +60,8 @@
@@ -60,9 +60,8 @@ static int is_on_list(char * const *list, const char *member)
/* argument parsing */
#define PAM_DEBUG_ARG 0x0001
......@@ -22,7 +65,7 @@ Upstream status: submitted in <20070901175405.GA26092@dario.dodds.net>
#define PAM_ROOT_ONLY_ARG 0x0020
static int
@@ -80,8 +79,7 @@
@@ -80,8 +79,7 @@ _pam_parse (const pam_handle_t *pamh, int argc, const char **argv,
if (!strcmp(*argv,"debug"))
ctrl |= PAM_DEBUG_ARG;
......@@ -32,7 +75,7 @@ Upstream status: submitted in <20070901175405.GA26092@dario.dodds.net>
else if (!strcmp(*argv,"trust"))
ctrl |= PAM_TRUST_ARG;
else if (!strcmp(*argv,"deny"))
@@ -129,27 +127,14 @@
@@ -129,27 +127,14 @@ perform_check (pam_handle_t *pamh, int ctrl, const char *use_group)
}
}
......@@ -66,34 +109,3 @@ Upstream status: submitted in <20070901175405.GA26092@dario.dodds.net>
/*
* At this point fromsu = username-of-invoker; tpwd = pwd ptr for fromsu
--- a/modules/pam_wheel/pam_wheel.8.xml
+++ b/modules/pam_wheel/pam_wheel.8.xml
@@ -33,9 +33,6 @@
<arg choice="opt">
trust
</arg>
- <arg choice="opt">
- use_uid
- </arg>
</cmdsynopsis>
</refsynopsisdiv>
@@ -116,18 +113,6 @@
</para>
</listitem>
</varlistentry>
- <varlistentry>
- <term>
- <option>use_uid</option>
- </term>
- <listitem>
- <para>
- The check for wheel membership will be done against
- the current uid instead of the original one (useful when
- jumping with su from one account to another for example).
- </para>
- </listitem>
- </varlistentry>
</variablelist>
</refsect1>
From: Steve Langasek <vorlon@debian.org>
Date: Wed, 23 Jan 2019 13:02:04 +0100
Subject: _pam_limits_log_failure
Patch for Debian bug #180310
Generate some (low-severity) log information whenever setrlimit() fails,
......@@ -6,10 +10,15 @@ for debugging purposes.
Authors: Sam Hartman <hartmans@debian.org>
Upstream status: submitted in <20070830171918.GB30563@dario.dodds.net>
---
modules/pam_limits/pam_limits.c | 16 +++++++++++++---
1 file changed, 13 insertions(+), 3 deletions(-)
diff --git a/modules/pam_limits/pam_limits.c b/modules/pam_limits/pam_limits.c
index 1de2aef..dab98ad 100644
--- a/modules/pam_limits/pam_limits.c
+++ b/modules/pam_limits/pam_limits.c
@@ -1043,9 +1043,19 @@
@@ -1043,9 +1043,19 @@ static int setup_limits(pam_handle_t *pamh,
if (pl->limits[i].limit.rlim_cur > pl->limits[i].limit.rlim_max)
pl->limits[i].limit.rlim_cur = pl->limits[i].limit.rlim_max;
res = setrlimit(i, &pl->limits[i].limit);
......
From: Steve Langasek <vorlon@debian.org>
Date: Wed, 23 Jan 2019 13:02:04 +0100
Subject: _pam_dispatch_jump_is_ignore
Previously jumps were treated as PAM_IGNORE in the freezing part of
the chain and PAM_OK (aka required) in the frozen part of the chain.
No one on pam-list was able to explain this behavior, so I changed it
to be consistent.
---
libpam/pam_dispatch.c | 17 +----------------
1 file changed, 1 insertion(+), 16 deletions(-)
diff --git a/libpam/pam_dispatch.c b/libpam/pam_dispatch.c
index cf632e8..7eae66b 100644
--- a/libpam/pam_dispatch.c
+++ b/libpam/pam_dispatch.c
@@ -260,22 +260,7 @@
@@ -260,22 +260,7 @@ static int _pam_dispatch_aux(pam_handle_t *pamh, int flags, struct handler *h,
if ( _PAM_ACTION_IS_JUMP(action) ) {
/* If we are evaluating a cached chain, we treat this
......
Description: extract the securetty logic for use with the "nullok_secure" option
introduced in the "055_pam_unix_nullok_secure" patch.
From: Steve Langasek <vorlon@debian.org>
Date: Wed, 23 Jan 2019 13:02:04 +0100
Subject: extract the securetty logic for use with the "nullok_secure" option
introduced in the "055_pam_unix_nullok_secure" patch.
---
modules/pam_securetty/Makefile.am | 4 ++
modules/pam_securetty/pam_securetty.c | 54 ++-------------------
modules/pam_securetty/tty_secure.c | 90 +++++++++++++++++++++++++++++++++++
3 files changed, 98 insertions(+), 50 deletions(-)
create mode 100644 modules/pam_securetty/tty_secure.c
diff --git a/modules/pam_securetty/Makefile.am b/modules/pam_securetty/Makefile.am
index 30cc879..bf2ac36 100644
--- a/modules/pam_securetty/Makefile.am
+++ b/modules/pam_securetty/Makefile.am
@@ -24,6 +24,10 @@ endif
securelib_LTLIBRARIES = pam_securetty.la
pam_securetty_la_LIBADD = $(top_builddir)/libpam/libpam.la
+pam_securetty_la_SOURCES = \
+ pam_securetty.c \
+ tty_secure.c
+
if ENABLE_REGENERATE_MAN
noinst_DATA = README
README: pam_securetty.8.xml
diff --git a/modules/pam_securetty/pam_securetty.c b/modules/pam_securetty/pam_securetty.c
index cb1da25..11fc26b 100644
--- a/modules/pam_securetty/pam_securetty.c
+++ b/modules/pam_securetty/pam_securetty.c
@@ -1,7 +1,5 @@
......@@ -21,7 +47,7 @@ Description: extract the securetty logic for use with the "nullok_secure" option
#define PAM_DEBUG_ARG 0x0001
#define PAM_NOCONSOLE_ARG 0x0002
@@ -73,11 +74,7 @@
@@ -73,11 +74,7 @@ securetty_perform_check (pam_handle_t *pamh, int ctrl,
const char *username;
const char *uttyname;
const void *void_uttyname;
......@@ -33,7 +59,7 @@ Description: extract the securetty logic for use with the "nullok_secure" option
/* log a trail for debugging */
if (ctrl & PAM_DEBUG_ARG) {
@@ -105,50 +102,7 @@
@@ -105,50 +102,7 @@ securetty_perform_check (pam_handle_t *pamh, int ctrl,
return PAM_SERVICE_ERR;
}
......@@ -85,6 +111,9 @@ Description: extract the securetty logic for use with the "nullok_secure" option
if (retval && !(ctrl & PAM_NOCONSOLE_ARG)) {
FILE *cmdlinefile;
diff --git a/modules/pam_securetty/tty_secure.c b/modules/pam_securetty/tty_secure.c
new file mode 100644
index 0000000..97fd5ca
--- /dev/null
+++ b/modules/pam_securetty/tty_secure.c
@@ -0,0 +1,90 @@
......@@ -178,16 +207,3 @@ Description: extract the securetty logic for use with the "nullok_secure" option
+
+ return retval;
+}
--- a/modules/pam_securetty/Makefile.am
+++ b/modules/pam_securetty/Makefile.am
@@ -24,6 +24,10 @@
securelib_LTLIBRARIES = pam_securetty.la
pam_securetty_la_LIBADD = $(top_builddir)/libpam/libpam.la
+pam_securetty_la_SOURCES = \
+ pam_securetty.c \
+ tty_secure.c
+
if ENABLE_REGENERATE_MAN
noinst_DATA = README
README: pam_securetty.8.xml
From: Steve Langasek <vorlon@debian.org>
Date: Wed, 23 Jan 2019 13:02:05 +0100
Subject: _pam_unix_nullok_secure
Debian patch to add a new 'nullok_secure' option to pam_unix, which
accepts users with null passwords only when the applicant is connected
from a tty listed in /etc/securetty.
......@@ -6,10 +10,62 @@ Authors: Sam Hartman <hartmans@debian.org>,
Steve Langasek <vorlon@debian.org>
Upstream status: not yet submitted
---
modules/pam_unix/Makefile.am | 3 ++-
modules/pam_unix/pam_unix.8.xml | 19 +++++++++++++++++-
modules/pam_unix/support.c | 43 ++++++++++++++++++++++++++++++++++++-----
modules/pam_unix/support.h | 5 +++--
4 files changed, 61 insertions(+), 9 deletions(-)
diff --git a/modules/pam_unix/Makefile.am b/modules/pam_unix/Makefile.am
index 072c95b..038f244 100644
--- a/modules/pam_unix/Makefile.am
+++ b/modules/pam_unix/Makefile.am
@@ -30,7 +30,8 @@ if HAVE_VERSIONING
pam_unix_la_LDFLAGS += -Wl,--version-script=$(srcdir)/../modules.map
endif
pam_unix_la_LIBADD = $(top_builddir)/libpam/libpam.la \
- @LIBCRYPT@ @LIBSELINUX@ @TIRPC_LIBS@ @NSL_LIBS@
+ @LIBCRYPT@ @LIBSELINUX@ @TIRPC_LIBS@ @NSL_LIBS@ \
+ ../pam_securetty/tty_secure.lo
securelib_LTLIBRARIES = pam_unix.la
diff --git a/modules/pam_unix/pam_unix.8.xml b/modules/pam_unix/pam_unix.8.xml
index ee7ab4c..c762e52 100644
--- a/modules/pam_unix/pam_unix.8.xml
+++ b/modules/pam_unix/pam_unix.8.xml
@@ -159,7 +159,24 @@
<para>
The default action of this module is to not permit the
user access to a service if their official password is blank.
- The <option>nullok</option> argument overrides this default.
+ The <option>nullok</option> argument overrides this default
+ and allows any user with a blank password to access the
+ service.
+ </para>
+ </listitem>
+ </varlistentry>
+ <varlistentry>
+ <term>
+ <option>nullok_secure</option>