Diffstat (limited to 'import-layers/yocto-poky/meta/recipes-extended/pam/libpam/pam-security-abstract-securetty-handling.patch')
-rw-r--r-- | import-layers/yocto-poky/meta/recipes-extended/pam/libpam/pam-security-abstract-securetty-handling.patch | 200 |
1 files changed, 200 insertions, 0 deletions
diff --git a/import-layers/yocto-poky/meta/recipes-extended/pam/libpam/pam-security-abstract-securetty-handling.patch b/import-layers/yocto-poky/meta/recipes-extended/pam/libpam/pam-security-abstract-securetty-handling.patch
new file mode 100644
index 000000000..f1834f6ce
--- /dev/null
+++ b/import-layers/yocto-poky/meta/recipes-extended/pam/libpam/pam-security-abstract-securetty-handling.patch
@@ -0,0 +1,200 @@ +Description: extract the securetty logic for use with the "nullok_secure" option + introduced in the "055_pam_unix_nullok_secure" patch. + +Upstream-Status: Pending + +Signed-off-by: Ming Liu <ming.liu@windriver.com> +=================================================================== +diff -urpN a/modules/pam_securetty/Makefile.am b/modules/pam_securetty/Makefile.am +--- a/modules/pam_securetty/Makefile.am 2013-07-05 11:08:23.224483237 +0800 ++++ b/modules/pam_securetty/Makefile.am 2013-07-05 11:15:21.304486456 +0800 +@@ -24,6 +24,10 @@ endif + securelib_LTLIBRARIES = pam_securetty.la + pam_securetty_la_LIBADD = -L$(top_builddir)/libpam -lpam + ++pam_securetty_la_SOURCES = \ ++ pam_securetty.c \ ++ tty_secure.c ++ + if ENABLE_REGENERATE_MAN + noinst_DATA = README + README: pam_securetty.8.xml +diff -urpN a/modules/pam_securetty/pam_securetty.c b/modules/pam_securetty/pam_securetty.c +--- a/modules/pam_securetty/pam_securetty.c 2013-07-05 11:07:50.064483568 +0800 ++++ b/modules/pam_securetty/pam_securetty.c 2013-07-05 11:12:23.994483344 +0800 +@@ -1,7 +1,5 @@ + /* pam_securetty module */ + +-#define SECURETTY_FILE "/etc/securetty" +-#define TTY_PREFIX "/dev/" + #define CMDLINE_FILE "/proc/cmdline" + #define CONSOLEACTIVE_FILE "/sys/class/tty/console/active" + +@@ -40,6 +38,9 @@ + #include <security/pam_modutil.h> + #include <security/pam_ext.h> + ++extern int _pammodutil_tty_secure(const pam_handle_t *pamh, ++ const char *uttyname); ++ + #define PAM_DEBUG_ARG 0x0001 + #define PAM_NOCONSOLE_ARG 0x0002 + +@@ -73,11 +74,7 @@ securetty_perform_check (pam_handle_t *p + const char *username; + const char *uttyname; + const void *void_uttyname; +- char ttyfileline[256]; +- char ptname[256]; +- struct stat ttyfileinfo; + struct passwd *user_pwd; +- FILE *ttyfile; + + /* log a trail for debugging */ + if (ctrl & PAM_DEBUG_ARG) { +@@ -105,50 +102,7 @@ securetty_perform_check (pam_handle_t *p + return PAM_SERVICE_ERR; + } + +- /* The PAM_TTY item may be 
prefixed with "/dev/" - skip that */
+- if (strncmp(TTY_PREFIX, uttyname, sizeof(TTY_PREFIX)-1) == 0) {
+- uttyname += sizeof(TTY_PREFIX)-1;
+- }
+-
+- if (stat(SECURETTY_FILE, &ttyfileinfo)) {
+- pam_syslog(pamh, LOG_NOTICE, "Couldn't open %s: %m", SECURETTY_FILE);
+- return PAM_SUCCESS; /* for compatibility with old securetty handling,
+- this needs to succeed. But we still log the
+- error. */
+- }
+-
+- if ((ttyfileinfo.st_mode & S_IWOTH) || !S_ISREG(ttyfileinfo.st_mode)) {
+- /* If the file is world writable or is not a
+- normal file, return error */
+- pam_syslog(pamh, LOG_ERR,
+- "%s is either world writable or not a normal file",
+- SECURETTY_FILE);
+- return PAM_AUTH_ERR;
+- }
+-
+- ttyfile = fopen(SECURETTY_FILE,"r");
+- if (ttyfile == NULL) { /* Check that we opened it successfully */
+- pam_syslog(pamh, LOG_ERR, "Error opening %s: %m", SECURETTY_FILE);
+- return PAM_SERVICE_ERR;
+- }
+-
+- if (isdigit(uttyname[0])) {
+- snprintf(ptname, sizeof(ptname), "pts/%s", uttyname);
+- } else {
+- ptname[0] = '\0';
+- }
+-
+- retval = 1;
+-
+- while ((fgets(ttyfileline, sizeof(ttyfileline)-1, ttyfile) != NULL)
+- && retval) {
+- if (ttyfileline[strlen(ttyfileline) - 1] == '\n')
+- ttyfileline[strlen(ttyfileline) - 1] = '\0';
+-
+- retval = ( strcmp(ttyfileline, uttyname)
+- && (!ptname[0] || strcmp(ptname, uttyname)) );
+- }
+- fclose(ttyfile);
++ retval = _pammodutil_tty_secure(pamh, uttyname);
+
+ if (retval && !(ctrl & PAM_NOCONSOLE_ARG)) {
+ FILE *cmdlinefile;
+diff -urpN a/modules/pam_securetty/tty_secure.c b/modules/pam_securetty/tty_secure.c
+--- a/modules/pam_securetty/tty_secure.c 1970-01-01 08:30:00.000000000 +0830
++++ b/modules/pam_securetty/tty_secure.c 2013-07-05 11:14:21.534482900 +0800
+@@ -0,0 +1,90 @@
++/*
++ * A function to determine if a particular line is in /etc/securetty
++ */
++
++
++#define SECURETTY_FILE "/etc/securetty"
++#define TTY_PREFIX "/dev/"
++
++/* This function taken out of pam_securetty by Sam Hartman
++ * <hartmans@debian.org>*/
++/*
++ * by Elliot Lee <sopwith@redhat.com>, Red Hat Software.
++ * July 25, 1996.
++ * Slight modifications AGM. 1996/12/3
++ */
++
++#include <unistd.h>
++#include <sys/types.h>
++#include <sys/stat.h>
++#include <security/pam_modules.h>
++#include <stdarg.h>
++#include <syslog.h>
++#include <sys/syslog.h>
++#include <stdio.h>
++#include <string.h>
++#include <stdlib.h>
++#include <ctype.h>
++#include <security/pam_modutil.h>
++#include <security/pam_ext.h>
++
++extern int _pammodutil_tty_secure(const pam_handle_t *pamh,
++ const char *uttyname);
++
++int _pammodutil_tty_secure(const pam_handle_t *pamh, const char *uttyname)
++{
++ int retval = PAM_AUTH_ERR;
++ char ttyfileline[256];
++ char ptname[256];
++ struct stat ttyfileinfo;
++ FILE *ttyfile;
++ /* The PAM_TTY item may be prefixed with "/dev/" - skip that */
++ if (strncmp(TTY_PREFIX, uttyname, sizeof(TTY_PREFIX)-1) == 0)
++ uttyname += sizeof(TTY_PREFIX)-1;
++
++ if (stat(SECURETTY_FILE, &ttyfileinfo)) {
++ pam_syslog(pamh, LOG_NOTICE, "Couldn't open %s: %m",
++ SECURETTY_FILE);
++ return PAM_SUCCESS; /* for compatibility with old securetty handling,
++ this needs to succeed. But we still log the
++ error. */
++ }
++
++ if ((ttyfileinfo.st_mode & S_IWOTH) || !S_ISREG(ttyfileinfo.st_mode)) {
++ /* If the file is world writable or is not a
++ normal file, return error */
++ pam_syslog(pamh, LOG_ERR,
++ "%s is either world writable or not a normal file",
++ SECURETTY_FILE);
++ return PAM_AUTH_ERR;
++ }
++
++ ttyfile = fopen(SECURETTY_FILE,"r");
++ if(ttyfile == NULL) { /* Check that we opened it successfully */
++ pam_syslog(pamh, LOG_ERR, "Error opening %s: %m", SECURETTY_FILE);
++ return PAM_SERVICE_ERR;
++ }
++
++ if (isdigit(uttyname[0])) {
++ snprintf(ptname, sizeof(ptname), "pts/%s", uttyname);
++ } else {
++ ptname[0] = '\0';
++ }
++
++ retval = 1;
++
++ while ((fgets(ttyfileline,sizeof(ttyfileline)-1, ttyfile) != NULL)
++ && retval) {
++ if(ttyfileline[strlen(ttyfileline) - 1] == '\n')
++ ttyfileline[strlen(ttyfileline) - 1] = '\0';
++ retval = ( strcmp(ttyfileline,uttyname)
++ && (!ptname[0] || strcmp(ptname, uttyname)) );
++ }
++ fclose(ttyfile);
++
++ if(retval) {
++ retval = PAM_AUTH_ERR;
++ }
++
++ return retval;
++} |
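Review bot: In pam_securetty.c the new `retval = _pammodutil_tty_secure(pamh, uttyname);` feeds straight into the existing `if (retval && !(ctrl & PAM_NOCONSOLE_ARG))`, but the helper returns PAM_SERVICE_ERR when fopen() of /etc/securetty fails, where the removed inline code returned PAM_SERVICE_ERR to the caller immediately; any non-zero value is now treated as "tty not listed" and falls into the kernel-console fallback, whose outcome lies past the end of the pam_securetty.c hunk (securetty_perform_check continues outside it), so an unreadable file could end differently than before. Keep the old contract by adding, right after the call, `if (retval == PAM_SERVICE_ERR) return retval;` or have the helper return a plain yes/no and leave the open failure to the caller. Separately, tty_secure.c keeps the stat()-then-fopen() order, so the S_IWOTH/S_ISREG check is made against whatever the path resolved to at stat time, not necessarily the file that is then read; calling fopen() first and checking `fstat(fileno(ttyfile), &ttyfileinfo)` closes that window at no cost. The loop term `strcmp(ptname, uttyname)` compares "pts/N" with "N" and so can never be zero, which makes the ptname branch dead code — presumably `strcmp(ptname, ttyfileline)` was meant; this is inherited from the original, but worth fixing while the code is being moved. Finally, the `extern` prototype is duplicated in both files rather than placed in a header, and the `_pammodutil_` prefix looks like libpam's internal pam_modutil naming, so a `pam_securetty_`-prefixed name (or `static` with a header-declared wrapper) would avoid the appearance of a library-internal symbol.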