[Pkg-shadow-commits] r178 - trunk/debian/patches
Nicolas FRANCOIS
pkg-shadow-devel@lists.alioth.debian.org
Sat, 28 May 2005 17:24:00 +0000
Author: nekral-guest
Date: 2005-05-28 17:23:59 +0000 (Sat, 28 May 2005)
New Revision: 178
Added:
trunk/debian/patches/008_login_close_session_as_root
Modified:
trunk/debian/patches/008_src.dpatch
trunk/debian/patches/series
Log:
Extract a chunk from 008_src to 008_login_close_session_as_root.
It deals with forking (to call pam_close_session) before changing the uid.
Added: trunk/debian/patches/008_login_close_session_as_root
===================================================================
--- trunk/debian/patches/008_login_close_session_as_root 2005-05-24 11:07:39 UTC (rev 177)
+++ trunk/debian/patches/008_login_close_session_as_root 2005-05-28 17:23:59 UTC (rev 178)
@@ -0,0 +1,103 @@
+Goal: The PAM session needs to be closed as root, thus before change_uid().
+
+Status wrt upstream: It should certainly be applied upstream.
+
+Notes: The changelog reports:
+ * src/login.c: moved usage of setup_uid_gid() when PAM is enabled or
+ pam_groups.so's groups get clobbered
+ (Ben Collins 19 Sep 1999)
+
+ There was also a bug report (#53570 - login: no pam_sm_close_session
+ call as root - 28 Dec 1999). The submitter proposed to move change_uid
+ instead of the call to PAM_END.
+
+ With both patches, the behaviour of the parent is modified (for example signal handlers).
+ I don't know if this may be a problem.
+
+Index: shadow-4.0.3/src/login.c
+===================================================================
+--- shadow-4.0.3.orig/src/login.c 2005-05-28 19:11:32.274189000 +0200
++++ shadow-4.0.3/src/login.c 2005-05-28 19:11:33.674189000 +0200
+@@ -1276,6 +1276,40 @@
+ login_fbtab (tty, pwent.pw_uid, pwent.pw_gid);
+ #endif
+
++#ifdef USE_PAM
++ /*
++ * We must fork before setuid() because we need to call
++ * pam_close_session() as root.
++ *
++ * Note: not true in other (non-Linux) PAM implementations, where
++ * the parent process of login (init, telnetd, ...) is responsible
++ * for calling pam_close_session(). This avoids an extra process for
++ * each login. Maybe we should do this on Linux too? We let the
++ * admin configure whether they need to keep login around to close
++ * sessions.
++ */
++ if (getdef_bool ("CLOSE_SESSIONS")) {
++ signal (SIGINT, SIG_IGN);
++ child = fork ();
++ if (child < 0) {
++ /* error in fork() */
++ fprintf (stderr,
++ "login: failure forking: %s",
++ strerror (errno));
++ PAM_END;
++ exit (0);
++ } else if (child) {
++ /*
++ * parent - wait for child to finish, then cleanup
++ * session
++ */
++ wait (NULL);
++ PAM_END;
++ exit (0);
++ }
++ /* child */
++ }
++#endif
+ /* We call set_groups() above because this clobbers pam_groups.so */
+ #ifndef USE_PAM
+ if (setup_uid_gid (&pwent, is_console))
+@@ -1377,41 +1411,6 @@
+ signal (SIGTERM, SIG_DFL); /* default terminate signal */
+ signal (SIGALRM, SIG_DFL); /* default alarm signal */
+ signal (SIGHUP, SIG_DFL); /* added this. --marekm */
+-
+-#ifdef USE_PAM
+- /*
+- * We must fork before setuid() because we need to call
+- * pam_close_session() as root.
+- *
+- * Note: not true in other (non-Linux) PAM implementations, where
+- * the parent process of login (init, telnetd, ...) is responsible
+- * for calling pam_close_session(). This avoids an extra process for
+- * each login. Maybe we should do this on Linux too? We let the
+- * admin configure whether they need to keep login around to close
+- * sessions.
+- */
+- if (getdef_bool ("CLOSE_SESSIONS")) {
+- signal (SIGINT, SIG_IGN);
+- child = fork ();
+- if (child < 0) {
+- /* error in fork() */
+- fprintf (stderr,
+- "login: failure forking: %s",
+- strerror (errno));
+- PAM_END;
+- exit (0);
+- } else if (child) {
+- /*
+- * parent - wait for child to finish, then cleanup
+- * session
+- */
+- wait (NULL);
+- PAM_END;
+- exit (0);
+- }
+- /* child */
+- }
+-#endif
+ signal (SIGINT, SIG_DFL); /* default interrupt signal */
+
+ endpwent (); /* stop access to password file */
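Review bot: In the parent branch of the new `CLOSE_SESSIONS` block, `wait (NULL)` is called once and its result is ignored, so an early return (for example -1 with EINTR after a caught signal) lets the parent run `PAM_END` and exit while the user's session is still alive. The block now sits before the `signal (..., SIG_DFL)` resets shown in the second inner hunk, so the parent presumably keeps whatever handlers login installed earlier; those are outside this hunk, and the patch header itself leaves the question open. Waiting on the specific child and retrying would close the gap: `while (waitpid (child, NULL, 0) < 0 && errno == EINTR) ;`. The fork-failure branch also prints a message with no trailing newline and ends with `exit (0)`; a non-zero status such as `exit (1)` would let the caller see that login failed. The enclosing function in login.c starts and ends outside the hunk.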
Modified: trunk/debian/patches/008_src.dpatch
===================================================================
--- trunk/debian/patches/008_src.dpatch 2005-05-24 11:07:39 UTC (rev 177)
+++ trunk/debian/patches/008_src.dpatch 2005-05-28 17:23:59 UTC (rev 178)
@@ -218,90 +218,7 @@
if (getdef_str ("FTMP_FILE") != NULL) {
const char *failent_user;
-@@ -1208,6 +1269,40 @@
- login_fbtab (tty, pwent.pw_uid, pwent.pw_gid);
- #endif
-
-+#ifdef USE_PAM
-+ /*
-+ * We must fork before setuid() because we need to call
-+ * pam_close_session() as root.
-+ *
-+ * Note: not true in other (non-Linux) PAM implementations, where
-+ * the parent process of login (init, telnetd, ...) is responsible
-+ * for calling pam_close_session(). This avoids an extra process for
-+ * each login. Maybe we should do this on Linux too? We let the
-+ * admin configure whether they need to keep login around to close
-+ * sessions.
-+ */
-+ if (getdef_bool ("CLOSE_SESSIONS")) {
-+ signal (SIGINT, SIG_IGN);
-+ child = fork ();
-+ if (child < 0) {
-+ /* error in fork() */
-+ fprintf (stderr,
-+ "login: failure forking: %s",
-+ strerror (errno));
-+ PAM_END;
-+ exit (0);
-+ } else if (child) {
-+ /*
-+ * parent - wait for child to finish, then cleanup
-+ * session
-+ */
-+ wait (NULL);
-+ PAM_END;
-+ exit (0);
-+ }
-+ /* child */
-+ }
-+#endif
- /* We call set_groups() above because this clobbers pam_groups.so */
- #ifndef USE_PAM
- if (setup_uid_gid (&pwent, is_console))
-@@ -1309,41 +1404,6 @@
- signal (SIGTERM, SIG_DFL); /* default terminate signal */
- signal (SIGALRM, SIG_DFL); /* default alarm signal */
- signal (SIGHUP, SIG_DFL); /* added this. --marekm */
--
--#ifdef USE_PAM
-- /*
-- * We must fork before setuid() because we need to call
-- * pam_close_session() as root.
-- *
-- * Note: not true in other (non-Linux) PAM implementations, where
-- * the parent process of login (init, telnetd, ...) is responsible
-- * for calling pam_close_session(). This avoids an extra process for
-- * each login. Maybe we should do this on Linux too? We let the
-- * admin configure whether they need to keep login around to close
-- * sessions.
-- */
-- if (getdef_bool ("CLOSE_SESSIONS")) {
-- signal (SIGINT, SIG_IGN);
-- child = fork ();
-- if (child < 0) {
-- /* error in fork() */
-- fprintf (stderr,
-- "login: failure forking: %s",
-- strerror (errno));
-- PAM_END;
-- exit (0);
-- } else if (child) {
-- /*
-- * parent - wait for child to finish, then cleanup
-- * session
-- */
-- wait (NULL);
-- PAM_END;
-- exit (0);
-- }
-- /* child */
-- }
--#endif
- signal (SIGINT, SIG_DFL); /* default interrupt signal */
-
- endpwent (); /* stop access to password file */
-@@ -1357,7 +1417,11 @@
+@@ -1357,7 +1418,11 @@
if (pwent.pw_uid == 0)
SYSLOG ((LOG_NOTICE, "ROOT LOGIN %s", fromhost));
else if (getdef_bool ("LOG_OK_LOGINS"))
Modified: trunk/debian/patches/series
===================================================================
--- trunk/debian/patches/series 2005-05-24 11:07:39 UTC (rev 177)
+++ trunk/debian/patches/series 2005-05-28 17:23:59 UTC (rev 178)
@@ -8,6 +8,7 @@
008_grpck_add_prune_option
008_login_stop_checking_args_after--
008_login_opt-f_with_username_after--
+008_login_close_session_as_root
008_usermod_warn_old_home_not_removed
008_userdel_remove_group_from_gshadow
008_newgrp_preserve_env