[Pkg-shadow-commits] r1154 - in branches/etch/debian: . patches

Nicolas FRANCOIS nekral-guest at alioth.debian.org
Sun Feb 25 16:41:59 CET 2007


Author: nekral-guest
Date: 2007-02-25 16:41:58 +0100 (Sun, 25 Feb 2007)
New Revision: 1154

Added:
   branches/etch/debian/patches/405_su_no_pam_end_before_exec
Modified:
   branches/etch/debian/changelog
   branches/etch/debian/patches/series
Log:
Avoid terminating the PAM library in the forked child.  This is done later
in the parent after closing the PAM session.  With pam_krb5, this allows
users to reuse the cached credential in the forked shell. Closes: #412061


Modified: branches/etch/debian/changelog
===================================================================
--- branches/etch/debian/changelog	2007-02-24 15:21:57 UTC (rev 1153)
+++ branches/etch/debian/changelog	2007-02-25 15:41:58 UTC (rev 1154)
@@ -3,6 +3,11 @@
   * The "Pélardon" release
   * Upstream bugs fixed upstream:
     - 104_man-sv: Recode Swedish manpages to ISO-8859-1. Closes: #403210
+  * Upstream bugs or fixes not yet fixed in upstream releases or CVS:
+    - 405_su_no_pam_end_before_exec: Avoid terminating the PAM library in the
+    forked child.  This is done later in the parent after closing the PAM
+    session.  With pam_krb5, this allow users to reuse the cached credential
+    in the forked shell. Closes: #412061
 
  -- Christian Perrier <bubulle at debian.org>  Fri, 15 Dec 2006 18:38:33 +0100
 
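Review bot: In the added 405_su_no_pam_end_before_exec entry, the continuation lines ("forked child. ...", "session. ...", "in the forked shell. ...") start in the same column as the "-" marker, so they do not read as part of the item; indent them two more columns so they line up under the item text. In the same entry "this allow users" should be "this allows users", and the new heading "Upstream bugs or fixes not yet fixed in upstream releases or CVS" is hard to parse; "Upstream bugs not yet fixed in upstream releases or CVS" says the same thing.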

Added: branches/etch/debian/patches/405_su_no_pam_end_before_exec
===================================================================
--- branches/etch/debian/patches/405_su_no_pam_end_before_exec	2007-02-24 15:21:57 UTC (rev 1153)
+++ branches/etch/debian/patches/405_su_no_pam_end_before_exec	2007-02-25 15:41:58 UTC (rev 1154)
@@ -0,0 +1,29 @@
+Goal: Avoid terminating the PAM library in the forked child. This is done
+      later in the parent after closing the PAM session.
+
+Note: OR'ing the status with PAM_DATA_SILENT should be sufficient, but it
+is not supported by some modules, and the pam_end is not strictly needed
+anyway.
+
+Fixes: #412061
+
+Status wrt upstream: not reported yet.
+
+Index: shadow-4.0.18.1/src/su.c
+===================================================================
+--- shadow-4.0.18.1.orig/src/su.c	2007-02-25 14:22:54.000000000 +0100
++++ shadow-4.0.18.1/src/su.c	2007-02-25 14:29:01.000000000 +0100
+@@ -197,7 +197,12 @@
+ 
+ 	child = fork ();
+ 	if (child == 0) {	/* child shell */
+-		pam_end (pamh, PAM_SUCCESS);
++		/*
++		 * PAM_DATA_SILENT is not supported by some modules, and
++		 * there is no strong need to clean up the process space's
++		 * memory since we will either call exec or exit.
++		pam_end (pamh, PAM_SUCCESS | PAM_DATA_SILENT);
++		 */
+ 
+ 		if (doshell)
+ 			(void) shell (shellstr, (char *) args[0], envp);
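Review bot: The replacement in the child branch of su.c leaves a call, "pam_end (pamh, PAM_SUCCESS | PAM_DATA_SILENT);", inside the comment block, and that call is not the code being removed (the removed line passes PAM_SUCCESS only), so a later reader cannot tell whether it is dead code, a TODO or documentation. Drop the call from the comment and state the actual reason instead: pam_end must not run in the child because the parent calls it after closing the PAM session, and running it in the child makes modules such as pam_krb5 discard the cached credential the forked shell is meant to reuse. The patch header also says "Status wrt upstream: not reported yet"; since the change alters where PAM state is torn down in su, it should be forwarded upstream rather than carried only in the etch branch, and the header's claim that pam_end "is not strictly needed anyway" deserves a sentence on why holding pamh until exec or exit is acceptable.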

Modified: branches/etch/debian/patches/series
===================================================================
--- branches/etch/debian/patches/series	2007-02-24 15:21:57 UTC (rev 1153)
+++ branches/etch/debian/patches/series	2007-02-25 15:41:58 UTC (rev 1154)
@@ -46,3 +46,4 @@
 404_man-fr
 103_man-de
 104_man-sv
+405_su_no_pam_end_before_exec



