Hello community, here is the log from the commit of package pam_fp checked in at Mon Oct 27 17:32:16 CET 2008. -------- --- pam_fp/pam_fp.changes 2008-10-20 14:58:46.000000000 +0200 +++ /mounts/work_src_done/STABLE/pam_fp/pam_fp.changes 2008-10-27 17:06:07.651886000 +0100 @@ -1,0 +2,12 @@ +Mon Oct 27 17:05:51 CET 2008 - ro@suse.de + +- re-add s390 to ExcludeArch list (not just s390x) + +------------------------------------------------------------------- +Mon Oct 27 14:12:25 CET 2008 - thoenig@suse.de + +- correct usage of pam_syslog (bnc#433048) +- use blocking pipe (bnc#433048) +- initialize signal handler structures with 0 (bnc#433048) + +------------------------------------------------------------------- calling whatdependson for head-i586 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ pam_fp.spec ++++++ --- /var/tmp/diff_new_pack.w25561/_old 2008-10-27 17:32:04.000000000 +0100 +++ /var/tmp/diff_new_pack.w25561/_new 2008-10-27 17:32:04.000000000 +0100 @@ -24,9 +24,10 @@ Summary: PAM module to be used with libfprint BuildRequires: coreutils libfprint-devel pam-devel pkgconfig PreReq: coreutils pam pam-config +# on biarch platforms we need to have it before the call of pam-config Recommends: yast2-fingerprint-reader Version: 0.1 -Release: 6 +Release: 7 License: GPL v2 or later Group: Productivity/Security Source0: %{name}-%{version}.tar.bz2 
@@ -85,6 +86,12 @@ /%_lib/security/pam_fp.so %changelog +* Mon Oct 27 2008 ro@suse.de +- re-add s390 to ExcludeArch list (not just s390x) +* Mon Oct 27 2008 thoenig@suse.de +- correct usage of pam_syslog (bnc#433048) +- use blocking pipe (bnc#433048) +- initialize signal handler structures with 0 (bnc#433048) * Mon Oct 20 2008 thoenig@suse.de - fix stderr output (bnc#436904) - don't enable PAM module by default. This is handled by ++++++ pam_fp-0.1.tar.bz2 ++++++ diff -urN --exclude=CVS --exclude=.cvsignore --exclude=.svn --exclude=.svnignore old/pam_fp-0.1/src/pam_fp.c new/pam_fp-0.1/src/pam_fp.c --- old/pam_fp-0.1/src/pam_fp.c 2008-10-20 15:19:33.000000000 +0200 +++ new/pam_fp-0.1/src/pam_fp.c 2008-10-27 14:10:59.000000000 +0100 @@ -86,6 +86,8 @@ int fds[2]; struct sigaction sigchld_action; struct sigaction sigchld_action_old; + struct sigaction sigpipe_action; + struct sigaction sigpipe_action_old; pam_fp_libfprint_s fprint; } pam_fp_s; 
@@ -97,39 +99,59 @@ if (pam_tf_debug) { va_start (ap, format); vsnprintf (message, sizeof(message), format, ap); - va_end(ap); - pam_syslog (pam_fp->pamh, type, message); + va_end (ap); + pam_syslog (pam_fp->pamh, type, "%s", message); } } -static int pam_fp_save_sigchld_handler(pam_fp_s *pam_fp) +static int pam_fp_save_sigchld_handler (pam_fp_s *pam_fp) { - int retval; + int retval; - pam_fp->sigchld_action.sa_handler = SIG_IGN; - retval = sigaction (SIGCHLD, &pam_fp->sigchld_action, &pam_fp->sigchld_action_old); + pam_fp->sigchld_action.sa_handler = SIG_IGN; + sigemptyset (&pam_fp->sigchld_action.sa_mask); + retval = sigaction (SIGCHLD, &pam_fp->sigchld_action, &pam_fp->sigchld_action_old); - return retval; + return retval; +} + +static int pam_fp_restore_sigchld_handler (const pam_fp_s *pam_fp) +{ + int retval; + + retval = sigaction (SIGCHLD, &pam_fp->sigchld_action_old, NULL); + + return retval; } -static int pam_fp_restore_sigchld_handler(const pam_fp_s *pam_fp) +static int pam_fp_save_sigpipe_handler (pam_fp_s *pam_fp) { - int retval; + int retval; - retval = sigaction (SIGCHLD, &pam_fp->sigchld_action_old, NULL); + pam_fp->sigpipe_action.sa_handler = SIG_IGN; + sigemptyset (&pam_fp->sigchld_action.sa_mask); + retval = sigaction (SIGPIPE, &pam_fp->sigpipe_action, &pam_fp->sigpipe_action_old); - return retval; + return retval; } +static int pam_fp_restore_sigpipe_handler (const pam_fp_s *pam_fp) +{ + int retval; + + retval = sigaction (SIGPIPE, &pam_fp->sigpipe_action_old, NULL); + + return retval; +} static void pam_fp_options (const pam_fp_s *pam_fp, int argc, const char **argv) { int i; for (i = 0; i < argc; i++) { - if (!strcmp(argv[i], "debug")) + if (!strcmp (argv[i], "debug")) pam_tf_debug = 1; - else if (!strcmp(argv[i], " ") || !strcmp(argv[i], "\t")) + else if (!strcmp (argv[i], " ") || !strcmp (argv[i], "\t")) continue; else pam_fp_log (pam_fp, LOG_INFO, 
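Review bot: In the new `pam_fp_save_sigpipe_handler` the `sigemptyset` call clears `sigchld_action.sa_mask`, not the SIGPIPE structure, which looks like a copy-paste slip from the SIGCHLD helper above it. As written, `sigpipe_action.sa_mask` is only ever initialised by the caller's `memset` in the @@ -444 hunk, which is not a portable way to produce an empty signal set. The line should read `sigemptyset (&pam_fp->sigpipe_action.sa_mask);`. Both save helpers return the `sigaction` result, but the caller in the @@ -444 hunk discards it, so after a failed save the restore helpers would install whatever `sigchld_action_old` / `sigpipe_action_old` happen to contain.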
@@ -137,7 +159,7 @@ } } -static int pam_fp_read_pipe(const pam_fp_s *pam_fp, int *result) +static int pam_fp_read_pipe (const pam_fp_s *pam_fp, int *result) { int retval = -1; @@ -201,7 +223,7 @@ { int ret = -1; pam_fp_libfprint_s *fprint = &pam_fp->fprint; - const char *driver_name = fp_driver_get_full_name (fp_dev_get_driver(fprint->dev)); + const char *driver_name = fp_driver_get_full_name (fp_dev_get_driver (fprint->dev)); const char *fstr = pam_fp_fts (fprint->finger); pam_fp_log (pam_fp, LOG_NOTICE, "Awaiting swipe (%s, %s).", driver_name, fstr); @@ -243,11 +265,17 @@ int retval = -1; int ret; pam_fp_libfprint_s *fprint = &pam_fp->fprint; + int std_err, std_err_new; char *home_dir_old; char *home_dir; struct passwd *passwd; - passwd = getpwnam(pam_fp->user); + /* don't let libfprint clutter console prompts in case of errors */ + std_err = dup (STDERR_FILENO); + std_err_new = open ("/dev/null", O_WRONLY); + dup2 (std_err_new, STDERR_FILENO); + + passwd = getpwnam (pam_fp->user); if (passwd == NULL) { pam_fp_log (pam_fp, LOG_ERR, "fork(2) failed."); goto out; @@ -264,7 +292,7 @@ pam_fp_log (pam_fp, LOG_NOTICE, "Stored $HOME=\"%s\".", home_dir_old); - home_dir = strdup(passwd->pw_dir); + home_dir = strdup (passwd->pw_dir); if (home_dir == NULL) { pam_fp_log (pam_fp, LOG_ERR, "strdup(3) failed."); free (home_dir_old); @@ -285,13 +313,13 @@ goto out; } - fprint->ddevs = fp_discover_devs(); + fprint->ddevs = fp_discover_devs (); if (fprint->ddevs == NULL) { pam_fp_log (pam_fp, LOG_ERR, "fp_discover_devs failed."); goto out; } - fprint->prints = fp_discover_prints(); + fprint->prints = fp_discover_prints (); if (fprint->prints == NULL) { pam_fp_log (pam_fp, LOG_ERR, "fp_discover_prints failed."); fp_dscv_devs_free(fprint->ddevs); 
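Review bot: The stderr redirection added in the @@ -243,11 +265,17 @@ hunk calls `dup`, `open` and `dup2` without checking any result. If `dup` fails while `open` succeeds, stderr is pointed at /dev/null and the restoring `dup2 (std_err, STDERR_FILENO)` in the @@ -332 hunk cannot undo it, so the host application loses its stderr for the rest of its lifetime. Redirect only when both descriptors are valid, for example `if (std_err >= 0 && std_err_new >= 0) dup2 (std_err_new, STDERR_FILENO);`. Separately, the context line that logs `"fork(2) failed."` when `getpwnam` returns NULL reports the wrong call and would mislead anyone reading the auth log; `"getpwnam(3) failed."` matches what happened. The function begins and ends outside this hunk.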
@@ -306,22 +334,22 @@ goto out; } - fprint->dev = fp_dev_open(fprint->ddev); + fprint->dev = fp_dev_open (fprint->ddev); if (fprint->dev == NULL) { pam_fp_log (pam_fp, LOG_ERR, "fp_dev_open() failed."); - fp_dscv_devs_free(fprint->ddevs); - fp_dscv_prints_free(fprint->prints); + fp_dscv_devs_free (fprint->ddevs); + fp_dscv_prints_free (fprint->prints); goto out; } - fprint->finger = fp_dscv_print_get_finger(fprint->print); + fprint->finger = fp_dscv_print_get_finger (fprint->print); - ret = fp_print_data_from_dscv_print(fprint->print, &fprint->data); - fp_dscv_prints_free(fprint->prints); + ret = fp_print_data_from_dscv_print (fprint->print, &fprint->data); + fp_dscv_prints_free (fprint->prints); if (ret != 0) { pam_fp_log (pam_fp, LOG_ERR, "%s (fp_print_data_from_dscv_print failed).", __FUNCTION__); - fp_dev_close(fprint->dev); - fp_print_data_free(fprint->data); + fp_dev_close (fprint->dev); + fp_print_data_free (fprint->data); goto out; } @@ -332,11 +360,15 @@ ret = setenv ("HOME", home_dir_old, 1); if (ret < 0) pam_fp_log (pam_fp, LOG_ERR, "setenv(3) failed."); - if (home_dir_old) - free(home_dir_old); + free (home_dir_old); if (home_dir) - free(home_dir); + free (home_dir); + dup2 (std_err, STDERR_FILENO); + if (std_err_new > 0) + close (std_err_new); + if (std_err > 0) + close (std_err); return retval; } @@ -375,18 +407,18 @@ } out: - fp_print_data_free(fprint->data); + fp_print_data_free (fprint->data); return ret; } static void pam_fp_libfprint_deinit (pam_fp_s *pam_fp) { pam_fp_libfprint_s *fprint = &pam_fp->fprint; - fp_print_data_free(fprint->data); - fp_dev_close(fprint->dev); + fp_print_data_free (fprint->data); + fp_dev_close (fprint->dev); } -static void pam_fp_swipe(pam_fp_s *pam_fp) +static void pam_fp_swipe (pam_fp_s *pam_fp) { int ret = -1; @@ -409,7 +441,7 @@ _exit (0); } -static void pam_fp_prompt(pam_fp_s *pam_fp) +static void pam_fp_prompt (pam_fp_s *pam_fp) { int ret = -1; char *resp; 
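Review bot: The cleanup added in the @@ -332,11 +360,15 @@ hunk tests `std_err_new > 0` and `std_err > 0`, but 0 is a valid descriptor (a caller that has closed stdin will get it back from `dup` or `open`), so in that case the descriptor leaks; the checks should be `>= 0`. The restoring `dup2 (std_err, STDERR_FILENO)` is unconditional and unchecked and should be guarded the same way, `if (std_err >= 0) dup2 (std_err, STDERR_FILENO);`. Dropping the `if (home_dir_old)` guard is harmless for a NULL pointer, but `home_dir_old` and `home_dir` are declared without initialisers in the earlier hunk and the position of the `out:` label is not visible here. Initialising both to `NULL` at declaration would make every early `goto out` safe regardless of where the label sits.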
@@ -418,18 +450,21 @@ pam_prompt (pam_fp->pamh, PAM_PROMPT_ECHO_OFF, &resp, "Password or swipe finger: "); pam_set_item (pam_fp->pamh, PAM_AUTHTOK, resp); + if (strlen (resp) > 0) { + /* password was given, authenticate based on the passwordD, if any */ + pam_fp_log (pam_fp, LOG_NOTICE, "Password received, stopping child process (pid %i).", pam_fp->child); + kill (pam_fp->child, SIGKILL); + wait (NULL); + goto out; + } + ret = pam_fp_read_pipe (pam_fp, &pam_fp->swipe_result); if (ret > 0) { - /* there was a swipe, authenticate based on its result */ + /* there was a swipe, store its result */ pam_fp_log (pam_fp, LOG_NOTICE, "Read result from pipe: %i", pam_fp->swipe_result); pam_fp->swipe_succeeded = 1; - /* FIXME */ - goto out; - } else { - /* there was no swipe, authenticate based on the password, if any */ - pam_fp_log (pam_fp, LOG_NOTICE, "Password received, stopping child process."); - kill (pam_fp->child, SIGKILL); } + out: pam_fp_log (pam_fp, LOG_INFO, "%s (parent) exit.", __FUNCTION__); return; @@ -444,20 +479,22 @@ pam_fp_s pam_fp; struct termios term_attr; int pid; - long fd_flags; pam_fp.pamh = pamh; pam_fp.swipe_result = PAM_AUTHINFO_UNAVAIL; pam_fp.swipe_succeeded = 0; pam_fp_options (&pam_fp, argc, argv); - pam_fp_save_sigchld_handler(&pam_fp); + memset (&pam_fp.sigchld_action, 0, sizeof(pam_fp.sigchld_action)); + memset (&pam_fp.sigpipe_action, 0, sizeof(pam_fp.sigpipe_action)); + pam_fp_save_sigchld_handler (&pam_fp); + pam_fp_save_sigpipe_handler (&pam_fp); pam_fp.isatty = isatty (STDIN_FILENO); if (pam_fp.isatty == 1) tcgetattr (STDIN_FILENO, &term_attr); pam_get_item (pamh, PAM_RHOST, (const void **)(const void*) &rhost); - if (rhost != NULL && strlen(rhost) > 0) { + if (rhost != NULL && strlen (rhost) > 0) { pam_fp_log (&pam_fp, LOG_ERR, "Error: Remote login from host \"%s\" detected.", rhost); goto out; } 
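Review bot: The added `strlen (resp)` in the @@ -418,18 +450,21 @@ hunk dereferences `resp` without looking at what `pam_prompt` returned; if the conversation fails, `resp` can be NULL or never written and the module faults inside the authenticating process. Capture the return value and test the pointer first, e.g. `ret = pam_prompt (...);` followed by `if (ret == PAM_SUCCESS && resp != NULL && resp[0] != '\0')`. The new `wait (NULL)` is not tied to the swipe child and runs while this module has SIGCHLD set to SIG_IGN, so it can block on or consume the status of unrelated children of the host application; `waitpid (pam_fp->child, NULL, 0)` limits it to the process that was just killed. `resp` holds the typed password and is neither cleared nor freed in the visible lines; the function starts outside the hunk, so confirm that is handled on the path through `out:`.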
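Review bot: The two `memset` calls added in the @@ -444,20 +479,22 @@ hunk zero only `sigchld_action` and `sigpipe_action`, while the remaining members of the stack-allocated `pam_fp` (the `*_old` structures, `fds`, `child`, `fprint`) keep indeterminate values on the early `goto out` taken for a remote host. Whether the code after `out:` reads any of them is not visible in this hunk, but a single `memset (&pam_fp, 0, sizeof (pam_fp));` placed directly after the declarations and before `pam_fp.pamh = pamh;` would remove the question and replace both added lines. The enclosing function begins and ends outside the hunk.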
@@ -481,19 +518,14 @@ goto out; } - fd_flags = fcntl(pam_fp.fds[0], F_GETFL); - fcntl(pam_fp.fds[0], F_SETFL, fd_flags | O_NONBLOCK); - fd_flags = fcntl(pam_fp.fds[1], F_GETFL); - fcntl(pam_fp.fds[1], F_SETFL, fd_flags | O_NONBLOCK); - ret = pam_fp_libfprint_init (&pam_fp); if (ret != 0) { pam_fp_log (&pam_fp, LOG_ERR, "Initializing libfprint failed."); goto out; } - pam_fp.parent = getpid(); - pid = fork(); + pam_fp.parent = getpid (); + pid = fork (); if (pid < 0) { pam_fp_log (&pam_fp, LOG_ERR, "fork(2) failed."); goto out; @@ -501,14 +533,14 @@ if (pid == 0) { /* child */ - pam_fp.child = getpid(); + pam_fp.child = getpid (); pam_fp_log (&pam_fp, LOG_INFO, "Starting pam_fp_swipe (pid %i).", pam_fp.child); - pam_fp_swipe(&pam_fp); + pam_fp_swipe (&pam_fp); } else { /* parent */ pam_fp.child = pid; pam_fp_log (&pam_fp, LOG_INFO, "Starting pam_fp_prompt (pid %i).", pam_fp.parent); - pam_fp_prompt(&pam_fp); + pam_fp_prompt (&pam_fp); } pam_fp_libfprint_deinit (&pam_fp); @@ -521,7 +553,8 @@ retval = pam_fp.swipe_result; else retval = PAM_AUTHINFO_UNAVAIL; - pam_fp_restore_sigchld_handler(&pam_fp); + pam_fp_restore_sigpipe_handler (&pam_fp); + pam_fp_restore_sigchld_handler (&pam_fp); pam_fp_log (&pam_fp, LOG_INFO, "%s returning '%d': %s.", __FUNCTION__, retval, retval ? pam_strerror (pamh, retval) : "success"); ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Remember to have fun... -- To unsubscribe, e-mail: opensuse-commit+unsubscribe@opensuse.org For additional commands, e-mail: opensuse-commit+help@opensuse.org
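Review bot: With the `O_NONBLOCK` setup removed in the @@ -481,19 +518,14 @@ hunk, the parent's read of the pipe (presumably `fds[0]` inside `pam_fp_read_pipe`) blocks until data or end-of-file arrives, and end-of-file is only signalled once every copy of the write end has been closed. No `close (pam_fp.fds[1])` in the parent appears in the visible hunks; if there is none elsewhere, a swipe child that exits or crashes before writing leaves the login prompt blocked in that read with no timeout. Closing the unused ends right after `fork ()`, `close (pam_fp.fds[0]);` in the child branch and `close (pam_fp.fds[1]);` in the parent branch of the @@ -501 hunk, lets the read return 0 in that case. The enclosing function extends beyond these hunks, so check the `out:` path closes whatever remains open.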