commit pam for openSUSE:Factory

6 Feb 2009

Hello community,

here is the log from the commit of package pam for openSUSE:Factory
checked in at Fri Feb 6 16:59:34 CET 2009.


--------

--- pam/pam.changes	2008-12-10 14:26:57.000000000 +0100
+++ pam/pam.changes	2009-02-05 17:07:39.000000000 +0100
@@ -1,0 +2,11 @@
+Thu Feb  5 17:01:56 CET 2009 - kukuk@suse.de
+
+- Log failures of setrlimit in pam_limits [bnc#448314]
+- Fix using of requisite in password stack [bnc#470337]
+
+-------------------------------------------------------------------
+Tue Jan 20 12:21:08 CET 2009 - kukuk@suse.de
+
+- Regenerate documentation [bnc#448314]
+
+-------------------------------------------------------------------

calling whatdependson for head-i586


New:
----
  libpam-password-requisite.diff
  pam_limits-logging.diff

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Other differences:
------------------
++++++ pam.spec ++++++
--- /var/tmp/diff_new_pack.i21083/_old	2009-02-06 16:55:42.000000000 +0100
+++ /var/tmp/diff_new_pack.i21083/_new	2009-02-06 16:55:42.000000000 +0100
@@ -1,7 +1,7 @@
 #
 # spec file for package pam (Version 1.0.2)
 #
-# Copyright (c) 2008 SUSE LINUX Products GmbH, Nuernberg, Germany.
+# Copyright (c) 2009 SUSE LINUX Products GmbH, Nuernberg, Germany.
 #
 # All modifications and additions to the file contributed by third parties
 # remain the property of their copyright owners, unless otherwise agreed
@@ -40,7 +40,7 @@
 %endif
 #
 Version:        1.0.2
-Release:        15
+Release:        18
 Summary:        A Security Tool that Provides Authentication for Applications
 Source:         Linux-PAM-%{version}.tar.bz2
 Source1:        Linux-PAM-%{version}-SUSE-docs.tar.bz2
@@ -69,6 +69,8 @@
 Patch14:        pam_pwhistory-type.diff
 Patch15:        pam_time.diff
 Patch16:        pam_limits-doc.diff
+Patch17:        pam_limits-logging.diff
+Patch18:        libpam-password-requisite.diff
 
 %description
 PAM (Pluggable Authentication Modules) is a system security tool that
@@ -134,6 +136,8 @@
 %patch14 -p0
 %patch15 -p0
 %patch16 -p0
+%patch17 -p0
+%patch18 -p0
 
 %build
 aclocal -I m4 --install --force
@@ -342,6 +346,11 @@
 %{_libdir}/libpam_misc.so
 
 %changelog
+* Thu Feb 05 2009 kukuk@suse.de
+- Log failures of setrlimit in pam_limits [bnc#448314]
+- Fix using of requisite in password stack [bnc#470337]
+* Tue Jan 20 2009 kukuk@suse.de
+- Regenerate documentation [bnc#448314]
 * Wed Dec 10 2008 olh@suse.de
 - use Obsoletes: -XXbit only for ppc64 to help solver during distupgrade
   (bnc#437293)

++++++ libpam-password-requisite.diff ++++++
--- libpam/pam_dispatch.c	3 Dec 2008 14:16:33 -0000	1.13
+++ libpam/pam_dispatch.c	4 Feb 2009 13:48:02 -0000
@@ -132,11 +132,10 @@
 	}
 
 	/*
-	 * use_cached_chain is how we ensure that the setcred/close_session
-	 * and chauthtok(2) modules are called in the same order as they did
-	 * when they were invoked as auth/open_session/chauthtok(1). This
-	 * feature was added in 0.75 to make the behavior of pam_setcred
-	 * sane. It was debugged by release 0.76.
+	 * use_cached_chain is how we ensure that the setcred and
+         * close_session modules are called in the same order as they did
+	 * when they were invoked as auth/open_session. This feature was
+	 * added in 0.75 to make the behavior of pam_setcred sane.
 	 */
 	if (use_cached_chain != _PAM_PLEASE_FREEZE) {
 
@@ -358,9 +357,6 @@
 	break;
     case PAM_CHAUTHTOK:
 	h = pamh->handlers.conf.chauthtok;
-	if (flags & PAM_UPDATE_AUTHTOK) {
-	    use_cached_chain = _PAM_MUST_BE_FROZEN;
-	}
 	break;
     default:
 	pam_syslog(pamh, LOG_ERR, "undefined fn choice; %d", choice);
--- libpam/pam_password.c	24 Jul 2006 15:47:40 -0000	1.5
+++ libpam/pam_password.c	4 Feb 2009 13:48:02 -0000
@@ -24,6 +24,13 @@
 	return PAM_SYSTEM_ERR;
     }
 
+    /* applications are not allowed to set this flags */
+    if (flags & (PAM_PRELIM_CHECK | PAM_UPDATE_AUTHTOK)) {
+      syslog(LOG_ERR, _PAM_SYSTEM_LOG_PREFIX
+	     "PAM_PRELIM_CHECK or PAM_UPDATE_AUTHTOK set by application");
+      return PAM_SYSTEM_ERR;
+    }
+
     if (pamh->former.choice == PAM_NOT_STACKED) {
 	_pam_start_timer(pamh);    /* we try to make the time for a failure
 				      independent of the time it takes to
@@ -58,4 +67,3 @@
 
     return retval;
 }
-
++++++ Linux-PAM-1.0.2-SUSE-docs.tar.bz2 ++++++
++++ 1918 lines of diff (skipped)

++++++ Linux-PAM-docu-generated.diff ++++++
++++ 15766 lines (skipped)
++++ between pam/Linux-PAM-docu-generated.diff
++++ and pam/Linux-PAM-docu-generated.diff

++++++ pam_limits-logging.diff ++++++
--- modules/pam_limits/pam_limits.c	7 Dec 2007 15:40:02 -0000	1.46
+++ modules/pam_limits/pam_limits.c	5 Feb 2009 15:48:49 -0000
@@ -42,7 +42,7 @@
 #include <locale.h>
 
 #ifdef HAVE_LIBAUDIT
-#include <libaudit.h>                                                                                                                                            
+#include <libaudit.h>
 #endif
 
 /* Module defines */
@@ -141,6 +141,73 @@
     return ctrl;
 }
 
+static const char *
+i2str (int i)
+{
+  switch (i) {
+  case RLIMIT_CPU:
+    return "cpu";
+    break;
+  case RLIMIT_FSIZE:
+    return "fsize";
+    break;
+  case RLIMIT_DATA:
+    return "data";
+    break;
+  case RLIMIT_STACK:
+    return "stack";
+    break;
+  case RLIMIT_CORE:
+    return "core";
+    break;
+  case RLIMIT_RSS:
+    return "rss";
+    break;
+  case RLIMIT_NPROC:
+    return "nproc";
+    break;
+  case RLIMIT_NOFILE:
+    return "nofile";
+    break;
+  case RLIMIT_MEMLOCK:
+    return "memlock";
+    break;
+#ifdef RLIMIT_AS
+  case RLIMIT_AS:
+    return "as";
+    break;
+#endif
+#ifdef RLIMIT_LOCKS
+  case RLIMIT_LOCKS:
+    return "locks";
+    break;
+#endif
+#ifdef RLIMIT_SIGPENDING
+  case RLIMIT_SIGPENDING:
+    return "sigpending";
+    break;
+#endif
+#ifdef RLIMIT_MSGQUEUE
+  case RLIMIT_MSGQUEUE:
+    return "msgqueue";
+    break;
+#endif
+#ifdef RLIMIT_NICE
+  case RLIMIT_NICE:
+    return "nice";
+    break;
+#endif
+#ifdef RLIMIT_RTPRIO
+  case RLIMIT_RTPRIO:
+    return "rtprio";
+    break;
+#endif
+  default:
+    return "UNKNOWN";
+    break;
+  }
+}
+
 
 #define LIMITED_OK 0 /* limit setting appeared to work */
 #define LIMIT_ERR  1 /* error setting a limit */
@@ -416,8 +483,8 @@
 	 if (int_value < -20)
 	   int_value = -20;
 	 rlimit_value = 20 - int_value;
-#endif
          break;
+#endif
     }
 
     if ( (limit_item != LIMIT_LOGIN)
@@ -575,6 +642,8 @@
     int retval = LIMITED_OK;
 
     for (i=0, status=LIMITED_OK; i<RLIM_NLIMITS; i++) {
+      int res;
+
 	if (!pl->limits[i].supported) {
 	    /* skip it if its not known to the system */
 	    continue;
@@ -586,7 +655,11 @@
 	}
         if (pl->limits[i].limit.rlim_cur > pl->limits[i].limit.rlim_max)
             pl->limits[i].limit.rlim_cur = pl->limits[i].limit.rlim_max;
-	status |= setrlimit(i, &pl->limits[i].limit);
+	res = setrlimit(i, &pl->limits[i].limit);
+	if (res != 0)
+	  pam_syslog(pamh, LOG_ERR, "Could not set limit for '%s': %m",
+		     i2str(i));
+	status |= res;
     }
 
     if (status) {
@@ -595,6 +668,7 @@
 
     status = setpriority(PRIO_PROCESS, 0, pl->priority);
     if (status != 0) {
+        pam_syslog(pamh, LOG_ERR, "Could not set limit for PRIO_PROCESS: %m");
         retval = LIMIT_ERR;
     }
 

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++



Remember to have fun...

-- 
To unsubscribe, e-mail: opensuse-commit+unsubscribe@opensuse.org
For additional commands, e-mail: opensuse-commit+help@opensuse.org

    

root＠Hilbert.suse.de

tags

participants (1)