Diffstat (limited to 'abs/core-testing/coreutils/coreutils-pam.patch')
-rw-r--r-- | abs/core-testing/coreutils/coreutils-pam.patch | 241 |
1 files changed, 123 insertions, 118 deletions
diff --git a/abs/core-testing/coreutils/coreutils-pam.patch b/abs/core-testing/coreutils/coreutils-pam.patch index 7171522..e61908f 100644 --- a/abs/core-testing/coreutils/coreutils-pam.patch +++ b/abs/core-testing/coreutils/coreutils-pam.patch 
@@ -1,17 +1,96 @@ ---- coreutils-6.7/src/Makefile.am.pam 2006-11-24 21:28:10.000000000 +0000 -+++ coreutils-6.7/src/Makefile.am 2007-01-09 17:00:01.000000000 +0000 -@@ -103,7 +103,7 @@ - # If necessary, add -lm to resolve use of pow in lib/strtod.c. - uptime_LDADD = $(LDADD) $(POW_LIB) $(GETLOADAVG_LIBS) +diff -urNp coreutils-8.4-orig/configure.ac coreutils-8.4/configure.ac +--- coreutils-8.4-orig/configure.ac 2010-01-11 18:20:42.000000000 +0100 ++++ coreutils-8.4/configure.ac 2010-02-12 10:17:46.000000000 +0100 +@@ -126,6 +126,13 @@ if test "$gl_gcc_warnings" = yes; then + AC_SUBST([GNULIB_WARN_CFLAGS]) + fi --su_LDADD = $(LDADD) $(LIB_CRYPT) -+su_LDADD = $(LDADD) $(LIB_CRYPT) @LIB_PAM@ ++dnl Give the chance to enable PAM ++AC_ARG_ENABLE(pam, dnl ++[ --enable-pam Enable use of the PAM libraries], ++[AC_DEFINE(USE_PAM, 1, [Define if you want to use PAM]) ++LIB_PAM="-ldl -lpam -lpam_misc" ++AC_SUBST(LIB_PAM)]) ++ + AC_FUNC_FORK + + optional_bin_progs= +diff -urNp coreutils-8.4-orig/doc/coreutils.texi coreutils-8.4/doc/coreutils.texi +--- coreutils-8.4-orig/doc/coreutils.texi 2010-01-03 18:06:20.000000000 +0100 ++++ coreutils-8.4/doc/coreutils.texi 2010-02-12 10:17:46.000000000 +0100 +@@ -15081,8 +15081,11 @@ to certain shells, etc.). + @findex syslog + @command{su} can optionally be compiled to use @code{syslog} to report + failed, and optionally successful, @command{su} attempts. (If the system +-supports @code{syslog}.) However, GNU @command{su} does not check if the +-user is a member of the @code{wheel} group; see below. ++supports @code{syslog}.) ++ ++This version of @command{su} has support for using PAM for ++authentication. You can edit @file{/etc/pam.d/su} to customize its ++behaviour. + + The program accepts the following options. Also see @ref{Common options}. + +@@ -15124,6 +15127,8 @@ environment variables except @env{TERM}, + @env{PATH} to a compiled-in default value. Change to @var{user}'s home + directory. 
Prepend @samp{-} to the shell's name, intended to make it + read its login startup file(s). ++Additionaly @env{DISPLAY} and @env{XAUTHORITY} environment variables ++are preserved as well for PAM functionality. + + @item -m + @itemx -p +@@ -15163,33 +15168,6 @@ Exit status: + the exit status of the subshell otherwise + @end display + +-@cindex wheel group, not supported +-@cindex group wheel, not supported +-@cindex fascism +-@subsection Why GNU @command{su} does not support the @samp{wheel} group +- +-(This section is by Richard Stallman.) +- +-@cindex Twenex +-@cindex MIT AI lab +-Sometimes a few of the users try to hold total power over all the +-rest. For example, in 1984, a few users at the MIT AI lab decided to +-seize power by changing the operator password on the Twenex system and +-keeping it secret from everyone else. (I was able to thwart this coup +-and give power back to the users by patching the kernel, but I +-wouldn't know how to do that in Unix.) +- +-However, occasionally the rulers do tell someone. Under the usual +-@command{su} mechanism, once someone learns the root password who +-sympathizes with the ordinary users, he or she can tell the rest. The +-``wheel group'' feature would make this impossible, and thus cement the +-power of the rulers. +- +-I'm on the side of the masses, not that of the rulers. If you are +-used to supporting the bosses and sysadmins in whatever they do, you +-might find this idea strange at first. 
+- +- + @node timeout invocation + @section @command{timeout}: Run a command with a time limit + +diff -urNp coreutils-8.4-orig/src/Makefile.am coreutils-8.4/src/Makefile.am +--- coreutils-8.4-orig/src/Makefile.am 2010-01-03 18:06:20.000000000 +0100 ++++ coreutils-8.4/src/Makefile.am 2010-02-12 10:17:46.000000000 +0100 +@@ -361,7 +361,7 @@ factor_LDADD += $(LIB_GMP) + uptime_LDADD += $(GETLOADAVG_LIBS) + + # for crypt +-su_LDADD += $(LIB_CRYPT) ++su_LDADD += $(LIB_CRYPT) @LIB_PAM@ - dir_LDADD += $(LIB_ACL) - ls_LDADD += $(LIB_ACL) ---- coreutils-6.7/src/su.c.pam 2007-01-09 17:00:01.000000000 +0000 -+++ coreutils-6.7/src/su.c 2007-01-09 17:16:43.000000000 +0000 -@@ -38,6 +38,16 @@ + # for various ACL functions + copy_LDADD += $(LIB_ACL) +diff -urNp coreutils-8.4-orig/src/su.c coreutils-8.4/src/su.c +--- coreutils-8.4-orig/src/su.c 2010-02-12 10:15:15.000000000 +0100 ++++ coreutils-8.4/src/su.c 2010-02-12 10:24:29.000000000 +0100 +@@ -37,6 +37,16 @@ restricts who can su to UID 0 accounts. RMS considers that to be fascist. @@ -28,9 +107,9 @@ Compile-time options: -DSYSLOG_SUCCESS Log successful su's (by default, to root) with syslog. -DSYSLOG_FAILURE Log failed su's (by default, to root) with syslog. -@@ -59,6 +69,15 @@ - prototype (returning `int') in <unistd.h>. */ - #define getusershell _getusershell_sys_proto_ +@@ -53,6 +63,15 @@ + #include <pwd.h> + #include <grp.h> +#ifdef USE_PAM +# include <signal.h> @@ -44,18 +123,13 @@ #include "system.h" #include "getpass.h" -@@ -128,15 +147,22 @@ +@@ -120,10 +139,17 @@ /* The user to become if none is specified. */ #define DEFAULT_USER "root" +#ifndef USE_PAM char *crypt (char const *key, char const *salt); +#endif - char *getusershell (void); - void endusershell (void); - void setusershell (void); - - extern char **environ; -static void run_shell (char const *, char const *, char **, size_t) +static void run_shell (char const *, char const *, char **, size_t, 
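Review bot: The rebased `AC_ARG_ENABLE(pam, ...)` block defines `USE_PAM` and hard-codes `LIB_PAM="-ldl -lpam -lpam_misc"` without checking that the PAM library or its header is actually present, so `--enable-pam` on a host without the PAM development files fails only at link time (or, if a stale header is found, with a confusing compile error in su.c). Inside the action list I would add `AC_CHECK_LIB([pam], [pam_start], [], [AC_MSG_ERROR([--enable-pam given but libpam was not found])])` and `AC_CHECK_HEADERS([security/pam_appl.h], [], [AC_MSG_ERROR([--enable-pam given but security/pam_appl.h was not found])])` before the `AC_SUBST(LIB_PAM)`. The `@LIB_PAM@` substitution in the `src/Makefile.am` part of the same hunk expands to nothing when the option is not given, which is fine. Unrelated but in the same hunk, the added texi line reads `Additionaly @env{DISPLAY} and @env{XAUTHORITY}`; it should be `Additionally`.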
@@ -68,7 +142,7 @@ /* If true, pass the `-f' option to the subshell. */ static bool fast_startup; -@@ -225,7 +251,26 @@ +@@ -209,7 +235,26 @@ log_su (struct passwd const *pw, bool su } #endif @@ -95,7 +169,7 @@ Return true if the user gives the correct password for entry PW, false if not. Return true without asking for a password if run by UID 0 or if PW has an empty password. */ -@@ -233,6 +278,44 @@ +@@ -217,6 +262,44 @@ log_su (struct passwd const *pw, bool su static bool correct_password (const struct passwd *pw) { @@ -140,7 +214,7 @@ char *unencrypted, *encrypted, *correct; #if HAVE_GETSPNAM && HAVE_STRUCT_SPWD_SP_PWDP /* Shadow passwd stuff for SVR3 and maybe other systems. */ -@@ -257,6 +340,7 @@ +@@ -241,6 +324,7 @@ correct_password (const struct passwd *p encrypted = crypt (unencrypted, correct); memset (unencrypted, 0, strlen (unencrypted)); return STREQ (encrypted, correct); @@ -148,26 +222,26 @@ } /* Update `environ' for the new shell based on PW, with SHELL being -@@ -270,12 +354,18 @@ +@@ -254,12 +338,18 @@ modify_environment (const struct passwd /* Leave TERM unchanged. Set HOME, SHELL, USER, LOGNAME, PATH. Unset all other environment variables. */ char const *term = getenv ("TERM"); + char const *display = getenv ("DISPLAY"); + char const *xauthority = getenv ("XAUTHORITY"); if (term) - term = xstrdup (term); + term = xstrdup (term); environ = xmalloc ((6 + !!term) * sizeof (char *)); environ[0] = NULL; if (term) - xsetenv ("TERM", term); + xsetenv ("TERM", term); + if (display) -+ xsetenv ("DISPLAY", display); ++ xsetenv ("DISPLAY", display); + if (xauthority) -+ xsetenv ("XAUTHORITY", xauthority); ++ xsetenv ("XAUTHORITY", xauthority); xsetenv ("HOME", pw->pw_dir); xsetenv ("SHELL", shell); xsetenv ("USER", pw->pw_name); -@@ -308,8 +398,13 @@ +@@ -292,8 +382,13 @@ change_identity (const struct passwd *pw { #ifdef HAVE_INITGROUPS errno = 0; 
@@ -177,13 +251,13 @@ + pam_close_session(pamh, 0); + pam_end(pamh, PAM_ABORT); +#endif - error (EXIT_FAILURE, errno, _("cannot set groups")); + error (EXIT_CANCELED, errno, _("cannot set groups")); + } endgrent (); #endif if (setgid (pw->pw_gid)) -@@ -318,6 +413,31 @@ - error (EXIT_FAILURE, errno, _("cannot set user id")); +@@ -302,6 +397,31 @@ change_identity (const struct passwd *pw + error (EXIT_CANCELED, errno, _("cannot set user id")); } +#ifdef USE_PAM @@ -214,12 +288,12 @@ /* Run SHELL, or DEFAULT_SHELL if SHELL is empty. If COMMAND is nonzero, pass it to the shell with the -c option. Pass ADDITIONAL_ARGS to the shell as more arguments; there -@@ -325,17 +445,49 @@ +@@ -309,17 +429,49 @@ change_identity (const struct passwd *pw static void run_shell (char const *shell, char const *command, char **additional_args, -- size_t n_additional_args) -+ size_t n_additional_args, const struct passwd *pw) +- size_t n_additional_args) ++ size_t n_additional_args, const struct passwd *pw) { size_t n_args = 1 + fast_startup + 2 * !!command + n_additional_args + 1; char const **args = xnmalloc (n_args, sizeof *args); @@ -265,7 +339,7 @@ shell_basename = last_component (shell); arg0 = xmalloc (strlen (shell_basename) + 2); arg0[0] = '-'; -@@ -360,6 +512,66 @@ +@@ -344,6 +496,67 @@ run_shell (char const *shell, char const error (0, errno, "%s", shell); exit (exit_status); } @@ -303,12 +377,12 @@ + + pid = waitpid(-1, &status, WUNTRACED); + -+ if (WIFSTOPPED(status)) { -+ kill(getpid(), SIGSTOP); ++ if (((pid_t)-1 != pid) && (0 != WIFSTOPPED (status))) { ++ kill(getpid(), WSTOPSIG(status)); + /* once we get here, we must have resumed */ + kill(pid, SIGCONT); + } -+ } while (WIFSTOPPED(status)); ++ } while (0 != WIFSTOPPED(status)); + } + + if (caught) { 
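Review bot: In the `waitpid` loop of hunk `@@ -303,12 +377,12 @@` the new `(pid_t)-1 != pid` guard protects only the `if`, but the loop condition `while (0 != WIFSTOPPED(status))` still decodes `status` after a failed `waitpid`, which leaves `status` unwritten; on the first iteration that is whatever `status` held before the loop (its declaration and the `do {` are outside this hunk, as is the rest of `run_shell`), and presumably the same `EINTR` from the handler that sets `caught` is the common way to get there. The exit mapping added in the next hunk (`@@ -327,12 +401,13 @@`), `exit ((0 != WIFEXITED (status)) ? WEXITSTATUS (status) : WTERMSIG (status) + 128)`, reads the same possibly stale value. I would retry on `EINTR` and stop decoding once `waitpid` has really failed: `} while (((pid_t)-1 == pid && errno == EINTR) || ((pid_t)-1 != pid && 0 != WIFSTOPPED (status)));` followed by `if ((pid_t)-1 == pid) error (EXIT_CANCELED, errno, "waitpid");` before the `if (caught)` block (`EXIT_CANCELED` is used elsewhere in this patch). Waiting with `-1` rather than the forked child's pid also reaps any other child; if the shell is the only child that is harmless, but passing the child pid would make the loop's intent explicit.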
@@ -327,12 +401,13 @@ + fprintf(stderr, " ...killed.\n"); + exit(-1); + } -+ exit (WEXITSTATUS(status)); ++ exit ((0 != WIFEXITED (status)) ? WEXITSTATUS (status) ++ : WTERMSIG (status) + 128); +#endif /* USE_PAM */ } /* Return true if SHELL is a restricted shell (one not returned by -@@ -527,9 +739,9 @@ +@@ -511,9 +724,9 @@ main (int argc, char **argv) shell = xstrdup (shell ? shell : pw->pw_shell); modify_environment (pw, shell); 
@@ -342,82 +417,12 @@ - error (0, errno, _("warning: cannot change directory to %s"), pw->pw_dir); +#endif + /* error() flushes stderr, but does not check for write failure. + Normally, we would catch this via our atexit() hook of +@@ -523,5 +736,5 @@ main (int argc, char **argv) + if (ferror (stderr)) + exit (EXIT_CANCELED); + - run_shell (shell, command, argv + optind, MAX (0, argc - optind)); + run_shell (shell, command, argv + optind, MAX (0, argc - optind), pw); } ---- coreutils-6.7/doc/coreutils.texi.pam 2006-10-27 15:30:48.000000000 +0100 -+++ coreutils-6.7/doc/coreutils.texi 2007-01-09 17:00:01.000000000 +0000 -@@ -13395,8 +13395,11 @@ - @findex syslog - @command{su} can optionally be compiled to use @code{syslog} to report - failed, and optionally successful, @command{su} attempts. (If the system --supports @code{syslog}.) However, GNU @command{su} does not check if the --user is a member of the @code{wheel} group; see below. -+supports @code{syslog}.) -+ -+This version of @command{su} has support for using PAM for -+authentication. You can edit @file{/etc/pam.d/su} to customize its -+behaviour. - - The program accepts the following options. Also see @ref{Common options}. - -@@ -12815,6 +12815,8 @@ - @env{PATH} to a compiled-in default value. Change to @var{user}'s home - directory. Prepend @samp{-} to the shell's name, intended to make it - read its login startup file(s). -+Additionaly @env{DISPLAY} and @env{XAUTHORITY} environment variables -+are preserved as well for PAM functionality. - - @item -m - @itemx -p -@@ -13477,33 +13480,6 @@ - the exit status of the subshell otherwise - @end display - --@cindex wheel group, not supported --@cindex group wheel, not supported --@cindex fascism --@subsection Why GNU @command{su} does not support the @samp{wheel} group -- --(This section is by Richard Stallman.) -- --@cindex Twenex --@cindex MIT AI lab --Sometimes a few of the users try to hold total power over all the --rest. 
For example, in 1984, a few users at the MIT AI lab decided to --seize power by changing the operator password on the Twenex system and --keeping it secret from everyone else. (I was able to thwart this coup --and give power back to the users by patching the kernel, but I --wouldn't know how to do that in Unix.) -- --However, occasionally the rulers do tell someone. Under the usual --@command{su} mechanism, once someone learns the root password who --sympathizes with the ordinary users, he or she can tell the rest. The --``wheel group'' feature would make this impossible, and thus cement the --power of the rulers. -- --I'm on the side of the masses, not that of the rulers. If you are --used to supporting the bosses and sysadmins in whatever they do, you --might find this idea strange at first. -- -- - @node timeout invocation - @section @command{timeout}: Run a command with a time limit - ---- coreutils-6.7/configure.ac.pam 2006-12-07 21:30:24.000000000 +0000 -+++ coreutils-6.7/configure.ac 2007-01-09 17:18:04.000000000 +0000 -@@ -44,6 +44,13 @@ - gl_INIT - coreutils_MACROS - -+dnl Give the chance to enable PAM -+AC_ARG_ENABLE(pam, dnl -+[ --enable-pam Enable use of the PAM libraries], -+[AC_DEFINE(USE_PAM, 1, [Define if you want to use PAM]) -+LIB_PAM="-ldl -lpam -lpam_misc" -+AC_SUBST(LIB_PAM)]) -+ - AC_FUNC_FORK - - optional_bin_progs= - |