r4764 - in trunk: BOOK BOOK/introduction/welcome BOOK/postlfs/security patches

randy at linuxfromscratch.org randy at linuxfromscratch.org
Sat Jul 23 09:39:45 PDT 2005


Author: randy
Date: 2005-07-23 10:39:43 -0600 (Sat, 23 Jul 2005)
New Revision: 4764

Added:
   trunk/patches/shadow-4.0.9-Linux_PAM_fixes-1.patch
Removed:
   trunk/patches/shadow-4.0.7-fix_lastlog-1.patch
Modified:
   trunk/BOOK/general.ent
   trunk/BOOK/introduction/welcome/changelog.xml
   trunk/BOOK/postlfs/security/shadow.xml
Log:
Updated to Shadow-4.0.9

Modified: trunk/BOOK/general.ent
===================================================================
--- trunk/BOOK/general.ent	2005-07-22 22:59:56 UTC (rev 4763)
+++ trunk/BOOK/general.ent	2005-07-23 16:39:43 UTC (rev 4764)
@@ -1,8 +1,8 @@
-<!ENTITY day          "22">
+<!ENTITY day          "23">
 <!ENTITY month        "07">
 <!ENTITY year         "2005">
 <!ENTITY version      "svn-&year;&month;&day;">
-<!ENTITY releasedate  "July &day;nd, &year;">
+<!ENTITY releasedate  "July &day;rd, &year;">
 <!ENTITY pubdate      "&year;-&month;-&day;"> <!-- metadata req. by TLDP -->
 <!ENTITY blfs-version "svn">                  <!-- svn|[release #] -->
 <!ENTITY lfs-version  "stable">          <!-- version|stable|testing|unstable|development] -->
@@ -32,7 +32,7 @@
 <!ENTITY openssl-version              "0.9.7g">
 <!ENTITY cracklib-version             "2.7">
 <!ENTITY Linux_PAM-version            "0.78">
-<!ENTITY shadow-version               "4.0.7">
+<!ENTITY shadow-version               "4.0.9">
 <!ENTITY iptables-version             "1.3.1">
 <!ENTITY gnupg-version                "1.4.1">
 <!ENTITY tripwire-version             "portable-0.9">

Modified: trunk/BOOK/introduction/welcome/changelog.xml
===================================================================
--- trunk/BOOK/introduction/welcome/changelog.xml	2005-07-22 22:59:56 UTC (rev 4763)
+++ trunk/BOOK/introduction/welcome/changelog.xml	2005-07-23 16:39:43 UTC (rev 4764)
@@ -25,6 +25,11 @@
   <itemizedlist>
     
     <listitem>
+      <para>July 23rd 2005 [randy]: Updated to Shadow-4.0.9 via a patch from
+      DJ Lucas.</para>
+    </listitem>
+
+    <listitem>
       <para>July 22nd 2005 [randy]: Added textual updates to the "After LFS
       Configuration" chapter.</para>
     </listitem>

Modified: trunk/BOOK/postlfs/security/shadow.xml
===================================================================
--- trunk/BOOK/postlfs/security/shadow.xml	2005-07-22 22:59:56 UTC (rev 4763)
+++ trunk/BOOK/postlfs/security/shadow.xml	2005-07-23 16:39:43 UTC (rev 4764)
@@ -5,11 +5,11 @@
   %general-entities;
 
   <!ENTITY shadow-download-http " ">
-  <!ENTITY shadow-download-ftp  "ftp://ftp.pld.org.pl/software/shadow/shadow-&shadow-version;.tar.bz2">
-  <!ENTITY shadow-md5sum        "89ebec0d1c0d861a5bd5c4c63e5cb0cc">
-  <!ENTITY shadow-size          "1.0 MB">
-  <!ENTITY shadow-buildsize     "13.2 MB">
-  <!ENTITY shadow-time          "0.31 SBU">
+  <!ENTITY shadow-download-ftp  "ftp://ftp.pld.org.pl/software/shadow/old/shadow-&shadow-version;.tar.bz2">
+  <!ENTITY shadow-md5sum        "66e3a3a60ea6b021a7babff311b07607">
+  <!ENTITY shadow-size          "1.1 MB">
+  <!ENTITY shadow-buildsize     "13 MB">
+  <!ENTITY shadow-time          "0.3 SBU">
 ]>
 
 <sect1 id="shadow" xreflabel="Shadow-&shadow-version;">
@@ -59,8 +59,9 @@
     <bridgehead renderas="sect3">Additional Downloads</bridgehead>
     <itemizedlist spacing='compact'>
       <listitem>
-        <para>Patch to fix a bug in the <command>lastlog</command> program:
-        <ulink url="&patch-root;/shadow-&shadow-version;-fix_lastlog-1.patch"/></para>
+        <para>Patch to fix several invalid warning messages when used with
+        <application>Linux_PAM</application>: <ulink
+        url="&patch-root;/shadow-&shadow-version;-Linux_PAM_fixes-1.patch"/></para>
       </listitem>
     </itemizedlist>
 
@@ -77,7 +78,7 @@
     <para>Reinstall <application>Shadow</application> by running the following
     commands:</para>
 
-<screen><userinput>patch -Np1 -i ../shadow-&shadow-version;-fix_lastlog-1.patch &&
+<screen><userinput>patch -Np1 -i ../shadow-&shadow-version;-Linux_PAM_fixes-1.patch &&
 ./configure --libdir=/lib --enable-shared \
     --with-libpam --without-libcrack &&
 sed -i 's/groups$(EXEEXT) //' src/Makefile &&
@@ -262,11 +263,6 @@
     sed -i -e "s/chage/$PROGRAM/" /etc/pam.d/$PROGRAM
 done</userinput></screen>
 
-      </sect4>
-
-      <sect4>
-        <title>Other</title>
-
         <warning>
           <para>At this point, you should do a simple test to see if
           <application>Shadow</application> is working as expected. Open
@@ -282,6 +278,11 @@
           your system.</para>
         </warning>
 
+      </sect4>
+
+      <sect4>
+        <title>Other</title>
+
         <para>Currently, <filename>/etc/pam.d/other</filename> is configured
         to allow anyone with an account on the machine to use PAM-aware
         programs without a configuration file for that program. After testing
@@ -363,7 +364,9 @@
                 PORTTIME_CHECKS_ENAB CONSOLE \
                 MOTD_FILE NOLOGINS_FILE PASS_MIN_LEN \
                 SU_WHEEL_ONLY MD5_CRYPT_ENAB \
-                CONSOLE_GROUPS ENVIRON_FILE
+                CONSOLE_GROUPS ENVIRON_FILE \
+                ULIMIT ENV_TZ ENV_HZ ENV_SUPATH \
+                ENV_PATH QMAIL_DIR MAIL_DIR MAIL_FILE
 do
     sed -i -e "s/^$FUNCTION/# &/" /etc/login.defs
 done</userinput></screen>

Deleted: trunk/patches/shadow-4.0.7-fix_lastlog-1.patch
===================================================================
--- trunk/patches/shadow-4.0.7-fix_lastlog-1.patch	2005-07-22 22:59:56 UTC (rev 4763)
+++ trunk/patches/shadow-4.0.7-fix_lastlog-1.patch	2005-07-23 16:39:43 UTC (rev 4764)
@@ -1,23 +0,0 @@
-Submitted By: Archaic <archaic at linuxfromscratch dot org>
-Date: 2005-03-22
-Initial Package Version: 4.0.7
-Origin: http://cvs.pld.org.pl/shadow/libmisc/log.c?r1=1.7&r2=1.8
-Upstream Status: Already in CVS
-Description: Shadow fails to update the time of last login as noted by lastlog
-when logging into a regular console. The Port (tty) column does get updated.
-Remote logins and xterm logins seem to be not be broken, just console.
-
-$LastChangedBy$
-$Date$
-
-diff -Naur shadow-4.0.7.orig/libmisc/log.c shadow-4.0.7/libmisc/log.c
---- shadow-4.0.7.orig/libmisc/log.c	2003-12-17 12:52:25.000000000 +0000
-+++ shadow-4.0.7/libmisc/log.c	2005-03-22 05:53:59.000000000 +0000
-@@ -89,6 +89,7 @@
- 
- 	ll_time = newlog.ll_time;
- 	time (&ll_time);
-+	newlog.ll_time = ll_time;
- 	strncpy (newlog.ll_line, line, sizeof newlog.ll_line);
- #if HAVE_LL_HOST
- 	strncpy (newlog.ll_host, host, sizeof newlog.ll_host);

Added: trunk/patches/shadow-4.0.9-Linux_PAM_fixes-1.patch
===================================================================
--- trunk/patches/shadow-4.0.9-Linux_PAM_fixes-1.patch	2005-07-22 22:59:56 UTC (rev 4763)
+++ trunk/patches/shadow-4.0.9-Linux_PAM_fixes-1.patch	2005-07-23 16:39:43 UTC (rev 4764)
@@ -0,0 +1,585 @@
+Submitted By: DJ Lucas (dj AT linuxfromscratch DOT org)
+Date: 2005-07-06
+Initial Package Version: 4.0.9
+Origin: http://lists.pld.org.pl/mailman/pipermail/shadow/2005-June/000125.html
+Upstream Status: Accepted
+Description: Fixes erroneous warning messages when used with Linux-PAM,
+             backported from 4.0.10+ CVS.
+
+$LastChangedBy$
+$Date$
+
+
+diff -Naur shadow-4.0.9-orig/libmisc/setupenv.c shadow-4.0.9/libmisc/setupenv.c
+--- shadow-4.0.9-orig/libmisc/setupenv.c	2005-03-30 23:14:50.000000000 -0600
++++ shadow-4.0.9/libmisc/setupenv.c	2005-07-06 20:52:18.000000000 -0500
+@@ -238,7 +238,17 @@
+ 	 * Create the PATH environmental variable and export it.
+ 	 */
+ 
++	/*
++	 * Export the user name.  For BSD derived systems, it's "USER", for
++	 * all others it's "LOGNAME".  We set both of them.
++	 */
++
++	addenv ("USER", info->pw_name);
++	addenv ("LOGNAME", info->pw_name);
++
++#ifndef USE_PAM
+ 	cp = getdef_str ((info->pw_uid == 0) ? "ENV_SUPATH" : "ENV_PATH");
++
+ 	if (!cp) {
+ 		/* not specified, use a minimal default */
+ 		addenv ("PATH=/bin:/usr/bin", NULL);
+@@ -251,14 +261,6 @@
+ 	}
+ 
+ 	/*
+-	 * Export the user name.  For BSD derived systems, it's "USER", for
+-	 * all others it's "LOGNAME".  We set both of them.
+-	 */
+-
+-	addenv ("USER", info->pw_name);
+-	addenv ("LOGNAME", info->pw_name);
+-
+-	/*
+ 	 * MAILDIR environment variable for Qmail
+ 	 */
+ 	if ((cp = getdef_str ("QMAIL_DIR")))
+@@ -274,6 +276,7 @@
+ 	else if ((cp = getdef_str ("MAIL_FILE")))
+ 		addenv_path ("MAIL", info->pw_dir, cp);
+ 	else {
++
+ #if defined(MAIL_SPOOL_FILE)
+ 		addenv_path ("MAIL", info->pw_dir, MAIL_SPOOL_FILE);
+ #elif defined(MAIL_SPOOL_DIR)
+@@ -281,11 +284,10 @@
+ #endif
+ 	}
+ 
+-#ifndef USE_PAM
+ 	/*
+ 	 * Read environment from optional config file.  --marekm
+ 	 */
+ 	if ((envf = getdef_str ("ENVIRON_FILE")))
+ 		read_env_file (envf);
+-#endif
++#endif /* !USE_PAM */
+ }
+diff -Naur shadow-4.0.9-orig/libmisc/tz.c shadow-4.0.9/libmisc/tz.c
+--- shadow-4.0.9-orig/libmisc/tz.c	2003-04-22 05:59:22.000000000 -0500
++++ shadow-4.0.9/libmisc/tz.c	2005-07-06 20:52:18.000000000 -0500
+@@ -49,8 +49,10 @@
+ 
+ 	if ((fp = fopen (fname, "r")) == NULL ||
+ 	    fgets (tzbuf, sizeof (tzbuf), fp) == NULL) {
++#ifndef USE_PAM
+ 		if (!(def_tz = getdef_str ("ENV_TZ")) || def_tz[0] == '/')
+ 			def_tz = "TZ=CST6CDT";
++#endif /* !USE_PAM */
+ 
+ 		strcpy (tzbuf, def_tz);
+ 	} else
+diff -Naur shadow-4.0.9-orig/src/login.c shadow-4.0.9/src/login.c
+--- shadow-4.0.9-orig/src/login.c	2005-04-18 09:10:30.000000000 -0500
++++ shadow-4.0.9/src/login.c	2005-07-06 20:52:18.000000000 -0500
+@@ -30,7 +30,7 @@
+ #include <config.h>
+ 
+ #include "rcsid.h"
+-RCSID (PKG_VER "$Id: login.c,v 1.52 2005/04/17 15:38:56 kloczek Exp $")
++RCSID (PKG_VER "$Id: login.c,v 1.59 2005/06/20 09:36:27 kloczek Exp $")
+ #include "prototypes.h"
+ #include "defines.h"
+ #include <sys/stat.h>
+@@ -277,9 +277,11 @@
+ 
+ 	if ((tmp = getenv ("TZ"))) {
+ 		addenv ("TZ", tmp);
+-	} else if ((cp = getdef_str ("ENV_TZ")))
++	} 
++#ifndef USE_PAM
++		else if ((cp = getdef_str ("ENV_TZ")))
+ 		addenv (*cp == '/' ? tz (cp) : cp, NULL);
+-
++#endif /* !USE_PAM */
+ 	/* 
+ 	 * Add the clock frequency so that profiling commands work
+ 	 * correctly.
+@@ -287,8 +289,11 @@
+ 
+ 	if ((tmp = getenv ("HZ"))) {
+ 		addenv ("HZ", tmp);
+-	} else if ((cp = getdef_str ("ENV_HZ")))
++	} 
++#ifndef USE_PAM
++		else if ((cp = getdef_str ("ENV_HZ")))
+ 		addenv (cp, NULL);
++#endif /* !USE_PAM */
+ }
+ 
+ 
+@@ -347,8 +352,7 @@
+ 	int retcode;
+ 	pid_t child;
+ 	char *pam_user;
+-#endif				/* USE_PAM */
+-#if defined(SHADOWPWD) && !defined(USE_PAM)
++#else
+ 	struct spwd *spwd = NULL;
+ #endif
+ 	/*
+@@ -369,7 +373,7 @@
+ 
+ 	check_flags (argc, argv);
+ 
+-	while ((flag = getopt (argc, argv, "d:f:h:pr:")) != EOF) {
++	while ((flag = getopt (argc, argv, "d:f::h:pr:")) != EOF) {
+ 		switch (flag) {
+ 		case 'p':
+ 			pflg++;
+@@ -378,11 +382,16 @@
+ 			/*
+ 			 * username must be a separate token
+ 			 * (-f root, *not* -froot).  --marekm
++			 *
++			 * if -f has an arg, use that, else use the
++			 * normal user name passed after all options
++			 * --benc
+ 			 */
+-			if (optarg != argv[optind - 1])
++			if (optarg != NULL && optarg != argv[optind - 1])
+ 				usage ();
+ 			fflg++;
+-			STRFCPY (username, optarg);
++			if (optarg)
++				STRFCPY (username, optarg);
+ 			break;
+ #ifdef	RLOGIN
+ 		case 'r':
+@@ -418,7 +427,7 @@
+ 	 */
+ 
+ 	if ((rflg || fflg || hflg) && !amroot) {
+-		fprintf (stderr, _("%s: permission denied.\n"), Prog);
++		fprintf (stderr, _("%s: Permission denied.\n"), Prog);
+ 		exit (1);
+ 	}
+ 
+@@ -498,6 +507,8 @@
+ 
+ 		setup_tty ();
+ 
++#ifndef USE_PAM
++
+ 		umask (getdef_num ("UMASK", 077));
+ 
+ 		{
+@@ -514,6 +525,8 @@
+ 				set_filesize_limit (limit);
+ 		}
+ 
++#endif /* !USE_PAM */
++
+ 		/*
+ 		 * The entire environment will be preserved if the -p flag
+ 		 * is used.
+@@ -535,7 +548,7 @@
+ 		init_env ();
+ 
+ 		if (optind < argc) {	/* get the user name */
+-			if (rflg || fflg)
++			if (rflg || (fflg && username[0]))
+ 				usage ();
+ 
+ 			STRFCPY (username, argv[optind]);
+@@ -703,11 +716,14 @@
+ 
+ 		if (!pwd || setup_groups (pwd))
+ 			exit (1);
++		else
++			pwent = *pwd;
+ 
+ 		retcode = pam_setcred (pamh, PAM_ESTABLISH_CRED);
+ 		PAM_FAIL_CHECK;
+ 
+-		retcode = pam_open_session (pamh, 0);
++		retcode = pam_open_session (pamh,
++					    hushed (&pwent) ? PAM_SILENT : 0);
+ 		PAM_FAIL_CHECK;
+ 
+ #else				/* ! USE_PAM */
+@@ -742,7 +758,6 @@
+ 			pwent = *pwd;
+ 		}
+ #ifndef USE_PAM
+-#ifdef SHADOWPWD
+ 		spwd = NULL;
+ 		if (pwd && strcmp (pwd->pw_passwd, SHADOW_PASSWD_STRING) == 0) {
+ 			spwd = getspnam (username);
+@@ -753,7 +768,6 @@
+ 					 "no shadow password for `%s'%s",
+ 					 username, fromhost));
+ 		}
+-#endif				/* SHADOWPWD */
+ 
+ 		/*
+ 		 * If the encrypted password begins with a "!", the account
+@@ -918,9 +932,7 @@
+ 		subroot++;	/* say i was here again */
+ 		endpwent ();	/* close all of the file which were */
+ 		endgrent ();	/* open in the original rooted file */
+-#ifdef	SHADOWPWD
+ 		endspent ();	/* system. they will be re-opened */
+-#endif
+ #ifdef	SHADOWGRP
+ 		endsgent ();	/* in the new rooted file system */
+ #endif
+@@ -938,7 +950,6 @@
+ 	 * and changes to the user in the child before executing the passwd
+ 	 * program.  --marekm
+ 	 */
+-#ifdef	SHADOWPWD
+ 	if (spwd) {		/* check for age of password */
+ 		if (expire (&pwent, spwd)) {
+ 			pwd = getpwnam (username);
+@@ -947,11 +958,44 @@
+ 				pwent = *pwd;
+ 		}
+ 	}
+-#endif				/* SHADOWPWD */
+ 	setup_limits (&pwent);	/* nice, ulimit etc. */
+ #endif				/* ! USE_PAM */
+ 	chown_tty (tty, &pwent);
+ 
++#ifdef USE_PAM
++	/*
++	 * We must fork before setuid() because we need to call
++	 * pam_close_session() as root.
++	 *
++	 * Note: not true in other (non-Linux) PAM implementations, where
++	 * the parent process of login (init, telnetd, ...) is responsible
++	 * for calling pam_close_session(). This avoids an extra process for
++	 * each login. Maybe we should do this on Linux too? We let the
++	 * admin configure whether they need to keep login around to close
++	 * sessions.
++	 */
++	if (getdef_bool ("CLOSE_SESSIONS")) {
++		signal (SIGINT, SIG_IGN);
++		child = fork ();
++		if (child < 0) {
++			/* error in fork() */
++			fprintf (stderr,
++				 "login: failure forking: %s",
++				 strerror (errno));
++			PAM_END;
++			exit (0);
++		} else if (child) {
++			/*
++			 * parent - wait for child to finish, then cleanup
++			 * session
++			 */
++			wait (NULL);
++			PAM_END;
++			exit (0);
++		}
++		/* child */
++	}
++#endif
+ 	/* We call set_groups() above because this clobbers pam_groups.so */
+ #ifndef USE_PAM
+ 	if (setup_uid_gid (&pwent, is_console))
+@@ -1021,11 +1065,7 @@
+ #endif
+ 			printf (".\n");
+ 		}
+-#ifdef	SHADOWPWD
+ 		agecheck (&pwent, spwd);
+-#else
+-		agecheck (&pwent);
+-#endif
+ 
+ 		mailcheck ();	/* report on the status of mail */
+ #endif				/* !USE_PAM */
+@@ -1039,55 +1079,22 @@
+ 	signal (SIGTERM, SIG_DFL);	/* default terminate signal */
+ 	signal (SIGALRM, SIG_DFL);	/* default alarm signal */
+ 	signal (SIGHUP, SIG_DFL);	/* added this.  --marekm */
+-
+-#ifdef USE_PAM
+-	/*
+-	 * We must fork before setuid() because we need to call
+-	 * pam_close_session() as root.
+-	 *
+-	 * Note: not true in other (non-Linux) PAM implementations, where
+-	 * the parent process of login (init, telnetd, ...) is responsible
+-	 * for calling pam_close_session(). This avoids an extra process for
+-	 * each login. Maybe we should do this on Linux too? We let the
+-	 * admin configure whether they need to keep login around to close
+-	 * sessions.
+-	 */
+-	if (getdef_bool ("CLOSE_SESSIONS")) {
+-		signal (SIGINT, SIG_IGN);
+-		child = fork ();
+-		if (child < 0) {
+-			/* error in fork() */
+-			fprintf (stderr,
+-				 "login: failure forking: %s",
+-				 strerror (errno));
+-			PAM_END;
+-			exit (0);
+-		} else if (child) {
+-			/*
+-			 * parent - wait for child to finish, then cleanup
+-			 * session
+-			 */
+-			wait (NULL);
+-			PAM_END;
+-			exit (0);
+-		}
+-		/* child */
+-	}
+-#endif
+ 	signal (SIGINT, SIG_DFL);	/* default interrupt signal */
+ 
+ 	endpwent ();		/* stop access to password file */
+ 	endgrent ();		/* stop access to group file */
+-#ifdef	SHADOWPWD
+ 	endspent ();		/* stop access to shadow passwd file */
+-#endif
+ #ifdef	SHADOWGRP
+ 	endsgent ();		/* stop access to shadow group file */
+ #endif
+ 	if (pwent.pw_uid == 0)
+ 		SYSLOG ((LOG_NOTICE, "ROOT LOGIN %s", fromhost));
+ 	else if (getdef_bool ("LOG_OK_LOGINS"))
++#ifdef USE_PAM
++		SYSLOG ((LOG_INFO, "`%s' logged in %s", pam_user, fromhost));
++#else
+ 		SYSLOG ((LOG_INFO, "`%s' logged in %s", username, fromhost));
++#endif
+ 	closelog ();
+ 	if ((tmp = getdef_str ("FAKE_SHELL")) != NULL) {
+ 		shell (tmp, pwent.pw_shell);	/* fake shell */
+diff -Naur shadow-4.0.9-orig/src/su.c shadow-4.0.9/src/su.c
+--- shadow-4.0.9-orig/src/su.c	2005-04-02 08:09:48.000000000 -0600
++++ shadow-4.0.9/src/su.c	2005-07-06 20:52:18.000000000 -0500
+@@ -30,17 +30,11 @@
+ #include <config.h>
+ 
+ #include "rcsid.h"
+-RCSID (PKG_VER "$Id: su.c,v 1.30 2005/04/02 14:09:48 kloczek Exp $")
++RCSID (PKG_VER "$Id: su.c,v 1.34 2005/06/20 10:17:08 kloczek Exp $")
+ #include <sys/types.h>
+ #include <stdio.h>
+ #ifdef USE_PAM
+ #include "pam_defs.h"
+-static const struct pam_conv conv = {
+-	misc_conv,
+-	NULL
+-};
+-
+-static pam_handle_t *pamh = NULL;
+ #endif
+ 
+ #include "prototypes.h"
+@@ -64,8 +58,18 @@
+ static char name[BUFSIZ];
+ static char oldname[BUFSIZ];
+ 
+-static char *Prog;
++#ifdef USE_PAM
++static const struct pam_conv conv = {
++	misc_conv,
++	NULL
++};
+ 
++static pam_handle_t *pamh = NULL;
++#endif 
++
++static int caught = 0;
++
++static char *Prog;
+ extern struct passwd pwent;
+ 
+ /*
+@@ -73,9 +77,8 @@
+  */
+ 
+ extern char **newenvp;
+-extern size_t newenvc;
+-
+ extern char **environ;
++extern size_t newenvc;
+ 
+ /* local function prototypes */
+ 
+@@ -125,7 +128,7 @@
+ #ifdef USE_SYSLOG
+ 	if (getdef_bool ("SYSLOG_SU_ENAB"))
+ 		SYSLOG ((pwent.pw_uid ? LOG_INFO : LOG_NOTICE,
+-			 "- %s %s-%s", tty,
++			 "- %s %s:%s", tty,
+ 			 oldname[0] ? oldname : "???", name[0] ? name : "???"));
+ 	closelog ();
+ #endif
+@@ -133,9 +136,8 @@
+ 	exit (1);
+ }
+ 
+-#ifdef USE_PAM
+-static int caught = 0;
+ 
++#ifdef USE_PAM
+ /* Signal handler for parent process later */
+ static void su_catch_sig (int sig)
+ {
+@@ -270,9 +272,8 @@
+ 	RETSIGTYPE (*oldsig) ();
+ 	int is_console = 0;
+ 
+-#ifdef	SHADOWPWD
+ 	struct spwd *spwd = 0;
+-#endif
++
+ #ifdef SU_ACCESS
+ 	char *oldpass;
+ #endif
+@@ -342,13 +343,6 @@
+ 	 */
+ 
+ 	if (fakelogin) {
+-		if ((cp = getdef_str ("ENV_TZ")))
+-			addenv (*cp == '/' ? tz (cp) : cp, NULL);
+-		/*
+-		 * The clock frequency will be reset to the login value if required
+-		 */
+-		if ((cp = getdef_str ("ENV_HZ")))
+-			addenv (cp, NULL);	/* set the default $HZ, if one */
+ 		/*
+ 		 * The terminal type will be left alone if it is present in
+ 		 * the environment already.
+@@ -356,6 +350,13 @@
+ 		if ((cp = getenv ("TERM")))
+ 			addenv ("TERM", cp);
+ #ifndef USE_PAM
++		if ((cp = getdef_str ("ENV_TZ")))
++			addenv (*cp == '/' ? tz (cp) : cp, NULL);
++		/*
++		 * The clock frequency will be reset to the login value if required
++		 */
++		if ((cp = getdef_str ("ENV_HZ")))
++			addenv (cp, NULL);	/* set the default $HZ, if one */
+ 		/*
+ 		 * Also leave DISPLAY and XAUTHORITY if present, else
+ 		 * pam_xauth will not work.
+@@ -405,10 +406,8 @@
+ 	 * Sort out the password of user calling su, in case needed later
+ 	 * -- chris
+ 	 */
+-#ifdef SHADOWPWD
+ 	if ((spwd = getspnam (oldname)))
+ 		pw->pw_passwd = spwd->sp_pwdp;
+-#endif
+ 	oldpass = xstrdup (pw->pw_passwd);
+ #endif				/* SU_ACCESS */
+ 
+@@ -449,12 +448,10 @@
+ 		exit (1);
+ 	}
+ #ifndef USE_PAM
+-#ifdef SHADOWPWD
+ 	spwd = NULL;
+ 	if (strcmp (pw->pw_passwd, SHADOW_PASSWD_STRING) == 0
+ 	    && (spwd = getspnam (name)))
+ 		pw->pw_passwd = spwd->sp_pwdp;
+-#endif
+ #endif				/* !USE_PAM */
+ 	pwent = *pw;
+ 
+@@ -466,7 +463,7 @@
+ 
+ 	/* The original Shadow 3.3.2 did this differently. Do it like BSD:
+ 	 *
+-	 * - check for uid 0 instead of name "root" - there are systems with
++	 * - check for UID 0 instead of name "root" - there are systems with
+ 	 *   several root accounts under different names,
+ 	 *
+ 	 * - check the contents of /etc/group instead of the current group
+@@ -563,7 +560,6 @@
+ 	 */
+ 
+ 	if (!amroot) {
+-#ifdef	SHADOWPWD
+ 		if (!spwd)
+ 			spwd = pwd_to_spwd (&pwent);
+ 
+@@ -572,7 +568,6 @@
+ 				 "Expired account %s", name));
+ 			su_failure (tty);
+ 		}
+-#endif
+ 	}
+ 
+ 	/*
+@@ -593,6 +588,7 @@
+ #endif				/* !USE_PAM */
+ 
+ 	signal (SIGINT, SIG_DFL);
++#ifndef USE_PAM
+ 	cp = getdef_str ((pwent.pw_uid == 0) ? "ENV_SUPATH" : "ENV_PATH");
+ 
+ 	/* XXX very similar code duplicated in libmisc/setupenv.c */
+@@ -604,10 +600,8 @@
+ 		addenv ("PATH", cp);
+ 	}
+ 
+-/* setup the environment for pam later on, else we run into auth problems */
+-#ifndef USE_PAM
+ 	environ = newenvp;	/* make new environment active */
+-#endif
++#endif /* !USE_PAM */
+ 
+ 	if (getenv ("IFS"))	/* don't export user IFS ... */
+ 		addenv ("IFS= \t\n", NULL);	/* ... instead, set a safe IFS */
+@@ -616,20 +610,16 @@
+ 		pwent.pw_shell++;	/* skip the '*' */
+ 		subsystem (&pwent);	/* figure out what to execute */
+ 		endpwent ();
+-#ifdef SHADOWPWD
+ 		endspent ();
+-#endif
+ 		goto top;
+ 	}
+ 
+ 	sulog (tty, 1, oldname, name);	/* save SU information */
+ 	endpwent ();
+-#ifdef SHADOWPWD
+ 	endspent ();
+-#endif
+ #ifdef USE_SYSLOG
+ 	if (getdef_bool ("SYSLOG_SU_ENAB"))
+-		SYSLOG ((LOG_INFO, "+ %s %s-%s", tty,
++		SYSLOG ((LOG_INFO, "+ %s %s:%s", tty,
+ 			 oldname[0] ? oldname : "???", name[0] ? name : "???"));
+ #endif
+ 
+diff -Naur shadow-4.0.9-orig/src/sulogin.c shadow-4.0.9/src/sulogin.c
+--- shadow-4.0.9-orig/src/sulogin.c	2005-03-30 23:14:54.000000000 -0600
++++ shadow-4.0.9/src/sulogin.c	2005-07-06 20:52:18.000000000 -0500
+@@ -140,10 +140,14 @@
+ 	while (*envp)		/* add inherited environment, */
+ 		addenv (*envp++, NULL);	/* some variables change later */
+ 
++#ifndef USE_PAM
++
+ 	if ((cp = getdef_str ("ENV_TZ")))
+ 		addenv (*cp == '/' ? tz (cp) : cp, NULL);
+ 	if ((cp = getdef_str ("ENV_HZ")))
+ 		addenv (cp, NULL);	/* set the default $HZ, if one */
++#endif /* !USE_PAM */
++
+ 	(void) strcpy (name, "root");	/* KLUDGE!!! */
+ 
+ 	signal (SIGALRM, catch);	/* exit if the timer expires */
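Review bot: In the libmisc/tz.c hunk of the added patch, moving the ENV_TZ lookup under `#ifndef USE_PAM` leaves `def_tz` unassigned on the fopen/fgets failure path of a PAM build, yet the following `strcpy (tzbuf, def_tz);` still copies from it; unless `def_tz` is initialized at its declaration (above the hunk, not visible here), that is a read through an indeterminate or NULL pointer. The fallback should remain on both sides of the conditional, e.g. replace the bare `#endif /* !USE_PAM */` with `#else` / `def_tz = "TZ=CST6CDT";` / `#endif /* !USE_PAM */`, or move the default into the declaration. A smaller point in the src/su.c hunk: `static int caught = 0;` now sits outside `#ifdef USE_PAM` while its only visible user, `su_catch_sig`, stays inside it, so non-PAM builds gain an unused-variable warning. The enclosing `tz()` function starts and ends outside the hunk.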


Property changes on: trunk/patches/shadow-4.0.9-Linux_PAM_fixes-1.patch
___________________________________________________________________
Name: svn:keywords
   + LastChangedBy Date



