include $(TOPDIR)/rules.mk
PKG_NAME:=libpam
-PKG_VERSION:=1.1.8
-PKG_RELEASE:=5
+PKG_VERSION:=1.2.0
+PKG_RELEASE:=1
PKG_SOURCE:=Linux-PAM-$(PKG_VERSION).tar.bz2
PKG_SOURCE_URL:=http://www.linux-pam.org/library/
--disable-selinux \
--disable-nls \
--disable-rpath \
+ --disable-nis \
+ --disable-regenerate-docu \
--enable-db=no \
)
endef
+++ /dev/null
-This patch is used to create a new sub package libpam-xtests to do more checks.
-
-Upstream-Status: Pending
-
-Signed-off-by: Kang Kai <kai.kang@windriver.com>
---- a/xtests/Makefile.am
-+++ b/xtests/Makefile.am
-@@ -7,7 +7,7 @@ AM_CFLAGS = -DLIBPAM_COMPILE -I$(top_src
- LDADD = $(top_builddir)/libpam/libpam.la \
- $(top_builddir)/libpam_misc/libpam_misc.la
-
--CLEANFILES = *~ $(XTESTS)
-+CLEANFILES = *~
-
- EXTRA_DIST = run-xtests.sh tst-pam_dispatch1.pamd tst-pam_dispatch2.pamd \
- tst-pam_dispatch3.pamd tst-pam_dispatch4.pamd \
-@@ -51,3 +51,18 @@ EXTRA_PROGRAMS = $(XTESTS)
-
- xtests: $(XTESTS) run-xtests.sh
- "$(srcdir)"/run-xtests.sh "$(srcdir)" ${XTESTS} ${NOSRCTESTS}
-+
-+all: $(XTESTS)
-+
-+install: install_xtests
-+
-+install_xtests:
-+ $(INSTALL) -d $(DESTDIR)$(pkgdatadir)/xtests
-+ for file in $(EXTRA_DIST) ; do \
-+ $(INSTALL) $$file $(DESTDIR)$(pkgdatadir)/xtests ; \
-+ done
-+ for file in $(XTESTS); do \
-+ $(INSTALL) .libs/$$file $(DESTDIR)$(pkgdatadir)/xtests ; \
-+ done
-+
-+.PHONY: all install_xtests
+++ /dev/null
-innetgr may not be there so make sure that when innetgr is not present
-then we inform about it and not use it.
-
--Khem
---- a/modules/pam_group/pam_group.c
-+++ b/modules/pam_group/pam_group.c
-@@ -656,7 +656,11 @@ static int check_account(pam_handle_t *p
- }
- /* If buffer starts with @, we are using netgroups */
- if (buffer[0] == '@')
-+#ifdef HAVE_INNETGR
- good &= innetgr (&buffer[1], NULL, user, NULL);
-+#else
-+ pam_syslog (pamh, LOG_ERR, "pam_group does not have netgroup support");
-+#endif
- /* otherwise, if the buffer starts with %, it's a UNIX group */
- else if (buffer[0] == '%')
- good &= pam_modutil_user_in_group_nam_nam(pamh, user, &buffer[1]);
---- a/modules/pam_time/pam_time.c
-+++ b/modules/pam_time/pam_time.c
-@@ -555,9 +555,13 @@ check_account(pam_handle_t *pamh, const
- }
- /* If buffer starts with @, we are using netgroups */
- if (buffer[0] == '@')
-- good &= innetgr (&buffer[1], NULL, user, NULL);
-+#ifdef HAVE_INNETGR
-+ good &= innetgr (&buffer[1], NULL, user, NULL);
-+#else
-+ pam_syslog (pamh, LOG_ERR, "pam_time does not have netgroup support");
-+#endif
- else
-- good &= logic_field(pamh, user, buffer, count, is_same);
-+ good &= logic_field(pamh, user, buffer, count, is_same);
- D(("with user: %s", good ? "passes":"fails" ));
-
- /* here we get the time field */
---- a/modules/pam_succeed_if/pam_succeed_if.c
-+++ b/modules/pam_succeed_if/pam_succeed_if.c
-@@ -231,18 +231,27 @@ evaluate_notingroup(pam_handle_t *pamh,
- }
- /* Return PAM_SUCCESS if the (host,user) is in the netgroup. */
- static int
--evaluate_innetgr(const char *host, const char *user, const char *group)
-+evaluate_innetgr(const pam_handle_t* pamh, const char *host, const char *user, const char *group)
- {
-+#ifdef HAVE_INNETGR
- if (innetgr(group, host, user, NULL) == 1)
- return PAM_SUCCESS;
-+#else
-+ pam_syslog (pamh, LOG_ERR, "pam_succeed_if does not have netgroup support");
-+#endif
-+
- return PAM_AUTH_ERR;
- }
- /* Return PAM_SUCCESS if the (host,user) is NOT in the netgroup. */
- static int
--evaluate_notinnetgr(const char *host, const char *user, const char *group)
-+evaluate_notinnetgr(const pam_handle_t* pamh, const char *host, const char *user, const char *group)
- {
-+#ifdef HAVE_INNETGR
- if (innetgr(group, host, user, NULL) == 0)
- return PAM_SUCCESS;
-+#else
-+ pam_syslog (pamh, LOG_ERR, "pam_succeed_if does not have netgroup support");
-+#endif
- return PAM_AUTH_ERR;
- }
-
-@@ -387,14 +396,14 @@ evaluate(pam_handle_t *pamh, int debug,
- const void *rhost;
- if (pam_get_item(pamh, PAM_RHOST, &rhost) != PAM_SUCCESS)
- rhost = NULL;
-- return evaluate_innetgr(rhost, user, right);
-+ return evaluate_innetgr(pamh, rhost, user, right);
- }
- /* (Rhost, user) is not in this group. */
- if (strcasecmp(qual, "notinnetgr") == 0) {
- const void *rhost;
- if (pam_get_item(pamh, PAM_RHOST, &rhost) != PAM_SUCCESS)
- rhost = NULL;
-- return evaluate_notinnetgr(rhost, user, right);
-+ return evaluate_notinnetgr(pamh, rhost, user, right);
- }
- /* Fail closed. */
- return PAM_SERVICE_ERR;
--- /dev/null
+From ee916fd0ec70eb37a97da29f6ec0c26bef7cf6f2 Mon Sep 17 00:00:00 2001
+From: Yousong Zhou <yszhou4tech@gmail.com>
+Date: Wed, 17 Jun 2015 16:11:31 +0800
+Subject: [PATCH 1/7] build: use $host_cpu for lib64 directory handling.
+
+* configure.ac: use $host_cpu for lib64 directory handling.
+
+Signed-off-by: Yousong Zhou <yszhou4tech@gmail.com>
+---
+ configure.ac | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/configure.ac b/configure.ac
+index fd0e310..1bc2591 100644
+--- a/configure.ac
++++ b/configure.ac
+@@ -27,7 +27,7 @@ dnl If we use /usr as prefix, use /etc for config files
+ fi
+ if test ${libdir} = '${exec_prefix}/lib'
+ then
+- case "`uname -m`" in
++ case "$host_cpu" in
+ x86_64|ppc64|s390x|sparc64)
+ libdir="/lib64" ;;
+ *)
+--
+1.7.10.4
+
--- /dev/null
+From e985c1ef2c739a597b2d7a2efc3c310c02e40c1f Mon Sep 17 00:00:00 2001
+From: Yousong Zhou <yszhou4tech@gmail.com>
+Date: Wed, 17 Jun 2015 18:19:23 +0800
+Subject: [PATCH 2/7] build: ignore pam_rhosts if neither ruserok nor
+ ruserok_af is available.
+
+* configure.ac: check for ruserok and ruserok_af
+* modules/Makefile.am: ignore pam_rhosts/ if it's disabled
+* modules/pam_rhosts/pam_rhosts.c: include stdlib.h for malloc and free
+
+Signed-off-by: Yousong Zhou <yszhou4tech@gmail.com>
+---
+ configure.ac | 5 ++++-
+ modules/Makefile.am | 11 ++++++++---
+ modules/pam_rhosts/pam_rhosts.c | 1 +
+ 3 files changed, 13 insertions(+), 4 deletions(-)
+
+diff --git a/configure.ac b/configure.ac
+index 1bc2591..3c4d8bb 100644
+--- a/configure.ac
++++ b/configure.ac
+@@ -542,7 +542,10 @@ AC_CHECK_FUNCS(fseeko getdomainname gethostname gettimeofday lckpwdf mkdir selec
+ AC_CHECK_FUNCS(strcspn strdup strspn strstr strtol uname)
+ AC_CHECK_FUNCS(getutent_r getpwnam_r getpwuid_r getgrnam_r getgrgid_r getspnam_r)
+ AC_CHECK_FUNCS(getgrouplist getline getdelim)
+-AC_CHECK_FUNCS(inet_ntop inet_pton innetgr ruserok_af)
++AC_CHECK_FUNCS(inet_ntop inet_pton innetgr)
++AC_CHECK_FUNCS([ruserok_af ruserok], [break])
++
++AM_CONDITIONAL([COND_BUILD_PAM_RHOSTS], [test "$ac_cv_func_ruserok_af" = yes -o "$ac_cv_func_ruserok" = yes])
+
+ AC_CHECK_FUNCS(unshare, [UNSHARE=yes], [UNSHARE=no])
+ AM_CONDITIONAL([HAVE_UNSHARE], [test "$UNSHARE" = yes])
+diff --git a/modules/Makefile.am b/modules/Makefile.am
+index 0c80cea..9ad26a9 100644
+--- a/modules/Makefile.am
++++ b/modules/Makefile.am
+@@ -2,16 +2,21 @@
+ # Copyright (c) 2005, 2006, 2008 Thorsten Kukuk <kukuk@thkukuk.de>
+ #
+
+-SUBDIRS = pam_access pam_cracklib pam_debug pam_deny pam_echo \
++if COND_BUILD_PAM_RHOSTS
++ MAYBE_PAM_RHOSTS = pam_rhosts
++endif
++
++SUBDIRS := pam_access pam_cracklib pam_debug pam_deny pam_echo \
+ pam_env pam_exec pam_faildelay pam_filter pam_ftp \
+ pam_group pam_issue pam_keyinit pam_lastlog pam_limits \
+ pam_listfile pam_localuser pam_loginuid pam_mail \
+ pam_mkhomedir pam_motd pam_namespace pam_nologin \
+- pam_permit pam_pwhistory pam_rhosts pam_rootok pam_securetty \
++ pam_permit pam_pwhistory pam_rootok pam_securetty \
+ pam_selinux pam_sepermit pam_shells pam_stress \
+ pam_succeed_if pam_tally pam_tally2 pam_time pam_timestamp \
+ pam_tty_audit pam_umask \
+- pam_unix pam_userdb pam_warn pam_wheel pam_xauth
++ pam_unix pam_userdb pam_warn pam_wheel pam_xauth \
++ $(MAYBE_PAM_RHOSTS)
+
+ CLEANFILES = *~
+
+diff --git a/modules/pam_rhosts/pam_rhosts.c b/modules/pam_rhosts/pam_rhosts.c
+index bc9e76f..51ef13e 100644
+--- a/modules/pam_rhosts/pam_rhosts.c
++++ b/modules/pam_rhosts/pam_rhosts.c
+@@ -35,6 +35,7 @@
+ #include <pwd.h>
+ #include <netdb.h>
+ #include <string.h>
++#include <stdlib.h>
+ #include <syslog.h>
+
+ #define PAM_SM_AUTH /* only defines this management group */
+--
+1.7.10.4
+
--- /dev/null
+From 173164996ca7daf3fa705f2a0bb2991b0d5d2083 Mon Sep 17 00:00:00 2001
+From: Yousong Zhou <yszhou4tech@gmail.com>
+Date: Wed, 17 Jun 2015 21:18:05 +0800
+Subject: [PATCH 3/7] build: ignore pam_lastlog when logwtmp is not available.
+
+* configure.ac: check logwtmp and set COND_BUILD_PAM_LASTLOG
+* modules/pam_lastlog/Makefile.am: check COND_BUILD_PAM_LASTLOG
+
+Signed-off-by: Yousong Zhou <yszhou4tech@gmail.com>
+---
+ configure.ac | 2 ++
+ modules/Makefile.am | 8 ++++++--
+ 2 files changed, 8 insertions(+), 2 deletions(-)
+
+diff --git a/configure.ac b/configure.ac
+index 3c4d8bb..8de6edf 100644
+--- a/configure.ac
++++ b/configure.ac
+@@ -544,8 +544,10 @@ AC_CHECK_FUNCS(getutent_r getpwnam_r getpwuid_r getgrnam_r getgrgid_r getspnam_r
+ AC_CHECK_FUNCS(getgrouplist getline getdelim)
+ AC_CHECK_FUNCS(inet_ntop inet_pton innetgr)
+ AC_CHECK_FUNCS([ruserok_af ruserok], [break])
++AC_CHECK_FUNCS([logwtmp])
+
+ AM_CONDITIONAL([COND_BUILD_PAM_RHOSTS], [test "$ac_cv_func_ruserok_af" = yes -o "$ac_cv_func_ruserok" = yes])
++AM_CONDITIONAL([COND_BUILD_PAM_LASTLOG], [test "$ac_cv_func_logwtmp" = yes])
+
+ AC_CHECK_FUNCS(unshare, [UNSHARE=yes], [UNSHARE=no])
+ AM_CONDITIONAL([HAVE_UNSHARE], [test "$UNSHARE" = yes])
+diff --git a/modules/Makefile.am b/modules/Makefile.am
+index 9ad26a9..b98dc5c 100644
+--- a/modules/Makefile.am
++++ b/modules/Makefile.am
+@@ -6,9 +6,13 @@ if COND_BUILD_PAM_RHOSTS
+ MAYBE_PAM_RHOSTS = pam_rhosts
+ endif
+
++if COND_BUILD_PAM_LASTLOG
++ MAYBE_PAM_LASTLOG = pam_lastlog
++endif
++
+ SUBDIRS := pam_access pam_cracklib pam_debug pam_deny pam_echo \
+ pam_env pam_exec pam_faildelay pam_filter pam_ftp \
+- pam_group pam_issue pam_keyinit pam_lastlog pam_limits \
++ pam_group pam_issue pam_keyinit pam_limits \
+ pam_listfile pam_localuser pam_loginuid pam_mail \
+ pam_mkhomedir pam_motd pam_namespace pam_nologin \
+ pam_permit pam_pwhistory pam_rootok pam_securetty \
+@@ -16,7 +20,7 @@ SUBDIRS := pam_access pam_cracklib pam_debug pam_deny pam_echo \
+ pam_succeed_if pam_tally pam_tally2 pam_time pam_timestamp \
+ pam_tty_audit pam_umask \
+ pam_unix pam_userdb pam_warn pam_wheel pam_xauth \
+- $(MAYBE_PAM_RHOSTS)
++ $(MAYBE_PAM_RHOSTS) $(MAYBE_PAM_LASTLOG)
+
+ CLEANFILES = *~
+
+--
+1.7.10.4
+
--- /dev/null
+From 20e5efe4b2a8471bc52e480e53cff68a4de19c56 Mon Sep 17 00:00:00 2001
+From: Yousong Zhou <yszhou4tech@gmail.com>
+Date: Wed, 17 Jun 2015 18:22:31 +0800
+Subject: [PATCH 4/7] build: fix build when crypt() is not part of crypt_libs.
+
+* configure.ac: ditto.
+
+Signed-off-by: Yousong Zhou <yszhou4tech@gmail.com>
+---
+ configure.ac | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/configure.ac b/configure.ac
+index 8de6edf..c15441b 100644
+--- a/configure.ac
++++ b/configure.ac
+@@ -416,7 +416,7 @@ AS_IF([test "x$ac_cv_header_xcrypt_h" = "xyes"],
+ [crypt_libs="crypt"])
+
+ BACKUP_LIBS=$LIBS
+-AC_SEARCH_LIBS([crypt],[$crypt_libs], LIBCRYPT="-l$ac_lib", LIBCRYPT="")
++AC_SEARCH_LIBS([crypt],[$crypt_libs], LIBCRYPT="${ac_lib:+-l$ac_lib}", LIBCRYPT="")
+ AC_CHECK_FUNCS(crypt_r crypt_gensalt_r)
+ LIBS=$BACKUP_LIBS
+ AC_SUBST(LIBCRYPT)
+--
+1.7.10.4
+
--- /dev/null
+From df7abf333d19aefd166f613b696345732ae4c9c8 Mon Sep 17 00:00:00 2001
+From: Yousong Zhou <yszhou4tech@gmail.com>
+Date: Wed, 17 Jun 2015 20:38:41 +0800
+Subject: [PATCH 5/7] build: fix doc build.
+
+* Makefile.am: ignore doc/ directory if not ENABLE_REGENERATE_MAN
+* doc/adg/Makefile.am: remove check on ENABLE_REGENERATE_MAN
+* doc/man/Makefile.am: ditto
+* doc/mwg/Makefile.am: ditto
+* doc/sag/Makefile.am: ditto
+* doc/specs/Makefile.am: ignore CC from command line
+
+Signed-off-by: Yousong Zhou <yszhou4tech@gmail.com>
+---
+ Makefile.am | 5 ++++-
+ doc/adg/Makefile.am | 3 ---
+ doc/man/Makefile.am | 2 --
+ doc/mwg/Makefile.am | 3 ---
+ doc/sag/Makefile.am | 2 --
+ doc/specs/Makefile.am | 2 +-
+ 6 files changed, 5 insertions(+), 12 deletions(-)
+
+diff --git a/Makefile.am b/Makefile.am
+index 3db4e37..5e6592a 100644
+--- a/Makefile.am
++++ b/Makefile.am
+@@ -4,7 +4,10 @@
+
+ AUTOMAKE_OPTIONS = 1.9 gnu dist-bzip2 check-news
+
+-SUBDIRS = libpam tests libpamc libpam_misc modules po conf doc examples xtests
++if ENABLE_REGENERATE_MAN
++ MAYBE_DOC = doc
++endif
++SUBDIRS = libpam tests libpamc libpam_misc modules po conf examples xtests $(MAYBE_DOC)
+
+ CLEANFILES = *~
+
+diff --git a/doc/adg/Makefile.am b/doc/adg/Makefile.am
+index 77bd7a9..bec5edc 100644
+--- a/doc/adg/Makefile.am
++++ b/doc/adg/Makefile.am
+@@ -9,7 +9,6 @@ EXTRA_DIST = $(XMLS)
+ XMLS = Linux-PAM_ADG.xml $(shell ls $(srcdir)/pam_*.xml)
+ DEP_XMLS = $(shell ls $(top_srcdir)/doc/man/pam_*.xml)
+
+-if ENABLE_REGENERATE_MAN
+ MAINTAINERCLEANFILES = Linux-PAM_ADG.txt Linux-PAM_ADG.pdf html/*.html
+
+ all: Linux-PAM_ADG.txt html/Linux-PAM_ADG.html Linux-PAM_ADG.pdf
+@@ -51,8 +50,6 @@ html/Linux-PAM_ADG.html: $(XMLS) $(DEP_XMLS)
+ distclean-local:
+ -rm -rf html Linux-PAM_ADG.txt Linux-PAM_ADG.pdf
+
+-endif
+-
+ install-data-local:
+ $(mkinstalldirs) $(DESTDIR)$(docdir)
+ $(mkinstalldirs) $(DESTDIR)$(pdfdir)
+diff --git a/doc/man/Makefile.am b/doc/man/Makefile.am
+index 78c891d..b1dc421 100644
+--- a/doc/man/Makefile.am
++++ b/doc/man/Makefile.am
+@@ -45,7 +45,6 @@ XMLS = pam.3.xml pam.8.xml \
+ misc_conv.3.xml pam_misc_paste_env.3.xml pam_misc_drop_env.3.xml \
+ pam_misc_setenv.3.xml
+
+-if ENABLE_REGENERATE_MAN
+ PAM.8: pam.8
+ pam_get_authtok_noverify.3: pam_get_authtok.3
+ pam_get_authtok_verify.3: pam_get_authtok.3
+@@ -60,4 +59,3 @@ pam_get_item.3: pam_item_types_std.inc.xml pam_item_types_ext.inc.xml
+ pam_set_data.3: pam_item_types_std.inc.xml pam_item_types_ext.inc.xml
+ pam.conf.5: pam.conf-desc.xml pam.conf-dir.xml pam.conf-syntax.xml
+ -include $(top_srcdir)/Make.xml.rules
+-endif
+diff --git a/doc/mwg/Makefile.am b/doc/mwg/Makefile.am
+index 2bbb2d0..f57e297 100644
+--- a/doc/mwg/Makefile.am
++++ b/doc/mwg/Makefile.am
+@@ -9,7 +9,6 @@ EXTRA_DIST = $(XMLS)
+ XMLS = Linux-PAM_MWG.xml $(shell ls $(srcdir)/pam_*.xml)
+ DEP_XMLS = $(shell ls $(top_srcdir)/doc/man/pam_*.xml)
+
+-if ENABLE_REGENERATE_MAN
+ MAINTAINERCLEANFILES = Linux-PAM_MWG.txt Linux-PAM_MWG.pdf html/*.html
+
+ all: Linux-PAM_MWG.txt html/Linux-PAM_MWG.html Linux-PAM_MWG.pdf
+@@ -51,8 +50,6 @@ html/Linux-PAM_MWG.html: $(XMLS) $(DEP_XMLS)
+ distclean-local:
+ -rm -rf html Linux-PAM_MWG.txt Linux-PAM_MWG.pdf
+
+-endif
+-
+ install-data-local:
+ $(mkinstalldirs) $(DESTDIR)$(docdir)
+ $(mkinstalldirs) $(DESTDIR)$(pdfdir)
+diff --git a/doc/sag/Makefile.am b/doc/sag/Makefile.am
+index 31816aa..a8b655f 100644
+--- a/doc/sag/Makefile.am
++++ b/doc/sag/Makefile.am
+@@ -10,7 +10,6 @@ XMLS = Linux-PAM_SAG.xml $(shell ls $(srcdir)/pam_*.xml)
+
+ DEP_XMLS = $(shell ls $(top_srcdir)/modules/pam_*/pam_*.xml)
+
+-if ENABLE_REGENERATE_MAN
+ MAINTAINERCLEANFILES = Linux-PAM_SAG.txt Linux-PAM_SAG.pdf html/*.html
+
+ all: Linux-PAM_SAG.txt html/Linux-PAM_SAG.html Linux-PAM_SAG.pdf
+@@ -51,7 +50,6 @@ html/Linux-PAM_SAG.html: $(XMLS) $(DEP_XMLS)
+
+ distclean-local:
+ -rm -rf html Linux-PAM_SAG.txt Linux-PAM_SAG.pdf
+-endif
+
+ install-data-local:
+ $(mkinstalldirs) $(DESTDIR)$(docdir)
+diff --git a/doc/specs/Makefile.am b/doc/specs/Makefile.am
+index 99ecc70..39c850f 100644
+--- a/doc/specs/Makefile.am
++++ b/doc/specs/Makefile.am
+@@ -11,7 +11,7 @@ draft-morgan-pam-current.txt: padout draft-morgan-pam.raw
+
+ AM_YFLAGS = -d
+
+-CC = @CC_FOR_BUILD@
++override CC = @CC_FOR_BUILD@
+ CPPFLAGS = @BUILD_CPPFLAGS@
+ CFLAGS = @BUILD_CFLAGS@
+ LDFLAGS = @BUILD_LDFLAGS@
+--
+1.7.10.4
+
--- /dev/null
+From 596797ab7f46fb4d0338e75db7c0d1019cd4df87 Mon Sep 17 00:00:00 2001
+From: Yousong Zhou <yszhou4tech@gmail.com>
+Date: Wed, 17 Jun 2015 18:16:18 +0800
+Subject: [PATCH 6/7] pam_unix: fix compilation in case rpc/rpc.h is missing.
+
+* modules/pam_unix/pam_unix_passwd.c: conditional compile on the
+ availability of rpc/rpc.h
+
+Signed-off-by: Yousong Zhou <yszhou4tech@gmail.com>
+---
+ modules/pam_unix/pam_unix_passwd.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/modules/pam_unix/pam_unix_passwd.c b/modules/pam_unix/pam_unix_passwd.c
+index 2d330e5..970724a 100644
+--- a/modules/pam_unix/pam_unix_passwd.c
++++ b/modules/pam_unix/pam_unix_passwd.c
+@@ -336,7 +336,7 @@ static int _do_setpass(pam_handle_t* pamh, const char *forwho,
+ }
+
+ if (on(UNIX_NIS, ctrl) && _unix_comesfromsource(pamh, forwho, 0, 1)) {
+-#ifdef HAVE_NIS
++#if defined(HAVE_NIS) && defined(HAVE_RPC_RPC_H)
+ if ((master=getNISserver(pamh, ctrl)) != NULL) {
+ struct timeval timeout;
+ struct yppasswd yppwd;
+--
+1.7.10.4
+
--- /dev/null
+From 9e2fa22891a87592c1a04801623fea5be40cb581 Mon Sep 17 00:00:00 2001
+From: Yousong Zhou <yszhou4tech@gmail.com>
+Date: Wed, 17 Jun 2015 15:33:43 +0800
+Subject: [PATCH 7/7] Check if innetgr is available at compile time.
+
+innetgr may not be there so make sure that when innetgr is not present
+then we inform about it and not use it.
+
+* modules/pam_group/pam_group.c: ditto
+* modules/pam_succeed_if/pam_succeed_if.c: ditto
+* modules/pam_time/pam_time.c: ditto
+
+Signed-off-by: Khem Raj <raj.khem at gmail.com>
+Signed-off-by: Yousong Zhou <yszhou4tech at gmail.com>
+---
+ modules/pam_group/pam_group.c | 4 ++++
+ modules/pam_succeed_if/pam_succeed_if.c | 17 +++++++++++++----
+ modules/pam_time/pam_time.c | 4 ++++
+ 3 files changed, 21 insertions(+), 4 deletions(-)
+
+diff --git a/modules/pam_group/pam_group.c b/modules/pam_group/pam_group.c
+index be5f20f..6a065ca 100644
+--- a/modules/pam_group/pam_group.c
++++ b/modules/pam_group/pam_group.c
+@@ -656,7 +656,11 @@ static int check_account(pam_handle_t *pamh, const char *service,
+ }
+ /* If buffer starts with @, we are using netgroups */
+ if (buffer[0] == '@')
++#ifdef HAVE_INNETGR
+ good &= innetgr (&buffer[1], NULL, user, NULL);
++#else
++ pam_syslog (pamh, LOG_ERR, "pam_group does not have netgroup support");
++#endif
+ /* otherwise, if the buffer starts with %, it's a UNIX group */
+ else if (buffer[0] == '%')
+ good &= pam_modutil_user_in_group_nam_nam(pamh, user, &buffer[1]);
+diff --git a/modules/pam_succeed_if/pam_succeed_if.c b/modules/pam_succeed_if/pam_succeed_if.c
+index aa828fc..c0c68a0 100644
+--- a/modules/pam_succeed_if/pam_succeed_if.c
++++ b/modules/pam_succeed_if/pam_succeed_if.c
+@@ -231,18 +231,27 @@ evaluate_notingroup(pam_handle_t *pamh, const char *user, const char *group)
+ }
+ /* Return PAM_SUCCESS if the (host,user) is in the netgroup. */
+ static int
+-evaluate_innetgr(const char *host, const char *user, const char *group)
++evaluate_innetgr(const pam_handle_t* pamh, const char *host, const char *user, const char *group)
+ {
++#ifdef HAVE_INNETGR
+ if (innetgr(group, host, user, NULL) == 1)
+ return PAM_SUCCESS;
++#else
++ pam_syslog (pamh, LOG_ERR, "pam_succeed_if does not have netgroup support");
++#endif
++
+ return PAM_AUTH_ERR;
+ }
+ /* Return PAM_SUCCESS if the (host,user) is NOT in the netgroup. */
+ static int
+-evaluate_notinnetgr(const char *host, const char *user, const char *group)
++evaluate_notinnetgr(const pam_handle_t* pamh, const char *host, const char *user, const char *group)
+ {
++#ifdef HAVE_INNETGR
+ if (innetgr(group, host, user, NULL) == 0)
+ return PAM_SUCCESS;
++#else
++ pam_syslog (pamh, LOG_ERR, "pam_succeed_if does not have netgroup support");
++#endif
+ return PAM_AUTH_ERR;
+ }
+
+@@ -387,14 +396,14 @@ evaluate(pam_handle_t *pamh, int debug,
+ const void *rhost;
+ if (pam_get_item(pamh, PAM_RHOST, &rhost) != PAM_SUCCESS)
+ rhost = NULL;
+- return evaluate_innetgr(rhost, user, right);
++ return evaluate_innetgr(pamh, rhost, user, right);
+ }
+ /* (Rhost, user) is not in this group. */
+ if (strcasecmp(qual, "notinnetgr") == 0) {
+ const void *rhost;
+ if (pam_get_item(pamh, PAM_RHOST, &rhost) != PAM_SUCCESS)
+ rhost = NULL;
+- return evaluate_notinnetgr(rhost, user, right);
++ return evaluate_notinnetgr(pamh, rhost, user, right);
+ }
+ /* Fail closed. */
+ return PAM_SERVICE_ERR;
+diff --git a/modules/pam_time/pam_time.c b/modules/pam_time/pam_time.c
+index c94737c..0b34a14 100644
+--- a/modules/pam_time/pam_time.c
++++ b/modules/pam_time/pam_time.c
+@@ -555,7 +555,11 @@ check_account(pam_handle_t *pamh, const char *service,
+ }
+ /* If buffer starts with @, we are using netgroups */
+ if (buffer[0] == '@')
++#ifdef HAVE_INNETGR
+ good &= innetgr (&buffer[1], NULL, user, NULL);
++#else
++ pam_syslog (pamh, LOG_ERR, "pam_time does not have netgroup support");
++#endif
+ else
+ good &= logic_field(pamh, user, buffer, count, is_same);
+ D(("with user: %s", good ? "passes":"fails" ));
+--
+1.7.10.4
+
+++ /dev/null
---- a/modules/pam_access/pam_access.c
-+++ b/modules/pam_access/pam_access.c
-@@ -44,7 +44,7 @@
- #include <arpa/inet.h>
- #include <netdb.h>
- #include <sys/socket.h>
--#ifdef HAVE_RPCSVC_YPCLNT_H
-+#ifdef HAVE_RPCSVC_YPCLNT_H && USE_NIS
- #include <rpcsvc/ypclnt.h>
- #endif
- #ifdef HAVE_LIBAUDIT
---- a/modules/pam_unix/pam_unix_passwd.c
-+++ b/modules/pam_unix/pam_unix_passwd.c
-@@ -79,18 +79,18 @@
- #include "passverify.h"
- #include "bigcrypt.h"
-
--#if (HAVE_YP_GET_DEFAULT_DOMAIN || HAVE_GETDOMAINNAME) && HAVE_YP_MASTER
-+#if (HAVE_YP_GET_DEFAULT_DOMAIN || HAVE_GETDOMAINNAME) && HAVE_YP_MASTER && USE_NIS
- # define HAVE_NIS
- #endif
-
- #ifdef HAVE_NIS
- # include <rpc/rpc.h>
-
--# if HAVE_RPCSVC_YP_PROT_H
-+# if HAVE_RPCSVC_YP_PROT_H && USE_NIS
- # include <rpcsvc/yp_prot.h>
- # endif
-
--# if HAVE_RPCSVC_YPCLNT_H
-+# if HAVE_RPCSVC_YPCLNT_H && USE_NIS
- # include <rpcsvc/ypclnt.h>
- # endif
-
---- a/modules/pam_unix/support.c
-+++ b/modules/pam_unix/support.c
-@@ -19,7 +19,7 @@
- #include <ctype.h>
- #include <syslog.h>
- #include <sys/resource.h>
--#ifdef HAVE_RPCSVC_YPCLNT_H
-+#ifdef HAVE_RPCSVC_YPCLNT_H && USE_NIS
- #include <rpcsvc/ypclnt.h>
- #endif
-
-@@ -402,7 +402,7 @@ int _unix_getpwnam(pam_handle_t *pamh, c
- }
- }
-
--#if defined(HAVE_YP_GET_DEFAULT_DOMAIN) && defined (HAVE_YP_BIND) && defined (HAVE_YP_MATCH) && defined (HAVE_YP_UNBIND)
-+#if defined(HAVE_YP_GET_DEFAULT_DOMAIN) && defined (HAVE_YP_BIND) && defined (HAVE_YP_MATCH) && defined (HAVE_YP_UNBIND) && (USE_NIS)
- if (!matched && nis) {
- char *userinfo = NULL, *domain = NULL;
- int len = 0, i;
---- a/modules/pam_unix/yppasswd_xdr.c
-+++ b/modules/pam_unix/yppasswd_xdr.c
-@@ -15,6 +15,10 @@
- #ifdef HAVE_RPC_RPC_H
-
- #include <rpc/rpc.h>
-+#ifdef USE_NIS
-+#include <rpcsvc/yp_prot.h>
-+#include <rpcsvc/ypclnt.h>
-+#endif
- #include "yppasswd.h"
-
- bool_t
+++ /dev/null
---- a/conf/pam_conv1/pam_conv_l.c
-+++ b/conf/pam_conv1/pam_conv_l.c
-@@ -534,7 +534,9 @@ void yyset_lineno (int line_number );
- #ifdef __cplusplus
- extern "C" int yywrap (void );
- #else
--extern int yywrap (void );
-+int yywrap (void ) {
-+ return 1;
-+}
- #endif
- #endif
-
---- a/doc/specs/parse_l.c
-+++ b/doc/specs/parse_l.c
-@@ -520,7 +520,9 @@ void yyset_lineno (int line_number );
- #ifdef __cplusplus
- extern "C" int yywrap (void );
- #else
--extern int yywrap (void );
-+int yywrap (void ) {
-+ return 1;
-+}
- #endif
- #endif
-
+++ /dev/null
---- a/Makefile.am
-+++ b/Makefile.am
-@@ -4,7 +4,7 @@
-
- AUTOMAKE_OPTIONS = 1.9 gnu dist-bzip2 check-news
-
--SUBDIRS = libpam tests libpamc libpam_misc modules po conf doc examples xtests
-+SUBDIRS = libpam tests libpamc libpam_misc modules po conf examples xtests
-
- CLEANFILES = *~
-
---- a/Makefile.in
-+++ b/Makefile.in
-@@ -288,7 +288,7 @@ top_build_prefix = @top_build_prefix@
- top_builddir = @top_builddir@
- top_srcdir = @top_srcdir@
- AUTOMAKE_OPTIONS = 1.9 gnu dist-bzip2 check-news
--SUBDIRS = libpam tests libpamc libpam_misc modules po conf doc examples xtests
-+SUBDIRS = libpam tests libpamc libpam_misc modules po conf examples xtests
- CLEANFILES = *~
- EXTRA_DIST = pgp.keys.asc CHANGELOG ChangeLog-CVS Copyright Make.xml.rules
- ACLOCAL_AMFLAGS = -I m4
+++ /dev/null
---- a/configure.in
-+++ b/configure.in
-@@ -28,12 +28,7 @@ dnl If we use /usr as prefix, use /etc f
- fi
- if test ${libdir} = '${exec_prefix}/lib'
- then
-- case "`uname -m`" in
-- x86_64|ppc64|s390x|sparc64)
-- libdir="/lib64" ;;
-- *)
-- libdir="/lib" ;;
-- esac
-+ libdir="/lib"
- fi
- if test ${sbindir} = '${exec_prefix}/sbin'
- then
+++ /dev/null
---- a/modules/pam_rhosts/pam_rhosts.c
-+++ b/modules/pam_rhosts/pam_rhosts.c
-@@ -43,6 +43,361 @@
- #include <security/pam_modutil.h>
- #include <security/pam_ext.h>
-
-+#ifdef __UCLIBC__
-+
-+#include <stdio.h>
-+#include <sys/stat.h>
-+
-+
-+int __check_rhosts_file = 1;
-+
-+/* Extremely paranoid file open function. */
-+static FILE *
-+iruserfopen (const char *file, uid_t okuser)
-+{
-+ struct stat st;
-+ char *cp = NULL;
-+ FILE *res = NULL;
-+
-+ /* If not a regular file, if owned by someone other than user or
-+ root, if writeable by anyone but the owner, or if hardlinked
-+ anywhere, quit. */
-+ if (lstat (file, &st))
-+ cp = "lstat failed";
-+ else if (!S_ISREG (st.st_mode))
-+ cp = "not regular file";
-+ else
-+ {
-+ res = fopen (file, "r");
-+ if (!res)
-+ cp = "cannot open";
-+ else if (fstat (fileno (res), &st) < 0)
-+ cp = "fstat failed";
-+ else if (st.st_uid && st.st_uid != okuser)
-+ cp = "bad owner";
-+ else if (st.st_mode & (S_IWGRP|S_IWOTH))
-+ cp = "writeable by other than owner";
-+ else if (st.st_nlink > 1)
-+ cp = "hard linked somewhere";
-+ }
-+
-+ /* If there were any problems, quit. */
-+ if (cp != NULL)
-+ {
-+ if (res)
-+ fclose (res);
-+ return NULL;
-+ }
-+
-+ return res;
-+}
-+
-+/*
-+ * Returns 1 for blank lines (or only comment lines) and 0 otherwise
-+ */
-+static int
-+__isempty(char *p)
-+{
-+ while (*p && isspace (*p)) {
-+ ++p;
-+ }
-+
-+ return (*p == '\0' || *p == '#') ? 1 : 0 ;
-+}
-+
-+/* Returns 1 on positive match, 0 on no match, -1 on negative match. */
-+static int
-+__icheckhost (u_int32_t raddr, char *lhost, const char *rhost)
-+{
-+ struct hostent *hp;
-+ u_int32_t laddr;
-+ int negate=1; /* Multiply return with this to get -1 instead of 1 */
-+ char **pp;
-+
-+#ifdef __UCLIBC_HAS_REENTRANT_RPC__
-+ int save_errno;
-+ size_t buflen;
-+ char *buffer;
-+ struct hostent hostbuf;
-+ int herr;
-+#endif
-+
-+#ifdef HAVE_NETGROUP
-+ /* Check nis netgroup. */
-+ if (strncmp ("+@", lhost, 2) == 0)
-+ return innetgr (&lhost[2], rhost, NULL, NULL);
-+
-+ if (strncmp ("-@", lhost, 2) == 0)
-+ return -innetgr (&lhost[2], rhost, NULL, NULL);
-+#endif /* HAVE_NETGROUP */
-+
-+ /* -host */
-+ if (strncmp ("-", lhost,1) == 0) {
-+ negate = -1;
-+ lhost++;
-+ } else if (strcmp ("+",lhost) == 0) {
-+ return 1; /* asking for trouble, but ok.. */
-+ }
-+
-+ /* Try for raw ip address first. */
-+ if (isdigit (*lhost) && (laddr = inet_addr (lhost)) != INADDR_NONE)
-+ return negate * (! (raddr ^ laddr));
-+
-+ /* Better be a hostname. */
-+#ifdef __UCLIBC_HAS_REENTRANT_RPC__
-+ buflen = 1024;
-+ buffer = malloc(buflen);
-+ save_errno = errno;
-+
-+ while (gethostbyname_r (lhost, &hostbuf, buffer, buflen, &hp, &herr)
-+ != 0) {
-+ free(buffer);
-+ return (0);
-+ }
-+ free(buffer);
-+ __set_errno (save_errno);
-+#else
-+ hp = gethostbyname(lhost);
-+#endif /* __UCLIBC_HAS_REENTRANT_RPC__ */
-+
-+ if (hp == NULL)
-+ return 0;
-+
-+ /* Spin through ip addresses. */
-+ for (pp = hp->h_addr_list; *pp; ++pp)
-+ if (!memcmp (&raddr, *pp, sizeof (u_int32_t)))
-+ return negate;
-+
-+ /* No match. */
-+ return (0);
-+}
-+
-+/* Returns 1 on positive match, 0 on no match, -1 on negative match. */
-+static int
-+__icheckuser (const char *luser, const char *ruser)
-+{
-+
-+ /*
-+ luser is user entry from .rhosts/hosts.equiv file
-+ ruser is user id on remote host
-+ */
-+
-+#ifdef HAVE_NETGROUP
-+ /* [-+]@netgroup */
-+ if (strncmp ("+@", luser, 2) == 0)
-+ return innetgr (&luser[2], NULL, ruser, NULL);
-+
-+ if (strncmp ("-@", luser,2) == 0)
-+ return -innetgr (&luser[2], NULL, ruser, NULL);
-+#endif /* HAVE_NETGROUP */
-+
-+ /* -user */
-+ if (strncmp ("-", luser, 1) == 0)
-+ return -(strcmp (&luser[1], ruser) == 0);
-+
-+ /* + */
-+ if (strcmp ("+", luser) == 0)
-+ return 1;
-+
-+ /* simple string match */
-+ return strcmp (ruser, luser) == 0;
-+}
-+
-+/*
-+ * Returns 0 if positive match, -1 if _not_ ok.
-+ */
-+static int
-+__ivaliduser2(FILE *hostf, u_int32_t raddr, const char *luser,
-+ const char *ruser, const char *rhost)
-+{
-+ register const char *user;
-+ register char *p;
-+ int hcheck, ucheck;
-+ char *buf = NULL;
-+ size_t bufsize = 0;
-+ int retval = -1;
-+
-+ while (getline (&buf, &bufsize, hostf) > 0) {
-+ buf[bufsize - 1] = '\0'; /* Make sure it's terminated. */
-+ p = buf;
-+
-+ /* Skip empty or comment lines */
-+ if (__isempty (p)) {
-+ continue;
-+ }
-+
-+ /* Skip lines that are too long. */
-+ if (strchr (p, '\n') == NULL) {
-+ int ch = getc_unlocked (hostf);
-+
-+ while (ch != '\n' && ch != EOF)
-+ ch = getc_unlocked (hostf);
-+ continue;
-+ }
-+
-+ for (;*p && !isspace(*p); ++p) {
-+ *p = tolower (*p);
-+ }
-+
-+ /* Next we want to find the permitted name for the remote user. */
-+ if (*p == ' ' || *p == '\t') {
-+ /* <nul> terminate hostname and skip spaces */
-+ for (*p++='\0'; *p && isspace (*p); ++p);
-+
-+ user = p; /* this is the user's name */
-+ while (*p && !isspace (*p))
-+ ++p; /* find end of user's name */
-+ } else
-+ user = p;
-+
-+ *p = '\0'; /* <nul> terminate username (+host?) */
-+
-+ /* buf -> host(?) ; user -> username(?) */
-+
-+ /* First check host part */
-+ hcheck = __icheckhost (raddr, buf, rhost);
-+
-+ if (hcheck < 0)
-+ break;
-+
-+ if (hcheck) {
-+ /* Then check user part */
-+ if (! (*user))
-+ user = luser;
-+
-+ ucheck = __icheckuser (user, ruser);
-+
-+ /* Positive 'host user' match? */
-+ if (ucheck > 0) {
-+ retval = 0;
-+ break;
-+ }
-+
-+ /* Negative 'host -user' match? */
-+ if (ucheck < 0)
-+ break;
-+
-+ /* Neither, go on looking for match */
-+ }
-+ }
-+
-+ free (buf);
-+
-+ return retval;
-+}
-+
-+static int
-+iruserok2 (u_int32_t raddr, int superuser, const char *ruser, const char *luser,
-+ const char *rhost)
-+{
-+ FILE *hostf = NULL;
-+ int isbad = -1;
-+
-+ if (!superuser)
-+ hostf = iruserfopen (_PATH_HEQUIV, 0);
-+
-+ if (hostf) {
-+ isbad = __ivaliduser2 (hostf, raddr, luser, ruser, rhost);
-+ fclose (hostf);
-+
-+ if (!isbad)
-+ return 0;
-+ }
-+
-+ if (__check_rhosts_file || superuser) {
-+ char *pbuf;
-+ struct passwd *pwd;
-+ size_t dirlen;
-+ uid_t uid;
-+
-+#ifdef __UCLIBC_HAS_REENTRANT_RPC__
-+ size_t buflen = sysconf (_SC_GETPW_R_SIZE_MAX);
-+ struct passwd pwdbuf;
-+ char *buffer = stack_heap_alloc(buflen);
-+
-+ if (getpwnam_r (luser, &pwdbuf, buffer,
-+ buflen, &pwd) != 0 || pwd == NULL)
-+ {
-+ stack_heap_free(buffer);
-+ return -1;
-+ }
-+ stack_heap_free(buffer);
-+#else
-+ if ((pwd = getpwnam(luser)) == NULL)
-+ return -1;
-+#endif
-+
-+ dirlen = strlen (pwd->pw_dir);
-+ pbuf = malloc (dirlen + sizeof "/.rhosts");
-+ strcpy (pbuf, pwd->pw_dir);
-+ strcat (pbuf, "/.rhosts");
-+
-+ /* Change effective uid while reading .rhosts. If root and
-+ reading an NFS mounted file system, can't read files that
-+ are protected read/write owner only. */
-+ uid = geteuid ();
-+ seteuid (pwd->pw_uid);
-+ hostf = iruserfopen (pbuf, pwd->pw_uid);
-+ free(pbuf);
-+
-+ if (hostf != NULL) {
-+ isbad = __ivaliduser2 (hostf, raddr, luser, ruser, rhost);
-+ fclose (hostf);
-+ }
-+
-+ seteuid (uid);
-+ return isbad;
-+ }
-+ return -1;
-+}
-+
-+int ruserok(const char *rhost, int superuser, const char *ruser,
-+ const char *luser)
-+{
-+ struct hostent *hp;
-+ u_int32_t addr;
-+ char **ap;
-+#ifdef __UCLIBC_HAS_REENTRANT_RPC__
-+ size_t buflen;
-+ char *buffer;
-+ int herr;
-+ struct hostent hostbuf;
-+#endif
-+
-+#ifdef __UCLIBC_HAS_REENTRANT_RPC__
-+ buflen = 1024;
-+ buffer = stack_heap_alloc(buflen);
-+
-+ while (gethostbyname_r (rhost, &hostbuf, buffer,
-+ buflen, &hp, &herr) != 0 || hp == NULL)
-+ {
-+ if (herr != NETDB_INTERNAL || errno != ERANGE) {
-+ stack_heap_free(buffer);
-+ return -1;
-+ } else
-+ {
-+ /* Enlarge the buffer. */
-+ buflen *= 2;
-+ stack_heap_free(buffer);
-+ buffer = stack_heap_alloc(buflen);
-+ }
-+ }
-+ stack_heap_free(buffer);
-+#else
-+ if ((hp = gethostbyname(rhost)) == NULL) {
-+ return -1;
-+ }
-+#endif
-+ for (ap = hp->h_addr_list; *ap; ++ap) {
-+ memmove(&addr, *ap, sizeof(addr));
-+ if (iruserok2(addr, superuser, ruser, luser, rhost) == 0)
-+ return 0;
-+ }
-+ return -1;
-+}
-+
-+#endif /* __UCLIBC__ */
-+
- PAM_EXTERN
- int pam_sm_authenticate (pam_handle_t *pamh, int flags, int argc,
- const char **argv)
+++ /dev/null
---- a/modules/pam_unix/yppasswd_xdr.c
-+++ b/modules/pam_unix/yppasswd_xdr.c
-@@ -21,6 +21,268 @@
- #endif
- #include "yppasswd.h"
-
-+#ifdef __UCLIBC__
-+
-+static const char xdr_zero[BYTES_PER_XDR_UNIT] = {0, 0, 0, 0};
-+
-+/*
-+ * XDR integers
-+ */
-+bool_t
-+xdr_int (XDR *xdrs, int *ip)
-+{
-+
-+#if INT_MAX < LONG_MAX
-+ long l;
-+
-+ switch (xdrs->x_op)
-+ {
-+ case XDR_ENCODE:
-+ l = (long) *ip;
-+ return XDR_PUTLONG (xdrs, &l);
-+
-+ case XDR_DECODE:
-+ if (!XDR_GETLONG (xdrs, &l))
-+ {
-+ return FALSE;
-+ }
-+ *ip = (int) l;
-+ case XDR_FREE:
-+ return TRUE;
-+ }
-+ return FALSE;
-+#elif INT_MAX == LONG_MAX
-+ return xdr_long (xdrs, (long *) ip);
-+#elif INT_MAX == SHRT_MAX
-+ return xdr_short (xdrs, (short *) ip);
-+#else
-+#error unexpected integer sizes in xdr_int()
-+#endif
-+}
-+
-+/*
-+ * XDR null terminated ASCII strings
-+ * xdr_string deals with "C strings" - arrays of bytes that are
-+ * terminated by a NULL character. The parameter cpp references a
-+ * pointer to storage; If the pointer is null, then the necessary
-+ * storage is allocated. The last parameter is the max allowed length
-+ * of the string as specified by a protocol.
-+ */
-+bool_t
-+xdr_string (XDR *xdrs, char **cpp, u_int maxsize)
-+{
-+ char *sp = *cpp; /* sp is the actual string pointer */
-+ u_int size;
-+ u_int nodesize;
-+
-+ /*
-+ * first deal with the length since xdr strings are counted-strings
-+ */
-+ switch (xdrs->x_op)
-+ {
-+ case XDR_FREE:
-+ if (sp == NULL)
-+ {
-+ return TRUE; /* already free */
-+ }
-+ /* fall through... */
-+ case XDR_ENCODE:
-+ if (sp == NULL)
-+ return FALSE;
-+ size = strlen (sp);
-+ break;
-+ case XDR_DECODE:
-+ break;
-+ }
-+ if (!xdr_u_int (xdrs, &size))
-+ {
-+ return FALSE;
-+ }
-+ if (size > maxsize)
-+ {
-+ return FALSE;
-+ }
-+ nodesize = size + 1;
-+
-+ /*
-+ * now deal with the actual bytes
-+ */
-+ switch (xdrs->x_op)
-+ {
-+ case XDR_DECODE:
-+ if (nodesize == 0)
-+ {
-+ return TRUE;
-+ }
-+ if (sp == NULL)
-+ *cpp = sp = (char *) mem_alloc (nodesize);
-+ if (sp == NULL)
-+ {
-+#ifdef USE_IN_LIBIO
-+ if (_IO_fwide (stderr, 0) > 0)
-+ (void) fwprintf (stderr, L"%s",
-+ _("xdr_string: out of memory\n"));
-+ else
-+#endif
-+ (void) fputs (_("xdr_string: out of memory\n"), stderr);
-+ return FALSE;
-+ }
-+ sp[size] = 0;
-+ /* fall into ... */
-+
-+ case XDR_ENCODE:
-+ return xdr_opaque (xdrs, sp, size);
-+
-+ case XDR_FREE:
-+ mem_free (sp, nodesize);
-+ *cpp = NULL;
-+ return TRUE;
-+ }
-+ return FALSE;
-+}
-+
-+/*
-+ * XDR long integers
-+ * The definition of xdr_long() is kept for backward
-+ * compatibility. Instead xdr_int() should be used.
-+ */
-+bool_t
-+xdr_long (XDR *xdrs, long *lp)
-+{
-+ if (xdrs->x_op == XDR_ENCODE
-+ && (sizeof (int32_t) == sizeof (long)
-+ || (int32_t) *lp == *lp))
-+ return XDR_PUTLONG (xdrs, lp);
-+
-+ if (xdrs->x_op == XDR_DECODE)
-+ return XDR_GETLONG (xdrs, lp);
-+
-+ if (xdrs->x_op == XDR_FREE)
-+ return TRUE;
-+
-+ return FALSE;
-+}
-+
-+/*
-+ * XDR unsigned integers
-+ */
-+bool_t
-+xdr_u_int (XDR *xdrs, u_int *up)
-+{
-+#if UINT_MAX < ULONG_MAX
-+ u_long l;
-+
-+ switch (xdrs->x_op)
-+ {
-+ case XDR_ENCODE:
-+ l = (u_long) * up;
-+ return XDR_PUTLONG (xdrs, (long *) &l);
-+
-+ case XDR_DECODE:
-+ if (!XDR_GETLONG (xdrs, (long *) &l))
-+ {
-+ return FALSE;
-+ }
-+ *up = (u_int) l;
-+ case XDR_FREE:
-+ return TRUE;
-+ }
-+ return FALSE;
-+#elif UINT_MAX == ULONG_MAX
-+ return xdr_u_long (xdrs, (u_long *) up);
-+#elif UINT_MAX == USHRT_MAX
-+ return xdr_short (xdrs, (short *) up);
-+#else
-+#error unexpected integer sizes in xdr_u_int()
-+#endif
-+}
-+
-+/*
-+ * XDR opaque data
-+ * Allows the specification of a fixed size sequence of opaque bytes.
-+ * cp points to the opaque object and cnt gives the byte length.
-+ */
-+bool_t
-+xdr_opaque (XDR *xdrs, caddr_t cp, u_int cnt)
-+{
-+ u_int rndup;
-+ static char crud[BYTES_PER_XDR_UNIT];
-+
-+ /*
-+ * if no data we are done
-+ */
-+ if (cnt == 0)
-+ return TRUE;
-+
-+ /*
-+ * round byte count to full xdr units
-+ */
-+ rndup = cnt % BYTES_PER_XDR_UNIT;
-+ if (rndup > 0)
-+ rndup = BYTES_PER_XDR_UNIT - rndup;
-+
-+ switch (xdrs->x_op)
-+ {
-+ case XDR_DECODE:
-+ if (!XDR_GETBYTES (xdrs, cp, cnt))
-+ {
-+ return FALSE;
-+ }
-+ if (rndup == 0)
-+ return TRUE;
-+ return XDR_GETBYTES (xdrs, (caddr_t)crud, rndup);
-+
-+ case XDR_ENCODE:
-+ if (!XDR_PUTBYTES (xdrs, cp, cnt))
-+ {
-+ return FALSE;
-+ }
-+ if (rndup == 0)
-+ return TRUE;
-+ return XDR_PUTBYTES (xdrs, xdr_zero, rndup);
-+
-+ case XDR_FREE:
-+ return TRUE;
-+ }
-+ return FALSE;
-+}
-+
-+/*
-+ * XDR unsigned long integers
-+ * The definition of xdr_u_long() is kept for backward
-+ * compatibility. Instead xdr_u_int() should be used.
-+ */
-+bool_t
-+xdr_u_long (XDR *xdrs, u_long *ulp)
-+{
-+ switch (xdrs->x_op)
-+ {
-+ case XDR_DECODE:
-+ {
-+ long int tmp;
-+
-+ if (XDR_GETLONG (xdrs, &tmp) == FALSE)
-+ return FALSE;
-+
-+ *ulp = (uint32_t) tmp;
-+ return TRUE;
-+ }
-+
-+ case XDR_ENCODE:
-+ if (sizeof (uint32_t) != sizeof (u_long)
-+ && (uint32_t) *ulp != *ulp)
-+ return FALSE;
-+
-+ return XDR_PUTLONG (xdrs, (long *) ulp);
-+
-+ case XDR_FREE:
-+ return TRUE;
-+ }
-+ return FALSE;
-+}
-+
-+#endif /* UCLIBC */
-+
- bool_t
- xdr_xpasswd(XDR * xdrs, xpasswd * objp)
- {
+++ /dev/null
-From 9dcead87e6d7f66d34e7a56d11a30daca367dffb Mon Sep 17 00:00:00 2001
-From: "Dmitry V. Levin" <ldv@altlinux.org>
-Date: Wed, 26 Mar 2014 22:17:23 +0000
-Subject: pam_timestamp: fix potential directory traversal issue (ticket #27)
-
-pam_timestamp uses values of PAM_RUSER and PAM_TTY as components of
-the timestamp pathname it creates, so extra care should be taken to
-avoid potential directory traversal issues.
-
-* modules/pam_timestamp/pam_timestamp.c (check_tty): Treat
-"." and ".." tty values as invalid.
-(get_ruser): Treat "." and ".." ruser values, as well as any ruser
-value containing '/', as invalid.
-
-Fixes CVE-2014-2583.
-
-Reported-by: Sebastian Krahmer <krahmer@suse.de>
-
-diff --git a/modules/pam_timestamp/pam_timestamp.c b/modules/pam_timestamp/pam_timestamp.c
-index 5193733..b3f08b1 100644
---- a/modules/pam_timestamp/pam_timestamp.c
-+++ b/modules/pam_timestamp/pam_timestamp.c
-@@ -158,7 +158,7 @@ check_tty(const char *tty)
- tty = strrchr(tty, '/') + 1;
- }
- /* Make sure the tty wasn't actually a directory (no basename). */
-- if (strlen(tty) == 0) {
-+ if (!strlen(tty) || !strcmp(tty, ".") || !strcmp(tty, "..")) {
- return NULL;
- }
- return tty;
-@@ -243,6 +243,17 @@ get_ruser(pam_handle_t *pamh, char *ruserbuf, size_t ruserbuflen)
- if (pwd != NULL) {
- ruser = pwd->pw_name;
- }
-+ } else {
-+ /*
-+ * This ruser is used by format_timestamp_name as a component
-+ * of constructed timestamp pathname, so ".", "..", and '/'
-+ * are disallowed to avoid potential path traversal issues.
-+ */
-+ if (!strcmp(ruser, ".") ||
-+ !strcmp(ruser, "..") ||
-+ strchr(ruser, '/')) {
-+ ruser = NULL;
-+ }
- }
- if (ruser == NULL || strlen(ruser) >= ruserbuflen) {
- *ruserbuf = '\0';
---
-cgit v0.10.2
-
+++ /dev/null
---- a/configure.in.orig 2015-06-16 20:40:02.938216001 +0800
-+++ b/configure.in 2015-06-16 20:40:16.198216001 +0800
-@@ -399,7 +399,7 @@ AS_IF([test "x$ac_cv_header_xcrypt_h" =
- [crypt_libs="crypt"])
-
- BACKUP_LIBS=$LIBS
--AC_SEARCH_LIBS([crypt],[$crypt_libs], LIBCRYPT="-l$ac_lib", LIBCRYPT="")
-+AC_SEARCH_LIBS([crypt],[$crypt_libs], LIBCRYPT="${ac_lib:+-l$ac_lib}", LIBCRYPT="")
- AC_CHECK_FUNCS(crypt_r crypt_gensalt_r)
- LIBS=$BACKUP_LIBS
- AC_SUBST(LIBCRYPT)
+++ /dev/null
---- a/configure.in.orig 2015-06-16 21:05:09.938216001 +0800
-+++ b/configure.in 2015-06-16 21:05:29.374216001 +0800
-@@ -525,7 +525,8 @@ AC_CHECK_FUNCS(fseeko getdomainname geth
- AC_CHECK_FUNCS(strcspn strdup strspn strstr strtol uname)
- AC_CHECK_FUNCS(getutent_r getpwnam_r getpwuid_r getgrnam_r getgrgid_r getspnam_r)
- AC_CHECK_FUNCS(getgrouplist getline getdelim)
--AC_CHECK_FUNCS(inet_ntop inet_pton innetgr ruserok_af)
-+AC_CHECK_FUNCS(inet_ntop inet_pton innetgr)
-+AC_CHECK_FUNCS(ruserok ruserok_af)
-
- AC_CHECK_FUNCS(unshare, [UNSHARE=yes], [UNSHARE=no])
- AM_CONDITIONAL([HAVE_UNSHARE], [test "$UNSHARE" = yes])
---- a/modules/pam_rhosts/pam_rhosts.c.orig 2015-06-16 20:58:20.002216001 +0800
-+++ b/modules/pam_rhosts/pam_rhosts.c 2015-06-16 21:10:10.026216001 +0800
-@@ -35,6 +35,7 @@
- #include <pwd.h>
- #include <netdb.h>
- #include <string.h>
-+#include <stdlib.h>
- #include <syslog.h>
-
- #define PAM_SM_AUTH /* only defines this management group */
-@@ -43,7 +43,7 @@
- #include <security/pam_modutil.h>
- #include <security/pam_ext.h>
-
--#ifdef __UCLIBC__
-+#if defined(__UCLIBC__) || (!defined(HAVE_RUSEROK) && !defined(HAVE_RUSEROK_AF))
-
- #include <stdio.h>
- #include <sys/stat.h>
-@@ -293,8 +294,10 @@ iruserok2 (u_int32_t raddr, int superuse
- FILE *hostf = NULL;
- int isbad = -1;
-
-+#ifdef _PATH_HEQUIV
- if (!superuser)
- hostf = iruserfopen (_PATH_HEQUIV, 0);
-+#endif
-
- if (hostf) {
- isbad = __ivaliduser2 (hostf, raddr, luser, ruser, rhost);
-@@ -396,7 +396,7 @@ int ruserok(const char *rhost, int super
- return -1;
- }
-
--#endif /* __UCLIBC__ */
-+#endif /* __UCLIBC__ || (!defined(HAVE_RUSEROK) && !defined(HAVE_RUSEROK_AF)) */
-
- PAM_EXTERN
- int pam_sm_authenticate (pam_handle_t *pamh, int flags, int argc,
projects / feed / packages.git / commitdiff