From: Yousong Zhou Date: Wed, 17 Jun 2015 13:37:24 +0000 (+0800) Subject: libpam: bump to 1.2.0 X-Git-Url: http://git.lede-project.org./?a=commitdiff_plain;h=refs%2Fpull%2F1400%2Fhead;p=feed%2Fpackages.git libpam: bump to 1.2.0 - Add configure options --disable-nis, --disable-regenerate-docu - 000-OE-libpam-xtests.patch is not relevant in OpenWrt - 001-no_nis.patch was dropped because we now --disable-nis - 002-no_yywrap.patch was dropped be cause it was fixed in 1.2.0 - 003-no_doc was dropped because we ignore doc/ with --disable-regenreate-docu - 004-fix_lib64 was replaced by new 0001-build-use-host_cpu... - pam_rhosts will not be built with musl because ruserok{,_af{ are not available - pam_lastlog will not be built with musl because logwtmp is missing Signed-off-by: Yousong Zhou --- diff --git a/libs/libpam/Makefile b/libs/libpam/Makefile index c04b247896..10e74589ad 100644 --- a/libs/libpam/Makefile +++ b/libs/libpam/Makefile @@ -8,8 +8,8 @@ include $(TOPDIR)/rules.mk PKG_NAME:=libpam -PKG_VERSION:=1.1.8 -PKG_RELEASE:=5 +PKG_VERSION:=1.2.0 +PKG_RELEASE:=1 PKG_SOURCE:=Linux-PAM-$(PKG_VERSION).tar.bz2 PKG_SOURCE_URL:=http://www.linux-pam.org/library/ @@ -45,6 +45,8 @@ define Build/Configure --disable-selinux \ --disable-nls \ --disable-rpath \ + --disable-nis \ + --disable-regenerate-docu \ --enable-db=no \ ) endef diff --git a/libs/libpam/patches/000-OE-libpam-xtests.patch b/libs/libpam/patches/000-OE-libpam-xtests.patch deleted file mode 100644 index 19fbaa29bd..0000000000 --- a/libs/libpam/patches/000-OE-libpam-xtests.patch +++ /dev/null @@ -1,35 +0,0 @@ -This patch is used to create a new sub package libpam-xtests to do more checks. - -Upstream-Status: Pending - -Signed-off-by: Kang Kai ---- a/xtests/Makefile.am -+++ b/xtests/Makefile.am -@@ -7,7 +7,7 @@ AM_CFLAGS = -DLIBPAM_COMPILE -I$(top_src - LDADD = $(top_builddir)/libpam/libpam.la \ - $(top_builddir)/libpam_misc/libpam_misc.la - --CLEANFILES = *~ $(XTESTS) -+CLEANFILES = *~ - - EXTRA_DIST = run-xtests.sh tst-pam_dispatch1.pamd tst-pam_dispatch2.pamd \ - tst-pam_dispatch3.pamd tst-pam_dispatch4.pamd \ -@@ -51,3 +51,18 @@ EXTRA_PROGRAMS = $(XTESTS) - - xtests: $(XTESTS) run-xtests.sh - "$(srcdir)"/run-xtests.sh "$(srcdir)" ${XTESTS} ${NOSRCTESTS} -+ -+all: $(XTESTS) -+ -+install: install_xtests -+ -+install_xtests: -+ $(INSTALL) -d $(DESTDIR)$(pkgdatadir)/xtests -+ for file in $(EXTRA_DIST) ; do \ -+ $(INSTALL) $$file $(DESTDIR)$(pkgdatadir)/xtests ; \ -+ done -+ for file in $(XTESTS); do \ -+ $(INSTALL) .libs/$$file $(DESTDIR)$(pkgdatadir)/xtests ; \ -+ done -+ -+.PHONY: all install_xtests diff --git a/libs/libpam/patches/000-OE-pam-no-innetgr.patch b/libs/libpam/patches/000-OE-pam-no-innetgr.patch deleted file mode 100644 index f7f5b4897e..0000000000 --- a/libs/libpam/patches/000-OE-pam-no-innetgr.patch +++ /dev/null @@ -1,85 +0,0 @@ -innetgr may not be there so make sure that when innetgr is not present -then we inform about it and not use it. - --Khem ---- a/modules/pam_group/pam_group.c -+++ b/modules/pam_group/pam_group.c -@@ -656,7 +656,11 @@ static int check_account(pam_handle_t *p - } - /* If buffer starts with @, we are using netgroups */ - if (buffer[0] == '@') -+#ifdef HAVE_INNETGR - good &= innetgr (&buffer[1], NULL, user, NULL); -+#else -+ pam_syslog (pamh, LOG_ERR, "pam_group does not have netgroup support"); -+#endif - /* otherwise, if the buffer starts with %, it's a UNIX group */ - else if (buffer[0] == '%') - good &= pam_modutil_user_in_group_nam_nam(pamh, user, &buffer[1]); ---- a/modules/pam_time/pam_time.c -+++ b/modules/pam_time/pam_time.c -@@ -555,9 +555,13 @@ check_account(pam_handle_t *pamh, const - } - /* If buffer starts with @, we are using netgroups */ - if (buffer[0] == '@') -- good &= innetgr (&buffer[1], NULL, user, NULL); -+#ifdef HAVE_INNETGR -+ good &= innetgr (&buffer[1], NULL, user, NULL); -+#else -+ pam_syslog (pamh, LOG_ERR, "pam_time does not have netgroup support"); -+#endif - else -- good &= logic_field(pamh, user, buffer, count, is_same); -+ good &= logic_field(pamh, user, buffer, count, is_same); - D(("with user: %s", good ? "passes":"fails" )); - - /* here we get the time field */ ---- a/modules/pam_succeed_if/pam_succeed_if.c -+++ b/modules/pam_succeed_if/pam_succeed_if.c -@@ -231,18 +231,27 @@ evaluate_notingroup(pam_handle_t *pamh, - } - /* Return PAM_SUCCESS if the (host,user) is in the netgroup. */ - static int --evaluate_innetgr(const char *host, const char *user, const char *group) -+evaluate_innetgr(const pam_handle_t* pamh, const char *host, const char *user, const char *group) - { -+#ifdef HAVE_INNETGR - if (innetgr(group, host, user, NULL) == 1) - return PAM_SUCCESS; -+#else -+ pam_syslog (pamh, LOG_ERR, "pam_succeed_if does not have netgroup support"); -+#endif -+ - return PAM_AUTH_ERR; - } - /* Return PAM_SUCCESS if the (host,user) is NOT in the netgroup. */ - static int --evaluate_notinnetgr(const char *host, const char *user, const char *group) -+evaluate_notinnetgr(const pam_handle_t* pamh, const char *host, const char *user, const char *group) - { -+#ifdef HAVE_INNETGR - if (innetgr(group, host, user, NULL) == 0) - return PAM_SUCCESS; -+#else -+ pam_syslog (pamh, LOG_ERR, "pam_succeed_if does not have netgroup support"); -+#endif - return PAM_AUTH_ERR; - } - -@@ -387,14 +396,14 @@ evaluate(pam_handle_t *pamh, int debug, - const void *rhost; - if (pam_get_item(pamh, PAM_RHOST, &rhost) != PAM_SUCCESS) - rhost = NULL; -- return evaluate_innetgr(rhost, user, right); -+ return evaluate_innetgr(pamh, rhost, user, right); - } - /* (Rhost, user) is not in this group. */ - if (strcasecmp(qual, "notinnetgr") == 0) { - const void *rhost; - if (pam_get_item(pamh, PAM_RHOST, &rhost) != PAM_SUCCESS) - rhost = NULL; -- return evaluate_notinnetgr(rhost, user, right); -+ return evaluate_notinnetgr(pamh, rhost, user, right); - } - /* Fail closed. */ - return PAM_SERVICE_ERR; diff --git a/libs/libpam/patches/0001-build-use-host_cpu-for-lib64-directory-handling.patch b/libs/libpam/patches/0001-build-use-host_cpu-for-lib64-directory-handling.patch new file mode 100644 index 0000000000..038b214220 --- /dev/null +++ b/libs/libpam/patches/0001-build-use-host_cpu-for-lib64-directory-handling.patch @@ -0,0 +1,28 @@ +From ee916fd0ec70eb37a97da29f6ec0c26bef7cf6f2 Mon Sep 17 00:00:00 2001 +From: Yousong Zhou +Date: Wed, 17 Jun 2015 16:11:31 +0800 +Subject: [PATCH 1/7] build: use $host_cpu for lib64 directory handling. + +* configure.ac: use $host_cpu for lib64 directory handling. + +Signed-off-by: Yousong Zhou +--- + configure.ac | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/configure.ac b/configure.ac +index fd0e310..1bc2591 100644 +--- a/configure.ac ++++ b/configure.ac +@@ -27,7 +27,7 @@ dnl If we use /usr as prefix, use /etc for config files + fi + if test ${libdir} = '${exec_prefix}/lib' + then +- case "`uname -m`" in ++ case "$host_cpu" in + x86_64|ppc64|s390x|sparc64) + libdir="/lib64" ;; + *) +-- +1.7.10.4 + diff --git a/libs/libpam/patches/0002-build-ignore-pam_rhosts-if-neither-ruserok-nor-ruser.patch b/libs/libpam/patches/0002-build-ignore-pam_rhosts-if-neither-ruserok-nor-ruser.patch new file mode 100644 index 0000000000..c3eda41554 --- /dev/null +++ b/libs/libpam/patches/0002-build-ignore-pam_rhosts-if-neither-ruserok-nor-ruser.patch @@ -0,0 +1,77 @@ +From e985c1ef2c739a597b2d7a2efc3c310c02e40c1f Mon Sep 17 00:00:00 2001 +From: Yousong Zhou +Date: Wed, 17 Jun 2015 18:19:23 +0800 +Subject: [PATCH 2/7] build: ignore pam_rhosts if neither ruserok nor + ruserok_af is available. + +* configure.ac: check for ruserok and ruserok_af +* modules/Makefile.am: ignore pam_rhosts/ if it's disabled +* modules/pam_rhosts/pam_rhosts.c: include stdlib.h for malloc and free + +Signed-off-by: Yousong Zhou +--- + configure.ac | 5 ++++- + modules/Makefile.am | 11 ++++++++--- + modules/pam_rhosts/pam_rhosts.c | 1 + + 3 files changed, 13 insertions(+), 4 deletions(-) + +diff --git a/configure.ac b/configure.ac +index 1bc2591..3c4d8bb 100644 +--- a/configure.ac ++++ b/configure.ac +@@ -542,7 +542,10 @@ AC_CHECK_FUNCS(fseeko getdomainname gethostname gettimeofday lckpwdf mkdir selec + AC_CHECK_FUNCS(strcspn strdup strspn strstr strtol uname) + AC_CHECK_FUNCS(getutent_r getpwnam_r getpwuid_r getgrnam_r getgrgid_r getspnam_r) + AC_CHECK_FUNCS(getgrouplist getline getdelim) +-AC_CHECK_FUNCS(inet_ntop inet_pton innetgr ruserok_af) ++AC_CHECK_FUNCS(inet_ntop inet_pton innetgr) ++AC_CHECK_FUNCS([ruserok_af ruserok], [break]) ++ ++AM_CONDITIONAL([COND_BUILD_PAM_RHOSTS], [test "$ac_cv_func_ruserok_af" = yes -o "$ac_cv_func_ruserok" = yes]) + + AC_CHECK_FUNCS(unshare, [UNSHARE=yes], [UNSHARE=no]) + AM_CONDITIONAL([HAVE_UNSHARE], [test "$UNSHARE" = yes]) +diff --git a/modules/Makefile.am b/modules/Makefile.am +index 0c80cea..9ad26a9 100644 +--- a/modules/Makefile.am ++++ b/modules/Makefile.am +@@ -2,16 +2,21 @@ + # Copyright (c) 2005, 2006, 2008 Thorsten Kukuk + # + +-SUBDIRS = pam_access pam_cracklib pam_debug pam_deny pam_echo \ ++if COND_BUILD_PAM_RHOSTS ++ MAYBE_PAM_RHOSTS = pam_rhosts ++endif ++ ++SUBDIRS := pam_access pam_cracklib pam_debug pam_deny pam_echo \ + pam_env pam_exec pam_faildelay pam_filter pam_ftp \ + pam_group pam_issue pam_keyinit pam_lastlog pam_limits \ + pam_listfile pam_localuser pam_loginuid pam_mail \ + pam_mkhomedir pam_motd pam_namespace pam_nologin \ +- pam_permit pam_pwhistory pam_rhosts pam_rootok pam_securetty \ ++ pam_permit pam_pwhistory pam_rootok pam_securetty \ + pam_selinux pam_sepermit pam_shells pam_stress \ + pam_succeed_if pam_tally pam_tally2 pam_time pam_timestamp \ + pam_tty_audit pam_umask \ +- pam_unix pam_userdb pam_warn pam_wheel pam_xauth ++ pam_unix pam_userdb pam_warn pam_wheel pam_xauth \ ++ $(MAYBE_PAM_RHOSTS) + + CLEANFILES = *~ + +diff --git a/modules/pam_rhosts/pam_rhosts.c b/modules/pam_rhosts/pam_rhosts.c +index bc9e76f..51ef13e 100644 +--- a/modules/pam_rhosts/pam_rhosts.c ++++ b/modules/pam_rhosts/pam_rhosts.c +@@ -35,6 +35,7 @@ + #include + #include + #include ++#include + #include + + #define PAM_SM_AUTH /* only defines this management group */ +-- +1.7.10.4 + diff --git a/libs/libpam/patches/0003-build-ignore-pam_lastlog-when-logwtmp-is-not-availab.patch b/libs/libpam/patches/0003-build-ignore-pam_lastlog-when-logwtmp-is-not-availab.patch new file mode 100644 index 0000000000..ddcb66228a --- /dev/null +++ b/libs/libpam/patches/0003-build-ignore-pam_lastlog-when-logwtmp-is-not-availab.patch @@ -0,0 +1,60 @@ +From 173164996ca7daf3fa705f2a0bb2991b0d5d2083 Mon Sep 17 00:00:00 2001 +From: Yousong Zhou +Date: Wed, 17 Jun 2015 21:18:05 +0800 +Subject: [PATCH 3/7] build: ignore pam_lastlog when logwtmp is not available. + +* configure.ac: check logwtmp and set COND_BUILD_PAM_LASTLOG +* modules/pam_lastlog/Makefile.am: check COND_BUILD_PAM_LASTLOG + +Signed-off-by: Yousong Zhou +--- + configure.ac | 2 ++ + modules/Makefile.am | 8 ++++++-- + 2 files changed, 8 insertions(+), 2 deletions(-) + +diff --git a/configure.ac b/configure.ac +index 3c4d8bb..8de6edf 100644 +--- a/configure.ac ++++ b/configure.ac +@@ -544,8 +544,10 @@ AC_CHECK_FUNCS(getutent_r getpwnam_r getpwuid_r getgrnam_r getgrgid_r getspnam_r + AC_CHECK_FUNCS(getgrouplist getline getdelim) + AC_CHECK_FUNCS(inet_ntop inet_pton innetgr) + AC_CHECK_FUNCS([ruserok_af ruserok], [break]) ++AC_CHECK_FUNCS([logwtmp]) + + AM_CONDITIONAL([COND_BUILD_PAM_RHOSTS], [test "$ac_cv_func_ruserok_af" = yes -o "$ac_cv_func_ruserok" = yes]) ++AM_CONDITIONAL([COND_BUILD_PAM_LASTLOG], [test "$ac_cv_func_logwtmp" = yes]) + + AC_CHECK_FUNCS(unshare, [UNSHARE=yes], [UNSHARE=no]) + AM_CONDITIONAL([HAVE_UNSHARE], [test "$UNSHARE" = yes]) +diff --git a/modules/Makefile.am b/modules/Makefile.am +index 9ad26a9..b98dc5c 100644 +--- a/modules/Makefile.am ++++ b/modules/Makefile.am +@@ -6,9 +6,13 @@ if COND_BUILD_PAM_RHOSTS + MAYBE_PAM_RHOSTS = pam_rhosts + endif + ++if COND_BUILD_PAM_LASTLOG ++ MAYBE_PAM_LASTLOG = pam_lastlog ++endif ++ + SUBDIRS := pam_access pam_cracklib pam_debug pam_deny pam_echo \ + pam_env pam_exec pam_faildelay pam_filter pam_ftp \ +- pam_group pam_issue pam_keyinit pam_lastlog pam_limits \ ++ pam_group pam_issue pam_keyinit pam_limits \ + pam_listfile pam_localuser pam_loginuid pam_mail \ + pam_mkhomedir pam_motd pam_namespace pam_nologin \ + pam_permit pam_pwhistory pam_rootok pam_securetty \ +@@ -16,7 +20,7 @@ SUBDIRS := pam_access pam_cracklib pam_debug pam_deny pam_echo \ + pam_succeed_if pam_tally pam_tally2 pam_time pam_timestamp \ + pam_tty_audit pam_umask \ + pam_unix pam_userdb pam_warn pam_wheel pam_xauth \ +- $(MAYBE_PAM_RHOSTS) ++ $(MAYBE_PAM_RHOSTS) $(MAYBE_PAM_LASTLOG) + + CLEANFILES = *~ + +-- +1.7.10.4 + diff --git a/libs/libpam/patches/0004-build-fix-build-when-crypt-is-not-part-of-crypt_libs.patch b/libs/libpam/patches/0004-build-fix-build-when-crypt-is-not-part-of-crypt_libs.patch new file mode 100644 index 0000000000..ee319d11b8 --- /dev/null +++ b/libs/libpam/patches/0004-build-fix-build-when-crypt-is-not-part-of-crypt_libs.patch @@ -0,0 +1,28 @@ +From 20e5efe4b2a8471bc52e480e53cff68a4de19c56 Mon Sep 17 00:00:00 2001 +From: Yousong Zhou +Date: Wed, 17 Jun 2015 18:22:31 +0800 +Subject: [PATCH 4/7] build: fix build when crypt() is not part of crypt_libs. + +* configure.ac: ditto. + +Signed-off-by: Yousong Zhou +--- + configure.ac | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/configure.ac b/configure.ac +index 8de6edf..c15441b 100644 +--- a/configure.ac ++++ b/configure.ac +@@ -416,7 +416,7 @@ AS_IF([test "x$ac_cv_header_xcrypt_h" = "xyes"], + [crypt_libs="crypt"]) + + BACKUP_LIBS=$LIBS +-AC_SEARCH_LIBS([crypt],[$crypt_libs], LIBCRYPT="-l$ac_lib", LIBCRYPT="") ++AC_SEARCH_LIBS([crypt],[$crypt_libs], LIBCRYPT="${ac_lib:+-l$ac_lib}", LIBCRYPT="") + AC_CHECK_FUNCS(crypt_r crypt_gensalt_r) + LIBS=$BACKUP_LIBS + AC_SUBST(LIBCRYPT) +-- +1.7.10.4 + diff --git a/libs/libpam/patches/0005-build-fix-doc-build.patch b/libs/libpam/patches/0005-build-fix-doc-build.patch new file mode 100644 index 0000000000..1320124392 --- /dev/null +++ b/libs/libpam/patches/0005-build-fix-doc-build.patch @@ -0,0 +1,133 @@ +From df7abf333d19aefd166f613b696345732ae4c9c8 Mon Sep 17 00:00:00 2001 +From: Yousong Zhou +Date: Wed, 17 Jun 2015 20:38:41 +0800 +Subject: [PATCH 5/7] build: fix doc build. + +* Makefile.am: ignore doc/ directory if not ENABLE_REGENERATE_MAN +* doc/adg/Makefile.am: remove check on ENABLE_REGENERATE_MAN +* doc/man/Makefile.am: ditto +* doc/mwg/Makefile.am: ditto +* doc/sag/Makefile.am: ditto +* doc/specs/Makefile.am: ignore CC from command line + +Signed-off-by: Yousong Zhou +--- + Makefile.am | 5 ++++- + doc/adg/Makefile.am | 3 --- + doc/man/Makefile.am | 2 -- + doc/mwg/Makefile.am | 3 --- + doc/sag/Makefile.am | 2 -- + doc/specs/Makefile.am | 2 +- + 6 files changed, 5 insertions(+), 12 deletions(-) + +diff --git a/Makefile.am b/Makefile.am +index 3db4e37..5e6592a 100644 +--- a/Makefile.am ++++ b/Makefile.am +@@ -4,7 +4,10 @@ + + AUTOMAKE_OPTIONS = 1.9 gnu dist-bzip2 check-news + +-SUBDIRS = libpam tests libpamc libpam_misc modules po conf doc examples xtests ++if ENABLE_REGENERATE_MAN ++ MAYBE_DOC = doc ++endif ++SUBDIRS = libpam tests libpamc libpam_misc modules po conf examples xtests $(MAYBE_DOC) + + CLEANFILES = *~ + +diff --git a/doc/adg/Makefile.am b/doc/adg/Makefile.am +index 77bd7a9..bec5edc 100644 +--- a/doc/adg/Makefile.am ++++ b/doc/adg/Makefile.am +@@ -9,7 +9,6 @@ EXTRA_DIST = $(XMLS) + XMLS = Linux-PAM_ADG.xml $(shell ls $(srcdir)/pam_*.xml) + DEP_XMLS = $(shell ls $(top_srcdir)/doc/man/pam_*.xml) + +-if ENABLE_REGENERATE_MAN + MAINTAINERCLEANFILES = Linux-PAM_ADG.txt Linux-PAM_ADG.pdf html/*.html + + all: Linux-PAM_ADG.txt html/Linux-PAM_ADG.html Linux-PAM_ADG.pdf +@@ -51,8 +50,6 @@ html/Linux-PAM_ADG.html: $(XMLS) $(DEP_XMLS) + distclean-local: + -rm -rf html Linux-PAM_ADG.txt Linux-PAM_ADG.pdf + +-endif +- + install-data-local: + $(mkinstalldirs) $(DESTDIR)$(docdir) + $(mkinstalldirs) $(DESTDIR)$(pdfdir) +diff --git a/doc/man/Makefile.am b/doc/man/Makefile.am +index 78c891d..b1dc421 100644 +--- a/doc/man/Makefile.am ++++ b/doc/man/Makefile.am +@@ -45,7 +45,6 @@ XMLS = pam.3.xml pam.8.xml \ + misc_conv.3.xml pam_misc_paste_env.3.xml pam_misc_drop_env.3.xml \ + pam_misc_setenv.3.xml + +-if ENABLE_REGENERATE_MAN + PAM.8: pam.8 + pam_get_authtok_noverify.3: pam_get_authtok.3 + pam_get_authtok_verify.3: pam_get_authtok.3 +@@ -60,4 +59,3 @@ pam_get_item.3: pam_item_types_std.inc.xml pam_item_types_ext.inc.xml + pam_set_data.3: pam_item_types_std.inc.xml pam_item_types_ext.inc.xml + pam.conf.5: pam.conf-desc.xml pam.conf-dir.xml pam.conf-syntax.xml + -include $(top_srcdir)/Make.xml.rules +-endif +diff --git a/doc/mwg/Makefile.am b/doc/mwg/Makefile.am +index 2bbb2d0..f57e297 100644 +--- a/doc/mwg/Makefile.am ++++ b/doc/mwg/Makefile.am +@@ -9,7 +9,6 @@ EXTRA_DIST = $(XMLS) + XMLS = Linux-PAM_MWG.xml $(shell ls $(srcdir)/pam_*.xml) + DEP_XMLS = $(shell ls $(top_srcdir)/doc/man/pam_*.xml) + +-if ENABLE_REGENERATE_MAN + MAINTAINERCLEANFILES = Linux-PAM_MWG.txt Linux-PAM_MWG.pdf html/*.html + + all: Linux-PAM_MWG.txt html/Linux-PAM_MWG.html Linux-PAM_MWG.pdf +@@ -51,8 +50,6 @@ html/Linux-PAM_MWG.html: $(XMLS) $(DEP_XMLS) + distclean-local: + -rm -rf html Linux-PAM_MWG.txt Linux-PAM_MWG.pdf + +-endif +- + install-data-local: + $(mkinstalldirs) $(DESTDIR)$(docdir) + $(mkinstalldirs) $(DESTDIR)$(pdfdir) +diff --git a/doc/sag/Makefile.am b/doc/sag/Makefile.am +index 31816aa..a8b655f 100644 +--- a/doc/sag/Makefile.am ++++ b/doc/sag/Makefile.am +@@ -10,7 +10,6 @@ XMLS = Linux-PAM_SAG.xml $(shell ls $(srcdir)/pam_*.xml) + + DEP_XMLS = $(shell ls $(top_srcdir)/modules/pam_*/pam_*.xml) + +-if ENABLE_REGENERATE_MAN + MAINTAINERCLEANFILES = Linux-PAM_SAG.txt Linux-PAM_SAG.pdf html/*.html + + all: Linux-PAM_SAG.txt html/Linux-PAM_SAG.html Linux-PAM_SAG.pdf +@@ -51,7 +50,6 @@ html/Linux-PAM_SAG.html: $(XMLS) $(DEP_XMLS) + + distclean-local: + -rm -rf html Linux-PAM_SAG.txt Linux-PAM_SAG.pdf +-endif + + install-data-local: + $(mkinstalldirs) $(DESTDIR)$(docdir) +diff --git a/doc/specs/Makefile.am b/doc/specs/Makefile.am +index 99ecc70..39c850f 100644 +--- a/doc/specs/Makefile.am ++++ b/doc/specs/Makefile.am +@@ -11,7 +11,7 @@ draft-morgan-pam-current.txt: padout draft-morgan-pam.raw + + AM_YFLAGS = -d + +-CC = @CC_FOR_BUILD@ ++override CC = @CC_FOR_BUILD@ + CPPFLAGS = @BUILD_CPPFLAGS@ + CFLAGS = @BUILD_CFLAGS@ + LDFLAGS = @BUILD_LDFLAGS@ +-- +1.7.10.4 + diff --git a/libs/libpam/patches/0006-pam_unix-fix-compilation-in-case-rpc-rpc.h-is-missin.patch b/libs/libpam/patches/0006-pam_unix-fix-compilation-in-case-rpc-rpc.h-is-missin.patch new file mode 100644 index 0000000000..bfdfd8b4c0 --- /dev/null +++ b/libs/libpam/patches/0006-pam_unix-fix-compilation-in-case-rpc-rpc.h-is-missin.patch @@ -0,0 +1,29 @@ +From 596797ab7f46fb4d0338e75db7c0d1019cd4df87 Mon Sep 17 00:00:00 2001 +From: Yousong Zhou +Date: Wed, 17 Jun 2015 18:16:18 +0800 +Subject: [PATCH 6/7] pam_unix: fix compilation in case rpc/rpc.h is missing. + +* modules/pam_unix/pam_unix_passwd.c: conditional compile on the + availability of rpc/rpc.h + +Signed-off-by: Yousong Zhou +--- + modules/pam_unix/pam_unix_passwd.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/modules/pam_unix/pam_unix_passwd.c b/modules/pam_unix/pam_unix_passwd.c +index 2d330e5..970724a 100644 +--- a/modules/pam_unix/pam_unix_passwd.c ++++ b/modules/pam_unix/pam_unix_passwd.c +@@ -336,7 +336,7 @@ static int _do_setpass(pam_handle_t* pamh, const char *forwho, + } + + if (on(UNIX_NIS, ctrl) && _unix_comesfromsource(pamh, forwho, 0, 1)) { +-#ifdef HAVE_NIS ++#if defined(HAVE_NIS) && defined(HAVE_RPC_RPC_H) + if ((master=getNISserver(pamh, ctrl)) != NULL) { + struct timeval timeout; + struct yppasswd yppwd; +-- +1.7.10.4 + diff --git a/libs/libpam/patches/0007-Check-if-innetgr-is-available-at-compile-time.patch b/libs/libpam/patches/0007-Check-if-innetgr-is-available-at-compile-time.patch new file mode 100644 index 0000000000..7108b6bed4 --- /dev/null +++ b/libs/libpam/patches/0007-Check-if-innetgr-is-available-at-compile-time.patch @@ -0,0 +1,106 @@ +From 9e2fa22891a87592c1a04801623fea5be40cb581 Mon Sep 17 00:00:00 2001 +From: Yousong Zhou +Date: Wed, 17 Jun 2015 15:33:43 +0800 +Subject: [PATCH 7/7] Check if innetgr is available at compile time. + +innetgr may not be there so make sure that when innetgr is not present +then we inform about it and not use it. + +* modules/pam_group/pam_group.c: ditto +* modules/pam_succeed_if/pam_succeed_if.c: ditto +* modules/pam_time/pam_time.c: ditto + +Signed-off-by: Khem Raj +Signed-off-by: Yousong Zhou +--- + modules/pam_group/pam_group.c | 4 ++++ + modules/pam_succeed_if/pam_succeed_if.c | 17 +++++++++++++---- + modules/pam_time/pam_time.c | 4 ++++ + 3 files changed, 21 insertions(+), 4 deletions(-) + +diff --git a/modules/pam_group/pam_group.c b/modules/pam_group/pam_group.c +index be5f20f..6a065ca 100644 +--- a/modules/pam_group/pam_group.c ++++ b/modules/pam_group/pam_group.c +@@ -656,7 +656,11 @@ static int check_account(pam_handle_t *pamh, const char *service, + } + /* If buffer starts with @, we are using netgroups */ + if (buffer[0] == '@') ++#ifdef HAVE_INNETGR + good &= innetgr (&buffer[1], NULL, user, NULL); ++#else ++ pam_syslog (pamh, LOG_ERR, "pam_group does not have netgroup support"); ++#endif + /* otherwise, if the buffer starts with %, it's a UNIX group */ + else if (buffer[0] == '%') + good &= pam_modutil_user_in_group_nam_nam(pamh, user, &buffer[1]); +diff --git a/modules/pam_succeed_if/pam_succeed_if.c b/modules/pam_succeed_if/pam_succeed_if.c +index aa828fc..c0c68a0 100644 +--- a/modules/pam_succeed_if/pam_succeed_if.c ++++ b/modules/pam_succeed_if/pam_succeed_if.c +@@ -231,18 +231,27 @@ evaluate_notingroup(pam_handle_t *pamh, const char *user, const char *group) + } + /* Return PAM_SUCCESS if the (host,user) is in the netgroup. */ + static int +-evaluate_innetgr(const char *host, const char *user, const char *group) ++evaluate_innetgr(const pam_handle_t* pamh, const char *host, const char *user, const char *group) + { ++#ifdef HAVE_INNETGR + if (innetgr(group, host, user, NULL) == 1) + return PAM_SUCCESS; ++#else ++ pam_syslog (pamh, LOG_ERR, "pam_succeed_if does not have netgroup support"); ++#endif ++ + return PAM_AUTH_ERR; + } + /* Return PAM_SUCCESS if the (host,user) is NOT in the netgroup. */ + static int +-evaluate_notinnetgr(const char *host, const char *user, const char *group) ++evaluate_notinnetgr(const pam_handle_t* pamh, const char *host, const char *user, const char *group) + { ++#ifdef HAVE_INNETGR + if (innetgr(group, host, user, NULL) == 0) + return PAM_SUCCESS; ++#else ++ pam_syslog (pamh, LOG_ERR, "pam_succeed_if does not have netgroup support"); ++#endif + return PAM_AUTH_ERR; + } + +@@ -387,14 +396,14 @@ evaluate(pam_handle_t *pamh, int debug, + const void *rhost; + if (pam_get_item(pamh, PAM_RHOST, &rhost) != PAM_SUCCESS) + rhost = NULL; +- return evaluate_innetgr(rhost, user, right); ++ return evaluate_innetgr(pamh, rhost, user, right); + } + /* (Rhost, user) is not in this group. */ + if (strcasecmp(qual, "notinnetgr") == 0) { + const void *rhost; + if (pam_get_item(pamh, PAM_RHOST, &rhost) != PAM_SUCCESS) + rhost = NULL; +- return evaluate_notinnetgr(rhost, user, right); ++ return evaluate_notinnetgr(pamh, rhost, user, right); + } + /* Fail closed. */ + return PAM_SERVICE_ERR; +diff --git a/modules/pam_time/pam_time.c b/modules/pam_time/pam_time.c +index c94737c..0b34a14 100644 +--- a/modules/pam_time/pam_time.c ++++ b/modules/pam_time/pam_time.c +@@ -555,7 +555,11 @@ check_account(pam_handle_t *pamh, const char *service, + } + /* If buffer starts with @, we are using netgroups */ + if (buffer[0] == '@') ++#ifdef HAVE_INNETGR + good &= innetgr (&buffer[1], NULL, user, NULL); ++#else ++ pam_syslog (pamh, LOG_ERR, "pam_time does not have netgroup support"); ++#endif + else + good &= logic_field(pamh, user, buffer, count, is_same); + D(("with user: %s", good ? "passes":"fails" )); +-- +1.7.10.4 + diff --git a/libs/libpam/patches/001-no_nis.patch b/libs/libpam/patches/001-no_nis.patch deleted file mode 100644 index c9988c7fbd..0000000000 --- a/libs/libpam/patches/001-no_nis.patch +++ /dev/null @@ -1,68 +0,0 @@ ---- a/modules/pam_access/pam_access.c -+++ b/modules/pam_access/pam_access.c -@@ -44,7 +44,7 @@ - #include - #include - #include --#ifdef HAVE_RPCSVC_YPCLNT_H -+#ifdef HAVE_RPCSVC_YPCLNT_H && USE_NIS - #include - #endif - #ifdef HAVE_LIBAUDIT ---- a/modules/pam_unix/pam_unix_passwd.c -+++ b/modules/pam_unix/pam_unix_passwd.c -@@ -79,18 +79,18 @@ - #include "passverify.h" - #include "bigcrypt.h" - --#if (HAVE_YP_GET_DEFAULT_DOMAIN || HAVE_GETDOMAINNAME) && HAVE_YP_MASTER -+#if (HAVE_YP_GET_DEFAULT_DOMAIN || HAVE_GETDOMAINNAME) && HAVE_YP_MASTER && USE_NIS - # define HAVE_NIS - #endif - - #ifdef HAVE_NIS - # include - --# if HAVE_RPCSVC_YP_PROT_H -+# if HAVE_RPCSVC_YP_PROT_H && USE_NIS - # include - # endif - --# if HAVE_RPCSVC_YPCLNT_H -+# if HAVE_RPCSVC_YPCLNT_H && USE_NIS - # include - # endif - ---- a/modules/pam_unix/support.c -+++ b/modules/pam_unix/support.c -@@ -19,7 +19,7 @@ - #include - #include - #include --#ifdef HAVE_RPCSVC_YPCLNT_H -+#ifdef HAVE_RPCSVC_YPCLNT_H && USE_NIS - #include - #endif - -@@ -402,7 +402,7 @@ int _unix_getpwnam(pam_handle_t *pamh, c - } - } - --#if defined(HAVE_YP_GET_DEFAULT_DOMAIN) && defined (HAVE_YP_BIND) && defined (HAVE_YP_MATCH) && defined (HAVE_YP_UNBIND) -+#if defined(HAVE_YP_GET_DEFAULT_DOMAIN) && defined (HAVE_YP_BIND) && defined (HAVE_YP_MATCH) && defined (HAVE_YP_UNBIND) && (USE_NIS) - if (!matched && nis) { - char *userinfo = NULL, *domain = NULL; - int len = 0, i; ---- a/modules/pam_unix/yppasswd_xdr.c -+++ b/modules/pam_unix/yppasswd_xdr.c -@@ -15,6 +15,10 @@ - #ifdef HAVE_RPC_RPC_H - - #include -+#ifdef USE_NIS -+#include -+#include -+#endif - #include "yppasswd.h" - - bool_t diff --git a/libs/libpam/patches/002-no_yywrap.patch b/libs/libpam/patches/002-no_yywrap.patch deleted file mode 100644 index 0d73e4be05..0000000000 --- a/libs/libpam/patches/002-no_yywrap.patch +++ /dev/null @@ -1,26 +0,0 @@ ---- a/conf/pam_conv1/pam_conv_l.c -+++ b/conf/pam_conv1/pam_conv_l.c -@@ -534,7 +534,9 @@ void yyset_lineno (int line_number ); - #ifdef __cplusplus - extern "C" int yywrap (void ); - #else --extern int yywrap (void ); -+int yywrap (void ) { -+ return 1; -+} - #endif - #endif - ---- a/doc/specs/parse_l.c -+++ b/doc/specs/parse_l.c -@@ -520,7 +520,9 @@ void yyset_lineno (int line_number ); - #ifdef __cplusplus - extern "C" int yywrap (void ); - #else --extern int yywrap (void ); -+int yywrap (void ) { -+ return 1; -+} - #endif - #endif - diff --git a/libs/libpam/patches/003-no_doc.patch b/libs/libpam/patches/003-no_doc.patch deleted file mode 100644 index d36621514f..0000000000 --- a/libs/libpam/patches/003-no_doc.patch +++ /dev/null @@ -1,22 +0,0 @@ ---- a/Makefile.am -+++ b/Makefile.am -@@ -4,7 +4,7 @@ - - AUTOMAKE_OPTIONS = 1.9 gnu dist-bzip2 check-news - --SUBDIRS = libpam tests libpamc libpam_misc modules po conf doc examples xtests -+SUBDIRS = libpam tests libpamc libpam_misc modules po conf examples xtests - - CLEANFILES = *~ - ---- a/Makefile.in -+++ b/Makefile.in -@@ -288,7 +288,7 @@ top_build_prefix = @top_build_prefix@ - top_builddir = @top_builddir@ - top_srcdir = @top_srcdir@ - AUTOMAKE_OPTIONS = 1.9 gnu dist-bzip2 check-news --SUBDIRS = libpam tests libpamc libpam_misc modules po conf doc examples xtests -+SUBDIRS = libpam tests libpamc libpam_misc modules po conf examples xtests - CLEANFILES = *~ - EXTRA_DIST = pgp.keys.asc CHANGELOG ChangeLog-CVS Copyright Make.xml.rules - ACLOCAL_AMFLAGS = -I m4 diff --git a/libs/libpam/patches/004-fix_lib64.patch b/libs/libpam/patches/004-fix_lib64.patch deleted file mode 100644 index 5605d8298b..0000000000 --- a/libs/libpam/patches/004-fix_lib64.patch +++ /dev/null @@ -1,16 +0,0 @@ ---- a/configure.in -+++ b/configure.in -@@ -28,12 +28,7 @@ dnl If we use /usr as prefix, use /etc f - fi - if test ${libdir} = '${exec_prefix}/lib' - then -- case "`uname -m`" in -- x86_64|ppc64|s390x|sparc64) -- libdir="/lib64" ;; -- *) -- libdir="/lib" ;; -- esac -+ libdir="/lib" - fi - if test ${sbindir} = '${exec_prefix}/sbin' - then diff --git a/libs/libpam/patches/005-fix_ruserok.patch b/libs/libpam/patches/005-fix_ruserok.patch deleted file mode 100644 index 1f0f463371..0000000000 --- a/libs/libpam/patches/005-fix_ruserok.patch +++ /dev/null @@ -1,364 +0,0 @@ ---- a/modules/pam_rhosts/pam_rhosts.c -+++ b/modules/pam_rhosts/pam_rhosts.c -@@ -43,6 +43,361 @@ - #include - #include - -+#ifdef __UCLIBC__ -+ -+#include -+#include -+ -+ -+int __check_rhosts_file = 1; -+ -+/* Extremely paranoid file open function. */ -+static FILE * -+iruserfopen (const char *file, uid_t okuser) -+{ -+ struct stat st; -+ char *cp = NULL; -+ FILE *res = NULL; -+ -+ /* If not a regular file, if owned by someone other than user or -+ root, if writeable by anyone but the owner, or if hardlinked -+ anywhere, quit. */ -+ if (lstat (file, &st)) -+ cp = "lstat failed"; -+ else if (!S_ISREG (st.st_mode)) -+ cp = "not regular file"; -+ else -+ { -+ res = fopen (file, "r"); -+ if (!res) -+ cp = "cannot open"; -+ else if (fstat (fileno (res), &st) < 0) -+ cp = "fstat failed"; -+ else if (st.st_uid && st.st_uid != okuser) -+ cp = "bad owner"; -+ else if (st.st_mode & (S_IWGRP|S_IWOTH)) -+ cp = "writeable by other than owner"; -+ else if (st.st_nlink > 1) -+ cp = "hard linked somewhere"; -+ } -+ -+ /* If there were any problems, quit. */ -+ if (cp != NULL) -+ { -+ if (res) -+ fclose (res); -+ return NULL; -+ } -+ -+ return res; -+} -+ -+/* -+ * Returns 1 for blank lines (or only comment lines) and 0 otherwise -+ */ -+static int -+__isempty(char *p) -+{ -+ while (*p && isspace (*p)) { -+ ++p; -+ } -+ -+ return (*p == '\0' || *p == '#') ? 1 : 0 ; -+} -+ -+/* Returns 1 on positive match, 0 on no match, -1 on negative match. */ -+static int -+__icheckhost (u_int32_t raddr, char *lhost, const char *rhost) -+{ -+ struct hostent *hp; -+ u_int32_t laddr; -+ int negate=1; /* Multiply return with this to get -1 instead of 1 */ -+ char **pp; -+ -+#ifdef __UCLIBC_HAS_REENTRANT_RPC__ -+ int save_errno; -+ size_t buflen; -+ char *buffer; -+ struct hostent hostbuf; -+ int herr; -+#endif -+ -+#ifdef HAVE_NETGROUP -+ /* Check nis netgroup. */ -+ if (strncmp ("+@", lhost, 2) == 0) -+ return innetgr (&lhost[2], rhost, NULL, NULL); -+ -+ if (strncmp ("-@", lhost, 2) == 0) -+ return -innetgr (&lhost[2], rhost, NULL, NULL); -+#endif /* HAVE_NETGROUP */ -+ -+ /* -host */ -+ if (strncmp ("-", lhost,1) == 0) { -+ negate = -1; -+ lhost++; -+ } else if (strcmp ("+",lhost) == 0) { -+ return 1; /* asking for trouble, but ok.. */ -+ } -+ -+ /* Try for raw ip address first. */ -+ if (isdigit (*lhost) && (laddr = inet_addr (lhost)) != INADDR_NONE) -+ return negate * (! (raddr ^ laddr)); -+ -+ /* Better be a hostname. */ -+#ifdef __UCLIBC_HAS_REENTRANT_RPC__ -+ buflen = 1024; -+ buffer = malloc(buflen); -+ save_errno = errno; -+ -+ while (gethostbyname_r (lhost, &hostbuf, buffer, buflen, &hp, &herr) -+ != 0) { -+ free(buffer); -+ return (0); -+ } -+ free(buffer); -+ __set_errno (save_errno); -+#else -+ hp = gethostbyname(lhost); -+#endif /* __UCLIBC_HAS_REENTRANT_RPC__ */ -+ -+ if (hp == NULL) -+ return 0; -+ -+ /* Spin through ip addresses. */ -+ for (pp = hp->h_addr_list; *pp; ++pp) -+ if (!memcmp (&raddr, *pp, sizeof (u_int32_t))) -+ return negate; -+ -+ /* No match. */ -+ return (0); -+} -+ -+/* Returns 1 on positive match, 0 on no match, -1 on negative match. */ -+static int -+__icheckuser (const char *luser, const char *ruser) -+{ -+ -+ /* -+ luser is user entry from .rhosts/hosts.equiv file -+ ruser is user id on remote host -+ */ -+ -+#ifdef HAVE_NETGROUP -+ /* [-+]@netgroup */ -+ if (strncmp ("+@", luser, 2) == 0) -+ return innetgr (&luser[2], NULL, ruser, NULL); -+ -+ if (strncmp ("-@", luser,2) == 0) -+ return -innetgr (&luser[2], NULL, ruser, NULL); -+#endif /* HAVE_NETGROUP */ -+ -+ /* -user */ -+ if (strncmp ("-", luser, 1) == 0) -+ return -(strcmp (&luser[1], ruser) == 0); -+ -+ /* + */ -+ if (strcmp ("+", luser) == 0) -+ return 1; -+ -+ /* simple string match */ -+ return strcmp (ruser, luser) == 0; -+} -+ -+/* -+ * Returns 0 if positive match, -1 if _not_ ok. -+ */ -+static int -+__ivaliduser2(FILE *hostf, u_int32_t raddr, const char *luser, -+ const char *ruser, const char *rhost) -+{ -+ register const char *user; -+ register char *p; -+ int hcheck, ucheck; -+ char *buf = NULL; -+ size_t bufsize = 0; -+ int retval = -1; -+ -+ while (getline (&buf, &bufsize, hostf) > 0) { -+ buf[bufsize - 1] = '\0'; /* Make sure it's terminated. */ -+ p = buf; -+ -+ /* Skip empty or comment lines */ -+ if (__isempty (p)) { -+ continue; -+ } -+ -+ /* Skip lines that are too long. */ -+ if (strchr (p, '\n') == NULL) { -+ int ch = getc_unlocked (hostf); -+ -+ while (ch != '\n' && ch != EOF) -+ ch = getc_unlocked (hostf); -+ continue; -+ } -+ -+ for (;*p && !isspace(*p); ++p) { -+ *p = tolower (*p); -+ } -+ -+ /* Next we want to find the permitted name for the remote user. */ -+ if (*p == ' ' || *p == '\t') { -+ /* terminate hostname and skip spaces */ -+ for (*p++='\0'; *p && isspace (*p); ++p); -+ -+ user = p; /* this is the user's name */ -+ while (*p && !isspace (*p)) -+ ++p; /* find end of user's name */ -+ } else -+ user = p; -+ -+ *p = '\0'; /* terminate username (+host?) */ -+ -+ /* buf -> host(?) ; user -> username(?) */ -+ -+ /* First check host part */ -+ hcheck = __icheckhost (raddr, buf, rhost); -+ -+ if (hcheck < 0) -+ break; -+ -+ if (hcheck) { -+ /* Then check user part */ -+ if (! (*user)) -+ user = luser; -+ -+ ucheck = __icheckuser (user, ruser); -+ -+ /* Positive 'host user' match? */ -+ if (ucheck > 0) { -+ retval = 0; -+ break; -+ } -+ -+ /* Negative 'host -user' match? */ -+ if (ucheck < 0) -+ break; -+ -+ /* Neither, go on looking for match */ -+ } -+ } -+ -+ free (buf); -+ -+ return retval; -+} -+ -+static int -+iruserok2 (u_int32_t raddr, int superuser, const char *ruser, const char *luser, -+ const char *rhost) -+{ -+ FILE *hostf = NULL; -+ int isbad = -1; -+ -+ if (!superuser) -+ hostf = iruserfopen (_PATH_HEQUIV, 0); -+ -+ if (hostf) { -+ isbad = __ivaliduser2 (hostf, raddr, luser, ruser, rhost); -+ fclose (hostf); -+ -+ if (!isbad) -+ return 0; -+ } -+ -+ if (__check_rhosts_file || superuser) { -+ char *pbuf; -+ struct passwd *pwd; -+ size_t dirlen; -+ uid_t uid; -+ -+#ifdef __UCLIBC_HAS_REENTRANT_RPC__ -+ size_t buflen = sysconf (_SC_GETPW_R_SIZE_MAX); -+ struct passwd pwdbuf; -+ char *buffer = stack_heap_alloc(buflen); -+ -+ if (getpwnam_r (luser, &pwdbuf, buffer, -+ buflen, &pwd) != 0 || pwd == NULL) -+ { -+ stack_heap_free(buffer); -+ return -1; -+ } -+ stack_heap_free(buffer); -+#else -+ if ((pwd = getpwnam(luser)) == NULL) -+ return -1; -+#endif -+ -+ dirlen = strlen (pwd->pw_dir); -+ pbuf = malloc (dirlen + sizeof "/.rhosts"); -+ strcpy (pbuf, pwd->pw_dir); -+ strcat (pbuf, "/.rhosts"); -+ -+ /* Change effective uid while reading .rhosts. If root and -+ reading an NFS mounted file system, can't read files that -+ are protected read/write owner only. */ -+ uid = geteuid (); -+ seteuid (pwd->pw_uid); -+ hostf = iruserfopen (pbuf, pwd->pw_uid); -+ free(pbuf); -+ -+ if (hostf != NULL) { -+ isbad = __ivaliduser2 (hostf, raddr, luser, ruser, rhost); -+ fclose (hostf); -+ } -+ -+ seteuid (uid); -+ return isbad; -+ } -+ return -1; -+} -+ -+int ruserok(const char *rhost, int superuser, const char *ruser, -+ const char *luser) -+{ -+ struct hostent *hp; -+ u_int32_t addr; -+ char **ap; -+#ifdef __UCLIBC_HAS_REENTRANT_RPC__ -+ size_t buflen; -+ char *buffer; -+ int herr; -+ struct hostent hostbuf; -+#endif -+ -+#ifdef __UCLIBC_HAS_REENTRANT_RPC__ -+ buflen = 1024; -+ buffer = stack_heap_alloc(buflen); -+ -+ while (gethostbyname_r (rhost, &hostbuf, buffer, -+ buflen, &hp, &herr) != 0 || hp == NULL) -+ { -+ if (herr != NETDB_INTERNAL || errno != ERANGE) { -+ stack_heap_free(buffer); -+ return -1; -+ } else -+ { -+ /* Enlarge the buffer. */ -+ buflen *= 2; -+ stack_heap_free(buffer); -+ buffer = stack_heap_alloc(buflen); -+ } -+ } -+ stack_heap_free(buffer); -+#else -+ if ((hp = gethostbyname(rhost)) == NULL) { -+ return -1; -+ } -+#endif -+ for (ap = hp->h_addr_list; *ap; ++ap) { -+ memmove(&addr, *ap, sizeof(addr)); -+ if (iruserok2(addr, superuser, ruser, luser, rhost) == 0) -+ return 0; -+ } -+ return -1; -+} -+ -+#endif /* __UCLIBC__ */ -+ - PAM_EXTERN - int pam_sm_authenticate (pam_handle_t *pamh, int flags, int argc, - const char **argv) diff --git a/libs/libpam/patches/006-fix_xdr.patch b/libs/libpam/patches/006-fix_xdr.patch deleted file mode 100644 index 9769506089..0000000000 --- a/libs/libpam/patches/006-fix_xdr.patch +++ /dev/null @@ -1,271 +0,0 @@ ---- a/modules/pam_unix/yppasswd_xdr.c -+++ b/modules/pam_unix/yppasswd_xdr.c -@@ -21,6 +21,268 @@ - #endif - #include "yppasswd.h" - -+#ifdef __UCLIBC__ -+ -+static const char xdr_zero[BYTES_PER_XDR_UNIT] = {0, 0, 0, 0}; -+ -+/* -+ * XDR integers -+ */ -+bool_t -+xdr_int (XDR *xdrs, int *ip) -+{ -+ -+#if INT_MAX < LONG_MAX -+ long l; -+ -+ switch (xdrs->x_op) -+ { -+ case XDR_ENCODE: -+ l = (long) *ip; -+ return XDR_PUTLONG (xdrs, &l); -+ -+ case XDR_DECODE: -+ if (!XDR_GETLONG (xdrs, &l)) -+ { -+ return FALSE; -+ } -+ *ip = (int) l; -+ case XDR_FREE: -+ return TRUE; -+ } -+ return FALSE; -+#elif INT_MAX == LONG_MAX -+ return xdr_long (xdrs, (long *) ip); -+#elif INT_MAX == SHRT_MAX -+ return xdr_short (xdrs, (short *) ip); -+#else -+#error unexpected integer sizes in xdr_int() -+#endif -+} -+ -+/* -+ * XDR null terminated ASCII strings -+ * xdr_string deals with "C strings" - arrays of bytes that are -+ * terminated by a NULL character. The parameter cpp references a -+ * pointer to storage; If the pointer is null, then the necessary -+ * storage is allocated. The last parameter is the max allowed length -+ * of the string as specified by a protocol. -+ */ -+bool_t -+xdr_string (XDR *xdrs, char **cpp, u_int maxsize) -+{ -+ char *sp = *cpp; /* sp is the actual string pointer */ -+ u_int size; -+ u_int nodesize; -+ -+ /* -+ * first deal with the length since xdr strings are counted-strings -+ */ -+ switch (xdrs->x_op) -+ { -+ case XDR_FREE: -+ if (sp == NULL) -+ { -+ return TRUE; /* already free */ -+ } -+ /* fall through... */ -+ case XDR_ENCODE: -+ if (sp == NULL) -+ return FALSE; -+ size = strlen (sp); -+ break; -+ case XDR_DECODE: -+ break; -+ } -+ if (!xdr_u_int (xdrs, &size)) -+ { -+ return FALSE; -+ } -+ if (size > maxsize) -+ { -+ return FALSE; -+ } -+ nodesize = size + 1; -+ -+ /* -+ * now deal with the actual bytes -+ */ -+ switch (xdrs->x_op) -+ { -+ case XDR_DECODE: -+ if (nodesize == 0) -+ { -+ return TRUE; -+ } -+ if (sp == NULL) -+ *cpp = sp = (char *) mem_alloc (nodesize); -+ if (sp == NULL) -+ { -+#ifdef USE_IN_LIBIO -+ if (_IO_fwide (stderr, 0) > 0) -+ (void) fwprintf (stderr, L"%s", -+ _("xdr_string: out of memory\n")); -+ else -+#endif -+ (void) fputs (_("xdr_string: out of memory\n"), stderr); -+ return FALSE; -+ } -+ sp[size] = 0; -+ /* fall into ... */ -+ -+ case XDR_ENCODE: -+ return xdr_opaque (xdrs, sp, size); -+ -+ case XDR_FREE: -+ mem_free (sp, nodesize); -+ *cpp = NULL; -+ return TRUE; -+ } -+ return FALSE; -+} -+ -+/* -+ * XDR long integers -+ * The definition of xdr_long() is kept for backward -+ * compatibility. Instead xdr_int() should be used. -+ */ -+bool_t -+xdr_long (XDR *xdrs, long *lp) -+{ -+ if (xdrs->x_op == XDR_ENCODE -+ && (sizeof (int32_t) == sizeof (long) -+ || (int32_t) *lp == *lp)) -+ return XDR_PUTLONG (xdrs, lp); -+ -+ if (xdrs->x_op == XDR_DECODE) -+ return XDR_GETLONG (xdrs, lp); -+ -+ if (xdrs->x_op == XDR_FREE) -+ return TRUE; -+ -+ return FALSE; -+} -+ -+/* -+ * XDR unsigned integers -+ */ -+bool_t -+xdr_u_int (XDR *xdrs, u_int *up) -+{ -+#if UINT_MAX < ULONG_MAX -+ u_long l; -+ -+ switch (xdrs->x_op) -+ { -+ case XDR_ENCODE: -+ l = (u_long) * up; -+ return XDR_PUTLONG (xdrs, (long *) &l); -+ -+ case XDR_DECODE: -+ if (!XDR_GETLONG (xdrs, (long *) &l)) -+ { -+ return FALSE; -+ } -+ *up = (u_int) l; -+ case XDR_FREE: -+ return TRUE; -+ } -+ return FALSE; -+#elif UINT_MAX == ULONG_MAX -+ return xdr_u_long (xdrs, (u_long *) up); -+#elif UINT_MAX == USHRT_MAX -+ return xdr_short (xdrs, (short *) up); -+#else -+#error unexpected integer sizes in xdr_u_int() -+#endif -+} -+ -+/* -+ * XDR opaque data -+ * Allows the specification of a fixed size sequence of opaque bytes. -+ * cp points to the opaque object and cnt gives the byte length. -+ */ -+bool_t -+xdr_opaque (XDR *xdrs, caddr_t cp, u_int cnt) -+{ -+ u_int rndup; -+ static char crud[BYTES_PER_XDR_UNIT]; -+ -+ /* -+ * if no data we are done -+ */ -+ if (cnt == 0) -+ return TRUE; -+ -+ /* -+ * round byte count to full xdr units -+ */ -+ rndup = cnt % BYTES_PER_XDR_UNIT; -+ if (rndup > 0) -+ rndup = BYTES_PER_XDR_UNIT - rndup; -+ -+ switch (xdrs->x_op) -+ { -+ case XDR_DECODE: -+ if (!XDR_GETBYTES (xdrs, cp, cnt)) -+ { -+ return FALSE; -+ } -+ if (rndup == 0) -+ return TRUE; -+ return XDR_GETBYTES (xdrs, (caddr_t)crud, rndup); -+ -+ case XDR_ENCODE: -+ if (!XDR_PUTBYTES (xdrs, cp, cnt)) -+ { -+ return FALSE; -+ } -+ if (rndup == 0) -+ return TRUE; -+ return XDR_PUTBYTES (xdrs, xdr_zero, rndup); -+ -+ case XDR_FREE: -+ return TRUE; -+ } -+ return FALSE; -+} -+ -+/* -+ * XDR unsigned long integers -+ * The definition of xdr_u_long() is kept for backward -+ * compatibility. Instead xdr_u_int() should be used. -+ */ -+bool_t -+xdr_u_long (XDR *xdrs, u_long *ulp) -+{ -+ switch (xdrs->x_op) -+ { -+ case XDR_DECODE: -+ { -+ long int tmp; -+ -+ if (XDR_GETLONG (xdrs, &tmp) == FALSE) -+ return FALSE; -+ -+ *ulp = (uint32_t) tmp; -+ return TRUE; -+ } -+ -+ case XDR_ENCODE: -+ if (sizeof (uint32_t) != sizeof (u_long) -+ && (uint32_t) *ulp != *ulp) -+ return FALSE; -+ -+ return XDR_PUTLONG (xdrs, (long *) ulp); -+ -+ case XDR_FREE: -+ return TRUE; -+ } -+ return FALSE; -+} -+ -+#endif /* UCLIBC */ -+ - bool_t - xdr_xpasswd(XDR * xdrs, xpasswd * objp) - { diff --git a/libs/libpam/patches/007-cve-2014-2583.patch b/libs/libpam/patches/007-cve-2014-2583.patch deleted file mode 100644 index 8d24bead65..0000000000 --- a/libs/libpam/patches/007-cve-2014-2583.patch +++ /dev/null @@ -1,52 +0,0 @@ -From 9dcead87e6d7f66d34e7a56d11a30daca367dffb Mon Sep 17 00:00:00 2001 -From: "Dmitry V. Levin" -Date: Wed, 26 Mar 2014 22:17:23 +0000 -Subject: pam_timestamp: fix potential directory traversal issue (ticket #27) - -pam_timestamp uses values of PAM_RUSER and PAM_TTY as components of -the timestamp pathname it creates, so extra care should be taken to -avoid potential directory traversal issues. - -* modules/pam_timestamp/pam_timestamp.c (check_tty): Treat -"." and ".." tty values as invalid. -(get_ruser): Treat "." and ".." ruser values, as well as any ruser -value containing '/', as invalid. - -Fixes CVE-2014-2583. - -Reported-by: Sebastian Krahmer - -diff --git a/modules/pam_timestamp/pam_timestamp.c b/modules/pam_timestamp/pam_timestamp.c -index 5193733..b3f08b1 100644 ---- a/modules/pam_timestamp/pam_timestamp.c -+++ b/modules/pam_timestamp/pam_timestamp.c -@@ -158,7 +158,7 @@ check_tty(const char *tty) - tty = strrchr(tty, '/') + 1; - } - /* Make sure the tty wasn't actually a directory (no basename). */ -- if (strlen(tty) == 0) { -+ if (!strlen(tty) || !strcmp(tty, ".") || !strcmp(tty, "..")) { - return NULL; - } - return tty; -@@ -243,6 +243,17 @@ get_ruser(pam_handle_t *pamh, char *ruserbuf, size_t ruserbuflen) - if (pwd != NULL) { - ruser = pwd->pw_name; - } -+ } else { -+ /* -+ * This ruser is used by format_timestamp_name as a component -+ * of constructed timestamp pathname, so ".", "..", and '/' -+ * are disallowed to avoid potential path traversal issues. -+ */ -+ if (!strcmp(ruser, ".") || -+ !strcmp(ruser, "..") || -+ strchr(ruser, '/')) { -+ ruser = NULL; -+ } - } - if (ruser == NULL || strlen(ruser) >= ruserbuflen) { - *ruserbuf = '\0'; --- -cgit v0.10.2 - diff --git a/libs/libpam/patches/008-LIBCRYPT-fix.patch b/libs/libpam/patches/008-LIBCRYPT-fix.patch deleted file mode 100644 index 85c03fd843..0000000000 --- a/libs/libpam/patches/008-LIBCRYPT-fix.patch +++ /dev/null @@ -1,11 +0,0 @@ ---- a/configure.in.orig 2015-06-16 20:40:02.938216001 +0800 -+++ b/configure.in 2015-06-16 20:40:16.198216001 +0800 -@@ -399,7 +399,7 @@ AS_IF([test "x$ac_cv_header_xcrypt_h" = - [crypt_libs="crypt"]) - - BACKUP_LIBS=$LIBS --AC_SEARCH_LIBS([crypt],[$crypt_libs], LIBCRYPT="-l$ac_lib", LIBCRYPT="") -+AC_SEARCH_LIBS([crypt],[$crypt_libs], LIBCRYPT="${ac_lib:+-l$ac_lib}", LIBCRYPT="") - AC_CHECK_FUNCS(crypt_r crypt_gensalt_r) - LIBS=$BACKUP_LIBS - AC_SUBST(LIBCRYPT) diff --git a/libs/libpam/patches/009-pam_rhosts-fix.patch b/libs/libpam/patches/009-pam_rhosts-fix.patch deleted file mode 100644 index 1d7d7f362d..0000000000 --- a/libs/libpam/patches/009-pam_rhosts-fix.patch +++ /dev/null @@ -1,51 +0,0 @@ ---- a/configure.in.orig 2015-06-16 21:05:09.938216001 +0800 -+++ b/configure.in 2015-06-16 21:05:29.374216001 +0800 -@@ -525,7 +525,8 @@ AC_CHECK_FUNCS(fseeko getdomainname geth - AC_CHECK_FUNCS(strcspn strdup strspn strstr strtol uname) - AC_CHECK_FUNCS(getutent_r getpwnam_r getpwuid_r getgrnam_r getgrgid_r getspnam_r) - AC_CHECK_FUNCS(getgrouplist getline getdelim) --AC_CHECK_FUNCS(inet_ntop inet_pton innetgr ruserok_af) -+AC_CHECK_FUNCS(inet_ntop inet_pton innetgr) -+AC_CHECK_FUNCS(ruserok ruserok_af) - - AC_CHECK_FUNCS(unshare, [UNSHARE=yes], [UNSHARE=no]) - AM_CONDITIONAL([HAVE_UNSHARE], [test "$UNSHARE" = yes]) ---- a/modules/pam_rhosts/pam_rhosts.c.orig 2015-06-16 20:58:20.002216001 +0800 -+++ b/modules/pam_rhosts/pam_rhosts.c 2015-06-16 21:10:10.026216001 +0800 -@@ -35,6 +35,7 @@ - #include - #include - #include -+#include - #include - - #define PAM_SM_AUTH /* only defines this management group */ -@@ -43,7 +43,7 @@ - #include - #include - --#ifdef __UCLIBC__ -+#if defined(__UCLIBC__) || (!defined(HAVE_RUSEROK) && !defined(HAVE_RUSEROK_AF)) - - #include - #include -@@ -293,8 +294,10 @@ iruserok2 (u_int32_t raddr, int superuse - FILE *hostf = NULL; - int isbad = -1; - -+#ifdef _PATH_HEQUIV - if (!superuser) - hostf = iruserfopen (_PATH_HEQUIV, 0); -+#endif - - if (hostf) { - isbad = __ivaliduser2 (hostf, raddr, luser, ruser, rhost); -@@ -396,7 +396,7 @@ int ruserok(const char *rhost, int super - return -1; - } - --#endif /* __UCLIBC__ */ -+#endif /* __UCLIBC__ || (!defined(HAVE_RUSEROK) && !defined(HAVE_RUSEROK_AF)) */ - - PAM_EXTERN - int pam_sm_authenticate (pam_handle_t *pamh, int flags, int argc,