Diffstat (limited to 'extra/source/pam/patches/pam-1.1.3-securetty-console.patch')
-rw-r--r-- | extra/source/pam/patches/pam-1.1.3-securetty-console.patch | 120 |
1 files changed, 120 insertions, 0 deletions
diff --git a/extra/source/pam/patches/pam-1.1.3-securetty-console.patch b/extra/source/pam/patches/pam-1.1.3-securetty-console.patch
new file mode 100644
index 00000000..94fa6ecf
--- /dev/null
+++ b/extra/source/pam/patches/pam-1.1.3-securetty-console.patch
@@ -0,0 +1,120 @@
+Index: modules/pam_securetty/pam_securetty.8.xml
+===================================================================
+RCS file: /cvsroot/pam/Linux-PAM/modules/pam_securetty/pam_securetty.8.xml,v
+retrieving revision 1.4
+retrieving revision 1.6
+diff -u -p -r1.4 -r1.6
+--- modules/pam_securetty/pam_securetty.8.xml 18 Aug 2008 13:29:25 -0000 1.4
++++ modules/pam_securetty/pam_securetty.8.xml 25 Nov 2010 16:58:59 -0000 1.6
+@@ -33,7 +33,9 @@
+ user is logging in on a "secure" tty, as defined by the listing
+ in <filename>/etc/securetty</filename>. pam_securetty also checks
+ to make sure that <filename>/etc/securetty</filename> is a plain
+- file and not world writable.
++ file and not world writable. It will also allow root logins on
++ the tty specified with <option>console=</option> switch on the
++ kernel command line.
+ </para>
+ <para>
+ This module has no effect on non-root users and requires that the
+@@ -61,6 +63,18 @@
+ </para>
+ </listitem>
+ </varlistentry>
++ <varlistentry>
++ <term>
++ <option>noconsole</option>
++ </term>
++ <listitem>
++ <para>
++ Do not automatically allow root logins on the kernel console
++ device, as specified on the kernel command line, if it is
++ not also specified in the <filename>/etc/securetty</filename> file.
++ </para>
++ </listitem>
++ </varlistentry>
+ </variablelist>
+ </refsect1>
+ 
+Index: modules/pam_securetty/pam_securetty.c
+===================================================================
+RCS file: /cvsroot/pam/Linux-PAM/modules/pam_securetty/pam_securetty.c,v
+retrieving revision 1.14
+retrieving revision 1.15
+diff -u -p -r1.14 -r1.15
+--- modules/pam_securetty/pam_securetty.c 10 Sep 2009 10:19:58 -0000 1.14
++++ modules/pam_securetty/pam_securetty.c 24 Nov 2010 12:28:01 -0000 1.15
+@@ -2,6 +2,7 @@
+ 
+ #define SECURETTY_FILE "/etc/securetty"
+ #define TTY_PREFIX "/dev/"
++#define CMDLINE_FILE "/proc/cmdline"
+ 
+ /*
+ * by Elliot Lee <sopwith@redhat.com>, Red Hat Software.
+@@ -22,6 +23,7 @@
+ #include <pwd.h>
+ #include <string.h>
+ #include <ctype.h>
++#include <limits.h>
+ 
+ /*
+ * here, we make a definition for the externally accessible function
+@@ -38,6 +40,7 @@
+ #include <security/pam_ext.h>
+ 
+ #define PAM_DEBUG_ARG 0x0001
++#define PAM_NOCONSOLE_ARG 0x0002
+ 
+ static int
+ _pam_parse (const pam_handle_t *pamh, int argc, const char **argv)
+@@ -51,6 +54,8 @@ _pam_parse (const pam_handle_t *pamh, in
+ 
+ if (!strcmp(*argv,"debug"))
+ ctrl |= PAM_DEBUG_ARG;
++ else if (!strcmp(*argv, "noconsole"))
++ ctrl |= PAM_NOCONSOLE_ARG;
+ else {
+ pam_syslog(pamh, LOG_ERR, "unknown option: %s", *argv);
+ }
+@@ -144,6 +149,40 @@ securetty_perform_check (pam_handle_t *p
+ }
+ fclose(ttyfile);
+ 
++ if (retval && !(ctrl & PAM_NOCONSOLE_ARG)) {
++ FILE *cmdlinefile;
++
++ /* Allow access from the kernel console, if enabled */
++ cmdlinefile = fopen(CMDLINE_FILE, "r");
++
++ if (cmdlinefile != NULL) {
++ char line[LINE_MAX], *p;
++
++ line[0] = 0;
++ fgets(line, sizeof(line), cmdlinefile);
++ fclose(cmdlinefile);
++
++ for (p = line; p; p = strstr(p+1, "console=")) {
++ char *e;
++
++ /* Test whether this is a beginning of a word? */
++ if (p > line && p[-1] != ' ')
++ continue;
++
++ /* Ist this our console? */
++ if (strncmp(p + 8, uttyname, strlen(uttyname)))
++ continue;
++
++ /* Is there any garbage after the TTY name? */
++ e = p + 8 + strlen(uttyname);
++ if (*e == ',' || *e == ' ' || *e == '\n' || *e == 0) {
++ retval = 0;
++ break;
++ }
++ }
++ }
++ }
++
+ if (retval) {
+ pam_syslog(pamh, LOG_WARNING, "access denied: tty '%s' is not secure !",
+ uttyname);
|
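Review bot: The first iteration of `for (p = line; p; p = strstr(p+1, "console="))` starts at p = line without checking that the line actually begins with `console=`, so `strncmp(p + 8, uttyname, strlen(uttyname))` compares whatever sits at offset 8 of the first parameter, and when the line read is shorter than eight bytes (fgets failed, or a short cmdline) it reads past the terminator into uninitialized stack. If those bytes happen to equal uttyname followed by one of the accepted terminators, retval is cleared and the tty is treated as the kernel console, so this branch fails open on coincidence rather than on a real `console=` token. Starting at the first genuine match fixes both problems: `for (p = strstr(line, "console="); p; p = strstr(p+1, "console=")) {`. Separately, the `fgets` return value is ignored and a command line of LINE_MAX bytes or more is truncated, after which the `*e == 0` case accepts a cut-off token as a complete name; treating a line with no trailing newline as no match would close that. securetty_perform_check begins and ends outside the quoted hunk, so the surrounding handling of retval and uttyname is not visible here.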