diff --git a/debian/changelog b/debian/changelog index bb53cdb8..02173383 100644 --- a/debian/changelog +++ b/debian/changelog @@ -10,9 +10,14 @@ shadow (1:4.1.3.1-1) UNRELEASED; urgency=low - passwd: Report password properties changes if the password is not actually changed. Closes: #525967 - Fixed lastlog. 4.1.3 only reported empty logs. Closes: #524873 + - Updated patches: + + debian/patches/008_login_log_failure_in_FTMP + + debian/patches/401_cppw_src.dpatch + + debian/patches/429_login_FAILLOG_ENAB + + debian/patches/463_login_delay_obeys_to_PAM * debian/securetty.linux: Added Freescale i.MX ports. Closes: #527095 - -- Christian Perrier Thu, 07 May 2009 19:20:57 +0200 + -- Christian Perrier Sat, 09 May 2009 15:44:03 +0200 shadow (1:4.1.3.1-1) unstable; urgency=low diff --git a/debian/patches/008_login_log_failure_in_FTMP b/debian/patches/008_login_log_failure_in_FTMP index b1e0a8e3..48d253c7 100644 --- a/debian/patches/008_login_log_failure_in_FTMP +++ b/debian/patches/008_login_log_failure_in_FTMP @@ -8,36 +8,31 @@ Index: shadow-4.1.0/src/login.c =================================================================== --- shadow-4.1.0.orig/src/login.c +++ shadow-4.1.0/src/login.c -@@ -722,6 +722,29 @@ - #endif /* WITH_AUDIT */ +@@ -722,6 +722,24 @@ + (void) puts (""); + (void) puts (_("Login incorrect")); - fprintf (stderr, "\nLogin incorrect\n"); -+ if (getdef_str("FTMP_FILE") != NULL) { -+#if HAVE_UTMPX_H -+ failent = utxent; -+ if (sizeof (failent.ut_tv) == sizeof (struct timeval)) -+ gettimeofday((struct timeval *) -+ &failent.ut_tv, NULL); -+ else { -+ struct timeval tv; ++ if (getdef_str("FTMP_FILE") != NULL) { ++#ifdef USE_UTMPX ++ struct utmpx *failent = ++ prepare_utmpx (failent_user, ++ tty, ++ /* FIXME: or fromhost? */hostname, ++ utent); ++#else /* !USE_UTMPX */ ++ struct utmp *failent = ++ prepare_utmp (failent_user, ++ tty, ++ hostname, ++ utent); ++#endif /* !USE_UTMPX */ ++ failtmp (failent_user, failent); ++ free (failent); ++ } + -+ gettimeofday (&tv, NULL); -+ failent.ut_tv.tv_sec = tv.tv_sec; -+ failent.ut_tv.tv_usec = tv.tv_usec; -+ } -+#else -+ failent = utent; -+ failent.ut_time = time(NULL); -+#endif -+ strncpy(failent.ut_user, failent_user, sizeof(failent.ut_user)); -+#ifdef USER_PROCESS -+ failent.ut_type = USER_PROCESS; -+#endif -+ failtmp(&failent); -+ } - - /* - * Let's give it another go around. + if (failcount >= retries) { + SYSLOG ((LOG_NOTICE, + "TOO MANY LOGIN TRIES (%d)%s FOR '%s'", Index: shadow-4.1.0/lib/getdef.c =================================================================== --- shadow-4.1.0.orig/lib/getdef.c diff --git a/debian/patches/401_cppw_src.dpatch b/debian/patches/401_cppw_src.dpatch index b19957c0..8522052c 100755 --- a/debian/patches/401_cppw_src.dpatch +++ b/debian/patches/401_cppw_src.dpatch @@ -224,7 +224,7 @@ Index: shadow-4.1.0/src/Makefile.am @@ -59,6 +60,7 @@ chgpasswd_LDADD = $(LDADD) $(LIBPAM_SUID) $(LIBSELINUX) $(LIBCRYPT) chsh_LDADD = $(LDADD) $(LIBPAM) $(LIBSELINUX) $(LIBCRYPT) $(LIBSKEY) $(LIBMD) - chpasswd_LDADD = $(LDADD) $(LIBPAM_SUID) $(LIBSELINUX) $(LIBCRYPT) + chpasswd_LDADD = $(LDADD) $(LIBPAM) $(LIBSELINUX) $(LIBCRYPT) +cppw_LDADD = $(LDADD) $(LIBSELINUX) gpasswd_LDADD = $(LDADD) $(LIBAUDIT) $(LIBSELINUX) $(LIBCRYPT) groupadd_LDADD = $(LDADD) $(LIBPAM_SUID) $(LIBAUDIT) $(LIBSELINUX) diff --git a/debian/patches/429_login_FAILLOG_ENAB b/debian/patches/429_login_FAILLOG_ENAB index 0cdfd289..43b3749d 100644 --- a/debian/patches/429_login_FAILLOG_ENAB +++ b/debian/patches/429_login_FAILLOG_ENAB @@ -7,55 +7,58 @@ Fixes: #192849 Note: It could be removed if pam_tally could report the number of failures preceding a successful login. -Index: shadow-4.1.0/src/login.c +Index: shadow-4.1.3.1/src/login.c =================================================================== ---- shadow-4.1.0.orig/src/login.c -+++ shadow-4.1.0/src/login.c -@@ -130,9 +130,9 @@ - static void setup_tty (void); - static void check_flags (int, char *const *); +--- shadow-4.1.3.1.orig/src/login.c 2009-05-04 19:38:24.668839562 +0200 ++++ shadow-4.1.3.1/src/login.c 2009-05-04 19:50:43.360832944 +0200 +@@ -131,9 +131,9 @@ + const char *host, + /*@null@*/const struct utmp *utent); -+static struct faillog faillog; -+ - #ifndef USE_PAM --static struct faillog faillog; -- +-#ifndef USE_PAM + static struct faillog faillog; + ++#ifndef USE_PAM static void bad_time_notify (void); - static void check_nologin (void); - #endif -@@ -673,6 +673,8 @@ + static void check_nologin (bool login_to_root); + #else +@@ -792,6 +792,9 @@ SYSLOG ((LOG_NOTICE, - "TOO MANY LOGIN TRIES (%d)%s FOR `%s'", + "TOO MANY LOGIN TRIES (%d)%s FOR '%s'", failcount, fromhost, failent_user)); -+ if (pwd && getdef_bool("FAILLOG_ENAB")) -+ failure (pwent.pw_uid, tty, &faillog); ++ if ((NULL != pwd) && getdef_bool("FAILLOG_ENAB")) { ++ failure (pwd->pw_uid, tty, &faillog); ++ } fprintf(stderr, _("Maximum number of tries exceeded (%d)\n"), failcount); -@@ -690,6 +692,13 @@ +@@ -809,6 +812,14 @@ pam_strerror (pamh, retcode))); failed = true; } -+ if (pwd && getdef_bool("FAILLOG_ENAB") && -+ ! failcheck (pwent.pw_uid, &faillog, failed)) { -+ SYSLOG((LOG_CRIT, -+ "exceeded failure limit for `%s' %s", -+ failent_user, fromhost)); -+ failed = 1; -+ } ++ if ( (NULL != pwd) ++ && getdef_bool("FAILLOG_ENAB") ++ && ! failcheck (pwd->pw_uid, &faillog, failed)) { ++ SYSLOG((LOG_CRIT, ++ "exceeded failure limit for `%s' %s", ++ failent_user, fromhost)); ++ failed = 1; ++ } if (!failed) { break; -@@ -766,6 +731,8 @@ - #endif /* WITH_AUDIT */ +@@ -832,6 +843,10 @@ + (void) puts (""); + (void) puts (_("Login incorrect")); - fprintf (stderr, "\nLogin incorrect\n"); -+ if (pwd && getdef_bool("FAILLOG_ENAB")) -+ failure (pwent.pw_uid, tty, &faillog); - if (getdef_str("FTMP_FILE") != NULL) { - #if HAVE_UTMPX_H - failent = utxent; -@@ -1099,6 +1110,7 @@ ++ if ((NULL != pwd) && getdef_bool("FAILLOG_ENAB")) { ++ failure (pwd->pw_uid, tty, &faillog); ++ } ++ + if (getdef_str("FTMP_FILE") != NULL) { + #ifdef USE_UTMPX + struct utmpx *failent = +@@ -1281,6 +1296,7 @@ */ #ifndef USE_PAM motd (); /* print the message of the day */ @@ -63,19 +66,19 @@ Index: shadow-4.1.0/src/login.c if ( getdef_bool ("FAILLOG_ENAB") && (0 != faillog.fail_cnt)) { failprint (&faillog); -@@ -1112,6 +1124,7 @@ - username, (int) faillog.fail_cnt)); +@@ -1293,6 +1309,7 @@ + username, (int) faillog.fail_cnt)); } } +#ifndef USE_PAM if ( getdef_bool ("LASTLOG_ENAB") - && (0 != lastlog.ll_time)) { - time_t ll_time = lastlog.ll_time; -Index: shadow-4.1.0/lib/getdef.c + && (ll.ll_time != 0)) { + time_t ll_time = ll.ll_time; +Index: shadow-4.1.3.1/lib/getdef.c =================================================================== ---- shadow-4.1.0.orig/lib/getdef.c -+++ shadow-4.1.0/lib/getdef.c -@@ -57,6 +57,7 @@ +--- shadow-4.1.3.1.orig/lib/getdef.c 2009-05-04 19:38:24.672844662 +0200 ++++ shadow-4.1.3.1/lib/getdef.c 2009-05-04 19:50:14.720839237 +0200 +@@ -61,6 +61,7 @@ {"ENV_SUPATH", NULL}, {"ERASECHAR", NULL}, {"FAIL_DELAY", NULL}, @@ -83,7 +86,7 @@ Index: shadow-4.1.0/lib/getdef.c {"FAKE_SHELL", NULL}, {"FTMP_FILE", NULL}, {"GID_MAX", NULL}, -@@ -93,7 +94,6 @@ +@@ -103,7 +104,6 @@ {"ENV_HZ", NULL}, {"ENVIRON_FILE", NULL}, {"ENV_TZ", NULL}, diff --git a/debian/patches/463_login_delay_obeys_to_PAM b/debian/patches/463_login_delay_obeys_to_PAM index d79e3a5c..5ec5df49 100644 --- a/debian/patches/463_login_delay_obeys_to_PAM +++ b/debian/patches/463_login_delay_obeys_to_PAM @@ -15,15 +15,15 @@ Index: shadow-4.1.0/src/login.c #if defined(HAVE_STRFTIME) && !defined(USE_PAM) char ptime[80]; #endif -- int delay; - int retries; +- unsigned int delay; + unsigned int retries; bool failed; bool subroot = false; @@ -354,6 +353,7 @@ char *pam_user; char **ptr_pam_user = &pam_user; #else -+ int delay; ++ unsigned int delay; struct spwd *spwd = NULL; #endif /* @@ -31,17 +31,20 @@ Index: shadow-4.1.0/src/login.c } environ = newenvp; /* make new environment active */ -- delay = getdef_num ("FAIL_DELAY", 1); - retries = getdef_num ("LOGIN_RETRIES", RETRIES); +- delay = getdef_unum ("FAIL_DELAY", 1); + retries = getdef_unum ("LOGIN_RETRIES", RETRIES); #ifdef USE_PAM -@@ -594,17 +593,12 @@ +@@ -594,20 +593,15 @@ /* * hostname & tty are either set to NULL or their correct values, - * depending on how much we know. We also set PAM's fail delay to - * ours. + * depending on how much we know. + * + * PAM_RHOST and PAM_TTY are used for authentication, only use + * information coming from login or from the caller (e.g. no utmp) */ retcode = pam_set_item (pamh, PAM_RHOST, hostname); PAM_FAIL_CHECK; @@ -68,8 +71,8 @@ Index: shadow-4.1.0/src/login.c retcode = pam_authenticate (pamh, 0); @@ -956,14 +948,17 @@ - pw_auth ("!", username, reason, (char *) 0); - } + free (username); + username = NULL; +#ifndef USE_PAM /* @@ -77,9 +80,9 @@ Index: shadow-4.1.0/src/login.c * to login the user again. If the earlier alarm occurs * before the sleep() below completes, login will exit. */ -+ delay = getdef_num ("FAIL_DELAY", 1); ++ delay = getdef_unum ("FAIL_DELAY", 1); if (delay > 0) { - sleep (delay); + (void) sleep (delay); } +#endif