a0871be6c0
* Update buildroot-patches for 2020.11-rc1 buildroot * Update buildroot to 2020.11-rc1 Signed-off-by: Stefan Agner <stefan@agner.ch> * Don't rely on sfdisk --list-free output The --list-free (-F) argument does not allow machine readable mode. And it seems that the output format changes over time (different spacing, using size postfixes instead of raw blocks). Use sfdisk json output and calculate free partition space ourselfs. This works for 2.35 and 2.36 and is more robust since we rely on output which is meant for scripts to parse. * Migrate defconfigs for Buildroot 2020.11-rc1 In particular, rename BR2_TARGET_UBOOT_BOOT_SCRIPT(_SOURCE) to BR2_PACKAGE_HOST_UBOOT_TOOLS_BOOT_SCRIPT(_SOURCE). * Rebase/remove systemd patches for systemd 246 * Drop apparmor/libapparmor from buildroot-external * hassos-persists: use /run as directory for lockfiles The U-Boot tools use /var/lock by default which is not created any more by systemd by default (it is under tmpfiles legacy.conf, which we no longer install). * Disable systemd-update-done.service The service is not suited for pure read-only systems. In particular the service needs to be able to write a file in /etc and /var. Remove the service. Note: This is a static service and cannot be removed using systemd-preset. * Disable apparmor.service for now The service loads all default profiles. Some might actually cause problems. E.g. the profile for ping seems not to match our setup for /etc/resolv.conf: [85503.634653] audit: type=1400 audit(1605286002.684:236): apparmor="DENIED" operation="open" profile="ping" name="/run/resolv.conf" pid=27585 comm="ping" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
321 lines
8.7 KiB
Diff
321 lines
8.7 KiB
Diff
From 295bf7403364b23ab03287ecdd95ea266d6f4d89 Mon Sep 17 00:00:00 2001
|
|
From: Fabrice Fontaine <fontaine.fabrice@gmail.com>
|
|
Date: Thu, 11 Jun 2020 17:39:03 +0200
|
|
Subject: [PATCH] fix build on musl
|
|
|
|
Rename check_user_in_passwd from pam_localuser.c to
|
|
pam_modutil_check_user_in_passwd and use it in pam_faillock.c instead of
|
|
fgetpwent_r which is not available on musl
|
|
|
|
Fix #236
|
|
|
|
Fixes:
|
|
- http://autobuild.buildroot.org/results/0432736ffee376dd84757469434a4bbcfdcdaf4b
|
|
|
|
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
|
|
[Upstream status: https://github.com/linux-pam/linux-pam/pull/237]
|
|
---
|
|
libpam/Makefile.am | 1 +
|
|
libpam/include/security/pam_modutil.h | 5 ++
|
|
libpam/libpam.map | 5 ++
|
|
libpam/pam_modutil_check_user_in_passwd.c | 89 +++++++++++++++++++++++
|
|
modules/pam_faillock/pam_faillock.c | 37 +---------
|
|
modules/pam_localuser/pam_localuser.c | 86 +---------------------
|
|
6 files changed, 103 insertions(+), 120 deletions(-)
|
|
create mode 100644 libpam/pam_modutil_check_user_in_passwd.c
|
|
|
|
diff --git a/libpam/Makefile.am b/libpam/Makefile.am
|
|
index 9252a837..a8fc428d 100644
|
|
--- a/libpam/Makefile.am
|
|
+++ b/libpam/Makefile.am
|
|
@@ -35,6 +35,7 @@ libpam_la_SOURCES = pam_account.c pam_auth.c pam_data.c pam_delay.c \
|
|
pam_misc.c pam_password.c pam_prelude.c \
|
|
pam_session.c pam_start.c pam_strerror.c \
|
|
pam_vprompt.c pam_syslog.c pam_dynamic.c pam_audit.c \
|
|
+ pam_modutil_check_user_in_passwd.c \
|
|
pam_modutil_cleanup.c pam_modutil_getpwnam.c pam_modutil_ioloop.c \
|
|
pam_modutil_getgrgid.c pam_modutil_getpwuid.c pam_modutil_getgrnam.c \
|
|
pam_modutil_getspnam.c pam_modutil_getlogin.c pam_modutil_ingroup.c \
|
|
diff --git a/libpam/include/security/pam_modutil.h b/libpam/include/security/pam_modutil.h
|
|
index 3a6aec6a..33f87b90 100644
|
|
--- a/libpam/include/security/pam_modutil.h
|
|
+++ b/libpam/include/security/pam_modutil.h
|
|
@@ -58,6 +58,11 @@ extern "C" {
|
|
|
|
#include <security/_pam_types.h>
|
|
|
|
+extern int PAM_NONNULL((1,2))
|
|
+pam_modutil_check_user_in_passwd(pam_handle_t *pamh,
|
|
+ const char *user_name,
|
|
+ const char *file_name);
|
|
+
|
|
extern struct passwd * PAM_NONNULL((1,2))
|
|
pam_modutil_getpwnam(pam_handle_t *pamh, const char *user);
|
|
|
|
diff --git a/libpam/libpam.map b/libpam/libpam.map
|
|
index c9690a91..3cc7ef35 100644
|
|
--- a/libpam/libpam.map
|
|
+++ b/libpam/libpam.map
|
|
@@ -82,3 +82,8 @@ LIBPAM_1.4 {
|
|
global:
|
|
pam_start_confdir;
|
|
} LIBPAM_1.0;
|
|
+
|
|
+LIBPAM_MODUTIL_1.4.1 {
|
|
+ global:
|
|
+ pam_modutil_check_user_in_passwd;
|
|
+} LIBPAM_MODUTIL_1.3.2;
|
|
diff --git a/libpam/pam_modutil_check_user_in_passwd.c b/libpam/pam_modutil_check_user_in_passwd.c
|
|
new file mode 100644
|
|
index 00000000..b998aa25
|
|
--- /dev/null
|
|
+++ b/libpam/pam_modutil_check_user_in_passwd.c
|
|
@@ -0,0 +1,89 @@
|
|
+#include "pam_modutil_private.h"
|
|
+#include <security/pam_ext.h>
|
|
+
|
|
+#include <stdio.h>
|
|
+#include <syslog.h>
|
|
+
|
|
+int
|
|
+pam_modutil_check_user_in_passwd(pam_handle_t *pamh,
|
|
+ const char *user_name,
|
|
+ const char *file_name)
|
|
+{
|
|
+ int rc;
|
|
+ size_t user_len;
|
|
+ FILE *fp;
|
|
+ char line[BUFSIZ];
|
|
+
|
|
+ /* Validate the user name. */
|
|
+ if ((user_len = strlen(user_name)) == 0) {
|
|
+ pam_syslog(pamh, LOG_NOTICE, "user name is not valid");
|
|
+ return PAM_SERVICE_ERR;
|
|
+ }
|
|
+
|
|
+ if (user_len > sizeof(line) - sizeof(":")) {
|
|
+ pam_syslog(pamh, LOG_NOTICE, "user name is too long");
|
|
+ return PAM_SERVICE_ERR;
|
|
+ }
|
|
+
|
|
+ if (strchr(user_name, ':') != NULL) {
|
|
+ /*
|
|
+ * "root:x" is not a local user name even if the passwd file
|
|
+ * contains a line starting with "root:x:".
|
|
+ */
|
|
+ return PAM_PERM_DENIED;
|
|
+ }
|
|
+
|
|
+ /* Open the passwd file. */
|
|
+ if (file_name == NULL) {
|
|
+ file_name = "/etc/passwd";
|
|
+ }
|
|
+ if ((fp = fopen(file_name, "r")) == NULL) {
|
|
+ pam_syslog(pamh, LOG_ERR, "error opening %s: %m", file_name);
|
|
+ return PAM_SERVICE_ERR;
|
|
+ }
|
|
+
|
|
+ /*
|
|
+ * Scan the file using fgets() instead of fgetpwent_r() because
|
|
+ * the latter is not flexible enough in handling long lines
|
|
+ * in passwd files.
|
|
+ */
|
|
+ rc = PAM_PERM_DENIED;
|
|
+ while (fgets(line, sizeof(line), fp) != NULL) {
|
|
+ size_t line_len;
|
|
+ const char *str;
|
|
+
|
|
+ /*
|
|
+ * Does this line start with the user name
|
|
+ * followed by a colon?
|
|
+ */
|
|
+ if (strncmp(user_name, line, user_len) == 0 &&
|
|
+ line[user_len] == ':') {
|
|
+ rc = PAM_SUCCESS;
|
|
+ break;
|
|
+ }
|
|
+ /* Has a newline been read? */
|
|
+ line_len = strlen(line);
|
|
+ if (line_len < sizeof(line) - 1 ||
|
|
+ line[line_len - 1] == '\n') {
|
|
+ /* Yes, continue with the next line. */
|
|
+ continue;
|
|
+ }
|
|
+
|
|
+ /* No, read till the end of this line first. */
|
|
+ while ((str = fgets(line, sizeof(line), fp)) != NULL) {
|
|
+ line_len = strlen(line);
|
|
+ if (line_len == 0 ||
|
|
+ line[line_len - 1] == '\n') {
|
|
+ break;
|
|
+ }
|
|
+ }
|
|
+ if (str == NULL) {
|
|
+ /* fgets returned NULL, we are done. */
|
|
+ break;
|
|
+ }
|
|
+ /* Continue with the next line. */
|
|
+ }
|
|
+
|
|
+ fclose(fp);
|
|
+ return rc;
|
|
+}
|
|
diff --git a/modules/pam_faillock/pam_faillock.c b/modules/pam_faillock/pam_faillock.c
|
|
index f592d0a2..8bca46ca 100644
|
|
--- a/modules/pam_faillock/pam_faillock.c
|
|
+++ b/modules/pam_faillock/pam_faillock.c
|
|
@@ -348,42 +348,7 @@ set_conf_opt(pam_handle_t *pamh, struct options *opts, const char *name, const c
|
|
static int
|
|
check_local_user (pam_handle_t *pamh, const char *user)
|
|
{
|
|
- struct passwd pw, *pwp;
|
|
- char buf[16384];
|
|
- int found = 0;
|
|
- FILE *fp;
|
|
- int errn;
|
|
-
|
|
- fp = fopen(PATH_PASSWD, "r");
|
|
- if (fp == NULL) {
|
|
- pam_syslog(pamh, LOG_ERR, "unable to open %s: %m",
|
|
- PATH_PASSWD);
|
|
- return -1;
|
|
- }
|
|
-
|
|
- for (;;) {
|
|
- errn = fgetpwent_r(fp, &pw, buf, sizeof (buf), &pwp);
|
|
- if (errn == ERANGE) {
|
|
- pam_syslog(pamh, LOG_WARNING, "%s contains very long lines; corrupted?",
|
|
- PATH_PASSWD);
|
|
- break;
|
|
- }
|
|
- if (errn != 0)
|
|
- break;
|
|
- if (strcmp(pwp->pw_name, user) == 0) {
|
|
- found = 1;
|
|
- break;
|
|
- }
|
|
- }
|
|
-
|
|
- fclose (fp);
|
|
-
|
|
- if (errn != 0 && errn != ENOENT) {
|
|
- pam_syslog(pamh, LOG_ERR, "unable to enumerate local accounts: %m");
|
|
- return -1;
|
|
- } else {
|
|
- return found;
|
|
- }
|
|
+ return pam_modutil_check_user_in_passwd(pamh, user, NULL);
|
|
}
|
|
|
|
static int
|
|
diff --git a/modules/pam_localuser/pam_localuser.c b/modules/pam_localuser/pam_localuser.c
|
|
index cb507524..a9f2233c 100644
|
|
--- a/modules/pam_localuser/pam_localuser.c
|
|
+++ b/modules/pam_localuser/pam_localuser.c
|
|
@@ -45,92 +45,10 @@
|
|
#include <unistd.h>
|
|
|
|
#include <security/pam_modules.h>
|
|
+#include <security/pam_modutil.h>
|
|
#include <security/pam_ext.h>
|
|
#include "pam_inline.h"
|
|
|
|
-static int
|
|
-check_user_in_passwd(pam_handle_t *pamh, const char *user_name,
|
|
- const char *file_name)
|
|
-{
|
|
- int rc;
|
|
- size_t user_len;
|
|
- FILE *fp;
|
|
- char line[BUFSIZ];
|
|
-
|
|
- /* Validate the user name. */
|
|
- if ((user_len = strlen(user_name)) == 0) {
|
|
- pam_syslog(pamh, LOG_NOTICE, "user name is not valid");
|
|
- return PAM_SERVICE_ERR;
|
|
- }
|
|
-
|
|
- if (user_len > sizeof(line) - sizeof(":")) {
|
|
- pam_syslog(pamh, LOG_NOTICE, "user name is too long");
|
|
- return PAM_SERVICE_ERR;
|
|
- }
|
|
-
|
|
- if (strchr(user_name, ':') != NULL) {
|
|
- /*
|
|
- * "root:x" is not a local user name even if the passwd file
|
|
- * contains a line starting with "root:x:".
|
|
- */
|
|
- return PAM_PERM_DENIED;
|
|
- }
|
|
-
|
|
- /* Open the passwd file. */
|
|
- if (file_name == NULL) {
|
|
- file_name = "/etc/passwd";
|
|
- }
|
|
- if ((fp = fopen(file_name, "r")) == NULL) {
|
|
- pam_syslog(pamh, LOG_ERR, "error opening %s: %m", file_name);
|
|
- return PAM_SERVICE_ERR;
|
|
- }
|
|
-
|
|
- /*
|
|
- * Scan the file using fgets() instead of fgetpwent_r() because
|
|
- * the latter is not flexible enough in handling long lines
|
|
- * in passwd files.
|
|
- */
|
|
- rc = PAM_PERM_DENIED;
|
|
- while (fgets(line, sizeof(line), fp) != NULL) {
|
|
- size_t line_len;
|
|
- const char *str;
|
|
-
|
|
- /*
|
|
- * Does this line start with the user name
|
|
- * followed by a colon?
|
|
- */
|
|
- if (strncmp(user_name, line, user_len) == 0 &&
|
|
- line[user_len] == ':') {
|
|
- rc = PAM_SUCCESS;
|
|
- break;
|
|
- }
|
|
- /* Has a newline been read? */
|
|
- line_len = strlen(line);
|
|
- if (line_len < sizeof(line) - 1 ||
|
|
- line[line_len - 1] == '\n') {
|
|
- /* Yes, continue with the next line. */
|
|
- continue;
|
|
- }
|
|
-
|
|
- /* No, read till the end of this line first. */
|
|
- while ((str = fgets(line, sizeof(line), fp)) != NULL) {
|
|
- line_len = strlen(line);
|
|
- if (line_len == 0 ||
|
|
- line[line_len - 1] == '\n') {
|
|
- break;
|
|
- }
|
|
- }
|
|
- if (str == NULL) {
|
|
- /* fgets returned NULL, we are done. */
|
|
- break;
|
|
- }
|
|
- /* Continue with the next line. */
|
|
- }
|
|
-
|
|
- fclose(fp);
|
|
- return rc;
|
|
-}
|
|
-
|
|
int
|
|
pam_sm_authenticate(pam_handle_t *pamh, int flags UNUSED,
|
|
int argc, const char **argv)
|
|
@@ -173,7 +91,7 @@ pam_sm_authenticate(pam_handle_t *pamh, int flags UNUSED,
|
|
return rc == PAM_CONV_AGAIN ? PAM_INCOMPLETE : rc;
|
|
}
|
|
|
|
- return check_user_in_passwd(pamh, user_name, file_name);
|
|
+ return pam_modutil_check_user_in_passwd(pamh, user_name, file_name);
|
|
}
|
|
|
|
int
|
|
--
|
|
2.26.2
|
|
|