author | Richard Leitner <richard.leitner@skidata.com> | 2018-06-04 10:00:45 +0200 |
---|---|---|
committer | Khem Raj <raj.khem@gmail.com> | 2018-06-05 10:03:43 -0700 |
commit | 268b4bd1dc4286f5b79e2a2d39c7cfdb12220fff (patch) | |
tree | 3201679ed7b39144562aa5fcacd64e2ea30ac16c /meta-oe/recipes-extended | |
parent | f5a3718a41687def7a4f17b264ae4a66c340acab (diff) | |
pam-plugin-ccreds: add recipe
Add version 11 of the pam-plugin-ccreds with the debian patches and a
fix for *.so symlink creation applied.
Upstreaming of these patches was requested in the following pull request:
https://github.com/PADL/pam_ccreds/pull/1
Signed-off-by: Richard Leitner <richard.leitner@skidata.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
Diffstat (limited to 'meta-oe/recipes-extended')
4 files changed, 193 insertions, 0 deletions
diff --git a/meta-oe/recipes-extended/pam/pam-plugin-ccreds/0001-make-sure-we-don-t-overflow-the-data-buffer.patch b/meta-oe/recipes-extended/pam/pam-plugin-ccreds/0001-make-sure-we-don-t-overflow-the-data-buffer.patch
new file mode 100644
index 0000000000..d7f8f5a966
--- /dev/null
+++ b/meta-oe/recipes-extended/pam/pam-plugin-ccreds/0001-make-sure-we-don-t-overflow-the-data-buffer.patch
@@ -0,0 +1,29 @@
+From 59a95494002ce57ace17d676544101e88a55265d Mon Sep 17 00:00:00 2001
+From: Nicolas Boullis <nicolas.boullis@ecp.fr>
+Date: Mon, 23 Mar 2009 10:46:44 +0100
+Subject: [PATCH 1/3] make sure we don't overflow the data buffer
+
+This patch was taken from Debian's libpam-ccreds v10-6 source:
+ 0001-make-sure-we-don-t-overflow-the-data-buffer.patch
+
+Reviewed-by: Richard Leitner <richard.leitner@skidata.com>
+---
+ cc_db.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/cc_db.c b/cc_db.c
+index c0e0488..9371c4d 100644
+--- a/cc_db.c
++++ b/cc_db.c
+@@ -199,7 +199,7 @@ int pam_cc_db_get(void *_db, const char *keyname, size_t keylength,
+ return (rc == DB_NOTFOUND) ? PAM_AUTHINFO_UNAVAIL : PAM_SERVICE_ERR;
+ }
+
+- if (val.size < *size) {
++ if (val.size > *size) {
+ return PAM_BUF_ERR;
+ }
+
+--
+2.11.0
+
diff --git a/meta-oe/recipes-extended/pam/pam-plugin-ccreds/0002-add-minimum_uid-option.patch b/meta-oe/recipes-extended/pam/pam-plugin-ccreds/0002-add-minimum_uid-option.patch
new file mode 100644
index 0000000000..adc464924d
--- /dev/null
+++ b/meta-oe/recipes-extended/pam/pam-plugin-ccreds/0002-add-minimum_uid-option.patch
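Review bot: The header of 0001-make-sure-we-don-t-overflow-the-data-buffer.patch has no `Upstream-Status:` line, and the same is true of 0002-add-minimum_uid-option.patch and 0003-Set-EXTENSION_SO-for-all-linux-targets.patch. The commit message says upstreaming was requested in the linked pull request, so a line such as `Upstream-Status: Submitted [https://github.com/PADL/pam_ccreds/pull/1]` above the `---` would record that in each patch and tell later maintainers when it can be dropped. For this patch the description could also state that the old test `val.size < *size` was inverted, so a stored record larger than the caller's buffer was not rejected. The copy this check guards lies outside the hunk in pam_cc_db_get, so the exact impact cannot be confirmed from the lines shown.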
@@ -0,0 +1,97 @@
+From 21e3ab24836c5087f3531d2d3270242cea857a79 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Guido=20G=C3=BCnther?= <agx@sigxcpu.org>
+Date: Thu, 13 May 2010 12:36:26 +0200
+Subject: [PATCH 2/3] add minimum_uid option
+
+Closes: #580037
+
+This patch was taken from Debian's libpam-ccreds v10-6 source:
+ 0002-add-minimum_uid-option.patch
+
+Reviewed-by: Richard Leitner <richard.leitner@skidata.com>
+---
+ cc_pam.c | 39 +++++++++++++++++++++++++++++++++++++++
+ 1 file changed, 39 insertions(+)
+
+diff --git a/cc_pam.c b/cc_pam.c
+index d096117..56776aa 100644
+--- a/cc_pam.c
++++ b/cc_pam.c
+@@ -20,6 +20,7 @@
+ #include <errno.h>
+ #include <limits.h>
+ #include <syslog.h>
++#include <pwd.h>
+
+ #include "cc_private.h"
+
+@@ -45,6 +46,30 @@ PAM_EXTERN int pam_sm_acct_mgmt(pam_handle_t *pamh,
+ int flags, int argc, const char **argv);
+ #endif
+
++
++/*
++ * Given the PAM arguments and the user we're authenticating, see if we should
++ * ignore that user because they're root or have a low-numbered UID and we
++ * were configured to ignore such users. Returns true if we should ignore
++ * them, false otherwise.
++ */
++static int
++_pamcc_should_ignore(const char *username, int minimum_uid)
++{
++ struct passwd *pwd;
++
++ if (minimum_uid > 0) {
++ pwd = getpwnam(username);
++ if (pwd != NULL && pwd->pw_uid < (unsigned long) minimum_uid) {
++ syslog(LOG_DEBUG, "ignoring low-UID user (%lu < %d)",
++ (unsigned long) pwd->pw_uid, minimum_uid);
++ return 1;
++ }
++ }
++ return 0;
++}
++
++
+ static int _pam_sm_interact(pam_handle_t *pamh,
+ int flags,
+ const char **authtok)
+@@ -291,7 +316,9 @@ PAM_EXTERN int pam_sm_authenticate(pam_handle_t *pamh,
+ unsigned int sm_flags = 0, sm_action = 0;
+ const char *ccredsfile = NULL;
+ const char *action = NULL;
++ const char *name = NULL;
+ int (*selector)(pam_handle_t *, int, unsigned int, const char *);
++ int minimum_uid = 0;
+
+ for (i = 0; i < argc; i++) {
+ if (strcmp(argv[i], "use_first_pass") == 0)
+@@ -300,6 +327,8 @@ PAM_EXTERN int pam_sm_authenticate(pam_handle_t *pamh,
+ sm_flags |= SM_FLAGS_TRY_FIRST_PASS;
+ else if (strcmp(argv[i], "service_specific") == 0)
+ sm_flags |= SM_FLAGS_SERVICE_SPECIFIC;
++ else if (strncmp(argv[i], "minimum_uid=", sizeof("minimum_uid=") - 1) == 0)
++ minimum_uid = atoi(argv[i] + sizeof("minimum_uid=") - 1);
+ else if (strncmp(argv[i], "ccredsfile=", sizeof("ccredsfile=") - 1) == 0)
+ ccredsfile = argv[i] + sizeof("ccredsfile=") - 1;
+ else if (strncmp(argv[i], "action=", sizeof("action=") - 1) == 0)
+@@ -321,6 +350,16 @@ PAM_EXTERN int pam_sm_authenticate(pam_handle_t *pamh,
+ syslog(LOG_ERR, "pam_ccreds: invalid action \"%s\"", action);
+ }
+
++ rc = pam_get_user(pamh, &name, NULL);
++ if (rc != PAM_SUCCESS || name == NULL) {
++ if (rc == PAM_CONV_AGAIN)
++ return PAM_INCOMPLETE;
++ else
++ return PAM_SERVICE_ERR;
++ }
++ if (_pamcc_should_ignore(name, minimum_uid))
++ return PAM_USER_UNKNOWN;
++
+ switch (sm_action) {
+ case SM_ACTION_VALIDATE_CCREDS:
+ selector = _pam_sm_validate_cached_credentials;
+--
+2.11.0
+
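Review bot: The `minimum_uid=` branch in the option loop of pam_sm_authenticate parses its value with `atoi`, so a non-numeric or negative value turns the exclusion off (`minimum_uid > 0` is false in `_pamcc_should_ignore`) and a value with trailing characters is silently truncated, with nothing logged in either case. Parsing with `strtol`, rejecting empty, trailing-garbage and out-of-range input, and logging a `pam_ccreds:`-prefixed error in the style of the existing "invalid action" message keeps a mistyped PAM line from quietly losing the low-UID exclusion. Separately, `_pamcc_should_ignore` returns 0 when `getpwnam` finds no entry, so the exclusion only applies to accounts that resolve at login time; a comment on the function should say so, and its LOG_DEBUG message would be easier to attribute with the same `pam_ccreds:` prefix. pam_sm_authenticate starts and ends outside the hunks.

```c
		else if (strncmp(argv[i], "minimum_uid=", sizeof("minimum_uid=") - 1) == 0) {
			const char *arg = argv[i] + sizeof("minimum_uid=") - 1;
			char *end = NULL;
			long val;

			errno = 0;
			val = strtol(arg, &end, 10);
			if (errno != 0 || end == arg || *end != '\0' || val < 0 || val > INT_MAX)
				syslog(LOG_ERR, "pam_ccreds: invalid minimum_uid \"%s\"", arg);
			else
				minimum_uid = (int) val;
		}
		/* … unchanged: ccredsfile= and action= branches … */
```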
diff --git a/meta-oe/recipes-extended/pam/pam-plugin-ccreds/0003-Set-EXTENSION_SO-for-all-linux-targets.patch b/meta-oe/recipes-extended/pam/pam-plugin-ccreds/0003-Set-EXTENSION_SO-for-all-linux-targets.patch
new file mode 100644
index 0000000000..988c374428
--- /dev/null
+++ b/meta-oe/recipes-extended/pam/pam-plugin-ccreds/0003-Set-EXTENSION_SO-for-all-linux-targets.patch
@@ -0,0 +1,40 @@
+From 2b137b0364c57505a95cb498660e3b97b557540d Mon Sep 17 00:00:00 2001
+From: Richard Leitner <richard.leitner@skidata.com>
+Date: Fri, 1 Jun 2018 13:24:15 +0200
+Subject: [PATCH 3/3] Set EXTENSION_SO for all linux* targets
+
+As EXTENSION_SO gets already set for linux and linux-gnu targets we
+should set it for all linux* targets. This is done by introducing a new
+"LINUX" value for the "TARGET_OS" helper variable.
+
+Signed-off-by: Richard Leitner <richard.leitner@skidata.com>
+---
+ configure.in | 5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+diff --git a/configure.in b/configure.in
+index 0dbdf79..3829d9f 100644
+--- a/configure.in
++++ b/configure.in
+@@ -35,7 +35,8 @@ hpux*) pam_ccreds_so_LD="/bin/ld"
+ TARGET_OS="HPUX" ;;
+ solaris*) pam_ccreds_so_LD="/usr/ccs/bin/ld"
+ pam_ccreds_so_LDFLAGS="-B dynamic -M \$(srcdir)/exports.solaris -G -B group -lc" ;;
+-linux*) pam_ccreds_so_LDFLAGS="-shared -Wl,-Bdynamic -Wl,--version-script,\$(srcdir)/exports.linux" ;;
++linux*) pam_ccreds_so_LDFLAGS="-shared -Wl,-Bdynamic -Wl,--version-script,\$(srcdir)/exports.linux"
++ TARGET_OS="LINUX" ;;
+ *) pam_ccreds_so_LDFLAGS="-shared" ;;
+ esac
+
+@@ -43,7 +44,7 @@ AC_SUBST(pam_ccreds_so_LD)
+ AC_SUBST(pam_ccreds_so_LDFLAGS)
+
+ AM_CONDITIONAL(USE_NATIVE_LINKER, test -n "$pam_ccreds_so_LD")
+-AM_CONDITIONAL(EXTENSION_SO, test "$target_os" = "linux" -o "$target_os" = "linux-gnu")
++AM_CONDITIONAL(EXTENSION_SO, test "$TARGET_OS" = "LINUX")
+ AM_CONDITIONAL(EXTENSION_1, test "$TARGET_OS" = "HPUX")
+
+ if test -z "$use_gcrypt"; then
+--
+2.11.0
+
diff --git a/meta-oe/recipes-extended/pam/pam-plugin-ccreds_11.bb b/meta-oe/recipes-extended/pam/pam-plugin-ccreds_11.bb
new file mode 100644
index 0000000000..9a21d90456
--- /dev/null
+++ b/meta-oe/recipes-extended/pam/pam-plugin-ccreds_11.bb
@@ -0,0 +1,27 @@
+SUMMARY = "PAM cached credentials module"
+HOMEPAGE = "https://www.padl.com/OSS/pam_ccreds.html"
+SECTION = "libs"
+LICENSE = "GPLv2"
+LIC_FILES_CHKSUM = "file://COPYING;md5=94d55d512a9ba36caa9b7df079bae19f"
+
+DEPENDS = "libpam openssl db"
+
+inherit distro_features_check
+REQUIRED_DISTRO_FEATURES = "pam"
+
+SRCREV = "376bb189ceb3a113954f1012c45be7ff09e148ba"
+
+SRC_URI = " \
+ git://github.com/PADL/pam_ccreds \
+ file://0001-make-sure-we-don-t-overflow-the-data-buffer.patch \
+ file://0002-add-minimum_uid-option.patch \
+ file://0003-Set-EXTENSION_SO-for-all-linux-targets.patch \
+"
+
+S = "${WORKDIR}/git"
+
+inherit autotools
+
+EXTRA_OECONF += "--libdir=${base_libdir} "
+
+FILES_${PN} += "${base_libdir}/security/pam*" |
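Review bot: The `git://github.com/PADL/pam_ccreds` entry in `SRC_URI` names no transport, so the fetcher uses the plain git protocol, which is neither encrypted nor authenticated. `SRCREV` pins the commit, which limits what a tampered transfer could substitute, but for an authentication module it is still worth fetching over TLS: `git://github.com/PADL/pam_ccreds;protocol=https \`. A short comment above `SRCREV` saying which upstream release or tag that commit corresponds to would also make the "version 11" claim in the commit message checkable from the recipe.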