Diffstat (limited to 'extra/source/pam/patches/pam-1.1.3-securetty-console.patch')
-rw-r--r--extra/source/pam/patches/pam-1.1.3-securetty-console.patch120
1 files changed, 0 insertions, 120 deletions
diff --git a/extra/source/pam/patches/pam-1.1.3-securetty-console.patch b/extra/source/pam/patches/pam-1.1.3-securetty-console.patch
deleted file mode 100644
index 94fa6ecf..00000000
--- a/extra/source/pam/patches/pam-1.1.3-securetty-console.patch
+++ /dev/null
@@ -1,120 +0,0 @@
-Index: modules/pam_securetty/pam_securetty.8.xml
-===================================================================
-RCS file: /cvsroot/pam/Linux-PAM/modules/pam_securetty/pam_securetty.8.xml,v
-retrieving revision 1.4
-retrieving revision 1.6
-diff -u -p -r1.4 -r1.6
---- modules/pam_securetty/pam_securetty.8.xml 18 Aug 2008 13:29:25 -0000 1.4
-+++ modules/pam_securetty/pam_securetty.8.xml 25 Nov 2010 16:58:59 -0000 1.6
-@@ -33,7 +33,9 @@
- user is logging in on a "secure" tty, as defined by the listing
- in <filename>/etc/securetty</filename>. pam_securetty also checks
- to make sure that <filename>/etc/securetty</filename> is a plain
-- file and not world writable.
-+ file and not world writable. It will also allow root logins on
-+ the tty specified with <option>console=</option> switch on the
-+ kernel command line.
- </para>
- <para>
- This module has no effect on non-root users and requires that the
-@@ -61,6 +63,18 @@
- </para>
- </listitem>
- </varlistentry>
-+ <varlistentry>
-+ <term>
-+ <option>noconsole</option>
-+ </term>
-+ <listitem>
-+ <para>
-+ Do not automatically allow root logins on the kernel console
-+ device, as specified on the kernel command line, if it is
-+ not also specified in the <filename>/etc/securetty</filename> file.
-+ </para>
-+ </listitem>
-+ </varlistentry>
- </variablelist>
- </refsect1>
-
-Index: modules/pam_securetty/pam_securetty.c
-===================================================================
-RCS file: /cvsroot/pam/Linux-PAM/modules/pam_securetty/pam_securetty.c,v
-retrieving revision 1.14
-retrieving revision 1.15
-diff -u -p -r1.14 -r1.15
---- modules/pam_securetty/pam_securetty.c 10 Sep 2009 10:19:58 -0000 1.14
-+++ modules/pam_securetty/pam_securetty.c 24 Nov 2010 12:28:01 -0000 1.15
-@@ -2,6 +2,7 @@
-
- #define SECURETTY_FILE "/etc/securetty"
- #define TTY_PREFIX "/dev/"
-+#define CMDLINE_FILE "/proc/cmdline"
-
- /*
- * by Elliot Lee <sopwith@redhat.com>, Red Hat Software.
-@@ -22,6 +23,7 @@
- #include <pwd.h>
- #include <string.h>
- #include <ctype.h>
-+#include <limits.h>
-
- /*
- * here, we make a definition for the externally accessible function
-@@ -38,6 +40,7 @@
- #include <security/pam_ext.h>
-
- #define PAM_DEBUG_ARG 0x0001
-+#define PAM_NOCONSOLE_ARG 0x0002
-
- static int
- _pam_parse (const pam_handle_t *pamh, int argc, const char **argv)
-@@ -51,6 +54,8 @@ _pam_parse (const pam_handle_t *pamh, in
-
- if (!strcmp(*argv,"debug"))
- ctrl |= PAM_DEBUG_ARG;
-+ else if (!strcmp(*argv, "noconsole"))
-+ ctrl |= PAM_NOCONSOLE_ARG;
- else {
- pam_syslog(pamh, LOG_ERR, "unknown option: %s", *argv);
- }
-@@ -144,6 +149,40 @@ securetty_perform_check (pam_handle_t *p
- }
- fclose(ttyfile);
-
-+ if (retval && !(ctrl & PAM_NOCONSOLE_ARG)) {
-+ FILE *cmdlinefile;
-+
-+ /* Allow access from the kernel console, if enabled */
-+ cmdlinefile = fopen(CMDLINE_FILE, "r");
-+
-+ if (cmdlinefile != NULL) {
-+ char line[LINE_MAX], *p;
-+
-+ line[0] = 0;
-+ fgets(line, sizeof(line), cmdlinefile);
-+ fclose(cmdlinefile);
-+
-+ for (p = line; p; p = strstr(p+1, "console=")) {
-+ char *e;
-+
-+ /* Test whether this is a beginning of a word? */
-+ if (p > line && p[-1] != ' ')
-+ continue;
-+
-+ /* Ist this our console? */
-+ if (strncmp(p + 8, uttyname, strlen(uttyname)))
-+ continue;
-+
-+ /* Is there any garbage after the TTY name? */
-+ e = p + 8 + strlen(uttyname);
-+ if (*e == ',' || *e == ' ' || *e == '\n' || *e == 0) {
-+ retval = 0;
-+ break;
-+ }
-+ }
-+ }
-+ }
-+
- if (retval) {
- pam_syslog(pamh, LOG_WARNING, "access denied: tty '%s' is not secure !",
- uttyname);