
List:       linux-pam-commits
Subject:    [linux-pam] 2011-10-25  Thorsten Kukuk  <kukuk@thkukuk.de>
From:       kukuk () fedoraproject ! org (kukuk)
Date:       2011-10-25 12:25:22
Message-ID: 20111025122522.AF729120309 () lists ! fedorahosted ! org

commit fc772e7236a7aea9c9c26b0be2ee6f3ed8ae444a
Author: Thorsten Kukuk <kukuk at thkukuk.de>
Date:   Tue Oct 25 14:24:50 2011 +0200

    2011-10-25  Thorsten Kukuk  <kukuk at thkukuk.de>
    
            * release version 1.1.5
    
            * configure.in: Bump version number.
    
            * modules/pam_tally2/pam_tally2.8.xml: Remove never used option
            "no_lock_time".

 ChangeLog                           |    9 +++++++
 NEWS                                |    6 ++++
 configure.in                        |    2 +-
 modules/pam_tally2/pam_tally2.8.xml |   12 ---------
 modules/pam_xauth/pam_xauth.c       |   45 +++++++++++++++++++++--------------
 5 files changed, 43 insertions(+), 31 deletions(-)
---
diff --git a/ChangeLog b/ChangeLog
index 107f765..d7d808b 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,12 @@
+2011-10-25  Thorsten Kukuk  <kukuk at thkukuk.de>
+
+	* release version 1.1.5
+
+	* configure.in: Bump version number.
+
+	* modules/pam_tally2/pam_tally2.8.xml: Remove never used option
+	"no_lock_time".
+
 2011-10-14  Kees Cook <kees at debian.org>
 
 	* modules/pam_env/pam_env.c (_expand_arg): Abort when encountering an
diff --git a/NEWS b/NEWS
index a80a2ab..81f961f 100644
--- a/NEWS
+++ b/NEWS
@@ -1,5 +1,11 @@
 Linux-PAM NEWS -- history of user-visible changes.
 
+Release 1.1.5
+* pam_env: Fix CVE-2011-3148 and CVE-2011-3149
+* pam_access: Add hostname resolution cache
+* Documentation: Improvements/fixes 
+
+
 Release 1.1.4
 
 * Add vietnamese translation
diff --git a/configure.in b/configure.in
index 7940a94..5058155 100644
--- a/configure.in
+++ b/configure.in
@@ -1,7 +1,7 @@
 dnl Process this file with autoconf to produce a configure script.
 AC_INIT
 AC_CONFIG_SRCDIR([conf/pam_conv1/pam_conv_y.y])
-AM_INIT_AUTOMAKE("Linux-PAM", 1.1.4)
+AM_INIT_AUTOMAKE("Linux-PAM", 1.1.5)
 AC_PREREQ(2.61)
 AC_CONFIG_HEADERS([config.h])
 AC_CONFIG_MACRO_DIR([m4])
diff --git a/modules/pam_tally2/pam_tally2.8.xml b/modules/pam_tally2/pam_tally2.8.xml
index 4ad529f..5fecea2 100644
--- a/modules/pam_tally2/pam_tally2.8.xml
+++ b/modules/pam_tally2/pam_tally2.8.xml
@@ -238,17 +238,6 @@
             </varlistentry>
             <varlistentry>
               <term>
-                <option>no_lock_time</option>
-              </term>
-              <listitem>
-                <para>
-                  Do not use the .fail_locktime field in
-                  <filename>/var/log/faillog</filename> for this user.
-                </para>
-              </listitem>
-            </varlistentry>
-            <varlistentry>
-              <term>
                 <option>even_deny_root</option>
               </term>
               <listitem>
@@ -446,4 +435,3 @@ session  optional       pam_mail.so standard
   </refsect1>
 
 </refentry>
-
diff --git a/modules/pam_xauth/pam_xauth.c b/modules/pam_xauth/pam_xauth.c
index a64ae89..88624b1 100644
--- a/modules/pam_xauth/pam_xauth.c
+++ b/modules/pam_xauth/pam_xauth.c
@@ -459,24 +459,33 @@ pam_sm_open_session (pam_handle_t *pamh, int flags UNUSED,
 		goto cleanup;
 	}
 
-	/* Check that both users are amenable to this.  By default, this
-	 * boils down to this policy:
-	 * export(ruser=root): only if <user> is listed in .xauth/export
-	 * export(ruser=*) if <user> is listed in .xauth/export, or
-	 *                 if .xauth/export does not exist
-	 * import(user=*): if <ruser> is listed in .xauth/import, or
-	 *                 if .xauth/import does not exist */
-	i = (getuid() != 0 || tpwd->pw_uid == 0) ? PAM_SUCCESS : PAM_PERM_DENIED;
-	i = check_acl(pamh, "export", rpwd->pw_name, user, i, debug);
-	if (i != PAM_SUCCESS) {
-		retval = PAM_SESSION_ERR;
-		goto cleanup;
-	}
-	i = PAM_SUCCESS;
-	i = check_acl(pamh, "import", user, rpwd->pw_name, i, debug);
-	if (i != PAM_SUCCESS) {
-		retval = PAM_SESSION_ERR;
-		goto cleanup;
+
+	/* If current user and the target user are the same, don't
+	   check the ACL list, but forward X11 */
+	if (strcmp (rpwd->pw_name, tpwd->pw_name) != 0) {
+
+	  /* Check that both users are amenable to this.  By default, this
+	   * boils down to this policy:
+	   * export(ruser=root): only if <user> is listed in .xauth/export
+	   * export(ruser=*) if <user> is listed in .xauth/export, or
+	   *                 if .xauth/export does not exist
+	   * import(user=*): if <ruser> is listed in .xauth/import, or
+	   *                 if .xauth/import does not exist */
+	  i = (getuid() != 0 || tpwd->pw_uid == 0) ? PAM_SUCCESS : PAM_PERM_DENIED;
+	  i = check_acl(pamh, "export", rpwd->pw_name, user, i, debug);
+	  if (i != PAM_SUCCESS) {
+	    retval = PAM_SESSION_ERR;
+	    goto cleanup;
+	  }
+	  i = PAM_SUCCESS;
+	  i = check_acl(pamh, "import", user, rpwd->pw_name, i, debug);
+	  if (i != PAM_SUCCESS) {
+	    retval = PAM_SESSION_ERR;
+	    goto cleanup;
+	  }
+	}  else {
+	  if (debug)
+	    pam_syslog (pamh, LOG_DEBUG, "current and target user are the same, forward X11");
 	}
 
 	/* Figure out where the source user's .Xauthority file is. */
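Review bot: The new same-user bypass of the export/import ACL checks (the `strcmp (rpwd->pw_name, tpwd->pw_name)` branch) is a user-visible policy change, yet neither the commit message, the ChangeLog hunk nor the NEWS hunk in this commit records it; a line such as `* modules/pam_xauth/pam_xauth.c (pam_sm_open_session): Do not consult the .xauth/export and .xauth/import ACLs when the source and target user are the same.` should be added so administrators relying on those files know the check no longer applies in that case. On style, the added block is indented with a tab plus two spaces while the surrounding function uses tabs only, and `}  else {` carries a double space; reformatting it as `} else {` with tab indentation would keep the file consistent. The comparison is by account name rather than by uid, which is the more conservative choice here since differently named accounts sharing a uid still go through the ACL checks; a short comment to that effect, `/* compare by name, not uid: aliases of the same uid still need the ACL check */`, would make the intent explicit. pam_sm_open_session begins and continues outside this hunk, so the origin of rpwd and tpwd is not visible here.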

