diff options
| -rw-r--r-- | gnu/local.mk | 2 | ||||
| -rw-r--r-- | gnu/packages/linux.scm | 9 | ||||
| -rw-r--r-- | gnu/packages/patches/linux-pam-no-setfsuid.patch | 75 |
3 files changed, 83 insertions, 3 deletions
diff --git a/gnu/local.mk b/gnu/local.mk index 8ca246206d..f86fc02e58 100644 --- a/gnu/local.mk +++ b/gnu/local.mk @@ -5,6 +5,7 @@ # Copyright © 2013, 2014, 2015, 2016 Mark H Weaver <mhw@netris.org> # Copyright © 2016 Chris Marusich <cmmarusich@gmail.com> # Copyright © 2016 Kei Kebreau <kei@openmailbox.org> +# Copyright © 2016 Rene Saavedra <rennes@openmailbox.org> # # This file is part of GNU Guix. # @@ -651,6 +652,7 @@ dist_patch_DATA = \ %D%/packages/patches/libwmf-CVE-2015-4695.patch \ %D%/packages/patches/libwmf-CVE-2015-4696.patch \ %D%/packages/patches/libxslt-generated-ids.patch \ + %D%/packages/patches/linux-pam-no-setfsuid.patch \ %D%/packages/patches/lirc-localstatedir.patch \ %D%/packages/patches/lm-sensors-hwmon-attrs.patch \ %D%/packages/patches/lua-CVE-2014-5461.patch \ diff --git a/gnu/packages/linux.scm b/gnu/packages/linux.scm index 50568d2125..2069170440 100644 --- a/gnu/packages/linux.scm +++ b/gnu/packages/linux.scm @@ -15,6 +15,7 @@ ;;; Copyright © 2016 Ricardo Wurmus <rekado@elephly.net> ;;; Copyright © 2016 David Craven <david@craven.ch> ;;; Copyright © 2016 John Darrington <jmd@gnu.org> +;;; Copyright © 2016 Rene Saavedra <rennes@openmailbox.org> ;;; ;;; This file is part of GNU Guix. ;;; @@ -414,7 +415,9 @@ It has been modified to remove all non-free binary blobs.") "Linux-PAM-" version ".tar.bz2")) (sha256 (base32 - "1fyi04d5nsh8ivd0rn2y0z83ylgc0licz7kifbb6xxi2ylgfs6i4")))) + "1fyi04d5nsh8ivd0rn2y0z83ylgc0licz7kifbb6xxi2ylgfs6i4")) + (patches (search-patches "linux-pam-no-setfsuid.patch")))) + (build-system gnu-build-system) (native-inputs `(("flex" ,flex) @@ -455,8 +458,8 @@ at login. Local and dynamic reconfiguration are its key features.") "Linux-PAM-" version ".tar.bz2")) (sha256 (base32 - "1n9lnf9gjs72kbj1g354v1xhi2j27aqaah15vykh7cnkq08i4arl")))))) - + "1n9lnf9gjs72kbj1g354v1xhi2j27aqaah15vykh7cnkq08i4arl")) + (patches (search-patches "linux-pam-no-setfsuid.patch")))))) ;;; diff --git a/gnu/packages/patches/linux-pam-no-setfsuid.patch b/gnu/packages/patches/linux-pam-no-setfsuid.patch new file mode 100644 index 0000000000..f92fbc057a --- /dev/null +++ b/gnu/packages/patches/linux-pam-no-setfsuid.patch @@ -0,0 +1,75 @@ +On systems without 'setfsuid', use 'setreuid' instead. + +The patch originates from the Debian project for GNU/Hurd. +Authors: Steve Langasek <vorlon@debian.org> +Upstream status: A ticket was opened to request apply the patch, +ticket: 'https://fedorahosted.org/linux-pam/ticket/64'. + +--- Linux-PAM-1.2.1/libpam/pam_modutil_priv.c 2015-03-24 06:02:32.000000000 -0600 ++++ pam_modutil_priv-mod.c 2016-09-20 13:36:53.150663205 -0500 +@@ -14,7 +14,9 @@ + #include <syslog.h> + #include <pwd.h> + #include <grp.h> ++#ifdef HAVE_SYS_FSUID_H + #include <sys/fsuid.h> ++#endif /* HAVE_SYS_FSUID_H */ + + /* + * Two setfsuid() calls in a row are necessary to check +@@ -22,17 +24,55 @@ + */ + static int change_uid(uid_t uid, uid_t *save) + { ++#ifdef HAVE_SYS_FSUID_H + uid_t tmp = setfsuid(uid); + if (save) + *save = tmp; + return (uid_t) setfsuid(uid) == uid ? 0 : -1; ++#else ++ uid_t euid = geteuid(); ++ uid_t ruid = getuid(); ++ if (save) ++ *save = ruid; ++ if (ruid == uid && uid != 0) ++ if (setreuid(euid, uid)) ++ return -1; ++ else { ++ setreuid(0, -1); ++ if (setreuid(-1, uid)) { ++ setreuid(-1, 0); ++ setreuid(0, -1); ++ if (setreuid(-1, uid)) ++ return -1; ++ } ++ } ++#endif + } + static int change_gid(gid_t gid, gid_t *save) + { ++#ifdef HAVE_SYS_FSUID_H + gid_t tmp = setfsgid(gid); + if (save) + *save = tmp; + return (gid_t) setfsgid(gid) == gid ? 0 : -1; ++#else ++ gid_t egid = getegid(); ++ gid_t rgid = getgid(); ++ if (save) ++ *save = rgid; ++ if (rgid == gid) ++ if (setregid(egid, gid)) ++ return -1; ++ else { ++ setregid(0, -1); ++ if (setregid(-1, gid)) { ++ setregid(-1, 0); ++ setregid(0, -1); ++ if (setregid(-1, gid)) ++ return -1; ++ } ++ } ++#endif + } + + static int cleanup(struct pam_modutil_privs *p) |