Sisyphus repository
Last update: 1 october 2023 | SRPMs: 18631 | Visits: 37634013
ALT Linux repos
S:1.1.1-alt4
5.0: 1.0.3-alt5
4.1: 1.0.3-alt4
4.0: 1.0.3-alt4
3.0: 1.0.1-alt1

Group :: System/Base
RPM: pam_mktemp


pam_mktemp-1.1.1/LICENSE

Redistribution and use in source and binary forms, with or without
modification, are permitted.

There's ABSOLUTELY NO WARRANTY, express or implied.

(This is a heavily cut-down "BSD license".)

pam_mktemp-1.1.1/Makefile

#
# Copyright (c) 2000,2003 by Solar Designer
# Copyright (c) 2006,2010 by Dmitry V. Levin
# See LICENSE
#

CC = gcc
LD = $(CC)
RM = rm -f
MKDIR = mkdir -p
INSTALL = install -c
CFLAGS = -Wall -O2 -fPIC
LDFLAGS = -s --shared -Wl,--version-script,$(MAP)
LDLIBS = -lpam

# This requires GNU make
ifeq ($(shell uname -s),SunOS)
# We support Sun's older /usr/ucb/install, but not the newer /usr/sbin/install
override INSTALL = /usr/ucb/install -c
override LDFLAGS = -G
endif

TITLE = pam_mktemp
PAM_SO_SUFFIX =
LIBSHARED = $(TITLE).so$(PAM_SO_SUFFIX)
SHLIBMODE = 755
SECUREDIR = /lib/security
DESTDIR =

OBJS = pam_mktemp.o
MAP = pam_mktemp.map

ifeq ($(USE_SELINUX),1)
override CFLAGS += -DUSE_SELINUX=1
override LDLIBS += -lselinux
endif

ifeq ($(USE_APPEND_FL),1)
override CFLAGS += -DUSE_APPEND_FL=1
endif

all: $(LIBSHARED)

pam_mktemp.so: $(OBJS) $(MAP)
	$(LD) $(LDFLAGS) $(OBJS) $(LDLIBS) -o pam_mktemp.so

.c.o:
	$(CC) $(CFLAGS) -c $*.c

install:
	$(MKDIR) $(DESTDIR)$(SECUREDIR)
	$(INSTALL) -m $(SHLIBMODE) $(LIBSHARED) $(DESTDIR)$(SECUREDIR)

remove:
	$(RM) $(DESTDIR)$(SECUREDIR)/$(TITLE).so

clean:
	$(RM) $(LIBSHARED) *.o

pam_mktemp-1.1.1/README

pam_mktemp is a PAM module that may be used with a PAM-aware login
service to provide per-user private directories under /tmp as part
of PAM session or account management.

When an interactive (shell) session is started, a directory is created
and the environment variables TMPDIR and TMP are set to the name of
the directory.

According to some "out of the box" SELinux policies, /tmp/.private and
/tmp/.private/USER directories created by this module running from
processes like login and sshd would inherit a login process context
instead of /tmp directory or user context. As a result, user processes
would have problems creating files in such "login-owned" directories.
When the module is built with SELinux support ("make USE_SELINUX=1"), it
creates directories in the proper context.

Please note that there's a security risk of using pam_mktemp along with
tmpwatch(8) and maybe with some other "/tmp cleaners", but stmpclean(8)
is known to be safe. If you must use a "/tmp cleaner" that exposes the
problem (although you'd better not), this risk may be avoided by
enabling pam_mktemp's USE_APPEND_FL compile-time setting
("make USE_APPEND_FL=1") _and_ keeping /tmp on an ext2, ext3, or ext4
filesystem. Please refer to comments in pam_mktemp.c for more detail on
the issue. Once again, it is better to switch to using a "/tmp cleaner"
that does not expose the problem.

$Owl$
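
The README's warning is about a /tmp cleaner removing /tmp/.private or a per-user subdirectory, after which another user could recreate the name. The C program below is an added example, not part of the pam_mktemp sources: it audits that layout with the same lstat() tests the module applies to /tmp/.private. The names check_dir and audit_private_tmp and the "trusted" parameter are assumptions of this example.

```c
#define _XOPEN_SOURCE 700
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

enum verdict { V_OK, V_MISSING, V_NOT_DIR, V_BAD_OWNER, V_BAD_MODE };

/* lstat(), as in pam_mktemp.c: a symlink planted under the expected name
 * is reported as "not a directory" instead of being followed. */
static enum verdict check_dir(const char *path, uid_t owner, mode_t forbidden)
{
	struct stat st;
	if (lstat(path, &st))
		return V_MISSING;
	if (!S_ISDIR(st.st_mode))
		return V_NOT_DIR;
	if (st.st_uid != owner)
		return V_BAD_OWNER;
	if (st.st_mode & forbidden)
		return V_BAD_MODE;
	return V_OK;
}

/* Hypothetical helper. "trusted" is uid 0 in production; it is a parameter
 * only so the check can be exercised on a constructed tree without root. */
static enum verdict audit_private_tmp(const char *prefix, const char *user,
    uid_t trusted, uid_t user_uid)
{
	char path[4096];
	enum verdict v = check_dir(prefix, trusted, 0022);
	if (v != V_OK)
		return v;
	if (snprintf(path, sizeof(path), "%s/%s", prefix, user) >= (int)sizeof(path))
		return V_MISSING;
	/* Module layout: user-owned 01700, or root-owned 01770 with the user's
	 * private group (the group id itself is not checked here). */
	v = check_dir(path, user_uid, 0077);
	if (v == V_BAD_OWNER)
		v = check_dir(path, trusted, 0007);
	return v;
}

int main(int argc, char **argv)
{
	static const char *const names[] = { "ok", "missing", "not a directory",
	    "unexpected owner", "unsafe mode" };
	if (argc != 3)	/* usage: audit USER UID */
		return 2;
	enum verdict v = audit_private_tmp("/tmp/.private", argv[1], 0,
	    (uid_t)strtoul(argv[2], NULL, 10));
	printf("/tmp/.private/%s: %s\n", argv[1], names[v]);
	return v != V_OK;
}
```

Any verdict other than "ok" for a user who has TMPDIR pointing into /tmp/.private means the directory should be recreated by root before that user's programs rely on it again.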

pam_mktemp-1.1.1/pam_mktemp.c

/*
* Copyright (c) 2000-2002,2005,2010 by Solar Designer
* Copyright (c) 2005,2006,2010 by Dmitry V. Levin
* See LICENSE
*/

#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <pwd.h>
#include <grp.h>
#include <errno.h>
#include <sys/stat.h>

#ifdef USE_SELINUX
/*
* According to some "out of the box" SELinux policies, /tmp/.private and
* /tmp/.private/USER directories created by this module running from
* processes like login and sshd would inherit a login process context instead
* of /tmp directory or user context. As a result, user processes would have
* problems creating files in such "login-owned" directories. When the module
* is built with SELinux support, it creates directories in the proper context.
*/
#include <selinux/selinux.h>
#endif /* USE_SELINUX */

#ifndef HAVE_APPEND_FL
# ifdef __linux__
# define HAVE_APPEND_FL 1
# endif /* __linux__ */
#endif /* ! HAVE_APPEND_FL */

#ifdef HAVE_APPEND_FL
/*
* We may want to use the append-only flag on /tmp/.private such that
* tmpwatch(8) does not remove users' temporary file directories and
* /tmp/.private itself. This would be a security problem because a malicious
* user would then be able to create a directory of this name and thus violate
* reasonable assumptions of temporary file using programs of other users that
* had TMPDIR set by pam_mktemp previously.
*
* stmpclean(8), which we have in Owl, does not remove root-owned directories
* (so it won't remove /tmp/.private) and switches to each directory's owner
* euid when it tries to remove other directories (so it won't actually remove
* subdirectories of /tmp/.private). Thus, we do not need the append-only flag
* on /tmp/.private on Owl.
*
* Since the append-only flag posed a usability problem (it was not immediately
* clear to many how to remove an Owl userland tree) and since it did not apply
* to tmpfs filesystems anyway, we now have this disabled by default. However,
* if /tmp/.private is already set to append-only (perhaps by an older version
* of pam_mktemp), we take care of resetting this flag for subdirectories of
* /tmp/.private (we don't let it get inherited, which would be the default).
*/
# include <fcntl.h>
# include <sys/ioctl.h>
# include <ext2fs/ext2_fs.h>
#else
# undef USE_APPEND_FL
#endif /* HAVE_APPEND_FL */

#define PAM_SM_SESSION
#if !defined(__LIBPAM_VERSION) && !defined(__LINUX_PAM__)
# include <security/pam_appl.h>
#endif
#include <security/pam_modules.h>

#if !defined(__LIBPAM_VERSION) && !defined(__LINUX_PAM__) && !defined(_OPENPAM)
/* Sun's PAM doesn't use const here, while Linux-PAM and OpenPAM do */
#define lo_const
#else
#define lo_const const
#endif

#if !defined(PAM_EXTERN) && !defined(PAM_STATIC)
# define PAM_EXTERN extern
#endif

#define PRIVATE_PREFIX "/tmp/.private"

#ifdef HAVE_APPEND_FL
static int ext2fs_chflags(const char *name, int set, int clear)
{
	int fd, old_flags, new_flags;
	int retval = 0;

	if ((fd = open(name, O_RDONLY)) < 0)
		return -1;

	if (ioctl(fd, EXT2_IOC_GETFLAGS, &old_flags)) {
		if ((errno == ENOTTY) /* Inappropriate ioctl for device */
		    || (errno == ENOSYS)) /* Function not implemented */
			errno = EOPNOTSUPP;
		close(fd);
		return -1;
	}

	new_flags = (old_flags | set) & ~clear;
	if (new_flags != old_flags)
		retval = ioctl(fd, EXT2_IOC_SETFLAGS, &new_flags);

	if (close(fd))
		retval = -1;
	return retval;
}
#endif /* HAVE_APPEND_FL */

#ifdef USE_SELINUX
static int check_scontext(const security_context_t scontext, const char *file)
{
	security_context_t fscon = NULL;
	int ret;

	if (getfilecon(file, &fscon) < 0)
		return -1;
	ret = selinux_file_context_cmp(scontext, fscon);
	freecon(fscon);

	return ret;
}
#endif /* USE_SELINUX */

static int assign(pam_handle_t *pamh, const char *name, const char *value)
{
	char *string;
	int rc;

	string = malloc(strlen(name) + strlen(value) + 2);
	if (!string)
		return PAM_BUF_ERR;

	sprintf(string, "%s=%s", name, value);
	rc = pam_putenv(pamh, string);
	free(string);
	return rc;
}

PAM_EXTERN int pam_sm_open_session(pam_handle_t *pamh, int flags,
	int argc, const char **argv)
{
	struct passwd *pw;
	struct group *gr;
	struct stat st;
	lo_const void *item;
	const char *user;
	char *userdir = NULL;
	int usergroups;
	int status;
#ifdef USE_SELINUX
	security_context_t old_fscreatecon, new_fscreatecon = NULL;
	int fscreatecon_saved = 0, selinux_enabled;
#endif /* USE_SELINUX */

	if (geteuid() != 0)
		return PAM_SESSION_ERR;

	status = pam_get_item(pamh, PAM_USER, &item);
	if (status != PAM_SUCCESS)
		return status;
	user = item;

	status = PAM_SESSION_ERR;

	/* "Can't happen" (the user should have been authenticated by now) */
	if (user[0] == '.' || strchr(user, '/'))
		return PAM_SESSION_ERR;

	if (!(pw = getpwnam(user)))
		return PAM_USER_UNKNOWN;
	memset(pw->pw_passwd, 0, strlen(pw->pw_passwd));

	/* Could have multiple UID 0 accounts, no need for separate directories */
	if (pw->pw_uid == 0) user = "root";

	/* If there's a private group for this user, use it as this makes it safe
	 * to su to another user (or root) even if su doesn't use this module. */
	usergroups = 0;
	if (pw->pw_uid != 0 && (gr = getgrgid(pw->pw_gid))) {
		memset(gr->gr_passwd, 0, strlen(gr->gr_passwd));
		if (!strcmp(user, gr->gr_name)) usergroups = 1;
	}

#ifdef USE_SELINUX
	/* Load SELinux file contexts configuration.
	 * In case of any error reported by SELinux functions, the error
	 * itself will be ignored (it is not a problem of the PAM module), but
	 * selinux_enabled will be reset to 0, to skip subsequent SELinux
	 * function calls. */
	selinux_enabled = is_selinux_enabled() > 0;
	if (selinux_enabled && matchpathcon_init_prefix(NULL, PRIVATE_PREFIX))
		selinux_enabled = 0;

	/* Save current file creation context. */
	if (selinux_enabled) {
		if (getfscreatecon(&old_fscreatecon))
			selinux_enabled = 0;
		else
			fscreatecon_saved = 1;
	}
	/* Set file creation context before mkdir() call. */
	if (selinux_enabled) {
		if (matchpathcon(PRIVATE_PREFIX, S_IFDIR, &new_fscreatecon) ||
		    setfscreatecon(new_fscreatecon))
			selinux_enabled = 0;
	}
#endif /* USE_SELINUX */

	/* This directory should be created at system installation or bootup time and
	 * never removed, or there's the obvious DoS possibility here. */
	if (mkdir(PRIVATE_PREFIX, 0711) && errno != EEXIST)
		goto out;

	if (lstat(PRIVATE_PREFIX, &st) ||
	    !S_ISDIR(st.st_mode) ||
	    st.st_uid != 0)
		goto out;

	if ((st.st_mode & 0777) != 0711 && chmod(PRIVATE_PREFIX, 0711))
		goto out;

#ifdef USE_SELINUX
	if (selinux_enabled &&
	    check_scontext(new_fscreatecon, PRIVATE_PREFIX) &&
	    setfilecon(PRIVATE_PREFIX, new_fscreatecon))
		selinux_enabled = 0;
#endif /* USE_SELINUX */

	/*
	 * At this point we have a directory which is only writable by root, and
	 * is itself in a root-owned +t directory (/tmp). Thus, only root can do
	 * anything in the directory or rename/unlink it and we can play safely.
	 */

#ifdef USE_APPEND_FL
	ext2fs_chflags(PRIVATE_PREFIX, EXT2_APPEND_FL, 0);
#endif /* USE_APPEND_FL */

	userdir = malloc(strlen(PRIVATE_PREFIX) + strlen(user) + 2);
	if (!userdir) {
		status = PAM_BUF_ERR;
		goto out;
	}
	sprintf(userdir, "%s/%s", PRIVATE_PREFIX, user);

#ifdef USE_SELINUX
	if (selinux_enabled) {
		freecon(new_fscreatecon);
		new_fscreatecon = NULL;
		if (matchpathcon(userdir, S_IFDIR, &new_fscreatecon) ||
		    setfscreatecon(new_fscreatecon))
			selinux_enabled = 0;
	}
#endif /* USE_SELINUX */

	if (mkdir(userdir, 01700)) {
		if (errno != EEXIST)
			goto out;
#ifdef HAVE_APPEND_FL
	} else {
		/* Don't let the append-only flag get inherited
		 * from the parent directory. */
		if (ext2fs_chflags(userdir, 0, EXT2_APPEND_FL) &&
		    errno != EOPNOTSUPP)
			goto out;
#endif /* HAVE_APPEND_FL */
	}

	if (usergroups) {
		if (chown(userdir, 0, pw->pw_gid) ||
		    chmod(userdir, 01770))
			goto out;
	} else {
		if (chmod(userdir, 01700) ||
		    chown(userdir, pw->pw_uid, pw->pw_gid))
			goto out;
	}

#ifdef USE_SELINUX
	if (selinux_enabled && check_scontext(new_fscreatecon, userdir))
		setfilecon(userdir, new_fscreatecon);
#endif /* USE_SELINUX */

	if ((status = assign(pamh, "TMPDIR", userdir)) != PAM_SUCCESS ||
	    (status = assign(pamh, "TMP", userdir)) != PAM_SUCCESS)
		goto out;

out:
#ifdef USE_SELINUX
	if (fscreatecon_saved) {
		if (setfscreatecon(old_fscreatecon) && status == PAM_SUCCESS)
			status = PAM_SESSION_ERR;
		freecon(old_fscreatecon);
	}
	freecon(new_fscreatecon);
	matchpathcon_fini();
#endif /* USE_SELINUX */
	free(userdir);

	return status;
}

PAM_EXTERN int pam_sm_close_session(pam_handle_t *pamh, int flags,
	int argc, const char **argv)
{
	/* There are good reasons to NOT remove the directory here, not even when
	 * it is empty. */
	return PAM_SUCCESS;
}

#ifdef PAM_STATIC
#define pam_sm_acct_mgmt pam_sm_open_session
#elif defined(__linux__) && defined(__ELF__)
__asm__(".globl pam_sm_acct_mgmt; pam_sm_acct_mgmt = pam_sm_open_session");
#else
PAM_EXTERN int pam_sm_acct_mgmt(pam_handle_t *pamh, int flags,
	int argc, const char **argv)
{
	return pam_sm_open_session(pamh, flags, argc, argv);
}
#endif

#ifdef PAM_STATIC
struct pam_module _pam_mktemp_modstruct = {
	"pam_mktemp",
	NULL,
	NULL,
	pam_sm_acct_mgmt,
	pam_sm_open_session,
	pam_sm_close_session,
	NULL
};
#endif

pam_mktemp-1.1.1/pam_mktemp.map

# $Owl$

{
	global:
		pam_sm_acct_mgmt;
		pam_sm_authenticate;
		pam_sm_chauthtok;
		pam_sm_close_session;
		pam_sm_open_session;
		pam_sm_setcred;
	local:
		*;
};

pam_mktemp-1.1.1/pam_mktemp.spec

# $Owl$

Summary: Pluggable private /tmp space support for interactive (shell) sessions.
Name: pam_mktemp
Version: 1.1.1
Release: owl1
License: BSD-compatible
Group: System Environment/Base
URL: http://www.openwall.com/pam/
Source: ftp://ftp.openwall.com/pub/projects/pam/modules/%name/%name-%version.tar.gz
BuildRequires: pam-devel, e2fsprogs-devel
BuildRoot: /override/%name-%version

%description
pam_mktemp is a PAM module which may be used with a PAM-aware login service
to provide per-user private directories under /tmp as a part of PAM session
or account management.

%prep
%setup -q

%build
make CFLAGS="%optflags -Wall -fPIC"

%install
rm -rf %buildroot
make install DESTDIR=%buildroot SECUREDIR=/%_lib/security

%post
mkdir -p -m 711 /tmp/.private

%if 0
# Disabled. See the comment in pam_mktemp.c for the rationale.
%triggerin -- e2fsprogs
if [ -d /tmp/.private -a -O /tmp/.private ]; then
	chattr +a /tmp/.private 2> /dev/null || :
fi
%endif

%files
%defattr(-,root,root)
%doc LICENSE README
/%_lib/security/pam_mktemp.so

%changelog
* Sat Sep 18 2010 Dmitry V. Levin <ldv-at-owl.openwall.com> 1.1.1-owl1
- In SELinux support, save and restore file creation context.

* Fri Sep 17 2010 Solar Designer <solar-at-owl.openwall.com> 1.1.0-owl1
- Documented the USE_SELINUX and USE_APPEND_FL compile-time settings.
- Added Solaris support (but GNU make and gcc are required by our Makefile).
- Updated the authorship, copyright, and licensing statements to use the
cut-down BSD license only (no public domain with a license fallback anymore,
which would be too cumbersome with significant contributions by two authors).

* Tue Sep 07 2010 Dmitry V. Levin <ldv-at-owl.openwall.com> 1.0.5-owl1
- Use ext2fs/ext2_fs.h instead of linux/ext2_fs.h to avoid potential
build problems with fresh kernel headers.
- Clear append-only flag from user directory iff the directory was
actually created.
- Replaced unsafe alloca(3) with malloc(3).
- Imported SELinux support from Sisyphus.

* Thu Sep 02 2010 Solar Designer <solar-at-owl.openwall.com> 1.0.4-owl1
- No longer set the append-only flag on /tmp/.private (see the comment in
pam_mktemp.c for the rationale).
- Placed the module into the public domain with fallback to a heavily cut-down
BSD license.

* Tue Apr 04 2006 Dmitry V. Levin <ldv-at-owl.openwall.com> 1.0.3-owl1
- Restricted list of global symbols exported by the PAM module
to standard set of six pam_sm_* functions.
- Changed Makefile to pass list of libraries to linker after regular
object files, to fix build with -Wl,--as-needed.
- Corrected specfile to make it build on x86_64.

* Mon Jan 09 2006 Dmitry V. Levin <ldv-at-owl.openwall.com> 1.0.2-owl1
- Replaced manual -DLINUX_PAM with Linux-PAM autodetection.
- Added workaround for build with Linux 2.6.x headers.

* Thu Aug 11 2005 Dmitry V. Levin <ldv-at-owl.openwall.com> 1.0.1-owl1
- Added support of filesystem drivers which fail with ENOSYS error code
in response to ioctl requests.

* Fri Mar 25 2005 Solar Designer <solar-at-owl.openwall.com> 1.0-owl1
- Corrected the source code to not break C strict aliasing rules.

* Sun Nov 02 2003 Solar Designer <solar-at-owl.openwall.com> 0.2.5-owl1
- Ignore errors from chattr as /tmp may be on tmpfs rather than ext[23]fs.
- When compiling with gcc, also link with gcc.
- Use "install -c" (makes a difference on some non-Linux systems).
- Moved the "-c" out of CFLAGS, renamed FAKEROOT to DESTDIR.

* Mon Jun 02 2003 Solar Designer <solar-at-owl.openwall.com> 0.2.4.1-owl1
- Added URL.

* Thu Apr 25 2002 Solar Designer <solar-at-owl.openwall.com> 0.2.4-owl1
- Use a trigger on e2fsprogs, don't assume that chattr(1) is available
at the time this package is installed.

* Tue Apr 02 2002 Solar Designer <solar-at-owl.openwall.com>
- Use '=' instead of '.set' to declare the alias.

* Sun Mar 31 2002 Solar Designer <solar-at-owl.openwall.com>
- Support running without CAP_LINUX_IMMUTABLE as long as this code is
_never_ executed with the capability; should probably switch to using
mode 511 for the directory instead of the append-only flag, this would
be sufficient against tmpwatch (will prevent it from traversing the
directory structure at all, but we now have stmpclean).

* Thu Mar 21 2002 Solar Designer <solar-at-owl.openwall.com>
- Deal with non-ext2fs correctly (again).

* Wed Mar 20 2002 Solar Designer <solar-at-owl.openwall.com>
- Don't let the append-only flag get inherited by per-user subdirectories.

* Wed Mar 13 2002 Solar Designer <solar-at-owl.openwall.com>
- Make the /tmp/.private directory append-only (where supported) such that
the directory or its subdirectories don't get removed by a /tmp cleaner.

* Thu Feb 07 2002 Michail Litvak <mci-at-owl.openwall.com>
- Enforce our new spec file conventions.

* Fri Nov 09 2001 Solar Designer <solar-at-owl.openwall.com>
- Support stacking for account management as well as for session setup.
- No longer set LYNX_TEMP_SPACE.

* Tue Dec 19 2000 Solar Designer <solar-at-owl.openwall.com>
- Initial version.
 