4 files changed, 193 insertions, 0 deletions
diff --git a/meta-oe/recipes-extended/pam/pam-plugin-ccreds/0001-make-sure-we-don-t-overflow-the-data-buffer.patch b/meta-oe/recipes-extended/pam/pam-plugin-ccreds/0001-make-sure-we-don-t-overflow-the-data-buffer.patch
new file mode 100644
index 0000000000..d7f8f5a966
--- /dev/null
+++ b/meta-oe/recipes-extended/pam/pam-plugin-ccreds/0001-make-sure-we-don-t-overflow-the-data-buffer.patch
@@ -0,0 +1,29 @@
+From 59a95494002ce57ace17d676544101e88a55265d Mon Sep 17 00:00:00 2001
+From: Nicolas Boullis <nicolas.boullis@ecp.fr>
+Date: Mon, 23 Mar 2009 10:46:44 +0100
+Subject: [PATCH 1/3] make sure we don't overflow the data buffer
+This patch was taken from Debian's libpam-ccreds v10-6 source:
+        0001-make-sure-we-don-t-overflow-the-data-buffer.patch
+Reviewed-by: Richard Leitner <richard.leitner@skidata.com>
+---
+ cc_db.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+diff --git a/cc_db.c b/cc_db.c
+index c0e0488..9371c4d 100644
+--- a/cc_db.c
+++ b/cc_db.c
+@@ -199,7 +199,7 @@ int pam_cc_db_get(void *_db, const char *keyname, size_t keylength,
+                return (rc == DB_NOTFOUND) ? PAM_AUTHINFO_UNAVAIL : PAM_SERVICE_ERR;
+        }
+ 
+-       if (val.size < *size) {
+       if (val.size > *size) {
+                return PAM_BUF_ERR;
+        }
+ 
+-- 
+2.11.0
diff --git a/meta-oe/recipes-extended/pam/pam-plugin-ccreds/0002-add-minimum_uid-option.patch b/meta-oe/recipes-extended/pam/pam-plugin-ccreds/0002-add-minimum_uid-option.patch
new file mode 100644
index 0000000000..adc464924d
--- /dev/null
+++ b/meta-oe/recipes-extended/pam/pam-plugin-ccreds/0002-add-minimum_uid-option.patch
@@ -0,0 +1,97 @@
+From 21e3ab24836c5087f3531d2d3270242cea857a79 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Guido=20G=C3=BCnther?= <agx@sigxcpu.org>
+Date: Thu, 13 May 2010 12:36:26 +0200
+Subject: [PATCH 2/3] add minimum_uid option
+Closes: #580037
+This patch was taken from Debian's libpam-ccreds v10-6 source:
+        0002-add-minimum_uid-option.patch
+Reviewed-by: Richard Leitner <richard.leitner@skidata.com>
+---
+ cc_pam.c | 39 +++++++++++++++++++++++++++++++++++++++
+ 1 file changed, 39 insertions(+)
+diff --git a/cc_pam.c b/cc_pam.c
+index d096117..56776aa 100644
+--- a/cc_pam.c
+++ b/cc_pam.c
+@@ -20,6 +20,7 @@
+ #include <errno.h>
+ #include <limits.h>
+ #include <syslog.h>
+#include <pwd.h>
+ 
+ #include "cc_private.h"
+ 
+@@ -45,6 +46,30 @@ PAM_EXTERN int pam_sm_acct_mgmt(pam_handle_t *pamh,
+                                int flags, int argc, const char **argv);
+ #endif
+ 
+
+/*
+ * Given the PAM arguments and the user we're authenticating, see if we should
+ * ignore that user because they're root or have a low-numbered UID and we
+ * were configured to ignore such users.  Returns true if we should ignore
+ * them, false otherwise.
+ */
+static int
+_pamcc_should_ignore(const char *username, int minimum_uid)
+{
+       struct passwd *pwd;
+
+       if (minimum_uid > 0) {
+               pwd = getpwnam(username);
+               if (pwd != NULL && pwd->pw_uid < (unsigned long) minimum_uid) {
+                       syslog(LOG_DEBUG, "ignoring low-UID user (%lu < %d)",
+                               (unsigned long) pwd->pw_uid, minimum_uid);
+                       return 1;
+               }
+       }
+       return 0;
+}
+
+
+ static int _pam_sm_interact(pam_handle_t *pamh,
+                            int flags,
+                            const char **authtok)
+@@ -291,7 +316,9 @@ PAM_EXTERN int pam_sm_authenticate(pam_handle_t *pamh,
+        unsigned int sm_flags = 0, sm_action = 0;
+        const char *ccredsfile = NULL;
+        const char *action = NULL;
+       const char *name = NULL;
+        int (*selector)(pam_handle_t *, int, unsigned int, const char *);
+       int minimum_uid = 0;
+ 
+        for (i = 0; i < argc; i++) {
+                if (strcmp(argv[i], "use_first_pass") == 0)
+@@ -300,6 +327,8 @@ PAM_EXTERN int pam_sm_authenticate(pam_handle_t *pamh,
+                        sm_flags |= SM_FLAGS_TRY_FIRST_PASS;
+                else if (strcmp(argv[i], "service_specific") == 0)
+                        sm_flags |= SM_FLAGS_SERVICE_SPECIFIC;
+               else if (strncmp(argv[i], "minimum_uid=", sizeof("minimum_uid=") - 1) == 0)
+                       minimum_uid = atoi(argv[i] + sizeof("minimum_uid=") - 1);
+                else if (strncmp(argv[i], "ccredsfile=", sizeof("ccredsfile=") - 1) == 0)
+                        ccredsfile = argv[i] + sizeof("ccredsfile=") - 1;
+                else if (strncmp(argv[i], "action=", sizeof("action=") - 1) == 0)
+@@ -321,6 +350,16 @@ PAM_EXTERN int pam_sm_authenticate(pam_handle_t *pamh,
+                syslog(LOG_ERR, "pam_ccreds: invalid action \"%s\"", action);
+        }
+ 
+       rc = pam_get_user(pamh, &name, NULL);
+       if (rc != PAM_SUCCESS || name == NULL) {
+               if (rc == PAM_CONV_AGAIN)
+                       return PAM_INCOMPLETE;
+               else
+                       return PAM_SERVICE_ERR;
+       }
+       if (_pamcc_should_ignore(name, minimum_uid))
+               return PAM_USER_UNKNOWN;
+
+        switch (sm_action) {
+        case SM_ACTION_VALIDATE_CCREDS:
+                selector = _pam_sm_validate_cached_credentials;
+-- 
+2.11.0
diff --git a/meta-oe/recipes-extended/pam/pam-plugin-ccreds/0003-Set-EXTENSION_SO-for-all-linux-targets.patch b/meta-oe/recipes-extended/pam/pam-plugin-ccreds/0003-Set-EXTENSION_SO-for-all-linux-targets.patch
new file mode 100644
index 0000000000..988c374428
--- /dev/null
+++ b/meta-oe/recipes-extended/pam/pam-plugin-ccreds/0003-Set-EXTENSION_SO-for-all-linux-targets.patch
@@ -0,0 +1,40 @@
+From 2b137b0364c57505a95cb498660e3b97b557540d Mon Sep 17 00:00:00 2001
+From: Richard Leitner <richard.leitner@skidata.com>
+Date: Fri, 1 Jun 2018 13:24:15 +0200
+Subject: [PATCH 3/3] Set EXTENSION_SO for all linux* targets
+As EXTENSION_SO gets already set for linux and linux-gnu targets we
+should set it for all linux* targets. This is done by introducing a new
+"LINUX" value for the "TARGET_OS" helper variable.
+Signed-off-by: Richard Leitner <richard.leitner@skidata.com>
+---
+ configure.in | 5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+diff --git a/configure.in b/configure.in
+index 0dbdf79..3829d9f 100644
+--- a/configure.in
+++ b/configure.in
+@@ -35,7 +35,8 @@ hpux*) pam_ccreds_so_LD="/bin/ld"
+   TARGET_OS="HPUX" ;;
+ solaris*) pam_ccreds_so_LD="/usr/ccs/bin/ld"
+   pam_ccreds_so_LDFLAGS="-B dynamic -M \$(srcdir)/exports.solaris -G -B group -lc" ;;
+-linux*) pam_ccreds_so_LDFLAGS="-shared -Wl,-Bdynamic -Wl,--version-script,\$(srcdir)/exports.linux" ;;
+linux*) pam_ccreds_so_LDFLAGS="-shared -Wl,-Bdynamic -Wl,--version-script,\$(srcdir)/exports.linux"
+  TARGET_OS="LINUX" ;;
+ *) pam_ccreds_so_LDFLAGS="-shared" ;;
+ esac
+ 
+@@ -43,7 +44,7 @@ AC_SUBST(pam_ccreds_so_LD)
+ AC_SUBST(pam_ccreds_so_LDFLAGS)
+ 
+ AM_CONDITIONAL(USE_NATIVE_LINKER, test -n "$pam_ccreds_so_LD")
+-AM_CONDITIONAL(EXTENSION_SO, test "$target_os" = "linux" -o "$target_os" = "linux-gnu")
+AM_CONDITIONAL(EXTENSION_SO, test "$TARGET_OS" = "LINUX")
+ AM_CONDITIONAL(EXTENSION_1, test "$TARGET_OS" = "HPUX")
+ 
+ if test -z "$use_gcrypt"; then
+-- 
+2.11.0
diff --git a/meta-oe/recipes-extended/pam/pam-plugin-ccreds_11.bb b/meta-oe/recipes-extended/pam/pam-plugin-ccreds_11.bb
new file mode 100644
index 0000000000..9a21d90456
--- /dev/null
+++ b/meta-oe/recipes-extended/pam/pam-plugin-ccreds_11.bb
@@ -0,0 +1,27 @@
+SUMMARY = "PAM cached credentials module"
+HOMEPAGE = "https://www.padl.com/OSS/pam_ccreds.html"
+SECTION = "libs"
+LICENSE = "GPLv2"
+LIC_FILES_CHKSUM = "file://COPYING;md5=94d55d512a9ba36caa9b7df079bae19f"
+DEPENDS = "libpam openssl db"
+inherit distro_features_check
+REQUIRED_DISTRO_FEATURES = "pam"
+SRCREV = "376bb189ceb3a113954f1012c45be7ff09e148ba"
+SRC_URI = " \
+    git://github.com/PADL/pam_ccreds \
+    file://0001-make-sure-we-don-t-overflow-the-data-buffer.patch \
+    file://0002-add-minimum_uid-option.patch \
+    file://0003-Set-EXTENSION_SO-for-all-linux-targets.patch \
+"
+S = "${WORKDIR}/git"
+inherit autotools
+EXTRA_OECONF += "--libdir=${base_libdir} "
+FILES_${PN} += "${base_libdir}/security/pam*"

diff --git a/meta-oe/recipes-extended/pam/pam-plugin-ccreds/0001-make-sure-we-don-t-overflow-the-data-buffer.patch b/meta-oe/recipes-extended/pam/pam-plugin-ccreds/0001-make-sure-we-don-t-overflow-the-data-buffer.patch new file mode 100644 index 0000000000..d7f8f5a966 --- /dev/null +++ b/meta-oe/recipes-extended/pam/pam-plugin-ccreds/0001-make-sure-we-don-t-overflow-the-data-buffer.patch
@@ -0,0 +1,29 @@
	1	From 59a95494002ce57ace17d676544101e88a55265d Mon Sep 17 00:00:00 2001
	2	From: Nicolas Boullis <nicolas.boullis@ecp.fr>
	3	Date: Mon, 23 Mar 2009 10:46:44 +0100
	4	Subject: [PATCH 1/3] make sure we don't overflow the data buffer
	5
	6	This patch was taken from Debian's libpam-ccreds v10-6 source:
	7	0001-make-sure-we-don-t-overflow-the-data-buffer.patch
	8
	9	Reviewed-by: Richard Leitner <richard.leitner@skidata.com>
	10	---
	11	cc_db.c \| 2 +-
	12	1 file changed, 1 insertion(+), 1 deletion(-)
	13
	14	diff --git a/cc_db.c b/cc_db.c
	15	index c0e0488..9371c4d 100644
	16	--- a/cc_db.c
	17	+++ b/cc_db.c
	18	@@ -199,7 +199,7 @@ int pam_cc_db_get(void _db, const char keyname, size_t keylength,
	19	return (rc == DB_NOTFOUND) ? PAM_AUTHINFO_UNAVAIL : PAM_SERVICE_ERR;
	20	}
	21
	22	- if (val.size < *size) {
	23	+ if (val.size > *size) {
	24	return PAM_BUF_ERR;
	25	}
	26
	27	--
	28	2.11.0
	29


diff --git a/meta-oe/recipes-extended/pam/pam-plugin-ccreds/0002-add-minimum_uid-option.patch b/meta-oe/recipes-extended/pam/pam-plugin-ccreds/0002-add-minimum_uid-option.patch new file mode 100644 index 0000000000..adc464924d --- /dev/null +++ b/meta-oe/recipes-extended/pam/pam-plugin-ccreds/0002-add-minimum_uid-option.patch
@@ -0,0 +1,97 @@
	1	From 21e3ab24836c5087f3531d2d3270242cea857a79 Mon Sep 17 00:00:00 2001
	2	From: =?UTF-8?q?Guido=20G=C3=BCnther?= <agx@sigxcpu.org>
	3	Date: Thu, 13 May 2010 12:36:26 +0200
	4	Subject: [PATCH 2/3] add minimum_uid option
	5
	6	Closes: #580037
	7
	8	This patch was taken from Debian's libpam-ccreds v10-6 source:
	9	0002-add-minimum_uid-option.patch
	10
	11	Reviewed-by: Richard Leitner <richard.leitner@skidata.com>
	12	---
	13	cc_pam.c \| 39 +++++++++++++++++++++++++++++++++++++++
	14	1 file changed, 39 insertions(+)
	15
	16	diff --git a/cc_pam.c b/cc_pam.c
	17	index d096117..56776aa 100644
	18	--- a/cc_pam.c
	19	+++ b/cc_pam.c
	20	@@ -20,6 +20,7 @@
	21	#include <errno.h>
	22	#include <limits.h>
	23	#include <syslog.h>
	24	+#include <pwd.h>
	25
	26	#include "cc_private.h"
	27
	28	@@ -45,6 +46,30 @@ PAM_EXTERN int pam_sm_acct_mgmt(pam_handle_t *pamh,
	29	int flags, int argc, const char **argv);
	30	#endif
	31
	32	+
	33	+/*
	34	+ * Given the PAM arguments and the user we're authenticating, see if we should
	35	+ * ignore that user because they're root or have a low-numbered UID and we
	36	+ * were configured to ignore such users. Returns true if we should ignore
	37	+ * them, false otherwise.
	38	+ */
	39	+static int
	40	+_pamcc_should_ignore(const char *username, int minimum_uid)
	41	+{
	42	+ struct passwd *pwd;
	43	+
	44	+ if (minimum_uid > 0) {
	45	+ pwd = getpwnam(username);
	46	+ if (pwd != NULL && pwd->pw_uid < (unsigned long) minimum_uid) {
	47	+ syslog(LOG_DEBUG, "ignoring low-UID user (%lu < %d)",
	48	+ (unsigned long) pwd->pw_uid, minimum_uid);
	49	+ return 1;
	50	+ }
	51	+ }
	52	+ return 0;
	53	+}
	54	+
	55	+
	56	static int _pam_sm_interact(pam_handle_t *pamh,
	57	int flags,
	58	const char **authtok)
	59	@@ -291,7 +316,9 @@ PAM_EXTERN int pam_sm_authenticate(pam_handle_t *pamh,
	60	unsigned int sm_flags = 0, sm_action = 0;
	61	const char *ccredsfile = NULL;
	62	const char *action = NULL;
	63	+ const char *name = NULL;
	64	int (selector)(pam_handle_t , int, unsigned int, const char *);
	65	+ int minimum_uid = 0;
	66
	67	for (i = 0; i < argc; i++) {
	68	if (strcmp(argv[i], "use_first_pass") == 0)
	69	@@ -300,6 +327,8 @@ PAM_EXTERN int pam_sm_authenticate(pam_handle_t *pamh,
	70	sm_flags \|= SM_FLAGS_TRY_FIRST_PASS;
	71	else if (strcmp(argv[i], "service_specific") == 0)
	72	sm_flags \|= SM_FLAGS_SERVICE_SPECIFIC;
	73	+ else if (strncmp(argv[i], "minimum_uid=", sizeof("minimum_uid=") - 1) == 0)
	74	+ minimum_uid = atoi(argv[i] + sizeof("minimum_uid=") - 1);
	75	else if (strncmp(argv[i], "ccredsfile=", sizeof("ccredsfile=") - 1) == 0)
	76	ccredsfile = argv[i] + sizeof("ccredsfile=") - 1;
	77	else if (strncmp(argv[i], "action=", sizeof("action=") - 1) == 0)
	78	@@ -321,6 +350,16 @@ PAM_EXTERN int pam_sm_authenticate(pam_handle_t *pamh,
	79	syslog(LOG_ERR, "pam_ccreds: invalid action \"%s\"", action);
	80	}
	81
	82	+ rc = pam_get_user(pamh, &name, NULL);
	83	+ if (rc != PAM_SUCCESS \|\| name == NULL) {
	84	+ if (rc == PAM_CONV_AGAIN)
	85	+ return PAM_INCOMPLETE;
	86	+ else
	87	+ return PAM_SERVICE_ERR;
	88	+ }
	89	+ if (_pamcc_should_ignore(name, minimum_uid))
	90	+ return PAM_USER_UNKNOWN;
	91	+
	92	switch (sm_action) {
	93	case SM_ACTION_VALIDATE_CCREDS:
	94	selector = _pam_sm_validate_cached_credentials;
	95	--
	96	2.11.0
	97


diff --git a/meta-oe/recipes-extended/pam/pam-plugin-ccreds/0003-Set-EXTENSION_SO-for-all-linux-targets.patch b/meta-oe/recipes-extended/pam/pam-plugin-ccreds/0003-Set-EXTENSION_SO-for-all-linux-targets.patch new file mode 100644 index 0000000000..988c374428 --- /dev/null +++ b/meta-oe/recipes-extended/pam/pam-plugin-ccreds/0003-Set-EXTENSION_SO-for-all-linux-targets.patch
@@ -0,0 +1,40 @@
	1	From 2b137b0364c57505a95cb498660e3b97b557540d Mon Sep 17 00:00:00 2001
	2	From: Richard Leitner <richard.leitner@skidata.com>
	3	Date: Fri, 1 Jun 2018 13:24:15 +0200
	4	Subject: [PATCH 3/3] Set EXTENSION_SO for all linux* targets
	5
	6	As EXTENSION_SO gets already set for linux and linux-gnu targets we
	7	should set it for all linux* targets. This is done by introducing a new
	8	"LINUX" value for the "TARGET_OS" helper variable.
	9
	10	Signed-off-by: Richard Leitner <richard.leitner@skidata.com>
	11	---
	12	configure.in \| 5 +++--
	13	1 file changed, 3 insertions(+), 2 deletions(-)
	14
	15	diff --git a/configure.in b/configure.in
	16	index 0dbdf79..3829d9f 100644
	17	--- a/configure.in
	18	+++ b/configure.in
	19	@@ -35,7 +35,8 @@ hpux*) pam_ccreds_so_LD="/bin/ld"
	20	TARGET_OS="HPUX" ;;
	21	solaris*) pam_ccreds_so_LD="/usr/ccs/bin/ld"
	22	pam_ccreds_so_LDFLAGS="-B dynamic -M \$(srcdir)/exports.solaris -G -B group -lc" ;;
	23	-linux*) pam_ccreds_so_LDFLAGS="-shared -Wl,-Bdynamic -Wl,--version-script,\$(srcdir)/exports.linux" ;;
	24	+linux*) pam_ccreds_so_LDFLAGS="-shared -Wl,-Bdynamic -Wl,--version-script,\$(srcdir)/exports.linux"
	25	+ TARGET_OS="LINUX" ;;
	26	*) pam_ccreds_so_LDFLAGS="-shared" ;;
	27	esac
	28
	29	@@ -43,7 +44,7 @@ AC_SUBST(pam_ccreds_so_LD)
	30	AC_SUBST(pam_ccreds_so_LDFLAGS)
	31
	32	AM_CONDITIONAL(USE_NATIVE_LINKER, test -n "$pam_ccreds_so_LD")
	33	-AM_CONDITIONAL(EXTENSION_SO, test "$target_os" = "linux" -o "$target_os" = "linux-gnu")
	34	+AM_CONDITIONAL(EXTENSION_SO, test "$TARGET_OS" = "LINUX")
	35	AM_CONDITIONAL(EXTENSION_1, test "$TARGET_OS" = "HPUX")
	36
	37	if test -z "$use_gcrypt"; then
	38	--
	39	2.11.0
	40


diff --git a/meta-oe/recipes-extended/pam/pam-plugin-ccreds_11.bb b/meta-oe/recipes-extended/pam/pam-plugin-ccreds_11.bb new file mode 100644 index 0000000000..9a21d90456 --- /dev/null +++ b/meta-oe/recipes-extended/pam/pam-plugin-ccreds_11.bb
@@ -0,0 +1,27 @@
	1	SUMMARY = "PAM cached credentials module"
	2	HOMEPAGE = "https://www.padl.com/OSS/pam_ccreds.html"
	3	SECTION = "libs"
	4	LICENSE = "GPLv2"
	5	LIC_FILES_CHKSUM = "file://COPYING;md5=94d55d512a9ba36caa9b7df079bae19f"
	6
	7	DEPENDS = "libpam openssl db"
	8
	9	inherit distro_features_check
	10	REQUIRED_DISTRO_FEATURES = "pam"
	11
	12	SRCREV = "376bb189ceb3a113954f1012c45be7ff09e148ba"
	13
	14	SRC_URI = " \
	15	git://github.com/PADL/pam_ccreds \
	16	file://0001-make-sure-we-don-t-overflow-the-data-buffer.patch \
	17	file://0002-add-minimum_uid-option.patch \
	18	file://0003-Set-EXTENSION_SO-for-all-linux-targets.patch \
	19	"
	20
	21	S = "${WORKDIR}/git"
	22
	23	inherit autotools
	24
	25	EXTRA_OECONF += "--libdir=${base_libdir} "
	26
	27	FILES_${PN} += "${base_libdir}/security/pam*"