NetBSD Problem Report #47269
From root@nb6i386.its.iastate.edu Fri Nov 30 23:06:49 2012
Return-Path: <root@nb6i386.its.iastate.edu>
Received: from mail.netbsd.org (mail.netbsd.org [149.20.53.66])
by www.NetBSD.org (Postfix) with ESMTP id 8727363DFC7
for <gnats-bugs@gnats.NetBSD.org>; Fri, 30 Nov 2012 23:06:49 +0000 (UTC)
Message-Id: <20121130230646.4FAE61C868D@nb6i386.its.iastate.edu>
Date: Fri, 30 Nov 2012 17:06:46 -0600 (CST)
From: jdwhite@iastate.edu
Reply-To: jdwhite@iastate.edu
To: gnats-bugs@gnats.NetBSD.org
Subject: Patch to fix security/pam-radius
X-Send-Pr-Version: 3.95
>Number: 47269
>Category: pkg
>Synopsis: Fixes broken pam module on 5.2/6.0, i386/amd64
>Confidential: no
>Severity: serious
>Priority: medium
>Responsible: bsiegert
>State: closed
>Class: change-request
>Submitter-Id: net
>Arrival-Date: Fri Nov 30 23:10:00 +0000 2012
>Closed-Date: Sat Oct 03 13:47:44 +0000 2015
>Last-Modified: Sat Oct 03 13:47:44 +0000 2015
>Originator: Charlie Root
>Release: NetBSD 6.0
>Organization:
>Environment:
System: NetBSD nb6i386.its.iastate.edu 6.0 NetBSD 6.0 (GENERIC) i386
Architecture: i386
Machine: i386
>Description:
Tested on 5.2 i386/amd64 and 6.0 i386/amd64. Same exact issue in all
four environments.
pam_radius_auth.so compiles, but when invoked the following message
appears in /var/log/messages:
in openpam_dispatch(): pam_radius_auth.so: no pam_sm_authenticate()
Control is passed to the next entry in the PAM stack.
>How-To-Repeat:
Stock build from pkgsrc-current and the following in /etc/pam.d/su (or
sudo) placed before the pam_unix line:
auth required pam_radius_auth.so debug
(Note: I symlinked /usr/lib/security/pam_radius_auth.so to
/usr/pkg/lib/security/pam_radius_auth.so)
>Fix:
Module must be compiled with -DNO_STATIC_MODULES.
Patch follows and corrects the following:
- Adds -DNO_STATIC_MODULES to pam-radius source's Makefile CFLAGS.
- Fixes numerous compiler warnings.
- Bumps the version of pam-radius to 1.3.17 which adds the following
options (the 'ruser' option is of particular importance to me):
1.3.17
------
Allow any number of retries, instead of only up to 3.
Add ruser option, to authenticate as PAM_RUSER instead of PAM_USER,
to allow applications such as 'su' to authenticate as the real user.
Patch from David Mitchell.
Add 'localifdown' option.
Module was tested against an RSA SecurID server and functioned perfectly
on NetBSD 5.2 i386/amd64 and NetBSD 6.0 i386/amd64.
Index: Makefile
===================================================================
RCS file: /cvsroot/pkgsrc/security/pam-radius/Makefile,v
retrieving revision 1.4
diff -u -U 1 -r1.4 Makefile
--- Makefile 23 Oct 2012 18:16:48 -0000 1.4
+++ Makefile 30 Nov 2012 22:24:28 -0000
@@ -3,3 +3,3 @@
PKGNAME= ${DISTNAME:S/_/-/}
-DISTNAME= pam_radius-1.3.16
+DISTNAME= pam_radius-1.3.17
CATEGORIES= security
@@ -12,3 +12,3 @@
NO_CONFIGURE= YES
-EXTRACT_SUFX= .tar
+EXTRACT_SUFX= .tar.gz
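Review bot: `EXTRACT_SUFX= .tar.gz` at the end of this Makefile hunk restates the pkgsrc default suffix, so the line is redundant. Since the distfile is now a plain `.tar.gz`, delete the `EXTRACT_SUFX` assignment instead of changing its value.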
Index: distinfo
===================================================================
RCS file: /cvsroot/pkgsrc/security/pam-radius/distinfo,v
retrieving revision 1.2
diff -u -U 1 -r1.2 distinfo
--- distinfo 21 Feb 2009 00:06:52 -0000 1.2
+++ distinfo 30 Nov 2012 22:24:28 -0000
@@ -2,5 +2,6 @@
-SHA1 (pam_radius-1.3.16.tar) = 127352a693bafd9f32dd80ecece57de2bc1c19b8
-RMD160 (pam_radius-1.3.16.tar) = 6fb69c357b01ba5ac026b186de9be0e3f92c3fcd
-Size (pam_radius-1.3.16.tar) = 112640 bytes
-SHA1 (patch-aa) = a52b9561ca552a7b35b65b3f3361f5ab1bdf872e
+SHA1 (pam_radius-1.3.17.tar.gz) = 7623ca1b636bba729c69c3f50254b856bb4519a7
+RMD160 (pam_radius-1.3.17.tar.gz) = c3873d5a4275170420f98c2f37def0593293f463
+Size (pam_radius-1.3.17.tar.gz) = 31341 bytes
+SHA1 (patch-Makefile) = 192a300d690aa096fd31b3ffdb2394761ded23cc
+SHA1 (patch-pam_radius_auth.c) = ac1886fc20757a3787f57071c514e4518b4c25bd
cvs diff: Diffing patches
Index: patches/patch-Makefile
===================================================================
RCS file: patches/patch-Makefile
diff -N patches/patch-Makefile
--- /dev/null 1 Jan 1970 00:00:00 -0000
+++ patches/patch-Makefile 30 Nov 2012 22:24:28 -0000
@@ -0,0 +1,7 @@
+--- Makefile 2007-03-25 23:22:11.000000000 -0500
++++ Makefile 2012-11-30 15:29:34.000000000 -0600
+@@ -17,3 +17,3 @@
+ #
+-CFLAGS = -Wall -fPIC
++CFLAGS = -Wall -fPIC -DNO_STATIC_MODULES
+ #
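Review bot: patches/patch-Makefile starts directly at `--- Makefile`, with no `$NetBSD$` id line and no comment, whereas the patch-aa removed in this same PR carries an id line. Add the id line and a short description of why `-DNO_STATIC_MODULES` is needed (per the PR description, without it openpam_dispatch() logs `no pam_sm_authenticate()` and the module is skipped), so the reason is recorded in the patch file itself. The same applies to patches/patch-pam_radius_auth.c.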
Index: patches/patch-aa
===================================================================
RCS file: patches/patch-aa
diff -N patches/patch-aa
--- patches/patch-aa 21 Feb 2009 00:06:52 -0000 1.1
+++ /dev/null 1 Jan 1970 00:00:00 -0000
@@ -1,14 +0,0 @@
-$NetBSD: patch-aa,v 1.1 2009/02/21 00:06:52 adrianp Exp $
-
---- md5.h.orig 2003-04-29 13:19:16.000000000 -0700
-+++ md5.h
-@@ -15,6 +15,9 @@
- #define MD5Transform pra_MD5Transform
-
- #include <sys/types.h>
-+#ifndef u_int32_t
-+#define u_int32_t uint32_t
-+#endif
- #define uint32 u_int32_t
-
- struct MD5Context {
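Review bot: the removal of patch-aa is not explained anywhere in the Fix section, which lists only the CFLAGS change, the warning fixes and the version bump. Please state whether md5.h in 1.3.17 still uses `u_int32_t` without the `#ifndef u_int32_t` fallback this patch supplied, and whether the build was checked without it on anything other than the NetBSD 5.2 and 6.0 systems named in the report.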
Index: patches/patch-pam_radius_auth.c
===================================================================
RCS file: patches/patch-pam_radius_auth.c
diff -N patches/patch-pam_radius_auth.c
--- /dev/null 1 Jan 1970 00:00:00 -0000
+++ patches/patch-pam_radius_auth.c 30 Nov 2012 22:24:28 -0000
@@ -0,0 +1,36 @@
+--- pam_radius_auth.c 2007-03-26 04:36:13.000000000 -0500
++++ pam_radius_auth.c 2012-11-30 15:53:29.000000000 -0600
+@@ -58,6 +58,5 @@
+ #include <errno.h>
++#include <sys/types.h>
+
+-#ifdef sun
+ #include <security/pam_appl.h>
+-#endif
+ #include <security/pam_modules.h>
+@@ -184,3 +183,3 @@
+ while(*ip_str != '.' && *ip_str != '\0' && count < 4) {
+- if(!isdigit(*ip_str)) {
++ if(!isdigit((unsigned char)*ip_str)) {
+ return((UINT4)0);
+@@ -220,3 +219,3 @@
+ digit_count = 0;
+- } else if(!isdigit(*addr)) {
++ } else if(!isdigit((unsigned char)*addr)) {
+ dot_count = 5;
+@@ -276,3 +275,3 @@
+ if (!server->port) {
+- if (p && isdigit(*p)) { /* the port looks like it's a number */
++ if (p && isdigit((unsigned char)*p)) { /* the port looks like it's a number */
+ unsigned int i = atoi(p) & 0xffff;
+@@ -768,3 +767,4 @@
+ {
+- int salen, total_length;
++ socklen_t salen;
++ int total_length;
+ fd_set set;
+@@ -1101,3 +1101,3 @@
+ if (!strcmp("root", user)) {
+- user = userinfo;
++ user = (char *)userinfo;
+ DPRINT(LOG_DEBUG, "Username now %s from ruser", user);
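Review bot: in the last inner hunk (`@@ -1101,3 +1101,3 @@`), `user = (char *)userinfo;` silences the warning with a cast instead of fixing the type mismatch. If `userinfo` is const-qualified, the cast discards that and the compiler will no longer flag a later write through `user`; prefer giving `user` a matching const-qualified type, or copy the string if it has to be modified. Separately, in the `@@ -276,3 +275,3 @@` hunk the `isdigit()` cast is correct, but only the first character of `p` is checked before `atoi(p) & 0xffff`, so trailing non-digits and values above 65535 are silently accepted as a port. Since the line is being touched anyway, a full parse with an end-pointer and a range check would be stricter.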
>Release-Note:
>Audit-Trail:
Responsible-Changed-From-To: pkg-manager->bsiegert
Responsible-Changed-By: bsiegert@NetBSD.org
Responsible-Changed-When: Sat, 08 Aug 2015 19:47:16 +0000
Responsible-Changed-Why:
I like bugreports that include a patch.
From: "Benny Siegert" <bsiegert@netbsd.org>
To: gnats-bugs@gnats.NetBSD.org
Cc:
Subject: PR/47269 CVS commit: pkgsrc/security/pam-radius
Date: Sat, 26 Sep 2015 20:01:27 +0000
Module Name: pkgsrc
Committed By: bsiegert
Date: Sat Sep 26 20:01:27 UTC 2015
Modified Files:
pkgsrc/security/pam-radius: Makefile distinfo
Added Files:
pkgsrc/security/pam-radius/patches: patch-Makefile
patch-pam_radius_auth.c
Removed Files:
pkgsrc/security/pam-radius/patches: patch-aa
Log Message:
Update pam_radius to 1.3.17, patch from PR pkg/47269.
Allow any number of retries, instead of only up to 3.
Add ruser option, to authenticate as PAM_RUSER instead of PAM_USER,
to allow applications such as 'su' to authenticate as the real user.
Patch from David Mitchell.
Add 'localifdown' option.
To generate a diff of this commit:
cvs rdiff -u -r1.4 -r1.5 pkgsrc/security/pam-radius/Makefile
cvs rdiff -u -r1.2 -r1.3 pkgsrc/security/pam-radius/distinfo
cvs rdiff -u -r0 -r1.1 pkgsrc/security/pam-radius/patches/patch-Makefile \
pkgsrc/security/pam-radius/patches/patch-pam_radius_auth.c
cvs rdiff -u -r1.1 -r0 pkgsrc/security/pam-radius/patches/patch-aa
Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.
State-Changed-From-To: open->closed
State-Changed-By: bsiegert@NetBSD.org
State-Changed-When: Sat, 03 Oct 2015 13:47:44 +0000
State-Changed-Why:
Submitted, thanks!
>Unformatted: