NetBSD Problem Report #47269

From root@nb6i386.its.iastate.edu  Fri Nov 30 23:06:49 2012
Return-Path: <root@nb6i386.its.iastate.edu>
Received: from mail.netbsd.org (mail.netbsd.org [149.20.53.66])
	by www.NetBSD.org (Postfix) with ESMTP id 8727363DFC7
	for <gnats-bugs@gnats.NetBSD.org>; Fri, 30 Nov 2012 23:06:49 +0000 (UTC)
Message-Id: <20121130230646.4FAE61C868D@nb6i386.its.iastate.edu>
Date: Fri, 30 Nov 2012 17:06:46 -0600 (CST)
From: jdwhite@iastate.edu
Reply-To: jdwhite@iastate.edu
To: gnats-bugs@gnats.NetBSD.org
Subject: Patch to fix security/pam-radius
X-Send-Pr-Version: 3.95

>Number:         47269
>Category:       pkg
>Synopsis:       Fixes broken pam module on 5.2/6.0, i386/amd64
>Confidential:   no
>Severity:       serious
>Priority:       medium
>Responsible:    bsiegert
>State:          closed
>Class:          change-request
>Submitter-Id:   net
>Arrival-Date:   Fri Nov 30 23:10:00 +0000 2012
>Closed-Date:    Sat Oct 03 13:47:44 +0000 2015
>Last-Modified:  Sat Oct 03 13:47:44 +0000 2015
>Originator:     Charlie Root
>Release:        NetBSD 6.0
>Organization:
>Environment:
System: NetBSD nb6i386.its.iastate.edu 6.0 NetBSD 6.0 (GENERIC) i386
Architecture: i386
Machine: i386
>Description:
Tested on 5.2 i386/amd64 and 6.0 i386/amd64.  Same exact issue in all 
four environments.

pam_radius_auth.so compiles, but when invoked the following message 
appears in /var/log/messages:

  in openpam_dispatch(): pam_radius_auth.so: no pam_sm_authenticate()

Control is passed to the next entry in the PAM stack.

>How-To-Repeat:
Stock build from pkgsrc-current and the following in /etc/pam.d/su (or 
sudo) placed before the pam_unix line:

auth            required        pam_radius_auth.so      debug

(Note: I symlinked /usr/lib/security/pam_radius_auth.so to 
/usr/pkg/lib/security/pam_radius_auth.so)

>Fix:
Module must be compiled with -DNO_STATIC_MODULES.

Patch follows and corrects the following:

 - Adds -DNO_STATIC_MODULES to pam-radius source's Makefile CFLAGS.
 - Fixes numerous compiler warnings.
 - Bumps the version of pam-radius to 1.3.17 which adds the following 
   options (the 'ruser' option is of particular importance to me):

   1.3.17
   ------
   Allow any number of retries, instead of only up to 3.

   Add ruser option, to authenticate as PAM_RUSER instead of PAM_USER,
   to allow applications such as 'su' to authenticate as the real user.
   Patch from David Mitchell.

   Add 'localifdown' option.

Module was tested against an RSA SecurID server and functioned perfectly 
on NetBSD 5.2 i386/amd64 and NetBSD 6.0 i386/amd64.

Index: Makefile
===================================================================
RCS file: /cvsroot/pkgsrc/security/pam-radius/Makefile,v
retrieving revision 1.4
diff -u -U 1 -r1.4 Makefile
--- Makefile	23 Oct 2012 18:16:48 -0000	1.4
+++ Makefile	30 Nov 2012 22:24:28 -0000
@@ -3,3 +3,3 @@
 PKGNAME=	${DISTNAME:S/_/-/}
-DISTNAME=	pam_radius-1.3.16
+DISTNAME=	pam_radius-1.3.17
 CATEGORIES=	security
@@ -12,3 +12,3 @@
 NO_CONFIGURE=	YES
-EXTRACT_SUFX=	.tar
+EXTRACT_SUFX=	.tar.gz

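Review bot: on the `EXTRACT_SUFX=	.tar.gz` line, `.tar.gz` is already the pkgsrc default suffix, so the assignment can be deleted outright instead of being changed from `.tar`.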
Index: distinfo
===================================================================
RCS file: /cvsroot/pkgsrc/security/pam-radius/distinfo,v
retrieving revision 1.2
diff -u -U 1 -r1.2 distinfo
--- distinfo	21 Feb 2009 00:06:52 -0000	1.2
+++ distinfo	30 Nov 2012 22:24:28 -0000
@@ -2,5 +2,6 @@

-SHA1 (pam_radius-1.3.16.tar) = 127352a693bafd9f32dd80ecece57de2bc1c19b8
-RMD160 (pam_radius-1.3.16.tar) = 6fb69c357b01ba5ac026b186de9be0e3f92c3fcd
-Size (pam_radius-1.3.16.tar) = 112640 bytes
-SHA1 (patch-aa) = a52b9561ca552a7b35b65b3f3361f5ab1bdf872e
+SHA1 (pam_radius-1.3.17.tar.gz) = 7623ca1b636bba729c69c3f50254b856bb4519a7
+RMD160 (pam_radius-1.3.17.tar.gz) = c3873d5a4275170420f98c2f37def0593293f463
+Size (pam_radius-1.3.17.tar.gz) = 31341 bytes
+SHA1 (patch-Makefile) = 192a300d690aa096fd31b3ffdb2394761ded23cc
+SHA1 (patch-pam_radius_auth.c) = ac1886fc20757a3787f57071c514e4518b4c25bd
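Review bot: the new SHA1, RMD160 and Size lines for pam_radius-1.3.17.tar.gz are values supplied by the submitter, and the archive changes from a 112640-byte .tar to a 31341-byte .tar.gz. Before committing, fetch the distfile from the package's MASTER_SITES and regenerate distinfo locally (`make makesum`, `make makepatchsum`) rather than copying these lines, so the recorded hashes are ones the committer has checked against the upstream release.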
cvs diff: Diffing patches
Index: patches/patch-Makefile
===================================================================
RCS file: patches/patch-Makefile
diff -N patches/patch-Makefile
--- /dev/null	1 Jan 1970 00:00:00 -0000
+++ patches/patch-Makefile	30 Nov 2012 22:24:28 -0000
@@ -0,0 +1,7 @@
+--- Makefile	2007-03-25 23:22:11.000000000 -0500
++++ Makefile	2012-11-30 15:29:34.000000000 -0600
+@@ -17,3 +17,3 @@
+ #
+-CFLAGS = -Wall -fPIC
++CFLAGS = -Wall -fPIC -DNO_STATIC_MODULES
+ #
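Review bot: the new patches/patch-Makefile begins directly at `--- Makefile`, with no `$NetBSD$` id line and no comment saying why the flag is needed. Add a short header recording that without -DNO_STATIC_MODULES the module builds but openpam_dispatch() logs "no pam_sm_authenticate()" and the stack moves on to the next entry, so a later update does not drop the flag and silently remove the RADIUS check. The same header is missing from patches/patch-pam_radius_auth.c.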
Index: patches/patch-aa
===================================================================
RCS file: patches/patch-aa
diff -N patches/patch-aa
--- patches/patch-aa	21 Feb 2009 00:06:52 -0000	1.1
+++ /dev/null	1 Jan 1970 00:00:00 -0000
@@ -1,14 +0,0 @@
-$NetBSD: patch-aa,v 1.1 2009/02/21 00:06:52 adrianp Exp $
-
---- md5.h.orig	2003-04-29 13:19:16.000000000 -0700
-+++ md5.h
-@@ -15,6 +15,9 @@
- #define MD5Transform  pra_MD5Transform
- 
- #include <sys/types.h>
-+#ifndef u_int32_t
-+#define u_int32_t uint32_t
-+#endif
- #define uint32 u_int32_t
- 
- struct MD5Context {
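Review bot: deleting patch-aa drops the `u_int32_t` fallback in md5.h, but the Fix section lists only the CFLAGS change, the warning fixes and the version bump. Say in the commit message whether md5.h in 1.3.17 builds without this workaround on the platforms pkgsrc supports, or keep the patch.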
Index: patches/patch-pam_radius_auth.c
===================================================================
RCS file: patches/patch-pam_radius_auth.c
diff -N patches/patch-pam_radius_auth.c
--- /dev/null	1 Jan 1970 00:00:00 -0000
+++ patches/patch-pam_radius_auth.c	30 Nov 2012 22:24:28 -0000
@@ -0,0 +1,36 @@
+--- pam_radius_auth.c	2007-03-26 04:36:13.000000000 -0500
++++ pam_radius_auth.c	2012-11-30 15:53:29.000000000 -0600
+@@ -58,6 +58,5 @@
+ #include <errno.h>
++#include <sys/types.h>
+ 
+-#ifdef sun
+ #include <security/pam_appl.h>
+-#endif
+ #include <security/pam_modules.h>
+@@ -184,3 +183,3 @@
+     while(*ip_str != '.' && *ip_str != '\0' && count < 4) {
+-      if(!isdigit(*ip_str)) {
++      if(!isdigit((unsigned char)*ip_str)) {
+ 	return((UINT4)0);
+@@ -220,3 +219,3 @@
+       digit_count = 0;
+-    } else if(!isdigit(*addr)) {
++    } else if(!isdigit((unsigned char)*addr)) {
+       dot_count = 5;
+@@ -276,3 +275,3 @@
+   if (!server->port) {
+-    if (p && isdigit(*p)) {	/* the port looks like it's a number */
++    if (p && isdigit((unsigned char)*p)) {	/* the port looks like it's a number */
+       unsigned int i = atoi(p) & 0xffff;
+@@ -768,3 +767,4 @@
+ {
+-  int salen, total_length;
++  socklen_t salen;
++  int total_length;
+   fd_set set;
+@@ -1101,3 +1101,3 @@
+     if (!strcmp("root", user)) {
+-      user = userinfo;
++      user = (char *)userinfo;
+       DPRINT(LOG_DEBUG, "Username now %s from ruser", user);
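Review bot: in the last inner hunk, `user = (char *)userinfo;` silences the compiler warning with a cast instead of resolving the type mismatch. If `userinfo` is const-qualified, declaring `user` as `const char *` would keep the qualifier; if the cast stays, the patch header should say why writing through `user` cannot happen. The `isdigit((unsigned char)...)` casts and the `socklen_t salen` change look right as they stand.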

>Release-Note:

>Audit-Trail:

Responsible-Changed-From-To: pkg-manager->bsiegert
Responsible-Changed-By: bsiegert@NetBSD.org
Responsible-Changed-When: Sat, 08 Aug 2015 19:47:16 +0000
Responsible-Changed-Why:
I like bugreports that include a patch.


From: "Benny Siegert" <bsiegert@netbsd.org>
To: gnats-bugs@gnats.NetBSD.org
Cc: 
Subject: PR/47269 CVS commit: pkgsrc/security/pam-radius
Date: Sat, 26 Sep 2015 20:01:27 +0000

 Module Name:	pkgsrc
 Committed By:	bsiegert
 Date:		Sat Sep 26 20:01:27 UTC 2015

 Modified Files:
 	pkgsrc/security/pam-radius: Makefile distinfo
 Added Files:
 	pkgsrc/security/pam-radius/patches: patch-Makefile
 	    patch-pam_radius_auth.c
 Removed Files:
 	pkgsrc/security/pam-radius/patches: patch-aa

 Log Message:
 Update pam_radius to 1.3.17, patch from PR pkg/47269.

 Allow any number of retries, instead of only up to 3.

 Add ruser option, to authenticate as PAM_RUSER instead of PAM_USER,
 to allow applications such as 'su' to authenticate as the real user.
 Patch from David Mitchell.

 Add 'localifdown' option.


 To generate a diff of this commit:
 cvs rdiff -u -r1.4 -r1.5 pkgsrc/security/pam-radius/Makefile
 cvs rdiff -u -r1.2 -r1.3 pkgsrc/security/pam-radius/distinfo
 cvs rdiff -u -r0 -r1.1 pkgsrc/security/pam-radius/patches/patch-Makefile \
     pkgsrc/security/pam-radius/patches/patch-pam_radius_auth.c
 cvs rdiff -u -r1.1 -r0 pkgsrc/security/pam-radius/patches/patch-aa

 Please note that diffs are not public domain; they are subject to the
 copyright notices on the relevant files.

State-Changed-From-To: open->closed
State-Changed-By: bsiegert@NetBSD.org
State-Changed-When: Sat, 03 Oct 2015 13:47:44 +0000
State-Changed-Why:
Submitted, thanks!


>Unformatted:
