--- Begin Message ---
- To: Debian Bug Tracking System <submit@bugs.debian.org>
- Subject: jessie-pu: package pam/1.1.8-3.1+deb8u2
- From: Evgeni Golov <evgeni@debian.org>
- Date: Sun, 06 Nov 2016 16:51:04 +0100
- Message-id: <147844746494.8799.9194981654851000606.reportbug@nana.phantasia.die-welt.net>
Package: release.debian.org
Severity: normal
Tags: jessie
User: release.debian.org@packages.debian.org
Usertags: pu
Ohai,
I would love to fix #726661 in stable. The bug currently prevents the use
of pam_loginuid in non-privileged containers → you cannot SSH into them.
The patch has been in unstable for quite some time and so far noone complained.
I am running the patched packages in my containers and did not have any issues
there either.
debdiff is attached, it basically updates a patch that was already in the package
but was not complete :/
Greets
Evgeni
-- System Information:
Debian Release: stretch/sid
APT prefers unstable
APT policy: (500, 'unstable'), (500, 'testing'), (1, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386
Kernel: Linux 4.7.0-1-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
diff -u pam-1.1.8/debian/changelog pam-1.1.8/debian/changelog
--- pam-1.1.8/debian/changelog
+++ pam-1.1.8/debian/changelog
@@ -1,3 +1,11 @@
+pam (1.1.8-3.1+deb8u2) UNRELEASED; urgency=medium
+
+ * Non-maintainer upload.
+ * debian/patches-applied/pam-loginuid-in-containers: Updated with the version
+ from Ubuntu, this should fix logins in containers (Closes: #726661)
+
+ -- Evgeni Golov <evgeni@debian.org> Sun, 06 Nov 2016 16:10:14 +0100
+
pam (1.1.8-3.1+deb8u1) jessie; urgency=medium
* Non-maintainer upload.
diff -u pam-1.1.8/debian/patches-applied/pam-loginuid-in-containers pam-1.1.8/debian/patches-applied/pam-loginuid-in-containers
--- pam-1.1.8/debian/patches-applied/pam-loginuid-in-containers
+++ pam-1.1.8/debian/patches-applied/pam-loginuid-in-containers
@@ -29,11 +29,11 @@
Signed-off-by: Steve Langasek <vorlon@debian.org>
Signed-off-by: Dmitry V. Levin <ldv@altlinux.org>
-Index: pam.deb/modules/pam_loginuid/pam_loginuid.c
+Index: ubuntu/modules/pam_loginuid/pam_loginuid.c
===================================================================
---- pam.deb.orig/modules/pam_loginuid/pam_loginuid.c
-+++ pam.deb/modules/pam_loginuid/pam_loginuid.c
-@@ -46,25 +46,49 @@
+--- ubuntu.orig/modules/pam_loginuid/pam_loginuid.c 2014-01-31 21:07:08.665185675 +0000
++++ ubuntu/modules/pam_loginuid/pam_loginuid.c 2014-01-31 21:05:05.000000000 +0000
+@@ -47,25 +47,56 @@
/*
* This function writes the loginuid to the /proc system. It returns
@@ -50,48 +50,58 @@
+ char loginuid[24], buf[24];
+ static const char host_uid_map[] = " 0 0 4294967295\n";
+ char uid_map[sizeof(host_uid_map)];
++
++ /* loginuid in user namespaces currently isn't writable and in some
++ case, not even readable, so consider any failure as ignorable (but try
++ anyway, in case we hit a kernel which supports it). */
++ fd = open("/proc/self/uid_map", O_RDONLY);
++ if (fd >= 0) {
++ count = pam_modutil_read(fd, uid_map, sizeof(uid_map));
++ if (strncmp(uid_map, host_uid_map, count) != 0)
++ rc = PAM_IGNORE;
++ close(fd);
++ }
- count = snprintf(loginuid, sizeof(loginuid), "%lu", (unsigned long)uid);
+- count = snprintf(loginuid, sizeof(loginuid), "%lu", (unsigned long)uid);
- fd = open("/proc/self/loginuid", O_NOFOLLOW|O_WRONLY|O_TRUNC);
+ fd = open("/proc/self/loginuid", O_NOFOLLOW|O_RDWR);
if (fd < 0) {
- if (errno != ENOENT) {
- rc = 1;
+- pam_syslog(pamh, LOG_ERR,
+- "Cannot open /proc/self/loginuid: %m");
+ if (errno == ENOENT) {
+ rc = PAM_IGNORE;
-+ } else if (errno == EACCES) {
-+ fd = open("/proc/self/uid_map", O_RDONLY);
-+ if (fd >= 0) {
-+ count = pam_modutil_read(fd, uid_map, sizeof(uid_map));
-+ if (strncmp(uid_map, host_uid_map, count) != 0)
-+ rc = PAM_IGNORE;
-+ close(fd);
-+ }
-+ if (rc != PAM_IGNORE)
-+ errno = EACCES;
+ }
+ if (rc != PAM_IGNORE) {
- pam_syslog(pamh, LOG_ERR,
- "Cannot open /proc/self/loginuid: %m");
++ pam_syslog(pamh, LOG_ERR, "Cannot open %s: %m",
++ "/proc/self/loginuid");
}
return rc;
}
- if (pam_modutil_write(fd, loginuid, count) != count)
- rc = 1;
+
++ count = snprintf(loginuid, sizeof(loginuid), "%lu", (unsigned long)uid);
+ if (pam_modutil_read(fd, buf, sizeof(buf)) == count &&
+ memcmp(buf, loginuid, count) == 0) {
+ rc = PAM_SUCCESS;
+ goto done; /* already correct */
+ }
+ if (lseek(fd, 0, SEEK_SET) == 0 && ftruncate(fd, 0) == 0 &&
-+ pam_modutil_write(fd, loginuid, count) == count)
++ pam_modutil_write(fd, loginuid, count) == count) {
+ rc = PAM_SUCCESS;
++ } else {
++ if (rc != PAM_IGNORE) {
++ pam_syslog(pamh, LOG_ERR, "Error writing %s: %m",
++ "/proc/self/loginuid");
++ }
++ }
+ done:
close(fd);
return rc;
}
-@@ -164,6 +188,7 @@
+@@ -165,6 +196,7 @@
{
const char *user = NULL;
struct passwd *pwd;
@@ -99,7 +109,7 @@
#ifdef HAVE_LIBAUDIT
int require_auditd = 0;
#endif
-@@ -182,9 +207,14 @@
+@@ -183,9 +215,14 @@
return PAM_SESSION_ERR;
}
@@ -117,7 +127,7 @@
}
#ifdef HAVE_LIBAUDIT
-@@ -194,11 +224,12 @@
+@@ -195,11 +232,12 @@
argv++;
}
--- End Message ---