author | Natanael Copa <ncopa@alpinelinux.org> | 2015-12-07 13:19:32 +0000 |
---|---|---|
committer | Kaarle Ritvanen <kaarle.ritvanen@datakunkku.fi> | 2018-04-15 05:13:00 +0300 |
commit | e722fd49ea4d83da91056d8a5b90d606e70b49ed (patch) | |
tree | 84ce8cc4b8ab4723ff596c2e268214c19f4d8b99 | |
parent | 29d4f7a7cbb09b065256336eb4cdea42c32d4c75 (diff) | |
download | aports-e722fd49ea4d83da91056d8a5b90d606e70b49ed.tar.bz2 aports-e722fd49ea4d83da91056d8a5b90d606e70b49ed.tar.xz |
main/busybox: add patch for /etc/securetty support in su
This makes it possible to have blank root passwords in container setups.
-rw-r--r-- | main/busybox/3001-login-move-check_securetty-to-libbb.patch | 103 | ||||
-rw-r--r-- | main/busybox/3002-libbb-allow_blank-argument-for-ask_and_check_passwor.patch | 70 | ||||
-rw-r--r-- | main/busybox/3003-su-FEATURE_SU_NULLOK_SECURE.patch | 76 | ||||
-rw-r--r-- | main/busybox/APKBUILD | 47 | ||||
-rw-r--r-- | main/busybox/busyboxconfig | 5 |
5 files changed, 261 insertions, 40 deletions
diff --git a/main/busybox/3001-login-move-check_securetty-to-libbb.patch b/main/busybox/3001-login-move-check_securetty-to-libbb.patch
new file mode 100644
index 0000000000..07a7246867
--- /dev/null
+++ b/main/busybox/3001-login-move-check_securetty-to-libbb.patch
@@ -0,0 +1,103 @@ +From 2543aee0930976d95822a88d840cf139261f7fe0 Mon Sep 17 00:00:00 2001 +From: Kaarle Ritvanen <kaarle.ritvanen@datakunkku.fi> +Date: Thu, 5 Nov 2015 16:27:34 +0200 +Subject: [PATCH 3001/3003] login: move check_securetty to libbb + +--- + include/libbb.h | 1 + + libbb/Kbuild.src | 1 + + libbb/securetty.c | 27 +++++++++++++++++++++++++++ + loginutils/login.c | 19 ------------------- + 4 files changed, 29 insertions(+), 19 deletions(-) + create mode 100644 libbb/securetty.c + +diff --git a/include/libbb.h b/include/libbb.h +index a8ceb44..516f42e 100644 +--- a/include/libbb.h ++++ b/include/libbb.h +@@ -1360,6 +1360,7 @@ int sd_listen_fds(void); + #define SETUP_ENV_NO_CHDIR (1 << 4) + void setup_environment(const char *shell, int flags, const struct passwd *pw) FAST_FUNC; + void nuke_str(char *str) FAST_FUNC; ++int check_securetty(const char *short_tty); + int check_password(const struct passwd *pw, const char *plaintext) FAST_FUNC; + int ask_and_check_password_extended(const struct passwd *pw, int timeout, const char *prompt) FAST_FUNC; + int ask_and_check_password(const struct passwd *pw) FAST_FUNC; +diff --git a/libbb/Kbuild.src b/libbb/Kbuild.src +index 7fb6872..0f09de7 100644 +--- a/libbb/Kbuild.src ++++ b/libbb/Kbuild.src +@@ -84,6 +84,7 @@ lib-y += safe_gethostname.o + lib-y += safe_poll.o + lib-y += safe_strncpy.o + lib-y += safe_write.o ++lib-y += securetty.o + lib-y += setup_environment.o + lib-y += signals.o + lib-y += simplify_path.o +diff --git a/libbb/securetty.c b/libbb/securetty.c +new file mode 100644 +index 0000000..95edbc9 +--- /dev/null ++++ b/libbb/securetty.c +@@ -0,0 +1,27 @@ ++/* vi: set sw=4 ts=4: */ ++/* ++ * /etc/securetty checking. ++ * ++ * Licensed under GPLv2, see file LICENSE in this source tree. 
++ */ ++ ++#include "libbb.h" ++ ++#if ENABLE_FEATURE_SECURETTY && !ENABLE_PAM ++int check_securetty(const char *short_tty) ++{ ++ char *buf = (char*)"/etc/securetty"; /* any non-NULL is ok */ ++ parser_t *parser = config_open2("/etc/securetty", fopen_for_read); ++ while (config_read(parser, &buf, 1, 1, "# \t", PARSE_NORMAL)) { ++ if (strcmp(buf, short_tty) == 0) ++ break; ++ buf = NULL; ++ } ++ config_close(parser); ++ /* buf != NULL here if config file was not found, empty ++ * or line was found which equals short_tty */ ++ return buf != NULL; ++} ++#else ++ALWAYS_INLINE int check_securetty(const char *short_tty UNUSED_PARAM) { return 1; } ++#endif +diff --git a/loginutils/login.c b/loginutils/login.c +index 1700cfc..b38a1fb 100644 +--- a/loginutils/login.c ++++ b/loginutils/login.c +@@ -79,25 +79,6 @@ static void die_if_nologin(void) + # define die_if_nologin() ((void)0) + #endif + +-#if ENABLE_FEATURE_SECURETTY && !ENABLE_PAM +-static int check_securetty(const char *short_tty) +-{ +- char *buf = (char*)"/etc/securetty"; /* any non-NULL is ok */ +- parser_t *parser = config_open2("/etc/securetty", fopen_for_read); +- while (config_read(parser, &buf, 1, 1, "# \t", PARSE_NORMAL)) { +- if (strcmp(buf, short_tty) == 0) +- break; +- buf = NULL; +- } +- config_close(parser); +- /* buf != NULL here if config file was not found, empty +- * or line was found which equals short_tty */ +- return buf != NULL; +-} +-#else +-static ALWAYS_INLINE int check_securetty(const char *short_tty UNUSED_PARAM) { return 1; } +-#endif +- + #if ENABLE_SELINUX + static void initselinux(char *username, char *full_tty, + security_context_t *user_sid) +-- +2.6.3 + diff --git a/main/busybox/3002-libbb-allow_blank-argument-for-ask_and_check_passwor.patch b/main/busybox/3002-libbb-allow_blank-argument-for-ask_and_check_passwor.patch new file mode 100644 index 0000000000..1722be2ccd --- /dev/null +++ b/main/busybox/3002-libbb-allow_blank-argument-for-ask_and_check_passwor.patch 
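Review bot: The new libbb declaration `int check_securetty(const char *short_tty);` in include/libbb.h is the only prototype in that run without the `FAST_FUNC` attribute that the neighbouring `nuke_str`, `check_password` and `ask_and_check_password*` lines carry; either add it to both the prototype and the definition in libbb/securetty.c, or leave a comment saying why it is omitted. Now that the function is a shared API rather than login-private, its fail-open contract belongs at the declaration: per the comment kept in securetty.c it returns 1 when /etc/securetty is missing or empty, not only when the tty is listed, and the `#else` branch compiles it as an always-true stub when FEATURE_SECURETTY is off or PAM is on. Suggest `/* 1 if short_tty is listed in /etc/securetty, or the file is missing/empty; always 1 without FEATURE_SECURETTY or with PAM */` above the prototype. The same fail-open semantics are what the new su caller in 3003-su-FEATURE_SU_NULLOK_SECURE.patch inherits.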
@@ -0,0 +1,70 @@ +From 12b6eff3a535a55441b6a84c24407626edf44b76 Mon Sep 17 00:00:00 2001 +From: Kaarle Ritvanen <kaarle.ritvanen@datakunkku.fi> +Date: Thu, 5 Nov 2015 16:27:35 +0200 +Subject: [PATCH 3002/3003] libbb: allow_blank argument for + ask_and_check_password_extended() + +--- + include/libbb.h | 2 +- + libbb/correct_password.c | 6 +++--- + loginutils/sulogin.c | 2 +- + 3 files changed, 5 insertions(+), 5 deletions(-) + +diff --git a/include/libbb.h b/include/libbb.h +index 516f42e..ece8d37 100644 +--- a/include/libbb.h ++++ b/include/libbb.h +@@ -1362,7 +1362,7 @@ void setup_environment(const char *shell, int flags, const struct passwd *pw) FA + void nuke_str(char *str) FAST_FUNC; + int check_securetty(const char *short_tty); + int check_password(const struct passwd *pw, const char *plaintext) FAST_FUNC; +-int ask_and_check_password_extended(const struct passwd *pw, int timeout, const char *prompt) FAST_FUNC; ++int ask_and_check_password_extended(const struct passwd *pw, int timeout, int allow_blank, const char *prompt) FAST_FUNC; + int ask_and_check_password(const struct passwd *pw) FAST_FUNC; + /* Returns a malloced string */ + #if !ENABLE_USE_BB_CRYPT +diff --git a/libbb/correct_password.c b/libbb/correct_password.c +index 513c930..57cd2b8 100644 +--- a/libbb/correct_password.c ++++ b/libbb/correct_password.c +@@ -96,7 +96,7 @@ int FAST_FUNC check_password(const struct passwd *pw, const char *plaintext) + * NULL pw means "just fake it for login with bad username" + */ + int FAST_FUNC ask_and_check_password_extended(const struct passwd *pw, +- int timeout, const char *prompt) ++ int timeout, int allow_blank, const char *prompt) + { + IF_FEATURE_SHADOWPASSWDS(char buffer[SHADOW_BUFSIZE];) + char *plaintext; +@@ -105,7 +105,7 @@ int FAST_FUNC ask_and_check_password_extended(const struct passwd *pw, + + pw_pass = get_passwd(pw, buffer); + if (!pw_pass[0]) /* empty password field? 
*/ +- return 1; ++ return allow_blank; + + plaintext = bb_ask(STDIN_FILENO, timeout, prompt); + if (!plaintext) { +@@ -120,5 +120,5 @@ int FAST_FUNC ask_and_check_password_extended(const struct passwd *pw, + + int FAST_FUNC ask_and_check_password(const struct passwd *pw) + { +- return ask_and_check_password_extended(pw, 0, "Password: "); ++ return ask_and_check_password_extended(pw, 0, 1, "Password: "); + } +diff --git a/loginutils/sulogin.c b/loginutils/sulogin.c +index 2a29099..4013f11 100644 +--- a/loginutils/sulogin.c ++++ b/loginutils/sulogin.c +@@ -53,7 +53,7 @@ int sulogin_main(int argc UNUSED_PARAM, char **argv) + while (1) { + int r; + +- r = ask_and_check_password_extended(pwd, timeout, ++ r = ask_and_check_password_extended(pwd, timeout, 1, + "Give root password for system maintenance\n" + "(or type Control-D for normal startup):" + ); +-- +2.6.3 + diff --git a/main/busybox/3003-su-FEATURE_SU_NULLOK_SECURE.patch b/main/busybox/3003-su-FEATURE_SU_NULLOK_SECURE.patch new file mode 100644 index 0000000000..bb0e1c64ce --- /dev/null +++ b/main/busybox/3003-su-FEATURE_SU_NULLOK_SECURE.patch 
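Review bot: With `allow_blank` cleared, the new `return allow_blank;` in ask_and_check_password_extended() returns failure before `bb_ask()` is ever called, so a caller that denies blank passwords fails instantly with no prompt, whereas a wrong password for the same account is rejected only after a prompt and a hash check; the file's own comment above the function ("NULL pw means just fake it for login with bad username") shows that masking such differences is a goal of this helper. Prompting and discarding the answer on the deny path keeps the two cases alike at the terminal (hash-check timing aside); `nuke_str` is assumed to be the right scrub helper for the returned buffer, as it is declared alongside in libbb.h, so confirm before applying. The new parameter is also undocumented: the comment block the hunk touches near line 96 should say `allow_blank: nonzero to accept an empty password field without prompting, zero to reject it`. The enclosing function continues outside the hunk, so the later `plaintext` handling is inferred from the context lines only.
```c
	pw_pass = get_passwd(pw, buffer);
	if (!pw_pass[0]) { /* empty password field? */
		if (allow_blank)
			return 1;
		/* still prompt, so a denied blank password is not distinguishable
		 * from a wrong one by the absence of the prompt */
		plaintext = bb_ask(STDIN_FILENO, timeout, prompt);
		if (plaintext)
			nuke_str(plaintext);
		return 0;
	}
	/* … unchanged: prompt, check_password, cleanup … */
```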
@@ -0,0 +1,76 @@ +From 0acd825122c5e2d1b2ba6a0d0f42960cefaafa88 Mon Sep 17 00:00:00 2001 +From: Kaarle Ritvanen <kaarle.ritvanen@datakunkku.fi> +Date: Thu, 5 Nov 2015 16:27:36 +0200 +Subject: [PATCH 3003/3003] su: FEATURE_SU_NULLOK_SECURE + +When this feature is enabled, blank passwords are not accepted by su +unless the user is on a secure TTY defined in /etc/securetty. This +resembles the default PAM configuration of some Linux distros which +specify the nullok_secure option for pam_unix.so. +--- + loginutils/Config.src | 5 +++++ + loginutils/su.c | 13 ++++++++----- + 2 files changed, 13 insertions(+), 5 deletions(-) + +diff --git a/loginutils/Config.src b/loginutils/Config.src +index fa2b4f8..a150899 100644 +--- a/loginutils/Config.src ++++ b/loginutils/Config.src +@@ -311,6 +311,11 @@ config FEATURE_SU_CHECKS_SHELLS + depends on SU + default y + ++config FEATURE_SU_NULLOK_SECURE ++ bool "Disallow blank passwords from TTYs other than specified in /etc/securetty" ++ depends on SU ++ default n ++ + config SULOGIN + bool "sulogin" + default y +diff --git a/loginutils/su.c b/loginutils/su.c +index f812505..bd0cb35 100644 +--- a/loginutils/su.c ++++ b/loginutils/su.c +@@ -51,6 +51,7 @@ int su_main(int argc UNUSED_PARAM, char **argv) + struct passwd *pw; + uid_t cur_uid = getuid(); + const char *tty; ++ int allow_blank = 1; + #if ENABLE_FEATURE_UTMP + char user_buf[64]; + #endif +@@ -71,6 +72,12 @@ int su_main(int argc UNUSED_PARAM, char **argv) + argv++; + } + ++ tty = xmalloc_ttyname(STDIN_FILENO); ++ if (!tty) tty = "none"; ++ tty = skip_dev_pfx(tty); ++ ++ if (ENABLE_FEATURE_SU_NULLOK_SECURE) allow_blank = check_securetty(tty); ++ + if (ENABLE_FEATURE_SU_SYSLOG) { + /* The utmp entry (via getlogin) is probably the best way to + * identify the user, especially if someone su's from a su-shell. +@@ -84,16 +91,12 @@ int su_main(int argc UNUSED_PARAM, char **argv) + pw = getpwuid(cur_uid); + old_user = pw ? 
xstrdup(pw->pw_name) : ""; + } +- tty = xmalloc_ttyname(2); +- if (!tty) { +- tty = "none"; +- } + openlog(applet_name, 0, LOG_AUTH); + } + + pw = xgetpwnam(opt_username); + +- if (cur_uid == 0 || ask_and_check_password(pw) > 0) { ++ if (cur_uid == 0 || ask_and_check_password_extended(pw, 0, allow_blank, "Password: ") > 0) { + if (ENABLE_FEATURE_SU_SYSLOG) + syslog(LOG_NOTICE, "%c %s %s:%s", + '+', tty, old_user, opt_username); +-- +2.6.3 + diff --git a/main/busybox/APKBUILD b/main/busybox/APKBUILD index dee1240317..247c9a6fce 100644 --- a/main/busybox/APKBUILD +++ b/main/busybox/APKBUILD @@ -3,7 +3,7 @@ # Maintainer: Natanael Copa <ncopa@alpinelinux.org> pkgname=busybox pkgver=1.23.2 -pkgrel=1 +pkgrel=2 pkgdesc="Size optimized toolbox of many common UNIX utilities" url=http://busybox.net arch="all" @@ -34,6 +34,10 @@ source="http://busybox.net/downloads/$pkgname-$pkgver.tar.bz2 1001-fbsplash-support-console-switching.patch 1002-fbsplash-support-image-and-bar-alignment-and-positio.patch + 3001-login-move-check_securetty-to-libbb.patch + 3002-libbb-allow_blank-argument-for-ask_and_check_passwor.patch + 3003-su-FEATURE_SU_NULLOK_SECURE.patch + busyboxconfig glibc.patch CVE-2016-6301.patch 
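Review bot: The new `config FEATURE_SU_NULLOK_SECURE` in loginutils/Config.src only has `depends on SU`, but the check_securetty() it relies on (from 3001-login-move-check_securetty-to-libbb.patch) is built as a stub that always returns 1 unless FEATURE_SECURETTY is enabled and PAM is not, so on such a build the option is accepted yet blank passwords remain allowed on every tty; make that explicit with `depends on SU && FEATURE_SECURETTY && !PAM` and add a help paragraph noting that a missing or empty /etc/securetty also allows blank passwords everywhere. The busyboxconfig hunk sets `CONFIG_FEATURE_SU_NULLOK_SECURE=y` without showing the state of those two symbols, so this is worth confirming there. In su.c the tty is now taken from `xmalloc_ttyname(STDIN_FILENO)` instead of the removed `xmalloc_ttyname(2)`, so the tty recorded in the syslog line changes from stderr's to stdin's; if that is intended, the patch description should say so. When stdin is not a terminal the securetty lookup is done for the literal fallback name `"none"`, so a short comment on `if (!tty) tty = "none";` saying the lookup intentionally keys on the placeholder would help the next reader.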
@@ -120,42 +124,6 @@ static() { "$subpkgdir"/bin/busybox.static } -md5sums="7925683d7dd105aabe9b6b618d48cc73 busybox-1.23.2.tar.bz2 -8485cf1e389e891914cbb8771a6d9bbd bbsuid.c -d64b58a30892c558bdbab7f0d0997577 nologin.c -4c0f3b486eaa0674961b7ddcd0c60a9b busybox-1.11.1-bb.patch -b5375210f13fd6e1ca61a565e8fabd35 busybox-uname-is-not-gnu.patch -c5a8dbc8696db6da9c4624b0e11d8fba bb-app-location.patch -8c42c9ef0f0419c314c86bcaf7796106 loginutils-sha512.patch -91a7584a562a72ba886936558e576bbd udhcpc-discover-retries.patch -04eeda8c49d4688e6dec02451f8b6aae 0001-ifupdown-pass-interface-device-name-for-ipv6-route-c.patch -e1c183cbe1ca18a0fa0d9597314076c9 0001-ifupdown-use-x-hostname-NAME-with-udhcpc.patch -239dbe5dae5d36bbf73548b2749a22b1 0001-linedit-deluser-use-POSIX-getpwent-instead-of-getpwe.patch -69fa40bee9abec058427bf67fde1b61e 0001-diff-add-support-for-no-dereference.patch -699ce5aa1095ba4419cd595cec8a8f75 1000-fbsplash-use-virtual-y-size-in-mmap-size-calculation.patch -b56d306ccba574da78dff060b7330806 1001-fbsplash-support-console-switching.patch -4fe5f9e973674c7db3d07f295c363a7c 1002-fbsplash-support-image-and-bar-alignment-and-positio.patch -3cff842a3618c84465d7ef5425c8749b busyboxconfig -befaac2c59c380e36a452b3f1c1d4a3a glibc.patch -b23dd4bd38216d05d88287371d35513a CVE-2016-6301.patch" -sha256sums="05a6f9e21aad8c098e388ae77de7b2361941afa7157ef74216703395b14e319a busybox-1.23.2.tar.bz2 -81957f1fe0c386120dad1c8174ccc1fcfeed98c14d229db7d164d4fb4c938b3d bbsuid.c -9bbf0bec82e6d6907474958f3be048c54657fbf49207810b7e4d4d6146f0069d nologin.c -327bb8049e2726351a5c8b6b2cef864f6ce58725d4453983f97092ea73656ccc busybox-1.11.1-bb.patch -a31ce8bcb8b81b20e80ffa407600a530d085806c6471f4e4249fcb3a491b79ef busybox-uname-is-not-gnu.patch -576366b4d50f1078da6c0364ef70415de92d97c93c64f4d790b11d7a34cdccd2 bb-app-location.patch -57674b20158c0b266ed028b0c65299f9cbcad7d33d19c9fcc403d3967daba493 loginutils-sha512.patch -90825a443339f1c8c249d05f7b025ce53e374d305f8e113d98d45146b105494d 
udhcpc-discover-retries.patch -2e9d56335ca39e944b9abd9ecc91d0e47a3fe3434f8b7ec3f526bc8fa0895ada 0001-ifupdown-pass-interface-device-name-for-ipv6-route-c.patch -53563c6dc4db13004d0b37f7bf1748e861b5a5c4244c1d34f102c23b689420c5 0001-ifupdown-use-x-hostname-NAME-with-udhcpc.patch -ac2cd5fed91bfaec22ed1f2766396d0feb29b9b96f20b2c12d5d8ac8769afae9 0001-linedit-deluser-use-POSIX-getpwent-instead-of-getpwe.patch -70180473e3939402e460b25de8273a5ce7f62b130a9efe31f33d847b2406ac92 0001-diff-add-support-for-no-dereference.patch -043963183cad556bdae5d5608180f0cb76cf7eede175cd97aa002a787780500f 1000-fbsplash-use-virtual-y-size-in-mmap-size-calculation.patch -b8b0b16ed67b0159256193b1d2108b8ef9aa8a334ab81e463bb970c71257da9a 1001-fbsplash-support-console-switching.patch -e1f3fad8e21dfd72cfcae7ab3ba31d7938e964e0f9ec08b2da0b14d462435424 1002-fbsplash-support-image-and-bar-alignment-and-positio.patch -342bb69c144a1e63d7a7fe4c24578ce5b483c09751ac16bb36d1b88929068141 busyboxconfig -c604ef791c31d35a8c5ee4558d21428a46f37a6d762c4a7e29864f4037fc44a0 glibc.patch -0bffce454b303b832a19946006eebcb217fa6e14a3c638170bd003dc66504e77 CVE-2016-6301.patch" sha512sums="209c8ef26e40ccb81510f6b663202b080f9bbecac7faf386bbabf7e36a43d63b15dd6ce9f7a84c1ccc5345c524999812251da1e113ef9faadc6af1fedd24c7c9 busybox-1.23.2.tar.bz2 16b3dd6a8b76b062d51458351fcb44f84b49eb4bf898584c933df90fb2cb3966f9547865a4d7447589bb20b7c203beb04ff7512f76f85d29138d2cff4eb9ee81 bbsuid.c 4e7c291a70e879b74c0fc07c54a73ef50537d8be68fee6b2d409425c07afd2d67f9b6afcd8c33a7971014913cc5de85e45079681c9e77200c6cc2f34acfba6d2 nologin.c 
@@ -171,6 +139,9 @@ a35b66cd28b79ccc14b47315ac94677fdf8c14d8a6e8956707e71fb50d453dfc5b4b822832cd1fae
 2a8e9360e1cedd26bdb70d8cc036ef0abc7588bf2eee147c1c7436d7a40763f8e31d346b980145a36649130a2f811d299e4f46f7e1b60a8165a60ae9e79727d5 1000-fbsplash-use-virtual-y-size-in-mmap-size-calculation.patch
 a181dd54e8e11cf1199edb1b1fcd4b7402bbf142593b6014f32c6815bb7093b56899ad0fcc9f73c382f56203ac5274fb3d51fa070feb541436f23c31680f1a69 1001-fbsplash-support-console-switching.patch
 c33073416f7da2805a20f3f456f869217171c8fbfdef85f4ae481307aeb1e1b5717084bbbc619010fa5500c3f3f49b6468d5c122024fcc49d637c82427a3f553 1002-fbsplash-support-image-and-bar-alignment-and-positio.patch
-2efb13f23c48a4dc3e2eb6343256694719c3425fe8ddd36ce9fb1837e45fafa3326c2630a08d731abc6bbc104536218d095b2d997861c5b35a7f7907177d2e66 busyboxconfig
+1832d2a09625cb60998c54330a751f13dec97da2c4133db29c10f77fa3314fd2ef2002a45eab7215ed1a0dd8b84a8a4c7d4c1d225b5ee012fe357a8777707a17 3001-login-move-check_securetty-to-libbb.patch
+ed8d060b85d4da1681eb35ba64c5b249391e6a7edbeb55b8952897f08fe9bafac33593992772d80a6df42dd3af0e175ce9575ee51c49fbc875008ad0ac2f6f06 3002-libbb-allow_blank-argument-for-ask_and_check_passwor.patch
+c6579970450e7c711461ab1953f534ae855c4a355b4a452b3fc52a286355c87e41f8951b1b5217d0f659e3173ace8718d42dad3dcc878899cf9decdf4d3fe238 3003-su-FEATURE_SU_NULLOK_SECURE.patch
+c82de96986c562d23da2d9eda957f4a183715c4638842ff42122f38e0c65fc6abaef36922b3da4f911d93b0291cf9311a5f17f05fc3d86f2563336bf052a8713 busyboxconfig
 1d2739379dab1deb3eae7cffd4845300eb7d30f7343b4a1209b21a5680860d55080ad45fdefe098b249ce3040c01951fa7f0a79cd447b2d7b260eb000099d9dc glibc.patch
 a3030e07a30951b2c4a292670f2ff87541c2a84322525422505f1e3f578021b87c004d0180e5f4219bd1befef2981283b331eb3471de0ae6e4bf44dba8fab502 CVE-2016-6301.patch"
diff --git a/main/busybox/busyboxconfig b/main/busybox/busyboxconfig
index b8311b20a9..c9940ba5d6 100644
--- a/main/busybox/busyboxconfig
+++ b/main/busybox/busyboxconfig
@@ -1,7 +1,7 @@ # # Automatically generated make config: don't edit -# Busybox version: 1.23.0 -# Thu Dec 25 13:55:58 2014 +# Busybox version: 1.23.2 +# Sun Apr 15 04:47:07 2018 # CONFIG_HAVE_DOT_CONFIG=y @@ -496,6 +496,7 @@ CONFIG_FEATURE_DEFAULT_PASSWD_ALGO="sha512" CONFIG_SU=y CONFIG_FEATURE_SU_SYSLOG=y CONFIG_FEATURE_SU_CHECKS_SHELLS=y +CONFIG_FEATURE_SU_NULLOK_SECURE=y # CONFIG_SULOGIN is not set CONFIG_VLOCK=y |