diff options
author | Natanael Copa <ncopa@alpinelinux.org> | 2015-12-07 13:19:32 +0000 |
---|---|---|
committer | Natanael Copa <ncopa@alpinelinux.org> | 2015-12-07 13:20:22 +0000 |
commit | 1b45ae751207c272643ebcca029ca2082e2c4508 (patch) | |
tree | 628e9f6856adc98d41151dd519b85bde552f3dfb /main/busybox | |
parent | 95c8dee6aadee2f1df56e0a206b1a7ab3fab6224 (diff) | |
download | aports-1b45ae751207c272643ebcca029ca2082e2c4508.tar.bz2 aports-1b45ae751207c272643ebcca029ca2082e2c4508.tar.xz |
main/busybox: add patch for /etc/securetty support in su
This makes it possible to have blank root passwords in container setups.
Diffstat (limited to 'main/busybox')
-rw-r--r-- | main/busybox/3001-login-move-check_securetty-to-libbb.patch | 103 | ||||
-rw-r--r-- | main/busybox/3002-libbb-allow_blank-argument-for-ask_and_check_passwor.patch | 70 | ||||
-rw-r--r-- | main/busybox/3003-su-FEATURE_SU_NULLOK_SECURE.patch | 76 | ||||
-rw-r--r-- | main/busybox/APKBUILD | 21 | ||||
-rw-r--r-- | main/busybox/busyboxconfig | 3 |
5 files changed, 268 insertions, 5 deletions
diff --git a/main/busybox/3001-login-move-check_securetty-to-libbb.patch b/main/busybox/3001-login-move-check_securetty-to-libbb.patch new file mode 100644 index 0000000000..07a7246867 --- /dev/null +++ b/main/busybox/3001-login-move-check_securetty-to-libbb.patch @@ -0,0 +1,103 @@ +From 2543aee0930976d95822a88d840cf139261f7fe0 Mon Sep 17 00:00:00 2001 +From: Kaarle Ritvanen <kaarle.ritvanen@datakunkku.fi> +Date: Thu, 5 Nov 2015 16:27:34 +0200 +Subject: [PATCH 3001/3003] login: move check_securetty to libbb + +--- + include/libbb.h | 1 + + libbb/Kbuild.src | 1 + + libbb/securetty.c | 27 +++++++++++++++++++++++++++ + loginutils/login.c | 19 ------------------- + 4 files changed, 29 insertions(+), 19 deletions(-) + create mode 100644 libbb/securetty.c + +diff --git a/include/libbb.h b/include/libbb.h +index a8ceb44..516f42e 100644 +--- a/include/libbb.h ++++ b/include/libbb.h +@@ -1360,6 +1360,7 @@ int sd_listen_fds(void); + #define SETUP_ENV_NO_CHDIR (1 << 4) + void setup_environment(const char *shell, int flags, const struct passwd *pw) FAST_FUNC; + void nuke_str(char *str) FAST_FUNC; ++int check_securetty(const char *short_tty); + int check_password(const struct passwd *pw, const char *plaintext) FAST_FUNC; + int ask_and_check_password_extended(const struct passwd *pw, int timeout, const char *prompt) FAST_FUNC; + int ask_and_check_password(const struct passwd *pw) FAST_FUNC; +diff --git a/libbb/Kbuild.src b/libbb/Kbuild.src +index 7fb6872..0f09de7 100644 +--- a/libbb/Kbuild.src ++++ b/libbb/Kbuild.src +@@ -84,6 +84,7 @@ lib-y += safe_gethostname.o + lib-y += safe_poll.o + lib-y += safe_strncpy.o + lib-y += safe_write.o ++lib-y += securetty.o + lib-y += setup_environment.o + lib-y += signals.o + lib-y += simplify_path.o +diff --git a/libbb/securetty.c b/libbb/securetty.c +new file mode 100644 +index 0000000..95edbc9 +--- /dev/null ++++ b/libbb/securetty.c +@@ -0,0 +1,27 @@ ++/* vi: set sw=4 ts=4: */ ++/* ++ * /etc/securetty checking. ++ * ++ * Licensed under GPLv2, see file LICENSE in this source tree. ++ */ ++ ++#include "libbb.h" ++ ++#if ENABLE_FEATURE_SECURETTY && !ENABLE_PAM ++int check_securetty(const char *short_tty) ++{ ++ char *buf = (char*)"/etc/securetty"; /* any non-NULL is ok */ ++ parser_t *parser = config_open2("/etc/securetty", fopen_for_read); ++ while (config_read(parser, &buf, 1, 1, "# \t", PARSE_NORMAL)) { ++ if (strcmp(buf, short_tty) == 0) ++ break; ++ buf = NULL; ++ } ++ config_close(parser); ++ /* buf != NULL here if config file was not found, empty ++ * or line was found which equals short_tty */ ++ return buf != NULL; ++} ++#else ++ALWAYS_INLINE int check_securetty(const char *short_tty UNUSED_PARAM) { return 1; } ++#endif +diff --git a/loginutils/login.c b/loginutils/login.c +index 1700cfc..b38a1fb 100644 +--- a/loginutils/login.c ++++ b/loginutils/login.c +@@ -79,25 +79,6 @@ static void die_if_nologin(void) + # define die_if_nologin() ((void)0) + #endif + +-#if ENABLE_FEATURE_SECURETTY && !ENABLE_PAM +-static int check_securetty(const char *short_tty) +-{ +- char *buf = (char*)"/etc/securetty"; /* any non-NULL is ok */ +- parser_t *parser = config_open2("/etc/securetty", fopen_for_read); +- while (config_read(parser, &buf, 1, 1, "# \t", PARSE_NORMAL)) { +- if (strcmp(buf, short_tty) == 0) +- break; +- buf = NULL; +- } +- config_close(parser); +- /* buf != NULL here if config file was not found, empty +- * or line was found which equals short_tty */ +- return buf != NULL; +-} +-#else +-static ALWAYS_INLINE int check_securetty(const char *short_tty UNUSED_PARAM) { return 1; } +-#endif +- + #if ENABLE_SELINUX + static void initselinux(char *username, char *full_tty, + security_context_t *user_sid) +-- +2.6.3 + diff --git a/main/busybox/3002-libbb-allow_blank-argument-for-ask_and_check_passwor.patch b/main/busybox/3002-libbb-allow_blank-argument-for-ask_and_check_passwor.patch new file mode 100644 index 0000000000..1722be2ccd --- /dev/null +++ b/main/busybox/3002-libbb-allow_blank-argument-for-ask_and_check_passwor.patch @@ -0,0 +1,70 @@ +From 12b6eff3a535a55441b6a84c24407626edf44b76 Mon Sep 17 00:00:00 2001 +From: Kaarle Ritvanen <kaarle.ritvanen@datakunkku.fi> +Date: Thu, 5 Nov 2015 16:27:35 +0200 +Subject: [PATCH 3002/3003] libbb: allow_blank argument for + ask_and_check_password_extended() + +--- + include/libbb.h | 2 +- + libbb/correct_password.c | 6 +++--- + loginutils/sulogin.c | 2 +- + 3 files changed, 5 insertions(+), 5 deletions(-) + +diff --git a/include/libbb.h b/include/libbb.h +index 516f42e..ece8d37 100644 +--- a/include/libbb.h ++++ b/include/libbb.h +@@ -1362,7 +1362,7 @@ void setup_environment(const char *shell, int flags, const struct passwd *pw) FA + void nuke_str(char *str) FAST_FUNC; + int check_securetty(const char *short_tty); + int check_password(const struct passwd *pw, const char *plaintext) FAST_FUNC; +-int ask_and_check_password_extended(const struct passwd *pw, int timeout, const char *prompt) FAST_FUNC; ++int ask_and_check_password_extended(const struct passwd *pw, int timeout, int allow_blank, const char *prompt) FAST_FUNC; + int ask_and_check_password(const struct passwd *pw) FAST_FUNC; + /* Returns a malloced string */ + #if !ENABLE_USE_BB_CRYPT +diff --git a/libbb/correct_password.c b/libbb/correct_password.c +index 513c930..57cd2b8 100644 +--- a/libbb/correct_password.c ++++ b/libbb/correct_password.c +@@ -96,7 +96,7 @@ int FAST_FUNC check_password(const struct passwd *pw, const char *plaintext) + * NULL pw means "just fake it for login with bad username" + */ + int FAST_FUNC ask_and_check_password_extended(const struct passwd *pw, +- int timeout, const char *prompt) ++ int timeout, int allow_blank, const char *prompt) + { + IF_FEATURE_SHADOWPASSWDS(char buffer[SHADOW_BUFSIZE];) + char *plaintext; +@@ -105,7 +105,7 @@ int FAST_FUNC ask_and_check_password_extended(const struct passwd *pw, + + pw_pass = get_passwd(pw, buffer); + if (!pw_pass[0]) /* empty password field? */ +- return 1; ++ return allow_blank; + + plaintext = bb_ask(STDIN_FILENO, timeout, prompt); + if (!plaintext) { +@@ -120,5 +120,5 @@ int FAST_FUNC ask_and_check_password_extended(const struct passwd *pw, + + int FAST_FUNC ask_and_check_password(const struct passwd *pw) + { +- return ask_and_check_password_extended(pw, 0, "Password: "); ++ return ask_and_check_password_extended(pw, 0, 1, "Password: "); + } +diff --git a/loginutils/sulogin.c b/loginutils/sulogin.c +index 2a29099..4013f11 100644 +--- a/loginutils/sulogin.c ++++ b/loginutils/sulogin.c +@@ -53,7 +53,7 @@ int sulogin_main(int argc UNUSED_PARAM, char **argv) + while (1) { + int r; + +- r = ask_and_check_password_extended(pwd, timeout, ++ r = ask_and_check_password_extended(pwd, timeout, 1, + "Give root password for system maintenance\n" + "(or type Control-D for normal startup):" + ); +-- +2.6.3 + diff --git a/main/busybox/3003-su-FEATURE_SU_NULLOK_SECURE.patch b/main/busybox/3003-su-FEATURE_SU_NULLOK_SECURE.patch new file mode 100644 index 0000000000..bb0e1c64ce --- /dev/null +++ b/main/busybox/3003-su-FEATURE_SU_NULLOK_SECURE.patch @@ -0,0 +1,76 @@ +From 0acd825122c5e2d1b2ba6a0d0f42960cefaafa88 Mon Sep 17 00:00:00 2001 +From: Kaarle Ritvanen <kaarle.ritvanen@datakunkku.fi> +Date: Thu, 5 Nov 2015 16:27:36 +0200 +Subject: [PATCH 3003/3003] su: FEATURE_SU_NULLOK_SECURE + +When this feature is enabled, blank passwords are not accepted by su +unless the user is on a secure TTY defined in /etc/securetty. This +resembles the default PAM configuration of some Linux distros which +specify the nullok_secure option for pam_unix.so. +--- + loginutils/Config.src | 5 +++++ + loginutils/su.c | 13 ++++++++----- + 2 files changed, 13 insertions(+), 5 deletions(-) + +diff --git a/loginutils/Config.src b/loginutils/Config.src +index fa2b4f8..a150899 100644 +--- a/loginutils/Config.src ++++ b/loginutils/Config.src +@@ -311,6 +311,11 @@ config FEATURE_SU_CHECKS_SHELLS + depends on SU + default y + ++config FEATURE_SU_NULLOK_SECURE ++ bool "Disallow blank passwords from TTYs other than specified in /etc/securetty" ++ depends on SU ++ default n ++ + config SULOGIN + bool "sulogin" + default y +diff --git a/loginutils/su.c b/loginutils/su.c +index f812505..bd0cb35 100644 +--- a/loginutils/su.c ++++ b/loginutils/su.c +@@ -51,6 +51,7 @@ int su_main(int argc UNUSED_PARAM, char **argv) + struct passwd *pw; + uid_t cur_uid = getuid(); + const char *tty; ++ int allow_blank = 1; + #if ENABLE_FEATURE_UTMP + char user_buf[64]; + #endif +@@ -71,6 +72,12 @@ int su_main(int argc UNUSED_PARAM, char **argv) + argv++; + } + ++ tty = xmalloc_ttyname(STDIN_FILENO); ++ if (!tty) tty = "none"; ++ tty = skip_dev_pfx(tty); ++ ++ if (ENABLE_FEATURE_SU_NULLOK_SECURE) allow_blank = check_securetty(tty); ++ + if (ENABLE_FEATURE_SU_SYSLOG) { + /* The utmp entry (via getlogin) is probably the best way to + * identify the user, especially if someone su's from a su-shell. +@@ -84,16 +91,12 @@ int su_main(int argc UNUSED_PARAM, char **argv) + pw = getpwuid(cur_uid); + old_user = pw ? xstrdup(pw->pw_name) : ""; + } +- tty = xmalloc_ttyname(2); +- if (!tty) { +- tty = "none"; +- } + openlog(applet_name, 0, LOG_AUTH); + } + + pw = xgetpwnam(opt_username); + +- if (cur_uid == 0 || ask_and_check_password(pw) > 0) { ++ if (cur_uid == 0 || ask_and_check_password_extended(pw, 0, allow_blank, "Password: ") > 0) { + if (ENABLE_FEATURE_SU_SYSLOG) + syslog(LOG_NOTICE, "%c %s %s:%s", + '+', tty, old_user, opt_username); +-- +2.6.3 + diff --git a/main/busybox/APKBUILD b/main/busybox/APKBUILD index e3f3a9bd80..e130024ff1 100644 --- a/main/busybox/APKBUILD +++ b/main/busybox/APKBUILD @@ -2,7 +2,7 @@ # Maintainer: Natanael Copa <ncopa@alpinelinux.org> pkgname=busybox pkgver=1.24.1 -pkgrel=4 +pkgrel=5 pkgdesc="Size optimized toolbox of many common UNIX utilities" url=http://busybox.net arch="all" @@ -34,6 +34,10 @@ source="http://busybox.net/downloads/$pkgname-$pkgver.tar.bz2 2002-depmod-support-generating-kmod-binary-index-files.patch 2003-modinfo-fix-argument-parsing-and-printing-of-firmwar.patch + 3001-login-move-check_securetty-to-libbb.patch + 3002-libbb-allow_blank-argument-for-ask_and_check_passwor.patch + 3003-su-FEATURE_SU_NULLOK_SECURE.patch + 0001-ash-backport-fix-for-here-document-issues.patch 0001-ash-fix-error-during-recursive-processing-of-here-do.patch @@ -150,10 +154,13 @@ b56d306ccba574da78dff060b7330806 1001-fbsplash-support-console-switching.patch ad908fc45563148d9f22b50c6e78e0d4 2001-modutils-merge-module_entry-and-module_info-to-commo.patch 313fa7175333161c549af097d9f62a79 2002-depmod-support-generating-kmod-binary-index-files.patch 47987a0add3da5f2b1bac13c62120423 2003-modinfo-fix-argument-parsing-and-printing-of-firmwar.patch +94ab8b7b930df2f8f04da0e69da258da 3001-login-move-check_securetty-to-libbb.patch +f7c45568bdb0d2295c43108691e78a40 3002-libbb-allow_blank-argument-for-ask_and_check_passwor.patch +f82d49c891c02516462db3cda29ccca7 3003-su-FEATURE_SU_NULLOK_SECURE.patch 5f03ee6f3e93bbc6aedff0777b227810 0001-ash-backport-fix-for-here-document-issues.patch a4d1cf64fd1835a284ccc6dbc78e3ce0 0001-ash-fix-error-during-recursive-processing-of-here-do.patch 4046b78ee6a25259954797d73b94f4bd acpid.logrotate -08cc87d52169236c035e7a562d606514 busyboxconfig +5cddea6331e6aff69869568b679186ec busyboxconfig befaac2c59c380e36a452b3f1c1d4a3a glibc.patch" sha256sums="37d03132cc078937360b392170b7a1d0e5b322eee9f57c0b82292a8b1f0afe3d busybox-1.24.1.tar.bz2 81957f1fe0c386120dad1c8174ccc1fcfeed98c14d229db7d164d4fb4c938b3d bbsuid.c @@ -171,10 +178,13 @@ e1f3fad8e21dfd72cfcae7ab3ba31d7938e964e0f9ec08b2da0b14d462435424 1002-fbsplash- 16ee3a66e5854adbcb7ea6b1ea5846bac49dcf6d874e167f57e88f2fbd5cd0a5 2001-modutils-merge-module_entry-and-module_info-to-commo.patch dbddad67d6b6054b8ffe7159f7fd3189bf3b433ba8f179fb6915caeea20d1b4e 2002-depmod-support-generating-kmod-binary-index-files.patch ea589dcd25037e3fefd2f3d6ac801a2a4a61a5cfd2d765785ea5558ed3937776 2003-modinfo-fix-argument-parsing-and-printing-of-firmwar.patch +34c694cc2ac69ee2d6bbfe45a20c68036b6299ad7e4a1a8df9bf1ce0a4637bd7 3001-login-move-check_securetty-to-libbb.patch +ce24e38be870c90bdcb90e7b0445067adf7be0fac6b1154d2364a4db9ee3a9d8 3002-libbb-allow_blank-argument-for-ask_and_check_passwor.patch +d7b18672334ddeee7fbd6c0e92f26c5d2ef49ddefebf0b7f6eff8dc1ad8d3f7e 3003-su-FEATURE_SU_NULLOK_SECURE.patch f712ce190ce86084d56977e125d1561615394f3d9b840e926537868260e19d79 0001-ash-backport-fix-for-here-document-issues.patch 1d3f8f7b6d0972f8e56437fce8efbafe70e2d869fbe82f06eba11e0103fce224 0001-ash-fix-error-during-recursive-processing-of-here-do.patch f7cbeb5a5a47395ad30454ce8262abcd3e91c33ef803c2ae31a9258d7142dd48 acpid.logrotate -3c44bace3822cc83f1a68690775e7bf51a659565a50dfe5344b40bfca782b2ec busyboxconfig +ddc0c2e87e37a5e6cc878c5c5c14093c43b361a4d32eee813e0f0b01900efb9e busyboxconfig c604ef791c31d35a8c5ee4558d21428a46f37a6d762c4a7e29864f4037fc44a0 glibc.patch" sha512sums="3afc757ebaae61ae13c2c69097ee734717434f9e658eb77093a8b7b49af3326cbca2d723483ff84a1da99544b822fd2b47d9a97c68f09962e11754e5daf124ca busybox-1.24.1.tar.bz2 16b3dd6a8b76b062d51458351fcb44f84b49eb4bf898584c933df90fb2cb3966f9547865a4d7447589bb20b7c203beb04ff7512f76f85d29138d2cff4eb9ee81 bbsuid.c @@ -192,8 +202,11 @@ c33073416f7da2805a20f3f456f869217171c8fbfdef85f4ae481307aeb1e1b5717084bbbc619010 d94d17806f08ad54366ca623fbe8663b6397b28d68860239edc9305e6006f01d4ea1c1fd2033b30d302fd095145b018aa6a1707b07b7b4dfcaa8e0388b6737d0 2001-modutils-merge-module_entry-and-module_info-to-commo.patch daadb1b255a8d30f2a13b84c2120427998d8173cf10754b9117e19a6fea8926d1820005f4d99a4a6999a559e731b5339c12ead22b3efbe1f0e752671363129a5 2002-depmod-support-generating-kmod-binary-index-files.patch 80589e03021fd0cb7bf29c3747e5396bf53dc99ecfecf78de86759e5c3939652d7f022f4534de0a35228bd782c1a44c4762f027d198790ec2c1bb76d6f7f102d 2003-modinfo-fix-argument-parsing-and-printing-of-firmwar.patch +1832d2a09625cb60998c54330a751f13dec97da2c4133db29c10f77fa3314fd2ef2002a45eab7215ed1a0dd8b84a8a4c7d4c1d225b5ee012fe357a8777707a17 3001-login-move-check_securetty-to-libbb.patch +ed8d060b85d4da1681eb35ba64c5b249391e6a7edbeb55b8952897f08fe9bafac33593992772d80a6df42dd3af0e175ce9575ee51c49fbc875008ad0ac2f6f06 3002-libbb-allow_blank-argument-for-ask_and_check_passwor.patch +c6579970450e7c711461ab1953f534ae855c4a355b4a452b3fc52a286355c87e41f8951b1b5217d0f659e3173ace8718d42dad3dcc878899cf9decdf4d3fe238 3003-su-FEATURE_SU_NULLOK_SECURE.patch d55cab6ed08434e2a278edf1be6171b921bcaee47598988e4de6b390a01569e10394c54d5d4a27e6eba251ce68df5cc1ece358be32a9c31bdf1f7e9147cf5180 0001-ash-backport-fix-for-here-document-issues.patch c14a632f9477c13ea99b24a73c81c9c44ead8b536970acd758e739b43a6260860039674341192ce7bb20a9204ee7d93dcd9541e526f2437d4d2d88637b400867 0001-ash-fix-error-during-recursive-processing-of-here-do.patch dadb4c953ebc755b88ee95c1489feb0c2d352f6e44abc716166024e6eea11ab9d10c84fad62c081775834d205cb04aa1be3c994676c88f4284495c54b9188e8b acpid.logrotate -5d5a23dc4c6b808b62d888225ba79dc726c8c2776b86d85cc01206e7e861c72d8fe23434eef74b1cfa3e8054618fa87a81af05ca22264a1901fd52944ea8c30a busyboxconfig +249f9c4769b7e20149109810bed8ed48c87e7e67817f27fbb620857bb3db1857f2d1616c4badba5c9eb2b6a1a14a15e89327b8c5f3c2d3ea15d09e252bab2a20 busyboxconfig 1d2739379dab1deb3eae7cffd4845300eb7d30f7343b4a1209b21a5680860d55080ad45fdefe098b249ce3040c01951fa7f0a79cd447b2d7b260eb000099d9dc glibc.patch" diff --git a/main/busybox/busyboxconfig b/main/busybox/busyboxconfig index f49ee7762b..6efc267ec8 100644 --- a/main/busybox/busyboxconfig +++ b/main/busybox/busyboxconfig @@ -1,7 +1,7 @@ # # Automatically generated make config: don't edit # Busybox version: 1.24.1 -# Wed Oct 28 15:46:41 2015 +# Mon Dec 7 13:04:53 2015 # CONFIG_HAVE_DOT_CONFIG=y @@ -505,6 +505,7 @@ CONFIG_FEATURE_DEFAULT_PASSWD_ALGO="sha512" CONFIG_SU=y CONFIG_FEATURE_SU_SYSLOG=y CONFIG_FEATURE_SU_CHECKS_SHELLS=y +CONFIG_FEATURE_SU_NULLOK_SECURE=y # CONFIG_SULOGIN is not set CONFIG_VLOCK=y |