-rw-r--r--main/busybox/3001-login-move-check_securetty-to-libbb.patch103
-rw-r--r--main/busybox/3002-libbb-allow_blank-argument-for-ask_and_check_passwor.patch70
-rw-r--r--main/busybox/3003-su-FEATURE_SU_NULLOK_SECURE.patch76
-rw-r--r--main/busybox/APKBUILD21
-rw-r--r--main/busybox/busyboxconfig3
5 files changed, 268 insertions, 5 deletions
diff --git a/main/busybox/3001-login-move-check_securetty-to-libbb.patch b/main/busybox/3001-login-move-check_securetty-to-libbb.patch
new file mode 100644
index 0000000000..07a7246867
--- /dev/null
+++ b/main/busybox/3001-login-move-check_securetty-to-libbb.patch
@@ -0,0 +1,103 @@
+From 2543aee0930976d95822a88d840cf139261f7fe0 Mon Sep 17 00:00:00 2001
+From: Kaarle Ritvanen <kaarle.ritvanen@datakunkku.fi>
+Date: Thu, 5 Nov 2015 16:27:34 +0200
+Subject: [PATCH 3001/3003] login: move check_securetty to libbb
+
+---
+ include/libbb.h | 1 +
+ libbb/Kbuild.src | 1 +
+ libbb/securetty.c | 27 +++++++++++++++++++++++++++
+ loginutils/login.c | 19 -------------------
+ 4 files changed, 29 insertions(+), 19 deletions(-)
+ create mode 100644 libbb/securetty.c
+
+diff --git a/include/libbb.h b/include/libbb.h
+index a8ceb44..516f42e 100644
+--- a/include/libbb.h
++++ b/include/libbb.h
+@@ -1360,6 +1360,7 @@ int sd_listen_fds(void);
+ #define SETUP_ENV_NO_CHDIR (1 << 4)
+ void setup_environment(const char *shell, int flags, const struct passwd *pw) FAST_FUNC;
+ void nuke_str(char *str) FAST_FUNC;
++int check_securetty(const char *short_tty);
+ int check_password(const struct passwd *pw, const char *plaintext) FAST_FUNC;
+ int ask_and_check_password_extended(const struct passwd *pw, int timeout, const char *prompt) FAST_FUNC;
+ int ask_and_check_password(const struct passwd *pw) FAST_FUNC;
+diff --git a/libbb/Kbuild.src b/libbb/Kbuild.src
+index 7fb6872..0f09de7 100644
+--- a/libbb/Kbuild.src
++++ b/libbb/Kbuild.src
+@@ -84,6 +84,7 @@ lib-y += safe_gethostname.o
+ lib-y += safe_poll.o
+ lib-y += safe_strncpy.o
+ lib-y += safe_write.o
++lib-y += securetty.o
+ lib-y += setup_environment.o
+ lib-y += signals.o
+ lib-y += simplify_path.o
+diff --git a/libbb/securetty.c b/libbb/securetty.c
+new file mode 100644
+index 0000000..95edbc9
+--- /dev/null
++++ b/libbb/securetty.c
+@@ -0,0 +1,27 @@
++/* vi: set sw=4 ts=4: */
++/*
++ * /etc/securetty checking.
++ *
++ * Licensed under GPLv2, see file LICENSE in this source tree.
++ */
++
++#include "libbb.h"
++
++#if ENABLE_FEATURE_SECURETTY && !ENABLE_PAM
++int check_securetty(const char *short_tty)
++{
++ char *buf = (char*)"/etc/securetty"; /* any non-NULL is ok */
++ parser_t *parser = config_open2("/etc/securetty", fopen_for_read);
++ while (config_read(parser, &buf, 1, 1, "# \t", PARSE_NORMAL)) {
++ if (strcmp(buf, short_tty) == 0)
++ break;
++ buf = NULL;
++ }
++ config_close(parser);
++ /* buf != NULL here if config file was not found, empty
++ * or line was found which equals short_tty */
++ return buf != NULL;
++}
++#else
++ALWAYS_INLINE int check_securetty(const char *short_tty UNUSED_PARAM) { return 1; }
++#endif
+diff --git a/loginutils/login.c b/loginutils/login.c
+index 1700cfc..b38a1fb 100644
+--- a/loginutils/login.c
++++ b/loginutils/login.c
+@@ -79,25 +79,6 @@ static void die_if_nologin(void)
+ # define die_if_nologin() ((void)0)
+ #endif
+
+-#if ENABLE_FEATURE_SECURETTY && !ENABLE_PAM
+-static int check_securetty(const char *short_tty)
+-{
+- char *buf = (char*)"/etc/securetty"; /* any non-NULL is ok */
+- parser_t *parser = config_open2("/etc/securetty", fopen_for_read);
+- while (config_read(parser, &buf, 1, 1, "# \t", PARSE_NORMAL)) {
+- if (strcmp(buf, short_tty) == 0)
+- break;
+- buf = NULL;
+- }
+- config_close(parser);
+- /* buf != NULL here if config file was not found, empty
+- * or line was found which equals short_tty */
+- return buf != NULL;
+-}
+-#else
+-static ALWAYS_INLINE int check_securetty(const char *short_tty UNUSED_PARAM) { return 1; }
+-#endif
+-
+ #if ENABLE_SELINUX
+ static void initselinux(char *username, char *full_tty,
+ security_context_t *user_sid)
+--
+2.6.3
+
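Review bot: The prototype added to include/libbb.h exports check_securetty() without stating its return contract, and per the comment in libbb/securetty.c the function returns 1 not only when short_tty is listed but also when /etc/securetty is not found or is empty. Now that code outside login.c can call it for access decisions, I would state that at the declaration, e.g. `/* Returns 1 if short_tty is listed in /etc/securetty, or if that file is missing or empty */`. The prototype also lacks the `FAST_FUNC` its neighbours carry, and the `#else` stub keeps `ALWAYS_INLINE` on what is now a non-static definition, which looks like a leftover from the static version removed from login.c.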
diff --git a/main/busybox/3002-libbb-allow_blank-argument-for-ask_and_check_passwor.patch b/main/busybox/3002-libbb-allow_blank-argument-for-ask_and_check_passwor.patch
new file mode 100644
index 0000000000..1722be2ccd
--- /dev/null
+++ b/main/busybox/3002-libbb-allow_blank-argument-for-ask_and_check_passwor.patch
@@ -0,0 +1,70 @@
+From 12b6eff3a535a55441b6a84c24407626edf44b76 Mon Sep 17 00:00:00 2001
+From: Kaarle Ritvanen <kaarle.ritvanen@datakunkku.fi>
+Date: Thu, 5 Nov 2015 16:27:35 +0200
+Subject: [PATCH 3002/3003] libbb: allow_blank argument for
+ ask_and_check_password_extended()
+
+---
+ include/libbb.h | 2 +-
+ libbb/correct_password.c | 6 +++---
+ loginutils/sulogin.c | 2 +-
+ 3 files changed, 5 insertions(+), 5 deletions(-)
+
+diff --git a/include/libbb.h b/include/libbb.h
+index 516f42e..ece8d37 100644
+--- a/include/libbb.h
++++ b/include/libbb.h
+@@ -1362,7 +1362,7 @@ void setup_environment(const char *shell, int flags, const struct passwd *pw) FA
+ void nuke_str(char *str) FAST_FUNC;
+ int check_securetty(const char *short_tty);
+ int check_password(const struct passwd *pw, const char *plaintext) FAST_FUNC;
+-int ask_and_check_password_extended(const struct passwd *pw, int timeout, const char *prompt) FAST_FUNC;
++int ask_and_check_password_extended(const struct passwd *pw, int timeout, int allow_blank, const char *prompt) FAST_FUNC;
+ int ask_and_check_password(const struct passwd *pw) FAST_FUNC;
+ /* Returns a malloced string */
+ #if !ENABLE_USE_BB_CRYPT
+diff --git a/libbb/correct_password.c b/libbb/correct_password.c
+index 513c930..57cd2b8 100644
+--- a/libbb/correct_password.c
++++ b/libbb/correct_password.c
+@@ -96,7 +96,7 @@ int FAST_FUNC check_password(const struct passwd *pw, const char *plaintext)
+ * NULL pw means "just fake it for login with bad username"
+ */
+ int FAST_FUNC ask_and_check_password_extended(const struct passwd *pw,
+- int timeout, const char *prompt)
++ int timeout, int allow_blank, const char *prompt)
+ {
+ IF_FEATURE_SHADOWPASSWDS(char buffer[SHADOW_BUFSIZE];)
+ char *plaintext;
+@@ -105,7 +105,7 @@ int FAST_FUNC ask_and_check_password_extended(const struct passwd *pw,
+
+ pw_pass = get_passwd(pw, buffer);
+ if (!pw_pass[0]) /* empty password field? */
+- return 1;
++ return allow_blank;
+
+ plaintext = bb_ask(STDIN_FILENO, timeout, prompt);
+ if (!plaintext) {
+@@ -120,5 +120,5 @@ int FAST_FUNC ask_and_check_password_extended(const struct passwd *pw,
+
+ int FAST_FUNC ask_and_check_password(const struct passwd *pw)
+ {
+- return ask_and_check_password_extended(pw, 0, "Password: ");
++ return ask_and_check_password_extended(pw, 0, 1, "Password: ");
+ }
+diff --git a/loginutils/sulogin.c b/loginutils/sulogin.c
+index 2a29099..4013f11 100644
+--- a/loginutils/sulogin.c
++++ b/loginutils/sulogin.c
+@@ -53,7 +53,7 @@ int sulogin_main(int argc UNUSED_PARAM, char **argv)
+ while (1) {
+ int r;
+
+- r = ask_and_check_password_extended(pwd, timeout,
++ r = ask_and_check_password_extended(pwd, timeout, 1,
+ "Give root password for system maintenance\n"
+ "(or type Control-D for normal startup):"
+ );
+--
+2.6.3
+
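Review bot: With `return allow_blank;` in ask_and_check_password_extended(), an account whose password field is empty is rejected before bb_ask() is called when the caller passes 0, so the failure arrives with no prompt. That appears to be distinguishable from the prompt-then-fail path taken for an account that has a password. If the difference is not intended, the `!allow_blank` case could prompt and discard the input before returning 0. The comment block above the function (only its last line is visible here) should also gain a line such as `* allow_blank: value returned when the password field is empty (0 rejects blank passwords)`. The function body continues outside the hunk.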
diff --git a/main/busybox/3003-su-FEATURE_SU_NULLOK_SECURE.patch b/main/busybox/3003-su-FEATURE_SU_NULLOK_SECURE.patch
new file mode 100644
index 0000000000..bb0e1c64ce
--- /dev/null
+++ b/main/busybox/3003-su-FEATURE_SU_NULLOK_SECURE.patch
@@ -0,0 +1,76 @@
+From 0acd825122c5e2d1b2ba6a0d0f42960cefaafa88 Mon Sep 17 00:00:00 2001
+From: Kaarle Ritvanen <kaarle.ritvanen@datakunkku.fi>
+Date: Thu, 5 Nov 2015 16:27:36 +0200
+Subject: [PATCH 3003/3003] su: FEATURE_SU_NULLOK_SECURE
+
+When this feature is enabled, blank passwords are not accepted by su
+unless the user is on a secure TTY defined in /etc/securetty. This
+resembles the default PAM configuration of some Linux distros which
+specify the nullok_secure option for pam_unix.so.
+---
+ loginutils/Config.src | 5 +++++
+ loginutils/su.c | 13 ++++++++-----
+ 2 files changed, 13 insertions(+), 5 deletions(-)
+
+diff --git a/loginutils/Config.src b/loginutils/Config.src
+index fa2b4f8..a150899 100644
+--- a/loginutils/Config.src
++++ b/loginutils/Config.src
+@@ -311,6 +311,11 @@ config FEATURE_SU_CHECKS_SHELLS
+ depends on SU
+ default y
+
++config FEATURE_SU_NULLOK_SECURE
++ bool "Disallow blank passwords from TTYs other than specified in /etc/securetty"
++ depends on SU
++ default n
++
+ config SULOGIN
+ bool "sulogin"
+ default y
+diff --git a/loginutils/su.c b/loginutils/su.c
+index f812505..bd0cb35 100644
+--- a/loginutils/su.c
++++ b/loginutils/su.c
+@@ -51,6 +51,7 @@ int su_main(int argc UNUSED_PARAM, char **argv)
+ struct passwd *pw;
+ uid_t cur_uid = getuid();
+ const char *tty;
++ int allow_blank = 1;
+ #if ENABLE_FEATURE_UTMP
+ char user_buf[64];
+ #endif
+@@ -71,6 +72,12 @@ int su_main(int argc UNUSED_PARAM, char **argv)
+ argv++;
+ }
+
++ tty = xmalloc_ttyname(STDIN_FILENO);
++ if (!tty) tty = "none";
++ tty = skip_dev_pfx(tty);
++
++ if (ENABLE_FEATURE_SU_NULLOK_SECURE) allow_blank = check_securetty(tty);
++
+ if (ENABLE_FEATURE_SU_SYSLOG) {
+ /* The utmp entry (via getlogin) is probably the best way to
+ * identify the user, especially if someone su's from a su-shell.
+@@ -84,16 +91,12 @@ int su_main(int argc UNUSED_PARAM, char **argv)
+ pw = getpwuid(cur_uid);
+ old_user = pw ? xstrdup(pw->pw_name) : "";
+ }
+- tty = xmalloc_ttyname(2);
+- if (!tty) {
+- tty = "none";
+- }
+ openlog(applet_name, 0, LOG_AUTH);
+ }
+
+ pw = xgetpwnam(opt_username);
+
+- if (cur_uid == 0 || ask_and_check_password(pw) > 0) {
++ if (cur_uid == 0 || ask_and_check_password_extended(pw, 0, allow_blank, "Password: ") > 0) {
+ if (ENABLE_FEATURE_SU_SYSLOG)
+ syslog(LOG_NOTICE, "%c %s %s:%s",
+ '+', tty, old_user, opt_username);
+--
+2.6.3
+
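Review bot: FEATURE_SU_NULLOK_SECURE can be enabled in builds where it does nothing: patch 3001 compiles check_securetty() to `return 1` unless ENABLE_FEATURE_SECURETTY is set and ENABLE_PAM is not, yet the new Config.src entry only has `depends on SU`. I would tighten that to `depends on SU && FEATURE_SECURETTY && !PAM` and add a help text saying that a missing or empty /etc/securetty still permits blank passwords from every TTY, since check_securetty() returns 1 in that case. In su_main the TTY lookup also moves from fd 2 to `STDIN_FILENO` and substitutes "none" when stdin is not a terminal, so with no securetty file a blank password is accepted even without a TTY; setting `allow_blank = tty && check_securetty(skip_dev_pfx(tty));` before the "none" fallback would refuse that case. su_main starts and ends outside the hunk.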
diff --git a/main/busybox/APKBUILD b/main/busybox/APKBUILD
index e3f3a9bd80..e130024ff1 100644
--- a/main/busybox/APKBUILD
+++ b/main/busybox/APKBUILD
@@ -2,7 +2,7 @@
# Maintainer: Natanael Copa <ncopa@alpinelinux.org>
pkgname=busybox
pkgver=1.24.1
-pkgrel=4
+pkgrel=5
pkgdesc="Size optimized toolbox of many common UNIX utilities"
url=http://busybox.net
arch="all"
@@ -34,6 +34,10 @@ source="http://busybox.net/downloads/$pkgname-$pkgver.tar.bz2
2002-depmod-support-generating-kmod-binary-index-files.patch
2003-modinfo-fix-argument-parsing-and-printing-of-firmwar.patch
+ 3001-login-move-check_securetty-to-libbb.patch
+ 3002-libbb-allow_blank-argument-for-ask_and_check_passwor.patch
+ 3003-su-FEATURE_SU_NULLOK_SECURE.patch
+
0001-ash-backport-fix-for-here-document-issues.patch
0001-ash-fix-error-during-recursive-processing-of-here-do.patch
@@ -150,10 +154,13 @@ b56d306ccba574da78dff060b7330806 1001-fbsplash-support-console-switching.patch
ad908fc45563148d9f22b50c6e78e0d4 2001-modutils-merge-module_entry-and-module_info-to-commo.patch
313fa7175333161c549af097d9f62a79 2002-depmod-support-generating-kmod-binary-index-files.patch
47987a0add3da5f2b1bac13c62120423 2003-modinfo-fix-argument-parsing-and-printing-of-firmwar.patch
+94ab8b7b930df2f8f04da0e69da258da 3001-login-move-check_securetty-to-libbb.patch
+f7c45568bdb0d2295c43108691e78a40 3002-libbb-allow_blank-argument-for-ask_and_check_passwor.patch
+f82d49c891c02516462db3cda29ccca7 3003-su-FEATURE_SU_NULLOK_SECURE.patch
5f03ee6f3e93bbc6aedff0777b227810 0001-ash-backport-fix-for-here-document-issues.patch
a4d1cf64fd1835a284ccc6dbc78e3ce0 0001-ash-fix-error-during-recursive-processing-of-here-do.patch
4046b78ee6a25259954797d73b94f4bd acpid.logrotate
-08cc87d52169236c035e7a562d606514 busyboxconfig
+5cddea6331e6aff69869568b679186ec busyboxconfig
befaac2c59c380e36a452b3f1c1d4a3a glibc.patch"
sha256sums="37d03132cc078937360b392170b7a1d0e5b322eee9f57c0b82292a8b1f0afe3d busybox-1.24.1.tar.bz2
81957f1fe0c386120dad1c8174ccc1fcfeed98c14d229db7d164d4fb4c938b3d bbsuid.c
@@ -171,10 +178,13 @@ e1f3fad8e21dfd72cfcae7ab3ba31d7938e964e0f9ec08b2da0b14d462435424 1002-fbsplash-
16ee3a66e5854adbcb7ea6b1ea5846bac49dcf6d874e167f57e88f2fbd5cd0a5 2001-modutils-merge-module_entry-and-module_info-to-commo.patch
dbddad67d6b6054b8ffe7159f7fd3189bf3b433ba8f179fb6915caeea20d1b4e 2002-depmod-support-generating-kmod-binary-index-files.patch
ea589dcd25037e3fefd2f3d6ac801a2a4a61a5cfd2d765785ea5558ed3937776 2003-modinfo-fix-argument-parsing-and-printing-of-firmwar.patch
+34c694cc2ac69ee2d6bbfe45a20c68036b6299ad7e4a1a8df9bf1ce0a4637bd7 3001-login-move-check_securetty-to-libbb.patch
+ce24e38be870c90bdcb90e7b0445067adf7be0fac6b1154d2364a4db9ee3a9d8 3002-libbb-allow_blank-argument-for-ask_and_check_passwor.patch
+d7b18672334ddeee7fbd6c0e92f26c5d2ef49ddefebf0b7f6eff8dc1ad8d3f7e 3003-su-FEATURE_SU_NULLOK_SECURE.patch
f712ce190ce86084d56977e125d1561615394f3d9b840e926537868260e19d79 0001-ash-backport-fix-for-here-document-issues.patch
1d3f8f7b6d0972f8e56437fce8efbafe70e2d869fbe82f06eba11e0103fce224 0001-ash-fix-error-during-recursive-processing-of-here-do.patch
f7cbeb5a5a47395ad30454ce8262abcd3e91c33ef803c2ae31a9258d7142dd48 acpid.logrotate
-3c44bace3822cc83f1a68690775e7bf51a659565a50dfe5344b40bfca782b2ec busyboxconfig
+ddc0c2e87e37a5e6cc878c5c5c14093c43b361a4d32eee813e0f0b01900efb9e busyboxconfig
c604ef791c31d35a8c5ee4558d21428a46f37a6d762c4a7e29864f4037fc44a0 glibc.patch"
sha512sums="3afc757ebaae61ae13c2c69097ee734717434f9e658eb77093a8b7b49af3326cbca2d723483ff84a1da99544b822fd2b47d9a97c68f09962e11754e5daf124ca busybox-1.24.1.tar.bz2
16b3dd6a8b76b062d51458351fcb44f84b49eb4bf898584c933df90fb2cb3966f9547865a4d7447589bb20b7c203beb04ff7512f76f85d29138d2cff4eb9ee81 bbsuid.c
@@ -192,8 +202,11 @@ c33073416f7da2805a20f3f456f869217171c8fbfdef85f4ae481307aeb1e1b5717084bbbc619010
d94d17806f08ad54366ca623fbe8663b6397b28d68860239edc9305e6006f01d4ea1c1fd2033b30d302fd095145b018aa6a1707b07b7b4dfcaa8e0388b6737d0 2001-modutils-merge-module_entry-and-module_info-to-commo.patch
daadb1b255a8d30f2a13b84c2120427998d8173cf10754b9117e19a6fea8926d1820005f4d99a4a6999a559e731b5339c12ead22b3efbe1f0e752671363129a5 2002-depmod-support-generating-kmod-binary-index-files.patch
80589e03021fd0cb7bf29c3747e5396bf53dc99ecfecf78de86759e5c3939652d7f022f4534de0a35228bd782c1a44c4762f027d198790ec2c1bb76d6f7f102d 2003-modinfo-fix-argument-parsing-and-printing-of-firmwar.patch
+1832d2a09625cb60998c54330a751f13dec97da2c4133db29c10f77fa3314fd2ef2002a45eab7215ed1a0dd8b84a8a4c7d4c1d225b5ee012fe357a8777707a17 3001-login-move-check_securetty-to-libbb.patch
+ed8d060b85d4da1681eb35ba64c5b249391e6a7edbeb55b8952897f08fe9bafac33593992772d80a6df42dd3af0e175ce9575ee51c49fbc875008ad0ac2f6f06 3002-libbb-allow_blank-argument-for-ask_and_check_passwor.patch
+c6579970450e7c711461ab1953f534ae855c4a355b4a452b3fc52a286355c87e41f8951b1b5217d0f659e3173ace8718d42dad3dcc878899cf9decdf4d3fe238 3003-su-FEATURE_SU_NULLOK_SECURE.patch
d55cab6ed08434e2a278edf1be6171b921bcaee47598988e4de6b390a01569e10394c54d5d4a27e6eba251ce68df5cc1ece358be32a9c31bdf1f7e9147cf5180 0001-ash-backport-fix-for-here-document-issues.patch
c14a632f9477c13ea99b24a73c81c9c44ead8b536970acd758e739b43a6260860039674341192ce7bb20a9204ee7d93dcd9541e526f2437d4d2d88637b400867 0001-ash-fix-error-during-recursive-processing-of-here-do.patch
dadb4c953ebc755b88ee95c1489feb0c2d352f6e44abc716166024e6eea11ab9d10c84fad62c081775834d205cb04aa1be3c994676c88f4284495c54b9188e8b acpid.logrotate
-5d5a23dc4c6b808b62d888225ba79dc726c8c2776b86d85cc01206e7e861c72d8fe23434eef74b1cfa3e8054618fa87a81af05ca22264a1901fd52944ea8c30a busyboxconfig
+249f9c4769b7e20149109810bed8ed48c87e7e67817f27fbb620857bb3db1857f2d1616c4badba5c9eb2b6a1a14a15e89327b8c5f3c2d3ea15d09e252bab2a20 busyboxconfig
1d2739379dab1deb3eae7cffd4845300eb7d30f7343b4a1209b21a5680860d55080ad45fdefe098b249ce3040c01951fa7f0a79cd447b2d7b260eb000099d9dc glibc.patch"
diff --git a/main/busybox/busyboxconfig b/main/busybox/busyboxconfig
index f49ee7762b..6efc267ec8 100644
--- a/main/busybox/busyboxconfig
+++ b/main/busybox/busyboxconfig
@@ -1,7 +1,7 @@
#
# Automatically generated make config: don't edit
# Busybox version: 1.24.1
-# Wed Oct 28 15:46:41 2015
+# Mon Dec 7 13:04:53 2015
#
CONFIG_HAVE_DOT_CONFIG=y
@@ -505,6 +505,7 @@ CONFIG_FEATURE_DEFAULT_PASSWD_ALGO="sha512"
CONFIG_SU=y
CONFIG_FEATURE_SU_SYSLOG=y
CONFIG_FEATURE_SU_CHECKS_SHELLS=y
+CONFIG_FEATURE_SU_NULLOK_SECURE=y
# CONFIG_SULOGIN is not set
CONFIG_VLOCK=y