* Re: SE/Linux patch - http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=249499
From: Luke Kenneth Casson Leighton @ 2004-05-30 22:23 UTC (permalink / raw)
To: nicholas.vermeer; +Cc: SE-Linux, pam-list
On Sun, May 30, 2004 at 04:48:09PM -0400, Sam Hartman wrote:
> I indicated a willingness to work with Russel on selinux integration
> but he never got back to me.
oh?
ah.
seems like communication has been lost in transit then.
> He asked if I was interested in
> upgrading to PAM 0.77. I said no because it seemed like a lot of work
> for no significant gain.
*thinks*. lessavalook.
okay... debian's pam version is 0.76. SHRIEK there's a stack
of patches in the debian/patches directory!! no wonder it'd
be a lot of work!
and the NSA's pam patch is against 0.77, and it's 1,934 lines long.
eep :)
okay, let's see if it cleanly applies to 0.76.... annnd no it
doesn't.
okay, i tried doing a merge, but i am beginning to get into trouble
on pam_unix_passwd.c.
for example, in the original 0.76 pam_unix_passwd.c file, there
is code that does:
chown(OPW_TMPFILE, 0, 0);
chmod(OPW_TMPFILE, 0600);
yet i see no such thing in 0.77.
but i _do_ see a fchmod(fileno(owfile), st.st_mode).
and then later on there appear to be inconsistencies when
the shadow password file is handled in a similar fashion.
[whoever did that rewrite of pam 0.77, you're a pain! :)
only kidding.
you introduced a different style "set err = -1; goto end"
instead of returning an error message immediately: i know
_why_ it was done, it's to be able to clean-up the selinux
context at the end of that function which has over five
return points.
knowing why doesn't mean i have to like it if it causes a
patch to happen not to apply against an older version.
*grump*. ignore me.
]
i think the mods to unix_chkpwd.c, where there is a single clash
in main at the comment "read the nullok/nonull option", are
more straightforward to resolve.
it's just these passwd file and shadow file handling patches
that are... "odd" and don't cleanly apply.
> I indicated willingness to take patches from
> upstream's cvs if they made the selinux work easier but he never
> responded to the offer.
the only thing i can think of is that a communication thread has
been lost, somehow, because russell is under the impression that
pam / selinux integration has stalled.
*click*.
oh, so you'd be happy for someone (me being the closest victim)
to attempt a patch against the latest pam cvs rather than
specifically against 0.77?
hey, that's worth a shot, because against 0.76 it ain't gonna
happen - not cleanly, anyway.
correct me if a quick googling is wrong, but that's
http://sf.net/projects/pam, yes?
l.
_______________________________________________
Pam-list mailing list
Pam-list@redhat.com
https://www.redhat.com/mailman/listinfo/pam-list
--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.
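The two temp-file styles the message contrasts, as an added example written for this page and not taken from Linux-PAM, the Debian patches or the NSA patch: a hypothetical helper that opens the temporary old-password file and copies ownership and mode onto the open descriptor (the 0.77 approach) instead of setting them by path name (the 0.76 chown/chmod calls), plus a self-check on a constructed file. The function names and the /tmp paths are assumptions.

```c
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>
/* Hypothetical helper, not pam_unix code: open a temporary replacement
 * for an old-password file the 0.77 way, applying owner and mode to the
 * open descriptor rather than to the path name (0.76 used
 * chown(OPW_TMPFILE, 0, 0); chmod(OPW_TMPFILE, 0600) on the name).
 * Returns the open fd, or -1 with errno set. */
int open_opasswd_tmp(const char *orig_path, const char *tmp_path)
{
    struct stat st;
    int fd, saved;
    /* Owner and permission bits are taken from the file being replaced. */
    if (stat(orig_path, &st) < 0) return -1;
    /* O_EXCL refuses an existing tmp file; 0600 keeps it private until
     * the copied mode is applied. */
    fd = open(tmp_path, O_WRONLY | O_CREAT | O_EXCL, 0600);
    if (fd < 0) return -1;
    if (fchown(fd, st.st_uid, st.st_gid) < 0 ||
        fchmod(fd, st.st_mode & 07777) < 0) {
        saved = errno;          /* keep the real cause across cleanup */
        close(fd);
        unlink(tmp_path);
        errno = saved;
        return -1;
    }
    return fd;
}

/* Self-check on a constructed original file with mode 0640: the tmp file
 * must end up 0640, and a second open must fail with EEXIST.
 * Returns 1 on success, 0 otherwise. */
int demo(void)
{
    char orig[] = "/tmp/opasswd_orig_XXXXXX", tmp[64];
    struct stat st;
    int ofd = mkstemp(orig), fd, ok;
    if (ofd < 0 || fchmod(ofd, 0640) < 0) return 0;
    close(ofd);
    snprintf(tmp, sizeof tmp, "%s.tmp", orig);
    fd = open_opasswd_tmp(orig, tmp);
    ok = fd >= 0 && stat(tmp, &st) == 0 && (st.st_mode & 07777) == 0640;
    if (fd >= 0) close(fd);
    ok = ok && open_opasswd_tmp(orig, tmp) < 0 && errno == EEXIST;
    unlink(tmp); unlink(orig);
    return ok;
}
```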