I am uploading a NMU to DELAYED/10 in order to fix this.
The debdiff is attached.
diff -Nru libpam-chroot-0.9/chroot.conf libpam-chroot-0.9/chroot.conf
--- libpam-chroot-0.9/chroot.conf 2023-09-29 12:52:00.000000000 +0200
+++ libpam-chroot-0.9/chroot.conf 2004-05-05 02:07:47.000000000 +0200
@@ -1,13 +1,6 @@
# /etc/security/chroot.conf
-# This file determines where will pam_chroot restrict the
-# users for applications that use this module.
-# Users not listed in this configuration file will not
-# be chrooted.
-# The format of this configuration file is:
-#
+# format:
# username chroot_dir
-#
-# For example:
#foo /home/foo
# Or, if you've specified use_regex,
diff -Nru libpam-chroot-0.9/debian/changelog libpam-chroot-0.9/debian/changelog
--- libpam-chroot-0.9/debian/changelog 2023-09-29 12:52:00.000000000 +0200
+++ libpam-chroot-0.9/debian/changelog 2023-09-29 12:44:34.000000000 +0200
@@ -1,3 +1,11 @@
+libpam-chroot (0.9-5.2) unstable; urgency=medium
+
+ * Non-maintainer upload.
+ * Convert to source format 3.0. (Closes: #1043203)
+ + Move example to debian directory.
+
+ -- Bastian Germann <[email protected]> Fri, 29 Sep 2023 12:44:34 +0200
+
libpam-chroot (0.9-5.1) unstable; urgency=medium
* Non-maintainer upload.
diff -Nru libpam-chroot-0.9/debian/example/chroot.conf
libpam-chroot-0.9/debian/example/chroot.conf
--- libpam-chroot-0.9/debian/example/chroot.conf 1970-01-01
01:00:00.000000000 +0100
+++ libpam-chroot-0.9/debian/example/chroot.conf 2023-09-29
12:44:34.000000000 +0200
@@ -0,0 +1,3 @@
+# /etc/security/chroot.conf
+test /chroot/directory
+
diff -Nru libpam-chroot-0.9/debian/example/chrooted-directory-tree.txt
libpam-chroot-0.9/debian/example/chrooted-directory-tree.txt
--- libpam-chroot-0.9/debian/example/chrooted-directory-tree.txt
1970-01-01 01:00:00.000000000 +0100
+++ libpam-chroot-0.9/debian/example/chrooted-directory-tree.txt
2023-09-29 12:44:34.000000000 +0200
@@ -0,0 +1,38 @@
+/home/test/
+|-- bin
+| |-- bash
+| |-- ls
+| |-- rbash
+| `-- sh
+|-- dev
+| |-- null
+| |-- tty1
+| |-- tty2
+| |-- tty3
+| |-- tty4
+| |-- tty5
+| |-- tty6
+| |-- tty7
+| |-- urandom
+| `-- zero
+|-- home
+| `-- test
+| |-- .alias
+| |-- .bash_history
+| |-- .bash_profile
+| |-- .bashrc
+| |-- .cshrc
+| `-- .profile
+|-- lib
+ |-- ld-linux.so.2
+ |-- libc.so.6
+ |-- libdl-2.2.5.so
+ |-- libdl.so.2
+ |-- libncurses.so.4
+ |-- libncurses.so.4.2
+ |-- libncurses.so.5
+ |-- libncurses.so.5.2
+ |-- libpthread-0.9.so
+ |-- libpthread.so.0
+ |-- librt-2.2.5.so
+ `-- librt.so.1
diff -Nru libpam-chroot-0.9/debian/example/README.example
libpam-chroot-0.9/debian/example/README.example
--- libpam-chroot-0.9/debian/example/README.example 1970-01-01
01:00:00.000000000 +0100
+++ libpam-chroot-0.9/debian/example/README.example 2023-09-29
12:44:34.000000000 +0200
@@ -0,0 +1,36 @@
+
+This is a sample configuration for the pam_chroot module.
+
+In order to make this work you need to:
+
+1.- use setup-chrootdir.sh to create a directory in which
+the user will be chrooted (let's call it CHROOTDIR)
+A sample layout like the one it creates is provided in the
+chrooted-directory-tree.txt file
+
+WARNING! Make sure to have an open console in which to
+become superuser in case you mangle the files and cannot
+log-on to the system later on!
+
+2.- configure /etc/security/chroot.conf so that a given user
+(USERCHROOTED) is chrooted to CHROOTDIR when entering (in the
+sample configuration file CHROOTDIR=/chroot/directory)
+
+3.- add the following line to /etc/pam.d/login
+session required pam_chroot.so debug
+
+4.- create USERCHROOTED in the system (/etc/passwd et al.) and
+have his home directory be /home/test
+(real directory=CHROOTDIR/home/test)
+
+5.- add the neccesary .profile, .cshrc, .bash_profile files to
+the CHROOTDIR/home/test directory (fix permissions to your own
+needs/policy)
+
+6.- Try to enter the system as USERCHROOTED. You should be
+restricted to CHROOTDIR and have only a limited number of
+utilies (setup-chrootdir only provides 'ls')
+
+If it does not work check the syslog files to see the messages
+related to PAM (should include pam_chroot[XXXX]: session messages
+due to the 'debug' option being set)
diff -Nru libpam-chroot-0.9/debian/example/setup-chrootdir-rsync.sh
libpam-chroot-0.9/debian/example/setup-chrootdir-rsync.sh
--- libpam-chroot-0.9/debian/example/setup-chrootdir-rsync.sh 1970-01-01
01:00:00.000000000 +0100
+++ libpam-chroot-0.9/debian/example/setup-chrootdir-rsync.sh 2023-09-29
12:44:34.000000000 +0200
@@ -0,0 +1,50 @@
+#!/bin/sh
+
+# Copyright (C) 2002 Andres Salomon <[email protected]>
+#
+# Create a chroot environment for allowing users to rsync.
+# This script is placed in the public domain. Do with it what
+# you will.
+
+PATH="/usr/local/sbin:/usr/sbin:/sbin:/usr/local/bin:/bin:/usr/bin"
+DIRECTORIES="bin dev lib usr/bin usr/lib"
+FILES="bin/false lib/libc.so.6 lib/ld-linux.so.2
+ bin/bash lib/libncurses.so.5 lib/libdl.so.2
+ usr/bin/rsync lib/libpopt.so.0 lib/libresolv.so.2"
+
+if test -z "$1"; then
+ echo "Usage: $0 <directory>" 1>&2
+ exit 1
+fi
+
+id=`id -u`
+if test "$id" -gt 0; then
+ echo "Error: this script requires root (for mknod)!" 1>&2
+ exit 1
+fi
+
+dir=$1
+curdir=`pwd`
+
+# Create directory structure
+mkdir -p $dir
+cd $dir
+for d in $DIRECTORIES; do
+ mkdir -p $d
+done
+
+# Add files
+for f in $FILES; do
+ cp /$f $f
+done
+
+# And devices..
+if test -d dev; then
+ cp /dev/MAKEDEV dev
+ cd dev && ./MAKEDEV std && rm -f MAKEDEV
+fi
+
+
+cd $curdir
+
+exit 0
diff -Nru libpam-chroot-0.9/debian/example/setup-chrootdir-shell.sh
libpam-chroot-0.9/debian/example/setup-chrootdir-shell.sh
--- libpam-chroot-0.9/debian/example/setup-chrootdir-shell.sh 1970-01-01
01:00:00.000000000 +0100
+++ libpam-chroot-0.9/debian/example/setup-chrootdir-shell.sh 2023-09-29
12:44:34.000000000 +0200
@@ -0,0 +1,75 @@
+#!/bin/sh
+
+# Given a (non-existant) directory
+# creates a chroot environment so users can login
+# and have limited movements
+
+# (c) 2002 Javier Fernandez-Sanguino Peña <[email protected]>
+
+[ -z "$1" ] && {
+ echo "Usage $0 directory"
+ exit 1
+}
+id=`/usr/bin/id -u`
+
+[ "$id" -gt 0 ] &&
+ echo "WARNING: Needs to be run as root (for mknod to work)"
+
+dir=$1
+
+[ -e "$dir" ] && {
+ echo "ERROR: $dir exists. Please specify a non-existant directory"
+ exit 1
+}
+
+curdir=`/bin/pwd`
+/bin/mkdir -p $dir
+cd $dir
+for i in bin dev lib home/test ; do
+ /bin/mkdir -p $i
+done
+
+# Procedure:
+# Hard link for files and just copy simbolyc links,
+# should work ok in the chroot
+
+# Bin directory (minimal set of binaries)
+for cmd in ls pwd true false rbash bash ; do
+ if [ -f /bin/$cmd -a ! -L /bin/$cmd ] ; then
+ /bin/ln /bin/$cmd bin/
+ fi
+ if [ -L /bin/$cmd ] ; then
+ cp -a /bin/$cmd lib/
+ fi
+done
+
+# Libraries (for previous binaries)
+for lib in /lib/ld-linux* /lib/libc.* /lib/libdl* /lib/librt* /lib/ncurse*
/lib/libpthread* ; do
+ if [ -f $lib -a ! -L $lib ] ; then
+ /bin/ln $lib lib/
+ fi
+ if [ -L "$lib" ] ; then
+ cp -a $lib lib/
+ fi
+done
+
+# Devices
+cd dev
+# We need as many tty's as consoles
+/bin/mknod -m 644 tty1 c 4 1
+/bin/mknod -m 644 tty2 c 4 2
+/bin/mknod -m 644 tty3 c 4 3
+/bin/mknod -m 644 tty4 c 4 4
+/bin/mknod -m 644 tty5 c 4 5
+/bin/mknod -m 644 tty6 c 4 6
+# Some special nodes, just for fun
+/bin/mknod -m 444 urandom c 1 9
+/bin/mknod -m 666 zero c 1 5
+/bin/mknod -m 666 null c 1 3
+# Warning: since we do not have the /dev/log socket the
+# 'debug' option of the PAM module will not work once chrooted
+
+# Finish and get back were we started
+cd $curdir
+
+exit 0
diff -Nru libpam-chroot-0.9/debian/example/setup-chrootdir-template.sh
libpam-chroot-0.9/debian/example/setup-chrootdir-template.sh
--- libpam-chroot-0.9/debian/example/setup-chrootdir-template.sh
1970-01-01 01:00:00.000000000 +0100
+++ libpam-chroot-0.9/debian/example/setup-chrootdir-template.sh
2023-09-29 12:44:34.000000000 +0200
@@ -0,0 +1,48 @@
+#!/bin/sh
+
+# Copyright (C) 2002 Andres Salomon <[email protected]>
+#
+# Template for setup-chrootdir-XX.sh scripts
+
+PATH="/usr/local/sbin:/usr/sbin:/sbin:/usr/local/bin:/bin:/usr/bin"
+# Directories to include in the chroot go here
+DIRECTORIES="bin dev "
+# Files to copy over to the chroot are included here
+FILES="bin/false lib/libc.so.6 lib/ld-linux.so.2"
+
+if test -z "$1"; then
+ echo "Usage: $0 <directory>" 1>&2
+ exit 1
+fi
+
+id=`id -u`
+if test "$id" -gt 0; then
+ echo "Error: this script requires root (for mknod)!" 1>&2
+ exit 1
+fi
+
+dir=$1
+curdir=`pwd`
+
+# Create directory structure
+mkdir -p $dir
+cd $dir
+for d in $DIRECTORIES; do
+ mkdir -p $d
+done
+
+# Add files
+for f in $FILES; do
+ cp /$f $f
+done
+
+# And devices..
+if test -d dev; then
+ cp /dev/MAKEDEV dev
+ cd dev && ./MAKEDEV std && rm -f MAKEDEV
+fi
+
+
+cd $curdir
+
+exit 0
diff -Nru libpam-chroot-0.9/debian/patches/debian.patch
libpam-chroot-0.9/debian/patches/debian.patch
--- libpam-chroot-0.9/debian/patches/debian.patch 1970-01-01
01:00:00.000000000 +0100
+++ libpam-chroot-0.9/debian/patches/debian.patch 2023-09-29
12:44:34.000000000 +0200
@@ -0,0 +1,222 @@
+--- libpam-chroot-0.9.orig/Makefile
++++ libpam-chroot-0.9/Makefile
+@@ -3,17 +3,22 @@
+ CC=gcc
+ CFLAGS=-fPIC -O2 -Wall -Werror -pedantic
+ CPPFLAGS=-I.
+-LDFLAGS=-x --shared -lpam
++LDFLAGS=-shared
++DESTDIR=/
++LIBDIR=$(DESTDIR)/lib/security
++INSTALL?=install
+
+ OUT=pam_chroot.so
++CONF=chroot.conf
+
+ all: $(OUT)
+
+ %.so: %.o
+- ld $(LDFLAGS) -o $@ $<
++ $(CC) $(LDFLAGS) -o $@ $< -lpam
+
+ clean:
+ rm -f *.o $(OUT)
+
+ install:
+- install -s -o0 -g0 -m755 $(OUT) /lib/security
++ $(INSTALL) -s -o0 -g0 -m755 $(OUT) $(LIBDIR)
++ install -m640 $(CONF) $(DESTDIR)/etc/security
+--- libpam-chroot-0.9.orig/TROUBLESHOOTING
++++ libpam-chroot-0.9/TROUBLESHOOTING
+@@ -6,7 +6,7 @@ also want to check the pam-list archives
+ Note that all of the following assumes that you have put pam_chroot into
+ debug mode (add the "debug" option to the pam_chroot line in the
+ appropriate /etc/pam.d file) and that syslogd is configured to put
+-auth.debug messages in some known location (/var/log/messages,
++auth.notice and auth.debug messages in some known location (/var/log/messages,
+ /var/adm/messages, /var/adm/syslog/syslog.log, etc.)
+
+ Under normal operation, pam_chroot will output something similar to the
+@@ -42,8 +42,8 @@ SOLUTION: This usually indicates that th
+ appropriate /etc/pam.d file, or it might be that PAM is not being used
+ at all. (For example, you might have set 'UsePAM no' in your
+ /etc/ssh/sshd_config.) It might also be that syslogd is not running or
+- is not configured to report auth.debug messages in the file that you're
+- looking for them in.
++ is not configured to report auth.notice and auth.debug messages in the
++ file that you're looking for them in.
+ There are a multitude of reasons that PAM might not be being used, and
+ they're usually application configuration issues, rather than issues with
+ PAM itself.
+--- libpam-chroot-0.9.orig/chroot.conf
++++ libpam-chroot-0.9/chroot.conf
+@@ -1,6 +1,13 @@
+ # /etc/security/chroot.conf
+-# format:
++# This file determines where will pam_chroot restrict the
++# users for applications that use this module.
++# Users not listed in this configuration file will not
++# be chrooted.
++# The format of this configuration file is:
++#
+ # username chroot_dir
++#
++# For example:
+ #foo /home/foo
+
+ # Or, if you've specified use_regex,
+--- libpam-chroot-0.9.orig/pam_chroot.c
++++ libpam-chroot-0.9/pam_chroot.c
+@@ -68,14 +68,14 @@ static void _pam_log(int err, const char
+ /* initialize opts to a standard known state */
+ int _pam_opts_init(struct _pam_opts* opts) {
+ if(NULL == opts) {
+- _pam_log(LOG_ERR, "%s: NULL opts pointer", __FUNCTION__);
++ _pam_log(LOG_ERR, "%s: NULL opts pointer", __extension__
__FUNCTION__);
+ return _PAM_CHROOT_INTERNALERR;
+ }
+
+ opts->flags = _PAM_OPTS_NOOPTS;
+ opts->chroot_dir = NULL;
+
+- opts->conf = x_strdup(CONFIG);
++ opts->conf = strdup(CONFIG);
+ if(NULL == opts->conf) {
+ _pam_log(LOG_ERR, "strdup: %s", strerror(errno));
+ return _PAM_CHROOT_SYSERR;
+@@ -91,7 +91,7 @@ int _pam_opts_config(struct _pam_opts* o
+ int i;
+
+ if(NULL == opts) {
+- _pam_log(LOG_ERR, "%s: NULL opts pointer", __FUNCTION__);
++ _pam_log(LOG_ERR, "%s: NULL opts pointer", __extension__
__FUNCTION__);
+ return _PAM_CHROOT_INTERNALERR;
+ }
+
+@@ -133,7 +133,7 @@ int _pam_opts_config(struct _pam_opts* o
+ } else if(!strncmp(argv[i], "onerr=", 6)) {
+ if(!strcmp(argv[i] + 6, "succeed")) {
+ opts->flags = opts->flags &
(~_PAM_OPTS_NOTFOUNDFAILS);
+- } else if(!strcmp(argv[i] + 9, "fail")) {
++ } else if(!strcmp(argv[i] + 6, "fail")) {
+ opts->flags = opts->flags |
_PAM_OPTS_NOTFOUNDFAILS;
+ } else {
+ _pam_log(LOG_ERR, "bad config option: \"%s\"",
argv[i]);
+@@ -146,7 +146,7 @@ int _pam_opts_config(struct _pam_opts* o
+ _pam_log(LOG_ERR,
+ "bad config option: \"%s\":
chroot dir already set", argv[i]);
+ } else {
+- opts->chroot_dir = x_strdup(argv[i] + 11);
++ opts->chroot_dir = strdup(argv[i] + 11);
+ if(NULL == opts->chroot_dir) {
+ _pam_log(LOG_ERR, "strdup: %s",
strerror(errno));
+ }
+@@ -162,7 +162,7 @@ int _pam_opts_config(struct _pam_opts* o
+ /* free the allocated memory of a struct _pam_opts */
+ int _pam_opts_free(struct _pam_opts* opts) {
+ if(NULL == opts) {
+- _pam_log(LOG_ERR, "%s: NULL opts pointer", __FUNCTION__);
++ _pam_log(LOG_ERR, "%s: NULL opts pointer", __extension__
__FUNCTION__);
+ }
+ _pam_drop(opts->chroot_dir);
+ _pam_drop(opts->conf);
+@@ -187,7 +187,7 @@ int _pam_getugroups(const char *user, gi
+ char **uptr;
+
+ if(NULL == user || NULL == ngrps) { return -1; }
+- if(0 > *ngrps || 0 > gid) { return -1; }
++ if(0 > *ngrps) { return -1; }
+
+ if(gcount < *ngrps) {
+ if(NULL != grps) { grps[gcount] = gid; }
+@@ -261,19 +261,19 @@ char** _pam_get_groups(const char* user,
+ gids = (gid_t*) malloc(ngroups*sizeof(gid_t));
+ if(NULL == gids) {
+ _pam_log(LOG_ERR, "%s: %s: malloc: %s",
+- opts->module, __FUNCTION__, strerror(errno));
++ opts->module, __extension__ __FUNCTION__,
strerror(errno));
+ return NULL;
+ }
+ ret = _PAM_GETUGROUPS(pwd->pw_name, pwd->pw_gid, gids, &ngroups);
+ if(-1 == ret) {
+ _pam_log(LOG_WARNING,
+ "%s: %s: _PAM_GETUGROUPS found more gids on
second run",
+- opts->module, __FUNCTION__);
++ opts->module, __extension__ __FUNCTION__);
+ }
+ if(0 >= ngroups) {
+ _pam_log(LOG_ERR,
+ "%s: %s: _PAM_GETUGROUPS returned no groups for
user \"%s\"",
+- opts->module, __FUNCTION__, user);
++ opts->module, __extension__ __FUNCTION__, user);
+ _pam_drop(gids);
+ return NULL;
+ }
+@@ -282,7 +282,7 @@ char** _pam_get_groups(const char* user,
+ groups = (char**)malloc((ngroups+1)*sizeof(char*));
+ if(NULL == groups) {
+ _pam_log(LOG_ERR, "%s: %s: malloc: %s",
+- opts->module, __FUNCTION__, strerror(errno));
++ opts->module, __extension__ __FUNCTION__,
strerror(errno));
+ _pam_drop(gids);
+ return NULL;
+ }
+@@ -291,9 +291,9 @@ char** _pam_get_groups(const char* user,
+ if(NULL == grp) {
+ _pam_log(LOG_DEBUG, "%s: no grnam for gid %d",
opts->module, gids[i]);
+ snprintf(scratch, SCRATCH, "%d", gids[i]);
+- groups[i] = x_strdup(scratch);
++ groups[i] = strdup(scratch);
+ } else {
+- groups[i] = x_strdup(grp->gr_name);
++ groups[i] = strdup(grp->gr_name);
+ }
+ }
+ groups[i] = NULL;
+@@ -322,7 +322,7 @@ int _pam_check_path_perms(char *path, st
+ char save;
+ struct stat st;
+
+- path = x_strdup(path);
++ path = strdup(path);
+ if(NULL == path) {
+ _pam_log(LOG_ERR, "strdup: %s", strerror(errno));
+ return -1;
+@@ -382,7 +382,7 @@ char* _pam_expand_chroot_dir(const char*
+ return NULL;
+ }
+
+- exp = x_strdup(path);
++ exp = strdup(path);
+ if(NULL == exp) {
+ _pam_log(LOG_ERR, "%s: strdup: %s", opts->module,
strerror(errno));
+ return NULL;
+@@ -533,7 +533,7 @@ int _pam_get_chrootdir(const char* user,
+ char *errbuf = malloc(len);
+ if(NULL == errbuf) {
+ _pam_log(LOG_ERR, "%s: %s: malloc: %s",
+- opts->module,
__FUNCTION__, strerror(errno));
++ opts->module,
__extension__ __FUNCTION__, strerror(errno));
+ if(opts->flags & _PAM_OPTS_USE_GROUPS) {
+ _pam_free_groups(group_list);
+ }
+@@ -639,10 +639,8 @@ int _pam_get_chrootdir(const char* user,
+ * then pass it to this function */
+ int _pam_do_chroot(pam_handle_t *pamh, struct _pam_opts *opts) {
+ int err,debug;
+- char *name;
+ char const *user;
+
+- name = NULL;
+ debug = opts->flags & _PAM_OPTS_DEBUG;
+
+ err = pam_get_user(pamh, &user, NULL);
+@@ -872,7 +870,7 @@ PAM_EXTERN int pam_sm_open_session(pam_h
+ break;
+
+ default:
+- if(opts.flags * _PAM_OPTS_DEBUG) {
++ if(opts.flags & _PAM_OPTS_DEBUG) {
+ _pam_log(LOG_NOTICE, "%s: returning failure",
opts.module);
+ }
+ err = PAM_SESSION_ERR;
diff -Nru libpam-chroot-0.9/debian/patches/series
libpam-chroot-0.9/debian/patches/series
--- libpam-chroot-0.9/debian/patches/series 1970-01-01 01:00:00.000000000
+0100
+++ libpam-chroot-0.9/debian/patches/series 2023-09-29 12:44:34.000000000
+0200
@@ -0,0 +1 @@
+debian.patch
diff -Nru libpam-chroot-0.9/debian/rules libpam-chroot-0.9/debian/rules
--- libpam-chroot-0.9/debian/rules 2023-09-29 12:52:00.000000000 +0200
+++ libpam-chroot-0.9/debian/rules 2023-09-29 12:44:34.000000000 +0200
@@ -48,7 +48,7 @@
# dh_installdebconf
dh_installdocs options TROUBLESHOOTING
- dh_installexamples example/*
+ dh_installexamples debian/example/*
# dh_installpam
dh_installchangelogs
dh_link
diff -Nru libpam-chroot-0.9/debian/source/format
libpam-chroot-0.9/debian/source/format
--- libpam-chroot-0.9/debian/source/format 1970-01-01 01:00:00.000000000
+0100
+++ libpam-chroot-0.9/debian/source/format 2023-09-29 12:44:34.000000000
+0200
@@ -0,0 +1 @@
+3.0 (quilt)
diff -Nru libpam-chroot-0.9/example/chroot.conf
libpam-chroot-0.9/example/chroot.conf
--- libpam-chroot-0.9/example/chroot.conf 2023-09-29 12:52:00.000000000
+0200
+++ libpam-chroot-0.9/example/chroot.conf 1970-01-01 01:00:00.000000000
+0100
@@ -1,3 +0,0 @@
-# /etc/security/chroot.conf
-test /chroot/directory
-
diff -Nru libpam-chroot-0.9/example/chrooted-directory-tree.txt
libpam-chroot-0.9/example/chrooted-directory-tree.txt
--- libpam-chroot-0.9/example/chrooted-directory-tree.txt 2023-09-29
12:52:00.000000000 +0200
+++ libpam-chroot-0.9/example/chrooted-directory-tree.txt 1970-01-01
01:00:00.000000000 +0100
@@ -1,38 +0,0 @@
-/home/test/
-|-- bin
-| |-- bash
-| |-- ls
-| |-- rbash
-| `-- sh
-|-- dev
-| |-- null
-| |-- tty1
-| |-- tty2
-| |-- tty3
-| |-- tty4
-| |-- tty5
-| |-- tty6
-| |-- tty7
-| |-- urandom
-| `-- zero
-|-- home
-| `-- test
-| |-- .alias
-| |-- .bash_history
-| |-- .bash_profile
-| |-- .bashrc
-| |-- .cshrc
-| `-- .profile
-|-- lib
- |-- ld-linux.so.2
- |-- libc.so.6
- |-- libdl-2.2.5.so
- |-- libdl.so.2
- |-- libncurses.so.4
- |-- libncurses.so.4.2
- |-- libncurses.so.5
- |-- libncurses.so.5.2
- |-- libpthread-0.9.so
- |-- libpthread.so.0
- |-- librt-2.2.5.so
- `-- librt.so.1
diff -Nru libpam-chroot-0.9/example/README.example
libpam-chroot-0.9/example/README.example
--- libpam-chroot-0.9/example/README.example 2023-09-29 12:52:00.000000000
+0200
+++ libpam-chroot-0.9/example/README.example 1970-01-01 01:00:00.000000000
+0100
@@ -1,36 +0,0 @@
-
-This is a sample configuration for the pam_chroot module.
-
-In order to make this work you need to:
-
-1.- use setup-chrootdir.sh to create a directory in which
-the user will be chrooted (let's call it CHROOTDIR)
-A sample layout like the one it creates is provided in the
-chrooted-directory-tree.txt file
-
-WARNING! Make sure to have an open console in which to
-become superuser in case you mangle the files and cannot
-log-on to the system later on!
-
-2.- configure /etc/security/chroot.conf so that a given user
-(USERCHROOTED) is chrooted to CHROOTDIR when entering (in the
-sample configuration file CHROOTDIR=/chroot/directory)
-
-3.- add the following line to /etc/pam.d/login
-session required pam_chroot.so debug
-
-4.- create USERCHROOTED in the system (/etc/passwd et al.) and
-have his home directory be /home/test
-(real directory=CHROOTDIR/home/test)
-
-5.- add the neccesary .profile, .cshrc, .bash_profile files to
-the CHROOTDIR/home/test directory (fix permissions to your own
-needs/policy)
-
-6.- Try to enter the system as USERCHROOTED. You should be
-restricted to CHROOTDIR and have only a limited number of
-utilies (setup-chrootdir only provides 'ls')
-
-If it does not work check the syslog files to see the messages
-related to PAM (should include pam_chroot[XXXX]: session messages
-due to the 'debug' option being set)
diff -Nru libpam-chroot-0.9/example/setup-chrootdir-rsync.sh
libpam-chroot-0.9/example/setup-chrootdir-rsync.sh
--- libpam-chroot-0.9/example/setup-chrootdir-rsync.sh 2023-09-29
12:52:00.000000000 +0200
+++ libpam-chroot-0.9/example/setup-chrootdir-rsync.sh 1970-01-01
01:00:00.000000000 +0100
@@ -1,50 +0,0 @@
-#!/bin/sh
-
-# Copyright (C) 2002 Andres Salomon <[email protected]>
-#
-# Create a chroot environment for allowing users to rsync.
-# This script is placed in the public domain. Do with it what
-# you will.
-
-PATH="/usr/local/sbin:/usr/sbin:/sbin:/usr/local/bin:/bin:/usr/bin"
-DIRECTORIES="bin dev lib usr/bin usr/lib"
-FILES="bin/false lib/libc.so.6 lib/ld-linux.so.2
- bin/bash lib/libncurses.so.5 lib/libdl.so.2
- usr/bin/rsync lib/libpopt.so.0 lib/libresolv.so.2"
-
-if test -z "$1"; then
- echo "Usage: $0 <directory>" 1>&2
- exit 1
-fi
-
-id=`id -u`
-if test "$id" -gt 0; then
- echo "Error: this script requires root (for mknod)!" 1>&2
- exit 1
-fi
-
-dir=$1
-curdir=`pwd`
-
-# Create directory structure
-mkdir -p $dir
-cd $dir
-for d in $DIRECTORIES; do
- mkdir -p $d
-done
-
-# Add files
-for f in $FILES; do
- cp /$f $f
-done
-
-# And devices..
-if test -d dev; then
- cp /dev/MAKEDEV dev
- cd dev && ./MAKEDEV std && rm -f MAKEDEV
-fi
-
-
-cd $curdir
-
-exit 0
diff -Nru libpam-chroot-0.9/example/setup-chrootdir-shell.sh
libpam-chroot-0.9/example/setup-chrootdir-shell.sh
--- libpam-chroot-0.9/example/setup-chrootdir-shell.sh 2023-09-29
12:52:00.000000000 +0200
+++ libpam-chroot-0.9/example/setup-chrootdir-shell.sh 1970-01-01
01:00:00.000000000 +0100
@@ -1,75 +0,0 @@
-#!/bin/sh
-
-# Given a (non-existant) directory
-# creates a chroot environment so users can login
-# and have limited movements
-
-# (c) 2002 Javier Fernandez-Sanguino Peña <[email protected]>
-
-[ -z "$1" ] && {
- echo "Usage $0 directory"
- exit 1
-}
-id=`/usr/bin/id -u`
-
-[ "$id" -gt 0 ] &&
- echo "WARNING: Needs to be run as root (for mknod to work)"
-
-dir=$1
-
-[ -e "$dir" ] && {
- echo "ERROR: $dir exists. Please specify a non-existant directory"
- exit 1
-}
-
-curdir=`/bin/pwd`
-/bin/mkdir -p $dir
-cd $dir
-for i in bin dev lib home/test ; do
- /bin/mkdir -p $i
-done
-
-# Procedure:
-# Hard link for files and just copy simbolyc links,
-# should work ok in the chroot
-
-# Bin directory (minimal set of binaries)
-for cmd in ls pwd true false rbash bash ; do
- if [ -f /bin/$cmd -a ! -L /bin/$cmd ] ; then
- /bin/ln /bin/$cmd bin/
- fi
- if [ -L /bin/$cmd ] ; then
- cp -a /bin/$cmd lib/
- fi
-done
-
-# Libraries (for previous binaries)
-for lib in /lib/ld-linux* /lib/libc.* /lib/libdl* /lib/librt* /lib/ncurse*
/lib/libpthread* ; do
- if [ -f $lib -a ! -L $lib ] ; then
- /bin/ln $lib lib/
- fi
- if [ -L "$lib" ] ; then
- cp -a $lib lib/
- fi
-done
-
-# Devices
-cd dev
-# We need as many tty's as consoles
-/bin/mknod -m 644 tty1 c 4 1
-/bin/mknod -m 644 tty2 c 4 2
-/bin/mknod -m 644 tty3 c 4 3
-/bin/mknod -m 644 tty4 c 4 4
-/bin/mknod -m 644 tty5 c 4 5
-/bin/mknod -m 644 tty6 c 4 6
-# Some special nodes, just for fun
-/bin/mknod -m 444 urandom c 1 9
-/bin/mknod -m 666 zero c 1 5
-/bin/mknod -m 666 null c 1 3
-# Warning: since we do not have the /dev/log socket the
-# 'debug' option of the PAM module will not work once chrooted
-
-# Finish and get back were we started
-cd $curdir
-
-exit 0
diff -Nru libpam-chroot-0.9/example/setup-chrootdir-template.sh
libpam-chroot-0.9/example/setup-chrootdir-template.sh
--- libpam-chroot-0.9/example/setup-chrootdir-template.sh 2023-09-29
12:52:00.000000000 +0200
+++ libpam-chroot-0.9/example/setup-chrootdir-template.sh 1970-01-01
01:00:00.000000000 +0100
@@ -1,48 +0,0 @@
-#!/bin/sh
-
-# Copyright (C) 2002 Andres Salomon <[email protected]>
-#
-# Template for setup-chrootdir-XX.sh scripts
-
-PATH="/usr/local/sbin:/usr/sbin:/sbin:/usr/local/bin:/bin:/usr/bin"
-# Directories to include in the chroot go here
-DIRECTORIES="bin dev "
-# Files to copy over to the chroot are included here
-FILES="bin/false lib/libc.so.6 lib/ld-linux.so.2"
-
-if test -z "$1"; then
- echo "Usage: $0 <directory>" 1>&2
- exit 1
-fi
-
-id=`id -u`
-if test "$id" -gt 0; then
- echo "Error: this script requires root (for mknod)!" 1>&2
- exit 1
-fi
-
-dir=$1
-curdir=`pwd`
-
-# Create directory structure
-mkdir -p $dir
-cd $dir
-for d in $DIRECTORIES; do
- mkdir -p $d
-done
-
-# Add files
-for f in $FILES; do
- cp /$f $f
-done
-
-# And devices..
-if test -d dev; then
- cp /dev/MAKEDEV dev
- cd dev && ./MAKEDEV std && rm -f MAKEDEV
-fi
-
-
-cd $curdir
-
-exit 0
diff -Nru libpam-chroot-0.9/Makefile libpam-chroot-0.9/Makefile
--- libpam-chroot-0.9/Makefile 2023-09-29 12:52:00.000000000 +0200
+++ libpam-chroot-0.9/Makefile 2004-05-05 02:07:47.000000000 +0200
@@ -3,22 +3,17 @@
CC=gcc
CFLAGS=-fPIC -O2 -Wall -Werror -pedantic
CPPFLAGS=-I.
-LDFLAGS=-shared
-DESTDIR=/
-LIBDIR=$(DESTDIR)/lib/security
-INSTALL?=install
+LDFLAGS=-x --shared -lpam
OUT=pam_chroot.so
-CONF=chroot.conf
all: $(OUT)
%.so: %.o
- $(CC) $(LDFLAGS) -o $@ $< -lpam
+ ld $(LDFLAGS) -o $@ $<
clean:
rm -f *.o $(OUT)
install:
- $(INSTALL) -s -o0 -g0 -m755 $(OUT) $(LIBDIR)
- install -m640 $(CONF) $(DESTDIR)/etc/security
+ install -s -o0 -g0 -m755 $(OUT) /lib/security
diff -Nru libpam-chroot-0.9/pam_chroot.c libpam-chroot-0.9/pam_chroot.c
--- libpam-chroot-0.9/pam_chroot.c 2023-09-29 12:52:00.000000000 +0200
+++ libpam-chroot-0.9/pam_chroot.c 2004-06-24 04:01:44.000000000 +0200
@@ -68,14 +68,14 @@
/* initialize opts to a standard known state */
int _pam_opts_init(struct _pam_opts* opts) {
if(NULL == opts) {
- _pam_log(LOG_ERR, "%s: NULL opts pointer", __extension__
__FUNCTION__);
+ _pam_log(LOG_ERR, "%s: NULL opts pointer", __FUNCTION__);
return _PAM_CHROOT_INTERNALERR;
}
opts->flags = _PAM_OPTS_NOOPTS;
opts->chroot_dir = NULL;
- opts->conf = strdup(CONFIG);
+ opts->conf = x_strdup(CONFIG);
if(NULL == opts->conf) {
_pam_log(LOG_ERR, "strdup: %s", strerror(errno));
return _PAM_CHROOT_SYSERR;
@@ -91,7 +91,7 @@
int i;
if(NULL == opts) {
- _pam_log(LOG_ERR, "%s: NULL opts pointer", __extension__
__FUNCTION__);
+ _pam_log(LOG_ERR, "%s: NULL opts pointer", __FUNCTION__);
return _PAM_CHROOT_INTERNALERR;
}
@@ -133,7 +133,7 @@
} else if(!strncmp(argv[i], "onerr=", 6)) {
if(!strcmp(argv[i] + 6, "succeed")) {
opts->flags = opts->flags &
(~_PAM_OPTS_NOTFOUNDFAILS);
- } else if(!strcmp(argv[i] + 6, "fail")) {
+ } else if(!strcmp(argv[i] + 9, "fail")) {
opts->flags = opts->flags |
_PAM_OPTS_NOTFOUNDFAILS;
} else {
_pam_log(LOG_ERR, "bad config option: \"%s\"",
argv[i]);
@@ -146,7 +146,7 @@
_pam_log(LOG_ERR,
"bad config option: \"%s\":
chroot dir already set", argv[i]);
} else {
- opts->chroot_dir = strdup(argv[i] + 11);
+ opts->chroot_dir = x_strdup(argv[i] + 11);
if(NULL == opts->chroot_dir) {
_pam_log(LOG_ERR, "strdup: %s",
strerror(errno));
}
@@ -162,7 +162,7 @@
/* free the allocated memory of a struct _pam_opts */
int _pam_opts_free(struct _pam_opts* opts) {
if(NULL == opts) {
- _pam_log(LOG_ERR, "%s: NULL opts pointer", __extension__
__FUNCTION__);
+ _pam_log(LOG_ERR, "%s: NULL opts pointer", __FUNCTION__);
}
_pam_drop(opts->chroot_dir);
_pam_drop(opts->conf);
@@ -187,7 +187,7 @@
char **uptr;
if(NULL == user || NULL == ngrps) { return -1; }
- if(0 > *ngrps) { return -1; }
+ if(0 > *ngrps || 0 > gid) { return -1; }
if(gcount < *ngrps) {
if(NULL != grps) { grps[gcount] = gid; }
@@ -261,19 +261,19 @@
gids = (gid_t*) malloc(ngroups*sizeof(gid_t));
if(NULL == gids) {
_pam_log(LOG_ERR, "%s: %s: malloc: %s",
- opts->module, __extension__ __FUNCTION__,
strerror(errno));
+ opts->module, __FUNCTION__, strerror(errno));
return NULL;
}
ret = _PAM_GETUGROUPS(pwd->pw_name, pwd->pw_gid, gids, &ngroups);
if(-1 == ret) {
_pam_log(LOG_WARNING,
"%s: %s: _PAM_GETUGROUPS found more gids on
second run",
- opts->module, __extension__ __FUNCTION__);
+ opts->module, __FUNCTION__);
}
if(0 >= ngroups) {
_pam_log(LOG_ERR,
"%s: %s: _PAM_GETUGROUPS returned no groups for
user \"%s\"",
- opts->module, __extension__ __FUNCTION__, user);
+ opts->module, __FUNCTION__, user);
_pam_drop(gids);
return NULL;
}
@@ -282,7 +282,7 @@
groups = (char**)malloc((ngroups+1)*sizeof(char*));
if(NULL == groups) {
_pam_log(LOG_ERR, "%s: %s: malloc: %s",
- opts->module, __extension__ __FUNCTION__,
strerror(errno));
+ opts->module, __FUNCTION__, strerror(errno));
_pam_drop(gids);
return NULL;
}
@@ -291,9 +291,9 @@
if(NULL == grp) {
_pam_log(LOG_DEBUG, "%s: no grnam for gid %d",
opts->module, gids[i]);
snprintf(scratch, SCRATCH, "%d", gids[i]);
- groups[i] = strdup(scratch);
+ groups[i] = x_strdup(scratch);
} else {
- groups[i] = strdup(grp->gr_name);
+ groups[i] = x_strdup(grp->gr_name);
}
}
groups[i] = NULL;
@@ -322,7 +322,7 @@
char save;
struct stat st;
- path = strdup(path);
+ path = x_strdup(path);
if(NULL == path) {
_pam_log(LOG_ERR, "strdup: %s", strerror(errno));
return -1;
@@ -382,7 +382,7 @@
return NULL;
}
- exp = strdup(path);
+ exp = x_strdup(path);
if(NULL == exp) {
_pam_log(LOG_ERR, "%s: strdup: %s", opts->module,
strerror(errno));
return NULL;
@@ -533,7 +533,7 @@
char *errbuf = malloc(len);
if(NULL == errbuf) {
_pam_log(LOG_ERR, "%s: %s: malloc: %s",
- opts->module,
__extension__ __FUNCTION__, strerror(errno));
+ opts->module,
__FUNCTION__, strerror(errno));
if(opts->flags & _PAM_OPTS_USE_GROUPS) {
_pam_free_groups(group_list);
}
@@ -639,8 +639,10 @@
* then pass it to this function */
int _pam_do_chroot(pam_handle_t *pamh, struct _pam_opts *opts) {
int err,debug;
+ char *name;
char const *user;
+ name = NULL;
debug = opts->flags & _PAM_OPTS_DEBUG;
err = pam_get_user(pamh, &user, NULL);
@@ -870,7 +872,7 @@
break;
default:
- if(opts.flags & _PAM_OPTS_DEBUG) {
+ if(opts.flags * _PAM_OPTS_DEBUG) {
_pam_log(LOG_NOTICE, "%s: returning failure",
opts.module);
}
err = PAM_SESSION_ERR;
diff -Nru libpam-chroot-0.9/TROUBLESHOOTING libpam-chroot-0.9/TROUBLESHOOTING
--- libpam-chroot-0.9/TROUBLESHOOTING 2023-09-29 12:52:00.000000000 +0200
+++ libpam-chroot-0.9/TROUBLESHOOTING 2004-05-05 02:07:47.000000000 +0200
@@ -6,7 +6,7 @@
Note that all of the following assumes that you have put pam_chroot into
debug mode (add the "debug" option to the pam_chroot line in the
appropriate /etc/pam.d file) and that syslogd is configured to put
-auth.notice and auth.debug messages in some known location (/var/log/messages,
+auth.debug messages in some known location (/var/log/messages,
/var/adm/messages, /var/adm/syslog/syslog.log, etc.)
Under normal operation, pam_chroot will output something similar to the
@@ -42,8 +42,8 @@
appropriate /etc/pam.d file, or it might be that PAM is not being used
at all. (For example, you might have set 'UsePAM no' in your
/etc/ssh/sshd_config.) It might also be that syslogd is not running or
- is not configured to report auth.notice and auth.debug messages in the
- file that you're looking for them in.
+ is not configured to report auth.debug messages in the file that you're
+ looking for them in.
There are a multitude of reasons that PAM might not be being used, and
they're usually application configuration issues, rather than issues with
PAM itself.