Hello community,
here is the log from the commit of package pam for openSUSE:Factory checked in
at 2017-03-08 00:44:33
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/pam (Old)
and /work/SRC/openSUSE:Factory/.pam.new (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "pam"
Wed Mar 8 00:44:33 2017 rev:87 rq:476831 version:1.3.0
Changes:
--------
--- /work/SRC/openSUSE:Factory/pam/pam.changes 2016-12-22 15:43:52.673863337
+0100
+++ /work/SRC/openSUSE:Factory/.pam.new/pam.changes 2017-03-08
00:44:34.320275725 +0100
@@ -1,0 +2,6 @@
+Fri Jan 27 10:35:29 UTC 2017 - josef.moell...@suse.com
+
+- Allow symbolic hostnames in access.conf file.
+ [pam-hostnames-in-access_conf.patch, boo#1019866]
+
+-------------------------------------------------------------------
New:
----
pam-hostnames-in-access_conf.patch
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Other differences:
------------------
++++++ pam.spec ++++++
--- /var/tmp/diff_new_pack.2xhZWO/_old 2017-03-08 00:44:35.316134970 +0100
+++ /var/tmp/diff_new_pack.2xhZWO/_new 2017-03-08 00:44:35.316134970 +0100
@@ -1,7 +1,7 @@
#
# spec file for package pam
#
-# Copyright (c) 2016 SUSE LINUX Products GmbH, Nuernberg, Germany.
+# Copyright (c) 2017 SUSE LINUX Products GmbH, Nuernberg, Germany.
#
# All modifications and additions to the file contributed by third parties
# remain the property of their copyright owners, unless otherwise agreed
@@ -59,6 +59,7 @@
Patch0: fix-man-links.dif
Patch2: pam-limit-nproc.patch
Patch3: encryption_method_nis.diff
+Patch4: pam-hostnames-in-access_conf.patch
BuildRoot: %{_tmppath}/%{name}-%{version}-build
# Remove with next version update:
BuildRequires: autoconf
@@ -109,6 +110,7 @@
%patch0 -p1
%patch2 -p1
%patch3 -p0
+%patch4 -p0
%build
autoreconf -fiv
++++++ pam-hostnames-in-access_conf.patch ++++++
Index: modules/pam_access/pam_access.c
===================================================================
--- modules/pam_access/pam_access.c.orig
+++ modules/pam_access/pam_access.c
@@ -692,10 +692,10 @@ string_match (pam_handle_t *pamh, const
return (NO);
}
-
/* network_netmask_match - match a string against one token
* where string is a hostname or ip (v4,v6) address and tok
- * represents either a single ip (v4,v6) address or a network/netmask
+ * represents either a hostname, a single ip (v4,v6) address
+ * or a network/netmask
*/
static int
network_netmask_match (pam_handle_t *pamh,
@@ -704,10 +704,14 @@ network_netmask_match (pam_handle_t *pam
char *netmask_ptr;
char netmask_string[MAXHOSTNAMELEN + 1];
int addr_type;
+ struct addrinfo *ai;
+ struct sockaddr_storage tok_addr;
+ struct addrinfo hint;
if (item->debug)
- pam_syslog (pamh, LOG_DEBUG,
+ pam_syslog (pamh, LOG_DEBUG,
"network_netmask_match: tok=%s, item=%s", tok, string);
+
/* OK, check if tok is of type addr/mask */
if ((netmask_ptr = strchr(tok, '/')) != NULL)
{
@@ -717,7 +721,7 @@ network_netmask_match (pam_handle_t *pam
*netmask_ptr = 0;
netmask_ptr++;
- if (isipaddr(tok, &addr_type, NULL) == NO)
+ if (isipaddr(tok, &addr_type, &tok_addr) == NO)
{ /* no netaddr */
return NO;
}
@@ -739,19 +743,47 @@ network_netmask_match (pam_handle_t *pam
netmask_ptr = number_to_netmask(netmask, addr_type,
netmask_string, MAXHOSTNAMELEN);
}
- }
+
+ /*
+ * Although isipaddr() has already converted the IP address,
+ * we call getaddrinfo here to properly construct an addrinfo list
+ */
+ memset (&hint, '\0', sizeof (hint));
+ hint.ai_flags = 0;
+ hint.ai_family = AF_UNSPEC;
+
+ ai = NULL; /* just to be on the safe side */
+
+ /* The following should not fail ... */
+ if (getaddrinfo (tok, NULL, &hint, &ai) != 0)
+ {
+ return NO;
+ }
+ }
else
- /* NO, then check if it is only an addr */
- if (isipaddr(tok, NULL, NULL) != YES)
+ {
+ /*
+ * It is either an IP address or a hostname.
+ * Let getaddrinfo sort everything out
+ */
+ memset (&hint, '\0', sizeof (hint));
+ hint.ai_flags = 0;
+ hint.ai_family = AF_UNSPEC;
+
+ ai = NULL; /* just to be on the safe side */
+
+ if (getaddrinfo (string, NULL, &hint, &ai) != 0)
{
+ pam_syslog(pamh, LOG_ERR, "cannot resolve hostname \"%s\"", string);
+
return NO;
}
+ netmask_ptr = NULL;
+ }
if (isipaddr(string, NULL, NULL) != YES)
{
/* Assume network/netmask with a name of a host. */
- struct addrinfo hint;
-
memset (&hint, '\0', sizeof (hint));
hint.ai_flags = AI_CANONNAME;
hint.ai_family = AF_UNSPEC;
@@ -764,27 +796,52 @@ network_netmask_match (pam_handle_t *pam
else
{
struct addrinfo *runp = item->res;
+ struct addrinfo *runp1;
while (runp != NULL)
{
char buf[INET6_ADDRSTRLEN];
- inet_ntop (runp->ai_family,
- runp->ai_family == AF_INET
- ? (void *) &((struct sockaddr_in *)
runp->ai_addr)->sin_addr
- : (void *) &((struct sockaddr_in6 *)
runp->ai_addr)->sin6_addr,
- buf, sizeof (buf));
+ (void) getnameinfo (runp->ai_addr, runp->ai_addrlen, buf,
sizeof (buf), NULL, 0, NI_NUMERICHOST);
- if (are_addresses_equal(buf, tok, netmask_ptr))
+ for (runp1 = ai; runp1 != NULL; runp1 = runp1->ai_next)
{
- return YES;
+ char buf1[INET6_ADDRSTRLEN];
+
+ if (runp->ai_family != runp1->ai_family)
+ continue;
+
+ (void) getnameinfo (runp1->ai_addr, runp1->ai_addrlen,
buf1, sizeof (buf1), NULL, 0, NI_NUMERICHOST);
+
+ if (are_addresses_equal (buf, buf1, netmask_ptr))
+ {
+ freeaddrinfo(ai);
+ return YES;
+ }
}
runp = runp->ai_next;
}
}
}
else
- return (are_addresses_equal(string, tok, netmask_ptr));
+ {
+ struct addrinfo *runp1;
+
+ for (runp1 = ai; runp1 != NULL; runp1 = runp1->ai_next)
+ {
+ char buf1[INET6_ADDRSTRLEN];
+
+ (void) getnameinfo (runp1->ai_addr, runp1->ai_addrlen, buf1, sizeof
(buf1), NULL, 0, NI_NUMERICHOST);
+
+ if (are_addresses_equal(string, buf1, netmask_ptr))
+ {
+ freeaddrinfo(ai);
+ return YES;
+ }
+ }
+ }
+
+ freeaddrinfo(ai);
return NO;
}
