2011-11-29 Rohini S <
[email protected]>
* patches/Python26-22-audio.diff: Fixes CVE-2010-1634
* specs/SUNWPython26.spec: Fixes CR 7085446
--- gdm-2.30.1/common/gdm-common.h-orig 2009-03-30 14:58:43.821340000 -0500
+++ gdm-2.30.1/common/gdm-common.h 2009-03-30 14:58:03.958286000 -0500
@@ -52,6 +52,8 @@ gboolean gdm_string_hex_decode
int insert_at);
char *gdm_generate_random_bytes (gsize size,
GError **error);
+char *gdm_read_default (gchar *key);
+
G_END_DECLS
--- gdm-2.30.1/common/gdm-common.c-orig 2009-03-30 14:59:24.837987000 -0500
+++ gdm-2.30.1/common/gdm-common.c 2009-03-30 15:00:41.625204000 -0500
@@ -27,6 +27,7 @@
#include <fcntl.h>
#include <sys/wait.h>
#include <pwd.h>
+#include <deflt.h>
#include <glib.h>
#include <glib/gi18n.h>
@@ -470,3 +471,27 @@ gdm_generate_random_bytes (gsize size
close (fd);
return bytes;
}
+
+/*
+ * gdm_read_default
+ *
+ * This function is used to support systems that have the /etc/default/login
+ * interface to control programs that affect security. This is a Solaris
+ * thing, though some users on other systems may find it useful.
+ */
+gchar *
+gdm_read_default (gchar *key)
+{
+ gchar *retval = NULL;
+
+ if (defopen ("/etc/default/login") == 0) {
+ int flags = defcntl (DC_GETFLAGS, 0);
+
+ TURNOFF (flags, DC_CASE);
+ (void) defcntl (DC_SETFLAGS, flags); /* ignore case */
+ retval = g_strdup (defread (key));
+ (void) defopen ((char *)NULL);
+ }
+ return retval;
+}
+
--- gdm-2.30.1/daemon/gdm-session-direct.c-orig 2010-04-26 14:52:23.950164465 -0500
+++ gdm-2.30.1/daemon/gdm-session-direct.c 2010-04-26 14:52:49.618142348 -0500
@@ -2118,6 +2118,8 @@ gdm_session_direct_set_environment_varia
static void
setup_session_environment (GdmSessionDirect *session)
{
+ struct passwd *passwd_entry;
+ char *path_str = NULL;
char *windowpath;
gdm_session_direct_set_environment_variable (session,
@@ -2158,15 +2160,20 @@ setup_session_environment (GdmSessionDir
windowpath);
}
+ passwd_entry = getpwnam (session->priv->selected_user);
+ if (passwd_entry != NULL && passwd_entry->pw_uid == 0)
+ path_str = gdm_read_default ("SUPATH=");
+
+ if (path_str == NULL)
+ path_str = gdm_read_default ("PATH=");
+
+ if (path_str == NULL)
+ path_str = GDM_SESSION_DEFAULT_PATH;
+
/* FIXME: We do this here and in the session worker. We should consolidate
* somehow.
*/
- gdm_session_direct_set_environment_variable (session,
- "PATH",
- strcmp (BINDIR, "/usr/bin") == 0?
- GDM_SESSION_DEFAULT_PATH :
- BINDIR ":" GDM_SESSION_DEFAULT_PATH);
-
+ gdm_session_direct_set_environment_variable (session, "PATH", path_str);
}
static void
--- gdm-2.30.1/daemon/gdm-session-worker.c-orig 2010-04-26 14:52:34.008619408 -0500
+++ gdm-2.30.1/daemon/gdm-session-worker.c 2010-04-26 14:52:49.616650736 -0500
@@ -1443,9 +1443,28 @@ gdm_session_worker_authorize_user (GdmSe
{
int error_code;
int authentication_flags;
+ char *consoleonly;
g_debug ("GdmSessionWorker: determining if authenticated user is authorized to session");
+ consoleonly = gdm_read_default ("CONSOLE=");
+
+ if ((consoleonly != NULL) &&
+ (strcmp (consoleonly, "/dev/console") == 0)) {
+
+ if (worker->priv->hostname != NULL && worker->priv->hostname[0] != '\0') {
+ struct passwd *passwd_entry;
+
+ passwd_entry = getpwnam (worker->priv->username);
+ if (passwd_entry->pw_uid == 0) {
+ error_code = PAM_PERM_DENIED;
+
+ g_debug ("The system administrator is not allowed to log in remotely");
+ goto out;
+ }
+ }
+ }
+
authentication_flags = 0;
if (password_is_required) {
@@ -1648,6 +1667,7 @@ gdm_session_worker_accredit_user (GdmSes
gid_t gid;
char *shell;
char *home;
+ char *path_str;
int error_code;
ret = FALSE;
@@ -1687,17 +1707,17 @@ gdm_session_worker_accredit_user (GdmSes
home,
shell);
- /* Let's give the user a default PATH if he doesn't already have one
- */
- if (!gdm_session_worker_environment_variable_is_set (worker, "PATH")) {
- if (strcmp (BINDIR, "/usr/bin") == 0) {
- gdm_session_worker_set_environment_variable (worker, "PATH",
- GDM_SESSION_DEFAULT_PATH);
- } else {
- gdm_session_worker_set_environment_variable (worker, "PATH",
- BINDIR ":" GDM_SESSION_DEFAULT_PATH);
- }
- }
+ path_str = NULL;
+ if (uid == 0)
+ path_str = gdm_read_default ("SUPATH=");
+
+ if (path_str == NULL)
+ path_str = gdm_read_default ("PATH=");
+
+ if (path_str == NULL)
+ path_str = GDM_SESSION_DEFAULT_PATH;
+
+ gdm_session_worker_set_environment_variable (worker, "PATH", path_str);
if (! _change_user (worker, uid, gid)) {
g_debug ("GdmSessionWorker: Unable to change to user");
@@ -2315,6 +2335,14 @@ do_setup (GdmSessionWorker *worker)
{
GError *error;
gboolean res;
+ char *passreq;
+
+ passreq = gdm_read_default ("PASSREQ=");
+
+ if ((passreq != NULL) && g_ascii_strcasecmp (passreq, "YES") == 0)
+ worker->priv->password_is_required = TRUE;
+ else
+ worker->priv->password_is_required = FALSE;
worker->priv->user_settings = gdm_session_settings_new ();