From fb4fb2bb4ad8aa6ab0fdce04864477bbe63eba78 Mon Sep 17 00:00:00 2001
From: hugel <2712504175@qq.com>
Date: Thu, 3 Apr 2025 17:05:38 +0800
Subject: [PATCH] revert "backport patch libpam use close_range() to close file descriptors"
---
 ...m_modutil_sanitize.c-optimize-the-wa.patch | 134 ------------------
 ...lose_range-to-close-file-descriptors.patch | 82 -----------
 ...tize_fds-Add-explicit-casts-to-avoid.patch | 36 -----
 pam.spec | 8 +-
 4 files changed, 4 insertions(+), 256 deletions(-)
 delete mode 100644 backport-Revert-libpam-pam_modutil_sanitize.c-optimize-the-wa.patch
 delete mode 100644 backport-libpam-use-close_range-to-close-file-descriptors.patch
 delete mode 100644 backport-pam_modutil_sanitize_fds-Add-explicit-casts-to-avoid.patch
diff --git a/backport-Revert-libpam-pam_modutil_sanitize.c-optimize-the-wa.patch b/backport-Revert-libpam-pam_modutil_sanitize.c-optimize-the-wa.patch
deleted file mode 100644
index 8e25756..0000000
--- a/backport-Revert-libpam-pam_modutil_sanitize.c-optimize-the-wa.patch
+++ /dev/null
@@ -1,134 +0,0 @@
-From a7b9ffd2eee74ac57b19a8cdf6710e43cd345ded Mon Sep 17 00:00:00 2001
-From: Tomas Mraz
-Date: Mon, 12 Oct 2020 09:42:52 +0200
-Subject: [PATCH] Revert "libpam/pam_modutil_sanitize.c: optimize the way to
- close fds"
-
-This reverts commit 1b087edc7f05237bf5eccc405704cd82b848e761.
-
-Conflict:NA
-Reference:https://github.com/linux-pam/linux-pam/commit/a7b9ffd2eee74ac57b19a8cdf6710e43cd345ded
-
----
- configure.ac | 2 +-
- libpam/pam_modutil_sanitize.c | 73 +++++++----------------------------
- 2 files changed, 15 insertions(+), 60 deletions(-)
-
-diff --git a/configure.ac b/configure.ac
-index 0f2b7de7..59327a75 100644
---- a/configure.ac
-+++ b/configure.ac
-@@ -530,7 +530,7 @@ dnl Checks for header files.
- AC_HEADER_DIRENT
- AC_HEADER_STDC
- AC_HEADER_SYS_WAIT
--AC_CHECK_HEADERS(fcntl.h limits.h malloc.h sys/file.h sys/ioctl.h sys/time.h syslog.h net/if.h termio.h unistd.h sys/fsuid.h inittypes.h sys/vfs.h linux/magic.h)
-+AC_CHECK_HEADERS(fcntl.h limits.h malloc.h sys/file.h sys/ioctl.h sys/time.h syslog.h net/if.h termio.h unistd.h sys/fsuid.h inittypes.h)
-
- dnl For module/pam_lastlog
- AC_CHECK_HEADERS(lastlog.h utmp.h utmpx.h)
-diff --git a/libpam/pam_modutil_sanitize.c b/libpam/pam_modutil_sanitize.c
-index 58b9537c..7579c5bd 100644
---- a/libpam/pam_modutil_sanitize.c
-+++ b/libpam/pam_modutil_sanitize.c
-@@ -10,13 +10,6 @@
- #include
- #include
- #include
--#include
--#ifdef HAVE_SYS_VFS_H
--#include
--#endif
--#ifdef HAVE_LINUX_MAGIC_H
--#include
--#endif
-
- /*
- * Creates a pipe, closes its write end, redirects fd to its read end.
-@@ -91,69 +84,31 @@ redirect_out(pam_handle_t *pamh, enum pam_modutil_redirect_fd mode,
- return fd;
- }
-
--/* Check if path is in a procfs.
*/
--static int
--is_in_procfs(int fd)
--{
--#if defined HAVE_SYS_VFS_H && defined PROC_SUPER_MAGIC
-- struct statfs stfs;
--
-- if (fstatfs(fd, &stfs) == 0) {
-- if (stfs.f_type == PROC_SUPER_MAGIC)
-- return 1;
-- } else {
-- return 0;
-- }
--#endif /* HAVE_SYS_VFS_H && PROC_SUPER_MAGIC */
--
-- return -1;
--}
--
- /* Closes all descriptors after stderr. */
- static void
- close_fds(void)
- {
-- DIR *dir = NULL;
-- struct dirent *dent;
-- int dfd = -1;
-- int fd;
-- struct rlimit rlim;
--
- /*
- * An arbitrary upper limit for the maximum file descriptor number
- * returned by RLIMIT_NOFILE.
- */
-- const unsigned int MAX_FD_NO = 65535;
-+ const int MAX_FD_NO = 65535;
-
- /* The lower limit is the same as for _POSIX_OPEN_MAX. */
-- const unsigned int MIN_FD_NO = 20;
--
-- /* If /proc is mounted, we can optimize which fd can be closed. */
-- if ((dir = opendir("/proc/self/fd")) != NULL) {
-- if ((dfd = dirfd(dir)) >= 0 && is_in_procfs(dfd) > 0) {
-- while ((dent = readdir(dir)) != NULL) {
-- fd = atoi(dent->d_name);
-- if (fd > STDERR_FILENO && fd != dfd)
-- close(fd);
-- }
-- } else {
-- dfd = -1;
-- }
-- closedir(dir);
-- }
-+ const int MIN_FD_NO = 20;
-
-- /* If /proc isn't available, fallback to the previous behavior. */
-- if (dfd < 0) {
-- if (getrlimit(RLIMIT_NOFILE, &rlim) || rlim.rlim_max > MAX_FD_NO)
-- fd = MAX_FD_NO;
-- else if (rlim.rlim_max < MIN_FD_NO)
-- fd = MIN_FD_NO;
-- else
-- fd = rlim.rlim_max - 1;
--
-- for (; fd > STDERR_FILENO; --fd)
-- close(fd);
-- }
-+ int fd;
-+ struct rlimit rlim;
-+
-+ if (getrlimit(RLIMIT_NOFILE, &rlim) || rlim.rlim_max > MAX_FD_NO)
-+ fd = MAX_FD_NO;
-+ else if (rlim.rlim_max < MIN_FD_NO)
-+ fd = MIN_FD_NO;
-+ else
-+ fd = rlim.rlim_max - 1;
-+
-+ for (; fd > STDERR_FILENO; --fd)
-+ close(fd);
- }
-
- int
---
-2.33.0
-
diff --git a/backport-libpam-use-close_range-to-close-file-descriptors.patch b/backport-libpam-use-close_range-to-close-file-descriptors.patch
deleted file mode 100644
index e385cb6..0000000
--- a/backport-libpam-use-close_range-to-close-file-descriptors.patch
+++ /dev/null
@@ -1,82 +0,0 @@
-From d6103b30050554d7b6ca6d55cb5b4ed3c9516663 Mon Sep 17 00:00:00 2001
-From: Iker Pedrosa
-Date: Wed, 25 Oct 2023 09:46:15 +0200
-Subject: [PATCH] libpam: use close_range() to close file descriptors
-
-* configure.ac: check whether close_range() is available in the system.
-* libpam/pam_modutil_sanitize.c: use close_range() to close all file
- descriptors. If the interface isn't available use the previous
- approach.
-
-Link: https://github.com/linux-pam/linux-pam/pull/276
-Resolves: https://issues.redhat.com/browse/RHEL-5099
-
-Signed-off-by: Iker Pedrosa
-
-Conflict:Context adaptation in configure.ac
-Reference:https://github.com/linux-pam/linux-pam/commit/d6103b30050554d7b6ca6d55cb5b4ed3c9516663
-
----
- configure.ac | 1 +
- libpam/pam_modutil_sanitize.c | 19 +++++++++++++++++--
- 2 files changed, 18 insertions(+), 2 deletions(-)
-
-diff --git a/configure.ac b/configure.ac
-index 39124d87..b6a8d6fb 100644
---- a/configure.ac
-+++ b/configure.ac
-@@ -638,5 +638,6 @@ AC_CHECK_FUNCS(quotactl)
- AC_CHECK_FUNCS(unshare)
- AC_CHECK_FUNCS([ruserok_af ruserok], [break])
-+AC_CHECK_FUNCS(close_range)
- BACKUP_LIBS=$LIBS
- LIBS="$LIBS -lutil"
- AC_CHECK_FUNCS([logwtmp])
-diff --git a/libpam/pam_modutil_sanitize.c b/libpam/pam_modutil_sanitize.c
-index f26e8ec0..1b8af743 100644
---- a/libpam/pam_modutil_sanitize.c
-+++ b/libpam/pam_modutil_sanitize.c
-@@ -11,6 +11,10 @@
- #include
- #include
-
-+#ifndef CLOSE_RANGE_UNSHARE
-+#define CLOSE_RANGE_UNSHARE (1U << 1)
-+#endif /* CLOSE_RANGE_UNSHARE */
-+
- /*
- * Creates a pipe, closes its write end, redirects fd to its read end.
- * Returns fd on success, -1 otherwise.
-@@ -84,9 +88,8 @@ redirect_out(pam_handle_t *pamh, enum pam_modutil_redirect_fd mode,
- return fd;
- }
-
--/* Closes all descriptors after stderr.
*/
- static void
--close_fds(void)
-+close_fds_iteratively(void)
- {
- /*
- * An arbitrary upper limit for the maximum file descriptor number
-@@ -111,6 +114,18 @@ close_fds(void)
- close(fd);
- }
-
-+/* Closes all descriptors after stderr. */
-+static void
-+close_fds(void)
-+{
-+#ifdef HAVE_CLOSE_RANGE
-+ if (close_range(STDERR_FILENO+1, -1U, CLOSE_RANGE_UNSHARE) == 0)
-+ return;
-+#endif /* HAVE_CLOSE_RANGE */
-+
-+ close_fds_iteratively();
-+}
-+
- int
- pam_modutil_sanitize_helper_fds(pam_handle_t *pamh,
- enum pam_modutil_redirect_fd stdin_mode,
---
-2.33.0
-
diff --git a/backport-pam_modutil_sanitize_fds-Add-explicit-casts-to-avoid.patch b/backport-pam_modutil_sanitize_fds-Add-explicit-casts-to-avoid.patch
deleted file mode 100644
index e79f328..0000000
--- a/backport-pam_modutil_sanitize_fds-Add-explicit-casts-to-avoid.patch
+++ /dev/null
@@ -1,36 +0,0 @@
-From 930200f240a50dcb84d8e3a5f0c33159b6c4309c Mon Sep 17 00:00:00 2001
-From: Tomas Mraz
-Date: Mon, 12 Oct 2020 10:15:09 +0200
-Subject: [PATCH] pam_modutil_sanitize_fds: Add explicit casts to avoid
- warnings
-
-Conflict:NA
-Reference:https://github.com/linux-pam/linux-pam/commit/930200f240a50dcb84d8e3a5f0c33159b6c4309c
-
----
- libpam/pam_modutil_sanitize.c | 6 +++---
- 1 file changed, 3 insertions(+), 3 deletions(-)
-
-diff --git a/libpam/pam_modutil_sanitize.c b/libpam/pam_modutil_sanitize.c
-index 7579c5bd..f26e8ec0 100644
---- a/libpam/pam_modutil_sanitize.c
-+++ b/libpam/pam_modutil_sanitize.c
-@@ -100,12 +100,12 @@ close_fds(void)
- int fd;
- struct rlimit rlim;
-
-- if (getrlimit(RLIMIT_NOFILE, &rlim) || rlim.rlim_max > MAX_FD_NO)
-+ if (getrlimit(RLIMIT_NOFILE, &rlim) || rlim.rlim_max > (rlim_t)MAX_FD_NO)
- fd = MAX_FD_NO;
-- else if (rlim.rlim_max < MIN_FD_NO)
-+ else if (rlim.rlim_max < (rlim_t)MIN_FD_NO)
- fd = MIN_FD_NO;
- else
-- fd = rlim.rlim_max - 1;
-+ fd = (int)rlim.rlim_max - 1;
-
- for (; fd > STDERR_FILENO; --fd)
- close(fd);
---
-2.33.0
-
diff --git a/pam.spec b/pam.spec
index 624ccb6..67c5c79 100644
--- a/pam.spec
+++ b/pam.spec
@@ -4,7 +4,7 @@
 %define _pamconfdir %{_sysconfdir}/pam.d
 Name: pam
 Version: 1.4.0
-Release: 14
+Release: 15
 Summary: Pluggable Authentication Modules for Linux
 License: BSD and GPLv2+
 URL: http://www.linux-pam.org/
@@ -41,9 +41,6 @@ Patch6008: backport-Permit-unix_chkpwd-pam_unix.so-to-run-without-being-setuid-r
 Patch6009: backport-pam_unix-workaround-the-problem-caused-by-libnss_sys.patch
 Patch6010: backport-CVE-2024-10041.patch
 Patch6011: backport-CVE-2024-10041-pam_unix-try-to-set-uid-to-0-for-unix_chkpwd.patch
-Patch6012: backport-Revert-libpam-pam_modutil_sanitize.c-optimize-the-wa.patch
-Patch6013: backport-pam_modutil_sanitize_fds-Add-explicit-casts-to-avoid.patch
-Patch6014: backport-libpam-use-close_range-to-close-file-descriptors.patch
 Patch9000: add-sm3-crypt-support.patch
@@ -198,6 +195,9 @@ fi
 %changelog
+* Thu Apr 03 2025 hugel - 1.4.0-15
+- revert "backport patch libpam use close_range() to close file descriptors"
+
 * Mon Mar 24 2025 hugel - 1.4.0-14
 - backport patch libpam use close_range() to close file descriptors