Commit | Line | Data |
---|---|---|
76652ff6 AM |
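--- a/debian/patches/60_PAM_support
+++ b/debian/patches/60_PAM_support
@@ -0,0 +1,144 @@
+#
+# Add in extra PAM options compared to upstream's own PAM code:
+# * Add an extra option PamAuth to control use of PAM separately from
+# SystemAuth
+# * Add support for DefaultPamUser - try that if the specified
+# user does not exist
+#
+# Patch by Steve McIntyre <steve@einval.com>
+diff -ruN cvs-1.12.13-old/doc/cvs.texinfo cvs-1.12.13/doc/cvs.texinfo
+--- cvs-1.12.13-old/doc/cvs.texinfo 2005-09-23 03:02:53.000000000 +0100
++++ cvs-1.12.13/doc/cvs.texinfo 2006-05-19 23:50:10.000000000 +0100
+@@ -2662,8 +2662,18 @@
+ system has PAM (Pluggable Authentication Modules)
+ and your @sc{cvs} server executable was configured to
+ use it at compile time (using @code{./configure --enable-pam} - see the
+-INSTALL file for more). In this case, PAM will be consulted instead.
+-This means that @sc{cvs} can be configured to use any password
++INSTALL file for more). In this case, PAM may be
++consulted first (or instead). The
++"fallback" behaviour can be controlled using the two
++variables @code{PamAuth} and @code{SystemAuth}. On a
++Debian system, @code{PamAuth} defaults to @code{yes}
++and @code{SystemAuth} to @code{no} - after all, PAM can
++supports passwd file lookups itself. Changing these is
++possible by setting @code{PamAuth=no} and
++@code{SystemAuth=yes} in the @sc{cvs} @file{config}
++file, @pxref{config}).
++
++Use of PAM means that @sc{cvs} can be configured to use any password
+ authentication source PAM can be configured to use (possibilities
+ include a simple UNIX password, NIS, LDAP, and others) in its
+ global configuration file (usually @file{/etc/pam.conf}
+@@ -2691,7 +2701,7 @@
+ cvs session required pam_unix.so
+ @end example
+
+-The the equivalent @file{/etc/pam.d/cvs} would contain
++The equivalent @file{/etc/pam.d/cvs} would contain
+
+ @example
+ auth required pam_unix.so
+@@ -2715,6 +2725,13 @@
+ feature should not be used if you may not have control of the name
+ @sc{cvs} will be invoked as.
+
++If you wish to use PAM for authentication, and details
++of your users are not available using getpwnam(), you
++may set a default name for the account on the server
++that will be used after authentication. To do this,
++either set @code{DefaultPamUser=user} in the @sc{cvs}
++@file{config} file, @pxref{config}.
++
+ Be aware, also, that falling back to system
+ authentication might be a security risk: @sc{cvs}
+ operations would then be authenticated with that user's
+diff -ruN cvs-1.12.13-old/src/parseinfo.c cvs-1.12.13/src/parseinfo.c
+--- cvs-1.12.13-old/src/parseinfo.c 2005-09-06 05:40:37.000000000 +0100
++++ cvs-1.12.13/src/parseinfo.c 2006-05-19 22:46:00.000000000 +0100
+@@ -303,8 +303,12 @@
+ */
+ #endif /* PROXY_SUPPORT */
+ #ifdef AUTH_SERVER_SUPPORT
+- new->system_auth = true;
++ new->system_auth = false;
+ #endif /* AUTH_SERVER_SUPPORT */
++#ifdef HAVE_PAM
++ new->PamAuth = true;
++ new->DefaultPamUser = NULL;
++#endif
+
+ return new;
+ }
+@@ -696,6 +700,13 @@
+ readSizeT (infopath, "MaxCompressionLevel", p,
+ &retval->MaxCompressionLevel);
+ #endif /* SERVER_SUPPORT */
++#ifdef HAVE_PAM
++ else if (!strcmp (line, "DefaultPamUser"))
++ retval->DefaultPamUser = xstrdup(p);
++ else if (!strcmp (line, "PamAuth"))
++ readBool (infopath, "PamAuth", p,
++ &retval->PamAuth);
++#endif
+ else
+ /* We may be dealing with a keyword which was added in a
+ subsequent version of CVS. In that case it is a good idea
+diff -ruN cvs-1.12.13-old/src/parseinfo.h cvs-1.12.13/src/parseinfo.h
+--- cvs-1.12.13-old/src/parseinfo.h 2005-09-05 04:03:38.000000000 +0100
++++ cvs-1.12.13/src/parseinfo.h 2006-05-19 22:40:31.000000000 +0100
+@@ -59,6 +59,10 @@
+ #ifdef PRESERVE_PERMISSIONS_SUPPORT
+ bool preserve_perms;
+ #endif /* PRESERVE_PERMISSIONS_SUPPORT */
++#ifdef HAVE_PAM
++ char *DefaultPamUser;
++ bool PamAuth;
++#endif
+ };
+
+ bool parse_error (const char *, unsigned int);
+diff -ruN cvs-1.12.13-old/src/server.c cvs-1.12.13/src/server.c
+--- cvs-1.12.13-old/src/server.c 2005-09-28 16:25:59.000000000 +0100
++++ cvs-1.12.13/src/server.c 2006-05-20 00:45:14.000000000 +0100
+@@ -6919,6 +6919,15 @@
+ {
+ pam_stage = "get pam user";
+ retval = pam_get_item (pamh, PAM_USER, (const void **)username);
++ if ((retval != PAM_SUCCESS) && (NULL != config->DefaultPamUser))
++ {
++ /* An issue with using pam is that the host may well not have
++ a local user entry to match the authenticated user. If this
++ has failed, optionally fall back to a specified local
++ username */
++ *username = xstrdup(config->DefaultPamUser);
++ retval = PAM_SUCCESS;
++ }
+ }
+
+ if (retval != PAM_SUCCESS)
+@@ -7022,7 +7031,11 @@
+
+ assert (rc == 0);
+
++#ifdef HAVE_PAM
++ if (!config->system_auth && !config->PamAuth)
++#else
+ if (!config->system_auth)
++#endif
+ {
+ /* Note that the message _does_ distinguish between the case in
+ which we check for a system password and the case in which
+@@ -7037,9 +7050,10 @@
+
+ /* No cvs password found, so try /etc/passwd. */
+ #ifdef HAVE_PAM
+- if (check_pam_password (&username, password))
++ if ( (config->PamAuth && check_pam_password (&username, password)) ||
++ (config->system_auth && check_system_password (username, password)))
+ #else /* !HAVE_PAM */
+- if (check_system_password (username, password))
++ if (config->system_auth && check_system_password (username, password))
+ #endif /* HAVE_PAM */
+ host_user = xstrdup (username);
+ else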
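Review bot: In the server.c hunk at 6919 the DefaultPamUser fallback is taken only when `pam_get_item (pamh, PAM_USER, ...)` returns an error, which is not the case the patch header and the texinfo text describe (an authenticated user with no getpwnam() entry). A test that matches the description would be `if (retval == PAM_SUCCESS && config->DefaultPamUser != NULL && getpwnam (*username) == NULL) *username = xstrdup (config->DefaultPamUser);`. As written the branch also resets `retval` to `PAM_SUCCESS`, and the condition guarding the enclosing block lies outside the hunk, so it should be confirmed that this point is reached only after the authenticate and account stages succeeded. Because every such login then runs as one shared local account, the substitution should be logged together with the name the client authenticated as, so that repository actions stay attributable.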