[packages/cvs.git] / cvs-debian-pam.patch

--- cvs-1.12.13.orig/debian/patches/60_PAM_support
+++ cvs-1.12.13/debian/patches/60_PAM_support
@@ -0,0 +1,144 @@
+#
+# Add in extra PAM options compared to upstream's own PAM code:
+# * Add an extra option PamAuth to control use of PAM separately from
+#   SystemAuth
+# * Add support for DefaultPamUser - try that if the specified
+#   user does not exist
+#
+# Patch by Steve McIntyre <steve@einval.com>
+diff -ruN cvs-1.12.13-old/doc/cvs.texinfo cvs-1.12.13/doc/cvs.texinfo
+--- cvs-1.12.13-old/doc/cvs.texinfo	2005-09-23 03:02:53.000000000 +0100
++++ cvs-1.12.13/doc/cvs.texinfo	2006-05-19 23:50:10.000000000 +0100
+@@ -2662,8 +2662,18 @@
+ system has PAM (Pluggable Authentication Modules)
+ and your @sc{cvs} server executable was configured to
+ use it at compile time (using @code{./configure --enable-pam} - see the
+-INSTALL file for more).  In this case, PAM will be consulted instead.
+-This means that @sc{cvs} can be configured to use any password
++INSTALL file for more).  In this case, PAM may be
++consulted first (or instead). The
++"fallback" behaviour can be controlled using the two
++variables @code{PamAuth} and @code{SystemAuth}. On a
++Debian system, @code{PamAuth} defaults to @code{yes}
++and @code{SystemAuth} to @code{no} - after all, PAM can
++supports passwd file lookups itself. Changing these is
++possible by setting @code{PamAuth=no} and
++@code{SystemAuth=yes} in the @sc{cvs} @file{config}
++file, @pxref{config}).
++
++Use of PAM means that @sc{cvs} can be configured to use any password
+ authentication source PAM can be configured to use (possibilities
+ include a simple UNIX password, NIS, LDAP, and others) in its
+ global configuration file (usually @file{/etc/pam.conf}
+@@ -2691,7 +2701,7 @@
+ cvs	session	    required	pam_unix.so
+ @end example
+ 
+-The the equivalent @file{/etc/pam.d/cvs} would contain
++The equivalent @file{/etc/pam.d/cvs} would contain
+ 
+ @example
+ auth	    required	pam_unix.so
+@@ -2715,6 +2725,13 @@
+ feature should not be used if you may not have control of the name
+ @sc{cvs} will be invoked as.
+ 
++If you wish to use PAM for authentication, and details
++of your users are not available using getpwnam(), you
++may set a default name for the account on the server
++that will be used after authentication. To do this,
++either set @code{DefaultPamUser=user} in the @sc{cvs}
++@file{config} file, @pxref{config}.
++
+ Be aware, also, that falling back to system
+ authentication might be a security risk: @sc{cvs}
+ operations would then be authenticated with that user's
+diff -ruN cvs-1.12.13-old/src/parseinfo.c cvs-1.12.13/src/parseinfo.c
+--- cvs-1.12.13-old/src/parseinfo.c	2005-09-06 05:40:37.000000000 +0100
++++ cvs-1.12.13/src/parseinfo.c	2006-05-19 22:46:00.000000000 +0100
+@@ -303,8 +303,12 @@
+                                                           */
+ #endif /* PROXY_SUPPORT */
+ #ifdef AUTH_SERVER_SUPPORT
+-    new->system_auth = true;
++    new->system_auth = false;
+ #endif /* AUTH_SERVER_SUPPORT */
++#ifdef HAVE_PAM
++    new->PamAuth = true;
++    new->DefaultPamUser = NULL;
++#endif
+ 
+     return new;
+ }
+@@ -696,6 +700,13 @@
+ 	    readSizeT (infopath, "MaxCompressionLevel", p,
+ 		       &retval->MaxCompressionLevel);
+ #endif /* SERVER_SUPPORT */
++#ifdef HAVE_PAM
++    else if (!strcmp (line, "DefaultPamUser"))
++        retval->DefaultPamUser = xstrdup(p);
++	else if (!strcmp (line, "PamAuth"))
++	    readBool (infopath, "PamAuth", p,
++		      &retval->PamAuth);
++#endif
+ 	else
+ 	    /* We may be dealing with a keyword which was added in a
+ 	       subsequent version of CVS.  In that case it is a good idea
+diff -ruN cvs-1.12.13-old/src/parseinfo.h cvs-1.12.13/src/parseinfo.h
+--- cvs-1.12.13-old/src/parseinfo.h	2005-09-05 04:03:38.000000000 +0100
++++ cvs-1.12.13/src/parseinfo.h	2006-05-19 22:40:31.000000000 +0100
+@@ -59,6 +59,10 @@
+ #ifdef PRESERVE_PERMISSIONS_SUPPORT
+     bool preserve_perms;
+ #endif /* PRESERVE_PERMISSIONS_SUPPORT */
++#ifdef HAVE_PAM
++    char *DefaultPamUser;
++    bool PamAuth;
++#endif
+ };
+ 
+ bool parse_error (const char *, unsigned int);
+diff -ruN cvs-1.12.13-old/src/server.c cvs-1.12.13/src/server.c
+--- cvs-1.12.13-old/src/server.c	2005-09-28 16:25:59.000000000 +0100
++++ cvs-1.12.13/src/server.c	2006-05-20 00:45:14.000000000 +0100
+@@ -6919,6 +6919,15 @@
+     {
+         pam_stage = "get pam user";
+         retval = pam_get_item (pamh, PAM_USER, (const void **)username);
++        if ((retval != PAM_SUCCESS) && (NULL != config->DefaultPamUser))
++        {
++            /* An issue with using pam is that the host may well not have
++               a local user entry to match the authenticated user. If this
++               has failed, optionally fall back to a specified local
++               username */
++            *username = xstrdup(config->DefaultPamUser);
++            retval = PAM_SUCCESS;
++        }
+     }
+ 
+     if (retval != PAM_SUCCESS)
+@@ -7022,7 +7031,11 @@
+ 
+     assert (rc == 0);
+ 
++#ifdef HAVE_PAM
++    if (!config->system_auth && !config->PamAuth)
++#else
+     if (!config->system_auth)
++#endif
+     {
+ 	/* Note that the message _does_ distinguish between the case in
+ 	   which we check for a system password and the case in which
+@@ -7037,9 +7050,10 @@
+ 
+     /* No cvs password found, so try /etc/passwd. */
+ #ifdef HAVE_PAM
+-    if (check_pam_password (&username, password))
++    if ( (config->PamAuth && check_pam_password (&username, password)) ||
++         (config->system_auth && check_system_password (username, password)))
+ #else /* !HAVE_PAM */
+-    if (check_system_password (username, password))
++	if (config->system_auth && check_system_password (username, password))
+ #endif /* HAVE_PAM */
+ 	host_user = xstrdup (username);
+     else
Commit	Line	Data
76652ff6 AM	1	--- cvs-1.12.13.orig/debian/patches/60_PAM_support
	2	+++ cvs-1.12.13/debian/patches/60_PAM_support
	3	@@ -0,0 +1,144 @@
	4	+#
	5	+# Add in extra PAM options compared to upstream's own PAM code:
	6	+# * Add an extra option PamAuth to control use of PAM separately from
	7	+# SystemAuth
	8	+# * Add support for DefaultPamUser - try that if the specified
	9	+# user does not exist
	10	+#
	11	+# Patch by Steve McIntyre <steve@einval.com>
	12	+diff -ruN cvs-1.12.13-old/doc/cvs.texinfo cvs-1.12.13/doc/cvs.texinfo
	13	+--- cvs-1.12.13-old/doc/cvs.texinfo 2005-09-23 03:02:53.000000000 +0100
	14	++++ cvs-1.12.13/doc/cvs.texinfo 2006-05-19 23:50:10.000000000 +0100
	15	+@@ -2662,8 +2662,18 @@
	16	+ system has PAM (Pluggable Authentication Modules)
	17	+ and your @sc{cvs} server executable was configured to
	18	+ use it at compile time (using @code{./configure --enable-pam} - see the
	19	+-INSTALL file for more). In this case, PAM will be consulted instead.
	20	+-This means that @sc{cvs} can be configured to use any password
	21	++INSTALL file for more). In this case, PAM may be
	22	++consulted first (or instead). The
	23	++"fallback" behaviour can be controlled using the two
	24	++variables @code{PamAuth} and @code{SystemAuth}. On a
	25	++Debian system, @code{PamAuth} defaults to @code{yes}
	26	++and @code{SystemAuth} to @code{no} - after all, PAM can
	27	++supports passwd file lookups itself. Changing these is
	28	++possible by setting @code{PamAuth=no} and
	29	++@code{SystemAuth=yes} in the @sc{cvs} @file{config}
	30	++file, @pxref{config}).
	31	++
	32	++Use of PAM means that @sc{cvs} can be configured to use any password
	33	+ authentication source PAM can be configured to use (possibilities
	34	+ include a simple UNIX password, NIS, LDAP, and others) in its
	35	+ global configuration file (usually @file{/etc/pam.conf}
	36	+@@ -2691,7 +2701,7 @@
	37	+ cvs session required pam_unix.so
	38	+ @end example
	39	+
	40	+-The the equivalent @file{/etc/pam.d/cvs} would contain
	41	++The equivalent @file{/etc/pam.d/cvs} would contain
	42	+
	43	+ @example
	44	+ auth required pam_unix.so
	45	+@@ -2715,6 +2725,13 @@
	46	+ feature should not be used if you may not have control of the name
	47	+ @sc{cvs} will be invoked as.
	48	+
	49	++If you wish to use PAM for authentication, and details
	50	++of your users are not available using getpwnam(), you
	51	++may set a default name for the account on the server
	52	++that will be used after authentication. To do this,
	53	++either set @code{DefaultPamUser=user} in the @sc{cvs}
	54	++@file{config} file, @pxref{config}.
	55	++
	56	+ Be aware, also, that falling back to system
	57	+ authentication might be a security risk: @sc{cvs}
	58	+ operations would then be authenticated with that user's
	59	+diff -ruN cvs-1.12.13-old/src/parseinfo.c cvs-1.12.13/src/parseinfo.c
	60	+--- cvs-1.12.13-old/src/parseinfo.c 2005-09-06 05:40:37.000000000 +0100
	61	++++ cvs-1.12.13/src/parseinfo.c 2006-05-19 22:46:00.000000000 +0100
	62	+@@ -303,8 +303,12 @@
	63	+ */
	64	+ #endif /* PROXY_SUPPORT */
65	+ #ifdef AUTH_SERVER_SUPPORT
66	+- new->system_auth = true;
67	++ new->system_auth = false;
68	+ #endif /* AUTH_SERVER_SUPPORT */
69	++#ifdef HAVE_PAM
70	++ new->PamAuth = true;
71	++ new->DefaultPamUser = NULL;
72	++#endif
73	+
74	+ return new;
75	+ }
76	+@@ -696,6 +700,13 @@
77	+ readSizeT (infopath, "MaxCompressionLevel", p,
78	+ &retval->MaxCompressionLevel);
79	+ #endif /* SERVER_SUPPORT */
80	++#ifdef HAVE_PAM
81	++ else if (!strcmp (line, "DefaultPamUser"))
82	++ retval->DefaultPamUser = xstrdup(p);
83	++ else if (!strcmp (line, "PamAuth"))
84	++ readBool (infopath, "PamAuth", p,
85	++ &retval->PamAuth);
86	++#endif
87	+ else
88	+ /* We may be dealing with a keyword which was added in a
89	+ subsequent version of CVS. In that case it is a good idea
90	+diff -ruN cvs-1.12.13-old/src/parseinfo.h cvs-1.12.13/src/parseinfo.h
91	+--- cvs-1.12.13-old/src/parseinfo.h 2005-09-05 04:03:38.000000000 +0100
92	++++ cvs-1.12.13/src/parseinfo.h 2006-05-19 22:40:31.000000000 +0100
93	+@@ -59,6 +59,10 @@
94	+ #ifdef PRESERVE_PERMISSIONS_SUPPORT
95	+ bool preserve_perms;
96	+ #endif /* PRESERVE_PERMISSIONS_SUPPORT */
97	++#ifdef HAVE_PAM
98	++ char *DefaultPamUser;
99	++ bool PamAuth;
100	++#endif
101	+ };
102	+
103	+ bool parse_error (const char *, unsigned int);
104	+diff -ruN cvs-1.12.13-old/src/server.c cvs-1.12.13/src/server.c
105	+--- cvs-1.12.13-old/src/server.c 2005-09-28 16:25:59.000000000 +0100
106	++++ cvs-1.12.13/src/server.c 2006-05-20 00:45:14.000000000 +0100
107	+@@ -6919,6 +6919,15 @@
108	+ {
109	+ pam_stage = "get pam user";
110	+ retval = pam_get_item (pamh, PAM_USER, (const void **)username);
111	++ if ((retval != PAM_SUCCESS) && (NULL != config->DefaultPamUser))
112	++ {
113	++ /* An issue with using pam is that the host may well not have
114	++ a local user entry to match the authenticated user. If this
115	++ has failed, optionally fall back to a specified local
116	++ username */
117	++ *username = xstrdup(config->DefaultPamUser);
118	++ retval = PAM_SUCCESS;
119	++ }
120	+ }
121	+
122	+ if (retval != PAM_SUCCESS)
123	+@@ -7022,7 +7031,11 @@
124	+
125	+ assert (rc == 0);
126	+
127	++#ifdef HAVE_PAM
128	++ if (!config->system_auth && !config->PamAuth)
129	++#else
130	+ if (!config->system_auth)
131	++#endif
132	+ {
133	+ /* Note that the message _does_ distinguish between the case in
134	+ which we check for a system password and the case in which
135	+@@ -7037,9 +7050,10 @@
136	+
137	+ /* No cvs password found, so try /etc/passwd. */
138	+ #ifdef HAVE_PAM
139	+- if (check_pam_password (&username, password))
140	++ if ( (config->PamAuth && check_pam_password (&username, password)) \|\|
141	++ (config->system_auth && check_system_password (username, password)))
142	+ #else /* !HAVE_PAM */
143	+- if (check_system_password (username, password))
144	++ if (config->system_auth && check_system_password (username, password))
145	+ #endif /* HAVE_PAM */
146	+ host_user = xstrdup (username);
147	+ else