[packages/cvs.git] / cvs-debian-pam.patch

#
# Add in extra PAM options compared to upstream's own PAM code:
# * Add an extra option PamAuth to control use of PAM separately from
#   SystemAuth
# * Add support for DefaultPamUser - try that if the specified
#   user does not exist
#
# Patch by Steve McIntyre <steve@einval.com>
diff -ruN cvs-1.12.13-old/doc/cvs.texinfo cvs-1.12.13/doc/cvs.texinfo
--- cvs-1.12.13-old/doc/cvs.texinfo	2005-09-23 03:02:53.000000000 +0100
+++ cvs-1.12.13/doc/cvs.texinfo	2006-05-19 23:50:10.000000000 +0100
@@ -2662,8 +2662,18 @@
 system has PAM (Pluggable Authentication Modules)
 and your @sc{cvs} server executable was configured to
 use it at compile time (using @code{./configure --enable-pam} - see the
-INSTALL file for more).  In this case, PAM will be consulted instead.
-This means that @sc{cvs} can be configured to use any password
+INSTALL file for more).  In this case, PAM may be
+consulted first (or instead). The
+"fallback" behaviour can be controlled using the two
+variables @code{PamAuth} and @code{SystemAuth}. On a
+Debian system, @code{PamAuth} defaults to @code{yes}
+and @code{SystemAuth} to @code{no} - after all, PAM can
+supports passwd file lookups itself. Changing these is
+possible by setting @code{PamAuth=no} and
+@code{SystemAuth=yes} in the @sc{cvs} @file{config}
+file, @pxref{config}).
+
+Use of PAM means that @sc{cvs} can be configured to use any password
 authentication source PAM can be configured to use (possibilities
 include a simple UNIX password, NIS, LDAP, and others) in its
 global configuration file (usually @file{/etc/pam.conf}
@@ -2691,7 +2701,7 @@
 cvs	session	    required	pam_unix.so
 @end example
 
-The the equivalent @file{/etc/pam.d/cvs} would contain
+The equivalent @file{/etc/pam.d/cvs} would contain
 
 @example
 auth	    required	pam_unix.so
@@ -2715,6 +2725,13 @@
 feature should not be used if you may not have control of the name
 @sc{cvs} will be invoked as.
 
+If you wish to use PAM for authentication, and details
+of your users are not available using getpwnam(), you
+may set a default name for the account on the server
+that will be used after authentication. To do this,
+either set @code{DefaultPamUser=user} in the @sc{cvs}
+@file{config} file, @pxref{config}.
+
 Be aware, also, that falling back to system
 authentication might be a security risk: @sc{cvs}
 operations would then be authenticated with that user's
diff -ruN cvs-1.12.13-old/src/parseinfo.c cvs-1.12.13/src/parseinfo.c
--- cvs-1.12.13-old/src/parseinfo.c	2005-09-06 05:40:37.000000000 +0100
+++ cvs-1.12.13/src/parseinfo.c	2006-05-19 22:46:00.000000000 +0100
@@ -303,8 +303,12 @@
                                                           */
 #endif /* PROXY_SUPPORT */
 #ifdef AUTH_SERVER_SUPPORT
-    new->system_auth = true;
+    new->system_auth = false;
 #endif /* AUTH_SERVER_SUPPORT */
+#ifdef HAVE_PAM
+    new->PamAuth = true;
+    new->DefaultPamUser = NULL;
+#endif
 
     return new;
 }
@@ -696,6 +700,13 @@
 	    readSizeT (infopath, "MaxCompressionLevel", p,
 		       &retval->MaxCompressionLevel);
 #endif /* SERVER_SUPPORT */
+#ifdef HAVE_PAM
+    else if (!strcmp (line, "DefaultPamUser"))
+        retval->DefaultPamUser = xstrdup(p);
+	else if (!strcmp (line, "PamAuth"))
+	    readBool (infopath, "PamAuth", p,
+		      &retval->PamAuth);
+#endif
 	else
 	    /* We may be dealing with a keyword which was added in a
 	       subsequent version of CVS.  In that case it is a good idea
diff -ruN cvs-1.12.13-old/src/parseinfo.h cvs-1.12.13/src/parseinfo.h
--- cvs-1.12.13-old/src/parseinfo.h	2005-09-05 04:03:38.000000000 +0100
+++ cvs-1.12.13/src/parseinfo.h	2006-05-19 22:40:31.000000000 +0100
@@ -59,6 +59,10 @@
 #ifdef PRESERVE_PERMISSIONS_SUPPORT
     bool preserve_perms;
 #endif /* PRESERVE_PERMISSIONS_SUPPORT */
+#ifdef HAVE_PAM
+    char *DefaultPamUser;
+    bool PamAuth;
+#endif
 };
 
 bool parse_error (const char *, unsigned int);
diff -ruN cvs-1.12.13-old/src/server.c cvs-1.12.13/src/server.c
--- cvs-1.12.13-old/src/server.c	2005-09-28 16:25:59.000000000 +0100
+++ cvs-1.12.13/src/server.c	2006-05-20 00:45:14.000000000 +0100
@@ -6919,6 +6919,15 @@
     {
         pam_stage = "get pam user";
         retval = pam_get_item (pamh, PAM_USER, (const void **)username);
+        if ((retval != PAM_SUCCESS) && (NULL != config->DefaultPamUser))
+        {
+            /* An issue with using pam is that the host may well not have
+               a local user entry to match the authenticated user. If this
+               has failed, optionally fall back to a specified local
+               username */
+            *username = xstrdup(config->DefaultPamUser);
+            retval = PAM_SUCCESS;
+        }
     }
 
     if (retval != PAM_SUCCESS)
@@ -7022,7 +7031,11 @@
 
     assert (rc == 0);
 
+#ifdef HAVE_PAM
+    if (!config->system_auth && !config->PamAuth)
+#else
     if (!config->system_auth)
+#endif
     {
 	/* Note that the message _does_ distinguish between the case in
 	   which we check for a system password and the case in which
@@ -7037,9 +7050,10 @@
 
     /* No cvs password found, so try /etc/passwd. */
 #ifdef HAVE_PAM
-    if (check_pam_password (&username, password))
+    if ( (config->PamAuth && check_pam_password (&username, password)) ||
+         (config->system_auth && check_system_password (username, password)))
 #else /* !HAVE_PAM */
-    if (check_system_password (username, password))
+	if (config->system_auth && check_system_password (username, password))
 #endif /* HAVE_PAM */
 	host_user = xstrdup (username);
     else
Commit	Line	Data
3a862a5e AM	1	#
	2	# Add in extra PAM options compared to upstream's own PAM code:
	3	# * Add an extra option PamAuth to control use of PAM separately from
	4	# SystemAuth
	5	# * Add support for DefaultPamUser - try that if the specified
	6	# user does not exist
	7	#
	8	# Patch by Steve McIntyre <steve@einval.com>
	9	diff -ruN cvs-1.12.13-old/doc/cvs.texinfo cvs-1.12.13/doc/cvs.texinfo
	10	--- cvs-1.12.13-old/doc/cvs.texinfo 2005-09-23 03:02:53.000000000 +0100
	11	+++ cvs-1.12.13/doc/cvs.texinfo 2006-05-19 23:50:10.000000000 +0100
	12	@@ -2662,8 +2662,18 @@
	13	system has PAM (Pluggable Authentication Modules)
	14	and your @sc{cvs} server executable was configured to
	15	use it at compile time (using @code{./configure --enable-pam} - see the
	16	-INSTALL file for more). In this case, PAM will be consulted instead.
	17	-This means that @sc{cvs} can be configured to use any password
	18	+INSTALL file for more). In this case, PAM may be
	19	+consulted first (or instead). The
	20	+"fallback" behaviour can be controlled using the two
	21	+variables @code{PamAuth} and @code{SystemAuth}. On a
	22	+Debian system, @code{PamAuth} defaults to @code{yes}
	23	+and @code{SystemAuth} to @code{no} - after all, PAM can
	24	+supports passwd file lookups itself. Changing these is
	25	+possible by setting @code{PamAuth=no} and
	26	+@code{SystemAuth=yes} in the @sc{cvs} @file{config}
	27	+file, @pxref{config}).
	28	+
	29	+Use of PAM means that @sc{cvs} can be configured to use any password
	30	authentication source PAM can be configured to use (possibilities
	31	include a simple UNIX password, NIS, LDAP, and others) in its
	32	global configuration file (usually @file{/etc/pam.conf}
	33	@@ -2691,7 +2701,7 @@
	34	cvs session required pam_unix.so
	35	@end example
	36
	37	-The the equivalent @file{/etc/pam.d/cvs} would contain
	38	+The equivalent @file{/etc/pam.d/cvs} would contain
	39
	40	@example
	41	auth required pam_unix.so
	42	@@ -2715,6 +2725,13 @@
	43	feature should not be used if you may not have control of the name
	44	@sc{cvs} will be invoked as.
	45
	46	+If you wish to use PAM for authentication, and details
	47	+of your users are not available using getpwnam(), you
	48	+may set a default name for the account on the server
	49	+that will be used after authentication. To do this,
	50	+either set @code{DefaultPamUser=user} in the @sc{cvs}
	51	+@file{config} file, @pxref{config}.
	52	+
	53	Be aware, also, that falling back to system
	54	authentication might be a security risk: @sc{cvs}
	55	operations would then be authenticated with that user's
	56	diff -ruN cvs-1.12.13-old/src/parseinfo.c cvs-1.12.13/src/parseinfo.c
	57	--- cvs-1.12.13-old/src/parseinfo.c 2005-09-06 05:40:37.000000000 +0100
	58	+++ cvs-1.12.13/src/parseinfo.c 2006-05-19 22:46:00.000000000 +0100
	59	@@ -303,8 +303,12 @@
	60	*/
	61	#endif /* PROXY_SUPPORT */
	62	#ifdef AUTH_SERVER_SUPPORT
	63	- new->system_auth = true;
	64	+ new->system_auth = false;
65	#endif /* AUTH_SERVER_SUPPORT */
66	+#ifdef HAVE_PAM
67	+ new->PamAuth = true;
68	+ new->DefaultPamUser = NULL;
69	+#endif
70
71	return new;
72	}
73	@@ -696,6 +700,13 @@
74	readSizeT (infopath, "MaxCompressionLevel", p,
75	&retval->MaxCompressionLevel);
76	#endif /* SERVER_SUPPORT */
77	+#ifdef HAVE_PAM
78	+ else if (!strcmp (line, "DefaultPamUser"))
79	+ retval->DefaultPamUser = xstrdup(p);
80	+ else if (!strcmp (line, "PamAuth"))
81	+ readBool (infopath, "PamAuth", p,
82	+ &retval->PamAuth);
83	+#endif
84	else
85	/* We may be dealing with a keyword which was added in a
86	subsequent version of CVS. In that case it is a good idea
87	diff -ruN cvs-1.12.13-old/src/parseinfo.h cvs-1.12.13/src/parseinfo.h
88	--- cvs-1.12.13-old/src/parseinfo.h 2005-09-05 04:03:38.000000000 +0100
89	+++ cvs-1.12.13/src/parseinfo.h 2006-05-19 22:40:31.000000000 +0100
90	@@ -59,6 +59,10 @@
91	#ifdef PRESERVE_PERMISSIONS_SUPPORT
92	bool preserve_perms;
93	#endif /* PRESERVE_PERMISSIONS_SUPPORT */
94	+#ifdef HAVE_PAM
95	+ char *DefaultPamUser;
96	+ bool PamAuth;
97	+#endif
98	};
99
100	bool parse_error (const char *, unsigned int);
101	diff -ruN cvs-1.12.13-old/src/server.c cvs-1.12.13/src/server.c
102	--- cvs-1.12.13-old/src/server.c 2005-09-28 16:25:59.000000000 +0100
103	+++ cvs-1.12.13/src/server.c 2006-05-20 00:45:14.000000000 +0100
104	@@ -6919,6 +6919,15 @@
105	{
106	pam_stage = "get pam user";
107	retval = pam_get_item (pamh, PAM_USER, (const void **)username);
108	+ if ((retval != PAM_SUCCESS) && (NULL != config->DefaultPamUser))
109	+ {
110	+ /* An issue with using pam is that the host may well not have
111	+ a local user entry to match the authenticated user. If this
112	+ has failed, optionally fall back to a specified local
113	+ username */
114	+ *username = xstrdup(config->DefaultPamUser);
115	+ retval = PAM_SUCCESS;
116	+ }
117	}
118
119	if (retval != PAM_SUCCESS)
120	@@ -7022,7 +7031,11 @@
121
122	assert (rc == 0);
123
124	+#ifdef HAVE_PAM
125	+ if (!config->system_auth && !config->PamAuth)
126	+#else
127	if (!config->system_auth)
128	+#endif
129	{
130	/* Note that the message _does_ distinguish between the case in
131	which we check for a system password and the case in which
132	@@ -7037,9 +7050,10 @@
133
134	/* No cvs password found, so try /etc/passwd. */
135	#ifdef HAVE_PAM
136	- if (check_pam_password (&username, password))
137	+ if ( (config->PamAuth && check_pam_password (&username, password)) \|\|
138	+ (config->system_auth && check_system_password (username, password)))
139	#else /* !HAVE_PAM */
140	- if (check_system_password (username, password))
141	+ if (config->system_auth && check_system_password (username, password))
142	#endif /* HAVE_PAM */
143	host_user = xstrdup (username);
144	else