commit: bf8a15acdb09aef0eedfaeb743e1ae566120e0b7 |
Author: Mike Gilbert <floppym <AT> gentoo <DOT> org> |
AuthorDate: Wed Sep 8 18:28:49 2021 +0000 |
Commit: Mike Gilbert <floppym <AT> gentoo <DOT> org> |
CommitDate: Wed Sep 8 18:29:25 2021 +0000 |
URL: https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=bf8a15ac |
|
sys-apps/systemd: backport fix for pam_systemd_home |
|
Closes: https://bugs.gentoo.org/811093 |
Signed-off-by: Mike Gilbert <floppym <AT> gentoo.org> |
|
.../systemd/files/249-home-secret-assert.patch | 106 +++++++++++++++++++++ |
sys-apps/systemd/systemd-249.4-r2.ebuild | 1 + |
2 files changed, 107 insertions(+) |
|
17 |
diff --git a/sys-apps/systemd/files/249-home-secret-assert.patch b/sys-apps/systemd/files/249-home-secret-assert.patch |
18 |
new file mode 100644 |
19 |
index 00000000000..e6e2a8e7cc7 |
20 |
--- /dev/null |
21 |
+++ b/sys-apps/systemd/files/249-home-secret-assert.patch |
22 |
@@ -0,0 +1,106 @@ |
23 |
+From 6a09dbb89507449d158af6c7097d2c51ce83205f Mon Sep 17 00:00:00 2001 |
24 |
+From: Yu Watanabe <watanabe.yu+github@×××××.com> |
25 |
+Date: Sun, 5 Sep 2021 11:16:26 +0900 |
26 |
+Subject: [PATCH] home: 'secret' argument of handle_generic_user_record_error |
27 |
+ may be null |
28 |
+ |
29 |
+When RefHome() bus method is called in acquire_home(), secret is NULL. |
30 |
+ |
31 |
+Fixes #20639. |
32 |
+--- |
33 |
+ src/home/pam_systemd_home.c | 19 ++++++++++++++++++- |
34 |
+ 1 file changed, 18 insertions(+), 1 deletion(-) |
35 |
+ |
36 |
+diff --git a/src/home/pam_systemd_home.c b/src/home/pam_systemd_home.c |
37 |
+index 836ed0d5e96d..a04d50208a8e 100644 |
38 |
+--- a/src/home/pam_systemd_home.c |
39 |
++++ b/src/home/pam_systemd_home.c |
40 |
+@@ -281,7 +281,6 @@ static int handle_generic_user_record_error( |
41 |
+ const sd_bus_error *error) { |
42 |
+ |
43 |
+ assert(user_name); |
44 |
+- assert(secret); |
45 |
+ assert(error); |
46 |
+ |
47 |
+ int r; |
48 |
+@@ -301,6 +300,8 @@ static int handle_generic_user_record_error( |
49 |
+ } else if (sd_bus_error_has_name(error, BUS_ERROR_BAD_PASSWORD)) { |
50 |
+ _cleanup_(erase_and_freep) char *newp = NULL; |
51 |
+ |
52 |
++ assert(secret); |
53 |
++ |
54 |
+ /* This didn't work? Ask for an (additional?) password */ |
55 |
+ |
56 |
+ if (strv_isempty(secret->password)) |
57 |
+@@ -326,6 +327,8 @@ static int handle_generic_user_record_error( |
58 |
+ } else if (sd_bus_error_has_name(error, BUS_ERROR_BAD_PASSWORD_AND_NO_TOKEN)) { |
59 |
+ _cleanup_(erase_and_freep) char *newp = NULL; |
60 |
+ |
61 |
++ assert(secret); |
62 |
++ |
63 |
+ if (strv_isempty(secret->password)) { |
64 |
+ (void) pam_prompt(handle, PAM_ERROR_MSG, NULL, "Security token of user %s not inserted.", user_name); |
65 |
+ r = pam_prompt(handle, PAM_PROMPT_ECHO_OFF, &newp, "Try again with password: "); |
66 |
+@@ -350,6 +353,8 @@ static int handle_generic_user_record_error( |
67 |
+ } else if (sd_bus_error_has_name(error, BUS_ERROR_TOKEN_PIN_NEEDED)) { |
68 |
+ _cleanup_(erase_and_freep) char *newp = NULL; |
69 |
+ |
70 |
++ assert(secret); |
71 |
++ |
72 |
+ r = pam_prompt(handle, PAM_PROMPT_ECHO_OFF, &newp, "Security token PIN: "); |
73 |
+ if (r != PAM_SUCCESS) |
74 |
+ return PAM_CONV_ERR; /* no logging here */ |
75 |
+@@ -367,6 +372,8 @@ static int handle_generic_user_record_error( |
76 |
+ |
77 |
+ } else if (sd_bus_error_has_name(error, BUS_ERROR_TOKEN_PROTECTED_AUTHENTICATION_PATH_NEEDED)) { |
78 |
+ |
79 |
++ assert(secret); |
80 |
++ |
81 |
+ (void) pam_prompt(handle, PAM_ERROR_MSG, NULL, "Please authenticate physically on security token of user %s.", user_name); |
82 |
+ |
83 |
+ r = user_record_set_pkcs11_protected_authentication_path_permitted(secret, true); |
84 |
+@@ -377,6 +384,8 @@ static int handle_generic_user_record_error( |
85 |
+ |
86 |
+ } else if (sd_bus_error_has_name(error, BUS_ERROR_TOKEN_USER_PRESENCE_NEEDED)) { |
87 |
+ |
88 |
++ assert(secret); |
89 |
++ |
90 |
+ (void) pam_prompt(handle, PAM_ERROR_MSG, NULL, "Please confirm presence on security token of user %s.", user_name); |
91 |
+ |
92 |
+ r = user_record_set_fido2_user_presence_permitted(secret, true); |
93 |
+@@ -387,6 +396,8 @@ static int handle_generic_user_record_error( |
94 |
+ |
95 |
+ } else if (sd_bus_error_has_name(error, BUS_ERROR_TOKEN_USER_VERIFICATION_NEEDED)) { |
96 |
+ |
97 |
++ assert(secret); |
98 |
++ |
99 |
+ (void) pam_prompt(handle, PAM_ERROR_MSG, NULL, "Please verify user on security token of user %s.", user_name); |
100 |
+ |
101 |
+ r = user_record_set_fido2_user_verification_permitted(secret, true); |
102 |
+@@ -403,6 +414,8 @@ static int handle_generic_user_record_error( |
103 |
+ } else if (sd_bus_error_has_name(error, BUS_ERROR_TOKEN_BAD_PIN)) { |
104 |
+ _cleanup_(erase_and_freep) char *newp = NULL; |
105 |
+ |
106 |
++ assert(secret); |
107 |
++ |
108 |
+ (void) pam_prompt(handle, PAM_ERROR_MSG, NULL, "Security token PIN incorrect for user %s.", user_name); |
109 |
+ r = pam_prompt(handle, PAM_PROMPT_ECHO_OFF, &newp, "Sorry, retry security token PIN: "); |
110 |
+ if (r != PAM_SUCCESS) |
111 |
+@@ -422,6 +435,8 @@ static int handle_generic_user_record_error( |
112 |
+ } else if (sd_bus_error_has_name(error, BUS_ERROR_TOKEN_BAD_PIN_FEW_TRIES_LEFT)) { |
113 |
+ _cleanup_(erase_and_freep) char *newp = NULL; |
114 |
+ |
115 |
++ assert(secret); |
116 |
++ |
117 |
+ (void) pam_prompt(handle, PAM_ERROR_MSG, NULL, "Security token PIN of user %s incorrect (only a few tries left!)", user_name); |
118 |
+ r = pam_prompt(handle, PAM_PROMPT_ECHO_OFF, &newp, "Sorry, retry security token PIN: "); |
119 |
+ if (r != PAM_SUCCESS) |
120 |
+@@ -441,6 +456,8 @@ static int handle_generic_user_record_error( |
121 |
+ } else if (sd_bus_error_has_name(error, BUS_ERROR_TOKEN_BAD_PIN_ONE_TRY_LEFT)) { |
122 |
+ _cleanup_(erase_and_freep) char *newp = NULL; |
123 |
+ |
124 |
++ assert(secret); |
125 |
++ |
126 |
+ (void) pam_prompt(handle, PAM_ERROR_MSG, NULL, "Security token PIN of user %s incorrect (only one try left!)", user_name); |
127 |
+ r = pam_prompt(handle, PAM_PROMPT_ECHO_OFF, &newp, "Sorry, retry security token PIN: "); |
128 |
+ if (r != PAM_SUCCESS) |
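Review bot: The per-branch `assert(secret);` lines added in the credential-handling branches (BUS_ERROR_BAD_PASSWORD through BUS_ERROR_TOKEN_BAD_PIN_ONE_TRY_LEFT) still abort the process that loaded the PAM module if one of those errors ever arrives on a call made without a secret, which the commit message says is the case for RefHome() in acquire_home(). Whether homed can return those error names for that call is not visible here, so the invariant rests on the behaviour of a peer across the bus. A runtime check such as `if (!secret) return PAM_SERVICE_ERR;` would fail the authentication attempt instead of taking down the login process, and it would also hold in a build where assertions are compiled out and `secret->password` would otherwise be read through a NULL pointer. handle_generic_user_record_error() starts and ends outside these hunks, so the branches not shown should be checked for other uses of `secret`.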
129 |
|
130 |
diff --git a/sys-apps/systemd/systemd-249.4-r2.ebuild b/sys-apps/systemd/systemd-249.4-r2.ebuild |
131 |
index 95d20177016..dd5462b694d 100644 |
132 |
--- a/sys-apps/systemd/systemd-249.4-r2.ebuild |
133 |
+++ b/sys-apps/systemd/systemd-249.4-r2.ebuild |
134 |
@@ -226,6 +226,7 @@ src_prepare() { |
135 |
# Add local patches here |
136 |
PATCHES+=( |
137 |
"${FILESDIR}/249-libudev-static.patch" |
138 |
+ "${FILESDIR}/249-home-secret-assert.patch" |
139 |
"${FILESDIR}/249-fido2.patch" |
140 |
) |