[gentoo-commits] repo/gentoo:master commit in: sys-apps/systemd/, sys-apps/systemd/files/ - gentoo-commits

From:	Mike Gilbert <floppym@g.o>
To:	gentoo-commits@l.g.o
Subject:	[gentoo-commits] repo/gentoo:master commit in: sys-apps/systemd/, sys-apps/systemd/files/
Date:	Wed, 08 Sep 2021 18:29:59
Message-Id:	`1631125765.bf8a15acdb09aef0eedfaeb743e1ae566120e0b7.floppym@gentoo`

1

commit:     bf8a15acdb09aef0eedfaeb743e1ae566120e0b7

2

Author:     Mike Gilbert <floppym <AT> gentoo <DOT> org>

3

AuthorDate: Wed Sep  8 18:28:49 2021 +0000

4

Commit:     Mike Gilbert <floppym <AT> gentoo <DOT> org>

5

CommitDate: Wed Sep  8 18:29:25 2021 +0000

6

URL:        https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=bf8a15ac

7

8

sys-apps/systemd: backport fix for pam_systemd_home

9

10

Closes: https://bugs.gentoo.org/811093

11

Signed-off-by: Mike Gilbert <floppym <AT> gentoo.org>

12

13

 .../systemd/files/249-home-secret-assert.patch     | 106 +++++++++++++++++++++

14

 sys-apps/systemd/systemd-249.4-r2.ebuild           |   1 +

15

 2 files changed, 107 insertions(+)

16

17

diff --git a/sys-apps/systemd/files/249-home-secret-assert.patch b/sys-apps/systemd/files/249-home-secret-assert.patch

18

new file mode 100644

19

index 00000000000..e6e2a8e7cc7

20

--- /dev/null

21

+++ b/sys-apps/systemd/files/249-home-secret-assert.patch

22

@@ -0,0 +1,106 @@

23

+From 6a09dbb89507449d158af6c7097d2c51ce83205f Mon Sep 17 00:00:00 2001

24

+From: Yu Watanabe <watanabe.yu+github@×××××.com>

25

+Date: Sun, 5 Sep 2021 11:16:26 +0900

26

+Subject: [PATCH] home: 'secret' argument of handle_generic_user_record_error

27

+ may be null

28

+

29

+When RefHome() bus method is called in acquire_home(), secret is NULL.

30

+

31

+Fixes #20639.

32

+---

33

+ src/home/pam_systemd_home.c | 19 ++++++++++++++++++-

34

+ 1 file changed, 18 insertions(+), 1 deletion(-)

35

+

36

+diff --git a/src/home/pam_systemd_home.c b/src/home/pam_systemd_home.c

37

+index 836ed0d5e96d..a04d50208a8e 100644

38

+--- a/src/home/pam_systemd_home.c

39

++++ b/src/home/pam_systemd_home.c

40

+@@ -281,7 +281,6 @@ static int handle_generic_user_record_error(

41

+                 const sd_bus_error *error) {

42

+

43

+         assert(user_name);

44

+-        assert(secret);

45

+         assert(error);

46

+

47

+         int r;

48

+@@ -301,6 +300,8 @@ static int handle_generic_user_record_error(

49

+         } else if (sd_bus_error_has_name(error, BUS_ERROR_BAD_PASSWORD)) {

50

+                 _cleanup_(erase_and_freep) char *newp = NULL;

51

+

52

++                assert(secret);

53

++

54

+                 /* This didn't work? Ask for an (additional?) password */

55

+

56

+                 if (strv_isempty(secret->password))

57

+@@ -326,6 +327,8 @@ static int handle_generic_user_record_error(

58

+         } else if (sd_bus_error_has_name(error, BUS_ERROR_BAD_PASSWORD_AND_NO_TOKEN)) {

59

+                 _cleanup_(erase_and_freep) char *newp = NULL;

60

+

61

++                assert(secret);

62

++

63

+                 if (strv_isempty(secret->password)) {

64

+                         (void) pam_prompt(handle, PAM_ERROR_MSG, NULL, "Security token of user %s not inserted.", user_name);

65

+                         r = pam_prompt(handle, PAM_PROMPT_ECHO_OFF, &newp, "Try again with password: ");

66

+@@ -350,6 +353,8 @@ static int handle_generic_user_record_error(

67

+         } else if (sd_bus_error_has_name(error, BUS_ERROR_TOKEN_PIN_NEEDED)) {

68

+                 _cleanup_(erase_and_freep) char *newp = NULL;

69

+

70

++                assert(secret);

71

++

72

+                 r = pam_prompt(handle, PAM_PROMPT_ECHO_OFF, &newp, "Security token PIN: ");

73

+                 if (r != PAM_SUCCESS)

74

+                         return PAM_CONV_ERR; /* no logging here */

75

+@@ -367,6 +372,8 @@ static int handle_generic_user_record_error(

76

+

77

+         } else if (sd_bus_error_has_name(error, BUS_ERROR_TOKEN_PROTECTED_AUTHENTICATION_PATH_NEEDED)) {

78

+

79

++                assert(secret);

80

++

81

+                 (void) pam_prompt(handle, PAM_ERROR_MSG, NULL, "Please authenticate physically on security token of user %s.", user_name);

82

+

83

+                 r = user_record_set_pkcs11_protected_authentication_path_permitted(secret, true);

84

+@@ -377,6 +384,8 @@ static int handle_generic_user_record_error(

85

+

86

+         } else if (sd_bus_error_has_name(error, BUS_ERROR_TOKEN_USER_PRESENCE_NEEDED)) {

87

+

88

++                assert(secret);

89

++

90

+                 (void) pam_prompt(handle, PAM_ERROR_MSG, NULL, "Please confirm presence on security token of user %s.", user_name);

91

+

92

+                 r = user_record_set_fido2_user_presence_permitted(secret, true);

93

+@@ -387,6 +396,8 @@ static int handle_generic_user_record_error(

94

+

95

+         } else if (sd_bus_error_has_name(error, BUS_ERROR_TOKEN_USER_VERIFICATION_NEEDED)) {

96

+

97

++                assert(secret);

98

++

99

+                 (void) pam_prompt(handle, PAM_ERROR_MSG, NULL, "Please verify user on security token of user %s.", user_name);

100

+

101

+                 r = user_record_set_fido2_user_verification_permitted(secret, true);

102

+@@ -403,6 +414,8 @@ static int handle_generic_user_record_error(

103

+         } else if (sd_bus_error_has_name(error, BUS_ERROR_TOKEN_BAD_PIN)) {

104

+                 _cleanup_(erase_and_freep) char *newp = NULL;

105

+

106

++                assert(secret);

107

++

108

+                 (void) pam_prompt(handle, PAM_ERROR_MSG, NULL, "Security token PIN incorrect for user %s.", user_name);

109

+                 r = pam_prompt(handle, PAM_PROMPT_ECHO_OFF, &newp, "Sorry, retry security token PIN: ");

110

+                 if (r != PAM_SUCCESS)

111

+@@ -422,6 +435,8 @@ static int handle_generic_user_record_error(

112

+         } else if (sd_bus_error_has_name(error, BUS_ERROR_TOKEN_BAD_PIN_FEW_TRIES_LEFT)) {

113

+                 _cleanup_(erase_and_freep) char *newp = NULL;

114

+

115

++                assert(secret);

116

++

117

+                 (void) pam_prompt(handle, PAM_ERROR_MSG, NULL, "Security token PIN of user %s incorrect (only a few tries left!)", user_name);

118

+                 r = pam_prompt(handle, PAM_PROMPT_ECHO_OFF, &newp, "Sorry, retry security token PIN: ");

119

+                 if (r != PAM_SUCCESS)

120

+@@ -441,6 +456,8 @@ static int handle_generic_user_record_error(

121

+         } else if (sd_bus_error_has_name(error, BUS_ERROR_TOKEN_BAD_PIN_ONE_TRY_LEFT)) {

122

+                 _cleanup_(erase_and_freep) char *newp = NULL;

123

+

124

++                assert(secret);

125

++

126

+                 (void) pam_prompt(handle, PAM_ERROR_MSG, NULL, "Security token PIN of user %s incorrect (only one try left!)", user_name);

127

+                 r = pam_prompt(handle, PAM_PROMPT_ECHO_OFF, &newp, "Sorry, retry security token PIN: ");

128

+                 if (r != PAM_SUCCESS)

129

130

diff --git a/sys-apps/systemd/systemd-249.4-r2.ebuild b/sys-apps/systemd/systemd-249.4-r2.ebuild

131

index 95d20177016..dd5462b694d 100644

132

--- a/sys-apps/systemd/systemd-249.4-r2.ebuild

133

+++ b/sys-apps/systemd/systemd-249.4-r2.ebuild

134

@@ -226,6 +226,7 @@ src_prepare() {

135

 	# Add local patches here

136

 	PATCHES+=(

137

 		"${FILESDIR}/249-libudev-static.patch"

138

+		"${FILESDIR}/249-home-secret-assert.patch"

139

 		"${FILESDIR}/249-fido2.patch"

140

)

1	commit: bf8a15acdb09aef0eedfaeb743e1ae566120e0b7
2	Author: Mike Gilbert <floppym <AT> gentoo <DOT> org>
3	AuthorDate: Wed Sep 8 18:28:49 2021 +0000
4	Commit: Mike Gilbert <floppym <AT> gentoo <DOT> org>
5	CommitDate: Wed Sep 8 18:29:25 2021 +0000
6	URL: https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=bf8a15ac
7
8	sys-apps/systemd: backport fix for pam_systemd_home
9
10	Closes: https://bugs.gentoo.org/811093
11	Signed-off-by: Mike Gilbert <floppym <AT> gentoo.org>
12
13	.../systemd/files/249-home-secret-assert.patch \| 106 +++++++++++++++++++++
14	sys-apps/systemd/systemd-249.4-r2.ebuild \| 1 +
15	2 files changed, 107 insertions(+)
16
17	diff --git a/sys-apps/systemd/files/249-home-secret-assert.patch b/sys-apps/systemd/files/249-home-secret-assert.patch
18	new file mode 100644
19	index 00000000000..e6e2a8e7cc7
20	--- /dev/null
21	+++ b/sys-apps/systemd/files/249-home-secret-assert.patch
22	@@ -0,0 +1,106 @@
23	+From 6a09dbb89507449d158af6c7097d2c51ce83205f Mon Sep 17 00:00:00 2001
24	+From: Yu Watanabe <watanabe.yu+github@×××××.com>
25	+Date: Sun, 5 Sep 2021 11:16:26 +0900
26	+Subject: [PATCH] home: 'secret' argument of handle_generic_user_record_error
27	+ may be null
28	+
29	+When RefHome() bus method is called in acquire_home(), secret is NULL.
30	+
31	+Fixes #20639.
32	+---
33	+ src/home/pam_systemd_home.c \| 19 ++++++++++++++++++-
34	+ 1 file changed, 18 insertions(+), 1 deletion(-)
35	+
36	+diff --git a/src/home/pam_systemd_home.c b/src/home/pam_systemd_home.c
37	+index 836ed0d5e96d..a04d50208a8e 100644
38	+--- a/src/home/pam_systemd_home.c
39	++++ b/src/home/pam_systemd_home.c
40	+@@ -281,7 +281,6 @@ static int handle_generic_user_record_error(
41	+ const sd_bus_error *error) {
42	+
43	+ assert(user_name);
44	+- assert(secret);
45	+ assert(error);
46	+
47	+ int r;
48	+@@ -301,6 +300,8 @@ static int handle_generic_user_record_error(
49	+ } else if (sd_bus_error_has_name(error, BUS_ERROR_BAD_PASSWORD)) {
50	+ _cleanup_(erase_and_freep) char *newp = NULL;
51	+
52	++ assert(secret);
53	++
54	+ /* This didn't work? Ask for an (additional?) password */
55	+
56	+ if (strv_isempty(secret->password))
57	+@@ -326,6 +327,8 @@ static int handle_generic_user_record_error(
58	+ } else if (sd_bus_error_has_name(error, BUS_ERROR_BAD_PASSWORD_AND_NO_TOKEN)) {
59	+ _cleanup_(erase_and_freep) char *newp = NULL;
60	+
61	++ assert(secret);
62	++
63	+ if (strv_isempty(secret->password)) {
64	+ (void) pam_prompt(handle, PAM_ERROR_MSG, NULL, "Security token of user %s not inserted.", user_name);
65	+ r = pam_prompt(handle, PAM_PROMPT_ECHO_OFF, &newp, "Try again with password: ");
66	+@@ -350,6 +353,8 @@ static int handle_generic_user_record_error(
67	+ } else if (sd_bus_error_has_name(error, BUS_ERROR_TOKEN_PIN_NEEDED)) {
68	+ _cleanup_(erase_and_freep) char *newp = NULL;
69	+
70	++ assert(secret);
71	++
72	+ r = pam_prompt(handle, PAM_PROMPT_ECHO_OFF, &newp, "Security token PIN: ");
73	+ if (r != PAM_SUCCESS)
74	+ return PAM_CONV_ERR; /* no logging here */
75	+@@ -367,6 +372,8 @@ static int handle_generic_user_record_error(
76	+
77	+ } else if (sd_bus_error_has_name(error, BUS_ERROR_TOKEN_PROTECTED_AUTHENTICATION_PATH_NEEDED)) {
78	+
79	++ assert(secret);
80	++
81	+ (void) pam_prompt(handle, PAM_ERROR_MSG, NULL, "Please authenticate physically on security token of user %s.", user_name);
82	+
83	+ r = user_record_set_pkcs11_protected_authentication_path_permitted(secret, true);
84	+@@ -377,6 +384,8 @@ static int handle_generic_user_record_error(
85	+
86	+ } else if (sd_bus_error_has_name(error, BUS_ERROR_TOKEN_USER_PRESENCE_NEEDED)) {
87	+
88	++ assert(secret);
89	++
90	+ (void) pam_prompt(handle, PAM_ERROR_MSG, NULL, "Please confirm presence on security token of user %s.", user_name);
91	+
92	+ r = user_record_set_fido2_user_presence_permitted(secret, true);
93	+@@ -387,6 +396,8 @@ static int handle_generic_user_record_error(
94	+
95	+ } else if (sd_bus_error_has_name(error, BUS_ERROR_TOKEN_USER_VERIFICATION_NEEDED)) {
96	+
97	++ assert(secret);
98	++
99	+ (void) pam_prompt(handle, PAM_ERROR_MSG, NULL, "Please verify user on security token of user %s.", user_name);
100	+
101	+ r = user_record_set_fido2_user_verification_permitted(secret, true);
102	+@@ -403,6 +414,8 @@ static int handle_generic_user_record_error(
103	+ } else if (sd_bus_error_has_name(error, BUS_ERROR_TOKEN_BAD_PIN)) {
104	+ _cleanup_(erase_and_freep) char *newp = NULL;
105	+
106	++ assert(secret);
107	++
108	+ (void) pam_prompt(handle, PAM_ERROR_MSG, NULL, "Security token PIN incorrect for user %s.", user_name);
109	+ r = pam_prompt(handle, PAM_PROMPT_ECHO_OFF, &newp, "Sorry, retry security token PIN: ");
110	+ if (r != PAM_SUCCESS)
111	+@@ -422,6 +435,8 @@ static int handle_generic_user_record_error(
112	+ } else if (sd_bus_error_has_name(error, BUS_ERROR_TOKEN_BAD_PIN_FEW_TRIES_LEFT)) {
113	+ _cleanup_(erase_and_freep) char *newp = NULL;
114	+
115	++ assert(secret);
116	++
117	+ (void) pam_prompt(handle, PAM_ERROR_MSG, NULL, "Security token PIN of user %s incorrect (only a few tries left!)", user_name);
118	+ r = pam_prompt(handle, PAM_PROMPT_ECHO_OFF, &newp, "Sorry, retry security token PIN: ");
119	+ if (r != PAM_SUCCESS)
120	+@@ -441,6 +456,8 @@ static int handle_generic_user_record_error(
121	+ } else if (sd_bus_error_has_name(error, BUS_ERROR_TOKEN_BAD_PIN_ONE_TRY_LEFT)) {
122	+ _cleanup_(erase_and_freep) char *newp = NULL;
123	+
124	++ assert(secret);
125	++
126	+ (void) pam_prompt(handle, PAM_ERROR_MSG, NULL, "Security token PIN of user %s incorrect (only one try left!)", user_name);
127	+ r = pam_prompt(handle, PAM_PROMPT_ECHO_OFF, &newp, "Sorry, retry security token PIN: ");
128	+ if (r != PAM_SUCCESS)
129
130	diff --git a/sys-apps/systemd/systemd-249.4-r2.ebuild b/sys-apps/systemd/systemd-249.4-r2.ebuild
131	index 95d20177016..dd5462b694d 100644
132	--- a/sys-apps/systemd/systemd-249.4-r2.ebuild
133	+++ b/sys-apps/systemd/systemd-249.4-r2.ebuild
134	@@ -226,6 +226,7 @@ src_prepare() {
135	# Add local patches here
136	PATCHES+=(
137	"${FILESDIR}/249-libudev-static.patch"
138	+ "${FILESDIR}/249-home-secret-assert.patch"
139	"${FILESDIR}/249-fido2.patch"
140	)

Gentoo Archives: gentoo-commits