On Sun, May 30, 2004 at 04:48:09PM -0400, Sam Hartman wrote:

> I indicated a willingness to work with Russel on selinux integration
> but he never got back to me.

oh? ah. seems like communication has been lost in transit then.

> He asked if I was interested in upgrading to PAM 0.77. I said no
> because it seemed like a lot of work for no significant gain.

*thinks*. lessavalook. okay... debian's pam version is 0.76.

SHRIEK there's a stack of patches in the debian/patches directory!! no wonder it'd be a lot of work!

and the NSA's pam patch is against 0.77, and it's 1,934 lines long. eep :)

okay, let's see if it cleanly applies to 0.76.... annnd no it doesn't.

okay, i tried doing a merge, but i am beginning to get into trouble on pam_unix_passwd.c. for example, in the original 0.76 pam_unix_passwd.c file, there is code that does:

    chown(OPW_TMPFILE, 0, 0);
    chmod(OPW_TMPFILE, 0600);

yet i see no such thing in 0.77. but i _do_ see a fchmod(fileno(owfile), st.st_mode). and then later on there appear to be inconsistencies when the shadow password file is handled in a similar fashion.

[whoever did that rewrite of pam 0.77, you're a pain! :) only kidding. you introduced a different style, "set err = -1; goto end", instead of returning an error immediately: i know _why_ it was done, it's to be able to clean up the selinux context at the end of that function, which has over five return points. knowing why doesn't mean i have to like it if it causes a patch to happen not to apply against an older version. *grump*. ignore me.]

i think the mods to unix_chkpwd.c, where there is a single clash in main at the comment "read the nullok/nonull option", are more straightforward to resolve. it's just these passwd file and shadow file handling patches that are... "odd" and don't cleanly apply.

> I indicated willingness to take patches from upstream's cvs if they
> made the selinux work easier but he never responded to the offer.
the only thing i can think of is that a communication thread has been lost, somehow, because russell is under the impression that pam / selinux integration has stalled.

*click*. oh, so you'd be happy for someone (me being the closest victim) to attempt a patch against the latest pam cvs rather than specifically against 0.77? hey, that's worth a shot, because against 0.76 it ain't gonna happen - not cleanly, anyway.

correct me if a quick googling is wrong, but that's http://sf.net/projects/pam, yes?

l.

_______________________________________________
Pam-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/pam-list
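The two things the message contrasts, as an added illustration that is not code from PAM or from anyone on this thread: rewriting a file into a temp copy whose permission bits are applied with fchmod() on the already-open descriptor (the 0.77 style, rather than chmod() on a path name), with every failure going through one `err = -1; goto end` cleanup point. The file names, the `copy_with_mode` function and the `demo_copied_mode` helper are constructed for this example.

```c
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <sys/stat.h>

/* Copy `src` into a new temp file (path written into mkstemp template `tmp`),
 * giving the copy the source's permission bits. The mode is set with fchmod()
 * on the open descriptor, so no path lookup sits between creating the file
 * and changing its mode. Every failure sets err and jumps to `end`, where
 * cleanup runs exactly once, whichever of the checks failed. */
static int copy_with_mode(const char *src, char *tmp)
{
    int err = 0, fd = -1;
    FILE *in = NULL, *out = NULL;
    struct stat st;
    char buf[4096];
    size_t n;

    in = fopen(src, "r");
    if (in == NULL || fstat(fileno(in), &st) != 0) { err = -1; goto end; }
    fd = mkstemp(tmp);                                /* created 0600 */
    if (fd < 0 || (out = fdopen(fd, "w")) == NULL) { err = -1; goto end; }
    fd = -1;                                          /* now owned by out */
    if (fchmod(fileno(out), st.st_mode & 07777) != 0) { err = -1; goto end; }
    while ((n = fread(buf, 1, sizeof buf, in)) > 0)
        if (fwrite(buf, 1, n, out) != n) { err = -1; goto end; }
    if (ferror(in) || fflush(out) != 0) err = -1;
end:
    if (in) fclose(in);
    if (out) fclose(out);
    else if (fd >= 0) close(fd);
    if (err != 0) unlink(tmp);     /* never leave a half-written copy behind */
    return err;
}

/* Constructed check: create a 0640 source with one passwd-style line, copy it,
 * and return the copy's permission bits (expected 0640), or -1 on failure. */
int demo_copied_mode(void)
{
    char src[] = "/tmp/pam-src-XXXXXX", dst[] = "/tmp/pam-dst-XXXXXX";
    struct stat st;
    int ok = 0, mode = -1, fd = mkstemp(src);
    if (fd < 0) return -1;
    ok = fchmod(fd, 0640) == 0 && write(fd, "root:x:0:0\n", 11) == 11;
    close(fd);
    if (ok && copy_with_mode(src, dst) == 0 && stat(dst, &st) == 0)
        mode = (int)(st.st_mode & 07777);
    unlink(src);
    unlink(dst);
    return mode;
}
```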