authorDag-Erling Smørgrav <des@FreeBSD.org>2003-02-05 00:31:34 +0800
committerDag-Erling Smørgrav <des@FreeBSD.org>2003-02-05 00:31:34 +0800
commit0e9073a57ead474d58905bf42ad26931fb8dd9a2 (patch)
tree8a34e711e5f00310c99e119c1e4c1a9a9f695c00 /databases
parent803c6ab715c567bc064a1604c009c9f520c9c0de (diff)
[1] Avoid leaking potentially sensitive information into system logs
[2] Add PAM support to gnatsd PR: [1] ports/41342 Submitted by: [1] Igor Kucherenko <kivvy@sunbay.com> [2] ru
Notes
Notes: svn path=/head/; revision=74680
Diffstat (limited to 'databases')
-rw-r--r--databases/gnats/Makefile2
-rw-r--r--databases/gnats/files/patch-ab22
-rw-r--r--databases/gnats/files/patch-gnats::cmds.c15
-rw-r--r--databases/gnats/files/patch-gnats::gnatsd.c130
4 files changed, 166 insertions, 3 deletions
diff --git a/databases/gnats/Makefile b/databases/gnats/Makefile
index 751a22a94dd3..362abc19c6d7 100644
--- a/databases/gnats/Makefile
+++ b/databases/gnats/Makefile
@@ -7,7 +7,7 @@
PORTNAME= gnats
PORTVERSION= 3.113.1
-PORTREVISION= 6
+PORTREVISION= 7
CATEGORIES= databases elisp
MASTER_SITES= ${MASTER_SITE_GNU}
MASTER_SITE_SUBDIR= gnats
diff --git a/databases/gnats/files/patch-ab b/databases/gnats/files/patch-ab
index bea5f88fe1a8..141789659a58 100644
--- a/databases/gnats/files/patch-ab
+++ b/databases/gnats/files/patch-ab
@@ -1,5 +1,23 @@
---- gnats/Makefile.in.orig Tue Sep 21 16:18:39 1999
-+++ gnats/Makefile.in Fri Jan 21 10:06:19 2000
+--- gnats/Makefile.in.orig Tue May 8 20:23:36 2001
++++ gnats/Makefile.in Tue Aug 20 19:17:44 2002
+@@ -122,7 +122,7 @@
+ DIFFOPT = @DIFFOPT@
+
+ # These are set by autoconf.
+-DEFS = @DEFS@
++DEFS = @DEFS@ -DHAVE_PAM
+ LIBS = @LIBS@
+ KRBINCLUDE = @KRBINCLUDE@
+
+@@ -311,7 +311,7 @@
+
+ gnatsd: gnatsd.o cmds.o regex.o libgnats.a
+ $(CC) $(LDFLAGS) -o $@ gnatsd.o cmds.o regex.o db_conf.o \
+- libgnats.a $(LIBRX) $(LIBIBERTY) $(LIBS)
++ libgnats.a $(LIBRX) $(LIBIBERTY) $(LIBS) -lpam
+
+ queue-pr: queue-pr.o libgnats.a
+ $(CC) $(LDFLAGS) -o $@ queue-pr.o \
@@ -465,7 +465,7 @@
getdate.c: getdate.y
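Review bot: `-DHAVE_PAM` and `-lpam` are hard-wired into `DEFS` and the gnatsd link line, so every build of the port switches to the PAM path with no knob to keep the file-only behaviour. The diffstat lists no PAM policy file for the `gnatsd` service name, so authentication presumably depends on whatever policy the host already has for that service or its fallback. Consider gating both additions on a port option and documenting the required policy, for example with a comment such as `# HAVE_PAM: gnatsd authenticates through the PAM service "gnatsd"; install a policy for it`.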
diff --git a/databases/gnats/files/patch-gnats::cmds.c b/databases/gnats/files/patch-gnats::cmds.c
new file mode 100644
index 000000000000..727ce56bf87e
--- /dev/null
+++ b/databases/gnats/files/patch-gnats::cmds.c
@@ -0,0 +1,15 @@
+--- gnats/cmds.c.orig Sun Feb 4 22:56:10 2001
++++ gnats/cmds.c Mon Aug 5 17:25:48 2002
+@@ -476,9 +476,9 @@
+
+ if (user_access <= ACCESS_NONE)
+ {
+- syslog (LOG_ERR, "user not allowed access: %s/%s", av[0], av[1]);
+- printf ("%d You are not on the user access list: %s/%s.\r\n",
+- CODE_NO_ACCESS, av[0], av[1]);
++ syslog (LOG_ERR, "user %s not allowed access", av[0]);
++ printf ("%d You are not on the user access list.\r\n",
++ CODE_NO_ACCESS, av[0]);
+ exit (1);
+ }
+
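Review bot: The rewritten `printf` still passes `av[0]` although its format string no longer contains a `%s`, so the call should end `CODE_NO_ACCESS);`. The surplus argument is ignored at run time, but it triggers format warnings and suggests the user name is still echoed when it is not. The `syslog` line keeps `av[0]`, which is client-supplied text; passing it as a `%s` argument is safe, though log consumers should treat it as untrusted. The enclosing function starts and ends outside this hunk.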
diff --git a/databases/gnats/files/patch-gnats::gnatsd.c b/databases/gnats/files/patch-gnats::gnatsd.c
new file mode 100644
index 000000000000..a979f42d8815
--- /dev/null
+++ b/databases/gnats/files/patch-gnats::gnatsd.c
@@ -0,0 +1,130 @@
+--- gnats/gnatsd.c.orig Wed Sep 22 02:18:39 1999
++++ gnats/gnatsd.c Tue Aug 20 21:11:28 2002
+@@ -24,6 +24,15 @@
+ #include "query.h"
+ #include "db_conf.h"
+
++#ifdef HAVE_PAM
++#include <security/pam_appl.h>
++#ifdef _OPENPAM
++#include <security/openpam.h>
++#endif
++
++static int issetuidroot;
++#endif /* HAVE_PAM */
++
+ char myname[MAXHOSTNAMELEN];
+
+ char *program_name;
+@@ -387,9 +396,9 @@
+ return found;
+ }
+
+-/* Get the access lever for this user. */
+-int
+-get_user_access (database, filename, user, passwd)
++/* Get the access level for this user using the file backend. */
++static int
++get_user_access_file (database, filename, user, passwd)
+ char *database;
+ char *filename;
+ char *user;
+@@ -489,6 +498,86 @@
+ return access;
+ }
+
++#ifdef HAVE_PAM
++#ifndef _OPENPAM
++int
++pam_conv (n, msg, resp, data)
++ int n;
++ const struct pam_message **msg;
++ struct pam_response **resp;
++ void *data;
++{
++
++ if (n != 1 || msg[0]->msg_style != PAM_PROMPT_ECHO_OFF)
++ return(PAM_CONV_ERR);
++ if ((*resp = malloc(sizeof(struct pam_response))) == NULL)
++ return(PAM_CONV_ERR);
++ (*resp)[0].resp = strdup((const char *)data);
++ (*resp)[0].resp_retcode = 0;
++
++ return ((*resp)[0].resp != NULL ? PAM_SUCCESS : PAM_CONV_ERR);
++}
++#endif /* _OPENPAM */
++
++/* Get the access level for this user using the PAM backend. */
++static int
++get_user_access_pam (user, passwd)
++ char *user;
++ char *passwd;
++{
++ int access;
++ pam_handle_t *pamh;
++ struct pam_conv pamc = {
++#ifdef _OPENPAM
++ &openpam_nullconv, NULL
++#else
++ &pam_conv, passwd
++#endif
++ };
++
++ access = -1;
++
++ /* PAM chain may require super-user. */
++ if (issetuidroot)
++ seteuid(0);
++
++ if (pam_start("gnatsd", user, &pamc, &pamh) == PAM_SUCCESS &&
++#ifdef _OPENPAM
++ pam_set_item(pamh, PAM_AUTHTOK, passwd) == PAM_SUCCESS &&
++#endif
++ pam_authenticate(pamh, 0) == PAM_SUCCESS)
++ {
++ access = ACCESS_EDIT;
++ }
++
++ /* Revert back to real UID. */
++ if (issetuidroot)
++ seteuid(getuid());
++
++ return access;
++}
++#endif /* HAVE_PAM */
++
++/* Get the access level for this user. */
++int
++get_user_access (database, filename, user, passwd)
++ char *database;
++ char *filename;
++ char *user;
++ char *passwd;
++{
++ int access;
++
++ access = -1;
++
++#ifdef HAVE_PAM
++ if ((access = get_user_access_pam(user, passwd)) == -1)
++#endif /* HAVE_PAM */
++ access = get_user_access_file(database, filename, user, passwd);
++
++ return access;
++}
++
+ void
+ start_connection ()
+ {
+@@ -680,6 +769,11 @@
+ int optc;
+ int not_inetd = 0;
+ int access, access_required;
++
++#ifdef HAVE_PAM
++ if ((issetuidroot = geteuid() == 0 && getuid() != 0))
++ seteuid(getuid());
++#endif /* HAVE_PAM */
+
+ outfile = stdout;
+
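Review bot: Both `seteuid(getuid())` calls ignore the return value, so a failed drop leaves gnatsd handling the client's commands with effective UID 0. This applies to the "Revert back to real UID" call in `get_user_access_pam` and to the one added at the top of `main`. `get_user_access_pam` also never calls `pam_end()`, which leaves the handle and the `PAM_AUTHTOK` copy of the password allocated for the rest of the process. It grants `ACCESS_EDIT` without `pam_acct_mgmt()`, so expired or locked accounts would presumably still be accepted. The rewrite below checks the drop, adds the account check and releases the handle; in `main`, whose body starts and ends outside the inner hunk, the equivalent is to exit when `seteuid()` fails.

```c
  int rc;
  /* … unchanged: pamc initialiser, access = -1, seteuid(0) when issetuidroot … */
  pamh = NULL;
  rc = pam_start("gnatsd", user, &pamc, &pamh);
#ifdef _OPENPAM
  if (rc == PAM_SUCCESS)
    rc = pam_set_item(pamh, PAM_AUTHTOK, passwd);
#endif
  if (rc == PAM_SUCCESS)
    rc = pam_authenticate(pamh, 0);
  /* Reject accounts that authenticate but are expired or disabled. */
  if (rc == PAM_SUCCESS)
    rc = pam_acct_mgmt(pamh, 0);
  if (rc == PAM_SUCCESS)
    access = ACCESS_EDIT;
  /* Release the handle and the items (including the password) it holds. */
  if (pamh != NULL)
    pam_end(pamh, rc);

  /* Revert back to real UID; do not keep serving the client as root. */
  if (issetuidroot && seteuid(getuid()) != 0)
    {
      syslog (LOG_ERR, "cannot drop privileges");
      exit (1);
    }
```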