authorThorsten Kukuk <kukuk@thkukuk.de>2004-09-15 12:06:17 +0000
committerThorsten Kukuk <kukuk@thkukuk.de>2004-09-15 12:06:17 +0000
commite1f75a80821125170e23a9b920d138a4a952c708 (patch)
tree06b15c3d9d4fa69fad768cb5071bb4bfc80f9d92
parentd7987be1aade2b11454a8b3b3d8e9c1c3df93d5f (diff)
Relevant BUGIDs:
Purpose of commit: Commit summary: --------------- bugfix: Add parts of Steve Grubb's resource leak and other fixes
-rw-r--r--CHANGELOG5
-rw-r--r--libpam/include/security/_pam_types.h2
-rw-r--r--libpam/pam_env.c5
-rw-r--r--libpam/pam_handlers.c2
-rw-r--r--libpam/pam_private.h8
-rw-r--r--modules/pam_access/pam_access.c62
-rw-r--r--modules/pam_cracklib/pam_cracklib.c48
-rw-r--r--modules/pam_debug/pam_debug.c4
-rw-r--r--modules/pam_env/pam_env.c23
-rw-r--r--modules/pam_pwdb/support.-c2
-rw-r--r--modules/pam_unix/support.c2
11 files changed, 86 insertions, 77 deletions
diff --git a/CHANGELOG b/CHANGELOG
index b4ea04b9..8a2092d8 100644
--- a/CHANGELOG
+++ b/CHANGELOG
@@ -101,7 +101,10 @@ BerliOS Bugs are marked with (BerliOS #XXXX).
* ldconfig: Only run full ldconfig, if we don't install into a FAKEROOT
environment, else let ldconfig only create the symlinks correct
(from Linux distributors - kukuk)
-
+* pam_unix/pam_pwdb: Use SIG_DFL instead of SIG_IGN for SIGCHLD
+ (from Linux distributors - kukuk)
+* Add parts of the first chunk of Steve Grubb's resource leak and
+ other fixes (from Linux distributors - kukuk)
0.77: Mon Sep 23 10:25:42 PDT 2002
diff --git a/libpam/include/security/_pam_types.h b/libpam/include/security/_pam_types.h
index 871bfbf2..70f6d6ab 100644
--- a/libpam/include/security/_pam_types.h
+++ b/libpam/include/security/_pam_types.h
@@ -76,7 +76,7 @@ typedef struct pam_handle pam_handle_t;
#define PAM_AUTHTOK_LOCK_BUSY 22 /* Authentication token lock busy */
#define PAM_AUTHTOK_DISABLE_AGING 23 /* Authentication token aging disabled */
#define PAM_TRY_AGAIN 24 /* Preliminary check by password service */
-#define PAM_IGNORE 25 /* Ingore underlying account module */
+#define PAM_IGNORE 25 /* Ignore underlying account module */
/* regardless of whether the control */
/* flag is required, optional, or sufficient */
#define PAM_ABORT 26 /* Critical error (?module fail now request) */
diff --git a/libpam/pam_env.c b/libpam/pam_env.c
index d5a26ccb..ae1ddf2e 100644
--- a/libpam/pam_env.c
+++ b/libpam/pam_env.c
@@ -75,7 +75,7 @@ int _pam_make_env(pam_handle_t *pamh)
/*
* fill entries in pamh->env
*/
-
+
pamh->env->entries = PAM_ENV_CHUNK;
pamh->env->requested = 1;
pamh->env->list[0] = NULL;
@@ -223,7 +223,7 @@ int pam_putenv(pam_handle_t *pamh, const char *name_value)
/* add a new NULL entry at end; increase counter */
pamh->env->list[pamh->env->requested++] = NULL;
-
+
} else { /* replace old */
D(("replacing item: %s\n with: %s"
, pamh->env->list[item], name_value));
@@ -344,6 +344,7 @@ static char **_copy_env(pam_handle_t *pamh)
_pam_overwrite(dump[i]);
_pam_drop(dump[i]);
}
+ __pam_drop(dump);
return NULL;
}
}
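Review bot: The added cleanup call is spelled `__pam_drop(dump);` with two leading underscores, while the two lines directly above it use `_pam_overwrite` and `_pam_drop`. Unless a `__pam_drop` macro is defined somewhere outside this diff, the out-of-memory path will not build, and identifiers starting with a double underscore are reserved for the implementation in any case. The line should read `_pam_drop(dump);` so the array itself is released after its entries. `_copy_env` starts and ends outside the hunk.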
diff --git a/libpam/pam_handlers.c b/libpam/pam_handlers.c
index e84d0d03..90c0968a 100644
--- a/libpam/pam_handlers.c
+++ b/libpam/pam_handlers.c
@@ -686,7 +686,7 @@ int _pam_add_handler(pam_handle_t *pamh
/* indicate its name - later we will search for it by this */
if ((mod->name = _pam_strdup(mod_path)) == NULL) {
D(("_pam_handler: couldn't get memory for mod_path"));
- _pam_system_log(LOG_ERR, "no memory for module path", mod_path);
+ _pam_system_log(LOG_ERR, "no memory for module path");
success = PAM_ABORT;
}
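Review bot: Dropping the stray `mod_path` argument fixes the format/argument mismatch, but the log line no longer says which module could not be recorded. Provided `mod_path` cannot be NULL at this point (not visible here), `_pam_system_log(LOG_ERR, "no memory for module path %s", mod_path);` would keep format and arguments matched and make the failure traceable. `_pam_add_handler` continues outside the hunk.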
diff --git a/libpam/pam_private.h b/libpam/pam_private.h
index 7afc4fa7..1fbd9812 100644
--- a/libpam/pam_private.h
+++ b/libpam/pam_private.h
@@ -250,7 +250,13 @@ void _pam_set_default_control(int *control_array, int default_action);
void _pam_parse_control(int *control_array, char *tok);
-void _pam_system_log(int priority, const char *format, ... );
+void _pam_system_log(int priority, const char *format, ... )
+#ifdef __GNUC__
+ __attribute__ ((format (printf, 2, 3)));
+#else
+ ;
+#endif
+
#define _PAM_SYSTEM_LOG_PREFIX "PAM "
/*
diff --git a/modules/pam_access/pam_access.c b/modules/pam_access/pam_access.c
index 854b1506..031b94ba 100644
--- a/modules/pam_access/pam_access.c
+++ b/modules/pam_access/pam_access.c
@@ -5,23 +5,23 @@
* (I took login_access from logdaemon-5.6 and converted it to PAM
* using parts of pam_time code.)
*
- ************************************************************************
+ ************************************************************************
* Copyright message from logdaemon-5.6 (original file name DISCLAIMER)
- ************************************************************************
- * Copyright 1995 by Wietse Venema. All rights reserved. Individual files
- * may be covered by other copyrights (as noted in the file itself.)
- *
- * This material was originally written and compiled by Wietse Venema at
- * Eindhoven University of Technology, The Netherlands, in 1990, 1991,
- * 1992, 1993, 1994 and 1995.
- *
- * Redistribution and use in source and binary forms are permitted
- * provided that this entire copyright notice is duplicated in all such
- * copies.
- *
- * This software is provided "as is" and without any expressed or implied
- * warranties, including, without limitation, the implied warranties of
- * merchantibility and fitness for any particular purpose.
+ ************************************************************************
+ * Copyright 1995 by Wietse Venema. All rights reserved. Individual files
+ * may be covered by other copyrights (as noted in the file itself.)
+ *
+ * This material was originally written and compiled by Wietse Venema at
+ * Eindhoven University of Technology, The Netherlands, in 1990, 1991,
+ * 1992, 1993, 1994 and 1995.
+ *
+ * Redistribution and use in source and binary forms are permitted
+ * provided that this entire copyright notice is duplicated in all such
+ * copies.
+ *
+ * This software is provided "as is" and without any expressed or implied
+ * warranties, including, without limitation, the implied warranties of
+ * merchantibility and fitness for any particular purpose.
*************************************************************************
*/
@@ -60,8 +60,6 @@
#include <security/_pam_macros.h>
#include <security/pam_modules.h>
-int strcasecmp(const char *s1, const char *s2);
-
/* login_access.c from logdaemon-5.6 with several changes by A.Nogin: */
/*
@@ -69,7 +67,7 @@ int strcasecmp(const char *s1, const char *s2);
* control based on login names and on host (or domain) names, internet
* addresses (or network numbers), or on terminal line names in case of
* non-networked logins. Diagnostics are reported through syslog(3).
- *
+ *
* Author: Wietse Venema, Eindhoven University of Technology, The Netherlands.
*/
@@ -141,16 +139,16 @@ static int parse_args(struct login_info *loginfo, int argc, const char **argv)
, loginfo->service, 11 + argv[i]);
return 0;
}
-
+
} else {
_log_err("unrecognized option [%s]", argv[i]);
}
}
-
+
return 1; /* OK */
}
-typedef int match_func (char *, struct login_info *);
+typedef int match_func (char *, struct login_info *);
static int list_match (char *, struct login_info *,
match_func *);
@@ -213,6 +211,7 @@ static int login_access(struct login_info *item)
(void) fclose(fp);
} else if (errno != ENOENT) {
_log_err("cannot open %s: %m", item->config_file);
+ return NO;
}
return (match == 0 || (line[0] == '+'));
}
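Review bot: Only the non-ENOENT open failure now denies access; when the access table is missing altogether, control still falls through to `return (match == 0 || (line[0] == '+'));`. If `match` is still 0 on that path (its initialisation is outside the hunk), a deleted or mistyped config file lets every login through, which is the opposite of what the new `return NO;` does for an unreadable one. If that fail-open behaviour is intended, a comment on the `else if` such as `/* a missing table means no restrictions; any other open error denies */` would make the asymmetry explicit. `login_access` starts outside the hunk.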
@@ -254,9 +253,11 @@ static char * myhostname(void)
{
static char name[MAXHOSTNAMELEN + 1];
- gethostname(name, MAXHOSTNAMELEN);
- name[MAXHOSTNAMELEN] = 0;
- return (name);
+ if (gethostname(name, MAXHOSTNAMELEN) == 0) {
+ name[MAXHOSTNAMELEN] = 0;
+ return (name);
+ }
+ return NULL;
}
/* netgroup_match - match group against machine or user */
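Review bot: `myhostname()` can now return NULL, but nothing records why: the failure branch returns without logging, and the caller patched in the next hunk turns it into a silent `NO`. A `_log_err("gethostname failed: %m");` before `return NULL;` would leave a trace when a user@host rule is rejected for this reason. A one-line comment above the function should also state that callers must check for NULL. Any caller other than the `user_match` one in the next hunk is outside this diff and needs the same check.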
@@ -290,6 +291,8 @@ static int user_match(char *tok, struct login_info *item)
if ((at = strchr(tok + 1, '@')) != 0) { /* split user@host pattern */
*at = 0;
fake_item.from = myhostname();
+ if (fake_item.from == NULL)
+ return NO;
return (user_match(tok, item) && from_match(at + 1, &fake_item));
} else if (tok[0] == '@') { /* netgroup */
return (netgroup_match(tok + 1, (char *) 0, string));
@@ -386,14 +389,6 @@ static int string_match(char *tok, char *string)
return (NO);
}
-/* end of login_access.c */
-
-int strcasecmp(const char *s1, const char *s2)
-{
- while ((toupper(*s1)==toupper(*s2)) && (*s1) && (*s2)) {s1++; s2++;}
- return(toupper(*s1)-toupper(*s2));
-}
-
/* --- public account management functions --- */
PAM_EXTERN int pam_sm_acct_mgmt(pam_handle_t *pamh,int flags,int argc
@@ -490,4 +485,3 @@ struct pam_module _pam_access_modstruct = {
NULL
};
#endif
-
diff --git a/modules/pam_cracklib/pam_cracklib.c b/modules/pam_cracklib/pam_cracklib.c
index 84eae9fb..5ddf7f2c 100644
--- a/modules/pam_cracklib/pam_cracklib.c
+++ b/modules/pam_cracklib/pam_cracklib.c
@@ -77,7 +77,7 @@ extern char *FascistCheck(char *pw, const char *dictpath);
#include <security/pam_modules.h>
#include <security/_pam_macros.h>
-#ifndef LINUX_PAM
+#ifndef LINUX_PAM
#include <security/pam_appl.h>
#endif /* LINUX_PAM */
@@ -186,11 +186,11 @@ static int converse(pam_handle_t *pamh, int ctrl, int nargs,
struct pam_response **response)
{
int retval;
- struct pam_conv *conv;
+ struct pam_conv *conv = NULL;
- retval = pam_get_item(pamh, PAM_CONV, (const void **) &conv);
+ retval = pam_get_item(pamh, PAM_CONV, (const void **) &conv);
- if ( retval == PAM_SUCCESS ) {
+ if ( retval == PAM_SUCCESS && conv ) {
retval = conv->conv(nargs, (const struct pam_message **)message,
response, conv->appdata_ptr);
if (retval != PAM_SUCCESS && (ctrl && PAM_DEBUG_ARG)) {
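Review bot: The context line `if (retval != PAM_SUCCESS && (ctrl && PAM_DEBUG_ARG))` uses logical `&&` where a bit test is meant, so the debug branch runs whenever `ctrl` is non-zero (assuming `PAM_DEBUG_ARG` is a non-zero flag). The same `ctrl && PAM_DEBUG_ARG` appears in the `_pam_unix_approve_pass` hunks further down, while one line there already uses `ctrl & PAM_DEBUG_ARG`; all of them should read `(ctrl & PAM_DEBUG_ARG)`. Separately, the new guard checks `conv` but still calls through `conv->conv` unchecked; `retval == PAM_SUCCESS && conv && conv->conv` would also cover an application that registered an empty conversation structure. `converse` continues in the next hunk.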
@@ -199,7 +199,9 @@ static int converse(pam_handle_t *pamh, int ctrl, int nargs,
}
} else {
_pam_log(LOG_ERR, "couldn't obtain coversation function [%s]",
- pam_strerror(pamh, retval));
+ pam_strerror(pamh, retval));
+ if ( retval == PAM_SUCCESS )
+ retval = PAM_BAD_ITEM; /* conv was NULL */
}
return retval; /* propagate error status */
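Review bot: The `_pam_log` call runs before `retval` is replaced, so when `pam_get_item` succeeded but `conv` was NULL the message is built from `pam_strerror(pamh, retval)` with `retval == PAM_SUCCESS`. The log then reports a failure with a success string. Moving the added `if ( retval == PAM_SUCCESS ) retval = PAM_BAD_ITEM;` above the `_pam_log` call makes the logged reason match the returned code. The function begins in the previous hunk.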
@@ -389,17 +391,17 @@ static int simple(struct cracklib_options *opt,
size -= digits;
else if (digits < opt->dig_credit * -1)
return 1;
-
+
if (opt->up_credit >= 0)
size -= uppers;
else if (uppers < opt->up_credit * -1)
return 1;
-
+
if (opt->low_credit >= 0)
size -= lowers;
else if (lowers < opt->low_credit * -1)
return 1;
-
+
if (opt->oth_credit >= 0)
size -= others;
else if (others < opt->oth_credit * -1)
@@ -507,7 +509,7 @@ static int _pam_unix_approve_pass(pam_handle_t *pamh,
const char *msg = NULL;
const char *user;
int retval;
-
+
if (pass_new == NULL || (pass_old && !strcmp(pass_old,pass_new))) {
if (ctrl && PAM_DEBUG_ARG)
_pam_log(LOG_DEBUG, "bad authentication token");
@@ -524,7 +526,7 @@ static int _pam_unix_approve_pass(pam_handle_t *pamh,
msg = password_check(opt, pass_old,pass_new);
if (!msg) {
retval = pam_get_item(pamh, PAM_USER, (const void **)&user);
- if (retval != PAM_SUCCESS) {
+ if (retval != PAM_SUCCESS || user == NULL) {
if (ctrl & PAM_DEBUG_ARG) {
_pam_log(LOG_ERR,"Can not get username");
return PAM_AUTHTOK_ERR;
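Review bot: As far as the hunk shows, `return PAM_AUTHTOK_ERR;` sits inside the `if (ctrl & PAM_DEBUG_ARG)` block, so the new `user == NULL` test only stops the function when debugging is enabled. The closing braces are outside the hunk, so this needs confirming, but if so a NULL `user` still reaches the code that follows in normal operation. The return belongs to the outer `if`: log under the debug flag, then `return PAM_AUTHTOK_ERR;` unconditionally.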
@@ -535,7 +537,7 @@ static int _pam_unix_approve_pass(pam_handle_t *pamh,
if (msg) {
char remark[BUFSIZ];
-
+
memset(remark,0,sizeof(remark));
snprintf(remark,sizeof(remark),"BAD PASSWORD: %s",msg);
if (ctrl && PAM_DEBUG_ARG)
@@ -543,12 +545,12 @@ static int _pam_unix_approve_pass(pam_handle_t *pamh,
msg);
make_remark(pamh, ctrl, PAM_ERROR_MSG, remark);
return PAM_AUTHTOK_ERR;
- };
+ };
return PAM_SUCCESS;
-
+
}
-/* The Main Thing (by Cristian Gafton, CEO at this module :-)
+/* The Main Thing (by Cristian Gafton, CEO at this module :-)
* (stolen from http://home.netscape.com)
*/
PAM_EXTERN int pam_sm_chauthtok(pam_handle_t *pamh, int flags,
@@ -575,7 +577,7 @@ PAM_EXTERN int pam_sm_chauthtok(pam_handle_t *pamh, int flags,
ctrl = _pam_parse(&options, argc, argv);
if (flags & PAM_PRELIM_CHECK) {
- /* Check for passwd dictionary */
+ /* Check for passwd dictionary */
struct stat st;
char buf[sizeof(CRACKLIB_DICTPATH)+10];
@@ -592,7 +594,7 @@ PAM_EXTERN int pam_sm_chauthtok(pam_handle_t *pamh, int flags,
CRACKLIB_DICTPATH);
return PAM_ABORT;
}
-
+
/* Not reached */
return PAM_SERVICE_ERR;
@@ -614,12 +616,12 @@ PAM_EXTERN int pam_sm_chauthtok(pam_handle_t *pamh, int flags,
retval = PAM_SUCCESS;
}
- do {
+ do {
/*
* make sure nothing inappropriate gets returned
*/
token1 = token2 = NULL;
-
+
if (!options.retry_times) {
D(("returning %s because maxtries reached",
pam_strerror(pamh, retval)));
@@ -629,7 +631,7 @@ PAM_EXTERN int pam_sm_chauthtok(pam_handle_t *pamh, int flags,
/* Planned modus operandi:
* Get a passwd.
* Verify it against cracklib.
- * If okay get it a second time.
+ * If okay get it a second time.
* Check to be the same with the first one.
* set PAM_AUTHTOK and return
*/
@@ -692,7 +694,7 @@ PAM_EXTERN int pam_sm_chauthtok(pam_handle_t *pamh, int flags,
{
char *crack_msg;
char remark[BUFSIZ];
-
+
bzero(remark,sizeof(remark));
D(("against cracklib"));
if ((crack_msg = FascistCheck(token1, cracklib_dictpath))) {
@@ -780,7 +782,7 @@ PAM_EXTERN int pam_sm_chauthtok(pam_handle_t *pamh, int flags,
retval = PAM_AUTHTOK_RECOVER_ERR;
continue;
}
-
+
/* Yes, the password was typed correct twice
* we store this password as an item
*/
@@ -805,7 +807,7 @@ PAM_EXTERN int pam_sm_chauthtok(pam_handle_t *pamh, int flags,
return PAM_SUCCESS;
}
}
-
+
} while (options.retry_times--);
} else {
@@ -815,7 +817,7 @@ PAM_EXTERN int pam_sm_chauthtok(pam_handle_t *pamh, int flags,
}
/* Not reached */
- return PAM_SERVICE_ERR;
+ return PAM_SERVICE_ERR;
}
diff --git a/modules/pam_debug/pam_debug.c b/modules/pam_debug/pam_debug.c
index 152b977c..a6f3538c 100644
--- a/modules/pam_debug/pam_debug.c
+++ b/modules/pam_debug/pam_debug.c
@@ -102,7 +102,9 @@ int pam_sm_authenticate(pam_handle_t *pamh, int flags, int argc,
}
if (user == NULL || *user == '\0') {
D(("username not known"));
- pam_set_item(pamh, PAM_USER, (const void *) DEFAULT_USER);
+ retval = pam_set_item(pamh, PAM_USER, (const void *) DEFAULT_USER);
+ if (retval != PAM_SUCCESS)
+ return retval;
}
user = NULL; /* clean up */
diff --git a/modules/pam_env/pam_env.c b/modules/pam_env/pam_env.c
index ba04c15e..2c93ebab 100644
--- a/modules/pam_env/pam_env.c
+++ b/modules/pam_env/pam_env.c
@@ -13,7 +13,7 @@
#endif
#define DEFAULT_ETC_ENVFILE "/etc/environment"
-#define DEFAULT_READ_ENVFILE 1
+#define DEFAULT_READ_ENVFILE 0
#include <security/_pam_aconf.h>
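Review bot: Flipping `DEFAULT_READ_ENVFILE` from 1 to 0 changes the module's default behaviour, yet neither the commit summary nor the CHANGELOG hunk mentions it. Judging by the `readenv` tests in `pam_sm_setcred` and `pam_sm_open_session` later in this diff (how `readenv` is initialised is not shown), configurations that rely on the default would stop getting variables from `DEFAULT_ETC_ENVFILE` after upgrading. If the change is deliberate it deserves its own CHANGELOG entry and a comment on the define, e.g. `/* env file is read only when explicitly requested */`; if not, it should be dropped from this commit.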
@@ -165,8 +165,8 @@ static int _parse_config_file(pam_handle_t *pamh, int ctrl, char **conffile)
return PAM_IGNORE;
}
- /* _pam_assemble_line will provide a complete line from the config file, with all
- * comments removed and any escaped newlines fixed up
+ /* _pam_assemble_line will provide a complete line from the config file,
+ * with all comments removed and any escaped newlines fixed up
*/
while (( retval = _assemble_line(conf, buffer, BUF_SIZE)) > 0) {
@@ -192,12 +192,13 @@ static int _parse_config_file(pam_handle_t *pamh, int ctrl, char **conffile)
(void) fclose(conf);
/* tidy up */
- _clean_var(var); /* We could have got here prematurely, this is safe though */
+ _clean_var(var); /* We could have got here prematurely,
+ * this is safe though */
_pam_overwrite(*conffile);
_pam_drop(*conffile);
file = NULL;
D(("Exit."));
- return (retval<0?PAM_ABORT:PAM_SUCCESS);
+ return (retval != 0 ? PAM_ABORT : PAM_SUCCESS);
}
static int _parse_env_file(pam_handle_t *pamh, int ctrl, char **env_file)
@@ -231,7 +232,7 @@ static int _parse_env_file(pam_handle_t *pamh, int ctrl, char **env_file)
continue;
/* skip over "export " if present so we can be compat with
- bash type declerations */
+ bash type declarations */
if (strncmp(key, "export ", (size_t) 7) == 0)
key += 7;
@@ -279,7 +280,7 @@ static int _parse_env_file(pam_handle_t *pamh, int ctrl, char **env_file)
_pam_drop(*env_file);
file = NULL;
D(("Exit."));
- return (retval<0?PAM_IGNORE:PAM_SUCCESS);
+ return (retval != 0 ? PAM_IGNORE : PAM_SUCCESS);
}
/*
@@ -765,8 +766,8 @@ int pam_sm_setcred(pam_handle_t *pamh, int flags, int argc,
retval = _parse_config_file(pamh, ctrl, &conf_file);
- if(readenv)
- _parse_env_file(pamh, ctrl, &env_file);
+ if(readenv && retval == PAM_SUCCESS)
+ retval = _parse_env_file(pamh, ctrl, &env_file);
/* indicate success or failure */
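Review bot: `retval` is now overwritten with the result of `_parse_env_file`, which per its changed return statement yields `PAM_IGNORE` for any non-zero internal status. A problem while reading the env file therefore makes the whole call return `PAM_IGNORE` even though the config file parsed successfully; what sets that status is outside the hunks. If that is intended, say so in a comment above the call, e.g. `/* env file problems downgrade the result to PAM_IGNORE */`. The identical two-line change in `pam_sm_open_session` in the next hunk needs the same comment, and the duplicated parse sequence would be easier to keep consistent in one static helper. Both functions extend beyond their hunks.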
@@ -798,8 +799,8 @@ int pam_sm_open_session(pam_handle_t *pamh,int flags,int argc
retval = _parse_config_file(pamh, ctrl, &conf_file);
- if(readenv)
- _parse_env_file(pamh, ctrl, &env_file);
+ if(readenv && retval == PAM_SUCCESS)
+ retval = _parse_env_file(pamh, ctrl, &env_file);
/* indicate success or failure */
diff --git a/modules/pam_pwdb/support.-c b/modules/pam_pwdb/support.-c
index 96f34609..45867ce8 100644
--- a/modules/pam_pwdb/support.-c
+++ b/modules/pam_pwdb/support.-c
@@ -370,7 +370,7 @@ static int pwdb_run_helper_binary(pam_handle_t *pamh, const char *passwd,
* The "noreap" module argument is provided so that the admin can
* override this behavior.
*/
- sighandler = signal(SIGCHLD, SIG_IGN);
+ sighandler = signal(SIGCHLD, SIG_DFL);
}
/* fork */
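Review bot: `signal(SIGCHLD, SIG_DFL)` replaces the calling application's SIGCHLD disposition for the duration of the helper run, and the hunk does not show where `sighandler` is restored. It is worth confirming in the code below the hunk that every exit path, including a failed fork, puts the saved handler back, since this runs inside the application's process. The comment above the call (only its tail is visible) should also state why the default disposition is needed — presumably so the helper's exit status can be collected rather than auto-reaped — because the change from `SIG_IGN` is otherwise easy to revert by mistake. The same one-line change is made in `modules/pam_unix/support.c`.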
diff --git a/modules/pam_unix/support.c b/modules/pam_unix/support.c
index 5486e12f..3b1feb96 100644
--- a/modules/pam_unix/support.c
+++ b/modules/pam_unix/support.c
@@ -424,7 +424,7 @@ static int _unix_run_helper_binary(pam_handle_t *pamh, const char *passwd,
* The "noreap" module argument is provided so that the admin can
* override this behavior.
*/
- sighandler = signal(SIGCHLD, SIG_IGN);
+ sighandler = signal(SIGCHLD, SIG_DFL);
}
/* fork */