diff options
| author | Steve Langasek <steve.langasek@ubuntu.com> | 2019-01-03 15:43:05 -0800 |
|---|---|---|
| committer | Steve Langasek <steve.langasek@ubuntu.com> | 2019-01-03 15:44:43 -0800 |
| commit | 9a4298687784e7812c8aeef6e0e97830febbf393 (patch) | |
| tree | 45942549c91c2ae3cb6b58aa5df40b9e121f908a /Linux-PAM/modules | |
| parent | d5b06b67bbeeed7c05c0eb2e05d6a972ad050d1c (diff) | |
| parent | 9bc383eeb9d9f5976645cb4c4850a8d36b2bd7da (diff) | |
New upstream version 0.99.8.1
Diffstat (limited to 'Linux-PAM/modules')
41 files changed, 1668 insertions, 841 deletions
diff --git a/Linux-PAM/modules/pam_access/README b/Linux-PAM/modules/pam_access/README index c3561da0..a3adcc8f 100644 --- a/Linux-PAM/modules/pam_access/README +++ b/Linux-PAM/modules/pam_access/README @@ -45,6 +45,11 @@ listsep=separators information obtained from a Windows domain, where the default built-in groups "Domain Users", "Domain Admins" contain a space. +nodefgroup + + The group database will not be used for tokens not identified as account + name. + EXAMPLES These are some example lines which might be specified in /etc/security/ @@ -97,6 +102,11 @@ User john should get access from IPv6 net/mask. + : john : 2001:4ca0:0:101::/64 +Disallow console logins to all but the shutdown, sync and all other accounts, +which are a member of the wheel group. + +-:ALL EXCEPT (wheel) shutdown sync:LOCAL + All other users should be denied to get access from all sources. - : ALL : ALL diff --git a/Linux-PAM/modules/pam_access/access.conf b/Linux-PAM/modules/pam_access/access.conf index b22f1d43..74c5fbe8 100644 --- a/Linux-PAM/modules/pam_access/access.conf +++ b/Linux-PAM/modules/pam_access/access.conf @@ -1,14 +1,14 @@ # Login access control table. -# +# # Comment line must start with "#", no space at front. # Order of lines is important. # # When someone logs in, the table is scanned for the first entry that # matches the (user, host) combination, or, in case of non-networked # logins, the first entry that matches the (user, tty) combination. The -# permissions field of that table entry determines whether the login will +# permissions field of that table entry determines whether the login will # be accepted or refused. -# +# # Format of the login access control table is three fields separated by a # ":" character: # @@ -17,11 +17,11 @@ # '|'. This is useful for configurations where you are trying to use # pam_access with X applications that provide PAM_TTY values that are # the display variable like "host:0".] -# +# # permission : users : origins -# +# # The first field should be a "+" (access granted) or "-" (access denied) -# character. +# character. # # The second field should be a list of one or more login names, group # names, or ALL (always matches). A pattern of the form user@host is @@ -42,20 +42,28 @@ # The group file is searched only when a name does not match that of the # logged-in user. Both the user's primary group is matched, as well as # groups in which users are explicitly listed. +# To avoid problems with accounts, which have the same name as a group, +# you can use brackets around group names '(group)' to differentiate. +# In this case, you should also set the "nodefgroup" option. # # TTY NAMES: Must be in the form returned by ttyname(3) less the initial # "/dev" (e.g. tty1 or vc/1) # ############################################################################## -# +# # Disallow non-root logins on tty1 # #-:ALL EXCEPT root:tty1 -# +# # Disallow console logins to all but a few accounts. # #-:ALL EXCEPT wheel shutdown sync:LOCAL # +# Same, but make sure that really the group wheel and not the user +# wheel is used (use nodefgroup argument, too): +# +#-:ALL EXCEPT (wheel) shutdown sync:LOCAL +# # Disallow non-local logins to privileged accounts (group wheel). # #-:wheel:ALL EXCEPT LOCAL .win.tue.nl @@ -87,7 +95,7 @@ # Uses string matching also. #+ : root : .foo.bar.org # -# User "root" should be denied to get access from all other sources. +# User "root" should be denied to get access from all other sources. #- : root : ALL # # User "foo" and members of netgroup "nis_group" should be @@ -111,4 +119,4 @@ #+ : john : 2001:4ca0:0:101::/64 # # All other users should be denied to get access from all sources. -#- : ALL : ALL +#- : ALL : ALL diff --git a/Linux-PAM/modules/pam_access/access.conf.5 b/Linux-PAM/modules/pam_access/access.conf.5 index 43cc4fce..fcd33bb4 100644 --- a/Linux-PAM/modules/pam_access/access.conf.5 +++ b/Linux-PAM/modules/pam_access/access.conf.5 @@ -1,11 +1,11 @@ .\" Title: access.conf .\" Author: -.\" Generator: DocBook XSL Stylesheets v1.70.1 <http://docbook.sf.net/> -.\" Date: 06/21/2006 +.\" Generator: DocBook XSL Stylesheets v1.71.1 <http://docbook.sf.net/> +.\" Date: 06/22/2007 .\" Manual: Linux\-PAM Manual .\" Source: Linux\-PAM Manual .\" -.TH "ACCESS.CONF" "5" "06/21/2006" "Linux\-PAM Manual" "Linux\-PAM Manual" +.TH "ACCESS.CONF" "5" "06/22/2007" "Linux\-PAM Manual" "Linux\-PAM Manual" .\" disable hyphenation .nh .\" disable justification (adjust text to left margin only) @@ -16,32 +16,33 @@ access.conf \- the login access control table file .PP The \fI/etc/security/access.conf\fR -file specifies (\fIuser\fR, -\fIhost\fR), (\fIuser\fR, -\fInetwork/netmask\fR) or (\fIuser\fR, +file specifies (\fIuser/group\fR, +\fIhost\fR), (\fIuser/group\fR, +\fInetwork/netmask\fR) or (\fIuser/group\fR, \fItty\fR) combinations for which a login will be either accepted or refused. .PP When someone logs in, the file \fIaccess.conf\fR -is scanned for the first entry that matches the (\fIuser\fR, -\fIhost\fR) or (\fIuser\fR, -\fInetwork/netmask\fR) combination, or, in case of non\-networked logins, the first entry that matches the (\fIuser\fR, +is scanned for the first entry that matches the (\fIuser/group\fR, +\fIhost\fR) or (\fIuser/group\fR, +\fInetwork/netmask\fR) combination, or, in case of non\-networked logins, the first entry that matches the (\fIuser/group\fR, \fItty\fR) combination. The permissions field of that table entry determines whether the login will be accepted or refused. .PP Each line of the login access control table has three fields separated by a ":" character (colon): .PP -\fIpermission\fR:\fIusers\fR:\fIorigins\fR +\fIpermission\fR:\fIusers/groups\fR:\fIorigins\fR .PP The first field, the \fIpermission\fR field, can be either a "\fI+\fR" character (plus) for access granted or a "\fI\-\fR" character (minus) for access denied. .PP The second field, the -\fIusers\fR +\fIusers\fR/\fIgroup\fR field, should be a list of one or more login names, group names, or \fIALL\fR -(which always matches). +(which always matches). To differentiate user entries from group entries, group entries should be written with brackets, e.g. +\fI(group)\fR. .PP The third field, the \fIorigins\fR @@ -54,10 +55,12 @@ field, should be a list of one or more tty names (for non\-networked logins), ho in host or user patterns. .PP The -\fIexcept\fR +\fIEXCEPT\fR operator makes it possible to write very compact rules. .PP -The group file is searched only when a name does not match that of the logged\-in user. Only groups are matched in which users are explicitly listed. However the PAM module does not look at the primary group id of a user. +If the +\fBnodefgroup\fR +is not set, the group file is searched when a name does not match that of the logged\-in user. Only groups are matched in which users are explicitly listed. However the PAM module does not look at the primary group id of a user. .PP The "\fI#\fR" character at start of line (no space at front) can be used to mark this line as a comment line. .SH "EXAMPLES" @@ -143,6 +146,10 @@ should get access from IPv6 net/mask. .PP + : john : 2001:4ca0:0:101::/64 .PP +Disallow console logins to all but the shutdown, sync and all other accounts, which are a member of the wheel group. +.PP +\-:ALL EXCEPT (wheel) shutdown sync:LOCAL +.PP All other users should be denied to get access from all sources. .PP \- : ALL : ALL diff --git a/Linux-PAM/modules/pam_access/access.conf.5.xml b/Linux-PAM/modules/pam_access/access.conf.5.xml index 492f995d..f8eb7a4e 100644 --- a/Linux-PAM/modules/pam_access/access.conf.5.xml +++ b/Linux-PAM/modules/pam_access/access.conf.5.xml @@ -20,19 +20,19 @@ <title>DESCRIPTION</title> <para> The <filename>/etc/security/access.conf</filename> file specifies - (<replaceable>user</replaceable>, <replaceable>host</replaceable>), - (<replaceable>user</replaceable>, <replaceable>network/netmask</replaceable>) or - (<replaceable>user</replaceable>, <replaceable>tty</replaceable>) + (<replaceable>user/group</replaceable>, <replaceable>host</replaceable>), + (<replaceable>user/group</replaceable>, <replaceable>network/netmask</replaceable>) or + (<replaceable>user/group</replaceable>, <replaceable>tty</replaceable>) combinations for which a login will be either accepted or refused. </para> <para> When someone logs in, the file <filename>access.conf</filename> is scanned for the first entry that matches the - (<replaceable>user</replaceable>, <replaceable>host</replaceable>) or - (<replaceable>user</replaceable>, <replaceable>network/netmask</replaceable>) + (<replaceable>user/group</replaceable>, <replaceable>host</replaceable>) or + (<replaceable>user/group</replaceable>, <replaceable>network/netmask</replaceable>) combination, or, in case of non-networked logins, the first entry that matches the - (<replaceable>user</replaceable>, <replaceable>tty</replaceable>) + (<replaceable>user/group</replaceable>, <replaceable>tty</replaceable>) combination. The permissions field of that table entry determines whether the login will be accepted or refused. </para> @@ -43,7 +43,7 @@ </para> <para> - <replaceable>permission</replaceable>:<replaceable>users</replaceable>:<replaceable>origins</replaceable> + <replaceable>permission</replaceable>:<replaceable>users/groups</replaceable>:<replaceable>origins</replaceable> </para> @@ -54,9 +54,12 @@ </para> <para> - The second field, the <replaceable>users</replaceable> + The second field, the + <replaceable>users</replaceable>/<replaceable>group</replaceable> field, should be a list of one or more login names, group names, or - <emphasis>ALL</emphasis> (which always matches). + <emphasis>ALL</emphasis> (which always matches). To differentiate + user entries from group entries, group entries should be written + with brackets, e.g. <emphasis>(group)</emphasis>. </para> <para> @@ -72,15 +75,15 @@ </para> <para> - The <replaceable>except</replaceable> operator makes it possible to + The <replaceable>EXCEPT</replaceable> operator makes it possible to write very compact rules. </para> <para> - The group file is searched only when a name does not match that of - the logged-in user. Only groups are matched in which users are - explicitly listed. However the PAM module does not look at the - primary group id of a user. + If the <option>nodefgroup</option> is not set, the group file + is searched when a name does not match that of the logged-in + user. Only groups are matched in which users are explicitly listed. + However the PAM module does not look at the primary group id of a user. </para> @@ -163,6 +166,12 @@ <para>+ : john : 2001:4ca0:0:101::/64</para> <para> + Disallow console logins to all but the shutdown, sync and all + other accounts, which are a member of the wheel group. + </para> + <para>-:ALL EXCEPT (wheel) shutdown sync:LOCAL</para> + + <para> All other users should be denied to get access from all sources. </para> <para>- : ALL : ALL</para> diff --git a/Linux-PAM/modules/pam_access/pam_access.8 b/Linux-PAM/modules/pam_access/pam_access.8 index b613e323..ca8cc5b0 100644 --- a/Linux-PAM/modules/pam_access/pam_access.8 +++ b/Linux-PAM/modules/pam_access/pam_access.8 @@ -1,11 +1,11 @@ .\" Title: pam_access .\" Author: -.\" Generator: DocBook XSL Stylesheets vsnapshot_2006\-08\-24_0226 <http://docbook.sf.net/> -.\" Date: 08/31/2006 +.\" Generator: DocBook XSL Stylesheets v1.71.1 <http://docbook.sf.net/> +.\" Date: 06/22/2007 .\" Manual: Linux\-PAM Manual .\" Source: Linux\-PAM Manual .\" -.TH "PAM_ACCESS" "8" "08/31/2006" "Linux\-PAM Manual" "Linux\-PAM Manual" +.TH "PAM_ACCESS" "8" "06/22/2007" "Linux\-PAM Manual" "Linux\-PAM Manual" .\" disable hyphenation .nh .\" disable justification (adjust text to left margin only) @@ -14,7 +14,7 @@ pam_access \- PAM module for logdaemon style login access control .SH "SYNOPSIS" .HP 14 -\fBpam_access.so\fR [debug] [accessfile=\fIfile\fR] [fieldsep=\fIsep\fR] [listsep=\fIsep\fR] +\fBpam_access.so\fR [debug] [nodefgroup] [accessfile=\fIfile\fR] [fieldsep=\fIsep\fR] [listsep=\fIsep\fR] .SH "DESCRIPTION" .PP The pam_access PAM module is mainly for access management. It provides logdaemon style login access control based on login names, host or domain names, internet addresses or network numbers, or on terminal line names in case of non\-networked logins. @@ -23,52 +23,77 @@ By default rules for access management are taken from config file \fI/etc/security/access.conf\fR if you don't specify another file. .SH "OPTIONS" -.TP 3n +.PP \fBaccessfile=\fR\fB\fI/path/to/access.conf\fR\fR +.RS 4 Indicate an alternative \fIaccess.conf\fR style configuration file to override the default. This can be useful when different services need different access lists. -.TP 3n +.RE +.PP \fBdebug\fR +.RS 4 A lot of debug informations are printed with \fBsyslog\fR(3). -.TP 3n +.RE +.PP \fBfieldsep=\fR\fB\fIseparators\fR\fR +.RS 4 This option modifies the field separator character that pam_access will recognize when parsing the access configuration file. For example: \fBfieldsep=|\fR will cause the default `:' character to be treated as part of a field value and `|' becomes the field separator. Doing this may be useful in conjuction with a system that wants to use pam_access with X based applications, since the \fBPAM_TTY\fR item is likely to be of the form "hostname:0" which includes a `:' character in its value. But you should not need this. -.TP 3n +.RE +.PP \fBlistsep=\fR\fB\fIseparators\fR\fR +.RS 4 This option modifies the list separator character that pam_access will recognize when parsing the access configuration file. For example: \fBlistsep=,\fR will cause the default ` ' (space) and `\\t' (tab) characters to be treated as part of a list element value and `,' becomes the only list element separator. Doing this may be useful on a system with group information obtained from a Windows domain, where the default built\-in groups "Domain Users", "Domain Admins" contain a space. +.RE +.PP +\fBnodefgroup\fR +.RS 4 +The group database will not be used for tokens not identified as account name. +.RE .SH "MODULE SERVICES PROVIDED" .PP All services are supported. .SH "RETURN VALUES" -.TP 3n +.PP PAM_SUCCESS +.RS 4 Access was granted. -.TP 3n +.RE +.PP PAM_PERM_DENIED +.RS 4 Access was not granted. -.TP 3n +.RE +.PP PAM_IGNORE +.RS 4 \fBpam_setcred\fR was called which does nothing. -.TP 3n +.RE +.PP PAM_ABORT +.RS 4 Not all relevant data or options could be gotten. -.TP 3n +.RE +.PP PAM_USER_UNKNOWN +.RS 4 The user is not known to the system. +.RE .SH "FILES" -.TP 3n +.PP \fI/etc/security/access.conf\fR +.RS 4 Default configuration file +.RE .SH "SEE ALSO" .PP diff --git a/Linux-PAM/modules/pam_access/pam_access.8.xml b/Linux-PAM/modules/pam_access/pam_access.8.xml index 74e39993..1d814e88 100644 --- a/Linux-PAM/modules/pam_access/pam_access.8.xml +++ b/Linux-PAM/modules/pam_access/pam_access.8.xml @@ -26,6 +26,9 @@ debug </arg> <arg choice="opt"> + nodefgroup + </arg> + <arg choice="opt"> accessfile=<replaceable>file</replaceable> </arg> <arg choice="opt"> @@ -123,6 +126,18 @@ </listitem> </varlistentry> + <varlistentry> + <term> + <option>nodefgroup</option> + </term> + <listitem> + <para> + The group database will not be used for tokens not + identified as account name. + </para> + </listitem> + </varlistentry> + </variablelist> </refsect1> diff --git a/Linux-PAM/modules/pam_access/pam_access.c b/Linux-PAM/modules/pam_access/pam_access.c index 80d94cc9..29a1606c 100644 --- a/Linux-PAM/modules/pam_access/pam_access.c +++ b/Linux-PAM/modules/pam_access/pam_access.c @@ -89,6 +89,9 @@ static const char *sep = ", \t"; /* list-element separator */ #define YES 1 #define NO 0 +/* Only allow group entries of the form "(xyz)" */ +static int only_new_group_syntax = NO; + /* * A structure to bundle up all login-related information to keep the * functional interfaces as generic as possible. @@ -136,6 +139,8 @@ parse_args(pam_handle_t *pamh, struct login_info *loginfo, } else if (strcmp (argv[i], "debug") == 0) { pam_access_debug = YES; + } else if (strcmp (argv[i], "nodefgroup") == 0) { + only_new_group_syntax = YES; } else { pam_syslog(pamh, LOG_ERR, "unrecognized option [%s]", argv[i]); } @@ -151,6 +156,7 @@ typedef int match_func (pam_handle_t *, char *, struct login_info *); static int list_match (pam_handle_t *, char *, struct login_info *, match_func *); static int user_match (pam_handle_t *, char *, struct login_info *); +static int group_match (pam_handle_t *, const char *, const char *); static int from_match (pam_handle_t *, char *, struct login_info *); static int string_match (pam_handle_t *, const char *, const char *); static int network_netmask_match (pam_handle_t *, const char *, const char *); @@ -321,6 +327,7 @@ login_access (pam_handle_t *pamh, struct login_info *item) int match = NO; int end; int lineno = 0; /* for diagnostics */ + char *sptr; if (pam_access_debug) pam_syslog (pamh, LOG_DEBUG, @@ -354,9 +361,9 @@ login_access (pam_handle_t *pamh, struct login_info *item) continue; /* Allow field seperator in last field of froms */ - if (!(perm = strtok(line, fs)) - || !(users = strtok((char *) 0, fs)) - || !(froms = strtok((char *) 0, "\n"))) { + if (!(perm = strtok_r(line, fs, &sptr)) + || !(users = strtok_r(NULL, fs, &sptr)) + || !(froms = strtok_r(NULL, "\n", &sptr))) { pam_syslog(pamh, LOG_ERR, "%s: line %d: bad field count", item->config_file, lineno); continue; @@ -398,6 +405,11 @@ static int list_match(pam_handle_t *pamh, { char *tok; int match = NO; + char *sptr; + + if (pam_access_debug) + pam_syslog (pamh, LOG_DEBUG, + "list_match: list=%s, item=%s", list, item->user->pw_name); /* * Process tokens one at a time. We have exhausted all possible matches @@ -406,7 +418,8 @@ static int list_match(pam_handle_t *pamh, * the match is affected by any exceptions. */ - for (tok = strtok(list, sep); tok != 0; tok = strtok((char *) 0, sep)) { + for (tok = strtok_r(list, sep, &sptr); tok != 0; + tok = strtok_r(NULL, sep, &sptr)) { if (strcasecmp(tok, "EXCEPT") == 0) /* EXCEPT: give up */ break; if ((match = (*match_fn) (pamh, tok, item))) /* YES */ @@ -415,9 +428,9 @@ static int list_match(pam_handle_t *pamh, /* Process exceptions to matches. */ if (match != NO) { - while ((tok = strtok((char *) 0, sep)) && strcasecmp(tok, "EXCEPT")) + while ((tok = strtok_r(NULL, sep, &sptr)) && strcasecmp(tok, "EXCEPT")) /* VOID */ ; - if (tok == 0 || list_match(pamh, (char *) 0, item, match_fn) == NO) + if (tok == 0 || list_match(pamh, sptr, item, match_fn) == NO) return (match); } return (NO); @@ -425,7 +438,7 @@ static int list_match(pam_handle_t *pamh, /* myhostname - figure out local machine name */ -static char * myhostname(void) +static char *myhostname(void) { static char name[MAXHOSTNAMELEN + 1]; @@ -439,7 +452,7 @@ static char * myhostname(void) /* netgroup_match - match group against machine or user */ static int -netgroup_match (pam_handle_t *pamh, const char *group, +netgroup_match (pam_handle_t *pamh, const char *netgroup, const char *machine, const char *user) { char *mydomain = NULL; @@ -448,11 +461,12 @@ netgroup_match (pam_handle_t *pamh, const char *group, yp_get_default_domain(&mydomain); - retval = innetgr (group, machine, user, mydomain); + retval = innetgr (netgroup, machine, user, mydomain); if (pam_access_debug == YES) pam_syslog (pamh, LOG_DEBUG, - "netgroup_match: %d (group=%s, machine=%s, user=%s, domain=%s)", - retval, group ? group : "NULL", machine ? machine : "NULL", + "netgroup_match: %d (netgroup=%s, machine=%s, user=%s, domain=%s)", + retval, netgroup ? netgroup : "NULL", + machine ? machine : "NULL", user ? user : "NULL", mydomain ? mydomain : "NULL"); return retval; @@ -487,15 +501,45 @@ user_match (pam_handle_t *pamh, char *tok, struct login_info *item) from_match (pamh, at + 1, &fake_item)); } else if (tok[0] == '@') /* netgroup */ return (netgroup_match (pamh, tok + 1, (char *) 0, string)); + else if (tok[0] == '(' && tok[strlen(tok) - 1] == ')') + return (group_match (pamh, tok, string)); else if (string_match (pamh, tok, string)) /* ALL or exact match */ - return YES; - else if (pam_modutil_user_in_group_nam_nam (pamh, item->user->pw_name, tok)) + return YES; + else if (only_new_group_syntax == NO && + pam_modutil_user_in_group_nam_nam (pamh, + item->user->pw_name, tok)) /* try group membership */ return YES; return NO; } + +/* group_match - match a username against token named group */ + +static int +group_match (pam_handle_t *pamh, const char *tok, const char* usr) +{ + char grptok[BUFSIZ]; + + if (pam_access_debug) + pam_syslog (pamh, LOG_DEBUG, + "group_match: grp=%s, user=%s", grptok, usr); + + if (strlen(tok) < 3) + return NO; + + /* token is recieved under the format '(...)' */ + memset(grptok, 0, BUFSIZ); + strncpy(grptok, tok + 1, strlen(tok) - 2); + + if (pam_modutil_user_in_group_nam_nam(pamh, usr, grptok)) + return YES; + + return NO; +} + + /* from_match - match a host or tty against a list of tokens */ static int diff --git a/Linux-PAM/modules/pam_cracklib/README b/Linux-PAM/modules/pam_cracklib/README index 89e80318..25ec00b4 100644 --- a/Linux-PAM/modules/pam_cracklib/README +++ b/Linux-PAM/modules/pam_cracklib/README @@ -152,6 +152,14 @@ ocredit=N (N < 0) This is the minimum number of other characters that must be met for a new password. +minclass=N + + The minimum number of required classes of characters for the new password. + The default number is zero. The four classes are digits, upper and lower + letters and other characters. The difference to the credit check is that a + specific class if of characters is not required. Instead N out of four of + the classes are required. + use_authtok This argument is used to force the module to not prompt the user for a new diff --git a/Linux-PAM/modules/pam_cracklib/pam_cracklib.8 b/Linux-PAM/modules/pam_cracklib/pam_cracklib.8 index 526817a4..8ccf8059 100644 --- a/Linux-PAM/modules/pam_cracklib/pam_cracklib.8 +++ b/Linux-PAM/modules/pam_cracklib/pam_cracklib.8 @@ -1,11 +1,11 @@ .\" Title: pam_cracklib .\" Author: -.\" Generator: DocBook XSL Stylesheets v1.70.1 <http://docbook.sf.net/> -.\" Date: 06/02/2006 +.\" Generator: DocBook XSL Stylesheets v1.71.1 <http://docbook.sf.net/> +.\" Date: 06/20/2007 .\" Manual: Linux\-PAM Manual .\" Source: Linux\-PAM Manual .\" -.TH "PAM_CRACKLIB" "8" "06/02/2006" "Linux\-PAM Manual" "Linux\-PAM Manual" +.TH "PAM_CRACKLIB" "8" "06/20/2007" "Linux\-PAM Manual" "Linux\-PAM Manual" .\" disable hyphenation .nh .\" disable justification (adjust text to left margin only) @@ -28,14 +28,19 @@ The first action is to prompt for a single password, check its strength and then The strength checks works in the following manner: at first the \fBCracklib\fR routine is called to check if the password is part of a dictionary; if this is not the case an additional set of strength checks is done. These checks are: -.TP 3n +.PP Palindrome +.RS 4 Is the new password a palindrome of the old one? -.TP 3n +.RE +.PP Case Change Only +.RS 4 Is the new password the the old one with only a change of case? -.TP 3n +.RE +.PP Similar +.RS 4 Is the new password too much like the old one? This is primarily controlled by one argument, \fBdifok\fR which is a number of characters that if different between the old and new are enough to accept the new password, this defaults to 10 or 1/2 the size of the new password whichever is smaller. @@ -47,52 +52,70 @@ is available. This argument can be used to specify the minimum length a new pass value is ignored. The default value for \fBdifignore\fR is 23. -.TP 3n +.RE +.PP Simple +.RS 4 Is the new password too small? This is controlled by 5 arguments \fBminlen\fR, \fBdcredit\fR, \fBucredit\fR, \fBlcredit\fR, and \fBocredit\fR. See the section on the arguments for the details of how these work and there defaults. -.TP 3n +.RE +.PP Rotated +.RS 4 Is the new password a rotated version of the old password? -.TP 3n +.RE +.PP Already used +.RS 4 Was the password used in the past? Previously used passwords are to be found in \fI/etc/security/opasswd\fR. +.RE .PP This module with no arguments will work well for standard unix password encryption. With md5 encryption, passwords can be longer than 8 characters and the default settings for this module can make it hard for the user to choose a satisfactory new password. Notably, the requirement that the new password contain no more than 1/2 of the characters in the old password becomes a non\-trivial constraint. For example, an old password of the form "the quick brown fox jumped over the lazy dogs" would be difficult to change... In addition, the default action is to allow passwords as small as 5 characters in length. For a md5 systems it can be a good idea to increase the required minimum size of a password. One can then allow more credit for different kinds of characters but accept that the new password may share most of these characters with the old password. .SH "OPTIONS" .PP -.TP 3n +.PP \fBdebug\fR +.RS 4 This option makes the module write information to \fBsyslog\fR(3) indicating the behavior of the module (this option does not write password information to the log file). -.TP 3n +.RE +.PP \fBtype=\fR\fB\fIXXX\fR\fR +.RS 4 The default action is for the module to use the following prompts when requesting passwords: "New UNIX password: " and "Retype UNIX password: ". The default word \fIUNIX\fR can be replaced with this option. -.TP 3n +.RE +.PP \fBretry=\fR\fB\fIN\fR\fR +.RS 4 Prompt user at most \fIN\fR times before returning with error. The default is \fI1\fR -.TP 3n +.RE +.PP \fBdifok=\fR\fB\fIN\fR\fR +.RS 4 This argument will change the default of \fI5\fR for the number of characters in the new password that must not be present in the old password. In addition, if 1/2 of the characters in the new password are different then the new password will be accepted anyway. -.TP 3n +.RE +.PP \fBdifignore=\fR\fB\fIN\fR\fR +.RS 4 How many characters should the password have before difok will be ignored. The default is \fI23\fR. -.TP 3n +.RE +.PP \fBminlen=\fR\fB\fIN\fR\fR +.RS 4 The minimum acceptable size for the new password (plus one if credits are not disabled which is the default). In addition to the number of characters in the new password, credit (of +1 in length) is given for each different kind of character (\fIother\fR, \fIupper\fR, \fIlower\fR @@ -103,8 +126,10 @@ which is good for a old style UNIX password all of the same type of character bu \fICracklib\fR itself, a "way too short" limit of 4 which is hard coded in and a defined limit (6) that will be checked without reference to \fBminlen\fR. If you want to allow passwords as short as 5 characters you should not use this module. -.TP 3n +.RE +.PP \fBdcredit=\fR\fB\fIN\fR\fR +.RS 4 (N >= 0) This is the maximum credit for having digits in the new password. If you have less than or \fIN\fR digits, each digit will count +1 towards meeting the current @@ -116,8 +141,10 @@ is 1 which is the recommended value for less than 10. .sp (N < 0) This is the minimum number of digits that must be met for a new password. -.TP 3n +.RE +.PP \fBucredit=\fR\fB\fIN\fR\fR +.RS 4 (N >= 0) This is the maximum credit for having upper case letters in the new password. If you have less than or \fIN\fR upper case letters each letter will count +1 towards meeting the current @@ -131,8 +158,10 @@ which is the recommended value for less than 10. .sp (N > 0) This is the minimum number of upper case letters that must be met for a new password. -.TP 3n +.RE +.PP \fBlcredit=\fR\fB\fIN\fR\fR +.RS 4 (N >= 0) This is the maximum credit for having lower case letters in the new password. If you have less than or \fIN\fR lower case letters, each letter will count +1 towards meeting the current @@ -144,8 +173,10 @@ is 1 which is the recommended value for less than 10. .sp (N < 0) This is the minimum number of lower case letters that must be met for a new password. -.TP 3n +.RE +.PP \fBocredit=\fR\fB\fIN\fR\fR +.RS 4 (N >= 0) This is the maximum credit for having other characters in the new password. If you have less than or \fIN\fR other characters, each character will count +1 towards meeting the current @@ -157,16 +188,30 @@ is 1 which is the recommended value for less than 10. .sp (N < 0) This is the minimum number of other characters that must be met for a new password. -.TP 3n +.RE +.PP +\fBminclass=\fR\fB\fIN\fR\fR +.RS 4 +The minimum number of required classes of characters for the new password. The default number is zero. The four classes are digits, upper and lower letters and other characters. The difference to the +\fBcredit\fR +check is that a specific class if of characters is not required. Instead +\fIN\fR +out of four of the classes are required. +.RE +.PP \fBuse_authtok\fR +.RS 4 This argument is used to \fIforce\fR the module to not prompt the user for a new password but use the one provided by the previously stacked \fIpassword\fR module. -.TP 3n +.RE +.PP \fBdictpath=\fR\fB\fI/path/to/dict\fR\fR +.RS 4 Path to the cracklib dictionaries. +.RE .SH "MODULE SERVICES PROVIDED" .PP Only he @@ -174,26 +219,34 @@ Only he service is supported. .SH "RETURN VALUES" .PP -.TP 3n +.PP PAM_SUCCESS +.RS 4 The new password passes all checks. -.TP 3n +.RE +.PP PAM_AUTHTOK_ERR +.RS 4 No new password was entered, the username could not be determined or the new password fails the strength checks. -.TP 3n +.RE +.PP PAM_AUTHTOK_RECOVERY_ERR +.RS 4 The old password was not supplied by a previous stackked module or got not requested from the user. The first error can happen if \fBuse_authtok\fR is specified. -.TP 3n +.RE +.PP PAM_SERVICE_ERR +.RS 4 A internal error occured. +.RE .SH "EXAMPLES" .PP For an example of the use of this module, we show how it may be stacked with the password component of \fBpam_unix\fR(8) .sp -.RS 3n +.RS 4 .nf # # These lines stack two password type modules. In this example the @@ -213,7 +266,7 @@ Another example (in the \fI/etc/pam.d/passwd\fR format) is for the case that you want to use md5 password encryption: .sp -.RS 3n +.RS 4 .nf #%PAM\-1.0 # @@ -232,7 +285,7 @@ password required pam_unix.so use_authtok nullok md5 .PP And here is another example in case you don't want to use credits: .sp -.RS 3n +.RS 4 .nf #%PAM\-1.0 # diff --git a/Linux-PAM/modules/pam_cracklib/pam_cracklib.8.xml b/Linux-PAM/modules/pam_cracklib/pam_cracklib.8.xml index 7edabe0f..f97ad8fb 100644 --- a/Linux-PAM/modules/pam_cracklib/pam_cracklib.8.xml +++ b/Linux-PAM/modules/pam_cracklib/pam_cracklib.8.xml @@ -331,6 +331,24 @@ <varlistentry> <term> + <option>minclass=<replaceable>N</replaceable></option> + </term> + <listitem> + <para> + The minimum number of required classes of characters for + the new password. The default number is zero. The four + classes are digits, upper and lower letters and other + characters. + The difference to the <option>credit</option> check is + that a specific class if of characters is not required. + Instead <replaceable>N</replaceable> out of four of the + classes are required. + </para> + </listitem> + </varlistentry> + + <varlistentry> + <term> <option>use_authtok</option> </term> <listitem> diff --git a/Linux-PAM/modules/pam_cracklib/pam_cracklib.c b/Linux-PAM/modules/pam_cracklib/pam_cracklib.c index 9b496202..6decf2bf 100644 --- a/Linux-PAM/modules/pam_cracklib/pam_cracklib.c +++ b/Linux-PAM/modules/pam_cracklib/pam_cracklib.c @@ -92,6 +92,7 @@ struct cracklib_options { int up_credit; int low_credit; int oth_credit; + int min_class; int use_authtok; char prompt_type[BUFSIZ]; char cracklib_dictpath[PATH_MAX]; @@ -156,6 +157,12 @@ _pam_parse (pam_handle_t *pamh, struct cracklib_options *opt, opt->oth_credit = strtol(*argv+8,&ep,10); if (!ep) opt->oth_credit = 0; + } else if (!strncmp(*argv,"minclass=",9)) { + opt->min_class = strtol(*argv+9,&ep,10); + if (!ep) + opt->min_class = 0; + if (opt->min_class > 4) + opt->min_class = 4 ; } else if (!strncmp(*argv,"use_authtok",11)) { opt->use_authtok = 1; } else if (!strncmp(*argv,"dictpath=",9)) { @@ -290,6 +297,47 @@ static int similar(struct cracklib_options *opt, } /* + * enough classes of charecters + */ + +static int minclass (struct cracklib_options *opt, + const char *new) +{ + int digits = 0; + int uppers = 0; + int lowers = 0; + int others = 0; + int total_class; + int i; + int retval; + + D(( "called" )); + for (i = 0; new[i]; i++) + { + if (isdigit (new[i])) + digits = 1; + else if (isupper (new[i])) + uppers = 1; + else if (islower (new[i])) + lowers = 1; + else + others = 1; + } + + total_class = digits + uppers + lowers + others; + + D (("total class: %d\tmin_class: %d", total_class, opt->min_class)); + + if (total_class >= opt->min_class) + retval = 0; + else + retval = 1; + + return retval; +} + + +/* * a nice mix of characters. */ static int simple(struct cracklib_options *opt, const char *new) @@ -369,43 +417,51 @@ static char * str_lower(char *string) return string; } -static const char * password_check(struct cracklib_options *opt, const char *old, const char *new) +static const char *password_check(struct cracklib_options *opt, + const char *old, const char *new) { const char *msg = NULL; - char *oldmono, *newmono, *wrapped; + char *oldmono = NULL, *newmono, *wrapped = NULL; - if (strcmp(new, old) == 0) { - msg = _("is the same as the old one"); - return msg; - } + if (old && strcmp(new, old) == 0) { + msg = _("is the same as the old one"); + return msg; + } newmono = str_lower(x_strdup(new)); - oldmono = str_lower(x_strdup(old)); - wrapped = malloc(strlen(oldmono) * 2 + 1); - strcpy (wrapped, oldmono); - strcat (wrapped, oldmono); + if (old) { + oldmono = str_lower(x_strdup(old)); + wrapped = malloc(strlen(oldmono) * 2 + 1); + strcpy (wrapped, oldmono); + strcat (wrapped, oldmono); + } if (palindrome(newmono)) msg = _("is a palindrome"); - if (!msg && strcmp(oldmono, newmono) == 0) + if (!msg && oldmono && strcmp(oldmono, newmono) == 0) msg = _("case changes only"); - if (!msg && similar(opt, oldmono, newmono)) + if (!msg && oldmono && similar(opt, oldmono, newmono)) msg = _("is too similar to the old one"); if (!msg && simple(opt, new)) msg = _("is too simple"); - if (!msg && strstr(wrapped, newmono)) + if (!msg && wrapped && strstr(wrapped, newmono)) msg = _("is rotated"); + if (!msg && minclass (opt, new)) + msg = _("not enough character classes"); + memset(newmono, 0, strlen(newmono)); - memset(oldmono, 0, strlen(oldmono)); - memset(wrapped, 0, strlen(wrapped)); free(newmono); - free(oldmono); - free(wrapped); + if (old) { + memset(oldmono, 0, strlen(oldmono)); + memset(wrapped, 0, strlen(wrapped)); + free(oldmono); + free(wrapped); + } return msg; } @@ -426,17 +482,18 @@ static const char * check_old_password(const char *forwho, const char *newpass) while (fgets(buf, 16380, opwfile)) { if (!strncmp(buf, forwho, strlen(forwho))) { + char *sptr; buf[strlen(buf)-1] = '\0'; - s_luser = strtok(buf, ":,"); - s_uid = strtok(NULL, ":,"); - s_npas = strtok(NULL, ":,"); - s_pas = strtok(NULL, ":,"); + s_luser = strtok_r(buf, ":,", &sptr); + s_uid = strtok_r(NULL, ":,", &sptr); + s_npas = strtok_r(NULL, ":,", &sptr); + s_pas = strtok_r(NULL, ":,", &sptr); while (s_pas != NULL) { if (!strcmp(crypt(newpass, s_pas), s_pas)) { msg = _("has been already used"); break; } - s_pas = strtok(NULL, ":,"); + s_pas = strtok_r(NULL, ":,", &sptr); } break; } @@ -469,7 +526,7 @@ static int _pam_unix_approve_pass(pam_handle_t *pamh, * if one wanted to hardwire authentication token strength * checking this would be the place */ - msg = password_check(opt, pass_old,pass_new); + msg = password_check(opt, pass_old, pass_new); if (!msg) { retval = pam_get_item(pamh, PAM_USER, &user); if (retval != PAM_SUCCESS || user == NULL) { @@ -620,15 +677,13 @@ PAM_EXTERN int pam_sm_chauthtok(pam_handle_t *pamh, int flags, } else { /* check it for strength too... */ D(("for strength")); - if (oldtoken) { - retval = _pam_unix_approve_pass(pamh,ctrl,&options, - oldtoken,token1); - if (retval != PAM_SUCCESS) { - if (getuid() || (flags & PAM_CHANGE_EXPIRED_AUTHTOK)) - retval = PAM_AUTHTOK_ERR; - else - retval = PAM_SUCCESS; - } + retval = _pam_unix_approve_pass (pamh, ctrl, &options, + oldtoken, token1); + if (retval != PAM_SUCCESS) { + if (getuid() || (flags & PAM_CHANGE_EXPIRED_AUTHTOK)) + retval = PAM_AUTHTOK_ERR; + else + retval = PAM_SUCCESS; } } } diff --git a/Linux-PAM/modules/pam_ftp/pam_ftp.c b/Linux-PAM/modules/pam_ftp/pam_ftp.c index 948dd729..9c69c108 100644 --- a/Linux-PAM/modules/pam_ftp/pam_ftp.c +++ b/Linux-PAM/modules/pam_ftp/pam_ftp.c @@ -79,10 +79,11 @@ static int lookup(const char *name, const char *list, const char **_user) if (list && *list) { const char *l; char *list_copy, *x; + char *sptr; list_copy = x_strdup(list); x = list_copy; - while (list_copy && (l = strtok(x, ","))) { + while (list_copy && (l = strtok_r(x, ",", &sptr))) { x = NULL; if (!strcmp(name, l)) { *_user = list; @@ -170,11 +171,12 @@ pam_sm_authenticate (pam_handle_t *pamh, int flags UNUSED, /* XXX: Some effort should be made to verify this email address! */ if (!(ctrl & PAM_IGNORE_EMAIL)) { - token = strtok(resp, "@"); + char *sptr; + token = strtok_r(resp, "@", &sptr); retval = pam_set_item(pamh, PAM_RUSER, token); if ((token) && (retval == PAM_SUCCESS)) { - token = strtok(NULL, "@"); + token = strtok_r(NULL, "@", &sptr); retval = pam_set_item(pamh, PAM_RHOST, token); } } diff --git a/Linux-PAM/modules/pam_limits/Makefile.am b/Linux-PAM/modules/pam_limits/Makefile.am index be2852a9..60256a7c 100644 --- a/Linux-PAM/modules/pam_limits/Makefile.am +++ b/Linux-PAM/modules/pam_limits/Makefile.am @@ -13,8 +13,10 @@ TESTS = tst-pam_limits securelibdir = $(SECUREDIR) secureconfdir = $(SCONFIGDIR) +limits_conf_dir = $(SCONFIGDIR)/limits.d AM_CFLAGS = -I$(top_srcdir)/libpam/include -I$(top_srcdir)/libpamc/include \ + -DLIMITS_FILE_DIR=\"$(limits_conf_dir)/*.conf\" \ -DLIMITS_FILE=\"$(SCONFIGDIR)/limits.conf\" AM_LDFLAGS = -no-undefined -avoid-version -module \ -L$(top_builddir)/libpam -lpam @@ -32,3 +34,5 @@ README: pam_limits.8.xml limits.conf.5.xml -include $(top_srcdir)/Make.xml.rules endif +install-data-local: + mkdir -p $(DESTDIR)$(limits_conf_dir) diff --git a/Linux-PAM/modules/pam_limits/README b/Linux-PAM/modules/pam_limits/README index adab19df..26336711 100644 --- a/Linux-PAM/modules/pam_limits/README +++ b/Linux-PAM/modules/pam_limits/README @@ -8,6 +8,13 @@ The pam_limits PAM module sets limits on the system resources that can be obtained in a user-session. Users of uid=0 are affected by this limits, too. By default limits are taken from the /etc/security/limits.conf config file. +Then individual files from the /etc/security/limits.d/ directory are read. The +files are parsed one after another in the order of "C" locale. The effect of +the individual files is the same as if all the files were concatenated together +in the order of parsing. If a config file is explicitely specified with a +module option then the files in the above directory are not parsed. + +The module must not be called by a multithreaded application. OPTIONS diff --git a/Linux-PAM/modules/pam_limits/limits.conf b/Linux-PAM/modules/pam_limits/limits.conf index c52778b1..d3463638 100644 --- a/Linux-PAM/modules/pam_limits/limits.conf +++ b/Linux-PAM/modules/pam_limits/limits.conf @@ -26,7 +26,7 @@ # - stack - max stack size (KB) # - cpu - max CPU time (MIN) # - nproc - max number of processes -# - as - address space limit +# - as - address space limit (KB) # - maxlogins - max number of logins for this user # - maxsyslogins - max number of logins on the system # - priority - the priority to run user process with diff --git a/Linux-PAM/modules/pam_limits/limits.conf.5 b/Linux-PAM/modules/pam_limits/limits.conf.5 index e6ba853f..3cf62f26 100644 --- a/Linux-PAM/modules/pam_limits/limits.conf.5 +++ b/Linux-PAM/modules/pam_limits/limits.conf.5 @@ -1,11 +1,11 @@ .\" Title: limits.conf .\" Author: -.\" Generator: DocBook XSL Stylesheets v1.70.1 <http://docbook.sf.net/> -.\" Date: 06/22/2006 +.\" Generator: DocBook XSL Stylesheets v1.71.1 <http://docbook.sf.net/> +.\" Date: 04/30/2007 .\" Manual: Linux\-PAM Manual .\" Source: Linux\-PAM Manual .\" -.TH "LIMITS.CONF" "5" "06/22/2006" "Linux\-PAM Manual" "Linux\-PAM Manual" +.TH "LIMITS.CONF" "5" "04/30/2007" "Linux\-PAM Manual" "Linux\-PAM Manual" .\" disable hyphenation .nh .\" disable justification (adjust text to left margin only) @@ -23,38 +23,44 @@ The syntax of the lines is as follows: \fI<value>\fR .PP The fields listed above should be filled as follows: -.TP 3n +.PP \fB<domain>\fR -.RS 3n -.TP 3n +.RS 4 +.RS 4 +.TP 4 \(bu a username -.TP 3n +.TP 4 \(bu a groupname, with \fB@group\fR syntax. This should not be confused with netgroups. -.TP 3n +.TP 4 \(bu the wildcard \fB*\fR, for default entry. -.TP 3n +.TP 4 \(bu the wildcard \fB%\fR, for maxlogins limit only, can also be used with \fI%group\fR syntax. .RE -.TP 3n +.RE +.PP \fB<type>\fR -.RS 3n -.TP 3n +.RS 4 +.RS 4 +.PP \fBhard\fR +.RS 4 for enforcing \fBhard\fR resource limits. These limits are set by the superuser and enforced by the Kernel. The user cannot raise his requirement of system resources above such values. -.TP 3n +.RE +.PP \fBsoft\fR +.RS 4 for enforcing \fBsoft\fR resource limits. These limits are ones that the user can move up or down within the permitted range by any pre\-exisiting @@ -62,8 +68,10 @@ resource limits. These limits are ones that the user can move up or down within limits. The values specified with this token can be thought of as \fIdefault\fR values, for normal system usage. -.TP 3n +.RE +.PP \fB\-\fR +.RS 4 for enforcing both \fBsoft\fR and @@ -72,64 +80,104 @@ resource limits together. .sp Note, if you specify a type of '\-' but neglect to supply the item and value fields then the module will never enforce any limits on the specified user/group etc. . .RE -.TP 3n +.RE +.RE +.PP \fB<item>\fR -.RS 3n -.TP 3n +.RS 4 +.RS 4 +.PP \fBcore\fR +.RS 4 limits the core file size (KB) -.TP 3n +.RE +.PP \fBdata\fR +.RS 4 maximum data size (KB) -.TP 3n +.RE +.PP \fBfsize\fR +.RS 4 maximum filesize (KB) -.TP 3n +.RE +.PP \fBmemlock\fR +.RS 4 maximum locked\-in\-memory address space (KB) -.TP 3n +.RE +.PP \fBnofile\fR +.RS 4 maximum number of open files -.TP 3n +.RE +.PP \fBrss\fR +.RS 4 maximum resident set size (KB) -.TP 3n +.RE +.PP \fBstack\fR +.RS 4 maximum stack size (KB) -.TP 3n +.RE +.PP \fBcpu\fR +.RS 4 maximum CPU time (minutes) -.TP 3n +.RE +.PP \fBnproc\fR +.RS 4 maximum number of processes -.TP 3n +.RE +.PP \fBas\fR -address space limit -.TP 3n +.RS 4 +address space limit (KB) +.RE +.PP \fBmaxlogins\fR +.RS 4 maximum number of logins for this user -.TP 3n +.RE +.PP \fBmaxsyslogins\fR +.RS 4 maximum number of logins on system -.TP 3n +.RE +.PP \fBpriority\fR +.RS 4 the priority to run user process with (negative values boost process priority) -.TP 3n +.RE +.PP \fBlocks\fR +.RS 4 maximum locked files (Linux 2.4 and higher) -.TP 3n +.RE +.PP \fBsigpending\fR +.RS 4 maximum number of pending signals (Linux 2.6 and higher) -.TP 3n +.RE +.PP \fBmsqqueue\fR +.RS 4 maximum memory used by POSIX message queues (bytes) (Linux 2.6 and higher) -.TP 3n +.RE +.PP \fBnice\fR +.RS 4 maximum nice priority allowed to raise to (Linux 2.6.12 and higher) -.TP 3n +.RE +.PP \fBrtprio\fR +.RS 4 maximum realtime priority allowed for non\-privileged processes (Linux 2.6.12 and higher) .RE +.RE +.RE .PP In general, individual limits have priority over group limits, so if you impose no limits for \fIadmin\fR @@ -149,7 +197,7 @@ The pam_limits module does its best to report configuration problems found in it These are some example lines which might be specified in \fI/etc/security/limits.conf\fR. .sp -.RS 3n +.RS 4 .nf * soft core 0 * hard rss 10000 diff --git a/Linux-PAM/modules/pam_limits/limits.conf.5.xml b/Linux-PAM/modules/pam_limits/limits.conf.5.xml index 28df7381..830aa022 100644 --- a/Linux-PAM/modules/pam_limits/limits.conf.5.xml +++ b/Linux-PAM/modules/pam_limits/limits.conf.5.xml @@ -169,7 +169,7 @@ <varlistentry> <term><option>as</option></term> <listitem> - <para>address space limit</para> + <para>address space limit (KB)</para> </listitem> </varlistentry> <varlistentry> diff --git a/Linux-PAM/modules/pam_limits/pam_limits.8 b/Linux-PAM/modules/pam_limits/pam_limits.8 index 9083e14d..4f01e4cf 100644 --- a/Linux-PAM/modules/pam_limits/pam_limits.8 +++ b/Linux-PAM/modules/pam_limits/pam_limits.8 @@ -1,11 +1,11 @@ .\" Title: pam_limits .\" Author: -.\" Generator: DocBook XSL Stylesheets v1.70.1 <http://docbook.sf.net/> -.\" Date: 06/17/2006 +.\" Generator: DocBook XSL Stylesheets v1.71.1 <http://docbook.sf.net/> +.\" Date: 04/30/2007 .\" Manual: Linux\-PAM Manual .\" Source: Linux\-PAM Manual .\" -.TH "PAM_LIMITS" "8" "06/17/2006" "Linux\-PAM Manual" "Linux\-PAM Manual" +.TH "PAM_LIMITS" "8" "04/30/2007" "Linux\-PAM Manual" "Linux\-PAM Manual" .\" disable hyphenation .nh .\" disable justification (adjust text to left margin only) @@ -23,58 +23,86 @@ are affected by this limits, too. .PP By default limits are taken from the \fI/etc/security/limits.conf\fR -config file. +config file. Then individual files from the +\fI/etc/security/limits.d/\fR +directory are read. The files are parsed one after another in the order of "C" locale. The effect of the individual files is the same as if all the files were concatenated together in the order of parsing. If a config file is explicitely specified with a module option then the files in the above directory are not parsed. +.PP +The module must not be called by a multithreaded application. .SH "OPTIONS" -.TP 3n +.PP \fBchange_uid\fR +.RS 4 Change real uid to the user for who the limits are set up. Use this option if you have problems like login not forking a shell for user who has no processes. Be warned that something else may break when you do this. -.TP 3n +.RE +.PP \fBconf=\fR\fB\fI/path/to/limits.conf\fR\fR +.RS 4 Indicate an alternative limits.conf style configuration file to override the default. -.TP 3n +.RE +.PP \fBdebug\fR +.RS 4 Print debug information. -.TP 3n +.RE +.PP \fButmp_early\fR +.RS 4 Some broken applications actually allocate a utmp entry for the user before the user is admitted to the system. If some of the services you are configuring PAM for do this, you can selectively use this module argument to compensate for this behavior and at the same time maintain system\-wide consistency with a single limits.conf file. +.RE .SH "MODULE SERVICES PROVIDED" .PP Only the \fBsession\fR service is supported. .SH "RETURN VALUES" -.TP 3n +.PP PAM_ABORT +.RS 4 Cannot get current limits. -.TP 3n +.RE +.PP PAM_IGNORE +.RS 4 No limits found for this user. -.TP 3n +.RE +.PP PAM_PERM_DENIED +.RS 4 New limits could not be set. -.TP 3n +.RE +.PP PAM_SERVICE_ERR +.RS 4 Cannot read config file. -.TP 3n +.RE +.PP PAM_SESSEION_ERR +.RS 4 Error recovering account name. -.TP 3n +.RE +.PP PAM_SUCCESS +.RS 4 Limits were changed. -.TP 3n +.RE +.PP PAM_USER_UNKNOWN +.RS 4 The user is not known to the system. +.RE .SH "FILES" -.TP 3n +.PP \fI/etc/security/limits.conf\fR +.RS 4 Default configuration file +.RE .SH "EXAMPLES" .PP For the services you need resources limits (login for example) put a the following line in \fI/etc/pam.d/login\fR as the last line for that service (usually after the pam_unix session line): .sp -.RS 3n +.RS 4 .nf #%PAM\-1.0 # diff --git a/Linux-PAM/modules/pam_limits/pam_limits.8.xml b/Linux-PAM/modules/pam_limits/pam_limits.8.xml index 78060a20..9f13bb68 100644 --- a/Linux-PAM/modules/pam_limits/pam_limits.8.xml +++ b/Linux-PAM/modules/pam_limits/pam_limits.8.xml @@ -47,7 +47,15 @@ </para> <para> By default limits are taken from the <filename>/etc/security/limits.conf</filename> - config file. + config file. Then individual files from the <filename>/etc/security/limits.d/</filename> + directory are read. The files are parsed one after another in the order of "C" locale. + The effect of the individual files is the same as if all the files were + concatenated together in the order of parsing. + If a config file is explicitely specified with a module option then the + files in the above directory are not parsed. + </para> + <para> + The module must not be called by a multithreaded application. </para> </refsect1> diff --git a/Linux-PAM/modules/pam_limits/pam_limits.c b/Linux-PAM/modules/pam_limits/pam_limits.c index 20aa794a..a4bc727f 100644 --- a/Linux-PAM/modules/pam_limits/pam_limits.c +++ b/Linux-PAM/modules/pam_limits/pam_limits.c @@ -31,7 +31,7 @@ #include <sys/stat.h> #include <sys/resource.h> #include <limits.h> - +#include <glob.h> #include <utmp.h> #ifndef UT_USER /* some systems have ut_name instead of ut_user */ #define UT_USER ut_user @@ -39,6 +39,7 @@ #include <grp.h> #include <pwd.h> +#include <locale.h> /* Module defines */ #define LINE_LENGTH 1024 @@ -75,7 +76,7 @@ struct pam_limit_s { specific user or to count all logins */ int priority; /* the priority to run user process with */ struct user_limits_struct limits[RLIM_NLIMITS]; - char conf_file[BUFSIZ]; + const char *conf_file; int utmp_after_pam_call; char login_group[LINE_LENGTH]; }; @@ -101,6 +102,11 @@ struct pam_limit_s { #define PAM_DO_SETREUID 0x0002 #define PAM_UTMP_EARLY 0x0004 +/* Limits from globbed files. */ +#define LIMITS_CONF_GLOB LIMITS_FILE_DIR + +#define CONF_FILE (pl->conf_file != NULL)?pl->conf_file:LIMITS_FILE + static int _pam_parse (const pam_handle_t *pamh, int argc, const char **argv, struct pam_limit_s *pl) @@ -115,7 +121,7 @@ _pam_parse (const pam_handle_t *pamh, int argc, const char **argv, if (!strcmp(*argv,"debug")) { ctrl |= PAM_DEBUG_ARG; } else if (!strncmp(*argv,"conf=",5)) { - strncpy(pl->conf_file,*argv+5,sizeof(pl->conf_file)-1); + pl->conf_file = *argv+5; } else if (!strncmp(*argv,"change_uid",10)) { ctrl |= PAM_DO_SETREUID; } else if (!strcmp(*argv,"utmp_early")) { @@ -124,7 +130,6 @@ _pam_parse (const pam_handle_t *pamh, int argc, const char **argv, pam_syslog(pamh, LOG_ERR, "unknown option: %s", *argv); } } - pl->conf_file[sizeof(pl->conf_file) - 1] = '\0'; return ctrl; } @@ -370,8 +375,13 @@ process_limit (const pam_handle_t *pamh, int source, const char *lim_type, switch(limit_item) { case RLIMIT_CPU: - if (rlimit_value != RLIM_INFINITY) - rlimit_value *= 60; + if (rlimit_value != RLIM_INFINITY) + { + if (rlimit_value >= RLIM_INFINITY/60) + rlimit_value = RLIM_INFINITY; + else + rlimit_value *= 60; + } break; case RLIMIT_FSIZE: case RLIMIT_DATA: @@ -381,13 +391,20 @@ process_limit (const pam_handle_t *pamh, int source, const char *lim_type, case RLIMIT_MEMLOCK: case RLIMIT_AS: if (rlimit_value != RLIM_INFINITY) - rlimit_value *= 1024; + { + if (rlimit_value >= RLIM_INFINITY/1024) + rlimit_value = RLIM_INFINITY; + else + rlimit_value *= 1024; + } break; #ifdef RLIMIT_NICE case RLIMIT_NICE: if (int_value > 19) int_value = 19; - rlimit_value = 19 - int_value; + if (int_value < -20) + int_value = -20; + rlimit_value = 20 - int_value; #endif break; } @@ -434,7 +451,6 @@ static int parse_config_file(pam_handle_t *pamh, const char *uname, int ctrl, FILE *fil; char buf[LINE_LENGTH]; -#define CONF_FILE (pl->conf_file[0])?pl->conf_file:LIMITS_FILE /* check for the LIMITS_FILE */ if (ctrl & PAM_DEBUG_ARG) pam_syslog(pamh, LOG_DEBUG, "reading settings from '%s'", CONF_FILE); @@ -444,7 +460,6 @@ static int parse_config_file(pam_handle_t *pamh, const char *uname, int ctrl, "cannot read settings from %s: %m", CONF_FILE); return PAM_SERVICE_ERR; } -#undef CONF_FILE /* init things */ memset(buf, 0, sizeof(buf)); @@ -599,16 +614,22 @@ pam_sm_open_session (pam_handle_t *pamh, int flags UNUSED, int argc, const char **argv) { int retval; + int i; + int glob_rc; char *user_name; struct passwd *pwd; int ctrl; - struct pam_limit_s pl; + struct pam_limit_s plstruct; + struct pam_limit_s *pl = &plstruct; + glob_t globbuf; + const char *oldlocale; D(("called.")); - memset(&pl, 0, sizeof(pl)); + memset(pl, 0, sizeof(*pl)); + memset(&globbuf, 0, sizeof(globbuf)); - ctrl = _pam_parse(pamh, argc, argv, &pl); + ctrl = _pam_parse(pamh, argc, argv, pl); retval = pam_get_item( pamh, PAM_USER, (void*) &user_name ); if ( user_name == NULL || retval != PAM_SUCCESS ) { pam_syslog(pamh, LOG_CRIT, "open_session - error recovering username"); @@ -623,26 +644,60 @@ pam_sm_open_session (pam_handle_t *pamh, int flags UNUSED, return PAM_USER_UNKNOWN; } - retval = init_limits(&pl); + retval = init_limits(pl); if (retval != PAM_SUCCESS) { pam_syslog(pamh, LOG_WARNING, "cannot initialize"); return PAM_ABORT; } - retval = parse_config_file(pamh, pwd->pw_name, ctrl, &pl); + retval = parse_config_file(pamh, pwd->pw_name, ctrl, pl); if (retval == PAM_IGNORE) { - D(("the configuration file has an applicable '<domain> -' entry")); + D(("the configuration file ('%s') has an applicable '<domain> -' entry", CONF_FILE)); return PAM_SUCCESS; } - if (retval != PAM_SUCCESS) { - pam_syslog(pamh, LOG_WARNING, "error parsing the configuration file"); - return retval; + if (retval != PAM_SUCCESS || pl->conf_file != NULL) + /* skip reading limits.d if config file explicitely specified */ + goto out; + + /* Read subsequent *.conf files, if they exist. */ + + /* set the LC_COLLATE so the sorting order doesn't depend + on system locale */ + + oldlocale = setlocale(LC_COLLATE, "C"); + glob_rc = glob(LIMITS_CONF_GLOB, GLOB_ERR, NULL, &globbuf); + + if (oldlocale != NULL) + setlocale (LC_COLLATE, oldlocale); + + if (!glob_rc) { + /* Parse the *.conf files. */ + for (i = 0; globbuf.gl_pathv[i] != NULL; i++) { + pl->conf_file = globbuf.gl_pathv[i]; + retval = parse_config_file(pamh, pwd->pw_name, ctrl, pl); + if (retval == PAM_IGNORE) { + D(("the configuration file ('%s') has an applicable '<domain> -' entry", pl->conf_file)); + globfree(&globbuf); + return PAM_SUCCESS; + } + if (retval != PAM_SUCCESS) + goto out; + } + } + +out: + globfree(&globbuf); + if (retval != PAM_SUCCESS) + { + pam_syslog(pamh, LOG_WARNING, "error parsing the configuration file: '%s' ",CONF_FILE); + return retval; } if (ctrl & PAM_DO_SETREUID) { setreuid(pwd->pw_uid, -1); } - retval = setup_limits(pamh, pwd->pw_name, pwd->pw_uid, ctrl, &pl); + + retval = setup_limits(pamh, pwd->pw_name, pwd->pw_uid, ctrl, pl); if (retval & LOGIN_ERR) pam_error(pamh, _("Too many logins for '%s'."), pwd->pw_name); if (retval != LIMITED_OK) { diff --git a/Linux-PAM/modules/pam_loginuid/pam_loginuid.c b/Linux-PAM/modules/pam_loginuid/pam_loginuid.c index 13d915e3..13509e7e 100644 --- a/Linux-PAM/modules/pam_loginuid/pam_loginuid.c +++ b/Linux-PAM/modules/pam_loginuid/pam_loginuid.c @@ -56,12 +56,11 @@ static int set_loginuid(pam_handle_t *pamh, uid_t uid) count = snprintf(loginuid, sizeof(loginuid), "%d", uid); fd = open("/proc/self/loginuid", O_NOFOLLOW|O_WRONLY|O_TRUNC); if (fd < 0) { - int loglevel = LOG_DEBUG; if (errno != ENOENT) { rc = 1; - loglevel = LOG_ERR; + pam_syslog(pamh, LOG_ERR, + "Cannot open /proc/self/loginuid: %m"); } - pam_syslog(pamh, loglevel, "set_loginuid failed opening loginuid"); return rc; } if (pam_modutil_write(fd, loginuid, count) != count) diff --git a/Linux-PAM/modules/pam_mail/pam_mail.c b/Linux-PAM/modules/pam_mail/pam_mail.c index 7d43d5e0..46395b53 100644 --- a/Linux-PAM/modules/pam_mail/pam_mail.c +++ b/Linux-PAM/modules/pam_mail/pam_mail.c @@ -411,11 +411,6 @@ static int _do_mail(pam_handle_t *pamh, int flags, int argc, ctrl = _pam_parse(pamh, flags, argc, argv, &path_mail, &hashcount); - /* Do we have anything to do? */ - - if (flags & PAM_SILENT) - return PAM_SUCCESS; - /* which folder? */ retval = get_folder(pamh, ctrl, path_mail, &folder, hashcount); diff --git a/Linux-PAM/modules/pam_mkhomedir/pam_mkhomedir.c b/Linux-PAM/modules/pam_mkhomedir/pam_mkhomedir.c index e5901a8f..44b092c1 100644 --- a/Linux-PAM/modules/pam_mkhomedir/pam_mkhomedir.c +++ b/Linux-PAM/modules/pam_mkhomedir/pam_mkhomedir.c @@ -58,7 +58,7 @@ /* argument parsing */ -#define MKHOMEDIR_DEBUG 020 /* keep quiet about things */ +#define MKHOMEDIR_DEBUG 020 /* be verbose about things */ #define MKHOMEDIR_QUIET 040 /* keep quiet about things */ static unsigned int UMask = 0022; @@ -78,6 +78,8 @@ _pam_parse (const pam_handle_t *pamh, int flags, int argc, const char **argv) { if (!strcmp(*argv, "silent")) { ctrl |= MKHOMEDIR_QUIET; + } else if (!strcmp(*argv, "debug")) { + ctrl |= MKHOMEDIR_DEBUG; } else if (!strncmp(*argv,"umask=",6)) { UMask = strtol(*argv+6,0,0); } else if (!strncmp(*argv,"skel=",5)) { diff --git a/Linux-PAM/modules/pam_namespace/README b/Linux-PAM/modules/pam_namespace/README index c47ba232..cf5814e3 100644 --- a/Linux-PAM/modules/pam_namespace/README +++ b/Linux-PAM/modules/pam_namespace/README @@ -2,128 +2,167 @@ pam_namespace — PAM module for configuring namespace for a session ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━ +DESCRIPTION -pam_namespace module: -Setup a private namespace with polyinstantiated directories. - -THEORY OF OPERATION: -The pam namespace module consults /etc/security/namespace.conf -configuration file and sets up a private namespace with polyinstantiated -directories for a session managed by PAM. A skeleton namespace.conf -installed by default provides example for polyinstantiating /tmp, /var/tmp -and users' home directory. - -If an executable script /etc/security/namespace.init exists, it -is used to initialize the namespace every time a new instance directory -is setup. The script receives the polyinstantiated directory path -and the instance directory path as its arguments. - -Each line in namespace.conf describes a limit for a user in the form: - -<polydir> <instance_prefix> <method> <list_of_uids> - -Where: -<polydir> - is the absolute pathname of the directory to polyinstantiate - Special entry $HOME is supported to designate user's home directory. - This field cannot be blank. - -<instance_prefix> - is the string prefix used to build the pathname for the - instantiation of <polydir>. The directory security context, or - optionally its md5sum string (32 hex characters), is appended to - the prefix to generate the final instance directory path. - This directory is created if it did not exist already, and is then - bind mounted on the <polydir> to provide an instance of <polydir> - based on the <method> column. The special string $HOME is replaced with - the user's home directory, and $USER with the username. - This field cannot be blank. - -<method> - is the method used for polyinstantiation. It can take 3 different - values; "user" for polyinstantiation based on user name, "context" - for polyinstantiation based on process security context, and "both" - for polyinstantiation based on both user name and security context. - Methods "context" and "both" are only available with SELinux. This - field cannot be blank. - -<list_of_uids> - is a comma separated list of user names for whom the - polyinstantiation is not performed. If left blank, polyinstantiation - will be performed for all users. - -EXAMPLE /etc/security/namespace.conf configuration file: -======================================================= -# Following three lines will polyinstantiate /tmp, /var/tmp and user's home -# directories. /tmp and /var/tmp will be polyinstantiated based on both -# security context as well as user name, whereas home directory will -# be polyinstantiated based on security context only. Polyinstantiation -# will not be performed for user root and adm for directories /tmp and -# /var/tmp, whereas home directories will be polyinstantiated for all -# users. The user name and/or context is appended to the instance prefix. -# -# Note that instance directories do not have to reside inside the -# polyinstantiated directory. In the examples below, instances of /tmp -# will be created in /tmp-inst directory, where as instances of /var/tmp -# and users home directories will reside within the directories that -# are being polyinstantiated. -# -# Instance parent directories must exist for the polyinstantiation -# mechanism to work. By default, they should be created with the mode -# of 000. pam_namespace module will enforce this mode unless it -# is explicitly called with an argument to ignore the mode of the -# instance parent. System administrators should use this argument with -# caution, as it will reduce security and isolation achieved by -# polyinstantiation. -# -/tmp /tmp-inst/ both root,adm -/var/tmp /var/tmp/tmp-inst/ both root,adm -$HOME $HOME/$USER.inst/inst- context - -ARGUMENTS RECOGNIZED: - debug - Verbose logging by syslog - - unmnt_remnt - For programs such as su and newrole, the login session has - already setup a polyinstantiated namespace. For these programs, - polyinstantiation is performed based on new user id or security - context, however the command first needs to undo the - polyinstantiation performed by login. This argument instructs - the command to first undo previous polyinstantiation before - proceeding with new polyinstantiation based on new id/context. - - unmnt_only - For trusted programs that want to undo any existing bind mounts - and process instance directories on their own, this argument - allows them to unmount currently mounted instance directories. - - require_selinux - If selinux is not enabled, return failure. - - gen_hash - Instead of using the security context string for the instance - name, generate and use its md5 hash. - - ignore_config_error - If a line in the configuration file corresponding to a - polyinstantiated directory contains format error, skip that - line process the next line. Without this option, pam will return - an error to the calling program resulting in termination - of the session. - - ignore_instance_parent_mode - Instance parent directories by default are expected to have - the restrictive mode of 000. Using this option, an administrator - can choose to ignore the mode of the instance parent. - -MODULE SERVICES PROVIDED: - session open_session and close_session - -USAGE: - For the <service>s you need polyinstantiation (login for example) - put the following line in /etc/pam.d/<service> as the last line for - session group: - - session required pam_namespace.so [arguments] - - This module also depends on pam_selinux.so setting the context. +The pam_namespace PAM module sets up a private namespace for a session with +polyinstantiated directories. A polyinstantiated directory provides a different +instance of itself based on user name, or when using SELinux, user name, +security context or both. If an executable script /etc/security/namespace.init +exists, it is used to initialize the namespace every time a new instance +directory is setup. The script receives the polyinstantiated directory path and +the instance directory path as its arguments. +The pam_namespace module disassociates the session namespace from the parent +namespace. Any mounts/unmounts performed in the parent namespace, such as +mounting of devices, are not reflected in the session namespace. To propagate +selected mount/unmount events from the parent namespace into the disassociated +session namespace, an administrator may use the special shared-subtree feature. +For additional information on shared-subtree feature, please refer to the mount +(8) man page and the shared-subtree description at http://lwn.net/Articles/ +159077 and http://lwn.net/Articles/159092. +OPTIONS + +debug + + A lot of debug information is logged using syslog + +unmnt_remnt + + For programs such as su and newrole, the login session has already setup a + polyinstantiated namespace. For these programs, polyinstantiation is + performed based on new user id or security context, however the command + first needs to undo the polyinstantiation performed by login. This argument + instructs the command to first undo previous polyinstantiation before + proceeding with new polyinstantiation based on new id/context + +unmnt_only + + For trusted programs that want to undo any existing bind mounts and process + instance directories on their own, this argument allows them to unmount + currently mounted instance directories + +require_selinux + + If selinux is not enabled, return failure + +gen_hash + + Instead of using the security context string for the instance name, + generate and use its md5 hash. + +ignore_config_error + + If a line in the configuration file corresponding to a polyinstantiated + directory contains format error, skip that line process the next line. + Without this option, pam will return an error to the calling program + resulting in termination of the session. + +ignore_instance_parent_mode + + Instance parent directories by default are expected to have the restrictive + mode of 000. Using this option, an administrator can choose to ignore the + mode of the instance parent. This option should be used with caution as it + will reduce security and isolation goals of the polyinstantiation + mechanism. + +no_unmount_on_close + + For certain trusted programs such as newrole, open session is called from a + child process while the parent perfoms close session and pam end functions. + For these commands use this option to instruct pam_close_session to not + unmount the bind mounted polyinstantiated directory in the parent. + +DESCRIPTION + +This module allows setup of private namespaces with polyinstantiated +directories. Directories can be polyinstantiated based on user name or, in the +case of SELinux, user name, sensitivity level or complete security context. If +an executable script /etc/security/namespace.init exists, it is used to +initialize the namespace every time a new instance directory is setup. The +script receives the polyinstantiated directory path and the instance directory +path as its arguments. + +The /etc/security/namespace.conf file specifies which directories are +polyinstantiated, how they are polyinstantiated, how instance directories would +be named, and any users for whom polyinstantiation would not be performed. + +When someone logs in, the file namespace.conf is scanned where each non comment +line represents one polyinstantiated directory with space separated fields as +follows: + +polydir instance_prefix method list_of_uids + +The first field, polydir, is the absolute pathname of the directory to +polyinstantiate. Special entry $HOME is supported to designate user's home +directory. This field cannot be blank. + +The second field, instance_prefix is the string prefix used to build the +pathname for the instantiation of <polydir>. Depending on the polyinstantiation +method it is then appended with "instance differentiation string" to generate +the final instance directory path. This directory is created if it did not +exist already, and is then bind mounted on the <polydir> to provide an instance +of <polydir> based on the <method> column. The special string $HOME is replaced +with the user's home directory, and $USER with the username. This field cannot +be blank. The directory where polyinstantiated instances are to be created, +must exist and must have, by default, the mode of 000. The requirement that the +instance parent be of mode 000 can be overridden with the command line option +ignore_instance_parent_mode + +The third field, method, is the method used for polyinstantiation. It can take +3 different values; "user" for polyinstantiation based on user name, "level" +for polyinstantiation based on process MLS level and user name, and "context" +for polyinstantiation based on process security context and user name Methods +"context" and "level" are only available with SELinux. This field cannot be +blank. + +The fourth field, list_of_uids, is a comma separated list of user names for +whom the polyinstantiation is not performed. If left blank, polyinstantiation +will be performed for all users. + +In case of context or level polyinstantiation the SELinux context which is used +for polyinstantiation is the context used for executing a new process as +obtained by getexeccon. This context must be set by the calling application or +pam_selinux.so module. If this context is not set the polyinstatiation will be +based just on user name. + +The "instance differentiation string" is <user name> for "user" method and +<user name>_<raw directory context> for "context" and "level" methods. If the +whole string is too long the end of it is replaced with md5sum of itself. Also +when command line option gen_hash is used the whole string is replaced with +md5sum of itself. + +EXAMPLES + +These are some example lines which might be specified in /etc/security/ +namespace.conf. + + + # The following three lines will polyinstantiate /tmp, + # /var/tmp and user's home directories. /tmp and /var/tmp + # will be polyinstantiated based on the security level + # as well as user name, whereas home directory will be + # polyinstantiated based on the full security context and user name. + # Polyinstantiation will not be performed for user root + # and adm for directories /tmp and /var/tmp, whereas home + # directories will be polyinstantiated for all users. + # + # Note that instance directories do not have to reside inside + # the polyinstantiated directory. In the examples below, + # instances of /tmp will be created in /tmp-inst directory, + # where as instances of /var/tmp and users home directories + # will reside within the directories that are being + # polyinstantiated. + # + /tmp /tmp-inst/ level root,adm + /var/tmp /var/tmp/tmp-inst/ level root,adm + $HOME $HOME/$USER.inst/inst- context + + +For the <service>s you need polyinstantiation (login for example) put the +following line in /etc/pam.d/<service> as the last line for session group: + +session required pam_namespace.so [arguments] + +This module also depends on pam_selinux.so setting the context. diff --git a/Linux-PAM/modules/pam_namespace/README.xml b/Linux-PAM/modules/pam_namespace/README.xml index 98ab7532..4ef99c9f 100644 --- a/Linux-PAM/modules/pam_namespace/README.xml +++ b/Linux-PAM/modules/pam_namespace/README.xml @@ -1,139 +1,44 @@ <?xml version="1.0" encoding='UTF-8'?> -<!DOCTYPE article PUBLIC "-//OASIS//DTD DocBook XML V4.4//EN" -"http://www.docbook.org/xml/4.4/docbookx.dtd"> +<!DOCTYPE article PUBLIC "-//OASIS//DTD DocBook XML V4.3//EN" +"http://www.docbook.org/xml/4.3/docbookx.dtd" +[ +<!-- +<!ENTITY pamns SYSTEM "pam_namespace.8.xml"> +--> +<!-- +<!ENTITY nsconf SYSTEM "namespace.conf.5.xml"> +--> +]> + <article> + <articleinfo> + <title> <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="pam_namespace.8.xml" xpointer='xpointer(//refnamediv[@id = "pam_namespace-name"]/*)'/> </title> - </articleinfo> - <section> - <programlisting><![CDATA[ - -pam_namespace module: -Setup a private namespace with polyinstantiated directories. - -THEORY OF OPERATION: -The pam namespace module consults /etc/security/namespace.conf -configuration file and sets up a private namespace with polyinstantiated -directories for a session managed by PAM. A skeleton namespace.conf -installed by default provides example for polyinstantiating /tmp, /var/tmp -and users' home directory. - -If an executable script /etc/security/namespace.init exists, it -is used to initialize the namespace every time a new instance directory -is setup. The script receives the polyinstantiated directory path -and the instance directory path as its arguments. - -Each line in namespace.conf describes a limit for a user in the form: - -<polydir> <instance_prefix> <method> <list_of_uids> - -Where: -<polydir> - is the absolute pathname of the directory to polyinstantiate - Special entry $HOME is supported to designate user's home directory. - This field cannot be blank. - -<instance_prefix> - is the string prefix used to build the pathname for the - instantiation of <polydir>. The directory security context, or - optionally its md5sum string (32 hex characters), is appended to - the prefix to generate the final instance directory path. - This directory is created if it did not exist already, and is then - bind mounted on the <polydir> to provide an instance of <polydir> - based on the <method> column. The special string $HOME is replaced with - the user's home directory, and $USER with the username. - This field cannot be blank. - -<method> - is the method used for polyinstantiation. It can take 3 different - values; "user" for polyinstantiation based on user name, "context" - for polyinstantiation based on process security context, and "both" - for polyinstantiation based on both user name and security context. - Methods "context" and "both" are only available with SELinux. This - field cannot be blank. - -<list_of_uids> - is a comma separated list of user names for whom the - polyinstantiation is not performed. If left blank, polyinstantiation - will be performed for all users. - -EXAMPLE /etc/security/namespace.conf configuration file: -======================================================= -# Following three lines will polyinstantiate /tmp, /var/tmp and user's home -# directories. /tmp and /var/tmp will be polyinstantiated based on both -# security context as well as user name, whereas home directory will -# be polyinstantiated based on security context only. Polyinstantiation -# will not be performed for user root and adm for directories /tmp and -# /var/tmp, whereas home directories will be polyinstantiated for all -# users. The user name and/or context is appended to the instance prefix. -# -# Note that instance directories do not have to reside inside the -# polyinstantiated directory. In the examples below, instances of /tmp -# will be created in /tmp-inst directory, where as instances of /var/tmp -# and users home directories will reside within the directories that -# are being polyinstantiated. -# -# Instance parent directories must exist for the polyinstantiation -# mechanism to work. By default, they should be created with the mode -# of 000. pam_namespace module will enforce this mode unless it -# is explicitly called with an argument to ignore the mode of the -# instance parent. System administrators should use this argument with -# caution, as it will reduce security and isolation achieved by -# polyinstantiation. -# -/tmp /tmp-inst/ both root,adm -/var/tmp /var/tmp/tmp-inst/ both root,adm -$HOME $HOME/$USER.inst/inst- context - -ARGUMENTS RECOGNIZED: - debug - Verbose logging by syslog - unmnt_remnt - For programs such as su and newrole, the login session has - already setup a polyinstantiated namespace. For these programs, - polyinstantiation is performed based on new user id or security - context, however the command first needs to undo the - polyinstantiation performed by login. This argument instructs - the command to first undo previous polyinstantiation before - proceeding with new polyinstantiation based on new id/context. - - unmnt_only - For trusted programs that want to undo any existing bind mounts - and process instance directories on their own, this argument - allows them to unmount currently mounted instance directories. - - require_selinux - If selinux is not enabled, return failure. - - gen_hash - Instead of using the security context string for the instance - name, generate and use its md5 hash. - - ignore_config_error - If a line in the configuration file corresponding to a - polyinstantiated directory contains format error, skip that - line process the next line. Without this option, pam will return - an error to the calling program resulting in termination - of the session. - - ignore_instance_parent_mode - Instance parent directories by default are expected to have - the restrictive mode of 000. Using this option, an administrator - can choose to ignore the mode of the instance parent. + </articleinfo> -MODULE SERVICES PROVIDED: - session open_session and close_session + <section> + <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" + href="pam_namespace.8.xml" xpointer='xpointer(//refsect1[@id = "pam_namespace-description"]/*)'/> + </section> -USAGE: - For the <service>s you need polyinstantiation (login for example) - put the following line in /etc/pam.d/<service> as the last line for - session group: + <section> + <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" + href="pam_namespace.8.xml" xpointer='xpointer(//refsect1[@id = "pam_namespace-options"]/*)'/> + </section> - session required pam_namespace.so [arguments] + <section> + <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" + href="namespace.conf.5.xml" xpointer='xpointer(//refsect1[@id = "namespace.conf-description"]/*)'/> + </section> - This module also depends on pam_selinux.so setting the context. -]]> - </programlisting> + <section> + <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" + href="namespace.conf.5.xml" xpointer='xpointer(//refsect1[@id = "namespace.conf-examples"]/*)'/> </section> -</article> +</article> diff --git a/Linux-PAM/modules/pam_namespace/namespace.conf b/Linux-PAM/modules/pam_namespace/namespace.conf index c7305ffe..f973225f 100644 --- a/Linux-PAM/modules/pam_namespace/namespace.conf +++ b/Linux-PAM/modules/pam_namespace/namespace.conf @@ -4,12 +4,10 @@ # # Uncommenting the following three lines will polyinstantiate # /tmp, /var/tmp and user's home directories. /tmp and /var/tmp will -# be polyinstantiated based on both security context as well as user -# name, whereas home directory will be polyinstantiated based on -# security context only. Polyinstantion will not be performed for -# user root and adm for directories /tmp and /var/tmp, whereas home -# directories will be polyinstantiated for all users. The user name -# and/or context is appended to the instance prefix. +# be polyinstantiated based on the MLS level part of the security context as well as user +# name, Polyinstantion will not be performed for user root and adm for directories +# /tmp and /var/tmp, whereas home directories will be polyinstantiated for all users. +# The user name and context is appended to the instance prefix. # # Note that instance directories do not have to reside inside the # polyinstantiated directory. In the examples below, instances of /tmp @@ -25,6 +23,6 @@ # caution, as it will reduce security and isolation achieved by # polyinstantiation. # -#/tmp /tmp-inst/ both root,adm -#/var/tmp /var/tmp/tmp-inst/ both root,adm -#$HOME $HOME/$USER.inst/inst- context +#/tmp /tmp-inst/ level root,adm +#/var/tmp /var/tmp/tmp-inst/ level root,adm +#$HOME $HOME/$USER.inst/ level diff --git a/Linux-PAM/modules/pam_namespace/namespace.conf.5 b/Linux-PAM/modules/pam_namespace/namespace.conf.5 index ff325a21..0a4d98e4 100644 --- a/Linux-PAM/modules/pam_namespace/namespace.conf.5 +++ b/Linux-PAM/modules/pam_namespace/namespace.conf.5 @@ -1,96 +1,101 @@ -.\"Generated by db2man.xsl. Don't modify this, modify the source. -.de Sh \" Subsection -.br -.if t .Sp -.ne 5 -.PP -\fB\\$1\fR -.PP -.. -.de Sp \" Vertical space (when we can't use .PP) -.if t .sp .5v -.if n .sp -.. -.de Ip \" List item -.br -.ie \\n(.$>=3 .ne \\$3 -.el .ne 3 -.IP "\\$1" \\$2 -.. -.TH "NAMESPACE.CONF" 5 "" "" "" -.SH NAME +.\" Title: namespace.conf +.\" Author: +.\" Generator: DocBook XSL Stylesheets v1.71.1 <http://docbook.sf.net/> +.\" Date: 06/20/2007 +.\" Manual: Linux\-PAM Manual +.\" Source: Linux\-PAM Manual +.\" +.TH "NAMESPACE.CONF" "5" "06/20/2007" "Linux\-PAM Manual" "Linux\-PAM Manual" +.\" disable hyphenation +.nh +.\" disable justification (adjust text to left margin only) +.ad l +.SH "NAME" namespace.conf \- the namespace configuration file .SH "DESCRIPTION" - .PP -This module allows setup of private namespaces with polyinstantiated directories\&. Directories can be polyinstantiated based on user name or, in the case of SELinux, user name, security context or both\&. If an executable script \fI/etc/security/namespace\&.init\fR exists, it is used to initialize the namespace every time a new instance directory is setup\&. The script receives the polyinstantiated directory path and the instance directory path as its arguments\&. - +This module allows setup of private namespaces with polyinstantiated directories. Directories can be polyinstantiated based on user name or, in the case of SELinux, user name, sensitivity level or complete security context. If an executable script +\fI/etc/security/namespace.init\fR +exists, it is used to initialize the namespace every time a new instance directory is setup. The script receives the polyinstantiated directory path and the instance directory path as its arguments. .PP -The \fI/etc/security/namespace\&.conf\fR file specifies which directories are polyinstantiated, how they are polyinstantiated, how instance directories would be named, and any users for whom polyinstantiation would not be performed\&. - +The +\fI/etc/security/namespace.conf\fR +file specifies which directories are polyinstantiated, how they are polyinstantiated, how instance directories would be named, and any users for whom polyinstantiation would not be performed. .PP -When someone logs in, the file \fInamespace\&.conf\fR is scanned where each non comment line represents one polyinstantiated directory with space separated fields as follows: - +When someone logs in, the file +\fInamespace.conf\fR +is scanned where each non comment line represents one polyinstantiated directory with space separated fields as follows: .PP - \fIpolydir\fR \fI instance_prefix\fR \fI method\fR \fI list_of_uids\fR +\fIpolydir\fR +\fI instance_prefix\fR +\fI method\fR +\fI list_of_uids\fR .PP -The first field, \fIpolydir\fR, is the absolute pathname of the directory to polyinstantiate\&. Special entry $HOME is supported to designate user's home directory\&. This field cannot be blank\&. - +The first field, +\fIpolydir\fR, is the absolute pathname of the directory to polyinstantiate. Special entry $HOME is supported to designate user's home directory. This field cannot be blank. .PP -The second field, \fIinstance_prefix\fR is the string prefix used to build the pathname for the instantiation of <polydir>\&. The directory security context, or optionally its md5sum string (32 hex characters), is appended to the prefix to generate the final instance directory path\&. This directory is created if it did not exist already, and is then bind mounted on the <polydir> to provide an instance of <polydir> based on the <method> column\&. The special string $HOME is replaced with the user's home directory, and $USER with the username\&. This field cannot be blank\&. The directory where polyinstantiated instances are to be created, must exist and must have, by default, the mode of 000\&. The requirement that the instance parent be of mode 000 can be overridden with the command line option <ignore_instance_parent_mode> - +The second field, +\fIinstance_prefix\fR +is the string prefix used to build the pathname for the instantiation of <polydir>. Depending on the polyinstantiation +\fImethod\fR +it is then appended with "instance differentiation string" to generate the final instance directory path. This directory is created if it did not exist already, and is then bind mounted on the <polydir> to provide an instance of <polydir> based on the <method> column. The special string $HOME is replaced with the user's home directory, and $USER with the username. This field cannot be blank. The directory where polyinstantiated instances are to be created, must exist and must have, by default, the mode of 000. The requirement that the instance parent be of mode 000 can be overridden with the command line option +\fIignore_instance_parent_mode\fR .PP -The third field, \fImethod\fR, is the method used for polyinstantiation\&. It can take 3 different values; "user" for polyinstantiation based on user name, "context" for polyinstantiation based on process security context, and "both" for polyinstantiation based on both user name and security context\&. Methods "context" and "both" are only available with SELinux\&. This field cannot be blank\&. - +The third field, +\fImethod\fR, is the method used for polyinstantiation. It can take 3 different values; "user" for polyinstantiation based on user name, "level" for polyinstantiation based on process MLS level and user name, and "context" for polyinstantiation based on process security context and user name Methods "context" and "level" are only available with SELinux. This field cannot be blank. .PP -The fourth field, \fIlist_of_uids\fR, is a comma separated list of user names for whom the polyinstantiation is not performed\&. If left blank, polyinstantiation will be performed for all users\&. - +The fourth field, +\fIlist_of_uids\fR, is a comma separated list of user names for whom the polyinstantiation is not performed. If left blank, polyinstantiation will be performed for all users. +.PP +In case of context or level polyinstantiation the SELinux context which is used for polyinstantiation is the context used for executing a new process as obtained by getexeccon. This context must be set by the calling application or +\fIpam_selinux.so\fR +module. If this context is not set the polyinstatiation will be based just on user name. +.PP +The "instance differentiation string" is <user name> for "user" method and <user name>_<raw directory context> for "context" and "level" methods. If the whole string is too long the end of it is replaced with md5sum of itself. Also when command line option +\fIgen_hash\fR +is used the whole string is replaced with md5sum of itself. .SH "EXAMPLES" - .PP -These are some example lines which might be specified in \fI/etc/security/namespace\&.conf\fR\&. - +These are some example lines which might be specified in +\fI/etc/security/namespace.conf\fR. +.sp +.RS 4 .nf - # The following three lines will polyinstantiate /tmp, - # /var/tmp and user's home directories\&. /tmp and /var/tmp - # will be polyinstantiated based on both security context + # /var/tmp and user's home directories. /tmp and /var/tmp + # will be polyinstantiated based on the security level # as well as user name, whereas home directory will be - # polyinstantiated based on security context only\&. + # polyinstantiated based on the full security context and user name. # Polyinstantiation will not be performed for user root # and adm for directories /tmp and /var/tmp, whereas home - # directories will be polyinstantiated for all users\&. + # directories will be polyinstantiated for all users. # # Note that instance directories do not have to reside inside - # the polyinstantiated directory\&. In the examples below, + # the polyinstantiated directory. In the examples below, # instances of /tmp will be created in /tmp\-inst directory, # where as instances of /var/tmp and users home directories # will reside within the directories that are being - # polyinstantiated\&. + # polyinstantiated. # - /tmp /tmp\-inst/ both root,adm - /var/tmp /var/tmp/tmp\-inst/ both root,adm - $HOME $HOME/$USER\&.inst/inst\- context + /tmp /tmp\-inst/ level root,adm + /var/tmp /var/tmp/tmp\-inst/ level root,adm + $HOME $HOME/$USER.inst/inst\- context .fi - +.RE .PP -For the <service>s you need polyinstantiation (login for example) put the following line in /etc/pam\&.d/<service> as the last line for session group: - +For the <service>s you need polyinstantiation (login for example) put the following line in /etc/pam.d/<service> as the last line for session group: .PP -session required pam_namespace\&.so [arguments] - +session required pam_namespace.so [arguments] .PP -This module also depends on pam_selinux\&.so setting the context\&. - +This module also depends on pam_selinux.so setting the context. .SH "SEE ALSO" - .PP - \fBpam_namespace\fR(8), \fBpam\&.d\fR(5), \fBpam\fR(8) +\fBpam_namespace\fR(8), +\fBpam.d\fR(5), +\fBpam\fR(8) .SH "AUTHORS" - .PP -The namespace\&.conf manual page was written by Janak Desai <janak@us\&.ibm\&.com>\&. - +The namespace.conf manual page was written by Janak Desai <janak@us.ibm.com>. diff --git a/Linux-PAM/modules/pam_namespace/namespace.conf.5.xml b/Linux-PAM/modules/pam_namespace/namespace.conf.5.xml index 36a1a085..db48cdcb 100644 --- a/Linux-PAM/modules/pam_namespace/namespace.conf.5.xml +++ b/Linux-PAM/modules/pam_namespace/namespace.conf.5.xml @@ -22,7 +22,7 @@ <para> This module allows setup of private namespaces with polyinstantiated directories. Directories can be polyinstantiated based on user name - or, in the case of SELinux, user name, security context or both. If an + or, in the case of SELinux, user name, sensitivity level or complete security context. If an executable script <filename>/etc/security/namespace.init</filename> exists, it is used to initialize the namespace every time a new instance directory is setup. The script receives the polyinstantiated @@ -56,26 +56,27 @@ <para> The second field, <replaceable>instance_prefix</replaceable> is the string prefix used to build the pathname for the instantiation - of <polydir>. The directory security context, or optionally its - md5sum string (32 hex characters), is appended to the prefix to - generate the final instance directory path. This directory is - created if it did not exist already, and is then bind mounted on the - <polydir> to provide an instance of <polydir> based on the - <method> column. The special string $HOME is replaced with the - user's home directory, and $USER with the username. This field cannot - be blank. The directory where polyinstantiated instances are to be + of <polydir>. Depending on the polyinstantiation + <replaceable>method</replaceable> it is then appended with + "instance differentiation string" to generate the final + instance directory path. This directory is created if it did not exist + already, and is then bind mounted on the <polydir> to provide an + instance of <polydir> based on the <method> column. + The special string $HOME is replaced with the user's home directory, + and $USER with the username. This field cannot be blank. + The directory where polyinstantiated instances are to be created, must exist and must have, by default, the mode of 000. The requirement that the instance parent be of mode 000 can be overridden - with the command line option <ignore_instance_parent_mode> + with the command line option <replaceable>ignore_instance_parent_mode</replaceable> </para> <para> The third field, <replaceable>method</replaceable>, is the method used for polyinstantiation. It can take 3 different values; "user" - for polyinstantiation based on user name, "context" for - polyinstantiation based on process security context, and "both" - for polyinstantiation based on both user name and security context. - Methods "context" and "both" are only available with SELinux. This + for polyinstantiation based on user name, "level" for + polyinstantiation based on process MLS level and user name, and "context" for + polyinstantiation based on process security context and user name + Methods "context" and "level" are only available with SELinux. This field cannot be blank. </para> @@ -86,6 +87,24 @@ for all users. </para> + <para> + In case of context or level polyinstantiation the SELinux context + which is used for polyinstantiation is the context used for executing + a new process as obtained by getexeccon. This context must be set + by the calling application or <filename>pam_selinux.so</filename> + module. If this context is not set the polyinstatiation will be + based just on user name. + </para> + + <para> + The "instance differentiation string" is <user name> for "user" + method and <user name>_<raw directory context> for "context" + and "level" methods. If the whole string is too long the end of it is + replaced with md5sum of itself. Also when command line option + <replaceable>gen_hash</replaceable> is used the whole string is replaced + with md5sum of itself. + </para> + </refsect1> <refsect1 id="namespace.conf-examples"> @@ -98,9 +117,9 @@ <literallayout> # The following three lines will polyinstantiate /tmp, # /var/tmp and user's home directories. /tmp and /var/tmp - # will be polyinstantiated based on both security context + # will be polyinstantiated based on the security level # as well as user name, whereas home directory will be - # polyinstantiated based on security context only. + # polyinstantiated based on the full security context and user name. # Polyinstantiation will not be performed for user root # and adm for directories /tmp and /var/tmp, whereas home # directories will be polyinstantiated for all users. @@ -112,8 +131,8 @@ # will reside within the directories that are being # polyinstantiated. # - /tmp /tmp-inst/ both root,adm - /var/tmp /var/tmp/tmp-inst/ both root,adm + /tmp /tmp-inst/ level root,adm + /var/tmp /var/tmp/tmp-inst/ level root,adm $HOME $HOME/$USER.inst/inst- context </literallayout> diff --git a/Linux-PAM/modules/pam_namespace/namespace.init b/Linux-PAM/modules/pam_namespace/namespace.init index 62f8e6e4..0e9be68f 100755 --- a/Linux-PAM/modules/pam_namespace/namespace.init +++ b/Linux-PAM/modules/pam_namespace/namespace.init @@ -1,4 +1,4 @@ -#!/bin/sh +#!/bin/sh -p # This is only a boilerplate for the instance initialization script. # It receives polydir path as $1 and the instance path as $2. # diff --git a/Linux-PAM/modules/pam_namespace/pam_namespace.8 b/Linux-PAM/modules/pam_namespace/pam_namespace.8 index 126cfc88..8d136c99 100644 --- a/Linux-PAM/modules/pam_namespace/pam_namespace.8 +++ b/Linux-PAM/modules/pam_namespace/pam_namespace.8 @@ -1,11 +1,11 @@ .\" Title: pam_namespace .\" Author: -.\" Generator: DocBook XSL Stylesheets v1.70.1 <http://docbook.sf.net/> -.\" Date: 06/27/2006 +.\" Generator: DocBook XSL Stylesheets v1.71.1 <http://docbook.sf.net/> +.\" Date: 06/20/2007 .\" Manual: Linux\-PAM Manual .\" Source: Linux\-PAM Manual .\" -.TH "PAM_NAMESPACE" "8" "06/27/2006" "Linux\-PAM Manual" "Linux\-PAM Manual" +.TH "PAM_NAMESPACE" "8" "06/20/2007" "Linux\-PAM Manual" "Linux\-PAM Manual" .\" disable hyphenation .nh .\" disable justification (adjust text to left margin only) @@ -14,7 +14,7 @@ pam_namespace \- PAM module for configuring namespace for a session .SH "SYNOPSIS" .HP 17 -\fBpam_namespace.so\fR [debug] [unmnt_remnt] [unmnt_only] [require_selinux] [gen_hash] [ignore_config_error] [ignore_instance_parent_mode] +\fBpam_namespace.so\fR [debug] [unmnt_remnt] [unmnt_only] [require_selinux] [gen_hash] [ignore_config_error] [ignore_instance_parent_mode] [no_unmount_on_close] .SH "DESCRIPTION" .PP The pam_namespace PAM module sets up a private namespace for a session with polyinstantiated directories. A polyinstantiated directory provides a different instance of itself based on user name, or when using SELinux, user name, security context or both. If an executable script @@ -23,46 +23,73 @@ exists, it is used to initialize the namespace every time a new instance directo .PP The pam_namespace module disassociates the session namespace from the parent namespace. Any mounts/unmounts performed in the parent namespace, such as mounting of devices, are not reflected in the session namespace. To propagate selected mount/unmount events from the parent namespace into the disassociated session namespace, an administrator may use the special shared\-subtree feature. For additional information on shared\-subtree feature, please refer to the mount(8) man page and the shared\-subtree description at http://lwn.net/Articles/159077 and http://lwn.net/Articles/159092. .SH "OPTIONS" -.TP 3n +.PP \fBdebug\fR +.RS 4 A lot of debug information is logged using syslog -.TP 3n +.RE +.PP \fBunmnt_remnt\fR +.RS 4 For programs such as su and newrole, the login session has already setup a polyinstantiated namespace. For these programs, polyinstantiation is performed based on new user id or security context, however the command first needs to undo the polyinstantiation performed by login. This argument instructs the command to first undo previous polyinstantiation before proceeding with new polyinstantiation based on new id/context -.TP 3n +.RE +.PP \fBunmnt_only\fR +.RS 4 For trusted programs that want to undo any existing bind mounts and process instance directories on their own, this argument allows them to unmount currently mounted instance directories -.TP 3n +.RE +.PP \fBrequire_selinux\fR +.RS 4 If selinux is not enabled, return failure -.TP 3n +.RE +.PP \fBgen_hash\fR +.RS 4 Instead of using the security context string for the instance name, generate and use its md5 hash. -.TP 3n +.RE +.PP \fBignore_config_error\fR +.RS 4 If a line in the configuration file corresponding to a polyinstantiated directory contains format error, skip that line process the next line. Without this option, pam will return an error to the calling program resulting in termination of the session. -.TP 3n +.RE +.PP \fBignore_instance_parent_mode\fR +.RS 4 Instance parent directories by default are expected to have the restrictive mode of 000. Using this option, an administrator can choose to ignore the mode of the instance parent. This option should be used with caution as it will reduce security and isolation goals of the polyinstantiation mechanism. +.RE +.PP +\fBno_unmount_on_close\fR +.RS 4 +For certain trusted programs such as newrole, open session is called from a child process while the parent perfoms close session and pam end functions. For these commands use this option to instruct pam_close_session to not unmount the bind mounted polyinstantiated directory in the parent. +.RE .SH "MODULE SERVICES PROVIDED" .PP The \fBsession\fR service is supported. .SH "RETURN VALUES" -.TP 3n +.PP PAM_SUCCESS +.RS 4 Namespace setup was successful. -.TP 3n +.RE +.PP PAM_SERVICE_ERR +.RS 4 Unexpected system error occurred while setting up namespace. -.TP 3n +.RE +.PP PAM_SESSION_ERR +.RS 4 Unexpected namespace configuration error occurred. +.RE .SH "FILES" -.TP 3n +.PP \fI/etc/security/namespace.conf\fR +.RS 4 Configuration file +.RE .SH "EXAMPLES" .PP For the <service>s you need polyinstantiation (login for example) put the following line in /etc/pam.d/<service> as the last line for session group: @@ -80,7 +107,7 @@ to ensure that the X server and its clients can appropriately access the communi .PP .sp -.RS 3n +.RS 4 .nf 1. Disable the use of font server by commenting out "FontPath" line in /etc/X11/xorg.conf. If you do want to use the font server diff --git a/Linux-PAM/modules/pam_namespace/pam_namespace.8.xml b/Linux-PAM/modules/pam_namespace/pam_namespace.8.xml index 4c93ecf0..e1b307ae 100644 --- a/Linux-PAM/modules/pam_namespace/pam_namespace.8.xml +++ b/Linux-PAM/modules/pam_namespace/pam_namespace.8.xml @@ -43,6 +43,9 @@ <arg choice="opt"> ignore_instance_parent_mode </arg> + <arg choice="opt"> + no_unmount_on_close + </arg> </cmdsynopsis> </refsynopsisdiv> @@ -179,6 +182,22 @@ </listitem> </varlistentry> + <varlistentry> + <term> + <option>no_unmount_on_close</option> + </term> + <listitem> + <para> + For certain trusted programs such as newrole, open session + is called from a child process while the parent perfoms + close session and pam end functions. For these commands + use this option to instruct pam_close_session to not + unmount the bind mounted polyinstantiated directory in the + parent. + </para> + </listitem> + </varlistentry> + </variablelist> </refsect1> diff --git a/Linux-PAM/modules/pam_namespace/pam_namespace.c b/Linux-PAM/modules/pam_namespace/pam_namespace.c index e4e4a5d8..73d8e591 100644 --- a/Linux-PAM/modules/pam_namespace/pam_namespace.c +++ b/Linux-PAM/modules/pam_namespace/pam_namespace.c @@ -244,23 +244,29 @@ static int process_line(char *line, const char *home, } strcpy(poly.dir, dir); strcpy(poly.instance_prefix, instance_prefix); - if (strcmp(method, "user") == 0) - poly.method = USER; + + poly.method = NONE; + if (strcmp(method, "user") == 0) + poly.method = USER; + #ifdef WITH_SELINUX - else if (strcmp(method, "context") == 0) { + if (strcmp(method, "level") == 0) { if (idata->flags & PAMNS_CTXT_BASED_INST) - poly.method = CONTEXT; + poly.method = LEVEL; else poly.method = USER; - } else if (strcmp(method, "both") == 0) { + } + + if (strcmp(method, "context") == 0) { if (idata->flags & PAMNS_CTXT_BASED_INST) - poly.method = BOTH; + poly.method = CONTEXT; else poly.method = USER; } #endif - else { + + if ( poly.method == NONE) { pam_syslog(idata->pamh, LOG_NOTICE, "Illegal method"); goto skipping; } @@ -296,11 +302,14 @@ static int process_line(char *line, const char *home, *tptr = '\0'; pwd = pam_modutil_getpwnam(idata->pamh, ustr); - *uidptr = pwd->pw_uid; - if (i < count - 1) { - ustr = tptr + 1; + if (pwd == NULL) { + pam_syslog(idata->pamh, LOG_ERR, "Unknown user %s in configuration", ustr); + poly.num_uids--; + } else { + *uidptr = pwd->pw_uid; uidptr++; } + ustr = tptr + 1; } } @@ -411,17 +420,18 @@ static int parse_config_file(struct instance_data *idata) * uids for the polyinstantiated directory, polyinstantiation is not * performed for that user for that directory. */ -static int ns_override(struct polydir_s *polyptr, struct instance_data *idata) +static int ns_override(struct polydir_s *polyptr, struct instance_data *idata, + uid_t uid) { unsigned int i; if (idata->flags & PAMNS_DEBUG) pam_syslog(idata->pamh, LOG_DEBUG, "Checking for ns override in dir %s for uid %d", - polyptr->dir, idata->uid); + polyptr->dir, uid); for (i = 0; i < polyptr->num_uids; i++) { - if (idata->uid == polyptr->uid[i]) { + if (uid == polyptr->uid[i]) { return 1; } } @@ -429,6 +439,36 @@ static int ns_override(struct polydir_s *polyptr, struct instance_data *idata) return 0; } +/* + * md5hash generates a hash of the passed in instance directory name. + */ +static char *md5hash(const char *instname, struct instance_data *idata) +{ + int i; + char *md5inst = NULL; + char *to; + unsigned char inst_digest[MD5_DIGEST_LENGTH]; + + /* + * Create MD5 hashes for instance pathname. + */ + + MD5((const unsigned char *)instname, strlen(instname), inst_digest); + + if ((md5inst = malloc(MD5_DIGEST_LENGTH * 2 + 1)) == NULL) { + pam_syslog(idata->pamh, LOG_ERR, "Unable to allocate buffer"); + return NULL; + } + + to = md5inst; + for (i = 0; i < MD5_DIGEST_LENGTH; i++) { + snprintf(to, 3, "%02x", (unsigned int)inst_digest[i]); + to += 2; + } + + return md5inst; +} + #ifdef WITH_SELINUX static int form_context(const struct polydir_s *polyptr, security_context_t *i_context, security_context_t *origcon, @@ -448,19 +488,23 @@ static int form_context(const struct polydir_s *polyptr, return PAM_SESSION_ERR; } + if (polyptr->method == USER) return PAM_SUCCESS; + + rc = getexeccon(&scon); + if (rc < 0 || scon == NULL) { + pam_syslog(idata->pamh, LOG_ERR, + "Error getting exec context, %m"); + return PAM_SESSION_ERR; + } + /* * If polyinstantiating based on security context, get current * process security context, get security class for directories, * and ask the policy to provide security context of the * polyinstantiated instance directory. */ - if ((polyptr->method == CONTEXT) || (polyptr->method == BOTH)) { - rc = getexeccon(&scon); - if (rc < 0 || scon == NULL) { - pam_syslog(idata->pamh, LOG_ERR, - "Error getting exec context, %m"); - return PAM_SESSION_ERR; - } + + if (polyptr->method == CONTEXT) { tclass = string_to_security_class("dir"); if (security_compute_member(scon, *origcon, tclass, @@ -473,7 +517,48 @@ static int form_context(const struct polydir_s *polyptr, pam_syslog(idata->pamh, LOG_DEBUG, "member context returned by policy %s", *i_context); freecon(scon); + return PAM_SUCCESS; } + + /* + * If polyinstantiating based on security level, get current + * process security context, get security class for directories, + * and change the directories MLS Level to match process. + */ + + if (polyptr->method == LEVEL) { + context_t scontext = NULL; + context_t fcontext = NULL; + rc = PAM_SESSION_ERR; + + scontext = context_new(scon); + if (! scontext) { + pam_syslog(idata->pamh, LOG_ERR, "out of memory"); + goto fail; + } + fcontext = context_new(*origcon); + if (! fcontext) { + pam_syslog(idata->pamh, LOG_ERR, "out of memory"); + goto fail; + } + if (context_range_set(fcontext, context_range_get(scontext)) != 0) { + pam_syslog(idata->pamh, LOG_ERR, "Unable to set MLS Componant of context"); + goto fail; + } + *i_context=strdup(context_str(fcontext)); + if (! *i_context) { + pam_syslog(idata->pamh, LOG_ERR, "out of memory"); + goto fail; + } + + rc = PAM_SUCCESS; + fail: + context_free(scontext); + context_free(fcontext); + freecon(scon); + return rc; + } + /* Should never get here */ return PAM_SUCCESS; } #endif @@ -495,12 +580,21 @@ static int poly_name(const struct polydir_s *polyptr, char **i_name, #endif { int rc; + char *hash = NULL; +#ifdef WITH_SELINUX + security_context_t rawcon = NULL; +#endif -# ifdef WITH_SELINUX - rc = form_context(polyptr, i_context, origcon, idata); + *i_name = NULL; +#ifdef WITH_SELINUX + *i_context = NULL; + *origcon = NULL; + if ((rc=form_context(polyptr, i_context, origcon, idata)) != PAM_SUCCESS) { + return rc; + } #endif - rc = PAM_SUCCESS; + rc = PAM_SESSION_ERR; /* * Set the name of the polyinstantiated instance dir based on the * polyinstantiation method. @@ -509,35 +603,70 @@ static int poly_name(const struct polydir_s *polyptr, char **i_name, case USER: if (asprintf(i_name, "%s", idata->user) < 0) { *i_name = NULL; - rc = PAM_SESSION_ERR; - } + goto fail; + } break; #ifdef WITH_SELINUX + case LEVEL: case CONTEXT: - if (asprintf(i_name, "%s", *i_context) < 0) { + if (selinux_trans_to_raw_context(*i_context, &rawcon) < 0) { + pam_syslog(idata->pamh, LOG_ERR, "Error translating directory context"); + goto fail; + } + if (asprintf(i_name, "%s_%s", rawcon, idata->user) < 0) { *i_name = NULL; - rc = PAM_SESSION_ERR; + goto fail; } break; - case BOTH: - if (asprintf(i_name, "%s_%s", *i_context, idata->user) < 0) { - *i_name = NULL; - rc = PAM_SESSION_ERR; - } - break; #endif /* WITH_SELINUX */ default: if (idata->flags & PAMNS_DEBUG) pam_syslog(idata->pamh, LOG_ERR, "Unknown method"); - rc = PAM_SESSION_ERR; + goto fail; } - if ((idata->flags & PAMNS_DEBUG) && rc == PAM_SUCCESS) + if (idata->flags & PAMNS_DEBUG) pam_syslog(idata->pamh, LOG_DEBUG, "poly_name %s", *i_name); + if ((idata->flags & PAMNS_GEN_HASH) || strlen(*i_name) > NAMESPACE_MAX_DIR_LEN) { + hash = md5hash(*i_name, idata); + if (hash == NULL) { + goto fail; + } + if (idata->flags & PAMNS_GEN_HASH) { + free(*i_name); + *i_name = hash; + hash = NULL; + } else { + char *newname; + if (asprintf(&newname, "%.*s_%s", NAMESPACE_MAX_DIR_LEN-1-strlen(hash), + *i_name, hash) < 0) { + goto fail; + } + free(*i_name); + *i_name = newname; + } + } + rc = PAM_SUCCESS; + +fail: + free(hash); +#ifdef WITH_SELINUX + freecon(rawcon); +#endif + if (rc != PAM_SUCCESS) { +#ifdef WITH_SELINUX + freecon(*i_context); + *i_context = NULL; + freecon(*origcon); + *origcon = NULL; +#endif + free(*i_name); + *i_name = NULL; + } return rc; } @@ -785,39 +914,6 @@ inst_init: /* - * md5hash generates a hash of the passed in instance directory name. - */ -static int md5hash(char **instname, struct instance_data *idata) -{ - int i; - char *md5inst = NULL; - char *to; - unsigned char inst_digest[MD5_DIGEST_LENGTH]; - - /* - * Create MD5 hashes for instance pathname. - */ - - MD5((unsigned char *)*instname, strlen(*instname), inst_digest); - - if ((md5inst = malloc(MD5_DIGEST_LENGTH * 2 + 1)) == NULL) { - pam_syslog(idata->pamh, LOG_ERR, "Unable to allocate buffer"); - return PAM_SESSION_ERR; - } - - to = md5inst; - for (i = 0; i < MD5_DIGEST_LENGTH; i++) { - snprintf(to, 3, "%02x", (unsigned int)inst_digest[i]); - to += 3; - } - - free(*instname); - *instname = md5inst; - - return PAM_SUCCESS; -} - -/* * This function performs the namespace setup for a particular directory * that is being polyinstantiated. It creates an MD5 hash of instance * directory, calls create_dirs to create it with appropriate @@ -867,14 +963,6 @@ static int ns_setup(const struct polydir_s *polyptr, #endif } - if (idata->flags & PAMNS_GEN_HASH) { - retval = md5hash(&instname, idata); - if (retval < 0) { - pam_syslog(idata->pamh, LOG_ERR, "Error generating md5 hash"); - goto error_out; - } - } - if (asprintf(&inst_dir, "%s%s", polyptr->instance_prefix, instname) < 0) goto error_out; @@ -967,21 +1055,46 @@ static int setup_namespace(struct instance_data *idata, enum unmnt_op unmnt) int retval = 0, need_poly = 0, changing_dir = 0; char *cptr, *fptr, poly_parent[PATH_MAX]; struct polydir_s *pptr; + uid_t req_uid; + const void *ruser_name; + struct passwd *pwd; if (idata->flags & PAMNS_DEBUG) pam_syslog(idata->pamh, LOG_DEBUG, "Set up namespace for pid %d", getpid()); + retval = pam_get_item(idata->pamh, PAM_RUSER, &ruser_name); + if (ruser_name == NULL || retval != PAM_SUCCESS) { + retval = PAM_SUCCESS; + req_uid = getuid(); + } else { + pwd = pam_modutil_getpwnam(idata->pamh, ruser_name); + if (pwd != NULL) { + req_uid = pwd->pw_uid; + } else { + req_uid = getuid(); + } + } + /* * Cycle through all polyinstantiated directory entries to see if * polyinstantiation is needed at all. */ for (pptr = idata->polydirs_ptr; pptr; pptr = pptr->next) { - if (ns_override(pptr, idata)) { - if (idata->flags & PAMNS_DEBUG) - pam_syslog(idata->pamh, LOG_DEBUG, + if (ns_override(pptr, idata, idata->uid)) { + if (unmnt == NO_UNMNT || ns_override(pptr, idata, req_uid)) { + if (idata->flags & PAMNS_DEBUG) + pam_syslog(idata->pamh, LOG_DEBUG, "Overriding poly for user %d for dir %s", idata->uid, pptr->dir); + } else { + if (idata->flags & PAMNS_DEBUG) + pam_syslog(idata->pamh, LOG_DEBUG, + "Need unmount ns for user %d for dir %s", + idata->uid, pptr->dir); + need_poly = 1; + break; + } continue; } else { if (idata->flags & PAMNS_DEBUG) @@ -1011,15 +1124,20 @@ static int setup_namespace(struct instance_data *idata, enum unmnt_op unmnt) * call ns_setup to setup polyinstantiation for a particular entry. */ for (pptr = idata->polydirs_ptr; pptr; pptr = pptr->next) { - if (ns_override(pptr, idata)) - continue; - else { - if (idata->flags & PAMNS_DEBUG) + enum unmnt_op dir_unmnt = unmnt; + if (ns_override(pptr, idata, idata->uid)) { + if (unmnt == NO_UNMNT || ns_override(pptr, idata, req_uid)) { + continue; + } else { + dir_unmnt = UNMNT_ONLY; + } + } + if (idata->flags & PAMNS_DEBUG) pam_syslog(idata->pamh, LOG_DEBUG, "Setting poly ns for user %d for dir %s", idata->uid, pptr->dir); - if ((unmnt == UNMNT_REMNT) || (unmnt == UNMNT_ONLY)) { + if ((dir_unmnt == UNMNT_REMNT) || (dir_unmnt == UNMNT_ONLY)) { /* * Check to see if process current directory is in the * bind mounted instance_parent directory that we are trying to @@ -1059,13 +1177,12 @@ static int setup_namespace(struct instance_data *idata, enum unmnt_op unmnt) } else if (idata->flags & PAMNS_DEBUG) pam_syslog(idata->pamh, LOG_DEBUG, "Umount succeeded %s", pptr->dir); - } + } - if (unmnt != UNMNT_ONLY) { + if (dir_unmnt != UNMNT_ONLY) { retval = ns_setup(pptr, idata); if (retval != PAM_SUCCESS) break; - } } } @@ -1092,7 +1209,7 @@ static int orig_namespace(struct instance_data *idata) * appropriate polyinstantiated instance directories. */ for (pptr = idata->polydirs_ptr; pptr; pptr = pptr->next) { - if (ns_override(pptr, idata)) + if (ns_override(pptr, idata, idata->uid)) continue; else { if (idata->flags & PAMNS_DEBUG) @@ -1158,7 +1275,7 @@ PAM_EXTERN int pam_sm_open_session(pam_handle_t *pamh, int flags UNUSED, #ifdef WITH_SELINUX if (is_selinux_enabled()) idata.flags |= PAMNS_SELINUX_ENABLED; - if (ctxt_based_inst_needed()) + if (ctxt_based_inst_needed()) idata.flags |= PAMNS_CTXT_BASED_INST; #endif @@ -1266,12 +1383,30 @@ PAM_EXTERN int pam_sm_close_session(pam_handle_t *pamh, int flags UNUSED, idata.flags |= PAMNS_DEBUG; if (strcmp(argv[i], "ignore_config_error") == 0) idata.flags |= PAMNS_IGN_CONFIG_ERR; + if (strcmp(argv[i], "no_unmount_on_close") == 0) + idata.flags |= PAMNS_NO_UNMOUNT_ON_CLOSE; } if (idata.flags & PAMNS_DEBUG) pam_syslog(idata.pamh, LOG_DEBUG, "close_session - start"); /* + * For certain trusted programs such as newrole, open session + * is called from a child process while the parent perfoms + * close session and pam end functions. For these commands + * pam_close_session should not perform the unmount of the + * polyinstantiatied directory because it will result in + * undoing of parents polyinstantiatiaion. These commands + * will invoke pam_namespace with the "no_unmount_on_close" + * argument. + */ + if (idata.flags & PAMNS_NO_UNMOUNT_ON_CLOSE) { + if (idata.flags & PAMNS_DEBUG) + pam_syslog(idata.pamh, LOG_DEBUG, "close_session - sucessful"); + return PAM_SUCCESS; + } + + /* * Lookup user and fill struct items */ retval = pam_get_item(idata.pamh, PAM_USER, (void*) &user_name ); diff --git a/Linux-PAM/modules/pam_namespace/pam_namespace.h b/Linux-PAM/modules/pam_namespace/pam_namespace.h index c918cff3..0847ec08 100644 --- a/Linux-PAM/modules/pam_namespace/pam_namespace.h +++ b/Linux-PAM/modules/pam_namespace/pam_namespace.h @@ -63,6 +63,7 @@ #ifdef WITH_SELINUX #include <selinux/selinux.h> +#include <selinux/context.h> #endif #ifndef CLONE_NEWNS @@ -86,15 +87,19 @@ #define PAMNS_GEN_HASH 0x00002000 /* Generate md5 hash for inst names */ #define PAMNS_IGN_CONFIG_ERR 0x00004000 /* Ignore format error in conf file */ #define PAMNS_IGN_INST_PARENT_MODE 0x00008000 /* Ignore instance parent mode */ +#define PAMNS_NO_UNMOUNT_ON_CLOSE 0x00010000 /* no unmount at session close */ + +#define NAMESPACE_MAX_DIR_LEN 80 /* * Polyinstantiation method options, based on user, security context * or both */ enum polymethod { + NONE, USER, CONTEXT, - BOTH, + LEVEL, }; /* diff --git a/Linux-PAM/modules/pam_selinux/README b/Linux-PAM/modules/pam_selinux/README index 4268d3fb..9e841f2e 100644 --- a/Linux-PAM/modules/pam_selinux/README +++ b/Linux-PAM/modules/pam_selinux/README @@ -31,11 +31,6 @@ debug Turns on debugging via syslog(3). -multiple - - Tells pam_selinux.so to allow the user to select the security context they - will login with, if the user has more than one role. - open Only execute the open_session portion of the module. @@ -48,6 +43,16 @@ verbose attempt to inform the user when security context is set. +select_context + + Attempt to ask the user for a custom security context role. If MLS is on + ask also for sensitivity level. + +use_current_range + + Use the sensitivity range of the process for the user context. This option + and the select_context option are mutually exclusive. + EXAMPLES auth required pam_unix.so diff --git a/Linux-PAM/modules/pam_selinux/pam_selinux.8 b/Linux-PAM/modules/pam_selinux/pam_selinux.8 index f44fc684..6709ac9c 100644 --- a/Linux-PAM/modules/pam_selinux/pam_selinux.8 +++ b/Linux-PAM/modules/pam_selinux/pam_selinux.8 @@ -1,11 +1,11 @@ .\" Title: pam_selinux .\" Author: -.\" Generator: DocBook XSL Stylesheets v1.70.1 <http://docbook.sf.net/> -.\" Date: 06/18/2006 +.\" Generator: DocBook XSL Stylesheets v1.71.1 <http://docbook.sf.net/> +.\" Date: 06/20/2007 .\" Manual: Linux\-PAM Manual .\" Source: Linux\-PAM Manual .\" -.TH "PAM_SELINUX" "8" "06/18/2006" "Linux\-PAM Manual" "Linux\-PAM Manual" +.TH "PAM_SELINUX" "8" "06/20/2007" "Linux\-PAM Manual" "Linux\-PAM Manual" .\" disable hyphenation .nh .\" disable justification (adjust text to left margin only) @@ -14,7 +14,7 @@ pam_selinux \- PAM module to set the default security context .SH "SYNOPSIS" .HP 15 -\fBpam_selinux.so\fR [close] [debug] [multiple] [open] [nottys] [verbose] +\fBpam_selinux.so\fR [close] [debug] [open] [nottys] [verbose] [select_context] [use_current_range] .SH "DESCRIPTION" .PP In a nutshell, pam_selinux sets up the default security context for the next execed shell. @@ -23,43 +23,66 @@ When an application opens a session using pam_selinux, the shell that gets execu .PP Adding pam_selinux into a pam file could cause other pam modules to change their behavior if the exec another application. The close and open option help mitigate this problem. close option will only cause the close portion of the pam_selinux to execute, and open will only cause the open portion to run. You can add pam_selinux to the config file twice. Add the pam_selinux close as the executes the open pass through the modules, pam_selinux open_session will happen last. When PAM executes the close pass through the modules pam_selinux close_session will happen first. .SH "OPTIONS" -.TP 3n +.PP \fBclose\fR +.RS 4 Only execute the close_session portion of the module. -.TP 3n +.RE +.PP \fBdebug\fR +.RS 4 Turns on debugging via \fBsyslog\fR(3). -.TP 3n -\fBmultiple\fR -Tells pam_selinux.so to allow the user to select the security context they will login with, if the user has more than one role. -.TP 3n +.RE +.PP \fBopen\fR +.RS 4 Only execute the open_session portion of the module. -.TP 3n +.RE +.PP \fBnottys\fR +.RS 4 Do not try to setup the ttys security context. -.TP 3n +.RE +.PP \fBverbose\fR +.RS 4 attempt to inform the user when security context is set. +.RE +.PP +\fBselect_context\fR +.RS 4 +Attempt to ask the user for a custom security context role. If MLS is on ask also for sensitivity level. +.RE +.PP +\fBuse_current_range\fR +.RS 4 +Use the sensitivity range of the process for the user context. This option and the select_context option are mutually exclusive. +.RE .SH "MODULE SERVICES PROVIDED" .PP Only the \fBsession\fR service is supported. .SH "RETURN VALUES" -.TP 3n +.PP PAM_AUTH_ERR +.RS 4 Unable to get or set a valid context. -.TP 3n +.RE +.PP PAM_SUCCESS +.RS 4 The security context was set successfull. -.TP 3n +.RE +.PP PAM_USER_UNKNOWN +.RS 4 The user is not known to the system. +.RE .SH "EXAMPLES" .sp -.RS 3n +.RS 4 .nf auth required pam_unix.so session required pam_permit.so diff --git a/Linux-PAM/modules/pam_selinux/pam_selinux.8.xml b/Linux-PAM/modules/pam_selinux/pam_selinux.8.xml index 1f00f082..3acd1322 100644 --- a/Linux-PAM/modules/pam_selinux/pam_selinux.8.xml +++ b/Linux-PAM/modules/pam_selinux/pam_selinux.8.xml @@ -25,9 +25,6 @@ debug </arg> <arg choice="opt"> - multiple - </arg> - <arg choice="opt"> open </arg> <arg choice="opt"> @@ -36,6 +33,12 @@ <arg choice="opt"> verbose </arg> + <arg choice="opt"> + select_context + </arg> + <arg choice="opt"> + use_current_range + </arg> </cmdsynopsis> </refsynopsisdiv> @@ -93,43 +96,53 @@ </varlistentry> <varlistentry> <term> - <option>multiple</option> + <option>open</option> </term> <listitem> <para> - Tells pam_selinux.so to allow the user to select the - security context they will login with, if the user has - more than one role. + Only execute the open_session portion of the module. </para> </listitem> </varlistentry> <varlistentry> <term> - <option>open</option> + <option>nottys</option> </term> <listitem> <para> - Only execute the open_session portion of the module. + Do not try to setup the ttys security context. </para> </listitem> </varlistentry> <varlistentry> <term> - <option>nottys</option> + <option>verbose</option> </term> <listitem> <para> - Do not try to setup the ttys security context. + attempt to inform the user when security context is set. </para> </listitem> </varlistentry> <varlistentry> <term> - <option>verbose</option> + <option>select_context</option> </term> <listitem> <para> - attempt to inform the user when security context is set. + Attempt to ask the user for a custom security context role. + If MLS is on ask also for sensitivity level. + </para> + </listitem> + </varlistentry> + <varlistentry> + <term> + <option>use_current_range</option> + </term> + <listitem> + <para> + Use the sensitivity range of the process for the user context. + This option and the select_context option are mutually exclusive. </para> </listitem> </varlistentry> diff --git a/Linux-PAM/modules/pam_selinux/pam_selinux.c b/Linux-PAM/modules/pam_selinux/pam_selinux.c index 5aaec2e7..f0935896 100644 --- a/Linux-PAM/modules/pam_selinux/pam_selinux.c +++ b/Linux-PAM/modules/pam_selinux/pam_selinux.c @@ -63,9 +63,67 @@ #include <selinux/selinux.h> #include <selinux/get_context_list.h> #include <selinux/flask.h> +#include <selinux/av_permissions.h> #include <selinux/selinux.h> #include <selinux/context.h> +#include <selinux/get_default_type.h> +#ifdef HAVE_LIBAUDIT +#include <libaudit.h> +#include <sys/select.h> +#include <errno.h> +#endif + +/* Send audit message */ +static + +int send_audit_message(pam_handle_t *pamh, int success, security_context_t default_context, + security_context_t selected_context) +{ + int rc=0; +#ifdef HAVE_LIBAUDIT + char *msg = NULL; + int audit_fd = audit_open(); + security_context_t default_raw=NULL; + security_context_t selected_raw=NULL; + rc = -1; + if (audit_fd < 0) { + if (errno == EINVAL || errno == EPROTONOSUPPORT || + errno == EAFNOSUPPORT) + return 0; /* No audit support in kernel */ + pam_syslog(pamh, LOG_ERR, _("Error connecting to audit system.")); + return rc; + } + if (selinux_trans_to_raw_context(default_context, &default_raw) < 0) { + pam_syslog(pamh, LOG_ERR, _("Error translating default context.")); + default_raw = NULL; + } + if (selinux_trans_to_raw_context(selected_context, &selected_raw) < 0) { + pam_syslog(pamh, LOG_ERR, _("Error translating selected context.")); + selected_raw = NULL; + } + if (asprintf(&msg, "pam: default-context=%s selected-context=%s", + default_raw ? default_raw : (default_context ? default_context : "?"), + selected_raw ? selected_raw : (selected_context ? selected_context : "?")) < 0) { + pam_syslog(pamh, LOG_ERR, ("Error allocating memory.")); + goto out; + } + if (audit_log_user_message(audit_fd, AUDIT_USER_ROLE_CHANGE, + msg, NULL, NULL, NULL, success) <= 0) { + pam_syslog(pamh, LOG_ERR, _("Error sending audit message.")); + goto out; + } + rc = 0; + out: + free(msg); + freecon(default_raw); + freecon(selected_raw); + close(audit_fd); +#else + pam_syslog(pamh, LOG_NOTICE, "pam: default-context=%s selected-context=%s success %d", default_context, selected_context, success); +#endif + return rc; +} static int send_text (pam_handle_t *pamh, const char *text, int debug) { @@ -79,119 +137,64 @@ send_text (pam_handle_t *pamh, const char *text, int debug) * is responsible for freeing the responses. */ static int -query_response (pam_handle_t *pamh, const char *text, +query_response (pam_handle_t *pamh, const char *text, const char *def, char **responses, int debug) { + int rc; + if (def) + rc = pam_prompt (pamh, PAM_PROMPT_ECHO_ON, responses, "%s [%s] ", text, def); + else + rc = pam_prompt (pamh, PAM_PROMPT_ECHO_ON, responses, "%s ", text); if (debug) - pam_syslog(pamh, LOG_NOTICE, "%s", text); - - return pam_prompt (pamh, PAM_PROMPT_ECHO_ON, responses, "%s", text); -} - -static security_context_t -select_context (pam_handle_t *pamh, security_context_t* contextlist, - int debug) -{ - char *responses; - char *text=calloc(PATH_MAX,1); - - if (text == NULL) - return (security_context_t) strdup(contextlist[0]); - - snprintf(text, PATH_MAX, - _("Your default context is %s. \n"), contextlist[0]); - send_text(pamh,text,debug); - free(text); - query_response(pamh,_("Do you want to choose a different one? [n]"), - &responses,debug); - if (responses && ((responses[0] == 'y') || - (responses[0] == 'Y'))) - { - int choice=0; - int i; - const char *prompt=_("Enter number of choice: "); - int len=strlen(prompt); - char buf[PATH_MAX]; - - _pam_drop(responses); - for (i = 0; contextlist[i]; i++) { - len+=strlen(contextlist[i]) + 10; - } - text=calloc(len,1); - for (i = 0; contextlist[i]; i++) { - snprintf(buf, PATH_MAX, - "[%d] %s\n", i+1, contextlist[i]); - strncat(text,buf,len); - } - strcat(text,prompt); - while ((choice < 1) || (choice > i)) { - query_response(pamh,text,&responses,debug); - choice = strtol (responses, NULL, 10); - _pam_drop(responses); - } - free(text); - return (security_context_t) strdup(contextlist[choice-1]); - } - else if (responses) - _pam_drop(responses); - - return (security_context_t) strdup(contextlist[0]); + pam_syslog(pamh, LOG_NOTICE, "%s %s", text, responses[0]); + return rc; } static security_context_t manual_context (pam_handle_t *pamh, const char *user, int debug) { - security_context_t newcon; + security_context_t newcon=NULL; context_t new_context; int mls_enabled = is_selinux_mls_enabled(); - - char *responses; + char *type=NULL; + char *responses=NULL; while (1) { query_response(pamh, - _("Would you like to enter a security context? [y] "), + _("Would you like to enter a security context? [N] "), NULL, &responses,debug); - if ((responses[0] == 'y') || (responses[0] == 'Y') || - (responses[0] == '\0') ) + if ((responses[0] == 'y') || (responses[0] == 'Y')) { if (mls_enabled) new_context = context_new ("user:role:type:level"); else new_context = context_new ("user:role:type"); - _pam_drop(responses); - /* Allow the user to enter each field of the context individually */ + if (!new_context) + goto fail_set; + if (context_user_set (new_context, user)) - { - context_free (new_context); - return NULL; - } - query_response(pamh,_("role: "),&responses,debug); - if (context_role_set (new_context, responses)) - { - _pam_drop(responses); - context_free (new_context); - return NULL; - } + goto fail_set; + _pam_drop(responses); - query_response(pamh,_("type: "),&responses,debug); - if (context_type_set (new_context, responses)) - { - _pam_drop(responses); - context_free (new_context); - return NULL; - } + /* Allow the user to enter each field of the context individually */ + query_response(pamh,_("role:"), NULL, &responses,debug); + if (responses[0] != '\0') { + if (context_role_set (new_context, responses)) + goto fail_set; + if (get_default_type(responses, &type)) + goto fail_set; + if (context_type_set (new_context, type)) + goto fail_set; + } _pam_drop(responses); if (mls_enabled) { - query_response(pamh,_("level: "),&responses,debug); - if (context_range_set (new_context, responses)) - { - _pam_drop(responses); - context_free (new_context); - return NULL; - } - _pam_drop(responses); + query_response(pamh,_("level:"), NULL, &responses,debug); + if (responses[0] != '\0') { + if (context_range_set (new_context, responses)) + goto fail_set; + } } /* Get the string value of the context and see if it is valid. */ if (!security_check_context(context_str(new_context))) { @@ -201,14 +204,129 @@ manual_context (pam_handle_t *pamh, const char *user, int debug) } else send_text(pamh,_("Not a valid security context"),debug); + context_free (new_context); } else { _pam_drop(responses); return NULL; } } /* end while */ + fail_set: + free(type); + _pam_drop(responses); + context_free (new_context); + return NULL; +} + +static int mls_range_allowed(pam_handle_t *pamh, security_context_t src, security_context_t dst, int debug) +{ + struct av_decision avd; + int retval; + unsigned int bit = CONTEXT__CONTAINS; + context_t src_context = context_new (src); + context_t dst_context = context_new (dst); + context_range_set(dst_context, context_range_get(src_context)); + if (debug) + pam_syslog(pamh, LOG_NOTICE, "Checking if %s mls range valid for %s", dst, context_str(dst_context)); + + retval = security_compute_av(context_str(dst_context), dst, SECCLASS_CONTEXT, bit, &avd); + context_free(src_context); + context_free(dst_context); + if (retval || ((bit & avd.allowed) != bit)) + return 0; + + return 1; +} + +static security_context_t +config_context (pam_handle_t *pamh, security_context_t puser_context, int debug) +{ + security_context_t newcon=NULL; + context_t new_context; + int mls_enabled = is_selinux_mls_enabled(); + char *responses=NULL; + char *type=NULL; + char resp_val = 0; + + pam_prompt (pamh, PAM_TEXT_INFO, NULL, _("Default Security Context %s\n"), puser_context); + + while (1) { + query_response(pamh, + _("Would you like to enter a different role or level?"), "n", + &responses,debug); + + resp_val = responses[0]; + _pam_drop(responses); + if ((resp_val == 'y') || (resp_val == 'Y')) + { + new_context = context_new(puser_context); + + /* Allow the user to enter role and level individually */ + query_response(pamh,_("role:"), context_role_get(new_context), + &responses, debug); + if (responses[0]) { + if (get_default_type(responses, &type)) { + pam_prompt (pamh, PAM_ERROR_MSG, NULL, _("No default type for role %s\n"), responses); + _pam_drop(responses); + continue; + } else { + if (context_role_set(new_context, responses)) + goto fail_set; + if (context_type_set (new_context, type)) + goto fail_set; + } + } + _pam_drop(responses); + if (mls_enabled) + { + query_response(pamh,_("level:"), context_range_get(new_context), + &responses, debug); + if (responses[0]) { + if (context_range_set(new_context, responses)) + goto fail_set; + } + _pam_drop(responses); + } + if (debug) + pam_syslog(pamh, LOG_NOTICE, "Selected Security Context %s", context_str(new_context)); + + /* Get the string value of the context and see if it is valid. */ + if (!security_check_context(context_str(new_context))) { + newcon = strdup(context_str(new_context)); + context_free (new_context); + + /* we have to check that this user is allowed to go into the + range they have specified ... role is tied to an seuser, so that'll + be checked at setexeccon time */ + if (mls_enabled && !mls_range_allowed(pamh, puser_context, newcon, debug)) { + pam_syslog(pamh, LOG_NOTICE, "Security context %s is not allowed for %s", puser_context, newcon); + + send_audit_message(pamh, 0, puser_context, newcon); + + free(newcon); + goto fail_range; + } + return newcon; + } + else { + send_audit_message(pamh, 0, puser_context, context_str(new_context)); + send_text(pamh,_("Not a valid security context"),debug); + } + context_free(new_context); /* next time around allocates another */ + } + else + return strdup(puser_context); + } /* end while */ return NULL; + + fail_set: + free(type); + _pam_drop(responses); + context_free (new_context); + send_audit_message(pamh, 0, puser_context, NULL); + fail_range: + return NULL; } static void @@ -322,12 +440,17 @@ pam_sm_open_session(pam_handle_t *pamh, int flags UNUSED, int argc, const char **argv) { int i, debug = 0, ttys=1, has_tty=isatty(0); - int verbose=0, multiple=0, close_session=0; + int verbose=0, close_session=0; + int select_context = 0; + int use_current_range = 0; int ret = 0; security_context_t* contextlist = NULL; int num_contexts = 0; - const void *username = NULL; + const char *username = NULL; const void *tty = NULL; + char *seuser=NULL; + char *level=NULL; + security_context_t default_user_context=NULL; /* Parse arguments. */ for (i = 0; i < argc; i++) { @@ -340,17 +463,25 @@ pam_sm_open_session(pam_handle_t *pamh, int flags UNUSED, if (strcmp(argv[i], "verbose") == 0) { verbose = 1; } - if (strcmp(argv[i], "multiple") == 0) { - multiple = 1; - } if (strcmp(argv[i], "close") == 0) { close_session = 1; } + if (strcmp(argv[i], "select_context") == 0) { + select_context = 1; + } + if (strcmp(argv[i], "use_current_range") == 0) { + use_current_range = 1; + } } - + if (debug) pam_syslog(pamh, LOG_NOTICE, "Open Session"); + if (select_context && use_current_range) { + pam_syslog(pamh, LOG_ERR, "select_context cannot be used with use_current_range"); + select_context = 0; + } + /* this module is only supposed to execute close_session */ if (close_session) return PAM_SUCCESS; @@ -358,34 +489,110 @@ pam_sm_open_session(pam_handle_t *pamh, int flags UNUSED, if (!(selinux_enabled = is_selinux_enabled()>0) ) return PAM_SUCCESS; - if (pam_get_item(pamh, PAM_USER, &username) != PAM_SUCCESS || + if (pam_get_item(pamh, PAM_USER, (void *) &username) != PAM_SUCCESS || username == NULL) { return PAM_USER_UNKNOWN; } - num_contexts = get_ordered_context_list(username, 0, &contextlist); + + if (getseuserbyname(username, &seuser, &level)==0) { + num_contexts = get_ordered_context_list_with_level(seuser, + level, + NULL, + &contextlist); + if (debug) + pam_syslog(pamh, LOG_DEBUG, "Username= %s SELinux User = %s Level= %s", + username, seuser, level); + free(seuser); + free(level); + } if (num_contexts > 0) { - if (multiple && (num_contexts > 1) && has_tty) { - user_context = select_context(pamh,contextlist, debug); - freeconary(contextlist); - } else { - user_context = (security_context_t) strdup(contextlist[0]); - freeconary(contextlist); + default_user_context=strdup(contextlist[0]); + freeconary(contextlist); + if (default_user_context == NULL) { + pam_syslog(pamh, LOG_ERR, _("Out of memory")); + return PAM_AUTH_ERR; } - } else { + user_context = default_user_context; + if (select_context && has_tty) { + user_context = config_context(pamh, default_user_context, debug); + if (user_context == NULL) { + freecon(default_user_context); + pam_syslog(pamh, LOG_ERR, _("Unable to get valid context for %s"), + username); + pam_prompt (pamh, PAM_ERROR_MSG, NULL, _("Unable to get valid context for %s"), username); + if (security_getenforce() == 1) + return PAM_AUTH_ERR; + else + return PAM_SUCCESS; + } + } + } + else { if (has_tty) { - user_context = manual_context(pamh,username,debug); + user_context = manual_context(pamh,seuser,debug); if (user_context == NULL) { pam_syslog (pamh, LOG_ERR, "Unable to get valid context for %s", - (const char *)username); - return PAM_AUTH_ERR; + username); + if (security_getenforce() == 1) + return PAM_AUTH_ERR; + else + return PAM_SUCCESS; } } else { pam_syslog (pamh, LOG_ERR, "Unable to get valid context for %s, No valid tty", - (const char *)username); + username); + if (security_getenforce() == 1) + return PAM_AUTH_ERR; + else + return PAM_SUCCESS; + } + } + + if (use_current_range && is_selinux_mls_enabled()) { + security_context_t process_context=NULL; + if (getcon(&process_context) == 0) { + context_t pcon, ucon; + char *process_level=NULL; + security_context_t orig_context; + + if (user_context) + orig_context = user_context; + else + orig_context = default_user_context; + + pcon = context_new(process_context); + freecon(process_context); + process_level = strdup(context_range_get(pcon)); + context_free(pcon); + + if (debug) + pam_syslog (pamh, LOG_DEBUG, "process level=%s", process_level); + + ucon = context_new(orig_context); + + context_range_set(ucon, process_level); + free(process_level); + + if (!mls_range_allowed(pamh, orig_context, context_str(ucon), debug)) { + send_text(pamh, _("Requested MLS level not in permitted range"), debug); + /* even if default_user_context is NULL audit that anyway */ + send_audit_message(pamh, 0, default_user_context, context_str(ucon)); + context_free(ucon); return PAM_AUTH_ERR; + } + + if (debug) + pam_syslog (pamh, LOG_DEBUG, "adjusted context=%s", context_str(ucon)); + + /* replace the user context with the level adjusted one */ + freecon(user_context); + user_context = strdup(context_str(ucon)); + + context_free(ucon); } } + if (getexeccon(&prev_user_context)<0) { prev_user_context=NULL; } @@ -410,6 +617,10 @@ pam_sm_open_session(pam_handle_t *pamh, int flags UNUSED, ttyn=strdup(tty); ttyn_context=security_label_tty(pamh,ttyn,user_context); } + send_audit_message(pamh, 1, default_user_context, user_context); + if (default_user_context != user_context) { + freecon(default_user_context); + } ret = setexeccon(user_context); if (ret==0 && verbose) { char msg[PATH_MAX]; @@ -420,14 +631,38 @@ pam_sm_open_session(pam_handle_t *pamh, int flags UNUSED, if (ret) { pam_syslog(pamh, LOG_ERR, "Error! Unable to set %s executable context %s.", - (const char *)username, user_context); - freecon(user_context); - return PAM_AUTH_ERR; + username, user_context); + if (security_getenforce() == 1) { + freecon(user_context); + return PAM_AUTH_ERR; + } } else { if (debug) pam_syslog(pamh, LOG_NOTICE, "set %s security context to %s", - (const char *)username, user_context); + username, user_context); + } +#ifdef HAVE_SETKEYCREATECON + ret = setkeycreatecon(user_context); + if (ret==0 && verbose) { + char msg[PATH_MAX]; + snprintf(msg, sizeof(msg), + _("Key Creation Context %s Assigned"), user_context); + verbose_message(pamh, msg, debug); + } + if (ret) { + pam_syslog(pamh, LOG_ERR, + "Error! Unable to set %s key creation context %s.", + username, user_context); + if (security_getenforce() == 1) { + freecon(user_context); + return PAM_AUTH_ERR; + } + } else { + if (debug) + pam_syslog(pamh, LOG_NOTICE, "set %s key creation context to %s", + username, user_context); } +#endif freecon(user_context); return PAM_SUCCESS; @@ -472,7 +707,10 @@ pam_sm_close_session(pam_handle_t *pamh, int flags UNUSED, if (status) { pam_syslog(pamh, LOG_ERR, "Error! Unable to set executable context %s.", prev_user_context); - return PAM_AUTH_ERR; + if (security_getenforce() == 1) + return PAM_AUTH_ERR; + else + return PAM_SUCCESS; } if (debug) diff --git a/Linux-PAM/modules/pam_umask/pam_umask.c b/Linux-PAM/modules/pam_umask/pam_umask.c index fdeb3c51..eb88c1ac 100644 --- a/Linux-PAM/modules/pam_umask/pam_umask.c +++ b/Linux-PAM/modules/pam_umask/pam_umask.c @@ -1,5 +1,5 @@ /* - * Copyright (c) 2005, 2006 Thorsten Kukuk <kukuk@thkukuk.de> + * Copyright (c) 2005, 2006, 2007 Thorsten Kukuk <kukuk@thkukuk.de> * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions @@ -181,7 +181,7 @@ set_umask (const char *value) mask = strtoul (value, &endptr, 8) & 0777; if (((mask == 0) && (value_orig == endptr)) || - ((mask == ULONG_MAX) && (errno == ERANGE))) + ((mask == UINT_MAX) && (errno == ERANGE))) return; umask (mask); return; diff --git a/Linux-PAM/modules/pam_unix/pam_unix_passwd.c b/Linux-PAM/modules/pam_unix/pam_unix_passwd.c index 8921d1cc..c8ee5492 100644 --- a/Linux-PAM/modules/pam_unix/pam_unix_passwd.c +++ b/Linux-PAM/modules/pam_unix/pam_unix_passwd.c @@ -330,11 +330,12 @@ static int check_old_password(const char *forwho, const char *newpass) while (fgets(buf, 16380, opwfile)) { if (!strncmp(buf, forwho, strlen(forwho))) { + char *sptr; buf[strlen(buf) - 1] = '\0'; - s_luser = strtok(buf, ":,"); - s_uid = strtok(NULL, ":,"); - s_npas = strtok(NULL, ":,"); - s_pas = strtok(NULL, ":,"); + s_luser = strtok_r(buf, ":,", &sptr); + s_uid = strtok_r(NULL, ":,", &sptr); + s_npas = strtok_r(NULL, ":,", &sptr); + s_pas = strtok_r(NULL, ":,", &sptr); while (s_pas != NULL) { char *md5pass = Goodcrypt_md5(newpass, s_pas); if (!strcmp(md5pass, s_pas)) { @@ -342,7 +343,7 @@ static int check_old_password(const char *forwho, const char *newpass) retval = PAM_AUTHTOK_ERR; break; } - s_pas = strtok(NULL, ":,"); + s_pas = strtok_r(NULL, ":,", &sptr); _pam_delete(md5pass); } break; @@ -432,11 +433,12 @@ static int save_old_password(pam_handle_t *pamh, while (fgets(buf, 16380, opwfile)) { if (!strncmp(buf, forwho, strlen(forwho))) { + char *sptr; buf[strlen(buf) - 1] = '\0'; - s_luser = strtok(buf, ":"); - s_uid = strtok(NULL, ":"); - s_npas = strtok(NULL, ":"); - s_pas = strtok(NULL, ":"); + s_luser = strtok_r(buf, ":", &sptr); + s_uid = strtok_r(NULL, ":", &sptr); + s_npas = strtok_r(NULL, ":", &sptr); + s_pas = strtok_r(NULL, ":", &sptr); npas = strtol(s_npas, NULL, 10) + 1; while (npas > howmany) { s_pas = strpbrk(s_pas, ","); @@ -1077,13 +1079,6 @@ PAM_EXTERN int pam_sm_chauthtok(pam_handle_t * pamh, int flags, user); return PAM_USER_UNKNOWN; } - if (!_unix_shadowed(pwd) && - (strchr(pwd->pw_passwd, '*') != NULL)) { - pam_syslog(pamh, LOG_DEBUG, - "user \"%s\" does not have modifiable password", - user); - return PAM_USER_UNKNOWN; - } } /* diff --git a/Linux-PAM/modules/pam_unix/support.c b/Linux-PAM/modules/pam_unix/support.c index 954f2c73..fc95f2c0 100644 --- a/Linux-PAM/modules/pam_unix/support.c +++ b/Linux-PAM/modules/pam_unix/support.c @@ -679,7 +679,7 @@ int _unix_verify_password(pam_handle_t * pamh, const char *name } } } else { - int salt_len = strlen(salt); + size_t salt_len = strlen(salt); if (!salt_len) { /* the stored password is NULL */ if (off(UNIX__NONULL, ctrl)) {/* this means we've succeeded */ @@ -689,19 +689,19 @@ int _unix_verify_password(pam_handle_t * pamh, const char *name D(("user has empty password - access denied")); retval = PAM_AUTH_ERR; } - } else if (!p || (*salt == '*')) { + } else if (!p || *salt == '*' || *salt == '!') { retval = PAM_AUTH_ERR; } else { if (!strncmp(salt, "$1$", 3)) { pp = Goodcrypt_md5(p, salt); - if (strcmp(pp, salt) != 0) { + if (pp && strcmp(pp, salt) != 0) { _pam_delete(pp); pp = Brokencrypt_md5(p, salt); } } else if (*salt != '$' && salt_len >= 13) { pp = bigcrypt(p, salt); - if (strlen(pp) > salt_len) { - pp[salt_len] = '\0'; + if (pp && salt_len == 13 && strlen(pp) > salt_len) { + _pam_overwrite(pp + salt_len); } } else { /* @@ -715,7 +715,7 @@ int _unix_verify_password(pam_handle_t * pamh, const char *name /* the moment of truth -- do we agree with the password? */ D(("comparing state of pp[%s] and salt[%s]", pp, salt)); - if (strcmp(pp, salt) == 0) { + if (pp && strcmp(pp, salt) == 0) { retval = PAM_SUCCESS; } else { retval = PAM_AUTH_ERR; diff --git a/Linux-PAM/modules/pam_unix/unix_chkpwd.c b/Linux-PAM/modules/pam_unix/unix_chkpwd.c index 87d29256..236ad5c2 100644 --- a/Linux-PAM/modules/pam_unix/unix_chkpwd.c +++ b/Linux-PAM/modules/pam_unix/unix_chkpwd.c @@ -144,7 +144,7 @@ static int _unix_verify_password(const char *name, const char *p, int nullok) char *salt = NULL; char *pp = NULL; int retval = PAM_AUTH_ERR; - int salt_len; + size_t salt_len; /* UNIX passwords area */ setpwent(); @@ -189,6 +189,8 @@ static int _unix_verify_password(const char *name, const char *p, int nullok) return (nullok == 0) ? PAM_AUTH_ERR : PAM_SUCCESS; } if (p == NULL || strlen(p) == 0) { + _pam_overwrite(salt); + _pam_drop(salt); return PAM_AUTHTOK_ERR; } @@ -196,11 +198,13 @@ static int _unix_verify_password(const char *name, const char *p, int nullok) retval = PAM_AUTH_ERR; if (!strncmp(salt, "$1$", 3)) { pp = Goodcrypt_md5(p, salt); - if (strcmp(pp, salt) == 0) { + if (pp && strcmp(pp, salt) == 0) { retval = PAM_SUCCESS; } else { + _pam_overwrite(pp); + _pam_drop(pp); pp = Brokencrypt_md5(p, salt); - if (strcmp(pp, salt) == 0) + if (pp && strcmp(pp, salt) == 0) retval = PAM_SUCCESS; } } else if (*salt == '$') { @@ -209,10 +213,10 @@ static int _unix_verify_password(const char *name, const char *p, int nullok) * libcrypt nows about it? We should try it. */ pp = x_strdup (crypt(p, salt)); - if (strcmp(pp, salt) == 0) { + if (pp && strcmp(pp, salt) == 0) { retval = PAM_SUCCESS; } - } else if ((*salt == '*') || (salt_len < 13)) { + } else if (*salt == '*' || *salt == '!' || salt_len < 13) { retval = PAM_AUTH_ERR; } else { pp = bigcrypt(p, salt); @@ -223,24 +227,21 @@ static int _unix_verify_password(const char *name, const char *p, int nullok) * have been truncated for storage relative to the output * of bigcrypt here. As such we need to compare only the * stored string with the subset of bigcrypt's result. - * Bug 521314: the strncmp comparison is for legacy support. + * Bug 521314. */ - if (strncmp(pp, salt, salt_len) == 0) { + if (pp && salt_len == 13 && strlen(pp) > salt_len) { + _pam_overwrite(pp+salt_len); + } + + if (pp && strcmp(pp, salt) == 0) { retval = PAM_SUCCESS; } } p = NULL; /* no longer needed here */ /* clean up */ - { - char *tp = pp; - if (pp != NULL) { - while (tp && *tp) - *tp++ = '\0'; - free(pp); - } - pp = tp = NULL; - } + _pam_overwrite(pp); + _pam_drop(pp); return retval; } |